
Thread: SourPill VM Detector

  1. #1

    SourPill VM Detector

    Here is a little program I made to help with VM detection.

    It reads the CPU name and checks the average RDTSC timing of the CPUID instruction over 100000 executions.

    CPUID takes around 350 cycles to execute on a native OS but around 2500-3500 cycles in a VM. It should also notice a timing difference if VMX is enabled and used for Intel CPUs due to the TLB having to be rewritten in part.

    The only thing I think that could fool it is Blue Chicken in the New Blue Pill.

    I hope it can be of use to somebody.
    TiGa
    Programming today is a race between software engineers to build bigger and better idiot-proof programs and the Universe trying to produce bigger and better idiots.
    So far, the Universe is winning.
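    The measurement the post describes, written here as an added C example (this is not the attached SourPill source): it reads the CPU brand string with CPUID, times CPUID between two RDTSC reads, averages over 100000 runs as the post does, and compares the result with a baseline the reader recorded on known native hardware. The 3.0 factor in the comparison is an assumed threshold; absolute tick counts differ per machine, which is why a baseline is needed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif

/* Processor brand string from CPUID leaves 0x80000002..4 (the post's "CPU name"). */
void cpu_brand_string(char buf[49]) {
    memset(buf, 0, 49);
#if defined(__x86_64__) || defined(__i386__)
    unsigned r[4];
    for (unsigned i = 0; i < 3; i++) {  /* 16 bytes per leaf: EAX,EBX,ECX,EDX */
        __cpuid(0x80000002u + i, r[0], r[1], r[2], r[3]);
        memcpy(buf + 16 * i, r, 16);
    }
#endif
}

/* One CPUID(0) bracketed by RDTSC, in TSC ticks; 0 when built for non-x86. */
static uint64_t cpuid_ticks_once(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

/* Average over `iterations` samples; the minimum is also returned, as it is less disturbed by interrupts. */
double average_cpuid_ticks(unsigned iterations, uint64_t *min_out) {
    uint64_t total = 0, min = UINT64_MAX;
    for (unsigned i = 0; i < iterations; i++) {
        uint64_t t = cpuid_ticks_once();
        total += t;
        if (t < min) min = t;
    }
    if (min_out) *min_out = (iterations ? min : 0);
    return iterations ? (double)total / iterations : 0.0;
}

/* Judge only against a baseline you measured on known native hardware; `factor` is an assumed threshold. */
int exceeds_baseline(double measured, double baseline, double factor) {
    return baseline > 0.0 && measured > baseline * factor;
}
```

    Call `average_cpuid_ticks(100000, &min)` on a machine you know to be native, keep that number as the baseline, then compare later runs with `exceeds_baseline`.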

  2. #2
    I ran it 4 times and got...

    910
    1033
    1148
    1025

    ...on a native OS. This is a Pentium 4 3.6 overclocked to 4.17GHz.

    The instruction timing varies between processor models and clock rates (and maybe even between the same model and clock, but different stepping/revision) so "350 cycles to execute on a Native OS but around 2500-3500 cycles in a VM" is hardly a definitive measure.

  3. #3
    You're right, I should have specified something else. This is only an approximate measurement.
    Results WILL vary from one run to the other, but there is still a noticeable timing gap between native OS and VM.

    You set your own baseline and then you can notice the difference between native OS and VM. This is why the app doesn't say "You are in a VM!". It is more a tool to help you draw your own conclusion.
    BTW When I say you, I don't mean LLXX-you but the everybody you.

    I've heard of this method from many papers I've read. The idea behind this is that if there is ever a Blue Pill for Intel CPUs, there should be an apparent-enough timing difference when the hypervisor handles the CPUID instruction.

    I just thought it could be interesting to put in practice something I have only read about.

    TiGa

  4. #4

    It's so funny but I'm not laughing

    // SourPill.cpp : Defines the entry point for the console application.
    // by Maddy
    It looks like somebody liked this program enough to try to take credit for it.
    I sent the source to 1 person who asked for it in a pm and this is what I find a few hours later. Is there so much pride to gain by putting your name on top of 10 ASM lines?

    Here is the source, before it gets skewered into something else:
    http://rapidshare.com/files/49672454/SourPillWithSource.zip.html

    That is a sour pill to swallow.

    TiGa

  5. #5
    It's just a lame script kiddie.

    Instruction timing with RDTSC has been around since RDTSC existed, so your code isn't that much of a new idea anyway...

  6. #6
    I know it is not something new, I know it's nothing extraordinary.
    Even if it is only a stick-figure drawing, it doesn't leave a good feeling when somebody else tries to take credit for something you have done.

    BTW I was searching for a way to disable the TSD bit flag. While searching everywhere in Google, I found this:
    http://www.woodmann.com/forum/showthread.php?t=7122

    Neitsa's driver is a good idea to counter RDTSC timing attacks, I was about to try to do the same thing.

    --Late Addition--
    I'd really appreciate if somebody could check this thread, the board requires 30 posts to just read the posts:
    http://www.ryan1918.com/viewtopic.php?t=12728
    I could only view the first line of the guy's posts through his profile but not the rest.
    From those first lines, it seems the guy is exactly quoting me word for word. That is weird. I hope he corrected my typos.

    I know it's a bit childish but I'm curious.
    TiGa
    Last edited by TiGa; August 18th, 2007 at 06:18.

  7. #7
    Quote Originally Posted by TiGa View Post
    I'd really appreciate if somebody could check this thread, the board requires 30 posts to just read the posts:
    http://www.ryan1918.com/viewtopic.php?t=12728
    I could only view the first line of the guy's posts through his profile but not the rest.
    From those first lines, it seems the guy is exactly quoting me word for word. That is weird. I hope he corrected my typos.

    I know it's a bit childish but I'm curious.
    TiGa
    phpBB : Critical Error

    Could not connect to the database
    Haha, a little more digging around shows that he's just a script kiddie, as I suspected.

    Site looks dead now

  8. #8
    Kids, these days, you know...

    I think this was a case of "The internet is so big, he'll never find out, I'm a 1337 haxxorZ".
    The internet is not that big.

    I don't have psychic powers but I can predict that he'll lay low for a while or change his nickname then start again.
    Get busted again then start again. Until puberty kicks in.

    TiGa

  9. #9
    ryan1918
    Quote Originally Posted by LLXX View Post
    Haha, a little more digging around shows that he's just a script kiddie, as I suspected.

    Site looks dead now
    My site isn't dead, and how am I a script kiddie?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #10
    Yes. We know the site's not "dead".

    http://www.ryan1918.com/index.php?

    I believe the "lame script kiddie" is a reference to "Maddy" mentioned in Post #4.

    Regards,
    JMI

  11. #11
    Your site isn't dead but you need to upgrade your server hardware.
    And I don't think you are Maddy (http://www.ryan1918.com/profile.php?mode=viewprofile&u=10746 user if I am correct), right?
    A picture worth 1K words (or .5K DWORDS).

  12. #12
    ryan1918
    No, I am not Maddy, I am the owner of the site, ryan. It's actually a nice community on learning various things, why do I need to upgrade my hardware?

  13. #13
    To handle more database connections.
    phpBB : Critical Error

    Could not connect to the database

  14. #14
    ryan1918
    Quote Originally Posted by blurcode View Post
    To handle more database connections.

    I have a dedicated server, I can have a couple thousand on at any one given time. You must have stumbled upon my site when I was upgrading a few things and adding some mods.

    I didn't really bother to setup a page since it only was for an hour or so.

  15. #15
    I'm wondering if "It's actually a nice community on learning various things" if you have to have 30 Posts just to read information on the Threads?

    And why are "members" like HTML allowed to exist and post at all, considering the content of his Posts related to this subject. Although I understand he was eventually banned, seems he was "way over the line" from the "get go."

    But that's just "opinion." It's your forum and you can do whatever you want there.

    Regards,
    JMI
