SourPill VM Detector

[TiGa]

Here is a little program I made to help with VM detection.

It reads the cpu name and checks the average RDTSC timing of the CPUID instruction over 100000 executions.

CPUID takes around 350 cycles to execute on a Native OS but around 2500-3500 cycles in a VM. It should also notice a timing difference if VMX is enabled and used for intel cpus due to the TLB having to be rewritten in part.

The only thing i think that could fool it is Blue Chicken in the New Blue Pill.

I hope it can be of use to somebody.
TiGa

[LLXX]

I ran it 4 times and got...

910
1033
1148
1025

...on a native OS. This is a Pentium 4 3.6 overclocked to 4.17GHz.

The instruction timing varies between processor models and clock rates (and maybe even between the same model and clock, but different stepping/revision) so "350 cycles to execute on a Native OS but around 2500-3500 cycles in a VM" is hardly a definitive measure.

[TiGa]

You're right, I should have specified something else. This is only an approximative measurement.
Results WILL vary from one run to the other but there is still a noticeable timing gap between native OS and VM.

You set your own baseline and then you can notice the difference between native OS and VM. This is why the app doesn't say "You are in a VM!". It is more a tool to help you draw your own conclusion.
BTW When I say you, I don't mean LLXX-you but the everybody you.

I've heard of this method from many papers I've read. The idea behind this is if there is ever a Blue Pill for intel cpus, there should be an apparent-enough timing difference when the Hypervisor handles the CPUID instruction.

I just thought it could be interesting to put in practice something I have only read about.

TiGa

[TiGa]

It's so funny but I'm not laughing.

// SourPill.cpp : Defines the entry point for the console application.
// by Maddy

It looks like somebody liked this program enough to try to take credit for it.
I sent the source to 1 person who asked for it in a pm and this is what I find a few hours later. Is there so much pride to gain by putting your name on top of 10 ASM lines?

Here is the source, before it gets skewered into something else:
http://rapidshare.com/files/49672454/SourPillWithSource.zip.html

That is a sour pill to swallow.

TiGa

[LLXX]

It's just a lame script kiddie.

Instruction timing with RDTSC has been around since RDTSC existed, so your code isn't that much of a new idea anyway...

[TiGa]

I know it is not something new, I know it's nothing extraordinary.
Even if it is only a stick-figure drawing, it doesn't leave a good feeling when somebody else tries to take credit for something you have done.

BTW I was searching for a way to disable the TSD bit flag. While searching everywhere in Google, I found this:
http://www.woodmann.com/forum/showthread.php?t=7122

Neitsa's driver is a good idea to counter RDTSC timing attacks, I was about to try to do the same thing.

--Late Addition--
I'd really appreciate if somebody could check this thread, the board requires 30 posts to just read the posts:
http://www.ryan1918.com/viewtopic.php?t=12728
I could only view the first line of the guy's posts through is profile but not the rest.
From those first lines, it seems the guy is exactly quoting me word for word. That is weird. I hope he corrected my typos.

I know it's a bit childish but I'm curious.
TiGa

[LLXX]

I'd really appreciate if somebody could check this thread, the board requires 30 posts to just read the posts:
http://www.ryan1918.com/viewtopic.php?t=12728
I could only view the first line of the guy's posts through is profile but not the rest.
From those first lines, it seems the guy is exactly quoting me word for word. That is weird. I hope he corrected my typos.

I know it's a bit childish but I'm curious.
TiGa

phpBB : Critical Error

Could not connect to the database

Haha, a little more digging around shows that he's just a script kiddie, as I suspected.

Site looks dead now

[TiGa]

Kids, these days, you know...

I think this was a case of "The internet is so big, he'll never find out, I'm a 1337 haxxorZ".
The internet is not that big.

I don't have psychic powers but I can predict that he'll lay low for a while or change his nickname then start again.
Get busted again then start again. Until puberty kicks in.

TiGa

[ryan1918]

Haha, a little more digging around shows that he's just a script kiddie, as I suspected.

Site looks dead now

My site isn't dead, and how am I a script kiddie?

[JMI]

Yes. We know the sites not "dead".

http://www.ryan1918.com/index.php?

I beleive the "lame script kiddie" is a reference to "Maddy" mentioned in Post #4.

Regards,

[blurcode]

Your site isn't dead but you need to upgrade your server hardware.
And i dont think you are Maddy (http://www.ryan1918.com/profile.php?mode=viewprofile&u=10746 user if i am correct) right?

[ryan1918]

No I am not maddy, I am the owner of the site, ryan. It's actually a nice community on learning various things, why do I need to upgrade my hardware?

[blurcode]

To handle more database connections.

phpBB : Critical Error

Could not connect to the database

[ryan1918]

To handle more database connections.

I have a dedicated server, I can have a couple thousand on at any one given time, You must have stumbled upon my site when I was upgrading a few things and adding some mods.

I didn't really bother to setup a page since it only was for an hour or so.

[JMI]

I'm wondering if "It's actually a nice community on learning various things" if you have to have 30 Posts just to read information on the Threads?

And why are "members" like HTML allowed to exist and post at all, considering the content of his Posts related to this subject. Although I understand he was eventually banned, seems he was "way over the line" from the "get go."

But that's just "opinion." It's your forum and you can do whatever you want there.

Regards,