0

I've been researching for several days now on how to distinguish programmatically (C#) if my software (Windows) is running on a VM or a physical machine. The approaches I find are two:

  1. Test for specific attributes indicating you're running on a specific type of a VM (VMware, AMI etc.). Disadvantage: And what if you're not running on them? And what if these attributes can easily be changed by the manufacturer?
  2. Try to use WMI to determine that by querying for certain attributes: I saw at least five different pieces of code, all contradicting each other and with someone commenting "it doesn't work".

I find it very difficult to believe that we do not have a definitive solution for making that distinction. Can anyone share a robust piece of code for this problem?

Michael J. Gray
user181218
  • What are you trying to accomplish by checking this? Usually it's only easy to tell if you're running on certain types of virtualization but some may not be so easy to detect. – Jesus Ramos Apr 30 '14 at 20:45
  • Maybe it could be helpful to check what kind of information the Virtual CPU contains: http://www.codeproject.com/Articles/17973/How-To-Get-Hardware-Information-CPU-ID-MainBoard-I – Seb Apr 30 '14 at 20:46
  • Our requirement is to tell the difference between the platforms for some licensing purposes. I really don't know much about the world of virtualization, but you mean to say there is not a SINGLE queryable attribute that distinguishes a virtual environment from a physical one? – user181218 Apr 30 '14 at 20:48
  • @user181218 In some cases **no**, because that's the whole idea: to make sure the *virtual* is as *real* as possible; having run into some issues also related to licensing, I can tell you that *all* identifiable information can be forged by the host of the VM. – rae1 Apr 30 '14 at 21:04
  • Our initial assumption was that it could be forged. Right now we're at least trying to make it not completely open. – user181218 Apr 30 '14 at 21:07
  • You might also want to look into "Blue Pill Detection", which is the art of detecting a hypervisor that's trying to hide from you. – Ben Voigt Apr 30 '14 at 21:29
  • @BenVoigt - I looked into it before I wrote this post. It's not always the case that the information is there. – user181218 Apr 30 '14 at 22:06
  • There is no method, nor should there be. – payo Apr 30 '14 at 22:54
  • Note that this is a [walls and ladders](http://blogs.msdn.com/b/oldnewthing/archive/2012/01/17/10257351.aspx) problem. – Harry Johnston Apr 30 '14 at 23:09
  • Also, note that distinguishing between virtual and physical machines for licensing purposes is a bad idea on both ethical and PR grounds. Your legitimate customers are not going to be happy if they can't run your software in their virtual infrastructure, just because you don't trust them. – Harry Johnston Apr 30 '14 at 23:11

2 Answers

2

My suggestion is to poll the registry of the machine running your app for specific keys that the VMs insert. It is highly unlikely that a physical machine will have the keys.

For example, below is a screenshot of some keys in one of my VMware dev boxes.
You could check for the presence of some or all of these keys from within your app if it is running VMware.

Since this was tagged with C#, I would suggest you use the methods in the following Stack Overflow question: Read Registry Keys via C#

Same methodology applies to any other VM system.

[Screenshot: VMware Keys in Windows Server]

user3507825
  • What if the physical server is running several VMs and your application is simply run under the physical server? They'll have those keys for VMware products installed. – Michael J. Gray Apr 30 '14 at 22:15
  • @Michael J. Gray, interesting and valid comment. I can only speak for VMware as it is what I use but the specific keys are different on the host vs the guest. If one were to use this method, you'd have to do a little homework to find the differences but they are definitely there. – user3507825 Apr 30 '14 at 22:32
  • Another part of the requirement based on a response by the author about hardware spoofing is that the keys could be detoured/altered/edited by some hypervisor module or something operating below the OS in general. It could detect that the virtualization software is trying to read a key and then return results for the other keys, thus defeating your detection mechanism. I believe all methods are easily thwarted because of the fact that the application only knows what the OS/hardware tells it. When you get into virtual hardware, it can represent anything, even add or remove CPU instructions. – Michael J. Gray Apr 30 '14 at 22:49
0

As far as I know there is no confident way to determine whether you are in a virtual environment.

I would start with:

  • Look for VM-specific virtual hardware (for instance network adapters or USB Controllers etc.)
  • Look for VM-specific processor capabilities; some virtual machines introduce additional instruction sets.

There might be something else....

Vladimir Gondarev
  • Sadly, for the first point, the information can be easily forged (literally every device type, model and/or serial number is stored in a clear text file, which the VM reads on startup). – rae1 Apr 30 '14 at 21:15
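
The registry check and the virtual-hardware check suggested in the two answers above, combined into one evidence collector that reports what it found instead of a yes/no verdict. This is an added example, not code from either answer: the manufacturer/model strings and the VMware Tools key path are assumed vendor defaults (the screenshot's keys are not available on the page), and `VmEvidence`, `Classify` and `Collect` are hypothetical names.

```csharp
// Added example. Every value read here can be forged by the VM host, so the
// result is a hint only. Needs a reference to System.Management; Windows only.
using System;
using System.Collections.Generic;
using System.Management;
using Microsoft.Win32;

static class VmEvidence
{
    // Commonly reported Win32_ComputerSystem values (assumed defaults, not from the page).
    static readonly (string Maker, string Model, string Name)[] Known =
    {
        ("VMware",                "VMware",          "VMware"),
        ("Microsoft Corporation", "Virtual Machine", "Hyper-V"),
        ("innotek GmbH",          "VirtualBox",      "VirtualBox"),
    };
    // Pure function so it can be exercised with constructed inputs.
    public static List<string> Classify(string maker, string model, bool vmwareToolsKey)
    {
        var hits = new List<string>();
        foreach (var k in Known)
            // Require both fields: "Microsoft Corporation" alone also describes Surface hardware.
            if (maker.IndexOf(k.Maker, StringComparison.OrdinalIgnoreCase) >= 0 &&
                model.IndexOf(k.Model, StringComparison.OrdinalIgnoreCase) >= 0)
                hits.Add($"Manufacturer/model match {k.Name}: '{maker}' / '{model}'");
        if (vmwareToolsKey)
            hits.Add("VMware Tools registry key present (guest-side key)");
        return hits; // empty means "no evidence found", not "physical machine"
    }
    public static List<string> Collect()
    {
        string maker = "", model = "";
        using (var s = new ManagementObjectSearcher(
                   "SELECT Manufacturer, Model FROM Win32_ComputerSystem"))
            foreach (ManagementObject mo in s.Get())
            {
                maker = mo["Manufacturer"] as string ?? "";
                model = mo["Model"] as string ?? "";
            }
        // Assumed default VMware Tools location. A host that merely has VMware
        // products installed uses other keys, so only the guest-side key is checked.
        using (var key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\VMware, Inc.\VMware Tools"))
            return Classify(maker, model, key != null);
    }
    static void Main()
    {
        // Constructed sample: physical Microsoft hardware must not match Hyper-V.
        Console.WriteLine(Classify("Microsoft Corporation", "Surface Pro 7", false).Count);
        foreach (var line in Collect()) Console.WriteLine(line);
    }
}
```

An empty list from `Collect()` only means none of these markers were visible; as the comments above point out, a host can present any values it likes to the guest.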