Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?

[G Portokalidis]

Actually, i have also noticed this.
It implies that an exploit might not succeed (this usually the case
with most exploits), since the attacker supplied shellcode will not be
at the "expected" location.

My question is, does anybody know why this happens? Why this
difference when running qemu with kqemu and without...
I wonder if there is way to override this behaviour.

Cheers,
G.

PS: I'm also responsible for the qemu derivative Argos. We make sure
that the attacker will never get to run his code to determine whether
he is running withing a VM. Of course there always some type of
attacks that we would not be able to detect.

On 07/07/06, Kevin F. Quinn <address@hidden> wrote:
> On Thu, 6 Jul 2006 16:46:40 -0400
> Daniel Serpell <address@hidden> wrote:
>
> > But there is a way to detect virtual machines under x86, see
> > http://invisiblethings.org/papers/redpill.html
> >
> > But if you run qemu without direct instruction copying, it won't
> > work (and qemu will run slower), because qemu will correctly
> > emulate the unprivileged instructions.
>
> Out of interest, sidt returns limit:base 07ff:c0372000 on my
> host, and 07ff:f0050000 on a linux guest with kqemu, and 07ff:c04b5000
> on the same linux guest without kqemu, which illustrates the point.
>
> I used the following code:
>
> #include <stdio.h>
> int main(int argc, char **argv) {
>         unsigned char idtr[6];
>         __asm__ ("sidt %0" : "=m" (*&idtr));
>         fprintf(stdout,
>                 "IDTR: limit %2.2x%2.2x base %2.2x%2.2x%2.2x%2.2x\n",
>                 idtr[1],idtr[0],idtr[5],idtr[4],idtr[3],idtr[2]);
> }
>
> which doesn't need executable heap (my kernel is PaX-enabled), unlike
> the redpill version, but is gcc-specific.
>
> --
> Kevin F. Quinn
>
>
> _______________________________________________
> Qemu-devel mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/qemu-devel