VMware implements an I/O port that programs can query to detect whether software is running under a VMware hypervisor. This hypervisor port behaves differently depending on magic values in certain registers and modifies some registers as a side effect. VMware is detected by performing an IN operation on port 0x5658 (the VMware hypervisor port). Doing an IN on port 0x5658 with
eax = 0x564D5868 (VMware hypervisor magic value)
ebx = 0xFFFFFFFF (UINT_MAX)
ecx = 10 (Getversion command identifier)
edx = 0x5658 (hypervisor port number)
on VMware modifies the value of register ebx to 0x564D5868 (the VMware hypervisor magic value).
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
Detect Virtual Machine in Linux
● Sreelakshmi Panangatt
● Member of Team bi0s
● Graduated from Vrije University and Amrita Vishwa Vidyapeetham.
● Focusing on Reverse engineering.
● Creation of a virtual version of resources such as storage or an OS
● Examples: VMware, VirtualBox, KVM, QEMU
● Benefits in Malware Analysis
○ Researchers can intrepidly execute potential malware samples without having their
○ If a malware sample destabilizes the OS, the analyst just needs to load a fresh image on a VM.
○ Reduce the time and cost
○ Increase the productivity
● Techniques malware uses to evade analysis in VMs
○ File based detection
○ Time based detection
○ Instruction based detection
Presence of VM
● /usr/bin - standard directory contains most of the executable files
● Searching for files whose names start with "vmw" or "VirtualBox" provides information regarding the presence of VMware and VirtualBox.
Known MAC Address
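The two artifact checks above (file names under /usr/bin and the guest NIC's MAC address) as one added example in C; this is not DeViL's code. The file-name prefixes are the ones the slide names; the OUI table is an assumption added here (public IEEE registrations for VMware, VirtualBox and the QEMU/KVM default NIC, which the slide does not list), and the sample listing in main is constructed. The aim is the same as the tool's: see what an analysis VM gives away before a sample does.

```c
#include <stdio.h>
#include <string.h>
#include <dirent.h>

/* File-name prefixes the slide names as VMware / VirtualBox guest-tool artifacts. */
static const char *const vm_file_prefixes[] = { "vmw", "VirtualBox" };

/* Returns the matching prefix, or NULL if the name gives no VM hint. */
const char *vm_prefix_for_name(const char *name)
{
    for (size_t i = 0; i < sizeof vm_file_prefixes / sizeof *vm_file_prefixes; i++) {
        size_t len = strlen(vm_file_prefixes[i]);
        if (strncmp(name, vm_file_prefixes[i], len) == 0)
            return vm_file_prefixes[i];
    }
    return NULL;
}

/* Counts hits in a listing passed in as an array, so the check can run on a
 * constructed listing as well as on a real directory. */
size_t count_vm_named_files(const char *const *names, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (vm_prefix_for_name(names[i]) != NULL)
            hits++;
    return hits;
}

/* Walks a real directory (e.g. /usr/bin); returns the number of hits, or -1 on error. */
long count_vm_named_files_in_dir(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    long hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (vm_prefix_for_name(e->d_name) != NULL)
            hits++;
    closedir(d);
    return hits;
}

/* Assumption (not from the slide): OUIs as registered with IEEE for VMware,
 * VirtualBox (Oracle) and the QEMU/KVM default virtual NIC. */
struct oui { unsigned char b[3]; const char *vendor; };
static const struct oui known_ouis[] = {
    { {0x00, 0x05, 0x69}, "VMware" },
    { {0x00, 0x0C, 0x29}, "VMware" },
    { {0x00, 0x1C, 0x14}, "VMware" },
    { {0x00, 0x50, 0x56}, "VMware" },
    { {0x08, 0x00, 0x27}, "VirtualBox" },
    { {0x52, 0x54, 0x00}, "QEMU/KVM" },
};

/* Parses "aa:bb:cc:dd:ee:ff" (either case) and returns the vendor for its OUI, or NULL. */
const char *vendor_for_mac(const char *mac)
{
    unsigned b[6];
    if (sscanf(mac, "%2x:%2x:%2x:%2x:%2x:%2x",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6)
        return NULL;
    for (size_t i = 0; i < sizeof known_ouis / sizeof *known_ouis; i++)
        if (known_ouis[i].b[0] == b[0] && known_ouis[i].b[1] == b[1] && known_ouis[i].b[2] == b[2])
            return known_ouis[i].vendor;
    return NULL;
}

int main(void)
{
    /* Constructed sample listing standing in for /usr/bin. */
    const char *const sample[] = { "vmware-toolbox-cmd", "VBoxClient", "VirtualBoxClient", "ls", "vim" };
    printf("VM-named files in sample listing: %zu\n",
           count_vm_named_files(sample, sizeof sample / sizeof *sample));
    printf("VM-named files in /usr/bin: %ld\n", count_vm_named_files_in_dir("/usr/bin"));
    const char *v = vendor_for_mac("00:0c:29:12:34:56");   /* constructed address */
    printf("MAC 00:0c:29:12:34:56 -> %s\n", v ? v : "no known VM OUI");
    return 0;
}
```

Note that the constructed listing deliberately contains "VBoxClient": with only the two prefixes from the slide it is not counted, which shows why a prefix list needs to follow the names the guest tools actually install. On a live host, read the MAC from /sys/class/net/<iface>/address and pass it to vendor_for_mac.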
● Hypervisor bit
○ CPUID instruction with EAX=0x01
○ Bit 31 (zero-indexed) of ECX
● Virtualization vendor string
○ Strings in EBX, ECX and EDX
Hypervisor port - IN Instruction
● Specific for VMware.
● Performs an IN operation to port 0x5658 (the VMware hypervisor port).
○ eax = 0x564D5868 (VMware hypervisor magic value)
○ ebx = 0xFFFFFFFF (UINT_MAX)
○ ecx = 10 (Getversion command identifier)
○ edx = 0x5658 (hypervisor port number)
● On VMware, the value of register ebx is changed to 0x564D5868 (the VMware hypervisor magic value).
VMEXIT through CPUID Instruction
● Timing based
● Measures the time it takes to run the CPUID instruction.
● Context switch from guest caller to hypervisor causes VMEXIT.
● Summary: execution on VMs takes more time!
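The timing check from this slide as an added C example (not DeViL's code): CPUID is timed with RDTSC many times and the median is compared with a threshold, since a single measurement is easily skewed by an interrupt or a context switch. The threshold of 1000 cycles is an assumption added here (a heuristic commonly used for this check; the slide gives no number), and the live measurement only compiles on x86, where <cpuid.h> and <x86intrin.h> are available.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#endif

/* Assumption: heuristic threshold. Native CPUID costs on the order of a hundred
 * cycles; a trapped one (VMEXIT, hypervisor handler, re-entry) well over a thousand. */
#define CPUID_TRAP_THRESHOLD_CYCLES 1000u

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Sorts in place and returns the upper median; the median resists scheduling outliers. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    if (n == 0)
        return 0;
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Decision rule from the slide: execution under a hypervisor takes (much) longer. */
int cpuid_looks_trapped(uint64_t median_cycles, uint64_t threshold)
{
    return median_cycles >= threshold;
}

/* Times CPUID leaf 0 `n` times with RDTSC; fills `out` and returns n on x86, 0 elsewhere. */
size_t sample_cpuid_cycles(uint64_t *out, size_t n)
{
#ifdef HAVE_X86
    for (size_t i = 0; i < n; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        out[i] = t1 - t0;
    }
    return n;
#else
    (void)out;
    (void)n;
    return 0;
#endif
}

int main(void)
{
    enum { N = 2000 };
    static uint64_t samples[N];
    size_t got = sample_cpuid_cycles(samples, N);
    if (got == 0) {
        puts("not an x86 CPU; no CPUID timing available");
        return 0;
    }
    uint64_t med = median_u64(samples, got);
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)med,
           cpuid_looks_trapped(med, CPUID_TRAP_THRESHOLD_CYCLES)
               ? "likely virtualized" : "likely bare metal");
    return 0;
}
```

For an analysis VM this is the hardest signal to hide, because the VMEXIT happens regardless of how the guest is configured; a realistic defence is to accept it and to focus on the artifacts that can be removed.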
● Demonstration tool
● Determines how the current configuration exposes itself to malware
● Supports only Linux
● Tested in Ubuntu 16.04