topic CPUID-HyperCall detection of hardware virtual machine monitors by Microsoft in Intel vPro® Platform https://community.intel.com/t5/Intel-vPro-Platform/CPUID-HyperCall-detection-of-hardware-virtual-machine-monitors/m-p/315992#M3694 <P>Hi all! </P><P>&nbsp;</P> <P>&nbsp;</P> Microsoft has published a CPUID-HyperCall interface of interaction with VMMs, which are based on hardware virtualization.<P></P><P><B>Determining If Hypervisor Is Installed. Hypervisor-present bit</B> </P><P>&nbsp;</P>Before it uses any hypervisor interface functions, software should first determine whether it runs within a virtualized environment. On x64 platforms, software verifies that it runs within a virtualized environment by executing the CPUID instruction with an input (EAX register) value of 1. When the CPUID instruction is executed, code should check bit 31 of register ECX. Bit 31 is the hypervisor-present bit. If the <I>hypervisor-present bit</I> is set, the hypervisor is present. In a non-virtualized environment, the hypervisor-present bit is clear.<P></P><P>I have several concerns.</P><P></P><UL><LI>I wonder if vendors will support this mechanism.</LI><LI>Will malware writers follow this rule?</LI><LI>Will it work for nested virtualization (eg. some legal VMMs and one malware VMM)?</LI><LI>Is it possible to prevent cheating VMM IDs?</LI></UL><P></P><P><A href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff538624">http://msdn.microsoft.com/en-us/library/windows/hardware/ff538624</A>(v=VS.85).aspx Determining If Hypervisor Is Installed</P><P></P><P></P><P>Igor Korkin</P><P><A href="http://sites.google.com/site/igorkorkin">sites.google.com/site/igorkorkin</A></P> Sun, 27 Nov 2011 13:16:00 GMT idata 2011-11-27T13:16:00Z CPUID-HyperCall detection of hardware virtual machine monitors by Microsoft https://community.intel.com/t5/Intel-vPro-Platform/CPUID-HyperCall-detection-of-hardware-virtual-machine-monitors/m-p/315992#M3694 <P>Hi all! </P><P>&nbsp;</P> <P>&nbsp;</P> Microsoft has published a CPUID-HyperCall interface of interaction with VMMs, which are based on hardware virtualization.<P></P><P><B>Determining If Hypervisor Is Installed. Hypervisor-present bit</B> </P><P>&nbsp;</P>Before it uses any hypervisor interface functions, software should first determine whether it runs within a virtualized environment. On x64 platforms, software verifies that it runs within a virtualized environment by executing the CPUID instruction with an input (EAX register) value of 1. When the CPUID instruction is executed, code should check bit 31 of register ECX. Bit 31 is the hypervisor-present bit. If the <I>hypervisor-present bit</I> is set, the hypervisor is present. In a non-virtualized environment, the hypervisor-present bit is clear.<P></P><P>I have several concerns.</P><P></P><UL><LI>I wonder if vendors will support this mechanism.</LI><LI>Will malware writers follow this rule?</LI><LI>Will it work for nested virtualization (eg. some legal VMMs and one malware VMM)?</LI><LI>Is it possible to prevent cheating VMM IDs?</LI></UL><P></P><P><A href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff538624">http://msdn.microsoft.com/en-us/library/windows/hardware/ff538624</A>(v=VS.85).aspx Determining If Hypervisor Is Installed</P><P></P><P></P><P>Igor Korkin</P><P><A href="http://sites.google.com/site/igorkorkin">sites.google.com/site/igorkorkin</A></P> Sun, 27 Nov 2011 13:16:00 GMT https://community.intel.com/t5/Intel-vPro-Platform/CPUID-HyperCall-detection-of-hardware-virtual-machine-monitors/m-p/315992#M3694 idata 2011-11-27T13:16:00Z