Community
cancel
Showing results for 
Search instead for 
Did you mean: 
idata
Community Manager
940 Views

CPUID-HyperCall detection of hardware virtual machine monitors by Microsoft

Hi all!

 

 

Microsoft has published a CPUID-HyperCall interface of interaction with VMMs, which are based on hardware virtualization.

Determining If Hypervisor Is Installed. Hypervisor-present bit

 

Before it uses any hypervisor interface functions, software should first determine whether it runs within a virtualized environment. On x64 platforms, software verifies that it runs within a virtualized environment by executing the CPUID instruction with an input (EAX register) value of 1. When the CPUID instruction is executed, code should check bit 31 of register ECX. Bit 31 is the hypervisor-present bit. If the hypervisor-present bit is set, the hypervisor is present. In a non-virtualized environment, the hypervisor-present bit is clear.

I have several concerns.

  • I wonder if vendors will support this mechanism.
  • Will malware writers follow this rule?
  • Will it work for nested virtualization (eg. some legal VMMs and one malware VMM)?
  • Is it possible to prevent cheating VMM IDs?

http://msdn.microsoft.com/en-us/library/windows/hardware/ff538624(v=VS.85).aspx Determining If Hypervisor Is Installed

Igor Korkin

sites.google.com/site/igorkorkin

0 Kudos
0 Replies
Reply