11-27-2011 05:16 AM
Microsoft has published a CPUID-HyperCall interface of interaction with VMMs, which are based on hardware virtualization.
Determining If Hypervisor Is Installed. Hypervisor-present bit
Before it uses any hypervisor interface functions, software should first determine whether it runs within a virtualized environment. On x64 platforms, software verifies that it runs within a virtualized environment by executing the CPUID instruction with an input (EAX register) value of 1. When the CPUID instruction is executed, code should check bit 31 of register ECX. Bit 31 is the hypervisor-present bit. If the hypervisor-present bit is set, the hypervisor is present. In a non-virtualized environment, the hypervisor-present bit is clear.
I have several concerns.
- I wonder if vendors will support this mechanism.
- Will malware writers follow this rule?
- Will it work for nested virtualization (eg. some legal VMMs and one malware VMM)?
- Is it possible to prevent cheating VMM IDs?
http://msdn.microsoft.com/en-us/library/windows/hardware/ff538624(v=VS.85).aspx Determining If Hypervisor Is Installed