Since years researchers looks for method of discovery when a program is running inside a virtual machine. In a near future this could be even more important if virtualization rootkits will really start to spread.
Since November 2004 virtualization.info posted several articles about this topic:
- How to detect virtual machines softwares
- How an application can detect if is running inside a Microsoft Virtual PC virtual machine
- How an application can detect if is running inside a VMware virtual machine
Today the first methods posted, RedPill and scoopy_do, has been further developed and described in this new whitepaper: Detecting the Presence of Virtual Machines Using the Local Data Table:
The SIDT mechanism as implemented by Tobias Klein [1] and separately by Joanna Rutkowska [2] is a method for detecting the presence of a virtual machine environment. While the test is by no means thorough, it is an effective test for the presence of an emulated CPU environment on a single-processor machine. There are various problems with the implementation, however.
…
Our method is a variant on the SIDT process used by Redpill and scoopy_doo. We use the Local Descriptor Table (LDT) as a signature for virtualization. The LDT provides segmentation for operating privilege changes. It provides the base addresses, access rights, type, length, and usage information for each segment…