Codegurus.be - Detecting Virtual PC and/or VMWare

Visual C++

EN NL TR

The next program

How to detect Virtual PC or VMWare from your program

Detecting VMWare

The method to detect VMWare is well documented on the internet. It's pretty easy actually, you put value 10 (0x0A) in the ECX register and you put the magic value of 0x564D5868 in the EAX register. Then you read a dword from port 0x5658.

It can only be done in assembler and it's done like this :

mov eax, 0x564D5868 mov ecx, 10 // command for obtaining VMWare version information mov dx, 0x5658 in eax, dx

If VMWare is installed than this code will be executed correctly and the EBX register will contain the same magic value of 0x564D5868. If VMWare is not installed than on Linux and Windows NT an exception will occur because these operating systems don't allow direct port access. In DOS and Windows the read will succeed but EBX will remain unchanged.

This results in the following semi-C++ function (compatible with both Windows 9x and NT+) :

bool IsVMWare() { unsigned long _EBX; __try { __asm { // Run the magic code sequence push ebx mov eax, 0x564D5868 mov ebx, 0x8685D465 // Ensure EBX doesn't contain 0x564D5868 :) mov ecx, 10 // The command for obtaining VMWare version information mov dx, 0x5658 in eax, dx mov _EBX, ebx pop ebx }; } __except(1) { // An exception occured, we ain't in VMWare return false; } // The code was executed successfuly, check for the magic value return _EBX == 0x564D5868; }

Detecting Virtual PC

There are two ways to detect Microsoft's Virtual PC. Note: the methods described below have only been tested with Microsoft Virtual PC 2004 Trial.

Microsoft delivers add-on tools for enabling extra features on the Virtual PC. These add-on tools fail to install on a read processor, this comes because Microsoft has put a DLL named vmcheck.dll within the installation file. This DLL is placed in your TEMP-directory during the installation process. This DLL exports a single function with the name "IsRunningInsideVirtualMachine".

Here I present a function that detects Virtual PC using this DLL, the DLL is loaded dynamicly so the program will start even if DLL isn't available :

bool IsVirtualPC() { // Load the library HMODULE dll = LoadLibrary("c:\\vmcheck.dll"); if(dll == NULL) return false; // The library has been loaded, get the function address BOOL (WINAPI *fnIsRunningInsideVirtualMachine)() = (BOOL (WINAPI *)()) GetProcAddress(dll, "IsRunningInsideVirtualMachine"); // Execute the function BOOL retValue = FALSE; if(fnIsRunningInsideVirtualMachine != NULL) retValue = fnIsRunningInsideVirtualMachine(); // We no longer need the DLL, release it FreeLibrary(dll); return retValue != FALSE; }

If you don't want to use this DLL than you can use the code below (tested only with Microsoft Virtual PC 2004 Trial). This assembler code doesn't make much sense on a real-processor, so it will crash programs not running inside Virtual PC :

bool IsVirtualPC() { __try { __asm { // Execute the magic code sequence mov eax, 1 db 0fh aas pop es or eax, edi inc ebp cld dd 0ffffffffh }; } __except(1) { // An exception occured, we ain't in Virtual PC return false; } // We succeeded, we're Virtual PC emulated return true; }

Demo program

I've created a small test project for the routines showed above (with source code publicly available). As an extra, the program will also detect if you are running this 32-bit program under a 64-bit version of Windows. Here's a screenshot of it running on a real processor using the Evaluation Edition of Windows XP 64-Bit Edition :

Download

You can download a project showing the detection methods described above here (compressed ZIP files) :

The source code of Host Detection 3
The executable version of Host Detection 3

If you use this code, please acknowledge me by putting a link inside your code to this page, thank you!

NOTE: All the required files are included in the source code file in order to compile succesfully

Contact

If you have questions or remarks about this article or its contents, then feel free to contact me at <fibergeek @ codegurus.be>. Don't forget to remove the white spaces or the e-mail won't arrive.

Also, the demo code contains a function IsSomethingUnknown( ), if you are able to execute this routine successfully, please contact me and let me know what kind of emulator you were using.

External links

VMWare
Virtual PC

The previous program

Home

The next program