From: "Kevin F. Quinn"
Date: Fri, 7 Jul 2006 01:21:14 +0200
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
Message-ID: <20060707012114.4a4a0c44@c1358217.kevquinn.com>
In-Reply-To: <20060706204640.GA28903@aplik.cl>
References: <1152168950.6324.302.camel@aragorn> <20060706204640.GA28903@aplik.cl>

On Thu, 6 Jul 2006 16:46:40 -0400 Daniel Serpell wrote:
> But there is a way to detect virtual machines under x86, see
> http://invisiblethings.org/papers/redpill.html
>
> But if you run qemu without direct instruction copying, it won't
> work (and qemu will run slower), because qemu will correctly
> emulate the unprivileged instructions.
Out of interest, sidt returns limit:base 07ff:c0372000 on my host, and
07ff:f0050000 on a linux guest with kqemu, and 07ff:c04b5000 on the same
linux guest without kqemu, which illustrates the point. I used the
following code:

#include <stdio.h>

int main(int argc, char **argv)
{
    /* Image SIDT stores in 32-bit mode: 16-bit limit, then 32-bit base,
     * both little-endian */
    unsigned char idtr[6];

    /* gcc inline asm: store the IDT register into the buffer */
    __asm__ ("sidt %0" : "=m" (*&idtr));

    /* Print limit then base, reversing the little-endian byte order */
    fprintf(stdout, "IDTR: limit %2.2x%2.2x base %2.2x%2.2x%2.2x%2.2x\n",
            idtr[1], idtr[0], idtr[5], idtr[4], idtr[3], idtr[2]);
    return 0;
}

which doesn't need executable heap (my kernel is PaX-enabled), unlike the
redpill version, but is gcc-specific.

-- 
Kevin F. Quinn
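As an added example (not Kevin's code nor QEMU's), a decoder for the raw bytes that SIDT stores, which makes the little-endian limit/base layout the byte reordering above relies on explicit; it goes beyond the message by also accepting the 10-byte image a 64-bit SIDT writes, which the 6-byte buffer above would not hold. The sample bytes are constructed from the 07ff:c0372000 host value quoted in the message.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed form of the IDTR image that SIDT writes to memory. */
struct idtr_image {
    uint16_t limit;
    uint64_t base;
};

/* Decode the bytes SIDT stores: a little-endian 16-bit limit followed by a
 * little-endian base that is 4 bytes in 32-bit mode (len == 6) and 8 bytes
 * in 64-bit mode (len == 10). Returns 0 on success, -1 on a bad length. */
int decode_idtr(const unsigned char *raw, size_t len, struct idtr_image *out)
{
    size_t base_len;

    if (len == 6)
        base_len = 4;
    else if (len == 10)
        base_len = 8;
    else
        return -1;

    out->limit = (uint16_t)(raw[0] | (raw[1] << 8));
    out->base = 0;
    for (size_t i = 0; i < base_len; i++)
        out->base |= (uint64_t)raw[2 + i] << (8 * i);
    return 0;
}

/* Constructed sample: limit 07ff, base c0372000 (the host value quoted in
 * the message) as the 6 bytes a 32-bit SIDT would store. */
static const unsigned char sample_host32[6] = {
    0xff, 0x07, 0x00, 0x20, 0x37, 0xc0
};

int main(void)
{
    struct idtr_image img;

    if (decode_idtr(sample_host32, sizeof sample_host32, &img) != 0)
        return 1;
    printf("IDTR: limit %04" PRIx16 " base %08" PRIx64 "\n", img.limit, img.base);
    return 0;
}
```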