/usr/share/perl5/ImVirt/VMD/PillBox.pm is in libimvirt-perl 0.9.6-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 | # ImVirt - I'm virtualized?
#
# Authors:
# Thomas Liske <liske@ibh.de>
#
# Copyright Holder:
# 2009 - 2012 (C) IBH IT-Service GmbH [http://www.ibh.de/]
#
# License:
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this package; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
package ImVirt::VMD::PillBox;
use strict;
use warnings;
use ImVirt;
use ImVirt::Utils::helper;
ImVirt::register_vmd(__PACKAGE__);
#
# The detection heuristic is based on:
#
# [1] "Red Pill... or how to detect VMM using (almost) one CPU instruction"
# Joanna Rutkowska
# http://invisiblethings.org/papers/redpill.html
#
# [2] "Detecting the Presence of Virtual Machines Using the Local Data Table"
# Danny Quist, Val Smith
# http://www.offensivecomputing.net/files/active/0/vm.pdf
#
# [3] "Methods for Virtual Machine Detection"
# Alfredo Andrés Omella
# http://www.s21sec.com/descargas/vmware-eng.pdf
#
# [4] "ScoopyNG - The VMware detection tool"
# Tobias Klein
# http://www.trapkit.de/research/vmm/scoopyng/index.html
sub detect($) {
ImVirt::debug(__PACKAGE__, 'detect()');
my $dref = shift;
if (my $pb = helper('pillbox')) {
my %pb = split(/,/, $pb);
# pillbox was bound to one cpu - if we got different
# IDTR/GDTR values, we are virtualized (so the HVM
# did schedule us on a different physical cpus) or
# our cpu has been taken offline.
ImVirt::inc_pts($dref, IMV_PTS_MAJOR, IMV_VIRTUAL)
if (exists($pb{'idt2'}) || exists($pb{'gdt2'}));
ImVirt::inc_pts($dref, IMV_PTS_NORMAL, IMV_VIRTUAL)
if ((($pb{'idt'} & 0xffff) > 0xd000) &&
(($pb{'gdt'} & 0xffff) > 0xd000)); # [1]
ImVirt::inc_pts($dref, IMV_PTS_MINOR, IMV_VIRTUAL)
if ($pb{'ldt'} > 0); # [2]
ImVirt::inc_pts($dref, IMV_PTS_MINOR, IMV_VIRTUAL, '|VMware')
if ($pb{'tr'} == 0x4000); # [3]
ImVirt::inc_pts($dref, IMV_PTS_MINOR, IMV_VIRTUAL, '|VMware')
if ($pb{'idt'} >> 24 == 0xff); # [4]
ImVirt::inc_pts($dref, IMV_PTS_MINOR, IMV_VIRTUAL, '|VMware')
if ($pb{'gdt'} >> 24 == 0xff); # [4]
}
}
sub pres() {
return ('|VMware');
}
1;
|