C - Convenient way to check if system is a virtual machine?

Question

I'm trying to check if Linux system is running on virtual or physical machine.

My current solution is:

void check_vm() {
   FILE *fp;
   char hyperv[] = "hypervisor";   // /proc/cpuinfo should contain 'hypervisor' if the system is a virtual machine 
   char buffer[255];

   fp = popen("cat /proc/cpuinfo | grep -o 'hypervisor'","r");
   fgets(buffer,255,fp);
   if (strstr(buffer,hyperv) != NULL) {
      printf("Virtual Machine = True\n");
   } else {
      printf("Virtual Machine = False\n");
   }
   pclose(fp); }

The question is: Can I actually rely on output of
cat /proc/cpuinfo | grep -o 'hypervisor' cat /proc/cpuinfo | grep -o 'hypervisor' , or is there a better/more convenient way to check if the system is a virtual machine?

Thanks!

Answer 1

Virtual machines are designed as complete sandboxes; that is, they are designed such that the operating system within them operates in exactly the same manner as if it were running directly on a physical machine.

This means that, through memory address translation, hardware simulation, and other means, the operating system within the VM is tricked into thinking that it is running directly on a physical machine.

If cat /proc/cpuinfo | grep -o 'hypervisor' cat /proc/cpuinfo | grep -o 'hypervisor' provides information that allows you to tell whether or not your OS is running inside a VM, that is certainly interesting but, as far as I know, not the norm. Typically, the CPU will be emulated as well.

I would expect that this is a VM-related feature; it should be consistent across all operating systems running that VM but not across all VMs.

Even if you could rely upon the output of this to determine whether or not you are in a virtual machine, this practice is highly discouraged and really defeats a huge reason for having VMs in the first place. The principle of virtualization poses a hypothetical question: what would happen if I were to run this software/OS on different hardware? and virtual machines answer that question, by simulating the hardware. Changing how software runs inside vs. outside a VM gives an incorrect answer to that question and would be extremely frustrating to people using your program. If this is a feature that you absolutely have to deliver, at least make it toggle-able, and off by default.

As far as I know, there is no reliable way to tell if you are running in a virtual machine across all architectures, operating systems, and VMs. And if there is, it would violate the basic principles of virtualization to use it.

Answer 2

The question is: Can I actually rely on output of cat /proc/cpuinfo | grep -o 'hypervisor' cat /proc/cpuinfo | grep -o 'hypervisor'

No. First off, that only works on x86/x86_64 CPUs. It relies on the hypervisor bit from the CPUID instruction, which is always 0 when not virtualized, but even when running in a VM it isn't necessarily 1. For example, qemu can be configured not to set it; I know because I've used this setting to work around software that tried to detect a VM.

or is there a better/more convenient way to check if the system is a virtual machine?

Not really. You could call CPUID yourself ( example ); at least that would work on machines without /proc/cpuinfo (like those runnig Windows), but it's still x86-specific and unreliable.

You could use red pill . It's also x86-only, but might be more reliable than depending on CPUID, assuming it still works.

You may also want to read up on blue pill .

It's probably not feasible to make a perfect hypervisor that is impossible to detect even with timing attacks, but over time it will likely also get harder and harder to detect a hypervisor which is meant to be stealthy (like blue pill). There is no magical am_i_on_a_virtualized_machine() function that is completely reliable, and never will be, but if you're willing to spend a lot of time trying you can combine multiple exploits, and keep adding new ones over time… over all, detection will probably have the advantage for the foreseeable future.