I suggest you make sure you're using the accelerator mode, which should put
qemu in "Virtualization" mode.
If you're doing full CPU emulation then the result you get was correct: you
weren't doing any virtualization inside qemu.
Thomas
> -----Original Message-----
> From: Jeff Epler [mailto:jepler@xxxxxxxxxxxxxx]
> Sent: March 18, 2006 12:01
> To: valsmith@xxxxxxxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: Generically Determining the Prescence of Virtual Machines
>
> I ran the code at the end of 'vm.pdf' inside qemu 0.8.0
> running a debian
> linux system. The host system was a single core amd64 machine running
> fedora linux. I believe that 'kqemu' acceleration may be in use, but
> I'm not sure.
>
> I modified the source code to use gcc-style inline assembly, e.g.,
> asm("sidt %0" : "=m" (m));
>
> Over 1000 runs, it consistently reported a native system,
> even though it
> is running under emulation.
>
> I don't feel that I was able to follow the paper, but I don't
> understand
> why this is claimed to detect (any) virtualization, as opposed to
> detecting some detail of vmware and virtual pc's emulation software.
> The results I got with qemu reinforce this impression.
>
> Jeff
> PS here's the output from the last run of the detection program:
> (transcribed, so there may be errors)
> (none):/mnt# ./a.out
> IDTR: ff 07 00 c0 44 c0
> GDTR: ff 00 80 d9 48 c0
> LDTR: 88 00 80 d9 48 c0
> Native machine detected.
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature