
View Full Version : SourPill VM Detector


TiGa
August 16th, 2007, 19:31
Here is a little program I made to help with VM detection.

It reads the CPU name and checks the average RDTSC timing of the CPUID instruction over 100000 executions.

CPUID takes around 350 cycles to execute on a native OS but around 2500-3500 cycles in a VM. It should also notice a timing difference if VMX is enabled and used on Intel CPUs, due to the TLB having to be partly rewritten.

The only thing I think could fool it is Blue Chicken in the New Blue Pill.

I hope it can be of use to somebody.
TiGa

LLXX
August 16th, 2007, 21:51
I ran it 4 times and got...

910
1033
1148
1025

...on a native OS. This is a Pentium 4 3.6 overclocked to 4.17GHz.

The instruction timing varies between processor models and clock rates (and maybe even between the same model and clock, but different stepping/revision) so "350 cycles to execute on a Native OS but around 2500-3500 cycles in a VM" is hardly a definitive measure.

TiGa
August 16th, 2007, 22:16
You're right, I should have specified something else. This is only an approximate measurement.
Results WILL vary from one run to the other but there is still a noticeable timing gap between native OS and VM.

You set your own baseline and then you can notice the difference between native OS and VM. This is why the app doesn't say "You are in a VM!". It is more a tool to help you draw your own conclusion.
BTW When I say you, I don't mean LLXX-you but the everybody you.

I've heard of this method from many papers I've read. The idea behind this is that if there is ever a Blue Pill for Intel CPUs, there should be an apparent-enough timing difference when the hypervisor handles the CPUID instruction.

I just thought it could be interesting to put in practice something I have only read about.

TiGa
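The measurement described in the first post (CPU name, then the average RDTSC cost of CPUID over many runs) together with the "set your own baseline" comparison from the reply above, written out as an added example for this thread. It is not the SourPill source linked later, and it assumes GCC or clang on x86 (cpuid.h and inline asm); the function names and the tenths-of-a-ratio helper are my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid (GCC/clang) */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* 1 on x86 builds where CPUID/RDTSC are available, 0 elsewhere. */
int timing_supported(void) { return HAVE_X86; }

/* Read the 48-byte processor brand string (CPUID leaves 0x80000002..4)
 * into out; writes "unknown" if those extended leaves are not available. */
void cpu_brand(char out[49]) {
#if HAVE_X86
    unsigned regs[4];
    for (unsigned leaf = 0; leaf < 3; leaf++) {
        if (!__get_cpuid(0x80000002u + leaf, &regs[0], &regs[1], &regs[2], &regs[3])) {
            strcpy(out, "unknown");
            return;
        }
        memcpy(out + 16 * leaf, regs, 16);   /* eax,ebx,ecx,edx in order */
    }
    out[48] = '\0';
#else
    strcpy(out, "unknown");
#endif
}

#if HAVE_X86
/* Both reads are volatile asm so the compiler keeps them in program order. */
static inline uint64_t rdtsc_now(void) {
    unsigned lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

static inline unsigned cpuid_leaf0(void) {
    unsigned a, b, c, d;
    __asm__ __volatile__("cpuid" : "=a"(a), "=b"(b), "=c"(c), "=d"(d) : "0"(0u) : "memory");
    return a ^ b ^ c ^ d;
}
#endif

/* Average TSC ticks spent in one CPUID (leaf 0) over `iterations` runs.
 * CPUID is a serialising instruction, so the two RDTSC reads bracket it
 * cleanly. Returns 0 on non-x86 builds or when iterations is 0. */
uint64_t cpuid_avg_cycles(unsigned iterations) {
#if HAVE_X86
    volatile unsigned sink = 0;   /* keeps CPUID's result observable */
    uint64_t total = 0;
    for (unsigned i = 0; i < iterations; i++) {
        uint64_t t0 = rdtsc_now();
        sink += cpuid_leaf0();
        uint64_t t1 = rdtsc_now();
        total += t1 - t0;
    }
    return iterations ? total / iterations : 0;
#else
    (void)iterations;
    return 0;
#endif
}

/* How many times slower `measured` is than a baseline the user recorded on the
 * same hardware running natively, in tenths (integer to avoid floating point).
 * Returns 0 when no baseline is given. */
unsigned gap_tenths(uint64_t measured, uint64_t baseline) {
    if (baseline == 0) return 0;
    return (unsigned)((measured * 10) / baseline);
}

/* Usage: ./sourpill_like [native_baseline_ticks] */
int main(int argc, char **argv) {
    char brand[49];
    cpu_brand(brand);
    uint64_t avg = cpuid_avg_cycles(100000);
    printf("CPU: %s\n", brand);
    printf("average CPUID cost over 100000 runs: %llu TSC ticks\n", (unsigned long long)avg);
    if (argc > 1) {
        uint64_t baseline = strtoull(argv[1], NULL, 10);
        unsigned g = gap_tenths(avg, baseline);
        printf("ratio to your native baseline: %u.%u x\n", g / 10, g % 10);
    }
    return 0;
}
```

As in the thread, the program only prints the number: the absolute figure depends on the processor model and clock, so the meaningful comparison is the ratio against a baseline you measured yourself on the same machine running natively, and individual runs will still fluctuate, which is why the average over many iterations is used.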

TiGa
August 17th, 2007, 23:34
It's so funny but I'm not laughing.
Quote:
// SourPill.cpp : Defines the entry point for the console application.
// by Maddy

It looks like somebody liked this program enough to try to take credit for it.
I sent the source to 1 person who asked for it in a pm and this is what I find a few hours later. Is there so much pride to gain by putting your name on top of 10 ASM lines?

Here is the source, before it gets skewered into something else:
http://rapidshare.com/files/49672454/SourPillWithSource.zip.html

That is a sour pill to swallow.

TiGa

LLXX
August 18th, 2007, 03:17
It's just a lame script kiddie.

Instruction timing with RDTSC has been around since RDTSC existed, so your code isn't that much of a new idea anyway...

TiGa
August 18th, 2007, 03:35
I know it is not something new, I know it's nothing extraordinary.
Even if it is only a stick-figure drawing, it doesn't leave a good feeling when somebody else tries to take credit for something you have done.

BTW I was searching for a way to disable the TSD bit flag. While searching everywhere in Google, I found this:
http://www.woodmann.com/forum/showthread.php?t=7122

Neitsa's driver is a good idea to counter RDTSC timing attacks, I was about to try to do the same thing.

--Late Addition--
I'd really appreciate if somebody could check this thread, the board requires 30 posts to just read the posts:
http://www.ryan1918.com/viewtopic.php?t=12728
I could only view the first line of the guy's posts through his profile but not the rest.
From those first lines, it seems the guy is exactly quoting me word for word. That is weird. I hope he corrected my typos.

I know it's a bit childish but I'm curious.
TiGa

LLXX
August 19th, 2007, 00:22
Quote:
[Originally Posted by TiGa;67860]I'd really appreciate if somebody could check this thread, the board requires 30 posts to just read the posts:
http://www.ryan1918.com/viewtopic.php?t=12728
I could only view the first line of the guy's posts through his profile but not the rest.
From those first lines, it seems the guy is exactly quoting me word for word. That is weird. I hope he corrected my typos.

I know it's a bit childish but I'm curious.
TiGa
Quote:
phpBB : Critical Error

Could not connect to the database
Haha, a little more digging around shows that he's just a script kiddie, as I suspected.

Site looks dead now

TiGa
August 19th, 2007, 13:53
Kids, these days, you know...

I think this was a case of "The internet is so big, he'll never find out, I'm a 1337 haxxorZ".
The internet is not that big.

I don't have psychic powers but I can predict that he'll lay low for a while or change his nickname then start again.
Get busted again then start again. Until puberty kicks in.

TiGa

ryan1918
August 23rd, 2007, 17:21
Quote:
[Originally Posted by LLXX;67870]Haha, a little more digging around shows that he's just a script kiddie, as I suspected.

Site looks dead now


My site isn't dead, and how am I a script kiddie?

JMI
August 23rd, 2007, 18:06
Yes. We know the site's not "dead".

http://www.ryan1918.com/?

I believe the "lame script kiddie" is a reference to "Maddy" mentioned in Post #4.

Regards,

blurcode
August 23rd, 2007, 18:07
Your site isn't dead but you need to upgrade your server hardware.
And I don't think you are Maddy (http://www.ryan1918.com/profile.php?mode=viewprofile&u=10746 user if I am correct), right?

ryan1918
August 23rd, 2007, 18:32
No, I am not Maddy, I am the owner of the site, ryan. It's actually a nice community for learning various things. Why do I need to upgrade my hardware?

blurcode
August 23rd, 2007, 19:16
To handle more database connections.
Quote:
phpBB : Critical Error

Could not connect to the database

ryan1918
August 23rd, 2007, 19:22
Quote:
[Originally Posted by blurcode;67984]To handle more database connections.



I have a dedicated server, I can have a couple thousand on at any one given time, You must have stumbled upon my site when I was upgrading a few things and adding some mods.

I didn't really bother to setup a page since it only was for an hour or so.

JMI
August 23rd, 2007, 19:33
I'm wondering if "It's actually a nice community on learning various things" if you have to have 30 Posts just to read information on the Threads?

And why are "members" like HTML allowed to exist and post at all, considering the content of his Posts related to this subject. Although I understand he was eventually banned, seems he was "way over the line" from the "get go."

But that's just "opinion." It's your forum and you can do whatever you want there.

Regards,

ryan1918
August 23rd, 2007, 20:13
I just added certain rules and enforced them. I believe that people should start becoming active and a part of the community before they get to leech from it. This doesn't give them a reason to spam or flood the board with useless crap either. If you really think about it that isn't many posts at all; it can take a few days and you could get access to everything very simply. If people don't, then they really shouldn't be part of the community.

blurcode
August 23rd, 2007, 20:49
Well, the users leech other people's work and post it as theirs just to overcome the 30-posts rule or be over the average. I don't say all do this, but it is a trend that never dies.

JMI, who is HTML?

JMI
August 24th, 2007, 00:29
I have no idea, nor do I care. I can only clearly discern the lack of maturity and basic intelligence in the poster's attitude and vocabulary.

Regards,

LLXX
August 24th, 2007, 01:39
Quote:
[Originally Posted by ryan1918;67990]I just added certain rules and enforced them. I believe that people should start becoming active and a part of the community before they get to leech from it. This doesn't give them a reason to spam or flood the board with useless crap either. If you really think about it that isn't many posts at all; it can take a few days and you could get access to everything very simply. If people don't, then they really shouldn't be part of the community.
Is that "leeching" really a problem?

ryan1918
August 24th, 2007, 02:00
Quote:
[Originally Posted by LLXX;67998]Is that "leeching" really a problem?


Sure it is, when you have over 40,000 people you want to stop the leeching!

TiGa
August 24th, 2007, 12:09
I don't want to add oil on the fire. You do whatever you want on your board with thousands and thousands of fully-contributing members to the community.
Quote:
[Originally Posted by Ryan1918]
Sure it is, when you have over 40,000 people you want to stop the leeching!

New announcement from Ryan's board:
Quote:

Okay I have decided registrations will be closed in 8 days!
Okay, so we are going to do some cleaning up around here, take out the bad seeds, anyone that doesn't want to help or do their fair share. I am going to be closing all registrations, BUT I am going to allow inviting still. I haven't decided how or who I will let invite members but hopefully you get in before it's too late! Also I will be purging all accounts with ZERO POSTS or anyone that doesn't have a VALID email address! Thanks a ton, enjoy!


Example of posts from a random user (really the first one I tried):
post #1 - ehehe
post #2 - repost ?
post #3 - lol ?
post #4 - lol ?
post #5 - nice

Average post length seems to be one word, a long message is a one-liner.

If I post 30 lol messages, am I instantly more mature and a productive member of the community?
If I make a $50 donation, am I an even better member of the community?

You should add a warning: "You need to post X messages first before obtaining the right to learn. This is not a school or a place to learn freely, it's a community."
I hope you saw the irony in that statement.

I don't even have 30 posts here and yet, I learned a lot here.
I don't need to write 200 lol posts before being able to learn.

This is my personal opinion. If it works well for you, I'm happy for you, keep it that way. May it live long and prosper.
TiGa

ryan1918
August 24th, 2007, 14:27
yeah and I banned a few people too..

JMI
August 24th, 2007, 15:21
And so have I. But we have far less need to ban people just for being ignorant and afflicted with "potty mouths." Such folks know that they will generally receive some "guidance" from one of our admins, and usually from me.

And I am compelled to point out that "so far" YOU haven't posted "anything" "useful" or made a single "contribution" to "our" community, except "justifications" for "your" policies on "your" Forum.

The "irony" is, that despite YOUR failure to "contribute" HERE, YOU are still freely allowed to actually READ the information contained on these Forums and were even permitted to become, and remain a member.

That's because, unlike "your" Forum, we follow the tradition of +Fravia, that information should be freely accessible on the net. People are free to come here and read information imparted by our members. And if they want to follow our Rules, they are free to post, even if, like YOU, their posts really add nothing "useful" to our community.

Regards,

Woodmann
August 24th, 2007, 22:17
Howdy,

I am at a loss to understand most of this thread.
I understand TiGa and his/her concerns.

What I don't understand is why "we" are overly concerned with ryan1918.com?

'Tis but another forum among the thousands out there.
So some "script kiddie" posted shit he stole.
I understand how TiGa would be pissed off BUT, in the grand scheme of things, I don't really understand what ryan1918.com is about.

From what I have read, which of course is limited, I see nothing more than threads with subjects that are ripped from other sites.

I see nothing that could be original, but of course I have not met the minimum posting guidelines so, I have no access to anything that might be original.
After you have spent some time there, you too will see it offers nothing that is not already mainstream knowledge.

TA TA, OBC

LLXX
August 24th, 2007, 22:20
Quote:
Sure it is, when you have over 40,000 people you want to stop the leeching!
A considerable portion of the bandwidth of your site comes from the numerous images that are downloaded (not many follow the "Use Opera and turn images off, duh" advice of +Fravia) on almost every page. Also, a forum description is not an announcement.

Another thing I'd like to point out is that
Quote:
I started this site to better help people learn and discuss telling them to go to google or such is NOT what I want, either help them or don't it's as simple as that.
is the sort of thing that tends to attract the brainless, immature idiots.

~~ I motion this thread be split and the appropriate portions sent to the off-topic subforum. ~~

Woodmann
August 24th, 2007, 22:52
Howdy,

I will do you one better LLXX. This waste of space is done.

TA TA, OBC

Woodmann
August 27th, 2007, 22:08
Howdy,

I have resurrected this thread because after 3 days of trying I cannot access ryan1918.com.

Have we been banned ? Does anyone else have access ? Does ryan not like us ? Who pissed him off ? Has his bandwidth usage increased since visiting here ? I need answers god damn it

I am very curious as to what has/is happening.

Luv, peace and hair grease, Woodmann

Kayaker
August 27th, 2007, 22:47
Maybe you were banned, I can view it. Trade ya..

ryan1918
August 28th, 2007, 00:46
Yep server hasn't been down since I got it but I did do a reboot for a ram upgrade..

ryan1918
August 28th, 2007, 00:47
If you still can't connect you might be using Firefox with Fasterfox, so it uses several connections. I have designed a script to ban them via iptables if they exceed xx connections, to prevent flooding httpd and such with bots..

TiGa
August 28th, 2007, 02:46
Since this is re-opened, just a thought for Ryan:

If this would have been a 30 posts minimum section, would you have made those 30 posts just to be able to say "My site isn't dead"?

Replace "My site isn't dead" by "Maddy didn't write this" and you will get some insights into my point-of-view about this rule of yours.

I don't seem to have been banned but as the "accidental initiator" of this whole debate, I'm pretty sure I would be one of the first to be "preemptively purged".

@Woodmann
Do you have that bot problem too?
Do you need a large bandwidth to accommodate unregistered readers?
Do you need a lot of space for all the attachments?
I don't want to start a "my server is better than yours" spin-off debate, I'm just curious.

TiGa

ryan1918
August 28th, 2007, 17:39
Quote:
[Originally Posted by TiGa;68138]Since this is re-opened, just a thought for Ryan:

If this would have been a 30 posts minimum section, would you have made those 30 posts just to be able to say "My site isn't dead"?

well being this is the only topic I posted in, yes?

Woodmann
August 28th, 2007, 19:10
Quote:
@Woodmann
Do you have that bot problem too?
Do you need a large bandwidth to accommodate unregistered readers?
Do you need a lot of space for all the attachments?
I don't want to start a "my server is better than yours" spin-off debate, I'm just curious.


Certain search bots are banned.

I don't have a bandwidth problem. People who come here come for a reason.
You won't find woodmann.com splattered all over search engine results.

This server has plenty of space. I bought a BIG hard drive. Plus I limit the attachment size and type so I don't have a bunch of shit like pictures wasting space.

I don't know the details of ryan1918's server. Mine does not have external throttle controls. I determine how many connections to allow based on the activity from the last seven years. His server may be different.

Woodmann

ryan1918
August 28th, 2007, 21:43
Well, I ran my site 3 years ago, and it's been up almost 2 years again now. But being the first type of site ever, and one of the original bot creators of GT (Global Threat) in 1998, I'm a bit more known. With that, and having a Honey Pot section where people's botnets are found daily, some people think they can drop my site and no one will see it, but it will get blocked and then they will have to get the net removed, so yeah, that's why I limit connections..