How can I detect (.NET or Win32) if my application is running in a virtual machine?
9 answers
#1
17
According to Virtual PC Guy's blog post "Detecting Microsoft virtual machines", you can use WMI to check the manufacturer of the motherboard. In PowerShell:
(gwmi Win32_BaseBoard).Manufacturer -eq "Microsoft Corporation"
#2
36
This is what I use:
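// Requires a reference to System.Management.
public static bool IsVirtualMachine()
{
    using (var searcher = new System.Management.ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
    using (var items = searcher.Get())
    {
        foreach (var item in items)
        {
            // Either property can be null; treat a missing value as an empty string.
            string manufacturer = (item["Manufacturer"]?.ToString() ?? "").ToLowerInvariant();
            string model = item["Model"]?.ToString() ?? "";

            // Microsoft hardware such as the Surface Pro also reports "Microsoft Corporation",
            // so the model must contain "VIRTUAL" as well.
            if ((manufacturer == "microsoft corporation" && model.ToUpperInvariant().Contains("VIRTUAL"))
                || manufacturer.Contains("vmware")
                || model == "VirtualBox")
            {
                return true;
            }
        }
    }
    return false;
}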
Edit 2014-12-02: Updated code so that it no longer detects a Microsoft Surface Pro as a VM. Thanks to Erik Funkenbusch for pointing this out.
Edit 2017-06-29: Updated code so that it also checks the value of the HypervisorPresent property.
Edit 2018-02-05: Removed check for the HypervisorPresent property since it's incorrect. This property could return true if running on the host O/S on a Hyper-V server.
#3
12
Here is an example of one way to do it. It only works with Microsoft's Virtual PC and VMWare, but it's a start: http://www.codeproject.com/KB/system/VmDetect.aspx
#4
3
Jay Abuzi showed the solution in PowerShell. Here's the same as a C# function:
using System.Management;

/// <summary>
/// Detect if this OS runs in a virtual machine
///
/// http://blogs.msdn.com/b/virtual_pc_guy/archive/2005/10/27/484479.aspx
///
/// Microsoft themselves say you can see that by looking at the motherboard via WMI
/// </summary>
/// <returns>false if it runs on a physical machine</returns>
public bool DetectVirtualMachine()
{
    bool result = false;
    const string MICROSOFTCORPORATION = "microsoft corporation";
    try
    {
        using (var searcher = new ManagementObjectSearcher("root\\CIMV2", "SELECT * FROM Win32_BaseBoard"))
        {
            foreach (ManagementObject queryObj in searcher.Get())
            {
                // Manufacturer can be null; compare case-insensitively.
                string manufacturer = queryObj["Manufacturer"]?.ToString() ?? "";
                result = manufacturer.ToLowerInvariant() == MICROSOFTCORPORATION;
            }
        }
        return result;
    }
    catch (ManagementException)
    {
        // WMI query failed: report "not a VM" rather than throwing.
        return result;
    }
}
#5
2
This C function will detect VM Guest OS: (Tested on Windows, compiled with Visual Studio)
#include <intrin.h>
#include <stdbool.h> // bool is not built in when compiling as C

bool isGuestOSVM(void)
{
    int cpuInfo[4];
    // CPUID leaf 1: bit 31 of ECX is the "hypervisor present" bit
    __cpuid(cpuInfo, 1);
    return (((unsigned int)cpuInfo[2] >> 31) & 1) == 1;
}
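Added example, not part of the original answer: the hypervisor-present bit only says that some hypervisor is running, so this code also reads CPUID leaf 0x40000000, whose EBX, ECX and EDX hold a 12-byte vendor signature. The function names and the signature table are this example's own choices; it assumes an x86/x64 CPU and builds with MSVC or GCC/Clang.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _MSC_VER
#include <intrin.h>
#define CPUID(leaf, r) __cpuid((int *)(r), (int)(leaf))
#else
#include <cpuid.h>
#define CPUID(leaf, r) __cpuid((leaf), (r)[0], (r)[1], (r)[2], (r)[3])
#endif

/* Build the 12-byte vendor signature from EBX, ECX, EDX of leaf 0x40000000. */
void hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    memcpy(out, regs, 12);
    out[12] = '\0';
}

const char *hv_name(const char *sig)
{
    static const char *const known[][2] = { /* this example's own selection */
        { "VMwareVMware", "VMware" },
        { "Microsoft Hv", "Hyper-V" },
        { "KVMKVMKVM",    "KVM" },
        { "VBoxVBoxVBox", "VirtualBox" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(sig, known[i][0]) == 0) return known[i][1];
    return "unknown hypervisor";
}

/* NULL when CPUID leaf 1 reports no hypervisor, otherwise a product name. */
const char *detect_hypervisor(void)
{
    uint32_t r[4];
    char sig[13];
    CPUID(1, r);
    if (!((r[2] >> 31) & 1)) return NULL; /* ECX bit 31 clear */
    CPUID(0x40000000u, r);
    hv_signature(r[1], r[2], r[3], sig);
    return hv_name(sig);
}

int main(void)
{
    const char *hv = detect_hypervisor();
    return puts(hv ? hv : "no hypervisor reported") < 0;
}
```

A result of "Hyper-V" does not prove a guest: a Hyper-V host's root partition sees the same bit and signature, which matches the HypervisorPresent caveat in answer #2.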
#6
1
For lower-level tests I recommend looking at ScoopyNG [1]. It is a collection of known low-level, well-working VM detection methods, albeit being a little dated.
If you really want to rely on other things, like installed tools (VM* Additions), these are much easier to "fake".
This [2] blog post also has a pretty nice overview, from low-level asm stuff to checking for specific DLLs, file paths and registry keys.
[1] http://trapkit.de/research/vmm/scoopyng/index.html
[2] http://securitykitten.github.io/vm-checking-and-detecting/
#7
0
The easiest way I found to figure out whether my C# app is running on a vmware VM or not is to check the MAC address of the NIC card(s). If it's a VMware VM it would always be: 00:50:56:XX:YY:ZZ
You may enumerate through the NICs as resolved here.
#8
0
// Requires: using System.Management;
public static bool isVirtualMachine()
{
    const string MICROSOFTCORPORATION = "microsoft corporation";
    const string VMWARE = "vmware";
    using (var searcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
    using (var items = searcher.Get())
    {
        foreach (var item in items)
        {
            // Check the Manufacturer (eg: vmware, inc); the property can be null
            string manufacturer = (item["Manufacturer"]?.ToString() ?? "").ToLowerInvariant();
            // Note: this also matches Microsoft-built hardware such as the Surface Pro
            if (manufacturer.Contains(MICROSOFTCORPORATION) || manufacturer.Contains(VMWARE))
            {
                return true;
            }
            // Also, check the model (eg: VMware Virtual Platform)
            if (item["Model"] != null)
            {
                string model = item["Model"].ToString().ToLowerInvariant();
                if (model.Contains(MICROSOFTCORPORATION) || model.Contains(VMWARE))
                {
                    return true;
                }
            }
        }
    }
    return false;
}
#9
0
This C++ code will detect VMware products such as Express, ESX, Fusion or Workstation
// VMWareDetector.cpp : Defines the entry point for the console application.
// Builds only as 32-bit x86 with Visual C++ (inline __asm is not available for x64).
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <conio.h>

void CheckVM(void);

int main()
{
    CheckVM();
    _getch();
    return 0;
}

void CheckVM(void)
{
    // Initialised so the checks below are well defined when the IN instruction faults
    unsigned int a = 0, b = 0;
    __try {
        __asm {
            // save register values on the stack
            push eax
            push ebx
            push ecx
            push edx
            // perform fingerprint
            mov eax, 'VMXh' // VMware magic value (0x564D5868)
            mov ecx, 0Ah    // special version cmd (0x0a)
            mov dx, 'VX'    // special VMware I/O port (0x5658)
            in eax, dx      // special I/O cmd
            mov a, ebx      // data
            mov b, ecx      // data (eax gets also modified
                            // but will not be evaluated)
            // restore register values from the stack
            pop edx
            pop ecx
            pop ebx
            pop eax
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {} // outside VMware the privileged IN raises an exception
    printf("\n[+] Debug : [ a=%x ; b=%u ]\n\n", a, b);
    if (a == 0x564D5868) { // is the value equal to the VMware magic value ('VMXh')?
        printf("Result : VMware detected\nVersion : ");
        if (b == 1)
            printf("Express\n\n");
        else if (b == 2)
            printf("ESX\n\n");
        else if (b == 3)
            printf("GSX\n\n");
        else if (b == 4)
            printf("Workstation\n\n");
        else
            printf("unknown version\n\n");
    }
    else
        printf("Result : Not Detected\n\n");
}