Amit Klein's security corner - guest http://securitygalore.com/site3/taxonomy/term/19 en On Windows Performance Counter Frequency, VMs and guest OSes http://securitygalore.com/site3/wpc-frequency-vm-os-matrix <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>The following table summarizes the values of Windows Performance Counter Frequency in various Windows guest OS and VM implementations. In all cases, Windows (8.x/10) was the host OS - do note that very different results may be obtained on non-Windows host OS. Data was gathered in Q3 2015 with current versions at that time.</p> <table align="left" border="3" cellpadding="1" cellspacing="1" height="193" width="1113"><thead><tr><th scope="row"> </th> <th scope="col">VMware player 7.0.0 build-2305329</th> <th scope="col">Oracle VirtualBox 4.3.28 r100309</th> <th scope="col">Microsoft Hyper-V 6.3.9600.16384</th> </tr></thead><caption>Guest OS and VM implementation (with Windows 8.x/10 as host OS)</caption> <tbody><tr><th scope="row">Win 10 64-bit</th> <td><span style="color:#008000;">3579545 (PMtimer)</span></td> <td><span style="color:#ff0000;">Nominal speed / 1024 (TSC)</span></td> <td><span style="color:#008000;">10000000 (synthetic  HPET)</span></td> </tr><tr><th scope="row">Win 8.1/8.0 Ent. 32-bit</th> <td><span style="color:#ff0000;">Turbo speed / 1024 (TSC-like)</span></td> <td><span style="color:#ff0000;">Nominal speed / 1024 (TSC)</span></td> <td><span style="color:#008000;">10000000 (synthetic  HPET)</span></td> </tr><tr><th scope="row">Win 7 Ent. 
SP1 32-bit</th> <td><span style="color:#008000;">10000000 (synthetic HPET)</span></td> <td><span style="color:#008000;">3579545 (PMtimer)</span></td> <td><span style="color:#008000;">10000000 (synthetic HPET)</span></td> </tr></tbody></table><p>In <span style="color:#008000;">green </span>- entries (combinations) that are detectable (as VM) using Windows Performance Counter Frequency.</p> <p>In <span style="color:#ff0000;">red </span>- entries (combinations) that are undetectable (as VM) using Windows Performance Counter Frequency.</p> <p><strong>ADDITION </strong>(January 2016): tested with Microsoft Azure hypervisor (host), guest operating system Windows Server 2012 R2 Datacenter, IE11 browser - the performance counter frequency is close to 10000000 (synthetic HPET) - the observed deviation was a few dozen Hz. So Microsoft Azure is detectable. Not a big surprise since Microsoft Azure hypervisor is said to be a customized version of Microsoft Hyper-V.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above clearfix"><h3 class="field-label">Tags: </h3><ul class="links"><li class="taxonomy-term-reference-0" rel="dc:subject"><a href="/site3/taxonomy/term/18" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">windows performance counter</a></li><li class="taxonomy-term-reference-1" rel="dc:subject"><a href="/site3/taxonomy/term/4" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">VM</a></li><li class="taxonomy-term-reference-2" rel="dc:subject"><a href="/site3/taxonomy/term/19" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">guest</a></li></ul></div> Mon, 05 Oct 2015 19:59:23 +0000 amit 18 at http://securitygalore.com/site3 http://securitygalore.com/site3/wpc-frequency-vm-os-matrix#comments