VM

Web-based virtual machine detection using the HTML5 Performance object

The Performance object in multiple browsers (Microsoft Edge, Microsoft Internet Explorer, Mozilla Firefox) leaks the Windows performance counter frequency (equivalent to physical CPU clock speed or virtual machine detection)

 

Advisory

Amit Klein

 

On Windows Performance Counter Frequency, VMs and guest OSes

The following table summarizes the values of the Windows Performance Counter Frequency in various Windows guest OS and VM implementations. In all cases, Windows (8.x/10) was the host OS. Note that very different results may be obtained on a non-Windows host OS. Data was gathered in Q3 2015 with the versions current at that time.

Web-based virtual machine detection with HTML5 features

Here's a quick and simple web-based heuristic to detect a virtual machine (not 100% accurate).

 

Observation 1

1.a A typical virtual machine configuration assigns a guest VM a single (HT) core. Clearly this is not 100% accurate, but in the case of large-scale virtualization (as is the case with sandboxing/research), it makes a lot of sense.

1.b A typical modern physical machine has multiple (HT) cores. I can't remember when I last saw a physical machine with a single core. Definitely not in the last 5 years.
