
A Simple Detection of Virtual Machine and Avoid the Detection.

2018-11-08 - Virtualization Technology

Recently, I found a way to detect a hypervisor’s presence as I was reading the AMD64 Architecture Programmer’s Manual. The algorithm is easy: set the function leaf to one (eax = 1), execute the cpuid instruction, and examine bit 31 of the ecx register. A set bit is a sufficient, but not a necessary, condition for the hypervisor’s presence: if the bit is set, a hypervisor is present, but a clear bit does not prove that there is none.

We may write a function in assembly like the following:

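xor eax,eax     ; eax = 0
inc eax         ; eax = 1, the function leaf
; cpuid also overwrites ebx, which most calling conventions expect a function to preserve
cpuid           ; returns the results in eax, ebx, ecx and edx
bt ecx,1fh      ; copy bit 31 of ecx into the carry flag
setc al         ; al = 1 if the bit is set, otherwise 0
ret

The return value is 8 bits wide and is stored in the al register.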

With the Microsoft Visual C++ compiler, we may write the check in C like the following:

#include <intrin.h>
int hypervisor_present(void) {
    int data[4];                                  /* eax, ebx, ecx, edx */
    __cpuid(data, 1);                             /* function leaf 1 */
    return _bittest((const long *)&data[2], 31);  /* bit 31 of ecx */
}

The function name hypervisor_present is arbitrary. Note that __cpuid and _bittest are compiler-specific intrinsics, so the code needs some revision before it can be used with other C compilers.

 

The simple way to avoid the detection is to change the configuration file of the virtual machine. For VMware virtual machines, you may open the .vmx file with Notepad++ and add one line of configuration to the bottom of the file:

hypervisor.cpuid.v0 = "FALSE"

By default, there is no such line in the configuration file, so guest software can detect the hypervisor’s presence in this way.
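For an analysis lab with many VMware guests, the setting above can be audited rather than checked by hand. The following is an added example, not code from the original post: it parses .vmx text and reports whether hypervisor.cpuid.v0 hides the bit. The function names and sample configurations are constructed, and it assumes that keys and TRUE/FALSE values are case-insensitive and that TRUE leaves the bit visible.

```python
import re
import sys

KEY = "hypervisor.cpuid.v0"  # the setting named in the post

# Assumed .vmx line syntax: key = "value"; quotes are treated as optional.
LINE_RE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text):
    """Return {lower-cased key: [values in file order]}, skipping # comments."""
    entries = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        if match:
            entries.setdefault(match.group(1).lower(), []).append(match.group(2))
    return entries


def hypervisor_bit_state(text):
    """Classify a .vmx file as 'hidden', 'exposed' or 'ambiguous'."""
    values = [v.strip().upper() for v in parse_vmx(text).get(KEY, [])]
    if not values:
        return "exposed"      # default per the post: no line, guest can detect
    if len(set(values)) > 1 or values[0] not in ("TRUE", "FALSE"):
        return "ambiguous"    # conflicting duplicates or an unexpected value
    # Assumption: TRUE is the counterpart of FALSE and leaves the bit visible.
    return "hidden" if values[0] == "FALSE" else "exposed"


# Constructed sample configurations (not taken from a real VM).
SAMPLE_DEFAULT = '.encoding = "UTF-8"\ndisplayName = "analysis-vm"\nmemsize = "2048"\n'
SAMPLE_HIDDEN = SAMPLE_DEFAULT + 'hypervisor.cpuid.v0 = "FALSE"\n'
SAMPLE_COMMENTED = SAMPLE_DEFAULT + '# hypervisor.cpuid.v0 = "FALSE"\n'
SAMPLE_CONFLICT = SAMPLE_HIDDEN + 'Hypervisor.CPUID.v0 = "TRUE"\n'

if __name__ == "__main__":
    # Usage: python vmx_audit.py path/to/a.vmx [more.vmx ...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            print(f"{path}: {hypervisor_bit_state(handle.read())}")
    if len(sys.argv) == 1:  # no files given: show the constructed samples
        for name in ("SAMPLE_DEFAULT", "SAMPLE_HIDDEN", "SAMPLE_COMMENTED", "SAMPLE_CONFLICT"):
            print(f"{name}: {hypervisor_bit_state(globals()[name])}")
```

A result of "ambiguous" means the file needs a manual look before the guest is trusted to hide the bit.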

3 thoughts on “A Simple Detection of Virtual Machine and Avoid the Detection.”

Dillon Westad

Aw, this was a really nice post. Taking the time and actual effort to generate a superb article… but what can I say… I procrastinate a lot and never seem to get nearly anything done.

Kathleen Mcfarling

Hello, neat post. There’s a problem together with your web site in Internet Explorer, would you check this? IE still is the market chief and a good portion of folks will omit your excellent writing because of this problem.

Delicia Anchondo

Excellent post. I was checking continuously this blog and I’m impressed! Very helpful information specifically the last part 🙂 I care for such information much. I was seeking this particular information for a long time. Thank you and good luck.
