libimvirt-perl 0.9.6-4 / usr / share / perl5 / ImVirt / VMD / PillBox.pm

This file is indexed.

/usr/share/perl5/ImVirt/VMD/PillBox.pm is in libimvirt-perl 0.9.6-4.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# ImVirt - I'm virtualized?
#
# Authors:
#   Thomas Liske <liske@ibh.de>
#
# Copyright Holder:
#   2009 - 2012 (C) IBH IT-Service GmbH [http://www.ibh.de/]
#
# License:
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this package; if not, write to the Free Software
#   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
#

package ImVirt::VMD::PillBox;

use strict;
use warnings;

use ImVirt;
use ImVirt::Utils::helper;

ImVirt::register_vmd(__PACKAGE__);

#
# The detection heuristic is based on:
#
# [1] "Red Pill... or how to detect VMM using (almost) one CPU instruction"
#      Joanna Rutkowska
#      http://invisiblethings.org/papers/redpill.html
#
# [2] "Detecting the Presence of Virtual Machines Using the Local Data Table"
#      Danny Quist, Val Smith
#      http://www.offensivecomputing.net/files/active/0/vm.pdf
#
# [3] "Methods for Virtual Machine Detection"
#      Alfredo Andrés Omella
#      http://www.s21sec.com/descargas/vmware-eng.pdf
#
# [4] "ScoopyNG - The VMware detection tool"
#      Tobias Klein
#      http://www.trapkit.de/research/vmm/scoopyng/index.html

sub detect($) {
    ImVirt::debug(__PACKAGE__, 'detect()');

    my $dref = shift;

    if (my $pb = helper('pillbox')) {
	my %pb = split(/,/, $pb);

	# pillbox was bound to one cpu - if we got different
	# IDTR/GDTR values, we are virtualized (so the HVM
	# did schedule us on a different physical cpus) or
	# our cpu has been taken offline.
	ImVirt::inc_pts($dref, IMV_PTS_MAJOR, IMV_VIRTUAL)
	 if (exists($pb{'idt2'}) || exists($pb{'gdt2'}));

	ImVirt::inc_pts($dref, IMV_PTS_NORMAL, IMV_VIRTUAL)
	 if ((($pb{'idt'} & 0xffff) > 0xd000) &&
	     (($pb{'gdt'} & 0xffff) > 0xd000)); # [1]

	ImVirt::inc_pts($dref, IMV_PTS_MINOR, IMV_VIRTUAL)
	 if ($pb{'ldt'} > 0); # [2]

	ImVirt::inc_pts($dref, IMV_PTS_MINOR, IMV_VIRTUAL, '|VMware')
	 if ($pb{'tr'} == 0x4000); # [3]

	ImVirt::inc_pts($dref, IMV_PTS_MINOR, IMV_VIRTUAL, '|VMware')
	 if ($pb{'idt'} >> 24 == 0xff); # [4]

	ImVirt::inc_pts($dref, IMV_PTS_MINOR, IMV_VIRTUAL, '|VMware')
	 if ($pb{'gdt'} >> 24 == 0xff); # [4]
    }
}

sub pres() {
    return ('|VMware');
}

1;

APT Browse - Built by Thomas Orozco.