pafish

Check if physical memory is < 1Gb

Open binsec-zz opened this issue 10 years ago • 1 comments

Hi, the < 1 Gb memory check detects my VMs with 1 Gb memory as "traced".

Is the number based on a bare metal memory amount?

gensandbox.c

return (statex.ullTotalPhys/1024) < 1048576 ? TRUE : FALSE;

As an example for WinXP:

I'm using VMware ESX set to 1 Gb, which allocates exactly 1048040 KB. I also checked my VirtualBox, 1 Gb, which also allocates exactly 1048040 KB.

So does bare metal 1 Gb actually show 1048576 to the OS, or does it show 1048040?

Maybe somebody can verify virtual vs physical (KB).

This could also be used as a flag, if VMs round off 1 Gb memory in a special way compared to physical. You could check 512, 1 Gb, 2 Gb etc. (if there is a mismatch).

Thanks

binsec-zz, Nov 18 '15 00:11

Hello!

Yes exactly, that number was just chosen because of this calculation: 1048576 / 1024 = 1024

So it could be that VMs are rounding up some bytes. I didn't try with a physical machine of 1GB but that could be an interesting test.

Just for completion, that value is stored in this structure: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366770(v=vs.85).aspx

ullTotalPhys: The amount of actual physical memory, in bytes.

Cheers!

a0rtega, Nov 18 '15 17:11
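A small measurement program for the comparison the thread asks about, added here as an example and not part of pafish or of either post. The function names `mem_check_flags` and `shortfall_kb` are hypothetical; on Windows it reads `ullTotalPhys` through `GlobalMemoryStatusEx`, and on other platforms it falls back to the 1048040 KB figure reported in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define ONE_GIB_KB 1048576ULL /* threshold from the quoted gensandbox.c line */

/* Same comparison as the quoted line: flagged when total KB < 1048576. */
int mem_check_flags(uint64_t total_phys_bytes) {
    return (total_phys_bytes / 1024) < ONE_GIB_KB ? 1 : 0;
}

/* KB the OS reports below a nominal size given in MB; 0 when not below. */
uint64_t shortfall_kb(uint64_t total_phys_bytes, uint64_t nominal_mb) {
    uint64_t nominal_kb = nominal_mb * 1024;
    uint64_t total_kb = total_phys_bytes / 1024;
    return total_kb < nominal_kb ? nominal_kb - total_kb : 0;
}

int main(void) {
    uint64_t total;
#ifdef _WIN32
    MEMORYSTATUSEX statex;
    statex.dwLength = sizeof(statex); /* must be set before the call */
    if (!GlobalMemoryStatusEx(&statex)) {
        fprintf(stderr, "GlobalMemoryStatusEx failed\n");
        return 1;
    }
    total = statex.ullTotalPhys;
#else
    /* Not on Windows: use the value both VMs in the thread reported. */
    total = 1048040ULL * 1024;
#endif
    /* Compare against the nominal sizes suggested in the thread. */
    const uint64_t nominal_mb[] = {512, 1024, 2048};
    printf("total: %llu KB, flagged: %d\n",
           (unsigned long long)(total / 1024), mem_check_flags(total));
    for (int i = 0; i < 3; i++)
        printf("below %llu MB by %llu KB\n",
               (unsigned long long)nominal_mb[i],
               (unsigned long long)shortfall_kb(total, nominal_mb[i]));
    return 0;
}
```

Running it on a 1 Gb guest and on 1 Gb bare metal gives the two KB figures the thread wants compared.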