rdtsc-cpuid-vm-check icon indicating copy to clipboard operation
rdtsc-cpuid-vm-check copied to clipboard

Published 20 hours ago verified publisher icon TheDuchy

Metadata

PoC that measures how long it takes the CPU to execute the CPUID instruction and reports if it suspects a VM. Works on both Windows and Linux.

tl;dr

The CPUID instruction takes a lot longer to execute in a VM than it does on bare-metal so we can measure it and confidently say if we are running inside of a VM or not. It is possible because a VM will need to call a VMEXIT to let the VMM execute the instruction bare-metal (and that takes time) or in case of emulators, it needs to manually move the data into the virtual registers (and that also takes time).

Metadata

21
Stars
5
Forks
Watchers

Owner

verified publisher icon TheDuchy

Metadata

PoC that measures how long it takes the CPU to execute the CPUID instruction and reports if it suspects a VM. Works on both Windows and Linux.

Back