VMAware
Does not detect intel-sde.
intel-sde is the Intel® Software Development Emulator (Intel® SDE). I have no idea how to detect it.
I've never heard of that piece of software if I'm honest. Can you give me more information such as what OS you used?
From a bit of research, there are a few ways to detect Intel-SDE from the looks of it. I can definitely try to add it and work on this, but it may take some time.
I used it on Windows. I developed an application that could detect the AVX512F instruction set, and if present, use it to speed up some cryptography operations. As my computer lacks AVX512, I used this tool to emulate a newer processor in order to test my software. I'm using the Windows Server 2022 x64 operating system.
Aaaand my computer itself is a virtual computer running in a Hetzner data center on top of KVM technology. And your tool provides an inconsistent report. But this might be a separate issue: https://github.com/kernelwernel/VMAware/issues/43.
Hi @MarekKnapek!
In the context of our project, which was originally designed to detect virtual machines and improve VM security, adding support for Intel SDE does not align with our primary goals. Our project is aimed at countering reverse engineering/spoofing efforts by identifying environments where software could be running in a virtualized or semi-virtualized context, isolated environments overall.
Intel SDE, however, is a CPU instruction set emulator used primarily for software development and testing, and is not a truly isolated environment (you can still access every resource from your host machine). While Intel SDE could theoretically be used by a reverse engineer, it is fundamentally different from a virtual machine or hypervisor in both its purpose and operation. Detecting the presence of Intel SDE does not directly contribute to identifying or countering virtual machines, which is the core objective of our project.
If you want a few possible detections, assuming you want them for Windows because of what you said in your last comment, you can detect it by scanning the memory of your own process (which will contain SDE-specific memory strings, such as SDE errors), process handles opened to your current process by "pin.exe", or following the chain of parent processes until you find a digitally signed process by Intel, which means some emulation program made by Intel invoked your process.
I do not recommend, however, attempting to detect the presence of Intel SDE by detecting the presence of specific CPU instruction sets that are not currently available in publicly available CPU instruction sets, or by running inline assembly that should behave differently on SDE and handling exceptions, because Intel SDE is often used by developers and researchers to prepare for instruction sets that Intel plans to release in future processors (which would mean the detection would not be reliable in a long-term scenario), and to test legacy and special-purpose instruction sets. Unless... you whitelist the instruction sets that every Intel CPU should have, and check whether the current environment contains them or not? There are possibly way more reliable ways of detecting it, good luck!
This is minor but even if the library won't add support for Intel SDE, you can still customise it for your tailored requirements with VM::add_custom() to integrate Intel SDE detection techniques to the lib. Producing those detections is a different story, however. But I figured it's worth mentioning this.
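The parent-chain check suggested in the thread, sketched as an added example that is not part of the thread or of VMAware's code: it walks a process's ancestors over a constructed snapshot and stops on missing parents or PID-reuse loops. The `ProcInfo` layout, the signer string "Intel Corporation" and the sample process tree are assumptions; on Windows the rows would come from a process snapshot plus Authenticode verification of each image.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>

// One row of a process snapshot (hypothetical layout). On Windows the
// pid/ppid/image fields would come from a Toolhelp32 snapshot and `signer`
// from Authenticode verification of the image file.
struct ProcInfo {
    std::uint32_t ppid;
    std::string image;
    std::string signer;   // empty = unsigned or verification failed
};
using Snapshot = std::map<std::uint32_t, ProcInfo>;

// Walk from `pid` towards the root and return the image name of the first
// ancestor whose signer equals `vendor`, or "" if there is none.
std::string find_signed_ancestor(const Snapshot& snap, std::uint32_t pid,
                                 const std::string& vendor) {
    auto self = snap.find(pid);
    if (self == snap.end()) return "";
    std::set<std::uint32_t> seen{pid};
    std::uint32_t cur = self->second.ppid;
    while (seen.insert(cur).second) {      // stop on a loop (PID reuse)
        auto it = snap.find(cur);
        if (it == snap.end()) break;       // parent has already exited
        if (it->second.signer == vendor) return it->second.image;
        cur = it->second.ppid;
    }
    return "";
}

// Constructed sample data: cmd.exe -> sde.exe -> pin.exe -> app.exe,
// plus a stale-PPID loop and a process whose parent is gone.
Snapshot sample_snapshot() {
    return {
        {4,    {0,    "System",     "Microsoft Windows"}},
        {812,  {4,    "cmd.exe",    "Microsoft Windows"}},
        {1500, {812,  "sde.exe",    "Intel Corporation"}},
        {1520, {1500, "pin.exe",    "Intel Corporation"}},
        {1544, {1520, "app.exe",    ""}},
        {2000, {2001, "a.exe",      ""}},
        {2001, {2000, "b.exe",      ""}},
        {3000, {9999, "orphan.exe", ""}},
    };
}
```

The recorded parent ID is only a hint: Windows does not clear it when the parent exits and the PID is reused, so a real check should also compare process creation times before trusting a link.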