In this series we’ll document a novel and as-yet-undocumented Virtual Machine detection trick for each month of 2021. These detection tricks will be focused on 64-bit Windows 10 or Windows Server 2019 guests, targeting a variety of VM platforms.

Physical memory resource maps

By far the most ubiquitous source of discrepancies between VMs and real hardware is the virtualized hardware façade that is presented by the VM platform. To kick off this series, we’re going to take a look at system resource maps. These lists are available to unprivileged users via the Windows registry, in the following paths:

HKLM\Hardware\ResourceMap\System Resources\Loader Reserved\
HKLM\Hardware\ResourceMap\System Resources\Physical Memory\
HKLM\Hardware\ResourceMap\System Resources\Reserved\

The DACLs on these keys are permissive, allowing read access by everyone, including low integrity processes.

If you take a look at the values in these keys, in regedit, you might notice they are of an unfamiliar type.

The REG_RESOURCE_LIST key type isn’t a general-purpose data type. It is specifically for device driver resource lists.

A convenient way to query these, without needing to know what the value of the REG_RESOURCE_LIST constant is on your particular target system, is to call RegQueryValueEx on the registry value with the lpData parameter set to NULL. This causes the type constant and length to be returned in the lpType and lpcbData parameters respectively:

HKEY hKey = NULL;
LPTSTR pszSubKey = "Hardware\\ResourceMap\\System Resources\\Physical Memory";
LPTSTR pszValueName = ".Raw";
DWORD dwLength = 0;
DWORD dwType = 0;
RegOpenKey(HKEY_LOCAL_MACHINE, pszSubKey, &hKey);
RegQueryValueEx(hKey, pszValueName, 0, &dwType, NULL, &dwLength);

This tells you what the REG_RESOURCE_LIST type constant is, and how much space you need to allocate when reading the value.

The structure of this data type is defined in CM_RESOURCE_LIST:

typedef struct _CM_RESOURCE_LIST {
ULONG Count;
CM_FULL_RESOURCE_DESCRIPTOR List[1];
} CM_RESOURCE_LIST, *PCM_RESOURCE_LIST;

Digging down a few levels of nested structures, we eventually find that the meat of the information is stored in an array of CM_PARTIAL_RESOURCE_DESCRIPTOR structures.

typedef struct _CM_PARTIAL_RESOURCE_DESCRIPTOR {
UCHAR Type;
UCHAR ShareDisposition;
USHORT Flags;
union {
struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Generic;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Port;
struct {
#if ...
USHORT Level;
/* ... */

This structure describes general-purpose descriptor that may contain a number of different fields, depending on the specific type of resource being described. The type, and by extension the union member of the struct we should look at, is specified by the Type field at the start of the structure.

The type of descriptor we are interested in is CmResourceTypeMemory (numeric value 3). This is used to describe physical memory resource regions. The structure is simple:

struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Memory;

By iterating through all of the descriptors, we can extract all of the memory resource map entries.

At this point we can extract and compare the memory resource maps from various physical hosts and VMs. The initial results are as follows.

Type OS/Platform Assigned RAM Physical Memory Translated Reserved Translated Loader Reserved Raw
Host 1 Win10 x64 N/A 00001000 – 0003e000

 

5acf6000 – 66e71000

 00001000 – 0003e000

 

00203000 – 00207000

00600000 – 00800000

 00000000 – 00101000

 

002f3000 – 002f8000

02600000 – 02800000

5a8cb000 – 5acf6000

fd000000 – fe800000
Host 2 Win10 x64 N/A 00001000 – 0009d000

 

cb52d000 – cb98c000

 00001000 – 0009d000 00000000 – 000a0000

 

cb526000 – cb52d000

fec00000 – fec01000
Host 3 Win10 x64
(w. Hyper-V)		 N/A 00001000 – 0009d000 00001000 – 0009d000

 

001f5000 – 001fe000

002fe000 – 003fe000

 00000000 – 000a0000

 

001f5000 – 001fe000

00293000 – 00297000

00875000 – 0095a000

0364c000 – 03675000

6929d000 – 7fa00000
Host 4 Win10 x64 N/A 00001000 – 00058000

 

b83ab000 – c8bed000

 00001000 – 00058000 00000000 – 00100000

 

00207000 – 0020b000

f0000000 – f8000000
VM1 Win10 x64
(Hyper-V)		 Dynamic 00001000 – 000a0000

 

f7fff000 – f8000000

 00001000 – 0001a000 00000000 – 0001a000

 

f6ecc000 – f6f1b000
VM2 Win10 x64
(Hyper-V)		 Dynamic 00001000 – 000a0000 00001000 – 000a0000 00000000 – 000a0000

 

7eee9000 – 7ef1b000
VM3 Win10 x64
(Hyper-V)		 2GB 00001000 – 000a0000 00001000 – 000a0000 00000000 – 000a0000

 

7eee9000 – 7ef1b000
VM4 Win10 x64
(VirtualBox)		 4GB 00001000 – 0009f000 00001000 – 00018000 00000000 – 00018000

 

00102000 – 00103000
VM5 Win10 x64
(VirtualBox)		 4GB 00001000 – 0009f000 00001000 – 00017000 00000000 – 00017000

 

00102000 – 00103000
VM6 Win8.1 x64
(VirtualBox)		 2GB 00001000 – 0009f000 00001000 – 0000e000 00000000 – 0000e000

 

000f0000 – 00100000
VM7 Win8.1 x64
(VirtualBox)		 10GB 00001000 – 0009f000 00001000 – 0000e000 00000000 – 0000e000

 

000f0000 – 00130000
VM8 Win7 x64
(VirtualBox)		 4GB 00001000 – 0009f000 00001000 – 00008000 00000000 – 00008000

 

00110000 – 00140000
VM9 Win7 x86*
(VirtualBox)		 2GB 00001000 – 0009f000

 

00100000 – 7fff0000

 00001000 – 00005000

 

00030000 – 00040000

 00000000 – 00005000

 

00030000 – 00040000

0009f000 – 000a0000

000f0000 – 00100000

7fff0000 – 80000000

fec00000 – fec01000

fee00000 – fee01000

fffc0000 – 100000000

The first clear finding is that VMs tend to have fewer map entries, particularly in the loader reserved key. The clear exception is the Win7 x86 VM – the only x86 entry in the table – which has many more regions than the rest in the rightmost column. This count distinction is unfortunately insufficient as a detection technique, as there is sufficient variation between hardware and platform to make this prone to false positives.

Looking a little more carefully, we can start to notice some more useful patterns:

  • All Hyper-V VMs have a Physical Memory Translated region matching 00001000 – 000a0000.
  • All VirtualBox VMs have a Physical Memory Translated region matching 00001000 – 009f000.
  • None of the host machines have Physical Memory Translated regions matching these addresses.
  • On both VirtualBox and Hyper-V, the lowest Reserved Translated memory region always perfectly overlaps the lowest Loader Reserved Raw memory region (e.g. 00001000 – 0000e000 becomes 00000000 – 0000e000).

By combining the overlapped region test with the known fixed region test for Hyper-V and VirtualBox, we can determine the status of the current system with confidence.

This check can be implemented in C as follows:

// system resources physical memory map VM detection trick
// written by Graham Sutherland (@gsuberland) for Nettitude
// based on prior work done as part of the al-khaser project
// https://github.com/LordNoteworthy/al-khaser/
// ref: https://blog.xpnsec.com/total-meltdown-cve-2018-1038/
// ref: https://gist.github.com/xpn/3792ec34d712425a5c47caf5677de5fe
// compile:
// cl.exe -DUNICODE -D_UNICODE vm_resource_check.c kernel32.lib advapi32.lib /W4 /link /out:vm_resource_check.exe
#include <stdio.h>
#include <Windows.h>
typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
#pragma pack(push,4)
typedef struct _CM_PARTIAL_RESOURCE_DESCRIPTOR {
UCHAR Type;
UCHAR ShareDisposition;
USHORT Flags;
union {
struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Generic;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Port;
struct {
#if defined(NT_PROCESSOR_GROUPS)
USHORT Level;
USHORT Group;
#else
ULONG Level;
#endif
ULONG Vector;
KAFFINITY Affinity;
} Interrupt;
struct {
union {
struct {
#if defined(NT_PROCESSOR_GROUPS)
USHORT Group;
#else
USHORT Reserved;
#endif
USHORT MessageCount;
ULONG Vector;
KAFFINITY Affinity;
} Raw;
struct {
#if defined(NT_PROCESSOR_GROUPS)
USHORT Level;
USHORT Group;
#else
ULONG Level;
#endif
ULONG Vector;
KAFFINITY Affinity;
} Translated;
} DUMMYUNIONNAME;
} MessageInterrupt;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Memory;
struct {
ULONG Channel;
ULONG Port;
ULONG Reserved1;
} Dma;
struct {
ULONG Channel;
ULONG RequestLine;
UCHAR TransferWidth;
UCHAR Reserved1;
UCHAR Reserved2;
UCHAR Reserved3;
} DmaV3;
struct {
ULONG Data[3];
} DevicePrivate;
struct {
ULONG Start;
ULONG Length;
ULONG Reserved;
} BusNumber;
struct {
ULONG DataSize;
ULONG Reserved1;
ULONG Reserved2;
} DeviceSpecificData;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length40;
} Memory40;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length48;
} Memory48;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length64;
} Memory64;
struct {
UCHAR Class;
UCHAR Type;
UCHAR Reserved1;
UCHAR Reserved2;
ULONG IdLowPart;
ULONG IdHighPart;
} Connection;
} u;
} CM_PARTIAL_RESOURCE_DESCRIPTOR, *PCM_PARTIAL_RESOURCE_DESCRIPTOR;
#pragma pack(pop,4)
typedef enum _INTERFACE_TYPE {
InterfaceTypeUndefined,
Internal,
Isa,
Eisa,
MicroChannel,
TurboChannel,
PCIBus,
VMEBus,
NuBus,
PCMCIABus,
CBus,
MPIBus,
MPSABus,
ProcessorInternal,
InternalPowerBus,
PNPISABus,
PNPBus,
Vmcs,
ACPIBus,
MaximumInterfaceType
} INTERFACE_TYPE, *PINTERFACE_TYPE;
typedef struct _CM_PARTIAL_RESOURCE_LIST {
USHORT Version;
USHORT Revision;
ULONG Count;
CM_PARTIAL_RESOURCE_DESCRIPTOR PartialDescriptors[1];
} CM_PARTIAL_RESOURCE_LIST, *PCM_PARTIAL_RESOURCE_LIST;
typedef struct _CM_FULL_RESOURCE_DESCRIPTOR {
INTERFACE_TYPE InterfaceType;
ULONG BusNumber;
CM_PARTIAL_RESOURCE_LIST PartialResourceList;
} *PCM_FULL_RESOURCE_DESCRIPTOR, CM_FULL_RESOURCE_DESCRIPTOR;
typedef struct _CM_RESOURCE_LIST {
ULONG Count;
CM_FULL_RESOURCE_DESCRIPTOR List[1];
} *PCM_RESOURCE_LIST, CM_RESOURCE_LIST;
struct memory_region {
ULONG64 size;
ULONG64 address;
};
struct map_key {
LPTSTR KeyPath;
LPTSTR ValueName;
};
/* registry keys for resource maps */
#define VM_RESOURCE_CHECK_REGKEY_PHYSICAL 0
#define VM_RESOURCE_CHECK_REGKEY_RESERVED 1
#define VM_RESOURCE_CHECK_REGKEY_LOADER_RESERVED 2
#define ResourceRegistryKeysLength 3
const struct map_key ResourceRegistryKeys[ResourceRegistryKeysLength] = {
{
L"Hardware\\ResourceMap\\System Resources\\Physical Memory",
L".Translated"
},
{
L"Hardware\\ResourceMap\\System Resources\\Reserved",
L".Translated"
},
{
L"Hardware\\ResourceMap\\System Resources\\Loader Reserved",
L".Raw"
}
};
/* parse a REG_RESOURCE_LIST value for memory descriptors */
DWORD parse_memory_map(struct memory_region *regions, struct map_key key)
{
HKEY hKey = NULL;
LPTSTR pszSubKey = key.KeyPath;
LPTSTR pszValueName = key.ValueName;
LPBYTE lpData = NULL;
DWORD dwLength = 0, count = 0, type = 0;;
DWORD result;
if ((result = RegOpenKeyW(HKEY_LOCAL_MACHINE, pszSubKey, &hKey)) != ERROR_SUCCESS)
{
printf("[X] Could not get reg key: %d / %d\n", result, GetLastError());
return 0;
}
if ((result = RegQueryValueExW(hKey, pszValueName, 0, &type, NULL, &dwLength)) != ERROR_SUCCESS)
{
printf("[X] Could not query hardware key: %d / %d\n", result, GetLastError());
return 0;
}
lpData = (LPBYTE)malloc(dwLength);
RegQueryValueEx(hKey, pszValueName, 0, &type, lpData, &dwLength);
CM_RESOURCE_LIST *resource_list = (CM_RESOURCE_LIST *)lpData;
for (DWORD i = 0; i < resource_list->Count; i++)
{
for (DWORD j = 0; j < resource_list->List[0].PartialResourceList.Count; j++)
{
if (resource_list->List[i].PartialResourceList.PartialDescriptors[j].Type == 3)
{
if (regions != NULL)
{
regions->address = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Start.QuadPart;
regions->size = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Length;
regions++;
}
count++;
}
}
}
return count;
}
#define VM_RESOURCE_CHECK_ERROR -1
#define VM_RESOURCE_CHECK_NO_VM 0
#define VM_RESOURCE_CHECK_HYPERV 1
#define VM_RESOURCE_CHECK_VBOX 2
#define VM_RESOURCE_CHECK_UNKNOWN_PLATFORM 99
int vm_resource_check(
struct memory_region *phys, int phys_count,
struct memory_region *reserved, int reserved_count,
struct memory_region *loader_reserved, int loader_reserved_count)
{
const ULONG64 VBOX_PHYS_LO = 0x0000000000001000ULL;
const ULONG64 VBOX_PHYS_HI = 0x000000000009f000ULL;
const ULONG64 HYPERV_PHYS_LO = 0x0000000000001000ULL;
const ULONG64 HYPERV_PHYS_HI = 0x00000000000a0000ULL;
const ULONG64 RESERVED_ADDR_LOW = 0x0000000000001000ULL;
const ULONG64 LOADER_RESERVED_ADDR_LOW = 0x0000000000000000ULL;
if (phys_count <= 0 || reserved_count <= 0 || loader_reserved_count <= 0)
{
return VM_RESOURCE_CHECK_ERROR;
}
if (phys == NULL || reserved == NULL || loader_reserved == NULL)
{
return VM_RESOURCE_CHECK_ERROR;
}
/* find the reserved address range starting
RESERVED_ADDR_LOW, and record its end address */
ULONG64 lowestReservedAddrRangeEnd = 0;
for (int i = 0; i < reserved_count; i++)
{
if (reserved[i].address == RESERVED_ADDR_LOW)
{
lowestReservedAddrRangeEnd = reserved[i].address + reserved[i].size;
break;
}
}
if (lowestReservedAddrRangeEnd == 0)
{
/* every system tested had a range starting at RESERVED_ADDR_LOW */
/* this is an outlier. error. */
return VM_RESOURCE_CHECK_ERROR;
}
/* find the loader reserved address range starting
LOADER_RESERVED_ADDR_LOW, and record its end address */
ULONG64 lowestLoaderReservedAddrRangeEnd = 0;
for (int i = 0; i < loader_reserved_count; i++)
{
if (loader_reserved[i].address == LOADER_RESERVED_ADDR_LOW)
{
lowestLoaderReservedAddrRangeEnd = loader_reserved[i].address + loader_reserved[i].size;
break;
}
}
if (lowestLoaderReservedAddrRangeEnd == 0)
{
/* every system tested had a range starting at LOADER_RESERVED_ADDR_LOW */
/* this is an outlier. error. */
return VM_RESOURCE_CHECK_ERROR;
}
/* check if the end addresses are equal. if not, we haven't detected a VM */
if (lowestReservedAddrRangeEnd != lowestLoaderReservedAddrRangeEnd)
{
return VM_RESOURCE_CHECK_NO_VM;
}
/* now find the type of VM by its known physical memory range */
for (int i = 0; i < phys_count; i++)
{
if (phys[i].address == HYPERV_PHYS_LO && (phys[i].address + phys[i].size) == HYPERV_PHYS_HI)
{
/* hyper-v */
return VM_RESOURCE_CHECK_HYPERV;
}
if (phys[i].address == VBOX_PHYS_LO && (phys[i].address + phys[i].size) == VBOX_PHYS_HI)
{
/* vbox */
return VM_RESOURCE_CHECK_VBOX;
}
}
/* pretty sure it's a VM, but we don't know what type */
return VM_RESOURCE_CHECK_UNKNOWN_PLATFORM;
}
int main()
{
DWORD count;
printf("[*] Getting physical memory regions from registry\n");
struct memory_region *regions[ResourceRegistryKeysLength];
int region_counts[ResourceRegistryKeysLength];
for (int i = 0; i < ResourceRegistryKeysLength; i++)
{
printf("[*] Reading data from %ws\\%ws\n",
ResourceRegistryKeys[i].KeyPath, ResourceRegistryKeys[i].ValueName);
count = parse_memory_map(NULL, ResourceRegistryKeys[i]);
if (count == 0)
{
printf("[X] Could not find memory region, exiting.\n");
return -1;
}
regions[i] = (struct memory_region *)malloc(sizeof(struct memory_region) * count);
count = parse_memory_map(regions[i], ResourceRegistryKeys[i]);
region_counts[i] = count;
for (DWORD r = 0; r < count; r++)
{
printf("[*] --> Memory region found: %.16llx - %.16llx\n",
regions[i][r].address, regions[i][r].address + regions[i][r].size);
}
}
int check_result = vm_resource_check(
regions[VM_RESOURCE_CHECK_REGKEY_PHYSICAL],
region_counts[VM_RESOURCE_CHECK_REGKEY_PHYSICAL],
regions[VM_RESOURCE_CHECK_REGKEY_RESERVED],
region_counts[VM_RESOURCE_CHECK_REGKEY_RESERVED],
regions[VM_RESOURCE_CHECK_REGKEY_LOADER_RESERVED],
region_counts[VM_RESOURCE_CHECK_REGKEY_LOADER_RESERVED]
);
switch (check_result)
{
case VM_RESOURCE_CHECK_ERROR:
printf("[X] Error occurred during VM check.\n");
break;
case VM_RESOURCE_CHECK_NO_VM:
printf("[-] No VM detected.\n");
break;
case VM_RESOURCE_CHECK_HYPERV:
printf("[+] Detected Hyper-V.\n");
break;
case VM_RESOURCE_CHECK_VBOX:
printf("[+] Detected VirtualBox.\n");
break;
case VM_RESOURCE_CHECK_UNKNOWN_PLATFORM:
printf("[+] Likely VM detected, but cannot identify platform. \n");
break;
default:
printf("[X] VM check returned unexpected value.\n");
break;
}
printf("\nDone.\n");
return 0;
}

That’s it for this month’s instalment of VM Detection Tricks. Stay tuned for part two in February.