
1//! # inside-vm
2//!
3//! Detect if code is running inside a virtual machine.
4//!
5//! > Only works on x86 and x86-64.
6//!
7//! ## How does it work
8//!
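//! Measure the average number of CPU cycles taken by a call to [`cpuid`](https://en.wikipedia.org/wiki/CPUID) and compare it to a threshold; if the value is high, assume the code is running inside a VM. This is a timing heuristic, so the result depends on the CPU and the hypervisor and should be treated as a hint, not as proof.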
10//!
11//! ## Quick Start
12//!
13//! ```
14//! use inside_vm::{inside_vm, inside_vm_custom, cpuid_cycle_count_avg};
15//!
16//! let inside = inside_vm();
17//! println!("inside vm: {}", inside);
18//!
19//! let inside = inside_vm_custom(5, 100, 5, 1200);
20//! println!("inside vm: {}", inside);
21//!
22//! let average_cpu_cyles = cpuid_cycle_count_avg(5, 100, 5);
23//! println!("average __cpuid cpu cycles: {}", average_cpu_cyles);
24//! ```
25//!
//! ## Credits
//!
//! <https://evasions.checkpoint.com/techniques/timing.html#difference-vm-hosts>
29
30use std::arch::x86_64::{CpuidResult, __cpuid, _rdtsc};
31
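/// Average the number of time-stamp-counter ticks that elapse around one `cpuid` call.
///
/// Takes `low + samples + high` timings, sorts them, drops the `low` smallest and
/// the `high` largest as outliers, and returns the integer mean of the `samples`
/// timings left in the middle. Returns `0` when `samples` is `0`.
///
/// Prefer `inside_vm::inside_vm()` or `inside_vm::inside_vm_custom()`.
///
/// The value is a timing measurement, not a fact about the platform: it varies
/// with the CPU and its load, and a hypervisor may influence both `cpuid` latency
/// and the time-stamp counter. Treat it as a hint, never as a security decision
/// on its own.
///
/// This function uses `unsafe` to execute the `rdtsc` and `cpuid` intrinsics.
///
/// # Panics
///
/// May panic if `low + samples + high` overflows `usize`.
///
/// ```
/// use inside_vm::cpuid_cycle_count_avg;
/// // perform 5 + 100 + 10 = 115 measurements
/// // discard 5 lowest and 10 highest measurements
/// // compute average over the 100 remaining measurements
/// let avg = cpuid_cycle_count_avg(5, 100, 10);
/// ```
pub fn cpuid_cycle_count_avg(low: usize, samples: usize, high: usize) -> u64 {
    let total = low + samples + high;
    let mut cycles: Vec<u64> = Vec::with_capacity(total);
    let mut cpuid = CpuidResult {
        eax: 0,
        ebx: 0,
        ecx: 0,
        edx: 0,
    };

    for _ in 0..total {
        // SAFETY: both intrinsics only read CPU state and touch no memory; `cpuid`
        // and `rdtsc` are assumed to be available on the x86-64 targets this file
        // is compiled for.
        let (start, end) = unsafe {
            let start = _rdtsc();
            cpuid = __cpuid(0);
            let end = _rdtsc();
            (start, end)
        };
        // The two reads are not guaranteed to be ordered (for example if the thread
        // moves between cores whose counters differ), so a plain `end - start` could
        // underflow and panic in builds with overflow checks. A saturated 0 simply
        // sorts into the low outliers.
        cycles.push(end.saturating_sub(start));
    }

    // SAFETY: `&cpuid` points at a live, aligned, initialized local.
    unsafe {
        // Without this volatile read the compiler could treat the `__cpuid` result
        // as dead and optimize the call away in release mode.
        let _ = std::ptr::read_volatile(&cpuid);
    }

    // Sort so the outliers sit at both ends, then keep only the middle `samples`.
    cycles.sort_unstable();
    let kept = &cycles[low..low + samples];

    // `max(.., 1)` avoids a division by zero when `samples` is 0.
    kept.iter().sum::<u64>() / std::cmp::max(samples as u64, 1)
}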
81
/// Report whether the averaged `cpuid` timing exceeds `threshold`.
///
/// Calls `cpuid_cycle_count_avg(low, samples, high)`, which performs
/// `low + samples + high` measurements, discards the `low` smallest and `high`
/// largest as outliers, and averages the remaining `samples`.
///
/// Returns `true` when that average is strictly greater than `threshold`,
/// otherwise `false`.
///
/// Example
/// ```
/// use inside_vm::inside_vm_custom;
/// let inside: bool = inside_vm_custom(5, 100, 5, 1_000);
/// ```
pub fn inside_vm_custom(low: usize, samples: usize, high: usize, threshold: u64) -> bool {
    let average = cpuid_cycle_count_avg(low, samples, high);
    // Strict comparison: an average exactly equal to the threshold is not flagged.
    average > threshold
}
98
/// Run the `cpuid` timing check with the crate's default parameters.
///
/// Same as `inside_vm_custom(5, 100, 5, 1_000)`: 5 low and 5 high outliers are
/// discarded, 100 samples are averaged, and the average is compared to 1000.
///
/// Example:
/// ```
/// use inside_vm::inside_vm;
/// let inside: bool = inside_vm();
/// ```
pub fn inside_vm() -> bool {
    // Defaults, named so the call below documents itself.
    const LOW_OUTLIERS: usize = 5;
    const SAMPLES: usize = 100;
    const HIGH_OUTLIERS: usize = 5;
    const THRESHOLD: u64 = 1_000;

    inside_vm_custom(LOW_OUTLIERS, SAMPLES, HIGH_OUTLIERS, THRESHOLD)
}
111
#[cfg(test)]
mod tests {
    use super::cpuid_cycle_count_avg;

    /// Checks that the default measurement stays under 1000 on the test machine.
    ///
    /// The outcome depends on the environment, so it is not a portable check.
    #[test]
    fn test_cpuid_cycle_count_avg() {
        // Same parameters as `inside_vm()`: 5 low outliers, 100 samples, 5 high outliers.
        let avg = cpuid_cycle_count_avg(5, 100, 5);
        // may fail if test is run on a VM
        assert!(avg < 1000);
    }
}