by rwmj 65 days ago
Testing if you're running under virtualization or emulation is a whole thing. We wrote virt-what to do this for virt and containers. It could do emulators as well if someone was motivated enough. It's basically a giant shell script. https://people.redhat.com/~rjones/virt-what/

There's also an adversarial aspect to this. Some emulators try to avoid detection and a lot of software tries to detect if it's running under virt for various reasons, eg. to stop cheating in games or stop reverse-engineering. (virt-what is deliberately not adversarial, it's very easy to "trick" it if you wanted to do that)


Makes sense; when I was doing WGU they explicitly forbade virtual machines, which makes enough sense since if you're in a VM they can't see your full screen. It wouldn't surprise me if nowadays they have some sort of software detector to see if you're in a VM.
There are detectors for VMs, and modifications to allow VMs to evade those detectors. It's an arms race.

Example: There is (was? I don't actively follow the community) a patch set for a particular piece of VM software that made it undetectable to anti-cheat in games.

While I don't use said software (I have a casual interest in it only...would be nice to get more games working on Linux), I have to disclose that I'm against anti-cheat mechanisms. I'm a software engineer, and I've worked on a few smaller games, and know the overall structure of bigger ones, and I don't think I've ever seen a game use good practices in multiplayer. Instead, they usually rely on client side code and lean on anti-cheat software to stop cheaters.

> when I was doing WGU they explicitly forbid virtual machines,

What's WGU in this context?

> which makes enough sense since if you're in a VM they can't see your full screen

Presumably they also can't see the screen of another device...

Sorry, Western Governors University. It's an online school.

When taking a test they have a proctor that's watching you on a webcam, and they make you pan the webcam around the room to ensure that there's no obvious way to cheat, and they make you share your screen to ensure you only have a browser running.

When I took final exams or industry certifications, I reported in-person to the Testing Center at community college. The center is custom built for secure proctoring exams. You check in with ID, you stash your watch, phone and wallet in a locker, and you use a secure computer in a monitored quiet room.

It’s perfect for all parties, and doesn’t intrude on your personal living space or devices.

> and they make you pan the webcam around the room to ensure that there's no obvious way to cheat, and they make you share your screen to ensure you only have a browser running.

Well that level of intrusiveness would just make me come up with something overly complicated just so I could prove that I could cheat if I wanted.

I think it's more about just trying to keep honest people honest. I could think of a dozen or so ways that I could have cheated, some more convoluted than others, but it's enough effort to where I don't seriously consider it, and I did all my exams legitimately.

That's why they make you share your screen; obviously there's plenty of ways to fool that but the goal is to make it so that cheating requires enough effort to where it's probably less effort just to study and do it right.

The proctors are bored college students or similar - you don’t have to do much to defeat it.

They just want to make it difficult enough to catch most.

Also: malware often tries to detect a VM or an emulator too, for example Windows Defender uses an emulator internally to detonate samples, and there are attempts by malware to detect this and change the behavior to something benign.
Way back in the early 90s Thunderbyte Antivirus' TBCLEAN would use the x86 trap flag to single step viruses up to the point where they restored the original entrypoint of the infected program, then write the "cleaned" program back to disk. They used the CPU single-step as a hack to alleviate needing to write an emulator.

The virus writer Priest figured out he could detect being run under single-stepping, and manipulate the stack and trap flag to re-vector control from TBSCAN to a destructive routine that trashes the user's hard disk (but otherwise just run normally when not in the presence of TBCLEAN).

He later used this idea as the basis for the "emulating tracer" (in Natas, for sure-- but I think present in some earlier code too-- I don't remember what, though) using single-step interrupt calls to trace through resident antivirus programs to find original BIOS and DOS interrupt vectors and "call past" them (to prevent detection and do stealth).

His tracer decoded the next instruction to detect every method by which the trap flag state could be leaked to or mutated by the traced code. He would emulate and step over any of these "privileged" instructions, presenting a sanitized state to the code under trace. It wasn't a full x86 emulator and could not have handled code that used trap-based anti-debug. That would have required a full emulator (and that way lies madness).

When VMware virtualized x86 I thought about Priest's code. Defender and other AV running samples under emulation makes me think about it too. So does this article.