Hiding that you use a VM

[Dennissimeau]

Hi guys,

For College we use a laptop and we make our tests with a program called QMP (question mark perception).

I used to use windows XP, but since I use W7 now, I can't use it anymore because the program only works with Vista and lower.

I already knew that QMP can detect VM's, (except Parallels for Mac OS X)
but I installed WVM and, indeed, I get : error: this program can't run within a Virtual Machine.

My question is: can I , in some way, hide that I am using the virtual machine ?


PS: I'm dutch, so don't mind my english please.

Greetings

Dennis

 

[huisinro]

This is interesting. Most of the time, the programs running inside a vm don't know at all about the virtual machine.

I am quite sure that QMP checks hardware of the machine, and if it dectects certain hardware are from those popular vm vendors, then consider the machine to be virtual. In Parallels's case, most likely, it doesn't include Parallel's hardware check, so it escapes.

This is a very tough case to bypass, unless you change hardware's vendors and IDs to something else. If you run "devmgmt.msc", and you will see many virtual devices.

In other words, I don't see any solution to this.

 

[Dennissimeau]

Well... I use a Apple intel Macbook Pro. For most of the programmes I can use OS X.

In VMware (another Apple virtual machine ) you can change some codes so the program can't monitor wether it's the real deal or a VM. Can't this also be done in MS' vm?

(those stupid engeneers of QMP...)

 

[huisinro]

Most probably, QMP did it on purpose, although I am not sure why it does not allow it to run inside vm. Perhaps, some license control?

If QMP uses the mechanism I described by checking PCI devicce IDs (look at Windows Registry, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI keys), then it's very difficult to do it. It all depends on how QMP detects virtual machines.

 

[jimbo45]

Hi there
I'm not a programming guru but you could probably do it like this

Create any old application which will run under QMP without a problem.

Now in the application dynamically attach / link / call the vm application and execute it.

The "Checker" program will still think you are running the "base " application --its very difficult to track "dynamically called" applications.


I'm sure a "C" programmer could sort out something for you.

Back in old IBM mainframe days it was simple in their old MVS / 370 "Assembler" language

you just did LINK EP= either a variable containing the program you wanted to attach or you passed a register (you could use 0 and 1 for parameters if my memory serves me correctly) containing the address of the variable having the value (or name) of the program you wanted to link to.

Windows must have something similar.

If you do get it to work the vm application will run without QMP's "sneak / tittletat ware" getting in the way as it will only be looking at your "original application".

We used to fool old fashioned hardened IBM sysprogs loads of times with the method I've outlined back when to run stuff they didn't want us to.


Cheers
jimbo

 

[Dennissimeau]

well..the reason that QMP win't let you work in a VM is that it creates a secured environment so you can't access a calculator or msn messenger...

I'm to willing to do this at all...but since it won't work with 7, I have to use XP.

I'm also a noob in programming... (even stronger, I can't) , but if you know the file who reflects that it is a VM, (I mean, the program QMP recognizes a VM by reading the files where is written if it's a VM or a real OS, is what I thought that was happening)

btw, in 7 you have the option to run in compatibility mode, it won't work with it, also some strange thing.

 

[huisinro]

not easy to make it to work if it detects hardware.

Just in case it uses very simple check, you can try to uninstall VPC Integration Components from XP vm Add/Remove programs, and check if QMP runs.

I highly doubt that it will do such a simple check, though.

 

[masterB]

You can dual boot Xp and 7 and it will solve the problem.

 

[johngalt]

Along the same lines, you could make a VHD out of an XP install for just that purpose....

 

[mckillwashere]

It could check several thing,
Bios,
Drivers,
Running Process's,
And Processor.

Just like a regular computer the VM uses a bios. If im not mistaken the bios says its made by the manufacture of the vm-software.
The drivers used in vms are made for use in vms and can be cross-referenced to distinguish wether its a vm or not.
Running process's such as vmwares vm-tools can let a program know its running in a vm.

It may even check the make of the processor since it uses an emulated processor.

I may be wrong about any of that some-one please let me know if i am.

 

[johngalt]

Without actually knowing anything about hte program, I cannot refute what you are saying, mckillwashere. It makes sense to me.

Or it could be performing some other check as well....

 

[mckillwashere]

Im installing xp pro sp3 into a vm to check the system info to see if i can find a solution for you.

 

[mckillwashere]

http://th34b1dn.com/7forums/for7.png

I saw multiple things that start Vmware. Even when I launched Astra it said this is running inside of a vm. Results may be incorrect.

Unless you can figure out a way to mask ALL 6 of them, I must say good luck uless if you re-write the program to ignore that check.

Note.
The vm is running with 512 mb of ram.
1 2.3 ghz processor
Fresh from install. No other programs installed.

The cd-rom is the only one i can think of a way to bypass and that is disabling the drive.
But I honestly believe it checks the bios.

McKillWasHere