VMware Communities
steffi2
Contributor
Contributor

Sorry, this application cannot run under a Virtual Machine

I've seen this application work under Parallels so can anybody tell me what the above error actually means?

It's the JAF program for the JAF Flasher which is admitadly a pretty specific piece of software.

Reply
0 Kudos
24 Replies
bgertzfield
Commander
Commander

They probably explicitly check for VMware, but don't explicitly check for Parallels.

Reply
0 Kudos
rcardona2k
Immortal
Immortal

>I've seen this application work under Parallels so can anybody tell me what the above error actually means?

It means the developer is a bonehead and put in an explicit check for virtualization, e.g. a blue pill check. If this software works in Parallels, there's a good chance bypassing that alert would make it work in Fusion and Workstation 6. Maybe the developer was pestered by user asking for support in a VM that s/he put in the alert in on-purpose? Either way it's a bad move. Your best bet is contacting the developer and asking for a workaround.

I found the software here: http://www.odeon.cn/ and version 1.98.6 contains that alert. I could find no obvious registry and/or file check using regmon/filemon where the developer is looking specifically for VMware but whatever criteria the check is based on, it must work on multiple host platforms.

Reply
0 Kudos
drbanks
Contributor
Contributor

I worked on an app once that checked to see if it was running on a VM. They actually had a fairly good reason for doing it...

You can find samples of code on the web for making this check. It typically consists of executing an illegal instruction, then examining the exception stack. Or something like that. The routine was pre-cooked, and I really didn't spend much time looking at exactly what it was doing. In any case, not only was the routine able to determine whether it was running virtual, it could also tell you whether it was running under VMware, VirtualPC or Parallels.

Reply
0 Kudos
steffi2
Contributor
Contributor

Well my question is that does Fusion then itself depend on the \_wording_ and \_format_ of the exception stack? If not then it might be possible the twart these checks by rewriting it. so an option could be provided that allows me to "hide" from an application that's using it to check etc etc.

Reply
0 Kudos
Andreas_Masur
Expert
Expert

Well my question is that does Fusion then itself

depend on the \_wording_ and \_format_ of the exception

stack? If not then it might be possible the twart

these checks by rewriting it. so an option could be

provided that allows me to "hide" from an application

that's using it to check etc etc.

Well....I think that is the wrong approach to the problem. The problem is not with Fusion but rather with the application itself. So any fix should go into the application itself. If you start tweaking Fusion in order to get around that, then a different approach will be used by the next application which requires a different workaround in Fusion and so on.

As Richard already indicated in his previous post...contact the developer...

Reply
0 Kudos
steffi2
Contributor
Contributor

Yeah that would seem fair however my response was making the assumption that this and only this would be the way developers can check if you're running in a virtual machine. I suppose there are other ways too. I don't expect to get much help from the developer.

Reply
0 Kudos
Andreas_Masur
Expert
Expert

I don't expect to get much help from the

developer.

Well...I do not know that specific application and what it does but are there any alternatives you can use instead if the developer really does not want to provide any workarounds?

Reply
0 Kudos
steffi2
Contributor
Contributor

The application controls a very proprietory piece of hardware. The kind of box that's used to reflash cell phones.

Reply
0 Kudos
admin
Immortal
Immortal

There are actually a bunch of ways to check if you're running in a VM. For example, once you install tools, the name of the network adapter in Windows is "VMware Accelerated AMD PCNet". In Linux the video card is detected as a VMware video adapter. IIRC the BIOS is named something VMware related. And so on. I'm sure there are similar easy checks for other virtualization software.

It's akin to a program refusing to run on certain motherboards - there's generally no valid reason to do this (drbanks, I'm curious what reason you had). The only reason I can come up with is the developer is paranoid about reverse-engineering or doesn't want users to get around copy protection (and I don't think these are really good reasons).

While technically[/i] it's possible for VMware to play the arms race, it'd be a bad idea in terms of stability and ultimately it's a problem with the developer of the uncooperative software.

Edited to include paranthetical notes --etung 2007.03.04 10:48

Reply
0 Kudos
steffi2
Contributor
Contributor

Why does virtualization make it easier to circumvent copy protection?

JAF requires Pkey which is a USB dongle/smartcard.

Reply
0 Kudos
admin
Immortal
Immortal

Why does virtualization make it easier to circumvent copy protection?

The same way that setting breakpoints or running a program in a debugger would make it easier - it's then possible to examine memory state. Some viruses, for example, won't run if a debugger is present in order to make it harder for antivirus writers to figure out what's going on. Note that it's still not easy to do, just something a determined attacker might use.

From what you've said about JAF, I don't see any reason it shouldn't be able to run in a VM.

Reply
0 Kudos
drbanks
Contributor
Contributor

As for why do this...

I'm not sure about the state of the NDAs, so I won't be specific, but:

The particular application had to lock down the desktop and control all access to the outside world. Think of it as a kiosk-like application. It would have hardly been appropriate to allow the application to be run under a VM, where the user could access anything and everything in the real world on the host computer. So basically, the entire sandbox we tried so hard to create would be mooted if it were allowed to be run virtualized.

Reply
0 Kudos
steffi2
Contributor
Contributor

If you think about if you can tell you are running under virtualization then it's not true virtualization.

Reply
0 Kudos
admin
Immortal
Immortal

If you think about if you can tell you are running under virtualization then it's not true virtualization.

A lot of what I described isn't determining that you're running in a virtual environment, it's determining your hardware happens to match what a known virtual environment looks like. Also, once you start involving the real world (e.g. the network, unless you virtualize that too), it's possible via timing attacks.

drbanks: Hmm, I hadn't considered a security app. Thanks for pointing out this use case. However, I agree only from a developer perspective - as a user, I might not consider this a good thing Smiley Happy

Edited to include question about user's perspective. --etung 2007.03.05 20:25

Reply
0 Kudos
rcardona2k
Immortal
Immortal

I'm not admitting to violating traffic laws but I have seen Defensive Driving applications that have tried to 'lock' my friend's[/i] computer, of course they lock friend's[/i] VM's instead.

Also I have beta tested software that attempts to DRM-lock Office documents like Word, Excel, Adobe Acrobat, etc. They even went so far as to hook keyboard interrupts and lock the video frame buffers somehow. Luckily I screenshotted away from the host during the beta to demonstrate actual bugs not the 'breaking' of their technologies (which I also was successful in, btw). Needless to say the quickly became aware of the reality of virtualization.

Reply
0 Kudos
rcardona2k
Immortal
Immortal

There's a security researcher that claims Intel VT and AMD-V can be used to make a perfectly undetectable ring -1 environment. Assuming there are no 'give-away' devices, drivers or registry entries. It might be possible to conjure an undetectable ring 0 - ring 3 working set. In practice such an x86 black box is impractical because you'll always want to accelerate, trap and emulate, enlighten or paravirtualize some aspect of x86 and that will be your poker tell.

Reply
0 Kudos
DaveP
Commander
Commander

Out of interest try opening the VMX file associated with the virtual machine. Try adding the following line to it:

monitor_control.restrict_backdoor = TRUE[/code]

The VMware tools won't function but it may stop the software detecting the fact that it is running in a VM. If it doesn't work, just power off the VM and remove the line from the VMX file.

Reply
0 Kudos
HPReg
VMware Employee
VMware Employee

You might also want to try this:

disable_acceleration = "TRUE"

It all depends on how they detect the VMware hypervisor.

Reply
0 Kudos
Tomahawk_
Contributor
Contributor

You should try capturing the install on a non-virtual Win OS using something like Altiris's SVS, then once you have it captured, you then can export the layer, and import the layer on your Virtual OS via SVS again. This should get around this problem, that is unless the process/application checks for virtualization when it is ran.

Reply
0 Kudos