VMware Communities
Aqua_regia
Contributor

How to Disable RDTSC traced

Hi, I don't know how to disable the RDS. I found from the EDX instructions that the instruction is on 4 bytes; when changing it to 0, the OS does not start. Maybe I am doing something wrong?

6 Replies
bluefirestorm
Champion

If I understand you correctly, you want to disable the RDTSC instruction in the VM. But why would you want to do that?

Yes, the RDTSC instruction is indicated on CPUID leaf 1, EDX register bit 4.

I tried masking it out and tried to power up an Ubuntu 18.04 VM; it just showed

no TSC found

Aborted. Press any key to exit.

And it went to the virtual EFI menu.

Without the RDTSC instruction, I would think most OS/applications won't be able to perform timekeeping/counting.

Again, why would you want to mask out RDTSC?

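An added example, not code from any poster in this thread: the CPUID leaf 1 bits discussed above (EDX bit 4 for the TSC feature, ECX bit 31 for the "hypervisor present" flag), decoded so you can check what a guest actually sees after changing a VM's CPUID mask. The helper names are hypothetical, and the vendor string read from leaf 0x40000000 is the general hypervisor CPUID convention, which the thread itself does not mention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang CPUID helpers */
#endif

/* CPUID leaf 1, EDX bit 4: TSC feature flag (RDTSC available). */
int has_tsc(uint32_t leaf1_edx) { return (int)((leaf1_edx >> 4) & 1u); }

/* CPUID leaf 1, ECX bit 31: "hypervisor present" flag. */
int hypervisor_present(uint32_t leaf1_ecx) { return (int)((leaf1_ecx >> 31) & 1u); }

/* Leaf 0x40000000 returns a 12-byte vendor ID in EBX, ECX, EDX order,
 * least significant byte first. Decoded with shifts, so host endianness
 * does not matter. */
void hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    char vendor[13];
    memset(vendor, 0, sizeof vendor);
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 1;                          /* leaf 1 not supported */
    printf("TSC flag (leaf 1, EDX bit 4):         %d\n", has_tsc(d));
    printf("Hypervisor flag (leaf 1, ECX bit 31): %d\n", hypervisor_present(c));
    if (hypervisor_present(c)) {
        /* __get_cpuid() rejects leaves above the basic maximum,
         * so query the hypervisor leaf with the raw macro. */
        __cpuid(0x40000000, a, b, c, d);
        hv_vendor(b, c, d, vendor);
        printf("Hypervisor vendor string:             %s\n", vendor);
    }
#else
    puts("Not an x86 build: only the decode helpers are available.");
#endif
    return 0;
}
```

Running this inside the guest before and after a mask change shows which of these signals the VM still exposes.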
Aqua_regia
Contributor

I want to disable RDTSC because it can be used to calculate whether an application is running inside a virtual machine.

bluefirestorm
Champion

RDTSC has been around since the Pentium chip, so chances are only OSes that are designed to run on the 80486 or earlier, such as MS-DOS or Windows 95, would work without the RDTSC instruction.

Being able to do a task such as timekeeping and programming counters is fundamental to CPU operation; without that ability the CPU (whether real or virtual) is broken.

Besides that there are many different methods for an OS and application to detect whether or not it is running inside a VM; so it is a game of cat-and-mouse if you want to avoid detection about running inside a VM. One method might be successful for a particular application in avoiding being detected inside a VM but completely fail for another application. If you look at Windows 10 OS itself (whether Task Manager or msinfo32) it detects that it is running within a hypervisor.

Aqua_regia
Contributor

The hypervisor is disabled; I can attach a screenshot from "aida64" for you.

bluefirestorm
Champion

There are ways to make the running in hypervisor disappear. But again, it is not a guarantee that the application(s) that you want to hide it from will use the same method.

For example, if the application looks at the virtual BIOS/DMI information for the string VMware, that "trick" you applied to make "running in hypervisor" disappear for msinfo32 and Task Manager will not work.

Aqua_regia
Contributor

No, in general there is no mention of VMware; I figured it out.
