That's interesting - I would have guessed that after a certain point, a VM and a physical computer are indistinguishable from the POV of software running inside.
It's easy to make the core device indistinguishable. It's the additional hardware that becomes a problem: QEMU/libvirt hardcodes its hard drive model to include the word "QEMU" (although there is an unmerged patch to make that configurable), and although I don't know how graphics work in a VM, it's far easier to create a higher-level graphics device than e.g. emulating Intel graphics.
I imagine a script could be used with qemu - given that patch you mentioned, which I would love a source for if you have it - to match the names of the virtual devices with names of devices on the physical host. Then there's no way for software to check the device names against a list of VM tools, since it always matches real, physical hardware.
At that point, it seems to me that there isn't much left to distinguish the virtual machine from the physical. Behavioral properties of the CPU? Anyway, that's what I meant when I said it seems like after a certain point, it becomes impossible to tell the difference.
One of the other telltale signs of a VM are "things VMs can do that physical devices can't" - such as weird screen resolutions (when running in windowed mode rather than full screen), weird CPU core counts, physical ram values that aren't cleanly divisible into DIMM slots, etc.
Good point. I guess that would be relatively easy to check for programmatically.
What else is there that could possibly indicate virtualization? Available instruction sets? Strange limitations of the given CPU? (e.g., the cpu presents itself as some Intel chip that's known to have 4 cores, but there's only 2 available)
I know of malware long ago that would attempt to time how long CPU instructions take, based on the theory that a VM would be significantly slower, but more recently, especially with hardware-assisted virtualisation, the differences have become close to indistinguishable.
The video game anti-cheat world has been playing this cat and mouse game for a while. A few months back I saw an interesting article [0] describing some of the detection methods being used. It's fascinating to think about how much effort gets put into this.
