Hi all, Sorry if this issues, or parts of this issue have been covered in separate threads. We have an executable, of unknown origin, that is very likely to be malicious. We use KVM ( version 78) for sand-boxing the execution of such software. Each time the Virtual Machine is started from a snapshot (with loadvm ), an executable is copied from a share and launched. Now the problem. We have both AMD and Intel machines. A snapshot taken on Intel doesn't load on AMD and vice versa, so The snapshots from which the VMs are started are different. This executable, runs on the AMD machines, but not on Intel. We concluded that the executable uses an undocumented Windows API function, and relies on a side-effect (a value placed in a register). The value of this register differs from AMD to Intel. That is why it shortly and silently terminates if ran on Intel. (by ran on Intel and ran on AMD i mean of course a KVM VM on those platforms) The questions are: Can a process within the VM find out the native processor type? Or can Windows XP find out the original processor type and behave differently? Does this behavior make sense to you? Is it possible that the difference is not due to hardware differences, but because of different snapshots, and the events that occur before the snapshots, are different? We need to have consistent and repeatable results with thease sand-boxed tests, that was what triggered the investigation in the first place. -- Alpar Torok -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
