Okay, say an evil genius with mad IT skills had access to your PC, and he or she installed what looked like your system inside a virtual machine on your system.
It would be fiendishly contrived to look and act just like your system always did… except that your capacity (processor, storage and so forth) is greatly reduced and encapsulated inside your real system in semi-miniature while the machine keeps insisting that nothing is different. The evil genius then uses the extra capacity for nefarious processes of his own, like say the henchfolks’ payroll.
Assuming it’s possible to get the VM to misreport certain immutable facts like HDD capacity etc., and whatever other fine points that would make it unlikely stipulated for the sake of argument: How would you know? How could you tell for sure?
Interesting question - I think you could compare what the BIOS reported vs what the VM reported and find enough discrepancies to indicate that something is going on. I’ve forwarded this to a ‘white hat hacker’ that I know to get his take on it.
Frighteningly enough this may be already happening and in short it is very difficult to detect.
I’m sure someone will be along to give a more technical answer soon, but these two Wikipedia pages might help you out: Rootkits, Blue Pill.
If they used a specialized hacker magic hypervisor it’d be hard to tell.
If they just used VMWare, VPC, or Hyper-V, it’d be pretty easy to tell. Just Ctrl-Alt-Del reboot and watch the BIOS startup. Each of those hypervisors emulates a particular BIOS brand. Probably not the one on your real hardware. Duude, I’m suddenly not gettin’ my Dell any more!!
Again assuming a commercial hypervisor, just power cycling your machine would show 2 boot-ups, one of the hypervisor & one of the virt.
OTOH, once you assume the hacker can create software with any capability he wishes, including overwriting your machine’s factory BIOS, then pretty much by definition his actions would be close to undetectable.
As pointed out in the Blue Pill link above, it’s possible at least in principle to write detection software that you could run to detect the hidden hypervisor by its anomalous response times to some actions when compared to a known uncompromised system.
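The timing check that post describes, as an added example that is not from the thread: it times CPUID (an instruction every VT-x/AMD-V hypervisor has to intercept, so a hidden hypervisor adds a VM-exit round trip) with the TSC and compares the median against a baseline recorded on the same box while it was known clean. The 150-cycle baseline and the 3x factor are constructed placeholders, and since a hypervisor can also offset or scale the TSC, this raises the bar rather than settling the question.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_TSC 1
#else
#define HAVE_X86_TSC 0
#endif

/* Median of n cycle counts; insertion-sorts the array in place (n is small). */
uint64_t median_cycles(uint64_t *v, int n) {
    for (int i = 1; i < n; i++) {
        uint64_t x = v[i]; int j = i - 1;
        while (j >= 0 && v[j] > x) { v[j + 1] = v[j]; j--; }
        v[j + 1] = x;
    }
    return v[n / 2];
}

/* Cycles for one CPUID (leaf 0) between two TSC reads. Under a hypervisor the
 * instruction traps, so the exit/entry cost is added to the count.
 * Returns 0 where no TSC is available (non-x86 build). */
uint64_t time_cpuid_once(void) {
#if HAVE_X86_TSC
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    return __rdtsc() - t0;
#else
    return 0;
#endif
}

/* Median over `samples` timed runs, after a few warm-up runs. */
uint64_t measure_cpuid_median(int samples) {
    uint64_t buf[256];
    if (samples < 1) samples = 1;
    if (samples > 256) samples = 256;
    for (int i = 0; i < 8; i++) (void)time_cpuid_once();
    for (int i = 0; i < samples; i++) buf[i] = time_cpuid_once();
    return median_cycles(buf, samples);
}

/* 1 if the measurement exceeds `factor` times the known-good baseline. */
int hypervisor_suspected(uint64_t measured, uint64_t baseline, double factor) {
    return baseline > 0 && (double)measured > factor * (double)baseline;
}

int main(void) {
    const uint64_t known_good = 150; /* constructed; record your own clean value */
    uint64_t now = measure_cpuid_median(128);
    printf("CPUID median: %llu cycles (clean baseline %llu): %s\n",
           (unsigned long long)now, (unsigned long long)known_good,
           hypervisor_suspected(now, known_good, 3.0) ? "suspicious" : "consistent");
    return 0;
}
```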
Aha! But I have a homebuild! For which there is no specific benchmark.
Well, say the bigger system and the VM system were both going online… wouldn’t there have to be some place at which the signal split to be separate connections? I mean, you maybe couldn’t see that from the inside, but perhaps it could be detected from the outside.
This doesn’t make sense, perhaps I’m missing something? There’s no “signal splitting” at any point. The hardware that talks to the network is controlled by the hypervisor. The system in the VM communicates with the hypervisor, not the network directly. If you don’t have a “known good” copy of the machine for comparison there’s pretty much no hope.
If you want more reasons to be paranoid, I recommend Ken Thompson’s “cc hack”, where he shows that you can’t trust code you wrote and compiled yourself. Also, never forget the Pentium bug; you just can’t trust computers.