Check if physical memory is < 1Gb

Question

Check if physical memory is < 1Gb

binsec-zz opened this issue 9 years ago · comments

binsec-zz commented 9 years ago

Hi, the < 1 Gb memory check detects my VM's with 1 Gb memory as "traced".

Is the number based on a bare metal memory amount ?

gensandbox.c

return (statex.ullTotalPhys/1024) < 1048576 ? TRUE : FALSE;

As an example for WinXP;

I'm using Vmware ESX set to 1 Gb, which allocates exactly 1048040 KB
I also checked my VirtualBox, 1 Gb. which also allocates exactly 1048040 KB

So does bare metal 1 Gb actually show 1048576 to the OS, or does it show 1048040 ?

Maybe somebody can verify virtual vs physical (KB).

This could also be used as a flag, if VM's round off 1Gb memory in a special way compared to physical. You could check 512, 1gb, 2gb etc (if there is a mismatch).

Thanks

Alberto Ortega · Answer 1 · Thu Nov 19 2015 01:07:52 GMT+0800 (China Standard Time)

Hello! Yes exactly, that number was just chosen because of this calculation: 1048576 / 1024 = 1024 So it could be that VMs are rounding up some bytes. I didn't try with a physical machine of 1GB but that could be an interesting test. Just for completion, that value is stored in this structure: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366770(v=vs.85).aspx ullTotalPhys: The amount of actual physical memory, in bytes. Cheers!