‘Detecting the Presence of Virtual Machines Using the Local Data Table’
The SIDT mechanism as implemented by Tobias Klein  and separately by Joanna Rutkowska  is a method for detecting the presence of a virtual machine environment. While the test is by no means thorough, it is an effective test for the presence of an emulated CPU environment on a single-processor machine. There are various problems with the implementation, however. If a multi-core CPU is used, the interrupt descriptor table can change significantly when the process is run on different cores. Furthermore if two or more physical processors are present the same implementation issues apply.
The Interrupt Descriptor Table (IDT) is an internal data structure used by the operating system in processing interrupts. Devices use the IDT to process events in the operating system. The IDT is a data structure often exploited by rootkits.  By subverting the IDT, the attacker can point critical items such as the keyboard interrupt to a different function. Using this method an attacker can then insert malicious code to be executed when certain interrupts are run.
The Redpill and scoopy_doo mechanisms use the SIDT assembly operation to retrieve the interrupt descriptor table from the CPU. This data is available at unprivileged operating levels. By providing this key information a non-privileged (non-OS level) process can then query this information. This is bad for a number of reasons. First this
exposes a small level of detail regarding the operating state of the underlying OS. Second, this information can be used to ascertain the operating environment of the OS. Malicious software can then determine the presence of a virtual machine. This can allow the program to terminate itself, or implement specific exploits to escape from the virtual machine.
To read the full paper : http://www.offensivecomputing.net/files/active/0/vm.pdf‘