Welcome to the Virus.Org Mailing List Archive

(pacsec bonus) Re: VMWare Detection?

  • To: Polazzo Justin <[EMAIL PROTECTED]>
  • Subject: (pacsec bonus) Re: VMWare Detection?
  • From: Laurent OUDOT <[EMAIL PROTECTED]>
  • Date: Tue, 16 Nov 2004 22:58:57 +0100
  • Cc: [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • Organization: rstack.org
  • References: <[EMAIL PROTECTED]>
Hi,

Last week in Tokyo, during the PacSec conference (http://pacsec.jp)
organized by Dragos, I proposed another funny way to detect VMware
without too much stuff: no need to import and/or compile an external
program, just use the usual natural Unix commands.

Here is a short example: by looking at the BIOS values, one can easily
recognize a typical VMware BIOS...


** Example: VGA BIOS card on my laptop:

[EMAIL PROTECTED] dd if=/dev/mem bs=64k skip=12 count=1 |hd
...
0d 0a 4d 39 20 42 49 4f  53 20 52 65 71 34 34 37  |..M9 BIOS Req447|
37 0d 0a 00 28 43 29 20  31 39 38 38 2d 32 30 30  |7...(C) 1988-200|
32 2c 20 41 54 49 20 54  65 63 68 6e 6f 6c 6f 67  |2, ATI Technolog|
69 65 73 20 49 6e 63 2e  20 42 4b 2d 41 54 49 20  |ies Inc. BK-ATI |
56 45 52 30 30 38 2e 30  30 37 2e 30 31 31 2e 30  |VER008.007.011.0|
31 37 00 20 66 78 69 62  6d 2e 61 6c 6c 20 76 36  |17. fxibm.all v6|
31 31 20 00 4d 39 20 20  41 47 50 20 44 47 44 31  |11 .M9  AGP DGD1|


** Same test with VMware:

[EMAIL PROTECTED] dd if=/dev/mem bs=64k skip=12 count=1 |hd
...
66 03 27 01 00 00 00 00  00 01 18 01 00 00 49 42  |f.'...........IB|
4d 20 43 4f 4d 50 41 54  49 42 4c 45 0a 50 68 6f  |M COMPATIBLE.Pho|
65 6e 69 78 56 69 65 77  28 74 6d 29 20 56 47 41  |enixView(tm) VGA|
2d 43 6f 6d 70 61 74 69  62 6c 65 20 42 49 4f 53  |-Compatible BIOS|
20 56 65 72 73 69 6f 6e  20 00 0d 0a 43 6f 70 79  | Version ...Copy|
72 69 67 68 74 20 28 43  29 20 31 39 38 34 2d 31  |right (C) 1984-1|
39 39 32 20 50 68 6f 65  6e 69 78 20 54 65 63 68  |992 Phoenix Tech|
6e 6f 6c 6f 67 69 65 73  20 4c 74 64 2e 0d 0a 41  |nologies Ltd...A|
6c 6c 20 52 69 67 68 74  73 20 52 65 73 65 72 76  |ll Rights Reserv|


Then you can read "IBM COMPATIBLE - PhoenixView(tm) VGA-Compatible BIOS
Version Copyright (C) 1984-1992 Phoenix Technologies Ltd. All Rights
Reserved" which is quite enough to begin your inspection.

This is just a fast example. People will find by themselves the
interesting values in the memory for that purpose.

Notice that if a box is a VMware-based computer, it does not mean that
this is a honeypot; but it might be considered a special box,
especially if other different things are seen (no system activity, etc.).

Have fun,

laurent
http://rstack.org/oudot/


Polazzo Justin wrote:

>  2004-11-14 Shortly after Dave posted his Trip Report from Poland, I
> started getting emails from people who wanted to know "how to detect VMWare
> using one instruction"... So, although I'm not the first one who
> discovered this trick, I decided to put a short paper about it
> accompanied by a simple C code. This trick is able to detect not only
> VMWare, but any VMM running on a Pentium processor.
> 
> from http://invisiblethings.org/papers/redpill.html:
> 
> /* 32-bit x86 only: the operand patched below is a 4-byte address */
> int swallow_redpill () {
>        unsigned char m[2+4], rpill[] =
>                "\x0f\x01\x0d\x00\x00\x00\x00\xc3"; /* SIDT [imm32] ; RET */
>        *((unsigned*)&rpill[3]) = (unsigned)m;   /* point SIDT's operand at m */
>        ((void(*)())&rpill)();                   /* run the two instructions */
>        return (m[5]>0xd0) ? 1 : 0;              /* high byte of the IDT base */
> }
> 
> We already knew VMWare was detectable, just not sure if this code made
> it to everyone.
> 
> -JP
> 
> 
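The dd | hd inspection Laurent shows above, turned into a small parser that rebuilds the bytes from saved `hd` output, lists the printable strings the way strings(1) would, and checks them for the vendor markers seen in the VMware dump. This is an added example, not code from the post: the sample dump is the VMware hex lines quoted above, re-embedded as a constructed string, and the marker list is an assumption drawn from that dump only.

```python
import re
import sys

# Constructed sample: the `hd` lines of the VMware VGA BIOS dump quoted in
# the post above (no offset column, as in the post). Real `hd` output also
# carries a leading 8-digit offset column and `*` lines for repeated rows.
SAMPLE_VMWARE_HD = """\
...
66 03 27 01 00 00 00 00  00 01 18 01 00 00 49 42  |f.'...........IB|
4d 20 43 4f 4d 50 41 54  49 42 4c 45 0a 50 68 6f  |M COMPATIBLE.Pho|
65 6e 69 78 56 69 65 77  28 74 6d 29 20 56 47 41  |enixView(tm) VGA|
2d 43 6f 6d 70 61 74 69  62 6c 65 20 42 49 4f 53  |-Compatible BIOS|
20 56 65 72 73 69 6f 6e  20 00 0d 0a 43 6f 70 79  | Version ...Copy|
72 69 67 68 74 20 28 43  29 20 31 39 38 34 2d 31  |right (C) 1984-1|
39 39 32 20 50 68 6f 65  6e 69 78 20 54 65 63 68  |992 Phoenix Tech|
6e 6f 6c 6f 67 69 65 73  20 4c 74 64 2e 0d 0a 41  |nologies Ltd...A|
6c 6c 20 52 69 67 68 74  73 20 52 65 73 65 72 76  |ll Rights Reserv|
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_hd(dump: str) -> bytes:
    """Rebuild the raw bytes from `hd` output, using only the hex columns."""
    out = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("|", 1)[0]      # drop the |ascii| tail
        for tok in hex_part.split():
            if HEX_BYTE.match(tok):           # skips offsets, '*' and '...'
                out.append(int(tok, 16))
    return bytes(out)

def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Like strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# Vendor strings the VMware guest's VGA BIOS exposes in the dump above
# (assumed marker list). Phoenix also ships on real hardware, so a hit is a
# lead to compare against dumps from known physical boxes, not proof of a VM.
BIOS_MARKERS = ("PhoenixView(tm)", "Phoenix Technologies")

def bios_markers(data: bytes) -> list[str]:
    text = data.decode("latin-1")
    return [m for m in BIOS_MARKERS if m in text]

if __name__ == "__main__":
    # Usage: dd if=/dev/mem bs=64k skip=12 count=1 | hd > vga.hd; then pass vga.hd
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VMWARE_HD
    data = parse_hd(dump)
    for s in printable_strings(data):
        print(s)
    print("BIOS markers found:", bios_markers(data) or "none")
```

On current kernels raw /dev/mem reads of this region may be refused (strict devmem), in which case the parser is still usable on a dump taken by other means.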



Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.