Re: (pacsec bonus) Re: VMWare Detection?
- To: "Laurent OUDOT" <[EMAIL PROTECTED]>, "Polazzo Justin" <[EMAIL PROTECTED]>
- Subject: Re: (pacsec bonus) Re: VMWare Detection?
- From: "Kurt Seifried" <[EMAIL PROTECTED]>
- Date: Tue, 16 Nov 2004 15:35:09 -0700
- Cc: <[EMAIL PROTECTED]>
- Organization: Seifried
- References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
- Reply-to: "Kurt Seifried" <[EMAIL PROTECTED]>
Computer BIOS
One way to identify VMware systems is by their BIOS. There are a number of
free Windows utilities that can query the BIOS for information and even
extract a copy of the BIOS from the VMware system. The good news is that
from within Windows NT/2000 you cannot easily access the BIOS and send
commands, as direct access to the hardware is blocked. You can, however, easily
query the BIOS for information from within the guest operating system, and you
will be given the following information:
BIOS ID: unknown
BIOS Date: 10/16/01
BIOS Signon: unknown
BIOS Type: PhoenixBIOS 4.0 Release 6.0 licensed to Intel
Super I/O: unknown
Chipset: Intel 440BX/ZX rev 1
This is quite different than the actual BIOS in use on the host operating system.
As well, there are a number of utilities to make a copy of the BIOS. BIOS
Wizard is available for free and can easily make a copy of the system BIOS;
considering that the BIOS VMware uses is relatively unique, it becomes quite
easy to check a signature of the BIOS file to see if it is a VMware BIOS.
Unfortunately there is almost no way to hide this information from a savvy
attacker, making it an Achilles' heel for VMware honeypot systems. Both
these utilities are available from:
http://www.bioscentral.com/misc/downloads.htm. There is a utility for Linux
and BSD at: http://www.cgsecurity.org/.
The information may have changed since; I originally wrote this in Feb of
2002 using VMware 3.x, I think.
Kurt Seifried, [EMAIL PROTECTED]
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
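An added example (not from the mail above) for honeypot operators who want to see which firmware strings their guest gives away: it parses the "Field: value" report format quoted in the post and flags the indicators the post names. The sample report is constructed from the values quoted above; the Linux sysfs path is assumed for reading the same strings on a modern guest.

```python
import re
from pathlib import Path

# Substrings the post shows as characteristic of a VMware guest, plus the
# plain vendor name. Values are the reason each one is an indicator.
VM_INDICATORS = {
    "VMware": "vendor name present in firmware strings",
    "PhoenixBIOS 4.0 Release 6.0": "BIOS build string quoted for VMware guests",
    "440BX": "emulated chipset quoted for VMware guests",
}

# Constructed sample: the report values quoted in the post.
SAMPLE_REPORT = """BIOS ID: unknown
BIOS Date: 10/16/01
BIOS Signon: unknown
BIOS Type: PhoenixBIOS 4.0 Release 6.0 licensed to Intel
Super I/O: unknown
Chipset: Intel 440BX/ZX rev 1
"""

def parse_report(text):
    """Turn 'Field: value' lines into a dict, keeping field order."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def find_vm_indicators(fields):
    """Return [(field, matched indicator, reason)] for every exposed hit."""
    hits = []
    for field, value in fields.items():
        for needle, why in VM_INDICATORS.items():
            if needle.lower() in value.lower():
                hits.append((field, needle, why))
    return hits

def read_linux_dmi(base="/sys/class/dmi/id"):
    """Collect the equivalent SMBIOS strings on a Linux guest (assumed path)."""
    names = ("bios_vendor", "bios_version", "bios_date", "sys_vendor",
             "product_name", "board_name")
    found = {n: (Path(base) / n) for n in names if (Path(base) / n).exists()}
    return {n: p.read_text(errors="replace").strip() for n, p in found.items()}

if __name__ == "__main__":
    for hit in find_vm_indicators(parse_report(SAMPLE_REPORT)):
        print("%s: %r -> %s" % hit)
```

Run `find_vm_indicators(read_linux_dmi())` on a live Linux guest to audit what it exposes.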