Honeypots mailing list archives
(pacsec bonus) Re: VMWare Detection?
From: Laurent OUDOT <oudot () rstack org>
Date: Tue, 16 Nov 2004 22:58:57 +0100
Hi,

Last week in Tokyo, during the conference PacSec (http://pacsec.jp) organized by Dragos, I proposed another funny way to detect VMware without too much stuff: no need to import and/or compile an external program, just use natural usual unix commands. Here is a short example: by looking at the BIOS values, one can easily recognize a typical VMware BIOS...

** Example: VGA BIOS card on my laptop:

root@localhost# dd if=/dev/mem bs=64k skip=12 count=1 |hd
...
0d 0a 4d 39 20 42 49 4f 53 20 52 65 71 34 34 37 |..M9 BIOS Req447|
37 0d 0a 00 28 43 29 20 31 39 38 38 2d 32 30 30 |7...(C) 1988-200|
32 2c 20 41 54 49 20 54 65 63 68 6e 6f 6c 6f 67 |2, ATI Technolog|
69 65 73 20 49 6e 63 2e 20 42 4b 2d 41 54 49 20 |ies Inc. BK-ATI |
56 45 52 30 30 38 2e 30 30 37 2e 30 31 31 2e 30 |VER008.007.011.0|
31 37 00 20 66 78 69 62 6d 2e 61 6c 6c 20 76 36 |17. fxibm.all v6|
31 31 20 00 4d 39 20 20 41 47 50 20 44 47 44 31 |11 .M9 AGP DGD1|

** Same test with VMware:

root@vmhost# dd if=/dev/mem bs=64k skip=12 count=1 |hd
...
66 03 27 01 00 00 00 00 00 01 18 01 00 00 49 42 |f.'...........IB|
4d 20 43 4f 4d 50 41 54 49 42 4c 45 0a 50 68 6f |M COMPATIBLE.Pho|
65 6e 69 78 56 69 65 77 28 74 6d 29 20 56 47 41 |enixView(tm) VGA|
2d 43 6f 6d 70 61 74 69 62 6c 65 20 42 49 4f 53 |-Compatible BIOS|
20 56 65 72 73 69 6f 6e 20 00 0d 0a 43 6f 70 79 | Version ...Copy|
72 69 67 68 74 20 28 43 29 20 31 39 38 34 2d 31 |right (C) 1984-1|
39 39 32 20 50 68 6f 65 6e 69 78 20 54 65 63 68 |992 Phoenix Tech|
6e 6f 6c 6f 67 69 65 73 20 4c 74 64 2e 0d 0a 41 |nologies Ltd...A|
6c 6c 20 52 69 67 68 74 73 20 52 65 73 65 72 76 |ll Rights Reserv|

Then you can read "IBM COMPATIBLE - PhoenixView(tm) VGA-Compatible BIOS Version Copyright (C) 1984-1992 Phoenix Technologies Ltd. All Rights Reserved", which is quite enough to begin your inspection.

This is just a fast example. People will find by themselves the interesting values in the memory for that purpose.
Notice that if a box is a VMware-based computer, it does not mean that this is a honeypot; but it might be considered as a special box, especially if other different things are seen (no system activity, etc.).

Have fun,

laurent
http://rstack.org/oudot/

Polazzo Justin wrote:
2004-11-14 Shortly after Dave posted his Trip Report from Poland, I started getting emails from people who wanted to know "how to detect VMWare using one instruction"... So, although I'm not the first one who discovered this trick, I decided to put a short paper about it accompanied by a simple C code. This trick is able to detect not only VMWare, but any VMM running on a Pentium processor.

from http://invisiblethings.org/papers/redpill.html:

/* 32-bit x86 only; rpill lives on the stack, so the stack must be executable. */
int swallow_redpill () {
  /* rpill is "sidt [imm32]; ret": 0f 01 0d <addr> c3 */
  unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
  *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch in the address of m */
  ((void(*)())&rpill)();                    /* IDTR (limit:16, base:32) -> m */
  return (m[5]>0xd0) ? 1 : 0;               /* high byte of the IDT base */
}

We already knew VMWare was detectable, just not sure if this code made it to everyone.

-JP
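The dd/hd check from Laurent's mail turned into a small scanner, as an added example that is not part of either message: it pulls the printable strings out of the VGA option-ROM window (the same 64 KiB that `bs=64k skip=12` selects, physical 0xC0000) and reports which BIOS vendor strings from the two dumps are present, so a honeypot operator can see what their own sensor exposes. The marker table and the `read_vga_rom` helper are assumptions; the two sample buffers are constructed from the hexdumps in the mail.

```python
import re
from typing import Dict, List

# The 64 KiB block that `dd if=/dev/mem bs=64k skip=12 count=1` reads:
# 12 * 64 KiB = 0xC0000, the legacy VGA option-ROM window.
VGA_ROM_OFFSET = 0xC0000
VGA_ROM_SIZE = 0x10000

# Assumed marker list (not an authoritative table): the mail shows the VMware
# guest's VGA BIOS carrying the PhoenixView string and the laptop's an ATI one.
MARKERS = {
    "phoenixview-vga-bios": re.compile(rb"PhoenixView\(tm\) VGA-Compatible BIOS"),
    "phoenix-copyright": re.compile(rb"Phoenix Technologies"),
    "ati-copyright": re.compile(rb"ATI Technologies"),
}

def printable_strings(buf: bytes, min_len: int = 4) -> List[bytes]:
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, buf)

def classify(buf: bytes) -> Dict[str, List[bytes]]:
    """Map each marker name to the strings in buf that matched it."""
    hits: Dict[str, List[bytes]] = {}
    for s in printable_strings(buf):
        for name, pat in MARKERS.items():
            if pat.search(s):
                hits.setdefault(name, []).append(s)
    return hits

def looks_like_vmware_vga_bios(buf: bytes) -> bool:
    """True when the VGA BIOS string from the mail's VMware dump is present."""
    return "phoenixview-vga-bios" in classify(buf)

def read_vga_rom(path: str = "/dev/mem") -> bytes:
    """Read the same window as the dd command (needs root; may be restricted)."""
    with open(path, "rb") as f:
        f.seek(VGA_ROM_OFFSET)
        return f.read(VGA_ROM_SIZE)

# Constructed samples: the bytes visible in the two hexdumps above, zero-padded.
LAPTOP_DUMP = (
    b"\x0d\x0aM9 BIOS Req4477\x0d\x0a\x00(C) 1988-2002, ATI Technologies Inc. "
    b"BK-ATI VER008.007.011.017\x00 fxibm.all v611 \x00M9  AGP DGD1" + b"\x00" * 32
)
VMWARE_DUMP = (
    b"\x66\x03\x27\x01\x00\x00\x00\x00\x00\x01\x18\x01\x00\x00IBM COMPATIBLE\x0a"
    b"PhoenixView(tm) VGA-Compatible BIOS Version \x00\x0d\x0aCopyright (C) "
    b"1984-1992 Phoenix Technologies Ltd.\x0d\x0aAll Rights Reserv" + b"\x00" * 32
)
```

On a sensor, `classify(read_vga_rom())` run as root gives the same view as the dd command; if /dev/mem is restricted, feed it the output file of the dd command instead.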