Honeypots mailing list archives

(pacsec bonus) Re: VMWare Detection?


From: Laurent OUDOT <oudot () rstack org>
Date: Tue, 16 Nov 2004 22:58:57 +0100

Hi,

Last week in Tokyo, during the conference PacSec (http://pacsec.jp)
organized by Dragos, I proposed another funny way to detect VMware
without too much stuff: no need to import and/or compile an external
program, just use natural, usual Unix commands.

Here is a short example: by looking at the BIOS values, one can easily
recognize a typical VMware BIOS...


** Example : VGA BIOS card on my laptop :

root@localhost# dd if=/dev/mem bs=64k skip=12 count=1 |hd
...
0d 0a 4d 39 20 42 49 4f  53 20 52 65 71 34 34 37  |..M9 BIOS Req447|
37 0d 0a 00 28 43 29 20  31 39 38 38 2d 32 30 30  |7...(C) 1988-200|
32 2c 20 41 54 49 20 54  65 63 68 6e 6f 6c 6f 67  |2, ATI Technolog|
69 65 73 20 49 6e 63 2e  20 42 4b 2d 41 54 49 20  |ies Inc. BK-ATI |
56 45 52 30 30 38 2e 30  30 37 2e 30 31 31 2e 30  |VER008.007.011.0|
31 37 00 20 66 78 69 62  6d 2e 61 6c 6c 20 76 36  |17. fxibm.all v6|
31 31 20 00 4d 39 20 20  41 47 50 20 44 47 44 31  |11 .M9  AGP DGD1|


** Same test with VMWare :

root@vmhost# dd if=/dev/mem bs=64k skip=12 count=1 |hd
...
66 03 27 01 00 00 00 00  00 01 18 01 00 00 49 42  |f.'...........IB|
4d 20 43 4f 4d 50 41 54  49 42 4c 45 0a 50 68 6f  |M COMPATIBLE.Pho|
65 6e 69 78 56 69 65 77  28 74 6d 29 20 56 47 41  |enixView(tm) VGA|
2d 43 6f 6d 70 61 74 69  62 6c 65 20 42 49 4f 53  |-Compatible BIOS|
20 56 65 72 73 69 6f 6e  20 00 0d 0a 43 6f 70 79  | Version ...Copy|
72 69 67 68 74 20 28 43  29 20 31 39 38 34 2d 31  |right (C) 1984-1|
39 39 32 20 50 68 6f 65  6e 69 78 20 54 65 63 68  |992 Phoenix Tech|
6e 6f 6c 6f 67 69 65 73  20 4c 74 64 2e 0d 0a 41  |nologies Ltd...A|
6c 6c 20 52 69 67 68 74  73 20 52 65 73 65 72 76  |ll Rights Reserv|


Then you can read "IBM COMPATIBLE - PhoenixView(tm) VGA-Compatible BIOS
Version Copyright (C) 1984-1992 Phoenix Technologies Ltd. All Rights
Reserved" which is quite enough to begin your inspection.

This is just a fast example. People will find by themselves the
interesting values in the memory for that purpose.

Notice that if a box is a VMware-based computer, it does not mean that
this is a honeypot; but it might be considered as a special box,
especially if other different things are seen (no system activity, etc.).

Have fun,

laurent
http://rstack.org/oudot/
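The inspection above is done by eye on a hexdump. As an added example (not part of the original mail), the script below automates the same check so a honeypot operator can audit what a guest's VGA BIOS region gives away: it extracts printable strings from a raw dump of the 64 KiB region that the `dd` command reads and reports which vendor identifiers appear. The marker list, the function names and the two sample byte strings are assumptions for this example; the samples are constructed to resemble the two listings in the mail, not byte-exact copies.

```python
"""Scan a raw BIOS memory region for vendor strings (added example).

Usage: python bios_strings.py [dump-file]
  dump-file: a file produced with the mail's command, e.g.
             dd if=/dev/mem bs=64k skip=12 count=1 of=dump.bin
  Without an argument, the two constructed samples below are scanned.
"""
import re
import sys
from typing import Dict, List

# Identifiers worth flagging (assumption for this example). "Phoenix" on its
# own is not proof of a VM, since physical machines ship Phoenix BIOSes too;
# the mail's point is the particular combination of strings.
VM_MARKERS = (
    "VMware",
    "PhoenixView(tm) VGA-Compatible BIOS",
    "IBM COMPATIBLE",
)

# Constructed sample regions modelled on the two hexdumps in the mail.
LAPTOP_REGION = (
    b"\x55\xaa\x40" + b"\x00" * 13
    + b"\r\nM9 BIOS Req4477\r\n\x00"
    + b"(C) 1988-2002, ATI Technologies Inc. BK-ATI VER008.007.011.017\x00"
)
VMWARE_REGION = (
    b"\x66\x03\x27\x01" + b"\x00" * 4 + b"\x00\x01\x18\x01\x00\x00"
    + b"IBM COMPATIBLE\nPhoenixView(tm) VGA-Compatible BIOS Version \x00\r\n"
    + b"Copyright (C) 1984-1992 Phoenix Technologies Ltd.\r\n"
    + b"All Rights Reserved"
)


def extract_strings(region: bytes, min_len: int = 4) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(region)]


def find_vm_markers(region: bytes) -> List[str]:
    """Return the entries of VM_MARKERS present in the region, in marker order.

    Strings are joined with a space first so a marker that spans a control
    byte (e.g. the 0x0a between 'IBM COMPATIBLE' and 'PhoenixView') still
    matches the surrounding printable runs.
    """
    joined = " ".join(extract_strings(region))
    return [marker for marker in VM_MARKERS if marker in joined]


def report(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each sample name to the markers found; print a one-line summary each."""
    results = {}
    for name, region in samples.items():
        hits = find_vm_markers(region)
        results[name] = hits
        summary = "markers found: " + ", ".join(hits) if hits else "no known VM markers"
        print(f"{name}: {summary}")
    return results


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {
            "constructed laptop dump": LAPTOP_REGION,
            "constructed VMware dump": VMWARE_REGION,
        }
    report(samples)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against a dump taken with the mail's `dd` command, the script lists whichever markers the guest exposes; a physical ATI-equipped laptop like the first listing yields none, while the second listing's strings match two of the markers. Matching on several strings rather than a single vendor name keeps the check from flagging every Phoenix BIOS.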


Polazzo Justin wrote:

2004-11-14 Shortly after Dave posted his Trip Report from Poland, I
started getting emails from people who wanted to know "how to detect VMWare
using one instruction"... So, although I'm not the first one who
discovered this trick, I decided to put a short paper about it
accompanied by a simple C code. This trick is able to detect not only
VMWare, but any VMM running on a Pentium processor.

from http://invisiblethings.org/papers/redpill.html:

/* 32-bit x86 only; the buffer must be executable for the call to work. */
int swallow_redpill () {
       unsigned char m[2+4], rpill[] =
"\x0f\x01\x0d\x00\x00\x00\x00\xc3";      /* SIDT [imm32] ; RET */
       *((unsigned*)&rpill[3]) = (unsigned)m;   /* point SIDT's operand at m */
       ((void(*)())&rpill)();                    /* run it: IDTR is stored into m */
       return (m[5]>0xd0) ? 1 : 0;               /* high IDT base byte => VMM */
}


We already knew VMWare was detectable, just not sure if this code made
it to everyone.

-JP
