Honeypots mailing list archives
Re: (pacsec bonus) Re: VMWare Detection?
From: "Kurt Seifried" <bt () seifried org>
Date: Tue, 16 Nov 2004 15:35:09 -0700
Computer BIOS

One way to identify VMware systems is by their BIOS; there are a number of free Windows utilities that can query the BIOS for information and even extract a copy of the BIOS from the VMware system. The good news is that from within Windows NT/2000 you cannot easily access the BIOS and send commands, as direct access to the hardware is blocked. You can, however, easily query the BIOS for information; from within the guest operating system you will be given the following information:

BIOS ID: unknown
BIOS Date: 10/16/01
BIOS Signon: unknown
BIOS Type: PhoenixBIOS 4.0 Release 6.0 licensed to Intel
Super I/O: unknown
Chipset: Intel 440BX/ZX rev 1

Which is quite different than the actual BIOS in use on the host operating system.
As well, there are a number of utilities to make a copy of the BIOS. BIOS Wizard is available for free and can easily make a copy of the system BIOS; considering that the BIOS VMware uses is relatively unique, it becomes quite easy to check a signature of the BIOS file to see if it is a VMware BIOS. Unfortunately there is almost no way to hide this information from a savvy attacker, making it an Achilles' heel for VMware honeypot systems. Both these utilities are available from: http://www.bioscentral.com/misc/downloads.htm. There is a utility for Linux and BSD at: http://www.cgsecurity.org/.

The information may have changed since; I originally wrote this in Feb of 2002 using VMware 3.x, I think.
Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
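
Added example, not part of the original message: a self-audit a honeypot operator could run to see which BIOS strings on a guest carry the fingerprint quoted above. The function names, the "VMware" marker and the Linux sysfs path `/sys/class/dmi/id` are assumptions of this example; the other marker strings come from the report in the message.

```python
import os

# Strings from the BIOS report quoted in the message (VMware 3.x era), plus the
# product name itself (an added assumption: a guest may name VMware directly).
MARKERS = ("PhoenixBIOS 4.0 Release 6.0", "Intel 440BX", "VMware")

def parse_bios_report(text):
    """Parse 'Label: value' lines as printed by a BIOS query utility."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip():
            fields[label.strip()] = value.strip()
    return fields

def read_sysfs_dmi(root="/sys/class/dmi/id"):
    """Read the DMI strings a Linux guest exposes (assumed sysfs layout)."""
    fields = {}
    if not os.path.isdir(root):
        return fields
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, errors="replace") as fh:
                fields[name] = fh.read().strip()
        except OSError:  # some entries (serial numbers) are root-only; skip
            continue
    return fields

def exposed_markers(fields):
    """Return sorted (field, marker) pairs where a value carries a known marker."""
    hits = []
    for label, value in fields.items():
        for marker in MARKERS:
            if marker.lower() in value.lower():
                hits.append((label, marker))
    return sorted(hits)

# Constructed sample: the report from the message, one field per line.
SAMPLE_REPORT = """BIOS ID: unknown
BIOS Date: 10/16/01
BIOS Signon: unknown
BIOS Type: PhoenixBIOS 4.0 Release 6.0 licensed to Intel
Super I/O: unknown
Chipset: Intel 440BX/ZX rev 1"""

if __name__ == "__main__":
    print("report:", exposed_markers(parse_bios_report(SAMPLE_REPORT)))
    print("this host:", exposed_markers(read_sysfs_dmi()))
```

Any pair it reports is a string an intruder on the honeypot can read just as easily, so the output is a list of what would need masking or accepting as a known tell.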