Honeypots mailing list archives
RE: (pacsec bonus) Re: VMWare Detection?
From: <Glenn_Everhart () bankone com>
Date: Mon, 22 Nov 2004 09:51:03 -0500
While VMware might fail, it is possible some other systems would still work. Bochs, for example, is a full emulation and does not rely on hardware modes at all. Thus there is no reason to suspect it will respond as VMWare does. The downside is that its speed is less, as it emulates the complete x86, but given the problem, it is at least an approach.

A long time ago in a galaxy far far away it was suggested for a similar problem (with a few instructions that were not possible to virtualize) that the OS code loader might detect these and insert workarounds. It was an interesting but of course exceedingly difficult suggestion to implement.

-----Original Message-----
From: M. Shirk [mailto:shirkdog_linux () hotmail com]
Sent: Friday, November 19, 2004 12:26 PM
To: honeypots () securityfocus com
Subject: RE: (pacsec bonus) Re: VMWare Detection?

It would be upsetting if the next ScanOfTheMonth had a binary with this capability. No one could get the malware to execute because it would shut down after detecting the VMWare environment. :-)

Shirkdog
http://www.shirkdog.us

-----Original Message-----
From: Christopher.Croad () rl af mil [mailto:Christopher.Croad () rl af mil]
Sent: Friday, November 19, 2004 9:20 AM
To: honeypots () securityfocus com
Subject: RE: (pacsec bonus) Re: VMWare Detection?
Importance: Low

A little off the honeypot topic, but wouldn't the bigger problem with VMWare detection be to those of us doing Malware analysis? I almost exclusively use a laptop system with multiple VMWare Guests running to analyze a suspect piece of Malware. I have found some workarounds to VMWare detections (i.e., the code looks for VMWare tools, so delete it...it looks for MAC addresses, so change them), but I don't know how to address the detection given in this thread. Is my nice, compact, portable (not to mention powerhouse) analysis laptop/lab about to be replaced by desks full of actual computers to do analysis? Ugh!
Chris