Honeypots mailing list archives
RE: 4tphi: Detecting VMWare
From: "Andrew Hintz (Drew)" <drew () overt org>
Date: Mon, 11 Nov 2002 16:43:44 -0500
All of your methods will of course work to detect normal VMWare installs. However, the methods that you describe can be prevented without breaking functionality. For example, someone with plenty of time could modify the textual description in the VMWare BIOS, put the BIOS through an ADMmutate-type program, recalculate checksums, and then use the new BIOS for their virtual machine.

VMWare detection methods that analyze the behavior of hardware devices are probably more robust. For example, looking for quirks in the behavior of virtualized IO devices will reveal plenty of VMWare-specific signatures. In order to prevent this type of detection, a defender would have to modify the logical performance of virtualized IO devices. This detection method also has the added benefit of enabling a non-root user to detect VMWare.

Cheers,
-- ^Drew
http://guh.nu
--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518 5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--
-----Original Message-----
From: Kurt Seifried [mailto:bt () seifried org]
Sent: Friday, November 08, 2002 4:42 PM
To: Andrew Hintz (Drew); honeypots () securityfocus com
Subject: Re: 4tphi: Detecting VMWare

There are numerous other methods, from looking at a dump of the BIOS (kind of hard to hide, and if the attacker has root they can do it no matter what),
From http://www.seifried.org/security/ids/20020107-honeypot-vmware-basics.html
<snip>
VMware tools
<snip>
AMD 1 gigahertz with 32 megabytes of ram?
<snip>
Computer BIOS
<snip>
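The thread contrasts "textual description" signatures (BIOS and firmware strings) with harder-to-hide device behaviour. The script below is an added example, not code from either poster: a self-audit a honeypot operator can run inside a Linux guest to list which of the easy-to-edit textual identifiers it currently exposes, via the DMI strings under /sys/class/dmi/id/ and the PCI vendor IDs under /sys/bus/pci/devices/. The embedded sample values are constructed to resemble a stock VMware guest, not captured from a real host; the marker strings and VMware's PCI vendor ID 0x15AD are the author's assumptions about a default install.

```python
"""Honeypot self-audit: which textual VMware identifiers does this guest expose?"""
from pathlib import Path

# Substrings a default VMware guest reports in its SMBIOS/DMI tables (assumed).
VMWARE_STRING_MARKERS = ("vmware", "virtual platform")
# PCI vendor ID registered to VMware, Inc.
VMWARE_PCI_VENDOR_ID = 0x15AD
DMI_KEYS = ("sys_vendor", "product_name", "bios_vendor", "board_vendor")


def find_string_markers(dmi: dict) -> list:
    """Return the DMI keys whose value names VMware (case-insensitive), sorted."""
    hits = []
    for key, value in dmi.items():
        lowered = value.lower()
        if any(marker in lowered for marker in VMWARE_STRING_MARKERS):
            hits.append(key)
    return sorted(hits)


def find_vmware_pci_devices(pci_vendors: dict) -> list:
    """Return PCI slots whose vendor file reads VMware's ID. Values look like '0x15ad'."""
    hits = []
    for slot, vendor in pci_vendors.items():
        try:
            if int(vendor.strip(), 16) == VMWARE_PCI_VENDOR_ID:
                hits.append(slot)
        except ValueError:
            continue  # malformed sysfs entry: skip it rather than abort the audit
    return sorted(hits)


def read_linux_sysfs() -> tuple:
    """Best-effort read of live DMI strings and PCI vendor IDs; empty dicts if unavailable."""
    dmi, pci = {}, {}
    for key in DMI_KEYS:
        try:
            dmi[key] = Path("/sys/class/dmi/id", key).read_text(errors="replace").strip()
        except OSError:
            pass  # file absent or unreadable without privileges
    for dev in Path("/sys/bus/pci/devices").glob("*"):
        try:
            pci[dev.name] = (dev / "vendor").read_text().strip()
        except OSError:
            pass
    return dmi, pci


# Constructed sample resembling a stock VMware guest (not captured from a real system).
SAMPLE_DMI = {"sys_vendor": "VMware, Inc.", "product_name": "VMware Virtual Platform",
              "bios_vendor": "Phoenix Technologies LTD"}
SAMPLE_PCI = {"0000:00:0f.0": "0x15ad", "0000:00:07.1": "0x8086", "0000:00:11.0": "bad"}

if __name__ == "__main__":
    live_dmi, live_pci = read_linux_sysfs()  # falls back to the sample off-VM
    print("DMI strings naming VMware:", find_string_markers(live_dmi or SAMPLE_DMI))
    print("PCI devices with VMware's vendor ID:", find_vmware_pci_devices(live_pci or SAMPLE_PCI))
```

An empty result from both functions only means the textual layer is clean; it says nothing about the device-behaviour quirks the reply argues are the more robust tell.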