Honeypots mailing list archives

RE: 4tphi: Detecting VMWare


From: "Andrew Hintz \(Drew\)" <drew () overt org>
Date: Mon, 11 Nov 2002 16:43:44 -0500

All of your methods will of course work to detect normal VMWare installs.
However the methods that you describe can be prevented without breaking
functionality.  For example, someone with plenty of time could modify the
textual description in the VMWare BIOS, put the BIOS through an
ADMmutate-type program, recalculate checksums, and then use the new BIOS for
their virtual machine.

VMWare detection methods that analyze the behavior of hardware devices are
probably more robust.  For example, looking for quirks in the behavior of
virtualized IO devices will reveal plenty of VMWare-specific signatures.  In
order to prevent this type of detection, a defender would have to modify the
logical performance of virtualized IO devices.  This detection method also
has the added benefit of enabling a non-root user to detect VMWare.

Cheers,
--
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--

-----Original Message-----
From: Kurt Seifried [mailto:bt () seifried org]
Sent: Friday, November 08, 2002 4:42 PM
To: Andrew Hintz (Drew); honeypots () securityfocus com
Subject: Re: 4tphi: Detecting VMWare


There are numerous other methods, from looking at a dump of the BIOS (kind
of hard to hide, and if the attacker has root they can do it no matter
what),

From
http://www.seifried.org/security/ids/20020107-honeypot-vmware-basics.html
<snip>
VMware tools
<snip>
AMD 1 gigahertz with 32 megabytes of ram?
<snip>
Computer BIOS
<snip>
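As an added example that is not part of either message in this thread: the "textual description" and "Computer BIOS" checks discussed above can be audited by a honeypot operator from inside a Linux guest, without root, because the kernel exports the SMBIOS/DMI strings as plain files under /sys/class/dmi/id/. The script below reads those fields and reports any that name VMware. The field list, the marker substrings, and the two sample dictionaries are assumptions constructed for illustration, not values taken from the thread.

```python
"""Audit a Linux guest's DMI/SMBIOS strings for VMware fingerprints.

Added example (not code from this thread). A honeypot operator runs this
inside the guest to see which textual BIOS identifiers are visible to an
unprivileged user. The kernel exposes SMBIOS strings under
/sys/class/dmi/id/; the field names and marker strings below are an
assumed, illustrative set.
"""
import os
from typing import Dict, List

DMI_DIR = "/sys/class/dmi/id"

# DMI fields the kernel exposes as plain-text files (assumed world-readable)
DMI_FIELDS = ("sys_vendor", "product_name", "bios_vendor", "bios_version",
              "board_vendor", "chassis_vendor")

# Substrings that identify a VMware guest (illustrative, case-insensitive)
VMWARE_INDICATORS = ("vmware", "virtual platform")


def read_dmi(dmi_dir: str = DMI_DIR) -> Dict[str, str]:
    """Read every available DMI field; missing or unreadable files are skipped."""
    values: Dict[str, str] = {}
    for field in DMI_FIELDS:
        path = os.path.join(dmi_dir, field)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                values[field] = fh.read().strip()
        except OSError:
            continue  # field not present, or not readable as this user
    return values


def find_vmware_markers(dmi: Dict[str, str]) -> List[str]:
    """Return 'field=value' for each DMI field whose value contains a marker."""
    hits = []
    for field, value in dmi.items():
        lowered = value.lower()
        if any(marker in lowered for marker in VMWARE_INDICATORS):
            hits.append(f"{field}={value}")
    return sorted(hits)


def audit(dmi: Dict[str, str]) -> str:
    """One-line summary of what an unprivileged process could learn."""
    hits = find_vmware_markers(dmi)
    if not hits:
        return "no VMware strings in the DMI fields checked"
    return "VMware strings visible: " + ", ".join(hits)


# Constructed sample, modelled on what an unmodified VMware guest tends to report
SAMPLE_VMWARE_GUEST = {
    "sys_vendor": "VMware, Inc.",
    "product_name": "VMware Virtual Platform",
    "bios_vendor": "Phoenix Technologies LTD",
    "bios_version": "6.00",
}

# Constructed sample standing in for a physical host (invented vendor names)
SAMPLE_PHYSICAL_HOST = {
    "sys_vendor": "Example Computer Co.",
    "product_name": "Workstation 1",
    "bios_vendor": "Example BIOS Vendor",
    "bios_version": "1.02",
}

if __name__ == "__main__":
    print("this machine:      ", audit(read_dmi()))
    print("constructed guest: ", audit(SAMPLE_VMWARE_GUEST))
    print("constructed host:  ", audit(SAMPLE_PHYSICAL_HOST))
```

An empty result only means the textual identifiers have been cleaned, which is exactly the edit the first message says a determined person could make to the BIOS; it says nothing about the behavioural quirks of the virtualized I/O devices that the reply considers the more robust signal.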