Honeypots mailing list archives
Re: (pacsec bonus) Re: VMWare Detection?
From: Gerry Eisenhaur <GEisenhaur () cisco com>
Date: Fri, 19 Nov 2004 10:13:56 -0500
Depending on the level of analysis you are doing, you should be able to work around a piece of code detecting VMware sessions pretty easily. You could NOP out the section, jmp over it, change the information returned, etc.

If it calls an IsVMwarePresent that returns TRUE if it's running in a vmware session, just make it return FALSE.

/gerry

Croad Christopher D Contr AFRL/IFOSS wrote:
| A little off the honeypot topic, but wouldn't the bigger problem with
| VMWare detection be to those of us doing Malware analysis? I almost
| exclusively use a laptop system with multiple VMWare Guests running to
| analyze a suspect piece of Malware. I have found some workarounds to VMWare
| detections (i.e. the code looks for VMWare tools, so delete it...it looks for
| Mac Addresses, so change them), but I don't know how to address the
| detection given in this thread.
|
| Is my nice, compact, portable (not to mention powerhouse) analysis
| laptop/lab about to be replaced by desks full of actual computers to do
| analysis? Ugh!
|
| Chris

--
Gerry Eisenhaur
Cisco Security Agent
Boxborough, Massachusetts
PGP Key: 0xC13E8AFC
978-936-0465
Cisco Systems
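The three patches named in the message above (NOP out, jmp over, force the return value), as an added example that is not part of the original post. The byte buffer is constructed for illustration, the function names are hypothetical, and the code assumes 32-bit x86 with the result in EAX and a callee that pops no stack arguments.

```python
# Added example: byte-level patches on a constructed 32-bit x86 buffer.
NOP = 0x90
JMP_SHORT = 0xEB                           # jmp rel8
XOR_EAX_EAX_RET = bytes.fromhex("31c0c3")  # xor eax, eax ; ret

# Constructed sample, not taken from any real binary:
#  0: 55             push ebp
#  1: 8b ec          mov  ebp, esp
#  3: e8 00 00 00 00 call <detection helper>   (placeholder displacement)
#  8: 85 c0          test eax, eax
# 10: 74 05          jz   17
# 12: b8 01 00 00 00 mov  eax, 1
# 17: 5d             pop  ebp
# 18: c3             ret
SAMPLE = bytes.fromhex("55 8bec e800000000 85c0 7405 b801000000 5d c3")

def _check(code, start, end):
    if not 0 <= start < end <= len(code):
        raise ValueError("patch range outside buffer")

def nop_out(code, start, end):
    """Fill code[start:end] with NOPs; length is unchanged so later offsets stay valid."""
    _check(code, start, end)
    return code[:start] + bytes([NOP]) * (end - start) + code[end:]

def jmp_over(code, start, end):
    """Put a short jmp at start that lands on end, then NOP-pad the skipped bytes."""
    _check(code, start, end)
    rel = end - (start + 2)                # rel8 counts from the byte after the 2-byte jmp
    if not 0 <= rel <= 127:
        raise ValueError("span needs 2..129 bytes for a short forward jmp")
    return code[:start] + bytes([JMP_SHORT, rel]) + bytes([NOP]) * rel + code[end:]

def force_return_false(code, func_start):
    """Overwrite a function's entry so it returns 0 at once.
    Assumes the result is in EAX and the callee pops no stack arguments."""
    end = func_start + len(XOR_EAX_EAX_RET)
    _check(code, func_start, end)
    return code[:func_start] + XOR_EAX_EAX_RET + code[end:]
```

All three helpers keep the buffer length fixed, which is what lets the patched bytes be written back at the same file offsets without disturbing relative branches elsewhere in the sample.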