Post #3, 12-06-2004, 09:53, by taos
Hi! Nikita@Work:

VMware registry keys are
HKLM\Software\VMware, Inc.\VMware for Windows NT -- real
HKLM\Software\VMWare, Inc.\VMware Tools\ -- virtual
VMware executables directory is
C:\Program Files\VMware -- both real and virtual

There can be many different methods to detect if you're under virtual
OS, such as incorrectly emulated ports, predetermined hardware info,
special drivers and other things.

There's another piece of code to know if we're under a VMM or under a real environment.
int swallow_redpill () {
    /* m receives the 6-byte SIDT result: a 2-byte limit followed by the 4-byte IDT base.
       rpill is machine code for "sidt [addr] ; ret". 32-bit only: the address of m is
       patched in as a 4-byte immediate, and the stack must be executable to run it. */
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the SIDT operand with &m */
    ((void(*)())&rpill)();                   /* execute the stub */
    return (m[5]>0xd0) ? 1 : 0;              /* high byte of the IDT base: relocated IDT => VMM */
}

The heart of this code is...
hXXp://addict3d.org/index.php?page=viewarticle&type=security&ID=2594

Hardware info:
One way of detecting VMware hardware, even with Kostyra's modifications, is to look at the IDE CD-ROM or hard drive on the system. To do this, we can use hdparm with the -I argument:
[root@localhost]# hdparm -I /dev/hda
/dev/hda:
ATAPI CD-ROM, with removable media
Model Number: VMware Virtual IDE CDROM Drive
Serial Number: 00000000000000000001
Firmware Revision: 00000001
Standards:
Likely used CD-ROM ATAPI-1
Configuration:
DRQ response: 50us.
Packet size: 12 bytes
Capabilities:
LBA, IORDY(can be disabled)
Buffer size: 32.0kB
DMA: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2 udma0 *udma1 udma2
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* NOP cmd
* DEVICE RESET cmd
* PACKET command feature set
* Power Management feature set
Now, go look at the output for a regular CD-ROM drive running on your
system. Let's go over the differences.

Also, on this page you have all the commands:
hXXp://chitchat.at.infoseek.co.jp/vmware/backdoor.html#top

You can use any of them that returns values to check whether you're under VMware or not.

Regards.
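Added example (my own code, not taos's and not from the linked pages): the two checks in the post, seen from the analyst's side. The first part decodes the 6-byte SIDT buffer that swallow_redpill() fills (2-byte limit, then the 4-byte linear IDT base, little-endian) and applies the same m[5] > 0xd0 test, so you can see what that byte is. The second part pulls the Model Number out of hdparm -I output and flags the VMware vendor string. The SIDT byte values and the hdparm text are constructed samples based on the post, not captures from a real machine.

```python
import re

# Constructed SIDT results (6 bytes: limit, then 32-bit base, little-endian).
# Only the high byte of the base matters for the Red Pill comparison.
SIDT_SAMPLES = {
    "vmware_guest": bytes.fromhex("ff07") + (0xFFC18000).to_bytes(4, "little"),
    "native_linux": bytes.fromhex("ff07") + (0xC0FFFFFF).to_bytes(4, "little"),
}


def idt_base(sidt: bytes) -> int:
    """Decode the 4-byte IDT base from a 32-bit SIDT result (bytes 2..5)."""
    if len(sidt) != 6:
        raise ValueError("expected the 6-byte result of a 32-bit SIDT")
    return int.from_bytes(sidt[2:6], "little")


def redpill_verdict(sidt: bytes) -> bool:
    """Same test as the post's C code: m[5] is the high byte of the IDT base."""
    if len(sidt) != 6:
        raise ValueError("expected the 6-byte result of a 32-bit SIDT")
    return sidt[5] > 0xD0


# Constructed hdparm -I output, trimmed to the identification lines from the post.
HDPARM_SAMPLE = """/dev/hda:
ATAPI CD-ROM, with removable media
Model Number: VMware Virtual IDE CDROM Drive
Serial Number: 00000000000000000001
Firmware Revision: 00000001
Standards:
Likely used CD-ROM ATAPI-1
"""

IDENT_LINE = re.compile(r"^\s*(Model Number|Serial Number|Firmware Revision):\s*(.*\S)\s*$")


def parse_hdparm_identify(text: str) -> dict:
    """Collect the identification fields from hdparm -I output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = IDENT_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def device_looks_virtual(fields: dict) -> bool:
    """True when the model string carries the VMware vendor name, as in the post."""
    return "vmware" in fields.get("Model Number", "").lower()


if __name__ == "__main__":
    for name, buf in SIDT_SAMPLES.items():
        print(f"{name}: IDT base 0x{idt_base(buf):08x}, redpill says VMM={redpill_verdict(buf)}")
    ident = parse_hdparm_identify(HDPARM_SAMPLE)
    print(ident, "virtual:", device_looks_virtual(ident))
```

The hdparm parser runs on any saved hdparm -I text, so it can be applied to output collected from a box during triage rather than only live.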