  #1  
Old 12-05-2004, 23:48
taos
Detect VirtualPC or VMWARE [ASM]

[NASM compiler]
VirtualPC:
push ebp
mov ecx, offset @@exception_handler
mov ebp, esp
push ebx
push ecx                        ; handler address
push dword ptr fs:[0]           ; previous SEH record
mov dword ptr fs:[0], esp       ; install our SEH frame
mov ebx, 0 ; flag
mov eax, 1 ; VPC function number
; call VPC
db 00Fh, 03Fh, 007h, 00Bh       ; invalid opcode on a real CPU -> exception -> handler sets ebx = -1; VirtualPC services it and leaves ebx = 0
mov eax, dword ptr ss:[esp]
mov dword ptr fs:[0], eax       ; unlink our SEH frame
add esp, 8
test ebx, ebx
setz al                         ; al = 1 -> running under VirtualPC
lea esp, dword ptr ss:[ebp-4]
mov ebx, dword ptr ss:[esp]
mov ebp, dword ptr ss:[esp+4]
add esp, 8
jmp @@ret
@@exception_handler:
mov ecx, [esp+0Ch]              ; ecx = CONTEXT* (third handler argument)
mov dword ptr [ecx+0A4h], -1 ; EBX = -1 -> not running, ebx = 0 -> running (CONTEXT.Ebx)
add dword ptr [ecx+0B8h], 4 ; -> skip past the detection code (CONTEXT.Eip += 4, the length of the db above)
xor eax, eax ; exception is handled (ExceptionContinueExecution)
ret
@@ret:


VMWare:
mov eax, 564D5868h   ; 'VMXh' magic
mov ebx, 00000000h
mov ecx, 0000000Ah   ; backdoor command 0Ah = get VMware version
mov edx, 00005658h   ; 'VX', the backdoor I/O port
in eax, dx           ; on real hardware this is a privileged instruction and faults in ring 3, so wrap it in an exception handler like the VirtualPC code above
cmp ebx, 564D5868h   ; VMware echoes the magic back in ebx
jne @@exit
mov Result, True     ; Delphi-style result variable (assumed to be declared by the caller)
@@exit:
  #2  
Old 12-06-2004, 01:35
Quote:
Originally Posted by taos
VMWare:
mov eax, 564D5868h
mov ebx, 00000000h
mov ecx, 0000000Ah
mov edx, 00005658h
in eax, dx
cmp ebx, 564D5868h
jne @@exit
mov Result, True
@@exit:
Try to add following to VMX file

isolation.tools.getVersion.disable = "TRUE"

You will be surprised ;)
  #3  
Old 12-06-2004, 09:53
taos
Hi! [email protected]:

VMware registry keys are
HKLM\Software\VMware, Inc.\VMware for Windows NT -- real
HKLM\Software\VMWare, Inc.\VMware Tools\ -- virtual
VMware executables directory is
C:\Program Files\VMware -- both real and virtual

There can be many different methods to detect if you're under virtual
OS, such as incorrectly emulated ports, predetermined hardware info,
special drivers and other things.

There's another piece of code to tell if we're under a VMM or in a real environment.
int swallow_redpill () {
    /* m receives the 6-byte IDTR written by sidt (2-byte limit, 4-byte base);
       rpill is "sidt [disp32]; ret" with the disp32 patched to &m below. */
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;   /* 32-bit only: the pointer must fit in the disp32 */
    ((void(*)())&rpill)();                   /* runs from the stack, so the stack must be executable */
    return (m[5]>0xd0) ? 1 : 0;              /* top byte of the IDT base: high under a VMM, lower on bare metal */
}

The heart of this code is...
hXXp://addict3d.org/index.php?page=viewarticle&type=security&ID=2594

Hardware info:
One way of detecting VMware hardware, even with Kostyra's modifications, is to look at the IDE CD-ROM or hard drive on the system. To do this, we can use hdparm with the -I argument:
[[email protected]]# hdparm -I /dev/hda
/dev/hda:
ATAPI CD-ROM, with removable media
Model Number: VMware Virtual IDE CDROM Drive
Serial Number: 00000000000000000001
Firmware Revision: 00000001
Standards:
Likely used CD-ROM ATAPI-1
Configuration:
DRQ response: 50us.
Packet size: 12 bytes
Capabilities:
LBA, IORDY(can be disabled)
Buffer size: 32.0kB
DMA: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2 udma0 *udma1 udma2
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* NOP cmd
* DEVICE RESET cmd
* PACKET command feature set
* Power Management feature set
Now, go look at the output of a regular CD-ROM drive running on your
system. Let's go over the differences.

Also, this page has all the commands:
hXXp://chitchat.at.infoseek.co.jp/vmware/backdoor.html#top

You can use any of them that returns values to check whether it's VMware or not.

Regards.
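As an added example (not code from this thread), a small Python scanner an analyst could run over a binary to flag the three anti-VM probes posted above: the VirtualPC 0F 3F backdoor instruction, the VMware 'VMXh' port-I/O sequence, and RedPill's sidt. The byte patterns and the constructed sample buffer are my own; the sidt pattern is generalised to every memory form of the instruction, not only the disp32 form used in the C snippet.

```python
import re
from typing import Dict, List

# Byte-level signatures for the three anti-VM probes shown in this thread.
ANTI_VM_SIGNATURES: Dict[str, bytes] = {
    # VirtualPC backdoor instruction, posted as db 0Fh,3Fh,07h,0Bh.
    # It is an invalid opcode on a real CPU, so it only appears on purpose.
    "virtualpc_backdoor": rb"\x0f\x3f\x07\x0b",
    # VMware backdoor: mov eax, 564D5868h ('VMXh', encoded B8 68 58 4D 56)
    # followed within 32 bytes by 'in eax, dx' (ED).
    "vmware_backdoor": rb"\xb8\x68\x58\x4d\x56.{0,32}?\xed",
    # RedPill: sidt with a memory operand. The thread's bytes are 0F 01 0D <disp32>
    # (ModRM 0x0D); this class accepts any ModRM with reg=001 and mod!=11,
    # i.e. every memory form of sidt (assumption: that generalisation is wanted).
    "redpill_sidt": rb"\x0f\x01[\x08-\x0f\x48-\x4f\x88-\x8f]",
}

# DOTALL so '.' in the VMware pattern also matches a 0x0A byte.
_COMPILED = {n: re.compile(p, re.DOTALL) for n, p in ANTI_VM_SIGNATURES.items()}


def scan_anti_vm(buf: bytes) -> Dict[str, List[int]]:
    """Return {signature_name: [offsets]} for each anti-VM probe found in buf."""
    hits: Dict[str, List[int]] = {}
    for name, rx in _COMPILED.items():
        offsets = [m.start() for m in rx.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: the thread's three snippets hand-assembled (32-bit
# encodings) and separated by NOP padding. Not taken from a real binary.
SAMPLE = (
    b"\x90" * 8                                # 0: padding
    + b"\xbb\x00\x00\x00\x00"                  # 8: mov ebx, 0
    + b"\xb8\x01\x00\x00\x00"                  # 13: mov eax, 1
    + b"\x0f\x3f\x07\x0b"                      # 18: VirtualPC backdoor
    + b"\x90" * 8                              # 22: padding
    + b"\xb8\x68\x58\x4d\x56"                  # 30: mov eax, 564D5868h
    + b"\xbb\x00\x00\x00\x00"                  # 35: mov ebx, 0
    + b"\xb9\x0a\x00\x00\x00"                  # 40: mov ecx, 0Ah
    + b"\xba\x58\x56\x00\x00"                  # 45: mov edx, 5658h
    + b"\xed"                                  # 50: in eax, dx
    + b"\x81\xfb\x68\x58\x4d\x56"              # 51: cmp ebx, 564D5868h
    + b"\x90" * 8                              # 57: padding
    + b"\x0f\x01\x0d\x00\x00\x00\x00\xc3"      # 65: sidt [disp32]; ret
)

if __name__ == "__main__":
    for name, offs in scan_anti_vm(SAMPLE).items():
        print(f"{name}: at offsets {[hex(o) for o in offs]}")
```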
  #4  
Old 12-07-2004, 09:01
bart
redpill uses sidt to detect a relocated IDT table; I heard it doesn't work on newer VMwares. The VirtualPC detection method sux, lock cmpxchg8b, from my observation it hangs up Pentium CPUs and even a SEH frame won't help you (hmm, but not this one, it doesn't use cmpxchg8b... I must be not high enough)

Last edited by bart; 12-07-2004 at 09:07.
  #5  
Old 12-07-2004, 19:31
Dr.Golova
Quote:
Originally Posted by bart
redpill uses sidt to detect relocated IDT table
Also redpill executes code on the stack. This program will be immediately terminated under a 64-bit environment by the Data Execution Prevention technology in Windows XP.
  #6  
Old 12-08-2004, 07:29
upb
Running code from the stack is not important there; it's just done so you could compile the program with many C compilers (no inline asm).
All times are GMT +8. The time now is 12:38.