---
title: Anti-Virtual-Machine
categories: [cheatsheets]
tags: [security, reverse-engineering]
---

# Anti-Virtual-Machine

## VM Artifacts

- VMware Tools helper processes (e.g. walk the process list with CreateToolhelp32Snapshot and look for them)
- VMware registry artifacts
- VMware services and drivers used for I/O

## VM Vulnerable Instructions

For kernel-mode / privileged operations, VMs use binary translation, so every instruction is translated for emulation. These instructions are not handed to the real kernel but emulated by the VM monitor. User-mode / unprivileged operations run directly on the CPU (binary translation would add too much overhead), so there are some instructions that can be used to detect this behaviour.

sidt, sldt and sgdt are user-mode instructions that return the address of the Interrupt / Local / Global Descriptor Table.

Two techniques build on this: Red Pill and No Pill.

### Red Pill Anti-VM

The Interrupt Descriptor Table has to be relocated by the VM, and the relocation addresses are vendor specific:

- 0x80ffffff on native Windows
- 0xe8XXXXXX in Virtual PC
- 0xffXXXXXX in VMware

To detect this:

```nasm
push    8
push    0
lea     eax, [ebp+Dst]
push    eax
call    _memset
add     esp, 0Ch
lea     eax, [ebp+Dst]
sidt    fword ptr [eax]     ; Contents of IDTR saved to memory location pointed to by EAX
mov     al, [eax+5]         ; Start of base memory address (5th byte offset) saved to AL
cmp     al, 0FFh            ; Check whether it is 0xFF (VMware signature)
jnz     short loc_401E19
```

Important: this only works reliably on single-core CPUs; with multiple cores, VMware remaps several IDTs, so the value read depends on which core the code runs on.

### No Pill

The values returned by sgdt and sldt belong to the CPU, not to the operating system. On native Windows the result is mostly zero; under VMware it is non-zero.

This can be disabled in VMware under Settings -> Processors -> Disable Acceleration.

## Querying I/O Ports

Instruction used: `in`

- the source operand holds the VMware communication channel port ("VX", i.e. 0x5658)
- the destination operand receives the result
- EAX must hold the magic number 0x564D5868 ("VMXh")
- ECX selects the action to perform (0xA queries the VMware version number, 0x14 is "GetMemorySize()")

```nasm
mov eax, 'VMXh'
mov ebx, [ebp-var_result]
mov ecx, 0xA
mov dx, 'VX'
in eax, dx
mov [ebp-var_result], ebx
mov eax, [ebp-var_result]
cmp eax, 'VMXh'
je vmwaredetected
```

## Summary

Anti-VM instructions:

- sidt, sgdt, sldt
- smsw
- str
- in
- cpuid
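From the analyst's side, the instructions summarised above and the backdoor constants from the I/O port section are exactly what you grep a sample for during triage. The scanner below is an added example written for this cheat sheet, not code from the original page or from any existing tool; the function name `scan_anti_vm`, the `window` heuristic for `in` and the sample bytes (hand-assembled from the two listings above) are all constructed here.

```python
import re

# 0F 01 /r: reg field selects sgdt (/0), sidt (/1), smsw (/4)
GROUP_0F01 = {0: "sgdt", 1: "sidt", 4: "smsw"}
# 0F 00 /r: sldt (/0), str (/1)
GROUP_0F00 = {0: "sldt", 1: "str"}
VMXH_MAGIC = b"\xb8\x68\x58\x4d\x56"  # mov eax, 0x564D5868 ('VMXh')
VX_PORT = b"\x66\xba\x58\x56"         # mov dx, 0x5658 ('VX')
CPUID = b"\x0f\xa2"

def scan_anti_vm(data: bytes, window: int = 32) -> list:
    """Return sorted (offset, description) pairs for anti-VM indicators in raw code bytes.
    Byte-level heuristic only: it does not disassemble, so bytes inside data or in the
    middle of another instruction can produce false positives. Use it for triage."""
    hits = []
    magic_offsets = [m.start() for m in re.finditer(re.escape(VMXH_MAGIC), data)]
    hits += [(off, "mov eax, 'VMXh' (VMware backdoor magic)") for off in magic_offsets]
    hits += [(m.start(), "mov dx, 'VX' (VMware backdoor port)") for m in re.finditer(re.escape(VX_PORT), data)]
    hits += [(m.start(), "cpuid") for m in re.finditer(re.escape(CPUID), data)]
    for i, b in enumerate(data):
        if b == 0x0F and i + 2 < len(data) and data[i + 1] in (0x00, 0x01):
            modrm = data[i + 2]
            mod, reg = modrm >> 6, (modrm >> 3) & 7
            name = (GROUP_0F01 if data[i + 1] == 0x01 else GROUP_0F00).get(reg)
            # sgdt/sidt take a memory operand only; mod == 3 encodes different instructions
            if name and not (data[i + 1] == 0x01 and reg in (0, 1) and mod == 3):
                hits.append((i, name))
        elif b == 0xED and any(0 <= i - off <= window for off in magic_offsets):
            # 'in eax, dx' is a single byte (ED) and noisy on its own; report it only when
            # the VMXh magic was loaded within `window` bytes before it, as in the backdoor sequence
            hits.append((i, "in eax, dx (after 'VMXh' load)"))
    return sorted(hits)

# Constructed sample: the two listings from this cheat sheet assembled by hand, plus cpuid
SAMPLE = bytes.fromhex(
    "0f0108"      # sidt fword ptr [eax]
    "8a4005"      # mov al, [eax+5]
    "3cff"        # cmp al, 0FFh
    "7510"        # jnz short ...
    "b868584d56"  # mov eax, 'VMXh'
    "8b5df8"      # mov ebx, [ebp-8]
    "b90a000000"  # mov ecx, 0Ah
    "66ba5856"    # mov dx, 'VX'
    "ed"          # in eax, dx
    "0fa2"        # cpuid
)
```

Run `scan_anti_vm` over a section's raw bytes and review the hits in a disassembler; an `in` without a nearby 'VMXh' load is deliberately not reported because the single ED byte matches far too often in ordinary code and data.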