RE: 4tphi: Detecting VMWare
From: "Andrew Hintz (Drew)" <drew () overt org>
Date: Mon, 11 Nov 2002 16:43:44 -0500
All of your methods will of course work to detect normal VMWare installs.
However the methods that you describe can be prevented without breaking
functionality. For example, someone with plenty of time could modify the
textual description in the VMWare BIOS, put the BIOS through an
ADMmutate-type program, recalculate checksums, and then use the new BIOS for
their virtual machine.
VMWare detection methods that analyze the behavior of hardware devices are
probably more robust. For example, looking for quirks in the behavior of
virtualized IO devices will reveal plenty of VMWare-specific signatures. In
order to prevent this type of detection, a defender would have to modify the
logical performance of virtualized IO devices. This detection method also
has the added benefit of enabling a non-root user to detect VMWare.
--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518 5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--
From: Kurt Seifried [mailto:bt () seifried org]
Sent: Friday, November 08, 2002 4:42 PM
To: Andrew Hintz (Drew); honeypots () securityfocus com
Subject: Re: 4tphi: Detecting VMWare
There are numerous other methods, from looking at a dump of the BIOS (kind
of hard to hide, and if the attacker has root they can do it no matter
AMD 1 gigahertz with 32 megabytes of ram?
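The exchange above contrasts two detection families: matching on the textual BIOS/firmware strings a VMware guest exposes (easy to rewrite, as Andrew notes) versus observing device behaviour. The following script is an added illustration of the first family from the honeypot operator's side and is not code from either poster. It reads the Linux sysfs DMI export (an assumed path, `/sys/class/dmi/id`) when present and otherwise runs on constructed samples, showing that the same check fires on a stock guest and goes silent once the vendor strings have been rewritten; that is exactly why the thread treats string matching as the weaker signal.

```python
"""
Honeypot self-audit (added example): does this guest expose VMware strings in
its firmware tables?  Reads Linux sysfs DMI/SMBIOS attributes when available,
and also runs against caller-supplied dictionaries so constructed samples work.
"""
import os

DMI_PATH = "/sys/class/dmi/id"  # Linux sysfs view of SMBIOS vendor/product strings (assumed path)
DMI_FIELDS = ("sys_vendor", "product_name", "bios_vendor", "bios_version", "board_vendor")

# Substring an unmodified VMware guest normally carries in sys_vendor / product_name.
VMWARE_MARKER = "vmware"


def read_dmi(path=DMI_PATH):
    """Collect DMI strings from sysfs; fields that cannot be read are omitted."""
    fields = {}
    for name in DMI_FIELDS:
        try:
            with open(os.path.join(path, name), encoding="ascii", errors="replace") as fh:
                fields[name] = fh.read().strip()
        except OSError:
            continue  # not Linux, no DMI export, or insufficient permission
    return fields


def vmware_string_hits(fields):
    """Return the names of the fields whose text contains the VMware marker."""
    return sorted(name for name, value in fields.items()
                  if VMWARE_MARKER in value.lower())


def audit(fields):
    """Summarise whether this guest is fingerprintable by string matching alone."""
    hits = vmware_string_hits(fields)
    return {"string_fingerprintable": bool(hits), "hits": hits}


# Constructed sample: the strings an unmodified VMware guest typically reports.
SAMPLE_STOCK = {
    "sys_vendor": "VMware, Inc.",
    "product_name": "VMware Virtual Platform",
    "bios_vendor": "Phoenix Technologies LTD",
}

# Constructed sample: the same guest after the operator rewrote the vendor text,
# the kind of edit the thread says defeats a purely textual check.
SAMPLE_REWRITTEN = {
    "sys_vendor": "Example Hardware Co.",      # placeholder vendor string
    "product_name": "Desktop Workstation",      # placeholder product string
    "bios_vendor": "Phoenix Technologies LTD",
}

if __name__ == "__main__":
    live = read_dmi()
    print("live host:", audit(live) if live else "no DMI data readable here")
    print("stock sample:", audit(SAMPLE_STOCK))
    print("rewritten sample:", audit(SAMPLE_REWRITTEN))
```

Running it on a real guest needs read access to the sysfs files; on a stock VMware guest the first line reports `string_fingerprintable: True`. The two constructed samples make the thread's point without a hypervisor: the rewritten guest passes this check untouched, so an operator who relies on it has only hidden the cheapest signal, not the device-behaviour quirks Andrew considers the more robust tell.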