Home page logo
/

honeypots logo Honeypots mailing list archives

RE: 4tphi: Detecting VMWare
From: "Andrew Hintz \(Drew\)" <drew () overt org>
Date: Mon, 11 Nov 2002 16:43:44 -0500

All of your methods will of course work to detect normal VMWare installs.
However the methods that you describe can be prevented without breaking
functionality.  For example, someone with plenty of time could modify the
textual description in the VMWare BIOS, put the BIOS through an
ADMmutate-type program, recalculate checksums, and then use the new BIOS for
their virtual machine.

VMWare detection methods that analyze the behavior of hardware devices are
probably more robust.  For example, looking for quirks in the behavior of
virtualized IO devices will reveal plenty of VMWare-specific signatures.  In
order to prevent this type of detection, a defender would have to modify the
logical performance of virtualized IO devices.  This detection method also
has the added benefit of enabling a non-root user to detect VMWare.

Cheers,
--
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--

-----Original Message-----
From: Kurt Seifried [mailto:bt () seifried org]
Sent: Friday, November 08, 2002 4:42 PM
To: Andrew Hintz (Drew); honeypots () securityfocus com
Subject: Re: 4tphi: Detecting VMWare


There are numerous other methods, from looking at a dump of the BIOS (kind
of hard to hide, and if the attacker has root they can do it no matter
what),

From
http://www.seifried.org/security/ids/20020107-honeypot-vmware-basics.html
<snip>
VMware tools
<snip>
AMD 1 gigahertz with 32 megabytes of ram?
<snip>
Computer BIOS
<snip>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]