{"id":1097,"date":"2015-02-16T21:21:12","date_gmt":"2015-02-16T21:21:12","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1097"},"modified":"2015-02-16T21:21:12","modified_gmt":"2015-02-16T21:21:12","slug":"vmware-detection","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2015\/02\/vmware-detection\/","title":{"rendered":"Vmware Detection"},"content":{"rendered":"

Ladies and gentleman – I give you yet another case of VMware detection. Unfortunately, this only works for VMware. A friend of mine, one Aaron Yool<\/a> told of me a way to detect VMware via the use of privileged instructions. Specifically the “IN” instruction. This instruction is used for reading values from I\/O ports. What the heck is that? According to the IA32 manual, I\/O ports are created in system hardware by circuity that decodes the control, data, and address pins on the processor. These I\/O ports are then configured to communicate with peripheral devices. An I\/O port can be an input port, an output port, or a bidirectional port. Some I\/O ports are used for transmitting data, such as to and from the transmit and receive registers, respectively, of a serial interface device. Other I\/O ports are used to control peripheral devices, such as the control registers of a disk controller.<\/p>\n

Dry material huh? That’s the Intel manual for you. <\/p>\n

Normally you can’t execute this instruction on Windows in user mode – its a SYSTEM instruction like HLT which are reserved for ring 0. On VMware however, you can call it from ring 3. <\/p>\n

What can be done if a user mode program and run system level instructions? The sky is the limit, but think rootkit without admin. Pretty wicked stuff. Is this the case here? No, not yet anyways. For now though, we have here a simple way of checking to see if we’re inside VMWare, POC included. We’re using SEH (Structured Exception Handling) here in case Windows complains about the instruction being privileged.
\nWho here likes code? I do!
\n<\/p>\n

\n
\/\/ ------------------------------------------------------------------------------<\/span>\r\n\/\/ THE BEER-WARE LICENSE (Revision 43):<\/span>\r\n\/\/ <aaronryool@gmail.com> wrote this file. As long as you retain this notice you<\/span>\r\n\/\/ can do whatever you want with this stuff. If we meet some day, and you think<\/span>\r\n\/\/ this stuff is worth it, you can buy me a beer in return<\/span>\r\n\/\/ ------------------------------------------------------------------------------<\/span>\r\n\r\n#include <iostream><\/span>\r\n#include <windows.h><\/span>\r\n\r\nunsigned<\/span> vmware(void<\/span>)\r\n{\r\n__asm<\/span>{\r\n\tmov eax, 0x564d5868<\/span>\r\n\tmov cl, 0xa<\/span>\r\n\tmov dx, 0x5658<\/span>\r\n\tin eax, dx\r\n\tcmp ebx, 0<\/span>\r\n\tjne matrix\r\n\txor eax, eax\r\n\tret\r\n\tmatrix:\r\n\tmov eax, 1<\/span>};\r\n}\r\n\r\nint<\/span> seh_filter(unsigned<\/span> code, struct<\/span> _EXCEPTION_POINTERS* ep)\r\n{\r\n\treturn<\/span> EXCEPTION_EXECUTE_HANDLER;\r\n}\r\n\r\nint<\/span> _tmain(int<\/span> a, _TCHAR* argv[])\r\n{\r\n    __try<\/span>\r\n\t{\r\n\t\tif<\/span>(vmware()) goto<\/span> matrix;\r\n    }\r\n    __except<\/span>(seh_filter(GetExceptionCode(), GetExceptionInformation()))\r\n    {\r\n            goto<\/span> stage2;\r\n    }\r\n\r\nstage2:\r\n\tstd::cout << "Isn't real life boring?"<\/span><<std::endl;\r\n\texit(0<\/span>);\r\n\r\nmatrix:\r\n\tstd::cout << "The Matrix haz you Neo..."<\/span><<std::endl;\r\n\texit(1<\/span>);\r\n}\r\n<\/pre>\n<\/div>\n
PoC pic:
\n\"30kcmzf\"<\/a><\/p>\n
Happy hacking!
\n\"1258259648622\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Ladies and gentleman – I give you yet another case of VMware detection. Unfortunately, this only works for VMware. A friend of mine, one Aaron Yool told of me a way to detect VMware via the use of privileged instructions. Specifically the “IN” instruction. This instruction is used for reading values from I\/O ports. What […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[103],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1097"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1097"}],"version-history":[{"count":4,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1097\/revisions"}],"predecessor-version":[{"id":1104,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1097\/revisions\/1104"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}