{"id":1430,"date":"2017-08-08T09:42:49","date_gmt":"2017-08-08T09:42:49","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1430"},"modified":"2017-08-08T09:42:49","modified_gmt":"2017-08-08T09:42:49","slug":"more-vm-detection","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2017\/08\/more-vm-detection\/","title":{"rendered":"More VM Detection!"},"content":{"rendered":"

Hiyo!<\/p>\n

Defcon was awesome this year. It always gives me inspiration for things to blog about. That said, I want to go over something simple today – more VM detection.<\/p>\n

I’ll be hitting vmware because I have it, also OpenVZ and KVM because that’s what my old hosts worked on.<\/p>\n

In my humble opinion, the best way to determine if you’re running on a VM is to read the SMBios<\/a> information. Doing this on Linux is easy-peasy. Just use dmidecode<\/a>. It works great.<\/p>\n

\"\"<\/a><\/p>\n

Here we see KVM listed under ‘Product Info’. <\/p>\n

This is fine and all for Linux, but the main focus of this blog post is on Windows and the VM’s employed by anti-malware appliances which run Windows for behavior analysis. How the hell do we read SMBios information on Windows? <\/p>\n

Well, DMIDecode does exist for windows<\/a>. How would we go about this programatically though? The GetSystemFirmwareTable<\/a> API allows us to read the bios table. DmiDecode’s source tells me it does pretty much the same thing. I had to clean it up a little because GNU code is cray…<\/p>\n

<\/p>\n

\n
#include <windows.h><\/span>\r\n#include <stdio.h><\/span>\r\n\r\nint<\/span> num_structures = 0<\/span>;\r\ntypedef<\/span> struct<\/span> RawSMBIOSData\r\n{\r\n    BYTE    Used20CallingMethod;\r\n    BYTE    SMBIOSMajorVersion;\r\n    BYTE    SMBIOSMinorVersion;\r\n    BYTE    DmiRevision;\r\n    DWORD    Length;\r\n    BYTE    SMBIOSTableData[];\r\n} RawSMBIOSData, *PRawSMBIOSData;\r\n\r\nPRawSMBIOSData get_raw_smbios_table(void<\/span>){\r\n\r\n    void<\/span> *buf = NULL;\r\n    DWORD size = 0<\/span>;\r\n    size = GetSystemFirmwareTable('<\/span>RSMB'<\/span>, 0<\/span>, buf, size);\r\n    buf = (void<\/span> *)malloc(size);\r\n    GetSystemFirmwareTable('<\/span>RSMB'<\/span>, 0<\/span>, buf, size);        \r\n    return<\/span> buf;\r\n}\r\n\r\nint<\/span> main(void<\/span>)\r\n{\r\nPRawSMBIOSData smb = NULL;\r\nsmb=get_raw_smbios_table();\r\nprintf("SMBIOS %u.%u present.\\r\\n"<\/span>, smb->SMBIOSMajorVersion, smb->SMBIOSMinorVersion);\r\ngetchar();\r\nreturn<\/span> 1<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
Does malwr.com flag this query information as suspicious? See for yourself:
\n\"\"<\/a><\/p>\n
There’s more than 1 way to query this information. This means we don’t have to rely on 1 thing (which might be spoofed or used as a behavior indicator).<\/p>\n
The registry (command is reg query HKEY_LOCAL_MACHINE\\Hardware\\Description\\System \/v SystemBiosVersion<\/i>):
\n\"\"<\/a>
\nThe other key worth noting is HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS seen here:
\n\"\"<\/a><\/p>\n
This info can be gleaned with PowerShell via the command Get-WmiObject win32_bios<\/i>
\n\"\"<\/a>
\nThere are a shitload of other win32 classes with tons of info to sift through in powershell. Too much info, not enough time. Take a peek<\/a> if you have infinite resolve.<\/p>\n
System Info pane (msinfo32 in run box) will tell you bios info:
\n\"\"<\/a><\/p>\n
Finally you can grab this info from the command line again running either the systeminfo command or the wmi command line client.
\n\"\"<\/a><\/p>\n
But Joe, what if I’m a sadist, and want to use WMI in plain old C? I got your back:<\/p>\n
<\/p>\n
\n
#include <stdio.h><\/span>\r\n#include <windows.h><\/span>\r\n#include <wbemidl.h><\/span>\r\n#include <Objbase.h><\/span>\r\n\r\nint<\/span> main(int<\/span> argc, char<\/span>* argv[])\r\n{\r\n    HRESULT hr = 0<\/span>;\r\n    IWbemLocator         *locator  = NULL;\r\n    IWbemServices        *services = NULL;\r\n    IEnumWbemClassObject *results  = NULL;\r\n    BSTR resource = SysAllocString(L"ROOT\\\\CIMV2"<\/span>);\r\n    BSTR language = SysAllocString(L"WQL"<\/span>);\r\n    BSTR query    = SysAllocString(L"SELECT * FROM Win32_BIOS"<\/span>);\r\n\r\n    hr = CoInitializeEx(0<\/span>, COINIT_MULTITHREADED);\r\n    hr = CoInitializeSecurity(NULL, -1<\/span>, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);\r\n    hr = CoCreateInstance(&CLSID_WbemLocator, 0<\/span>, CLSCTX_INPROC_SERVER, &IID_IWbemLocator, (LPVOID *) &locator);\r\n    hr = locator->lpVtbl->ConnectServer(locator, resource, NULL, NULL, NULL, 0<\/span>, NULL, NULL, &services);\r\n    hr = services->lpVtbl->ExecQuery(services, language, query, WBEM_FLAG_BIDIRECTIONAL, NULL, &results);\r\n    if<\/span> (results != NULL) \r\n\t{\r\n        IWbemClassObject *result = NULL;\r\n        ULONG returnedCount = 0<\/span>;\r\n        while<\/span>((hr = results->lpVtbl->Next(results, WBEM_INFINITE, 1<\/span>, &result, &returnedCount)) == S_OK) \r\n\t\t{\r\n            VARIANT Manufacturer;\r\n            hr = result->lpVtbl->Get(result, L"Manufacturer"<\/span>, 0<\/span>, &Manufacturer, 0<\/span>, 0<\/span>);\r\n\t\t\tchar<\/span> prop[128<\/span>];\r\n\t\t\twcstombs(prop,Manufacturer.bstrVal,SysStringByteLen(Manufacturer.bstrVal));\r\n\t\t\tchar<\/span> *vm1 = "QEMU"<\/span>;\r\n\t\t\tchar<\/span> *vm2 = "VMware"<\/span>;\r\n\t\t\tchar<\/span> *vm3 = "vbox"<\/span>;\r\n\r\n\t\t\tif<\/span>(strstr(prop,vm1))\r\n\t\t\t{\r\n\t\t\t\tprintf("I see qemu!\\r\\n"<\/span>);\r\n\t\t\t}\r\n\r\n\t\t\tif<\/span>(strstr(prop,vm2))\r\n\t\t\t{\r\n\t\t\t\tprintf("I see vmware!\\r\\n"<\/span>);\r\n\t\t\t}\r\n\r\n\t\t\tif<\/span>(strstr(prop,vm3))\r\n\t\t\t{\r\n\t\t\t\tprintf("I see virtualbox!\\r\\n"<\/span>);\r\n\t\t\t}\r\n\r\n            printf("%s \\r\\n"<\/span>, prop);\r\n            result->lpVtbl->Release(result);\r\n        }\r\n    }\r\n\r\n    results->lpVtbl->Release(results);\r\n    services->lpVtbl->Release(services);\r\n    locator->lpVtbl->Release(locator);\r\n    CoUninitialize();\r\n    SysFreeString(query);\r\n    SysFreeString(language);\r\n    SysFreeString(resource);\r\n}\r\n<\/pre>\n<\/div>\n
Looks familiar, right? I borrowed some of the code from my Crypter<\/a>. This is just for bios info though. <\/p>\n
I dug deeper and looked using an amazing tool called RW-Everything<\/a> on both VMWare and OpenVZ to try and find other ways to reveal if I’m in a VM besides the BIOS info. The result? Let’s take a look…<\/p>\n
First up is Windows 7 on VMWare. The tool does a pretty good job at identifying VMWare off the bat via the Extended System Description Table<\/>. This part of ACPI (Advanced Configuration and Power Interface) and used in BIOS and hardware shit. If you really want to know more, knock yourself out<\/a>.
\n\"\"<\/a>
\nNote the ‘Creator ID’ specifies VMW. Is this the only reference in the ACPI table for VMWare? Fuck no. We can dump the whole thing with our little tool to a file and peek for ourselves:
\n\"\"<\/a>
\n23 hits! Not bad.  <\/p>\n
What about for KVM? Let’s take a peek:
\n\"\"<\/a>
\nSeems to list Bochs and Qemu. Makes sense since KVM is a fork of Qemu and Bochs comes with KVM. <\/p>\n
One more part to check out is the USB information window. This proves quite fruitful for determining if we’re in a VM.
\n\"\"<\/a>
\nHere we see multiple instances of ‘Vmware’ devices in the list of USB devices. Dumping the file and taking a peek, we again see multiple instances for VMWare:
\n\"\"<\/a>
\n10 hits. The mouse, the hub, vendor and product info. Not a bad haul.<\/p>\n
How about KVM?
\n\"\"<\/a>
\nOnly 2 hits, but better than none. <\/p>\n
I’m trailing off here, so let’s go over one more example via WMI that we can use to determine if we’re in a VM:
\n\"\"<\/a>
\nBy querying the win32_OnboardDevice class, we get a hit. <\/p>\n
Are there more ways? You betcha. I’m always looking for new ways to detect VM’s on Windows and I’m certain I’ll think of more in the future.<\/p>\n
For now though, It’s like 3 am and I’m in need of sleep.<\/p>\n
Until next time,<\/p>\n
Happy cracking!
\n\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Hiyo! Defcon was awesome this year. It always gives me inspiration for things to blog about. That said, I want to go over something simple today – more VM detection. I’ll be hitting vmware because I have it, also OpenVZ and KVM because that’s what my old hosts worked on. In my humble opinion, the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[103],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1430"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1430"}],"version-history":[{"count":7,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1430\/revisions"}],"predecessor-version":[{"id":1494,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1430\/revisions\/1494"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}