How to detect VMware system-vulnerability warning-the black bar safety net
2008-09-05T00:00:00
ID MYHACK58:62200820280 Type myhack58 Reporter Anonymous Modified 2008-09-05T00:00:00
Description
by ayaREI
When an anti-virus analyst (AVer) catches your virus, they usually go on to analyse it. They need to understand how the virus spreads in a complex network environment, so many of them choose to run the virus inside a virtual machine such as VMware and observe its behaviour there. The virus writer (Vxer) naturally does not want this to happen, so how can the virus tell whether the system it is running on is VMware?
Here are a few ways to decide that question:
1. Use the VMware backdoor.
VMware has a backdoor that exists for interaction between the virtual system and the real system. It exposes a few functions that your program can call in order to make the judgement. Of course, you should also add exception handling, because the IN instruction is privileged and raises an exception on a real machine where VMware is not there to intercept it.
mov ecx, 0Ah ; CX=function# (0Ah=get_version)
mov eax, 'VMXh' ; EAX=magic
mov dx, 'VX' ; DX=magic
in eax, dx ; specially processed io cmd
; output: EAX/EBX/ECX = data
cmp ebx, 'VMXh' ; also eax/ecx modified (maybe vmw/os ver?)
je under_VMware
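The assembly above is easier to reason about when both sides of the exchange are visible. The following is an added example, not code from the article or from VMware: it packs the assembler constants 'VMXh' and 'VX' the way the assembler does, models the hypervisor's interception of IN on the magic port, and runs the article's check with the exception handling the article asks for. The BareMetal/SimulatedVMware classes, the PrivilegedInstruction exception and the GETVERSION reply values (version, product) are constructed placeholders for illustration; only EBX coming back equal to the magic is what the check relies on.

```python
# Added example (not from the article): a model of the VMware backdoor handshake
# shown above, with the hypervisor side simulated so it runs anywhere. The
# GETVERSION reply values are constructed placeholders, not VMware's documented
# ones; only EBX == magic matters to the check.


def multichar(s: str) -> int:
    """Pack a multi-character assembler constant such as 'VMXh' into an integer,
    first character in the most significant byte (the MASM convention)."""
    value = 0
    for ch in s:
        value = (value << 8) | ord(ch)
    return value


VMWARE_MAGIC = multichar("VMXh")   # 0x564D5868, the article's EAX value
VMWARE_PORT = multichar("VX")      # 0x5658, the article's DX value
CMD_GETVERSION = 0x0A              # the article's ECX value (function number)


class PrivilegedInstruction(Exception):
    """Stands in for the #GP fault that IN raises at user mode on bare metal."""


class BareMetal:
    """Real hardware: nobody intercepts the port read, so it faults."""

    def port_in(self, eax: int, ecx: int, dx: int):
        raise PrivilegedInstruction("IN from port 0x%04x at CPL3" % dx)


class SimulatedVMware:
    """Hypervisor side of the exchange (constructed model). VMware intercepts IN
    on the magic port when EAX holds the magic and dispatches on the low 16
    bits of ECX; anything else is treated like an ordinary user-mode IN here."""

    def __init__(self, version: int = 6, product: int = 4):
        self.version = version   # placeholder, not a documented value
        self.product = product   # placeholder, not a documented value

    def port_in(self, eax: int, ecx: int, dx: int):
        if dx != VMWARE_PORT or eax != VMWARE_MAGIC:
            raise PrivilegedInstruction("IN from port 0x%04x at CPL3" % dx)
        if (ecx & 0xFFFF) == CMD_GETVERSION:
            # EAX/EBX/ECX come back as data: version, magic echoed, product type
            return self.version, VMWARE_MAGIC, self.product
        return 0xFFFFFFFF, 0, 0   # unknown function: modelled as "no data"


def running_under_vmware(cpu) -> bool:
    """The article's check: load the registers, execute IN, compare EBX.
    The try/except is the exception handling the article says to add."""
    try:
        eax, ebx, ecx = cpu.port_in(VMWARE_MAGIC, CMD_GETVERSION, VMWARE_PORT)
    except PrivilegedInstruction:
        return False              # faulted: nothing intercepted it, so not VMware
    return ebx == VMWARE_MAGIC    # je under_VMware


if __name__ == "__main__":
    for name, cpu in (("bare metal", BareMetal()), ("VMware", SimulatedVMware())):
        print(f"{name}: under VMware = {running_under_vmware(cpu)}")
```

The model makes two things explicit that the assembly leaves implicit: the magic values are ordinary packed ASCII (0x564D5868 and port 0x5658), and the branch on EBX only works because the fault path has been caught first. An analyst hardening a sandbox can use the same model to see which of the two outcomes their VM produces for this function number.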
2. Registry key value
On a real system, VMware registers itself under HKLM\Software\VMware, Inc.\VMware for Windows NT, while inside the virtual system VMware Tools registers under HKLM\Software\VMWare, Inc.\VMware Tools\. This is also a good way to make the determination.
3. Program path
Whether on the real system or in the virtual one, the installation directory is C:\Program Files\VMware.
4. Other methods
You can also examine system hardware information and similar details; under VMware these differ from a real machine, as do the traces that VMware Tools leaves behind.
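The registry and path indicators in points 2 and 3 are worth putting side by side, because one of them is decisive and the other is not. The block below is an added example, not code from the article: it collects the two registry keys and the install directory the article names (with winreg and os.path, so the collector only finds anything on Windows) and classifies the result. The labels "vmware-guest", "vmware-host", "vmware-ambiguous" and "no-vmware-artifacts", and the helper names, are this example's own; it is written as the self-check an analyst runs inside an analysis VM to see which VMware Tools artifacts are visible to anything executed there.

```python
# Added example (not from the article): an inventory of the registry and file
# artifacts the article lists, written as a self-check an analyst can run inside
# an analysis VM. Key and path strings are the article's; the classification
# labels and the winreg/os.path collector are this example's own.
import os

try:
    import winreg                      # Windows only; absent elsewhere
except ImportError:
    winreg = None

# From the article: the host registers the product key, the guest registers Tools.
HOST_KEY = r"SOFTWARE\VMware, Inc.\VMware for Windows NT"
GUEST_KEY = r"SOFTWARE\VMware, Inc.\VMware Tools"
# From the article: present on host and guest alike, so it cannot tell them apart.
INSTALL_DIR = r"C:\Program Files\VMware"


def registry_key_exists(subkey: str) -> bool:
    """True if HKLM\\<subkey> can be opened. KEY_WOW64_64KEY makes a 32-bit
    process see the native 64-bit view instead of WOW6432Node."""
    if winreg is None:
        return False
    try:
        access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access):
            return True
    except OSError:                    # FileNotFoundError, PermissionError
        return False


def collect_artifacts() -> dict:
    """Gather the three indicators from the live system (all False off Windows)."""
    return {
        "host_key": registry_key_exists(HOST_KEY),
        "guest_key": registry_key_exists(GUEST_KEY),
        "install_dir": os.path.isdir(INSTALL_DIR),
    }


def classify(artifacts: dict) -> str:
    """Decide what the artifacts say. Order matters: the Tools key is decisive,
    the product key points at a real host, the directory alone is ambiguous."""
    if artifacts["guest_key"]:
        return "vmware-guest"
    if artifacts["host_key"]:
        return "vmware-host"
    if artifacts["install_dir"]:
        return "vmware-ambiguous"
    return "no-vmware-artifacts"


def exposed_guest_artifacts(artifacts: dict) -> list:
    """The guest-side traces an analyst hardening a VMware sandbox would review."""
    names = []
    if artifacts["guest_key"]:
        names.append("HKLM\\" + GUEST_KEY)
    if artifacts["install_dir"]:
        names.append(INSTALL_DIR)
    return names


if __name__ == "__main__":
    found = collect_artifacts()
    print(classify(found), exposed_guest_artifacts(found))
```

Run inside a guest with VMware Tools installed, the Tools key alone settles the question; on a host running VMware Workstation the product key is present instead, and C:\Program Files\VMware exists in both cases, which is why the path is listed separately as the weaker indicator.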