13 Security Lab

[anti-VM] vmware - VMSwitchUserControlClass [1] 본문

Computer Security/Security Articles

[anti-VM] vmware - VMSwitchUserControlClass [1]

Maj0r Tom 2015. 12. 28. 11:59

Analyse equipment

Let's start from the hard disk. If you look hard disk ID in the Device Manager on the virtual machine in its structure can be seen interesting lines:


DiskVirtual for VirtualPC 
DiskVBOX_HARDDISK for Virtual Box 
Prod_VMware_Virtual for VMware Workstation

The easiest way to find out the name of the hard disk - read the key value with the name "0" in the registry branch HKLM\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum.

This site lists all the disk drives in the system, and the first, just in the key with the name "0" is the disk from which to boot the system has occurred.


[ID VirtualBox hard drive in the registry]


ID VirtualBox hard drive in the registry

How to read a register, I think you know. Use the first API RegOpenKeyEx to open the desired key, then using RegQueryValueEx read value. Look it should something like this:

... 
// Opening the desired Registry key 
RegOpenKeyExA (HKEY_LOCAL_MACHINE, "HARDWARE \ SYSTEM \ CurrentControlSet \ Services \ Disk \ Enum", 0, KEY_QUERY_VALUE, & rKey); 
// Read the value 
RegQueryValueExA (rKey, "0", NULL, & Type, (LPBYTE) RegKey, & RegPath); 
// Close all previously opened 
RegCloseKey (rKey); ...

Then everything is simple - use strstr to find the correct rows in us to consider value and, depending on the comparison result, we conclude. BIOS Version contained in the key «SystemProductName» in branch HKLMHARDWAREDESCRIPTIONSystemBIOS. For example, the VMware environment there will lie a string «VMware Virtual Platform», and for VirtualBox -. «VBOX -1»

Read it all, you can use all the same API - RegOpenKeyEx and RegQueryValueEx.




For VirtualPC this line type VEN_5333 & DEV_8811 & SUBSYS_00000000 & REV_00, which defines the video card S3 Trio 32/64, emulated Dev from Microsoft - on real hardware such equipment is now the day the fire could not be found (and I have such was the end of the last century. - Approx. Ed.). 

The VirtualBox video card is described sequence VEN_80EE & DEV_BEEF & SUBSYS_00000000 & REV_00, which stands for «VirtualBox Display», while the Parallels Workstation - line VEN_1AB8 & DEV_4005 & SUBSYS_04001AB8 & REV_00 video adapter determines «Parallels Display».

In addition, in VirtualBox, you can find a line VEN_80EE & DEV_CAFE & SUBSYS_00000000 & REV_00, defining a «VirtualBox Device», while the Parallels Workstation line VEN_1AB8 & DEV_4000 & SUBSYS_04001AB8 & REV_00 and VEN_1AB8 & DEV_4006 & SUBSYS_04061AB8 & REV_00, defining «Parallels Tools Device» and «Parallels Memory Controller», respectively.

The algorithm operates as follows: We are trying to open the desired key, and if it opens successfully, the equipment described by this option available and you can make a conclusion about the presence of a virtual machine:


... 
If (RegOpenKeyEx (HKEY_LOCAL_MACHINE, L "SYSTEM \ CurrentControlSet \ Enum \ PCI \ VEN_5333 & DEV_8811 & SUBSYS_00000000 & REV_00", 0, KEY_QUERY_VALUE, & rKey) == ERROR_SUCCESS) 
  {RegCloseKey (rKey); // We're under VirtualPC return true; 
   ... }


CPU ID is determined by the team cpuid. Thanks to her, you can get a lot of any useful information about the installed processor. Type issued this command information depends on the contents of the register EAX. The result of the command recorded in the registers EBX, ECX, and EDX. More information about this command can be found in any book on programming in assembler. For our purposes, we'll use this instruction, pre-setting value in the EAX register 0x40000000:

... _asm {Mov eax, 0x40000000 cpuid mov ID_1, ebx mov ID_2, ecx mov ID_3, edx} ...

After this code executes on the VMware Workstation variables ID_1, ID_2 and ID_3 be recorded values ​​0x61774d56, 0x4d566572 and 0x65726177, respectively (in symbolic representation is not nothing but a «VMwareVMware»), on VirtualBox in ID_1 and ID_2 will lie value of 0x00000340, and on the Parallels Workstation in ID_1 0x70726c20, in ID_2 - 0x68797065 and ID_3 - 0x72762020 (which corresponds to the line «prl hyperv»).


Using MAC-addresses to identify the manufacturer of the network card, of course, is not the most reliable method (for MAC-address quite a change), but nevertheless it is quite possible to apply for detecting the virtual machine as an additional check.


You probably know that the first three bytes of the MAC-address of the network card is determined by its manufacturer.Manufacturers virtual machine is no exception:


VMware (VMware Workstation) 00:05:69 00: 0c: 29, 00: 1c: 14 00:50:56 Microsoft (Virtual PC) 00: 03: ff 00: 0d: 3a 00: 50: f2 7c: 1e: 52 00: 12: 5a 00: 15: 5d 00: 17: fa 28:18:78 7c: ed: 8d 00: 1d: d8 00:22:48 00: 25: ae 60: 45: bd Dc: b4: c4 Oracle (VirtualBox) 08:00:20 Parallels (Parallels Workstation) 00: 1c: 42

Pull out the first three bytes of the MAC-address will help us API-function GetAdaptersInfo:

// Connect libu in which 
// shows us the desired feature

#include <iphlpapi.h> #pragma comment (lib, "IPHLPAPI.lib") ... // Determine the size of the buffer for the data returned by GetAdaptersInfo (AdapterInfo , & OutBufLen); // Allocate memory for data adapter

AdapterInfo = (PIP_ADAPTER_INFO) new (char [OutBufLen]); // Get information about the adapter

GetAdaptersInfo (AdapterInfo, & OutBufLen); // Compare the first three bytes of MAC-addresses with // 00: 1c: 42 (Parallels Workstation)

if (((BYTE) AdapterInfo-> Address [0] == 0x00) && ((BYTE) AdapterInfo-> Address [1] == 0x1c)

&& ((BYTE) AdapterInfo-> Address [2] == 0x42))

{delete (AdapterInfo); // We are under Parallels Workstation return true; } Else {delete (AdapterInfo);

return false; ...}

Auxiliary, windows and other "suspicious" objects

For normal operation of almost all virtual machines require the installation of add-ons to the guest operating system, for example VBoxGuestAddition the VirtualBox or Parallels Tools for Parallels Workstation. Without these additions work with virtual machines more difficult (or your normal screen resolution and full-screen mode, any interaction with the USB-device, either a normal network connection settings). In general, all virtual ok manufacturers do not recommend using them without these additions. And these same supplements leave a very noticeable trace in the form of running processes:

VirtualBox VBoxTray.exe VBoxService.exe Parallels Workstation prl_cc.exe prl_tools.exe SharedIntApp.exe Virtual PC vmusrvc.exe vmsrvc.exe VMware Workstation vmtoolsd.exe

To find the process name, we will use functions CreateToolhelp32Snapshot, Process32First and Process32Next:

#include <Tlhelp32.h> ... ... 
// For example, the process of looking for vmtoolsd.exe 
wchar_t VMwareProcessName [] = {L "vmtoolsd.exe"}; PROCESSENTRY32 pe; 
HANDLE hSnapShot; hSnapShot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0); 
ZeroMemory (& pe, sizeof (PROCESSENTRY32W)); 
pe.dwSize = sizeof (PROCESSENTRY32W); Process32First (hSnapShot, & pe); 
do {if (memcmp (pe.szExeFile, VMwareProcessName, 24) == 0) 
// We have a VMware 
return true; } 
While (Process32Next (hSnapShot, & pe)); ...

In addition to direct the processes themselves, telltale signs could be a window open these processes. Windows in each of the considered virtual machines can be quite a lot, and all of them, we will not list, and restrict ourselves to one or two. So:

VirtualBox VBoxTrayToolWndClass Parallels Workstation CPInterceptor DesktopUtilites Virtual PC {0843FD01-1D28-44a3-B11D-E3A93A85EA96} VMware Workstation VMSwitchUserControlClass




Open windows for VMware (highlighted in red box class VMSwitchUserControlClass)

Find window class name is very simple - it is a function FindWindow:

... // For example, looking for a window for VMware 
HWND VMwareWindow = FindWindowA ("VMSwitchUserControlClass", NULL); 
if (VMwareWindow! = NULL) // We are under VMware Workstation 
return true; ...

In addition to the processes and windows, indicating the presence of a VM, you can find other "suspicious" objects - for example, if you dig into a guest OS virtual machine WinObj utility or some similar, that can be found here such objects:

VirtualBox DeviceVBoxMiniRdrDN DeviceVBoxGuest Parallels Workstation Deviceprl_pv Deviceprl_tg Deviceprl_time DevicePrlMemDev DevicePrlMemDevPci DevicePrlMemDev Virtual PC DeviceVirtualMachineServices



"Suspicious" objects in VirtualBox

Check "suspicious" object is very simple, just try to open it via CreateFile:

... // For example, check the VirtualBox if ((CreateFile (L "\\. \ VBoxMiniRdrDN", 0,0,0, OPEN_EXISTING, 0,0)! = INVALID_HANDLE_VALUE) || (CreateFile (L "\\. \ VBoxGuest ", 0,0,0, OPEN_EXISTING, 0,0)! = INVALID_HANDLE_VALUE)) // We are under VirtualBox return true; ...

What's "suspicious" can be found in the registry?

In addition to the signs of the presence of specific hardware, the registry can be seen, and other traces left by the virtual machines. Some of them are based in the branch HKLMHARDWAREACPIDSDT. It is enough at this point to verify the existence of such key here:

VirtualBox VBOX__ Parallels Workstation PRLS__ Virtual PC AMIBI VMware Workstation PTLTD__

Check realize just how we check for certain equipment. Just do you want us to try to open the key and, if successful, concludes that there is a VM.



PRLS__ registry key Parallels Workstation

The possibilities inherent manufacturer

Some manufacturers (eg, VMware, and Microsoft) implement special control over its products, which can be used for our purposes.

In Virtual PC uses invalid (not "disability" and "abled". And in fact they are "invalid". - Approx. Ed.) CPU instructions with opcodes 0x0F, 0x3F, 0x07 and 0x0B, attempt to perform them on a real processor throws an exception, while Virtual PC on all goes well. With these commands, you can simply zadetektit Dev from Microsoft:

... __try {__asm ​​{Xor ebx, ebx mov eax, 1 __emit (0x0F) __emit (0x3F) __emit (0x07) __emit (0x0B)} // We are a Virtual PC return true; } __except (EXCEPTION_EXECUTE_HANDLER) return false; ...

In VMware Workstation for interaction guest and host operating system is implemented in the form of a small backdoor port number 0x5658. To use it, you must put into EAX "magic" number 0x564d5868 (in symbolic representation - «VMXh»), and ECX is to record one of the teams and the basic interaction between the guest operating system (for example, 0x0A command returns the version of VMware Workstation). In short, it looks like this:

... __try {__asm ​​{Mov eax, 0x564d5868 mov ecx, 0x0A mov edx, 0x5658 in eax, dx} // We are under VMware return true; } __except (EXCEPTION_EXECUTE_HANDLER) return false; ...

Conclusion

As you can see, character of virtual machines abound, and to see them much deep digging is not necessary.



Ref. 1 :  ДЕТЕКТИМ ВИРТУАЛКИ ; detect virtual

(https://xakep.ru/2013/11/08/61563/)


Ref. 2 : Attacks on Virtual Machine Emulators

(http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf)


Comments