From: john.fellers@gmail.com
Date: Thu May 18 2006 - 12:59:33 EDT
VMware has its own "backdoor" port, to communicate between internal (emulated) and exernal (emulating) code. There are some functions, which allows you (under emulation) to enable/disable different virtual devices, send internal messages, and do other things. Here is how these functions are called (you should use exception handling for this code):
mov ecx, 0Ah ; CX=function# (0Ah=get_version)
mov eax, 'VMXh' ; EAX=magic
mov dx, 'VX' ; DX=magic
in eax, dx ; specially processed io cmd
; output: EAX/EBX/ECX = data
cmp ebx, 'VMXh' ; also eax/ecx modified (maybe vmw/os ver?)
je under_VMware
VMware registry keys are
HKLM\Software\VMware, Inc.\VMware for Windows NT -- real
HKLM\Software\VMWare, Inc.\VMware Tools\ -- virtual
VMware executables directory is
C:\Program Files\VMware -- both real and virtual
There can be many different methods to detect if you're under virtual OS, such as incorrectly emulated ports, predetermined hardware info, special drivers and other things.
I have not tried this, but the capability exists. It would not be hard to write a detection mechanism to test if you are in a virtual OS and write routines and functions to essentially "break out" of the virtual environment. You would simply have to know where the virtual OS is hooking into the actual operating system and bypass those.
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:59 EDT