HOW TO LOCATE A VM ENVIRONMENT
I recently read a great book that tapped into this subject briefly. The idea and the tool used are from an amazing researcher named Joanna Rutkowska. The tool she wrote is called Red Pill. It is really a rootkit (and one of the most advanced ones out there).
The idea behind what she did was based on the fact that every operating system has an IDT (Interrupt Descriptor Table). This is a place that stores all interrupt address ranges. It is usually found in the first 100 bytes on a standard hard drive. What she found is that, when in a VM environment, this table is moved up further in memory since there is a virtual disk being used by the VM. The Red Pill tool calls upon the register IDTR to locate where the IDT is located. If it is found in the first few bytes, you are seeing the main OS environment; if further up, then we know a VM is being used. I found that quite amazing. I am assuming this can also be done on a remote level as well, maybe with a Meterpreter session being used to extract data like how a null session does in Windows, or also using WMI APIs.
The book in reference to what I just wrote is "Counter Hack Reloaded". The article mentions that, from what the author knows, as of now there is still no way to "jump" outside of a VM environment into the main OS one. Does anyone know of this happening yet?
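For readers who want to see the mechanism concretely, here is a small C program (added here for illustration; it is not Rutkowska's Red Pill code or anything from the book, and the function names are my own) that executes SIDT, decodes the IDTR image and applies the original first-byte heuristic. It is only meaningful on a 32-bit, single-CPU x86 host: on 64-bit and multi-core systems every CPU has its own IDT and the 0xff/0xe8 rule does not hold, and on Linux kernels with UMIP the instruction is trapped and answered with a fixed dummy base, which is why sandbox operators should not expect this check to behave consistently.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout of the memory operand SIDT writes: a 16-bit limit followed by the
 * IDT's linear base (4 bytes in 32-bit mode, 8 bytes in 64-bit mode). */
#pragma pack(push, 1)
typedef struct { uint16_t limit; uint64_t base; } idtr_t;
#pragma pack(pop)
/* Decode a little-endian IDTR image the way Red Pill does after SIDT. */
uint64_t idtr_base_from_bytes(const uint8_t *buf, int is_64bit) {
    uint64_t base = 0;
    int n = is_64bit ? 8 : 4;
    for (int i = 0; i < n; i++)
        base |= (uint64_t)buf[2 + i] << (8 * i);
    return base;
}

/* Rutkowska's 2004 heuristic for 32-bit single-CPU hosts: the native IDT
 * sits low in kernel space (0x80xxxxxx on Windows), while the VMware and
 * VirtualPC monitors of that era placed theirs at 0xffxxxxxx / 0xe8xxxxxx.
 * Returns 1 when the top byte matches the relocated pattern. */
int red_pill_looks_like_vm(uint32_t base32) {
    uint8_t top = (uint8_t)(base32 >> 24);
    return top == 0xff || top == 0xe8;
}

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
/* Execute SIDT from user mode. Note: on Linux with UMIP enabled the CPU
 * traps this and the kernel hands back a fixed dummy base instead. */
uint64_t read_idtr_base(void) {
    idtr_t idtr = {0, 0};
    __asm__ volatile("sidt %0" : "=m"(idtr));
    return idtr_base_from_bytes((const uint8_t *)&idtr, sizeof(void *) == 8);
}
#endif

int main(void) {
#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    uint64_t base = read_idtr_base();
    printf("IDTR base: 0x%llx\n", (unsigned long long)base);
    if (sizeof(void *) == 4)
        printf("Red Pill verdict: %s\n", red_pill_looks_like_vm((uint32_t)base)
               ? "relocated IDT, classic VM tell" : "native-looking IDT");
    else
        puts("64-bit build: the 0xff/0xe8 rule was never valid here");
#else
    puts("SIDT is x86-only; nothing to read on this platform");
#endif
    return 0;
}
```

Build with gcc or clang; on anything other than a 32-bit x86 host the program prints the IDTR base but deliberately does not give a verdict.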
That's a pretty clever method of detecting a VM. I haven't really heard of anything more basic than using process/module lists to identify targets (i.e. SbieDll.dll will be a loaded module within a Sandboxie'd application) until now; cool~~
Read more about her if you have time. She is one of the most elite women out there! She has written other tools as well.