> > as a genetic method to detect the presence of any virtual machine
>
> Gene*R*ic. The word you're looking for is "generic". Genetic means to do
> with DNA and stuff. Generic means universal, widespread, non-branded.
>
> > ( Output inside VMWARE )
> > Company Brand Name: Microsoft Corporation Virtual Machine
> > Motherboard Model: Microsoft Corporation Virtual Machine
YA.... :O) And I got the two sets of query outputs mixed up as well.

> > Querying just a few of the above mentioned pieces of information from inside the
> > virtual machine can IMMEDIATELY PROVE the presence of a virtual machine,
> > not the actual system.
>
> True. Is it possible to change them, short of binary patching the VM
> executable?

NO, NOT POSSIBLE I SUPPOSE WITH PATCHING, BECAUSE IT'S A COMPLETELY BIG ISSUE HERE. I already told: if the virtual machine responds back with too much, too little, UNKNOWN or suspicious hardware information on ANY SYSTEM HARDWARE (virtual), it can always be clearly guessed that the user/code is inside the virtual machine. Let me explain...

Changing information like RAM memory speed, manufacturer, serial no., voltage, CPU clock ratio & max allowed frequency, L1, L2, L3 cache size information (which the VM has no idea of right now) & all other minor details in all hardware peripherals, & making the VM respond as if it was real hardware, is another mountainous task even if the VMWARE developers decide to fix it. Doing it with "just" reverse engineering, I would be really reallyyyyy impressed!

Moreover... say if all versions of virtual machines finally can respond back with info like motherboard Intel ???, processor P4, HDD Samsung, monitor Philips etc. EVEN when they show such legitimate info, this whole combination of hardware types will be a kind of uniqueness, a fingerprint of the presence of a VM, unless the VM supports several hardware types & is able to RESPOND BACK WITH VALID LOOKING INFORMATION & has DIFFERENT virtual hardware profiles that the user can choose which look like a common hardware combination from the machines that are common in the market. But you see... using names like Samsung, Sygate, Intel, Philips, AMD & emulating their hardware properties would require $$$ royalties & contracts with all the companies (for using & emulating their product as well as name), and yet still it's another big task to get cooperation from the companies to let them do so.
WHY do you think "these all issue were represent design decisions by the software makers" (ok, let us all stop playing the fool)? BECAUSE this is why! It's not just a technical problem. This way it becomes strategic & political between companies too. So the VM makers pretend, being oOooooo, these were all design decisions & all (semi?) documented, hahah, do we look soooooo foolish?...... THIS ISSUE IS THERE TO STAY.

Suppose even if they manage partial permission to emulate hardware, BUT THAT WOULD REQUIRE say... even when the attacker tries a firmware upgrade on particular hardware, the PC should let him do it if he/she has system privilege (which is the case most of the time, & most hardware supports firmware upgrades as you know); failure to do so could again be a UNIQUE/SUSPICIOUS FINGERPRINT. I can already imagine DOZENS of possibilities & issues, because just a simple patch isn't going to fix this issue in any way unless the VM becomes OSS (we already have OSS alternatives) & some third party decides to write an ILLEGAL patch to fix the issue at compile time of the binary itself (but which would again require VERY SERIOUS REVERSE ENGINEERING TO LET THE HARDWARE EMULATION HAPPEN).

A person argued with me... no, this can't be taken as an issue, & once the compromise has happened the VM has served its purpose. But you see, if the attacker (say automated or manual) detects a VM, it will immediately cocoon away instead of doing anything further & would seriously hinder the purpose for which the HONEYPOT was made. Like these days we have SPAM filters which also block spam on email & IP (say blacklists); I wouldn't be surprised if in the next worm outbreak an attacker decides to map all the IP addresses on the internet for a few hours & create his/her own blacklist of NEVER_VISIT_THE_IP_AGAIN_which_runs_VIRTUAL_MACHINE.. it's very possible. What do you think guys? Show some support, write to the companies!
-bipin
**********************************************************************
http://groups.google.com/group/AntiForensics -Where you will learn to PROTECT your DIGITAL PRIVACY.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/