Anti-VM with ACPI tables - Graham Sutherland ( @gsuberland )

ssuserf70955 17 views 14 slides Jun 21, 2024

About This Presentation

acpi_vm_detect.pdf


Slide Content

Anti-VM with ACPI tables
@gsuberland

whois
● Graham Sutherland
● Twitter: @gsuberland (partyhat)
● IRC: gsuberland on freenode
● Email: [email protected]

disclaimer
This talk does not reflect, refract, absorb, ionise, engage in
quantum superposition with, or otherwise associate with the
views of my employer, their clients, or their clients' clients.
I like where I work. Please don't fire me.
Research done in 3 hours. Slides written in an hour.
I borrowed this laptop from @dominicgs, don't judge me for any
donkey porn popups or other sketchy business.
This may or may not be original research. Who knows. The
internet is a pretty big place.

how this came about
● Looking into WPBT at lunch today
● Discovered ACPI tables are A Thing(TM)
● A thought occurs (a rarity, I know)
● Looked into it, vague mentions from places
● I now know that AV knows about this trick

dafuq is an ACPI table?
● Bunch of data tables from hardware
● Used to expose hardware config to OS
● Contains stuff like:
  – SMBIOS data
  – APIC data
  – PCI data
  – HPET data
  – SLIC licenses
  – Trusted Computing evil
  – WPBT evil

so what?
● Tables have names
● Tables have OEM IDs
● Tables have OEM Table IDs
● Tables have Creator IDs
● Tables contain system-specific data
● This stuff isn't (usually) faked by VMs
● It's accessible from ring3, non-admin!
  – (on Windows)

what you talkin bout willis?
picture > 1000 WORDs

virtually undetectable differences
2008R2 x64, VirtualBox

and on vmware?
2008R2 x64, VMware Workstation

teh code?
● Kernel32.dll
  – EnumSystemFirmwareTables
  – GetSystemFirmwareTable
● Fully documented on MSDN
● Trivial to use, even a Lemon could do it
● Probably comparable APIs on Linux/BSD
  – (I am a Windows monkey, don't ask me.)

approach
● Enumerate ACPI, FIRM, RSMB system tables
● Get info & contents for each table
● Check for known VM values
● Exit if found
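The two kernel32 calls from the previous slide, put to the use a sandbox operator would want: an added example (not code from the talk) that walks the live 'ACPI' provider tables on Windows, parses the 36-byte header every ACPI table starts with (signature, length, revision, checksum, OEM ID, OEM Table ID, creator ID), and verifies the table checksum, so you can see exactly which identifiers your analysis VM hands to any unprivileged process. The provider signature 'ACPI' and the header layout come from the ACPI specification and MSDN; the FIRM and RSMB providers named in the slide are not parsed here. Off Windows, or in a test, the same parser runs over a constructed sample table whose VirtualBox-style IDs are made up for illustration, not captured from a real machine.

```c
/* Added example: parse and audit ACPI table headers. Not from the talk. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define ACPI_HDR_LEN 36  /* common System Description Table header size */

typedef struct {
    char     signature[5];    /* 4 chars + NUL, e.g. "FACP" */
    uint32_t length;          /* whole table, header included */
    uint8_t  revision;
    uint8_t  checksum;        /* chosen so all table bytes sum to 0 mod 256 */
    char     oem_id[7];       /* 6 chars + NUL */
    char     oem_table_id[9]; /* 8 chars + NUL */
    uint32_t oem_revision;
    char     creator_id[5];   /* 4 chars + NUL */
    uint32_t creator_revision;
} acpi_header;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy a fixed-width, space-padded field into a NUL-terminated, right-trimmed string. */
static void copy_field(char *dst, const uint8_t *src, size_t n) {
    memcpy(dst, src, n);
    dst[n] = '\0';
    while (n > 0 && dst[n - 1] == ' ') dst[--n] = '\0';
}

/* Returns 0 on success, -1 if the buffer is shorter than a header or than
 * the length the header claims (a truncated or hostile table). */
int acpi_parse_header(const uint8_t *buf, size_t len, acpi_header *h) {
    if (len < ACPI_HDR_LEN) return -1;
    copy_field(h->signature, buf + 0, 4);
    h->length = rd32(buf + 4);
    h->revision = buf[8];
    h->checksum = buf[9];
    copy_field(h->oem_id, buf + 10, 6);
    copy_field(h->oem_table_id, buf + 16, 8);
    h->oem_revision = rd32(buf + 24);
    copy_field(h->creator_id, buf + 28, 4);
    h->creator_revision = rd32(buf + 32);
    if (h->length < ACPI_HDR_LEN || h->length > len) return -1;
    return 0;
}

/* 1 if the table's bytes sum to zero mod 256, else 0 (also 0 for unparsable input). */
int acpi_checksum_ok(const uint8_t *buf, size_t len) {
    acpi_header h;
    if (acpi_parse_header(buf, len, &h) != 0) return 0;
    uint8_t sum = 0;
    for (uint32_t i = 0; i < h.length; i++) sum = (uint8_t)(sum + buf[i]);
    return sum == 0;
}

/* Constructed sample (not captured from a real guest): a 40-byte "FACP" table
 * with VirtualBox-style IDs, checksum fixed up. Returns its length, 0 if no room. */
size_t acpi_build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t body[4] = { 0xde, 0xad, 0xbe, 0xef };
    size_t total = ACPI_HDR_LEN + sizeof body;
    if (cap < total) return 0;
    memset(buf, ' ', ACPI_HDR_LEN);
    memcpy(buf + 0, "FACP", 4);
    buf[4] = (uint8_t)total; buf[5] = buf[6] = buf[7] = 0;
    buf[8] = 1; buf[9] = 0;
    memcpy(buf + 10, "VBOX  ", 6);
    memcpy(buf + 16, "VBOXFACP", 8);
    buf[24] = 1; buf[25] = buf[26] = buf[27] = 0;
    memcpy(buf + 28, "ASL ", 4);
    buf[32] = 0x61; buf[33] = buf[34] = buf[35] = 0;
    memcpy(buf + ACPI_HDR_LEN, body, sizeof body);
    uint8_t sum = 0;
    for (size_t i = 0; i < total; i++) sum = (uint8_t)(sum + buf[i]);
    buf[9] = (uint8_t)(0x100 - sum);  /* make the whole table sum to zero */
    return total;
}

static void print_header(const acpi_header *h, int csum_ok) {
    printf("%-4s oem=%-6s table=%-8s creator=%-4s rev=%u checksum=%s\n", h->signature,
           h->oem_id, h->oem_table_id, h->creator_id, h->revision, csum_ok ? "ok" : "BAD");
}

#ifdef _WIN32
/* Enumerate the live tables of the 'ACPI' provider and print each header. */
static void dump_live_tables(void) {
    const DWORD prov = 'ACPI';
    UINT n = EnumSystemFirmwareTables(prov, NULL, 0);  /* size in bytes of the ID list */
    DWORD *ids = malloc(n);
    if (!ids || EnumSystemFirmwareTables(prov, ids, n) != n) { free(ids); return; }
    for (UINT i = 0; i < n / sizeof(DWORD); i++) {
        UINT sz = GetSystemFirmwareTable(prov, ids[i], NULL, 0);
        uint8_t *t = malloc(sz);
        acpi_header h;
        if (t && GetSystemFirmwareTable(prov, ids[i], t, sz) == sz && acpi_parse_header(t, sz, &h) == 0)
            print_header(&h, acpi_checksum_ok(t, sz));
        free(t);
    }
    free(ids);
}
#endif

int main(void) {
#ifdef _WIN32
    dump_live_tables();
#else
    uint8_t buf[64];
    size_t n = acpi_build_sample(buf, sizeof buf);
    acpi_header h;
    if (acpi_parse_header(buf, n, &h) == 0) print_header(&h, acpi_checksum_ok(buf, n));
#endif
    return 0;
}
```

Run it inside the guest you use for analysis and compare the OEM and creator columns against what the same build prints on bare metal; every field that differs is one a detection routine like the one on this slide can key on, and the checksum column tells you whether a table-replacement countermeasure left the tables internally consistent.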

countermeasures
● VboxAntiVMDetectHardened (kernelmode.info)
  – Replaces some ACPI tables
  – Fixes lots of hardware descriptors
  – Doesn't fix everything!
  – Only for VirtualBox.
● AV
  – Some AV detects code that enumerates firmware tables, via heuristic magics.
● Only run Windows XP
  – XP doesn't support dumping FIRM and RSMB
  – This is not a solution ever :-\
● ???
  – Anyone know something I don't?

future research
● Results from ESXi, QEMU, KVM, etc.
● Results from other guest operating systems.
● Deeper analysis of table contents for variances.
● A public PoC that's actually worth a damn.
● ????

kthxbai
any questions?