10.21
Earlier I wrote a brief article on the theory of VM detection, “Concept of Virtual Machines and Honeypots Detection Techniques”. This time we will talk about technical details. As I use VirtualBox myself, here is one of the ways you can detect VirtualBox from inside a guest:
Under the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, the two BIOS version values (both REG_MULTI_SZ, so each can hold several strings) carry the hypervisor’s vendor strings. The “VBOX - 1” string is the system BIOS version; the VGA BIOS and VBE Display Adapter strings belong to the video BIOS:
SystemBiosVersion = VBOX - 1
VideoBiosVersion = Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS
Sun xVM VirtualBox Version 2.1.4_OSE
VirtualBox Version 2.1.4_OSE VBE Display Adapter
Any of these strings indicates the presence of VirtualBox, and there are even more giveaways. VBOX__ is the OEM ID VirtualBox writes into the ACPI tables it presents to the guest, and the SCSI device map carries the identifiers of the emulated disk and CD-ROM:
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier = VBOX HARDDISK
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier = VBOX CD-ROM
The same identifiers show up in Device Manager, and they can easily be queried programmatically:
DVD/CDROM : VBOX CD-ROM
Harddisk : VBOX HARDDISK
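The checks described above, collected into one script. This is an added example and not code from the original post: it looks for the BIOS version strings, the VBOX__ ACPI table keys and the VBOX HARDDISK / VBOX CD-ROM identifiers in the SCSI device map. On Windows it reads the live HKLM hive through the standard winreg module; the matching logic takes two accessor callables, so it can also be run on any platform against the constructed sample data at the bottom of the file, which mirrors the values quoted in the post rather than a capture from a real machine. Function and variable names are my own.

```python
"""Look for the VirtualBox registry artifacts quoted in the post: BIOS version
strings, VBOX__ ACPI table keys and VBOX disk identifiers in the SCSI device map.
The matchers take accessor callables so they run against the live registry on
Windows or against in-memory sample data elsewhere (added example, not the post's code)."""
import sys
from typing import Callable, Dict, List, Optional, Set, Tuple

# Substrings VirtualBox leaves in the guest (matched case-insensitively):
# "VBOX" in the system BIOS and SCSI identifiers, "VIRTUALBOX" in the video BIOS strings.
VBOX_MARKERS = ("VBOX", "VIRTUALBOX")

# (subkey under HKLM, value name) pairs whose string data is searched for the markers.
# Production code should walk every "Scsi Port N" subkey with winreg.EnumKey; only
# the two ports from the post are listed here.
VALUE_CHECKS: List[Tuple[str, str]] = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
]

# Keys whose mere existence gives the hypervisor away (VBOX__ is the ACPI OEM id).
KEY_CHECKS: List[str] = [
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"HARDWARE\ACPI\FADT\VBOX__",
]

ReadValue = Callable[[str, str], Optional[List[str]]]
KeyExists = Callable[[str], bool]


def contains_vbox_marker(strings: List[str]) -> bool:
    """True if any string (a REG_SZ or one element of a REG_MULTI_SZ) names VirtualBox."""
    return any(marker in s.upper() for s in strings for marker in VBOX_MARKERS)


def find_vbox_artifacts(read_value: ReadValue, key_exists: KeyExists) -> List[str]:
    """Return one descriptive line per artifact found; an empty list means none."""
    hits: List[str] = []
    for key, name in VALUE_CHECKS:
        data = read_value(key, name)
        if data and contains_vbox_marker(data):
            hits.append(f"{key}\\{name} = {' | '.join(data)}")
    for key in KEY_CHECKS:
        if key_exists(key):
            hits.append(f"{key} exists")
    return hits


def is_virtualbox(read_value: ReadValue, key_exists: KeyExists) -> bool:
    return bool(find_vbox_artifacts(read_value, key_exists))


def read_hklm_value(key: str, name: str) -> Optional[List[str]]:
    """Read a REG_SZ/REG_MULTI_SZ value under HKLM as a list of strings; None if absent."""
    import winreg  # Windows only; imported here so the matchers stay importable elsewhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            data, kind = winreg.QueryValueEx(handle, name)
    except OSError:
        return None
    if kind == winreg.REG_MULTI_SZ:
        return list(data)
    if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
        return [data]
    return None  # binary or numeric data cannot hold a vendor string


def hklm_key_exists(key: str) -> bool:
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key):
            return True
    except OSError:
        return False


def fake_registry(values: Dict[Tuple[str, str], List[str]], keys: Set[str]) -> Tuple[ReadValue, KeyExists]:
    """Accessors over an in-memory registry so the checks can be exercised offline."""
    return (lambda key, name: values.get((key, name)), lambda key: key in keys)


# Constructed to mirror the values quoted in the post; not captured from a real guest.
SAMPLE_VBOX_VALUES = {
    VALUE_CHECKS[0]: ["VBOX   - 1"],
    VALUE_CHECKS[1]: ["Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS",
                      "VirtualBox Version 2.1.4_OSE VBE Display Adapter"],
    VALUE_CHECKS[2]: ["VBOX HARDDISK"],
    VALUE_CHECKS[3]: ["VBOX CD-ROM"],
}
SAMPLE_VBOX_KEYS = set(KEY_CHECKS)

# Constructed to look like a physical host: OEM BIOS strings and a real disk model.
SAMPLE_HOST_VALUES = {
    VALUE_CHECKS[0]: ["DELL   - 1", "A12"],
    VALUE_CHECKS[1]: ["Hardware Version 0.0"],
    VALUE_CHECKS[2]: ["WDC WD5000AAKS-00V1A0"],
}

if __name__ == "__main__":
    if sys.platform == "win32":
        found = find_vbox_artifacts(read_hklm_value, hklm_key_exists)
    else:
        found = find_vbox_artifacts(*fake_registry(SAMPLE_VBOX_VALUES, SAMPLE_VBOX_KEYS))
    print("\n".join(found) if found else "no VirtualBox artifacts found")
```

Two practical caveats: the markers are matched case-insensitively because the registry is case-insensitive and later VirtualBox releases changed the vendor prefix (“Sun xVM” became “Oracle VM”), and an attacker who has renamed these values will defeat every check here, which is why the post points to Ferrie’s paper for the timing- and instruction-based techniques that do not rely on strings.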
That’s just one approach. I strongly suggest reading Peter Ferrie’s paper.
I have found some resources for those interested: a Virtual Machine Threats paper and slides by Peter Ferrie (a Microsoftie now), Marshall Fryman’s blog entries here and here, and a CodeProject demonstration. I hope you guys will find them useful.
===
A brief update. I haven’t been active for these two months. Since September I have been involved in some personal matters that took my time, and in October I just got on board at a new job (I was a developer for a server antivirus software for Microsoft Office SharePoint Server). Well, it isn’t about anti-crime but the topic of cloud security.
Cloud security! Who hasn’t heard of it?
My new job is to work on cloud computing on Windows Azure. Unfortunately I cannot reveal more. But don’t worry, I’m very serious in my anti-cybercrime endeavors. =)