VMware Communities
medisotar
Contributor

How to disable VM exit on cpuid 0x00?

17 Replies
Scillonian
Hot Shot

If you want some help from the community then something more than cryptic messages would help.

What version of Workstation are you using? What is your host OS? What is the guest OS? Is the host or guest having problems? What are you trying to achieve?

medisotar
Contributor

host windows 7 x64

guest windows 7 x64

12.1.1 build-3770994, I think all versions have this problem

need to bypass/fix this bug/exploit

static inline unsigned long long rdtsc_diff_vmexit() {
    unsigned long long ret, ret2;
    unsigned eax, edx;
    __asm__ volatile("rdtsc" : "=a"(eax), "=d"(edx));
    ret = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
    /* vm exit forced here. it uses: eax=0; cpuid; */
    /* eax is declared as an output and ebx/ecx/edx as clobbers, since cpuid overwrites all four */
    __asm__ volatile("cpuid" : "=a"(eax) : "a"(0x00) : "ebx", "ecx", "edx");
    __asm__ volatile("rdtsc" : "=a"(eax), "=d"(edx));
    ret2 = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
    return ret2 - ret;
}

for this I need to disable the VM exit on cpuid 0, but I don't know how


medisotar
Contributor

I don't know why this bug, #10947 (Wrong instruction after single-step exception with 'rdtsc' and 'cpuid' => fixed in SVN) – or does VMware have it? Or did VMware devs clone the bugged code of VBox?

wila
Immortal

Hi,

Please do not keep on posting the same question all over the forum, I removed a few of your duplicate posts.

Your question still isn't clear and crossposting it all over doesn't help.

Besides that crossposting isn't allowed as it makes it very difficult to follow a discussion if you scatter it out over a lot of isolated posts (see forum Community Terms of Use article 1i )

Instead please explain what you are trying to do and what exactly the issue is?

Are you getting errors or does the VM crash or??

At the moment you are just posting some code and telling us that you are getting an unexpected result, but there's no context.

What has the problem to do with virtual box for example? Does the problem happen there as well or are you trying to run both virtualbox and vmware workstation/player at the same time, are you trying to run virtualbox as a guest?

How about starting with attaching a vmware.log and explaining a bit more details of the issue?

If you provide a bit more context I might even be able to move your post to a more relevant sub forum, but at this moment I am not even understanding your issue.

thanks,

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
medisotar
Contributor

I'm trying to fix an exploit that forces a VM exit on cpuid 0 in rdtsc

this sample code detects if it runs in VMware

I tried to find how to fix this, but no result

I think disabling the VM exit fixes the problem - but I don't know how

medisotar
Contributor

sample of what has been done on vbox: vbox: disable rdtsc VM exit · cnuke/genode@85175fe · GitHub

How to do this on VMware? What option to use?

The code I posted detects if the program runs under a debugger. The program thinks VMware is a debugger, and that needs to be disabled.

->>> program that detects if it is in VMware with this exploit: GitHub - a0rtega/pafish: Pafish is a demonstration tool that employs several techniques to detect sa...

wila
Immortal

Ok, so if I'm reading your question correctly then, you're not seeing an error, but instead want to be able to evade detection of some unknown software that it is running in a VM?

(Not sure what the "exploit" bit is about)

The specifics are very low level (the rdtsc turns out to be an x86 CPU register) and as this is an end user forum I do not expect a lot of replies on the specific.

There used to be a VMware employee around that answered this type of question, but he isn't around anymore.

Maybe covelli has an answer on this, but that's just a rough guess on who might be able to answer.

edit: A program that runs under a debugger has AFAIK a completely different way for detecting that.

Eg. as we are talking about windows, that would normally be done via windows API IsDebuggerPresent

Of course I don't know what that API call does.. (as I do not normally meddle in assembly)

--

Wil

medisotar
Contributor

As I understand it, this bug is not fixable and cannot be disabled?

why is the VM exit forced when it tries to call cpuid?

if it does not call cpuid all is good - it happens only, as you see in the comment of the code, if:

mov eax, 0x00

cpuid

this code works fine, no detection of VMware (if change cpuid.x.xxx"xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx"):


static inline unsigned long long rdtsc_diff() {
  unsigned long long ret, ret2;
  unsigned eax, edx;
  __asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
  ret  = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
  __asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
  ret2  = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
  return ret2 - ret;
}


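The two snippets in this thread (rdtsc around cpuid, and rdtsc back-to-back) differ because CPUID is one of the instructions that unconditionally exits to the hypervisor under Intel VT-x, so the second rdtsc also times the exit/entry round trip; that is the whole signal pafish's "forcing VM exit" check looks for. The program below is an added example written for this page (it is not code from the thread, from pafish, or from VMware): it takes many samples of both intervals and reports medians, which a sandbox operator can run once on bare metal and once inside the guest to see how large the gap actually is on their hardware. It assumes a GCC or Clang x86 toolchain (cpuid.h and x86intrin.h); on other targets it reports "unsupported". The EXIT_SUSPECT_TICKS threshold is an assumed, illustrative value, not a figure from pafish or from the posts.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid, __cpuid */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86_TSC 1
#else
#define HAVE_X86_TSC 0
#endif

/* Assumed, illustrative threshold in TSC ticks (not pafish's value): a CPUID
 * handled inside the guest costs tens to a few hundred ticks, whereas a VM
 * exit/entry round trip usually costs thousands. */
#define EXIT_SUSPECT_TICKS 1000ULL

typedef struct {
    int supported;          /* 0 when this build target has no RDTSC/CPUID     */
    uint64_t median_plain;  /* rdtsc; rdtsc              (cf. rdtsc_diff)       */
    uint64_t median_cpuid;  /* rdtsc; cpuid(0); rdtsc    (cf. rdtsc_diff_vmexit)*/
    uint64_t max_cpuid;     /* worst single CPUID sample                        */
} tsc_probe;

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Upper median of n values; sorts v in place. Returns 0 for n == 0. */
uint64_t median_u64(uint64_t *v, size_t n) {
    if (n == 0) return 0;
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* CPUID leaf 0: EBX, EDX, ECX hold the 12-byte vendor string, which is what
 * the "cpuid 0" in the posted snippet actually queries. Returns 0 if CPUID is
 * unavailable on this build target. */
int cpuid_vendor(char out[13]) {
#if HAVE_X86_TSC
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx)) { out[0] = '\0'; return 0; }
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &edx, 4);
    memcpy(out + 8, &ecx, 4);
    out[12] = '\0';
    return 1;
#else
    out[0] = '\0';
    return 0;
#endif
}

#if HAVE_X86_TSC
static uint64_t sample_plain(void) {
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}

/* CPUID is an unconditional VM exit under VT-x, so inside a guest this
 * interval also contains the hypervisor's exit handling. */
static uint64_t sample_cpuid(void) {
    unsigned int a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
}
#endif

/* n samples of each interval; a single sample, as in the posted snippet, is
 * noisy because of interrupts and cache misses, so medians are reported. */
tsc_probe probe_tsc(size_t n) {
    tsc_probe r = {0, 0, 0, 0};
#if HAVE_X86_TSC
    if (n == 0) return r;
    uint64_t *plain = malloc(n * sizeof *plain);
    uint64_t *withc = malloc(n * sizeof *withc);
    if (!plain || !withc) { free(plain); free(withc); return r; }
    for (size_t i = 0; i < n; i++) {
        plain[i] = sample_plain();
        withc[i] = sample_cpuid();
    }
    r.supported = 1;
    r.median_plain = median_u64(plain, n);
    r.median_cpuid = median_u64(withc, n);
    r.max_cpuid = withc[n - 1];   /* array is sorted after median_u64 */
    free(plain);
    free(withc);
#else
    (void)n;
#endif
    return r;
}

/* 1 when the median CPUID interval exceeds the assumed threshold. */
int cpuid_exit_suspected(const tsc_probe *p) {
    return p->supported && p->median_cpuid > EXIT_SUSPECT_TICKS;
}

int main(void) {
    char vendor[13];
    tsc_probe p = probe_tsc(1000);
    if (!p.supported) { puts("unsupported: no RDTSC/CPUID on this target"); return 0; }
    cpuid_vendor(vendor);
    printf("vendor=%s plain=%llu cpuid=%llu max_cpuid=%llu suspect=%d\n", vendor,
           (unsigned long long)p.median_plain, (unsigned long long)p.median_cpuid,
           (unsigned long long)p.max_cpuid, cpuid_exit_suspected(&p));
    return 0;
}
```

Compile with `gcc -O2 -o tscprobe tscprobe.c` and run it on the host and in the guest; the plain interval should be similar in both, while the cpuid interval in the guest carries the exit cost that no .vmx setting in this thread removes.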
Scillonian
Hot Shot

> I'm trying to fix an exploit that forces a VM exit on cpuid 0 in rdtsc

What is the source of this supposed exploit? Do you have a CVE reference?

> this sample code detects if it runs in VMware

How? It is just a random code snippet with no definitive indication of what language it is in.

> I tried to find how to fix this, but no result

Not surprising. The only search result I get is this thread!

> sample of what has been done on vbox: vbox: disable rdtsc VM exit · cnuke/genode@85175fe · GitHub

Well that appears to be about mitigating audio recording problems due to CPU overload when trapping RDTSC so what is the connection?

> ->>> program that detects if it is in VMware with this exploit: GitHub - a0rtega/pafish: Pafish is a demonstration tool that employs several techniques to detect sa...

Posting the output of this tool here may enlighten us on what this is all about.

medisotar
Contributor

* Pafish (Paranoid fish) *
Some anti(debugger/VM/sandbox) tricks
used by malware for the general public.
[*] Windows version: 6.1 build 7601
[*] CPU: GenuineIntel
    CPU brand: Intel(R) Core(TM)2 Quad  CPU  Q9300  @ 2.50GHz
[-] Debuggers detection
[*] Using IsDebuggerPresent() ... OK
[-] CPU information based detections
[*] Checking the difference between CPU timestamp counters (rdtsc) ... OK
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
[*] Checking hypervisor bit in cpuid feature bits ... OK
[*] Checking cpuid hypervisor vendor for known VM vendors ... OK
[-] Generic sandbox detection
[*] Using mouse activity ... traced!
[*] Checking username ... OK
[*] Checking file path ... OK
[*] Checking common sample names in drives root ... OK
[*] Checking if disk size <= 60GB via DeviceIoControl() ... OK
[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
[*] Checking if Sleep() is patched using GetTickCount() ... OK
[*] Checking if NumberOfProcessors is < 2 via raw access ... OK
[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
[*] Checking if pysical memory is < 1Gb ... OK
[*] Checking operating system uptime using GetTickCount() ... traced!
[*] Checking if operating system IsNativeVhdBoot() ... OK
[-] Hooks detection
[*] Checking function ShellExecuteExW method 1 ... OK
[*] Checking function CreateProcessA method 1 ... OK
[-] Sandboxie detection
[*] Using GetModuleHandle(sbiedll.dll) ... OK
[-] Wine detection
[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
[*] Reg key (HKCU\SOFTWARE\Wine) ... OK
[-] VirtualBox detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
[*] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
[*] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
[*] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
[*] Additional system files ... OK
[*] Looking for a MAC address starting with 08:00:27 ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VBoxTray windows ... OK
[*] Looking for VBox network share ... OK
[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
[*] Looking for VBox devices using WMI ... OK
[-] VMware detection
[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... OK
[*] Looking for network adapter name ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VMware serial number ... OK
[-] Qemu detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK
[-] Bochs detection
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid AMD wrong value for processor name ... OK
[*] cpuid Intel wrong value for processor name ... OK
[-] Cuckoo detection
[*] Looking in the TLS for the hooks information structure ... OK
[-] Feel free to RE me, check log file for more information.

wila
Immortal

Hi,

There really are a LOT of ways to detect if you are running under a hypervisor or under VMware specifically.

Not sure if I'm reading the output correctly. Have you already made changes to the VM to evade VMware detection?

Have you added the restrict_backdoor setting already?

eg see for details:

https://communities.vmware.com/thread/448013?start=0&tstart=0

edit: for other's reading this, some pafish explanation: Sandbox detection: Pafish overview | Portcullis Labs

edit2: and SANS has an article about this too, with a lot of possible settings in your vmx to try out:

http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

--

Wil

medisotar
Contributor

yes, I added every setting I could find

my vmx settings:

.encoding = "windows-1251"
config.version = "8"
virtualHW.version = "12"
numvcpus = "4"
cpuid.coresPerSocket = "4"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsisas1068"
memsize = "4096"
mem.hotadd = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "Windows 7 x64-000002.vmdk"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.virtualDev = "e1000"
ethernet0.wakeOnPcktRcv = "FALSE"
ethernet0.addressType = "static"
ethernet0.address = 00:02:12:21:01:44
usb.present = "TRUE"
ehci.present = "TRUE"
ehci.pciSlotNumber = "35"
usb_xhci.present = "TRUE"
sound.present = "TRUE"
sound.virtualDev = "hdaudio"
sound.fileName = "-1"
sound.autodetect = "TRUE"
svga.graphicsMemoryKB = "1048576"
pciBridge0.present = "TRUE"
pciBridge4.present = "TRUE"
pciBridge4.virtualDev = "pcieRootPort"
pciBridge4.functions = "8"
pciBridge5.present = "TRUE"
pciBridge5.virtualDev = "pcieRootPort"
pciBridge5.functions = "8"
pciBridge6.present = "TRUE"
pciBridge6.virtualDev = "pcieRootPort"
pciBridge6.functions = "8"
pciBridge7.present = "TRUE"
pciBridge7.virtualDev = "pcieRootPort"
pciBridge7.functions = "8"
hpet0.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
displayName = "Windows 7 x64"
guestOS = "windows7-64"
nvram = "Windows 7 x64.nvram"
virtualHW.productCompatibility = "hosted"
gui.applyHostDisplayScalingToGuest = "FALSE"
powerType.powerOff = "soft"
powerType.powerOn = "soft"
powerType.suspend = "soft"
powerType.reset = "soft"
extendedConfigFile = "Windows 7 x64.vmxf"
monitor_control.restrict_backdoor = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
vmx.buildType = "release"
mainMem.useNamedFile = "FALSE"
MemTrimRate = "0"
prefvmx.minVmMemPct = "100"
prefvmx.useRecommendedLockedMemSize = "TRUE"
sched.mem.pshare.enable = "FALSE"
logging = "TRUE"
isolation.tools.unity.disable = "TRUE"
unity.wasCapable = "FALSE"
unity.allowCompositingInGuest = "FALSE"
unity.showBorders = "FALSE"
unity.showBadges = "FALSE"
unity.enableLaunchMenu = "FALSE"
monitor_control.virtual_rdtsc = "FALSE"
hypervisor.cpuid.v0 = "FALSE"
hypervisor.cpuid.v1 = "FALSE"
mce.enable = "TRUE"
monitor_control.disable_directexec = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
vmci.available = "FALSE"
guest.commands.enabled = "FALSE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.monitor.control.disable = "TRUE"
isolation.tools.ghi.autologon.disable = "TRUE"
isolation.bios.bbs.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
isolation.tools.ghi.launchmenu.change = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
isolation.tools.ghi.protocolhandler.info.disable = "TRUE"
isolation.ghi.host.shellAction.disable = "TRUE"
isolation.tools.dispTopoRequest.disable = "TRUE"
isolation.tools.trashFolderState.disable = "TRUE"
isolation.tools.ghi.trayicon.disable = "TRUE"
isolation.tools.unityInterlockOperation.disable = "TRUE"
isolation.tools.unity.taskbar.disable = "TRUE"
isolation.tools.unityActive.disable = "TRUE"
isolation.tools.unity.windowContents.disable = "TRUE"
isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.vmxDnDVersionGet.disable = "TRUE"
isolation.tools.guestDnDVersionSet.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.autoInstall.disable = "TRUE"
isolation.tools.vixMessage.disable = "TRUE"
tools.guestlib.enableHostInfo = "FALSE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
disk.EnableUUID = "TRUE"
vbios.filename = "VGA_BIOS.ROM"
bios440.filename = "SYSTEM_BIOS.ROM"
numa.autosize.vcpu.maxPerVirtualNode = "4"
numa.autosize.cookie = "40001"
uuid.bios = "06 47 ac 71 5c 7b 23 a1-8d 6a 1e dc d1 be a2 d1"
uuid.location = "56 4d a8 72 5e 70 63 f3-80 64 1d dc e4 be 89 4d"
migrate.hostlog = ".\Windows 7 x64-ac484745.hlog"
scsi0:0.redo = ""
pciBridge0.pciSlotNumber = "17"
pciBridge4.pciSlotNumber = "21"
pciBridge5.pciSlotNumber = "22"
pciBridge6.pciSlotNumber = "23"
pciBridge7.pciSlotNumber = "24"
scsi0.pciSlotNumber = "160"
usb.pciSlotNumber = "32"
ethernet0.pciSlotNumber = "33"
sound.pciSlotNumber = "34"
usb_xhci.pciSlotNumber = "192"
scsi0.sasWWID = "50 05 05 62 5c 7b 23 a0"
monitor.phys_bits_used = "42"
vmotion.checkpointFBSize = "8388608"
vmotion.checkpointSVGAPrimarySize = "134217728"
softPowerOff = "FALSE"
sata0.present = "TRUE"
tools.syncTime = "FALSE"
sata0.pciSlotNumber = "37"
checkpoint.vmState = ""
scsi0:1.present = "TRUE"
scsi0:1.fileName =
scsi0:1.deviceType = "cdrom-image"
tools.remindInstall = "TRUE"
vmsafe.enable = "FALSE"
svga.autodetect = "FALSE"
isolation.tools.hgfs.disable = "TRUE"
bios.bootDelay = "7000"
RemoteDisplay.maxConnections = "1"
tools.upgrade.policy = "manual"
usb.generic.allowHID = "TRUE"
cpuid.80000007.edx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.1.ecx="0000:0000:0000:1000:1110:0011:1111:1101"
cpuid.1.eax="0000:0000:0000:0001:0000:0110:0111:0111"
cpuid.1.ebx="hhhh:hhhh:hhhh:h1hh:hhhh:1hhh:hhhh:hhhh"
cpuid.1.edx="1011:1111:1110:1011:1111:1011:1111:1111"
cpuid.a.eax="0000:0111:0010:1000:0000:0010:0000:0010"
cpuid.a.ecx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.a.ebx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.a.edx="0000:0000:0000:0000:0000:0101:0000:0011"
mks.enable3d = "TRUE"
svga.maxWidth = "3840"
svga.maxHeight = "2160"
svga.vramSize = "134217728"
svga.numDisplays = "1"
scsi0:1.startConnected = "false"
scsi0:1.autodetect = "TRUE"
svga.guestBackedPrimaryAware = "TRUE"
vmci0.present = "FALSE"
sata0:1.present = "FALSE"
floppy0.present = "FALSE"
sata0:0.present = "FALSE"
cleanShutdown = "FALSE"
usb_xhci:4.present = "TRUE"
usb_xhci:4.deviceType = "hid"
usb_xhci:4.port = "4"
usb_xhci:4.parent = "-1"

I have only this detection:

[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!

this one, [*] Using mouse activity ... traced!, goes away if I move the mouse a little in the VM

this one, [*] Checking operating system uptime using GetTickCount() ... traced!, goes away by itself after 5 min of system uptime

c:\test>redpill
idt base: 0x4067080
Not in Matrix.

c:\test\ScoopyNG>scoopyng
####################################################
::       ScoopyNG - The VMware Detection Tool     ::
::              Windows version v1.0              ::
[+] Test 1: IDT
IDT base: 0x9f45c0
Result  : Native OS
[+] Test 2: LDT
LDT base: 0xdead0000
Result  : Native OS
[+] Test 3: GDT
GDT base: 0x2f6e540
Result  : Native OS
[+] Test 4: STR
STR base: 0x40000000
Result  : Native OS
[+] Test 5: VMware "get version" command
Result  : Native OS
[+] Test 6: VMware "get memory size" command
Result  : Native OS
[+] Test 7: VMware emulation mode
Result  : Native OS or VMware without emulation mode
          (enabled acceleration)
::                   tk,  2008                    ::
::               [ www.trapkit.de ]               ::
####################################################

medisotar
Contributor

????

wila
Immortal

Hi,

I understand your frustration.

But somehow I don't think it is possible to completely evade detection of running in a VM.

I'd be happy to hear/learn otherwise, but unless somebody that works on the innards of the hypervisor jumps in down here, I'm afraid there won't be many more tips.

--
Wil

medisotar
Contributor

for it to become undetected, I need to find how to disable the forced VM exit when it calls cpuid 0 in rdtsc

is it possible to pass through the host rdtsc?

Scillonian
Hot Shot

What context are you using CPUID in?

If you are using it as the value a processor returns to tell you which processor it is (486, Pentium, Core 2, etc) then from what I understand '0' is an unallocated/unused value. It would seem reasonable to me that when the hypervisor is presented with an invalid CPUID for a VM it would exit the VM.

wila
Immortal

Umm.. I don't know, but you could of course have run strings on the binary and try to poke around a bit with the results from that.

Like:

:/usr/lib/vmware/bin$ strings vmware-vmx | grep -i rdtsc
disable_rdtsc_batching
disable_rdtscopt_bt
disable_rdtscopt_de
virtual_rdtsc
RDTSC exiting
Enable RDTSCP
Disabling TSC scaling since virtual_rdtsc is disabled.
timeTracker.vtsc.rdtscCountThreshold
RDTSC
cpuid.RDTSCP
IA32_VMX_PROCBASED_CTLS.RDTSC_REQUIRED
IA32_VMX_PROCBASED_CTLS.RDTSC_ALLOWED
IA32_VMX_PROCBASED_CTLS2.RDTSCP_REQUIRED
IA32_VMX_PROCBASED_CTLS2.RDTSCP_ALLOWED
IA32_VMX_TRUE_PROCBASED_CTLS.RDTSC_REQUIRED
IA32_VMX_TRUE_PROCBASED_CTLS.RDTSC_ALLOWED
HVSimEmitRDTSCCheck
HVSimEmitRDTSCP
HVSimEmitClusteredRDTSCP
HVSimEmitRDTSC
HVSimEmitClusteredRDTSC
HVSimRDTSCPExit
HVSimRDTSCExit
HVSimRDTSC
HVSimRDTSCP
hvTrapRDTSC
HVSimEmitRDTSCCheck
HVSimEmitRDTSCP
HVSimEmitClusteredRDTSCP
HVSimEmitRDTSC
HVSimEmitClusteredRDTSC
HVSimRDTSCPExit
HVSimRDTSCExit
HVSimRDTSC
HVSimRDTSCP
hvTrapRDTSC
OPCODE_RDTSC
rdtscCnt
OPCODE_RDTSCP

So the vmware player binary certainly is doing something with RDTSC, if any of those strings up there is a configurable option, I don't know... I'll leave that as your home work.

--

Wil
