how to disable vm exit on cpuid 0x00 ?
If you want some help from the community then something more than cryptic messages would help.
What version of Workstation are you using? What is your host OS? What is the guest OS? Is the host or guest having problems? What are you trying to achieve?
Host: Windows 7 x64
Guest: Windows 7 x64
12.1.1 build-3770994; I think all versions have this problem.
I need to bypass/fix this bug/exploit.
For this I need to disable the VM exit on CPUID 0, but I don't know how.
I don't know why this bug, #10947 (Wrong instruction after single-step exception with 'rdtsc' and 'cpuid' => fixed in SVN) – or... does VMware have it? Or did VMware's devs clone VirtualBox's bugged code?
Hi,
Please do not keep on posting the same question all over the forum, I removed a few of your duplicate posts.
Your question still isn't clear and crossposting it all over doesn't help.
Besides that, crossposting isn't allowed, as it makes it very difficult to follow a discussion if you scatter it over a lot of isolated posts (see forum Community Terms of Use, article 1i).
Instead please explain what you are trying to do and what exactly the issue is?
Are you getting errors or does the VM crash or??
At the moment you are just posting some code and telling us that you are getting an unexpected result, but there's no context.
What has the problem to do with VirtualBox, for example? Does the problem happen there as well, or are you trying to run both VirtualBox and VMware Workstation/Player at the same time, or are you trying to run VirtualBox as a guest?
How about starting with attaching a vmware.log and explaining a bit more details of the issue?
If you provide a bit more context I might even be able to move your post to a more relevant sub forum, but at this moment I am not even understanding your issue.
thanks,
--
Wil
I am trying to fix an exploit that forces a VM exit on CPUID 0 in rdtsc.
This sample code detects if it is run in VMware.
I tried to find how to fix this, but no result.
I think disabling the VM exit would fix the problem, but I don't know how.
A sample of what was done on VirtualBox: vbox: disable rdtsc VM exit · cnuke/genode@85175fe · GitHub
How do I do this on VMware? What option should I use?
The code I posted detects if the program runs under a debugger. And the program thinks VMware is a debugger, and that needs to be disabled.
->>> A program that detects if it is in VMware with this exploit: GitHub - a0rtega/pafish: Pafish is a demonstration tool that employs several techniques to detect sa...
Ok, so if I'm reading your question correctly, you're not seeing an error, but instead want to evade detection by some unknown software that it is running in a VM?
(Not sure what the "exploit" bit is about.)
The specifics are very low level (the rdtsc turns out to be an x86 CPU register) and as this is an end user forum I do not expect a lot of replies on the specifics.
There used to be a VMware employee around that answered this type of question, but he isn't around anymore.
Maybe covelli has an answer on this, but that's just a rough guess on who might be able to answer.
edit: A program that runs under a debugger has, AFAIK, a completely different way of detecting that.
E.g., as we are talking about Windows, that would normally be done via the Windows API IsDebuggerPresent.
Of course I don't know what that API call does... (as I do not normally meddle in assembly)
--
Wil
As I understand it, this bug is not fixable and cannot be disabled?
Why is the VM exit forced when it tries to call CPUID?
If it doesn't call CPUID, all is good; it happens only, as you see in the code comment, if
mov eax, 0x00
cpuid
This code works fine and doesn't detect VMware (if I change cpuid.x.xxx="xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx"):
/* Two back-to-back rdtsc reads; returns the cycle delta between them.
 * Each rdtsc leaves the low 32 bits of the TSC in eax and the high 32 in edx. */
static inline unsigned long long rdtsc_diff(void) {
    unsigned long long ret, ret2;
    unsigned eax, edx;
    __asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
    ret = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
    __asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
    ret2 = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
    return ret2 - ret;   /* large or wildly varying deltas suggest trapping */
}
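The pafish check that trips in this thread ("rdtsc forcing VM exit") is the snippet above with CPUID leaf 0 placed between the two rdtsc reads. The following is an added example, not code from the thread or from pafish: it runs both variants many times and compares medians, so a sandbox operator can see how much exit overhead the hypervisor exposes to the guest. It assumes GCC or Clang on x86-64, and the 1000-cycle threshold is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <cpuid.h>       /* __cpuid() macro (GCC/Clang, x86) */
#include <x86intrin.h>   /* __rdtsc() */
#define SAMPLES 1000

/* Two rdtsc reads back to back, optionally with CPUID leaf 0 in between.
 * CPUID always exits to the hypervisor under VT-x, so the second variant
 * also measures the round trip through the VMM. */
uint64_t rdtsc_delta(int with_cpuid) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    if (with_cpuid)
        __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}
static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples (sorts a copy): robust against interrupt outliers. */
uint64_t median_u64(const uint64_t *v, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp), m;
    for (size_t i = 0; i < n; i++) tmp[i] = v[i];
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    m = (n % 2) ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2;
    free(tmp);
    return m;
}

/* Collect SAMPLES deltas of one variant and return their median. */
uint64_t median_delta(int with_cpuid) {
    uint64_t v[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) v[i] = rdtsc_delta(with_cpuid);
    return median_u64(v, SAMPLES);
}

/* pafish-style verdict: a median above the threshold means the pair is being
 * trapped. 1000 cycles is an assumption for this example: CPUID on bare
 * metal costs a few hundred cycles at most, a VM exit round trip thousands. */
int looks_trapped(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

int main(void) {
    uint64_t plain = median_delta(0), exiting = median_delta(1);
    printf("median rdtsc delta: plain=%llu, with cpuid=%llu cycles\n",
           (unsigned long long)plain, (unsigned long long)exiting);
    printf("cpuid variant: %s\n", looks_trapped(exiting, 1000)
           ? "traced (VM exit overhead visible)" : "not traced");
    return 0;
}
```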
I am trying to fix an exploit that forces a VM exit on CPUID 0 in rdtsc.
What is the source of this supposed exploit? Do you have a CVE reference?
This sample code detects if it is run in VMware.
How? It is just a random code snippet with no definitive indication of what language it is in.
I tried to find how to fix this, but no result.
Not surprising. The only search result I get is this thread!
A sample of what was done on VirtualBox: vbox: disable rdtsc VM exit · cnuke/genode@85175fe · GitHub
Well that appears to be about mitigating audio recording problems due to CPU overload when trapping RDTSC so what is the connection?
->>> A program that detects if it is in VMware with this exploit: GitHub - a0rtega/pafish: Pafish is a demonstration tool that employs several techniques to detect sa...
Posting the output of this tool here may enlighten us on what this is all about.
* Pafish (Paranoid fish) *
Some anti(debugger/VM/sandbox) tricks
used by malware for the general public.
[*] Windows version: 6.1 build 7601
[*] CPU: GenuineIntel
CPU brand: Intel(R) Core(TM)2 Quad CPU Q9300 @ 2.50GHz
[-] Debuggers detection
[*] Using IsDebuggerPresent() ... OK
[-] CPU information based detections
[*] Checking the difference between CPU timestamp counters (rdtsc) ... OK
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
[*] Checking hypervisor bit in cpuid feature bits ... OK
[*] Checking cpuid hypervisor vendor for known VM vendors ... OK
[-] Generic sandbox detection
[*] Using mouse activity ... traced!
[*] Checking username ... OK
[*] Checking file path ... OK
[*] Checking common sample names in drives root ... OK
[*] Checking if disk size <= 60GB via DeviceIoControl() ... OK
[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
[*] Checking if Sleep() is patched using GetTickCount() ... OK
[*] Checking if NumberOfProcessors is < 2 via raw access ... OK
[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
[*] Checking if pysical memory is < 1Gb ... OK
[*] Checking operating system uptime using GetTickCount() ... traced!
[*] Checking if operating system IsNativeVhdBoot() ... OK
[-] Hooks detection
[*] Checking function ShellExecuteExW method 1 ... OK
[*] Checking function CreateProcessA method 1 ... OK
[-] Sandboxie detection
[*] Using GetModuleHandle(sbiedll.dll) ... OK
[-] Wine detection
[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
[*] Reg key (HKCU\SOFTWARE\Wine) ... OK
[-] VirtualBox detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
[*] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
[*] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
[*] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
[*] Additional system files ... OK
[*] Looking for a MAC address starting with 08:00:27 ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VBoxTray windows ... OK
[*] Looking for VBox network share ... OK
[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
[*] Looking for VBox devices using WMI ... OK
[-] VMware detection
[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... OK
[*] Looking for network adapter name ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VMware serial number ... OK
[-] Qemu detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK
[-] Bochs detection
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid AMD wrong value for processor name ... OK
[*] cpuid Intel wrong value for processor name ... OK
[-] Cuckoo detection
[*] Looking in the TLS for the hooks information structure ... OK
[-] Feel free to RE me, check log file for more information.
--
Hi,
There really are a LOT of ways to detect if you are running under a hypervisor or under VMware specifically.
Not sure if I'm reading the output correctly. Have you already made changes to the VM to evade VMware detection?
Have you added the restrict_backdoor setting already?
e.g. see for details:
https://communities.vmware.com/thread/448013?start=0&tstart=0
edit: for others reading this, some pafish explanation: Sandbox detection: Pafish overview | Portcullis Labs
edit2: and SANS has an article about this too, with a lot of possible settings in your vmx to try out:
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
--
Wil
Yes, I added every setting I found.
My vmx settings:
.encoding = "windows-1251"
config.version = "8"
virtualHW.version = "12"
numvcpus = "4"
cpuid.coresPerSocket = "4"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsisas1068"
memsize = "4096"
mem.hotadd = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "Windows 7 x64-000002.vmdk"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.virtualDev = "e1000"
ethernet0.wakeOnPcktRcv = "FALSE"
ethernet0.addressType = "static"
ethernet0.address = 00:02:12:21:01:44
usb.present = "TRUE"
ehci.present = "TRUE"
ehci.pciSlotNumber = "35"
usb_xhci.present = "TRUE"
sound.present = "TRUE"
sound.virtualDev = "hdaudio"
sound.fileName = "-1"
sound.autodetect = "TRUE"
svga.graphicsMemoryKB = "1048576"
pciBridge0.present = "TRUE"
pciBridge4.present = "TRUE"
pciBridge4.virtualDev = "pcieRootPort"
pciBridge4.functions = "8"
pciBridge5.present = "TRUE"
pciBridge5.virtualDev = "pcieRootPort"
pciBridge5.functions = "8"
pciBridge6.present = "TRUE"
pciBridge6.virtualDev = "pcieRootPort"
pciBridge6.functions = "8"
pciBridge7.present = "TRUE"
pciBridge7.virtualDev = "pcieRootPort"
pciBridge7.functions = "8"
hpet0.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
displayName = "Windows 7 x64"
guestOS = "windows7-64"
nvram = "Windows 7 x64.nvram"
virtualHW.productCompatibility = "hosted"
gui.applyHostDisplayScalingToGuest = "FALSE"
powerType.powerOff = "soft"
powerType.powerOn = "soft"
powerType.suspend = "soft"
powerType.reset = "soft"
extendedConfigFile = "Windows 7 x64.vmxf"
monitor_control.restrict_backdoor = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
vmx.buildType = "release"
mainMem.useNamedFile = "FALSE"
MemTrimRate = "0"
prefvmx.minVmMemPct = "100"
prefvmx.useRecommendedLockedMemSize = "TRUE"
sched.mem.pshare.enable = "FALSE"
logging = "TRUE"
isolation.tools.unity.disable = "TRUE"
unity.wasCapable = "FALSE"
unity.allowCompositingInGuest = "FALSE"
unity.showBorders = "FALSE"
unity.showBadges = "FALSE"
unity.enableLaunchMenu = "FALSE"
monitor_control.virtual_rdtsc = "FALSE"
hypervisor.cpuid.v0 = "FALSE"
hypervisor.cpuid.v1 = "FALSE"
mce.enable = "TRUE"
monitor_control.disable_directexec = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
vmci.available = "FALSE"
guest.commands.enabled = "FALSE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.monitor.control.disable = "TRUE"
isolation.tools.ghi.autologon.disable = "TRUE"
isolation.bios.bbs.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
isolation.tools.ghi.launchmenu.change = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
isolation.tools.ghi.protocolhandler.info.disable = "TRUE"
isolation.ghi.host.shellAction.disable = "TRUE"
isolation.tools.dispTopoRequest.disable = "TRUE"
isolation.tools.trashFolderState.disable = "TRUE"
isolation.tools.ghi.trayicon.disable = "TRUE"
isolation.tools.unityInterlockOperation.disable = "TRUE"
isolation.tools.unity.taskbar.disable = "TRUE"
isolation.tools.unityActive.disable = "TRUE"
isolation.tools.unity.windowContents.disable = "TRUE"
isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.vmxDnDVersionGet.disable = "TRUE"
isolation.tools.guestDnDVersionSet.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.autoInstall.disable = "TRUE"
isolation.tools.vixMessage.disable = "TRUE"
tools.guestlib.enableHostInfo = "FALSE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
disk.EnableUUID = "TRUE"
vbios.filename = "VGA_BIOS.ROM"
bios440.filename = "SYSTEM_BIOS.ROM"
numa.autosize.vcpu.maxPerVirtualNode = "4"
numa.autosize.cookie = "40001"
uuid.bios = "06 47 ac 71 5c 7b 23 a1-8d 6a 1e dc d1 be a2 d1"
uuid.location = "56 4d a8 72 5e 70 63 f3-80 64 1d dc e4 be 89 4d"
migrate.hostlog = ".\Windows 7 x64-ac484745.hlog"
scsi0:0.redo = ""
pciBridge0.pciSlotNumber = "17"
pciBridge4.pciSlotNumber = "21"
pciBridge5.pciSlotNumber = "22"
pciBridge6.pciSlotNumber = "23"
pciBridge7.pciSlotNumber = "24"
scsi0.pciSlotNumber = "160"
usb.pciSlotNumber = "32"
ethernet0.pciSlotNumber = "33"
sound.pciSlotNumber = "34"
usb_xhci.pciSlotNumber = "192"
scsi0.sasWWID = "50 05 05 62 5c 7b 23 a0"
monitor.phys_bits_used = "42"
vmotion.checkpointFBSize = "8388608"
vmotion.checkpointSVGAPrimarySize = "134217728"
softPowerOff = "FALSE"
sata0.present = "TRUE"
tools.syncTime = "FALSE"
sata0.pciSlotNumber = "37"
checkpoint.vmState = ""
scsi0:1.present = "TRUE"
scsi0:1.fileName =
scsi0:1.deviceType = "cdrom-image"
tools.remindInstall = "TRUE"
vmsafe.enable = "FALSE"
svga.autodetect = "FALSE"
isolation.tools.hgfs.disable = "TRUE"
bios.bootDelay = "7000"
RemoteDisplay.maxConnections = "1"
tools.upgrade.policy = "manual"
usb.generic.allowHID = "TRUE"
cpuid.80000007.edx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.1.ecx="0000:0000:0000:1000:1110:0011:1111:1101"
cpuid.1.eax="0000:0000:0000:0001:0000:0110:0111:0111"
cpuid.1.ebx="hhhh:hhhh:hhhh:h1hh:hhhh:1hhh:hhhh:hhhh"
cpuid.1.edx="1011:1111:1110:1011:1111:1011:1111:1111"
cpuid.a.eax="0000:0111:0010:1000:0000:0010:0000:0010"
cpuid.a.ecx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.a.ebx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.a.edx="0000:0000:0000:0000:0000:0101:0000:0011"
mks.enable3d = "TRUE"
svga.maxWidth = "3840"
svga.maxHeight = "2160"
svga.vramSize = "134217728"
svga.numDisplays = "1"
scsi0:1.startConnected = "false"
scsi0:1.autodetect = "TRUE"
svga.guestBackedPrimaryAware = "TRUE"
vmci0.present = "FALSE"
sata0:1.present = "FALSE"
floppy0.present = "FALSE"
sata0:0.present = "FALSE"
cleanShutdown = "FALSE"
usb_xhci:4.present = "TRUE"
usb_xhci:4.deviceType = "hid"
usb_xhci:4.port = "4"
usb_xhci:4.parent = "-1"
I have only this detection:
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
This one, [*] Using mouse activity ... traced!, goes away if I move the mouse a little on the VM.
This one, [*] Checking operating system uptime using GetTickCount() ... traced!, goes away by itself after 5 minutes of system uptime.
c:\test>redpill
idt base: 0x4067080
Not in Matrix.
c:\test\ScoopyNG>scoopyng
####################################################
:: ScoopyNG - The VMware Detection Tool ::
:: Windows version v1.0 ::
[+] Test 1: IDT
IDT base: 0x9f45c0
Result : Native OS
[+] Test 2: LDT
LDT base: 0xdead0000
Result : Native OS
[+] Test 3: GDT
GDT base: 0x2f6e540
Result : Native OS
[+] Test 4: STR
STR base: 0x40000000
Result : Native OS
[+] Test 5: VMware "get version" command
Result : Native OS
[+] Test 6: VMware "get memory size" command
Result : Native OS
[+] Test 7: VMware emulation mode
Result : Native OS or VMware without emulation mode
(enabled acceleration)
:: tk, 2008 ::
:: [ www.trapkit.de ] ::
####################################################
????
Hi,
I understand your frustration.
But somehow I don't think it is possible to completely evade detection of running in a VM.
I'd be happy to hear/learn otherwise, but unless somebody that works on the innards of the hypervisor jumps in down here, I'm afraid there won't be many more tips.
--
Wil
For it to become undetected, I need to find how to disable the forced VM exit when it calls CPUID 0 on rdtsc.
Is it possible to pass through the host rdtsc?
What context are you using CPUID in?
If you are using it as the value a processor returns to tell you which processor it is (486, Pentium, Core 2, etc.) then from what I understand '0' is an unallocated/unused value. It would seem reasonable to me that when the hypervisor is presented with an invalid CPUID for a VM it would exit the VM.
Umm.. I don't know, but you could of course have run strings on the binary and tried to poke around a bit with the results from that.
Like:
:/usr/lib/vmware/bin$ strings vmware-vmx | grep -i rdtsc
disable_rdtsc_batching
disable_rdtscopt_bt
disable_rdtscopt_de
virtual_rdtsc
RDTSC exiting
Enable RDTSCP
Disabling TSC scaling since virtual_rdtsc is disabled.
timeTracker.vtsc.rdtscCountThreshold
RDTSC
cpuid.RDTSCP
IA32_VMX_PROCBASED_CTLS.RDTSC_REQUIRED
IA32_VMX_PROCBASED_CTLS.RDTSC_ALLOWED
IA32_VMX_PROCBASED_CTLS2.RDTSCP_REQUIRED
IA32_VMX_PROCBASED_CTLS2.RDTSCP_ALLOWED
IA32_VMX_TRUE_PROCBASED_CTLS.RDTSC_REQUIRED
IA32_VMX_TRUE_PROCBASED_CTLS.RDTSC_ALLOWED
HVSimEmitRDTSCCheck
HVSimEmitRDTSCP
HVSimEmitClusteredRDTSCP
HVSimEmitRDTSC
HVSimEmitClusteredRDTSC
HVSimRDTSCPExit
HVSimRDTSCExit
HVSimRDTSC
HVSimRDTSCP
hvTrapRDTSC
HVSimEmitRDTSCCheck
HVSimEmitRDTSCP
HVSimEmitClusteredRDTSCP
HVSimEmitRDTSC
HVSimEmitClusteredRDTSC
HVSimRDTSCPExit
HVSimRDTSCExit
HVSimRDTSC
HVSimRDTSCP
hvTrapRDTSC
OPCODE_RDTSC
rdtscCnt
OPCODE_RDTSCP
So the VMware Player binary certainly is doing something with RDTSC; whether any of those strings up there is a configurable option, I don't know... I'll leave that as your homework.
--
Wil
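The RDTSC_REQUIRED / RDTSC_ALLOWED strings in that list are the vmx binary probing the VT-x capability MSRs (IA32_VMX_PROCBASED_CTLS and friends). As an added example, not code from the thread or from VMware, here is how those MSRs are decoded, using constructed sample values rather than a real hardware read; it also shows why there is no analogous CPUID knob: CPUID is one of the instructions that exit unconditionally under VT-x, so no VMM setting can suppress that exit.

```c
#include <stdint.h>
#include <stdio.h>

/* MSR indices (Intel SDM vol. 3, VMX capability reporting appendix);
 * readable on a host with rdmsr or /dev/cpu/N/msr as root. */
#define IA32_VMX_PROCBASED_CTLS      0x482
#define IA32_VMX_PROCBASED_CTLS2     0x48B
#define IA32_VMX_TRUE_PROCBASED_CTLS 0x48E

/* Control bit positions (SDM vol. 3, VM-execution controls). There is no
 * CPUID bit in any of these MSRs: CPUID causes a VM exit unconditionally in
 * VMX non-root operation, so no VMM option can suppress that exit. */
#define PROCBASED_RDTSC_EXITING  12  /* primary: trap RDTSC */
#define PROCBASED2_ENABLE_RDTSCP  3  /* secondary: RDTSCP allowed (else #UD) */
#define PROCBASED2_TSC_SCALING   25  /* secondary: use TSC scaling */

enum ctl_state { CTL_FIXED_OFF, CTL_ALLOWED, CTL_REQUIRED };

/* Bits 31:0 of a capability MSR are the allowed 0-settings (1 = the control
 * must be set, i.e. REQUIRED); bits 63:32 are the allowed 1-settings
 * (1 = the control may be set, i.e. ALLOWED). Neither set: fixed off. */
enum ctl_state vmx_ctl_state(uint64_t msr, unsigned bit) {
    uint32_t allowed0 = (uint32_t)msr, allowed1 = (uint32_t)(msr >> 32);
    if (allowed0 & (1u << bit)) return CTL_REQUIRED;
    if (allowed1 & (1u << bit)) return CTL_ALLOWED;
    return CTL_FIXED_OFF;
}

/* Sanity check: anything the hardware requires must also be allowed. */
int vmx_ctl_msr_consistent(uint64_t msr) {
    uint32_t allowed0 = (uint32_t)msr, allowed1 = (uint32_t)(msr >> 32);
    return (allowed0 & ~allowed1) == 0;
}

static const char *ctl_name(enum ctl_state s) {
    return s == CTL_REQUIRED ? "REQUIRED" : s == CTL_ALLOWED ? "ALLOWED" : "fixed off";
}

int main(void) {
    /* Constructed sample values, not read from hardware: a primary-controls
     * MSR where RDTSC exiting is allowed but not required, and a secondary
     * MSR offering RDTSCP and TSC scaling. */
    uint64_t primary   = 0xFFF9FFFE0401E172ULL;
    uint64_t secondary = 0x0200000800000000ULL;
    printf("primary MSR consistent: %d\n", vmx_ctl_msr_consistent(primary));
    printf("RDTSC exiting: %s\n", ctl_name(vmx_ctl_state(primary, PROCBASED_RDTSC_EXITING)));
    printf("enable RDTSCP: %s\n", ctl_name(vmx_ctl_state(secondary, PROCBASED2_ENABLE_RDTSCP)));
    printf("TSC scaling:   %s\n", ctl_name(vmx_ctl_state(secondary, PROCBASED2_TSC_SCALING)));
    return 0;
}
```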