miechovy
Enthusiast

VMware hardening or VMX file change to achieve a similar effect to the VMRay.com solution

Is there any way to achieve a more or less "agent-less" effect in VMware, similar to the VMRay solution? Or does somebody know the best way to create a max-hardened VM by changing the .VMX file configuration?

I have read many solutions, like editing the BIOS / EFI ROM to change or delete "vmware%", or adding some custom configuration, e.g. "isolation.tools*". Some of them are useful.

I am still searching for the best way to hide the VM from detection of the VM environment. Do you know any tricks to obfuscate a VM against anti-VM detection?

19 Replies
daphnissov
Immortal

What exactly is your goal you're trying to achieve here?

miechovy
Enthusiast

I'm trying to find more ways to prevent / harden the VM against detection of the VM environment by a malicious file.

daphnissov
Immortal

You can view the latest security guide here which contains some parameters that can be changed.

miechovy
Enthusiast

That's not what I meant. I was rather thinking of how to hide the information that it is a virtual system.

wila
Immortal

Hi,

You can't really hide that fact, only flawed VM detection mechanisms will fall for hiding parts of the info.

The VM using a chipset based on an Intel 440BX chipset while running on a modern processor is a dead giveaway.

There is no motherboard that uses that strange combination, so by definition when you see that, the hardware is a VM.

You can look at this thread for ideas:

Re: how to disable vm exit on cpuid 0x00 ?

But I'm not entirely convinced it makes sense to spend much time on this.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
miechovy
Enthusiast

I have read this topic some time ago. Furthermore, most of the information from the VMware community forum regarding anti-VM techniques I know very well.

But still I am wondering, in a way, how VMware employees did it in the VMRay solution?

I know only that VMRay is without any agents / tools installed (agentless). Therefore I am asking about new ways to hide the VM system by using the VMX file configuration.

daphnissov
Immortal

The point of VMRay is not to obfuscate the nature of a system but to detect and analyze threats and malware. There is not going to be a way to comprehensively eliminate all traces of a host being a virtual instance. And, moreover, what's your use case? Why would you be wanting to do this in the first place?

miechovy
Enthusiast

Basically, I'm using a VM to analyse malware samples, as a lot of people do, therefore the max-anti-VM solution is what I have to do. I do not know exactly how VMRay works, but on this blog https://www.vmray.com/blog/a-pafish-primer/ we can see that all data belonging to the VM system is hidden from the pafish project.

And I'm wondering how they build this environment:

[image: pafish_1_getmousepos_ok.png]

In my own environment I could not do it like VMRay shows on screen, only for:

"Checking the difference between CPU and timestamp counters (rdtsc) forcing VM exit"

"Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier"

"Looking for pseudo devices".

These features are red. The rest I have green.

I'm looking for a way to build the best environment based on the VMware hypervisor that is hard to detect for malware running in the virtual system. I know there are many ways to detect a VM. I do not know all of them, that's why I am asking for some advice.

daphnissov
Immortal

A quote from the end of that same article:

Summary

Pafish is a great tool for hardening your malware analysis environment, though this is not possible in all cases due to the un-remediable side-effects of certain technologies. While in the past virtual machine detection used to be a powerful mechanism for malware to conceal its real behavior, the effectiveness of this approach is diminishing constantly due to the ubiquitous usage of virtualization on productive systems, both server and client-side.

I've bolded the important areas. 1) It's not possible to obfuscate absolutely everything and, more importantly, 2) there is basically no point in trying to obfuscate or detect the existence of an instance within a virtual machine because it gives you no toehold.

So, in short, don't worry about it because you're not gaining anything valuable here in your attempts to mask if a system is running in a VM or not.

wila
Immortal

Hi,

Ah, pointing to the article helps. I had looked up the vmray.com site, but not seen the article that debates pafish.

What is in the registry at:

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier

If there's a string that has "VMware" ---> you've found another reason why pafish marks that as not passed.

Note that the port numbers etc. might be different.

For the RDTSC check:

Their article says "The CPU just has to be configured to allow guests execution of the rdtsc instruction without trapping in the hypervisor."

If you then look at sanbarrow.com

You'll see this option:

monitor_control.virtual_rdtsc = "false"

This should turn off TSC virtualisation.

For pseudo devices... I'm not sure what they are looking for. I see the code is at: GitHub - a0rtega/pafish: Pafish is a demonstration tool that employs several techniques to detect sa...  but I'm too lazy to read all the source to find what it checks for.

As you're the researcher, perhaps you can point out the lines of that check?

--

Wil

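As an added check for the registry point above (example code written for this thread, not pafish's or VMware's): the audit below walks the same HKLM\HARDWARE\DEVICEMAP\Scsi tree that pafish reads, at whatever port, bus, target and LUN numbers exist, and reports each Identifier value that still contains "VMware". The matching is pure Python and is run here over a constructed sample; the registry walk uses the standard winreg module and therefore only works inside the Windows guest.

```python
r"""Audit HKLM\HARDWARE\DEVICEMAP\Scsi for Identifier values that leak the
VMware vendor string. Added example for this thread, not pafish or VMware
code; the sample identifiers at the bottom are constructed."""
import re

SCSI_ROOT = r"HARDWARE\DEVICEMAP\Scsi"
# Case-insensitive, like a "vmware%" search in a batch script would be.
LEAK = re.compile(r"vmware", re.IGNORECASE)


def leaking_identifiers(identifiers):
    """identifiers: {registry key path: Identifier string}.
    Returns the sorted key paths whose Identifier mentions VMware."""
    return sorted(path for path, ident in identifiers.items()
                  if ident and LEAK.search(ident))


def _subkeys(key):
    """Yield the subkey names of an open winreg key (EnumKey stops with OSError)."""
    import winreg
    index = 0
    while True:
        try:
            yield winreg.EnumKey(key, index)
        except OSError:
            return
        index += 1


def read_scsi_identifiers(path=SCSI_ROOT, found=None):
    """Windows only: recurse Scsi Port N / Scsi Bus N / Target Id N /
    Logical Unit Id N and collect every Identifier value found on the way."""
    import winreg
    found = {} if found is None else found
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        try:
            found[path] = winreg.QueryValueEx(key, "Identifier")[0]
        except OSError:
            pass                      # this level has no Identifier value
        for sub in _subkeys(key):
            read_scsi_identifiers(path + "\\" + sub, found)
    return found


# Constructed sample of what such a tree might contain.
SAMPLE = {
    SCSI_ROOT + r"\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0": "VMware   Virtual disk    2.0",
    SCSI_ROOT + r"\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0": "NECVMWar VMware SATA CD00",
    SCSI_ROOT + r"\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0": "Generic  SATA disk  1.00",
}

if __name__ == "__main__":
    for path in leaking_identifiers(SAMPLE):
        print("leaks vendor string:", path)
```

On a real guest, replace SAMPLE with read_scsi_identifiers() and re-run after every boot, since the thread reports the values being restored by the guest.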
miechovy
Enthusiast

My VMX file contains this data:

cpuid.disable_apicExtRegs = "TRUE"
monitor_control.enable_fullcpuid = "TRUE"
cpuid.1.eax = "0---:----:----:----:----:----:----:----"
cpuid.1.ecx = "0---:----:----:----:----:----:----:----"
cpuid.1.edx = "0---:----:----:----:----:----:----:----"
monitor_control.restrict_backdoor = "true"
monitor_control.disable_directexec = "true"
monitor_control.disable_chksimd = "true"
monitor_control.disable_ntreloc = "true"
monitor_control.disable_selfmod = "true"
monitor_control.disable_reloc = "true"
monitor_control.disable_btinout = "true"
monitor_control.disable_btmemspace = "true"
monitor_control.disable_btpriv = "true"
monitor_control.disable_btseg = "true"
monitor_control.enable_extended_core = "true"
monitor_control.enable_paravirt = "true"
monitor_control.virtual_rdtsc = "false"
isolation.tools.getPtrLocation.disable = "true"
isolation.tools.getVersion.disable = "true"
SMBIOS.reflecthost = "TRUE"
SMBIOS.assettag = "IBM Corporation"
SMBIOS.useShortSerialNumber = "TRUE"

monitor_control.virtual_rdtsc = "false"

This should turn off TSC virtualisation

Unfortunately, it didn't work for me. Pafish still shows a red line for "Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit". Could it be changed in some way?

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier

If there's a string that has "VMware" ---> you've found another reason why pafish marks that as not passed.

Note that the port numbers etc. might be different.

You are right. Do you know how to change / rename / delete the information about VMware from this data?

For pseudo devices...

Pafish main.c contains:

exec_check("Looking for pseudo devices", &vmware_devices, NULL, "hi_vmware");

wila
Immortal

Hi,
Well for the RDTSC undocumented vmx feature... it's a good question for why it isn't working.

There's a chance that some other setting in your vmx file is blocking it.

Like the method of virtualisation. Note that one of those (Binary Translation) is, I think, removed in Workstation 14, so if this feature depended on that then you are out of luck with WS14.

As for the registry.. you can change the value in regedit, so that is scriptable.

Thanks for the pointer on main.c

That leads me to:

#include <windows.h>
#include <stdio.h>

/* pafish's own headers provide this typedef; declared here so the excerpt compiles on its own. */
typedef char *string;
void write_log(const char *msg);   /* defined elsewhere in pafish */

/* Returns TRUE if either VMware guest device can be opened. */
int vmware_devices(int writelogs) {
    HANDLE h;
    const int count = 2;
    string strs[count];            /* variable-length array, as in pafish */
    int res = FALSE, i = 0;
    char message[200];
    strs[0] = "\\\\.\\HGFS";       /* VMware shared folders (HGFS) device */
    strs[1] = "\\\\.\\vmci";       /* Virtual Machine Communication Interface */
    for (i = 0; i < count; i++) {
        h = CreateFile(strs[i], GENERIC_READ, FILE_SHARE_READ, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {
            snprintf(message, sizeof(message) - sizeof(message[0]),
                     "VMWare traced using device %s", strs[i]);
            if (writelogs) write_log(message);
            res = TRUE;
            CloseHandle(h);        /* added: the original leaks the handle */
        }
    }
    return res;
}

so it looks like it is searching for HGFS and vmci.

You should be able to disable vmci in the vmx.

vmci0.present = "FALSE"

Probably you can do the same for HGFS there too.

Perhaps this setting?

isolation.tools.hgfs.disable = "TRUE"

Personally I would run pafish in a debugger for testing this part.

--
Wil

miechovy
Enthusiast

Well for the RDTSC undocumented vmx feature... it's a good question for why it isn't working.

There's a chance that some other setting in your vmx file is blocking it.

Like the method of virtualisation. Note that one of those (Binary Translation) is I think removed in Workstation 14, so if this feature was depended on that then you are out of luck with WS14.

True. It is hard to say why it is not working. I restored the original VMX config from backup and added vmci0.present = "FALSE" and isolation.tools.hgfs.disable = "TRUE".
The first setting, vmci0.present = "FALSE", messes up the VMX config: VMware gives an error that the VMX is corrupted. As for the second setting, isolation.tools.hgfs.disable = "TRUE", it also didn't work, but the VM started without error.

As for the registry.. you can change the value in regedit, so that is scriptable.

I don't think so. VMware restores all registry changes to the default settings after a system reboot :(

wila
Immortal

re. registry. So you run a script on boot? That's the reason why I said "it is scriptable".

As for "vmx file is corrupt"

Did you happen to copy&paste the settings from my reply?

If so then it is possible that the setting had smart quotes.

E.g. the " symbol is slightly different in that case and not the normal quote symbol that you get from your keyboard.

That is a common reason for seeing a "vmx file is corrupt" error.

--

Wil

miechovy
Enthusiast

Did you happen to copy&paste the settings from my reply?

Indeed. But now I have another error: "Dictionary problem."

wila
Immortal

Hi,

My memory is fuzzy on what might cause a dictionary problem, but for sure it is something wrong in the vmx (hope you made a copy).

Perhaps an end of line character that's different? I tried a few things here and can't trigger it atm.

As for the actual

vmci0.present = "FALSE"

setting.

I just added it here on a VM and it boots fine. Or actually I just changed a line with the "TRUE" statement into "FALSE".

This is on a host with WS 12.x, but I don't expect that this has changed on WS 14.x.

Beware that it is best to have VMware workstation closed and shut down when editing vmx files, although I doubt that that would trigger the dictionary issue.

--

Wil

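To catch the paste problems described in the last few replies before VMware does, here is an added example (mine, not from the thread or from VMware) that scans VMX text for smart quotes, CR line endings, lines that are not in key = "value" form, and duplicate keys. Which of these actually triggers the "Dictionary problem" is not established above; the checker only flags the candidates. The VMX sample inside it is constructed.

```python
"""Check VMX text for the copy-and-paste problems discussed in this thread:
smart quotes, CR line endings, malformed lines and duplicate keys.
Added example, not VMware tooling; the VMX content below is constructed."""
import re

# Typographic quotes that pasting from a web page can introduce.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"
# A well-formed VMX line: key = "value", with optional surrounding whitespace.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"([^"]*)"\s*$')


def check_vmx(text):
    """Return a list of (line_number, problem) tuples; an empty list means clean."""
    problems = []
    seen = {}                       # lower-cased key -> first line number
    for lineno, line in enumerate(text.split("\n"), start=1):
        if line.endswith("\r"):
            problems.append((lineno, "CR line ending"))
            line = line[:-1]
        if not line.strip() or line.lstrip().startswith("#"):
            continue                # blank line or comment
        if any(ch in line for ch in SMART_QUOTES):
            problems.append((lineno, 'smart quote instead of ASCII "'))
            continue
        m = VMX_LINE.match(line)
        if not m:
            problems.append((lineno, 'not key = "value" form'))
            continue
        key = m.group(1).lower()    # assumption: VMX keys compare case-insensitively
        if key in seen:
            problems.append((lineno, "duplicate key %s (first on line %d)"
                             % (key, seen[key])))
        else:
            seen[key] = lineno
    return problems


# Constructed sample: settings from the thread plus four deliberate faults.
SAMPLE_VMX = (
    'monitor_control.virtual_rdtsc = "false"\n'
    'vmci0.present = \u201cFALSE\u201d\n'          # pasted with smart quotes
    'isolation.tools.hgfs.disable = "TRUE"\r\n'   # Windows CR LF line ending
    'monitor_control.virtual_rdtsc = "false"\n'   # duplicate key
    'SMBIOS.reflecthost = "TRUE\n'                # missing closing quote
)

if __name__ == "__main__":
    for lineno, problem in check_vmx(SAMPLE_VMX):
        print("line %d: %s" % (lineno, problem))
```

Run it over the real file with check_vmx(open(path, newline="").read()) so that CR characters survive reading and are reported.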
miechovy
Enthusiast

re. registry. So you run a script on boot? That's the reason why I said "it is scriptable".

You are right, man! 🙂 I have written a simple .bat file to change all registry data containing the "vmware%" string. I hope it will be enough to start it on system boot via the task scheduler.

Now the "Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier" feature is green. Thanks for that.

As for "Checking the difference between CPU and timestamp counters (rdtsc) forcing VM exit", I still have a problem hiding it. I have now resolved the problem with VMX corruption or the "dictionary problem" (and you were right once again: the vmx file should be edited with the VMware process fully shut down on the host).

vmci0.present = "FALSE" and isolation.tools.hgfs.disable = "TRUE"

These settings do not seem to affect the "...forcing VM exit" feature.

wila
Immortal

vmci0.present = "FALSE" and isolation.tools.hgfs.disable = "TRUE"

These settings do not seem to affect the "...forcing VM exit" feature.

But those settings are for the "pseudo devices" test, not the forcing VM exit one.

You would have to either run pafish in a debugger or run a test to see if either of those pipes from the C++ code are still there.

My guess is that the vmci one is gone, but the hgfs one still there, but that's just a guess.

--

Wil

miechovy
Enthusiast

I do not know what to ask more, so thank you for your help.
