Sunday 8 May 2011

Anti-VMware

A simple way to detect whether your application is running under VMware: look for the artifacts that VMware Tools and the virtual hardware leave behind.

Path:
C:\Program Files\VMware\VMware Tools


Running process:
VMwareUser.exe
VMwareTray.exe
VMUpgradeHelper.exe
vmacthlp.exe


Registry:
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
"Identifier"="NECVMWar VMware IDE CDR10"

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
"Identifier"="VMware, VMware Virtual S1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum]
"0"="SCSI\\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\\4&5fcaafc&0&000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]
"DriverDesc"="VMware SVGA II"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings]
"Device Description"="VMware SVGA II"

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools]
"InstallPath"="C:\\Program Files\\VMware\\VMware Tools\\"
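
The same artifacts are useful from the other side: someone running an analysis VM wants to know which of these fingerprints their sandbox exposes before hardening it. The following Python helper is an added example, not code from the original post. It parses a registry export in `.reg` text form (as produced by `reg export`) and a list of running process names, and reports which of the locations listed above name VMware. The sample export and process list are constructed for illustration; generalising the post's `ControlSet001` to any control set or the `CurrentControlSet` alias is my assumption.

```python
# Sandbox-hardening audit: which of the VMware fingerprints listed in the post are
# visible in a Windows registry export (.reg text, e.g. from `reg export`) and in a
# list of process names. Added example, not code from the original post; the sample
# export and process list at the bottom are constructed, not captured.
import re
from typing import Dict, Iterable, List

RegistryTree = Dict[str, Dict[str, str]]  # key path -> {value name: data}

# Process image names listed in the post (compared case-insensitively).
VMWARE_PROCESSES = {"vmwareuser.exe", "vmwaretray.exe", "vmupgradehelper.exe", "vmacthlp.exe"}

# Registry locations listed in the post, as (key regex, value-name regex).
# Assumption: the post's ControlSet001 is generalised to any ControlSetNNN or the
# CurrentControlSet alias, since an export from a live machine may show either.
_CS = r"(?:ControlSet\d{3}|CurrentControlSet)"
_CLASS = r"\\Control\\Class\\\{4D36E968-E325-11CE-BFC1-08002BE10318\}\\\d{4}"
VMWARE_REGISTRY_CHECKS = [
    (r"^HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+\\Scsi Bus \d+"
     r"\\Target Id \d+\\Logical Unit Id \d+$", r"Identifier"),
    (r"^HKEY_LOCAL_MACHINE\\SYSTEM\\" + _CS + r"\\Services\\Disk\\Enum$", r"\d+"),
    (r"^HKEY_LOCAL_MACHINE\\SYSTEM\\" + _CS + _CLASS + r"$", r"DriverDesc"),
    (r"^HKEY_LOCAL_MACHINE\\SYSTEM\\" + _CS + _CLASS + r"\\Settings$", r"Device Description"),
    (r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc\.\\VMware Tools$", r"InstallPath"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Sub\Key]
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "Name"=data  or  @=data


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> RegistryTree:
    """Parse .reg text into {key: {name: data}}; REG_SZ is unquoted, other types kept verbatim."""
    tree: RegistryTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            tree.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.groups()
            name = "@" if name == "@" else _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            tree[current][name] = data
    return tree


def find_vmware_registry_artifacts(tree: RegistryTree) -> List[str]:
    """Return 'key\\name = data' for each listed location whose data names VMware."""
    hits = []
    for key, values in tree.items():
        for key_re, name_re in VMWARE_REGISTRY_CHECKS:
            if not re.match(key_re, key, re.IGNORECASE):
                continue
            for name, data in values.items():
                if re.fullmatch(name_re, name, re.IGNORECASE) and "vmware" in data.lower():
                    hits.append(f"{key}\\{name} = {data}")
    return hits


def find_vmware_processes(process_names: Iterable[str]) -> List[str]:
    """Return the image names that match the post's VMware Tools processes."""
    return sorted((p for p in process_names if p.lower() in VMWARE_PROCESSES), key=str.lower)


def audit(reg_text: str, process_names: Iterable[str]) -> dict:
    registry_hits = find_vmware_registry_artifacts(parse_reg_export(reg_text))
    process_hits = find_vmware_processes(process_names)
    return {"registry": registry_hits, "processes": process_hits,
            "looks_like_vmware": bool(registry_hits or process_hits)}


# Constructed sample export holding the post's keys and data (not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
"Identifier"="NECVMWar VMware IDE CDR10"
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
"Identifier"="VMware, VMware Virtual S1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum]
"0"="SCSI\\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\\4&5fcaafc&0&000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000]
"DriverDesc"="VMware SVGA II"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings]
"Device Description"="VMware SVGA II"
[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools]
"InstallPath"="C:\\Program Files\\VMware\\VMware Tools\\"
"""
SAMPLE_PROCESSES = ["explorer.exe", "VMwareTray.exe", "vmacthlp.exe", "notepad.exe"]  # constructed

if __name__ == "__main__":
    print(audit(SAMPLE_REG_EXPORT, SAMPLE_PROCESSES))
```

Run against a real export, any line in `registry` is a value that an anti-VM check of the kind described here would see; the sandbox operator can then rename or remove the corresponding device strings and Tools components. Only REG_SZ data is unescaped; `dword:`/`hex:` values are kept as their literal text, which is enough for the substring match used here.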

There are really a lot of ways to detect VMware (this is why sometimes I'm bored of malware that checks for VMs).
I refer you to this interesting paper if you want more information on VM detection: On the Cutting Edge: Thwarting Virtual Machine Detection


Hypervisor Abyss (In French)
http://www.ivanlef0u.tuxfamily.org/?p=120
http://www.ivanlef0u.tuxfamily.org/?p=122
http://www.ivanlef0u.tuxfamily.org/?p=124

---
http://xylibox.blogspot.com/2011/03/ms-removal-tool.html
http://xylibox.blogspot.com/2011/03/cleanthis-fake-mse-alert.html
