How would I run this code in a networked machine?

B&W

Hello, as part of my project I need to simulate attacks against other computers on the network in order to find out whether they are running in a Virtual Machine environment.

I have found some code on the internet that can do this, however it needs to be run inside the VM.

Is there any way I could run this code from a PC on the same network, so that it would be able to determine if one of the networked hosts is on a VM?

The code is available at:

http://www.codegurus.be/codegurus/Programming/virtualpc&vmware_en.htm

More specifically:

Code:
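// MSVC-only: relies on structured exception handling (__try/__except)
// and 32-bit x86 inline assembly (__asm).
bool IsVirtualPC()
{
  __try 
  {
    __asm
    {
      // Execute the magic code sequence
      mov eax, 1
      db 0fh
      aas
      pop es
      or eax, edi
      inc ebp
      cld
      dd 0ffffffffh
    };
  }
  __except(1) // 1 == EXCEPTION_EXECUTE_HANDLER
  {
    // An exception occurred, we ain't in Virtual PC
    return false;
  }
  // We succeeded, we're Virtual PC emulated
  return true;
}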
 
Thanks for the reply mate. It is supposed to look like an attack; how would I go about doing this remote DLL injection?

Note: my programming skills are extremely poor.
 
Thanks for your reply again. Since my programming skills are awful, I think it's best if I try to monitor the traffic. I've used nmap. I've downloaded metasploit and nessus. Will try them as well.

Is there anything else I could code to try and detect the VM?
 
Also, would there be one example of an active attack that wouldn't be too hard to implement? I think I should show at least 1 example, otherwise I may lose quite a few marks.
 
Yup, it is for a final year project, 7000 words minimum required. I am less worried about that; I am more worried about achieving one of my objectives, which is:

• To simulate attacks on the NIDS and determine whether there are any telltale signs that the NIDS is being run in a VM environment

At my disposal I have a number of network monitoring tools.

Basically the NIDS is being run in a VM environment, so by trying to analyse the network behaviour or attack the VM host (or even the physical machine running the VM...) I'm trying to tell if there are signs that it's being run in a VM environment.

Of course, once the NIDS is compromised it is very easy to determine that you're in a VM environment.
 
Yes, I am using a NIDS distribution with a version of Snort. The VM machine is running a Windows XP OS, fully patched (can be reinstalled without the patches if required).
 
Yeah, that's what I'm going to try. I will also try scanning the physical machine which is running the VM in case it gives indications of what it's running (which it shouldn't though).

I think it would be difficult to detect what the VM host is, especially considering that the whole basis is that you're an external cracker trying to break the NIDS; as such you have no idea what kind of applications would be on the VM.
 
Hmm, yeah, that's an interesting idea. The code would have to run, return a value and then report back to sender, which would be done through the email client I guess.
 
Uhuh, I'm just trying to figure out how I would run that application I linked to earlier on that PC and make it report back.

Some kind of script I guess.

First the application would need to be sent to the email addy and automatically run; once that is done the result should be collected and sent back to the original sender. If I could get that to work, it would be pretty neat.

Thanks for the help dude, BRB in a short while.
 