How would I run this code in a networked machine?

B&W
Hello, as part of my project I need to simulate attacks against other computers on the network in order to find out whether they are running in a Virtual Machine environment.

I have found some code on the internet that can do this, however it needs to be run inside the VM.

Is there any way I could run this code from a PC on the same network, so that it would be able to determine if one of the networked hosts is on a VM?

The code is available at:

http://www.codegurus.be/codegurus/Programming/virtualpc&vmware_en.htm

More specifically:

Code:
// Virtual PC detection routine from the codegurus page linked above.
// Needs the Microsoft compiler on 32-bit x86: __asm blocks and
// __try/__except structured exception handling are MSVC-only.
bool IsVirtualPC()
{
  __try 
  {
    __asm
    {
      // Execute the magic code sequence. Virtual PC recognises these
      // otherwise-invalid instruction bytes as its guest/host interface;
      // real hardware raises an invalid-opcode exception instead.
      mov eax, 1
      db 0fh
      aas
      pop es
      or eax, edi
      inc ebp
      cld
      dd 0ffffffffh
    };
  }
  __except(1)   // 1 == EXCEPTION_EXECUTE_HANDLER
  {
    // An exception occurred, we ain't in Virtual PC
    return false;
  }
  // We succeeded, we're Virtual PC emulated
  return true;
}
 
Well the code needs to be run inside the virtual machine so there are a few ways I can see to do it over a network:

- Write some server code which sits on all the networked virtual machines which accepts your detection code and jumps execution to that once it has been received. This is like a 2 stage payload system, you can do remote dll injection as well...

(Though you may as well put your detection code locally on the virtual machine if you're gonna do that, since you have control over the VM normally)

- It may actually be possible to use vmware remote debugger interface to do it.
 
Thanks for the reply mate, it is supposed to look like an attack, how would I go about doing this remote dll injection?

note: my programming skills are extremely poor..
 
Ok so you're wanting to simulate an attack which I guess detects whether a VM is present and then, if it is, chooses a different execution path (i.e. like trojan behaviour).

Now let's assume you have a network service which you can exploit to get this code injected. (You could write a simple server listener with a stack-based buffer overflow which you could exploit) and put that on the virtual machine. If you can't install anything on the virtual machine then you need to find some software which is vulnerable and that's a whole different story. (If you don't know how to exploit software then you've got a long way to go.)

Remote library injection[1] is not really needed in this case. If you've got a buffer you can fill with your detection code then you should be able to just jump execution to it. This all depends on whether you can find something exploitable or write your own code which sits on the VM and listens.

[1] http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf

Have you thought of looking at network traffic from a virtual machine and comparing that to a physical machine? I'm not sure if you could determine anything from this. However, if you need to do detection passively then this is a possible idea as well.

Interesting idea though, not seen that much about VM detection over a network... could be a cool project.
 
Thanks for your reply again. Since my programming skills are awful I think it's best if I try to monitor the traffic. I've used nmap. I've downloaded metasploit and nessus, will try them as well.

Is there anything else I could use to try and detect the VM?
 
Also, would there be one example of an active attack that wouldn't be too hard to implement? I think I should show at least 1 example otherwise I may lose quite a few marks.
 
Detection of virtual machines is quite a hot topic at the moment and far from trivial. There are plenty of ways I could think of as areas of research into, however that's all it is, research, and I couldn't give you any definitive answers.

You basically got to spot differences between virtual machines and physical machines. The way virtual machines are implemented often misses out features which a real physical architecture machine would exhibit. You also have timing issues, clock skew/drift etc. that give the game away.

Peter Ferrie's paper gives an in-depth view into this stuff - well worth a read. [1]

I'm not sure you will be able to tell anything from network traffic since your guest OS uses the host's physical network interfaces. However, I wonder if flags like TTL/window size etc. will be different between a physical and virtual interface... hmm...

Wireshark's the best tool for the job to look at network traffic by the way.

[1] http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf

Actually what you're doing... I don't think anyone has done before, though I may be wrong. Good luck with it, should be some interesting results.

The easiest way is to just run that code inside your virtual machine hehe. Otherwise as I say above you need some way to remotely execute the code if you have to do it across a network.
 
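The "clock skew/drift" signal mentioned in the reply above can be measured passively from the TCP timestamp option, so a sensor owner can check whether their own VM-hosted NIDS leaks a drift that differs from a bare-metal box. The script below is an added example, not code from the thread or from the codegurus page; the captures, hosts and tick rates in it are constructed, and the tshark field names in the comment are the only real tool reference.

```python
# Added example: estimate a remote host's clock skew from TCP timestamp
# options (TSval), one of the "timing issues, clock skew/drift" signals.
# Samples below are constructed; real ones can be pulled from a capture with
# tshark -T fields -e frame.time_epoch -e tcp.options.timestamp.tsval

def estimate_skew_ppm(samples, hz):
    """Least-squares slope of the (remote - local) clock offset against local time.

    samples: list of (t_local_seconds, tsval) for one remote host.
    hz: the remote host's TCP timestamp tick rate (commonly 100, 250 or 1000).
    Returns skew in parts per million; positive means the remote clock runs fast.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    pts = [(t, tsval / hz - t) for t, tsval in samples]
    n = len(pts)
    mean_t = sum(t for t, _ in pts) / n
    mean_o = sum(o for _, o in pts) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    sxy = sum((t - mean_t) * (o - mean_o) for t, o in pts)
    return sxy / sxx * 1e6


def make_samples(skew_ppm, hz, base_tsval, count=120, step=5.0):
    """Constructed capture: one TSval every `step` seconds from a host whose
    clock drifts by `skew_ppm` relative to the capturing machine."""
    return [(i * step, round(base_tsval + hz * i * step * (1 + skew_ppm * 1e-6)))
            for i in range(count)]


def skew_report(captures, hz):
    """captures: {host_label: samples}. Returns {host_label: skew_ppm}.
    The useful signal is the difference between a host under test and a
    known physical baseline measured from the same capture point."""
    return {host: estimate_skew_ppm(samples, hz) for host, samples in captures.items()}


# Constructed data: one host drifting 200 ppm fast, one with no measurable drift.
# Addresses are from the 192.0.2.0/24 documentation range.
CAPTURES = {
    "guest-192.0.2.10": make_samples(200.0, 1000, 1_000_000),
    "bare-metal-192.0.2.20": make_samples(0.0, 1000, 5_000_000),
}

if __name__ == "__main__":
    for host, ppm in skew_report(CAPTURES, 1000).items():
        print(f"{host}: {ppm:+.1f} ppm")
```

A single reading proves nothing, as the reply says; the point of the baseline host is to see whether the virtualised sensor's drift is consistently larger or less stable than physical hosts on the same segment.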
Yup it is for a final year project, 7000 words minimum required. I am less worried about that, I am more worried about achieving one of my objectives which is:

• To simulate attacks on the NIDS and determine whether there are any tell-tale signs that the NIDS is being run in a VM environment

At my disposal I have a number of network monitoring tools.

Basically the NIDS is being run in a VM environment, so by trying to analyse the network behaviour or attack the VM host (or even the physical machine running the VM...) I'm trying to tell if there are signs that it's being run in a VM environment.

Of course once the NIDS is compromised it is very easy to determine that you're in a VM environment.
 
What NIDS are you using? Snort?
 
Yes I am using a NIDS distribution with a version of snort. The VM machine is running a Windows XP OS, fully patched (can be reinstalled without the patches if required).
 
I think looking at the network traffic is the only passive way you could detect the presence of a VM (if it's even possible at all, I don't know).

http://lcamtuf.coredump.cx/p0f.shtml / nmap -O / wireshark output...

It shouldn't even be possible to detect a NIDS alone if it's set up correctly.

You could possibly attack the NIDS and try to get it to do tons and tons of analysis of the network traffic (i.e. DoS attack) and maybe crash it or exploit it, hehe. Compare the results of that in a virtual machine vs a physical machine.
 
yeah, that's what I'm going to try. I will also try scanning the physical machine which is running the VM in case it gives indications of what it's running (which it shouldn't though).

I think it would be difficult to detect what the VM host is, especially considering that the whole basis is that you're an external cracker trying to break the NIDS, as such you have no idea what kind of applications would be on the VM.
 
If I was an external cracker I would go for the mailserver or the AV scanner though. Prolly through a mail attachment + code execution these days. Lots of signal/noise ratio to hide in and compromise any machines on the internal network, and you can pretty much ignore the external filtering with covert channels. **** active attacks on a network with IDS :-).
 
hmm yeah that's an interesting idea, the code would have to run, return a value and then report back to the sender, which would be done through the email client I guess.
 
Sure but at that point you got their machine bot net'd. Can control whatever you want via P2P commands (e.g. storm worm) or something like Immunity's PINK blog post C&C :)
 
uhuh, I'm just trying to figure out how I would run that application I linked to earlier on that PC and make it report back.

Some kind of script I guess.

First the application would need to be sent to the email addy and automatically run; once that is done the result should be collected and sent back to the original sender. If I could get that to work it would be pretty neat.

Thanks for the help dude, BRB in a short while.
 