Git-Mirrors/thgtoa
1
0
Fork 0
mirror of https://github.com/Anon-Planet/thgtoa.git synced 2024-08-05 17:55:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Note these factors when using nested virtualization.

Browse Source 
You can still be caught out by some identifiers in a VM.

Signed-off-by: Sharp-tailed Grouse <sharptail@riseup.net>
This commit is contained in:
Sharp-tailed Grouse 2022-10-12 22:59:44 -04:00
parent 4c89ea6377
commit 66f75641fa
No known key found for this signature in database
GPG Key ID: 6C7408090F90B43D
1 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
guide.md
View File

@ -340,6 +340,7 @@ Finally note that this guide does mention and even recommends various commercial
- [Addons to install/consider:]
- [Bonus resources:]
- [Appendix W: Virtualization]
- [Nested virtualization risks]
- [Appendix X: Using Tor bridges in hostile environments]
- [Appendix Y: Installing and using desktop Tor Browser]
- [Installation:][25]
@ -11735,12 +11736,40 @@ Here is a little basic illustration of what Virtualization is:
Each Virtual Machine is a sandbox. Remember the reasons for using them are to prevent the following risks:
- Mitigate local data leaks and easier clean-up in case of risk (everything is contained within the VM and only the VM identifiers could be leaked and not the Host Hardware identifiers)
- Mitigate local data leaks and easier clean-up in case something gets messed up or it is suspected to be compromised.
- Reduce malware/exploit attack surfaces (if your VM is compromised, the adversary still must figure out he is in a VM and then gain access to the Host OS which is not so trivial).
- Mitigate online data leaks by being able to enforce strict network rules on Virtual Machines for accessing the network (such as passing through the Tor Network).
## Nested virtualization risks
**There is an inherently larger attack surface when nesting virtualization.**
Here's some host information that can be leaked through the Virtual Machine:
- Organizationally unique identifier or OUI - the unique identifier assigned to VMWare Guest VMs;
- Virtual Windows registry keys like **ProductID** might show the Host Machine's environment:
`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId XXXXX-123-1234567-12345`
- HDD, GPU, and mouse drivers can be exposed through: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\`
- Registry entries will show that this is a virtual mouse: `%WINDIR%\system32\drivers\vmmouse.sys`
- Descriptor Table Registers: <https://stackoverflow.com/questions/52505313/what-are-descriptor-registers/52505743#52505743>
- Since it's a Virtual Machine using the same CPU cores, the descriptor values are relocated due to there only being space for one of each identifier per CPU. This is a dead giveaway and is used in detection by advanced malware. It's employed by malware architects to tell when the program is being ran in a forensics environment, even such as a Remnux or Flare VM - popular OS and OS addons that are used by experts to analyze the malware.
- VMware Tools detection:
- In fact, some advanced malware actually automatically detect virtualization. This is trivial; most VMs contain this addon, operating unhidden by the Guest VM (it's user-installed, after successfully launching the VM). You don't want to install the tools in any of the VMs discussed in this guide because it can be easily detected by simple checks. It's not worth the exposure.
- Guest VMs also indirectly access the same hardware as the Host.
See <https://www.malwarebytes.com/blog/news/2014/02/a-look-at-malware-with-virtual-machine-detection> for more techniques used by malware to detect virtualization. These techniques are mostly prevented by appending some settings to your VM config file (.vmx). <https://blog.talosintelligence.com/2009/10/how-does-malware-know-difference.html>
# Appendix X: Using Tor bridges in hostile environments
In some environments, your ISPs might be trying to prevent you from accessing Tor. Or accessing Tor openly might be a safety risk.
@ -13812,6 +13841,7 @@ In short, our opinion is that you may use Session Messenger on iOS due to the ab
[Addons to install/consider:]: #addons-to-installconsider
[Bonus resources:]: #bonus-resources
[Appendix W: Virtualization]: #appendix-w-virtualization
[Nested virtualization risks]: #nested-virtualization-risks
[Appendix X: Using Tor bridges in hostile environments]: #appendix-x-using-tor-bridges-in-hostile-environments
[Appendix Y: Installing and using desktop Tor Browser]: #appendix-y-installing-and-using-desktop-tor-browser
[25]: #installation-6