From 80693aea4abf5462245e6ba336713f74031f692a Mon Sep 17 00:00:00 2001 From: Than Harrison Date: Fri, 7 Oct 2022 18:13:10 -0400 Subject: [PATCH] A few ways you leak data to your Guest VMs Signed-off-by: Than Harrison --- guide.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/guide.md b/guide.md index a75847b..17fc060 100644 --- a/guide.md +++ b/guide.md 
@@ -11735,12 +11735,34 @@ Here is a little basic illustration of what Virtualization is: Each Virtual Machine is a sandbox. Remember the reasons for using them are to prevent the following risks: -- Mitigate local data leaks and easier clean-up in case of risk (everything is contained within the VM and only the VM identifiers could be leaked and not the Host Hardware identifiers) +- Mitigate local data leaks and easier clean-up in case something gets messed up or it is suspected to be compromised. - Reduce malware/exploit attack surfaces (if your VM is compromised, the adversary still must figure out he is in a VM and then gain access to the Host OS which is not so trivial). - Mitigate online data leaks by being able to enforce strict network rules on Virtual Machines for accessing the network (such as passing through the Tor Network). +There is still an inherently larger attack surface when nesting virtualization. + +Some host information that can be leaked through the Virtual Machine include: + +- Organizationally unique identifier or OUI - the unique identifier assigned to VMWare Guest VMs; + +- Virtual Windows registry keys like **ProductID** might show the Host Machine's environment: `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId XXXXX-123-1234567-12345`; + +- HDD, GPU, and mouse drivers can be exposed through the `HKEY_LOCAL_MACHINE\System\CurrentControlSet\`; + +- `%WINDIR%\system32\drivers\vmmouse.sys` registry entries (which show that this is a virtual mouse); + +- Descriptor Table Registers ; + + - Since it's a Virtual Machine using the same CPU cores, the descriptor values are relocated due to there only being space for one of each identifier per CPU. This is a dead giveaway and is used in detection by advanced malware. It's employed by malware architects to tell when the program is being ran in a forensics environment, even such as a Remnux or Flare VM - popular OS and OS addons that are used by experts to analyze the malware. 
+ +- VMware Tools detection: In fact, some advanced malware actually automatically detect virtualization. This is trivial; most VMs contain this addon, operating unhidden by the Guest VM (it's user-installed, after successfully launching the VM). You don't want to install the tools in any of the VMs discussed in this guide because it can be easily detected by simple checks. It's not worth the exposure. + +- Guest VMs also indirectly access the same hardware as the Host. + +See for more techniques used by malware to detect virtualization. These techniques are mostly prevented by appending some settings to your config file (.vmx). + # Appendix X: Using Tor bridges in hostile environments In some environments, your ISPs might be trying to prevent you from accessing Tor. Or accessing Tor openly might be a safety risk.
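Review bot: The sentence `See for more techniques used by malware to detect virtualization.` is missing its link target, so the reader is pointed at nothing; add the URL or drop "See". In the same hunk, the bullet `- Descriptor Table Registers ;` has a stray space before the semicolon and is followed by a blank line and a differently indented sub-bullet, which will render as a separate list; fold the explanation into the bullet itself. Two bullets need tightening for accuracy: `%WINDIR%\system32\drivers\vmmouse.sys` is a driver file path, not a registry entry, so "registry entries" is the wrong word; and the ProductId bullet quotes the guest's own `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId` key while claiming it "might show the Host Machine's environment", so either explain how host data reaches that key or drop the bullet. Minor wording: "Some host information ... include" should be "includes", "is being ran" should be "is being run", and "VMWare" should match the "VMware" spelling used in the VMware Tools bullet. Finally, the rewritten first bullet removes the note that only VM identifiers, not host hardware identifiers, could leak; since the new section is specifically about identifier leakage, consider keeping that sentence rather than the vaguer "something gets messed up" phrasing.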