 Lt comet
From: "Polazzo Justin" <Justin.Polazzo@facilities.gatech.edu>
To: <honeypots@securityfocus.com>
2004-11-14 Shortly after Dave posted his Trip Report from Poland, I
started getting emails from people who wanted to know "how to detect VMWare
using one instruction"... So, although I'm not the first one who
discovered this trick, I decided to put a short paper about it
accompanied by a simple C code. This trick is able to detect not only
VMWare, but any VMM running on Pentium processor.
from http://invisiblethings.org/papers/redpill.html:
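int swallow_redpill () {
  /* m receives the 6 bytes SIDT stores: 2-byte limit, then 4-byte base */
  unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
  /* 0f 01 0d <addr32> is sidt [addr32], c3 is ret; patch in m's address (32-bit x86 only) */
  *((unsigned*)&rpill[3]) = (unsigned)m;
  ((void(*)())&rpill)();
  /* top byte of the IDT base above 0xd0 is taken to mean a VMM */
  return (m[5]>0xd0) ? 1 : 0;
}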
We already knew VMWare was detectable, just not sure if this code made
it to everyone.
-JP
Interesting.
Lt comet
Special Operations and Security
X/O of Research, Assessment and Code Auditing Team
- Email: comet@cyberarmy6.net
- IRC: #specopsec, #ca-uug
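
For anyone who needs to spot this check in a sample or in their own honeypot tooling, an added example (not part of the post or of the paper it quotes): a C byte-pattern scanner for the SIDT opcode the stub uses, plus a decoder for the 6 bytes SIDT stores. The function names, the filler bytes and the IDTR sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One candidate SIDT instruction found in a byte buffer. */
struct sidt_hit { size_t offset; int absolute; uint32_t disp32; };
/* SIDT m is 0F 01 /1 with a memory operand: ModRM.reg == 1, ModRM.mod != 3
 * (mod == 3 under 0F 01 /1 encodes other instructions, e.g. MONITOR/MWAIT). */
static int is_sidt_at(const uint8_t *b, size_t len, size_t i) {
    if (len < 3 || i > len - 3 || b[i] != 0x0f || b[i + 1] != 0x01) return 0;
    uint8_t modrm = b[i + 2];
    return ((modrm >> 3) & 7) == 1 && (modrm >> 6) != 3;
}

/* Byte-pattern scan, not a disassembler: hits can be data or the middle of
 * another instruction, so treat them as leads for manual review. */
size_t find_sidt(const uint8_t *b, size_t len, struct sidt_hit *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        if (!is_sidt_at(b, len, i)) continue;
        struct sidt_hit h = { i, 0, 0 };
        /* ModRM 0x0d = [disp32] in 32-bit code, the form the posted stub uses. */
        if (b[i + 2] == 0x0d && len - i >= 7) {
            h.absolute = 1;
            h.disp32 = b[i+3] | (uint32_t)b[i+4] << 8 | (uint32_t)b[i+5] << 16 | (uint32_t)b[i+6] << 24;
        }
        out[n++] = h;
    }
    return n;
}

/* The 6 bytes SIDT stores: 16-bit limit, then 32-bit base (little-endian). */
uint32_t idtr_base(const uint8_t m[6]) {
    return m[2] | (uint32_t)m[3] << 8 | (uint32_t)m[4] << 16 | (uint32_t)m[5] << 24;
}
/* Same threshold as the posted code: top byte of the IDT base above 0xd0. */
int redpill_verdict(const uint8_t m[6]) { return m[5] > 0xd0; }

int main(void) {
    /* Stub bytes as posted, preceded by two constructed filler bytes (NOPs). */
    const uint8_t sample[] = { 0x90, 0x90, 0x0f, 0x01, 0x0d, 0, 0, 0, 0, 0xc3 };
    const uint8_t idtr[6] = { 0xff, 0x07, 0x00, 0x80, 0xc1, 0xff }; /* constructed */
    struct sidt_hit hits[4];
    size_t n = find_sidt(sample, sizeof sample, hits, 4);
    for (size_t k = 0; k < n; k++)
        printf("sidt at +%zu absolute=%d disp32=0x%08x\n", hits[k].offset, hits[k].absolute, (unsigned)hits[k].disp32);
    printf("base=0x%08x verdict=%d\n", (unsigned)idtr_base(idtr), redpill_verdict(idtr));
    return 0;
}
```

Because the posted stub patches its operand at run time, the static bytes show a zero displacement; the opcode and ModRM bytes are what the scan keys on.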