Included with this mail is a patch that addresses a few of the most
obvious ways to fingerprint locally a guest OS running under VMware.
The modifications done are:
- names of the IDE devices (HD & CDROM)
- names of the SCSI devices (HD & CDROM)
- PCI vendor and device ID of the video adapter
- I/O backdoor (feel free to modify the magic number!)
This version targets VMware Workstation for Linux version 4.0.5.
Only constants are modified (except for the SCSI CDROM where a little
code injection was needed since vendor and revision strings are
originally the same as for the SCSI HD), which shouldn't raise any
security issue.
This is only an early version of the patch, and the one being developed
has more features, including BIOS replacements. Anyway, I would like to
have some return from experienced people regarding this, perhaps other
things to patch, or other ways to fingerprint VMware.
I stress the fact that you should _backup_ your *vmware-vmx* binary
before using this, and preferably your guest OS, in case things go wrong.
Regards,
Kostya KORTCHINSKY
French HoneyNet Project
http://www.frenchhoneynet.org
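
A guest-side check for the device-name and PCI items listed in the mail above, added here as an example; it is not part of the original mail or of the patch. It assumes that stock device names contain "VMware" and that 15ad is the PCI vendor ID registered to VMware; all sample inputs are constructed, and the I/O backdoor is not checked.

```python
import re

# Assumptions (not from the mail): stock device names contain "VMware",
# and 15ad is the PCI vendor ID registered to VMware.
VMWARE_PCI_VENDOR = "15ad"

def scsi_hits(proc_scsi):
    """(vendor, model) pairs in /proc/scsi/scsi text that still mention VMware."""
    pairs = re.findall(r"Vendor:\s*(.*?)\s+Model:\s*(.*?)\s+Rev:", proc_scsi)
    return [p for p in pairs if "vmware" in " ".join(p).lower()]

def ide_hits(models):
    """Device names whose /proc/ide/<dev>/model string still mentions VMware."""
    return sorted(d for d, m in models.items() if "vmware" in m.lower())

def pci_hits(lspci_n):
    """PCI slots in `lspci -n` output whose vendor ID is VMware's."""
    hits = []
    for line in lspci_n.splitlines():
        m = re.search(r"\b([0-9a-f]{4}):([0-9a-f]{4})\b", line)
        if m and m.group(1) == VMWARE_PCI_VENDOR:
            hits.append(line.split()[0])
    return hits

def audit(proc_scsi, ide_models, lspci_n):
    """Collect every remaining fingerprint; an empty dict means none found."""
    found = {"scsi": scsi_hits(proc_scsi), "ide": ide_hits(ide_models),
             "pci": pci_hits(lspci_n)}
    return {k: v for k, v in found.items() if v}

# Constructed sample of an unpatched Linux guest (illustrative values).
UNPATCHED = dict(
    proc_scsi="Attached devices:\nHost: scsi0 Channel: 00 Id: 00 Lun: 00\n"
              "  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0\n"
              "  Type:   Direct-Access          ANSI SCSI revision: 02\n",
    ide_models={"hda": "VMware Virtual IDE Hard Drive",
                "hdc": "VMware Virtual IDE CDROM Drive"},
    lspci_n="00:00.0 Class 0600: 8086:7190 (rev 01)\n00:0f.0 Class 0300: 15ad:0405\n")
# Constructed sample after patching; every replacement value is made up.
PATCHED = dict(
    proc_scsi="Attached devices:\nHost: scsi0 Channel: 00 Id: 00 Lun: 00\n"
              "  Vendor: ACME     Model: Disk 9000        Rev: 2.1\n",
    ide_models={"hda": "ACME Disk 9000", "hdc": "ACME CD 48X"},
    lspci_n="00:00.0 Class 0600: 8086:7190 (rev 01)\n00:0f.0 Class 0300: 1234:1111\n")

if __name__ == "__main__":
    print("unpatched:", audit(**UNPATCHED))
    print("patched:  ", audit(**PATCHED))
```

On a real guest, feed `audit()` the contents of `/proc/scsi/scsi`, the `/proc/ide/*/model` files and the output of `lspci -n`.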