Determining if a Guest OS is running over a VMware hypervisor

in #virtualization7 years ago

In this post, we give some clues on how to determine hypervisor properties by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor. This can be useful for penetration testing and information gathering, as well as for determining the best software configuration for virtualization-sensitive and virtualization-aware software.

Determining if the Guest OS is running over a VMware hypervisor

There are several methods to determine whether a machine is running as a virtual machine OS inside a VMware hypervisor.
The most popular one is the VMware “backdoor”. This “backdoor” will respond to certain “interrupt calls”, which would crash a user mode application in a physical machine. It provides both an API and a communication layer between a guest OS and the hypervisor. [1] [2]

Even if the backdoor is disabled, you can use any of the hardware “clues” described in [7].
When the VMware guest tools are installed, you can also use them to check whether the machine is running over a VMware hypervisor, using one of the supplied command line utilities. This is a high level option. [3] [4]

The Guest API is another option, we can easily use it inside an application. Some of the VMware Guest Tools use the Guest API. [5] [6]

vm deep arch.PNG
Image 1: VMware guest tools modules

References

[1] VMware Backdoor I/O Port - https://sites.google.com/site/chitchatvmback/backdoor
[2] VM Back - VMware Command Line Tools (Unofficial tools) - https://sites.google.com/site/chitchatvmback/vmtools
[3] Overview of VMware Tools (340) - https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=340
[4] Deep VMware™ Guest Tools and Guest-Hypervisor communication, https://www.amazon.com/VMwareTM-Guest-Tools-Guest-Hypervisor-communication-ebook/dp/B07659WN38

vm deep small.png

[5] vSphere Guest SDK Documentation - https://www.vmware.com/support/developer/guest-sdk/index.html
[6] vSphere Guest and HA Application Monitoring SDK Documentation - http://pubs.vmware.com/vsphere-60/topic/com.vmware.sdk.doc/GUID-14451BD8-6FF5-4265-AC02-CEC7F5A78A3F.html
[7] VMware™ hypervisor fingerprinting, https://www.amazon.com/VMwareTM-hypervisor-fingerprinting-Pedro-Silva-ebook/dp/B06XGFT6BD/ref=asap_bc?ie=UTF8vm fingerprinting cover.png

#vmware #fingerprint #hacking #security
7 years ago in #virtualization by
$0.00
    1 vote
    Reply 1

    Coin Marketplace

    STEEM 0.20
    TRX 0.20
    JST 0.034
    BTC 90227.69
    ETH 3079.14
    USDT 1.00
    SBD 2.93