Anti-VM with ACPI tables, Graham Sutherland (@gsuberland) - PowerPoint PPT Presentation



SLIDE 1

Anti-VM with ACPI tables

@gsuberland

SLIDE 2

whois

  • Graham Sutherland
  • Twitter: @gsuberland (partyhat)
  • IRC: gsuberland on freenode
  • Email: contact@fisting.horse

SLIDE 3

disclaimer

This talk does not reflect, refract, absorb, ionise, engage in quantum superposition with, or otherwise associate with the views of my employer, their clients, or their clients' clients. I like where I work. Please don't fire me. Research done in 3 hours. Slides written in an hour. I borrowed this laptop from @dominicgs, don't judge me for any donkey porn popups or other sketchy business. This may or may not be original research. Who knows. The internet is a pretty big place.

SLIDE 4

how this came about

  • Looking into WPBT at lunch today
  • Discovered ACPI tables are A Thing(TM)
  • A thought occurs (a rarity, I know)
  • Looked into it, vague mentions from places
  • I now know that AV knows about this trick

SLIDE 5

dafuq is an ACPI table?

  • A bunch of data tables handed to the OS by the firmware
  • Used to expose hardware configuration to the OS
  • Contains stuff like:

– SMBIOS data (strictly a separate firmware table, not ACPI, but Windows exposes it through the same API under the "RSMB" provider)
– APIC data (the MADT, signature "APIC")
– PCI data (MCFG: PCI Express config space base addresses)
– HPET data
– SLIC licenses (OEM Windows activation)
– Trusted Computing evil (TCPA / TPM2)
– WPBT evil

SLIDE 6

so what?

  • Tables have names (4-byte signatures)
  • Tables have OEM IDs
  • Tables have OEM Table IDs
  • Tables have Creator IDs
  • Tables contain system-specific data
  • This stuff isn't (usually) faked by VMs: the hypervisor ships its own tables, with its own IDs in them
  • It's accessible from ring3, non-admin!

– (on Windows; on Linux the equivalent, /sys/firmware/acpi/tables, is readable by root only by default)

SLIDE 7

what you talkin bout willis?

picture > 1000 WORDs

SLIDE 8

virtually undetectable differences

2008R2 x64, VirtualBox

SLIDE 9

and on vmware?

2008R2 x64, VMware Workstation

SLIDE 10

teh code?

  • Kernel32.dll

– EnumSystemFirmwareTables
– GetSystemFirmwareTable

  • Fully documented on MSDN
  • Trivial to use, even a Lemon could do it
  • Probably comparable APIs on Linux/BSD

– (I am a Windows monkey, don't ask me.)

SLIDE 11

approach

  • Enumerate the ACPI, FIRM and RSMB firmware table providers
  • Get info & contents for each table
  • Check signatures, OEM IDs, OEM Table IDs, Creator IDs and contents for known VM values
  • Exit if found
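
The approach above, as an added example that is not code from the original slides or from the author: it drives the two kernel32 calls from slide 10 (EnumSystemFirmwareTables and GetSystemFirmwareTable with the 'ACPI' provider constant documented on MSDN), parses the 36-byte header that every ACPI table starts with, verifies the table checksum, and matches OEM ID, OEM Table ID and Creator ID against hypervisor markers. The marker list and the sample table bytes are assumptions made for this example; off Windows the kernel32 calls are compiled out and the same parser runs over the constructed sample. The FIRM and RSMB providers from slide 11 are not covered here, since they return raw firmware and SMBIOS blobs rather than ACPI headers.

```c
/* Added example, not code from the original slides: read ACPI tables through kernel32
 * (EnumSystemFirmwareTables / GetSystemFirmwareTable, ring3, no admin) and flag OEM /
 * OEM Table / Creator IDs that hypervisors are known to emit.  Off Windows the same parser
 * and matcher run over a constructed sample.  Marker list and sample bytes are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Standard ACPI description table header: 36 bytes, naturally unpadded. */
typedef struct {
    char     signature[4];
    uint32_t length;          /* whole table, header included */
    uint8_t  revision;
    uint8_t  checksum;        /* chosen so every byte of the table sums to 0 mod 256 */
    char     oem_id[6];
    char     oem_table_id[8];
    uint32_t oem_revision;
    char     creator_id[4];
    uint32_t creator_revision;
} acpi_header_t;

/* Identifier fragments seen in hypervisor-built tables (VirtualBox, VMware's virtual 440BX
 * chipset, QEMU/Bochs, Hyper-V, Parallels, Xen).  Assumed list: tune it against real dumps. */
static const char *const vm_markers[] = {
    "VBOX", "VMWARE", "440BX", "BOCHS", "BXPC", "VRTUAL", "MICROSFT", "PRLS", "XEN", NULL
};
/* Constructed sample, not a real dump: "FACP" header plus 4-byte body with VirtualBox-style
 * IDs; the checksum byte 0xA2 at offset 9 makes all 40 bytes sum to zero. */
static const uint8_t sample_vbox_facp[40] = {
    'F','A','C','P', 40,0,0,0, 3, 0xA2,
    'V','B','O','X',' ',' ', 'V','B','O','X','F','A','C','P',
    1,0,0,0, 'V','B','O','X', 1,0,0,0, 0,0,0,0
};

/* ACPI rule: all bytes of a table sum to zero.  Anything that patches OEM IDs to hide a VM
 * (slide 12) has to fix this byte too, or the table visibly looks tampered. */
int acpi_checksum_ok(const uint8_t *buf, size_t len)
{
    uint8_t sum = 0;
    while (len--) sum = (uint8_t)(sum + *buf++);
    return sum == 0;
}

/* Parse the header: 0 on success, -1 if the buffer is too short or the length lies. */
int parse_acpi_header(const uint8_t *buf, size_t len, acpi_header_t *out)
{
    if (len < sizeof(*out)) return -1;
    memcpy(out, buf, sizeof(*out));
    return (out->length < sizeof(*out) || out->length > len) ? -1 : 0;
}

/* 1 if OEM ID, OEM Table ID or Creator ID contains a marker (case-insensitive); the
 * matching marker is stored in *hit when hit is non-NULL. */
int header_looks_virtual(const acpi_header_t *h, const char **hit)
{
    char ids[6 + 8 + 4 + 3];  /* "OEMID|OEMTABLEID|CREATOR" plus NUL, upper-cased */
    snprintf(ids, sizeof ids, "%.6s|%.8s|%.4s", h->oem_id, h->oem_table_id, h->creator_id);
    for (char *p = ids; *p; p++) *p = (char)toupper((unsigned char)*p);
    for (int i = 0; vm_markers[i]; i++)
        if (strstr(ids, vm_markers[i])) { if (hit) *hit = vm_markers[i]; return 1; }
    return 0;
}

#ifdef _WIN32
#define PROVIDER_ACPI 0x41435049u   /* 'ACPI', as documented for GetSystemFirmwareTable */
/* Walk every ACPI table via kernel32, print its IDs, count hypervisor hits (-1 on failure).
 * GetSystemFirmwareTable returns only the first table per signature, so extra SSDTs are skipped. */
int scan_acpi_tables(void)
{
    UINT bytes = EnumSystemFirmwareTables(PROVIDER_ACPI, NULL, 0);
    DWORD *ids = bytes ? malloc(bytes) : NULL;
    int hits = 0;
    if (!ids || EnumSystemFirmwareTables(PROVIDER_ACPI, ids, bytes) != bytes) { free(ids); return -1; }
    for (UINT i = 0; i < bytes / sizeof(DWORD); i++) {
        UINT size = GetSystemFirmwareTable(PROVIDER_ACPI, ids[i], NULL, 0);
        uint8_t *buf = size ? malloc(size) : NULL;
        acpi_header_t h; const char *hit = NULL;
        if (buf && GetSystemFirmwareTable(PROVIDER_ACPI, ids[i], buf, size) == size &&
            parse_acpi_header(buf, size, &h) == 0) {
            hits += header_looks_virtual(&h, &hit);
            printf("%.4s oem=%.6s table=%.8s creator=%.4s checksum=%s %s\n", h.signature, h.oem_id,
                   h.oem_table_id, h.creator_id, acpi_checksum_ok(buf, size) ? "ok" : "BAD", hit ? hit : "");
        }
        free(buf);
    }
    free(ids);
    return hits;
}
#endif

int main(void)
{
#ifdef _WIN32
    int hits = scan_acpi_tables();
    printf("%d table(s) carry a hypervisor marker\n", hits);
    return hits > 0;
#else   /* off Windows: exercise the parser and matcher on the constructed sample */
    acpi_header_t h; const char *hit = NULL;
    if (parse_acpi_header(sample_vbox_facp, sizeof sample_vbox_facp, &h) == 0 && header_looks_virtual(&h, &hit))
        printf("sample %.4s flagged by %s (checksum %s)\n", h.signature, hit,
               acpi_checksum_ok(sample_vbox_facp, sizeof sample_vbox_facp) ? "ok" : "BAD");
    return 0;
#endif
}
```

Build it with cl or MinGW on Windows and run it as an ordinary user; in a VirtualBox guest the OEM ID column carries VBOX, matching the dump on slide 8. Treat a hit as one signal among several: the marker list is a heuristic, and a hardened VM (slide 12) can rewrite the IDs, which is why the checksum is reported next to them; an ID that was patched without fixing that byte is itself a tell.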

SLIDE 12

countermeasures

  • VboxAntiVMDetectHardened (kernelmode.info)

– Replaces some ACPI tables
– Fixes lots of hardware descriptors
– Doesn't fix everything!
– Only for VirtualBox.

  • AV

– Some AV detects code that enumerates firmware tables, via heuristic magics.

  • Only run Windows XP

– XP doesn't support dumping FIRM and RSMB
– This is not a solution ever :-\

  • ???

– Anyone know something I don't?

SLIDE 13

future research

  • Results from ESXi, QEMU, KVM, etc.
  • Results from other guest operating systems.
  • Deeper analysis of table contents for variances.
  • A public PoC that's actually worth a damn.
  • ????

SLIDE 14

kthxbai

any questions?