anti vm with acpi tables
play

Anti-VM with ACPI tables @gsuberland whois Graham Sutherland - PowerPoint PPT Presentation

Jul 06, 2023 •341 likes •499 views

Anti-VM with ACPI tables @gsuberland whois Graham Sutherland Twitter: @gsuberland (partyhat) IRC: gsuberland on freenode Email: contact@fisting.horse disclaimer This talk does not reflect, refract, absorb, ionise, engage in

  1. Anti-VM with ACPI tables @gsuberland

  2. whois ● Graham Sutherland ● Twitter: @gsuberland (partyhat) ● IRC: gsuberland on freenode ● Email: contact@fisting.horse

  3. disclaimer This talk does not reflect, refract, absorb, ionise, engage in quantum superposition with, or otherwise associate with the views of my employer, their clients, or their clients' clients. I like where I work. Please don't fire me. Research done in 3 hours. Slides written in an hour. I borrowed this laptop from @dominicgs, don't judge me for any donkey porn popups or other sketchy business. This may or may not be original research. Who knows. The internet is a pretty big place.

  4. how this came about ● Looking into WPBT at lunch today ● Discovered ACPI tables are A Thing(TM) ● A thought occurs (a rarity, I know) ● Looked into it, vague mentions from places ● I now know that AV knows about this trick

  5. dafuq is an ACPI table? ● Bunch of data tables from hardware ● Used to expose hardware config to OS ● Contains stuff like: – SMBIOS data – APIC data – PCI data – HPET data – SLIC licenses – Trusted Computing evil – WPBT evil

  6. so what? ● Tables have names ● Tables have OEM IDs ● Tables have OEM Table IDs ● Tables have Creator IDs ● Tables contain system-specific data ● This stuff isn't (usually) faked by VMs ● It's accessible from ring3, non-admin! – (on Windows)

  7. what you talkin bout willis? picture > 1000 WORDs

  8. virtually undetectable differences 2008R2 x64, VirtualBox

  9. and on vmware? 2008R2 x64, VMware Workstation

  10. teh code? ● Kernel32.dll – EnumSystemFirmwareTables – GetSystemFirmwareTable ● Fully documented on MSDN ● Trivial to use, even a Lemon could do it ● Probably comparable APIs on Linux/BSD – (I am a Windows monkey, don't ask me.)

  11. approach ● Enumerate ACPI, FIRM, RSMB system tables ● Get info & contents for each table ● Check for known VM values ● Exit if found

  12. countermeasures ● VboxAntiVMDetectHardened (kernelmode.info) – Replaces some ACPI tables – Fixes lots of hardware descriptors – Doesn't fix everything! – Only for VirtualBox. ● AV – Some AV detects code that enumerates firmware tables, via heuristic magics. ● Only run Windows XP – XP doesn't support dumping FIRM and RSMB – This is not a solution ever :-\ ● ??? – Anyone know something I don't?

  13. future research ● Results from ESXi, QEMU, KVM, etc. ● Results from other guest operating systems. ● Deeper analysis of table contents for variances. ● A public PoC that's actually worth a damn. ● ????

  14. kthxbai any questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT?

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT?

TIMES TABLES HOW WE TEACH TIMES TABLES AND HOW YOU CAN HELP WHY ARE TIMES TABLES IMPORTANT? New from 2019: all children in year 4 will sit an online times table test. Times Tables knowledge and recall underpin so many different areas of

526 views • 25 slides
anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an executable 2 anti-virus techniques last time: signature-based detection regular expression-like matching snippets of virus(-like) code heuristic

1.79k views • 139 slides
NZ Data Tables Data tables sit alongside the Active NZ main report The data tables provide

NZ Data Tables Data tables sit alongside the Active NZ main report The data tables provide

Reading the Active NZ Data Tables Data tables sit alongside the Active NZ main report The data tables provide results included in the report split by a range of population sub-groups The data tables are separated into different sheets based

351 views • 20 slides
Cameras in embedded systems: Device tree and ACPI view Sakari Ailus - Intel A typical embedded

Cameras in embedded systems: Device tree and ACPI view Sakari Ailus - Intel A typical embedded

Cameras in embedded systems: Device tree and ACPI view Sakari Ailus - Intel A typical embedded system with a camera Image Signal Processor Raw camera sensor Lens voice coil vana camera regulator module vdig lens GPIO reset

439 views • 39 slides
Analytic Component Tackling tables Analytic component Tasks and techniques Keys and values Age

Analytic Component Tackling tables Analytic component Tasks and techniques Keys and values Age

Focus on Tables Exercise: Sketch 2 ways to visualize each table Information Visualization Dataset Types Spatial Net Tables Tables Networks Fields (Continuous) Geometry (Spatial) Attributes (columns) Furthest BPM T1 BPM T2 BPM T3 Age

214 views • 4 slides
INF5110 Compiler Construction Symbol tables Spring 2016 1 / 43 Outline 1. Symbol tables

INF5110 Compiler Construction Symbol tables Spring 2016 1 / 43 Outline 1. Symbol tables

INF5110 Compiler Construction Symbol tables Spring 2016 1 / 43 Outline 1. Symbol tables Introduction Symbol table design an interface Implementing symbol tables Block-structure, scoping, binding, name-space organization Symbol tables

1.09k views • 41 slides
10 years of Speed Tables Peter da Silva FlightAware What are Speed Tables? What are Speed

10 years of Speed Tables Peter da Silva FlightAware What are Speed Tables? What are Speed

10 years of Speed Tables Peter da Silva FlightAware What are Speed Tables? What are Speed Tables? An array of structures A Key-Value store A NoSQL database A portable API Example CExtension particles 1.0 { CTable quark

476 views • 32 slides
Ch 7+8: Tables, Spatial Data Arrange not much about the ones in the middle Express

Ch 7+8: Tables, Spatial Data Arrange not much about the ones in the middle Express

News VAD Ch 7: Arrange Tables Arrange tables clarification on artery vis Encode Axis Orientation Express Values Rectilinear Parallel Radial diverging colormap since doctors care about high and low values Ch 7+8: Tables, Spatial

77 views • 3 slides
MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was

MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was

MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was officially announced by the Department for Education (DfE) in September 2017. It will be administered for children in Year 4, starting in the

526 views • 7 slides
Information Visualization Tables Tamara Munzner Department of Computer Science University of

Information Visualization Tables Tamara Munzner Department of Computer Science University of

Information Visualization Tables Tamara Munzner Department of Computer Science University of British Columbia Lect 6/7, 23/28 Jan 2020 https://www.cs.ubc.ca/~tmm/courses/436V-20 Tables 2 Focus on Tables Dataset Types Spatial Net Tables

1.04k views • 61 slides
TABLES Statistics Canadas Supply and Use Tables and their use in examining value chains

TABLES Statistics Canadas Supply and Use Tables and their use in examining value chains

INTRODUCTION TO INPUT-OUTPUT TABLES Statistics Canadas Supply and Use Tables and their use in examining value chains Matthew Stewart Associate Director, Economics, The Conference Board of Canada Partner: Project Executed by: Agenda and

398 views • 19 slides
Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to automate PDF table extraction and export Dimiter Naydenov @dimitern 1 . 1 Overview Overview PDF: brief history, structure, representing tables Camelot

355 views • 13 slides
Use and abuse of anti-arbitration injunctions: strategies in dealing with anti-arbitration

Use and abuse of anti-arbitration injunctions: strategies in dealing with anti-arbitration

Use and abuse of anti-arbitration injunctions: strategies in dealing with anti-arbitration injunctions ASA Below 40 Seminar: Court assistance in international arbitration how to use it wisely and efficiently Anti-suit and anti-arbitration

359 views • 10 slides
Anti-Social Behaviour Anti-Social Behaviour - Anti-social Behaviour, Crime and Policing Act 2014

Anti-Social Behaviour Anti-Social Behaviour - Anti-social Behaviour, Crime and Policing Act 2014

Hounslow Housing Chris Shoubridge Head of Area Housing Anti-Social Behaviour Anti-Social Behaviour - Anti-social Behaviour, Crime and Policing Act 2014 conduct that has caused, or is likely to cause, harassment, alarm or distress to any

377 views • 18 slides
Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus Techniques } Virus writers have devised numerous methods of resisting anti-virus software and making life difficult for anti-virus researchers }

554 views • 53 slides
Business Statistics CONTENTS Contingency tables Independence of categorical variables 2 2

Business Statistics CONTENTS Contingency tables Independence of categorical variables 2 2

CONTINGENCY TABLES: TESTS Business Statistics CONTENTS Contingency tables Independence of categorical variables 2 2 -tables Old exam question Further study CONTINGENCY TABLES Contingency table (see Summarizing data): matrix with

283 views • 24 slides
WADS 2009 On the Design of Adaptive-and-dependable Systems Lessons learned and experiences at

WADS 2009 On the Design of Adaptive-and-dependable Systems Lessons learned and experiences at

WADS 2009 On the Design of Adaptive-and-dependable Systems Lessons learned and experiences at the University of Antwerp Vincenzo De Florio http://www.pats.ua.ac.be/vincenzo.deflorio Agenda Adaptive-and-Dependable Software Systems

674 views • 51 slides
La terapia del mieloma ricaduto The natural course of MM is characterised by a pattern of

La terapia del mieloma ricaduto The natural course of MM is characterised by a pattern of

La terapia del mieloma ricaduto The natural course of MM is characterised by a pattern of remission and relapse Asymptomatic Symptomatic Relapsing Refractory ACTIVE SECOND M-protein level (g/L) 100 MYELOMA RELAPSE FIRST RELAPSED/

939 views • 45 slides
Chemistry 1000 Lecture 7: Hydrogenic orbitals Marc R. Roussel September 10, 2018 Marc R. Roussel

Chemistry 1000 Lecture 7: Hydrogenic orbitals Marc R. Roussel September 10, 2018 Marc R. Roussel

Chemistry 1000 Lecture 7: Hydrogenic orbitals Marc R. Roussel September 10, 2018 Marc R. Roussel Hydrogenic orbitals September 10, 2018 1 / 24 Uncertainty principle Heisenberg uncertainty principle Fundamental limitation to simultaneous

396 views • 24 slides
The Greedy Basis Equals the Theta Basis A Rank Two Haiku Man Wai Cheung (UCSD), Mark Gross

The Greedy Basis Equals the Theta Basis A Rank Two Haiku Man Wai Cheung (UCSD), Mark Gross

The Greedy Basis Equals the Theta Basis A Rank Two Haiku Man Wai Cheung (UCSD), Mark Gross (Cambridge), Greg Muller (Michigan), Gregg Musiker (University of Minnesota) *, Dylan Rupel (Notre Dame), Salvatore Stella (Roma La Sapienza), and Harold

1.09k views • 72 slides
Implementing ALE Motion in a Discontinuous Finite Element Hydro Code* Manoj K. Prasad, Jose L.

Implementing ALE Motion in a Discontinuous Finite Element Hydro Code* Manoj K. Prasad, Jose L.

Implementing ALE Motion in a Discontinuous Finite Element Hydro Code* Manoj K. Prasad, Jose L. Milovich, Aleksei I. Shestakov, David S. Kershaw, and Michael J. Shaw Lawrence Livermore National Laboratory, Livermore, CA 94550, USA *Work

1.26k views • 46 slides
Spatial Audio for Immersive Virtual Environments David Swapp Department of Computer Science, UCL

Spatial Audio for Immersive Virtual Environments David Swapp Department of Computer Science, UCL

Spatial Audio for Immersive Virtual Environments David Swapp Department of Computer Science, UCL <d.swapp@cs.ucl.ac.uk> Part 1 Overview PART 1: Perception of Spatial Audio What is spatial audio? Why do spatial audio? How

1.74k views • 45 slides
Seeds of Science/Roots of Reading An Integrated Approach to Science and Literacy Instruction

Seeds of Science/Roots of Reading An Integrated Approach to Science and Literacy Instruction

Seeds of Science/Roots of Reading An Integrated Approach to Science and Literacy Instruction STEM Smart: Lessons Learned from Successful Schools Las Vegas, NV September 19, 2012 Traci Wierman, Lawrence Hall of Science Seeds of Science/Roots

717 views • 60 slides
Low frequency observation of cosmic-ray air-shower radio emission by EXTASIS Antony Escudie et.

Low frequency observation of cosmic-ray air-shower radio emission by EXTASIS Antony Escudie et.

Low frequency observation of cosmic-ray air-shower radio emission by EXTASIS Antony Escudie et. al Subatech IMTA / CNRS / Universit de Nantes 18/07/2017 - CRI102 What ? Low frequency detection What ? Low frequency detection Radio

497 views • 26 slides

More recommend