My latest exploit POC for detecting hypervisors

Post by MadM0use on Tue Apr 14, 2015 5:15 am

This works in every hypervisor I have tested except for Xen lol
This includes:
QEMU,
Bochs (not a hypervisor, but hey lol),
VMware,
and VirtualBox

```c
// ------------------------------------------------------------------------------
// THE BEER-WARE LICENSE (Revision 43):
// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a beer in return
// ------------------------------------------------------------------------------
// this is a completely original POC, if you steal it, I will know :P
// build with gcc -masm=intel (the asm in test() is written in Intel syntax)

#include <stdint.h>
#include <stdio.h>

// read the CPU time-stamp counter
static inline uint64_t rdtsc(void)
{
   uint32_t lo, hi;
   // RDTSC returns the counter in EDX:EAX; "=A" only names that pair on 32-bit x86
   asm volatile ("rdtsc" : "=a" (lo), "=d" (hi));
   return ((uint64_t)hi << 32) | lo;
}

// number of TSC ticks spent inside fun()
uint64_t check_time(void (*fun)(void))
{
   uint64_t StartingTime, EndingTime;

   StartingTime = rdtsc();
   fun();
   EndingTime = rdtsc();
   return (EndingTime - StartingTime);
}

// short arithmetic workload; only its run time matters
void test(void)
{
   int i=0;
   for(;i!=100;i++)
      asm volatile (
         "add eax, ecx\n"
         "imul eax, ebx\n"
         "sub eax, ebx\n"
         "neg eax\n"
         "sbb eax, ecx\n"
         : : : "eax", "cc"   // tell the compiler eax and the flags are modified
      );
}

// returns 1 if any of 10000 timed runs of test() takes more than 0xFFFFF ticks
int pass(void)
{
   int i=0;
   uint64_t x;
   for(;i!=10000;i++)
   {
      x=check_time(test);
      if(x>0xFFFFF) return 1;
   }
   return 0;
}

int main(void)
{
   int i=0,x=0;
   // count how many of 1000 passes saw at least one slow run
   for(;i!=1000;i++)
      x+=pass();

   if(x>200)
      puts("matrix");
   else
      puts("realness");
   return 0;
}
```
const char main[]="\xeb\xfe -> A fully functional program in C";

<@MadMouse> i am forgot what i was doing today but i had motivation and a distinct plan when i woke up stoned right now

http://pastebin.com/FnwUG5KS
Books:
http://goo.gl/muPm3d


Re: My latest exploit POC for detecting hypervisors

Post by sysopfb on Tue May 26, 2015 6:14 pm

You can do some VM and most sandbox detection by checking the number of processors set in the PEB

```asm
mov eax, fs:[30h]               ; eax = PEB pointer (32-bit Windows)
cmp dword ptr ds:[eax+064h], 2  ; if number of processors is < 2 then we can assume we're in a sandbox and possibly a VM
```


Re: My latest exploit POC for detecting hypervisors

Post by MadM0use on Sun May 31, 2015 2:16 pm

yes you can :D thank you for joining the conversation lol


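For analysts triaging samples, the two checks discussed in this thread (a pair of RDTSC reads bracketing a call, and the PEB NumberOfProcessors compare) leave recognisable byte sequences in 32-bit x86 code. The following is an added example, not code from any poster in the thread; `scan_antivm`, `near_pair`, the `IND_*` flags and the 64-byte `WINDOW` are assumptions made for illustration, and because it matches raw bytes without disassembling, hits are leads to confirm rather than verdicts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IND_RDTSC_PAIR 0x1 /* two RDTSC within WINDOW bytes: a timing probe */
#define IND_PEB_NCPU   0x2 /* PEB load followed by a NumberOfProcessors compare */
#define WINDOW 64          /* assumed max distance in bytes; tune per corpus */

static const uint8_t RDTSC[]    = {0x0F, 0x31};
static const uint8_t PEB_LOAD[] = {0x64, 0xA1, 0x30, 0, 0, 0}; /* mov eax, fs:[30h] */
static const uint8_t NCPU_CMP[] = {0x83, 0x78, 0x64};  /* cmp dword [eax+64h], imm8 */

/* Constructed samples (hand-assembled, not taken from any real binary). */
static const uint8_t SAMPLE_TIMING[] = {0x0F,0x31, 0x89,0xC6, 0xFF,0xD3, 0x0F,0x31, 0x29,0xF0, 0xC3};
static const uint8_t SAMPLE_PEB[]    = {0x64,0xA1,0x30,0,0,0, 0x83,0x78,0x64,0x02, 0x72,0x05};
static const uint8_t SAMPLE_BENIGN[] = {0x55, 0x89,0xE5, 0x31,0xC0, 0x5D, 0xC3};

/* Offset of the first match of pat in buf[from..len), or -1 if absent. */
static long find(const uint8_t *buf, size_t len, size_t from, const uint8_t *pat, size_t plen)
{
    for (size_t i = from; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* True if some occurrence of `first` is followed by `second` within WINDOW bytes. */
static int near_pair(const uint8_t *buf, size_t len, const uint8_t *first, size_t flen,
                     const uint8_t *second, size_t slen)
{
    for (long a = find(buf, len, 0, first, flen); a >= 0;
         a = find(buf, len, (size_t)a + 1, first, flen)) {
        long b = find(buf, len, (size_t)a + flen, second, slen);
        if (b >= 0 && b - a <= WINDOW) return 1;
    }
    return 0;
}

/* Scan raw 32-bit x86 code bytes; returns a bitmask of IND_* flags. */
unsigned scan_antivm(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    if (near_pair(buf, len, RDTSC, sizeof RDTSC, RDTSC, sizeof RDTSC)) hits |= IND_RDTSC_PAIR;
    if (near_pair(buf, len, PEB_LOAD, sizeof PEB_LOAD, NCPU_CMP, sizeof NCPU_CMP)) hits |= IND_PEB_NCPU;
    return hits;
}

int main(void)
{
    printf("timing=%u peb=%u benign=%u\n", scan_antivm(SAMPLE_TIMING, sizeof SAMPLE_TIMING),
           scan_antivm(SAMPLE_PEB, sizeof SAMPLE_PEB), scan_antivm(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    return 0;
}
```

The PEB pattern uses the 32-bit offsets given in the thread, so 64-bit code (which reaches the PEB through `gs`) needs its own patterns.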
