xorl %eax, %eax

VMM Detection Continued

leave a comment »

Yeah, I’m going to post another instruction which is poorly implemented on VMware and results in a nice segfault just like verr/verw. Why I’m posting this? Once again, it is something used on malware lately. So, what’s up with this instruction now. This is about SMSW (Store Machine Status Word) which according to Intel manuals (Volume 2B, pp. 4-401) does this:

Stores the machine status word (bits 0 through 15 of control register CR0) into the destination operand. The destination operand can be a general-purpose register or a memory location.

Extremely simple but once again, if you play around protected mode you’re gonna see a lot of interesting behavior on VMMs. Even though I personally use some VMM detection tool, these simple instructions are a quick and dirty way of determining possible VMMs. So… here you are:

xorl@vmware:~$ cat > heh.c <<_EOF
> #include <stdio.h>
> int main(void) {
> __asm__(“smsw 313(%eax)”);
> printf(“can you read this?\n”);
> return 0;
> }
> xorl@vmware:~$ gcc heh.c -o heh && ./heh
Segmentation fault

Which of course on host OS works perfectly. Here is my attempt on a debian box:

xorl@debian:~$ cat > heh.c << _EOF
> #include <stdio.h>
> int main(void) {
> __asm__(“smsw 313(%eax)”);
> printf(“can you read this?\n”);
> return 0;
> }
> xorl@debian:~$ gcc heh.c -o heh && ./heh && rm heh*
can you read this?

Just a suggestion. If you’re interested in VMM detection by any means, then just have a look at the protected mode instructions. I’m not going to make any other post regarding this subject but there are literally hundreds of techniques.


Written by xorl

March 30, 2009 at 15:37

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s