2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)11/24 Report--
This article comes from the WeChat official account Programming Technology Universe (ID: xuanyuancoding), author: Xuanyuan Wind O.
Straying into the trap. On a dark and windy night, two uninvited guests once again arrived in a new land.
"Second, we're finally in. Let's stick to the plan. You scan the files on the hard drive to see if there's anything valuable. I'll modify the boot entries and add us to them."
"Wait a minute, boss. Something doesn't feel right."
"What's wrong?" the boss asked.
"The other places we've been to were all lively. Why is it so quiet here? Look, there aren't even processes like QQ or WeChat!" the second said.
The boss looked around and noticed something unusual.
After a little while, the boss suddenly exclaimed, "No! This is a virtual machine. We've fallen into a virtual machine!"
"How can you tell this is a virtual machine?" the second asked, puzzled.
"Look, there's a vmware process, and there's a bunch of VMware markers in the registry."
"What are we going to do? It's over. We're going to be picked clean." The second looked anxious.
The boss frowned and paced back and forth, then suddenly smiled and said, "Don't worry. Before we left, the master secretly gave me a brocade bag and told me to open it in an emergency."
"Then what are you waiting for? Take it out quickly!"
The boss took the brocade bag out of his pocket. Inside was a letter, and the two read it carefully.
A moment later, the boss laughed loudly and said, "Brother! We're set!"
The second, a question mark on his face, didn't quite understand. "Big Brother, forgive me for being slow, but how are we set?"
"Look here. The master has explained the escape method for virtual machines and told us how to get out of this one."
"Keep your voice down, brother, or we'll get caught. Let's get started, or it'll be too late."
"Don't worry, let me study it carefully."
There was a lot of writing on the letter, and it looked complicated; the two men's relaxed brows slowly furrowed again.
After a while, the second lost patience. "Brother, this is too complicated. I can't understand it. It's all up to you."
"I see. Virtual machines have to communicate with the real world outside. As long as we seize a loophole in that communication, add our instruction code to the communication data, and get the outside to execute that instruction code, we can be transmitted out and escape to the real world!"
"I see, but where can we find such a loophole?"
"Look here, the master has already found several loopholes for us. How thoughtful!"
CVE-2016-7461
CVE-2017-4901
CVE-2019-14378
"What does this string of letters and numbers mean?" the second asked.
"Well, it's called the vulnerability number. CVE stands for Common Vulnerabilities and Exposures, the second part is the year, and the third is the specific vulnerability number. So many software vulnerabilities are found every year that they are assigned numbers uniformly for ease of management."
"Then hurry up and pick one!"
"Let me see. Let's choose the second one. This is a VMware vulnerability. The version matches too, and it hasn't been patched yet. Second brother, here's our chance!"
With that, following the description on the letter, the boss got busy preparing the data and code they would soon need.
"Boss, what's the principle behind this loophole? While you're preparing, tell me about it."
"The master's letter said that VMware has a backdoor communication interface used for communication between the operating system inside the virtual machine and the system outside, for things like copy-and-paste and drag-and-drop of files. The code of this backdoor has a flaw. As long as we carefully construct the data, it will cause a heap overflow during the copy, and we'll have a chance to execute our instruction code!"
"Awesome! The master is really something," sighed the second.
"Don't stand around. Come and help me prepare the data!"
Some time passed in the new world.
"Brother, is everything ready?"
"Everything is ready according to the method in the letter, second brother. Come on, we're going out. Hold on to me."
The boss took out the code that had just been carefully prepared and clicked to execute it. With only a hiss of electric current, the two were turned into a stream of bits and transmitted to the VMware process outside.
As planned, the vulnerability was successfully triggered! After the instruction code they had written in advance executed, the two had made it to the file directory of the computer outside.
After waiting for a while, the two slowly recovered from their dizziness.
"Boss, we did it!"
"Ha ha! We're finally out."
The two hugged each other happily.
"Well, now let's get down to business. We've wasted a lot of time, and the master is still waiting to hear from us."
"All right, let's get to work."
The two men set to work, racing against the clock to carry out their plan, but they soon found that something was wrong.
"Boss, why is there still a vmware process here? Didn't we get out?"
"Nonsense, we just came out of there."
"No, come and have a look."
The boss hurried over when he heard this, examined it carefully, looked around again, and drew a sharp breath.
"Second brother, it's over. It still seems to be a virtual machine."
[end]
The inspiration for the story comes from a question on Zhihu: does the operating system know that it is in a virtual machine?
Here is my answer:
Virtualization technology has gone through roughly three periods:
First, the early binary instruction translation technology (represented by early VMware).
Second, modifying the special instruction calls in operating system code (represented by Xen).
Third, hardware virtualization supported by the CPU (represented by VT-x technology). The emergence of hardware virtualization in particular made virtualization technology explode: VirtualBox, VMware (new) and KVM appeared one after another, which to some extent accelerated the arrival of the cloud computing era.
For the development of virtualization technology, you can refer to my article:
Understand! That's what VMware, KVM and Docker are all about.
Back to the question itself. After three periods of development, virtualization has come closer and closer to a real hardware environment, but even so, it is still fairly easy for an operating system to find out whether it is in a virtual machine.
Talking about "the operating system" may not be so intuitive, so let's change the scenario: a Trojan developer wants to know whether the target is a virtual machine.
This version of the question has more practical significance. If the Trojan is running in a virtual machine, it is very likely being analyzed by security researchers, and a well-written one knows to hide its intentions at that point so that it is not seen through.
This is the anti-virtual-machine technique commonly used by Trojans.
There are many specific detection methods, but the core idea is that each kind of virtual machine has its own characteristic traces, and what you need to do is look for them: special I/O devices, special file directories, special registry entries, special process names, and so on.
Of course, everything above judges whether one is in a virtual machine from superficial signs. If none of those signs are present, how can real "perception" be achieved?
There is still a way.
There are always differences between a real physical machine and a virtual machine, and one can think in the direction of "side channels": for example, the time it takes to execute an algorithm, or the hardware fluctuations caused by executing a special piece of code.
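As an added example (not from the original article), here is how a program makes the two kinds of observation described above: the fingerprint check through the CPUID hypervisor-present bit and vendor signature, and the timing side channel, measuring how much more a trapping instruction costs than it would on bare metal. It assumes an x86/x86-64 CPU with GCC or Clang; this is the same observation tools like systemd-detect-virt make, and it is what a sandbox operator runs to see exactly what an analyzed sample can learn about its environment.

```c
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif
/* Leaf 0x40000000 returns a 12-byte hypervisor signature in EBX:ECX:EDX
 * ("VMwareVMware", "KVMKVMKVM", "VBoxVBoxVBox", ...). Pure helper with explicit
 * byte order, so it can be checked against constructed register values. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xff);
    out[12] = '\0';
}
/* Leaf 1, ECX bit 31 is reserved on real CPUs and set by hypervisors. */
int hypervisor_bit_set(uint32_t ecx) { return (int)((ecx >> 31) & 1u); }
/* Fingerprint check on the live CPU: 1 = bit set and vendor filled in,
 * 0 = bit clear, -1 = not an x86 build. */
int probe_hypervisor(char vendor[13]) {
    vendor[0] = '\0';
#if HAVE_X86
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d) || !hypervisor_bit_set(c)) return 0;
    __cpuid(0x40000000, a, b, c, d); /* above the basic max leaf: use the raw macro */
    decode_hv_vendor(b, c, d, vendor);
    return 1;
#else
    return -1;
#endif
}
/* Side-channel check: CPUID unconditionally exits to the hypervisor, so its cycle
 * cost relative to an empty RDTSC pair is far larger in a VM (commonly thousands
 * of cycles) than on bare metal (low hundreds). Minimum over many samples filters
 * interrupt noise. Returns 0.0 off x86. */
double cpuid_cost_ratio(void) {
#if HAVE_X86
    uint64_t min_cpuid = UINT64_MAX, min_empty = UINT64_MAX;
    for (int i = 0; i < 200; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc(); __cpuid(0, a, b, c, d); uint64_t t1 = __rdtsc();
        uint64_t t2 = __rdtsc(), t3 = __rdtsc();
        if (t1 - t0 < min_cpuid) min_cpuid = t1 - t0;
        if (t3 - t2 < min_empty) min_empty = t3 - t2;
    }
    return (double)min_cpuid / (double)(min_empty ? min_empty : 1);
#else
    return 0.0;
#endif
}
```

The ratio has no universal threshold; compare it against a baseline taken on the physical hardware you actually run the sandbox on.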
Virtual machines are not absolutely secure. You know, the program code inside a virtual machine, just like the programs on the real host, is executed by the physical CPU; it is merely "forcibly isolated" by hardware, software and other mechanisms.
Once these mechanisms have flaws, a malicious program has a chance to escape from the virtual machine!
At the end of the story, they managed to escape from the virtual machine, only to find that they were still in another virtual machine.