Sreelakshmi Panangatt graduated from Vrije University and Amrita Vishwa Vidyapeetham and focuses on reverse engineering. Her tool DeViL (Detect Virtual Machine in Linux) demonstrates the techniques malware uses to detect that it is running inside a virtual machine, and reports how the current Linux configuration exposes itself to such checks. DeViL inspects files on disk, CPU instructions (CPUID and the VMware I/O port), network settings (MAC address prefixes) and instruction timing to find signs that the system is a VMware or VirtualBox guest rather than physical hardware. It is meant to help analysts understand how malware fingerprints analysis environments.
2. @srlkhmi
● Sreelakshmi Panangatt
● Member of Team bi0s
● Graduated from Vrije University and Amrita Vishwa Vidyapeetham.
● Focusing on Reverse engineering.
5. Virtualization
● Creation of a virtual version of a resource such as storage or an operating system
● Examples: VMware, VirtualBox, KVM, QEMU
● Benefits in malware analysis
○ Researchers can execute suspected malware samples without putting their own systems at risk.
○ If a sample destabilizes the guest OS, the analyst only needs to load a fresh image (or revert to a snapshot).
○ Reduces time and cost
○ Increases productivity
6. Anti-VM Techniques
● Used by malware to evade analysis inside VMs
● Types
○ File based detection (guest tooling left on disk)
○ Network based detection (known MAC address prefixes)
○ Instruction based detection (CPUID, VMware hypervisor port)
○ Time based detection (VM-exit latency)
7. Presence of VM
● /usr/bin is the standard directory that holds most user executables
● Searching it for file names that start with "vmw" (VMware Tools, e.g. vmware-toolbox-cmd) or "VirtualBox"/"VBox" (VirtualBox Guest Additions, e.g. VBoxClient, VBoxService) reveals the presence of VMware or VirtualBox guest software.
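The file-based check above, written out as an added C example; this is not DeViL's own code. It walks /usr/bin, /usr/sbin and /sbin for the prefixes named on the slide plus the VBox* names that VirtualBox Guest Additions install, and, going beyond the slide, also reads the SMBIOS vendor and product strings that Linux exposes under /sys/class/dmi/id. The directory list, the prefix table and the DMI substrings are this example's assumptions, not part of the presentation.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* File-name prefixes that betray guest tooling (assumed table). "vmw" is the
 * slide's prefix (VMware Tools binaries such as vmware-toolbox-cmd); "vmtoolsd"
 * is the VMware Tools daemon; "VirtualBox" is the slide's prefix and "VBox"
 * covers the Guest Additions binaries (VBoxClient, VBoxControl, VBoxService). */
static const char *const VM_PREFIXES[] = { "vmw", "vmtoolsd", "VirtualBox", "VBox" };

/* 1 if the file name alone suggests VMware or VirtualBox guest software. */
int name_indicates_vm(const char *name) {
    for (size_t i = 0; i < sizeof VM_PREFIXES / sizeof VM_PREFIXES[0]; i++)
        if (strncmp(name, VM_PREFIXES[i], strlen(VM_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* Count matching entries in one directory; -1 if the directory cannot be read. */
int count_vm_artifacts(const char *dir) {
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (name_indicates_vm(e->d_name)) {
            printf("  artifact: %s/%s\n", dir, e->d_name);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

/* Beyond the slide: the SMBIOS strings under /sys/class/dmi/id are world
 * readable and name the platform vendor directly. */
static int sysfs_contains(const char *path, const char *needle) {
    char buf[128];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

int dmi_indicates_vm(void) {
    return sysfs_contains("/sys/class/dmi/id/sys_vendor", "VMware")
        || sysfs_contains("/sys/class/dmi/id/product_name", "VMware")
        || sysfs_contains("/sys/class/dmi/id/product_name", "VirtualBox");
}

int main(void) {
    static const char *const dirs[] = { "/usr/bin", "/usr/sbin", "/sbin" };
    int total = 0;
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        int n = count_vm_artifacts(dirs[i]);
        if (n > 0)
            total += n;
    }
    printf("file artifacts: %d, DMI strings: %s\n", total, dmi_indicates_vm() ? "VM" : "none");
    return 0;
}
```

A guest without the vendor tooling installed produces no file hits, which is why a real sample combines this with the DMI, MAC and CPUID checks rather than trusting any one of them.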
16. Known MAC Address
● VMware
○ 00:05:69
○ 00:0C:29
○ 00:1C:14
○ 00:50:56
● VirtualBox
○ 08:00:27
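The MAC prefix check, as an added C example that is not part of DeViL. It reads the hardware address of every interface from /sys/class/net/<iface>/address and matches the first three octets against the OUIs listed on the slide; the sysfs path and the case-insensitive comparison are this example's choices.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

struct oui { const char *prefix; const char *vendor; };

/* OUIs from the slide, stored lower-case to match sysfs output. */
static const struct oui KNOWN_OUIS[] = {
    { "00:05:69", "VMware" }, { "00:0c:29", "VMware" },
    { "00:1c:14", "VMware" }, { "00:50:56", "VMware" },
    { "08:00:27", "VirtualBox" },
};

/* Vendor name for a MAC such as "00:0C:29:3a:4b:5c" (any case), or NULL. */
const char *mac_vendor(const char *mac) {
    char oui[9];
    size_t i;
    if (strlen(mac) < 8)
        return NULL;
    for (i = 0; i < 8; i++)
        oui[i] = (char)tolower((unsigned char)mac[i]);
    oui[8] = '\0';
    for (i = 0; i < sizeof KNOWN_OUIS / sizeof KNOWN_OUIS[0]; i++)
        if (strcmp(oui, KNOWN_OUIS[i].prefix) == 0)
            return KNOWN_OUIS[i].vendor;
    return NULL;
}

/* Read /sys/class/net/<iface>/address into out; 0 on success, -1 otherwise. */
static int read_iface_mac(const char *iface, char *out, size_t outlen) {
    char path[256];
    snprintf(path, sizeof path, "/sys/class/net/%s/address", iface);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(out, (int)outlen, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

/* Scan every interface; returns how many carry a VM vendor OUI, -1 on error. */
int scan_interfaces(void) {
    DIR *d = opendir("/sys/class/net");
    if (d == NULL)
        return -1;
    int flagged = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char mac[32];
        if (e->d_name[0] == '.')
            continue;
        if (read_iface_mac(e->d_name, mac, sizeof mac) != 0)
            continue;
        const char *vendor = mac_vendor(mac);
        if (vendor != NULL) {
            printf("  %s %s -> %s OUI\n", e->d_name, mac, vendor);
            flagged++;
        }
    }
    closedir(d);
    return flagged;
}

int main(void) {
    int n = scan_interfaces();
    printf("interfaces with VM vendor OUI: %d\n", n);
    return 0;
}
```

The OUI only identifies the virtual NIC model, so an analyst can defeat this check by assigning a different address to the guest adapter; conversely a physical host bridged to vmnet-style adapters may expose a 00:50:56 address without being a guest.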
17. CPUID Instruction
● Hypervisor bit
○ Execute CPUID with EAX=0x01
○ Bit 31 of ECX is set when a hypervisor is present (reserved and clear on bare metal)
● Virtualization vendor string
○ Execute CPUID with EAX=0x40000000 (the hypervisor leaf)
○ A 12-byte signature is returned in EBX, ECX and EDX, e.g. "VMwareVMware" or "VBoxVBoxVBox"
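Both CPUID checks from the slide, as an added C example that is not DeViL's code. The hypervisor bit is read from CPUID.1:ECX[31]; only if it is set is leaf 0x40000000 queried, because on bare metal an out-of-range leaf returns unrelated data. The signature table (VMware, VirtualBox, KVM, Hyper-V, Xen) is this example's; VirtualBox's string depends on its paravirtualization-provider setting and can appear as the KVM or Hyper-V signature instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_CPUID 1
/* Thin wrapper: CPUID with the requested leaf in EAX (subleaf 0 in ECX). */
static void cpuid(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d) {
    __asm__ __volatile__("cpuid"
                         : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d)
                         : "a"(leaf), "c"(0));
}
#else
#define HAVE_CPUID 0
#endif

/* The 12-byte signature arrives as three little-endian registers: the low byte
 * of EBX is the first character, the high byte of EDX the last. */
void decode_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    for (int i = 0; i < 4; i++) {
        out[i]     = (char)(ebx >> (8 * i));
        out[4 + i] = (char)(ecx >> (8 * i));
        out[8 + i] = (char)(edx >> (8 * i));
    }
    out[12] = '\0';
}

/* Map a signature to a product name; NULL for an unknown string (assumed table). */
const char *vendor_name(const char *sig) {
    if (strncmp(sig, "VMwareVMware", 12) == 0) return "VMware";
    if (strncmp(sig, "VBoxVBoxVBox", 12) == 0) return "VirtualBox";
    if (strncmp(sig, "KVMKVMKVM", 9) == 0)     return "KVM";
    if (strncmp(sig, "Microsoft Hv", 12) == 0) return "Hyper-V";
    if (strncmp(sig, "XenVMMXenVMM", 12) == 0) return "Xen";
    return NULL;
}

/* CPUID.1:ECX[31]: 1 under a hypervisor, 0 on bare metal, -1 if no CPUID. */
int hypervisor_bit(void) {
#if HAVE_CPUID
    uint32_t a, b, c, d;
    cpuid(1, &a, &b, &c, &d);
    return (int)((c >> 31) & 1);
#else
    return -1;
#endif
}

/* CPUID.40000000h: fill sig with the signature; only meaningful when the
 * hypervisor bit is set. Returns 0, or -1 when CPUID is unavailable. */
int hypervisor_signature(char sig[13]) {
#if HAVE_CPUID
    uint32_t a, b, c, d;
    cpuid(0x40000000u, &a, &b, &c, &d);
    decode_vendor(b, c, d, sig);
    return 0;
#else
    sig[0] = '\0';
    return -1;
#endif
}

int main(void) {
    char sig[13];
    int bit = hypervisor_bit();
    if (bit != 1) {
        printf("hypervisor bit: %d (no hypervisor signalled)\n", bit);
        return 0;
    }
    hypervisor_signature(sig);
    const char *name = vendor_name(sig);
    printf("hypervisor bit set, signature \"%s\" -> %s\n", sig, name ? name : "unknown vendor");
    return 0;
}
```

Hypervisors can hide this: VMware and KVM both let the administrator clear the hypervisor bit or blank the signature for a guest, so a clear bit is evidence of absence only for default configurations.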
18. Hypervisor port - IN Instruction
● Specific to VMware.
● Performs an IN operation on port 0x5658 (the VMware hypervisor "backdoor" port) with:
○ eax = 0x564D5868 (VMware hypervisor magic value, the bytes "VMXh")
○ ebx = 0xFFFFFFFF (UINT_MAX)
○ ecx = 10 (GETVERSION command identifier)
○ edx = 0x5658 (hypervisor port number)
● On VMware the hypervisor answers by setting ebx to 0x564D5868 (the magic value); on any other system an unprivileged IN raises a general protection fault instead, so the check must be wrapped in a fault handler.
19. VMEXIT through CPUID Instruction
● Timing based
● Measures how long the CPUID instruction takes to execute (e.g. RDTSC before and after).
● CPUID is unconditionally intercepted under hardware virtualization: executing it in a guest causes a VM exit (guest to hypervisor) followed by a VM entry back.
● Summary - CPUID takes noticeably longer inside a VM than on bare metal!
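The timing check from the slide, as an added C example that is not DeViL's code. It brackets CPUID with RDTSC, takes the median over many samples instead of a single run so that interrupts and scheduling noise do not dominate, and compares the result with a cut-off. The 500-tick threshold is an assumption of this example; bare metal typically measures in the low hundreds of ticks, a VM exit and re-entry in the thousands, but the right figure depends on the CPU and hypervisor.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#define ON_X86 1
static inline uint64_t rdtsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
/* CPUID leaf 0: serialising, and always intercepted by a VT-x/AMD-V hypervisor. */
static inline void cpuid_leaf0(void) {
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d) : "c"(0));
    (void)b; (void)c; (void)d;
}
#else
#define ON_X86 0
#endif

int cpuid_timing_available(void) { return ON_X86; }

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median TSC ticks spent on one CPUID over `samples` runs; 0 when not on x86. */
uint64_t cpuid_median_cycles(size_t samples) {
#if ON_X86
    if (samples == 0)
        return 0;
    uint64_t *t = malloc(samples * sizeof *t);
    if (t == NULL)
        return 0;
    for (size_t i = 0; i < samples; i++) {
        uint64_t t0 = rdtsc();
        cpuid_leaf0();          /* the instruction whose VM exit we are timing */
        uint64_t t1 = rdtsc();
        t[i] = t1 - t0;
    }
    qsort(t, samples, sizeof *t, cmp_u64);
    uint64_t median = t[samples / 2];
    free(t);
    return median;
#else
    (void)samples;
    return 0;
#endif
}

#define CPUID_VM_THRESHOLD 500u  /* assumed cut-off in TSC ticks */

int timing_suggests_vm(uint64_t median_cycles) {
    return median_cycles > CPUID_VM_THRESHOLD;
}

int main(void) {
    if (!cpuid_timing_available()) {
        puts("not an x86 build; no CPUID timing");
        return 0;
    }
    uint64_t m = cpuid_median_cycles(1000);
    printf("median CPUID cost: %llu ticks -> %s\n", (unsigned long long)m,
           timing_suggests_vm(m) ? "looks like a VM" : "looks like bare metal");
    return 0;
}
```

A hypervisor that traps RDTSC as well, or applies TSC offsetting and scaling, can shrink or hide the gap, which is why timing is a supporting signal rather than a decisive one.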
20. DeViL
● Demonstration tool
● Determines how the current configuration exposes itself to malware
● Supports only Linux
● Tested on Ubuntu 16.04
VMware implements an I/O port that programs can query to detect whether they are running under a VMware hypervisor. This hypervisor port behaves differently depending on magic values in certain registers and modifies some registers as a side effect. VMware is detected by performing an IN operation on port 0x5658 (the VMware hypervisor port).
Do an IN on port 0x5658 with
eax = 0x564D5868 (VMware hypervisor magic value)
ebx = 0xFFFFFFFF (UINT_MAX)
ecx = 10 (GETVERSION command identifier)
edx = 0x5658 (hypervisor port number)
On VMware, this operation sets register ebx to 0x564D5868 (the VMware hypervisor magic value). On any other system the IN instruction, executed from user mode, raises a general protection fault, so the check needs a fault handler around it.
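The hypervisor-port probe described on slide 18 and in the note above, as an added C example that is not DeViL's code. The register setup is exactly the one listed (eax = magic, ebx = UINT_MAX, ecx = GETVERSION, edx = port); what the example adds is the fault handling a user-mode check needs: on anything other than VMware the IN from ring 3 faults, so SIGSEGV (and SIGBUS, for portability) is caught with sigsetjmp/siglongjmp and treated as "not VMware". The helper that renders the magic as ASCII is this example's.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMWARE_MAGIC          0x564D5868u /* bytes spell "VMXh" */
#define VMWARE_PORT           0x5658u     /* bytes spell "VX"   */
#define VMWARE_CMD_GETVERSION 10u

/* Render a big-endian magic as text, e.g. 0x564D5868 -> "VMXh". */
void magic_to_ascii(uint32_t value, int nbytes, char *out) {
    for (int i = 0; i < nbytes; i++)
        out[i] = (char)(value >> (8 * (nbytes - 1 - i)));
    out[nbytes] = '\0';
}

static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* 1: VMware answered the backdoor call; 0: the IN faulted (not VMware);
 * -1: not an x86 build. */
int vmware_backdoor_present(void) {
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old_segv, old_bus;
    volatile int present = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(probe_env, 1) == 0) {
        uint32_t eax, ebx, ecx, edx;
        /* IN from port 0x5658 with the magic in EAX; VMware intercepts the
         * resulting fault and answers by writing the magic back into EBX. */
        __asm__ __volatile__("inl %%dx, %%eax"
                             : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
                             : "a"(VMWARE_MAGIC), "b"(0xFFFFFFFFu),
                               "c"(VMWARE_CMD_GETVERSION), "d"(VMWARE_PORT)
                             : "memory");
        (void)eax; (void)ecx; (void)edx;
        present = (ebx == VMWARE_MAGIC);
    }
    /* Reached directly, or via siglongjmp after the #GP on a non-VMware host. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return present;
#else
    return -1;
#endif
}

int main(void) {
    char magic[5], port[3];
    magic_to_ascii(VMWARE_MAGIC, 4, magic);
    magic_to_ascii(VMWARE_PORT, 2, port);
    int r = vmware_backdoor_present();
    printf("backdoor port \"%s\" with magic \"%s\": %s\n", port, magic,
           r == 1 ? "VMware detected" : r == 0 ? "no answer (not VMware)" : "not x86");
    return 0;
}
```

Build with gcc -O2 and run it inside a VMware guest and on a physical host to see the two outcomes; the GETVERSION reply also carries the protocol version in EAX, which this example ignores.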