Reverse Engineering Asked by nop on September 30, 2021
I’m reversing an anti-VMware mechanism which detects VGAuthService.exe and vmtoolsd.exe, as well as a few registry entries that I’ve taken care of and some drivers from C:\Windows\System32\drivers\vm.... I deleted the C:\Program Files\VMware folder and those drivers, and killed the VGAuthService.exe, vmtoolsd.exe and vm3dservice.exe processes, but it’s still detected, which means I’m missing something. However, when I uninstall VMware Tools, even without rebooting the machine, it’s undetected.
Is there a tool or a way to find which files the VMware Tools installation drops on disk, what it modifies, etc.? I remember there was a tool, “Orca”, which was useful for .MSI files, but it doesn’t apply in this case.
My VM: VMware® Workstation 15 Pro, 15.5.5 build-16285975
The first step in understanding an installer is identifying what product the installer was created with, then looking for any known extraction command lines. Tools such as Universal Extractor 2 can also help do this automatically. In this case, if you use a tool such as ProcMon, you can see that VMware's setup.exe extracts an MSI and executes that.
We can pass the admin-install command line to setup.exe, which is then passed to Windows Installer (msiexec.exe), which extracts the MSI. This is also documented by VMware in "Extracting the drivers from VMware Tools bundled with VMware Workstation":
    setup /A /P C:\setup
This will output the files into C:\setup along with the MSI. You can then just browse the folder structure to identify files, or use an MSI editing tool such as Orca to open the MSI and view the registry tables and custom actions.
Also be aware that there are more low-level options than simply looking for files/drivers to detect running in VMware, for example as per "Mechanisms to determine if software is running in a VMware virtual machine".
Example using CPUID (the original snippet calls an undefined cpuid() helper and uses pseudocode for the bit test; a thin wrapper around the GCC/Clang __cpuid macro is supplied here so it compiles):
    #include <string.h>
    #include <cpuid.h>   /* GCC/Clang; on MSVC use <intrin.h> and its __cpuid() intrinsic instead */

    /* Wrapper added so the snippet compiles: executes CPUID for the given leaf. */
    static void cpuid(unsigned int leaf, unsigned int *eax, unsigned int *ebx,
                      unsigned int *ecx, unsigned int *edx) {
        __cpuid(leaf, *eax, *ebx, *ecx, *edx);
    }

    int cpuid_check(void) {
        unsigned int eax, ebx, ecx, edx;
        char hyper_vendor_id[13];

        cpuid(0x1, &eax, &ebx, &ecx, &edx);
        if (ecx & (1u << 31)) {              /* CPUID.1:ECX bit 31 = hypervisor present */
            cpuid(0x40000000, &eax, &ebx, &ecx, &edx);   /* hypervisor vendor leaf */
            memcpy(hyper_vendor_id + 0, &ebx, 4);
            memcpy(hyper_vendor_id + 4, &ecx, 4);
            memcpy(hyper_vendor_id + 8, &edx, 4);
            hyper_vendor_id[12] = '\0';
            if (!strcmp(hyper_vendor_id, "VMwareVMware"))
                return 1;                    /* Success - running under VMware */
        }
        return 0;
    }
Using DMI information (GET_BIOS_SERIAL is left undefined in the original; it stands for a platform-specific read of the SMBIOS system serial number, e.g. Win32_BIOS.SerialNumber via WMI on Windows):
    int dmi_check(void) {
        char string[10];
        GET_BIOS_SERIAL(string);   /* platform-specific: fill 'string' with the BIOS serial */
        if (!memcmp(string, "VMware-", 7) || !memcmp(string, "VMW", 3))
            return 1;              /* DMI contains a VMware-specific string. */
        else
            return 0;
    }
Answered by chentiangemalc on September 30, 2021
Possibly it's checking for the drivers (e.g. network card, mouse, or display), or for a registered service (even if it's not running). Check the devices and services list before and after uninstalling.
Answered by Igor Skochinsky on September 30, 2021
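The before/after comparison suggested above, as an added example that is not part of either answer: one function snapshots the services, kernel drivers, PnP devices and the Services registry key (which lists registered drivers and services even when they are not running) to a JSON file, and a second diffs two snapshots. The snapshot paths and function names are illustrative choices, not anything the page specifies.

```powershell
# Added example (not from the original answers). Take one snapshot with VMware Tools
# installed and one after uninstalling it; entries marked '<=' exist only in the
# "before" snapshot, i.e. they are what the uninstall removed.
function Get-VmArtifactSnapshot {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $snapshot = [ordered]@{
        Services = Get-Service | ForEach-Object { "$($_.Name)|$($_.Status)" }
        Drivers  = Get-CimInstance -ClassName Win32_SystemDriver |
                   ForEach-Object { "$($_.Name)|$($_.PathName)|$($_.State)" }
        Devices  = Get-PnpDevice | ForEach-Object { "$($_.InstanceId)|$($_.FriendlyName)" }
        # Registered drivers/services, running or not (the point made in the answer above).
        RegSvcs  = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
                   ForEach-Object { $_.PSChildName }
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-VmArtifactSnapshot {
    param([Parameter(Mandatory)][string]$Before,
          [Parameter(Mandatory)][string]$After)

    $b = Get-Content $Before -Raw | ConvertFrom-Json
    $a = Get-Content $After  -Raw | ConvertFrom-Json
    foreach ($category in 'Services', 'Drivers', 'Devices', 'RegSvcs') {
        # @() keeps single-element categories as arrays; nulls are dropped before comparing.
        Compare-Object -ReferenceObject @($b.$category | Where-Object { $_ }) `
                       -DifferenceObject @($a.$category | Where-Object { $_ }) |
            ForEach-Object {
                [pscustomobject]@{ Category = $category
                                   Change   = $_.SideIndicator
                                   Item     = $_.InputObject }
            }
    }
}

# Usage (paths are illustrative):
#   Get-VmArtifactSnapshot -Path C:\snap\before.json       # with VMware Tools installed
#   ... uninstall VMware Tools ...
#   Get-VmArtifactSnapshot -Path C:\snap\after.json
#   Compare-VmArtifactSnapshot -Before C:\snap\before.json -After C:\snap\after.json |
#       Where-Object Change -eq '<=' | Format-Table -AutoSize
```

Get-PnpDevice needs the PnpDevice module (Windows 8 / Server 2012 and later); on older systems drop the Devices category or replace it with Win32_PnPEntity via Get-CimInstance.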