
VMware Tools list of all installed files with it

Reverse Engineering Asked by nop on September 30, 2021

I’m reversing an anti-VMware mechanism which detects VGAuthService.exe and vmtoolsd.exe as well as a few registries that I’ve taken care of and some drivers from C:\Windows\System32\drivers\vm.... I deleted the C:\Program Files\VMware folder and those drivers, killed the VGAuthService.exe, vmtoolsd.exe and vm3dservice.exe processes, but it’s still detected, which means I’m missing something. However, when I uninstall VMware Tools, even without rebooting the machine, it’s undetected.

Is there a tool or a way to find which files the VMware Tools installation drops on disk, what it modifies, etc.? I remember there was a tool “Orca” which was useful for .MSI files, but it’s not in this case.

My VM:

VMware® Workstation 15 Pro
15.5.5 build-16285975

2 Answers

The first step in understanding an installer is identifying what product the installer was created with, then looking for any known extract command lines. Tools such as Universal Extractor 2 can also help do this automatically. In this case, if you use a tool such as ProcMon, you can see that VMware's setup.exe extracts an MSI and executes that.

We can pass the admin install command line to setup.exe, which is then passed to Windows Installer (msiexec.exe), which extracts the MSI. This is also documented by VMware in Extracting the drivers from VMware Tools bundled with VMware Workstation:

setup /A /P C:\setup

This will output the files into C:\setup along with the MSI. You can then just browse the folder structure to identify files, or use an MSI editing tool such as ORCA to open the MSI and view the registry tables and custom actions.

Also be aware there are more low-level options than simply looking for files/drivers to detect running in VMware, for example as per Mechanisms to determine if software is running in a VMware virtual machine:

  • Testing the CPUID hypervisor present bit
  • Testing the virtual BIOS DMI information and the hypervisor port

Example using CPUID:

#include <cpuid.h>  /* GCC/Clang __cpuid macro; on MSVC use __cpuid() from <intrin.h> */
#include <string.h>
int cpuid_check(void) {
    unsigned int eax, ebx, ecx, edx;
    char hyper_vendor_id[13];
    __cpuid(0x1, eax, ebx, ecx, edx);
    if (ecx & (1u << 31)) {                       /* bit 31 of ECX: hypervisor present */
        __cpuid(0x40000000, eax, ebx, ecx, edx);  /* leaf 0x40000000: hypervisor vendor string */
        memcpy(hyper_vendor_id + 0, &ebx, 4); memcpy(hyper_vendor_id + 4, &ecx, 4); memcpy(hyper_vendor_id + 8, &edx, 4);
        hyper_vendor_id[12] = '\0';
        if (!strcmp(hyper_vendor_id, "VMwareVMware")) return 1; /* success - running under VMware */
    }
    return 0;
}

Using DMI information:

/* GET_BIOS_SERIAL is a placeholder for whatever platform-specific call reads the SMBIOS/DMI serial string */
int dmi_check(void) {
    char string[10];
    GET_BIOS_SERIAL(string);
    if (!memcmp(string, "VMware-", 7) || !memcmp(string, "VMW", 3)) return 1; /* DMI contains a VMware-specific string */
    else return 0;
}

Answered by chentiangemalc on September 30, 2021

Possibly it's checking for the drivers (e.g. network card, mouse, or display), or for a registered service (even if it's not running). Check the devices and services list before and after uninstalling.

Answered by Igor Skochinsky on September 30, 2021
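An added PowerShell example (not code from either answer) of the before/after comparison the second answer suggests, covering the artifact types the first answer walks through: services, kernel drivers, files under the drivers and Program Files directories, PnP devices, and the Services and Uninstall registry keys. Run it with -Mode Snapshot before and after installing or uninstalling VMware Tools, then with -Mode Diff; the output path and the set of locations inspected are assumptions, not something the answers specify.

```powershell
param(
    [Parameter(Mandatory)][ValidateSet('Snapshot','Diff')][string]$Mode,
    [string]$Path = "$env:TEMP\state.json",   # assumed output path for -Mode Snapshot
    [string]$Before,                          # snapshot files to compare for -Mode Diff
    [string]$After
)

function Get-SystemSnapshot {
    # Services and kernel drivers, running or not: a registered-but-stopped
    # service or driver is still visible to a detection routine
    $services = Get-CimInstance Win32_Service      | ForEach-Object { "$($_.Name)|$($_.PathName)" }
    $drivers  = Get-CimInstance Win32_SystemDriver | ForEach-Object { "$($_.Name)|$($_.PathName)|$($_.State)" }
    # Files under the two locations the question points at (assumed scope)
    $files = foreach ($dir in "$env:SystemRoot\System32\drivers", $env:ProgramFiles) {
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.FullName)|$($_.Length)" }
    }
    # PnP devices (virtual NIC, mouse, display adapter), as the second answer suggests
    $devices = Get-CimInstance Win32_PnPEntity | ForEach-Object { "$($_.Name)|$($_.DeviceID)" }
    # Registry: per-service keys and the Add/Remove Programs uninstall entries
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Services',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $registry = foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
    }
    [ordered]@{ services = @($services); drivers = @($drivers); files = @($files)
                devices  = @($devices);  registry = @($registry) }
}

function Compare-Snapshot($Old, $New) {
    # Both arguments come from ConvertFrom-Json, so iterate their properties
    foreach ($key in $Old.PSObject.Properties.Name) {
        $ref = @($Old.$key); $dif = @($New.$key)
        if ($ref.Count -eq 0 -or $dif.Count -eq 0) { $ref += ''; $dif += '' }  # Compare-Object rejects empty arrays
        foreach ($d in Compare-Object -ReferenceObject $ref -DifferenceObject $dif) {
            $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            '{0} {1,-9} {2}' -f $tag, $key, $d.InputObject
        }
    }
}

switch ($Mode) {
    'Snapshot' { Get-SystemSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path; "Snapshot written to $Path" }
    'Diff'     { Compare-Snapshot (Get-Content $Before -Raw | ConvertFrom-Json) (Get-Content $After -Raw | ConvertFrom-Json) }
}
```

Run from an elevated prompt so the driver directory and HKLM keys are readable; the Diff output lists every service, driver, file, device and key that appeared or disappeared between the two snapshots.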
