From 66f75641fa1d8d11f811bcd50e25e348eb5eb385 Mon Sep 17 00:00:00 2001 From: Sharp-tailed Grouse Date: Wed, 12 Oct 2022 22:59:44 -0400 Subject: [PATCH 1/3] Note these factors when using nested virtualization. You can still be caught out by some identifiers in a VM. Signed-off-by: Sharp-tailed Grouse --- guide.md | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/guide.md b/guide.md index a75847b..e03cb14 100644 --- a/guide.md +++ b/guide.md @@ -340,6 +340,7 @@ Finally note that this guide does mention and even recommends various commercial - [Addons to install/consider:] - [Bonus resources:] - [Appendix W: Virtualization] + - [Nested virtualization risks] - [Appendix X: Using Tor bridges in hostile environments] - [Appendix Y: Installing and using desktop Tor Browser] - [Installation:][25] 
@@ -11735,12 +11736,40 @@ Here is a little basic illustration of what Virtualization is: Each Virtual Machine is a sandbox. Remember the reasons for using them are to prevent the following risks: -- Mitigate local data leaks and easier clean-up in case of risk (everything is contained within the VM and only the VM identifiers could be leaked and not the Host Hardware identifiers) +- Mitigate local data leaks and easier clean-up in case something gets messed up or it is suspected to be compromised. - Reduce malware/exploit attack surfaces (if your VM is compromised, the adversary still must figure out he is in a VM and then gain access to the Host OS which is not so trivial). - Mitigate online data leaks by being able to enforce strict network rules on Virtual Machines for accessing the network (such as passing through the Tor Network). +## Nested virtualization risks + +**There is an inherently larger attack surface when nesting virtualization.** + +Here's some host information that can be leaked through the Virtual Machine: + +- Organizationally unique identifier or OUI - the unique identifier assigned to VMWare Guest VMs; + +- Virtual Windows registry keys like **ProductID** might show the Host Machine's environment: + `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId XXXXX-123-1234567-12345` + +- HDD, GPU, and mouse drivers can be exposed through: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\` + +- Registry entries will show that this is a virtual mouse: `%WINDIR%\system32\drivers\vmmouse.sys` + +- Descriptor Table Registers: + + - Since it's a Virtual Machine using the same CPU cores, the descriptor values are relocated due to there only being space for one of each identifier per CPU. This is a dead giveaway and is used in detection by advanced malware. 
It's employed by malware architects to tell when the program is being ran in a forensics environment, even such as a Remnux or Flare VM - popular OS and OS addons that are used by experts to analyze the malware. + +- VMware Tools detection: + + - In fact, some advanced malware actually automatically detect virtualization. This is trivial; most VMs contain this addon, operating unhidden by the Guest VM (it's user-installed, after successfully launching the VM). You don't want to install the tools in any of the VMs discussed in this guide because it can be easily detected by simple checks. It's not worth the exposure. + +- Guest VMs also indirectly access the same hardware as the Host. + +See for more techniques used by malware to detect virtualization. These techniques are mostly prevented by appending some settings to your VM config file (.vmx). + + # Appendix X: Using Tor bridges in hostile environments In some environments, your ISPs might be trying to prevent you from accessing Tor. Or accessing Tor openly might be a safety risk. @@ -13812,6 +13841,7 @@ In short, our opinion is that you may use Session Messenger on iOS due to the ab [Addons to install/consider:]: #addons-to-installconsider [Bonus resources:]: #bonus-resources [Appendix W: Virtualization]: #appendix-w-virtualization + [Nested virtualization risks]: #nested-virtualization-risks [Appendix X: Using Tor bridges in hostile environments]: #appendix-x-using-tor-bridges-in-hostile-environments [Appendix Y: Installing and using desktop Tor Browser]: #appendix-y-installing-and-using-desktop-tor-browser [25]: #installation-6 From 9b2bd9ef49b9ace1a3d92116c52513717501e570 Mon Sep 17 00:00:00 2001 From: Sharp-tailed Grouse Date: Fri, 14 Oct 2022 08:58:26 -0400 Subject: [PATCH 2/3] Use code tags instead of bold text Signed-off-by: Sharp-tailed Grouse --- guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guide.md b/guide.md index e03cb14..093b696 100644 --- a/guide.md +++ b/guide.md 
@@ -11750,7 +11750,7 @@ Here's some host information that can be leaked through the Virtual Machine: - Organizationally unique identifier or OUI - the unique identifier assigned to VMWare Guest VMs; -- Virtual Windows registry keys like **ProductID** might show the Host Machine's environment: +- Virtual Windows registry keys like `ProductID` might show the Host Machine's environment: `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId XXXXX-123-1234567-12345` - HDD, GPU, and mouse drivers can be exposed through: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\` From 1beb6b07d81678580a895118b4ed9f6a0daf4266 Mon Sep 17 00:00:00 2001 From: Sharp-tailed Grouse Date: Mon, 17 Oct 2022 19:01:41 -0400 Subject: [PATCH 3/3] Maybe we don't need this line about VMWare tools We already use a plethora of VMs in this guide; it's probably not necessary to make a big deal about VMWare tools. Signed-off-by: Sharp-tailed Grouse --- guide.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/guide.md b/guide.md index 093b696..53c58ef 100644 --- a/guide.md +++ b/guide.md 
@@ -11761,10 +11761,6 @@ Here's some host information that can be leaked through the Virtual Machine: - Since it's a Virtual Machine using the same CPU cores, the descriptor values are relocated due to there only being space for one of each identifier per CPU. This is a dead giveaway and is used in detection by advanced malware. It's employed by malware architects to tell when the program is being ran in a forensics environment, even such as a Remnux or Flare VM - popular OS and OS addons that are used by experts to analyze the malware. -- VMware Tools detection: - - - In fact, some advanced malware actually automatically detect virtualization. This is trivial; most VMs contain this addon, operating unhidden by the Guest VM (it's user-installed, after successfully launching the VM). You don't want to install the tools in any of the VMs discussed in this guide because it can be easily detected by simple checks. It's not worth the exposure. - - Guest VMs also indirectly access the same hardware as the Host. See for more techniques used by malware to detect virtualization. These techniques are mostly prevented by appending some settings to your VM config file (.vmx).
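Review bot: In PATCH 1/3, hunk `@@ -11735,12 +11736,40 @@`, the new section is headed `## Nested virtualization risks` and opens with "There is an inherently larger attack surface when nesting virtualization", but none of the bullets that follow concern nesting (a VM running inside another VM); every item is a guest-side artefact that lets a program tell it is running in a VM. Either retitle the section (for example `## Virtual machine detection risks`) and drop the nesting sentence, or add material that is actually about nesting. The lead-in "Here's some host information that can be leaked through the Virtual Machine" has the same mismatch: the items reveal that the guest is virtualized, not anything about the host. In particular `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId` read from inside a guest holds that guest's own Windows product ID, not the host's, and the placeholder `XXXXX-123-1234567-12345` should be separated from the key path (for example with ` = `) so it does not read as part of the path. The OUI bullet is inaccurate as written: an OUI is the IEEE-assigned vendor prefix of a MAC address, so the tell is that the virtual NIC's MAC begins with a VMware-registered prefix, not "the unique identifier assigned to VMWare Guest VMs" (the product is spelled VMware throughout). `%WINDIR%\system32\drivers\vmmouse.sys` is a driver file path, not a "registry entry"; say which of the two is meant. The "Descriptor Table Registers" bullet should name the check it refers to (reading the descriptor table registers and looking for relocated base addresses) and soften "dead giveaway", since the text gives no reason this holds on hardware-assisted hypervisors, where the guest runs with its own descriptor table registers; "being ran" should be "being run". Finally, "See for more techniques used by malware to detect virtualization" is missing the link after "See", and "appending some settings to your VM config file (.vmx)" names no setting, so the reader cannot act on it; list the settings or link to where they are documented.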
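Review bot: In PATCH 2/3, hunk `@@ -11750,7 +11750,7 @@`, swapping `**ProductID**` for `` `ProductID` `` is fine, but the inline name still disagrees with the path on the following line, which reads `...\CurrentVersion\ProductId`; the registry value is `ProductId`, so change the inline code to that spelling while you are touching the line.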
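Review bot: In PATCH 3/3, hunk `@@ -11761,10 +11761,6 @@`, deleting the VMware Tools bullet removes the only concrete recommendation the section had (do not install the guest tools in these VMs); what is left is "Guest VMs also indirectly access the same hardware as the Host", which names no specific leak, and "These techniques are mostly prevented by appending some settings to your VM config file (.vmx)", which names no setting. If the bullet goes because it is too emphatic, keep a one-line version of the advice or list the .vmx settings the closing sentence refers to, so the section still tells the reader what to do.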