Virtual DoS is useful
Peter Kamensky
@Python0x0
VMWare VM theory notes
VMWare Backdoor I/O
VMWare GuestRPC
GuestRPC work scheme
• Open channel
• Send length
• Send data
• Get return data length
• Receive data
• End of receive
• Close channel
GuestRPC packet example
VMWare VM main loop
[Diagram: VMware VM main loop. Labels: Guest VM; Backdoor I/O; VMM (vmx86 / ESXi kernel); IOCTL/syscall; user-mode vmware-vmx main vm-loop; I/O handler; UserRPC handler; GuestRPC handler; BackDoor I/O handler]
Grab GuestRPC commands
• http://pastebin.com/HWGtfy3G
Create a simple fuzzer
Host Guest File System
SetGuestInfo memory leak
SetGuestInfo
Host memory abuse
Countermeasure to AV sandbox system
Obvious steps
Not so easy
Never Fixed VMWare behavior
• http://www.piotrbania.com/all/adv/vmware-io-adv.txt
RWEverything
• http://rweverything.com/
NOT_IMPLEMENTED+RWEverything