Tuesday, August 6, 2013

VirtualBox IBM/Lenovo and the missing VPD

While having a go at writing an updated post regarding how to configure VirtualBox to avoid VM detection, new versions of VBox have been released since I wrote my previous posts.

I found something that could potentially give away the virtual guest, especially if you pretend to use, or actually use, IBM/Lenovo hardware. For those of us that don't use Apple hardware, Lenovo still seems to be a favourite, I guess because of their Linux compatibility and their stylish black color. So this case might not be that far-fetched.

Anyway, almost all IBM/Lenovo hardware has something called Vital Product Data, VPD for short. It's information like:

BIOS Build ID
Box Serial Number
Motherboard Serial Number
Machine Type/Model

This is information you can get from running dmidecode. But it's the lack of VPD information that could be a telltale sign that something is fishy.

The dmidecode package (there is a Windows build out there as well) ships with tools like biosdecode and vpddecode.

Below is part of the output from these two commands on a Linux host OS:

# biosdecode 2.11
VPD present.
    BIOS Build ID: XXXX
    Box Serial Number: XXXX
    Motherboard Serial Number: XXXX
    Machine Type/Model: XXXX


# vpddecode 2.11
BIOS Build ID: XXXX
Box Serial Number: XXXX
Motherboard Serial Number: XXXX
Machine Type/Model: XXXX

The same commands, only this time from inside the guest OS (VirtualBox with XP):

# biosdecode 2.10
... no VPD in the output

# vpddecode 2.10
# No VPD structure found, sorry.


The guest is set to present LENOVO as the BIOS vendor. A check could therefore test whether the vendor is IBM/Lenovo and whether VPD is present; if the vendor matches but there is no VPD, that would/could mean that the system is not native.

Just a thought ..

/Micke
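
As an added example (not from the original post), the following Python audits a guest you are hardening for the inconsistency described above. It assumes you captured the output of `dmidecode -s bios-vendor` and `vpddecode` inside the guest; the function names and the sample strings are constructed for illustration.

```python
# Added example: audit an analysis guest for the "IBM/Lenovo vendor but no VPD" tell.
# Inputs are text captured inside the guest; the samples below are constructed.

VPD_FIELDS = (
    "BIOS Build ID",
    "Box Serial Number",
    "Motherboard Serial Number",
    "Machine Type/Model",
)
VPD_VENDORS = ("ibm", "lenovo")  # vendors the post says normally carry VPD

HOST_VPD = """# vpddecode 2.11
BIOS Build ID: XXXX
Box Serial Number: XXXX
Motherboard Serial Number: XXXX
Machine Type/Model: XXXX
"""
GUEST_VPD = """# vpddecode 2.10
# No VPD structure found, sorry.
"""


def parse_vpd(vpddecode_output):
    """Return the VPD fields present in vpddecode output as a dict."""
    fields = {}
    for line in vpddecode_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # banner or "No VPD structure found"
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in VPD_FIELDS and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_guest(bios_vendor, vpddecode_output):
    """Report whether the vendor implies VPD and which VPD fields are absent."""
    vendor = bios_vendor.strip().lower()
    expects_vpd = any(name in vendor for name in VPD_VENDORS)
    vpd = parse_vpd(vpddecode_output)
    missing = [f for f in VPD_FIELDS if f not in vpd]
    # The tell from the post: vendor claims IBM/Lenovo, yet no VPD at all.
    return {"expects_vpd": expects_vpd, "missing": missing,
            "tell": expects_vpd and not vpd}


if __name__ == "__main__":
    print("guest:", audit_guest("LENOVO", GUEST_VPD))
    print("host: ", audit_guest("LENOVO", HOST_VPD))
```

The `missing` list goes slightly beyond the post by also showing a partially populated VPD, which is useful when checking whether a guest's spoofed firmware data is complete.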
