While having a go at writing an updated post regarding how to configure VirtualBox to avoid VM detection, new versions of VBox have been released since I wrote my previous posts.
I found something that could potentially give away the virtual guest, especially if you pretend or use IBM/Lenovo hardware. For those of us that don't use Apple hardware, Lenovo seems still to be a favourite, I guess because of their Linux compatibility and their stylish black color. So this case might not be that far-fetched.
Anyway, almost all IBM/Lenovo hardware has something called Vital Product Data, VPD for short. It's information like:
BIOS Build ID
Box Serial Number
Motherboard Serial Number
Machine Type/Model
Information you can get from running dmidecode. But it's the lack of VPD information that could be a telltale sign that something is fishy.
The dmidecode package (there is a Windows build out there as well) ships with tools like biosdecode and vpddecode.
Below is part of the output from these two commands on a Linux host OS:
# biosdecode 2.11
VPD present.
BIOS Build ID: XXXX
Box Serial Number: XXXX
Motherboard Serial Number: XXXX
Machine Type/Model: XXXX
# vpddecode 2.11
BIOS Build ID: XXXX
Box Serial Number: XXXX
Motherboard Serial Number: XXXX
Machine Type/Model: XXXX
The same commands, only this time from inside the guest OS (VirtualBox with XP):
# biosdecode 2.10
... no VPD in the output
# vpddecode 2.10
# No VPD structure found, sorry.
The guest is set to present LENOVO as the BIOS vendor. This could be used as a check: if the vendor is IBM/Lenovo and there is no VPD present, that would/could mean that the system is not native.
Just a thought ..
/Micke
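The check suggested above, written out as an added example (not code from the original post) for auditing an analysis guest before it is used. It takes the BIOS vendor string and the vpddecode output as text; the function names and the sample outputs are constructed for illustration and follow the output format shown in the post.

```python
# VPD fields listed in the post; VPD is only expected on IBM/Lenovo hardware.
VPD_FIELDS = ("BIOS Build ID", "Box Serial Number",
              "Motherboard Serial Number", "Machine Type/Model")
VPD_VENDORS = ("IBM", "LENOVO")

# Constructed samples mirroring the host and guest output quoted in the post.
HOST_VPD = """# vpddecode 2.11
BIOS Build ID: XXXX
Box Serial Number: XXXX
Motherboard Serial Number: XXXX
Machine Type/Model: XXXX
"""
GUEST_VPD = """# vpddecode 2.10
# No VPD structure found, sorry.
"""


def parse_vpd(vpddecode_output):
    """Return {field: value} for the VPD fields present in vpddecode output."""
    fields = {}
    for line in vpddecode_output.splitlines():
        if line.lstrip().startswith("#"):  # version banner or "No VPD ..." notice
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip() in VPD_FIELDS:
            fields[name.strip()] = value.strip()
    return fields


def audit_guest(bios_vendor, vpddecode_output):
    """List the VPD inconsistencies that would mark the system as not native."""
    if not any(v in bios_vendor.upper() for v in VPD_VENDORS):
        return []  # no VPD expected for other vendors, nothing to compare
    vpd = parse_vpd(vpddecode_output)
    if not vpd:
        return ["BIOS vendor is %s but no VPD structure is present" % bios_vendor]
    # A partially filled VPD is also inconsistent with the claimed vendor.
    return ["VPD field missing or empty: %s" % f
            for f in VPD_FIELDS if not vpd.get(f)]


if __name__ == "__main__":
    for label, out in (("host", HOST_VPD), ("guest", GUEST_VPD)):
        print(label, audit_guest("LENOVO", out) or "consistent")
```
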