Whispergate/berlin
[ASCII-art banner reading "BERLIN", followed by a second banner reading "Serexp"]

......... PRODUCTION................................................

Berlin: a cross-platform CPU-based virtual machine detection framework for modern offensive security.

=== LAYER II ====== RESEARCH...........................................

We start from the observation that hypervisors emulate CPU features on a best-effort basis. A CPU executes a program instruction by instruction, decoding each one and running checks on it before executing it. When the CPU is running a guest under a hypervisor, one of those checks is whether the instruction belongs to the set of "VM exit instructions": instructions that cannot safely be executed by the guest directly and must be handled by the hypervisor on the host. CPUID, for example, unconditionally causes a VM exit under both Intel VT-x and AMD-V; others, such as RDTSC, exit only if the hypervisor has configured them to. These instructions are markedly slower in a guest: on bare metal they retire in a few nanoseconds, whereas a VM exit has to save guest state, transfer control to the hypervisor, emulate the instruction and resume the guest, which costs hundreds to thousands of cycles (microseconds rather than nanoseconds) depending on the hardware, hypervisor and configuration, and far more when the hypervisor is itself nested or emulating the CPU in software.
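One way to implement the timing check described above, as an added example that is not Berlin's code (Berlin is proprietary and its source is not shown on this page): it times CPUID, which unconditionally exits under VT-x and AMD-V, with RDTSC, takes the median of 64 samples so that a stray interrupt or context switch does not skew a single run, and exposes the result through a function with the same contract as the README's int isVM(int threshold). The threshold unit (TSC ticks for one CPUID), the sample count and the 1000-tick placeholder in main are assumptions of this example. It needs an x86 build with clang or gcc; on other architectures the measurement reports an error, which the contract maps to "VM".

```c
/* Added example, not Berlin's code: detect a hypervisor by timing CPUID,
 * an instruction that always causes a VM exit. The threshold unit used
 * here (TSC ticks for one CPUID, median of SAMPLES runs) is an assumption
 * of this example, not something the Berlin README documents. */
#include <stdint.h>
#include <stdio.h>

#define SAMPLES 64

#if defined(__x86_64__) || defined(__i386__)
/* LFENCE keeps earlier instructions from retiring late, then RDTSC reads
 * the time-stamp counter. */
static inline uint64_t tsc_now(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__("lfence\n\trdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
}

/* CPUID leaf 0; the result is discarded, only the cost matters. CPUID is
 * also serialising, so it fences the measurement on both sides. */
static inline void cpuid_leaf0(void)
{
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid"
                         : "+a"(a), "=b"(b), "=c"(c), "=d"(d)
                         : : "memory");
    (void)b; (void)c; (void)d;
}

/* Cost of one CPUID in TSC ticks, or 0 if the counter went backwards. */
static uint64_t time_one_cpuid(void)
{
    uint64_t t0 = tsc_now();
    cpuid_leaf0();
    uint64_t t1 = tsc_now();
    return t1 > t0 ? t1 - t0 : 0;
}
#endif

/* Insertion sort then middle element. SAMPLES is small, and avoiding
 * qsort keeps this free of libc, in the spirit of a freestanding build. */
uint64_t median_u64(uint64_t *v, int n)
{
    for (int i = 1; i < n; i++) {
        uint64_t key = v[i];
        int j = i - 1;
        while (j >= 0 && v[j] > key) { v[j + 1] = v[j]; j--; }
        v[j + 1] = key;
    }
    return v[n / 2];
}

/* Median CPUID cost in TSC ticks; 0 means "could not measure". */
uint64_t cpuid_cost_ticks(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint64_t samples[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) {
        samples[i] = time_one_cpuid();
        if (samples[i] == 0)
            return 0;               /* broken TSC: treat as an error */
    }
    return median_u64(samples, SAMPLES);
#else
    return 0;                       /* no CPUID/RDTSC on this architecture */
#endif
}

/* Same contract as the README's entry point: 1 once the threshold is
 * reached or surpassed, 1 on any error (fail closed), 0 otherwise. */
int isVM(int threshold)
{
    if (threshold < 0)
        return 1;
    uint64_t cost = cpuid_cost_ticks();
    if (cost == 0)
        return 1;
    return cost >= (uint64_t)threshold ? 1 : 0;
}

int main(void)
{
    uint64_t cost = cpuid_cost_ticks();
    printf("median CPUID cost: %llu ticks\n", (unsigned long long)cost);
    /* 1000 ticks is a placeholder: bare metal is usually a few hundred,
     * a VM exit well above that. Calibrate on the target CPU. */
    printf("isVM(1000) = %d\n", isVM(1000));
    return 0;
}
```

Run it once on known bare metal and once inside a VM on the same CPU model to pick a threshold that separates the two medians; a threshold of 0 is useless, since any successful measurement reaches it and the function then always reports a VM.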
In our work, we introduce a CPU-agnostic framework that identifies virtual machines by timing VM exit instructions: if an instruction takes far longer than it should on bare metal, a hypervisor intercepted it. We offer a single entry point with one parameter:

    int isVM(int threshold);

Once the measured cost reaches OR surpasses the threshold, we deem that we are running in a virtual machine and return true (1). If the measurement itself fails, we also return true (1), so the library fails closed rather than reporting bare metal it could not verify. Otherwise false (0) is returned, meaning the checks completed and we believe we are running on genuine bare metal. The threshold is expressed in the units of the library's timing source, so treat the default as a starting point for your hardware rather than a universal constant.

=== LAYER III ====== ENGINEERING.........................................

This library was born out of being thoroughly bored of rewriting the same VM detection code in my offensive tooling, and of a decision to stop relying on third-party indicators such as registry keys on Windows: they only add IOCs and overhead to the tool while being trivial to fake.

All of these methods are best-effort. It is entirely possible to build a machine that fools Berlin, but doing so requires what I consider significant effort (patching KVM, QEMU and more), which is enough to thwart moderately motivated adversaries. You cannot win against a determined adversary anyway.

To make the library portable, OS-specific dependencies are abstracted away and both the library and its POC are entirely freestanding, requiring neither the C nor the C++ runtime.

You may, and should, tune the thresholds for your target's hardware if it is known. The default thresholds work well on my bare metal machine and a VM, but my CPU is not the same as yours or your target's. Compile with optimizations: they shrink some of the timing loops, which makes them run faster and makes detection more accurate. Timing measurements are also sensitive to frequency scaling, interrupts and migration between cores, so when calibrating a threshold take several samples and compare against a robust statistic rather than a single run.

=== LAYER IV ====== Compilation........................................

Compilation is very simple:

    clang poc.c berlin.c -DDEBUG -O3

Note that this command still links the platform's default C runtime; "freestanding" here means the code does not depend on it, not that the resulting binary ships without it.

=== LAYER V ====== LICENSE.............................................

Proprietary software. All rights reserved to Serexp. No license granted. Contact for commercial use.