Whispergate/berlin
------------------------------------------------------------------
| ▀█████████▄ ▄████████ ▄████████ ▄█ ▄█ ███▄▄▄▄ |
| ███ ███ ███ ███ ███ ███ ███ ███ ███▀▀▀██▄ |
| ███ ███ ███ █▀ ███ ███ ███ ███▌ ███ ███ |
| ▄███▄▄▄██▀ ▄███▄▄▄ ▄███▄▄▄▄██▀ ███ ███▌ ███ ███ |
| ▀▀███▀▀▀██▄ ▀▀███▀▀▀ ▀▀███▀▀▀▀▀ ███ ███▌ ███ ███ |
| ███ ██▄ ███ █▄ ▀███████████ ███ ███ ███ ███ |
| ███ ███ ███ ███ ███ ███ ███▌ ▄ ███ ███ ███ |
| ▄█████████▀ ██████████ ███ ███ █████▄▄██ █▀ ▀█ █▀ |
| ███ ███ ▀ |
------------------------------------------------------------------
.........A
/$$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$ /$$ /$$ /$$$$$$
/$$_____/ /$$__ $$ /$$__ $$ /$$__ $$| $$ /$$/ /$$__ $$
| $$$$$$ | $$$$$$$$| $$ \__/| $$$$$$$$ \ $$$$/ | $$ \ $$
\____ $$| $$_____/| $$ | $$_____/ >$$ $$ | $$ | $$
/$$$$$$$/| $$$$$$$| $$ | $$$$$$$ /$$/\ $$| $$$$$$$/
|_______/ \_______/|__/ \_______/|__/ \__/| $$____/
| $$
| $$
|__/
......... PRODUCTION................................................
Berlin: a cross-platform CPU-based
virtual machine detection framework for modern offensive security.
=== LAYER II ====== RESEARCH...........................................
We start from the observation that virtual machines emulate CPU features
only on a best-effort basis.
CPUs interpret programs instruction by instruction, decoding and executing
them one at a time after performing checks on them. One of these checks is
the verification of the instruction against a list of "vmexit
instructions": instructions that cannot reliably be executed inside a
virtual machine and require the host CPU to execute them. These are
notably slower, because instead of running in the virtualized CPU and
taking at most a few nanoseconds, vmexit instructions need to exit
virtualization, leading to some of them taking hundreds of milliseconds
depending on device and configuration.
In our work, we introduce a CPU-agnostic framework for the identification
of virtual machines through the use of vmexit instructions and use
timing attacks to identify virtualization.
We offer a single entry point with a parameter:
int isVM(int threshold);
Once the threshold is reached or surpassed, we deem that we are running
in a virtualized machine and therefore return true (i.e. 1). If we
encounter an error, we also return true (1). Otherwise, false is returned,
indicating that we have tested adequately and believe we are running on
genuine bare metal.
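The measurement and threshold decision described above, as an added example that is not Berlin's code: it times CPUID (an instruction x86 hypervisors must intercept, i.e. one of the "vmexit instructions" meant here) with rdtsc, takes the median of many samples so that a single preempted run cannot flip the verdict, and applies the same return contract as isVM. It assumes x86-64 with GCC/Clang inline assembly; the function names, the 512-sample count and the 1000-cycle threshold are assumptions, and the threshold must be tuned per host as the README says.

```c
/* Added example, not Berlin's code: time CPUID (which x86 hypervisors must
   intercept) and compare its median cycle cost against a threshold. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__)
static inline uint64_t rdtsc_ordered(void) {
    uint32_t lo, hi;   /* lfence: earlier instructions complete before the read */
    __asm__ volatile("lfence\n\trdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
}
static inline void cpuid_leaf0(void) {   /* leaf 0 (vendor string) exits under VT-x */
    uint32_t eax = 0;
    __asm__ volatile("cpuid" : "+a"(eax) : : "rbx", "rcx", "rdx", "memory");
}
#endif
static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
/* Median, not mean: one preempted or interrupted sample must not flip the verdict. */
uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return (n % 2) ? v[n / 2] : (v[n / 2 - 1] + v[n / 2]) / 2;
}
/* Median cycle cost of one CPUID over `samples` runs; 0 on bad input or non-x86-64. */
uint64_t measure_cpuid_median(size_t samples) {
    uint64_t v[4096];
    if (samples == 0 || samples > sizeof v / sizeof *v) return 0;
#if defined(__x86_64__)
    for (size_t i = 0; i < samples; i++) {
        uint64_t t0 = rdtsc_ordered();
        cpuid_leaf0();               /* serializing: it retires before the 2nd rdtsc */
        v[i] = rdtsc_ordered() - t0;
    }
    return median_u64(v, samples);
#else
    (void)v; return 0;               /* no rdtsc/cpuid on this architecture */
#endif
}
/* isVM's contract: >= threshold is "VM" (1); median 0 (failed measurement) is also 1 */
int classify_vm(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles == 0 || median_cycles >= threshold;
}
int main(void) {   /* 1000 cycles is an assumed starting threshold; tune per host */
    uint64_t med = measure_cpuid_median(512);
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)med,
           classify_vm(med, 1000) ? "virtualized (or error)" : "bare metal");
    return 0;
}
```

Sandbox and lab operators can run the same loop on a guest and on comparable bare metal to see how far apart the two medians sit, which is the gap any detector of this kind relies on.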
=== LAYER III ====== ENGINEERING.........................................
This library was born out of me being very bored of rewriting the same
VM detection code in my offensive tooling, and out of deciding to move
away from third-party means of identification, such as registry keys on
Windows, because they only introduce additional IOCs and overhead while
being very easy to fake.
These methods are all best-effort. It is entirely possible to build a
machine that can fool Berlin. It does, however, require what I deem
significant effort (patching kvm, qemu and more), and is enough to thwart
moderately motivated adversaries. You cannot win against a determined
adversary anyway.
To make this library portable, I have decided to abstract OS-specific
dependencies and make the library and its POC entirely freestanding,
not requiring the C (or C++) runtime.
You may and should tune the thresholds for your target's hardware if
it is known. Default thresholds work well on my bare metal machine and
a VM, but my CPU is not the same as yours or your target's.
Compile with optimizations to reduce the size of some loops, which
makes them run faster and makes detections more accurate.
=== LAYER IV ====== Compilation........................................
Compilation is very simple:
clang poc.c berlin.c -DDEBUG -O3
=== LAYER V ====== LICENSE.............................................
Proprietary software.
All rights reserved to Serexp.
No license granted.
Contact for commercial use.