Stealing stuff from vmdk files

Posted: November 8, 2009 in security

Well, that’s been a while. I almost forgot my WordPress password. My last post wasn’t really informative, so I thought I’d just post one of the projects I’m currently working on. It’s far from finished and I doubt I’ll release it once it is finished. So for the time being I’ll only share my alpha POC, which should be enough to build upon.

Have you ever had the need to get stuff off vmdk files without using any of the visual VMWARE products? Well I have!! Now luckily VMWARE has also noticed that there are a lot of people with that need, and they have released an excellent API: the Virtual Disk Development Kit 1.1. Now that stuff is sexy; quote from its website:

The Virtual Disk Development Kit (VDDK) is a collection of C libraries, code samples, utilities, and documentation to help you create or access VMware virtual disk storage. The kit includes:

  • The Virtual Disk and Disk Mount libraries, a set of C function calls to manipulate virtual disk files.
  • C++ code samples that you can build with either Visual Studio or the GNU C compiler.
  • The Disk Mount utility to access files and file systems in offline virtual disks on Windows or Linux guest virtual machines.
  • Documentation about the VDDK libraries and the command-line utilities.
  • The Virtual Disk Manager utility to manipulate offline virtual disks on Windows or Linux (clone, create, relocate, rename, grow, shrink, or defragment).

I assume that after reading the above you’ll also agree that the possibilities are endless. Now let’s get cooking.

First of all, here are a variety of reasons why I got interested in the subject of messing with vmdk files (or, like Joey from Friends would say, they are threefold):

  • People always assume malware wants to break out of a VM
  • Currently advice is being given to do financial stuff inside a VM, instead of properly fixing the issue
  • It’s fun to mess with new stuff

So with the above reasons I started to mess around with the VDDK API. The API boils down to two things in my opinion:

  • raw read/write of the VMDK file
  • mount the VMDK and perform read/write operations
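To show what the "raw read" half of that list amounts to, here is an added example (my code, not the post's POC and not VDDK): a reader for the monolithic-sparse (hosted sparse, "KDMV") VMDK layout that resolves a logical sector through the grain directory and grain table, so a defender can baseline a powered-off VM's boot sector and re-check it later. The header field order follows VMware's published virtual disk format; the sample disk is constructed in the block, and split, flat, stream-optimized (compressed) and snapshot-delta disks are deliberately not handled.

```python
import hashlib
import struct

SECTOR = 512
# Hosted sparse extent header (little-endian, 512 bytes): magic, version, flags,
# capacity, grainSize, descriptorOffset, descriptorSize, numGTEsPerGT, rgdOffset,
# gdOffset, overHead, uncleanShutdown, 4 newline-detection chars, compressAlgorithm, pad.
HDR = struct.Struct("<IIIQQQQIQQQ?cccch433x")
MAGIC = 0x564D444B  # "KDMV" read as a little-endian uint32
FLAG_COMPRESSED = 1 << 16


def parse_header(data):
    """Return (capacity, grain_size, gtes_per_gt, gd_offset), all in sectors."""
    fields = HDR.unpack_from(data, 0)
    magic, _ver, flags, capacity, grain_size, _doff, _dsize, gtes_per_gt, _rgd, gd_off = fields[:10]
    if magic != MAGIC:
        raise ValueError("not a hosted sparse VMDK extent")
    if flags & FLAG_COMPRESSED:
        raise ValueError("stream-optimized (compressed) grains are not handled here")
    return capacity, grain_size, gtes_per_gt, gd_off


def read_sector(data, lba):
    """Return the 512 bytes at logical sector `lba`; an unallocated grain reads as zeros."""
    capacity, grain_size, gtes_per_gt, gd_off = parse_header(data)
    if not 0 <= lba < capacity:
        raise IndexError("sector outside the virtual disk")
    grain = lba // grain_size
    # Grain directory entry -> sector of the grain table; grain table entry -> sector of the grain.
    (gde,) = struct.unpack_from("<I", data, gd_off * SECTOR + 4 * (grain // gtes_per_gt))
    (gte,) = struct.unpack_from("<I", data, gde * SECTOR + 4 * (grain % gtes_per_gt))
    if gte == 0:
        return bytes(SECTOR)
    start = (gte + lba % grain_size) * SECTOR
    return data[start:start + SECTOR]


def boot_sector_digest(data):
    """SHA-256 of logical sector 0: baseline it while the VM is off, re-check it later."""
    return hashlib.sha256(read_sector(data, 0)).hexdigest()


def build_sample_vmdk():
    """Constructed 64-sector monolithic-sparse disk: descriptor at sector 1, GD at 2,
    one GT at 3, grain 0 (8 sectors) at 4; only grain 0 is allocated."""
    grain_size, gtes_per_gt = 8, 512
    hdr = HDR.pack(MAGIC, 1, 1, 64, grain_size, 1, 1, gtes_per_gt, 0, 2, 4,
                   False, b"\n", b" ", b"\r", b"\n", 0)
    desc = b"# Disk DescriptorFile\nversion=1\n".ljust(SECTOR, b"\0")
    gd = struct.pack("<I", 3).ljust(SECTOR, b"\0")
    gt = struct.pack("<I", 4).ljust(SECTOR, b"\0")
    mbr = bytes(510) + b"\x55\xaa"  # constructed boot sector carrying only the 0xAA55 signature
    return hdr + desc + gd + gt + mbr.ljust(grain_size * SECTOR, b"\0")
```

Pointing `read_sector` at the bytes of a real single-extent `.vmdk` while the VM is powered off gives the same result VDDK's raw read would for that sector; a changed `boot_sector_digest` between two offline checks is the signal to investigate.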

So let’s mix the reasons with the possibilities and see what kind of attacks you could plausibly expect from malware:

  • Infect the MBR, aka port the Stoned bootkit to support VMDK infection (thanks to an anonymous thinker for this idea)
  • Have the malware insert itself into all VMDK files present on a system
  • Have the malware steal important files (registry files, SAM file, private keys, etc.)
  • Bypass full disk encryption on VMDK files using, for example, the Evil Maid attack
  • Disable all kinds of protection software like AV/FW

For the time being I’m only releasing the alpha code to steal stuff from a VMDK file. There are several reasons why it’s alpha code, so if it doesn’t work in your own situation or if it breaks things, it’s all your OWN responsibility. This code has only been tested on a virtual machine with one disk, no partitions, no snapshots and a known configuration. At the moment the code only works if the virtual machine is powered off.

Oh, and you DO need to have the VDDK installed for this to work. The mounting of the VMDK file is done through a driver which needs to be installed. This can all be solved, and malware won’t have this problem because it will just supply the driver itself. Also don’t forget to configure your programming environment properly to include the VDDK headers and libraries.

Alpha POC
