Tuts 4 You
VMWare StandAlone USB

JMC31337

Once a long, long time ago, I came across a [stealth] team mod of Adobe CS that would run on USB as a stand-alone, which did not require any hard disk installs.

The directory structure actually seemed to have a reg hive from within the CS folder to allow the program to run off that USB.

Is this illegal for a single user to "hack"/"crack" his own version of VMWarez for his own USB and personal use?

And how does one go about researching the [stealth] team tricks that they used?

In that, where could I read up on the subject of having my program run off USB as stand-alone, and how in the world does one go about setting up a "fake reg hive" on a USB to allow that said program to function properly?


evlncrn8

sounds like thinstall or some variant

m0rpheus

it's thinstall or portableapps


JMC31337

Yeah, I checked out ThinApps, but the true problem I came across was the fact that the theory is to be able to take our VM images anywhere and run them off the USB flash (which a rumor I saw on the net says would destroy the flash stick with the constant writing; an external USB HD is different).

I was able to stop all the services to vmplayer.

And yet the one file service is started automatically (vmware-vmx.exe), and without ADMIN privs I would not be able to load that service.

A few sys drivers are also installed into system32 and I copied them to the USB (as we could patch the vmplayer and point it to the USB sys driver).

But starting that one service is something else.

Now, I suppose if a public locked-down system is itself being used in VM virtualized mode then maybe the service and sys drivers are already loaded : /

And of course a few reg keys (here's the list of everything):


 


Note: Your system may not have all of these files.

=====================================
C:\Windows\system32\vmnat.exe
C:\Windows\system32\vmnetbridge.exe
C:\Windows\system32\VMNetDHCP.exe
C:\Windows\system32\vmnetdhcp.leases
C:\Windows\system32\vmxw2ksetup.dll
C:\Windows\system32\vnetprobe.exe
C:\Windows\system32\vnetprobelib.dll
C:\Windows\system32\vnetinst.dll
C:\Windows\system32\vnetlib.dll
C:\Windows\system32\vnetlib.exe
C:\Windows\system32\drivers\vmnet.sys
C:\Windows\system32\drivers\vmnetx.sys
C:\Windows\system32\drivers\VMparport.sys
C:\Windows\system32\drivers\vmx86.sys
C:\Windows\system32\drivers\vmnetadapter.sys
C:\Windows\system32\drivers\vmnetbridge.sys
C:\Windows\system32\drivers\vmnetuserif.sys
C:\Windows\system32\drivers\hcmon.sys
C:\Windows\system32\drivers\vmusb.sys

VMware Player 2.x/3.x/4.x/5.x/6.x
=========================
HKEY_CLASSES_ROOT\Installer\Features\AE11A35A5900F39468AF1AE5A8684A50
HKEY_CLASSES_ROOT\Installer\Products\AE11A35A5900F39468AF1AE5A8684A50
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\AE11A35A5900F39468AF1AE5A8684A50
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\AE11A35A5900F39468AF1AE5A8684A50
HKEY_CLASSES_ROOT\Installer\Products\7A26F0EA2A1AF704F9C48439B99DDAD8
HKEY_CLASSES_ROOT\Installer\Products\7A79579133DA8984D9E8376086814B46
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\AE11A35A5900F39468AF1AE5A8684A50
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A53A11EA-0095-493F-86FA-A15E8A86A405}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3F935F414A4C79542AD9C8D157A3CC39
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.

 

 

Stop the VMware Services on the Windows host operating system:

Open Start > Run, type services.msc, and click OK. The Services snap-in opens.
Right-click each of the following services and select Stop.

VMware Authorization Service
VMware Authentication Service
VMware Registration Service
VMware DHCP Service
VMware NAT Service
VMware USB Arbitration Service
VMware Workstation Server
VMware WSX Service
===========================
Note: Depending on the VMware product, some services might not be there on your Windows host.

 


 


Listing all loaded VMware sys driver modules for this SP3:

0xBA318000 vmnetuserif.sys
0xB45CB000 VMNET.SYS
0xB4167000 vmx86.sys
0xB4327000 hcmon.sys
0xF77C7000 VMparport.sys
0xB4147000 vmci.sys

 


 


If you kill all VM services and run that player it won't let you do any networking... and vmware-vmx.exe seems to be an authorization service.


evlncrn8

vm = virtual machine

thinstall is kinda like a sandbox... two entirely different things..

JMC31337

vm = virtual machine

thinstall is kinda like a sandbox... two entirely different things..

Thought you were referring to VMware ThinApp ...

I'll let you all know if I can find out anything on this portability stand-alone VMware idea...

And I found out that Adobe CS releases versions called CS Portable, so you were both correct on that.

Also came across an idea after seeing that MCSFT has user-mode drivers and kernel-mode drivers... it would be a hellacious project.

JMC31337

Now, I suppose if a public locked-down system is itself being used in VM virtualized mode then maybe the service and sys drivers are already loaded : /

and vmware-vmx.exe seems to be an authorization service

This was an incorrect assumption on my part (as the file I see loaded under the VMware OS for Win7 and the VMware OS for XP is dump_diskdump.sys).

vmware-authd is the Authorization service.

Didn't realize it was probably going to be a failure before I tried this idea.

And at any point in time, if a moderator wants to trash this thread, go ahead... Otherwise I'm going to keep at it.

JMC31337

After about 50 reboots and numerous registry keys deleted, the following are necessary for VMwarez Player to run (of course without some functions such as networking):

1) VMAuthdService "vmware-authd.exe"
2) vmx86 "vmx86.sys"

The following must be changed in the VMwarez config files for each machine:

1) vmci0.present = "FALSE" since the reg key to VMCI was deleted; this is no longer an option
2) Win 7 had to have guestOS = "other" since vmplayer didn't recognize Win 7 as a system

Questions Presented:

Since we're down to only 2 keys dealing with sys kernel driver modules and services, is there a way to map the sys file into memory and still use the IODeviceControls?

Do those sys files really need to be in kernel space, or can they be in user space too?

    :dunno:

Note: all keys were located in the ControlSet Services registry and this is the only place I removed crap from, and I'll continue to peruse the registry for other VMwarez necessities later on, such as HKEY_CLASSES_ROOT\Installer\Assemblies\C:|Program Files|VMware|VMware Player|Resources|msvcm80.dll, which has a public key token, and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components.


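A read-only audit script for what the post above boils VMware Player down to (the VMAuthdService service, the vmx86.sys driver, their ControlSet\Services keys) plus the privilege Windows requires before any .sys file can be loaded. This is an added example, not code from the thread or from VMware; the service display names and driver names are taken from the lists posted in this thread.

```powershell
# Added audit example (not from the thread). Reads state only: it does not
# start, stop, install or load anything.

# 1) User-mode VMware services. The thread lists them by display name
#    (e.g. "VMware Authorization Service"), so match on that.
$svc = Get-Service -DisplayName 'VMware*' -ErrorAction SilentlyContinue |
       Select-Object Name, DisplayName, Status, StartType

# 2) Kernel drivers from the thread's loaded-module list; vmx86 is the one
#    the post found mandatory. These run at ring 0, not as DLLs.
$driverNames = @('vmx86', 'vmnet', 'vmnetx', 'vmnetuserif', 'vmnetadapter',
                 'vmnetbridge', 'hcmon', 'vmusb', 'VMparport', 'vmci')
$drv = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $driverNames -contains $_.Name } |
       Select-Object Name, State, StartMode, PathName

# 3) Each driver/service above is registered as a subkey of the ControlSet
#    Services key the post says it pruned; report whether it still exists.
$regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$reg = foreach ($n in ($driverNames + 'VMAuthdService')) {
    $k = Join-Path $regBase $n
    $exists = Test-Path $k
    [pscustomobject]@{
        Name      = $n
        KeyExists = $exists
        ImagePath = if ($exists) { (Get-ItemProperty $k).ImagePath } else { $null }
        Start     = if ($exists) { (Get-ItemProperty $k).Start } else { $null }
    }
}

# 4) Loading a driver image requires SeLoadDriverPrivilege on the caller's
#    token (normally only administrators hold it), which is the restriction
#    the thread keeps running into on a basic user account.
$hasLoadDriver = [bool](whoami /priv | Select-String -SimpleMatch 'SeLoadDriverPrivilege')

'== VMware services =='
$svc | Format-Table -AutoSize
'== VMware kernel drivers =='
$drv | Format-Table -AutoSize
'== ControlSet\Services keys =='
$reg | Format-Table -AutoSize
"Current account holds SeLoadDriverPrivilege: $hasLoadDriver"
```

Run it once as the locked-down user and once elevated to see the difference in the privilege line; the service and driver tables do not need elevation to read.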
evlncrn8

map sys file into memory? considering its a driver, and thus runs at ring 0... nope

JMC31337

map sys file into memory? considering its a driver, and thus runs at ring 0... nope

Exactly.. but there are user-mode drivers.. DLLs.

Figured I wouldn't be able to do this when I saw the services and the sys file.

But like what was mentioned in the SYS ENTER thread: a default flash device driver gets loaded on a restricted USER account; any way to reclassify the driver as a default device (bypassing the admin restrictions) and still have full functionality?

Then it would come down to the Services snap-in / sc.exe crap.

It even happened yesterday when I went to grab DCIM images from the Android: I plugged it in and the Windows auto-install said "unable to find your hardware and it won't work correctly", then I selected mass storage on the droid and accessed the droid's SD card like nothing went wrong from the OS.

Let's see here: plug my droid in
memory card access
found new hardware
generic volume under storage volumes (device manager says)
STORAGE\REMOVABLEMEDIA\8&1430C8C2&0&RM
STORAGE\REMOVABLEMEDIA\8&177181D&0&RM

And that works on any locked-down user account I use at a public terminal with USB access permissions... since people have to be able to carry their docs around and use the printer and stuff.

So why can't I fool the system into thinking the vmware sys file (or any sys file) is a generic volume storage device?

Question Presented:

1) Does it have any effect on the loaded kernel driver if it's labeled as some generic device?

evlncrn8

driver != dll

the notification you get there is from the usb subsystem...

net start drivername usually does the trick too, provided the driver is written properly, and you have the sufficient rights to load it

JMC31337

Thought kernel drivers were SYS file modules, and user-mode drivers were just DLLs.

"and you have the sufficient rights to load it" yeah, that's what it's coming down to..

Thinking the OS sees a generic USB volume and loads up its system32 usbstor.sys driver, so there is no way I would be able to load my own on a basic user account.

But if a system allows ZwSetSystemInformation and SystemLoadAndCallImage it's on.. and sometimes the admins let basic user accounts load some services/drivers anyway.


JMC31337

ZwSetSystemInformation SystemLoadAndCallImage... can't load a driver in a locked-down user account, so there is no way to load any VMware-necessary drivers...

Guess this is a "trashed" idea.

:nopity:

Tried loading vmx86.sys with the above Zw call.. pops 2 C0000005 violations...

(can't load the driver in that fashion: \\??\\C:\\WINDOWS\\system32\\Drivers\\vmx86.sys)

The starting point for the driver loader when attempting to load the VMware driver:

CPU Disasm
Address   Hex dump          Command                                  Comments
007ADD5E    8078 51 00      CMP BYTE PTR DS:[EAX+51],0

And the program's starting point on other drivers (driver.sys):

CPU Disasm
Address   Hex dump          Command                                  Comments
00401220  /.  55            PUSH EBP

The vmx86.sys has normal archive attribs.




0:000> !load msec
0:000> g
(a30.334): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=003f0ce6 ecx=0000860e edx=7c90e514 esi=00000a30 edi=00000001
eip=007add5e esp=0022f9e0 ebp=0022f9f0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\HAL.dll -
HAL!HalInitSystem+0x376:
007add5e 80785100 cmp byte ptr [eax+51h],0 ds:0023:00000051=??

Exploitability Classification: UNKNOWN

Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at HAL!HalInitSystem+0x0000000000000376 (Hash=0x10206046.0x167a4b51)

The data from the faulting address is later used to determine whether or not a branch is taken.

JMC31337

Now apparently:

WCHAR daPath[] = L"\\??\\C:\\WINDOWS\\system32\\1";   //SYS DRIVER NAME

will not give the two C0000005 access violation windows, but

WCHAR daPath[] = L"\\??\\C:\\WINDOWS\\system32\\11111111";   //SYS DRIVER NAME

will, once it's continued at the fault: HAL!HalInitSystem+0x376




(1c4.db4): Access violation - code c0000005 (!!! second chance !!!)
eax=0022fc54 ebx=00000000 ecx=0022fca8 edx=7c90e514 esi=c0000005 edi=00000000
eip=7c9673be esp=0022fc54 ebp=0022fca4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlRaiseStatus+0x26:
7c9673be c9 leave
0:000> g
WARNING: Continuing a non-continuable exception
(1c4.db4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00440fb2 ebx=00004000 ecx=00000000 edx=00000002 esi=00440fb0 edi=0022ff50
eip=31004485 esp=0022ef50 ebp=0022ef58 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
31004485 ?? ???
0:000> g
(1c4.db4): Access violation - code c0000005 (!!! second chance !!!)
eax=00440fb2 ebx=00004000 ecx=00000000 edx=00000002 esi=00440fb0 edi=0022ff50
eip=31004485 esp=0022ef50 ebp=0022ef58 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
31004485 ?? ???
0:000> !load msec
0:000> !exploitable
*** ERROR: Module load completed but symbols could not be loaded for image00400000
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000031004485 called from image00400000+0x00000000000013e7 (Hash=0x56657323.0x7c466806) Access violations at the instruction pointer are exploitable if not near NULL.

WCHAR daPath[] = L"1111111111111111111111111111111111111111";

will crash HAL too...

follow the white rabbit  :bunny:

JMC31337

#include <windows.h>   // WCHAR

int main()
{
    // 52-character wide string placed on the stack; never used
    WCHAR daPath[] = L"1111111111111111111111111111111111111111111111111111";
    return 0;
}


 

 

 

CPU Stack
Address   Value      ASCII Comments
0022F9E0  /00000001  ...
0022F9E4  |0022FA04  ".
0022F9E8  |003F0CE6  .?.   ; KDCOM.<ModuleEntryPoint>
0022F9EC  |000030DB  0..
0022F9F0  |0022FA10  ".
0022F9F4  \7C90118A  |    ; RETURN to ntdll.7C90118A

CPU - main thread, module HAL

EAX 00000000
ECX 000030DB
EDX 7C90E514 ntdll.KiFastSystemCallRet
EBX 003F0CE6 Jump to HAL.HalInitSystem
ESP 0022F9E0
EBP 0022F9F0
ESI 0000077C
EDI 00000001
EIP 007ADD5E HAL.007ADD5E

 

 

 



 



evlncrn8

cos you've fornicated up the stack.. leave = mov esp, ebp .. pop ebp..

i really have the feeling you are way out of your depth in what you're trying to do

JMC31337

cos you've ****ed up the stack.. leave = mov esp, ebp .. pop ebp..

i really have the feeling you are way out of your depth in what you're trying to do

 

It's just something I came across...

#include <iostream>
#include <Windows.h>
#include <string.h>

int main(int argc, char* argv[])
{
    // eleven "\??\" prefixes in one wide string; never used
    WCHAR daPath[] = L"\\??\\??\\??\\??\\??\\??\\??\\??\\??\\??\\??\\";
    return 0;
}

puts a different program space on the stack...

CPU Stack
Address   Value      ASCII Comments
0022F9E0  /00000001  ...
0022F9E4  |0022FA04  ".
0022F9E8  |003F0CE6  .?.   ; KDCOM.<ModuleEntryPoint>
0022F9EC  |000081F4  ..
0022F9F0  |0022FA10  ".
0022F9F4  \7C90118A  |    ; RETURN to ntdll.7C90118A

whereas when I choose one less UNC path:

WCHAR daPath[] = L"\\??\\??\\??\\??\\??\\??\\??\\??\\??\\??\\";

my program space is:

CPU Stack
Address   Value      ASCII Comments
0022FFE4   7C839AB0  |
0022FFE8   7C817778  xw|
0022FFEC   00000000  ....
0022FFF0   00000000  ....
0022FFF4   00000000  ....
0022FFF8   00401220   @.  ; ZDriverList.<ModuleEntryPoint>
0022FFFC   00000000  ....

EDIT:

Figured this out in http://forum.tuts4you.com/topic/34169-dev-c-4992/

Maybe load the vmware driver with SCManager and no reg keys... worst comes to worst, it may end up as an "admin" privs portable VMware idea... since those privs are usually necessary to load RegKeys in the controlset hive.

JMC31337

So I'm trying again with workstation 4.3.5 and/or vmplayer 1 ...

These early-stage variants have less crap installed too...
