If a malicious software gets into a virtual machine, what is the most information of the actual machine it can obtain?

Paddy
  • https://serverfault.com/questions/72623/is-it-possible-to-find-information-about-host-machine-from-inside-virtual-machin – nobody Jul 31 '20 at 07:51

2 Answers

Ideally, the virtual guest is not able to see anything from the host. But the world is not ideal. Here we go back to the discussion of Joanna Rutkowska. She developed a technique to test if you are living in a virtual environment. It was called the "red pill".

Joanna just provided a proof-of-concept, which you can see at https://stackoverflow.com/questions/46267618/red-pill-detect-virtualization . It, however, does not mean that you can just read (or even write!) all sorts of host data.

Some virtualization techniques explicitly provide some information to their virtual machines. If you are running Windows as a Hyper-V client, you can see in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters that you are a guest. If you use Vagrant, you will see a directory vagrant somewhere. This directory may also be available to your malware.

And there is always the possibility that a form of malicious software has made a new discovery of how to access the host from a guest. We may think that is not likely, but we also thought that of processor microcode.

Ljm Dullaart
  • AWS exposes a lot of information to any process asking for it, which, with the proper analysis, will show that it is a VM in AWS. – Carlos Garcia Aug 01 '20 at 18:51

With default options in many cases you can at least see the CPU manufacturer, sometimes the exact CPU model. You can also make some assumptions about CPU speed and the amount of RAM. The GPU, while not being passed through directly, can still be fingerprinted. Maybe also some info on the network when it is bridged/NATed. If the malware can break out of the VM by bugs in the virtualization software, side channels like CPU bugs, Rowhammer, ..., it can of course do a lot more.
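As an added example (not code from either answer), a short Python audit that checks, from the guest's side, the indicators both answers mention: the HKLM Hyper-V guest key named above, the CPU vendor, model and "hypervisor" flag from /proc/cpuinfo, and a Vagrant synced folder. The Vagrant paths, the function names and the sample cpuinfo text are assumptions.

```python
from pathlib import Path
import sys

HYPERV_GUEST_KEY = r"SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters"  # key from the answer
VAGRANT_DIRS = ("/vagrant", r"C:\vagrant")  # assumed default synced-folder locations

def parse_cpuinfo(text):
    """Pull vendor, model name and the 'hypervisor' flag out of /proc/cpuinfo text."""
    info = {"vendor": None, "model": None, "hypervisor_flag": False}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "vendor_id" and info["vendor"] is None:
            info["vendor"] = value
        elif key == "model name" and info["model"] is None:
            info["model"] = value
        elif key == "flags" and "hypervisor" in value.split():
            info["hypervisor_flag"] = True  # CPUID hypervisor-present bit is visible to the guest
    return info

def hyperv_guest_parameters():
    """Read the Hyper-V guest parameter values on Windows; {} elsewhere or if the key is absent."""
    if sys.platform != "win32":
        return {}
    import winreg
    params = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HYPERV_GUEST_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                name, value, _ = winreg.EnumValue(key, i)
                params[name] = value
    except OSError:
        pass  # not a Hyper-V guest, or integration services not installed
    return params

def summarize(cpu, hyperv_params, vagrant_dirs):
    """One finding per item the guest can learn about its host or hypervisor."""
    findings = [f"CPU {k} exposed: {cpu[k]}" for k in ("vendor", "model") if cpu[k]]
    if cpu["hypervisor_flag"]:
        findings.append("cpuinfo 'hypervisor' flag set: guest knows it is virtualized")
    findings += [f"Hyper-V guest parameter {n} = {v!r}" for n, v in sorted(hyperv_params.items())]
    findings += [f"Vagrant synced folder present: {d}" for d in vagrant_dirs]
    return findings

def collect_live_report():
    """Run all probes against the machine this script executes on."""
    text = Path("/proc/cpuinfo").read_text() if Path("/proc/cpuinfo").exists() else ""
    present = [d for d in VAGRANT_DIRS if Path(d).is_dir()]
    return summarize(parse_cpuinfo(text), hyperv_guest_parameters(), present)
```

Calling collect_live_report() inside a guest lists what any unprivileged process there can already learn; comparing that list against what the workload actually needs is the starting point for deciding which details the hypervisor configuration should mask.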