In this talk we show how to profit from OS functions (e.g., ReadProcessMemory, WriteProcessMemory in Windows and ptrace in Linux) to inject code locally from a server that hosts virtual machines into one or several guest operating systems. We will explain the problems we had to solve to get this done, starting from the detection of services and running programs in the guest OS through the search of memory patterns and moving to the correct selection of memory portions were to inject the code so that it is executable, has the "system" permissions and is robust. We will exemplify this against VMWare and Virtual Box. We will close this address with the execution of a Core Impact module that detects all the guest virtual machines running in a server host and installs an agent in each detected OS.
Thursday, October 2, 2008