

DLL injection tool to unlock guest VMs - alter8
http://www.secforce.com/blog/2012/11/vminjector/

======
rwmj
Why don't they just edit the password directly in the disk image (like this:
[http://libguestfs.org/virt-edit.1.html#non-interactive-editi...](http://libguestfs.org/virt-edit.1.html#non-interactive-editing) )?

I wrote a neat little tool called virt-dmesg which reads rather than writes
kernel memory in VMs in order to pull out things like the kernel messages
(dmesg): <http://people.redhat.com/~rjones/virt-dmesg/>

Also, since when is "Ubuntu" synonymous with Linux?

~~~
eldondev
I think this is for engagements where they may not want to stop/reboot the
virtual machine. This tool claims to patch memory directly, so a running VM
would be the target. Perhaps the VM they want to connect to has some existing
connections of some sort that they don't want to break, or alerting that would
happen if it were restarted, or unlocked keys in memory (think ssh agents).
One of the first things virt-edit says is "You must not use virt-edit on live
virtual machines."
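The in-memory approach eldondev describes, reduced to its core, as an added illustration (this is not VMInjector's code, and nothing on this page documents how that tool locates or patches the guest): find the authentication routine in the guest's RAM by a byte signature, overwrite its entry so it reports success, and keep the original bytes so the change can be undone at the end of the engagement. The signature, the patch bytes and the "guest memory" buffer are all constructed for the example; reading and writing the real guest's pages through the hypervisor process (the part that needs the host-level access discussed below) is assumed and not shown.

```python
"""Signature-scan-and-patch of an auth routine in a guest memory image.

Added example, not VMInjector's code. Everything below is constructed:
the x86-64 prologue used as a signature, the patch bytes, and the byte
buffer standing in for guest RAM. Obtaining real guest memory from the
hypervisor process is assumed and out of scope here.
"""
import re


class PatchError(RuntimeError):
    """Raised when the signature is absent or ambiguous."""


def compile_signature(pattern: str) -> re.Pattern:
    """Turn an IDA-style byte pattern ("55 48 89 E5 ?? ?? EC 40") into a
    regex over bytes. '??' is a wildcard that matches any single byte, which
    is how you skip relative offsets that differ between builds."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(mem: bytes, pattern: str) -> list[int]:
    """Return every offset at which the pattern occurs in mem."""
    return [m.start() for m in compile_signature(pattern).finditer(mem)]


def patch_auth(mem: bytearray, pattern: str, patch: bytes) -> tuple[int, bytes]:
    """Locate the routine by signature and overwrite its entry with patch.

    Refuses to act unless the signature is unique: writing a stub into the
    wrong function of a live guest crashes a daemon or the kernel, which is
    exactly the noise this approach is meant to avoid. Returns the offset
    and the original bytes so the caller can restore them afterwards."""
    hits = find_signature(bytes(mem), pattern)
    if len(hits) != 1:
        raise PatchError(f"expected exactly one match, found {len(hits)}")
    off = hits[0]
    saved = bytes(mem[off:off + len(patch)])
    mem[off:off + len(patch)] = patch
    return off, saved


def restore(mem: bytearray, offset: int, saved: bytes) -> None:
    """Undo patch_auth: put the original bytes back."""
    mem[offset:offset + len(saved)] = saved


# Constructed signature for a hypothetical password-check routine:
# push rbp; mov rbp,rsp; sub rsp,0x40; mov [rbp-?],rdi; mov [rbp-?],rsi
AUTH_PROLOGUE = "55 48 89 E5 48 83 EC 40 48 89 7D ?? 48 89 75 ??"

# mov eax,1 ; ret  -> the routine now returns "authenticated" unconditionally
PATCH = bytes.fromhex("b8 01 00 00 00 c3")


def build_sample_memory() -> bytearray:
    """Constructed stand-in for guest RAM: NOP filler, one copy of the
    hypothetical routine, INT3 padding, then zeros (96 bytes in total)."""
    routine = bytes.fromhex("55 48 89 e5 48 83 ec 40 48 89 7d c8 48 89 75 c0")
    return bytearray(b"\x90" * 32 + routine + b"\xcc" * 16 + b"\x00" * 32)


if __name__ == "__main__":
    ram = build_sample_memory()
    off, original = patch_auth(ram, AUTH_PROLOGUE, PATCH)
    print(f"patched auth routine at offset {off:#x}, saved {original.hex()}")
    restore(ram, off, original)
    print("restored:", ram == build_sample_memory())
```

The uniqueness check is the part worth copying: a prologue like the one above is common to many functions, so a real signature has to be long enough (or anchored on nearby constants or strings) that it matches once, and the tool should refuse rather than guess. Restoring the saved bytes before disengaging matters too, since a guest left with a permanently open authentication routine is a finding against the tester, not the target.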

------
gnu8
Remembering the "evil" discussion from not too long ago, these two statements
are not compatible:

"This tool is for legal purposes only. The code is released under GPLv3
license."

~~~
gvb
I beg to differ (IANAL however). "Legal" is a legally defined term. It varies
from country to country and may vary within a country and changes from time to
time due to legislation and court actions, but _it is defined_ for a given
place and a given time.

"Evil" has no legal definition.

~~~
jahewson
I think the point was that the GPL does not allow restrictions on fields of
endeavour, and "legal purposes only" is such a restriction. Although GPLv3
restricts DRM.

~~~
asdfaoeu
I think he intended to reply to the other comment comparing this to the evil
issue. "This tool is for legal purposes" doesn't restrict the use of the
software (any legal use of the software is still legal, illegal uses are now
just illegal in more than one way). The purpose of it is to indemnify the author
against claims when the software is used for illegal purposes. Whether it
actually makes any difference (it's implied anyway) is another question.

~~~
jahewson
You've taken the quote out of context, what he actually says is "This tool is
for legal purposes _only_ ". That's quite clearly intended as a restriction on
its use. The problem being that if the user does something illegal in a very
minor way then he's opened himself up to a potentially large copyright suit
because he's violated the license.

The point of the GPL is to stop the copyright holder from dictating what you
can and can't do via the threat of a copyright suit. Extra clauses like this
go against both the letter and the spirit of the GPL.

Either his extra clause is nullified by the GPL, in which case he's only
created the illusion of legal indemnity for himself, or his extra clause is
accepted, and the GPL is rejected, in which case he loses all of the
important legal protections such as the warranty disclaimer. Either way his
attempt to protect himself has failed.

------
btbuilder
I'm not sure why a penetration tester would bother to run this against a VM
when they had already obtained a privilege level that allows memory
modification of the hypervisor process. That level of access is already the
equivalent of physical access.

~~~
shabble
Surely a tool like this is exactly how you translate that 'physical access'
into a useful result within the target VM? If that VM is handling the data
you're tasked with stealing, bypassing auth and getting a root-shell
equivalent which you can use to exfiltrate is probably just as or more useful
than taking a memory image at the hypervisor.

The "It's all over when they have physical access" idea always seemed to me
like "Once the thief steals your safe, they can probably get it open
eventually", but they still _do_ need to get it open. Yes, you might succeed
_eventually_ with just a hand-drill and hacksaw, but a set of grinding tools
and cutting torch is going to make it much easier and faster.

~~~
btbuilder
I'm not sure that it's as tough as your analogy makes out. I'd say something
like "Once the thief notices the safe door is open they can probably take your
secrets out of it" :)

However, I agree that there are probably some cases where the secrets are in
memory rather than on the disk where this approach would be very useful.

The typical case though is reboot to alternative media or single user mode.

