THM-Hosted Hypervisors-Writeup
Learn about Hosted Hypervisors, how to investigate them, and more.
Find This Room: Hosted Hypervisors
Task2 Environment & Setup
For the following learning tasks in this room, we will use a VM to aid in your learning. Start the attached machine in this task by clicking the Start Machine
button. A split-screen view of the VM will appear. In case the VM is not visible, use the blue Show Split View button at the top of the page.
Alternatively, you can use RDP to access the VM for this room with the following credentials:
Task3 Networking & Memory Investigations
Q1: What is the PID of the process vmware.exe on the memory dump: memdump.mem?
Open CMD, change into the Volatility 3 folder on the Desktop and list the processes in the dump:
cd C:\Users\Administrator\Desktop\Volatility3
python vol.py -f {path to memdump.mem} windows.pslist
A VMware host runs several vmware-* processes (vmware.exe is the Workstation GUI; every powered-on VM has its own vmware-vmx.exe worker, and services such as vmware-authd.exe and vmware-hostd.exe run in the background), so take the PID from the row whose ImageFileName is exactly vmware.exe rather than the first row containing "vmware".
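Volatility 3 prints windows.pslist as tab-separated columns, and because a VMware host carries several vmware-* processes, a loose text match picks up the wrong one. The helper below is an added example (not part of the room or of Volatility) that parses that output and matches ImageFileName exactly, allowing for the 15-character truncation Volatility inherits from EPROCESS.ImageFileName; the pslist text it runs on is constructed for this example, with made-up PIDs, offsets and times.

```python
"""Locate a process by exact image name in Volatility 3 windows.pslist output."""

# Constructed sample of `python vol.py -f memdump.mem windows.pslist` output.
# Volatility 3 prints tab-separated columns; PIDs, offsets and times are made up.
SAMPLE_PSLIST = (
    "Volatility 3 Framework 2.7.0\n"
    "Progress:  100.00\t\tPDB scanning finished\n"
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64"
    "\tCreateTime\tExitTime\tFile output\n"
    "\n"
    "4\t0\tSystem\t0xe0009bab5040\t100\t-\tN/A\tFalse\t2024-08-22 23:38:01.000000 \tN/A\tDisabled\n"
    "2284\t656\tvmware-authd.ex\t0xe0009c1a2080\t9\t-\t0\tFalse\t2024-08-22 23:40:12.000000 \tN/A\tDisabled\n"
    "5120\t4012\tvmware.exe\t0xe0009d44b080\t31\t-\t1\tFalse\t2024-08-22 23:45:30.000000 \tN/A\tDisabled\n"
    "5388\t5120\tvmware-vmx.exe\t0xe0009d5c3080\t24\t-\t1\tFalse\t2024-08-22 23:45:33.000000 \tN/A\tDisabled\n"
)

# EPROCESS.ImageFileName holds only 15 characters, so pslist shows longer names
# truncated (e.g. "vmware-authd.ex"); compare against the same truncation.
EPROCESS_NAME_LEN = 15


def parse_pslist(output):
    """Return one dict per process row, keyed by the pslist column headers."""
    header, rows = None, []
    for line in output.splitlines():
        cells = line.split("\t")
        if header is None:
            if cells[0] == "PID":        # banner and progress lines precede the header
                header = cells
            continue
        if len(cells) == len(header):    # skip blank lines and anything malformed
            rows.append(dict(zip(header, cells)))
    return rows


def find_pids(output, image_name):
    """PIDs whose ImageFileName equals image_name (case-insensitive, 15-char aware)."""
    want = image_name[:EPROCESS_NAME_LEN].lower()
    return [int(r["PID"]) for r in parse_pslist(output)
            if r["ImageFileName"].lower() == want]


def children_of(output, pid):
    """PIDs whose parent is pid, e.g. the vmware-vmx.exe worker behind a powered-on VM."""
    return [int(r["PID"]) for r in parse_pslist(output) if int(r["PPID"]) == pid]


def vmware_processes(output):
    """(PID, name) for every VMware component in the dump, for a quick inventory."""
    return [(int(r["PID"]), r["ImageFileName"]) for r in parse_pslist(output)
            if r["ImageFileName"].lower().startswith("vmware")]


if __name__ == "__main__":
    print("vmware.exe PID(s):", find_pids(SAMPLE_PSLIST, "vmware.exe"))
    for pid in find_pids(SAMPLE_PSLIST, "vmware.exe"):
        print("  children of", pid, "->", children_of(SAMPLE_PSLIST, pid))
    print("VMware inventory:", vmware_processes(SAMPLE_PSLIST))
```

On the real dump, pipe the pslist output into a file and pass that text to find_pids; the same parser works for windows.psscan, whose first columns are laid out the same way.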
Task4 VirtualBox Investigations
VirtualBox Memory Dump
Finally, we may want to create a memory dump of a VM in VirtualBox; for that we can use VBoxManage. Open cmd.exe, navigate to C:\Program Files\Oracle\VirtualBox, and run the VBoxManage tool with the following syntax.
Note: Volatility2 is not installed on the VM. The below is just an example.
VBoxManage.exe debugvm {name of the vm} dumpvmcore --filename={output file name}
dumpvmcore writes an ELF64 core file rather than a raw memory image, so we then need Volatility 2: its imagecopy plugin, which has no Volatility 3 equivalent, converts the core dump into a raw memory dump with the following command:
python vol.py -f {output file name} imagecopy -O {new output file name}
This will create a memory dump of the machine for us to investigate the internal memory of it.
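Before spending time on the Volatility 2 conversion it is worth confirming that the dumpvmcore output is a complete ELF core: the guest's physical memory lives in its PT_LOAD segments, and an interrupted dump leaves segments that point past the end of the file. The script below is an added example (not part of the room or of VirtualBox's tooling) that parses the standard ELF64 headers, reports the load segments and total guest RAM, and rejects truncated files. The core it runs on is constructed in the block; a real dump normally has several PT_LOAD segments, one per guest RAM region.

```python
"""Sanity-check a VBoxManage dumpvmcore output before converting it with Volatility 2."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_CORE, EM_X86_64 = 4, 62
PT_LOAD, PT_NOTE = 1, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes


def core_summary(data):
    """Parse the ELF64 headers of a core file and describe its memory segments."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        return {"ok": False, "reason": "not a little-endian ELF64 file"}
    fields = EHDR.unpack_from(data)
    e_type, e_machine, e_phoff, e_phentsize, e_phnum = (
        fields[1], fields[2], fields[5], fields[9], fields[10])
    if e_type != ET_CORE:
        return {"ok": False, "reason": "e_type %d is not ET_CORE" % e_type}
    loads, notes = [], 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(data):
            return {"ok": False, "reason": "program header table is truncated"}
        p_type, _, p_offset, _, p_paddr, p_filesz, p_memsz, _ = PHDR.unpack_from(data, off)
        if p_type == PT_LOAD:
            if p_offset + p_filesz > len(data):   # interrupted dump: RAM bytes missing
                return {"ok": False,
                        "reason": "PT_LOAD at paddr 0x%x extends past end of file" % p_paddr}
            loads.append((p_paddr, p_memsz))
        elif p_type == PT_NOTE:
            notes += 1
    return {"ok": True, "machine": e_machine, "load_segments": loads,
            "note_segments": notes, "guest_ram_bytes": sum(m for _, m in loads)}


def build_sample_core(ram_size=0x100000):
    """Constructed minimal ELF64 core (one note, one 1 MiB RAM segment); not a real VirtualBox dump."""
    phnum = 2
    table_end = EHDR.size + phnum * PHDR.size
    note = b"\x00" * 16                                  # placeholder note payload
    ident = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9    # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, ET_CORE, EM_X86_64, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    note_ph = PHDR.pack(PT_NOTE, 0, table_end, 0, 0, len(note), 0, 1)
    load_ph = PHDR.pack(PT_LOAD, 0, table_end + len(note), 0, 0, ram_size, ram_size, 0x1000)
    return ehdr + note_ph + load_ph + note + b"\x00" * ram_size


if __name__ == "__main__":
    print(core_summary(build_sample_core()))
    print(core_summary(build_sample_core()[:-4096]))   # simulate an interrupted dump
```

Run core_summary over the bytes of the dumpvmcore output file; the guest_ram_bytes figure should match the RAM assigned to the VM, and the raw image imagecopy produces will be at least that large.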
Note: It's also worth mentioning that you can inspect snapshots in the default directory C:\Users\user01\VirtualBox VMs\secretvm\Snapshots. Also, the virtual disk used by the VM can be found in the VM directory; while examining it is not strictly a hypervisor investigation, it can be helpful.
Task5 Vmware Workstation Investigations
Now, let’s take a look at how we can investigate when dealing with a VMware workstation Hypervisor.
VMware Workstation is also a Hypervisor, similar to VirtualBox. We can use it to create and manage virtual machines, each operating as a separate computer with its own operating system and applications.
We can retrieve settings and configuration information in C:\ProgramData\VMware\VMware Workstation. We’ll usually find 3 files:
Note: The directory C:\ProgramData is hidden by default in Windows.
Let’s explore the content of vmautostart.xml, which is displayed below.
<!--
This is a sample configuration file for the Virtual Machine Autostart
functionality. You may uncomment the below section and specify the path to
the vmx files of those Virtual Machine which you want to automatically
power-on when the host machine starts or whenever the "VMware Autostart
Service" is started.
-->
<ConfigRoot>
<AutoStartOrder>
<!-- e id="0">
<vmxpath>C:\Users\Administrator\Documents\Virtual Machines\Windows10x64\Windows10x64.vmx</vmxpath>
<startOrder>0</startOrder>
</e>
<e id="1">
<vmxpath>C:\Users\Administrator\Documents\Virtual Machines\VM2\VM2.vmx</vmxpath>
<startOrder>0</startOrder>
</e -->
</AutoStartOrder>
</ConfigRoot>
In the above output, we can observe relevant information such as the vmxpath filesystem path, where a VMware Workstation virtual machine's files, including the .vmx configuration and the .vmdk virtual disks, are stored. Note that in this sample both <e> entries sit inside an XML comment, so neither VM actually autostarts, but the paths still tell us which VMs existed on the host. Specific logs for each VM (vmware.log, plus the rotated vmware-0.log, vmware-1.log and so on) can be found in the virtual machine's own directory, in this case: C:\Users\Administrator\Documents\Virtual Machines\{name of the vm}
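Because the entries in vmautostart.xml are commonly left commented out, as in the file above, a plain XML parse reports no VMs at all and the paths are lost. The script below is an added example (not the room's own material) that walks the XML tree for active entries and additionally scans XML comments for vmxpath tags, then derives the files an investigator would collect from each VM directory; the XML it parses is a constructed copy of the sample above, and the file-name patterns for disks, memory and snapshot files are the standard Workstation extensions.

```python
"""Pull VM paths out of vmautostart.xml, including entries that are commented out."""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the vmautostart.xml shown above. Both <e> entries sit inside
# one XML comment, so a plain XML parse reports no autostart VMs at all.
VMAUTOSTART_XML = r"""<!--
This is a sample configuration file for the Virtual Machine Autostart
functionality. You may uncomment the below section and specify the path to
the vmx files of those Virtual Machine which you want to automatically
power-on when the host machine starts or whenever the "VMware Autostart
Service" is started.
-->
<ConfigRoot>
<AutoStartOrder>
<!-- e id="0">
<vmxpath>C:\Users\Administrator\Documents\Virtual Machines\Windows10x64\Windows10x64.vmx</vmxpath>
<startOrder>0</startOrder>
</e>
<e id="1">
<vmxpath>C:\Users\Administrator\Documents\Virtual Machines\VM2\VM2.vmx</vmxpath>
<startOrder>0</startOrder>
</e -->
</AutoStartOrder>
</ConfigRoot>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
VMXPATH_RE = re.compile(r"<vmxpath>(.*?)</vmxpath>", re.S)


def autostart_entries(xml_text):
    """Return [(vmx_path, active)]: live entries from the XML tree, disabled ones from comments."""
    root = ET.fromstring(xml_text)
    entries = [(e.findtext("vmxpath").strip(), True)
               for e in root.iter("e") if e.findtext("vmxpath")]
    for comment in COMMENT_RE.findall(xml_text):       # commented-out entries are still evidence
        entries += [(p.strip(), False) for p in VMXPATH_RE.findall(comment)]
    return entries


def vm_artifacts(vmx_path):
    """Files worth collecting from the VM directory that a vmxpath points at."""
    vm_dir, vmx_name = vmx_path.rsplit("\\", 1)
    stem = vmx_name[:-4] if vmx_name.lower().endswith(".vmx") else vmx_name
    return {
        "directory": vm_dir,
        "config": vmx_path,                          # .vmx settings (hardware, disks, networking)
        "log": vm_dir + r"\vmware.log",              # per-VM runtime log
        "disks": vm_dir + "\\" + stem + "*.vmdk",    # virtual disk(s), possibly split into parts
        "memory": vm_dir + r"\*.vmem",               # guest RAM as a raw image
        "snapshots": vm_dir + r"\*.vmsn",            # snapshot state files
        "suspend": vm_dir + r"\*.vmss",              # suspended-state files
    }


if __name__ == "__main__":
    for path, active in autostart_entries(VMAUTOSTART_XML):
        print("active" if active else "commented out", path)
        print("   collect:", vm_artifacts(path))
```

Point autostart_entries at the text of C:\ProgramData\VMware\VMware Workstation\vmautostart.xml on the host; every path it returns, active or not, is a VM directory to visit for the .vmx, vmware.log and disk files.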
VMware Workstation Logs
We can find the Workstation installation logs in Windows in the following location: C:\ProgramData\VMware\logs. The file name starts with the logging component, vmmsi.log (the Windows Installer log written when VMware Workstation is installed, upgraded or removed), followed by the date and time, for example vmmsi.log_20240822_234016. Below, we can find an example of the log file.
=== Verbose logging started: 8/22/2024 23:38:24 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Users\Administrator\Downloads\VMware-workstation-17.5.2-23775571.exe ===
MSI (c) (CC:40) [23:38:24:407]: Font created. Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg
MSI (c) (CC:40) [23:38:24:407]: Font created. Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg
MSI (c) (CC:B0) [23:38:24:423]: Resetting cached policy values
MSI (c) (CC:B0) [23:38:24:423]: Machine policy value 'Debug' is 0
MSI (c) (CC:B0) [23:38:24:423]: ******* RunEngine:
******* Product: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi
******* Action:
******* CommandLine: **********
MSI (c) (CC:B0) [23:38:24:423]: Machine policy value 'DisableUserInstalls' is 0
MSI (c) (CC:B0) [23:38:24:423]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (c) (CC:B0) [23:38:24:423]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi' against software restriction policy
MSI (c) (CC:B0) [23:38:24:423]: SOFTWARE RESTRICTION POLICY: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi has a digital signature
MSI (c) (CC:B0) [23:38:25:095]: SOFTWARE RESTRICTION POLICY: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi is permitted to run at the 'unrestricted' authorization level.
MSI (c) (CC:B0) [23:38:25:095]: Cloaking enabled.
MSI (c) (CC:B0) [23:38:25:095]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (CC:B0) [23:38:25:095]: End dialog not enabled
MSI (c) (CC:B0) [23:38:25:095]: Original package ==> C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi
MSI (c) (CC:B0) [23:38:25:095]: Package we're running from ==> C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi
MSI (c) (CC:B0) [23:38:25:142]: APPCOMPAT: Compatibility mode property overrides found.
MSI (c) (CC:B0) [23:38:25:158]: APPCOMPAT: looking for appcompat database entry with ProductCode '{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}'.
MSI (c) (CC:B0) [23:38:25:158]: APPCOMPAT: no matching ProductCode found in database.
MSI (c) (CC:B0) [23:38:25:173]: MSCOREE not loaded loading copy from system32
Above we can see the installer log: the first line records when the installer ran and which binary launched it (VMware-workstation-17.5.2-23775571.exe), and the following lines show the cached MSI package being verified against software restriction policy and allowed to run. This is the place to establish when and how the hypervisor was installed or modified on the host. Runtime problems with a VM, such as crashes or strange behaviour that might point to an attacker's exploit, are recorded instead in the per-VM vmware.log inside the VM's directory.
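Windows Installer logs carry a time only on each line, with the date only in the session header, and wrap multi-line messages onto continuation lines, so a grep across the file loses context. The parser below is an added example (not part of the room or of VMware's tooling) that turns a vmmsi.log into timeline entries with full timestamps, collects the MSI product codes that appear, and extracts the software restriction policy decision for each package; it runs on a constructed excerpt modelled on the log above, and assumes the US-style m/d/Y date the header in that log uses.

```python
"""Turn a vmmsi.log (Windows Installer verbose log) into timeline entries."""
import re
from datetime import datetime

# Constructed excerpt in the format of vmmsi.log_20240822_234016; the header's date
# is US-style m/d/Y, as Windows Installer wrote it in the sample above.
SAMPLE_VMMSI_LOG = r"""=== Verbose logging started: 8/22/2024 23:38:24 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Users\Administrator\Downloads\VMware-workstation-17.5.2-23775571.exe ===
MSI (c) (CC:40) [23:38:24:407]: Font created. Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg
MSI (c) (CC:B0) [23:38:24:423]: Resetting cached policy values
MSI (c) (CC:B0) [23:38:24:423]: ******* RunEngine:
******* Product: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi
******* Action:
******* CommandLine: **********
MSI (c) (CC:B0) [23:38:24:423]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi' against software restriction policy
MSI (c) (CC:B0) [23:38:24:423]: SOFTWARE RESTRICTION POLICY: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi has a digital signature
MSI (c) (CC:B0) [23:38:25:095]: SOFTWARE RESTRICTION POLICY: C:\Program Files (x86)\Common Files\VMware\InstallerCache\{CA8F10D6-31EC-42F4-A94E-0061A5D183D1}.msi is permitted to run at the 'unrestricted' authorization level.
"""

HEADER_RE = re.compile(r"^=== Verbose logging started: (?P<date>\S+) (?P<time>\S+) "
                       r"Build type: (?P<build>.+?) Calling process: (?P<proc>.+?) ===$")
# "(c)" = client side (the installer process), "(s)" = server side (the msiexec service);
# the hex pair is process:thread, followed by wall-clock time to the millisecond.
LINE_RE = re.compile(r"^MSI \((?P<side>[cs])\) \((?P<pid>[0-9A-Fa-f]+):(?P<tid>[0-9A-Fa-f]+)\) "
                     r"\[(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\]: (?P<msg>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SRP_RE = re.compile(r"SOFTWARE RESTRICTION POLICY: (?P<pkg>.+?) is permitted to run at the "
                    r"'(?P<level>\w+)' authorization level")


def parse_msi_log(text):
    """Return session metadata plus a list of timestamped events (continuation lines merged)."""
    session = {"started": None, "build": None, "calling_process": None, "events": []}
    day = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            session["started"] = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
            day = session["started"].date()
            session["build"], session["calling_process"] = m["build"], m["proc"]
            continue
        m = LINE_RE.match(line)
        if m:
            clock = datetime.strptime(m["ts"], "%H:%M:%S:%f").time()
            session["events"].append({
                "side": m["side"], "pid": int(m["pid"], 16), "tid": int(m["tid"], 16),
                "when": datetime.combine(day, clock) if day else None,  # midnight rollover not handled
                "msg": m["msg"]})
        elif session["events"]:
            session["events"][-1]["msg"] += "\n" + line   # continuation line, e.g. "******* Product: ..."
    return session


def product_codes(session):
    """Sorted MSI product GUIDs mentioned anywhere in the log."""
    codes = set()
    for ev in session["events"]:
        codes.update(GUID_RE.findall(ev["msg"]))
    return sorted(codes)


def srp_decisions(session):
    """(package path, authorization level) for every software restriction policy verdict."""
    out = []
    for ev in session["events"]:
        m = SRP_RE.search(ev["msg"])
        if m:
            out.append((m["pkg"], m["level"]))
    return out


if __name__ == "__main__":
    s = parse_msi_log(SAMPLE_VMMSI_LOG)
    print(s["started"], "launched by", s["calling_process"])
    print("products:", product_codes(s))
    print("SRP:", srp_decisions(s))
```

Feed each vmmsi.log_* file from C:\ProgramData\VMware\logs through parse_msi_log and sort the "started" values to build the install, upgrade and removal history of the hypervisor on the host.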
VMware VM Memory Dump
Finally, if we want a memory dump of a VM on VMware Workstation, we first take a snapshot of the VM (or suspend it). Workstation then writes the VM's memory to a .vmem file next to the snapshot (.vmsn) or suspend (.vmss) file, and we can convert that pair into a crash-dump format with the vmss2core tool. The following command takes the state file and its matching .vmem as input and writes a Windows memory.dmp (the -W switch) in the current directory:
vmss2core -W {snapshot.vmsn or suspend.vmss} {matching .vmem file}
The .vmem file itself is a raw physical memory image, so Volatility can also be pointed at it directly without any conversion.
Task6 Practical
Use what we learned in the previous tasks and answer the questions by accessing the VM for this room. There's a memory dump, exercise.mem, alongside the necessary files in C:\Users\Administrator\Desktop.
In this room, we learned the basics of hypervisor investigation. We identified how to spot VM traffic on the host and extract valuable information from logs, and we practised this in a scenario that required navigating the host machine and the hypervisor to answer the questions.