flat assembler
Message board for the users of flat assembler.

Index > Heap > Interesting use of Pacifica (rootkit)

Tomasz Grysztar
f0dder wrote:
Tomasz Grysztar wrote:
f0dder wrote:
I haven't read up enough on the VMX instructions, but can a VM running inside VMX set up a hypervisor itself? If not, that'd be a detection vector.

You can catch the tries of program running inside VM to use the VMX instructions, but then you probably have to emulate the VMX for it yourself.

Sounds like a MASSIVE undertaking Smile

I think not, really. It should be enough to set up structures for one more virtual machine - the "embedded" one - and on each VM exit that happens from the code inside the embedded machine, pass it on to the handler of the intermediate machine, just as if the hardware did it. Hypervisors written this way could then be embedded until they eat up all the memory. Smile

The more massive undertaking would be to successfully hide the hypervisor from software executing inside the virtual machine. The hypervisor would have to somehow mask out and protect the memory it uses - and since most of the time you know what amount of memory you should expect to be available, this might make it detectable this way. But perhaps it would be possible to hide it somehow in the read-only BIOS memory area? It may depend on how the BIOS is mapped/shadowed; I have no experience with the newest machines in this aspect - but I will check this out.

PS. Sorry for the late reply - when I had thought it up, I could not write it, and later I forgot... Smile
PS2. What makes me most concerned about those virtualization features is the possibility to use them for the so-called "trusted computing" (what an ironic term). I don't see this mentioned in VMX/SVM discussions, though - am I not right about it?
Post 24 Aug 2006, 19:01
f0dder
Well, you need to not only take care of the memory hiding, but also MSRs (including prettying-up the TSC) - if you want to be "perfect", anyway. Hiding in the BIOS area is a pretty interesting idea... it might be possible with some chipset-specific code.

And yes, you're right about the Fascist Computing, VMX is a part of that. Windows Vista is already taking some steps in that direction, by making it harder to run unsigned drivers even from an admin account...
Post 25 Aug 2006, 15:19
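The remark about "prettying-up the TSC" is the counter to the simplest detector there is: timing an instruction that always traps to the hypervisor. As an added example (not code from this thread or from any of the hypervisors it discusses), here is a user-mode C probe for x86-64 that runs two checks: the cooperative hypervisor-present bit in CPUID leaf 1, which a stealth hypervisor simply does not report, and the minimum RDTSC cost of CPUID over many rounds, which a hypervisor can only mask by rewinding its TSC offset on every exit. The 1000-cycle threshold and the function names are assumptions of this example, not values from the thread.

```c
/* Added example: two user-mode hypervisor probes (cooperative bit + timing).
 * Builds with gcc/clang on x86-64; on other targets the probes report
 * "unsupported" so the file still compiles. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#define HV_PROBE_SUPPORTED 1

static inline void cpuid_raw(uint32_t leaf, uint32_t *a, uint32_t *b,
                             uint32_t *c, uint32_t *d)
{
    __asm__ volatile("cpuid"
                     : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d)
                     : "a"(leaf), "c"(0));
}

static inline uint64_t rdtsc_raw(void)
{
    uint32_t lo, hi;
    /* Plain RDTSC, not serialising; good enough for a minimum-of-N heuristic. */
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* Cooperative check: CPUID.1:ECX[31] is reserved on real silicon and set by
 * hypervisors that want to be seen. A stealth hypervisor clears it, so a 0
 * here proves nothing. Returns 1 or 0 (-1 on unsupported targets). */
int hv_present_bit(void)
{
    uint32_t a, b, c, d;
    cpuid_raw(1, &a, &b, &c, &d);
    return (int)((c >> 31) & 1);
}

/* Timing check: CPUID is an unconditional VM exit on both VT-x and SVM, so a
 * round trip through a hypervisor costs far more than the native instruction.
 * Returns the minimum of `rounds` RDTSC deltas; the minimum is robust to
 * interrupts and scheduler noise that only ever make a sample slower. */
uint64_t cpuid_min_cycles(int rounds)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        uint32_t a, b, c, d;
        uint64_t t0 = rdtsc_raw();
        cpuid_raw(0, &a, &b, &c, &d);
        uint64_t t1 = rdtsc_raw();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
}
#else
#define HV_PROBE_SUPPORTED 0
int hv_present_bit(void) { return -1; }
uint64_t cpuid_min_cycles(int rounds) { (void)rounds; return 0; }
#endif

/* Assumed threshold: native CPUID costs on the order of 100-300 cycles, a
 * trip through a hypervisor typically well over 1000. This is a heuristic,
 * not proof: a hypervisor that rewinds its TSC offset on every exit pushes
 * the measurement back under the threshold. */
#define CPUID_VM_THRESHOLD 1000

int classify_cpuid_cycles(uint64_t cycles)
{
    return cycles >= CPUID_VM_THRESHOLD;
}

int main(void)
{
    if (!HV_PROBE_SUPPORTED) {
        puts("unsupported target");
        return 0;
    }
    uint64_t cyc = cpuid_min_cycles(256);
    printf("hypervisor bit: %d\n", hv_present_bit());
    printf("min CPUID cost: %llu cycles -> %s\n", (unsigned long long)cyc,
           classify_cpuid_cycles(cyc) ? "probably virtualised" : "looks native");
    return 0;
}
```

Compile with gcc -O2 and run on the machine under test. Read a high cycle count as evidence, not proof: a hypervisor that subtracts its own exit cost from the guest's TSC offset makes the minimum look native, which is exactly the TSC prettying referred to above, and a low count under a known hypervisor tells you that it does so.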
vid
about hiding in memory - you could virtualize that "missing" memory, no?
Post 25 Aug 2006, 16:12
Tomasz Grysztar
Yeah, I also thought about it - for example you could "emulate" the bad sectors on the hard drive and keep the swapped memory there. Wink
Post 25 Aug 2006, 16:16
vid
btw, how many bytes are we talking about? roughly...
Post 25 Aug 2006, 16:57
f0dder
You can fit a good deal of code in a single page of memory - and then some per-VM data structure. If we think a bit on the pessimistic side and overkill it, 16 KB would probably go pretty far.
Post 25 Aug 2006, 22:42
LocoDelAssembly
Post 09 Jul 2007, 17:32
vid
haha, of course they accept the challenge, if it gives them $200 per hour and no responsibility (in the worst case, their "will lost").

No, there is no chance that the hypervisor will properly hide itself. Just think about the memory used by the hypervisor: you must hide it from the system running in the virtual machine. Since there is no memory access virtualization support in current CPUs, you have to change the mapping table in the VM's memory. That means you should also hide these changes. To hide them, you must again modify the VM's mapping table, and remove the mapping of the pages used by the table from itself. And you must then be able to virtualize all access to this memory, and provide fake values. That means you must be able to emulate every instruction that can be used to access memory. For example someone may use RETN to access this memory. Or point the IDT to it and wait for a specific hardware interrupt. Or even point the GDT there, and then EVERY instruction that accesses any place in memory would have to be virtualized. Can you imagine how they would handle these cases?

Of course, if you don't know the code of the hypervisor, as they proposed, then your chance of guessing the proper detection method is smaller. But in the real world, people trying to write detectors will know how the hypervisor works, and its weaknesses.
Post 09 Jul 2007, 19:21
LocoDelAssembly
http://theinvisiblethings.blogspot.com/2007/08/virtualization-detection-vs-blue-pill.html

Quote:
On a side note: now I can also explain (if this is not clear already) how we were planning to beat our challengers. We would simply ask them to install Virtual Server 2005 R2 on all the test machines and we would install our New Blue Pill on just a few of them. Then their wonderful detectors would simply detect that all the machines have SVM mode enabled, but that would be a completely useless information. Yes, we still believe we would need a couple of months to get our proof-of-concept to the level we would be confident that we will win anyway (e.g. if they used memory scanning for some “signature”).

Smile
Post 21 Aug 2007, 04:12
vid
Loco: look at their sources and comments. There are plenty of places which, as they confess, are detectable, and would be hell to virtualize in a non-detectable way.

PS: I was wrong about virtualizing memory access in my last post; there is an easier way to do it.
Post 21 Aug 2007, 09:10
0x4e71
Seen these already?

Anyway, quite interesting:

Interview with Joanna Rutkowska:
http://www.securityfocus.com/columnists/451

Interview with Thomas Ptacek, Nate Lawson, Peter Ferrie (the other side)
http://www.securityfocus.com/columnists/452/
Post 06 Sep 2007, 20:42
HyperVista
Thanks for the links 0x4e71! Very cool.
Post 06 Sep 2007, 20:51
HyperVista
Here's an interesting and recent article on why VMMs can not be 100% undetectable. I can't imagine Joanna R. refuting this study.
Post 11 Oct 2007, 13:29
LocoDelAssembly
Thanks for posting it HyperVista. Pretty funny, the detector they mention in a footnote Laughing
Quote:
[Footnote 2] For example, native x86 CPUs block non-maskable interrupts (NMIs) after delivery of an NMI until execution of the IRET instruction, but VT hardware does not provide a corresponding “block NMIs” bit [7]. Similarly, native x86 CPUs hold off debug exceptions for a one-instruction window following MOV %SS instructions. AMD’s SVM provides no information about pending debug exceptions if an exit occurs in such a window [2]. We constructed a simple SVM detector based on this discrepancy in less than 100 lines of C and assembly.
Post 11 Oct 2007, 18:13
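The footnote's SVM detector is built from exactly that one-instruction window. As an added example, not the paper's code and not anything posted in this thread, the following user-mode C probe for x86-64 Linux reconstructs the idea: set TF, execute MOV SS so the pending single-step trap is held back by one instruction, and spend that one instruction on CPUID, which forces a VM exit. On bare hardware the trap is delivered right after CPUID; a hypervisor that loses the pending debug exception across the exit (the SVM behaviour the footnote describes) but leaves TF set delivers it one instruction later. The function and label names are this example's own, and the glibc register indices 16 and 17 are an assumed fallback used only if the REG_RIP/REG_EFL names are not visible.

```c
/* Added example: user-mode probe for the MOV SS debug-exception window.
 * x86-64 Linux only; other targets compile to an "unsupported" stub. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if defined(__x86_64__) && defined(__linux__)
#ifndef REG_RIP
#define REG_RIP 16   /* assumed glibc x86-64 gregs index for RIP */
#define REG_EFL 17   /* assumed glibc x86-64 gregs index for RFLAGS */
#endif

static volatile uintptr_t g_trap_rip;

/* SIGTRAP handler: record where the #DB landed and clear TF so the thread
 * stops single-stepping once the kernel restores this context. */
static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)sig; (void)si;
    g_trap_rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)0x100;
}

/* Returns 0 if the trap landed right after CPUID (native delivery),
 * 1 if it landed one instruction late (pending #DB lost across an exit),
 * -1 if no trap was observed, it landed elsewhere, or the target is
 * unsupported. */
int probe_mov_ss_window(void)
{
    struct sigaction sa, old;
    uintptr_t after_cpuid, after_marker;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    g_trap_rip = 0;
    __asm__ volatile(
        "lea 1f(%%rip), %0\n\t"        /* address the native trap reports    */
        "lea 2f(%%rip), %1\n\t"        /* address a late trap reports        */
        "lea -128(%%rsp), %%rsp\n\t"   /* step over the red zone before push */
        "mov %%ss, %%cx\n\t"
        "xor %%eax, %%eax\n\t"         /* CPUID leaf 0 */
        "pushfq\n\t"
        "orq $0x100, (%%rsp)\n\t"
        "popfq\n\t"                    /* TF set: trap due after next insn   */
        "mov %%cx, %%ss\n\t"           /* MOV SS defers it by one instruction*/
        "cpuid\n\t"                    /* VM exit inside the window          */
        "1: nop\n\t"
        "2: nop\n\t"
        "lea 128(%%rsp), %%rsp\n\t"
        : "=&r"(after_cpuid), "=&r"(after_marker)
        :
        : "rax", "rbx", "rcx", "rdx", "cc", "memory");

    sigaction(SIGTRAP, &old, NULL);

    if (g_trap_rip == after_cpuid)  return 0;
    if (g_trap_rip == after_marker) return 1;
    return -1;
}
#else
int probe_mov_ss_window(void) { return -1; }
#endif

int main(void)
{
    int r = probe_mov_ss_window();
    printf("MOV SS window probe: %s\n",
           r == 0 ? "trap delivered natively" :
           r == 1 ? "pending #DB lost across an exit (hypervisor?)" :
                    "inconclusive or unsupported");
    return 0;
}
```

A result of 1 is the discrepancy the footnote relies on; a result of 0 is not proof of bare metal, because VT-x records MOV SS blocking in its interruptibility state and current hypervisors on both vendors re-inject the single-step trap after emulating CPUID, so the trap lands where hardware would put it. The probe is therefore a test of one specific hypervisor weakness, which is the point vid makes above about detectors being written with knowledge of the hypervisor.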
vid
I must say I like Joanna's version of "undetectable", which means "undetectable by usual means of detection without user intervention in a very short amount of time". But yeah, "undetectable" makes better headlines....
Post 11 Oct 2007, 19:58
rob.rice
This will be in the next update for Windows by request of the Department of Homeland Security
Post 05 Dec 2007, 10:31
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.