@Cypher: Hypervisor Rootkits

  1. #1 amadmonk (Active Member)

    @Cypher: Hypervisor Rootkits

    You mentioned this in a PM, and it got me curious enough to poke into it a bit. Interesting stuff...

    I think that if I can figure out how to do this (particularly the OS "hoisting"), it could be the Vista replacement for my old XP rootkit. Essentially this would be a class-break for Warden, since you'd be below the kernel. If I'm lucky, some malware writer has already posted code somewhere...

    There would be no detection from Warden unless they too jumped into the hypervisor (exceedingly unlikely as they haven't even been willing to go kernel). There are possibly countermeasures (although not detections, unless the coder was stupid). Also I'm not sure I fully understand paravirtualization; I don't think I'd want to even attempt the task of writing a full VM for Windows.

    So right now, it's just a (very) interesting long-term research project.

    http://www.eecs.umich.edu/virtual/papers/king06.pdf

    Our project, which is called SubVirt, shows how attackers can use virtual-machine technology to address the limitations of current malware and rootkits. We show how attackers can install a virtual-machine monitor (VMM) underneath an existing operating system and use that VMM to host arbitrary malicious software. The resulting malware, which we call a virtual-machine based rootkit (VMBR), exercises qualitatively more control than current malware, supports general-purpose functionality, yet can completely hide all its state and activity from intrusion detection systems running in the target operating system and applications.

  2. #2 lanman92 (Active Member)
    I, too, read up on this. I saw a nice-looking one called Blue Pill. I'm not sure if it's still up-to-date for x64 or Vista. It was just a very thin "wrapper" around Windows. There was some good documentation on the site.

  3. #3 amadmonk (Active Member)
    Sweet... I'll look for code too. If I am understanding it right, it should actually be superior to a kernel rootkit -- it's "below" the kernel, and will, even so, have less chance of BSOD'ing the box.

    Lemme know if you find it (PM or whatever). This looks like a very interesting anti-Warden technique (and anti-Punkbuster, and anti-well... everything).

  4. #4 Apoc (Angry Penguin)

  5. #5 lanman92 (Active Member)
    Thanks Apoc

  6. #6 amadmonk (Active Member)
    Originally Posted by Apoc:
    Lol. Can you tell I'm at work and didn't have time to google it?

    Thanks, Apoc.

  7. #7 lanman92 (Active Member)
    Has anyone ever seen anything where you can execute code in VMWare that will take effect in the guest OS? I'm assuming not, but it's worth a shot asking. I'll go google now...

  8. #8 amadmonk (Active Member)
    IIRC, there are some sort of backdoorish tricks you can do that will crash the guest OS (the emulated OS, that is).

    If you're talking the other way around, I don't think you can do that with closed-source type 2 hypervisors. Type 1 hypervisors should be able to do anything you can do normally (including having the host execute code in the guest), since it's essentially just another privilege level, sort of just a "super kernel" (oversimplification, but not completely off).

  9. #9 lanman92 (Active Member)
    Hm. I bet there's something that does it. I wish QEMU was a better emulator; I'd use that (by that I mean mod the hell out of it).

  10. #10 amadmonk (Active Member)
    Honestly, the easiest path is probably just to mod Wine a bit. It really doesn't take much work to make it detour all the important system APIs at (what looks to the app like) the kernel level. The only real problem with that approach is that you have to be fairly skilled at both Linux and Windows debugging and coding.

    Well... actually... the EASIEST method is probably just not to release your code. From what I've heard, if you're not public and you're not stupid, the odds are pretty high that you'll never get caught.
    Last edited by amadmonk; 05-22-2009 at 01:46 AM.

  11. #11 lanman92 (Active Member)
    This is true, but it's way more fun if you're subverting Windows' functions :P Gotta love smiting Microsoft.

  12. #12 Cypher (Kynox's Sister's Pimp)
    Warden runs in usermode, you can hook APIs at that level all you want and they can't ban you unless they have a binary they can hash. Kernelmode (and hence also a hypervisor) is overkill for a private project.

    Also, yes, Blue Pill, the original PoC hypervisor rootkit.
    Last edited by Cypher; 05-22-2009 at 02:41 AM.

  13. #13 F1n1st (Member)
    Oh, a HV rootkit will take so many resources to make. Right now there is a Warden in user mode, so it's OK to use a ring0 rootkit. Am I right?

  14. #14 Cypher (Kynox's Sister's Pimp)
    Originally Posted by F1n1st:
    Oh, a HV rootkit will take so many resources to make. Right now there is a Warden in user mode, so it's OK to use a ring0 rootkit. Am I right?
    Like I said, even that is overkill for a private project.

  15. #15 Greyman (Active Member)
    Cypher, there's nothing wrong with overkill: Most of us do what we do out of interest rather than necessity.

    Madmonk, what exactly are you wanting to achieve with a hypervisor rootkit? I think that's the first thing you want to establish. Hypervisors are not a magic wand you can simply wave at anti-cheat tech and make it go away, nor are they any more proof against BSODs than a kernel driver.

    For instance, it would be nontrivial (but still possible) to hide in-process shenanigans with such a beast, but something equal to say the Glider shadow driver would be relatively straightforward.

    If you have any specific questions or thoughts, feel free to post them in this thread and I'll do my best to respond. I have a reasonable amount of experience in this area.
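The first post and Greyman's reply both turn on whether a VMM sitting under the OS can be noticed from inside it. As an added example (not code from this thread or from any of the projects named in it), this C program shows the baseline user-mode heuristic an anti-cheat or EDR check starts from: the "hypervisor present" bit in CPUID leaf 1 and the vendor string in leaf 0x40000000. The `struct cpuid_view` layout and the function names are my own; the sample vendor string is the one KVM publishes, and the live read only compiles on x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* Snapshot of the two CPUID leaves a user-mode checker looks at (layout is mine). */
struct cpuid_view {
    uint32_t leaf1_ecx;  /* CPUID.1:ECX; bit 31 is the "hypervisor present" flag */
    char hv_vendor[13];  /* CPUID.0x40000000:EBX,ECX,EDX as ASCII, NUL-terminated */
};
/* 1 if the snapshot advertises a hypervisor, 0 if it looks like bare metal. */
int hypervisor_advertised(const struct cpuid_view *v)
{
    return (v->leaf1_ecx & (1u << 31)) != 0;
}
/* Vendor string from leaf 0x40000000, or "" when the flag is clear (the leaf is
   only defined once the flag is set, so its bytes are not trusted on their own). */
const char *hypervisor_vendor(const struct cpuid_view *v)
{
    return hypervisor_advertised(v) ? v->hv_vendor : "";
}

#if defined(__x86_64__) || defined(__i386__)
/* Fill the snapshot from the real CPU. Caveat: a VMM intercepts CPUID, so a
   stealthy one can clear the bit; a negative result is not proof of bare metal. */
int read_cpuid_view(struct cpuid_view *v)
{
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    v->leaf1_ecx = ecx;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(v->hv_vendor, &ebx, 4);
    memcpy(v->hv_vendor + 4, &ecx, 4);
    memcpy(v->hv_vendor + 8, &edx, 4);
    v->hv_vendor[12] = '\0';
    return 1;
}
#endif
int main(void)
{
    /* Constructed sample: what a guest sees under KVM when KVM advertises itself. */
    struct cpuid_view v = { 1u << 31, "KVMKVMKVM" };
#if defined(__x86_64__) || defined(__i386__)
    read_cpuid_view(&v);  /* replace the sample with what this machine reports */
#endif
    printf("hypervisor advertised: %d, vendor: \"%s\"\n",
           hypervisor_advertised(&v), hypervisor_vendor(&v));
    return 0;
}
```

A set bit is a reliable positive, but the comment on `read_cpuid_view` is the whole point of the thread: a VMM that owns the CPUID exit decides what the guest sees, so defenders treat a clear bit as "unknown" and fall back to timing and other side channels.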
