@Cypher: Hypervisor Rootkits

[amadmonk]

You mentioned this in a PM, and it got me curious enough to poke into it a bit. Interesting stuff...

I think that if I can figure out how to do this (particularly the OS "hoisting"), it could be the Vista replacement for my old XP rootkit. Essentially this would be a class-break for Warden, since you'd be below the kernel. If I'm lucky, some malware writer has already posted code somewhere...

There would be no detection from Warden unless they too jumped into the hypervisor (exceedingly unlikely as they haven't even been willing to go kernel). There are possibly countermeasures (although not detections, unless the coder was stupid). Also I'm not sure I fully understand paravirtualization; I don't think I'd want to even attempt the task of writing a full VM for Windows.

So right now, it's just a (very) interesting long-term research project.

http://www.eecs.umich.edu/virtual/papers/king06.pdf

Our project, which is called SubVirt, shows how at-
tackers can use virtual-machine technology to address
the limitations of current malware and rootkits. We
show how attackers can install a virtual-machine mon-
itor (VMM) underneath an existing operating system
and use that VMM to host arbitrary malicious soft-
ware. The resulting malware, which we call a virtual-
machine based rootkit (VMBR), exercises qualitatively
more control than current malware, supports general-
purpose functionality, yet can completely hide all its
state and activity from intrusion detection systems run-
ning in the target operating system and applications

[lanman92]

I, too read up on this. I saw a nice looking one called blue pill. I'm not sure if it's still up-to-date for x64 or Vista. It was just a very thin "wrapper" around windows. There was some good documentation on the site.

[amadmonk]

Sweet... I'll look for code too. If I am understanding it right, it should actually be superior to a kernel rootkit -- it's "below" the kernel, and will, even so, have less chance of BSOD'ing the box.

Lemme know if you find it (PM or whatever) This looks like a very interesting anti-Warden technique (and anti-Punkbuster, and anti-well... everything).

[Apoc]

bluepillproject.org

Enjoy.

[lanman92]

Thanks Apoc

[amadmonk]

bluepillproject.org

Enjoy.

Lol. Can you tell I'm at work and didn't have time to google it?

Thanks, Apoc.

[lanman92]

Has anyone ever seen anything where you can execute code in VMWare that will take effect in the guest OS? I'm assuming not, but it's worth a shot asking. I'll go google now...

[amadmonk]

IIRC, there are some sort of backdoorish tricks you can do that will crash the guest OS (the emulated OS, that is).

If you're talking the other way around, I don't think you can do that with closed-source type 2 hypervisors. Type 1 hypervisors should be able to do anything you can do normally (including having the host execute code in the guest), since it's essentially just another privilege level, sort of just a "super kernel" (oversimplification, but not completely off).

[lanman92]

Hm. I bet there's something that does it. I wish QEMU was a better emulator, I'd use that(by that I mean mod the hell out of it).

[amadmonk]

Honestly, the easiest path is probably just to mod wine a bit. It really doesn't take much work to make it detour all the important system API's at (what looks to the app like) the kernel level. The only real problem with that approach is that you have to be fairly skilled at both Linux and Windows debugging and coding.

Well... actually... the EASIEST method is probably just not to release your code. From what I've heard, if you're not public and you're not stupid, the odds are pretty high that you'll never get caught.

[lanman92]

This is true, but it's way more fun if you're subverting Windows' functions :P Gotta love smiting Microsoft

[Cypher]

Warden runs in usermode, you can hook APIs at that level all you want and they can't ban you unless they have a binary they can hash. Kernelmode (and hence also a hypervisor) is overkill for a private project.

Also, yes, Blue Pill the original PoC hypervisor rootkit.

[F1n1st]

oh, hvrootkit will take so much resources for makin. Right now there is a warden in user mode, so its ok to use ring0 rootkit. am i right?

[Cypher]

oh, hvrootkit will take so much resources for makin. Right now there is a warden in user mode, so its ok to use ring0 rootkit. am i right?

Like I said, even that is overkill for a private project.

[Greyman]

Cypher, there's nothing wrong with overkill: Most of us do what we do out of interest rather than necessity.

Madmonk, what exactly are you wanting to achieve with a hypervisor rootkit? I think that's the first thing you want to establish. Hypervisors are not a magic wand you can simply wave at anti-cheat tech and make it go away, nor are they any more proof against BSOD's than a kernel driver.

For instance, it would be nontrivial (but still possible) to hide in-process shenanigans with such a beast, but something equal to say the Glider shadow driver would be relatively straightforward.

If you have any specific questions or thoughts, feel free to post them in this thread and I'll do my best to respond. I have a reasonable amount of experience in this area.