[Code-Crunchers] detecting blue pill and BH challege

Gil Dabah arkon at ragestorm.net
Mon Jul 2 01:05:49 CDT 2007


SMM's memory is hidden anyway because it's not mapped by default and 
cannot be accessed unless there's an SMI, which is much better than hiding 
in memory: the CPU does the work for you. The disadvantage of SMM is 
that it is CPU/MOBO specific, so you can't install your SMI handler easily.
Anyway, if your detection method will alert upon transition, then way 
to go :) I just suggest a way to check the state of the machine once.
Maybe my method can be extended to monitor and detect the transition as 
well, but it will require more thought, if that's possible at all.

Peter Ferrie wrote:
> But you don't get to control when the transition occurs, and you can't hide your memory because SMM does not use paging.
>
> ________________________________
>
> From: Gil Dabah [mailto:arkon at ragestorm.net]
> Sent: Sat 6/30/2007 3:46 PM
> To: Fionnbharr
> Cc: code-crunchers at whitestar.linuxbox.org
> Subject: Re: [Code-Crunchers] detecting blue pill and BH challege
>
>
>
> I still stick to my old idea that you can run in SMM mode and do
> whatever you want...
>
> Fionnbharr wrote:
>> I would say timing attacks but it's hard to do a baseline to compare
>> to in their competition.
>>
>> But there is also situations like the TLB + CPUID Ferrie talks about
>> in his paper where you don't need a clean base. So my guess would be
>> something like that.
>>
>> On 30/06/07, Gadi Evron <ge at linuxbox.org> wrote:
>>> On 2007-06-29 15:28-0700, Peter Ferrie wrote:
>>>>> Hmm, so what do you think the detection technique is?
>>>>>
>>>>> Let's at least have one bet going here, winner gets free beer
>>>>> once, from each of us who talk about the detection options, and
>>>>> from me, too.
>>>> Oh, I can't collect.  Bummer. ;-)
>>> But you can buy them beer. :)
>>>
>>> _______________________________________________
>>> Code-Crunchers mailing list
>>> Code-Crunchers at whitestar.linuxbox.org
>>> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
>>>