[Code-Crunchers] detecting blue pill and BH challenge

Gadi Evron ge at linuxbox.org
Mon Jul 2 12:14:19 CDT 2007


On 2007-07-02 20:09+0300, Gil Dabah wrote:
>Maybe I didn't get the bet right. SMM is just one way to know (99% for
>sure) that there's a rootkit on the computer which uses virtualization
>to hide.
>Although it would be much more *usable* to have a tool that alerts you
>when such an event happens... The question is what you do next? SOOO...
>are we again in the game of cat and mouse but in a much more advanced
>environment? gimme a break, that won't last.

Nothing is EVER 100%, which is why although Joanna is cool, that claim
is stupid.

I'd be very happy with a tool to tell me if (in all likelihood) SMM is
even being used. In this case it would be a decent enough rootkit
detection tool.

	Gadi.

>
>
>Peter Ferrie wrote:
>> While SMM's memory is hidden from ordinary operation, anything inside it can see everything else.  So, if she can go there, we can too.  However, since she can't force SMIs to occur at interesting times (like NDIS packet receive), it's not going to be very useful.
>>
>> ________________________________
>>
>> From: Gil Dabah [mailto:arkon at ragestorm.net]
>> Sent: Sun 7/1/2007 11:05 PM
>> To: Peter Ferrie
>> Cc: code-crunchers at whitestar.linuxbox.org
>> Subject: Re: [Code-Crunchers] detecting blue pill and BH challenge
>>
>>
>>
>> SMM's memory is hidden anyway because it's not mapped by default and
>> cannot be accessed unless there's an SMI, which is much better than hiding
>> in memory; the CPU does the work for you. The disadvantage of SMM is
>> that it is CPU/MOBO specific, so you can't install your SMI handler easily.
>> Anyway, if your detection method will alert upon transition, then way
>> to go :) I just suggested a way to check the state of the machine once.
>> Maybe my method can be extended to monitor and detect the transition as
>> well, but it will require more thought, if that's possible at all.
>>
>> Peter Ferrie wrote:
>>> But you don't get to control when the transition occurs, and you can't hide your memory because SMM does not use paging.
>>>
>>>
>>> ________________________________
>>>
>>> From: Gil Dabah [mailto:arkon at ragestorm.net]
>>> Sent: Sat 6/30/2007 3:46 PM
>>> To: Fionnbharr
>>> Cc: code-crunchers at whitestar.linuxbox.org
>>> Subject: Re: [Code-Crunchers] detecting blue pill and BH challenge
>>>
>>>
>>>
>>> I still stick to my old idea that you can run in SMM mode and do
>>> whatever you want...
>>>
>>> Fionnbharr wrote:
>>>> I would say timing attacks but it's hard to do a baseline to compare
>>>> to in their competition.
>>>>
>>>> But there are also situations like the TLB + CPUID trick Ferrie talks about
>>>> in his paper where you don't need a clean baseline. So my guess would be
>>>> something like that.
>>>>
>>>> On 30/06/07, Gadi Evron <ge at linuxbox.org> wrote:
>>>>
>>>>> On 2007-06-29 15:28-0700, Peter Ferrie wrote:
>>>>>>> Hmm, so what do you think the detection technique is?
>>>>>>>
>>>>>>> Let's at least have one bet going here, winner gets free beer
>>>>>>> once, from each of us who talk about the detection options, and
>>>>>>> from me, too.
>>>>>> Oh, I can't collect.  Bummer. ;-)
>>>>> But you can buy them beer. :)
>>>>>
>>>>> _______________________________________________
>>>>> Code-Crunchers mailing list
>>>>> Code-Crunchers at whitestar.linuxbox.org
>>>>> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>

-- 
"beepbeep it, i leave work, stop reading sec lists and im still hearing
gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.
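The "timing attacks" Fionnbharr brings up above, as an added example that is not code from this thread, from Blue Pill, or from Ferrie's paper. It times CPUID with RDTSC and compares the median cost against the RDTSC pair overhead and an illustrative threshold (CPUID_TRAP_THRESHOLD_TICKS, an assumption, not a figure anyone in the thread gives). CPUID is the usual probe because Intel VT-x makes it exit unconditionally, so the hypervisor has to emulate it. The TLB + CPUID trick the thread refers to needs ring 0 to edit page tables and is not shown here; this runs entirely from user space.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_TSC 1
#else
#define HAVE_X86_TSC 0
#endif

/* Decision threshold in TSC ticks. This value is an assumption for the
 * example, not from the thread: CPUID on bare metal is typically on the
 * order of 100-200 ticks, while a CPUID that forces a VM exit and gets
 * emulated usually costs well over a thousand. Tune it for your hardware. */
#define CPUID_TRAP_THRESHOLD_TICKS 500ULL

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (sorts v in place). The median rather than the mean
 * keeps a stray interrupt or context switch from dragging the result up. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    if (n == 0)
        return 0;
    qsort(v, n, sizeof *v, cmp_u64);
    return (n & 1) ? v[n / 2] : (v[n / 2 - 1] + v[n / 2]) / 2;
}

/* Decision rule applied to a measured median CPUID latency. */
int cpuid_looks_trapped(uint64_t cpuid_ticks)
{
    return cpuid_ticks >= CPUID_TRAP_THRESHOLD_TICKS;
}

/* Median TSC ticks for "RDTSC; [CPUID leaf 0]; RDTSC". With do_cpuid == 0
 * this measures only the RDTSC pair, i.e. the probe's own overhead.
 * Returns 0 on non-x86 builds, where there is nothing to measure. */
static uint64_t median_probe_ticks(int do_cpuid, size_t samples)
{
#if HAVE_X86_TSC
    if (samples == 0)
        return 0;
    uint64_t *t = malloc(samples * sizeof *t);
    if (t == NULL)
        return 0;
    for (size_t i = 0; i < samples; i++) {
        uint64_t t0 = __rdtsc();
        if (do_cpuid) {
            unsigned a, b, c, d;
            __cpuid(0, a, b, c, d);   /* serializing; exits under VT-x */
            (void)a; (void)b; (void)c; (void)d;
        }
        uint64_t t1 = __rdtsc();
        t[i] = t1 - t0;
    }
    uint64_t m = median_u64(t, samples);
    free(t);
    return m;
#else
    (void)do_cpuid;
    (void)samples;
    return 0;
#endif
}

uint64_t measure_cpuid_ticks(size_t samples)          { return median_probe_ticks(1, samples); }
uint64_t measure_rdtsc_overhead_ticks(size_t samples) { return median_probe_ticks(0, samples); }

int main(void)
{
    const size_t samples = 2000;
    uint64_t cpuid = measure_cpuid_ticks(samples);
    uint64_t ref = measure_rdtsc_overhead_ticks(samples);

    if (cpuid == 0) {
        puts("not an x86 build: nothing measured");
        return 0;
    }
    printf("median CPUID: %llu ticks, median RDTSC pair: %llu ticks\n",
           (unsigned long long)cpuid, (unsigned long long)ref);
    if (cpuid_looks_trapped(cpuid))
        puts("CPUID latency is consistent with a VM exit per CPUID: hypervisor probably present");
    else
        puts("CPUID latency looks native");
    return 0;
}
```

Run it pinned to one core and ignore the first run (cold caches). The caveat is the one the thread circles around: a VT-x hypervisor can apply a TSC offset so the guest's RDTSC hides the exit cost, and the "native" figure differs per CPU model, which is why a timing check wants a baseline from the same hardware and why the TLB-based check is attractive in the competition setting.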

