[Code-Crunchers] detecting blue pill and BH challege

Peter Ferrie pferrie at symantec.com
Mon Jul 2 12:22:10 CDT 2007


Ha, I misunderstood completely.  I thought that you meant her running code there, not us running code there.
In any case, since we can't force SMIs, we can't be on-demand, though it could be useful for asynchronous detection.
Perhaps Microsoft will use it for future PatchGuard. :-)
 

________________________________

From: Gil Dabah [mailto:arkon at ragestorm.net]
Sent: Mon 7/2/2007 10:09 AM
To: Peter Ferrie
Cc: code-crunchers at whitestar.linuxbox.org
Subject: Re: [Code-Crunchers] detecting blue pill and BH challege



Maybe I didn't get the bet right. SMM is just one way to know (99% for
sure) that there's a rootkit on the computer which uses virtualization
to hide.
Although, it will be much more *usable* to have a tool that alerts you when
such an event happens... The question is, what do you do next? SOOO... are we
again in the game of mouse and cat but in a much more advanced
environment? gimme a break, that won't last.


Peter Ferrie wrote:
> While SMM's memory is hidden from ordinary operation, anything inside it can see everything else.  So, if she can go there, we can too.  However, since she can't force SMIs to occur at interesting times (like NDIS packet receive), it's not going to be very useful.
> 
> 
>
> ________________________________
>
> From: Gil Dabah [mailto:arkon at ragestorm.net]
> Sent: Sun 7/1/2007 11:05 PM
> To: Peter Ferrie
> Cc: code-crunchers at whitestar.linuxbox.org
> Subject: Re: [Code-Crunchers] detecting blue pill and BH challege
>
>
>
> SMM's memory is hidden anyway because it's not mapped by default and
> cannot be accessed unless there's an SMI, which is much better than hiding
> in memory; the CPU does the work for you. The disadvantage of SMM is
> that it is CPU/MOBO specific, so you can't install your SMI handler easily..
> Anyways, if your detection method will alert upon transition, then way
> to go :) I just suggest a way for checking once the state of the machine.
> Maybe my method can be extended to monitor and detect the transition as
> well, but it will require more thought, if that's possible at all.
>
> Peter Ferrie wrote:
>  
>> But you don't get to control when the transition occurs, and you can't hide your memory because SMM does not use paging.
>>
>>
>> ________________________________
>>
>> From: Gil Dabah [mailto:arkon at ragestorm.net]
>> Sent: Sat 6/30/2007 3:46 PM
>> To: Fionnbharr
>> Cc: code-crunchers at whitestar.linuxbox.org
>> Subject: Re: [Code-Crunchers] detecting blue pill and BH challege
>>
>>
>>
>> I still stick to my old idea that you can run in SMM mode and do
>> whatever you want...
>>
>> Fionnbharr wrote:
>>
>>> I would say timing attacks but it's hard to do a baseline to compare
>>> to in their competition.
>>>
>>> But there are also situations like the TLB + CPUID Ferrie talks about
>>> in his paper where you don't need a clean base. So my guess would be
>>> something like that.
>>>
>>> On 30/06/07, Gadi Evron <ge at linuxbox.org> wrote:
>>>
>>>> On 2007-06-29 15:28-0700, Peter Ferrie wrote:
>>>>
>>>>>> Hmm, so what do you think the detection technique is?
>>>>>>
>>>>>> Let's at least have one bet going here, winner gets free beer
>>>>>> once, from each of us who talk about the detection options, and
>>>>>> from me, too.
>>>>>>
>>>>> Oh, I can't collect.  Bummer. ;-)
>>>>>
>>>> But you can buy them beer. :)
>>>>
>>>> _______________________________________________
>>>> Code-Crunchers mailing list
>>>> Code-Crunchers at whitestar.linuxbox.org
>>>> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
>>>>
>>>>
>>>
>>
>
>

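The timing-attack angle raised in the quoted replies above (and the remark that a competition gives you no clean baseline to compare against), as an added example that is not part of the thread and not code from any of its participants: a user-mode C probe that times CPUID against an empty measurement on the same core, so the comparison is relative and needs no clean reference machine. CPUID unconditionally causes a VM exit under VT-x and SVM, so a thin hypervisor inflates its latency by roughly a thousand cycles or more, while the empty harness (rdtsc/rdtscp) is not normally intercepted. The sample count and the RATIO_SUSPECT cutoff are assumptions, not calibrated values, and a hypervisor that offsets the TSC can hide from this class of check; it illustrates the detection idea under discussion rather than a dependable detector.

```c
/* Added example, not from the thread: baseline-free CPUID timing probe.
 * Build: cc -O2 probe.c -o probe ; run on the machine under test.
 * Requires an x86 target; elsewhere run_probe() reports zero samples. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SAMPLES 4096          /* assumed sample count */
#define RATIO_SUSPECT 20.0    /* assumed cutoff; native lands well below it */

struct probe {
    unsigned samples;         /* 0 when the build target is not x86 */
    uint64_t cpuid_median;    /* cycles for the harness around one CPUID */
    uint64_t empty_median;    /* cycles for the same harness around nothing */
};

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>

/* CPUID is serializing: drain the pipeline before taking the start stamp. */
static void fence(void) {
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)a; (void)b; (void)c; (void)d;
}

/* Cycles for one CPUID leaf 0, bracketed by rdtsc and rdtscp. */
static uint64_t time_cpuid(void) {
    unsigned a, b, c, d, aux;
    fence();
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);          /* the instruction under test */
    uint64_t t1 = __rdtscp(&aux);    /* waits for prior instructions */
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
}

/* Cycles for the bare harness: this is the in-process reference point. */
static uint64_t time_empty(void) {
    unsigned aux;
    fence();
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median rather than mean: interrupts and SMIs produce huge outliers. */
static uint64_t median(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

struct probe run_probe(void) {
    static uint64_t c[SAMPLES], e[SAMPLES];
    struct probe p = { SAMPLES, 0, 0 };
    for (size_t i = 0; i < SAMPLES; i++) {
        c[i] = time_cpuid();         /* interleave so drift hits both alike */
        e[i] = time_empty();
    }
    p.cpuid_median = median(c, SAMPLES);
    p.empty_median = median(e, SAMPLES);
    return p;
}
#else
struct probe run_probe(void) { struct probe p = { 0, 0, 0 }; return p; }
#endif

/* CPUID cost relative to the empty harness on the same core. A native CPUID
 * is a few hundred cycles at most; an exit-and-resume round trip is far more.
 * 0.0 means "nothing measured". */
double probe_ratio(const struct probe *p) {
    if (p->samples == 0 || p->empty_median == 0) return 0.0;
    return (double)p->cpuid_median / (double)p->empty_median;
}

int probe_suspicious(const struct probe *p) {
    return probe_ratio(p) >= RATIO_SUSPECT;
}

int main(void) {
    struct probe p = run_probe();
    if (p.samples == 0) { puts("not x86: nothing to probe"); return 2; }
    printf("CPUID median %llu cycles, empty median %llu cycles, ratio %.1f -> %s\n",
           (unsigned long long)p.cpuid_median,
           (unsigned long long)p.empty_median,
           probe_ratio(&p),
           probe_suspicious(&p) ? "hypervisor suspected" : "looks native");
    return 0;
}
```

The ratio is what makes the check baseline-free: both measurements run on the same core under the same TSC, so clock speed, turbo state and TSC scaling cancel out, and only the exit cost remains. What it cannot survive is a hypervisor that subtracts its own exit time from the guest-visible TSC, which is the standard reply to timing detectors; the TLB-based variant mentioned in the thread exists precisely because it does not depend on a counter the hypervisor controls.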


