[Code-Crunchers] detecting blue pill and BH challege
Rodrigo Rubira Branco (BSDaemon)
rodrigo at kernelhacking.com
Mon Jul 2 10:41:42 CDT 2007
Using SMM in something like PatchGuard is my proposal at HITB Dubai:
http://conference.hitb.org/hitbsecconf2007dubai/materials/D2%20-%20Rodrigo%20Rubira%20Branco%20and%20Domingo%20Montanaro%20-%20Kernel%20Hacking%20-%20If%20I%20really%20know%20I%20can%20hack.pdf
Also, you can use debug registers to monitor something occurring and execute
your handler in real time (not the SMM handler). Using the DR7 general
detect flag you can also emulate the debug registers and keep it from being
easily detected.
cya,
Rodrigo (BSDaemon).
--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If I really know, I can hack
GPG KeyID: 1FCEDEA1
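An added example, not from Rodrigo's mail or from any of the quoted posts below, showing the timing heuristic the thread keeps circling (Fionnbharr's "timing attacks", the CPUID check in Ferrie's paper) from the detection side. CPUID is an unconditional VM exit on VT-x and SVM, so a hidden hypervisor cannot avoid paying an exit/entry round trip on it; comparing its cost with an instruction sequence that normally is not trapped (a back-to-back RDTSC pair here) gives a verdict without a clean-machine baseline, which the thread notes is hard to get in a competition. The 64-sample count, the 20x ratio and the RDTSC pair as reference are assumptions chosen for illustration, not values from the thread; the measurement uses the GCC/Clang `__cpuid` and `__rdtsc` intrinsics and compiles only on x86, while the statistics and verdict functions are portable. The usual caveat applies and is the one Peter Ferrie's posts imply: a hypervisor that also traps RDTSC or offsets the TSC can dress the numbers, so this is a heuristic, not proof.

```c
/* Added example (not from the thread): CPUID round-trip timing as a
 * hypervisor-presence heuristic. Sample counts and thresholds below are
 * illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>       /* __cpuid(level, a, b, c, d) */
#include <x86intrin.h>   /* __rdtsc() */
#define HAVE_X86_TIMING 1
#endif

#define TIMING_SAMPLES 64   /* assumed sample count */
#define TRAP_RATIO     20   /* assumed: CPUID median > 20x reference median */

/* Ticks for one CPUID leaf 0. CPUID is a mandatory VM exit, so a hypervisor
 * underneath adds its exit + entry cost to every sample. */
static uint64_t time_one_cpuid(void)
{
#ifdef HAVE_X86_TIMING
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

/* Reference: two back-to-back RDTSC reads, normally executed natively even
 * under a hypervisor (unless it chooses to trap RDTSC as well). */
static uint64_t time_one_reference(void)
{
#ifdef HAVE_X86_TIMING
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples; sorts a copy so the caller's array is untouched.
 * The median discards the first-call and interrupt outliers that a mean
 * would be skewed by. Returns 0 for an empty set. */
uint64_t median_ticks(const uint64_t *samples, size_t n)
{
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Verdict: 1 if the CPUID median exceeds ratio * reference median,
 * 0 if not, -1 if either sample set is empty. */
int cpuid_looks_trapped(const uint64_t *cpuid_t, size_t n_c,
                        const uint64_t *ref_t, size_t n_r, unsigned ratio)
{
    if (n_c == 0 || n_r == 0) return -1;
    uint64_t mc = median_ticks(cpuid_t, n_c);
    uint64_t mr = median_ticks(ref_t, n_r);
    if (mr == 0) mr = 1;                 /* guard a zero reference */
    return mc > (uint64_t)ratio * mr;
}

/* Fill both arrays with n live samples; returns n, or 0 on non-x86. */
size_t collect_samples(uint64_t *cpuid_t, uint64_t *ref_t, size_t n)
{
#ifdef HAVE_X86_TIMING
    for (size_t i = 0; i < n; i++) {
        cpuid_t[i] = time_one_cpuid();
        ref_t[i]   = time_one_reference();
    }
    return n;
#else
    (void)cpuid_t; (void)ref_t; (void)n;
    return 0;
#endif
}

int main(void)
{
    uint64_t c[TIMING_SAMPLES], r[TIMING_SAMPLES];
    size_t n = collect_samples(c, r, TIMING_SAMPLES);
    if (n == 0) { puts("no x86 timing available on this build"); return 0; }
    int v = cpuid_looks_trapped(c, n, r, n, TRAP_RATIO);
    printf("median cpuid=%llu ref=%llu ticks -> %s\n",
           (unsigned long long)median_ticks(c, n),
           (unsigned long long)median_ticks(r, n),
           v ? "CPUID is being trapped (hypervisor present?)" : "looks native");
    return 0;
}
```

Run it on a bare machine and again inside any VM to see the ratio jump; the verdict functions are separated from the measurement so the same logic can be fed samples collected elsewhere (for instance from a kernel driver that disables interrupts around the measurement for cleaner numbers).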
--------- Original Message --------
From: Peter Ferrie <pferrie at symantec.com>
To: code-crunchers at whitestar.linuxbox.org
<code-crunchers at whitestar.linuxbox.org>
Subject: Re: [Code-Crunchers] detecting blue pill and BH challege
Date: 02/07/07 15:23
>
> Ha, I misunderstood completely. I thought that you meant her running code
> there, not us running code there.
> In any case, since we can't force SMIs, we can't be on-demand, though it
> could be useful for asynchronous detection.
> Perhaps Microsoft will use it for future PatchGuard. :-)
>
> ________________________________
>
> From: Gil Dabah [mailto:arkon at ragestorm.net]
> Sent: Mon 7/2/2007 10:09 AM
> To: Peter Ferrie
> Cc: code-crunchers at whitestar.linuxbox.org
> Subject: Re: [Code-Crunchers] detecting blue pill and BH challege
>
>
>
> Maybe I didn't get the bet right. SMM is just one way to know (99% for
> sure) that there's a rootkit on the computer which uses virtualization
> to hide.
> Although, it will be much more *usable* to have a tool that alerts you when
> such an event happens... The question is what you do next? SOOO... are we
> again in the game of cat and mouse, but in a much more advanced
> environment? Gimme a break, that won't last.
>
> Peter Ferrie wrote:
> > While SMM's memory is hidden from ordinary operation, anything inside
> > it can see everything else. So, if she can go there, we can too. However,
> > since she can't force SMIs to occur at interesting times (like NDIS packet
> > receive), it's not going to be very useful.
> >
> > ________________________________
> >
> > From: Gil Dabah [mailto:arkon at ragestorm.net]
> > Sent: Sun 7/1/2007 11:05 PM
> > To: Peter Ferrie
> > Cc: code-crunchers at whitestar.linuxbox.org
> > Subject: Re: [Code-Crunchers] detecting blue pill and BH challege
> >
> >
> >
> > SMM's memory is hidden anyway because it's not mapped by default and
> > cannot be accessed unless there's an SMI, which is much better than
> > hiding in memory; the CPU does the work for you. The disadvantage of SMM
> > is that it is CPU/MOBO specific, so you can't install your SMI handler
> > easily.
> > Anyway, if your detection method will alert upon transition, then way
> > to go :) I just suggest a way of checking the state of the machine once.
> > Maybe my method can be extended to monitor and detect the transition as
> > well, but it will require more thought, if that's possible at all.
> >
> > Peter Ferrie wrote:
> >
> >> But you don't get to control when the transition occurs, and you
> >> can't hide your memory because SMM does not use paging.
> >>
> >> ________________________________
> >>
> >> From: Gil Dabah [mailto:arkon at ragestorm.net]
> >> Sent: Sat 6/30/2007 3:46 PM
> >> To: Fionnbharr
> >> Cc: code-crunchers at whitestar.linuxbox.org
> >> Subject: Re: [Code-Crunchers] detecting blue pill and BH challege
> >>
> >>
> >>
> >> I still stick to my old idea that you can run in SMM mode and do
> >> whatever you want...
> >>
> >> Fionnbharr wrote:
> >>
> >>
> >>> I would say timing attacks, but it's hard to do a baseline to compare
> >>> to in their competition.
> >>>
> >>> But there are also situations like the TLB + CPUID Ferrie talks about
> >>> in his paper where you don't need a clean base. So my guess would be
> >>> something like that.
> >>>
> >>> On 30/06/07, Gadi Evron <ge at linuxbox.org> wrote:
> >>>
> >>>
> >>>
> >>>> On 2007-06-29 15:28-0700, Peter Ferrie wrote:
> >>>>
> >>>>>> Hmm, so what do you think the detection technique is?
> >>>>>>
> >>>>>> Let's at least have one bet going here, winner gets free beer
> >>>>>> once, from each of us who talk about the detection options, and
> >>>>>> from me, too.
> >>>>>>
> >>>>> Oh, I can't collect. Bummer. ;-)
> >>>>>
> >>>> But you can buy them beer. :)
> >>>>
> >>>> _______________________________________________
> >>>> Code-Crunchers mailing list
> >>>> Code-Crunchers at whitestar.linuxbox.org
> >>>> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
> >>>>