Dailydave mailing list archives
redpill vs. Microsoft rootkit...
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Mon, 13 Mar 2006 22:28:00 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I find it quite funny that my little redpill, which many people used to consider as malicious, can now be used to detect advanced rootkits, like the one from MS Research: http://www.eecs.umich.edu/Rio/papers/king06.pdf It's interesting how some technology, which was invented as offensive or defensive at some point in time, within a next few years starts being used in the exactly opposite way... SIDT attack (redpill) and the use of Virtual Machines to implement rootkits is just one example. We also remember TLB tricks used by PaX a few years ago to prevent exploitation and now we can see almost the same techniques exploited by Shadow Walker rootkit. How about executable packing/morphing? Originally used by legal applications to make cracking difficult, then used by malware to make signature scanning hard (or was it in the reverse order?) and now used by rootkit detectors to defend against implementation specific attacks. We also see Dave, using his canvas technology to implement nematodes, the good worms... Is this kind of a "natural balance in the nature" thing? OK, back to technical discussion - I must say that I really enjoyed reading this paper about VM based rootkits (especially the emulated power-off mode;), but didn't quite like how they addressed SIDT attack (AKA redpill) against VMM... Basically they just check (from within VMM) if the program which the guest OS is going to load is redpill.exe and provided it is, they set up a breakpoint at the SIDT instruction... this is what we call a "holly_father-like attack" ;) But the truth is that they were not able to do it in any other way, just because ia32 architecture is buggy by design (BbD ;) and doesn't support 100% virtualization... It's maybe a good time to say (before people start advising having redpill.exe run regularly as part of everybody's anti-rootkit defender toolkit) that redpill was more of a joke rather then an usable tool... It naively assumes that if IDT address is greater then magic number 0xd0000000 then we're inside VM. It should be clear that this is just a *very* simple heuristic, which used to work in the past on most of the systems I tested, but today will probably generates lots of false positives, especially on systems having lots of physical memory and having more then one CPU/core. It seems that the most reliable way for implementing redpill-like detector would require it to have also a kernel mode component, which would execute SIDT in ring0 (allowing VMM to happily emulate it) and then compare it with the IDT addresses returned by SIDT ran in ring3 (which cannot be caught by VMM)... Yes this is yet another example of cross view based detection... It also means that VMBR is not SbD. It's also not type II :P But still is very cool :) If you really don't know what this whole redpill discussion is about, you might want to check out this old paper for some background info: http://invisiblethings.org/papers/redpill.html joanna. -----BEGIN PGP SIGNATURE----- iD8DBQFEFePfORdkotfEW84RAqpUAJ9ekJSqyslBhDyluz3QSEUSYuzPUwCfRrc9 VbaETfXid5Mq+0bVVKxQf0E= =zol1 -----END PGP SIGNATURE-----
Current thread:
- redpill vs. Microsoft rootkit... Joanna Rutkowska (Mar 13)
- Re: redpill vs. Microsoft rootkit... Dave Aitel (Mar 14)