
Dailydave mailing list archives
Re: Conover's BCE
From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Thu, 14 May 2009 11:07:36 +0200
Dave Aitel wrote:
Matthew Conover's BCE talk was very interesting yesterday, and I had a chance to annoy him a bit more about it at dinner. Basically the idea is this: Apply virtualization techniques (code rewriting + page permissions) to run drivers in usermode. The goal here is to be able to control the driver such that it does not know it is running under BCE, and be able to analyze it. He has working code - this was not a theory talk so much as a demonstration and explanation, as were most of the talks at SyScan. This is a useful dynamic analysis tool (he demo'd running process explorer under it, which worked), and if he open sourced it I could see lots of people using it for rootkit analysis.
This sounds like a simple light-weight software-based virtualization (read VMWare or VBox), but has an obvious problem: to avoid a simple detection via DMA (a rootkit sets up a DMA via one of the devices, e.g. a SATA controller, and checks if its code is indeed at kernel addresses), the tool needs to emulate as much I/O as possible. This way it is becoming more and more like a VMWare Workstation product, losing all its light-weight benefits. In the end it comes down to the question -- why not simply use VBox (which is open-sourced, so one can easily insert "probes" there and also change the I/O device strings so they don't immediately look like VBox's ones)?

On the other hand, if the tool simply decided to cut off all the I/O to unknown devices, this would make it just as easy for generic detection -- the DMAs would simply not work. Needless to say, every single device can have different ways of programming it for DMA transfers, so it is nearly impossible to come up with a generic DMA emulator.

joanna.

--
Joanna Rutkowska
Founder/CEO
Invisible Things Lab
http://invisiblethingslab.com/
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
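To make the trade-off in the reply above concrete, here is an added example; it is not code from the thread, from BCE, or from Invisible Things Lab. It is a toy model in C: a few "physical" pages in an array, a driver that believes its code sits at one kernel page, and a sandbox that relocates and rewrites that code while handling the driver's DMA request under one of three policies: pass-through to real memory (the light-weight case), a fully emulated device whose address translation matches the CPU's view (the VBox-like case), or I/O to unknown devices cut off. The page numbers, byte patterns, policy names and the assumption that the driver believes virtual page n is backed by physical page n are all constructed for the model; nothing here touches real hardware.

```c
/* Added example: toy model of the DMA self-check discussed in the thread.
 * Memory, mappings and "DMA" are plain arrays; nothing touches real hardware. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64
#define NPAGES    4
#define CODE_PAGE 1   /* page the driver believes holds its code (constructed) */

/* How the sandbox handles a DMA request the driver programs into a device. */
enum dma_policy {
    DMA_PASSTHROUGH,  /* light-weight: request reaches real memory untouched */
    DMA_EMULATED,     /* device emulated: address translated to the driver's view */
    DMA_BLOCKED       /* I/O to unknown devices cut off: transfer never completes */
};

enum verdict { NATIVE_LOOKING = 0, DETECTED_MISMATCH = 1, DETECTED_NO_DMA = 2 };

struct machine {
    uint8_t  phys[NPAGES][PAGE_SIZE]; /* physical memory */
    unsigned cpu_map[NPAGES];         /* driver's view: virtual page -> physical page
                                         (model assumption: driver believes vpage n == ppage n) */
    enum dma_policy policy;
};

static void build_driver_code(uint8_t out[PAGE_SIZE]) {
    for (int i = 0; i < PAGE_SIZE; i++)      /* constructed bytes standing in for code */
        out[i] = (uint8_t)(0x90 + (i % 7));
}

/* Native machine: the driver really is at physical page CODE_PAGE. */
void machine_native(struct machine *m) {
    memset(m, 0, sizeof *m);
    for (unsigned i = 0; i < NPAGES; i++) m->cpu_map[i] = i;
    build_driver_code(m->phys[CODE_PAGE]);
    m->policy = DMA_PASSTHROUGH;
}

/* Sandboxed machine: the code is copied elsewhere, rewritten, and the driver's
 * view of CODE_PAGE redirected to the copy; the page it believes it occupies
 * holds whatever the host actually keeps there. */
void machine_sandboxed(struct machine *m, enum dma_policy policy) {
    machine_native(m);
    memcpy(m->phys[3], m->phys[CODE_PAGE], PAGE_SIZE);
    m->phys[3][0] = 0xCC;                        /* stand-in for a rewritten instruction */
    memset(m->phys[CODE_PAGE], 0xFF, PAGE_SIZE); /* host data, not the driver's code */
    m->cpu_map[CODE_PAGE] = 3;
    m->policy = policy;
}

/* Ordinary CPU load: goes through the (possibly redirected) mapping. */
static void cpu_read(const struct machine *m, unsigned vpage, uint8_t out[PAGE_SIZE]) {
    memcpy(out, m->phys[m->cpu_map[vpage]], PAGE_SIZE);
}

/* The driver programs a device to copy one physical page into a buffer.
 * Returns 0 on completion, -1 if the transfer never completes. */
static int dma_read(const struct machine *m, unsigned ppage, uint8_t out[PAGE_SIZE]) {
    switch (m->policy) {
    case DMA_PASSTHROUGH:
        memcpy(out, m->phys[ppage], PAGE_SIZE);           /* real physical memory */
        return 0;
    case DMA_EMULATED:
        /* An emulated device applies the same redirection the CPU sees, so the
         * two views agree; this is what "emulate as much I/O as possible" buys. */
        memcpy(out, m->phys[m->cpu_map[ppage]], PAGE_SIZE);
        return 0;
    case DMA_BLOCKED:
        return -1;
    }
    return -1;
}

/* The rootkit's check: its code as fetched by the CPU versus the same physical
 * page as fetched by a device. A transfer that never completes is also a tell. */
enum verdict driver_dma_check(const struct machine *m) {
    uint8_t via_cpu[PAGE_SIZE], via_dma[PAGE_SIZE];
    cpu_read(m, CODE_PAGE, via_cpu);
    if (dma_read(m, CODE_PAGE, via_dma) != 0)
        return DETECTED_NO_DMA;
    return memcmp(via_cpu, via_dma, PAGE_SIZE) == 0 ? NATIVE_LOOKING : DETECTED_MISMATCH;
}

/* sandboxed == 0 builds the native machine; otherwise the sandbox with `policy`. */
int check_scenario(int sandboxed, enum dma_policy policy) {
    struct machine m;
    if (sandboxed) machine_sandboxed(&m, policy); else machine_native(&m);
    return (int)driver_dma_check(&m);
}

int main(void) {
    const char *names[] = { "native", "sandbox+passthrough", "sandbox+emulated", "sandbox+blocked" };
    int results[] = { check_scenario(0, DMA_PASSTHROUGH), check_scenario(1, DMA_PASSTHROUGH),
                      check_scenario(1, DMA_EMULATED),    check_scenario(1, DMA_BLOCKED) };
    for (int i = 0; i < 4; i++) printf("%-22s verdict=%d\n", names[i], results[i]);
    return 0;
}
```

Only the emulated policy leaves the check looking native, and that is exactly the path that turns a light-weight code-rewriting sandbox into a full device emulator; the pass-through policy exposes the relocation through the byte mismatch, and the blocked policy exposes itself through the transfer that never completes. The model collapses every device into one `dma_read`, which is the simplification the reply says does not exist in practice: each real controller is programmed differently, so the emulated branch would have to be written once per device.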
Current thread:
- Conover's BCE Dave Aitel (May 13)
- Re: Conover's BCE Joanna Rutkowska (May 14)
- Re: Conover's BCE Matt Conover (May 14)
- Re: Conover's BCE Joanna Rutkowska (May 14)