On 25-11-2010 13:19, Josh x90 wrote:
According to this article, it seems to be possible:
http://www.infoworld.com/d/security-central/excellent-vm-detection-and-breakout-presentation-333

From the article:
"Essentially, the majority of VMs "hook" interrupts and APIs on the host operating 
system. It's the way they work. Malware can walk the interrupt vector table or VM interface 
subroutines, find the VM hooks, and insert itself one call above or replace a sub-routine. So far, 
I haven't found the VM that protects against this, although various host OSs are doing more and 
more to prevent interrupt vector table manipulation on their own."
I can't judge what the competition does, but VirtualBox does not hook interrupts or APIs on the host. Only in software virtualization mode do we replace the host's IDT with our own, but the replacement IDT memory is read-only from the guest's point of view. The host's IDT memory isn't mapped into the guest's address space and is therefore not accessible by the guest.

Hardware virtualization is a completely different story as the VT-x or AMD-V world switch instruction takes care of the details and we do not perform any host IDT modifications.

From what I can see, the interrupt vector table seems to be virtualised (the 
'Red Pill' mechanism for detecting whether an OS is running in a virtualised 
environment relies upon the Interrupt Descriptor Table existing at a different 
memory address than it typically should in a non-virtualised environment). Does 
VirtualBox virtualise this? Is it possible for malware to hook into the host 
IDT?
That is not possible.



--
Kind regards / Mit freundlichen Gruessen / Met vriendelijke groet

--
Sander van Leeuwen | Senior Staff Engineer, VirtualBox
Oracle Virtualization

ORACLE Deutschland B.V. & Co. KG | Werkstrasse 24 | 71384 Weinstadt

ORACLE Deutschland B.V. & Co. KG
Hauptverwaltung: Riesstr. 25, D-80992 Muenchen
Registergericht: Amtsgericht Muenchen, HRA 95603

Komplementaerin: ORACLE Deutschland Verwaltung B.V.
Rijnzathe 6, 3454PV De Meern, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschaeftsfuehrer: Juergen Kunz, Marcel van de Molen, Alexander van der Ven


_______________________________________________
vbox-dev mailing list
[email protected]
http://vbox.innotek.de/mailman/listinfo/vbox-dev
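The 'Red Pill' check that the question above refers to reads the IDTR with the unprivileged SIDT instruction and looks at where the guest's IDT base lands. The following is an added illustration, not code from the email, from VirtualBox or from the original redpill.c: it parses the raw bytes SIDT stores (6 on i386, 10 on x86-64) and applies the original heuristic, which flags a 32-bit IDT base whose top byte is above 0xd0, the region where the relocated IDTs of the VMs Red Pill was written against lived. The struct names, the helper functions and the sample byte strings are constructed for this example. As the reply explains, the check tells you nothing under hardware virtualization, where the hypervisor never touches the guest's IDT, and on a modern Linux kernel with UMIP enabled SIDT traps and returns a fixed dummy value rather than the real IDTR, so a raw verdict from a real machine is only as good as the heuristic behind it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Image of the IDTR as SIDT writes it: 16-bit limit followed by the base
 * (32-bit base on i386, 64-bit base on x86-64). */
struct idtr_image {
    uint16_t limit;
    uint64_t base;
};

/* Parse the raw bytes that SIDT stored. n is 6 for a 32-bit image and 10 for
 * a 64-bit image. Returns 0 on success, -1 on an unexpected length. */
int parse_idtr(const unsigned char *raw, size_t n, struct idtr_image *out)
{
    if (n != 6 && n != 10)
        return -1;
    out->limit = (uint16_t)(raw[0] | ((uint16_t)raw[1] << 8));
    out->base = 0;
    for (size_t i = 2; i < n; i++)            /* little-endian base */
        out->base |= (uint64_t)raw[i] << (8 * (i - 2));
    return 0;
}

/* The original Red Pill heuristic: on a 32-bit guest the VMs it targeted
 * placed the IDT above 0xd0000000, so the top byte of the 32-bit base
 * decides. Returns 1 for "looks like a VM", 0 otherwise. It says nothing
 * about a hardware-virtualized guest, whose IDT is wherever its own kernel
 * put it. */
int redpill_verdict(const struct idtr_image *idtr)
{
    unsigned char top = (unsigned char)((idtr->base >> 24) & 0xff);
    return top > 0xd0 ? 1 : 0;
}

/* Convenience wrappers over raw SIDT bytes: -1 on parse error. */
int redpill_from_bytes(const unsigned char *raw, size_t n)
{
    struct idtr_image idtr;
    if (parse_idtr(raw, n, &idtr) != 0)
        return -1;
    return redpill_verdict(&idtr);
}

uint64_t idtr_base_from_bytes(const unsigned char *raw, size_t n)
{
    struct idtr_image idtr;
    if (parse_idtr(raw, n, &idtr) != 0)
        return 0;
    return idtr.base;
}

#if defined(__x86_64__) || defined(__i386__)
/* Read the real IDTR. On i386 SIDT fills only the first 6 bytes; the upper
 * half of .base stays zero. Under UMIP the kernel may substitute a dummy. */
int read_idtr(struct idtr_image *out)
{
    struct __attribute__((packed)) { uint16_t limit; uint64_t base; } r = {0, 0};
    __asm__ __volatile__("sidt %0" : "=m"(r) : : "memory");
    unsigned char raw[10];
    memcpy(raw, &r, sizeof raw);
    return parse_idtr(raw, sizeof(void *) == 8 ? 10 : 6, out);
}
#else
int read_idtr(struct idtr_image *out) { (void)out; return -1; }
#endif

int main(void)
{
    struct idtr_image idtr;
    if (read_idtr(&idtr) != 0) {
        puts("SIDT is not available on this architecture");
        return 1;
    }
    printf("IDTR base=0x%llx limit=0x%x -> Red Pill says %s\n",
           (unsigned long long)idtr.base, idtr.limit,
           redpill_verdict(&idtr) ? "VM" : "no VM");
    return 0;
}
```

The two constructed byte strings in the test below stand in for a 32-bit guest with an IDT relocated to 0xfff88000 and a native 32-bit kernel with its IDT at 0x80400000; they are made up for the example and are not measurements from any particular hypervisor.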
