
List:       dailydave
Subject:    Re: [Dailydave] Conover's BCE
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2009-05-14 9:07:36
Message-ID: 4A0BDF58.7020802 () invisiblethingslab ! com

Dave Aitel wrote:
> Matthew Conover's BCE talk was very interesting yesterday, and I had a
> chance to annoy him a bit more about it at dinner. Basically the idea is
> this:
> 
> Apply virtualization techniques (code rewriting + page permissions) to run
> drivers in usermode. The goal here is to be able to control the driver such
> that it does not know it is running under BCE, and be able to analyze it. He
> has working code - this was not a theory talk so much as a demonstration and
> explanation, as were most of the talks at SyScan. This is a useful dynamic
> analysis tool (he demo'd running process explorer under it, which worked),
> and if he open sourced it I could see lots of people using it for rootkit
> analysis.
> 

This sounds like a simple light-weight software-based virtualization (read
VMWare or VBox), but has an obvious problem that to avoid a simple detection via
DMA (a rootkit sets up a DMA via one of the devices, e.g. SATA controller and
checks if its code is indeed at kernel addresses), the tool needs to emulate as
much I/O as possible. This way it is becoming more and more like a VMWare
Workstation product, losing all its light-weight benefits. In the end it comes
down to the question -- why not simply use VBox (which is opensourced, so one
can easily insert "probes" there and also change the I/O devices strings so they
don't immediately look like VBox's ones)?

On the other hand, if the tool simply decided to cut off all the I/O to unknown
devices, this would make it just as easy for generic detection -- the DMAs would
simply not work. Needless to say, every single device can have different ways of
programming it for DMA transfers, so it is nearly impossible to come up with a
generic DMA emulator.

joanna.

-- 
Joanna Rutkowska
Founder/CEO
Invisible Things Lab
http://invisiblethingslab.com/



_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

