HACKING EXPOSED MALWARE AND ROOTKITS by Aaron LeMasters & Michael Davis & Sean Bodmer

Author: Aaron LeMasters, Michael Davis & Sean Bodmer
Language: eng
Format: mobi


Unless otherwise noted, these tools only detect VMware and Virtual PC VMs. For a more comprehensive list of detection methodologies for other VMs, including Parallels, Bochs, Hydra, and many others, see http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf

Red Pill by Joanna Rutkowska: Logical Discrepancy Anomaly Using SIDT

Popularity: 3
Simplicity: 10
Impact: 5
Risk Rating: 6

The Red Pill was released by Joanna Rutkowska in 2004 (http://www.invisiblethings.org/papers/redpill.html) after she observed anomalies while testing the SuckIt rootkit inside VMware versus on a "real" host. As it turned out, the rootkit (which hooks the IDT) failed to load in VMware because of how VMware handles the SIDT (store IDT) x86 instruction. A processor has only one IDT register, yet the host and every guest kernel each expect to own the IDT, so the virtual machine monitor keeps its own table in the register and relocates the guest's IDT to a different address in memory; SIDT executed inside the guest then returns that relocated address rather than the one the guest kernel set up. SIDT is not a privileged instruction, so a VMM of that era (before hardware virtualization extensions, which can intercept it) could not trap the instruction and hide the difference. Although this broke the rootkit's functionality, it happened to reveal one of the many implementation quirks in VMs that make them easily detectable; hence, Red Pill was born.

Red Pill issues the SIDT instruction inside the VM and compares the returned IDT base address against the values Rutkowska recorded for Virtual PC and VMware Workstation. Rather than matching exact addresses, the program looks only at the most significant byte of the base: a native kernel keeps its IDT below 0xd0000000 (0xc0.. on Linux, 0x80.. on Windows), while the relocated guest tables sat at 0xff.. under VMware Workstation and 0xe8.. under Virtual PC. Based on that byte, Red Pill decides whether it is inside a VM. The following code is the entire program in C:

#include <stdio.h>

int main(void)
{
    /* rpill is two x86 instructions as raw bytes:
     *   0f 01 0d <disp32>   sidt [disp32]  -- store IDTR (2-byte limit, 4-byte base) at disp32
     *   c3                  ret
     * The displacement is patched at run time with the address of m, so
     * executing rpill leaves the IDT limit in m[0..1] and the base in m[2..5]. */
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";

    *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch disp32 := &m (32-bit pointers only) */
    ((void(*)())&rpill)();                   /* jump into the buffer: needs an executable stack */

    printf("idt base: %#x\n", *((unsigned*)&m[2]));

    /* m[5] is the top byte of the base: above 0xd0 means the IDT was
     * relocated by a VMM (0xff.. VMware, 0xe8.. Virtual PC). */
    if (m[5] > 0xd0)
        printf("Inside Matrix!\n");

    return 0;
}

Build it as a 32-bit binary with an executable stack, for example gcc -m32 -z execstack redpill.c -o redpill. The disp32 form of sidt and the cast of the pointer to unsigned only make sense in 32-bit mode, and without -z execstack a non-executable stack kills the jump into rpill. Two further caveats: on an SMP system each CPU has its own IDT, so a single SIDT describes only the core the thread happened to run on; and on CPUs with UMIP (User-Mode Instruction Prevention) the operating system may fault on or emulate a user-mode SIDT, in which case the returned base no longer reflects the real IDTR at all.
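The same check written with inline assembly, as an added example that is neither the book's code nor Rutkowska's original: it reads the IDTR without executing bytes from a stack buffer, so it builds on both 32-bit and 64-bit x86, it separates the raw SIDT decoding from the top-byte heuristic, and it repeats the read pinned to each CPU to show why a single SIDT is noisy on SMP hosts. The function names (parse_idtr, redpill_verdict, read_idtr, probe_all_cpus) are mine; the signature bytes 0xff (VMware), 0xe8 (Virtual PC) and the 0xd0 threshold are the values quoted in the text, and treating them as still valid for current hypervisors is an assumption, not something the page establishes.

```c
/* Added example, not code from the book or from Rutkowska's Red Pill: the
 * IDTR check done with inline asm instead of bytes executed from a stack
 * buffer, plus a sweep across CPUs. The 0xff/0xe8 signatures and the 0xd0
 * threshold are the values the text relies on; assumed, not guaranteed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* sched_setaffinity / CPU_SET on glibc */
#endif
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <sched.h>
#include <unistd.h>
#endif

struct idtr {
    uint16_t limit;   /* byte size of the IDT minus one */
    uint64_t base;    /* linear address of the IDT; only 32 bits wide on i386 */
};

enum verdict { NATIVE = 0, VMWARE, VIRTUALPC, UNKNOWN_VM };
static const char *const verdict_names[] = { "native", "VMware", "Virtual PC", "unknown VM" };

/* Decode what SIDT stores: little-endian 16-bit limit, then a 32-bit (len 6) or 64-bit (len 10) base. */
int parse_idtr(const uint8_t *raw, size_t len, struct idtr *out)
{
    if (len != 6 && len != 10)
        return -1;
    out->limit = (uint16_t)(raw[0] | (raw[1] << 8));
    out->base = 0;
    for (size_t i = 2; i < len; i++)
        out->base |= (uint64_t)raw[i] << (8 * (i - 2));
    return 0;
}

/* Base only; 0 signals a bad length. */
uint64_t idtr_base_from_bytes(const uint8_t *raw, size_t len)
{
    struct idtr r;
    return parse_idtr(raw, len, &r) == 0 ? r.base : 0;
}

/* Red Pill's heuristic on a 32-bit base: native kernels keep the IDT below
 * 0xd0000000 (0xc0.. Linux, 0x80.. Windows); relocated guest tables were at 0xff.. / 0xe8.. */
enum verdict redpill_verdict(uint32_t base32)
{
    uint8_t top = (uint8_t)(base32 >> 24);
    if (top == 0xff) return VMWARE;
    if (top == 0xe8) return VIRTUALPC;
    if (top > 0xd0)  return UNKNOWN_VM;   /* relocated, but no known signature */
    return NATIVE;
}

/* Execute SIDT. It is unprivileged on classic x86, which lets a user process run this
 * and stopped pre-VT-x VMMs from trapping it; with UMIP the kernel may fault or spoof it. */
int read_idtr(struct idtr *out)
{
#if defined(__i386__) || defined(__x86_64__)
    struct __attribute__((packed)) { uint16_t limit; uintptr_t base; } raw;
    __asm__ __volatile__("sidt %0" : "=m"(raw));
    return parse_idtr((const uint8_t *)&raw, sizeof raw, out);
#else
    (void)out;
    return -1;                          /* no IDTR on this architecture */
#endif
}

/* Probe on each online CPU: every core has its own IDT, so one SIDT only describes
 * the core the thread ran on, one reason single-shot Red Pill is noisy on SMP. Returns CPUs probed. */
int probe_all_cpus(void)
{
    int probed = 0;
#if defined(__linux__) && defined(CPU_SET)
    long ncpu = sysconf(_SC_NPROCESSORS_ONLN);
    for (long cpu = 0; cpu < ncpu; cpu++) {
        cpu_set_t set;
        CPU_ZERO(&set);
        CPU_SET(cpu, &set);
        if (sched_setaffinity(0, sizeof set, &set) != 0)
            continue;                   /* offline or not permitted: skip */
        struct idtr r;
        if (read_idtr(&r) != 0)
            return -1;
        /* The top-byte test only means something for a 32-bit base: on x86-64 every kernel IDT is at 0xff.. */
        const char *v = sizeof(void *) == 4
            ? verdict_names[redpill_verdict((uint32_t)r.base)]
            : "64-bit base, top-byte test not applicable";
        printf("cpu %ld: idt base %#llx limit %#x -> %s\n", cpu,
               (unsigned long long)r.base, (unsigned)r.limit, v);
        probed++;
    }
#endif
    return probed;                      /* 0: affinity API not available */
}

int main(void)
{
    return probe_all_cpus() > 0 ? 0 : 1;
}
```

On a 64-bit Linux host the sweep prints the kernel's IDT base (in the 0xff.. range) for every core, which is exactly why the original top-byte test is only applied to 32-bit bases here; on a 32-bit build it reproduces Red Pill's verdict per CPU instead of for whichever core the process happened to be scheduled on.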


