[vbox-dev] Interrupt Descriptor Tables and malware
joshx90 at hotmail.com
Thu Nov 25 04:19:35 PST 2010
I'm interested in virtualisation security and during a conversation with someone yesterday, an issue came up which I hope you can resolve.
I was told that there is malware which 'installs itself in the CPU interrupt vector table' - after a little research, I presume that by this he meant that malware can modify the interrupt vector table to hook into it and log keystrokes. He claims that in a virtualised OS, if you hooked the interrupt vector table, you would essentially be applying those hooks to the interrupt vector table of the host OS - applying a keylogger/rootkit to the host machine from the guest.
According to this article, it seems to be possible:
>From the article:
"Essentially, the majority of VMs "hook" interrupts and APIs on the host operating system. It's the way they work. Malware can walk the interrupt vector table or VM interface subroutines, find the VM hooks, and insert itself one call above or replace a sub-routine. So far, I haven't found the VM that protects against this, although various host OSs are doing more and more to prevent interrupt vector table manipulation on their own."
>From what I can see, the interrupt vector table seems to be virtualised (the 'Red Pill' mechanism for detecting whether an OS is running in a virtualised environment relies upon the Interrupt Descriptor Table existing at a different memory address than it typically should in a non-virtualised environment). Does VirtualBox virtualise this? Is it possible for malware to hook into the host IDT?
I'm very interested as to whether this type of attack is possible with virtualbox - can software on the guest log keystrokes/install a rootkit on the host through this mechanism? If not, perhaps I'm misunderstanding what was said - is there any form of attack which could work similarly to this, e.g. to log keystrokes in the host OS?
Any thoughts/information welcome!
Thanks in advance!
More information about the vbox-dev