[vbox-dev] Interrupt Descriptor Tables and malware

Sander van Leeuwen sander.x.van.leeuwen at oracle.com
Thu Nov 25 04:40:51 PST 2010

On 25-11-2010 13:19, Josh x90 wrote:
> Hello all,
> I'm interested in virtualisation security and during a conversation with someone yesterday, an issue came up which I hope you can resolve.
> I was told that there is malware which 'installs itself in the CPU interrupt vector table' - after a little research, I presume that by this he meant that malware can modify the interrupt vector table to hook into it and log keystrokes. He claims that in a virtualised OS, if you hooked the interrupt vector table, you would essentially be applying those hooks to the interrupt vector table of the host OS - applying a keylogger/rootkit to the host machine from the guest.
That's complete nonsense. Guest malware can change the guest IDT to 
catch e.g. keyboard interrupts. Host keyboard events that aren't 
intended for the VM (keyboard focus on another window/application) are 
never sent to the VM's virtual keyboard controller and therefor *never* 
seen by the guest no matter what.

Kind regards / Mit freundlichen Gruessen / Met vriendelijke groet

Sander van Leeuwen | Senior Staff Engineer, VirtualBox
Oracle Virtualization

ORACLE Deutschland B.V.&  Co. KG | Werkstrasse 24 | 71384 Weinstadt

ORACLE Deutschland B.V.&  Co. KG
Hauptverwaltung: Riesstr. 25, D-80992 Muenchen
Registergericht: Amtsgericht Muenchen, HRA 95603

Komplementaerin: ORACLE Deutschland Verwaltung B.V.
Rijnzathe 6, 3454PV De Meern, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschaeftsfuehrer: Juergen Kunz, Marcel van de Molen, Alexander van der Ven

More information about the vbox-dev mailing list