[vbox-dev] Interrupt Descriptor Tables and malware
Sander van Leeuwen
sander.x.van.leeuwen at oracle.com
Thu Nov 25 04:40:51 PST 2010
On 25-11-2010 13:19, Josh x90 wrote:
> Hello all,
> I'm interested in virtualisation security and during a conversation with someone yesterday, an issue came up which I hope you can resolve.
> I was told that there is malware which 'installs itself in the CPU interrupt vector table' - after a little research, I presume that by this he meant that malware can modify the interrupt vector table to hook into it and log keystrokes. He claims that in a virtualised OS, if you hooked the interrupt vector table, you would essentially be applying those hooks to the interrupt vector table of the host OS - applying a keylogger/rootkit to the host machine from the guest.
That's complete nonsense. Guest malware can change the guest IDT to
catch e.g. keyboard interrupts. Host keyboard events that aren't
intended for the VM (keyboard focus on another window/application) are
never sent to the VM's virtual keyboard controller and therefore *never*
seen by the guest no matter what.
Kind regards / Mit freundlichen Gruessen / Met vriendelijke groet
Sander van Leeuwen | Senior Staff Engineer, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstrasse 24 | 71384 Weinstadt
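The check a practitioner actually runs against the "guest malware can change the guest IDT" scenario above is to take an image of the guest's IDT (the base and limit come from `sidt` in ring 0 of the guest, or from a guest memory dump) and flag every present gate whose handler address lies outside the guest kernel's text range. The following is an added example, not code from the original thread or from VirtualBox: it decodes 64-bit IDT gate descriptors per the Intel SDM layout and scans a constructed 256-entry IDT. The kernel text range, the hooked handler address and the choice of vector 0x21 (IRQ1 after the classic PIC remap to base 0x20; with an IO-APIC the kernel picks the vector) are all assumptions made for the sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One 64-bit mode IDT gate descriptor is 16 bytes (Intel SDM vol. 3, 6.14.1). */
#define IDT_GATE_SIZE 16
#define IDT_VECTORS   256

/* Handler address: offset[15:0] at bytes 0-1, [31:16] at 6-7, [63:32] at 8-11. */
static uint64_t idt_gate_offset(const uint8_t *g)
{
    uint64_t low  = (uint64_t)g[0] | ((uint64_t)g[1] << 8);
    uint64_t mid  = (uint64_t)g[6] | ((uint64_t)g[7] << 8);
    uint64_t high = (uint64_t)g[8] | ((uint64_t)g[9] << 8) |
                    ((uint64_t)g[10] << 16) | ((uint64_t)g[11] << 24);
    return (high << 32) | (mid << 16) | low;
}

/* Present bit is bit 7 of the type/attribute byte (byte 5). */
static int idt_gate_present(const uint8_t *g) { return (g[5] & 0x80) != 0; }

/* Gate type is the low nibble of byte 5: 0xE interrupt gate, 0xF trap gate. */
static int idt_gate_type(const uint8_t *g) { return g[5] & 0x0F; }

/* Encode a present, DPL 0 interrupt gate (used only to build the sample). */
static void idt_gate_encode(uint8_t *g, uint64_t handler, uint16_t selector)
{
    memset(g, 0, IDT_GATE_SIZE);
    g[0]  = handler & 0xFF;          g[1]  = (handler >> 8) & 0xFF;
    g[2]  = selector & 0xFF;         g[3]  = selector >> 8;
    g[4]  = 0;                       /* IST index 0 */
    g[5]  = 0x8E;                    /* P=1, DPL=0, type=0xE */
    g[6]  = (handler >> 16) & 0xFF;  g[7]  = (handler >> 24) & 0xFF;
    g[8]  = (handler >> 32) & 0xFF;  g[9]  = (handler >> 40) & 0xFF;
    g[10] = (handler >> 48) & 0xFF;  g[11] = (handler >> 56) & 0xFF;
}

/* Scan an IDT image and report present gates whose handler is outside
 * [text_start, text_end). Returns the count; the first `max` vectors go to out. */
static size_t idt_find_hooks(const uint8_t *idt, size_t n_vectors,
                             uint64_t text_start, uint64_t text_end,
                             int *out, size_t max)
{
    size_t found = 0;
    for (size_t v = 0; v < n_vectors; v++) {
        const uint8_t *g = idt + v * IDT_GATE_SIZE;
        if (!idt_gate_present(g)) continue;
        uint64_t h = idt_gate_offset(g);
        if (h < text_start || h >= text_end) {
            if (found < max) out[found] = (int)v;
            found++;
        }
    }
    return found;
}

/* Constructed sample (assumed values, not taken from any real guest): every
 * handler sits in a made-up kernel text range except vector 0x21, which a
 * hypothetical guest rootkit has pointed at its own loadable-module address. */
#define SAMPLE_TEXT_START      0xffffffff81000000ULL
#define SAMPLE_TEXT_END        0xffffffff82000000ULL
#define SAMPLE_HOOK_ADDR       0xffffffffc0a31000ULL
#define SAMPLE_KEYBOARD_VECTOR 0x21

static uint8_t sample_idt[IDT_VECTORS * IDT_GATE_SIZE];

static void build_sample_idt(void)
{
    for (int v = 0; v < IDT_VECTORS; v++)
        idt_gate_encode(sample_idt + v * IDT_GATE_SIZE,
                        SAMPLE_TEXT_START + 0x1000 + (uint64_t)v * 0x10, 0x10);
    sample_idt[0x15 * IDT_GATE_SIZE + 5] &= 0x7F;   /* one not-present gate, as real IDTs have */
    idt_gate_encode(sample_idt + SAMPLE_KEYBOARD_VECTOR * IDT_GATE_SIZE,
                    SAMPLE_HOOK_ADDR, 0x10);
}

/* Build and scan the sample; returns the hook count, first vector in *first. */
static size_t scan_sample(int *first)
{
    int hits[8];
    build_sample_idt();
    size_t n = idt_find_hooks(sample_idt, IDT_VECTORS,
                              SAMPLE_TEXT_START, SAMPLE_TEXT_END, hits, 8);
    *first = n ? hits[0] : -1;
    return n;
}

int main(void)
{
    int v;
    size_t n = scan_sample(&v);
    printf("%zu suspicious vector(s)", n);
    if (n)
        printf(", first: 0x%02x -> %#llx", v,
               (unsigned long long)idt_gate_offset(sample_idt + v * IDT_GATE_SIZE));
    printf("\n");
    return 0;
}
```

The range check is deliberately coarse: a hook that lands inside kernel text (an inline patch of the real handler) passes it, so in practice the handler addresses are also compared against the symbol table, and the scan is repeated per CPU since each core has its own IDTR. Nothing here touches the host; as the reply says, the image being scanned is the guest's own table.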