[vbox-dev] Interrupt Descriptor Tables and malware
Sander van Leeuwen
sander.x.van.leeuwen at oracle.com
Thu Nov 25 04:50:55 PST 2010
On 25-11-2010 13:19, Josh x90 wrote:
> According to this article, it seems to be possible:
> From the article:
> "Essentially, the majority of VMs "hook" interrupts and APIs on the host operating system. It's the way they work. Malware can walk the interrupt vector table or VM interface subroutines, find the VM hooks, and insert itself one call above or replace a sub-routine. So far, I haven't found the VM that protects against this, although various host OSs are doing more and more to prevent interrupt vector table manipulation on their own."
I can't judge what the competition does, but VirtualBox does not hook
interrupts nor APIs on the host. Only in software virtualization mode we
replace the host's IDT with our own, but the replacement IDT memory is
read-only from the guest's point of view. The host's IDT memory isn't
mapped into the guest's address space and is therefor not accessible by
Hardware virtualization is a completely different story as the VT-x or
AMD-V world switch instruction takes care of the details and we do not
perform any host IDT modifications.
> From what I can see, the interrupt vector table seems to be virtualised (the 'Red Pill' mechanism for detecting whether an OS is running in a virtualised environment relies upon the Interrupt Descriptor Table existing at a different memory address than it typically should in a non-virtualised environment). Does VirtualBox virtualise this? Is it possible for malware to hook into the host IDT?
That is not possible.
Kind regards / Mit freundlichen Gruessen / Met vriendelijke groet
Sander van Leeuwen | Senior Staff Engineer, VirtualBox
ORACLE Deutschland B.V.& Co. KG | Werkstrasse 24 | 71384 Weinstadt
ORACLE Deutschland B.V.& Co. KG
Hauptverwaltung: Riesstr. 25, D-80992 Muenchen
Registergericht: Amtsgericht Muenchen, HRA 95603
Komplementaerin: ORACLE Deutschland Verwaltung B.V.
Rijnzathe 6, 3454PV De Meern, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschaeftsfuehrer: Juergen Kunz, Marcel van de Molen, Alexander van der Ven
More information about the vbox-dev