[vbox-dev] Interrupt Descriptor Tables and malware

Sander van Leeuwen sander.x.van.leeuwen at oracle.com
Thu Nov 25 04:50:55 PST 2010

On 25-11-2010 13:19, Josh x90 wrote:
> According to this article, it seems to be possible:
> http://www.infoworld.com/d/security-central/excellent-vm-detection-and-breakout-presentation-333
>  From the article:
> "Essentially, the majority of VMs "hook" interrupts and APIs on the host operating system. It's the way they work. Malware can walk the interrupt vector table or VM interface subroutines, find the VM hooks, and insert itself one call above or replace a sub-routine. So far, I haven't found the VM that protects against this, although various host OSs are doing more and more to prevent interrupt vector table manipulation on their own."
I can't judge what the competition does, but VirtualBox does not hook 
interrupts nor APIs on the host. Only in software virtualization mode we 
replace the host's IDT with our own, but the replacement IDT memory is 
read-only from the guest's point of view. The host's IDT memory isn't 
mapped into the guest's address space and is therefor not accessible by 
the guest.

Hardware virtualization is a completely different story as the VT-x or 
AMD-V world switch instruction takes care of the details and we do not 
perform any host IDT modifications.

>  From what I can see, the interrupt vector table seems to be virtualised (the 'Red Pill' mechanism for detecting whether an OS is running in a virtualised environment relies upon the Interrupt Descriptor Table existing at a different memory address than it typically should in a non-virtualised environment). Does VirtualBox virtualise this? Is it possible for malware to hook into the host IDT?
That is not possible.

Kind regards / Mit freundlichen Gruessen / Met vriendelijke groet

Sander van Leeuwen | Senior Staff Engineer, VirtualBox
Oracle Virtualization

ORACLE Deutschland B.V.&  Co. KG | Werkstrasse 24 | 71384 Weinstadt

ORACLE Deutschland B.V.&  Co. KG
Hauptverwaltung: Riesstr. 25, D-80992 Muenchen
Registergericht: Amtsgericht Muenchen, HRA 95603

Komplementaerin: ORACLE Deutschland Verwaltung B.V.
Rijnzathe 6, 3454PV De Meern, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschaeftsfuehrer: Juergen Kunz, Marcel van de Molen, Alexander van der Ven

More information about the vbox-dev mailing list