Although I had posted this already at the malware research forum and received little feedback, I decided to prepare a brief research paper about this topic and post it here.
The topic is that the Redpill approach by Joanna Rutkowska does not seem to work reliably: the values retrieved in kernel mode inside a virtual machine (VMware) differ substantially from the ones retrieved in user mode. While calling SIDT in user mode was the rationale of the whole approach, one would not usually expect the results to differ between user mode and kernel mode. The difference also means that the approach is not generally applicable. Last but not least, the Redpill approach failed for me on Virtual PC (see the paper).
Download
- The paper (PDF): redpill_getting_colorless.pdf (Rev. 2), the same compressed using RAR: redpill_getting_colorless.rar
- Download of the SIDTcon tool: SIDT.rar
Feedback
Any comments on the paper or the tool – criticism, feedback, descriptions of problems – are welcome on my contact page. You will find the link in the navigation bar in the header of this blog …
Also, if this has been found out by someone else before, please provide me with a pointer to it, so I can mention it here and possibly in the paper. I haven't found anything during my search on the web, and my research took place independently of anyone else's.
Some words on SIDTcon
The program comes in binary and source form and can be freely used (PUBLIC DOMAIN). However, there is no warranty whatsoever for any problems arising from the use of the tool in its source or binary form.
Why is VMM detection a problem?
First of all, malware can behave differently when it notices that it is running inside a virtual machine, and so appear harmless to a researcher. This is the most obvious problem. The second one is less obvious: rootkits and their counterparts (i.e. detection tools) have to treat SIDT specially and read the IDT register from kernel mode, since the user-mode values might not be reliable.
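To make the check concrete, here is an added C example (it is not code from the paper or from the SIDTcon tool): it executes SIDT from user mode with GCC/clang inline assembly, decodes the stored IDTR image and applies the decision rule of Rutkowska's original Red Pill, "most significant byte of the IDT base above 0xd0 means VM". The address ranges quoted in the comments are the ones given in the original Red Pill writeup; the function names and the constructed test images are my own. Note that this reads only the user-mode value, which is exactly the reading the paper above argues is unreliable inside VMware; obtaining the kernel-mode value for comparison needs a driver and is not shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SIDT stores the IDTR as a 16-bit limit followed by the linear base:
 * 6 bytes in 32-bit mode, 10 bytes in 64-bit mode. */
#define IDTR_IMAGE_32 6
#define IDTR_IMAGE_64 10

/* Decode a stored IDTR image (little-endian) into limit and base.
 * Returns 0 on success, -1 if the image length is neither 6 nor 10. */
static int idtr_decode(const uint8_t *img, size_t len,
                       uint16_t *limit, uint64_t *base)
{
    size_t i;
    if (img == NULL || (len != IDTR_IMAGE_32 && len != IDTR_IMAGE_64))
        return -1;
    *limit = (uint16_t)(img[0] | (img[1] << 8));
    *base = 0;
    for (i = len; i > 2; i--)           /* bytes len-1 .. 2, MSB first */
        *base = (*base << 8) | img[i - 1];
    return 0;
}

/* Red Pill's decision rule: the original code tests m[5], the top byte of
 * the 4-byte base, against 0xd0. The threshold was chosen for 32-bit
 * Windows guests, where the Red Pill writeup reports the native IDT around
 * 0x80xxxxxx, VMware's relocated IDT at 0xffxxxxxx and Virtual PC's at
 * 0xe8xxxxxx. Applied to a 10-byte (64-bit) image the top byte is that of
 * a 64-bit address and the threshold is meaningless, which is one more
 * reason the heuristic is fragile.
 * Returns 1 (VM suspected), 0 (native), or -1 (unusable image). */
static int redpill_decide(const uint8_t *img, size_t len)
{
    uint16_t limit;
    uint64_t base;
    if (idtr_decode(img, len, &limit, &base) != 0)
        return -1;
    return img[len - 1] > 0xd0 ? 1 : 0;
}

/* Execute SIDT from user mode, as Red Pill does. Returns the number of
 * bytes stored, or 0 when not compiled for x86. Caveat: on CPUs with UMIP
 * enabled the instruction faults or is spoofed by the OS in user mode, so
 * even on a bare-metal host the value need not be the real IDTR. */
static size_t read_idtr_user(uint8_t img[IDTR_IMAGE_64])
{
    memset(img, 0, IDTR_IMAGE_64);
#if defined(__x86_64__)
    __asm__ __volatile__("sidt %0" : "=m"(*(uint8_t (*)[IDTR_IMAGE_64])img));
    return IDTR_IMAGE_64;
#elif defined(__i386__)
    __asm__ __volatile__("sidt %0" : "=m"(*(uint8_t (*)[IDTR_IMAGE_32])img));
    return IDTR_IMAGE_32;
#else
    return 0;
#endif
}

int main(void)
{
    uint8_t img[IDTR_IMAGE_64];
    uint16_t limit;
    uint64_t base;
    size_t len = read_idtr_user(img);

    if (len == 0 || idtr_decode(img, len, &limit, &base) != 0) {
        puts("SIDT is not available for this build target");
        return 1;
    }
    printf("user-mode IDTR: base=0x%llx limit=0x%x -> Red Pill says: %s\n",
           (unsigned long long)base, limit,
           redpill_decide(img, len) ? "inside VM" : "native");
    return 0;
}
```

Build with `gcc -O2 -Wall redpill_user.c` (the inline assembly needs GCC or clang). The program only ever sees the user-mode IDTR; to reproduce the user/kernel discrepancy the paper describes, the same 6- or 10-byte image has to be taken from a kernel-mode driver (as SIDTcon does) and decoded with the same `idtr_decode`, then the two bases compared.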
// Oliver
PS: Updated to reflect the changes mentioned here. The old version of the paper can be downloaded here:
- The paper (PDF): redpill_getting_colorless.pdf (Rev. 1), the same compressed using RAR: redpill_getting_colorless.rar
There is a nice article from August on Jason Geffner’s blog about a similar finding on Virtual PC. However, the conclusions are different.
http://blogs.msdn.com/geffner/archive/2006/08/21/710834.aspx
New URL: http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2006/08/21/15.aspx
// Oliver
Geffner’s new blog is now at malwareanalysis.com.
I corrected the link above.
// Oliver