-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Anti-VM: XSETBV check #213
Comments
There are a couple of issues I see with this, but I think we need more information to understand how they are using XSETBV before I can concretely say whether this is something we can, or want to, do. If they're calling XSETBV from usermode, it shouldn't do anything but throw a general protection fault unconditionally, regardless of whether or not the system is running under a VM. Now, shouldn't isn't the same as won't, and it does appear that on some VM platforms you can cause the hypervisor to fault due to buggy handling. The only reference I could find is this article, which provides an example of using XSETBV as a detection mechanism. However, the way it does so is by registering a bugcheck callback routine in a driver, calling the XSETBV instruction with garbage parameters, then seeing if the bugcheck callback gets called before the system crashes. This indicates that the detection is being done from ring 0, using a driver, and that the detection mechanism necessarily crashes the system as part of the check. As a policy, Al-Khaser doesn't load drivers or do any kind of ring 0 detection. There are a number of reasons, but the three main ones are that driver signing is a pain in the ass, we don't want to load a driver that could be vulnerable (or load a known-vulnerable signed driver in order to execute code in kernelmode), and we don't want to provide a nice generic signed anti-VM driver for malware authors to use. Another policy we have is we avoid doing anything that risks crashing the box, causing data loss, or changing system settings. If you have a reference for how XSETBV can be used in order to detect VMs/hypervisors reliably, from usermode, without crashing anything, then that's definitely something we'd be interested in. |
Addendum: it also appears that this trick is only intended to work against incomplete / naive hypervisor implementations that were sloppily written (e.g. hypervisor drivers to avoid cheat detection, probably some EDR/AV products too), rather than mainstream virtual machine products. That being said, I think I need to sit down and have a good read through the VirtualBox source code regarding handling of XSETBV VM exit conditions, because a quick read through (see |
Hi,
I came across some malware that uses XSETBV to check for VM presence.
Could we add some checks on this?
The text was updated successfully, but these errors were encountered: