
Thread: Intel VT and cpuid break

  1. #1

    Intel VT and cpuid break

    Do you want to use cpuid as an int 3 or any other event? Well, Intel VT allows us that, as cpuid always generates a VM-Exit. In this case what we do is:

    1. Read the guest CR3 to check for the correct process
    2. Inject an int 3 event into the guest
    3. SoftICE will pop up if i3here on is set
    4. Enjoy

    bin/src -> http://deroko.phearless.org/cpuid_break.rar
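    The CPUID exit handler logic described above, as an added example in C that is not deroko's code from the linked archive. It models the VMCS fields a real handler would read and write (guest CR3, guest RIP, exit instruction length, VM-entry interruption information) as plain struct fields, so the decision logic and the encoding of the injected #BP can be checked outside a hypervisor; the struct and function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Guest state a VMX exit handler reads from the VMCS on a CPUID exit (modelled here). */
struct cpuid_exit {
    uint64_t guest_cr3;   /* GUEST_CR3: identifies the process that ran cpuid */
    uint64_t guest_rip;   /* GUEST_RIP: address of the cpuid instruction */
    uint32_t insn_len;    /* VM_EXIT_INSTRUCTION_LEN: 2 bytes for cpuid */
};

/* What the handler writes back before resuming the guest. */
struct vmentry_action {
    uint64_t new_rip;     /* GUEST_RIP to resume at */
    uint32_t intr_info;   /* VM_ENTRY_INTR_INFO_FIELD, 0 when nothing is injected */
    bool     injected;
};

/* VM-entry interruption-information layout (Intel SDM Vol. 3, VM-entry control fields):
   bits 7:0 vector, bits 10:8 type, bit 11 deliver error code, bit 31 valid. */
#define INTR_TYPE_HW_EXCEPTION 3u
#define INTR_INFO_VALID        (1u << 31)
#define BP_VECTOR              3u
#define CR3_ADDR_MASK          (~0xfffULL)  /* drop PCID / PWT / PCD bits before comparing */

static uint32_t encode_intr_info(uint32_t vector, uint32_t type) {
    return INTR_INFO_VALID | (type << 8) | (vector & 0xffu);
}

static bool same_process(uint64_t cr3_a, uint64_t cr3_b) {
    return (cr3_a & CR3_ADDR_MASK) == (cr3_b & CR3_ADDR_MASK);
}

/* Handle one CPUID VM-exit. Every process skips past cpuid as the hardware would;
   only the watched process additionally gets a #BP injected. It is injected as a
   hardware exception with RIP already advanced, so the guest's int 3 handler sees
   the same trap frame an int 3 at the cpuid site would have produced. */
struct vmentry_action handle_cpuid_exit(const struct cpuid_exit *e, uint64_t target_cr3) {
    struct vmentry_action a = {0};
    a.new_rip = e->guest_rip + e->insn_len;
    if (same_process(e->guest_cr3, target_cr3)) {
        a.intr_info = encode_intr_info(BP_VECTOR, INTR_TYPE_HW_EXCEPTION);
        a.injected = true;
    }
    return a;
}
```

A real handler would still have to emulate the CPUID result registers (the exit does not execute the instruction), which this example leaves out.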

  2. #2
    Hi deroko, I remember also reading an article about VT and cpuid on rootkit.com some time ago:

    http://www.rootkit.com/newsread.php?newsid=758

    The ones interested may wanna read this article as well.

    Ciao

  3. #3
    dELTA (Administrator)
    Another low-level gem from deroko, keep 'em coming.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  4. #4
    ghgh

    thanks
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  5. #5
    Hi Daniel,

    Yup, I remember that article, but the truth is that VT can be used for reversing purposes (rdtsc, DR emulation, IDT hooks without hooking the IDT - did anyone say PatchGuard?, cpuid faking for protectors which rely on cpuid as anti-dump, etc.). Not sure why everybody tries to use this tech for rootkits, as its real potential is RCE.

  6. #6
    Hi deroko,

    Well, this seems a good moment to tell you that I have an unfinished article about License Virtualization. That's why I was so interested in cpuid. And yes, it has great potential for RCE. =)

  7. #7
    can't wait to read it

  8. #8
    Sounds like a very interesting topic.

    Regards,
    JMI

  9. #9
    deroko: thanks. JMI, yeah it is. I'm also tempted to write the article pretty soon, because the quantity of code already written for that article borders on the surreal. But, to offer a demonstration, more code is needed, and I guess the demonstration is just too nice not to do. I'm sorry if I diverted the thread from the cpuid instruction.
