[Qemu-devel] Re: Have any ideas about how to detect whether a program is

From: Anthony Liguori
Subject: [Qemu-devel] Re: Have any ideas about how to detect whether a program is running inside QEMU?
Date: Fri, 07 Jul 2006 15:36:47 -0500
User-agent: Pan/ (As She Crawled Across the Table (Debian GNU/Linux))

On Fri, 07 Jul 2006 10:07:47 +0200, G Portokalidis wrote:

> Actually, I have also noticed this.
> It implies that an exploit might not succeed (this is usually the case with
> most exploits), since the attacker supplied shellcode will not be at the
> "expected" location.
> My question is, does anybody know why this happens? Why this difference
> when running qemu with kqemu and without... I wonder if there is a way to
> override this behaviour.

It's because kqemu is shadowing the IDT.  kqemu happens to be using high
vaddr space to do this.

kqemu needs to shadow the IDT so that traps are delivered to it (instead
of directly to the guest).


Anthony Liguori

> Cheers,
> G.
> PS: I'm also responsible for the qemu derivative Argos. We make sure that
> the attacker will never get to run his code to determine whether he is
> running within a VM. Of course there are always some types of attacks that we
> would not be able to detect.
> On 07/07/06, Kevin F. Quinn <address@hidden> wrote:
>> On Thu, 6 Jul 2006 16:46:40 -0400
>> Daniel Serpell <address@hidden> wrote:
>> > But there is a way to detect virtual machines under x86, see
>> > http://invisiblethings.org/papers/redpill.html
>> >
>> > But if you run qemu without direct instruction copying, it won't work
>> > (and qemu will run slower), because qemu will correctly emulate the
>> > unprivileged instructions.
>> Out of interest, sidt returns limit:base 07ff:c0372000 on my host, and
>> 07ff:f0050000 on a linux guest with kqemu, and 07ff:c04b5000 on the same
>> linux guest without kqemu, which illustrates the point.
>> I used the following code:
>> #include <stdio.h>
>> int main(int argc, char **argv) {
>>         /* SIDT stores a 6-byte pseudo-descriptor in 32-bit mode:
>>            16-bit limit followed by the 32-bit base, little-endian */
>>         unsigned char idtr[6];
>>         __asm__ ("sidt %0" : "=m" (*&idtr));
>>         fprintf(stdout,
>>                 "IDTR: limit %2.2x%2.2x base %2.2x%2.2x%2.2x%2.2x\n",
>>                 idtr[1],idtr[0],idtr[5],idtr[4],idtr[3],idtr[2]);
>>         return 0;
>> }
>> which doesn't need executable heap (my kernel is PaX-enabled), unlike
>> the redpill version, but is gcc-specific.
>> --
>> Kevin F. Quinn
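
Added example, not part of the original messages: a decoder for the IDTR image that sidt stores, applied to the three limit:base pairs quoted in the thread, so the kqemu shadow IDT base can be read next to the other two. It goes beyond the posted snippet by also handling 64-bit builds, where sidt writes 10 bytes rather than 6; the names idtr_val, idtr_decode, idt_gates32 and idtr_read are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
struct idtr_val { uint16_t limit; uint64_t base; };
/* SIDT stores a little-endian 16-bit limit, then a 4- or 8-byte base. */
static struct idtr_val idtr_decode(const unsigned char *raw, size_t base_len)
{
    struct idtr_val v = { (uint16_t)(raw[0] | (raw[1] << 8)), 0 };
    for (size_t i = 0; i < base_len; i++)
        v.base |= (uint64_t)raw[2 + i] << (8 * i);
    return v;
}

/* The limit is the offset of the last valid byte; 32-bit gates are 8 bytes. */
static unsigned idt_gates32(uint16_t limit) { return (limit + 1u) / 8u; }

/* Read the live IDTR; returns -1 where this build cannot issue SIDT. */
static int idtr_read(struct idtr_val *out)
{
#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    /* 64-bit mode stores 2 + 8 bytes; a 6-byte buffer fits 32-bit only. */
    struct { unsigned char b[10]; } raw = { { 0 } };
    __asm__ volatile ("sidt %0" : "=m" (raw));
    *out = idtr_decode(raw.b, sizeof(void *));
    return 0;
#else
    (void)out;
    return -1;
#endif
}

int main(void)
{
    /* Constructed from the limit:base pairs quoted in the thread. */
    static const struct { const char *where; unsigned char raw[6]; } seen[] = {
        { "host",            { 0xff, 0x07, 0x00, 0x20, 0x37, 0xc0 } },
        { "guest, kqemu",    { 0xff, 0x07, 0x00, 0x00, 0x05, 0xf0 } },
        { "guest, no kqemu", { 0xff, 0x07, 0x00, 0x50, 0x4b, 0xc0 } },
    };
    struct idtr_val v;
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        v = idtr_decode(seen[i].raw, 4);
        printf("%-16s limit %04x (%u gates) base %08llx\n", seen[i].where,
               v.limit, idt_gates32(v.limit), (unsigned long long)v.base);
    }
    if (idtr_read(&v) == 0)
        printf("%-16s limit %04x base %llx\n", "this machine",
               v.limit, (unsigned long long)v.base);
    return 0;
}
```

On processors with UMIP enabled the kernel traps user-mode sidt, so the live read may return a dummy value or fault rather than expose the real base.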
