qemu-devel.nongnu.org archive mirror
From: "G Portokalidis" <georgios.portokalidis@gmail.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
Date: Fri, 7 Jul 2006 10:07:47 +0200
Message-ID: <ef735050607070107u4708f651t3e905b2526e46e5@mail.gmail.com>
In-Reply-To: <20060707012114.4a4a0c44@c1358217.kevquinn.com>

Actually, I have also noticed this.
It implies that an exploit might not succeed (this is usually the case
with most exploits), since the attacker-supplied shellcode will not be
at the "expected" location.

My question is, does anybody know why this happens? Why this
difference when running qemu with kqemu and without...
I wonder if there is a way to override this behaviour.

Cheers,
G.

PS: I'm also responsible for the qemu derivative Argos. We make sure
that the attacker will never get to run his code to determine whether
he is running within a VM. Of course there are always some types of
attacks that we would not be able to detect.

On 07/07/06, Kevin F. Quinn <ml@kevquinn.com> wrote:
> On Thu, 6 Jul 2006 16:46:40 -0400
> Daniel Serpell <daniel_serpell@yahoo.com> wrote:
>
> > But there is a way to detect virtual machines under x86, see
> > http://invisiblethings.org/papers/redpill.html
> >
> > But if you run qemu without direct instruction copying, it won't
> > work (and qemu will run slower), because qemu will correctly
> > emulate the unprivileged instructions.
>
> Out of interest, sidt returns limit:base 07ff:c0372000 on my
> host, and 07ff:f0050000 on a linux guest with kqemu, and 07ff:c04b5000
> on the same linux guest without kqemu, which illustrates the point.
>
> I used the following code:
>
> #include <stdio.h>
> int main(int argc, char **argv) {
>         unsigned char idtr[6];
>         __asm__ ("sidt %0" : "=m" (*&idtr));
>         fprintf(stdout,
>                 "IDTR: limit %2.2x%2.2x base %2.2x%2.2x%2.2x%2.2x\n",
>                 idtr[1],idtr[0],idtr[5],idtr[4],idtr[3],idtr[2]);
> }
>
> which doesn't need executable heap (my kernel is PaX-enabled), unlike
> the redpill version, but is gcc-specific.
>
> --
> Kevin F. Quinn
>
>
> _______________________________________________
> Qemu-devel mailing list
> Qemu-devel@nongnu.org
> http://lists.nongnu.org/mailman/listinfo/qemu-devel
>
>
>
>
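The thread above shows why a stored IDTR base is an anti-VM indicator: its value depends on the host, the guest and whether kqemu is in use. From the analyst's side, the same fact makes descriptor-table store instructions (SGDT, SIDT, SLDT, STR) worth flagging when triaging an unknown binary, since benign user-space code almost never executes them. The scanner below is an added example written for this page, not code from the thread or from QEMU. It walks raw x86 code bytes looking for the `0F 01 /0`, `0F 01 /1`, `0F 00 /0` and `0F 00 /1` encodings (where `/N` is the reg field of the ModR/M byte) and reports each hit with its offset; the sample byte string is constructed here to mirror what gcc emits for the quoted `sidt %0` plus an `sgdt`, with a `0F 01 C1` (mod=3, not a descriptor store) included to show the filter.

```python
"""Flag descriptor-table store instructions in raw x86 code bytes.

Added example (not from the qemu-devel thread). Encodings assumed:
  SGDT m   : 0F 01 /0      SIDT m   : 0F 01 /1
  SLDT r/m : 0F 00 /0      STR  r/m : 0F 00 /1
SGDT/SIDT take a memory operand only, so a ModR/M with mod == 3 after
0F 01 is some other instruction and is not reported.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int      # byte offset of the 0F escape byte
    mnemonic: str
    modrm: int


# (second opcode byte, ModR/M reg field) -> mnemonic
_TABLE = {
    (0x01, 0): "sgdt",
    (0x01, 1): "sidt",
    (0x00, 0): "sldt",
    (0x00, 1): "str",
}


def scan_descriptor_stores(code: bytes) -> list[Hit]:
    """Linear byte scan; returns every candidate descriptor-table store.

    This is not a disassembler: a match inside an immediate or data
    blob is possible, so treat hits as a triage signal to confirm in
    a real disassembly, not as proof of anti-VM behaviour.
    """
    hits: list[Hit] = []
    i = 0
    while i + 2 < len(code):
        if code[i] == 0x0F and code[i + 1] in (0x00, 0x01):
            modrm = code[i + 2]
            mod = modrm >> 6
            reg = (modrm >> 3) & 0x7
            key = (code[i + 1], reg)
            # SGDT/SIDT need a memory operand; mod == 3 means a
            # different 0F 01 instruction shares the reg value.
            if key in _TABLE and not (code[i + 1] == 0x01 and mod == 3):
                hits.append(Hit(i, _TABLE[key], modrm))
        i += 1
    return hits


def describe(hits: list[Hit]) -> list[str]:
    """Human-readable lines for a triage report."""
    return [f"{h.offset:#06x}: {h.mnemonic} (modrm={h.modrm:#04x})" for h in hits]


# Constructed sample, 32-bit: prologue, sidt -6(%ebp), sgdt -0x10(%ebp),
# a 0F 01 C1 byte triple (mod == 3, must NOT be flagged), leave/ret.
SAMPLE_CODE = bytes.fromhex(
    "55 89 e5 83 ec 10"   # push %ebp; mov %esp,%ebp; sub $0x10,%esp
    "0f 01 4d fa"         # sidt -0x6(%ebp)   -> offset 6
    "0f 01 45 f0"         # sgdt -0x10(%ebp)  -> offset 10
    "0f 01 c1"            # 0F 01 with mod == 3: not a descriptor store
    "c9 c3"               # leave; ret
)

if __name__ == "__main__":
    for line in describe(scan_descriptor_stores(SAMPLE_CODE)):
        print(line)
```

Run on a code section extracted from a binary, the two hits here would be the same signal a sandbox analyst looks for before deciding whether the sample needs to be detonated on bare metal rather than under QEMU.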


Thread overview: 13+ messages
2006-07-06  5:04 [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU? James Lau
2006-07-06  6:48 ` Natalia Portillo
2006-07-06  6:55 ` John R. Hogerhuis
2006-07-06  7:18   ` James Lau
2006-07-06  8:20     ` Kevin F. Quinn
2006-07-06 10:33     ` Jan Marten Simons
2006-07-07  2:12       ` James Lau
2006-07-06 10:56     ` Jamie Lokier
2006-07-06 20:46     ` Daniel Serpell
2006-07-06 23:21       ` Kevin F. Quinn
2006-07-07  8:07         ` G Portokalidis [this message]
2006-07-07 20:36           ` [Qemu-devel] " Anthony Liguori
2006-07-07  0:06       ` Anthony Liguori
