SYSENTER hook

Posted: 10. Feb 2010, 16:53
by gb_master
Hello buddies, I'll post my problem here. I've installed Windows XP on my Virtualbox-3.1.2 VM just to learn how to develop rootkits (or at least learn some more about them). After I completed the installation, I installed Rootkit Unhooker to check whether the development of my simple rootkit was going well. The real problem is that Rootkit Unhooker reveals a hook on SYSENTER/INT 0x2E at the address 0x00000000, which for me (and my little experience) really makes no sense. I am unable to create a new hook on SYSENTER or to unhook the existing one. What do you think about this?

Re: SYSENTER hook

Posted: 10. Feb 2010, 18:44
by mpack
All guest code that normally runs at ring 0 is made to run at ring 1 instead when running in the VM. That way the higher privilege level is reserved for parts of VBox itself, and of course the host OS kernel. I imagine the hook you have found is related to that.

Re: SYSENTER hook

Posted: 10. Feb 2010, 19:25
by gb_master
Mmm... that would mean that there's no solution to this problem. I don't know if this is useful, but I tried to virtualize WinXP on a PC of a friend of mine with VMWare (shame on me!) and there's no hook in that situation. This makes me think that it's just a different approach to virtualization (but I'm just making guesses, as I don't know much about virtualization).