SYSENTER hook
- Posts: 2
- Joined: 10. Feb 2010, 13:41
- Primary OS: Debian other
- VBox Version: PUEL
- Guest OSses: Windows XP
SYSENTER hook
Hello buddies, I'll post my problem here. I've installed Windows XP on my Virtualbox-3.1.2 VM just to learn how to develop rootkits (or at least learn some more about them). After I completed the installation, I installed Rootkit Unhooker to check whether the development of my simple rootkit was going well. The real problem is that Rootkit Unhooker reveals a hook on SYSENTER/INT 0x2E at the address 0x00000000, which for me (and my little experience) really makes no sense. I am unable to create a new hook on SYSENTER or to unhook the existing one. What do you think about this?
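For readers who want to see what a scanner such as Rootkit Unhooker is actually checking when it reports a "hook" on SYSENTER, here is an added example (it is not code from this thread, from Rootkit Unhooker or from VirtualBox). It classifies the SYSENTER MSRs of one CPU against the list of loaded kernel modules: a handler inside ntoskrnl is clean, a handler inside some other module or outside every module is a hook, and a reading of 0x00000000 is flagged as anomalous because it cannot be a working entry point. The MSR indices are the architectural ones from the Intel manuals; reading them on a real machine needs a kernel driver, so the readings, module names, bases and sizes below are constructed sample data.

```python
"""
Classify the SYSENTER entry point the way an anti-rootkit scanner does.

On 32-bit Windows XP the kernel programs IA32_SYSENTER_EIP (MSR 0x176) with
the address of its fast system-call entry inside ntoskrnl. A scanner reads
the MSR (that needs a kernel driver; here the readings are constructed) and
reports a hook when the address points outside the kernel image. A reading
of 0 cannot be a valid handler, so it is reported as well; inside a VirtualBox
guest whose kernel runs at ring 1 it may be a virtualization artifact rather
than a rootkit, which a scanner cannot tell apart by itself.

Added example; not code from Rootkit Unhooker or VirtualBox. MSR numbers
follow the Intel SDM; module names, bases and sizes are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Architectural MSR indices for SYSENTER (Intel SDM, volume 3).
IA32_SYSENTER_CS = 0x174
IA32_SYSENTER_ESP = 0x175
IA32_SYSENTER_EIP = 0x176


@dataclass(frozen=True)
class KernelModule:
    """A loaded kernel image, as a scanner would enumerate it."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: Iterable[KernelModule]) -> Optional[KernelModule]:
    """Return the loaded module whose image range covers addr, if any."""
    for module in modules:
        if module.contains(addr):
            return module
    return None


def classify_sysenter(msrs: Dict[int, int], modules: Iterable[KernelModule],
                      kernel_image: str = "ntoskrnl.exe") -> Tuple[str, str]:
    """Return (verdict, reason) for the SYSENTER MSRs of one CPU.

    verdict is one of "clean", "hooked", "anomalous".
    """
    eip = msrs.get(IA32_SYSENTER_EIP, 0)
    cs = msrs.get(IA32_SYSENTER_CS, 0)
    if eip == 0:
        # The thread's case: 0x00000000 is not a usable handler. Either the
        # entry was cleared or the hypervisor does not expose the guest
        # kernel's real value to the ring-1 guest kernel.
        return ("anomalous",
                "IA32_SYSENTER_EIP reads 0x00000000: not a valid handler; "
                "possible hook or virtualization artifact")
    if cs == 0:
        # SYSENTER raises #GP when the CS MSR selector is 0, so this is broken state.
        return ("anomalous", "IA32_SYSENTER_CS is 0: SYSENTER is not usable")
    owner = owner_of(eip, modules)
    if owner is None:
        return ("hooked", f"handler {eip:#010x} lies outside every loaded module")
    if owner.name.lower() != kernel_image.lower():
        return ("hooked", f"handler {eip:#010x} lies inside {owner.name}, not {kernel_image}")
    return ("clean", f"handler {eip:#010x} lies inside {owner.name}")


# Constructed sample inventory for a 32-bit XP guest (all addresses are made up).
SAMPLE_MODULES = (
    KernelModule("ntoskrnl.exe", 0x804D7000, 0x00216000),
    KernelModule("hal.dll", 0x806EE000, 0x00020000),
    KernelModule("mydriver.sys", 0xF8A10000, 0x00004000),
)

# Constructed MSR readings: a clean kernel, a driver that redirected SYSENTER,
# and the all-zero reading reported in this thread.
SAMPLE_READINGS = {
    "clean": {IA32_SYSENTER_CS: 0x8, IA32_SYSENTER_ESP: 0xF7C00000, IA32_SYSENTER_EIP: 0x804DE6F0},
    "hooked": {IA32_SYSENTER_CS: 0x8, IA32_SYSENTER_ESP: 0xF7C00000, IA32_SYSENTER_EIP: 0xF8A11200},
    "vbox": {IA32_SYSENTER_CS: 0x8, IA32_SYSENTER_ESP: 0x0, IA32_SYSENTER_EIP: 0x0},
}


def scan(readings: Dict[str, Dict[int, int]]) -> Dict[str, Tuple[str, str]]:
    """Classify every reading against the sample module list."""
    return {label: classify_sysenter(msrs, SAMPLE_MODULES) for label, msrs in readings.items()}


if __name__ == "__main__":
    for label, (verdict, reason) in scan(SAMPLE_READINGS).items():
        print(f"{label:7} {verdict:9} {reason}")
```

The point of the "anomalous" verdict is that the scanner only sees the value it managed to read; it has no way of knowing whether a 0 came from a rootkit clearing the MSR or from the hypervisor not exposing the real entry to a guest kernel that is no longer at ring 0, which is the explanation offered further down in this thread.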
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: SYSENTER hook
All guest code that normally runs at ring 0 is made to run at ring 1 instead when running in the VM. That way the higher privilege level is reserved for parts of VBox itself, and of course the host OS kernel. I imagine the hook you have found is related to that.
- Posts: 2
- Joined: 10. Feb 2010, 13:41
- Primary OS: Debian other
- VBox Version: PUEL
- Guest OSses: Windows XP
Re: SYSENTER hook
Mmm... that would mean that there's no solution to this problem. I don't know if this is useful, but I tried to virtualize WinXP on a friend's PC with VMWare (shame on me!) and there is no hook in that situation. This makes me think that it's just a different approach to virtualization (but I'm just making guesses, as I don't know much about virtualization).