SYSENTER hook


SYSENTER hook

Postby gb_master » 10. Feb 2010, 16:53

Hello buddies, I'll post my problem here. I've installed Windows XP on my Virtualbox-3.1.2 VM just to learn developing rootkits (or at least learn some more about them). After I completed the installation, I installed Rootkit Unhooker to check whether the development of my simple rootkit was going well. The real problem is that Rootkit Unhooker reveals a hook on SYSENTER/INT 0x2E at the address 0x00000000, which for me (and my little experience) really makes no sense. I am unable to create a new hook on SYSENTER or to unhook the existing one. What do you think about this?
gb_master
 
Posts: 2
Joined: 10. Feb 2010, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP

Re: SYSENTER hook

Postby mpack » 10. Feb 2010, 18:44

All guest code that normally runs at ring 0 is made to run at ring 1 instead when running in the VM. That way the higher privilege level is reserved for parts of VBox itself, and of course the host OS kernel. I imagine the hook you have found is related to that.
mpack
Site Moderator
 
Posts: 13216
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows XP
VBox Version: PUEL
Guest OSses: Mostly XP

Re: SYSENTER hook

Postby gb_master » 10. Feb 2010, 19:25

Mmm... that would mean that there's no solution to this problem. I don't know if this is useful, but I tried to virtualize WinXP on a PC of a friend of mine with VMWare (shame on me!) and there's no hook in that situation. This makes me think that it's just a different approach to virtualization (but I'm just making guesses, as I don't know much about virtualization).
gb_master
 
Posts: 2
Joined: 10. Feb 2010, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP
