SYSENTER hook

This is for discussing general topics about how to use VirtualBox.
gb_master
Posts: 2
Joined: 10. Feb 2010, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP

SYSENTER hook

Post by gb_master »

Hello buddies, I'll post my problem here. I've installed Windows XP on my VirtualBox 3.1.2 VM just to learn developing rootkits (or at least learn some more about them). After I completed the installation, I installed Rootkit Unhooker to check whether the development of my simple rootkit was going well. The real problem is that Rootkit Unhooker reveals a hook on SYSENTER/INT 0x2E at the address 0x00000000, which to me (and my little experience) really makes no sense. I am unable to create a new hook on SYSENTER or unhook the existing one. What do you think about this?
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: SYSENTER hook

Post by mpack »

All guest code that normally runs at ring 0 is made to run at ring 1 instead when running in the VM. That way the higher privilege level is reserved for parts of VBox itself, and of course the host OS kernel. I imagine the hook you have found is related to that.
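As an added example (not code from this thread, from Rootkit Unhooker, or from VirtualBox), here is the kind of sanity check a hook scanner applies to the two syscall entry points the original post names: the SYSENTER kernel entry (the IA32_SYSENTER_EIP MSR, index 0x176) and the INT 0x2E IDT handler. Both are expected to land inside ntoskrnl; a target in user space, in an unexpected driver, or outside every loaded module is what a scanner reports as a hook. The entry addresses are taken as inputs rather than read from hardware (reading MSRs or the IDT needs ring 0, which a plain script does not have), and the module list, base addresses and sample readings are all constructed for the example. The 0x00000000 reading is handled as its own case: it is not a usable entry point, so, as the reply above suggests, it is reported as an environment artifact rather than as a hook.

```python
"""Classify syscall entry addresses the way a hook scanner would.

Constructed example for the forum thread; not Rootkit Unhooker's or
VirtualBox's code. Addresses below are illustrative, not a real XP layout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IA32_SYSENTER_EIP = 0x176        # real MSR index of the SYSENTER kernel entry point
KERNEL_SPACE_START = 0x80000000  # 32-bit Windows, default 2 GB / 2 GB split (no /3GB)


@dataclass(frozen=True)
class KernelModule:
    """A loaded kernel module: [base, base + size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed sample of a guest's loaded kernel modules (assumption: illustrative only).
SAMPLE_MODULES: List[KernelModule] = [
    KernelModule("ntoskrnl.exe", 0x804D7000, 0x00215000),
    KernelModule("hal.dll", 0x806EE000, 0x00020000),
    KernelModule("mystery.sys", 0xF8A10000, 0x00004000),  # hypothetical third-party driver
]


def find_module(addr: int, modules: List[KernelModule]) -> Optional[KernelModule]:
    """Return the module whose image range covers addr, or None."""
    for mod in modules:
        if mod.contains(addr):
            return mod
    return None


def classify_syscall_entry(addr: int, modules: List[KernelModule],
                           expected_module: str = "ntoskrnl.exe") -> Tuple[str, str]:
    """Classify one syscall entry address (SYSENTER EIP or the INT 0x2E handler).

    Returns (status, detail) with status one of "ok", "hooked", "invalid".
    """
    if addr == 0:
        # A null entry point cannot be a working hook: the CPU would fault on the
        # first system call. Report it as an artifact of the scanner/environment.
        return ("invalid", "null entry address: not a usable hook target; "
                           "treat as a scanner or environment artifact, not as a hook")
    if addr < KERNEL_SPACE_START:
        return ("hooked", f"entry 0x{addr:08x} points into user space")
    mod = find_module(addr, modules)
    if mod is None:
        return ("hooked", f"entry 0x{addr:08x} lies outside every loaded module")
    if mod.name.lower() != expected_module.lower():
        return ("hooked", f"entry 0x{addr:08x} is inside {mod.name}, not {expected_module}")
    return ("ok", f"entry 0x{addr:08x} = {mod.name}+0x{addr - mod.base:x}")


def scan(report: Dict[str, int], modules: List[KernelModule]) -> Dict[str, Tuple[str, str]]:
    """Apply the classification to every entry of a scanner-style report."""
    return {name: classify_syscall_entry(addr, modules) for name, addr in report.items()}


if __name__ == "__main__":
    # Constructed readings: a clean guest, and one resembling the original post.
    clean = {"SYSENTER_EIP (MSR 0x176)": 0x804D7000 + 0x1234,
             "INT 0x2E handler": 0x804D7000 + 0x2000}
    suspicious = {"SYSENTER_EIP (MSR 0x176)": 0xF8A10100,
                  "INT 0x2E handler": 0x00000000}
    for label, rep in (("clean", clean), ("suspicious", suspicious)):
        for name, (status, detail) in scan(rep, SAMPLE_MODULES).items():
            print(f"[{label}] {name}: {status}: {detail}")
```

The three-way verdict is the point: a scanner that lumps a 0x00000000 reading in with real hooks (as the one in the thread appears to do) produces a finding nobody can act on, whereas separating "invalid reading" from "entry outside ntoskrnl" tells the analyst whether to investigate a driver or to question the measurement itself.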
gb_master
Posts: 2
Joined: 10. Feb 2010, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP

Re: SYSENTER hook

Post by gb_master »

Mmm... that would mean that there's no solution to this problem. I don't know if this is useful, but I tried to virtualize WinXP on a PC of a friend of mine with VMware (shame on me!) and there's no hook in that situation. This makes me think that it's just a different approach to virtualization (but I'm just making guesses, as I don't know much about virtualization).