How to bypass Red Pill detection against VirtualBox?
Posted: 15. Jan 2009, 05:22
by daishuo
Hi all, I'm working on a sandbox project that monitors and records malware behaviors. VirtualBox is employed as the virtual system.
I found that Red Pill works for VirtualBox. Lots of malware samples are using Red Pills to detect virtual environment and refuse to run in VMs.
Is there any solution to bypass Red Pill?
CPU: Intel Celeron 2.8GHz
Memory: 1.5GB
Host OS: Windows XP Professional SP3
Guest OS: Windows XP Professional SP3
Posted: 15. Jan 2009, 07:14
by TerryE
Use H/W virtualisation. This gives far finer control over the so-called 17 dangerous instructions including SIDT. Guest code which execs the readonly ones is typically not trapped / translated in S/W because of the overhead, and it is rarely necessary. The H/W systems have finer control. See VirtualBox SVN — HWACCM.cpp line 105.
Ironically these "smart ways" can be defeated, but there is little that you can do to prevent Guest code detecting that you are running in a VM. Why? Because a VM is just that: a virtual machine which has its own characteristics: VGA adapter, IDE + HDD characteristics, ..., device drivers. For legacy guest OS support these tend not to emulate the bleeding edge H/W you see in modern PCs. You can quite easily determine if you are running in a VM. I've given example scripts in this forum.
Security mechanisms should not rely on obfuscation. They should rely on the intrinsic strength of the algorithms and architecture. You should assume that knowledgeable guests can detect that they are running in a VM. The issue is whether they can do anything about it, even if they do so.
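A guest-side self-test a sandbox operator can run before and after switching the VM to H/W virtualisation, to confirm whether the IDT base still lands where the Red Pill heuristic looks. This is an added example, not code from the thread or from VirtualBox; the 0xd0 threshold is the published 32-bit Red Pill rule, and the function and type names are ours.

```c
/* Added example (not from the thread): read IDTR inside the guest and apply
 * the classic Red Pill rule, so the operator can check the mitigation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* sidt stores a 2-byte limit followed by the base (4 bytes on 32-bit,
 * 8 bytes on 64-bit). We always reserve room for the 10-byte form. */
typedef struct { uint8_t raw[10]; } idtr_image;

/* Assemble the little-endian base address from a raw IDTR image. */
static uint64_t idtr_base(const idtr_image *r, int base_bytes) {
    uint64_t base = 0;
    for (int i = base_bytes - 1; i >= 0; i--)
        base = (base << 8) | r->raw[2 + i];
    return base;
}

/* Red Pill rule (32-bit guests): native kernels keep the IDT below
 * 0xd0000000 (Windows 0x80ffffff, Linux 0xc0ffffff); the VMMs of that era
 * relocated it higher. Returns 1 when the heuristic would say "VM".
 * The rule is undefined for 64-bit guests, so those are reported as 0. */
static int redpill_flags_vm(uint64_t base, int base_bytes) {
    if (base_bytes != 4) return 0;
    return ((base >> 24) & 0xff) > 0xd0;
}

/* Read IDTR on x86; returns the base width in bytes, or 0 if not x86. */
static int read_idtr(idtr_image *out) {
#if defined(__i386__) || defined(__x86_64__)
    memset(out, 0, sizeof *out);
    __asm__ volatile ("sidt %0" : "=m" (*out));
    return (int)sizeof(void *);
#else
    (void)out;
    return 0;
#endif
}

int main(void) {
    idtr_image r;
    int width = read_idtr(&r);
    if (width == 0) { puts("not x86: Red Pill does not apply"); return 0; }
    uint64_t base = idtr_base(&r, width);
    printf("IDT base: 0x%llx (%d-bit)\n", (unsigned long long)base, width * 8);
    printf("Red Pill verdict: %s\n", redpill_flags_vm(base, width) ? "VM" : "native");
    return 0;
}
```

Run it in the 32-bit guest with H/W virtualisation off and then on; a "native" verdict in the second run is what you are after, though as TerryE notes the other device-level fingerprints remain.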
Posted: 15. Jan 2009, 16:04
by Verb
Some people don't use VMs because of this problem. While I don't yet have experience with these, you could try Truman or ZeroWine. They are both very new projects, but they have a lot of potential.
Posted: 15. Jan 2009, 16:51
by TerryE
Thanks Verb, interesting reading. However, I still think that a properly crafted VMM can run secure VMs — or at least an order of magnitude safer to the host than getting a threat on your native OS, in an architecture such as NT.
Of course you still have all of the vulnerabilities of a compromised machine on the same network. If you are running H/W virtualisation, then as long as you don't run Host file sharing, then really the only exploitation route is a successful attack on the HGCM interface that Guest Additions uses.