
Detecting Drakvuf by 'remapped_gfn' #309

Closed
skvl opened this Issue Sep 29, 2017 · 4 comments


skvl commented Sep 29, 2017

Hello.

In libdrakvuf/vmi.c:inject_trap_pa() a new page is added to the guest physical address space like this:

        /* take the next frame number past the guest's current maximum */
        remapped_gfn->r = ++(drakvuf->max_gpfn);

        /* back that frame with a freshly populated page in the guest's physmap */
        rc = xc_domain_populate_physmap_exact(drakvuf->xen->xc, drakvuf->domID, 1, 0, 0, &remapped_gfn->r);

Could kernel-mode code scan memory after the end of virtual RAM (for example, for a VM with 1G of RAM, scanning addresses starting from 0x40000000) to detect these pages?

tklengyel commented Sep 29, 2017

It could detect that there is a page there but reading/writing to it would return nothing. See https://github.com/tklengyel/drakvuf/blob/master/src/libdrakvuf/vmi.c#L1199

saimoon commented Oct 4, 2017

Drakvuf could be detected using its shadow pages mapping to the zero page:

        xc_altp2m_change_gfn(drakvuf->xen->xc, drakvuf->domID, drakvuf->altp2m_idr, remapped_gfn->r, drakvuf->zero_page_gfn);

As tklengyel said in the code comments (issue and possible solution):

        /*
         * TODO: We will use the idr view to map all shadow pages to the zero (empty) page in case
         * something is trying to check the contents of these pages. However, since all shadow pages
         * will point to the zero page, if someone writes to one, the change will appear through the
         * other shadow pages as well, thus potentially revealing the presence of DRAKVUF. This can
         * be avoided if we cache all pages separately that have been written to and use emulate with
         * custom read data to only return the change in the page on the gfn it was written to.
         */

It'd be interesting to implement the proposed solution.
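To make the aliasing problem in that TODO concrete, the following is an added toy model in C written for this page; it is not DRAKVUF or Xen code and touches no real altp2m view. The `view_t` structure, its helper functions, the `RAM_GFNS` limit and the shadow frame numbers 10 and 11 are all hypothetical. The model covers both the probe from the opening post (frames above the end of RAM that are present but read as empty) and the write-through check the TODO worries about: in the first configuration every shadow gfn aliases one shared zero page, so a marker written through one shadow gfn reads back through the other; in the second, the first write to a gfn takes a private copy and later reads of that gfn are answered from it, which is the cache-and-emulate approach the comment proposes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096
#define MAX_GFNS 16
#define RAM_GFNS 8   /* hypothetical: frames 0..7 are "real" guest RAM */

/* Hypothetical toy model of one altp2m view (not Xen's p2m): each guest
 * frame number (gfn) points at a backing page, and several shadow gfns may
 * alias the same backing page, which is what remapping them all to the
 * zero page does. */
typedef struct {
    uint8_t *backing[MAX_GFNS];  /* gfn -> backing page, NULL = not present */
    uint8_t *cow[MAX_GFNS];      /* per-gfn private copy after a write (the fix) */
    int per_gfn_cache;           /* 0: writes land in the shared page; 1: cached per gfn */
    uint8_t zero_page[PAGE_SIZE];
} view_t;

static void view_init(view_t *v, int per_gfn_cache) {
    memset(v, 0, sizeof *v);
    v->per_gfn_cache = per_gfn_cache;
    for (unsigned g = 0; g < RAM_GFNS; g++)
        v->backing[g] = calloc(1, PAGE_SIZE);  /* ordinary guest RAM */
}

static void view_free(view_t *v) {
    for (unsigned g = 0; g < MAX_GFNS; g++) {
        if (g < RAM_GFNS) free(v->backing[g]);  /* shadow gfns point at zero_page, not heap */
        free(v->cow[g]);
    }
}

/* Models the effect of xc_altp2m_change_gfn(..., remapped_gfn, zero_page_gfn):
 * the shadow frame appears populated but reads back as the empty page. */
static void map_shadow_to_zero(view_t *v, unsigned gfn) {
    v->backing[gfn] = v->zero_page;
}

static uint8_t guest_read(const view_t *v, unsigned gfn, unsigned off) {
    if (v->cow[gfn]) return v->cow[gfn][off];   /* "emulate with custom read data" */
    return v->backing[gfn] ? v->backing[gfn][off] : 0;
}

static int guest_write(view_t *v, unsigned gfn, unsigned off, uint8_t val) {
    if (gfn >= MAX_GFNS || !v->backing[gfn]) return -1;
    if (!v->per_gfn_cache) {
        v->backing[gfn][off] = val;  /* lands in the one shared zero page */
        return 0;
    }
    if (!v->cow[gfn]) {  /* first write to this gfn: take a private copy */
        v->cow[gfn] = malloc(PAGE_SIZE);
        if (!v->cow[gfn]) return -1;
        memcpy(v->cow[gfn], v->backing[gfn], PAGE_SIZE);
    }
    v->cow[gfn][off] = val;
    return 0;
}

/* The probe from the opening post: frames past the end of RAM that are
 * present. They exist, but reading them yields the empty page. */
static int count_present_above_ram(const view_t *v) {
    int n = 0;
    for (unsigned g = RAM_GFNS; g < MAX_GFNS; g++)
        if (v->backing[g]) n++;
    return n;
}

/* The check the TODO comment worries about: write a marker through one
 * shadow gfn, read it back through another. 1 = aliasing observed. */
static int detect_aliased_shadow(view_t *v, unsigned gfn_a, unsigned gfn_b) {
    const uint8_t marker = 0x5A;
    if (guest_read(v, gfn_b, 0) == marker) return -1;  /* inconclusive */
    if (guest_write(v, gfn_a, 0, marker) != 0) return -1;
    return guest_read(v, gfn_b, 0) == marker;
}

/* Whole scenario with two shadow pages at gfn 10 and 11; returns the
 * detection result: 1 when the shared zero page leaks the write. */
static int run_scenario(int per_gfn_cache) {
    view_t v;
    view_init(&v, per_gfn_cache);
    map_shadow_to_zero(&v, 10);
    map_shadow_to_zero(&v, 11);
    int r = detect_aliased_shadow(&v, 10, 11);
    view_free(&v);
    return r;
}

/* Same setup, counting what the above-RAM scan sees (2 shadow frames). */
static int run_scan(void) {
    view_t v;
    view_init(&v, 0);
    map_shadow_to_zero(&v, 10);
    map_shadow_to_zero(&v, 11);
    int n = count_present_above_ram(&v);
    view_free(&v);
    return n;
}

int main(void) {
    printf("frames present above RAM:            %d\n", run_scan());
    printf("shared zero page, no cache: aliasing = %d\n", run_scenario(0));
    printf("per-gfn write cache:        aliasing = %d\n", run_scenario(1));
    return 0;
}
```

The scan still finds the extra frames in both configurations, which matches the reply above that their presence is detectable while their contents are not; the per-gfn copy only closes the write-through side channel, and an implementation on real hardware would have to intercept the write (for example via an EPT violation) rather than let it reach the shared page.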

tklengyel commented Oct 5, 2017

Certainly, feel free to do so ;)

tklengyel commented Aug 1, 2018

Fixed by #412

@tklengyel tklengyel closed this Aug 1, 2018
