
Re: [LUG] VM's and W7 crash

 

On 21/12/11 16:05, tom wrote:
> I don't know if you've heard of this Safari crashing W7 thing but I was
> wondering if anyone has experience of debugging the OS in a VM - i.e.
> could I reproduce the crash and then examine the VM setup for
> debugging purposes?
> This would, I imagine, be a very easy way for a bad hacker to get in,
> find and reproduce the problem and build on it.
>
> Just wondering
> Tom te tom te tom
>

Yes and no - mostly no though. Debugging in a VM is fine and, except for
certain known issues, is the primary method most researchers/hackers/etc
use when investigating/developing vulnerabilities - the ability to use
multiple snapshots is invaluable, for example. The real work, however, will
still be done inside the VM with your regular debugging and disassembly
tools: you can't just magically completely deconstruct the entire attack
surface and code execution path by diffing a before and after exploit VM
image (think about it: if it was this easy then anyone with a copy of
VirtualBox would be writing rootkits).

In my experience at least, VMs are a useful tool for analysing the
effects *caused* by malware and tracking the filesystem writes, network
I/O and any other mischief the payload brings, but actually
understanding *how* the malware code originally executes requires an
in-depth understanding of the stack, kernel internals, memory addressing
and countless other factors that are not necessarily exposed further
merely by virtue of the target OS being virtualized rather than bare
metal. In fact, unless you're specifically targeting the virtualized
system ecology with your zero day (and many do, who wouldn't like to be
able to break out of jails/chroots/LPARS/VPARS/etc to the hypervisor?)
the massive added complexity overhead of a VM brings many complications
to malware development and many prefer to do initial development on bare
metal. Shellcode is complicated enough as it is without ring -1 getting
in the way.

Saying all that, you'd be surprised what can be pulled out of the
pagefile.sys from a crashed virtualized victim box sometimes though - or
the swap partition.

As for the initial issue, Safari on win7: ha ha. Rather them than me,
talk about the worst of both worlds...

Cheers,

Mat
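Mat's point that a before/after snapshot comparison shows what a payload *did* to the filesystem (not how it executed), illustrated with an added Python example that is not part of the list post. The function names, the two manifests and the file paths in them are constructed for the demonstration; on a real case each manifest would come from walking a mounted snapshot image.

```python
import hashlib
import os
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Walk a mounted snapshot and map each file path to its SHA-256.

    Run once on the clean snapshot and once after detonation, then feed both
    results to diff_manifests(). Paths are stored relative to `root` so two
    separately mounted images line up.
    """
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # locked or special files are skipped, not fatal
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def diff_manifests(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as created, deleted or modified between two snapshots."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


# Constructed sample manifests standing in for two real snapshot walks.
CLEAN = {
    "Windows/System32/drivers/etc/hosts": "a1" * 32,
    "Users/victim/Documents/notes.txt": "b2" * 32,
    "Windows/System32/kernel32.dll": "c3" * 32,
}
AFTER = {
    "Windows/System32/drivers/etc/hosts": "d4" * 32,          # rewritten
    "Windows/System32/kernel32.dll": "c3" * 32,               # untouched
    "Users/victim/AppData/Local/Temp/svchost.exe": "e5" * 32,  # dropped file
}

if __name__ == "__main__":
    for kind, paths in diff_manifests(CLEAN, AFTER).items():
        print(f"{kind}: {paths}")
```

The output lists the dropped binary, the rewritten hosts file and the deleted document, which is exactly the "effects caused" view Mat describes; nothing in it says which code path wrote them.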

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq