Isis
03.08.2007, 20:08
Blue Pill Project
// Intro
The original Blue Pill proof of concept code has been written by Joanna Rutkowska, while working for COSEINC, and presented at the Black Hat Briefings 2006 in Las Vegas on August 3rd. Joanna Rutkowska then formed a small team of researchers inside COSEINC, Advanced Malware Labs, which was supposed to focus on further research into virtualization based malware. However after just a few months the priorities of work have been shifted, resulting in Blue Pill research activities being ceased.
In April 2007 Joanna Rutkowska decided to quit COSEINC and start her own security consulting firm, Invisible Things Lab. In May 2007 Alexander Tereshkin, a former member of COSEINC AML, joined ITL as a principal researcher. Joanna Rutkowska and Alexander Tereshkin decided to redesign and write from scratch the New Blue Pill rootkit, so that it would be possible to use it for further research and for educational purposes. Most of the New Blue Pill’s code was developed by Alexander Tereshkin.
The New Blue Pill is significantly different from the original Blue Pill, not only because of the various features that it implements, but also because of the different architecture it was based on (HVM-like approach, similar to that used by XEN 3).
// Currently implemented features
* Common HVM layer architecture to support SVM and VT-x
* On the fly loading and unloading
* RDTSC cheating via tracing (simple version)
* Avoiding trusted time source attacks using Blue Chicken Technology
* NBP uses its own private Page Tables (Private CR3)
* Support for nested hypervisors (NBP inside NBP inside NBP...)
// Current limitations
* No support for VT-x (HVM implements only SVM specific functions)
* RDTSC cheating uses a very simple (too simple) cycle emulation
* Blue Chicken TimeBomb setting algorithm seems to contain a mysterious race condition that causes a BSoD from time to time after the timeboms is set
* Virtual PC 2007 (with enabled h/w virtualization) currently crashes when run inside a blue pilled machine
* BP knock feature might casue a crash in a nested scenerio due to CPUID interception.
* No support for "exotic" CPU modes
* No support for intercepting "exotic" high-precision local timers
// Disclaimer
/* * Copyright holder: Invisible Things Lab * * This software is protected by domestic and International * copyright laws. Any use (including publishing and * distribution) of this software requires a valid license * from the copyright holder. * * This software is provided for the educational use only * during the Black Hat training. This software should not * be used on production systems. * */
// Downloads
* nbp-0.11.zip (http://www.bluepillproject.org/stuff/nbp-0.11.zip) (2007-08-01)
* svm-detectors-0.1.zip (http://www.bluepillproject.org/stuff/svm-detectors-0.1.zip) (2007-08-01)
* IsGameOver.ppt (http://www.bluepillproject.org/stuff/IsGameOver.ppt) (2007-08-01)
(c) ITL
// Intro
The original Blue Pill proof of concept code has been written by Joanna Rutkowska, while working for COSEINC, and presented at the Black Hat Briefings 2006 in Las Vegas on August 3rd. Joanna Rutkowska then formed a small team of researchers inside COSEINC, Advanced Malware Labs, which was supposed to focus on further research into virtualization based malware. However after just a few months the priorities of work have been shifted, resulting in Blue Pill research activities being ceased.
In April 2007 Joanna Rutkowska decided to quit COSEINC and start her own security consulting firm, Invisible Things Lab. In May 2007 Alexander Tereshkin, a former member of COSEINC AML, joined ITL as a principal researcher. Joanna Rutkowska and Alexander Tereshkin decided to redesign and write from scratch the New Blue Pill rootkit, so that it would be possible to use it for further research and for educational purposes. Most of the New Blue Pill’s code was developed by Alexander Tereshkin.
The New Blue Pill is significantly different from the original Blue Pill, not only because of the various features that it implements, but also because of the different architecture it was based on (HVM-like approach, similar to that used by XEN 3).
// Currently implemented features
* Common HVM layer architecture to support SVM and VT-x
* On the fly loading and unloading
* RDTSC cheating via tracing (simple version)
* Avoiding trusted time source attacks using Blue Chicken Technology
* NBP uses its own private Page Tables (Private CR3)
* Support for nested hypervisors (NBP inside NBP inside NBP...)
// Current limitations
* No support for VT-x (HVM implements only SVM specific functions)
* RDTSC cheating uses a very simple (too simple) cycle emulation
* Blue Chicken TimeBomb setting algorithm seems to contain a mysterious race condition that causes a BSoD from time to time after the timeboms is set
* Virtual PC 2007 (with enabled h/w virtualization) currently crashes when run inside a blue pilled machine
* BP knock feature might casue a crash in a nested scenerio due to CPUID interception.
* No support for "exotic" CPU modes
* No support for intercepting "exotic" high-precision local timers
// Disclaimer
/* * Copyright holder: Invisible Things Lab * * This software is protected by domestic and International * copyright laws. Any use (including publishing and * distribution) of this software requires a valid license * from the copyright holder. * * This software is provided for the educational use only * during the Black Hat training. This software should not * be used on production systems. * */
// Downloads
* nbp-0.11.zip (http://www.bluepillproject.org/stuff/nbp-0.11.zip) (2007-08-01)
* svm-detectors-0.1.zip (http://www.bluepillproject.org/stuff/svm-detectors-0.1.zip) (2007-08-01)
* IsGameOver.ppt (http://www.bluepillproject.org/stuff/IsGameOver.ppt) (2007-08-01)
(c) ITL