Detecting simple hypervisors

This was tested only on Intel VT-x but it might work as well with AMD-V. In between a couple of blue screens, I realized there exist many simple ways to detect primitive HVM rootkits - ie, the ones that don't implement all the code required to achieve super-stealth.

Let me give you a simple example. CPUID is a peculiar instruction; it's the only non ring-0 allowed instruction that will unconditionally trigger a VM-exit (Vol.3B:253669, p21-2). If you trace over CPUID in your favorite debugger, the VM-exit will happen: the CPU enters VMX-Root mode, and your VMM is called to handle the offending instruction.

The lazy coder would write something like:


// emulate CPUID
if(Reason == EXIT_REASON_CPUID) then
pushad
mov eax, GuestEax
mov ecx, GuestEcx
cpuid
mov GuestEax, eax
mov GuestEcx, ecx
mov GuestEdx, edx
mov GuestEbx, ebx
popad
...

// update isntruction pointer
GuestEip += 2

vmresume()


Well, that's not enough. Execution will resume after CPUID. The trap flag will raise the debug exception after executing the instruction that follows... and there you have one simple way to detect poorly coded HVMs. One way to prevent this would be to inject a vectored event (INT1) on VM-entry.

This piece of assembly code implements the above trick (if we may call it so):


call GetCurrentProcess
push 1
push eax
call SetProcessAffinityMask

push offset seh
push dword ptr fs:[0]
mov fs:[0], esp

pushfd
or dword ptr [esp], 100h
popfd

cpuid

traphere:
mov eax, 1
jmp done

seh:
mov eax, [esp+0Ch]
cmp dword ptr [eax+0B8h], traphere
setne al
movzx eax, al

done:
add eax, 30h
push eax
push esp
call crt_printf

push eax
call ExitProcess


(On SMP systems, change the thread affinity to execute the test on other CPUs.)

There are other similar ways to detect a hypervisor from user-mode - again, assuming its implementation is lacking.

New Mebroot domains for the summer

The last variant of Mebroot's driver uses an obfuscated domain generation algorithm to connect to C&C servers. Here are the domains for this summer, you might want to block them for whatever reason.

The first domain, week-based, is used first (though, after the hardcoded domain in the driver itself); the second domain is day-based and used as a failsafe. On top of '.com', the TLDs '.net' and '.biz' are tried as well.

2009/07/17: bdcxduds.com xdjxekgt.com
2009/07/18: bdcxduds.com ejswwhvk.com
2009/07/19: swuvxcds.com khkciudw.com
2009/07/20: swuvxcds.com kxhwcceu.com
2009/07/21: swuvxcds.com xhxvdsck.com
2009/07/22: swuvxcds.com hkssvihg.com
2009/07/23: swuvxcds.com jwjchkci.com
2009/07/24: swuvxcds.com vkcvuksd.com
2009/07/25: swuvxcds.com ecjhdvue.com
2009/07/26: vxvtvhik.com kvcwhwgj.com
2009/07/27: vxvtvhik.com kvbdxjhc.com
2009/07/28: vxvtvhik.com uuvksskh.com
2009/07/29: vxvtvhik.com tkevtxue.com
2009/07/30: vxvtvhik.com vdkhsccs.com
2009/07/31: vxvtvhik.com feuufscg.com
2009/08/01: vxvtvhik.com gcuekdss.com
2009/08/02: wjbijxix.com ubhxghvt.com
2009/08/03: wjbijxix.com vcdgcseb.com
2009/08/04: wjbijxix.com ugfdvxck.com
2009/08/05: wjbijxix.com wdbbgwej.com
2009/08/06: wjbijxix.com fgugcijb.com
2009/08/07: wjbijxix.com twsssthu.com
2009/08/08: wjbijxix.com bfithbdd.com
2009/08/09: ufcsbgsg.com cgkgttfg.com
2009/08/10: ufcsbgsg.com fxxubvcg.com
2009/08/11: ufcsbgsg.com egihvgjf.com
2009/08/12: ufcsbgsg.com fkcxifec.com
2009/08/13: ufcsbgsg.com ukxsuvhw.com
2009/08/14: ufcsbgsg.com fxkihkfi.com

ProjectEuler problem 144

Project Euler is a website offering math challenges solvable by programming - usually few tens lines of code are enough. Last friday, after more than a year of Euler abstinence, I decided to have a look at it again, and ran across this cool problem (#144, check it out here).



So the goal is to find the number of times the laser beam will hit the ellipse-shaped cell before exiting through the input cavity.
First, let's formulate the problem with simple trigonometry. Have a look at the schema below:



The laser beam comes from A and hits the ellipse at point 0. We can calculate the slope m0: (yO-yA)/(xO-xA); we can also calculate the slope m1: -4*x/y. We need to calculate slope m2 and deduce B in order to iterate this process (find the next point of impact).

It appears clear that:
a = a0-a1
and
a = a1+PI-a2

Therefore:
tan(a) = tan(a0-a1)
= (tan(a0)-tan(a1))/(1+tan(a0)*tan(a1))
= (m0-m1)/(1+m0*m1)

and
tan(a) = tan(a1+PI-a2)
= tan(a1-a2)
= (tan(a1)-tan(a2))/(1+tan(a1)*tan(a2))
= (m1-m2)/(1+m1*m2)

Let's set X = (m0-m1)/(1+m0*m1)
X = (m1-m2)/(1+m1*m2)
-> m2 = (m1-X)/(1+X*m1)

We have the slope m2 of the reflected beam (OB). With the coordinates of O (x0,y0), we have the equation of the line:
y = a*x+b, with a=m2 and b=y0-m2*x0

The last step is calculate the coordinates of B. We have:
- the equation of the ellipse: 4*x^2+y^2 = 100
- the equation of (0B): y = m2*x+b

It boils down to solving the quadratic:
x^2*(4+a^2) + x*(2*a*b) + (b^2-100) = 0

And then we yield the coordinates of B. After a few 300-and-something iterations (nah I wouldn't spoil your Euler fun) you'll find out the reflected point falls onto the exit hole. Problem solved!

Sudoku solver

Nothing new or original here.
This Sudoku solver just aims to show how compact Python code can be...
The core of this piece of code is less than 40 lines of code. And we could do much better than that.

Real-time stock quotes Python API

I've put up a handy script on my Google code area right here.

This Python module works like a very simple interface to get stock quotes from the French stock website Boursorama. You can get securities of any trading place providing you know its ISIN of course.

The cool stuff about it is that it gives you real-time quotes (yes, you avoid the 15/20-min delay Yahoo and co. give you).

Here's how to use it:

$ from pybourso import get_stock
$ e = get_stock('US38259P5089')
$ print e['name'], e['value'], e['variation']

GOOGLE INC, 357.66, -1.49

Check out the source to see all that's returned by get_stock(). Enjoy!

csheap

csheap is a customizable dynamic memory allocator written in C. It was originally written as a replacement for the standard libc malloc and the Windows runtime.

I've put it up on Google Code here. Enjoy.

pushfd and popfd are slow...

...damn, damn slow!
Use lahf/sahf instead.
A few numbers later on - if I have time.