gsuberland
commented
3 years ago There are a couple of issues I see with this, but I think we need more information to understand how they are using XSETBV before I can concretely say whether this is something we can, or want to, do.
If they're calling XSETBV from usermode, it shouldn't do anything but throw a general protection fault unconditionally, regardless of whether or not the system is running under a VM. Now, shouldn't isn't the same as won't, and it does appear that on some VM platforms you can cause the hypervisor to fault due to buggy handling.
The only reference I could find is this article, which provides an example of using XSETBV as a detection mechanism. However, the way it does so is by registering a bugcheck callback routine in a driver, calling the XSETBV instruction with garbage parameters, then seeing if the bugcheck callback gets called before the system crashes. This indicates that the detection is being done from ring 0, using a driver, and that the detection mechanism necessarily crashes the system as part of the check.
As a policy, Al-Khaser doesn't load drivers or do any kind of ring 0 detection. There are a number of reasons, but the three main ones are that driver signing is a pain in the ass, we don't want to load a driver that could be vulnerable (or load a known-vulnerable signed driver in order to execute code in kernelmode), and we don't want to provide a nice generic signed anti-VM driver for malware authors to use.
Another policy we have is we avoid doing anything that risks crashing the box, causing data loss, or changing system settings.
If you have a reference for how XSETBV can be used in order to detect VMs/hypervisors reliably, from usermode, without crashing anything, then that's definitely something we'd be interested in.
Hi,
I came across some malware that uses XSETBV to check for VM presence. Could we add some checks on this?