Currently, the monitor hooks a lot of functions in ring3; this can be easily detected by malware. There is a project, zer0m0n, that hooks in ring0, but it seems to hook only a few functions.
I have an idea to avoid anti-cuckoo detection, which is based on qemu. In qemu, there are two emulation modes: one is kvm, the other is tcg. When running in tcg mode, we can know the running state of the guest VMs, like the EIP of the CPU registers. Then we can compare the value of EIP with the addresses of APIs; if they are equal, we can say that the API has been called, and then we can record the parameters (we must read the stack memory, but that's another thing). This doesn't need any hook in the guest VMs; the downside of this approach is that it may lack some of the current features.
There are already some projects based on qemu that did this, but they are not mature, like s2e, DECAF, and MBA.
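The EIP-matching idea above, as an added illustration that is not part of the original post or of any of the named projects: a small Python model of the guest-side check a TCG execution hook would run. The API addresses, stack layout and trace are all constructed values, and `GuestMemory` stands in for the guest-memory read (in QEMU that would be something like `cpu_memory_rw_debug`) that the post calls "another thing".

```python
import struct

# Constructed (hypothetical) API entry addresses -> (name, stdcall argument count).
# A real monitor would fill this from the guest's loaded-module export tables.
API_TABLE = {
    0x7C801D7B: ("CreateFileA", 7),
    0x7C80B741: ("GetProcAddress", 2),
}

class GuestMemory:
    """Minimal flat guest-memory model; only what the example needs."""
    def __init__(self):
        self.mem = {}
    def write_u32(self, addr, val):
        self.mem[addr] = struct.pack("<I", val)
    def read_u32(self, addr):
        return struct.unpack("<I", self.mem[addr])[0]

def check_api_call(eip, esp, guest):
    """Run on every executed block: if EIP equals an API entry address,
    the API was called; read its parameters from the guest stack."""
    if eip not in API_TABLE:
        return None
    name, nargs = API_TABLE[eip]
    # x86 stdcall/cdecl at function entry: [esp] = return address,
    # [esp+4], [esp+8], ... = arguments pushed right-to-left by the caller.
    ret_addr = guest.read_u32(esp)
    args = [guest.read_u32(esp + 4 + 4 * i) for i in range(nargs)]
    return {"api": name, "ret": ret_addr, "args": args}

def monitor(trace, guest):
    """trace: (eip, esp) samples as a TCG exec hook would observe them."""
    return [r for r in (check_api_call(e, s, guest) for e, s in trace) if r]

def build_sample_guest():
    """Constructed guest state: a call to GetProcAddress(hModule, lpProcName)."""
    g = GuestMemory()
    g.write_u32(0x0012FF00, 0x00401234)   # return address into the sample's code
    g.write_u32(0x0012FF04, 0x7C800000)   # arg 1: hModule
    g.write_u32(0x0012FF08, 0x00403000)   # arg 2: lpProcName
    return g

# Constructed trace: sample code, the API entry (match), then inside the API (no match).
SAMPLE_TRACE = [(0x00401000, 0x0012FF10), (0x7C80B741, 0x0012FF00), (0x7C80B743, 0x0012FF00)]

if __name__ == "__main__":
    for rec in monitor(SAMPLE_TRACE, build_sample_guest()):
        print(rec)
```

Only the entry address matches, so each call is logged once even though every subsequent block of the API is also observed.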