|
From: Dennis L. <pla...@in...> - 2004-11-18 11:09:28
|
Hello,
Recently I found the following code:
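int swallow_redpill () {
    /* m receives the 6-byte IDTR image; rpill is "sidt [addr32]; ret" as raw bytes */
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the address of m into the operand */
    ((void(*)())&rpill)();                   /* run the bytes (32-bit x86, executable stack) */
    return (m[5]>0xd0) ? 1 : 0;              /* m[5] is the top byte of the IDT base */
}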
which is used by some rootkits etc. to determine if they run on a real
machine or within e.g. vmware.
http://invisiblethings.org/papers/redpill.html talks about it in a bit more
detail.
My question is now, can valgrind implement this SIDT instruction so that
the program would think it's on a real machine? So perhaps we then can
build some valgrind skin that can be used to analyse such programs...
greets
Dennis
Carpe quod tibi datum est
|
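For an analysis tool of the kind asked about above, the two things to recognise are the SIDT encoding and the 6-byte value it stores. The following is an added example, not part of the original thread or of valgrind; the function names and the two IDTR images are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SIDT is encoded 0F 01 /1 with a memory operand: ModRM.reg == 1, ModRM.mod != 3.
 * (mod == 3 with reg == 1 encodes other instructions such as MONITOR/MWAIT.) */
int is_sidt_at(const uint8_t *buf, size_t len, size_t i)
{
    if (len < 3 || i > len - 3)
        return 0;
    if (buf[i] != 0x0f || buf[i + 1] != 0x01)
        return 0;
    uint8_t modrm = buf[i + 2];
    return ((modrm >> 3) & 7) == 1 && (modrm >> 6) != 3;
}

/* Naive byte scan, not a disassembler: hits inside data are possible. */
size_t count_sidt(const uint8_t *buf, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        hits += (size_t)is_sidt_at(buf, len, i);
    return hits;
}

/* 32-bit SIDT stores 6 bytes: 16-bit limit, then 32-bit base (little-endian). */
uint32_t idt_base(const uint8_t m[6])
{
    return (uint32_t)m[2] | ((uint32_t)m[3] << 8) |
           ((uint32_t)m[4] << 16) | ((uint32_t)m[5] << 24);
}

/* The posted check: a top byte of the IDT base above 0xd0 is read as "virtualized". */
int redpill_says_vm(const uint8_t m[6])
{
    return (idt_base(m) >> 24) > 0xd0;
}

int main(void)
{
    /* The rpill[] bytes from the post, before the address is patched in. */
    const uint8_t rpill[] = { 0x0f, 0x01, 0x0d, 0x00, 0x00, 0x00, 0x00, 0xc3 };
    /* Constructed IDTR images, not captured from real systems. */
    const uint8_t low[6]  = { 0xff, 0x07, 0x00, 0xf4, 0x03, 0x80 };
    const uint8_t high[6] = { 0xff, 0x07, 0x00, 0x00, 0x00, 0xff };

    printf("sidt hits: %zu\n", count_sidt(rpill, sizeof rpill));
    printf("base %08x -> %d\n", (unsigned)idt_base(low), redpill_says_vm(low));
    printf("base %08x -> %d\n", (unsigned)idt_base(high), redpill_says_vm(high));
    return 0;
}
```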
|
From: Tom H. <th...@cy...> - 2004-11-18 11:20:18
|
In message <6.1...@po...>
Dennis Lubert <pla...@in...> wrote:
> My question is now, can valgrind implement this SIDT instruction so
> that the program would think it's on a real machine? So perhaps we
> then can build some valgrind skin that can be used to analyse such
> programs...
I don't see why not. I suggest you raise a bug requesting it.
Tom
--
Tom Hughes (th...@cy...)
Software Engineer, Cyberscience Corporation
http://www.cyberscience.com/
|