Skip to content
/ VmdtStr Public

Detect VMMs with faulty handling of STR exit

Notifications You must be signed in to change notification settings

cryotb/VmdtStr

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 

Repository files navigation

VmdtStr

Detect VMMs with faulty handling of STR exit
NOTE: This detection requires the VMM in question to exit on descriptor table access, otherwise it won't work!

Showcase

This is the output on a KVM with no nested VMM active:

And this is with HVPP as a nested VMM:

How it works

This demo works because some public VMMs don't emulate STR instruction correctly. Let me quote the relevant part in the instruction set reference from Intel website:

When the destination operand is a 32-bit register, the 16-bit segment selector is copied into the lower 16 bits of the
register and the upper 16 bits of the register are cleared. When the destination operand is a memory location, the
segment selector is written to memory as a 16-bit quantity, regardless of operand size.

In 64-bit mode, operation is the *same*. The size of the memory operand is fixed at 16 bits. In register stores, the 2-
byte TR is *zero extended* if stored to a 64-bit register.

Disclaimer

This has been tested using HVPP and some other public VMMs, in a KVM virtual machine.
Although i think the results on bare metal should be the same, more evaluation is required if this should be used legitimately.

About

Detect VMMs with faulty handling of STR exit

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published