Exetools  
Is hardware virtualization good for cracking?

#1  09-29-2012, 11:14  Nicogalan (Friend)

My HP notebook has an option to activate virtualization in the BIOS... my CPU is an i7.
It says it's advised to be disabled... and to just enable the function for specific software....

What are the pros and cons??

Is it useful for cracking or packing?

Thanks
#2  09-29-2012, 11:59  chessgod101 (Co-Administrator)
This feature in your BIOS is called Hardware Accelerated Virtualization (HAV). According to the Intel web page, it is intended to improve virtualization software flexibility by:

- Speeding up the transfer of platform control between the guest operating systems (OSs) and the virtual machine manager (VMM)/hypervisor

- Enabling the VMM to uniquely assign I/O devices to guest OSs

- Optimizing the network for virtualization with adapter-based acceleration

With that being stated, I do not see any way it could be beneficial for cracking, unless you are working with a virtual OS using either VirtualBox or VMware Workstation. I can see where this could benefit malware reversers, since they commonly use VMs to reverse engineer hostile code.

Here are several good articles to give you insight into this technology:

Intel article:
http://www.intel.com/content/www/us/en/virtualization/virtualization-technology/hardware-assist-virtualization-technology.html
Wikipedia:
http://en.wikipedia.org/wiki/Hardware-assisted_virtualization
The Wikipedia article contains a section discussing the pros and cons of HAV.
#3  09-29-2012, 14:52  sendersu (VIP)
There are different types of HW virtualization:
VT-x (general), VT-d (I/O virtualization; not even all i7 CPUs have it, check your model)
and VT-c (network virtualization).
Check your CPU features by reading /proc/cpuinfo (if you are a Linux guy).
#4  10-13-2012, 02:29  leosmi05 (Friend)
The BIOS option probably activates VT-x (general) virtualization.
It's helpful if you use a virtual machine (VMware Workstation, for example).
#5  10-13-2012, 05:13  Git (Old Git)
As said above, not all i7s have VT-d, even if your BIOS tells you that you can turn it on or off.

Git
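As an added example (not code from any of the posts), here is a small Python script that does the /proc/cpuinfo check sendersu suggests and reports the VT-x/SVM-related flags the CPU advertises; the cpuinfo text it ships with is a constructed sample. It also records the caveat Git and sendersu raise: VT-d is not visible this way, because the IOMMU is not a CPU flag.

```python
# Added example, not from the thread: report the hardware-virtualization
# flags a CPU advertises, parsed from /proc/cpuinfo-formatted text.
# Linux flag names relevant to VT-x / SVM users and what they mean:
VIRT_FLAGS = {
    "vmx": "Intel VT-x",
    "svm": "AMD-V (SVM)",
    "ept": "Intel extended page tables",
    "vpid": "Intel virtual processor IDs",
    "npt": "AMD nested page tables",
    "hypervisor": "this OS is already a guest of some hypervisor",
}

# Constructed sample in /proc/cpuinfo layout; a real file has many more fields.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu msr pae sse2 ht nx lm vmx smx aes tpr_shadow vnmi flexpriority ept vpid

processor\t: 1
vendor_id\t: GenuineIntel
flags\t\t: fpu msr pae sse2 ht nx lm vmx smx aes tpr_shadow vnmi flexpriority ept vpid
"""

def parse_cpuinfo(text):
    """Split cpuinfo text into one {field: value} dict per logical CPU."""
    cpus = []
    for stanza in text.split("\n\n"):  # a blank line separates CPUs
        fields = [ln.partition(":") for ln in stanza.splitlines() if ":" in ln]
        if fields:
            cpus.append({k.strip(): v.strip() for k, _, v in fields})
    return cpus

def virt_report(text):
    """Summarise virtualization flags; a flag counts only if every CPU has it."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        return {"cpus": 0, "vendor": None, "flags": {}, "hardware_virt": False}
    common = set.intersection(*(set(c.get("flags", "").split()) for c in cpus))
    flags = {name: name in common for name in VIRT_FLAGS}
    # vmx/svm means the silicon supports it; the BIOS switch the thread starter
    # mentions separately gates whether the OS may turn it on (IA32_FEATURE_CONTROL
    # lock on Intel), which a text dump cannot show.  VT-d (IOMMU) is not a CPU
    # flag at all (Linux finds it via the ACPI DMAR table), so it is unseen here.
    return {"cpus": len(cpus), "vendor": cpus[0].get("vendor_id"),
            "flags": flags, "hardware_virt": flags["vmx"] or flags["svm"]}

if __name__ == "__main__":  # add --live to read the real /proc/cpuinfo
    import sys
    src = open("/proc/cpuinfo").read() if "--live" in sys.argv else SAMPLE_CPUINFO
    print(virt_report(src))
```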
#6  11-02-2012, 12:30  justlovemm (Friend)
I think the answer is yes. You can set or get some type of breakpoint by VT. The breakpoint is not a hardware breakpoint, not a software BP (int 3), and not a memory BP. And it can be useful in anti-anti-debug and anti-ring-0-hook checks, because your code runs at ring -1 by VT.
#7  11-02-2012, 17:00  deroko (cr4zyserb)
It is very useful for cracking. For example, you can fake cpuid and use it as a break. I've used cpuid as a breakpoint to catch when an application is using it for anti-dump. VT also allows you to have hooking on x64 systems without disabling PatchGuard, as you can control the DRx registers and hook using them. You can also hook all system calls, as you are controlling read/write to MSR registers, for example (e.g. on read you fake the real/old address, and keep yours inside).

It's also useful for virtualization software like VMware, VirtualBox and VirtualPC, as it will speed up their execution a lot.
#8  12-03-2012, 02:48  pp2 (Friend)
VT-x (or SVM in the case of AMD) is very useful in debugging/reversing/patching. The only thing you need is a small helper hypervisor. Using it, you can execute almost any code under a kind of virtual machine and watch its execution, set breakpoints, read/write any CPU registers, and even debug mode switches (user<->kernel). This hypervisor works as a "filter": most processor events pass through into the real OS, except critical/sensitive ones. Catching some events is needed to hide the hypervisor from the OS, minimize its influence on the execution flow and fake some sensitive data. Using the hardware-supported MTF (the so-called monitor trap flag) you can execute CPU instructions one by one, logging/modifying CPU registers or memory as you need on each instruction.

I suggest reading the Intel/AMD docs about VT-x/SVM to understand the power of using it in debugging/reversing.