View Single Post
  #4  
Old 08-03-2018, 01:22
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 127
Rept. Given: 1
Rept. Rcvd 31 Times in 21 Posts
Thanks Given: 40
Thanks Rcvd at 270 Times in 85 Posts
DavidXanatos Reputation: 31
> Could IO MMU and hardware be exploited?

Hmm...
I think that would strongly depend on how your anti-debugging technique ties into the operating system. Without ring 0 access you are limited to no hardware access and only a limited set of opcodes.

So assuming that your protected application is just that, a user space application, other that a Hardware dongle or Server I don't think there is any way.

If your application however comes with a driver than possibly there is a way, although I wouldn't know of hand how this way looks.

But, if you are virtualizing an entire OS with your victim application, why use hardware virtualization and risk the application having a shot at detecting something?

There were virtual machines long before there was Intel VT and AMD Pacifica, I remember Connectix virtual PC later M$ virtual PC, although this was before 64bit became mainstream.
Anyhow I don't see a reason why one couldn't make a new virtual machine software which runs a 64bit OS but does not require hardware support that is runs on the host as a boring user mode process. That is of cause except that fact that its performance would be worse may be much worse of cause. But for debugging that wouldn't matter much I guess.


So ultimately the only way to go would be to try to detect being run in a VM at all and than denying to run.

However if said VM software would be intended to be a Debuging host I think there would be no reliable way to detect being run in it which couldn't be bypassed by some minor update to the VM software.
Reply With Quote