Agentless Guest Protection - Stealthy Code Injection From The Virtual Machine

No ratings

Presented at SyScan 2009 by

Matthew Conover

This will demonstrate that we can inject code into a guest virtual machine from the hypervisor. We are able to install a standard Windows driver and invoke an exported function in the driver. It will run within the guest VM at ring 0 and it can interact with the guest in a standard way (use exported NTOSKRNL functions, etc.). It runs under a standard Windows kernel thread. After the function returns, the driver is unloaded and all traces of the driver are removed.The benefit to this design is that we can minimize the chance for malware in the guest to detect or interfere with our in-guest agent to a small window. The in-guest agent is only detectable while it is running. It is intended that the code be relatively small and fast (i.e., used to kill a malware process, apply a code patch, etc.).