A forum for reverse engineering, OS internals and malware analysis 

 #30461  by Victor43
 Wed Jun 14, 2017 3:19 am
What I would like to know is whether it is possible to write a hypervisor program (not malicious) which runs before the OS and executes kernel and user mode application code inside a virtual environment. I would like to find out if it's possible to evaluate/analyze code while it is executing in real time. I need to be able to perform some kind of analysis in real time while the code (kernel mode code including the OS, or user mode code) is executing in a hypervisor environment, a sandbox, or some sort of virtual environment.
 #30465  by Vrtule
 Wed Jun 14, 2017 10:15 am
Hello,

the answer, in theory, is yes. Your question is quite broad, so I don't quite understand what exactly you wish to accomplish.

You can find the source code of several hypervisors, such as SimpleVisor or HyperPlatform, on GitHub. For example, SimpleVisor works as a kernel driver that, when loaded, places the currently running operating system into a hypervisor that can control things like access to MSRs, system calls and other events that cause a VM exit.
 #30467  by Victor43
 Wed Jun 14, 2017 6:27 pm
@Vrtule I'm interested in network security, so ideally I would like to catch the bad guys in their tracks while they are executing in RAM. I need to be able to look for anomalies, or rather suspicious behavior, in what the bad guys' code does. If suspicious code execution is isolated I will need to prevent the code from executing any further. Can this work in principle or in the real world via a hypervisor? Suspicious code execution can be OS code as well that has been patched by some sort of rootkit or malware code. I need to be able to execute before and below even the operating system (a type 1 hypervisor possibly) in order to properly analyze and isolate suspicious code execution. Does this help?
Last edited by Victor43 on Wed Jun 14, 2017 11:05 pm, edited 1 time in total.
 #30468  by Vrtule
 Wed Jun 14, 2017 9:50 pm
Well, if you need quite a lot of control over the code being executed, it would probably be best to boot the computer into something like a very small OS kernel (e.g. Linux) and run the "real" OS inside a virtual machine (using one of the popular open source solutions). You can then take appropriate action when you determine that something within the VM went wrong.

This is possible to do. The question is how you plan to recognize what is good and bad, and how time- and resource-consuming such a decision would be, since I expect the system running inside the VM should be usable to a certain extent.
 #30470  by Victor43
 Wed Jun 14, 2017 11:48 pm
@Vrtule thank you. I understand the part about booting the computer with a small kernel OS (such as Linux) but I'm not quite so sure about running the real OS inside a VM. Is that necessary? It probably is, but I thought I would ask anyway.

What I have read is that a Type 1 (bare metal) hypervisor can intercept, monitor and control memory access, as shown in the article linked below, and if interrupts can be intercepted as well then I should be able to build a picture in memory of what is happening to IP data as it travels within the network, yes? So take for example a hacker who infiltrates a network workstation and begins exfiltrating the data: either the data is saved and then sent home, or the data is retrieved and then immediately sent home.

Having said the above, I need to be able to trace or monitor what's happening to IP data wherever it goes once it enters or leaves the file server or the database hosted on the file server. So if a piece of data is seen exiting the system or leaving the network altogether (heading home), I want to know where that piece of data originated. So basically I want to know where IP data originated and where it is going. If it is determined that data is being stolen then alarms should go off, so to speak.

https://firmwaresecurity.com/2017/05/17 ... -rootkits/
 #30519  by feryno
 Fri Jun 30, 2017 10:59 am
Hi Victor43, you can start the hypervisor before the OS as an EFI executable or in a way similar to a BIOS rootkit and then let the OS boot.
But because you are interested in monitoring the network, you can start it as an early-launch driver before the network driver; this hypervisor is easier to write than the previous one (no worry about unrestricted guest mode, no worry about how to hide the stolen memory where the hypervisor runs, etc.).
You want to achieve real-time performance. Using EPT to monitor accesses to RAM introduces some problems, because hitting a protected region causes a VM exit, at which you have 2 choices:
[0] kill the process/thread immediately and resume OS execution (I just do not know from which point to restart the OS because the original process was killed, and also killing it may be tricky as you are in the VM exit handler running with interrupts disabled, rflags.IF=0, on every VM exit)
[1] let the process/thread continue, so you have to change the EPT attributes or the EPT entry, which then requires invalidation of the EPT (frequently executing the INVEPT instruction decreases performance considerably; when it occurs only rarely there is no worry)
I can't estimate the performance when monitoring interrupts generated by the network adapter hardware. I monitored exceptions (interrupts 00-1F) in one of my very old projects and that ran very fast; I did not notice a performance penalty.
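A constructed C model of the two choices feryno lists at an EPT-violation VM exit (example code added here, not from the post or any real hypervisor). The exit-qualification bits and EPT permission bits follow the Intel SDM layout; the in-memory page table, the write-denying policy and the INVEPT counter are assumptions standing in for real VMX structures, so the block runs offline and shows how each first-touch relaxation of an entry costs one INVEPT.

```c
#include <stddef.h>
#include <stdint.h>

/* EPT-violation exit qualification bits (Intel SDM): kind of access that faulted. */
#define EPTQ_READ   (1u << 0)
#define EPTQ_WRITE  (1u << 1)
#define EPTQ_FETCH  (1u << 2)

/* Permission bits of an EPT entry. */
#define EPTE_R 0x1u
#define EPTE_W 0x2u
#define EPTE_X 0x4u

/* Outcome of the exit handler: feryno's choice [0] maps to ACT_BLOCK (record the
 * event for the kill/isolate path, which this model leaves outside its scope) and
 * choice [1] maps to ACT_RESUME (relax the entry, then INVEPT). */
enum action { ACT_UNMAPPED = -1, ACT_BLOCK = 0, ACT_RESUME = 1 };

struct ept_entry { uint64_t gpa; uint32_t perms; };

/* Constructed stand-in for the hypervisor's EPT and its performance counters. */
struct vmm_state {
    struct ept_entry entries[4];
    size_t n;
    unsigned invept_count;   /* one INVEPT per permission change, as the post describes */
    unsigned blocked_count;  /* accesses refused under the assumed policy */
};

static struct ept_entry *ept_lookup(struct vmm_state *s, uint64_t gpa) {
    for (size_t i = 0; i < s->n; i++)
        if (s->entries[i].gpa == (gpa & ~0xFFFull)) return &s->entries[i];
    return NULL;
}

/* Assumed policy: writes into a protected page are blocked; reads and instruction
 * fetches are granted, paying INVEPT only the first time a permission is added. */
enum action handle_ept_violation(struct vmm_state *s, uint64_t gpa, uint32_t qual) {
    struct ept_entry *e = ept_lookup(s, gpa);
    if (!e) return ACT_UNMAPPED;               /* GPA not backed by any entry in the model */
    uint32_t want = 0;
    if (qual & EPTQ_READ)  want |= EPTE_R;
    if (qual & EPTQ_WRITE) want |= EPTE_W;
    if (qual & EPTQ_FETCH) want |= EPTE_X;
    if (want & EPTE_W) { s->blocked_count++; return ACT_BLOCK; }
    if ((e->perms & want) != want) { e->perms |= want; s->invept_count++; }
    return ACT_RESUME;
}

/* Constructed sample EPT: one protected page (no permissions) and one ordinary page. */
void vmm_init(struct vmm_state *s) {
    s->n = 2; s->invept_count = 0; s->blocked_count = 0;
    s->entries[0] = (struct ept_entry){ 0x1000, 0 };
    s->entries[1] = (struct ept_entry){ 0x2000, EPTE_R | EPTE_W | EPTE_X };
}
```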
 #30520  by Vrtule
 Fri Jun 30, 2017 11:55 am
About seven years ago, I was playing with the IDT and implemented an interrupt monitor that counted executions of every interrupt. As far as I remember, the lower 32 interrupts are not executed very often (possibly with the exception of the page fault handler). I think the timer interrupt may be a problem.
 #31117  by param_module
 Tue Dec 12, 2017 4:04 am
Yes, they are called unikernels, https://mirage.io/. It's actually pretty interesting how, with a spreading mechanism to infect unix-like hosts, you can build a very benign but useful and difficult-to-take-down botnet of them if you partition the network well: you can just build unikernels for spam, build unikernels that do the fancy DNS tricks, build unikernels to do DDoS attacks and spread, build unikernels that act as part of a distributed file system for the botnet, and you can even build a custom code deployment system for the botnet due to Irmin and mirage-git being stressed to make compatible, each being self-contained and running on Xen or QEMU/KVM itself rather than the host OS.