Hello Everybody !
As I promised in my previous post, I'm going to discuss the Red Pill and Blue Pill concepts. Those who have seen the movie The Matrix will be quite familiar with these terms ! However, to give a brief background, let me quote a few famous lines from the movie.
Morpheus describes the effects of the two pills to Neo
“You take the blue pill, the story ends, you wake up in your bed, and believe whatever you want to believe. You take the red pill, you stay in Wonderland, and I show you just how deep the rabbit hole goes.”
As shown in the movie, the hero was offered two pills and asked to choose one. He chooses the red pill and comes to know what the Matrix is ! You might be wondering what a movie plot has to do with real life, computers and computer security ! Well then… you are completely mistaken ! These terms are very popular in computer security and amongst the hacker community. So what is this all about ?? What are Red Pill and Blue Pill all about ???
Let me explain. Again I'll relate this to the movie. If you have seen the film, you will remember that if Neo (the hero of the movie guys … not me !!! ) swallows the Red Pill, he comes to know about reality and what the Matrix is all about. And if he takes the Blue Pill, then he continues living inside the Matrix and never comes to know about the real world ! The same concepts apply when it comes to computers, computer security and hacking !
Let me first start with what is meant by a Blue Pill. All the current rootkits and backdoors that we are aware of are based on some concept, or what we call an algorithm. For example: FU was based on the idea of unlinking EPROCESS blocks from the kernel's list of active processes, Shadow Walker on hooking the page fault handler and marking some pages as invalid, deepdoor on changing some fields in an NDIS data structure, etc. Once you know the algorithm (concept), you can at least theoretically detect the given rootkit.
Now, imagine a malware (e.g. a network backdoor, keylogger, etc.) whose ability to remain undetectable does not rely on the obscurity of its concept: malware which could not be detected even though its algorithm (concept) is publicly known. Let's go further and imagine that even its code could be made public, and still there would be no way of detecting that this creature is running on our machines…! Amused ???? (Remember Matrix ??)
The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and awakes inside a Matrix controlled by the ultra-thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system), there is no performance penalty, and all the devices, like the graphics card, are fully accessible to the operating system, which is now executing inside a virtual machine. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica.
Many of you might be amazed to know that a real-life Blue Pill-like technology does exist ! It's called the SubVirt rootkit. This rootkit was designed by a team of researchers from the University of Michigan and Microsoft Research. However, there are a few points in which SubVirt differs from the actual Blue Pill technology :
- SubVirt is a permanent (i.e. restart-surviving) rootkit. And it has to be, because SubVirt's installation process requires that it takes control before the original operating system boots. Consequently, in contrast to Blue Pill, SubVirt cannot be installed 'on-the-fly'. It also means that SubVirt must introduce some modifications to the hard disk, which allows for 'off-line' detection.
- SubVirt was implemented on x86 hardware, which doesn't allow 100% virtualization, because there are a number of sensitive machine-level instructions which are not privileged, like the famous SIDT/SGDT/SLDT. This allows for trivial detection of virtual mode. This, however, doesn't apply to Blue Pill, as it relies on AMD SVM technology.
- SubVirt is based on one of the commercial VMMs: Virtual PC and/or VMware. Both of these applications create virtual devices to be used by the operating system which are different from the real underlying hardware (e.g. network cards, graphics cards, etc.), which allows for easy detection of the virtual machine.
Now that we know exactly what a Blue Pill is, we must also know about the Red Pill ! Can you guess what it could be all about ??? Well… it's just the opposite of Blue Pill and conceptually the same as what was shown in the movie. As shown in the film, once a person takes the Red Pill, it activates a trace program that allows the crew to locate the human's body in the Matrix power plant. Once the person is found, commands are sent to the pod to wake him, and the freed individual is rescued by the respective ship's crew. According to Morpheus, leaving the Matrix can be traumatic, particularly for those who have lived in it for too long. As a rule, crews only offer the Red Pill to those younger than 18. After that, the risk of denial and psychotic episodes from the reality of separation is much higher. The exception to this rule (as seen in the movies) is Neo, whose age is around 30 when released by Morpheus.
Well… that was in the movie. Now let's see how it is implemented in real life ! In reality, Red Pill consists of just one CPU instruction, which is injected into the system to check whether the system is running in a virtual environment or is running the actual OS. The Red Pill code is shown below :
```c
/* Red Pill: runs SIDT [m] from a byte string on the stack (32-bit x86 only;
 * the stack must be executable). Returns 1 if the IDT base looks relocated. */
int swallow_redpill(void) {
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned *)&rpill[3]) = (unsigned)m;   /* patch SIDT's disp32 with &m */
    ((void (*)(void))&rpill)();               /* execute: SIDT [m]; RET */
    return (m[5] > 0xd0) ? 1 : 0;             /* top byte of the IDT base */
}
```
The heart of this code is the SIDT instruction (encoded as 0F010D[addr]), which stores the contents of the interrupt descriptor table register (IDTR) in the destination operand, which is a memory location. What is special and interesting about the SIDT instruction is that it can be executed in non-privileged mode (ring 3) but returns the contents of a sensitive register used internally by the operating system.
Because there is only one IDTR register but at least two OSes running concurrently (i.e. the host and the guest OS), the VMM needs to relocate the guest's IDTR to a safe place so that it does not conflict with the host's. Unfortunately, the VMM cannot know if (and when) a process running in the guest OS executes the SIDT instruction, since it is not privileged (and does not generate an exception). Thus the process gets the relocated address of the IDT table.
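As an added example (not the post's code), here is the same trick split into its two data-handling halves in portable C: building the SIDT stub bytes the way the post's code patches them, and decoding the IDTR image that SIDT writes back, with the 64-bit 10-byte layout handled as well. The IDTR sample values and the buffer address 0x0012ff40 are constructed, not captured from a machine, and nothing here executes SIDT, so it runs on any architecture.

```c
#include <stddef.h>
#include <stdint.h>

/* Build the 8-byte Red Pill stub exactly as the post's byte string does:
 * 0F 01 0D = SIDT with a disp32 memory operand, then the little-endian
 * 32-bit address of the destination buffer, then C3 = RET.
 * This is the patch step "*((unsigned*)&rpill[3]) = (unsigned)m;". */
void encode_redpill_stub(uint32_t dest_addr, unsigned char out[8]) {
    out[0] = 0x0f; out[1] = 0x01; out[2] = 0x0d;
    for (int i = 0; i < 4; i++)
        out[3 + i] = (unsigned char)(dest_addr >> (8 * i));
    out[7] = 0xc3;
}

/* IDTR as SIDT writes it to memory: 16-bit limit followed by the base. */
struct idtr_image { uint16_t limit; uint64_t base; };

/* Decode the buffer SIDT filled. 32-bit mode stores 6 bytes (4-byte base),
 * 64-bit mode stores 10 bytes (8-byte base); anything else is rejected. */
int parse_idtr(const unsigned char *m, size_t len, struct idtr_image *out) {
    if (len != 6 && len != 10) return -1;
    out->limit = (uint16_t)(m[0] | (m[1] << 8));
    out->base = 0;
    for (size_t i = 2; i < len; i++)
        out->base |= (uint64_t)m[i] << (8 * (i - 2));
    return 0;
}

/* The post's verdict, "m[5] > 0xd0": the top byte of a 32-bit IDT base.
 * Returns 1 if the base looks VMM-relocated, 0 if not, -1 on bad input
 * (the threshold is only meaningful for the 6-byte 32-bit layout). */
int redpill_verdict(const unsigned char *m, size_t len) {
    struct idtr_image r;
    if (len != 6 || parse_idtr(m, len, &r) != 0) return -1;
    return ((r.base >> 24) & 0xff) > 0xd0 ? 1 : 0;
}

/* Constructed samples (not captured from a real machine): a native-looking
 * base of 0x80ffffff versus a high, relocated-looking base of 0xff401000. */
int redpill_selftest(void) {
    const unsigned char native[6] = { 0xff, 0x07, 0xff, 0xff, 0xff, 0x80 };
    const unsigned char guest[6]  = { 0xff, 0x07, 0x00, 0x10, 0x40, 0xff };
    unsigned char stub[8];
    encode_redpill_stub(0x0012ff40u, stub);   /* hypothetical buffer address */
    if (stub[2] != 0x0d || stub[3] != 0x40 || stub[6] != 0x00 || stub[7] != 0xc3)
        return 0;
    return redpill_verdict(native, 6) == 0 && redpill_verdict(guest, 6) == 1;
}
```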
For those who are interested in actually seeing the Red Pill code execute, here is the link to a simple program written in C. This code would run on any Intel-based OS.
If you find this article worth a read and would like to dig more into these concepts, then I would recommend you visit http://www.trapkit.de, where you can find some other tips, tricks and tools to fingerprint virtual environments.
I hope you find this post a good read. Any suggestions / comments / feedback are most welcome.