SlideShare a Scribd company logo

Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra

OWASP Delhi, profile picture
OWASP Delhi

This document provides an overview of using virtualization and hypervisors for malicious purposes. It discusses hypervisors, how they work, and why they could be useful for malware. It then covers setting up a basic virtual machine using KVM on Linux, including initializing memory, injecting code, handling I/O, and converting the code to a shellcode. The presentation includes demos of creating a KVM-powered hypervisor and a hypervisor shellcode.

Internet
1 of 23
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Malicious Hypervisor Virtualization in Shellcodes Adhokshaj Mishra
Who am I?  A security fella  I am fascinated by malware, and cryptography  I work on offensive side of research  Get in touch: me@adhokshajmishraonline.in
Agenda  Hypervisor: what, how and why?  Hypervisor in Linux  Capsule course on hypervisor (Intel VT-x, AMD-V, KVM)  Spawning a bare-bone VM  Injecting code in VM  I/O Between Host and Guest  Converting C Code to Shellcode
Hypervisor: What?  A hypervisor is computer software, firmware, or hardware, that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.  Type-1 hypervisor: runs directly on bare metal. Example: ESXi  Type-2 hypervisor: runs on a conventional OS. Example: KVM
Hypervisor: How?  Software emulation: Hypervisor emulates instructions of guest machine using instructions of host machine. These are slow, but can handle arbitrary architecture for guest machine.  Hardware-assisted: Hypervisor runs the instructions of guest machine directly on physical CPU using virtualization instructions provided by chip (vmenter, vmexit etc). Naturally, these are much faster than emulation based; but cannot handle architectures not supported by underlying chip.
Hypervisor: Why?
Hypervisor: Why?
Hypervisor: Why?  Hypervisor makes it harder to debug the code running inside it.  Debugging is even harder if guest architecture is custom and undocumented.
Capsule Course on Hypervisor  A virtual CPU starts up just like an actual CPU, i.e., it will start in 8086 aka real mode. You need to switch it to protected mode (x86), and then to long mode (x64). Mode switch is not mandatory if you keep yourself limited to instruction set of the mode you are going to use.  At startup, you need to allocate memory which will be used by guest machine. Guest machine will see it as ram, while host will see it as a memory buffer.  Registers must be set properly on startup, otherwise guest machine will fail. You need to load code in guest memory, set registers (at least instruction pointer) before running the guest.
Capsule Course on Hypervisor  During execution, guest machine will raise events, which must be handled by the host.  For any I/O, virtual ports will be used by guest machine. Whenever guest machine attempts a write to port, or read from port, it triggers an event, which is passed to host. Host must handle the data transfer if any.
Spawning a Bare-bone VM  int kvm = open(“/dev/kvm”, O_RDWR | O_CLOEXEC); int vmfd = ioctl(kvm, KVM_CREATE_VM, (unsigned long)0); int vcpufd = ioctl(vmfd, KVM_CREATE_CPU, (unsigned long)0);  All communication and configuration is done by IOCTL calls. These calls follow the following pattern: int ioctl(file_descriptor, command, parameter);
Spawning a Bare-bone VM  Setting up memory: uint8_t *mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); The above call allocates a buffer of length 4KB, with read and write permissions. The allocated page will be anonymous (as in, not backed by any file).
Spawning a Bare-bone VM  Setting up guest memory: struct kvm_userspace_memory_region region = { .slot = 0, .guest_phys_addr = 0x1000, .memory_size = 0x1000, .userspace_addr = (uint64_t)mem; }; int ret = ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &region);
Why was guest physical address set to 0x1000, and not at, say, 0x10 or 0x1?
Injecting Code in VM  It is as simple as copying code bytes into memory buffer before giving it to guest machine. Uint8_t code[] = {/*code bytes here*/}; memcpy(mem, code, sizeof(code));  NOTE: The code must be for 8086 CPU, otherwise guest machine will fail with illegal instruction fault and/or with bizarre results. If you want to switch modes, it must happen through 8086 code.
Injecting Code in VM  Setting up segment registers: struct kvm_sregs sregs; ret = ioctl(vcpufd, KVM_GET_SREGS, &sregs); sregs.cs.base = 0; sregs.cs.selector = 0; ret = ioctl(vcpufd, KVM_SET_SREGS, &sregs);
Injecting Code in VM  Setting up registers: struct kvm_regs regs = { .rip = 0x1000, .rax = 4, .rbx = 5, .rflags = 0x2, }; ret = ioctl(vcpufd, KVM_SET_REGS, &regs);
Kicking VM to Life size_t mmap_size = ioctl(kvm, KVM_GET_CPU_MMAP_SIZE, NULL); kvm_run *run = mmap(NULL, mmap_size, PROT_READ | PRO_WRITE, MAP_SHARED, vcpufd, 0); while(1){ ret = ioctl(vcpufd, KVM_RUN, NULL); switch (run->exit_reason) { /*handle events here*/ } }
I/O Between Host and Guest switch (run->exit_reason) { case KVM_EXIT_IO: if (run->io.direction == KVM_EXIT_IO_OUT && io.port == 0xabc) { char ch = *(((char*)run) + run->io.data_offset); } /*handle more cases here*/ }
Demo of KVM Powered Hypervisor
Conversion to Shellcode  gcc kvm.c –o kvm –save-temps –masm=intel  kvm.s contains assembly listing.  Remove all the extra clutter generated by compiler  Resolve addresses of all hardcoded values using JMP-CALL-POP method  Profit!
Demo of shellcode
Got any questions?

More Related Content

PDF
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Takuya ASADA
 
PDF
Implements BIOS emulation support for BHyVe
Takuya ASADA
 
PDF
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Nate Lawson
 
PPT
[HackInTheBox] Breaking virtualization by any means
Moabi.com
 
PDF
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
kbour23
 
PPTX
ARMvisor @ Linux Symposium 2012
Peter Chang
 
PDF
ARMvisor, more details
Peter Chang
 
PDF
ARMvisor @ COSCUP2012
Peter Chang
 
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Takuya ASADA
 
Implements BIOS emulation support for BHyVe
Takuya ASADA
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Nate Lawson
 
[HackInTheBox] Breaking virtualization by any means
Moabi.com
 
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
kbour23
 
ARMvisor @ Linux Symposium 2012
Peter Chang
 
ARMvisor, more details
Peter Chang
 
ARMvisor @ COSCUP2012
Peter Chang
 

What's hot (19)

PPT
Qemu
robertsong
 
PDF
QEMU in Cross building
Tetsuyuki Kobayashi
 
PDF
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
PDF
Embedded Systems Conference 2014 Presentation
Manish Jaggi
 
PDF
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
Moabi.com
 
PDF
Qemu
Koganti Ravikumar
 
PDF
Linux: the first second
Alison Chaiken
 
PDF
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
Project ACRN
 
PDF
Tegra 186のu-boot & Linux
Mr. Vengineer
 
PDF
sponsorAVAST-VB2014
Martin Hron
 
PDF
VM - Talk
Wan Leung Wong
 
PDF
Dave Gilbert - KVM and QEMU
Danny Abukalam
 
PDF
[CB19] Attacking DRM subsystem to gain kernel privilege on Chromebooks by Di ...
CODE BLUE
 
PDF
XS Boston 2008 Cache
The Linux Foundation
 
PDF
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Anne Nicolas
 
PDF
Project ACRN GVT-d introduction and tutorial
Project ACRN
 
PDF
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
eurobsdcon
 
PDF
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Carlos Eduardo
 
PDF
Project ACRN CPU sharing BVT scheduler in ACRN hypervisor
Project ACRN
 
Qemu
robertsong
 
QEMU in Cross building
Tetsuyuki Kobayashi
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
Embedded Systems Conference 2014 Presentation
Manish Jaggi
 
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
Moabi.com
 
Qemu
Koganti Ravikumar
 
Linux: the first second
Alison Chaiken
 
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
Project ACRN
 
Tegra 186のu-boot & Linux
Mr. Vengineer
 
sponsorAVAST-VB2014
Martin Hron
 
VM - Talk
Wan Leung Wong
 
Dave Gilbert - KVM and QEMU
Danny Abukalam
 
[CB19] Attacking DRM subsystem to gain kernel privilege on Chromebooks by Di ...
CODE BLUE
 
XS Boston 2008 Cache
The Linux Foundation
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Anne Nicolas
 
Project ACRN GVT-d introduction and tutorial
Project ACRN
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
eurobsdcon
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Carlos Eduardo
 
Project ACRN CPU sharing BVT scheduler in ACRN hypervisor
Project ACRN
 
Ad

Similar to Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra (20)

ODP
Kvm and libvirt
plarsen67
 
PPTX
Virtualization concept slideshare
Yogesh Kumar
 
PPTX
Server virtualization
Kingston Smiler
 
PPT
Virtual Pc Seminar
guest5b5549
 
PPTX
Hypervisors
Inzemamul Haque
 
PPTX
Virtualization-Presentation-with-History
Sachin Darekar
 
PPTX
Virtualization of computing and servers
pooranionline
 
PDF
Rmll Virtualization As Is Tool 20090707 V1.0
guest72e8c1
 
PDF
RMLL / LSM 2009
Franck_Villaume
 
PPTX
Building a KVM-based Hypervisor for a Heterogeneous System Architecture Compl...
Hann Yu-Ju Huang
 
PDF
BitVisor Summit 11「2. BitVisor on Aarch64」
BitVisor
 
PPTX
Operating system Virtualization_NEW.pptx
Senthil Vit
 
PPTX
3. CPU virtualization and scheduling
Hwanju Kim
 
ODP
S4 xen hypervisor_20080622
Todd Deshane
 
PPTX
Hardware support for efficient virtualization
Lennox Wu
 
PDF
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
The Linux Foundation
 
PPT
Unit II.ppt
HARISHK762704
 
PPT
Virtualization
satchipatra
 
PDF
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
Dave Voutila
 
PDF
The kvm virtualization way
Francisco Gonçalves
 
Kvm and libvirt
plarsen67
 
Virtualization concept slideshare
Yogesh Kumar
 
Server virtualization
Kingston Smiler
 
Virtual Pc Seminar
guest5b5549
 
Hypervisors
Inzemamul Haque
 
Virtualization-Presentation-with-History
Sachin Darekar
 
Virtualization of computing and servers
pooranionline
 
Rmll Virtualization As Is Tool 20090707 V1.0
guest72e8c1
 
RMLL / LSM 2009
Franck_Villaume
 
Building a KVM-based Hypervisor for a Heterogeneous System Architecture Compl...
Hann Yu-Ju Huang
 
BitVisor Summit 11「2. BitVisor on Aarch64」
BitVisor
 
Operating system Virtualization_NEW.pptx
Senthil Vit
 
3. CPU virtualization and scheduling
Hwanju Kim
 
S4 xen hypervisor_20080622
Todd Deshane
 
Hardware support for efficient virtualization
Lennox Wu
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
The Linux Foundation
 
Unit II.ppt
HARISHK762704
 
Virtualization
satchipatra
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
Dave Voutila
 
The kvm virtualization way
Francisco Gonçalves
 
Ad

More from OWASP Delhi (20)

PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
PDF
Securing dns records from subdomain takeover
OWASP Delhi
 
PDF
Effective Cyber Security Report Writing
OWASP Delhi
 
PPTX
Data sniffing over Air Gap
OWASP Delhi
 
PPTX
UDP Hunter
OWASP Delhi
 
PDF
Demystifying Container Escapes
OWASP Delhi
 
PPTX
Automating WAF using Terraform
OWASP Delhi
 
PPTX
Actionable Threat Intelligence
OWASP Delhi
 
PDF
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
PPTX
Owasp top 10 vulnerabilities
OWASP Delhi
 
PPTX
Recon with Nmap
OWASP Delhi
 
PPTX
Securing AWS environments by Ankit Giri
OWASP Delhi
 
PDF
DMARC Overview
OWASP Delhi
 
PDF
Cloud assessments by :- Aakash Goel
OWASP Delhi
 
PDF
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
ODP
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi
 
PDF
IETF's Role and Mandate in Internet Governance by Mohit Batra
OWASP Delhi
 
PPTX
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
PDF
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi
 
ODP
Hostile Subdomain Takeover by Ankit Prateek
OWASP Delhi
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Securing dns records from subdomain takeover
OWASP Delhi
 
Effective Cyber Security Report Writing
OWASP Delhi
 
Data sniffing over Air Gap
OWASP Delhi
 
UDP Hunter
OWASP Delhi
 
Demystifying Container Escapes
OWASP Delhi
 
Automating WAF using Terraform
OWASP Delhi
 
Actionable Threat Intelligence
OWASP Delhi
 
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Owasp top 10 vulnerabilities
OWASP Delhi
 
Recon with Nmap
OWASP Delhi
 
Securing AWS environments by Ankit Giri
OWASP Delhi
 
DMARC Overview
OWASP Delhi
 
Cloud assessments by :- Aakash Goel
OWASP Delhi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
OWASP Delhi
 
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi
 
Hostile Subdomain Takeover by Ankit Prateek
OWASP Delhi
 

Recently uploaded (20)

PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PPTX
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
PPTX
QR Codes Qr codecodecodecodecocodedecodecode
SRMediaZone
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PDF
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
PPTX
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
Funds Management Learning Material for Beg
NKKumar16
 
Introduction about ICD -10 and ICD11 on 5.8.25.pptx
naveenithkrishnan
 
QR Codes Qr codecodecodecodecocodedecodecode
SRMediaZone
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 

Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra

  • 1. Malicious Hypervisor Virtualization in Shellcodes Adhokshaj Mishra
  • 2. Who am I?  A security fella  I am fascinated by malware, and cryptography  I work on offensive side of research  Get in touch: me@adhokshajmishraonline.in
  • 3. Agenda  Hypervisor: what, how and why?  Hypervisor in Linux  Capsule course on hypervisor (Intel VT-x, AMD-V, KVM)  Spawning a bare-bone VM  Injecting code in VM  I/O Between Host and Guest  Converting C Code to Shellcode
  • 4. Hypervisor: What?  A hypervisor is computer software, firmware, or hardware, that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.  Type-1 hypervisor: runs directly on bare metal. Example: ESXi  Type-2 hypervisor: runs on a conventional OS. Example: KVM
  • 5. Hypervisor: How?  Software emulation: Hypervisor emulates instructions of guest machine using instructions of host machine. These are slow, but can handle arbitrary architecture for guest machine.  Hardware-assisted: Hypervisor runs the instructions of guest machine directly on physical CPU using virtualization instructions provided by chip (vmenter, vmexit etc). Naturally, these are much faster than emulation based; but cannot handle architectures not supported by underlying chip.
  • 8. Hypervisor: Why?  Hypervisor makes it harder to debug the code running inside it.  Debugging is even harder if guest architecture is custom and undocumented.
  • 9. Capsule Course on Hypervisor  A virtual CPU starts up just like an actual CPU, i.e., it will start in 8086 aka real mode. You need to switch it to protected mode (x86), and then to long mode (x64). Mode switch is not mandatory if you keep yourself limited to instruction set of the mode you are going to use.  At startup, you need to allocate memory which will be used by guest machine. Guest machine will see it as ram, while host will see it as a memory buffer.  Registers must be set properly on startup, otherwise guest machine will fail. You need to load code in guest memory, set registers (at least instruction pointer) before running the guest.
  • 10. Capsule Course on Hypervisor  During execution, guest machine will raise events, which must be handled by the host.  For any I/O, virtual ports will be used by guest machine. Whenever guest machine attempts a write to port, or read from port, it triggers an event, which is passed to host. Host must handle the data transfer if any.
  • 11. Spawning a Bare-bone VM  int kvm = open(“/dev/kvm”, O_RDWR | O_CLOEXEC); int vmfd = ioctl(kvm, KVM_CREATE_VM, (unsigned long)0); int vcpufd = ioctl(vmfd, KVM_CREATE_CPU, (unsigned long)0);  All communication and configuration is done by IOCTL calls. These calls follow the following pattern: int ioctl(file_descriptor, command, parameter);
  • 12. Spawning a Bare-bone VM  Setting up memory: uint8_t *mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); The above call allocates a buffer of length 4KB, with read and write permissions. The allocated page will be anonymous (as in, not backed by any file).
  • 13. Spawning a Bare-bone VM  Setting up guest memory: struct kvm_userspace_memory_region region = { .slot = 0, .guest_phys_addr = 0x1000, .memory_size = 0x1000, .userspace_addr = (uint64_t)mem; }; int ret = ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &region);
  • 14. Why was guest physical address set to 0x1000, and not at, say, 0x10 or 0x1?
  • 15. Injecting Code in VM  It is as simple as copying code bytes into memory buffer before giving it to guest machine. Uint8_t code[] = {/*code bytes here*/}; memcpy(mem, code, sizeof(code));  NOTE: The code must be for 8086 CPU, otherwise guest machine will fail with illegal instruction fault and/or with bizarre results. If you want to switch modes, it must happen through 8086 code.
  • 16. Injecting Code in VM  Setting up segment registers: struct kvm_sregs sregs; ret = ioctl(vcpufd, KVM_GET_SREGS, &sregs); sregs.cs.base = 0; sregs.cs.selector = 0; ret = ioctl(vcpufd, KVM_SET_SREGS, &sregs);
  • 17. Injecting Code in VM  Setting up registers: struct kvm_regs regs = { .rip = 0x1000, .rax = 4, .rbx = 5, .rflags = 0x2, }; ret = ioctl(vcpufd, KVM_SET_REGS, &regs);
  • 18. Kicking VM to Life size_t mmap_size = ioctl(kvm, KVM_GET_CPU_MMAP_SIZE, NULL); kvm_run *run = mmap(NULL, mmap_size, PROT_READ | PRO_WRITE, MAP_SHARED, vcpufd, 0); while(1){ ret = ioctl(vcpufd, KVM_RUN, NULL); switch (run->exit_reason) { /*handle events here*/ } }
  • 19. I/O Between Host and Guest switch (run->exit_reason) { case KVM_EXIT_IO: if (run->io.direction == KVM_EXIT_IO_OUT && io.port == 0xabc) { char ch = *(((char*)run) + run->io.data_offset); } /*handle more cases here*/ }
  • 20. Demo of KVM Powered Hypervisor
  • 21. Conversion to Shellcode  gcc kvm.c –o kvm –save-temps –masm=intel  kvm.s contains assembly listing.  Remove all the extra clutter generated by compiler  Resolve addresses of all hardcoded values using JMP-CALL-POP method  Profit!