Exetools

Nicogalan 09-29-2012 11:14

Hardware virtualization is good in cracking?
 
my notebook hp has an option to activate virtualization in bios... my cpu is i7
it says it's advised to be disabled... and just enable function for specific softwares....

what are the pros and cons??

is it useful for cracking or packing?

thanks

chessgod101 09-29-2012 11:59

This feature in your BIOS is called Hardware Accelerated Virtualization (HAV). According to the Intel webpage, it is intended to improve virtualization software flexibility by:

- Speeding up the transfer of platform control between the guest operating systems (OSs) and the virtual machine manager (VMM)/hypervisor

- Enabling the VMM to uniquely assign I/O devices to guest OSs

- Optimizing the network for virtualization with adapter-based acceleration


With that being stated, I do not see any way it could be beneficial with cracking, unless you are working with a virtual OS with the use of either VirtualBox or VMware Workstation. I can see where this could benefit malware reversers, since they commonly use VMs to reverse engineer hostile code.

Here are several good articles to give you insight into this technology:

Intel article: http://www.intel.com/content/www/us/en/virtualization/virtualization-technology/hardware-assist-virtualization-technology.html

Wikipedia: http://en.wikipedia.org/wiki/Hardware-assisted_virtualization

The Wikipedia article contains a section discussing the pros and cons of HAV.

sendersu 09-29-2012 14:52

There are different types of HW virtualization:
VTx (general), VTd - I/O virtualization (not all even i7 CPUs have it, check your model)
and VTc (network virtualization).
Check your CPU feat by reading /proc/cpuinfo (if you are a Linux guy).
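
Added example, not part of any post in this thread: one way to do the /proc/cpuinfo check mentioned above on Linux. The function names and the sample input are made up for illustration; the sketch also covers VT-d, which is not a cpuinfo flag and is looked up through the ACPI DMAR table that Linux exposes under /sys/firmware/acpi/tables.

```shell
#!/bin/sh
# Report hardware-virtualization support from Linux cpuinfo and ACPI data.
# All function names here are hypothetical helpers for this example.

# Print the feature list from the first "flags" line of a cpuinfo-format file.
# Anchoring on ^flags skips the separate "vmx flags" line of newer kernels.
cpu_flags() {
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "${1:-/proc/cpuinfo}" | head -n 1
}

# Succeed only if the exact flag name $2 is listed in file $1.
# Padding with spaces avoids substring hits (e.g. "vm" must not match "vmx").
has_flag() {
    case " $(cpu_flags "$1") " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the CPU virtualization extension advertised: VT-x, SVM or none.
cpu_virt() {
    if has_flag "$1" vmx; then echo "VT-x"
    elif has_flag "$1" svm; then echo "SVM"
    else echo "none"
    fi
}

# VT-d does not show up in cpuinfo. Firmware that enables it publishes an
# ACPI DMAR table; $1 overrides the table directory (used for testing).
vtd_advertised() {
    [ -e "${1:-/sys/firmware/acpi/tables}/DMAR" ]
}

# Constructed sample input, not taken from a real machine.
sample_cpuinfo() {
    printf 'processor\t: 0\nmodel name\t: Example CPU\n'
    printf 'flags\t\t: fpu vme de pse msr pae vmx est tm2 ssse3\n'
}

# On a Linux host, report on the live system.
if [ -r /proc/cpuinfo ]; then
    echo "CPU extension: $(cpu_virt /proc/cpuinfo)"
    if vtd_advertised; then echo "VT-d: DMAR table present"
    else echo "VT-d: no DMAR table visible"
    fi
fi
```

A CPU that reports "none" here may still support the extension in silicon; the check only reflects what the running kernel sees.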

leosmi05 10-13-2012 02:29

The BIOS option probably activates the VTx (general) virtualization.
It's helpful if you use a virtual machine (VMware Workstation for example).

Git 10-13-2012 05:13

As said above, not all i7's have VTd, even if your BIOS tells you that you can turn it on or off.

Git

justlovemm 11-02-2012 12:30

I think the answer is yes. You can set or get some type of breakpoint by VT. The breakpoint is not a hardware breakpoint, not a software bp (int 3) and not a memory bp. And it can be useful in anti anti debug, anti ring 0 hook check because your code is run at ring -1 by VT.

deroko 11-02-2012 17:00

It is very useful for cracking. For example, you can fake cpuid and use it as a break. I've used cpuid as a breakpoint to catch when an application is using it for anti-dump. VT also allows you to have hooking on an x64 system without disabling PatchGuard, as you can control drX registers, and hook using them. You can also hook all system calls, as you are controlling read/write to MSR registers for example. (e.g. on read you fake to real-old address, and keep yours inside)

It's also useful for virtualization software like VMware, VirtualBox, VirtualPC as it will speed up their execution a lot :)

pp2 12-03-2012 02:48

VTx (or SVM in case of AMD) is very useful in debugging/reversing/patching. The only thing you need is a small helper hypervisor. Using it, you can execute almost any code under a kind of virtual machine and watch its execution, set breakpoints, read/write any CPU registers, and even debug switching modes (user<->kernel). This hypervisor works as a "filter": most processor events pass through into the real OS, except critical/sensitive ones. Catching some events is needed to hide the hypervisor from the OS, minimize its influence on execution flow and fake some sensitive data. Using hardware-supported MTF (the so-called monitor trap flag) you can execute CPU commands one by one, logging/modifying CPU registers or memory as you need on each command.

Suggest reading the Intel/AMD docs about VTx/SVM to understand the power of using it in debugging/reversing.

