Blue Pill is back

Joanna Rutkowska has received severe criticism of her Blue Pill rootkit prototype for more than a year, both from the security community and from top representatives of the virtualization community (see the virtualization.info interview with Xen hacker Anthony Liguori and the VMware/XenSource/Stanford/Carnegie Mellon whitepaper VMM Detection Myths and Realities).

Despite that, the security researcher is still firmly resolved to demonstrate that VMM undetectability is achievable.

To prove it, Rutkowska started a new prototype from scratch with a new architecture and new features. The project is still in a very early development phase and has some serious limitations:

  • No support for VT-x (HVM implements only SVM-specific functions)
  • RDTSC cheating uses a very simple (too simple) cycle emulation
  • The Blue Chicken TimeBomb setting algorithm seems to contain a mysterious race condition that causes a BSoD from time to time after the timebomb is set
  • Virtual PC 2007 (with hardware virtualization enabled) currently crashes when run inside a blue-pilled machine
  • The BP knock feature might cause a crash in a nested scenario due to CPUID interception
  • No support for “exotic” CPU modes
  • No support for intercepting “exotic” high-precision local timers
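Two of the limitations above (the too-simple RDTSC cycle emulation and the unintercepted high-precision timers) are about the same thing: the timing side channel that detection-side code uses to spot a hypervisor. CPUID always causes a #VMEXIT under SVM/VT-x, so the instruction costs a few hundred cycles on bare metal but thousands once a hypervisor has to handle the exit, unless the hypervisor hides the difference by adjusting the TSC. The following C program is an added illustration of that measurement, written for this article; it is not code from Blue Pill or from its documentation. The 1000-cycle threshold and the sample count are assumptions chosen for illustration and must be calibrated per CPU, and a non-x86 fallback is included only so the file compiles everywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the CPUID/RDTSC timing check that a hypervisor's
 * "RDTSC cheating" is meant to defeat. Threshold values are assumptions. */

#if defined(__x86_64__) || defined(__i386__)
/* Read the time-stamp counter (not serialized; good enough for a demo). */
static inline uint64_t read_tsc(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* Execute CPUID leaf 0. The outputs are discarded; only the cost matters.
 * CPUID is also a serializing instruction, so it fences the two RDTSCs. */
static inline void exec_cpuid(void)
{
    uint32_t eax = 0, ebx, ecx, edx;
    __asm__ __volatile__("cpuid"
                         : "+a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
                         :
                         : "memory");
}
#else
/* Non-x86 fallback so the file still compiles: no TSC, no CPUID. */
static inline uint64_t read_tsc(void) { return 0; }
static inline void exec_cpuid(void) {}
#endif

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (n >= 1); sorts a copy so the caller's array is untouched. */
uint64_t median_u64(const uint64_t *samples, size_t n)
{
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* Median cycle cost of CPUID over n samples. The median, not the mean or the
 * minimum, so that a single interrupt or context switch cannot skew the result. */
uint64_t cpuid_cycles_median(size_t n)
{
    if (n == 0) return 0;
    uint64_t *samples = malloc(n * sizeof *samples);
    if (!samples) return 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = read_tsc();
        exec_cpuid();
        uint64_t t1 = read_tsc();
        samples[i] = t1 - t0;
    }
    uint64_t m = median_u64(samples, n);
    free(samples);
    return m;
}

/* Verdict: 1 if the median cost exceeds the bound a native CPUID is assumed
 * to stay under, 0 otherwise. */
int cpuid_looks_trapped(uint64_t median_cycles, uint64_t threshold_cycles)
{
    return median_cycles > threshold_cycles;
}

int main(void)
{
    const uint64_t threshold = 1000;  /* assumed native upper bound; calibrate per CPU */
    uint64_t med = cpuid_cycles_median(256);
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)med,
           cpuid_looks_trapped(med, threshold) ? "consistent with a VMM intercepting CPUID"
                                                : "consistent with bare metal");
    return 0;
}
```

The check is only as good as the clock it reads. A hypervisor that subtracts its exit cost from the guest-visible TSC on every CPUID exit (the "RDTSC cheating" above) makes this particular measurement come out native-looking, which is why the other limitation matters: a monitor that takes the same measurement against a timer the hypervisor does not intercept (HPET, an external NTP reference, or the APIC timer) still sees the gap. Run it on bare metal and inside an ordinary VM to see the two distributions before trusting any fixed threshold.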

Download the rootkit prototype and documentation here.