I need software that runs on Windows and detects highly suspect activity happening at the hypervisor level. It is a Hypervisor Introspection Detection tool.
Develop a UI that runs on a Host or Guest and makes use of the Tuzel libraries: a very simple one that maybe shows a status in the toolbar, red/green/yellow.
Green signifying that there is no suspicious activity happening at the hypervisor/hardware level.
Red signifying that there is some suspicious activity happening at the hypervisor/hardware/introspection layer, and it is highly concerning.
Yellow signifying that there is some suspicious activity happening at the hypervisor/hardware/introspection layer, and it is mildly concerning.
The application should log activity to syslog, and be able to forward the information to a syslog server.
You need to be an expert at writing software at the OS kernel level, in whatever language is best suited for the operating system and the Tuzel libraries. This might be the C language; I don't know, so you need to help me here.
Based on the work done by Tomasz Tuzel
Toolkit: [login to view URL]
Evil Hypervisor: [login to view URL]
Preso: [login to view URL]
Write a tool that detects if LibVMI is being used and reports it into a log file and also through a browser-based GUI application.
Use the ecr_toolkit to develop a tool that detects Hypervisor Introspection Attacks and reports them into a log file and also through a browser-based GUI application.
Types of Attacks:
LibVMI (on GitHub)
Create a baseline
Memory Intercessions - excessive page violations, VM-exit large overhead, large timing increase
Passive Memory Monitoring - Flush+Reload, Timing Decrease
Instruction Intercession - Wall Timing
Non-Temporal Instructions -
Detection using increased virtualization exceptions (#VE)
Intel SGX is enabled/disabled
Needs to work in PV, HVM and PVH mode.
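Added example (not code from this posting, Tuzel's ecr_toolkit, or LibVMI): the baseline-and-threshold logic behind the timing checks listed above, written in C, which maps a deviation from a clean baseline to the green/yellow/red states and formats the syslog line the tool would forward. The cycle-count samples are constructed, and the thresholds, 1% spread floor, syslog facility and the "hvi-detect" tag are assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
typedef enum { STATUS_GREEN = 0, STATUS_YELLOW = 1, STATUS_RED = 2 } hvi_status;
/* Baseline of a timing probe (e.g. cycles for a VM-exiting instruction) taken
 * while the guest is believed clean: mean and mean absolute deviation. */
typedef struct { double mean; double mad; } hvi_baseline;
static double absd(double x) { return x < 0 ? -x : x; }

hvi_baseline hvi_build_baseline(const double *samples, size_t n) {
    hvi_baseline b = {0.0, 0.0};
    for (size_t i = 0; i < n; i++) b.mean += samples[i];
    b.mean /= (double)n;
    for (size_t i = 0; i < n; i++) b.mad += absd(samples[i] - b.mean);
    b.mad /= (double)n;
    return b;
}

/* Distance from baseline in units of spread (floored at 1% of the mean so a
 * quiet baseline does not alert on jitter). Both directions count: a rise means
 * VM-exit overhead from intercession, a drop a line kept warm by Flush+Reload. */
double hvi_deviation(const hvi_baseline *b, double observed) {
    double scale = b->mad > b->mean * 0.01 ? b->mad : b->mean * 0.01;
    return absd(observed - b->mean) / scale;
}

/* Thresholds are assumptions for illustration; tune per platform. */
hvi_status hvi_classify(double deviation) {
    if (deviation >= 6.0) return STATUS_RED;
    if (deviation >= 3.0) return STATUS_YELLOW;
    return STATUS_GREEN;
}

/* RFC 3164-style line: PRI = facility*8 + severity, facility local0 (16),
 * severities info/warning/crit. The "hvi-detect" tag is an assumed name. */
int hvi_format_syslog(hvi_status s, double deviation, char *out, size_t len) {
    static const int severity[] = {6, 4, 2};
    static const char *label[] = {"GREEN", "YELLOW", "RED"};
    return snprintf(out, len, "<%d>hvi-detect: status=%s timing_deviation=%.2f",
                    16 * 8 + severity[s], label[s], deviation);
}
int main(void) {
    /* Constructed clean-run cycle counts, then one later observation. */
    const double clean[] = {200, 202, 198, 201, 199, 200, 203, 197};
    hvi_baseline b = hvi_build_baseline(clean, sizeof clean / sizeof clean[0]);
    double d = hvi_deviation(&b, 240.0);
    char line[128];
    hvi_format_syslog(hvi_classify(d), d, line, sizeof line);
    puts(line);
}
```

The same function pair can be fed a #VE count per interval instead of a cycle count, since the baseline and thresholds are agnostic to what the probe measures.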
Icon is attached