Published on: 20.06.2017







At Joe Security, innovation is in our genes. We have been working on an awesome new component which takes advantage of hardware virtualization to analyze and detect malware. We call this new product Joe Sandbox Hypervisor.



What is hardware virtualization? What technology do we use for introspection? How do we implement it and what are its benefits? Read this blog post to get answers to these questions.





Hardware Virtualization

Hardware virtualization is a general term for the instruction set extensions introduced by Intel (VT-x) and AMD (AMD-V) in 2005/2006. They allow several operating systems to run simultaneously on the same CPU. To achieve that, they add a feature for memory separation (second-level address translation, e.g. Intel's Extended Page Tables) as well as a new CPU ring/mode in which the hypervisor runs (often referred to as root mode or ring -1). The transition from the normal modes (ring 0-3) to root mode can be visualized like this:









For malware analysis this transition is very interesting: the hypervisor intercepts the execution of the malware at specific events (each such event causes a VM exit into root mode), extracts additional information and then returns to the guest and continues execution. This enables fine-grained interception as well as tracking of detailed runtime information. Another great benefit of hardware virtualization is stealthiness: the analysis code lives outside the analyzed operating system, which makes it very difficult for malware to detect.




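The stealthiness claim above has a practical caveat: a hypervisor is invisible to in-guest hooks, but the CPU itself still answers questions about it. The following added example (not Joe Sandbox code, and not a statement about what Joe Sandbox Hypervisor does or does not mask) shows the three probes a sample commonly runs: the CPUID hypervisor-present bit, the CPUID vendor signature leaf, and the cost of a CPUID instruction, which is a VM exit under any hypervisor. Function names are chosen for the example; on non-x86 builds the probes report 0.

```c
/* Added example, not Joe Sandbox code: in-guest checks for a hypervisor.
 * A stealthy analysis hypervisor must intercept CPUID and answer as bare
 * metal would, and keep that interception cheaper than the guest can time. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* CPUID.1:ECX bit 31 is reserved (0) on real hardware; hypervisors set it. */
int hv_bit_set(uint32_t ecx_leaf1) { return (ecx_leaf1 >> 31) & 1u; }

/* CPUID.0x40000000 returns a 12-byte vendor signature in EBX, ECX, EDX,
 * lowest byte first (e.g. "KVMKVMKVM", "VMwareVMware", "Microsoft Hv"). */
void decode_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xff);
    out[12] = '\0';
}

/* 1 if CPUID reports a hypervisor, 0 otherwise (or on non-x86). */
int hypervisor_present(void)
{
#if HAVE_X86_CPUID
    unsigned a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d))
        return hv_bit_set(c);
#endif
    return 0;
}

/* Fills `out` with the vendor signature; returns 1 if one was read. */
int hypervisor_vendor(char out[13])
{
    out[0] = '\0';
#if HAVE_X86_CPUID
    if (hypervisor_present()) {
        unsigned a, b, c, d;
        /* 0x40000000 lies above the basic max leaf, so use the raw macro. */
        __cpuid(0x40000000, a, b, c, d);
        (void)a;
        decode_vendor(b, c, d, out);
        return 1;
    }
#endif
    return 0;
}

/* Median TSC ticks for one CPUID. On bare metal this is a few hundred
 * ticks; under a hypervisor every CPUID is a VM exit and costs far more,
 * which is the timing side channel a stealthy hypervisor has to mask. */
uint64_t cpuid_cost_median(int samples)
{
    if (samples < 1 || samples > 1024) return 0;
    uint64_t t[1024];
#if HAVE_X86_CPUID
    for (int i = 0; i < samples; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        t[i] = __rdtsc() - t0;
        (void)(a + b + c + d);
    }
#else
    for (int i = 0; i < samples; i++) t[i] = 0;
#endif
    /* insertion sort, then take the middle element */
    for (int i = 1; i < samples; i++) {
        uint64_t v = t[i]; int j = i - 1;
        while (j >= 0 && t[j] > v) { t[j + 1] = t[j]; j--; }
        t[j + 1] = v;
    }
    return t[samples / 2];
}

int main(void)
{
    char vendor[13];
    printf("CPUID hypervisor bit : %d\n", hypervisor_present());
    printf("vendor signature     : %s\n", hypervisor_vendor(vendor) ? vendor : "(none)");
    printf("median CPUID cost    : %llu ticks\n",
           (unsigned long long)cpuid_cost_median(201));
    return 0;
}
```

Run it on bare metal and inside a VM to see the difference. The first two probes are trivially answered by an analysis hypervisor that traps CPUID and rewrites the results; the third is the hard one, because masking it means also virtualizing the time stamp counter consistently.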

Kernel mode Hooking

Since hardware virtualization is a relatively new component for Joe Sandbox, the product currently uses a pure kernel mode (ring 0) driver which intercepts various system events such as system calls, kernel calls, memory events etc. Is there something to fear? Not really: hooking/function interception in kernel mode works perfectly for 99% of all malware out there. The only problem is rootkits, which run in kernel mode themselves and can therefore detect or tamper with the hooks. However, rootkits have all but disappeared during the last years:







