Patents by Inventor Prasad DABAK

Prasad DABAK has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11580217
    Abstract: Example methods are provided for virtual machine introspection in which a guest monitoring mode (GMM) module monitors the execution of guest calls by an agent that resides in a virtual machine (VM). The GMM module sets a bit in a bit mask that corresponds to a guest call that the agent needs to execute, and inserts an invisible breakpoint in the code of the guest call. If the GMM module detects that despite the setting of the bit in the bit mask, the agent does not complete the execution of the code (due to the invisible breakpoint not being triggered), then the GMM module considers this condition as a potential hijack of the VM by malicious code.
    Type: Grant
    Filed: February 12, 2020
    Date of Patent: February 14, 2023
    Assignee: VMWARE, INC.
    Inventor: Prasad Dabak
  • Patent number: 11385918
    Abstract: A method is provided for a hypervisor to dynamically discover internal address information of a guest kernel on a virtual machine. The method includes locating a kernel exported system call or function in an image of the guest kernel in guest memory of the virtual machine, disassembling machine code of the kernel exported system call or function in the image into assembly code, detecting a pattern from memory references in the assembly code, and, after detecting the pattern, determining the internal address information of the guest kernel from the assembly code.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: July 12, 2022
    Assignee: VMWARE, INC.
    Inventor: Prasad Dabak
  • Publication number: 20210124825
    Abstract: Example methods are provided for virtual machine introspection in which a guest monitoring mode (GMM) module monitors the execution of guest calls by an agent that resides in a virtual machine (VM). The GMM module sets a bit in a bit mask that corresponds to a guest call that the agent needs to execute, and inserts an invisible breakpoint in the code of the guest call. If the GMM module detects that despite the setting of the bit in the bit mask, the agent does not complete the execution of the code (due to the invisible breakpoint not being triggered), then the GMM module considers this condition as a potential hijack of the VM by malicious code.
    Type: Application
    Filed: February 12, 2020
    Publication date: April 29, 2021
    Inventor: Prasad DABAK
  • Patent number: 10860393
    Abstract: A method is provided for a kernel driver in an operating system to detect loading of images into memory and unloading of the images from memory. The method includes registering a callback routine for load-image notifications, receiving a load-image notification for an image and recording loading of the image, storing original code at or about an entry point of the image, and patching redirect stub code over the original code at or about the entry point. The method also includes receiving, from the redirect stub code, a redirected call to or about the entry point to execute a routine in the image. The redirected call identifies a driver object representing the image. The method further includes, based on the driver object, providing a mechanism to intercept unloading of the image and recording the unloading of the image.
    Type: Grant
    Filed: December 7, 2017
    Date of Patent: December 8, 2020
    Assignee: NICIRA, INC.
    Inventors: Prasad Dabak, Leena Soman, Goresh Musalay
  • Publication number: 20200233686
    Abstract: A method is provided for a hypervisor to dynamically discover internal address information of a guest kernel on a virtual machine. The method includes locating a kernel exported system call or function in an image of the guest kernel in guest memory of the virtual machine, disassembling machine code of the kernel exported system call or function in the image into assembly code, detecting a pattern from memory references in the assembly code, and, after detecting the pattern, determining the internal address information of the guest kernel from the assembly code.
    Type: Application
    Filed: April 29, 2019
    Publication date: July 23, 2020
    Inventor: PRASAD DABAK
  • Patent number: 10713357
    Abstract: The subject matter described herein provides protection against zero-day attacks by detecting, via a hypervisor maintaining an extended page table, an attempt to execute arbitrary code associated with malware in a guest operating system (OS) running within a virtual machine (VM). Further, the subject matter provides detection of lateral movement of the malware. The hypervisor uses hidden breakpoints to detect a request for thread creation, and then determines whether the request is to download and execute arbitrary code.
    Type: Grant
    Filed: February 16, 2018
    Date of Patent: July 14, 2020
    Assignee: NICIRA, INC.
    Inventor: Prasad Dabak
  • Patent number: 10678922
    Abstract: The subject matter described herein provides protection against zero-day attacks by detecting, via a hypervisor maintaining an extended page table, an attempt to execute arbitrary code associated with malware in a guest operating system (OS) running within a virtual machine (VM). Further, the subject matter provides detection of lateral movement of the malware. The hypervisor uses hidden breakpoints to detect a request for thread creation, and then determines whether the request is to download and execute arbitrary code.
    Type: Grant
    Filed: February 16, 2018
    Date of Patent: June 9, 2020
    Assignee: NICIRA, INC.
    Inventor: Prasad Dabak
  • Patent number: 10620985
    Abstract: An example method of managing guest code in a virtualized computing instance of a virtualized computing system includes: receiving, at a hypervisor that manages the virtualized computing instance, identifiers for a first guest-physical memory page, which stores a patched version of the guest code, and a second guest-physical memory page, which stores an original version of the guest code; modifying an entry in a nested page table (NPT), which is associated with the first guest-physical memory page, to cause an exception to the hypervisor in response to a first read operation, performed by first software in the virtualized computing instance, which targets the first guest-physical memory page; and executing, at the hypervisor in response to the exception, a second read operation that emulates the first read operation, but targets the second guest-physical memory page.
    Type: Grant
    Filed: July 7, 2017
    Date of Patent: April 14, 2020
    Assignee: Nicira, Inc.
    Inventors: Prasad Dabak, Achindra Bhatnagar
  • Patent number: 10514945
    Abstract: A hypervisor monitors for an initialization of a guest kernel running on a virtual machine implemented by the hypervisor. When the initialization of the guest kernel is detected, the hypervisor pauses a virtual processor of the virtual machine, locates a guest kernel image of the guest kernel in guest memory, locates a kernel function in the guest kernel image, inserts a breakpoint on the guest kernel function, resumes the virtual processor and monitors for a breakpoint instruction. After detecting the breakpoint instruction, the hypervisor gathers guest context by examining the guest memory and guest registers, pauses the virtual processor, constructs and injects a code gadget configured to run in the virtual machine, diverts the virtual processor to execute the code gadget, which causes the virtual processor to call the hypervisor at the end of executing the code gadget, and returns the virtual processor to execute the guest kernel function.
    Type: Grant
    Filed: February 7, 2018
    Date of Patent: December 24, 2019
    Assignee: NICIRA, INC.
    Inventor: Prasad Dabak
  • Patent number: 10489185
    Abstract: Example methods are provided for locating an operating system (OS) data structure on a host according to a hypervisor-assisted approach. The method may comprise a virtualized computing instance identifying a guest virtual memory address range in which the OS data structure is stored; and configuring the hypervisor to perform a safe read on the guest virtual memory address range to access data stored within the guest virtual memory address range. The method may further comprise the virtualized computing instance performing attribute matching by comparing the data stored within the guest virtual memory address range with attribute data associated with the OS data structure; and determining a location associated with the OS data structure based on the attribute matching.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: November 26, 2019
    Assignee: NICIRA, INC.
    Inventors: Prasad Dabak, Goresh Musalay
  • Publication number: 20190278636
    Abstract: A method is provided for a kernel driver in an operating system to detect loading of images into memory and unloading of the images from memory. The method includes registering a callback routine for load-image notifications, receiving a load-image notification for an image and recording loading of the image, storing original code at or about an entry point of the image, and patching redirect stub code over the original code at or about the entry point. The method also includes receiving, from the redirect stub code, a redirected call to or about the entry point to execute a routine in the image. The redirected call identifies a driver object representing the image. The method further includes, based on the driver object, providing a mechanism to intercept unloading of the image and recording the unloading of the image.
    Type: Application
    Filed: December 7, 2017
    Publication date: September 12, 2019
    Inventors: PRASAD DABAK, Leena Soman, Goresh Musalay
  • Publication number: 20190156036
    Abstract: The subject matter described herein provides protection against zero-day attacks by detecting, via a hypervisor maintaining an extended page table, an attempt to execute arbitrary code associated with malware in a guest operating system (OS) running within a virtual machine (VM). Further, the subject matter provides detection of lateral movement of the malware. The hypervisor uses hidden breakpoints to detect a request for thread creation, and then determines whether the request is to download and execute arbitrary code.
    Type: Application
    Filed: February 16, 2018
    Publication date: May 23, 2019
    Inventor: PRASAD DABAK
  • Publication number: 20190156027
    Abstract: The subject matter described herein provides protection against zero-day attacks by detecting, via a hypervisor maintaining an extended page table, an attempt to execute arbitrary code associated with malware in a guest operating system (OS) running within a virtual machine (VM). Further, the subject matter provides detection of lateral movement of the malware. The hypervisor uses hidden breakpoints to detect a request for thread creation, and then determines whether the request is to download and execute arbitrary code.
    Type: Application
    Filed: February 16, 2018
    Publication date: May 23, 2019
    Inventor: PRASAD DABAK
  • Publication number: 20190129741
    Abstract: A hypervisor monitors for an initialization of a guest kernel running on a virtual machine implemented by the hypervisor. When the initialization of the guest kernel is detected, the hypervisor pauses a virtual processor of the virtual machine, locates a guest kernel image of the guest kernel in guest memory, locates a kernel function in the guest kernel image, inserts a breakpoint on the guest kernel function, resumes the virtual processor and monitors for a breakpoint instruction. After detecting the breakpoint instruction, the hypervisor gathers guest context by examining the guest memory and guest registers, pauses the virtual processor, constructs and injects a code gadget configured to run in the virtual machine, diverts the virtual processor to execute the code gadget, which causes the virtual processor to call the hypervisor at the end of executing the code gadget, and returns the virtual processor to execute the guest kernel function.
    Type: Application
    Filed: February 7, 2018
    Publication date: May 2, 2019
    Inventor: Prasad Dabak
  • Patent number: 10277717
    Abstract: According to examples of the present disclosure, a method is provided to perform network introspection in an operating system that comprises a user memory space and a kernel memory space. The method may comprise, in response to an initiation of a socket operation, filtering the socket operation at a socket layer in the kernel memory space using a socket operation filter hook associated with the socket operation. The method may further comprise performing an introspection action associated with the socket operation filtered using the socket operation filter hook.
    Type: Grant
    Filed: December 15, 2013
    Date of Patent: April 30, 2019
    Assignee: NICIRA, INC.
    Inventors: Gaurav Sharma, Prasad Dabak
  • Publication number: 20180307516
    Abstract: An example method of managing guest code in a virtualized computing instance of a virtualized computing system includes: receiving, at a hypervisor that manages the virtualized computing instance, identifiers for a first guest-physical memory page, which stores a patched version of the guest code, and a second guest-physical memory page, which stores an original version of the guest code; modifying an entry in a nested page table (NPT), which is associated with the first guest-physical memory page, to cause an exception to the hypervisor in response to a first read operation, performed by first software in the virtualized computing instance, which targets the first guest-physical memory page; and executing, at the hypervisor in response to the exception, a second read operation that emulates the first read operation, but targets the second guest-physical memory page.
    Type: Application
    Filed: July 7, 2017
    Publication date: October 25, 2018
    Inventors: PRASAD DABAK, Achindra Bhatnagar
  • Publication number: 20180267818
    Abstract: Example methods are provided for locating an operating system (OS) data structure on a host according to a hypervisor-assisted approach. The method may comprise a virtualized computing instance identifying a guest virtual memory address range in which the OS data structure is stored; and configuring a hypervisor to generate notification data associated with the guest virtual memory address range. The method may further comprise the virtualized computing instance manipulating the OS data structure; obtaining notification data generated by the hypervisor in response to the manipulation; and determining a location associated with the OS data structure based on the notification data.
    Type: Application
    Filed: June 8, 2017
    Publication date: September 20, 2018
    Inventors: PRASAD DABAK, GORESH MUSALAY
  • Publication number: 20180267819
    Abstract: Example methods are provided for locating an operating system (OS) data structure on a host according to a hypervisor-assisted approach. The method may comprise a virtualized computing instance identifying a guest virtual memory address range in which the OS data structure is stored; and configuring the hypervisor to perform a safe read on the guest virtual memory address range to access data stored within the guest virtual memory address range. The method may further comprise the virtualized computing instance performing attribute matching by comparing the data stored within the guest virtual memory address range with attribute data associated with the OS data structure; and determining a location associated with the OS data structure based on the attribute matching.
    Type: Application
    Filed: June 8, 2017
    Publication date: September 20, 2018
    Inventors: PRASAD DABAK, Goresh Musalay
  • Patent number: 9531547
    Abstract: Examples perform external verification of authenticity of software components loaded onto virtual machines (VM). A processor, external to the VM, reads the loaded software component from the VM, and restores the loaded software component to its disk image state by undoing any changes made to load the software component. The digital signature is read from the restored disk image of the software and compared to the verified digital signature of the publisher of the software component. Some examples contemplate marking the software component as verified or unverified, and preventing unverified software components from making global changes.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: December 27, 2016
    Assignee: VMware, Inc.
    Inventors: Prasad Dabak, Alok Nemchand Kataria
  • Publication number: 20160294559
    Abstract: Examples perform external verification of authenticity of software components loaded onto virtual machines (VM). A processor, external to the VM, reads the loaded software component from the VM, and restores the loaded software component to its disk image state by undoing any changes made to load the software component. The digital signature is read from the restored disk image of the software and compared to the verified digital signature of the publisher of the software component. Some examples contemplate marking the software component as verified or unverified, and preventing unverified software components from making global changes.
    Type: Application
    Filed: June 25, 2015
    Publication date: October 6, 2016
    Inventors: Prasad Dabak, Alok Nemchand Kataria