Andrei Lutas
Andrei started his career at Bitdefender in October 2008 as a junior virus researcher. In December 2011, he moved to the research and development team as a lead for Introspection Research, where he played a pivotal role in developing the innovative Hypervisor Memory Introspection technology. His contributions extended beyond the lab, authoring academic papers, presenting at prestigious conferences like Black Hat, and co-authoring 15 patents. Currently, Andrei holds a PhD in computer science and leads a team at Bitdefender focused on innovative memory protection technologies. His passion lies in low-level systems, particularly reverse engineering, kernel security, hypervisors, and hardware-based security like side-channel attacks and speculative execution vulnerabilities.
Session
In this talk we present HyperVinject, the first tool capable of injecting code into a running Hyper-V VM (Child Partition) from the Root Partition, as if the VM were a regular process. We describe in detail, step by step, how this is achieved: gaining control of the VM by injecting code into the Virtual Machine Worker Process (vmwp.exe) running inside the Root Partition, injecting a small shellcode into the kernel of the guest operating system running inside the VM, intercepting execution, and then completing the injection by deploying a small calc.exe-spawning shellcode inside a user-mode process running inside the VM. On top of that, we will disclose several additional methods that can be used to inject code into a running Hyper-V VM.