Bugtraq mailing list archives
Re: Windows Vista 64bits and unexported kernel symbols
From: Rik van Riel <riel () surriel com>
Date: Tue, 02 Jan 2007 16:10:31 -0500
Matthieu Suiche wrote:
Hello,This article is talking about Windows Vista 64bits and its system structureswhich are proteged against rootkit. I also explain how these structures can be authentified without Pathguard.http://www.msuiche.net/papers/Windows_Vista_64bits_and_unexported_kernel_symbols.pdf
If you really wanted to protect a kernel from root kits, you could use virtualization for that. Simply mark part of the guest memory as read only, and only allow the guest to map that memory read-only. Conversely, the guest needs to only be allowed to map that memory (and no other memory) at the addresses that memory is supposed to be mapped, so it cannot eg. create duplicate syscall table, modify that and map it where the original used to be mapped in virtual memory. This kind of scheme can work because an exploit would not have the permission to modify the memory in question, and the hypervisor itself does not run any of the applications that could exploit it. Of course, with such a scheme the anti-virus vendors would be totally locked out. -- Politics is the struggle between those who want to make their country the best in the world, and those who believe it already is. Each group calls the other unpatriotic.
Current thread:
- Windows Vista 64bits and unexported kernel symbols Matthieu Suiche (Jan 02)
- Re: Windows Vista 64bits and unexported kernel symbols Rik van Riel (Jan 03)