funsec mailing list archives
Re: 'Vitriol' Rootkit to Demo at MS BlueHat Hacker Summit
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Tue, 17 Oct 2006 22:50:43 -0400
On 10/17/06, Fergie <fergdawg () netzero net> wrote:
Microsoft's twice-yearly BlueHat summit will kick off with a demo of a virtualization-based rootkit that can be used to defeat the company's PatchGuard technology.
<snip>
Dino Dai Zovi, a principal at penetration-testing outfit Matasano Security, has been invited to Microsoft's Redmond, Wash., campus to showcase a hardware VM-based rootkit called Vitriol that piggybacks on Intel's VT-x virtualization extension.
Hmm, seems MS was prepared for this article:

from: http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx

Many system structures are protected on x64-based systems, including the system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT). The operating system also does not allow third-party software to allocate memory "on the side" and use it as a kernel stack. If the operating system detects one of these modifications or any other unauthorized patch, it will generate a bug check and shut down the system.

For compatibility with Windows for x64-based systems, drivers must avoid the following practices:
...
<cut to the juicy part>
...
Patching any part of the kernel (detected only on AMD64-based systems)
------------------------

lol

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.