Dailydave mailing list archives

Microsoft on Hypervisor-based Rootkits


From: Irby Thompson <irby () sliphead com>
Date: Fri, 14 Sep 2007 11:06:36 -0500

From the horse's mouth:
http://www.microsoft.com/whdc/system/platform/virtual/CPUVirtExt.mspx

Choice quote #1:
"a rogue hypervisor can be detected using standard rootkit detection
mechanisms because the [hypervisor-based] rootkit cannot protect itself
from the operating system running on top of it"

The golden nugget:
"Rootkit developers have traditionally shown a strong desire to write
code that runs in user mode rather than in kernel mode." 

That's news to me.

    -irby
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave