VMX-rootkit : implementing malware with hardware virtual machine extensions
Esoul, O 2008, VMX-rootkit : implementing malware with hardware virtual machine extensions, PhD thesis, Salford : University of Salford.
PDF (2408kB): restricted to repository staff only until 03 October 2014.
Abstract
Stealth malware (a rootkit) is malicious software used by attackers who wish to run their code on a compromised computer without being detected. Over the years, rootkits have targeted different operating systems and have used different techniques and mechanisms to avoid detection. In late 2005 and early 2006, both Intel™ and AMD™ incorporated explicit hardware support for virtualization into their CPUs. While this hardware support can help simplify the design and implementation of lightweight and efficient Virtual Machine Monitors (VMMs), the technology has also introduced a powerful new mechanism that malware can use to create an extremely stealthy rootkit called a hardware-assisted virtual machine rootkit (HVM rootkit). An HVM rootkit is capable of totally controlling a compromised system by installing a small VMM (a.k.a. hypervisor) underneath the operating system and its applications without altering any part of the target operating system or any part of its applications. It places the existing operating system into a virtual machine and turns it into a guest operating system on-the-fly without a reboot. The guest operating system is then totally governed and manipulated by the malicious hypervisor. In this thesis I have investigated the design and implementation of a minimal hypervisor-based rootkit that takes advantage of Intel Virtualization Technology (Intel VT) for the IA-32 architecture (VT-x), with Microsoft Windows XP SP2 as the target operating system.
| Item Type: | Thesis (PhD) |
|---|---|
| Additional Information: | Located in the Secure Room |
| Schools: | Colleges and Schools > College of Science & Technology; Colleges and Schools > College of Science & Technology > School of Computing, Science and Engineering |
| Depositing User: | Institutional Repository |
| Date Deposited: | 03 Oct 2012 14:34 |
| Last Modified: | 07 Jun 2013 10:22 |
| URI: | http://usir.salford.ac.uk/id/eprint/26667 |