
VMX-rootkit: Implementing malware with hardware virtual machine extensions

Esoul, OM 2008, VMX-rootkit: Implementing malware with hardware virtual machine extensions, PhD thesis, Salford: University of Salford.

Restricted to Repository staff only until 03 October 2014.


    Abstract

    Stealth malware (a rootkit) is malicious software used by attackers who wish to run their code on a compromised computer without being detected. Over the years, rootkits have targeted different operating systems and have used different techniques and mechanisms to avoid detection. In late 2005 and early 2006, both Intel™ and AMD™ incorporated explicit hardware support for virtualization into their CPUs. While this hardware support can help simplify the design and implementation of light-weight and efficient Virtual Machine Monitors (VMMs), the technology has also introduced a new and powerful mechanism that malware can use to create an extremely stealthy rootkit, the hardware-assisted virtual machine rootkit (HVM rootkit). An HVM rootkit is capable of totally controlling a compromised system by installing a small VMM (a.k.a. hypervisor) underneath the operating system and its applications without altering any part of the target operating system or any part of its applications. It places the existing operating system into a virtual machine and turns it into a guest operating system on-the-fly, without a reboot. The guest operating system is then totally governed and manipulated by the malicious hypervisor. In this thesis I have investigated the design and implementation of a minimal hypervisor-based rootkit that takes advantage of Intel Virtualization Technology (Intel VT) for the IA-32 architecture (VT-x), with Microsoft Windows XP SP2 as the target operating system.
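    The mechanism the abstract describes, sliding a hypervisor under a running OS without a reboot, begins with a single privileged instruction, VMXON, issued from ring 0. Whether that instruction can succeed at all is decided by two values the firmware and CPU expose: CPUID.1:ECX bit 5 (VMX supported) and the IA32_FEATURE_CONTROL MSR (address 0x3A), whose lock bit (bit 0) and VMXON-outside-SMX bit (bit 2) the BIOS normally sets at boot. The C program below is an added example written for this page, not code from the thesis: it decodes those bits and reports whether VMXON is permitted as-is, is permitted only after ring-0 code writes the MSR itself, or is blocked until reboot. The decoder is a pure function over raw values so it can be exercised offline; the live probe uses GCC/Clang's __get_cpuid and Linux's /dev/cpu/0/msr (root and the msr module are required). The enum, struct and function names are this example's own.

```c
/* vmx_state.c: decode the bits that decide whether VMXON can succeed.
 * Build and run (Linux, GCC/Clang): gcc -O2 -o vmx_state vmx_state.c && sudo ./vmx_state
 * Added example for this page; not code from the thesis. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define IA32_FEATURE_CONTROL 0x3AU   /* MSR address, Intel SDM vol. 4 */

/* Names below are this example's own, not the thesis's. */
enum vmx_state {
    VMX_ABSENT,      /* CPUID.1:ECX[5] clear: CPU has no VT-x */
    VMX_LOCKED_OFF,  /* lock=1, VMXON-outside-SMX=0: VMXON raises #GP until reboot */
    VMX_UNLOCKED,    /* lock=0: ring-0 code may write bits 0 and 2 itself, then VMXON */
    VMX_ENABLED      /* lock=1, VMXON-outside-SMX=1: VMXON permitted as-is */
};

struct vmx_caps {
    bool vmx_supported;      /* CPUID.1:ECX bit 5 */
    bool hypervisor_present; /* CPUID.1:ECX bit 31, set only by cooperative VMMs */
    bool feature_lock;       /* IA32_FEATURE_CONTROL bit 0 */
    bool vmxon_outside_smx;  /* IA32_FEATURE_CONTROL bit 2 */
    enum vmx_state state;
};

/* Pure decoder over raw register/MSR values, so it can be exercised offline. */
struct vmx_caps decode_vmx_caps(uint32_t cpuid1_ecx, uint64_t feature_control)
{
    struct vmx_caps c;
    c.vmx_supported      = (cpuid1_ecx >> 5) & 1U;
    c.hypervisor_present = (cpuid1_ecx >> 31) & 1U;
    c.feature_lock       = feature_control & 1U;
    c.vmxon_outside_smx  = (feature_control >> 2) & 1U;
    if (!c.vmx_supported)
        c.state = VMX_ABSENT;
    else if (!c.feature_lock)
        c.state = VMX_UNLOCKED;
    else if (c.vmxon_outside_smx)
        c.state = VMX_ENABLED;
    else
        c.state = VMX_LOCKED_OFF;
    return c;
}

const char *vmx_state_name(enum vmx_state s)
{
    switch (s) {
    case VMX_ABSENT:     return "no VT-x on this CPU";
    case VMX_LOCKED_OFF: return "VT-x disabled and locked by firmware (VMXON blocked until reboot)";
    case VMX_UNLOCKED:   return "IA32_FEATURE_CONTROL unlocked (ring-0 code can enable VMX itself)";
    case VMX_ENABLED:    return "VT-x enabled and locked (VMXON permitted)";
    }
    return "unknown";
}

/* Live CPUID leaf 1 ECX; 0 on non-x86 builds or if the leaf is unsupported. */
uint32_t read_cpuid1_ecx(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a = 0, b = 0, c = 0, d = 0;
    if (__get_cpuid(1, &a, &b, &c, &d))
        return c;
#endif
    return 0;
}

/* IA32_FEATURE_CONTROL through Linux's msr device (root + msr module).
 * Returns false when unreadable; the caller must not read that as "disabled". */
bool read_feature_control(uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return false;
    ssize_t n = pread(fd, out, sizeof *out, IA32_FEATURE_CONTROL);
    close(fd);
    return n == (ssize_t)sizeof *out;
}

int main(void)
{
    uint64_t fc = 0;
    bool have_msr = read_feature_control(&fc);
    struct vmx_caps c = decode_vmx_caps(read_cpuid1_ecx(), fc);

    printf("VMX supported (CPUID.1:ECX[5]):    %s\n", c.vmx_supported ? "yes" : "no");
    printf("Hypervisor-present bit (ECX[31]):  %s\n", c.hypervisor_present ? "set" : "clear");
    if (have_msr)
        printf("IA32_FEATURE_CONTROL:              0x%llx\n", (unsigned long long)fc);
    else
        printf("IA32_FEATURE_CONTROL: unreadable (need root and the msr module)\n");
    printf("State: %s\n", (have_msr || c.state == VMX_ABSENT) ? vmx_state_name(c.state) : "undetermined");
    return 0;
}
```

    Two caveats matter when reading the output. First, the VMX_LOCKED_OFF state is the only configuration in which a rootkit of the kind the thesis describes cannot load without a reboot: with the lock bit clear, any code already in ring 0 can set bits 0 and 2 itself before issuing VMXON, so "VT-x off in the BIOS" only helps if the firmware also locks the MSR. Second, the hypervisor-present bit (CPUID.1:ECX[31]) is a cooperative signal set by VMMs that want to be seen; CPUID always causes a VM exit under VT-x, so a stealthy hypervisor can return whatever it likes, and a clear bit is not evidence that no hypervisor is beneath the OS.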

    Item Type: Thesis (PhD)
    Contributors: Cooper, GS (Supervisor)
    Additional Information: Located in the Secure Room
    Schools: Colleges and Schools > College of Science & Technology
    Colleges and Schools > College of Science & Technology > School of Computing, Science and Engineering
    Depositing User: Institutional Repository
    Date Deposited: 03 Oct 2012 14:34
    Last Modified: 19 Feb 2014 10:18
    URI: http://usir.salford.ac.uk/id/eprint/26667
