VMX-rootkit: Implementing malware with hardware virtual machine extensions
Esoul, OM 2008, VMX-rootkit: Implementing malware with hardware virtual machine extensions , PhD thesis, Salford : University of Salford.
Restricted to Repository staff only until 31 January 2017.
Download (2MB) | Request a copy
Stealth Malware (Rootkit) is a malicious software used by attack- ers who wish to run their code on a compromised computer with- out being detected. Over the years, rootkits have targeted differ- ent operating systems and have used different techniques and mecha- nisms to avoid detection. In late 2005 and early 2006, both, Intel™ and AMD™ incorporated explicit hardware support for virtualiza- tion into their CPUs. While this hardware support can help sim- plify the design and the implementation of a light-weight and efficient Virtual Machine Monitors (VMMs), this technology has introduced a new powerful mechanism that can be used by malware to create extremely stealthy rootkit called hardware-assisted virtual machine rootkit (HVM rootkit). An HVM rootkit is capable of totally control- ling a compromised system by installing a small VMM (a.k.a. hyper- visor) underneath the operating system and its applications without altering any part of the target operating system or any part of its applications. It places the existing operating system into a virtual machine and turns it into a guest operating system on-the-fly without a reboot. The guest operating system is then totally governed and manipulated by the malicious hypervisor. In this thesis I have investigated the design and implementation of a minimal hypervisor based Rootkit that takes advantage of Intel Visualization Technology (Intel VT) for the IA-32 architecture (VT- x ) and Microsoft Windows XP SP2 as the target operating system.
|Item Type:||Thesis (PhD)|
|Contributors:||Cooper, GS (Supervisor)|
|Additional Information:||Located in the Secure Room|
|Schools:||Schools > School of Computing, Science and Engineering|
|Depositing User:||Institutional Repository|
|Date Deposited:||03 Oct 2012 13:34|
|Last Modified:||30 Nov 2015 23:59|
Actions (login required)
|Edit record (repository staff only)|