VMX-rootkit : implementing malware with hardware virtual machine extensions

Esoul, OM 2008, VMX-rootkit : implementing malware with hardware virtual machine extensions, PhD thesis, Salford : University of Salford.

Restricted to Repository staff only until 31 July 2023.



Stealth malware (a rootkit) is malicious software used by attackers who wish to run their code on a compromised computer without being detected. Over the years, rootkits have targeted different operating systems and have used different techniques and mechanisms to avoid detection. In late 2005 and early 2006, both Intel™ and AMD™ incorporated explicit hardware support for virtualization into their CPUs. While this hardware support can help simplify the design and implementation of lightweight and efficient Virtual Machine Monitors (VMMs), this technology has introduced a new, powerful mechanism that can be used by malware to create an extremely stealthy rootkit called a hardware-assisted virtual machine rootkit (HVM rootkit). An HVM rootkit is capable of totally controlling a compromised system by installing a small VMM (a.k.a. hypervisor) underneath the operating system and its applications without altering any part of the target operating system or any part of its applications. It places the existing operating system into a virtual machine and turns it into a guest operating system on-the-fly without a reboot. The guest operating system is then totally governed and manipulated by the malicious hypervisor. In this thesis I have investigated the design and implementation of a minimal hypervisor-based rootkit that takes advantage of Intel Virtualization Technology (Intel VT) for the IA-32 architecture (VT-x) and Microsoft Windows XP SP2 as the target operating system.

Item Type: Thesis (PhD)
Contributors: Cooper, GS (Supervisor)
Additional Information: Located in the Secure Room
Schools: Schools > School of Computing, Science and Engineering
Depositing User: Institutional Repository
Date Deposited: 03 Oct 2012 13:34
Last Modified: 04 Aug 2022 11:26
URI: http://usir.salford.ac.uk/id/eprint/26667
