[Dailydave] Microsoft on Hypervisor-based Rootkits
Irby Thompson
irby at sliphead.com
Fri Sep 14 12:06:36 EDT 2007
From the horse's mouth:
http://www.microsoft.com/whdc/system/platform/virtual/CPUVirtExt.mspx
Choice quote #1:
"a rogue hypervisor can be detected using standard rootkit detection
mechanisms because the [hypervisor-based] rootkit cannot protect itself
from the operating system running on top of it"
The golden nugget:
"Rootkit developers have traditionally shown a strong desire to write
code that runs in user mode rather than in kernel mode."
That's news to me.
-irby