VMX-rootkit : implementing malware with hardware virtual machine extensions

Esoul, OM

Authors

OM Esoul
Contributors

GS Cooper G.S.Cooper@salford.ac.uk
Supervisor

Abstract

Stealth malware (a rootkit) is malicious software used by attackers who wish to run their code on a compromised computer without being detected. Over the years, rootkits have targeted different operating systems and have used different techniques and mechanisms to avoid detection. In late 2005 and early 2006, both Intel and AMD incorporated explicit hardware support for virtualization into their CPUs. While this hardware support can help simplify the design and implementation of lightweight and efficient Virtual Machine Monitors (VMMs), the technology has also introduced a powerful new mechanism that malware can use to create an extremely stealthy rootkit, called a hardware-assisted virtual machine rootkit (HVM rootkit). An HVM rootkit is capable of totally controlling a compromised system by installing a small VMM (a.k.a. hypervisor) underneath the operating system and its applications, without altering any part of the target operating system or any part of its applications. It places the existing operating system into a virtual machine and turns it into a guest operating system on the fly, without a reboot. The guest operating system is then totally governed and manipulated by the malicious hypervisor.

In this thesis I have investigated the design and implementation of a minimal hypervisor-based rootkit that takes advantage of Intel Virtualization Technology for the IA-32 architecture (Intel VT-x), with Microsoft Windows XP SP2 as the target operating system.

Citation

Esoul, O. VMX-rootkit : implementing malware with hardware virtual machine extensions. (Thesis). Salford : University of Salford

Thesis Type: Thesis
Deposit Date: Oct 3, 2012
Additional Information: Located in the Secure Room
Award Date: Jan 1, 2008