[funsec] 'Vitriol' Rootkit to Demo at MS BlueHat Hacker Summit

Dude VanWinkle dudevanwinkle at gmail.com
Tue Oct 17 21:50:43 CDT 2006

On 10/17/06, Fergie <fergdawg at netzero.net> wrote:
> Microsoft's twice-yearly BlueHat summit will kick off with a demo of a
> virtualization-based rootkit that can be used to defeat the company's
> PatchGuard technology.
> Dino Dai Zovi, a principal at penetration-testing outfit Matasano
> Security, has been invited to Microsoft's Redmond, Wash., campus to
> showcase a hardware VM-based rootkit called Vitriol that piggybacks on
> Intel's VT-x virtualization extension.

Hmm, seems MS was prepared for this article:

from: http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx

Many system structures are protected on x64-based systems, including
the system service dispatch tables, the interrupt descriptor table
(IDT), and the global descriptor table (GDT). The operating system
also does not allow third-party software to allocate memory "on the
side" and use it as a kernel stack. If the operating system detects
one of these modifications or any other unauthorized patch, it will
generate a bug check and shut down the system.

For compatibility with Windows for x64-based systems, drivers must
avoid the following practices:
<cut to the juicy part>
Patching any part of the kernel (detected only on AMD64-based systems)
