
HVM-Based Rootkits: Blue Pill


nalanie


Presentation Transcript


  1. HVM-Based Rootkits: Blue Pill

  [Figure: layered diagram with the labels "operating system", "Blue Pill driver", "Blue Pill hypervisor" and "AMD-V hardware", showing the driver slipping the Blue Pill hypervisor in between the running OS and the AMD-V hardware.]

  Blue Pill exploits a bug in the OS to gain kernel privileges and inserts a malicious driver into the kernel. The driver then moves the running OS underneath a hypervisor without rebooting it:
  1. The driver enables SVM (AMD-V) on the processor.
  2. It sets up the VMCB (Virtual Machine Control Block) describing the guest state and the events to intercept.
  3. It loads the Blue Pill hypervisor into memory.
  4. Execution is transferred to the hypervisor, which calls VMRUN; the OS now runs as a guest in a VM.
  5. Execution returns to the driver, which removes itself, leaving only the hypervisor in place.

  • Blue Pill requires a machine whose hardware virtualization (AMD-V/SVM) is available and not already in use by a hypervisor
  • Blue Pill relies on operating system/software bugs to gain the kernel privileges it needs to install
  • New research aims to accommodate nested virtualization

  Source: IBM
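The slide's first bullet turns on a hardware precondition: an AMD processor advertising SVM, with no hypervisor already in control. The program below is an added example, not part of the IBM slides or of Blue Pill itself; it decodes the CPUID leaves that expose exactly those two facts (vendor string from leaf 0, the hypervisor-present bit in leaf 1 ECX bit 31, SVM in leaf 0x80000001 ECX bit 2, and the SVM feature leaf 0x8000000A). The `struct` names and the `bluepill_preconditions_met` helper are this example's own; the bit positions follow the AMD64 Architecture Programmer's Manual. The decoder is separated from the live `cpuid` probe so it can be run on captured register values on any host.

```c
/* Added example: decode the CPUID leaves behind Blue Pill's preconditions.
 * Not from the IBM slides; struct and function names are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Raw register contents for the leaves we need (constructed or captured). */
struct cpuid_raw {
    uint32_t leaf0_ebx, leaf0_ecx, leaf0_edx; /* vendor string pieces             */
    uint32_t leaf1_ecx;                       /* bit 31: hypervisor present       */
    uint32_t ext1_ecx;                        /* 0x80000001 ECX bit 2: SVM        */
    uint32_t svm_eax, svm_ebx, svm_edx;       /* 0x8000000A: revision, NASID, features */
};

struct svm_status {
    char vendor[13];
    bool is_amd;
    bool svm_supported;      /* processor advertises AMD-V                  */
    bool hypervisor_present; /* some hypervisor already owns the hardware   */
    bool nested_paging;      /* 0x8000000A EDX bit 0 (NP)                   */
    uint32_t svm_revision;   /* 0x8000000A EAX[7:0]                         */
    uint32_t num_asids;      /* 0x8000000A EBX                              */
};

/* Leaf 0 returns the 12-byte vendor string in EBX, EDX, ECX order. */
static void vendor_string(const struct cpuid_raw *r, char out[13]) {
    memcpy(out + 0, &r->leaf0_ebx, 4);
    memcpy(out + 4, &r->leaf0_edx, 4);
    memcpy(out + 8, &r->leaf0_ecx, 4);
    out[12] = '\0';
}

struct svm_status decode_svm_status(const struct cpuid_raw *r) {
    struct svm_status s;
    memset(&s, 0, sizeof s);
    vendor_string(r, s.vendor);
    s.is_amd = strcmp(s.vendor, "AuthenticAMD") == 0;
    s.hypervisor_present = (r->leaf1_ecx >> 31) & 1u;
    /* The SVM bit only means something on an AMD part. */
    s.svm_supported = s.is_amd && ((r->ext1_ecx >> 2) & 1u);
    if (s.svm_supported) {
        s.svm_revision = r->svm_eax & 0xffu;
        s.num_asids = r->svm_ebx;
        s.nested_paging = r->svm_edx & 1u;
    }
    return s;
}

/* The slide's precondition: SVM available and no hypervisor already running. */
bool bluepill_preconditions_met(const struct svm_status *s) {
    return s->svm_supported && !s->hypervisor_present;
}

#if HAVE_CPUID
/* Read live values. Caveat: once a hypervisor (Blue Pill included) is in
 * control it intercepts CPUID, so a "clean" result here is not proof of one. */
bool probe_host(struct cpuid_raw *r) {
    unsigned int a, b, c, d;
    memset(r, 0, sizeof *r);
    if (!__get_cpuid(0, &a, &b, &c, &d)) return false;
    r->leaf0_ebx = b; r->leaf0_ecx = c; r->leaf0_edx = d;
    if (__get_cpuid(1, &a, &b, &c, &d)) r->leaf1_ecx = c;
    if (__get_cpuid(0x80000001u, &a, &b, &c, &d)) r->ext1_ecx = c;
    if (__get_cpuid(0x8000000Au, &a, &b, &c, &d)) {
        r->svm_eax = a; r->svm_ebx = b; r->svm_edx = d;
    }
    return true;
}
#endif

int main(void) {
#if HAVE_CPUID
    struct cpuid_raw raw;
    if (!probe_host(&raw)) { puts("cpuid unavailable"); return 1; }
    struct svm_status s = decode_svm_status(&raw);
    printf("vendor=%s svm=%d hypervisor=%d np=%d rev=%u asids=%u\n",
           s.vendor, s.svm_supported, s.hypervisor_present, s.nested_paging,
           s.svm_revision, s.num_asids);
    printf("Blue Pill preconditions %s\n",
           bluepill_preconditions_met(&s) ? "met" : "not met");
#else
    puts("non-x86 build: feed decode_svm_status() captured register values");
#endif
    return 0;
}
```

Treat the "hypervisor present" bit as advisory in both directions: a legitimate hypervisor normally sets it, but a rootkit whose whole purpose is to stay hidden can just as easily clear it in its CPUID intercept, which is why the slide's third bullet about nested virtualization matters for detection as much as for installation.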
