摘要
针对当前Windows x64版本的内核保护技术,提出一种基于硬件虚拟化的内核Rootkit技术,该技术利用Intel VT-x硬件虚拟化技术将客户系统(Guest OS)迁移到VMM之上运行实现Rootkit。借鉴Shadow Walker内存隐藏思想,基于扩展页表技术对客户系统的不同内存操作映射不同的物理内存,实现隐藏Rootkit代码,对内核保护研究有一定的启发意义。实验证明该技术稳定性强,能够绕过内核保护机制实现内核Rootkit。
To bypass the Kernel Patch Protection of Windows x64, puts forward a kernel Rootkit technology based on hardware virtualization, which migrates the Guest OS to VMM to achieve kernel Rootkit by Intel VT-x hardware virtualization technology. Inspired by the Shadow Walker, uses the EPT technology to hide rootkit code by mapping different physical memory to different Guest OS memory operations, it has some enlightening significance to the study of kernel protection. Experiments show that the method is robust and can bypass the Ker-nel Patch Protection and achieve kernel Rootkit.
