This paper is about a new approach to hardware-assisted virtual machine rootkit detection that can calculate nested VMMs. The method is based on the fact that the execution time of unconditionally captured instructions is a random value which depends on the processor’s model and on whether a VMM is present. If a VMM is present, the mean value and variability of the time of the unconditionally captured instructions are generally larger than with no VMM. Limitations of the method's application are given.

This article is a translation of my dissertation abstract into English and it was published in Hakin9 Extra Magazine, English Edition, Issue 6/2011 (6) ISSN 1733-7186, November 2011.