Detecting (and creating!) a HVM rootkit (aka BluePill-like)
Abstract
Keywords
References