Matthieu Suiche wrote:
Hello,

This article is talking about Windows Vista 64 bits and its system structures which are protected against rootkits. I also explain how these structures can be authenticated without PatchGuard.

http://www.msuiche.net/papers/Windows_Vista_64bits_and_unexported_kernel_symbols.pdf
If you really wanted to protect a kernel from rootkits, you could use virtualization for that. Simply mark part of the guest memory as read-only, and only allow the guest to map that memory read-only. Conversely, the guest needs to only be allowed to map that memory (and no other memory) at the addresses that memory is supposed to be mapped, so it cannot e.g. create a duplicate syscall table, modify that and map it where the original used to be mapped in virtual memory.

This kind of scheme can work because an exploit would not have the permission to modify the memory in question, and the hypervisor itself does not run any of the applications that could exploit it. Of course, with such a scheme the anti-virus vendors would be totally locked out.

-- 
Politics is the struggle between those who want to make their country the best in the world, and those who believe it already is. Each group calls the other unpatriotic.
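The three-rule mapping policy sketched in the reply above, written out as a small Python model of the hypervisor's check. This is an added example, not code from the thread; the frame addresses, the `KernelProtector` class and the permission bits are constructed for illustration.

```python
"""Toy model of the hypervisor-enforced kernel protection scheme from the reply.

Constructed example. The hypervisor keeps a table of protected guest-physical
frames (e.g. the frame holding the syscall table) together with the single
guest-virtual address each one is allowed to appear at. Every mapping request
coming from the guest is checked against three rules before it is installed.
"""
from __future__ import annotations
from dataclasses import dataclass

PAGE = 0x1000
READ, WRITE, EXEC = 1, 2, 4  # constructed permission bits


@dataclass(frozen=True)
class Mapping:
    gva: int    # guest-virtual address being mapped
    gpa: int    # guest-physical frame being mapped there
    perms: int  # bitmask of READ / WRITE / EXEC requested by the guest


class KernelProtector:
    def __init__(self, protected: dict[int, int]):
        # protected: {gpa_frame: canonical_gva} for frames the guest may not alter
        self.frame_to_gva = dict(protected)
        self.gva_to_frame = {gva: gpa for gpa, gva in protected.items()}

    def check(self, m: Mapping) -> tuple[bool, str]:
        """Return (allowed, reason) for a guest mapping request."""
        if m.gpa % PAGE or m.gva % PAGE:
            return False, "unaligned mapping"
        if m.gpa in self.frame_to_gva:
            # Rule 1: protected frames are read-only for the guest.
            if m.perms & WRITE:
                return False, "write mapping of protected frame"
            # Rule 2: a protected frame may appear only at its canonical address,
            # so the guest cannot alias the table elsewhere and edit the alias.
            if m.gva != self.frame_to_gva[m.gpa]:
                return False, "protected frame mapped at non-canonical address"
            return True, "ok"
        # Rule 3: no other frame may be mapped at a canonical address, so a
        # modified copy of the table cannot be substituted for the original.
        if m.gva in self.gva_to_frame:
            return False, "foreign frame mapped at protected address"
        return True, "ok"
```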