Approach for Hardware Virtualization-Based Rootkit Detection via Physical Memory Searching

Hardware Virtualization-Based Rootkit (HVBR) is one of the new kinds of malware that have appeared in recent years. Compared to a traditional rootkit, an HVBR is stealthier and more difficult to detect. This paper analyzes the concealment and working mechanism of HVBR. Targeting the way an HVBR evades detection by staying out of reach of virtual-memory scans, this paper proposes a detection approach based on searching physical memory. The approach modifies Page Table Entries (PTEs) to traverse physical memory frame by frame, and matches the fixed characteristic bytes of the HVBR against the raw memory data to detect and locate the HVBR in memory. The experimental results show that the approach is reliable and efficient.
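The following is an added illustration of the physical-memory search described above; it is not code from the paper. It simulates the scanner's core loop in user space: a buffer stands in for RAM, and `map_frame()` stands in for the PTE rewrite that, in a real driver, maps one physical frame at a time into the scanner's address space. The signature bytes (`SAMPLE_SIG`) are a constructed placeholder, not a real HVBR pattern. The point the abstract does not spell out is that a frame-by-frame walk must also catch a signature that straddles two frames, so the scanner keeps the tail of the previous frame and checks boundary-crossing matches before scanning the current frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define NUM_PAGES 8u              /* simulated physical address space: 8 frames */

/* Simulated physical memory. In a real driver this is the machine's RAM,
 * reached one frame at a time by rewriting a PTE; here it is a plain buffer. */
static uint8_t phys_mem[NUM_PAGES * PAGE_SIZE];

/* Stand-in for the PTE rewrite (assumption, not the paper's mechanism):
 * make physical frame `pfn` readable and return a pointer to it.
 * Returns NULL for frames outside RAM. */
static const uint8_t *map_frame(uint64_t pfn)
{
    if (pfn >= NUM_PAGES)
        return NULL;
    return phys_mem + pfn * PAGE_SIZE;
}

/* Constructed sample signature for the demo: NOT a real HVBR pattern. */
static const uint8_t SAMPLE_SIG[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x0F, 0x01, 0xC1 };

/* Test fixture: write `len` bytes at physical address `pa`. */
int plant_bytes(uint64_t pa, const uint8_t *bytes, size_t len)
{
    if (pa + len > sizeof phys_mem)
        return -1;
    memcpy(phys_mem + pa, bytes, len);
    return 0;
}

void clear_phys(void) { memset(phys_mem, 0, sizeof phys_mem); }

/* Walk every physical frame and report physical addresses where `sig` occurs.
 * The last siglen-1 bytes of the previous frame are carried over so that a
 * match straddling a frame boundary is not missed.
 * Returns the total number of matches; at most max_hits are stored in hits[]. */
size_t scan_physical(const uint8_t *sig, size_t siglen,
                     uint64_t *hits, size_t max_hits)
{
    uint8_t carry[64];            /* tail of the previous frame */
    size_t carry_len = 0;
    size_t nhits = 0;

    if (siglen == 0 || siglen > sizeof carry + 1)
        return 0;

    for (uint64_t pfn = 0; pfn < NUM_PAGES; pfn++) {
        const uint8_t *frame = map_frame(pfn);
        if (!frame) { carry_len = 0; continue; }   /* hole in RAM: reset window */

        /* 1. matches that begin in the carried tail and end in this frame */
        for (size_t s = 0; s < carry_len; s++) {
            size_t from_carry = carry_len - s;      /* bytes taken from the tail */
            if (memcmp(carry + s, sig, from_carry) == 0 &&
                memcmp(frame, sig + from_carry, siglen - from_carry) == 0) {
                if (nhits < max_hits)
                    hits[nhits] = pfn * PAGE_SIZE - from_carry;
                nhits++;
            }
        }
        /* 2. matches lying entirely inside this frame */
        for (size_t off = 0; off + siglen <= PAGE_SIZE; off++) {
            if (memcmp(frame + off, sig, siglen) == 0) {
                if (nhits < max_hits)
                    hits[nhits] = pfn * PAGE_SIZE + off;
                nhits++;
            }
        }
        /* keep the last siglen-1 bytes for the next boundary check */
        carry_len = siglen - 1;
        memcpy(carry, frame + PAGE_SIZE - carry_len, carry_len);
    }
    return nhits;
}

/* Demo: plant the constructed signature twice, once inside frame 2 and once
 * straddling the frame-4/frame-5 boundary, then scan. Returns the hit count. */
size_t demo_scan(uint64_t *out, size_t max_out)
{
    clear_phys();
    plant_bytes(0x2100, SAMPLE_SIG, sizeof SAMPLE_SIG);
    plant_bytes(0x4FFE, SAMPLE_SIG, sizeof SAMPLE_SIG);   /* 2 bytes in frame 4, 5 in frame 5 */
    return scan_physical(SAMPLE_SIG, sizeof SAMPLE_SIG, out, max_out);
}

int main(void)
{
    uint64_t hits[4];
    size_t n = demo_scan(hits, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("signature at physical 0x%llx\n", (unsigned long long)hits[i]);
    return 0;
}
```

Because the walk is driven by physical frame numbers rather than by the guest's page tables, frames the hypervisor rootkit has hidden from the virtual address space are still visited; in a real implementation the per-frame mapping step is the PTE modification the paper describes, and the signature would be the rootkit's fixed characteristic bytes identified in the paper's analysis.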