Detecting (and creating!) an HVM rootkit (aka BluePill-like)

Ever since the first systems and networks were developed, viruses and worms have kept pace with their advances. After a few technical evolutions, rootkits were able to move easily from userland to kernelland, attaining the holy grail: full power over the computer. Recent years have also seen the emergence of virtualization techniques, which allow the deployment of software virtualization solutions and, at the same time, reinforce computer security. Giving the processor the means to handle virtualization has not only significantly increased the performance of software virtualization, but has also provided new techniques to virus writers. The result has been a tremendous polemic about this new kind of rootkit, the HVM (hardware-based virtual machine) rootkit, and especially the most (in)famous of them: Bluepill. Some people claim they are invisible and consequently undetectable, making antivirus software and HIDS definitively useless, while for others HVM rootkits are nothing but fanciful. However, the recent release of the source code of the first HVM rootkit, Bluepill, has made it possible to form a clear picture of these competing claims. An HVM rootkit can indeed change the state of a whole operating system by turning it into a virtual machine, thereby taking full control of the host and of the operating system itself. In this paper, we have striven to demystify this new kind of rootkit. On the one hand, we provide clear and reliable technical data about the design of such a rootkit, to explain what is possible and what is not. On the other hand, we provide an efficient, operational detection technique that makes it possible to systematically detect Bluepill-like rootkits (aka HVM rootkits).
