docs


Docs dropbox mirror: http://bit.ly/korkin

I want to expand, so I need more space for new books, source code and other materials.
Sign up for free and you will add 500 MB of space to my account: http://db.tt/lspaJPz

If you have found a broken link, please send me an e-mail with this link. I'll correct it.

CONTENT
  1. C++ Development

  2. Drivers Development

  3. Rootkits in operating systems. Kernel and user mode

  4. Hardware virtual machine based rootkits

    1. Theoretical works

    2. Papers without malware material

    3. Small papers about HVM rootkits

    4. Big papers about HVM rootkits

    5. Source code HVM rootkits

    6. Trusted Platform Module, Trusted Execution Technology

  5. System management mode rootkits

C++ Development

Publication Copy Tags
Mark E. Russinovich (Author), David A. Solomon (Author), Alex Ionescu, Windows Internals 5th Edition (PRO-Developer) paper
Jeffrey Richter - Windows for Professionals. Creating Efficient Win32 Applications Taking Into Account the Specifics of the 64-bit Version of Windows, 4th edition paper
Johnson M. Hart, Windows System Programming Fourth Edition paper CD
Jeffrey Richter, Christophe Nasarre - Windows via C/C++. Programming in Visual C++ paper CD

Drivers Development

Publication Copy Tags
Coursework on the topic: Developing a Virtual Hard Disk Driver
Faculty: Computer Science and Control Systems
Department: Computer Software and Information Technologies
paper
Art Baker, Jerry Lozano - The Windows 2000 Device Driver Book, A Guide for Programmers, Second Edition, 2000 paper chm
Marcin Zamorski, A System Protecting Executable Files Against Modification and Unauthorized Access, 2007 paper translate book
MS - Justin Smith, Inside Microsoft Windows Communication Foundation, 2007 paper chm
MS - Penny Orwickand, Guy Smith Developing Drivers with the MS Win Driver Foundation, 2007 paper chm
MS - Russinovich M. Solomon D. - MS Win Internals, MS Win Server 2003, XP, and 2000 (4th Edition), 2004 paper chm
MS - Walter Oney - Programming the Microsoft Windows Driver Model, 2002 paper chm
Nebbett G. - Windows NT 2000 Native API Reference paper t_a_g_s
Solomon D. Russinovich M. - Inside Microsoft Windows 2000 (3rd Edition), 2000 paper chm
regmon435.zip, filemon434.zip zip source
Tomasz Nowak - The Undocumented Functions Microsoft Windows NT 2000 paper chm
Walter Oney - Programming the Windows Driver Model 2nd, 2003 paper chm
Васкецов Сергей - ZW paper chm
Daniel A. Norton. Device Drivers in WINDOWS paper doc
Андреев А.С. - Developing Virtual Device Drivers, 2003 paper t_a_g_s
James C. Foster, Vincent Liu - Writing Security Tools and Exploits, 2007 paper djvu
Комиссарова В. - Programming Drivers for Windows, 2007 paper djvu
M. Russinovich, D. Solomon - Internals of MS Win Server 2003, Win XP, Win 2000, 2005 paper djvu
Рощин А. В. - Virtual Drivers and the Virtual Environment of Windows, 2006 paper doc
Рощин А. В. - Drivers for Windows NT, 2006 paper doc
Солдатов В.П. - Programming Windows Drivers (2nd edition) paper chm
Сорокина С. Тихонов А. - Programming Drivers and Security Systems, 2003 paper djvu
А.Ю. Тихонов - Introduction to the Windows NT OS Architecture and Driver Programming paper chm
А.Ю. Тихонов - Illustrated Self-Study Guide to Programming Security Systems paper htm
А.Ю. Тихонов - Lectures and Lab Assignments for the Course "Operating System Security" paper source
Sven Schreiber, Undocumented Capabilities of Windows 2000, 2002 paper source book + CD
Sven Schreiber, Undocumented Windows 2000 Secrets paper source
Яковлев В. - Fundamentals of Writing a Kernel Driver for Win2000, XP, XP Embedded, 2006 paper
Rajeev Nagar, NT File System Internals paper book and source
Огородникова Людмила Николаевна - Developing a File System Driver for Operating Systems Based on the Windows NT Kernel to Protect Against Unauthorized Access. Diploma thesis. Supervisor: senior lecturer, dept. ТОИ, Cand. Sc. (Eng.) В.А. Лавров 2006 paper slides t_a_g_s
Undocumented Windows NT, 324 paper t_a_g_s
Steven Smith, translated by Ерофеева Вера - Developing Drivers for 64-bit Windows, 11 paper t_a_g_s
Валерий Яковлев, Fundamentals of Writing a Kernel Driver for Win2000, XP, XP Embedded, 8 paper t_a_g_s
Сидякин И.М., Fundamentals of WDM Driver Design for Windows 98/2K, 2003 38 paper t_a_g_s
Рудаков, Фигонев, Assembly Language: Programming Lessons, chapters 7 and 8, NT drivers, 2001 640 paper t_a_g_s
David B. Probert, Ph.D.
Windows Kernel Development Microsoft Corporation
AdvVirtualMemory.pdf
CacheManager.pdf
CommonCodingErrors.pdf
IOArchitecture.pdf
LPC.pdf
NTFS.pdf
ObjectManager.pdf
Processes.pdf
Registry.pdf
Synchronization.pdf
ThreadScheduling.pdf
TrapsInterruptsExceptions.pdf
UserModeHeapManager.pdf
VirtualMemory.pdf
Win32K.pdf
WindowsKernelOverview.pdf
WindowsServices.pdf
slides t_a_g_s
Architecture of the Kernel-Mode Driver Framework.doc paper t_a_g_s
Architecture of the Windows Driver Foundation, May 10, 2006 .doc paper t_a_g_s
Windows Vista Kernel Security - [EN] paper t_a_g_s
Windows_Vista_Kernel_Mode_Security.pdf paper t_a_g_s
Xakep magazine special issue #072, Windows Vista extreme test paper t_a_g_s
Kernel Structures
vista_32_kernel_struct, ntdll.h, ntifs.h, etc
source t_a_g_s

Rootkits in operating systems. Kernel and user mode

Publication Copy Tags
Bill Blunden, The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2009 937 paper book
Bill Blunden, The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, Second Edition, 2012 824 book
Chris Ries, Inside Windows Rootkits, 2006 28 paper
Jamie Butler, Direct Kernel Object Manipulation (DKOM), 2004 45 slides DKOM
Jan Rutkowski, Advanced Windows 2000 Rootkits Detection, slides t_a_g_s
Greg Hoglund, James Butler, Rootkits Subverting the Windows Kernel, 2005 paper book
Enrico Perla, Massimiliano Oldani, A Guide to Kernel Exploitation Attacking the Core 2010, 465 book t_a_g_s
he4dev.e1.bmstu.ru mirror, pass=123 rar t_a_g_s
Joanna Rutkowska, Detecting Windows Server Compromises, 2003, 59 slides
Ric Vieler, Professional Rootkits, 2007, 360 paper t_a_g_s
RDP_World.exe pass=www.rootkits.ru exe
Larry Stevenson, Nancy Altholz, Rootkits for Dummies, 2007 425 paper book
Yaroslavtsev, Rootkits and Their Detection, 2004
Course "Information Security", Department of Radio Engineering, Moscow Institute of Physics and Technology (МФТИ), Rootkits and Their Detection
paper russian
Jamie Butler, Sherri Sparks, Spyware and Rootkits: The Future Convergence, 2004 paper
Joanna Rutkowska, Thoughts about Cross-View based Rootkit Detection paper
Jesse Gough, Userspace Windows Rootkits via Code Injection, 2004 8 paper
Harlan Carvey, Windows Forensic Analysis DVD Toolkit, Second Edition, 2009 512 paper book
James Butler, Sherri Sparks, Windows rootkits of 2005 1 2 3
Special issue of Хакер magazine #70, 2006 paper
Arturo Alberto Busleiman aka Buanzo, Detecting and Understanding Rootkits: an Introduction and Just a Little-Bit-More paper
Miguel Tarasco. Andres Tarasco. Defeating Windows Rootkits slides t_a_g_s
Darmawan Salihun, BIOS. Disassembling, Modification, Programming, paper djvu
Денис Колисниченко, Rootkits for Windows. Theory and Practice of Programming Invisibility Caps, 2006 paper djvu
Олег Зайцев, Rootkits, SpyWare/AdWare, Keyloggers, BackDoors. Detection and Protection, 2006 paper CD.rar t_a_g_s
Greg Hoglund, James Butler, Rootkits: Implanting into the Windows Kernel, 2007 paper t_a_g_s
Бредихин Д. П., Hiding Process Information in Windows OS, 9 2011 paper PspCidTable
Reliably enumerating Windows processes in ring3 slides Windows NT 5.0, 5.1 EPROCESS.Vm.WorkingSetExpansionLinks,
Jamie Butler, Peter Silberman, RAIDE: Rootkit Analysis. Identification Elimination slides slides KPRCB

Hardware virtual machine based rootkits

Theoretical works

Publication Copy Tags
Gerald J. Popek and Robert P. Goldberg, Formal Requirements for Virtualizable Third Generation Architectures, 1974 10 slides sensitive instruction, formal requirements, abstract model
Alexandra Fedorova, A High Performance CPU Cache Model, 29 slides t_a_g_s

Papers without malware material

Publication Copy Tags
Methods and systems to manage machine state in virtual machine operation, 2010 15 paper patent
John R. Lange, Symbiotic Virtualization, 2010 226 paper High Performance Computing, MPI
Intel, A Primer on Virtualization, 2009 20 slides overview of Intel technologies
Michael Swift, Virtual Machines, 2007 7 slides t_a_g_s
Dilma da Silva, Virtualization, 2007 97 slides Xen
Adrien Derock, HVM Virtual Machine Monitor, A Powerful Concept for Forensic and Anti-Forensic, 2009 37 slides t_a_g_s
John Fisher-Ogden, Hardware Support for Efficient Virtualization,_ 12 paper slides t_a_g_s
J. E. Smith, Virtual Machines: Architectures, Implementations and Applications, 2005 51 slides TLB
Rich Uhlig, Gil Neiger, Dion Rodgers, Amy L., Santoni Fernando, C.M. Martins, Andrew V., Anderson Steven M., Bennett, Alain Kagi, Felix H., Leung, Larry Smith, Intel Virtualization Technology,2005 9 paper t_a_g_s
Gil Neiger, Amy Santoni, Felix Leung, Dion Rodgers, Rich Uhlig, Intel® Virtualization Technology: Hardware support for efficient processor virtualization, 2006 14 paper intel journal
Scott Devine, What is Virtualization?,_ 28 slides t_a_g_s
Tavis Ormandy, Julien Tinnes, Virtualisation security and the Intel privilege model,_ 57 slides t_a_g_s
Intel Vanderpool Technology for IA-32 Processors (VT-x) Preliminary Specification, 2005 62 paper slides t_a_g_s
Jack Lo, VMware and CPU Virtualization Technology slides t_a_g_s
Loic Duflot, Laurent Absil, Programmed I/O accesses: a threat to Virtual Machine Monitors?, 2007 45 slides t_a_g_s
Russell Newman, Secure Hypervisors for Virtual Systems,_ 3 paper t_a_g_s
Heradon Douglas, Christian Gehrmann, Secure Virtualization and Multicore Platforms State-of-the-Art report, 2009 71 paper t_a_g_s
Yu Ke, Intel Virtualization Technology, 2009 35 paper t_a_g_s
Leendert van Doorn, The Future of x86 Virtualization, 2009 39 slides t_a_g_s
A first look at some aspects of Intel’s ‘Vanderpool’ initiative,_ 28 slides t_a_g_s
Michael H. Warfield, Virtualization Technology A Manifold Arms Race, 2008 35 slides t_a_g_s
Dr. Michael L. Collard, Virtualization,_ 21 slides t_a_g_s
Heradon Douglas, Thin Hypervisor-Based Security Architectures for Embedded Platforms, 2010 112 paper t_a_g_s
Narendar B. Sahga, Dion Rodgers, Understanding Intel Virtualization Technology (VT) slides t_a_g_s
Ковалёв Сергей, УИР МВМ intel boot paper t_a_g_s
Gil Neiger, Amy Santoni, Felix Leung, Dion Rodgers, Rich Uhlig, Intel® Virtualization Technology: Hardware support for efficient processor virtualization, 2006

Darren Abramson, Jeff Jackson, Sridhar Muthrasanallur, Gil Neiger, Greg Regnier, Rajesh Sankaran, Ioannis Schoinas, Rich Uhlig, Balaji Vembu, John Wiegert, Intel Virtualization Technology for Directed I/O

Yaozu Dong, Shaofan Li, Asit Mallick, Jun Nakajima, Kun Tian, Xuefei Xu, Fred Yang, Wilfred Yu, Extending Xen with Intel Virtualization Technology

New Client Virtualization Usage Models Using Intel Virtualization Technology

Dean Neumann, Intel Virtualization Technology in Embedded and Communications Infrastructure Applications

Virtualization in the Enterprise

J.P. Casazza, M. Greenfield, K. Shi, Redefining Server Performance Characterization for Virtualization Benchmarking
paper Intel Technology Journal, ITJ volume 10
Bernard Golden, Virtualization For Dummies paper slides amd-v
Krzysztof Lichota, Virtual machines and operating systems slides t_a_g_s
Dr. Michael L. Collard, Virtualization,_ 21 slides t_a_g_s
Александр Самойленко, Hardware Virtualization Technologies, 2007 paper paper Intel VT, AMD-V
Александр Самойленко, Hardware Virtualization in Intel and AMD Processors - Technologies for Accelerating Virtual Machines, 2009 paper t_a_g_s
Сергей Озеров, Александр Карабуто, Virtualization Technologies: Yesterday, Today, Tomorrow; Virtualization Today and Tomorrow: Intel VT and AMD Pacifica,_ paper t_a_g_s
Игорь Козлов, Hardware Virtualization: AMD SVM vs. Intel VT,_ paper t_a_g_s
Александр Александров, Spirals of Hardware Virtualization, 2007 paper slides t_a_g_s
Сергей Озеров, Александр Карабуто, Virtualization Technologies: Yesterday, Today, Tomorrow, 2007 paper paper t_a_g_s
Kamanashis Biswas, Md. Ashraful Islam, Hardware virtualization support in Intel, AMD and IBM Power Processors, International Journal of Computer Science and Information Security, 2009, 6 paper software, hardware, para, full -virtualization
Reiner Sailer , Enriquillo Valdez, Trent Jaeger, Ronald Perez, sHype: Secure Hypervisor Approach to Trusted Virtualized Systems, 2005 13 paper ibm research, covert storage channels, side channels (adversary)
Douglas, Heradon, Thin Hypervisor-Based Security Architectures for Embedded Platforms, paper t_a_g_s
Edgar Barbosa, SyScan 2009 - Singapore, The COSEINC Hypervisor Framework slides The COSEINC Hypervisor Framework

Small papers about HVM rootkits

Publication Copy Tags
Alessandro Perilli, Rootkits powered by virtualization, 2006 paper general principles of virtualization detection
Keith Adams(VMWare), BluePill detection in two easy steps, 2007 paper dynamic, static TLB
Tal Garfinkel, Keith Adams, Andrew Warfield, Jason Franklin Compatibility is Not Transparency: VMM Detection Myths and Realities, 2007 paper translate slides logical, resource and timing discrepancies, time, local\remote time
Fionnbharr Davies, Hypervisor Malware // Honors Thesis, 2007 [40] paper translate *nix VMM, nested VMs, TLB, DMA, External Hardware Timing, intel, time
Peter Ferrie(Symantec), Attacks on More Virtual Machine Emulators, 17 paper logical, resource and timing discrepancies, time, local\remote time, Subvirt, Vitriol, Blue Pill
Michael Myers Stephen Youndt, An Introduction to Hardware-Assisted Virtual Machine (HVM) Rootkits, 2009 [15] paper-2007 paper-2009 AMD, intel, TSC, TLB, Nested Page Table, multicore
Anthony Desnos, Eric Filiol, Ivanlef0u, Detection of an HVM rootkit (aka BluePill-like), _ [28] paper
slides
Review BluePill, BP, timing, pattern, TLB, NTP, DMA, CPUbugs, model, time, Method of detection:Counter, Timing attack, Pattern matching, TLB, DMA/Firewire, Cpu Bugs, Statistical model for detection
Ryan Riley, Xuxian Jiang, Dongyan Xu, Multi-Aspect Profiling of Kernel Rootkit Behavior, 2009 [53] paper slides PoKeR: Virtualization based rootkit profiler. Application of virtualization technology for detecting hidden software
Arati Baliga, Xiaoxin Chen, Liviu Iftode, Paladin: Automated Detection and Containment of Rootkit Attacks,_ [20] paper rootkits, intrusion detection, containment, stealthy malware. Application of virtualization technology for detecting hidden software
Virtualizing rootkits and the future of system security virtual malware, magazine, 2008 [5] paper Advertising article from a popular magazine about virtualization-based rootkits
Junghwan Rhee, Ryan Riley, Dongyan Xu, Xuxian Jiang, Defeating Dynamic Data Kernel Rootkit Attacks via VMM-based Guest-Transparent Monitoring,_ [8] paper Application of virtualization technology for detecting hidden software
  • eluding detection system
  • passive monitors (my diploma thesis)
  • DKOM without a driver: \\Device\\PhysicalMemory \\Device\\Debug Memory
Jedidiah R. Crandall, Gary Wassermann, Daniela A. S. de Oliveira, Zhendong Su, S. Felix Wu, Frederic T. Chong, Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines, 2006 [12] paper Application of virtualization technology for detecting hidden software
Joanna Rutkowska, Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case),_ [56] slides AMD, DMA, Hardware-based solutions
Junichi Murakami, A Hypervisor based on Fourteenforty Research Institute, Inc. IPS Hardware Assisted Virtualization Technology,_ [43] slides paper Application of virtualization technology for detecting hidden software, Memory virtualization, Bitvisor, Viton
Paul Royal, Alternative Medicine: The Malware Analyst's Blue Pill,_ [3] paper Application of virtualization technology for detecting hidden software
Yuriy Bulygin, CPU SIDE-CHANNELS VS. VIRTUALIZATION MALWARE: THE GOOD, THE BAD, OR THE UGLY,_ [38] slides src demo RSB, return stack buffer
Yuriy Bulygin, CHIPSET BASED APPROACH TO DETECT VIRTUALIZATION MALWARE a.k.a. DeepWatch, 2008 [38] slides SMM rootkits, detecting Intel VT-x based rootkit, DMA, DeepWatch
Nate Lawson, Dave Goldsmith, Thomas Ptacek, Don’t Tell Joanna The Virtualized Rootkit Is Dead,_ [41] slides-1
Vitriol, time
Joanna Rutkowska. Alexander Tereshkin, IsGameOver, 2007 [127] slides virtualization based malware, time
Kris Kaspersky, blue pill/red pill - the matrix has windows longhorn paper Blue Pill, time, Nested VM, time
Bartlomiej Zolnowski, The Blue Pill as an example of hardware-level rootkit in the virtual environment,_ [9] paper Blue Pill
Xuxian Jiang, Xinyuan Wang, Dongyan Xu, Stealthy Malware Detection Through VMM-Based "Out-of-the-Box" Semantic View Reconstruction, 2007 [11] paper slides Application of virtualization technology for detecting hidden software
Rachel Greenstadt, Virtualization and Security, 2009 [24] paper slides Application of virtualization technology for detecting hidden software, Techniques to Detect Virtualized Malware, time
Samuel T. King Peter M. Chen, Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch, SubVirt: Implementing malware with virtual machines,_ [26] paper[14]
slides[26]
slides-1
slides-2
SUBVIRT, Defending VMBR
Jason Franklin, Mark Luk, Jonathan M. McCune, Detecting the Presence of a VMM through Side-Effect Analysis, 2005 [7-22] paper gathering digital evidence, resource availability exception (!), time
Edgar Barbosa, Detecting BluePill, 2007 [50] slides TLB, timing 2 cores, counter, CPU bugs, time
Matt Webster, Grant Malcolm, Detection of Metamorphic and Virtualization-based Malware using Algebraic Specification,_ [18] paper Rootkits that do not use hardware virtualization
Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee, Ether: Malware Analysis via Hardware Virtualization Extensions, 2008 [12]
http://ether.gtisc.gatech.edu/source.html
paper slides Malware Analysis, Dynamic Analysis, Virtualization, Emulation, Unpacking, intel, Application of virtualization technology for detecting hidden software
Ryan Naraine, VM Rootkits: The Next Big Threat?, 2006, article paper Overview article, SubVirt,
Jason Franklin, Mark Luk, Jonathan M. McCune, Arvind Seshadri, Adrian Perrig, Leendert van Doorn, Remote Detection of Virtual Machine Monitors with Fuzzy Benchmarking,_ [10] paper VMM detection problem space, Remote detection of virtual machines - without hardware virtualization
Ryan Riley, Xuxian Jiang, Dongyan Xu, Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing, 2008 [22] paper slides Application of virtualization technology for detecting hidden software
John Fisher-Ogden, Hardware Support for Efficient Virtualization,_ [12] paper address-space compression, Popek and Goldberg, Address Space Compression, Non-Privileged Sensitive Instructions
[-=MOVE=-] Shawn Embleton aka mobydefrag, Hooking CPUID - A Virtual Machine Monitor Rootkit Framework, 2007 paper intel, review source monitor
Francis Hsu, Juan Lang, Anna Tikhonova, Hao Chen, How Real is Virtual: Hiding Artifacts of Virtual Machines,_ [7] paper Hardware Virtualization Technology, Application of virtualization technology for detecting hidden software
Dino A. Dai Zovi, Hardware Virtualization Rootkits,_ [38] slides-1 slides-2 Vitriol
Apeksha Godiyal, Anh Nguyen, Nabil Schear, A Lightweight Hypervisor for Malware Analysis,_ [12]

Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T. King, Hai D. Nguyen, MAVMM: Lightweight and Purpose Built VMM for Malware Analysis,_ 13

MAVMM, svn code-download-instruction
paper-1
slides

paper-2

text
Application of virtualization technology for detecting hidden software, src
Joanna Rutkowska, Introducing Blue Pill, 2006 [33] slides One of the first publications about BluePill, BP, SubVirt, Nested VMs, time
Thomas Raffetseder, Christopher Kruegel, Engin Kirda, Detecting System Emulators paper intel, timing
Cedric Lauradoux, Detecting Virtual Rootkits with Covert Channels,_ 10 paper time
Stephen T. Jones, Andrea C. Arpaci-Dusseau, and Remzi H. Arpaci-Dusseau, VMM-based Hidden Process Detection and Identification using Lycosid, 2008 10 paper Lycosid, Application of virtualization technology for detecting hidden software
Joanna Rutkowska, Introducing Stealth Malware Taxonomy, 2006 9 slides classification of hidden software
North Security Labs, Catching Blue Pill, 2008

Hypersight Rootkit Detector A New-Generation Rootkit Detector,_ 4

Hypersight Rootkit Detector (A new-generation anti-rootkit)
paper

paper

paper
BluePill, BP
Aditya Kapoor, Ahmed Sallam, Rootkits Part 2: A Technical Primer,_ 16 paper SubVirt, BluePill, BP
Bryan D. Payne, Martim Carbone, Monirul Sharif, Wenke Lee, Lares: An Architecture for Secure Active Monitoring Using Virtualization,_ 15 paper Lares, Application of virtualization technology for detecting hidden software
H. Andres Lagar-Cavilla, Patagonix: Dynamically Neutralizing Malware with a Hypervisor,_ 2 paper Patagonix, Application of virtualization technology for detecting hidden software
IBM, HVM-Based Rootkits: Blue Pill,_ 1 slides Blue Pill
Sherri Sparks, Shawn Embleton, Cliff Zou, WINDOWS ROOTKITS A GAME OF “HIDE AND SEEK” paper slides VMM rootkits, SMM rootkits, BIOS and PCI Rootkits
Min Xu, Xuxian Jiang, Ravi Sandhu, Xinwen Zhang, Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection, 2007 22 paper slides UCON, Application of virtualization technology for detecting hidden software
Nick L. Petroni, Jr. and Michael Hicks, Automated Detection of Persistent Kernel Control-Flow Attacks, 2007 13 paper Application of virtualization technology for detecting hidden software, State-based control-flow integrity (SBCFI), CFI, integrity, virtualization, rootkit, kernel
Monirul Sharif, Wenke Lee, Weidong Cui, Secure In-VM Monitoring Using Hardware Virtualization, 2009 11 paper Application of virtualization technology for detecting hidden software, Virtual Machines, Secure Monitoring, Kernel Integrity, Malware, model, windows VMM
Reinhard Riedmuller, Alternative Uses of Hardware Virtualization, 2009 61 slides Nested VMs
Joanna Rutkowska, Alexander Tereshkin, Bluepilling the Xen Hypervisor, 2008 85 slides BluePillBoot, Nested Vms
Rafal Wojtczuk, Subverting the Xen hypervisor, 2008 53 slides DMA, Xen, Blue Pill
Joanna Rutkowska, Security Challenges in Virtualized Environments, 2008 97 slides Blue Pill detecting, Nested VMs, Blue Chicken, Static and Dynamic Root of Trust Measurement, VMM bugs,
Joanna Rutkowska, Virtualization – the other side of the coin NLUUG-virtualization,_ 41 slides SubVirt vs. Blue Pill, Nested VMs, detecting, time
Tyler Shields, Survey of Rootkit Technologies and Their Impact on Digital Forensics,_ 11 paper VMBR, detection, firmware rootkit, malware taxonomy
Virtualized rootkits PART 1: Joanna Rutkowska,_

Virtualized rootkits PART 2: Thomas Ptacek and Nate Lawson,_

Interview with Rutkowska, 2007
paper-1

paper-2

paper
popular articles
Joanna Rutkowska, Security Challenges in Virtualized Environments,2007 63 slides Blue Pill, Nested VMMs
FOLLOW THE WHITE RABBIT: VIRTUAL MACHINE ROOTKITS, 2006 20 paper BluePill, BP, SubVirt
[--=MOVE=--] Ed Skoudis, Lenny Zeltser, Malware: Fighting Malicious Code, 2003 672 book-chm
...
BIOS-level and Malware Microcode, (Setting the Stage: Different Layers of Malware)
Joanna Rutkowska, Virtualization Detection vs. Blue Pill Detection, 2007 paper Blue Pill, BP, TLB, Comparison of virtualization detection and VMBR detection
Joanna Rutkowska, We're ready for the Ptacek's challenge!, 2007

Undetectable hypervisor rootkit challenge
paper

paper
Blue Pill, BP, Dispute between Joanna Rutkowska and Thomas Ptacek
Joanna Rutkowska, Kick Ass Hypervisor Nesting! paper Blue Pill, BP, first mention of nested virtualization
[--=MOVE=--] Keith Adams, Ole Agesen, A Comparison of Software and Hardware Techniques for x86 Virtualization, 2006 12 paper Popek and Goldberg, Nested paging hardware
Nick L. Petroni, Jr. Timothy Fraser Jesus Molina William A. Arbaugh, Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor,_ 16 paper DMA, pci bus
Brent Boe, Rootkits,_ 7 paper
slides
Virtual Machine Rootkits, detecting, Popular article about VMBR
Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig, SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes, 2007 16 paper SecVisor, commodity OSes, Application of virtualization technology for detecting hidden software
ZhiWang, XuxianJiang, HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity, 31stIEEE Symposium on Security and Privacy, Oakland CA, May 16-19 2010 paper
slides
detect, Restricted Pointer Indexing (RPI), HyperSafe, Application of virtualization technology for detecting hidden software
Hardware-level virtualization BluePill paper BluePill, EEPROM, article, firmware, Sinowal
Interview with Joanna Rutkowska: virtualization, rootkits and hypervisors, Дмитрий Чеканов, 10 August 2009

16/07/2009: Tom’s Hardware, Going Three Levels Beyond Kernel Rootkits(Original version)
index 1 2
3 4

eng-part
BluePill, TXT, SMM, HyperCore
Francis M. David Ellick M. Chan Jeffrey C. Carlyle Roy H. Campbell, Cloaker: Hardware Supported Rootkit Concealment, IEEE Symposium on Security and Privacy, 2008 15 paper Cloaker, ARM rootkit
Marcos Laureano, Carlos Maziero, Edgard Jamhour, Intrusion Detection in Virtual Machine Environments, 2004 6 paper no VT, review of how VMware Workstation works, history of virtual machine development SOFT->HARD

Big papers about HVM rootkits

Publication Copy Tags
Charles Miller, Dino Dai Zovi, The Mac Hacker's Handbook - Part 3, 2009 384 paper src Vitriol
Detecting Rootkits in Memory Dumps Par Osterberg Medina – SITIC, 2009, 40 slides Dumping the memory, DMA, FireWire
Xuxian Jiang, ENABLING INTERNET WORMS AND MALWARE INVESTIGATION AND DEFENSE USING VIRTUALIZATION, Dissertation Doctor of Philosophy, 2006, 154 paper just Xuxian Jiang's dissertation; not on topic.
Manoj B. Athreya Subverting linux on-the-fly using hardware virtualization technology, 2010 59 paper RSB, timing
Bill Blunden, Anti-Forensics: The Rootkit Connection, 2009, 44 paper slides Firmware-Based Rootkits
Hagen Fritsch, Analysis and detection of virtualization-based rootkits, 2008, 49 paper Empirical results (!), BluePill, BP, Timing Attacks, CPU-specific behaviour, Profiling CPU resource discrepancies (TLB, RSB), Counter-based detection, Side Channel Attacks with nested virtualization, Empirical Results, intel, windows
Douglas P. Medley, Virtualization Technology Applied to Rootkit Defense, 2007 92 paper translate Hardware Based Monitoring, intel, amd, FreeBSD
Michael A. Davis, Sean M. Bodmer, Aaron LeMasters, Hacking exposed malware and rootkits: malware and rootkits security secrets and solutions paper Virtual rootkits, SubVirt, BluePill, Vitriol, Hardware-Based Rootkits, Co-Pilot Komoku,
Micha Moffie, Investigating the utility of software semantics for host-based intrusion detection systems, Doctor of Philosophy, 2008, 136 paper VGuard, Application of virtualization technology for information protection
Stephen T. Jones, Implicit operating system awareness in a virtual machine monitor, Doctor of Philosophy, 2007, 128 paper monitored guest OS, Application of virtualization technology for information protection
Joao Carlos Carvalho dos Santos Ramos, Security challenges with virtualization, 2009 121 paper BluePill, SubVirt, detect, VT application, Virtual-Machine-Based Rootkit (VMBR)
Melcher Tobias, Integrity checking of operating systems with respect to kernel level malware, Degree, 2005, 141 paper slides Virtual environments, Linux, history of virtual machine development SOFT->HARD
Jason Franklin, Mark Luk, Jonathan M. McCune, Arvind Seshadri, Adrian Perrig, and Leendert van Doorn, Towards Sound Detection of Virtual Machines,_ 30 paper timing-based approach to detect virtual machine monitors (VMMs) without relying on VMM implementation details
Sun Bing, Software virtualization based rootkits, 2007 _53 paper slides VMM, SMM, VMBR

Source code HVM rootkits

Publication Copy Tags
CPUID Explorer Part 1
CPUID Explorer Part 2
CPUID Explorer src exe
part1
part2
src+exe
check VT-x
Crystal CPUID 415 exe check VT-x
CPU-Z exe check VT-x
Check support & run VMM exe VT-x, intel, amd-v, check VT-x
Check support VT, DEP, max bit length exe VT-x, intel, check VT-x
Setup_Hypersight_RD_0_5_beta exe VT-x, intel, amd-v
Shawn Embleton aka mobydefrag, Virtual Machine Monitor src VT-x, intel, core 2 duo
AMD VMM src amd-v
tlbprofiler, svmchronometer2, svmchronometer src amd-v
dump_smram_vmware, attack_cache (user, kernel) src SMM
nbp-0.32-public src BluePill, BP, VT-x, intel, amd-v
nbp-0.11 src BluePill, BP, amd-v
VMM cpuid_break, 2008 src VT-x, intel
bitvisor-1.1.tar.gz

Zhi Wang, Xuxian Jiang, Weidong Cui, Peng Ning, Countering Kernel Rootkits with Lightweight Hook Protection, 2009 10
src review cr4sh paper VT-x, intel, boot, Malware Protection, Rootkits, Virtual Machines, HookSafe
An Introduction to the Palacios Virtual Machine Monitor—Version 1.0
palacios
paper
src
VT-x, intel, boot
Anh M. Nguyen, Nabil Schear, Apeksha Godiyal, HeeDong Jung, MAVMM src-folder VT-x, intel, amd-v
Linux VMM
hxen-091005-src.tar.bz2, kvm-88.tar.gz, kvm-guest-drivers-windows-2.zip, kvm-kmod-devel-88.tar.gz, qemu-kvm-devel-88.tar.gz
Learn about the Linux Kernel Virtual Machine (KVM)
all src
paper
t_a_g_s
Template termosintez
This is a simple 32-bit driver. It turns virtualization mode on and off. Works on Windows NT (tested on XP and 7). Built with masm32, using the header files from KmdKit (a big hello to Four-F). You can catch the output with windbg or debugview, but it is better to implement output to a COM port yourself; it will come in handy later (by the way, this routine is in nbp if you look carefully).
Build: D:\ASM\masm32\BIN\ML.EXE /nologo /c /coff "Virtualize.asm" Assembling: Virtualize.asm D:\ASM\masm32\BIN\LINK.EXE /nologo /driver /base:0x10000 /align:32 /out:ndissin.sys /subsystem:native /ignore:4078 /OUT:"Virtualize.sys" "Virtualize.obj"
src t_a_g_s
Setup_Hypersight_RD_0_5_beta.exe
Setup-Hypersight-RD-1.0.1235.5575-i386-beta.exe
exe
exe
t_a_g_s

Trusted Platform Module, Trusted Execution Technology

Publication Copy Tags
Stefan Berger, Ramon Caceres, Kenneth A. Goldman, Ronald Perez, Reiner Sailer, Leendert van Doorn, vTPM: Virtualizing the Trusted Platform Module, Security ’06: 15th USENIX Security Symposium, 2006 16 19 paper slides virtual TPM, unix
Antonio Lioy, Gianluca Ramunno and Davide Vernizzi, Trusted-Computing Technologies for the Protection of Critical Information Systems, Journal of Information Assurance and Security 4 (2009) 449-457, 2009 9 paper t_a_g_s
Jonathan M. McCune, Reducing the Trusted Computing Base for Applications on Commodity Systems, 2009 206 paper Software Security, Trusted Computing Base, Dynamic Root of Trust for Measurement, Remote Attestation, Trusted Platform Module
Shane Balfe, Eimear Gallery, Chris J. Mitchell and Kenneth G. Paterson, Royal Holloway, Challenges for Trusted Computing, 2008 13 paper t_a_g_s
Haibo Chen, Fengzhe Zhang, Cheng Chen, Ziye Yang, Rong Chen, Binyu Zang, Tamper-Resistant Execution in an Untrusted Operating System Using A Virtual Machine Monitor, 2007 17 paper t_a_g_s

System management mode rootkits

Publication Copy Tags
Loic Duflot, Daniel Etiemble, Olivier Grumelard, Using CPU System Management Mode to Circumvent Operating System Security, _15 Functions, paper OpenBSD
Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang, Xiaolan Zhang, Nathan C. Skalsky, HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity, 2010 _12 paper Virtualization, Hypervisor Integrity, Integrity Measurement
Rafal Wojtczuk, Joanna Rutkowska, Attacking Intel® Trusted Execution Technology, _6 paper Trusted Computing, Trusted Execution Technology, System Management Mode, TXT, SMM, STM, BIOS, security, analysis, attacks
Transmeta Corporation, System Management Mode, 2002 5 paper SMM
How to defeat a rootkit paper SMM
How to detect system management mode (SMM) rootkits, 2008 paper SMM rootkit
Hypervisor security using SMM, 2008 12 paper SMM
Loic Duflot, Olivier Levillain, Benjamin Morin, Olivier Grumelard, System Management Mode Design and Security Issues, 2010 79 slides SMM security
Jiang Wang, HyperCheck: a Hardware Assisted Integrity Monitor, _25 src exe paper slides HyperCheck, SMM
Pete Markowsky, Ring -1 vs. Ring -2: Containerizing Malicious SMM Interrupt Handlers on AMD-V slides AMD, Differences from Intel VT
Yuriy Bulygin, Chipset based detection and removal of virtualization malware a.k.a. DeepWatch, 2010 slides DeepWatch, SMM
SMIs Are EEEEVIL (Part 1, 2) paper paper SMI
Matthieu Suiche, SMM Rootkit limitations(and how to defeat it ), 2008 paper SMM rootkit
Rafal Wojtczuk, Joanna Rutkowska, Attacking SMM Memory via Intel CPU Cache Poisoning paper CPU Cache, System Management Mode, SMM, security, analysis, attack
A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers paper SMM rootkit
System and method for providing cacheable smram, 2001 src exe paper slides patent
System and method for execution of a secured environment initialization paper patent
Writing cached data to system management memory paper patent
Checking the integrity and presence of software agents at runtime paper Intel Technology Journal, SMM
Impact of SMI handlers on the operation of QNX, 2008 5 paper SMI, QNX, "The operation of an SMI handler can be detected by indirect signs:"
Chul-woong, Lee, Implementing SMM PS/2 Keyboard sniffer, 2009 14 src exe paper slides SMM sniffer