Re: Windows Vista 64bits and unexported kernel symbols
Matthieu Suiche wrote:
Hello,
This article is talking about Windows Vista 64bits and its system
structures
which are proteged against rootkit. I also explain how these structures can
be authentified without Pathguard.
http://www.msuiche.net/papers/Windows_Vista_64bits_and_unexported_kernel_symbols.pdf
If you really wanted to protect a kernel from root kits, you could
use virtualization for that. Simply mark part of the guest memory
as read only, and only allow the guest to map that memory read-only.
Conversely, the guest needs to only be allowed to map that memory
(and no other memory) at the addresses that memory is supposed to
be mapped, so it cannot eg. create duplicate syscall table, modify
that and map it where the original used to be mapped in virtual
memory.
This kind of scheme can work because an exploit would not have the
permission to modify the memory in question, and the hypervisor itself
does not run any of the applications that could exploit it.
Of course, with such a scheme the anti-virus vendors would be totally
locked out.
--
Politics is the struggle between those who want to make their country
the best in the world, and those who believe it already is. Each group
calls the other unpatriotic.