CHIPSET BASED APPROACH TO DETECT
VIRTUALIZATION MALWARE
a.k.a. DeepWatch
Yuriy Bulygin
Joint work with David Samyde
Security Center of Excellence / PSIRT @ Intel Corporation
AGENDA
• Introduction
• Chipset based detection of virtualization malware
• DeepWatch: proof of concept detector
• Removing virtualization rootkits
• Detecting SMM rootkits
• Limitations
• Bypassing detection
• Comparing with other detection approaches
• Demo: detecting Intel VT-x based rootkit
• Conclusions
2
7/6/2008
Copyright © Intel Corporation, 2006. All rights reserved. Third-party marks and
brands are the property of their respective owners. All products, dates, and
figures are preliminary and subject to change without notice.
INTRODUCTION
(G)MCH-BASED PLATFORM OVERVIEW
[Platform diagram: CPU w/ VT running the OS; FSB; (G)MCH with MEMORY CONTROLLER and DRAM; DMI; ICH; SPI FLASH holding the BIOS]
(G)HMM.. PROBLEM
[Same platform diagram, now with a VMX-root(kit) HYPERVISOR underneath the OS on the CPU w/ VT: CPU w/ VT; VMX-root(kit) HYPERVISOR; OS; FSB; (G)MCH with MEMORY CONTROLLER and DRAM; DMI; ICH; SPI FLASH holding the BIOS]
EMBEDDED μCONTROLLER(S)
[Diagram as above, adding the EMBEDDED μCONTROLLER inside the (G)MCH, made of an EMBEDDED CORE, SRAM, ROM and a DMA CTRL, with its FIRMWARE stored in the SPI FLASH next to the BIOS]
EMBEDDED μCONTROLLER(S): SUMMARY
• (G)MCH a.k.a. NorthBridge has embedded
microcontroller(s)
• Embedded uController in NorthBridge appears as a
separate integrated device on PCI bus with one or more
PCI functions
• Assigned with its B/D/F for device enumeration by BIOS
• Embedded uController may integrate different hardware
engines such as various bus controllers, PIC, crypto
accelerators, DMA engine(s) etc.
• DMA capable embedded uController(s) can be
programmed by firmware to access system DRAM
– host physical addresses (HPA) are used to access system DRAM
EMBEDDED μCONTROLLER(S): FIRMWARE
• Embedded uController runs firmware
– Real-time operating system (RTOS)
– Firmware drivers operating hardware engines
– Firmware applications
• Embedded firmware can operate hardware engines in chipset
such as crypto hardware, internal DMA ..
• Internal SRAM memory or memory stolen from DRAM is used
for firmware code, stack/heap ..
• External non-volatile memory is used for storing firmware
binaries: e.g. SPI Flash
• New Intel chipsets have embedded uController which executes
Intel firmware digitally signed and stored in non-volatile SPI
Flash memory
• Example: Intel® Active Management Technology (iAMT) [13]
CHIPSET BASED DETECTION AND REMOVAL
OF VIRTUALIZATION MALWARE
DETECTION IDEA
[Diagram as on the embedded-μController slide, with DeepWatch running on the EMBEDDED CORE of the EMBEDDED μCONTROLLER in the (G)MCH and its image stored in the SPI FLASH next to the BIOS; the VMX-root(kit) HYPERVISOR still sits underneath the OS on the CPU w/ VT, and the μController's DMA CTRL reaches DRAM through the MEMORY CONTROLLER]
DETECTION SUMMARY
• Embedded firmware runs on embedded core in the
chipset
• It runs “underneath” any hypervisor executing on
host CPU
• uController’s internal DMA hardware can be used
by embedded firmware to access system memory
(DRAM)
• .. and scan for code/structures of known HW
virtualization rootkits and remove them
VT-x ROOTKIT BRIEF
[Screenshot with annotations:]
• VT-x rootkit “signature” = VM Exit Handler opcodes
• bpknock checks magic response
• Rootkit relocated VM Exit Handler to 0x73000 PA
LET’S PROGRAM DMA MANUALLY
• Programming DMA hardware over JTAG port in debugger
• DMA-ing 64 bytes from system memory containing malicious
VMExit handler code to internal chipset memory
WHY IS IT INTERESTING ??
• Detects HW virtualization rootkits in system memory regions
inaccessible to host OS
• Can remove virtualization rootkits from compromised system
– E.g. replace malicious #VMEXIT handler with a good one
• Anti-virus vendors can integrate AV engines with DeepWatch
in chipsets to detect and remove virtualization rootkits
• Detection can be unnoticeable by the user:
– doesn’t consume host CPU time
– fast enough to scan entire DRAM (hundreds MBps)
– can scan memory/SSD while host is in sleep
• Can be used to detect and remove malware rootkits in other
reserved memory regions (e.g. SMRAM) inaccessible to OS
and anti-viruses
• Could provide hardware based verification of Windows Patch
Guard or other OS kernel-mode rootkit detectors
DeepWatch: PROOF OF CONCEPT CHIPSET
BASED DETECTOR
“DeepWatch” named after Labyrinth of Reflections novel by Sergei Lukyanenko
(http://en.wikipedia.org/wiki/Labyrinth_of_Reflections)
DeepWatch
• DeepWatch is implemented as a PoC in (G)MCH
firmware on Intel® Q35 chipset codename “Bearlake”
• Detects Intel® VT-x based rootkits
– Rootkit is running on Intel® Core 2 Duo CPU and virtualizes
Microsoft® Windows® XP SP2
– Rootkit relocates VM Exit handler code and VMCS structures to
legacy address space (below 1MB)
• DeepWatch programs internal DMA hardware to access
system memory and scan for signatures of known VT-x
based rootkits
• Uses opcode sequence of VM Exit Handler of the rootkit
as a signature (can implement more sophisticated
detection)
• DMA transfers are done in 32/64 kB chunks
DeepWatch CONT’D
• DeepWatch scanning thread starts during BIOS POST:
– does DMA copy of DRAM contents to internal g_local_buffer
– sets g_detected_at to DRAM physical address of detected rootkit
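An added example, not the DeepWatch firmware itself: a C model of the scan loop described above, which copies a constructed DRAM image in 32 kB chunks into g_local_buffer, matches a constructed placeholder opcode signature (not the real rootkit's), records the hit in g_detected_at, and neutralizes it with NOPs as the removal slides describe. The DMA engine is simulated with memcpy, and the signature-size cap is an assumption; the loop also carries each chunk's tail into the next so a handler straddling a chunk boundary is still found.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Chunk size from the slides (32/64 kB DMA transfers); SIG_MAX is an assumed
 * upper bound on signature length so the carry-over buffer has a fixed size. */
#define CHUNK_SIZE (32u * 1024u)
#define SIG_MAX    64u

typedef struct { const uint8_t *bytes; size_t len; } signature_t;

/* Internal SRAM stand-in: one DMA chunk plus the tail carried over from the
 * previous chunk, so a handler straddling a chunk boundary is still matched. */
static uint8_t  g_local_buffer[CHUNK_SIZE + SIG_MAX];
static uint64_t g_detected_at;

/* Simulated DMA engine: the real firmware programs the uController's DMA
 * controller with a host physical address; here DRAM is a byte array. */
static void dma_read(const uint8_t *dram, uint64_t hpa, size_t len, uint8_t *dst) {
    memcpy(dst, dram + hpa, len);
}
static void dma_write(uint8_t *dram, uint64_t hpa, const uint8_t *src, size_t len) {
    memcpy(dram + hpa, src, len);
}

/* Returns 1 and sets g_detected_at to the HPA of the first match, 0 if the
 * image is clean, -1 for an unusable signature. */
int deepwatch_scan(const uint8_t *dram, size_t dram_size, const signature_t *sig) {
    if (sig->len == 0 || sig->len > SIG_MAX) return -1;
    size_t carry = 0;                       /* bytes kept from the previous chunk */
    for (uint64_t hpa = 0; hpa < dram_size; hpa += CHUNK_SIZE) {
        size_t len = (dram_size - hpa < CHUNK_SIZE) ? (size_t)(dram_size - hpa) : CHUNK_SIZE;
        dma_read(dram, hpa, len, g_local_buffer + carry);
        size_t avail = carry + len;         /* g_local_buffer[0] maps to hpa - carry */
        for (size_t i = 0; i + sig->len <= avail; i++) {
            if (memcmp(g_local_buffer + i, sig->bytes, sig->len) == 0) {
                g_detected_at = hpa - carry + i;
                return 1;
            }
        }
        carry = (sig->len - 1 < avail) ? sig->len - 1 : avail;
        memmove(g_local_buffer, g_local_buffer + avail - carry, carry);
    }
    return 0;
}

/* Remediation step from the slides: overwrite the matched handler bytes with
 * harmless instructions (x86 NOP, 0x90) over DMA; the guest stays virtualized
 * but the rootkit's handler no longer runs its own code at that spot. */
void deepwatch_neutralize(uint8_t *dram, uint64_t hpa, size_t len) {
    uint8_t nops[SIG_MAX];
    memset(nops, 0x90, sizeof nops);
    dma_write(dram, hpa, nops, len < SIG_MAX ? len : SIG_MAX);
}

/* Constructed sample: placeholder opcode bytes standing in for a rootkit's VM
 * exit handler (not the real signature), planted at the given HPA in a zeroed
 * DRAM image. The caller frees the result. */
static const uint8_t k_sample_sig[] = { 0x0f, 0x78, 0xc0, 0x0f, 0x79, 0xc8, 0x0f, 0x01, 0xc3 };
const signature_t k_sample = { k_sample_sig, sizeof k_sample_sig };

uint8_t *build_sample_dram(size_t size, uint64_t plant_at) {
    uint8_t *dram = calloc(size, 1);
    if (dram && plant_at + sizeof k_sample_sig <= size)
        memcpy(dram + plant_at, k_sample_sig, sizeof k_sample_sig);
    return dram;
}
```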
1: CLEAN SYSTEM
2: ROOTKITTED/VIRTUALIZED SYSTEM
2: DETECTING ROOTKIT SIGNATURE
• Malicious #VMEXIT handler detected at 73000h physical address
– g_detected_at = 0x7300a
– g_local_buffer contains DMA’ed VM Exit handler of the rootkit
REMOVING VIRTUALIZATION ROOTKITS
• DeepWatch not only detects malicious HW hypervisors
• It disinfects host OS from them
• Current implementation:
– Detect malicious VM Exit Handler executed upon every
#VMEXIT
– Overwrite VM Exit Handler with harmless instructions
– OS is still virtualized: in VMX non-root (guest) mode
– But the rootkit does no harm
• Other options:
– Search and modify/replace host and guest VMCS structures
set up by the rootkit
– Overwrite malicious VM Exit Handler code with VMXOFF
opcodes; upon next #VMEXIT rootkit turns off VT (need to
carefully restore OS context)
DETECTING SMM ROOTKITS
• SMM malware compromises SMM memory (SMRAM)
protections to run in System Management Mode [17-19]
• Both chipset and CPU don’t allow non-SMM access to
SMRAM after it’s locked
– So anti-viruses cannot scan SMRAM after it’s locked by
malware
• DeepWatch can detect malicious code in SMRAM
provided that chipset allows embedded uController to
access SMRAM
– DMA access to SMRAM by I/O devices is typically prohibited
by chipset
• Periodically scan SMRAM for malicious code or/and
verify integrity of SMI handlers
LIMITATIONS
• Detection is OS-independent but chipset-specific
– Embedded uController and internal DMA hardware are
chipset-specific
– DeepWatch can detect only VT-x based rootkits. It could
detect SVM rootkits but AMD CPUs don’t work well with
Intel chipsets ;)
• DeepWatch is a proof of concept implementation in
chipset firmware and uses simple signature
matching detection
– It’s not a replacement for an anti-virus managing huge
signature bases and multitude of heuristics to detect
growing number of malware etc.
– It can always use integrity checking, white-lists, heuristics
or combine them
FORGOT A SMALL DETAIL: DMA REMAPPING
[DMA remapping diagram: as on the detection-idea slide, with a DMAr block shown in the path between the EMBEDDED μCONTROLLER's DMA engine and the MEMORY CONTROLLER, so DeepWatch's DMA cycles to DRAM pass through it]
Callout: VT-d conformant chipset should remap DMA cycles from
all DMA devices including from its own internal uControllers
DMA REMAPPING
• VT-d capable chipsets have DMA remapping engine(s)
virtualizing Directed I/O access [12]
• Internal DMA devices should also be subject to DMA
remapping
• Chipset has dedicated register-set for each DMA remapping
engine accessible by software as MMIO range
• DMA remapping can be programmed by software to protect
certain memory regions from certain DMA-capable I/O devices
– I/O device is identifiable by its PCI Bus and Device
– Embedded uControllers in chipset have their own PCI B/D/F
– Create DMA remapping page tables translating DMA virtual address issued
by embedded uController’s B/D/F to host physical address (HPA)
– All DMA cycles issued by embedded uController will be translated
• Additionally, certain DMA-protected memory regions
(PLMR/PHMR) may be enabled to prevent DMA access
– E.g. for initializing DMAr structures by trusted VMM
AVOIDING DETECTION BY REMAPPING DMA
To avoid detection
• rootkit can program DMA-remapping engine translating DMA
transactions issued by embedded uController running
DeepWatch
• relocate its code/data (VM Exit Handler, VMCS structs etc.) to
physical memory protected by DMA remapping page tables or
to PLMR/PHMR regions
So how to solve it
• DMA-remapping engine may not translate DMA transactions
issued by DeepWatch DMA engine distinguishing them from
any other DMA transactions
• Trusted software such as SMX authenticated code modules
(Intel® TXT) can enable and program DMA-remapping engine
for DeepWatch uController
COMPARING WITH OTHER DETECTION
APPROACHES
ANOMALY BASED DETECTION
• Timing measurements of instructions causing VMEXIT
– Local timing: RDTSC, ACPI timer, Local APIC, RTC [8, by bugcheck]
– Remote timing: NTP [8]
– Using another thread on SMT CPU to measure #VMEXIT latency [7]
– Using timers of integrated devices in the chipset
• TLB profiling of instructions causing VMEXIT events
– Measure timing of address translation due to TLB evictions
by a hypervisor [5,6,8,9]
– TLB coloring: observe if TLB VA-2-PA mappings changed due to VMEXIT [9]
– Measure # of TLB misses due to flushing TLB’s upon
VMEntry/#VMEXIT
• Using μArchitectural side-channel attacks
– RSB based side-channel: corruption of RSB state by VT Exit handler [25]
• Other: CPU errata, causing faults or exhausting resources,
Last Branch Record, different CPU behavior in VMX root vs.
in non-root modes
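As an added illustration of the local-timing approach listed above (not code from the slides), this C snippet times CPUID with RDTSC over many samples and judges on the median against a baseline taken on a known clean machine of the same model. The baseline value and the 2x ratio are assumptions, and a non-x86 build produces no samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#include <cpuid.h>
/* One sample: TSC delta around CPUID. CPUID unconditionally causes a VM exit
 * under VT-x, so a hypervisor's exit handler adds its latency to every reading. */
static uint64_t time_cpuid_once(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)(a + b + c + d);
    return t1 - t0;
}
#else
/* Non-x86 build: there is no VT-x to probe, so produce no samples. */
static uint64_t time_cpuid_once(void) { return 0; }
#endif

/* Collects up to n latency samples into out; returns how many were taken. */
size_t sample_cpuid_latency(uint64_t *out, size_t n) {
    size_t taken = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t dt = time_cpuid_once();
        if (dt) out[taken++] = dt;
    }
    return taken;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of the sample set (sorts a copy). Returns 0 for an empty set. */
uint64_t median_u64(const uint64_t *v, size_t n) {
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Verdict: median latency above SUSPICIOUS_RATIO times the clean baseline
 * (assumed, supplied by the caller). Judging on the median of many samples is
 * what keeps a single interrupt or cache miss from flipping the result, which
 * is the "probabilistic" caveat the comparison slides raise. */
#define SUSPICIOUS_RATIO 2
int looks_virtualized(const uint64_t *samples, size_t n, uint64_t baseline_cycles) {
    if (n == 0 || baseline_cycles == 0) return 0;
    return median_u64(samples, n) > SUSPICIOUS_RATIO * baseline_cycles;
}
```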
CONS
• Do not distinguish good hypervisors from bad
– Detected SSDT hook, it may be XXX anti-virus or a kernel rootkit.
Remove ??
• Probabilistic: need to run lots of tests to reduce
probability of a false positive
• Hey, we talked about detection only !! How about
removing rootkits from the system ??
• Conceptual contradiction: VMX non-root detector is less
privileged than the VMX root(kit)
– Detector shouldn’t have any way to affect more privileged VMX root(kit) by
design of virtualization
– Detectors have no legitimate way to remove VT rootkit. VT rootkit
can do with detector anything it wants/can
• Agents win ;)
HARDWARE MEMORY ACQUISITION
• Uses DMA capable device to acquire physical
memory dump and perform forensic analysis [15]
• A lot of information can be learned about OS or
VMM from physical memory dump [20-24]
• DMA remapping (VT-d) hardware in chipsets
protects VMM pages from external I/O devices.
Virtualization malware can trivially avoid detection
• Method requires discrete DMA capable card. Can IT
security folks scan memory of every host physically
with external device ??
DEMO:
DETECTING INTEL VT-x BASED ROOTKIT
CONCLUSIONS
• Embedded μControllers in chipsets can be used to reliably
detect and remove HW virtualization malware distinguishing
it from legitimate VMM’s
• DeepWatch can bring some benefits to traditional antimalware solutions:
– Can integrate capabilities of anti-virus engines with
hardware capabilities of embedded uControllers in chipsets
– Can provide hardware based verification of OS kernel antirootkit modules (e.g. PatchGuard)
• Can enable detection of other types of emergent malware
residing in memory inaccessible to OS/anti-viruses such as
SMM rootkits
• Can be used with any detection technique whether it is
signature scanning, integrity checking or various heuristics
FINAL REMARKS
• This work is now a joint research with Intel
Corporate Technology Group, Networking
Technologies Lab
• Acknowledgements:
Dean Krekos, Sagar Dalvi, Jason Fung, Toby
Kohlenberg, Howard Herbert
All authors of research in virtualization rootkits
and their detection
Thank you for your attention !!
Any questions ??
Intel Security Center of Excellence (SeCoE)
• Evaluates Intel products, platforms and technologies for
security vulnerabilities
• Staffs Intel Product Security Incident Response Team (iPSIRT)
to respond to security incidents in Intel products
• Drives Secure Development Lifecycle process across Intel
products
• Doesn’t do all that alone: works with all security architects,
technology architects, development and validation teams
secure@intel.com
http://www.intel.com/security
REFERENCES
1. Dino A. Dai Zovi. Hardware Virtualization Rootkits. Black Hat USA 2006
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Zovi.pdf
2. Joanna Rutkowska. Subverting Vista Kernel For Fun And Profit. Black Hat USA 2006, SyScan 2006
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf
3. Joanna Rutkowska, Alexander Tereshkin. IsGameOver() Anyone? Black Hat USA 2007
http://bluepillproject.org/stuff/IsGameOver.ppt
4. Nate Lawson, Peter Ferrie, Thomas Ptacek. Don't Tell Joanna, The Virtualized Rootkit Is Dead. Black
Hat USA 2007 https://www.blackhat.com/presentations/bh-usa07/Ptacek_Goldsmith_and_Lawson/Presentation/bh-usa-07-ptacek_goldsmith_and_lawson.pdf
5. Peter Ferrie. Attacks on More Virtual Machine Emulators http://pferrie.tripod.com/papers/attacks2.pdf
6. Peter Ferrie. Attacks on Virtual Machines. Symantec Corporation
http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf
7. Edgar Barbosa. Blue Pill Detection. COSEINC Advanced Malware Labs, SyScan'07
http://rapidshare.com/files/42452008/detection.rar.html
8. Tal Garfinkel, Keith Adams, Andrew Warfield, Jason Franklin. Compatibility is Not Transparency: VMM
Detection Myths and Realities. HotOS 2007
http://www.cs.cmu.edu/~jfrankli/hotos07/vmm_detection_hotos07.pdf
9. Keith Adams. Blue Pill Detection In Two Easy Steps. July 2007
http://x86vmm.blogspot.com/2007/07/bluepill-detection-in-two-easy-steps.html
10. Michael Myers, Stephen Youndt. An Introduction to Hardware-Assisted Virtual Machine (HVM) Rootkits
http://crucialsecurity.com/
11. Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 3B: System Programming
Guide (chapters 19-23) http://www.intel.com/design/processor/manuals/253669.pdf
12. Intel® Vanderpool Technology for IA-32 Processors (VT-x) http://cachewww.intel.com/cd/00/00/19/76/197666_197666.pdf
13. Intel® Virtualization Technology for Directed I/O. Architecture Specification. September 2007
http://download.intel.com/technology/computing/vptech/Intel(r)_VT_for_Direct_IO.pdf
14. Intel® Active Management Technology (iAMT) http://www.intel.com/go/iamt/
15. Nick L. Petroni, Jr., Timothy Fraser, Jesus Molina, William A. Arbaugh. Copilot - a Coprocessor-based
Kernel Runtime Integrity Monitor http://www.cs.umd.edu/~waa/pubs/USENIX-copilot.pdf
16. Joanna Rutkowska. Beyond the CPU: Defeating Hardware Based RAM Acquisition. Black Hat DC 2007
http://www.blackhat.com/presentations/bh-dc-07/Rutkowska/Presentation/bh-dc-07-Rutkowskaup.pdf
17. John Heasman. Hacking Extensible Firmware Interface (EFI). Black Hat USA 2007 / DEFCON 15
https://www.blackhat.com/presentations/bh-usa-07/Heasman/Presentation/bh-usa-07-heasman.pdf
18. Loïc Duflot. Using CPU System Management Mode to Circumvent Operating System Security
Functions. CanSecWest 2006
19. BSDaemon, coideloko, D0nand0n. System Management Mode Hacks
http://www.phrack.org/issues.html?issue=65&id=7#article
20. Mariusz Burdach. Physical Memory Forensics. Black Hat USA 2006
http://forensic.seccure.net/pdf/mburdach_physical_memory_forensics_bh06.pdf
21. Andreas Schuster. Searching for processes and threads in Microsoft Windows memory dumps
http://dfrws.org/2006/proceedings/2-Schuster.pdf
22. Tobias Klein. Process Dump Analyses: Forensical acquisition and analyses of volatile data
http://www.trapkit.de/img/pdf.gif
23. int for(ensic){blog;} -- PTFinder -- KntTools and KntList
http://computer.forensikblog.de/en/topics/windows/memory_analysis/
24. Windows Physical Memory Analysis http://windowsir.blogspot.com/2006/03/windows-physical-memory-analysis.html
25. Yuriy Bulygin. CPU side-channels vs. virtualization rootkits: the good, the bad, or the ugly. ToorCon
Seattle 2008. http://www.c7zero.info/home.html#hyper-channel