-
Notifications
You must be signed in to change notification settings - Fork 10
/
README
18 lines (15 loc) · 898 Bytes
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Hypro - VMI on BitVisor to detect hidden rootkits.
tools/adore-ng is a well-known LKM(loadable kernel modules) rootkit for getting root privilege, hiding certain processes, files, ports, .etc.
tools/hypercall has the files to read VM's processes, loaded kernel modules, physical memory from VMM, so we can check the differences to find exceptions.
core/vmmcall_vmi.c implements the core VMI functions.
VMI/fs is a ported EXT4 file system from Uboot. With this module, we can reread block device to check to hidden files.
Guest's Fs/(attacked) VMI/fs
|_______________________|
|
driver
|
hardware
BitVisor uses parapass-through architecture that allows VM's device driver to handle the real device. So VMI/fs is ported to host's OS.
New features(such as capture of memory event and register event) are under developement.
How to build:
Hypro's build can be found in BitVisor's HomePage.