Fritsch, H. (2008):
Analysis and detection of virtualization-based rootkits
With the emergence of hardware virtualization, it was discussed if this technology gives ground for a potentially undetectable form of malware. While several claims have been made, this thesis presents this malware technology's state of the art, describes possible detection methods and demystifies the topic referencing the current literature, analyzing a sample implementation and validating results on a special testing machine. Though the 100\% undetectability claim does not hold due to a variety of attack vectors that have been presented over the last two years, such malware raises the bar for detection, especially since real code detection requires ways to get raw memory access which is only possible by getting even closer to the hardware. With this thesis, a testing framework for detection using side-channel attacks is presented implementing some of the proposed detection methods.