The huge work is completed, and the product is ready for shipping. We would like to thank all people who helped us with advices, criticism and testing.
The purpose of Hypersight RD is monitoring the Windows kernel against the following malicious events:
- Hypervisor-Like Activity. Attempts to start hypervisor (enter virtualization root mode) by kernel-mode code. This activity is blocked. Hypervisors cannot be started when monitoring is active.
- Suspicious CPU Activity. Rootkits often change control registers. Mostly this is clearing the "write-protect" bit of CR0 register for subsequent modifying of write-protected code.
- In-Memory Code Modifications. This is modifying of non-paged code of drivers, Windows kernel and HAL. SSDT modifications fall in this category as well (SSDT is located in the code section of the NT kernel). Both direct modifications (with CR0.WP clearing) and modifications with remapping (MmMapLockedPages) are intercepted.
- Stealth Code. This is the favorite trick of rootkit writers: to execute code outside of drivers and kernel. Traditional rootkit detectors are unable to find such code in the general case.
The activity is reported inside of the main window of Hypersight. A detailed description is provided for each intercepted event: CPU state, code, stack and list of kernel modules. Usually this information is enough to identify the threat.
Hypersight currently has the following requirements:
- OS: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 (x86 only for all systems)
- Memory: 1GB minimum, 2GB recommended
- Processors: Intel Core i3, i5, i7
- Consulting on events intercepted by program
- Free updates of the application