GitHub - jdk8/Hypro: VMI on BitVisor to detect hidden rootkits.

jdk8 / Hypro Public

Notifications You must be signed in to change notification settings
Fork 10
Star 25

VMI on BitVisor to detect hidden rootkits.

25 stars 10 forks Branches Tags Activity

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 23 Commits
VMI		VMI
boot		boot
core		core
crypto		crypto
drivers		drivers
edk		edk
idman		idman
include		include
process		process
rootkit		rootkit
storage		storage
tools		tools
vpn		vpn
.config		.config
Doxyfile		Doxyfile
Makefile		Makefile
Makefile.build		Makefile.build
Makefile.clean		Makefile.clean
Makefile.common		Makefile.common
Makefile.config		Makefile.config
README		README
bitvisor.lds		bitvisor.lds
bitvisor.map		bitvisor.map
config.sh		config.sh
defconfig		defconfig
defconfig.tmpl		defconfig.tmpl
grub.cfg		grub.cfg

Repository files navigation

Hypro - VMI on BitVisor to detect hidden rootkits.

tools/adore-ng is a well-known LKM(loadable kernel modules) rootkit for getting root privilege, hiding certain processes, files, ports, .etc.
tools/hypercall has the files to read VM's processes, loaded kernel modules, physical memory from VMM, so we can check the differences to find exceptions.
core/vmmcall_vmi.c implements the core VMI functions.
VMI/fs is a ported EXT4 file system from Uboot. With this module, we can reread block device to check to hidden files.
Guest's Fs/(attacked)    VMI/fs
  |_______________________|
  |
driver
  |
hardware
BitVisor uses parapass-through architecture that allows VM's device driver to handle the real device. So VMI/fs is ported to host's OS.

New features(such as capture of memory event and register event) are under developement.

How to build:
Hypro's build can be found in BitVisor's HomePage.