GitHub - madtrapper/Hypro: VMI on BitVisor to detect hidden rootkits.

madtrapper / Hypro Public

forked from jdk8/Hypro

Notifications You must be signed in to change notification settings
Fork 0
Star 0

VMI on BitVisor to detect hidden rootkits.

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 10 Commits
VMI		VMI
boot		boot
core		core
crypto		crypto
drivers		drivers
edk		edk
idman		idman
include		include
process		process
storage		storage
tools		tools
vpn		vpn
Doxyfile		Doxyfile
Makefile		Makefile
Makefile.build		Makefile.build
Makefile.clean		Makefile.clean
Makefile.common		Makefile.common
Makefile.config		Makefile.config
README		README
bitvisor.lds		bitvisor.lds
bitvisor.map		bitvisor.map
config.sh		config.sh
defconfig		defconfig
defconfig.tmpl		defconfig.tmpl

Repository files navigation

Hypro - VMI on BitVisor to detect hidden rootkits.

tools/adore-ng is a well-known LKM(loadable kernel modules) rootkit for getting root privilege, hiding certain processes, files, ports, .etc.
tools/hypercall has the files to read VM's processes, loaded kernel modules, physical memory from VMM, so we can check the differences to find exceptions.
core/vmmcall_test.c implements the core VMI functions.
VMI/fs is a ported EXT4 file system from Uboot. With this module, we can reread block device to check to hidden files.
Guest's Fs/(attecked)    VMI/fs
  |_______________________|
  |
driver
  |
hardware
BitVisor uses parapass-through architecture that allows VM's device driver to handle the real device. So VMI/fs is ported to host's OS.

How to build:
Hypro's build can be found in BitVisor's HomePage.