Rootkits and Blue Pill

Please read WFA pp. 308-328 if you haven't already.

What is a rootkit?

It's a modification, usually of the operating system itself or access to the operating system, in an attempt to hide the presence of malware.

What is Blue Pill?

It's a complete replacement of the user's operating system by a virtualized environment. While it is generally termed as a rootkit, the idea is that the only state that is the same is non-volatile or non-local state.

Rootkits in the real world

The first place to look is the venerable http://www.rootkit.com/. There's a lot there, and it appears to still be alive.


One prevalent idea is the idea of "crossviews"; you use any differences in the view from the suspect system and a different one to detect rootkits. Another is direct analysis (to the extent possible, at least) of memory from within a suspect system and what standard tools are telling you is there.