Black Hat Briefings, Usa 2007 [audio] Presentations From The Security Conference.

We will present new, practical methods for compromising Vista x64 kernel on the fly and discuss the irrelevance of TPM/Bitlocker technology in protecting against such non-persistent attacks. Then we will briefly discuss kernel infections of the type II (pure data patching), especially NDIS subversions that allow for generic bypassing of personal firewalls on Vista systems. A significant amount of time will be devoted to presenting new details about virtualization-based malware. This will include presenting various detection methods that could be used to either detect the presence of a hypervisor or find the malware itself. We will also discuss why each of these approaches cannot be used to build a practical detector, either because they could be fully defeated by virtualization based malware or because they are very impractical. This will include demonstration of how virtualization based malware can avoid timing-based detection, even if a detector uses trusted time source. We will also discuss detection appr