{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2023,1,13]],"date-time":"2023-01-13T09:32:43Z","timestamp":1673602363329},"reference-count":43,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2009,9,12]],"date-time":"2009-09-12T00:00:00Z","timestamp":1252713600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["J Comput Virol"],"published-print":{"date-parts":[[2011,2]]},"DOI":"10.1007\/s11416-009-0130-8","type":"journal-article","created":{"date-parts":[[2009,9,11]],"date-time":"2009-09-11T16:20:23Z","timestamp":1252686023000},"page":"23-49","source":"Crossref","is-referenced-by-count":10,"title":["Detecting (and creating !) a HVM rootkit (aka BluePill-like)"],"prefix":"10.1007","volume":"7","author":[{"given":"Anthony","family":"Desnos","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"\u00c9ric","family":"Filiol","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ivan","family":"Lefou","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2009,9,12]]},"reference":[{"key":"130_CR1","unstructured":"Advanced Micro Devices. Amd64 architecture programmer\u2019s manual, vol. 2: System programming. 15 Secure Virtual Machine"},{"key":"130_CR2","unstructured":"Advanced Micro Devices. Amd64 architecture programmer\u2019s manual, vol. 2: System programming. 15.23 External Access Protection"},{"key":"130_CR3","unstructured":"Anonymous. Runtime process infection. phrack 59-0x08"},{"key":"130_CR4","unstructured":"Anonymous author. Runtime process infection. Phrack Mag. 8(59), (2002)"},{"key":"130_CR5","unstructured":"Anonymous author. Building ptrace injecting shellcodes. Phrack Mag. 12(59), (2002)"},{"key":"130_CR6","unstructured":"Barbosa, E.: Detecting bluepill. SyScan\u201907"},{"key":"130_CR7","unstructured":"Bareil, N.: Playing with ptrace() for fun and profit. http:\/\/actes.sstic.org\/SSTIC06\/Playing_with_ptrace\/SSTIC06-article-Bareil-Playing_with_ptrace.pdf"},{"key":"130_CR8","unstructured":"Bochs: highly portable open source ia-32 (x86) pc emulator. http:\/\/bochs.sourceforge.net\/"},{"key":"130_CR9","unstructured":"Brian Carrier. Open source digital investigation tools. http:\/\/www.sleuthkit.org"},{"key":"130_CR10","unstructured":"Casek. http:\/\/www.uberwall.org"},{"key":"130_CR11","unstructured":"Core Security Technologies. Coreimpact outil de test d\u2019intrusion. http:\/\/www.coresecurity.com\/content\/core-impact-overview"},{"key":"130_CR12","unstructured":"Desnos Guih\u00e9ry Sala\u00fcn. Sanson the headman. (2008). http:\/\/sanson.kernsh.org"},{"key":"130_CR13","unstructured":"Dornseif, M.: All your memory are belong to us. Cansecwest 2005"},{"key":"130_CR14","unstructured":"Dralet, S., Gaspard, F.: Corruption de la m\u00e9moire lors de l\u2019exploitation. In: SSTIC 06, 2006"},{"key":"130_CR15","unstructured":"Filiol, E.: A formal model proposal for malware program stealth. Virus Bulletin Conference Proceedings, Vienna, 2007"},{"key":"130_CR16","unstructured":"Filiol, \u00c9.: Techniques virales avanc\u00e9es. Collection IRIS, Springer, France, 2008"},{"key":"130_CR17","unstructured":"Filiol, E., Josse, S.: A statitical model for undecidable viral detection. In: Broucek, V., Turner, P. (eds.) Eicar 2007 Special Issue. J. Comp. Virol. (3), 2, 65\u201374 (2007)"},{"key":"130_CR18","unstructured":"Gaspard, F., Dralet, S.: Technique anti-forensic sous linux: utilisation de la m\u00e9moire vive. Misc (25), (2005)"},{"key":"130_CR19","doi-asserted-by":"crossref","unstructured":"grugq. Remote exec. Phrack Mag. 11(62) (2004)","DOI":"10.1109\/MRA.2004.1371610"},{"key":"130_CR20","unstructured":"Input\/output memory management unit. http:\/\/en.wikipedia.org\/wiki\/iommu"},{"key":"130_CR21","unstructured":"Intel. Intel 64 and ia-32 Architectures Software Developer\u2019s Manual, Chap. 19. Introduction to virtual-machine extensions"},{"key":"130_CR22","unstructured":"Joanna. Site web de bluepill. http:\/\/www.bluepillprojet.org"},{"key":"130_CR23","unstructured":"King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: Subvirt: implementing malware with virtual machines. University of Michigan and Microsoft Research. Available at http:\/\/www.eecs.umich.edu\/~pmchen\/papers\/king06.pdf"},{"key":"130_CR24","unstructured":"Microsoft Windows. Driver signing requirements for windows. http:\/\/www.microsoft.com\/whdc\/winlogo\/drvsign\/drvsign.mspx"},{"key":"130_CR25","unstructured":"Myers, M., Youndt, S.: An introduction to hardware-assisted virtual machine (HVM) rootkits. http:\/\/crucialsecurity.com"},{"key":"130_CR26","unstructured":"Northsecuritylabs. Hypersight rootkit detector. http:\/\/www.northsecuritylabs.com"},{"key":"130_CR27","unstructured":"Pluf. Perverting unix processes. (2006). http:\/\/7a69ezine.org\/docs\/7a69-PUP.txt"},{"key":"130_CR28","unstructured":"Pluf and Ripe. Advanced antiforensics: self. Phrack Mag. 11(63) (2005)"},{"key":"130_CR29","unstructured":"ptrace(2)\u2014Linux man page. http:\/\/linux.die.net\/man\/2\/ptrace"},{"key":"130_CR30","unstructured":"Qemu: open source processor emulator. http:\/\/bellard.org\/qemu\/"},{"key":"130_CR31","unstructured":"Rutkowska, J.: Subverting Vista Kernel for Fun and Profit. 2006. SyScan\u201906 & BlackHat Briefings (2006)"},{"key":"130_CR32","unstructured":"Rutkowska, J., Tereshkin, A.: Isgameover() anyone? 2007. BlackHat Briefings (2007)"},{"key":"130_CR33","unstructured":"Rutkowski, J.K.: Execution path analysis: finding kernel based rootkits. Phrack Mag. 13(59) (2002)"},{"key":"130_CR34","unstructured":"Sala\u00fcn, D.G.: Sanson the headman. Rapport Interne Ifsic (2007)"},{"key":"130_CR35","unstructured":"sk devik. Rootkit linux kernel \/dev\/kmem. http:\/\/packetstormsecurity.org\/UNIX\/penetration\/rootkits\/suckit2priv.tar.gz"},{"key":"130_CR36","unstructured":"Stealth. Rootkit linux kernel lkm. http:\/\/packetstormsecurity.org\/groups\/teso\/adore-ng-0.41.tgz"},{"key":"130_CR37","unstructured":"The ERESI team. The eresi reverse engineering software interface. http:\/\/www.eresi-project.org"},{"key":"130_CR38","unstructured":"The Grugq. The design and implementation of userland exec. (2004) http:\/\/www.derkeiler.com\/Mailing-Lists\/Full-Disclosure\/2004-01\/0004.html"},{"key":"130_CR39","unstructured":"Tripwire. Configuration audit and control solutions. http:\/\/www.tripwire.com"},{"key":"130_CR40","unstructured":"Virtualpc. http:\/\/www.microsoft.com\/windows\/products\/winfamily\/virtualpc\/default.mspx"},{"key":"130_CR41","unstructured":"Vmware. http:\/\/www.vmware.com\/"},{"key":"130_CR42","unstructured":"Vmware esx. http:\/\/www.vmware.com\/fr\/products\/vi\/esx\/"},{"key":"130_CR43","unstructured":"Xen. http:\/\/www.xen.org\/"}],"container-title":["Journal in Computer Virology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-009-0130-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s11416-009-0130-8\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-009-0130-8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,1]],"date-time":"2019-06-01T14:45:42Z","timestamp":1559400342000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s11416-009-0130-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009,9,12]]},"references-count":43,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2011,2]]}},"alternative-id":["130"],"URL":"https:\/\/doi.org\/10.1007\/s11416-009-0130-8","relation":{},"ISSN":["1772-9890","1772-9904"],"issn-type":[{"value":"1772-9890","type":"print"},{"value":"1772-9904","type":"electronic"}],"subject":[],"published":{"date-parts":[[2009,9,12]]}}}