Abstract: Leveraging virtualization technology, rootkit has improved its stealth capability greatly. Research on VMM based rootkit has become the focus in computer security field. This paper summarized the traditional hidden methods and the bottleneck of the in-box technology, introduced the advantage of VMM at architecture and the implementation based on software and hardware,and then analyzed the design and operation mechanisms of various VMM Rootkits. In order to resolve the limitation of VMM existence detection, it proposed a new method detecting malicious VMM. In addition,this paper discussed the evolvement of VMM Rootkit,and presented how to apply virtualization technictues safely to defend VMM Rootkit.

Key words: Rootkit, VMM, Detection, Defence