Blackhat Review - Subverting Vista Kernel For Fun And Profit

The 64-bit version of Windows Vista stops administrators from loading unsigned drivers. This is done so that DRM can be enforced and to stop rootkits from loading (and, consequently, it gives Microsoft control over who can write device drivers).

Joanna Rutkowska found a way to bypass this restriction without having to restart the OS. She found that she could force a driver to be paged out of memory, modify the paged-out code on disk, then have the driver paged back into memory. This gave her a foothold in ring zero. From there her patched driver could load other unsigned code.

Joanna also had the coolest idea presented at Black Hat. AMD64 has a new hardware extension designed to create a virtual CPU to aid in OS virtualization. She found that using this feature she could move the running OS into a virtual machine on the fly. With the OS now running in a VM, she can run the rootkit on the real CPU. This is a great idea, and it makes for the stealthiest rootkit yet. There isn’t any easy way to detect her rootkit. This method does not survive a reboot, but it is very stealthy.
