By exploiting hardware features such as Intel VT or AMD-V, this type of rootkit runs in Ring-1 and hosts the target operating system as virtual machine, thereby enabling the rootkit to intercept all hardware calls made by the target operating system. Unlike normal hypervisors, they do not have to load before the OS, but can load into an operating system before promoting it into a virtual machine. A hypervisor rootkit does not have to make any modifications to the kernel of the target in order to subvert it-thereby making its detection very difficult. Suggest an approach to detect such rootkits.
Notes: Use any publicly available rootkit or simulate your own rootkit to demonstrate the approach
Sample Data Required: No