Fig. 3 | Cybersecurity

Fig. 3

From: Hypervisor-assisted dynamic malware analysis

Windows memory layout after a write to the SYSENTER_EIP MSR. The wrmsr instruction is intercepted by the hypervisor. Upon interception, the hypervisor locates the kernel-image base by scanning backward at page granularity until the PE magic number (0x4d5a90) is encountered. Finally, the hypervisor looks up the address of ExAllocatePool in the image's export table.
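The lookup the caption describes, as an added example that is not code from the article: a Python simulation over a constructed memory buffer, where buffer offsets stand in for guest virtual addresses. The function names, the addresses, and the extra `PE\0\0` signature check (used to reject a stray "MZ" page) are assumptions of this sketch.

```python
import struct

PAGE = 0x1000

def find_image_base(mem, addr):
    """Scan backward from addr, one page at a time, for a PE image header."""
    page = addr & ~(PAGE - 1)
    while page >= 0:
        if mem[page:page + 2] == b"MZ":
            e_lfanew = struct.unpack_from("<I", mem, page + 0x3C)[0]
            # Assumption of this sketch: also require the NT signature.
            if mem[page + e_lfanew:page + e_lfanew + 4] == b"PE\0\0":
                return page
        page -= PAGE
    return None

def find_export(mem, base, name):
    """Resolve an exported name through the image's export directory."""
    opt = base + struct.unpack_from("<I", mem, base + 0x3C)[0] + 24
    magic = struct.unpack_from("<H", mem, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    exp = base + struct.unpack_from("<I", mem, dirs)[0]
    n_names, funcs, names, ords = struct.unpack_from("<4I", mem, exp + 24)
    for i in range(n_names):
        rva = struct.unpack_from("<I", mem, base + names + 4 * i)[0]
        end = mem.index(b"\0", base + rva)
        if mem[base + rva:end] == name:
            # Name index -> ordinal table -> function RVA table.
            idx = struct.unpack_from("<H", mem, base + ords + 2 * i)[0]
            return base + struct.unpack_from("<I", mem, base + funcs + 4 * idx)[0]
    return None

def build_memory():
    """Constructed sample: minimal PE32 image at 0x3000 with two exports."""
    mem = bytearray(0x8000)
    base, exp = 0x3000, 0x4000
    mem[0x5000:0x5002] = b"MZ"                        # decoy page, no PE header
    mem[base:base + 2] = b"MZ"
    struct.pack_into("<I", mem, base + 0x3C, 0x80)    # e_lfanew
    mem[base + 0x80:base + 0x84] = b"PE\0\0"
    struct.pack_into("<H", mem, base + 0x98, 0x10B)   # optional-header magic
    struct.pack_into("<I", mem, base + 0xF8, 0x1000)  # export directory RVA
    struct.pack_into("<5I", mem, exp + 20, 2, 2, 0x1100, 0x1200, 0x1300)
    struct.pack_into("<2I", mem, base + 0x1100, 0x2222, 0x2111)  # function RVAs
    struct.pack_into("<2I", mem, base + 0x1200, 0x1400, 0x1410)  # name RVAs
    struct.pack_into("<2H", mem, base + 0x1300, 1, 0)            # name ordinals
    for rva, s in ((0x1400, b"ExAllocatePool\0"), (0x1410, b"ExFreePool\0")):
        mem[base + rva:base + rva + len(s)] = s
    return mem
```

Calling `find_image_base(build_memory(), 0x6123)` treats 0x6123 as the constructed SYSENTER_EIP value and skips the decoy page at 0x5000 before returning the image base.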
