Motivation

Cyberattacks pose a significant and steadily growing threat to businesses and government organizations. To address this challenge, proactive and preventive security mechanisms continue to be a crucial pillar in the architecture of secure IT systems. The aim is to conceptually prevent attacks. However, the practical implementation of proactive mechanisms is incomplete and does not provide comprehensive security, as evidenced by daily cyberattacks on businesses and government agencies. To address this issue, effective IT security architecture also includes reactive methods to detect attacks as they happen. Endpoint Detection and Response (EDR) software serves as a practical implementation of a reactive security solution used in many organizations. EDR software is installed on client computers (endpoints) and monitors behavior for anomalies that may indicate an attack, attempting to thwart such attacks. The behavioral information from endpoints is aggregated at a higher level to enhance detection within the organization. The sensors in today’s EDR systems are primarily located in the kernel of the operating systems (security drivers). If attackers manage to gain system privileges and execute malicious code in kernel context, the functionality of these EDR systems can be significantly compromised or even completely shut down. As a result, further cyberattacks could go unnoticed. Our analyses have shown that modern malware and advanced attackers are increasingly attempting to infiltrate the operating system kernel and disrupt existing EDR software.

Goals and Approach

In the project “Hypervisor-Based Intrusion Detection, Reaction, and Prevention for Endpoint Systems (HypErSIS),” the project team focuses on securing virtualized endpoints using hypervisor-based detection methods. Virtualized endpoints are client computers where a hypervisor runs, hosting one or more virtual machines (VMs) that are the actual user systems (mostly Windows-based) users work with. In the approach pursued in HypErSIS, the sensors are anchored outside the user VMs in the trusted host environment. Virtualization serves as a secure isolation layer in this context. Attacks occurring within the VMs are no longer capable of disabling the detection mechanisms implemented outside. Even the infiltration of malware into the operating system kernels of virtualized systems can be reliably detected and prevented. Since users interact with the VMs and only these have access to untrusted external resources (e.g., internet access), only the systems within the VMs are at risk.

To create sensors capable of monitoring activities within the VMs and detecting malicious behavior, the system state within the VMs must be interpreted from the main memory contents observable from the outside. This aspect poses a significant challenge in the project. The problem is referred to as the Semantic Gap, and solutions fall within the research domain of Virtual Machine Introspection. Solutions to partial problems are known from digital main memory forensics, which also has to deal with the Semantic Gap problem. Therefore, the project will investigate how existing methods can be mapped to the basic functions of a virtualization platform. Furthermore, the virtualization technology itself will be explored for its ability to provide more meaningful sensor data.
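The semantic-gap problem described above, reduced to a runnable illustration (an added example, not code from the HypErSIS project): the host sees only raw guest-physical bytes and a page table, and a profile of structure offsets turns those bytes back into "processes". The object layout, pool tag and page-table format are hypothetical stand-ins for a real OS profile, and the memory image is constructed inline. The example also shows the cross-view technique from memory forensics: a process unlinked from the kernel's process list by direct kernel object manipulation is still found by carving for its pool tag.

```python
"""Bridging the semantic gap over a raw guest memory image.

Added example, not HypErSIS code. The process-object layout, pool tag and
flat page table below are hypothetical; a real VMI monitor takes these
offsets from the guest's debug symbols and walks the real page tables.
"""
import struct

PAGE_SHIFT = 12
PAGE = 1 << PAGE_SHIFT
TAG_TO_OBJECT = 8  # the 4-byte pool tag sits 8 bytes before the object (constructed)

# Hypothetical profile of a process object (not real Windows offsets).
PROFILE = {
    "pool_tag": b"Proc",
    "pid": 0x00,    # u32
    "name": 0x08,   # 16 bytes, NUL padded
    "links": 0x18,  # LIST_ENTRY-style {flink: u64, blink: u64} holding virtual addresses
}


class GuestMemory:
    """Raw guest-physical memory plus a flat page table (virtual page -> physical frame).

    This is the hypervisor's view: bytes and address translation, but no notion
    of 'process' until the profile is applied.
    """

    def __init__(self, phys: bytearray, page_table: dict):
        self.phys = phys
        self.page_table = page_table

    def v2p(self, vaddr: int) -> int:
        vpn, off = vaddr >> PAGE_SHIFT, vaddr & (PAGE - 1)
        if vpn not in self.page_table:
            raise ValueError(f"unmapped guest virtual address {vaddr:#x}")
        return (self.page_table[vpn] << PAGE_SHIFT) | off

    def read_phys(self, paddr: int, size: int) -> bytes:
        return bytes(self.phys[paddr:paddr + size])

    def read_virt(self, vaddr: int, size: int) -> bytes:
        # Simplification: assumes the read does not straddle a page boundary.
        return self.read_phys(self.v2p(vaddr), size)


def parse_process(read, addr: int) -> dict:
    """Apply the profile to the bytes at addr (read is a physical or virtual reader)."""
    pid = struct.unpack("<I", read(addr + PROFILE["pid"], 4))[0]
    name = read(addr + PROFILE["name"], 16).split(b"\0", 1)[0].decode("ascii")
    return {"pid": pid, "name": name}


def walk_process_list(mem: GuestMemory, head: int) -> list:
    """List view: follow flink from a known process object until the list wraps.

    This is what an in-guest API effectively reports, so an object unlinked by
    DKOM does not appear here.
    """
    seen, cur = [], head
    for _ in range(4096):  # bound the walk so a corrupted list cannot spin forever
        seen.append(parse_process(mem.read_virt, cur))
        flink = struct.unpack("<Q", mem.read_virt(cur + PROFILE["links"], 8))[0]
        cur = flink - PROFILE["links"]  # CONTAINING_RECORD: links field -> object base
        if cur == head:
            break
    return seen


def scan_pool_tags(mem: GuestMemory) -> list:
    """Carving view: find objects by pool tag in physical memory, linked or not."""
    found, pos = [], 0
    while (pos := mem.phys.find(PROFILE["pool_tag"], pos)) != -1:
        found.append(parse_process(mem.read_phys, pos + TAG_TO_OBJECT))
        pos += 1
    return found


def find_hidden_processes(mem: GuestMemory, head: int) -> list:
    """Cross-view comparison: present in the carving view, missing from the list view."""
    listed = {p["pid"] for p in walk_process_list(mem, head)}
    return [p for p in scan_pool_tags(mem) if p["pid"] not in listed]


def build_constructed_image() -> GuestMemory:
    """Constructed 32 KiB guest image with three process objects, one of them unlinked."""
    phys = bytearray(8 * PAGE)
    mem = GuestMemory(phys, {0x100: 2, 0x101: 5, 0x102: 3})  # vpn -> physical frame
    SYSTEM, EXPLORER, HIDDEN = 0x100040, 0x101040, 0x102040

    def place(vaddr, pid, name, flink_obj, blink_obj):
        p = mem.v2p(vaddr)
        phys[p - TAG_TO_OBJECT:p - TAG_TO_OBJECT + 4] = PROFILE["pool_tag"]
        struct.pack_into("<I", phys, p + PROFILE["pid"], pid)
        struct.pack_into("16s", phys, p + PROFILE["name"], name.encode("ascii"))
        struct.pack_into("<QQ", phys, p + PROFILE["links"],
                         flink_obj + PROFILE["links"], blink_obj + PROFILE["links"])

    place(SYSTEM, 4, "System", EXPLORER, EXPLORER)
    place(EXPLORER, 1234, "explorer.exe", SYSTEM, SYSTEM)
    place(HIDDEN, 6666, "dropper.exe", HIDDEN, HIDDEN)  # neighbours no longer point here
    return mem


if __name__ == "__main__":
    image = build_constructed_image()
    print("list view:     ", walk_process_list(image, 0x100040))
    print("hidden by DKOM:", find_hidden_processes(image, 0x100040))
```

The two views disagree only when something has been unlinked, which is why a VMI sensor outside the VM compares them instead of trusting the list alone; the guest kernel's own APIs would report the list view.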

Basis

VMI Monitoring for Windows VMs. Thanks to virtualization, the sensor software (VMI Monitor) is effectively isolated from the system being monitored and is thereby protected from malware attacks. Access to the monitored system for security monitoring is done via Virtual Machine Introspection (VMI) through the hypervisor layer.

Innovations and Perspectives

As hypervisor-based technology is increasingly employed, expanding the know-how to protect IT systems using it becomes crucial. The project’s results will initially contribute to significantly enhancing security in Windows-based virtualized endpoints. In the future, it is conceivable to transfer the gained knowledge to other platforms and architectures. Hypervisor-based technology forms the basis for ubiquitous virtualization in data centers and the cloud. Even in these growth areas, there is a need for hypervisor-based security solutions. The results of this project can potentially enhance security in cloud computing as well.

Furthermore, the project aims to facilitate knowledge transfer of fundamental insights regarding the use of virtualization technology and the security solutions it provides to industry and research. In this way, the HypErSIS project contributes to the security of corporate and government networks and strengthens the high-tech sector in Germany.

HypErSIS team at if(is): A. Schmitz, C. Dietrich, A. Leinweber, M. Gudel, E. Winterstein, A. Karazon, S. Rudi

EtwEventMon:
VMI-based ETW event monitoring

We developed a novel technique that uses the internal Windows‑kernel tracing system Event Tracing for Windows (ETW) to monitor system behaviour from outside a potentially infected VM. Via virtual machine introspection (VMI), we activate ETW providers residing in user- and kernel-space code by injecting calls to the provider activation callbacks registered by those providers. Event signaling is intercepted via Hyper-Breakpoints, and the volatile ETW event data is extracted and interpreted outside the system. By reverse engineering the internal structures and data formats of the ETW system, we were able to interpret these undocumented binary structures and thereby monitor the behaviour of Windows systems and detect malware infections and malicious actions.

The method we use to activate ETW tracing through VMI leaves no artifacts (no ETW sessions, no log files, no manipulated kernel data structures) on the target system, so the monitoring is invisible to the system, its software, and an attacker. Moreover, our approach captures the data on the signaling path shortly after it is created and has no dependency on the ETW control infrastructure. Consequently, our technique is robust against most attack vectors aimed at the ETW system.

Demos

In this demonstration, we present our in-memory YARA scanner for Windows VMs, which makes it possible to detect malware artifacts in the memory of a running Windows VM from the outside without any in-VM agent components. It is possible to scan the virtual address spaces of the guest system’s processes using YARA memory signatures. In user space, the context information from the VAD tree is used to scan efficiently with awareness of memory regions and to enrich matches with context information. In the video, we show how malware infections and malicious artifacts generated by malware inside a running VM are detected from outside. For this, we recreated a real-world case involving the WINELOADER malware and the ROOTSAW loader developed by the Russian state actor APT29.
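What "VAD-aware" scanning means in practice, as an added example that is not the scanner shown in the demo: the scanner walks the process's VAD tree in address order, skips regions that cannot be read, searches only what is mapped, and reports every hit together with the region's protection and backing file. Windows keeps the VADs in a balanced tree of _MMVAD nodes; the tree, the region contents and the `read_region` reader below are constructed stand-ins, and the byte-pattern rules stand in for YARA rules.

```python
"""VAD-aware in-memory signature scan of a guest process from outside the VM.

Added example, not HypErSIS code. The VAD tree, protections, region contents
and read_region() are constructed; Rule is a YARA stand-in (all patterns of a
rule must occur inside one region).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vad:
    start: int
    end: int                           # exclusive
    protection: str                    # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str] = None  # None means private (anonymous) memory
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None


def inorder(node: Optional[Vad]):
    """Yield VADs in ascending address order (in-order walk of the tree)."""
    if node is None:
        return
    yield from inorder(node.left)
    yield node
    yield from inorder(node.right)


@dataclass
class Rule:
    name: str
    patterns: List[bytes]


def scan_process(vad_root: Vad, read_region, rules: List[Rule],
                 skip_protections=("PAGE_NOACCESS",)) -> list:
    """Scan each readable region once and enrich hits with VAD context."""
    matches = []
    for vad in inorder(vad_root):
        if vad.protection in skip_protections:
            continue
        data = read_region(vad.start, vad.end - vad.start)
        if data is None:  # region not resident or otherwise unreadable from the host
            continue
        for rule in rules:
            hits = {pat: data.find(pat) for pat in rule.patterns}
            if all(off != -1 for off in hits.values()):
                matches.append({
                    "rule": rule.name,
                    "vaddr": vad.start + min(hits.values()),
                    "region": (vad.start, vad.end),
                    "protection": vad.protection,
                    "mapped_file": vad.mapped_file,
                    # Executable memory with no backing file is the typical footprint
                    # of injected code, so the context flags it explicitly.
                    "private_executable": vad.mapped_file is None and "EXECUTE" in vad.protection,
                })
    return matches


# Constructed region contents keyed by region start (stand-in for VMI reads).
CONSTRUCTED_REGIONS = {
    0x00010000: b"\0" * 64 + b"config=http://example.invalid/beacon" + b"\0" * 64,
    0x00400000: b"MZ" + b"\0" * 254,
    0x7FFE0000: b"\0" * 32 + b"CONSTRUCTED-STAGE2-MARKER" + b"\0" * 32,
}


def read_region(start: int, size: int) -> Optional[bytes]:
    data = CONSTRUCTED_REGIONS.get(start)
    return None if data is None else data[:size].ljust(size, b"\0")


def build_vad_tree() -> Vad:
    root = Vad(0x00400000, 0x00500000, "PAGE_EXECUTE_WRITECOPY",
               "C:\\Windows\\System32\\notepad.exe")              # mapped image
    root.left = Vad(0x00010000, 0x00020000, "PAGE_READWRITE")      # private heap
    root.right = Vad(0x7FFE0000, 0x7FFE2000, "PAGE_EXECUTE_READWRITE")  # private RWX
    root.right.left = Vad(0x7FFD0000, 0x7FFE0000, "PAGE_NOACCESS")  # reserved, skipped
    return root


RULES = [
    Rule("constructed_stage2", [b"CONSTRUCTED-STAGE2-MARKER"]),
    Rule("constructed_beacon_config", [b"config=", b"/beacon"]),
]

if __name__ == "__main__":
    for m in scan_process(build_vad_tree(), read_region, RULES):
        print(m)
```

Because every region is read exactly once and unreadable ranges are skipped, the scan cost scales with the mapped memory of the process rather than with the full 64-bit address space, and the `private_executable` flag gives an analyst the same kind of context the demo attaches to its matches.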

In this demonstration, we present a VMI-based detection pipeline that is located entirely outside the VM being monitored and does not use any guest agents or other in-VM components. It applies CAPA behavioral signatures to ETW events from guest software that we capture from outside using VMI. Activities in the guest system are tracked in fine detail. By analyzing patterns in the sequences of actions, it is possible to detect malware infections and follow the individual steps performed by the malware in detail. In the video, we demonstrate our method using the example of the WINELOADER malware and its loader, ROOTSAW, developed by the Russian state actor APT29.
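The pattern-over-sequences idea from the pipeline above, as an added example that is not the HypErSIS pipeline or CAPA itself: a rule is an ordered list of behavioural steps that must all occur in one process within a time window, and a per-process state machine advances over the decoded event stream. The provider names are real ETW providers, but the opcodes, field names, the rule and every event are constructed for this example; in the real pipeline the events would come from the VMI-based ETW extraction rather than from a literal list.

```python
"""Sequence-signature matching over decoded ETW-style events.

Added example, not HypErSIS code or CAPA. Events, opcodes, field names and
the rule are constructed; provider names are real ETW provider names.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since capture start
    pid: int
    provider: str
    opcode: str
    data: dict


@dataclass
class Rule:
    name: str
    steps: List[tuple]  # ordered (label, predicate) pairs, all in one process
    window: float       # max seconds between first and last matched step


def _under(path: str, fragment: str) -> bool:
    return fragment.lower() in path.lower()


# Constructed behavioural rule: a process started from a user-writable directory
# loads a DLL from such a directory, connects out, then writes to a Startup folder.
LOADER_RULE = Rule(
    "loader_from_user_writable_dir",
    [
        ("start",   lambda e: e.opcode == "ProcessStart"
                              and _under(e.data.get("image", ""), "\\AppData\\Local\\Temp\\")),
        ("load",    lambda e: e.opcode == "ImageLoad"
                              and _under(e.data.get("image", ""), "\\AppData\\Local\\Temp\\")),
        ("connect", lambda e: e.opcode == "Connect"),
        ("persist", lambda e: e.opcode == "FileCreate"
                              and _under(e.data.get("path", ""), "\\Startup\\")),
    ],
    window=30.0,
)


def match_rules(events: List[Event], rules: List[Rule]) -> list:
    """Run every rule as a per-process state machine over the time-ordered stream."""
    matches, state = [], {}  # state[(rule, pid)] = (next step, first ts, matched events)
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            key = (rule.name, ev.pid)
            idx, t0, chain = state.get(key, (0, None, []))
            if t0 is not None and ev.ts - t0 > rule.window:
                idx, t0, chain = 0, None, []  # window expired: forget partial progress
            label, pred = rule.steps[idx]
            if pred(ev):
                chain, idx = chain + [(label, ev)], idx + 1
                t0 = ev.ts if t0 is None else t0
                if idx == len(rule.steps):
                    matches.append({"rule": rule.name, "pid": ev.pid, "events": chain})
                    idx, t0, chain = 0, None, []
            state[key] = (idx, t0, chain)
    return matches


# Constructed event stream in the shape of decoded ETW telemetry.
KP, KN, KF = ("Microsoft-Windows-Kernel-Process",
              "Microsoft-Windows-Kernel-Network", "Microsoft-Windows-Kernel-File")
SAMPLE_EVENTS = [
    Event(0.0, 1200, KP, "ProcessStart", {"image": "C:\\Windows\\explorer.exe"}),
    Event(1.0, 4321, KP, "ProcessStart",
          {"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "parent": 1200}),
    Event(1.4, 4321, KP, "ImageLoad", {"image": "C:\\Windows\\System32\\kernel32.dll"}),
    Event(1.5, 4321, KP, "ImageLoad",
          {"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll"}),
    Event(2.5, 4321, KN, "Connect", {"daddr": "198.51.100.10", "dport": 443}),
    Event(3.0, 4321, KF, "FileCreate",
          {"path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
                   "Start Menu\\Programs\\Startup\\update.lnk"}),
    Event(3.5, 5000, KP, "ProcessStart",
          {"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\installer.exe"}),
    Event(4.0, 5000, KN, "Connect", {"daddr": "198.51.100.20", "dport": 443}),
    Event(4.5, 1200, KF, "FileCreate", {"path": "C:\\Users\\alice\\Documents\\notes.txt"}),
]

if __name__ == "__main__":
    for m in match_rules(SAMPLE_EVENTS, [LOADER_RULE]):
        print(m["rule"], "pid", m["pid"], [lbl for lbl, _ in m["events"]])
```

Only pid 4321 completes all four steps; pid 5000 starts from the same kind of directory and connects out but never loads a DLL from there or persists, so it produces no match. Keeping the matched event chain in the result is what lets an analyst follow the individual steps after the fact.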

In this demonstration, we show the robustness of our VMI-based ETW event extraction against attacks on the ETW system by EDR-blinding malware. FudModule is a malware developed by Lazarus, a North Korean state APT actor, which is used as a post-exploitation tool to disrupt EDR agents. As one of several EDR blinding methods, FudModule also attacks the ETW system in the Windows kernel through a vulnerability in a device driver (BYOVD). Specifically, FudModule zeros the provider registration handles of the ETW providers in the kernel by Direct Kernel Object Manipulation (DKOM), which results in signaled events no longer being captured within the VM. In the video, we show that our VMI-based solution is not affected by this attack, because all of our event processing is located outside the infected system, and we therefore do not rely on the guest Windows ETW infrastructure. The video shows how the internal capture of ETW events stops after FudModule (1f0a6.dll) is launched, but we are still capturing all ETW events externally via VMI.

Publications

  • Schmitz, A.; Karazon, A.; Leinweber, A.; Gudel, M.; Springer, R.; Telöken, S.; Beierlieb, L.; Dietrich, C. ETW through VMI: Hypervisor-Level Collection of Windows ETW Telemetry. 23rd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA ’26). Published: to appear.
  • Beierlieb, L.; Schmitz, A.; Karazon, A.; Leinweber, A.; Dietrich, C. EPT Switching vs. Instruction Repair vs. Instruction Emulation: A Performance Comparison of Hyper-Breakpoint Variants. Eng 2025, 6, 278. PDF download. Published: 16 October 2025.
    • Abstract: Virtual Machine Introspection (VMI) is a powerful technology used to detect and analyze malicious software inside Virtual Machines (VMs) from the outside. Asynchronous access to the VM’s memory can be insufficient for efficient monitoring of what is happening inside of a VM. Active VMI introduces breakpoints to intercept VM execution at relevant points. Especially for frequently visited breakpoints, and even more so for production systems, it is crucial to keep performance overhead as low as possible. In this paper, we present an empirical study that compares the performance of four VMI breakpoint-implementation variants—EPT switching (SLAT view switching) with and without fast single-stepping acceleration, instruction repair, and instruction emulation—from two VMI applications (DRAKVUF, SmartVMI) with the XEN hypervisor on 20 Intel Core i processors ranging from the fourth to the thirteenth generation. Instruction emulation was the fastest method across all 20 tested platforms. Modern processors such as the Intel Core i7 12700H and Intel Core i9 13900HX achieved median breakpoint-processing times as low as 15 µs for the emulation mechanism. The slowest method was instruction repair, followed by EPT switching and EPT switching with FSS. The order was the same for all measurements, indicating that this is a strong and generalizable result.
  • Beierlieb, L.; Schmitz, A.; Springer, R.; Dietrich, C.; Iffländer, L. Benchmarking Hyper-Breakpoints for Efficient Virtual Machine Introspection. Electronics 2025, 14, 534. PDF download. Published: 28 January 2025.
    • Abstract: Virtual Machine Introspection (VMI) is a powerful technology used to detect and analyze malicious software inside Virtual Machines (VMs) from outside. Asynchronously accessing the VM’s memory can be insufficient for efficiently monitoring what is happening inside of a VM. Active VMI introduces breakpoints to intercept VM execution at relevant points. Especially for frequently visited breakpoints, and even more so for production systems, it is crucial to keep their performance overhead as low as possible. In this paper, we provide a systematization of existing VMI breakpoint implementation variants, propose workloads to quantify the different performance penalties of breakpoints, and implement them in the benchmarking application bpbench. We used this benchmark to measure that, on an Intel Core i5 7300U, SmartVMI’s breakpoints take around 81 µs to handle, and keeping the breakpoint invisible costs an additional 21 µs per read access. The availability of bpbench facilitates the comparison of disparate breakpoint mechanisms and their performance optimization with immediate feedback.
    • You can find more information in the blog post by Cyberus Technology GmbH: Securing The Past Efficiently: Measuring the Cost of Virtual Machine Introspection.

The 3-year joint project HypErSIS is a cooperation between the working group of Prof. Dietrich at the Institute for Internet Security at the Westphalian University of Applied Sciences and Cyberus Technology GmbH. It is funded by the German Federal Ministry of Research, Technology and Space (BMFTR) with a total of 1.66 million EUR under the funding code 16KIS1746.

With funding from the Federal Ministry of Research, Technology and Space

Alexander Schmitz

Researcher

My research interests include computer security, malware analysis and detection systems. I am particularly interested in low-level topics such as operating systems, microprocessors and virtual machine introspection.

Artur Leinweber

Researcher

My research interests include machine learning, computer security and threat hunting. In particular, I use machine learning methods for virtual machine introspection-based detection systems.

Anas Karazon

Researcher

My research interests focus on cyber threat intelligence, reverse engineering, and malware analysis. Specifically, I utilize reverse engineering techniques to enhance detection systems through Virtual Machine Introspection (VMI).

Prof. Dr. Christian Dietrich

Professor of Computer Security

My research interests include machine learning, computer security and threat hunting. In particular, I use machine learning methods for virtual machine introspection-based detection systems.