Undetectable Monitoring in a Fully-Virtualized Environment - A Continuation of the HAL Keystroke Logger

Virtualization is ever an expanding research field and, as many predict, the way of the future for large scale business and server solutions. Originally designed as a method of centralizing physical resources and maintenance, recent research has developed methods of also utilizing virtualization for centralizing machine monitoring. Recently, there have been substantial advances in centralized monitoring in a virtualized environment[1]. Specifically, researchers at the Georgia Tech have developed XenAccess, a system for monitoring memory in a paravirtualized environment [2]. This paper highlights the differences between two popular virtualization methods, paravirtualization and full-system virtualization. A comparison between techniques used by XenAccess to those implemented in our undetectable Hardware Abstraction Layer (HAL) Keystroke Logger is then presented before expanding the original HAL template and finally discussing in detail methods to monitor disk access and memory management.