In recent years, malware authors have developed increasingly sophisticated rootkits that burrow into the operating system itself, modifying basic filesystem and process management code so that they are essentially invisible to anyone using the machine: no files visible, no processes apparent. While some progress has been made in detecting that a rootkit has compromised a system, preemptively blocking an attack has remained challenging, since the malware hijacks system functions that the kernel itself depends on and cannot simply do without. A team of computer scientists has now described a tool, called HookSafe, that uses virtualization to preempt rootkits by moving and protecting the kernel hooks that they target.
Rootkits burrow their way into an operating system's kernel using a process called hooking. The services provided by a kernel—file system and hardware access, memory management, etc.—are accessible through callable functions. The kernel keeps track of where the functions reside in memory using pointers, which contain the addr
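To make hooking concrete, here is an added user-space model in C. It is not code from the HookSafe paper or from the researchers; the hook table, the directory listing, the function names and the one-entry approval list are all constructed for the illustration. It shows a rootkit overwriting a function pointer to hide its own loader from a directory listing, a boot-time snapshot that detects the swap afterwards, and a read-only page plus a mediated update path that stops the overwrite while still letting sanctioned updates through, a user-space stand-in for the page-level protection a hypervisor would enforce.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed user-space model of kernel hooking (not kernel or HookSafe code).
 * struct hook_table stands in for a kernel dispatch table: callers reach the
 * directory-listing routine only through its function pointer, so whoever
 * overwrites that pointer decides what every caller sees. */
typedef int (*list_dir_fn)(const char **out, int max);
struct hook_table { list_dir_fn list_dir; };

/* Constructed directory contents; the rootkit wants "rk_loader" hidden. */
static const char *disk_entries[] = { "bin", "etc", "rk_loader", "home" };

static int real_list_dir(const char **out, int max)
{
    int n = 0;
    for (size_t i = 0; i < sizeof disk_entries / sizeof disk_entries[0]; i++)
        if (n < max)
            out[n++] = disk_entries[i];
    return n;
}

static struct hook_table *hooks;     /* the hook lives on its own page */
static struct hook_table boot_copy;  /* trusted copy taken at "boot" */
static long page_size;

/* Map the hook table onto a dedicated page; protect=1 makes it read-only. */
int hooks_init(int protect)
{
    page_size = sysconf(_SC_PAGESIZE);
    if (hooks)
        munmap(hooks, page_size);
    void *p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    hooks = p;
    hooks->list_dir = real_list_dir;
    boot_copy = *hooks;
    return protect ? mprotect(p, page_size, PROT_READ) == 0 : 1;
}

/* Normal path: the rest of the "kernel" calls through the hook. */
int kernel_list_dir(const char **out, int max) { return hooks->list_dir(out, max); }

/* Detection after the fact: has the pointer changed since boot? */
int hooks_intact(void) { return hooks->list_dir == boot_copy.list_dir; }

/* Rootkit side: swap the pointer, then filter the real routine's output. */
static list_dir_fn saved_original;

static int rootkit_list_dir(const char **out, int max)
{
    int n = saved_original(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], "rk_", 3) != 0)
            out[kept++] = out[i];
    return kept;
}

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Returns 1 if page protection blocked the overwrite, 0 if it landed. */
int rootkit_install(void)
{
    struct sigaction sa, old[2];
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    int sigs[2] = { SIGSEGV, SIGBUS };   /* macOS reports the fault as SIGBUS */
    for (int i = 0; i < 2; i++)
        sigaction(sigs[i], &sa, &old[i]);
    volatile int blocked = 1;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        saved_original = hooks->list_dir;
        hooks->list_dir = rootkit_list_dir;  /* faults if the page is read-only */
        blocked = 0;
    }
    for (int i = 0; i < 2; i++)
        sigaction(sigs[i], &old[i], NULL);
    return blocked;
}

/* Defender side: the only sanctioned way to change a protected hook. The
 * page is writable just for this update, and only approved targets pass. */
int protected_set_hook(list_dir_fn fn)
{
    if (fn != real_list_dir)
        return 0;
    mprotect(hooks, page_size, PROT_READ | PROT_WRITE);
    hooks->list_dir = boot_copy.list_dir = fn;
    return mprotect(hooks, page_size, PROT_READ) == 0;
}
```

Calling hooks_init(0), then rootkit_install() and kernel_list_dir(), shows the "rk_loader" entry vanish from the listing while hooks_intact() turns false; after hooks_init(1) the same overwrite faults on the read-only page and rootkit_install() reports it as blocked, leaving protected_set_hook() as the only path that can change the pointer. The SIGSEGV/SIGBUS handler is there purely so the blocked write can be observed in-process; in the scheme the article describes, that fault would be taken and judged by the hypervisor rather than by the kernel being protected.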