How SVV Verifies Windows Kernel Driver Integrity

System Virginity Verifier (SVV) is a legacy, specialized rootkit detection tool developed by security researcher Joanna Rutkowska in 2005. It evaluates Windows kernel driver integrity using a concept known as Explicit Compromise Detection. Instead of searching for known malware signatures, SVV validates whether the core operating system components running in memory remain in a pristine, “virgin” state.

SVV analyzes and verifies Windows kernel-mode drivers through a cross-view mechanism.

1. Cross-View Code Section Comparison

The primary methodology used by SVV relies on bitwise integrity checking.

The Process: SVV maps active kernel drivers (.sys files) and critical system components currently executing in physical memory. It simultaneously accesses the corresponding binary file stored safely on the local file system.

The Comparison: It executes a byte-by-byte comparison between the .text (executable code) sections of the driver in memory and the driver on disk. Because code sections are strictly read-only in memory during normal execution, any mismatch directly signals unauthorized manipulation.

2. Identifying Malicious Hooks

Malware or rootkits targeting the kernel often intercept code execution by placing inline hooks. SVV identifies these by evaluating the modifications found during the memory-to-disk comparison:

Modification Assessment: If the bytes differ, SVV tracks where the modified instructions point.

Unmapped Redirection: If a modified instruction diverts code execution to an address that does not belong to any legitimately loaded kernel module, SVV flags it as highly suspicious. This pattern typically denotes that code is executing out of a manually allocated, hidden memory block.

3. Calculating an “Infection Level”

SVV handles the variations inherent in a live operating system with an evaluation algorithm. It accounts for false positives resulting from expected runtime changes, such as base memory relocations or localized page faults. Once it filters out normal behaviors, it assigns an infection level based on the severity and intent of the code modification, alerting the administrator if a rootkit is actively hiding.

4. Critical Kernel Table Auditing
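The checks described in sections 1 through 3 above, together with the pointer-table auditing this section goes on to describe, as one added example that is not SVV's own code: it diffs a constructed 32-byte .text section against its on-disk copy, explains a loader relocation as benign, decodes an inline jmp rel32 and checks whether its target belongs to any loaded module, applies the same owner check to SSDT, IDT and IRP dispatch entries, and folds the results into an infection level. The module map, addresses, byte sequences, table contents and the 0 to 3 severity scale are all constructed for the example, and the function names are assumptions of this illustration rather than SVV's.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:            # a legitimately loaded kernel module (constructed values below)
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def owner_of(addr, modules):
    """The loaded module containing addr, or None when nothing legitimate maps it."""
    return next((m for m in modules if m.contains(addr)), None)


def diff_runs(mem, disk, merge_gap=2):
    """Byte-by-byte comparison of two section images: (offset, length) runs that differ.
    Runs separated by <= merge_gap equal bytes are merged, so a multi-byte patch that
    happens to share a byte with the original is still reported as one modification."""
    runs, i, n = [], 0, min(len(mem), len(disk))
    while i < n:
        if mem[i] == disk[i]:
            i += 1
            continue
        j = i
        while j < n and mem[j] != disk[j]:
            j += 1
        if runs and i - (runs[-1][0] + runs[-1][1]) <= merge_gap:
            runs[-1] = (runs[-1][0], j - runs[-1][0])
        else:
            runs.append((i, j - i))
        i = j
    return runs


def classify_run(off, length, mem, disk, section_va, delta, relocs, modules):
    """Explain one modified run: loader relocation, inline jmp/call hook, or unknown patch.
    Severity is a constructed 0-3 scale, not SVV's own infection levels."""
    where = f".text+{off:#x}"
    for r in relocs:     # expected runtime change: fixup equals the disk value plus the load delta
        if r <= off and off + length <= r + 4:
            (on_disk,), (in_mem,) = struct.unpack_from("<I", disk, r), struct.unpack_from("<I", mem, r)
            if in_mem == (on_disk + delta) & 0xFFFFFFFF:
                return {"where": where, "kind": "relocation", "severity": 0, "target": None}
    if mem[off] in (0xE9, 0xE8) and off + 5 <= len(mem):    # jmp rel32 / call rel32 written over code
        (rel,) = struct.unpack_from("<i", mem, off + 1)
        target = (section_va + off + 5 + rel) & 0xFFFFFFFF  # rel32 is relative to the next instruction
        owner = owner_of(target, modules)
        if owner is None:
            return {"where": where, "kind": "hook to unmapped memory", "severity": 3, "target": target}
        return {"where": where, "kind": f"hook into {owner.name}", "severity": 2, "target": target}
    return {"where": where, "kind": "unknown patch", "severity": 1, "target": None}


def audit_text_section(mem, disk, section_va, preferred_va, relocs, modules):
    """Cross-view check of one driver's .text: one finding per run that differs from disk."""
    delta = section_va - preferred_va
    return [classify_run(o, n, mem, disk, section_va, delta, relocs, modules) for o, n in diff_runs(mem, disk)]


def audit_pointer_table(name, entries, modules, expected_owner=None):
    """SSDT/IDT/IRP-style check: every pointer must land in a loaded module, and inside
    expected_owner (e.g. ntoskrnl.exe for the SSDT) when one is given."""
    out = []
    for idx, ptr in entries.items():
        owner = owner_of(ptr, modules)
        if owner is None:
            out.append({"where": f"{name}[{idx}]", "kind": "unmapped", "severity": 3, "target": ptr})
        elif expected_owner and owner.name != expected_owner:
            out.append({"where": f"{name}[{idx}]", "kind": f"points into {owner.name}", "severity": 2, "target": ptr})
    return out


def infection_level(findings):
    """Highest severity left once explainable differences are filtered out; 0 means clean."""
    return max((f["severity"] for f in findings), default=0)


# --- constructed sample data (not real Windows addresses) ---
MODULES = [Module("ntoskrnl.exe", 0x00400000, 0x200000), Module("hal.dll", 0x00600000, 0x40000),
           Module("sample.sys", 0x00020000, 0x4000)]
HIDDEN_POOL = 0x00A00000                 # belongs to no loaded module
PREFERRED_TEXT_VA, LOADED_TEXT_VA = 0x00011000, 0x00021000   # sample.sys .text: preferred vs. actual
DISK_TEXT = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp
    0xA1, 0x00, 0x30, 0x01, 0x00,        # mov eax, [0x00013000]  (absolute address, fixed up by the loader)
    0x5D, 0xC3,                          # pop ebp; ret
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,  # padding
    0x8B, 0xFF, 0x55, 0x8B, 0xEC,        # second routine: mov edi, edi; push ebp; mov ebp, esp
    0x5D, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
])
RELOCS = [4]                             # section offsets of 32-bit absolute addresses
SSDT = {0: 0x00401000, 1: 0x00402000, 2: HIDDEN_POOL, 3: 0x00021200}   # entry 2 unmapped, 3 in sample.sys
IDT = {0x0E: 0x00405000, 0x2E: 0x00406000}                             # constructed, both legitimate
IRP_TABLE = {"IRP_MJ_CREATE": 0x00021300, "IRP_MJ_DEVICE_CONTROL": HIDDEN_POOL + 0x100}


def build_memory_image():
    """Simulated in-memory .text: loader relocation applied, then a 5-byte jmp rel32 written
    over the second routine's prologue so execution lands in the hidden allocation."""
    mem = bytearray(DISK_TEXT)
    struct.pack_into("<I", mem, 4, 0x00013000 + (LOADED_TEXT_VA - PREFERRED_TEXT_VA))
    mem[16:21] = bytes([0xE9]) + struct.pack("<i", HIDDEN_POOL - (LOADED_TEXT_VA + 16 + 5))
    return bytes(mem)


def run_audit():
    findings = audit_text_section(build_memory_image(), DISK_TEXT, LOADED_TEXT_VA, PREFERRED_TEXT_VA, RELOCS, MODULES)
    findings += audit_pointer_table("SSDT", SSDT, MODULES, expected_owner="ntoskrnl.exe")
    findings += audit_pointer_table("IDT", IDT, MODULES)
    findings += audit_pointer_table("sample.sys dispatch", IRP_TABLE, MODULES, expected_owner="sample.sys")
    return findings, infection_level(findings)


if __name__ == "__main__":
    results, level = run_audit()
    for f in results:
        print(f)
    print("infection level:", level)
```

The relocation check runs before the hook check on purpose: a fixup site and a hook can overlap, and a difference that is exactly the load delta is the only difference the loader itself is allowed to produce. The flat "every entry is a pointer" view of the tables matches the 32-bit Windows kernels SVV was written against; on 64-bit Windows the system-service table stores encoded offsets rather than absolute pointers, and Kernel Patch Protection guards these structures, so a port would have to decode entries before applying the same owner check.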

Beyond comparing linear code blocks, SVV assesses specific pointer tables within the kernel that drivers rely on to communicate with the OS:

System Service Descriptor Table (SSDT): SVV verifies that core system call pointers point to legitimate memory spaces inside ntoskrnl.exe rather than rogue drivers.

Interrupt Descriptor Table (IDT): It checks the pointers that handle hardware interrupts.

I/O Request Packet (IRP) Dispatch Tables: SVV monitors the driver structures responsible for passing data between user space applications and hardware devices.

Structural Limitations of SVV

While highly innovative for its time, SVV suffers from classic live-response architectural vulnerabilities:
