
These Are Not Your Grand Daddy's CPU Performance Counters (+ Rootkit Detection) - peter_d_sherman
https://www.youtube.com/watch?v=dfIoKgw65I0
======
peter_d_sherman
PDF:
[https://www.blackhat.com/docs/us-15/materials/us-15-Herath-T...](https://www.blackhat.com/docs/us-15/materials/us-15-Herath-These-Are-Not-Your-Grand-Daddys-CPU-Performance-Counters-CPU-Hardware-Performance-Counters-For-Security.pdf)

Excerpt:

"Rootkit Detection Using PMCs Any code that executes triggers PMCs – Rootkits
execute code

● With interrupt on PMC overflow we get EIP/RIP

● If EIP/RIP not in a known module we got a suspect

● We solve the problem of differentiating between data and code since we get
EIP/RIP

● Suspect can be dealt with by using standard methods..."

etc.

A lot of other good stuff for performance programming, too... (Mike Abrash
would be proud...)
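
The check described in the excerpt, as an added example that is not part of the original post or the talk: given RIP values sampled at PMC overflow, flag those that fall outside every known module. The module table, addresses and function names are constructed for illustration; a real detector would fill the table from the OS loader's module list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One loaded module's address range: [base, base + size). */
struct module { uint64_t base; uint64_t size; const char *name; };

/* Constructed module map (hypothetical values), sorted by base, non-overlapping. */
static const struct module known_modules[] = {
    { 0xfffff80000000000ULL, 0x00800000ULL, "kernel_image" },
    { 0xfffff80001000000ULL, 0x00040000ULL, "disk_driver"  },
    { 0xfffff80002000000ULL, 0x00020000ULL, "net_driver"   },
};
#define N_MODULES (sizeof known_modules / sizeof known_modules[0])

/* Binary search: return the module containing rip, or NULL if none does. */
static const struct module *find_module(const struct module *mods, size_t n, uint64_t rip)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (rip < mods[mid].base)
            hi = mid;
        else if (rip - mods[mid].base >= mods[mid].size) /* no base+size overflow */
            lo = mid + 1;
        else
            return &mods[mid];
    }
    return NULL;
}

/* Copy sampled RIPs outside every known module into suspects[]; return the count. */
static size_t collect_suspects(const uint64_t *rips, size_t n, uint64_t *suspects)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (find_module(known_modules, N_MODULES, rips[i]) == NULL)
            suspects[count++] = rips[i];
    return count;
}

int main(void)
{
    /* Constructed samples, standing in for RIPs recorded by the overflow handler. */
    const uint64_t samples[] = { 0xfffff80000001000ULL, 0xfffff80001040000ULL,
                                 0xfffff80002010000ULL, 0xffffc90000123456ULL };
    uint64_t suspects[4];
    size_t n = collect_suspects(samples, 4, suspects);
    for (size_t i = 0; i < n; i++)
        printf("suspect RIP: 0x%llx\n", (unsigned long long)suspects[i]);
    return 0;
}
```

A sample that lands exactly one byte past a module's end (the second sample here) is treated as outside it, which is why the range test is half-open.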

