vm´s ring1 vs. ring0

Actually I read something about vm´s method of assigning the rings, it is very interesting to know that some of them shift ring0 into ring1 that could explain why the former hidden things are revealed within the matrix. If ring0 is shifted to ring1(better said no ring0 in vm´s existent therefore all ring0 things are forced to take seat in ring1) in virtual machines then you could discover nearly all rootkits inside the matrix, even the best and hardware based one too!! But the other side could be that it might cause false positives in VM´s. What do you think?

Maybe some of you remember that I showed once screens of possible rootkit infections inside virtual machine and outside everything looked clean.

Step inside the matrix to beat the matrix or false positives?!
According to the ring1 shift it could be true that would mean all usual rootkits would have no more chances for hiding themselves except those who were virtual machine based or born out of the matrix!

Probably this is the real reason for creations like blue pill, not because people use generally VM´s or sometimes in future, actually 0,01% may use vm´s for internet surfing 99,9% uses real systems. The main reason is that all usual rootkits (if they are based on ring0) will be caught inside virtual machines!! (especially also those bios, pci or otherwise hardware based ones which may take a relation to ring0 but maybe even if they´d take no relation to ring0) Therefore all internet criminals have to change their malware code and recode it matrix-compatible.

You just have to install vm and start your anti-rootkits! Ring0 rootkits might get caught all at once!?!! (no matter which tactic in case anti-rootkits already included all possibilities of ring0 detection)

That would mean: A impossibility of deceiving Anti-Rootkits inside the matrix! Only outside possible! (if we think about ring0 and hardware based kits)

It would be cool if some people would check their anti-rootkit results outside and inside virtual machines and post it in here to compare the amount of possible false positives or possible infections for all well known and popular anti-rootkits.

 

If a rootkit doesn't install if it "knows" it's inside a VM, how will using an anti-rootkit inside the VM provide any meaningful results?

 

Most malware don´t know that at least the 99% from the past so we have good chances to catch them.