NumChecker - A System Approach for Kernel Rootkit Detection

Explore a comprehensive framework for detecting and identifying control-flow-modifying kernel rootkits in virtual machines in this 53-minute Black Hat conference talk. Learn about NumChecker, a Virtual Machine Monitor (VMM) based system that uses Hardware Performance Counters (HPCs) to measure low-level hardware events during system call execution. Discover the two-phase detection and identification process, including system call measurement, kernel preemption handling, and choosing the proper events to count. Examine real-world kernel rootkit detection results, performance evaluations, and a security analysis of this practical and effective approach, implemented on Linux with the Kernel-based Virtual Machine (KVM).