I'm surprised at the
hullaballoo surrounding the so-called "blue pill" pseudo-exploit. The non-exploit consists of a boot-loaded VT/SVM hypervisor that "undetectably" compromises your chain-loaded host. Recall with me the fundamental theorem of VT/SVM: "VT and SVM make nothing possible that was not possible before." VMware's pre-VT/SVM products are an existence proof.
This case is particularly hilarious, because "cloaking" a rootkit is actually
harder to do with VT/SVM than with plain-jane, pre-virtualization x86 technology. Without getting into all the gory details here, malicious code that runs at CPL 0 (a pre-requisite, remember, for the ostensible "attack") can simply map itself in a convenient portion of the kernel address space (say, the top megabyte), modify the limit fields in the running kernel's code and data descriptor table entries,
et voila: it's "undetectable", at least in the limited sense in which the blue pill hypervisor was undetectable. Yeah, there are some dots to connect; you have to point the IDT at the rootkit, and you may even ultimately need an x86 emulator if the kernel tries
really hard to detect you. But x86 emulators aren't exactly the stuff of science fiction; they're pretty much
commodities, which is a handy thing, since you need one in VT/SVM hypervisors, too.
The funny thing is that setting up an IDT and smashing a few GDT entries is actually a good deal simpler than setting up a full-fledged hypervisor, which needs a richer set of trap handlers, its own address space, probably needs to set up a shadow CR3 to protect itself from the guest, certainly needs a GDT and IDT, and so on. Most of that "life support" code can simply be stolen from the exploited host if you take the simpler approach outlined above. I'll go so far as to say that this "blue pill" hype is straightforward attention-whoring; virtualization is hot, and finding some sense in which it might be "bad" seems contrarian and interesting, so people's ears prick up. There's really nothing to see here, though.