EopMon: EoP detector for Intel VT-x

Satoshi Tanda has created EopMon, an elevation-of-privilege detector for Windows 7/8.1/10 on Intel x86 and x64 systems that support Intel VT-x and EPT.

EopMon is based on his earlier project, HyperPlatform, which is also worth checking out, along with MemoryMon and GuardMon.

EopMon is a hypervisor-based elevation of privilege (EoP) detector. It can spot a process with a stolen system token and terminate it by utilizing hypervisor’s ability to monitor process context-switching. […] While EopMon is tested against multiple EoP exploits carried out by in-the-wild malware, it is rather meant to be an educational tool to demonstrate a potential use case of a hypervisor for security research and not aimed for comprehensive exploit prevention. […] EopMon is meant to be an educational tool and not robust, production quality software which is able to handle various edge cases. […] For this reason, researchers are encouraged to use this project only as a reference to examine and develop ideas of using a hypervisor.
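To make the "stolen system token" check concrete, here is an added user-mode simulation of what such a detector does on every intercepted process switch. This is not EopMon's code; the process table, CR3 values, token values, the `SimProcess`/`Detector` types and the trace are all constructed for illustration. The one Windows detail it relies on is real: `EPROCESS.Token` is an `EX_FAST_REF`, whose low 4 bits on x64 (3 on x86) hold a reference count, so two references to the same `TOKEN` object can differ in those bits and must be masked before they are compared.

```c
/* Added example: simulation of a hypervisor-style stolen-token check on
 * process switches. Not EopMon's own code; every table entry, CR3 value,
 * token value and the switch trace below are constructed assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EPROCESS.Token is an EX_FAST_REF: on x64 the low 4 bits are a reference
 * count (3 bits on x86), the remaining bits point at the TOKEN object. */
#define EX_FAST_REF_BITS 4ULL
#define EX_FAST_REF_MASK ((1ULL << EX_FAST_REF_BITS) - 1)

typedef struct {
    uint32_t pid;
    const char *name;
    uint64_t cr3;    /* DirectoryTableBase: the value loaded into CR3 on a switch */
    uint64_t token;  /* raw EX_FAST_REF value of EPROCESS.Token */
} SimProcess;

/* Constructed process table (assumption): notepad.exe has had its Token field
 * overwritten with a reference to System's token, the classic EoP payload.
 * Its reference-count bits (0x7) differ from System's (0x3) on purpose. */
#define SYSTEM_TOKEN_OBJ 0xffff8a00a1b2c340ULL
static const SimProcess SAMPLE_PROCS[] = {
    { 4,    "System",       0x00000000001ad000ULL, SYSTEM_TOKEN_OBJ | 0x3 },
    { 332,  "smss.exe",     0x0000000011c40000ULL, 0xffff8a00a1c0d010ULL | 0x1 },
    { 1840, "explorer.exe", 0x0000000032a4f000ULL, 0xffff8a00a2d4e0b0ULL | 0x2 },
    { 2216, "notepad.exe",  0x0000000041be3000ULL, SYSTEM_TOKEN_OBJ | 0x7 },
};
#define SAMPLE_PROC_COUNT (sizeof SAMPLE_PROCS / sizeof SAMPLE_PROCS[0])

typedef struct {
    uint64_t system_token;   /* TOKEN object of PID 4, captured at start */
    const SimProcess *procs;
    size_t count;
} Detector;

/* Strip the reference-count bits so two references to one object compare equal. */
static uint64_t token_object(uint64_t ex_fast_ref) {
    return ex_fast_ref & ~EX_FAST_REF_MASK;
}

static const SimProcess *lookup_by_cr3(const Detector *d, uint64_t cr3) {
    for (size_t i = 0; i < d->count; i++)
        if (d->procs[i].cr3 == cr3) return &d->procs[i];
    return NULL;
}

/* Record System's token object while the system is assumed to be clean.
 * Returns -1 if PID 4 is not present in the table. */
static int detector_init(Detector *d, const SimProcess *procs, size_t count) {
    d->procs = procs;
    d->count = count;
    d->system_token = 0;
    for (size_t i = 0; i < count; i++) {
        if (procs[i].pid == 4) {
            d->system_token = token_object(procs[i].token);
            return 0;
        }
    }
    return -1;
}

/* Handler for an intercepted MOV CR3 (process switch). Returns the PID of a
 * process that holds System's token without being System, else 0. */
static uint32_t on_context_switch(const Detector *d, uint64_t new_cr3) {
    const SimProcess *p = lookup_by_cr3(d, new_cr3);
    if (p == NULL || p->pid == 4) return 0;
    return token_object(p->token) == d->system_token ? p->pid : 0;
}

/* Replay a switch trace; returns the first flagged PID, or 0 if none. */
static uint32_t replay_trace(const Detector *d, const uint64_t *trace, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t pid = on_context_switch(d, trace[i]);
        if (pid != 0) return pid;
    }
    return 0;
}

/* Run the constructed table through a constructed switch sequence. */
uint32_t demo_detect(void) {
    Detector d;
    if (detector_init(&d, SAMPLE_PROCS, SAMPLE_PROC_COUNT) != 0) return 0;
    const uint64_t trace[] = {
        0x0000000011c40000ULL,   /* smss.exe */
        0x00000000001ad000ULL,   /* System: holds the token legitimately */
        0x0000000032a4f000ULL,   /* explorer.exe */
        0x0000000041be3000ULL,   /* notepad.exe with the stolen token */
    };
    return replay_trace(&d, trace, sizeof trace / sizeof trace[0]);
}

int main(void) {
    uint32_t pid = demo_detect();
    if (pid != 0) printf("EoP detected: PID %u holds System's token\n", pid);
    else printf("no stolen token observed\n");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, a pointer comparison only catches the payload that replaces a process's `Token` reference with System's; an exploit that instead edits the process's own token in place (its privileges or SIDs) never trips it, which is one reason the README disclaims comprehensive prevention. Second, a real hypervisor does not get a static table: on each CR3 write it has to resolve the incoming process from guest kernel memory, and any mistake there runs at the highest privilege on the machine, so the README's "reference, not production software" warning is worth taking literally.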

https://github.com/tandasat/EopMon
https://github.com/tandasat/HyperPlatform
https://github.com/tandasat/MemoryMon
https://github.com/tandasat/GuardMon
