Microsoft and researchers at North Carolina State suggest rootkits in virtual environments can be found and removed or blocked by leveraging the hypervisor’s physical memory:
With hook indirection, HookSafe relocates protected hooks to a continuous memory space and regulates accesses to them by leveraging hardware-based page-level protection. Our experimental results with nine real-world rootkits show that HookSafe is effective in defeating their hook-hijacking attempts. Our performance benchmarks show that HookSafe only adds about 6% performance overhead.
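
A user-space analogue of the hook indirection described in the abstract above, as an added example that is not HookSafe's code: function-pointer hooks are copied into one dedicated page, the page is made read-only, and calls go through that copy. Here `mprotect` stands in for the hypervisor's page-level protection, and all function names, the two sample hooks and the `trusted` flag are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*hook_fn)(void);
static int legit_open(void)   { return 1; }   /* original handler */
static int updated_open(void) { return 2; }   /* handler installed by a trusted update */
static int rogue_open(void)   { return -1; }  /* handler an unmediated writer tries to install */
static hook_fn *shadow;      /* contiguous, page-aligned copy of the protected hooks */
static size_t shadow_len;
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* Relocate n hooks into one dedicated page and make it read-only. */
int hooks_relocate(const hook_fn *orig, size_t n) {
    shadow_len = (size_t)sysconf(_SC_PAGESIZE);
    if (n * sizeof(hook_fn) > shadow_len) return -1;
    shadow = mmap(NULL, shadow_len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (shadow == MAP_FAILED) return -1;
    for (size_t i = 0; i < n; i++) shadow[i] = orig[i];
    return mprotect(shadow, shadow_len, PROT_READ);
}
int demo_setup(void) {       /* constructed sample: two hooks */
    const hook_fn hooks[] = { legit_open, legit_open };
    return hooks_relocate(hooks, 2);
}
/* Indirection layer: calls always read the hook from the protected copy. */
int hook_call(size_t i) { return shadow[i](); }
/* Unmediated write attempt: returns 1 if it landed, 0 if page protection blocked it. */
int raw_write(size_t i, hook_fn fn) {
    struct sigaction sa = {0}, old_segv, old_bus;
    volatile int landed = 0;
    sa.sa_handler = on_fault; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) { ((hook_fn volatile *)shadow)[i] = fn; landed = 1; }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return landed;
}
/* Mediated write: the only path that lifts protection; `trusted` stands in for a policy check. */
int mediated_write(size_t i, hook_fn fn, int trusted) {
    if (!trusted || mprotect(shadow, shadow_len, PROT_READ | PROT_WRITE)) return -1;
    shadow[i] = fn;
    return mprotect(shadow, shadow_len, PROT_READ);
}
/* Exit status 0: the raw write was blocked and the trusted update took effect. */
int main(void) { return demo_setup() || raw_write(0, rogue_open) || mediated_write(0, updated_open, 1) || hook_call(0) != 2; }
```

Grouping the hooks on their own page is what makes page-granular protection usable: every write fault on that page concerns a hook, so unrelated writes are never trapped.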