Abstract
To address the diverse and increasingly covert ways in which Trojans hide their own processes in a virtual machine environment, a virtual-machine-based hidden process detection algorithm is proposed. The algorithm relies on the principle that when the guest schedules a process it accesses the CR3 register, which causes the VCPU to trap out to root mode; a multi-view process detection algorithm is inserted into the virtual machine's trap-out (VM-Exit) exception handler. An optimized hash algorithm is proposed to reduce the performance loss imposed on the virtual machine. Compared with a memory search algorithm, experiments show that this algorithm accurately detects processes whose hiding technique is unknown, with a small performance loss.
Aiming at the diversity and covertness of the ways Trojans hide themselves in a virtualization environment, a new method for detecting hidden Trojan processes based on the KVM virtual machine is presented. Under Intel VT, when the guest operating system schedules a process to run, the VCPU must access the CR3 register, which is a privileged operation and causes a VM-Exit. The algorithm hooks the VM-Exit handling procedure and injects the multi-view model there to detect hidden processes. An optimized hash algorithm is presented to reduce the cost to virtual machine performance. Experiments show that this method detects hidden processes accurately even when the hiding technique is unknown, and that the performance cost is small.
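As an added illustration (not the paper's code), the following Python simulates the multi-view check the abstract describes: a hypervisor-side view built from CR3 values seen at VM exits, kept in a dict as a stand-in for the paper's hash table, is compared against the guest's own task list, and any page-table root the hypervisor scheduled but the guest does not report is flagged. The constant names, the sample CR3 values and the kernel page-table root are constructed assumptions.

```python
"""Simulated multi-view hidden-process detection keyed on CR3 values observed
at VM exits (added illustration; not the paper's code). All sample data below
is constructed."""

PCID_MASK = 0xFFF          # CR3 bits 11:0 hold the PCID when CR4.PCIDE=1
NOFLUSH_BIT = 1 << 63      # bit 63 is the no-flush hint on a CR3 write


def normalize_cr3(cr3: int) -> int:
    """Strip PCID and no-flush bits so one address space maps to one key."""
    return cr3 & ~(PCID_MASK | NOFLUSH_BIT)


class ExitHandlerView:
    """Hypervisor-side view: every CR3 that reached the VM-Exit handler.
    A dict keyed by the normalized CR3 gives O(1) insert and lookup, standing
    in for the paper's hash table."""

    def __init__(self):
        self.seen = {}   # normalized cr3 -> number of schedules observed

    def on_cr3_exit(self, cr3: int) -> None:
        key = normalize_cr3(cr3)
        self.seen[key] = self.seen.get(key, 0) + 1


def detect_hidden(hv_view, guest_tasks, kernel_cr3):
    """Cross-view check: a CR3 the hypervisor scheduled but the guest task
    list does not report belongs to a hidden process. kernel_cr3 is the
    page-table root used by kernel/idle threads and is not a user process."""
    guest_cr3s = {normalize_cr3(t["cr3"]) for t in guest_tasks}
    kernel = normalize_cr3(kernel_cr3)
    return sorted(c for c in hv_view.seen if c not in guest_cr3s and c != kernel)


def run_sample():
    """Constructed scenario: three guest processes, one unlinked from the list."""
    hv = ExitHandlerView()
    # CR3 values as written by the guest scheduler (PCID in low bits, constructed)
    for cr3 in [0x1A000001, 0x2B000002, 0x3C000003 | NOFLUSH_BIT, 0x2B000002,
                0x3C000003, 0x10000000]:
        hv.on_cr3_exit(cr3)
    # Guest-reported view (e.g. a task-list walk); 0x3C000000 is missing from it
    guest_tasks = [{"pid": 1, "cr3": 0x1A000001}, {"pid": 42, "cr3": 0x2B000002}]
    return detect_hidden(hv, guest_tasks, kernel_cr3=0x10000000)


if __name__ == "__main__":
    print([hex(c) for c in run_sample()])   # ['0x3c000000']
```

Masking the PCID and no-flush bits matters in practice: without it, the same address space can appear under several raw CR3 values and produce false positives.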
Source
Journal of Chinese Computer Systems (《小型微型计算机系统》)
Indexed in CSCD; Peking University Core Journals (北大核心)
2016, No. 2, pp. 231-235 (5 pages)
Keywords
virtual machine
virtual machine introspection
hidden process
multi-view model
hash algorithm
KVM virtual machine
KVM introspection
hidden process
multi view model
hash algorithm