Security tools are rapidly developed as network security threat is becoming more and more serious.To overcome the fundamental limitation of traditional host-based anti-malware system which is likely to be deceived and...Security tools are rapidly developed as network security threat is becoming more and more serious.To overcome the fundamental limitation of traditional host-based anti-malware system which is likely to be deceived and attacked by malicious codes,VMM-based anti-malware systems have recently become a hot research field.In this article,the existing malware hiding technique is analyzed,and a detecting model for hidden process based on "In-VM" idea is also proposed.Based on this detecting model,a hidden process detection technology which is based on HOOK SwapContext on the VMM platform is also implemented successfully.This technology can guarantee the detecting method not to be attacked by malwares and also resist all the current process hiding technologies.In order to detect the malwares which use remote injection method to hide themselves,a method by hijacking sysenter instruction is also proposed.Experiments show that the proposed methods guarantee the isolation of virtual machines,can detect all malware samples,and just bring little performance loss.展开更多
基金National High Technical Research and Development Program of China(863 Program)under Grant No. 2008AA01Z414
文摘Security tools are rapidly developed as network security threat is becoming more and more serious.To overcome the fundamental limitation of traditional host-based anti-malware system which is likely to be deceived and attacked by malicious codes,VMM-based anti-malware systems have recently become a hot research field.In this article,the existing malware hiding technique is analyzed,and a detecting model for hidden process based on "In-VM" idea is also proposed.Based on this detecting model,a hidden process detection technology which is based on HOOK SwapContext on the VMM platform is also implemented successfully.This technology can guarantee the detecting method not to be attacked by malwares and also resist all the current process hiding technologies.In order to detect the malwares which use remote injection method to hide themselves,a method by hijacking sysenter instruction is also proposed.Experiments show that the proposed methods guarantee the isolation of virtual machines,can detect all malware samples,and just bring little performance loss.
