Hidden Process Detection Based on Virtual Machine Monitor
Abstract: A Virtual Machine Monitor (VMM) has ready access to the raw state of its guests' registers and memory even though it is separated from the guests by a secure barrier. Hidden process detection based on a VMM uses this advantage to read out guest memory as raw hexadecimal data without modifying that memory. By analyzing the hexadecimal data together with the Windows kernel data structures, we present an original and effective solution that reveals processes hidden by Direct Kernel Object Manipulation (DKOM) and API hooking techniques. In this paper, we use VMware ESX as the virtual platform and Windows XP SP3 as the guest OS. For other virtual platforms such as XenServer and VirtualBox, a similar approach can be adopted to reveal hidden processes in their guests.
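The detection idea described in the abstract can be illustrated with a cross-view check over a raw memory image: walk the kernel's active-process list (the view a DKOM rootkit tampers with) and, independently, scan the same memory for process-object signatures (the view it cannot erase without freeing the object); any object found by the scan but absent from the list has been unlinked. The code below is an added example and is not the paper's own code. The memory image, the list-head address, the object layout (pool tag, PID, LIST_ENTRY and name offsets) and the process names are all constructed for illustration and are assumptions that do not match real Windows XP SP3 EPROCESS offsets; a real implementation would use the guest's actual kernel structure offsets and a VMM-side memory read instead of the `bytes` buffer used here.

```python
"""Cross-view hidden-process detection over a raw guest memory image.

Added example: toy layout, addresses and sample processes are constructed
and are NOT the real Windows XP SP3 EPROCESS layout.
"""
import struct

# Constructed layout of a "process object" in the toy memory image:
#   0x00  4 bytes  pool tag  b"Proc"     (signature used by the scan)
#   0x04  4 bytes  PID
#   0x08  8 bytes  LIST_ENTRY {Flink, Blink} (like ActiveProcessLinks)
#   0x10 16 bytes  image name, NUL padded
HEAD = 0x00            # assumed address of the list head (like PsActiveProcessHead)
OBJ_BASE = 0x40        # assumed address of the first process object
OBJ_SIZE = 0x20
TAG = b"Proc"
OFF_PID, OFF_LIST, OFF_NAME = 0x04, 0x08, 0x10


def u32(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]


def put_u32(mem, addr, value):
    struct.pack_into("<I", mem, addr, value)


def name_at(mem, obj):
    return mem[obj + OFF_NAME:obj + OFF_NAME + 16].split(b"\0", 1)[0].decode()


def build_image(procs, hidden_pids, size=0x400):
    """Build a constructed memory image with one object per (pid, name).

    All objects stay in memory, but PIDs in hidden_pids are left out of the
    circular doubly linked list, mimicking a DKOM unlink.
    """
    mem = bytearray(size)
    addr = {pid: OBJ_BASE + i * OBJ_SIZE for i, (pid, _) in enumerate(procs)}
    for pid, name in procs:
        a = addr[pid]
        mem[a:a + 4] = TAG
        put_u32(mem, a + OFF_PID, pid)
        mem[a + OFF_NAME:a + OFF_NAME + 16] = name.encode().ljust(16, b"\0")
    # Link the head and only the visible objects into a circular list.
    entries = [HEAD] + [addr[pid] + OFF_LIST for pid, _ in procs if pid not in hidden_pids]
    n = len(entries)
    for i, e in enumerate(entries):
        put_u32(mem, e, entries[(i + 1) % n])       # Flink
        put_u32(mem, e + 4, entries[(i - 1) % n])   # Blink
    # An unlinked object is commonly left pointing at itself so the kernel
    # does not crash on process exit; do the same here.
    for pid in hidden_pids:
        e = addr[pid] + OFF_LIST
        put_u32(mem, e, e)
        put_u32(mem, e + 4, e)
    return bytes(mem)


def walk_active_list(mem, head=HEAD, limit=4096):
    """View 1: follow Flink pointers from the head, as the OS API would."""
    pids, seen = {}, set()
    cur = u32(mem, head)
    # Stop at the head, on a cycle, or after a sane bound (corrupted lists).
    while cur != head and cur not in seen and len(seen) < limit:
        seen.add(cur)
        obj = cur - OFF_LIST
        pids[u32(mem, obj + OFF_PID)] = name_at(mem, obj)
        cur = u32(mem, cur)
    return pids


def scan_for_objects(mem, step=4):
    """View 2: linear scan of raw memory for the object signature."""
    found = {}
    for a in range(0, len(mem) - OBJ_SIZE + 1, step):
        if mem[a:a + 4] == TAG:
            pid = u32(mem, a + OFF_PID)
            if pid:
                found[pid] = name_at(mem, a)
    return found


def find_hidden(mem):
    """Objects present in memory but missing from the linked list."""
    listed = walk_active_list(mem)
    scanned = scan_for_objects(mem)
    return {pid: name for pid, name in scanned.items() if pid not in listed}


def hexdump(mem, addr, length=OBJ_SIZE):
    """Render a region the way an analyst reads raw guest memory."""
    lines = []
    for off in range(addr, addr + length, 16):
        chunk = mem[off:off + 16]
        lines.append(f"{off:08x}  " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: four processes, one of them unlinked (DKOM-hidden).
    sample = [(4, "System"), (620, "csrss.exe"), (1337, "rootkit.exe"), (2000, "explorer.exe")]
    image = build_image(sample, hidden_pids={1337})
    print("list view :", sorted(walk_active_list(image)))
    print("scan view :", sorted(scan_for_objects(image)))
    print("hidden    :", find_hidden(image))
    print(hexdump(image, OBJ_BASE + 2 * OBJ_SIZE))
```

The scan is what makes the check robust: an API hook or a DKOM unlink changes what the list walk reports, but the object itself must remain in kernel memory for the hidden process to keep running, so the signature scan still sees it. In practice the signature and offsets are taken from the guest's kernel version, and false positives from stale (already freed) objects are filtered by sanity-checking fields such as the PID and name before reporting a difference.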
Keywords: Hidden process; VProbes; Windows kernel structure; VMM
Authors: Jingsong Cui, Shasha Zhu, Yuzhong Wen, Xuhui Liu, Yu Yang
Affiliation: School of Computer Science, Wuhan University, Wuhan, China
Publication type: International conference
Venue: 2010 International Conference on Future Information Technology (ICFIT 2010)
Location: Changsha
Language: English
Pages: 434-437
Online date: 2010-12-14 (date the record first went online on the Wanfang platform, not the paper's publication date)