| 基于硬件虚拟化技术的隐藏进程检测技术* |
| |
| 引用本文: | 温研,赵金晶,王怀民.基于硬件虚拟化技术的隐藏进程检测技术*[J].计算机应用研究,2008,25(11):3460-3462. |
| |
| 作者姓名: | 温研 赵金晶 王怀民 |
| |
| 作者单位: | 1. 国防科学技术大学,计算机学院,长沙,410073
2. 北京系统工程研究所,北京,100101 |
| |
| 基金项目: | 国家“973”计划资助项目( 2005CB321801);国家杰出青年科学基金资助项目(60625203) |
| |
| 摘 要: | 随着越来越多的PC用户习惯于从互联网上下载和执行各类软件,潜在的自隐藏恶意代码已成为亟待解决的安全问题,而进程隐藏是这类恶意代码最常用也是最基本的规避检测的自隐藏技术。针对这个问题,提出了一种新的基于硬件虚拟化技术的隐藏进程检测技术——Libra。Libra通过构造一个轻量级的虚拟机监视器(libra virtual machine monitor,LibraVMM)实现了从虚拟层隐式获取真实进程列表(true process list, TPL)的新技术。与已有的基于虚拟机技术的解决方案相比,Libra
|
| 关 键 词: | 虚拟机监视器 自隐藏恶意代码 硬件虚拟化技术 进程隐藏 |
Detecting hidden process with hardware assisted virtual machine monitor |
| |
| WEN Yan,ZHAO Jin jing,WANG Huai min.Detecting hidden process with hardware assisted virtual machine monitor[J].Application Research of Computers,2008,25(11):3460-3462. |
| |
| Authors: | WEN Yan ZHAO Jin jing WANG Huai min |
| |
| Affiliation: | (1.School of Computer, National University of Defense Technology, Changsha 410073, China;2.Beijing Institute of System Engineering, Beijing 100101, China) |
| |
| Abstract: | With more and more PC users were accustomed to download and execute programs from Internet,stealth malware had become a major threat to the PC computers.Process hiding was a powerful stealth technique commonly used by stealth malware to evade detection by computer users and anti-malware scanners.This paper proposed a new approach called Libra for detect hidden processes implicitly.Libra implemented a novel lightweight hardware-assisted VMM to obtain the true process list(TPL) from deep within the system.Compared to existing VMM-based approaches,Libra provides two unique advantages: dynamic OS migration and implicit introspection of TPL.The functionality evaluation shows the completeness and effectiveness of Libra. |
| |
| Keywords: | virtual machine monitor(VMM) stealth malware hardware-assisted virtualization process hiding |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
| 点击此处可从《计算机应用研究》浏览原始摘要信息 |
|
点击此处可从《计算机应用研究》下载全文 |
