Yan Wen,Jinjing Zhao,Huaimin Wang

DOI: https://doi.org/10.1109/ISA.2008.22

2008-01-01

Abstract:Currently stealth malware is becoming a major threat to the PC computers. Process hiding is the technique commonly used by stealth malware to evade detection by anti-malware scanners. On the defensive side, previous host-based approaches will be defeated once the privileged stealth malware controls a lower reach of the system. The virtual machine (VM) based solutions gain tamper resistance at the cost of losing the OS-level process view. Moreover, existing VM-based approaches cannot introspect the preinstalled OS which is just the protecting concern for PC users. In this paper, we present a new VM-based approach called Libra which accurately reproduces the software environment of the underlying preinstalled OS within the Libra VM and provides an OS-level semantic view of the processes. With our new local-booting technology, Libra VM just boots from the underlying host OS but not a newly installed OS image. Thus, Libra provides a way to detect the existing process-hiding stealth malware in the host OS. In addition, instead of depending on the guest information which is subvertable to the privileged guest malware, Libra adopts a unique technique to implicitly construct the trusted view of process list (TVPL) from within the virtualized hardware layer. Our evaluation results with real-world hiding-process rootkits, which are widely used by stealth malware, demonstrate its practicality and effectiveness.

Yan Wen,Jinjing Zhao,Huaimin Wang,Jiannong Cao

DOI: https://doi.org/10.1007/978-3-540-70500-0_27

2008-01-01

Abstract:Process hiding is a commonly used stealth technique which facilitates the evasion from the detection by anti-malware programs. In this paper, we propose a new approach called Ariesto implicitly detect the hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of TPLand non-bypassable interfacesfor exposing TPL. Unlike typical VMMs, Aries can dynamically migrate a booted OS on it. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled with the explicit OS implementation information which is subvertable for the privileged malware. Our functionality evaluation shows Aries can detect more process-hiding malware than existing detectors while the performance evaluation shows desktop-oriented workloads achieve 95.2% of native speed on average.

Chaoyuan Cui,Yun Wu,Ping Li,Rujing Wang

DOI: https://doi.org/10.2991/ccis-13.2013.59

2013-01-01

Abstract:With the development of the Cloud computing, more and more people are accustomed to resource sharing or online shopping. And malware has become a major threat to the Cloud safety. Process hiding is a powerful technique commonly used by stealthy malware to evade detection by anti-malware. In this paper, we present a novel approach called VMPmonitor-an efficient modularity approach for hidden process detection. With the help of the guest OS register information (mainly the ESP) collected by virtual machine monitor, VMPmonitor can implicitly capture the hidden process information of target guest OS. Compared to other approaches, VMPmonitor obtains guest process information implicitly. Using implicit information reduces its susceptibility to guest evasion attack. Experimental result shows that VMPmonitor has better reliability and accuracy.

Huaimin Wang

2008-01-01

Abstract:Currently stealth malware is becoming a major threat to the PC computers.Process hiding is the technique commonly used by stealth malware to evade detection by anti-malware scanners.In this paper,we presented a new VM-based approach called Gemini that accurately reproduced the software environment of the underlying preinstalled OS within the Gemini VM.With our new local-booting technology,Gemini VM just booted from the underlying host OS but not a newly installed OS image.In addition,Gemini adopted a unique technique to implicitly construct the Trusted View of Process List(TVPL) from within the virtualized hardware layer.Thus,Gemini provided a way to detect the existing process-hiding stealth malware in the host OS.Our evaluation results with real-world hiding-process rootkits,which are widely used by stealth malware,demonstrate its practicality and effectiveness.

Ying Wang,Chunming Hu,Bo Li

DOI: https://doi.org/10.1109/hase.2011.41

2011-01-01

Abstract:Recently, "rootkit" becomes a popular hacker malware on the Internet, which controls the hosts on the Internet by hiding itself, and raises a serious security threat. Existing host-based and hardware-based solutions have some disadvantages, such as hardware overhead and being discovered by root kits, where the development of virtualization technology provides a better solution to avoid those. Virtual machine monitor has the highest authority on the virtual machine, and has the right to control the activities in the virtual machine without being found by root kits in the virtual machines. We propose VM Detector based on this hardware virtualization technology, using multi-view detection mechanism, to detect hidden processes inside the virtual machine on many aspects, then to improve the virtual machine's security. Through several experiments, VM Detector carried on the process detection effectively, and introduced less than 10% performance overhead.

Chen Lin,Liu Bo,Hu Huaping,Xiao Fengtao,Zhang Jing

2011-01-01

China Communications

Abstract:Security tools are rapidly developed as network security threat is becoming more and more serious. To overcome the fundamental limitation of traditional host-based anti-malware system which is likely to be deceived and attacked by malicious codes, VMM-based anti-malware systems have recently become a hot research field. In this article, the existing malware hiding technique is analyzed, and a detecting model for hidden process based on "In-VM" idea is also proposed. Based on this detecting model, a hidden process detection technology which is based on HOOK Swap Context on the VMM platform is also implemented successfully. This technology can guarantee the detecting method not to be attacked by malwares and also resist all the current process hiding technologies. In order to detect the malwares which use remote injection method to hide themselves, a method by hijacking sysenter instruction is also proposed. Experiments show that the proposed methods guarantee the isolation of virtual machines, can detect all malware samples, and just bring little performance loss.

Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

Guang-lu YAN,Sen-lin LUO,Wang-tong LIU,Li-min PAN

DOI: https://doi.org/10.15918/j.tbit1001-0645.2018.03.014

2018-01-01

Abstract:Executing malicious code via hidden process is a major way to carry out information attack.At present,hidden process detection methods based on In-VM model of virtualization platform can be attacked by circumventing and tampering with the relative data.To solve this problem,a highly reliable In-VM hidden process detection method was proposed.Firstly,an In-VM model and the memory protection mechanism of virtualization were developed to protect its detection code and relative kernel data from being maliciously changed.Secondly,by hijacking the system transfer function exactly and detecting the hidden process with a cross-view method, the detection algorithm was ensured from being circumvented.Finally,several typical Rootkits were built and chosen in experiments.The results show that,the proposed method can detect all kinds of hidden processes.Its detection code and relative kernel data cannot be tampered with and its detection algorithm and memory protection mechanism cannot be circumvented.And the developed memory protection mechanism has better performance in the system,showing a higher reliability and stronger pragmatic value.

Mengmeng CHEN,Xingshu CHEN,Xin JIN

2017-01-01

Journal of Computer Applications

Abstract:To slove the problems of high energy consumption and uncomplete detection of the current hidden process detection schemes,a hidden process detection system based on process life cycle called HProDectector was proposed.Using the high privilege of VMM and callback mechanism of guest OS,a block of Transparent Memory (TM) belonging to VM was reserved and hard code of callback was injected to TM,callback function was registerd by callback-registering module in VM and triggered by process creation or termination events.At that time,target process information was sent down to eventprocessing module by using of hardware-assisted virtualization technology and a true process list was maintained constantly.Hidden process list was got from view-analying module by comparing true process list and current process list.Mutiple kinds of samples were chosen to test HProDectector function,and the results show that HProDectector performs better than traditional schemes which can detect hidden process more accurately with less performance loss.

YAN Guang-lu,LUO Sen-lin

DOI: https://doi.org/10.3969/j.issn.1671-1122.2013.02.010

2013-01-01

Abstract:With the development of Internet,the information technology has become the impetus of economy and society.Windows operating system becomes popular and develops rapidly,so the malicious code for hidden process based on Windows spread quickly.The detection technology for Windows needs to be expanded.This paper will introduce a method to detect hidden processes on 64 bit Windows7 system,which is based on intercept of SwapContext.The experiment shows the method has good reliability and can be used in practical application.

Xiao-can ZHAO,Ju REN,Yang XU,Guo-jun WANG

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2017.12.023

2017-01-01

Abstract:In recent years ,the stealth of malware is getting stronger and stronger .In this paper ,a SMM-based Hidden process Detection model (SHPD) is proposed .SHPD can effectively detect the stealthy process in system while ensuring its own transparency .SHPD consists of two parts :the client and the monitor .The client ,which implemented in BIOS ,uses both internal and external semantic information to establish multiple views of processes in OS and sends those process views to the monitor .The monitor identifies the stealthy process by comparing the differences between the views .In the paper ,we build a prototype system under the support of the SHPD theory , and conduct functional testing and analysis .The experimental results verify the feasibility of SHPD .

Yan Wen,Jinjing Zhao,Huaimin Wang

DOI: https://doi.org/10.1145/1460877.1460904

2008-01-01

Abstract:With security researchers relying on the virtual machine (VM) in their analysis work, malware has a significant stake in detecting the presence of a VM to avoid executing its vicious behavior. But hiding a VM from malware by building a transparent virtual machine monitor (VMM) is fundamentally infeasible, as well as impractical from a performance and engineering standpoint. This paper proposes a new idea from another perspective: hiding the "real" machine from the VMM-aware malware. We propose a minimal VMM called MiniVMM which can migrate a booted OS, our protecting concern, to this VMM on demand. In our protection model, all the untrusted code, although having been verified by VMM-based malware detectors, should be executed in this migrated OS. Instead of building a transparent VMM, MiniVMM advisedly exposes the VMM fingerprints to prevent the computer against VMM-aware malicious programs by deceiving them into deactivating their destructive behavior by themselves. MiniVMM has two key features: dynamic OS migration and commodity VMM fingerprints emulation. Unlike existing VMM solutions, MiniVMM can make the protected OS transfer between VMM mode and native mode dynamically. MiniVMM can also emulate the fingerprints of prevalent VMMs to make the protected computer more like a "real" VM. MiniVMM might be deployed as a considerable complement of the existing VMM-based security approaches to make the native OSes immune to the VMM-aware malware.

Ling Chong,Wu Zhiyong,Sun Lechang,Liu Jingju

DOI: https://doi.org/10.3969/j.issn.1007-7820.2010.08.033

2010-01-01

Abstract:The current process hiding and detection technologies are analyzed,and the mechanism of cross-views discrepancy utilized by Strider GhostBuster are studied in detail,and based on Hardware-Assisted Machine a new framework for process detection is proposed,namely HCDP,whose effectiveness and integrality are verified through experiment.

Sen-lin LUO,Guang-lu YAN,Li-min PAN,Fan FENG,Hao-chen LIU

DOI: https://doi.org/10.15918/j.tbit1001-0645.2015.05.021

2015-01-01

Abstract:At present,hidden process detection methods are avoidable,poor compatibility or high wastage.A method based on intercepting the entry of system kernel was proposed to solve these problems.The method applies the process behavior of communicating with system kernel to intercept the three channels:KiFastCallEntry,IDT and GDT,which were from user layer to kernel layer.Furthermore,the method applied the semantic reconstruction to establish the process list of kernel layer,and then combined with cross-view to detect hidden processes.The experiments show that the method proposed in this paper can detect all kinds of hidden processes at present.The method can be used in the majority of Windows operating system and it has higher detection accuracy,better compatibility,lower wastage and stronger pragmatic value.

杜海,陈榕

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.08.030

2009-01-01

Abstract:Aiming at the problems existed in Operating System(OS) process monitoring, a new full-virtualization-based process monitoring method is proposed. It uses full virtualization technology to detect and isolate all the harmful behaviors of untrusted processes in OS. Experimental results show this method has better performances of pellucidity and portability, which can prevent against multiple attacks and incur only a small amount of performance overhead.

Zheyuan Liu,Dejun Mu

2012-01-01

Journal of Xidian University

Abstract:Computer malware has forced the transfer of the traditional in-host security tools to the development of VMM-based solutions which isolate the anti-malware software from untrusted systems.However,the inherent semantic gap poses a great challenge in supporting existing monitoring tools.In this paper,we present a process transferring method for fine-grained process execution monitoring to address both isolation and compatibility problems.Also by redirecting system calls invoked by the suspect process we guarantee the execution flow of the transferred process.Evaluation results show its effectiveness and feasibility with a tiny influence on the system.

MA Jian-kun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.024

2011-01-01

Computer Science

Abstract:The message flow of Windows operating system was introduced and the potential threats was analyzed.A solution based on hardware-assisted virtualization was developed to defend against the software key logger.A virtual machine monitor was implemented using Intel virtual technology.When the protected thread is reading keyboard input,the keyboard interrupt is handled in the virtual machine monitor.By reading scan code of the keyboard in the virtual machine monitor,the keyboard input can be safely sent to the protected thread.

YongGang Li,ChaoYuan Cui,BingYu Sun,WenBo Li

DOI: https://doi.org/10.3966/160792642018091905011

2018-01-01

Abstract:With the spread of malwares, the security of virtual machine (VM) is suffering severe challenges recent years. Rootkits and their variants can hide themselves and other kernel objects such as processes, files, and modules making malicious activity hard to be detected. The existed solutions are either coarse-grained, monitoring at virtual machine level, or non-universal, only supporting specific operating system with specific modification. In this paper, we propose a fine-grained approach called HODetector based on static semantic information library (SSIL) to detect the hidden objects outside VM. We have deployed HODetector prototype on Xen virtualization platform and used it to detect the processes, files, and modules hidden by rootkits. The experiment results show that HODetector is effective for different rootkits and general for Linux operating system with various kernels.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Tengfei Yi,Aijun Zong,Miao Yu,Shang Gao,Qian Lin,Peijie Yu,Zhong Ren,Zhengwei Qi

DOI: https://doi.org/10.1109/icrccs.2009.63

2009-01-01

Abstract:Anti-debugging technique is widely used to protect executable files in commercial software applications. However, most of contemporary anti-debugging products fail to guarantee their functionalities in that when the application code is running on Ring 0 or above, malicious attackers can still manipulate it to block the anti-debugging process. This paper introduces an anti-debugging framework based on hardware virtualization technology called Virtual Machine Monitor (VMM), which can monitor each code running above its privilege level on Intel x86 platform. Our experiments demonstrate that major debuggers running on Microsoft Windows, such as VC2005 and WinDBG, are incapable to debug the target application with the protection of our anti-debugging framework.