Detecting Malware and Rootkit via Memory Forensics
Authors: Qiang Hua, Yang Zhang
Venue: 2015 International Conference on Computer Science and Mechanical Automation (CSMA), published 2015-10-23
DOI: 10.1109/CSMA.2015.25 (https://doi.org/10.1109/CSMA.2015.25)
Citation count: 10 (Semantic Scholar)

Abstract
Recent malware processes are armed with stealthy techniques to detect and subvert the malware detection facilities of the victim. Traditional host-based detection tools execute inside the very hosts they are protecting, which makes them vulnerable to deception and subversion. To address this limitation, improve the effectiveness and accuracy of detection, and strengthen tamper resistance, a VMM-based hidden process detection system is designed and implemented. The system is placed outside the protected virtual machine and uses a virtual machine introspection mechanism to inspect the low-level state of the protected virtual machine; it then reconstructs the guest OS data structures with the guest view casting technique. Based on view comparison detection, the system identifies the absence of critical processes and the target hidden process. Additionally, the system provides process management operations, such as terminate and restart. Users can configure the corresponding response mechanism through configuration files.