
Research On Technique Of BIOS Trojan Detection

Posted on: 2013-02-17
Degree: Master
Type: Thesis
Country: China
Candidate: J F Liu
GTID: 2248330395980590
Subject: Software engineering
Abstract/Summary:
With the rapid development of malicious programs, people nowadays pay more and more attention to information security issues. As Rootkit technology has matured, malicious code has been hidden more deeply with its help. Because of the disadvantages of traditional process detection technology, such as low access privilege, backward detection means, and being limited to the user's operating system, it cannot effectively detect hidden processes, monitor process creation, terminate processes, and so on. Sometimes it will itself be attacked or destroyed by malicious processes. The development of hardware virtualization technology provides new ideas for security software development.

Cross-view comparison is a common method of detecting hidden processes. Its effectiveness depends largely on the ability to obtain a credible process list. Existing cross-view comparison acquires its information from acquisition points placed inside the operating system, which a kernel-level Rootkit can easily cheat and bypass. At the same time, the security of the detection software itself cannot be guaranteed. For this problem, we designed and realized a process detection system based on hardware virtualization by building a light virtual machine monitor. We fully monitor the Guest operating system using the highest level of privilege of the Virtual Machine Monitor, and collect credible process information online from outside the operating system for detection.

The paper's work and innovations include:

1. An in-depth analysis and research of hardware virtualization technology, especially the Intel VT-x technology. On this basis, the paper constructs a light VMM with the Intel VT-x technology.

2. Through in-depth analysis of hardware virtualization and the operating system kernel, combined with the existing communication mechanisms of the operating system and the new instructions of hardware virtualization, the paper proposes a semantic mapping and semantic reconstruction method to fill the semantic gap and achieve effective communication between the VMM and the Guest OS. On this basis, the detection of hidden processes is realized.

3. On the basis of the traditional method of terminating a process by clearing its memory, and taking full advantage of the VMM's privilege, the paper puts forward a way to intercept the MOV CR3 action in the VMM to identify the process to be terminated, to traverse the 0-2G address space to accurately locate the memory space of the process to be terminated, and to achieve termination of the target process by memory reset.

4. The paper creates a method to monitor process creation by building a blacklist and destroying the creation of malicious processes in the VMM; this way needs no hook on any system function, which ensures the integrity of the system.

The test results show that the system can detect hidden processes reliably, its performance overhead is small, and it has good usability.
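The cross-view comparison described above, as an added example that is not the thesis's own code: the VMM-side view is the set of CR3 (page-directory base) values recorded at MOV CR3 intercepts, the guest-side view is the process list the OS reports, and both are constructed sample data here. A context that was scheduled both before and after the guest snapshot must have existed at snapshot time, so if it is absent from the guest list it is reported as hidden; contexts seen on only one side of the snapshot (just exited or just created) are kept separate so they do not become false positives.

```python
"""Cross-view hidden-process detection keyed on CR3.

Added illustration, not code from the thesis. Assumptions: the VMM logs
each MOV CR3 intercept as (tick, cr3); a guest-side agent reports the OS
process list as {cr3: name} at a known tick. Each process owns a distinct
page-directory base, so CR3 identifies the scheduled process even when a
rootkit has unlinked it from the kernel's process list.
"""

# Constructed MOV CR3 intercept trace (tick, cr3). Not real data.
CR3_TRACE = [
    (1, 0x185000), (2, 0x1c0000), (3, 0x2b0000), (4, 0x1a3000),
    (5, 0x185000), (6, 0x1c0000),   # tick 6 is the guest snapshot
    (7, 0x1a3000), (8, 0x1c0000), (9, 0x3f0000), (10, 0x185000),
]
SNAPSHOT_TICK = 6

# Constructed guest-side list, as a compromised OS would report it:
# the context 0x1a3000 is scheduled but never reported (hidden).
GUEST_LIST = {0x185000: "System", 0x1c0000: "explorer.exe"}


def cross_view(trace, guest_list, t_snap):
    """Compare the VMM's scheduling view against the guest's process list.

    hidden      - ran before and after t_snap, so it existed at t_snap,
                  yet the guest did not report it
    unconfirmed - seen on only one side of t_snap (exited or spawned
                  around the snapshot); not enough evidence to flag
    visible     - existed at t_snap and the guest reported it
    """
    before = {cr3 for t, cr3 in trace if t <= t_snap}
    after = {cr3 for t, cr3 in trace if t >= t_snap}
    alive = before & after
    transient = (before | after) - alive
    reported = set(guest_list)
    return {
        "hidden": sorted(alive - reported),
        "unconfirmed": sorted(transient - reported),
        "visible": sorted(alive & reported),
    }


if __name__ == "__main__":
    result = cross_view(CR3_TRACE, GUEST_LIST, SNAPSHOT_TICK)
    for label, cr3s in result.items():
        print(label, [hex(c) for c in cr3s])
```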
Keywords/Search Tags: Hardware Virtualization, Process Hiding, Cross-view, Process Detection, Virtual Machine Monitor