
The Design And Implementation Of QEMU-based Process Detection Tool

Posted on: 2014-06-09
Degree: Master
Type: Thesis
Country: China
Candidate: M Tang
Full Text: PDF
GTID: 2298330431459813
Subject: Computer system architecture
Abstract/Summary:
With the development of computer technology, the computer has become an indispensable part of people's daily life. However, the amount of malicious software is increasing rapidly, and the anti-analysis and anti-detection techniques used by malware keep improving. Designing and implementing better security software is therefore a key problem in applied computer security. Traditional analysis tools typically run inside the operating system they inspect, so malware running at the same privilege level can detect their presence and hide from them, which severely limits what they can observe. Virtualization technology offers an effective alternative for malware detection and analysis because of its characteristics of isolation, security and transparency.

Starting from process detection theory and the design of the QEMU emulator, we analyze existing process detection mechanisms and the features of the QEMU emulator in detail, and then propose a new process detection method based on QEMU, which detects the processes inside the guest operating system from outside the system. In this thesis we examine the QEMU source code, the kernel process management mechanism of Windows and its related data structures, and then design and implement a QEMU-based detection tool. With this tool, all processes running in the guest operating system, including hidden processes, can be detected, and a specified process can also be hidden.

Finally, the detection tool is shown to be correct in design and functional in practice. The proposed detection tool lays a foundation for future code-level malware detection and analysis, and for feature extraction from malicious programs.
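The detection method described above, walking the Windows kernel's process list from outside the guest and comparing it against objects carved from raw memory, can be illustrated with a small added example. This is not the thesis's tool and not QEMU code: it operates on a constructed guest-RAM image, uses a simplified stand-in for EPROCESS with made-up field offsets, pool tag placement, PIDs and image names, and skips the guest virtual-to-physical translation a real tool must do through CR3. The `guest_read()` helper plays the role that `cpu_physical_memory_read()` plays inside QEMU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE 0x1000u
#define MAX_PROCS 16

/* Simplified stand-in for a pool-allocated EPROCESS. Real Windows layouts
 * (pool header, EPROCESS field offsets) differ per build; these are assumptions. */
struct fake_eprocess {
    char     pool_tag[4];      /* "Proc" pool tag, as in nt!_POOL_HEADER (placement assumed) */
    uint32_t pid;              /* UniqueProcessId analogue */
    uint32_t flink;            /* ActiveProcessLinks.Flink: guest-physical address of next LIST_ENTRY */
    uint32_t blink;            /* ActiveProcessLinks.Blink */
    char     image_name[16];   /* ImageFileName analogue */
};

#define LINKS_OFF   ((uint32_t)offsetof(struct fake_eprocess, flink))
#define LINKS(base) ((base) + LINKS_OFF)   /* address of the LIST_ENTRY inside an object */

static uint8_t guest_mem[GUEST_MEM_SIZE];  /* constructed guest RAM snapshot */

/* Guest-physical addresses chosen for the example. */
#define LIST_HEAD   0x100u   /* PsActiveProcessHead analogue: a bare LIST_ENTRY */
#define PROC_A      0x200u
#define PROC_B      0x300u
#define PROC_HIDDEN 0x400u
#define PROC_C      0x500u

/* Bounds-checked read from the guest image (QEMU: cpu_physical_memory_read). */
static int guest_read(uint32_t addr, void *buf, size_t len)
{
    if (addr > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - addr) return 0;
    memcpy(buf, guest_mem + addr, len);
    return 1;
}

static void put_proc(uint32_t addr, uint32_t pid, uint32_t flink, uint32_t blink, const char *name)
{
    struct fake_eprocess p;
    memset(&p, 0, sizeof p);
    memcpy(p.pool_tag, "Proc", 4);
    p.pid = pid;
    p.flink = flink;
    p.blink = blink;
    strncpy(p.image_name, name, sizeof p.image_name - 1);
    memcpy(guest_mem + addr, &p, sizeof p);
}

/* Constructed guest: Head -> A -> B -> C -> Head. PROC_HIDDEN has been unlinked
 * DKOM-style: its neighbours skip it while its own links still point at B and C. */
void build_guest_image(void)
{
    uint32_t head[2] = { LINKS(PROC_A), LINKS(PROC_C) };
    memset(guest_mem, 0, sizeof guest_mem);
    memcpy(guest_mem + LIST_HEAD, head, sizeof head);
    put_proc(PROC_A,      4,    LINKS(PROC_B), LIST_HEAD,     "System");
    put_proc(PROC_B,      612,  LINKS(PROC_C), LINKS(PROC_A), "svchost.exe");
    put_proc(PROC_HIDDEN, 2001, LINKS(PROC_C), LINKS(PROC_B), "stealth.exe");
    put_proc(PROC_C,      1337, LIST_HEAD,     LINKS(PROC_B), "explorer.exe");
}

/* View 1: follow ActiveProcessLinks from the head, which is all an in-guest
 * tool sees. The n < max bound also stops a corrupted, cyclic list. */
int walk_active_list(uint32_t pids[], int max)
{
    uint32_t cur;
    int n = 0;
    if (!guest_read(LIST_HEAD, &cur, sizeof cur)) return -1;
    while (cur != LIST_HEAD && n < max) {
        struct fake_eprocess p;
        /* CONTAINING_RECORD: the LIST_ENTRY lives inside the object, step back to its base. */
        if (cur < LINKS_OFF || !guest_read(cur - LINKS_OFF, &p, sizeof p)) return -1;
        pids[n++] = p.pid;
        cur = p.flink;
    }
    return n;
}

/* View 2: carve process objects by pool tag from the raw image, independent of
 * any kernel list. The 8-byte step mirrors pool allocation granularity (assumed). */
int scan_pool_tags(uint32_t pids[], int max)
{
    int n = 0;
    for (uint32_t off = 0; off + sizeof(struct fake_eprocess) <= GUEST_MEM_SIZE && n < max; off += 8) {
        struct fake_eprocess p;
        guest_read(off, &p, sizeof p);
        if (memcmp(p.pool_tag, "Proc", 4) == 0 && p.pid != 0) pids[n++] = p.pid;
    }
    return n;
}

/* Cross-view: anything carved from memory but absent from the list is hidden. */
int find_hidden(uint32_t hidden[], int max)
{
    uint32_t listed[MAX_PROCS], carved[MAX_PROCS];
    int nl = walk_active_list(listed, MAX_PROCS);
    int nc = scan_pool_tags(carved, MAX_PROCS);
    int n = 0;
    if (nl < 0 || nc < 0) return -1;
    for (int i = 0; i < nc && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++) if (listed[j] == carved[i]) seen = 1;
        if (!seen) hidden[n++] = carved[i];
    }
    return n;
}

int main(void)
{
    uint32_t pids[MAX_PROCS];
    build_guest_image();
    int n = find_hidden(pids, MAX_PROCS);
    for (int i = 0; i < n; i++) printf("hidden process: pid %u\n", pids[i]);
    return 0;
}
```

Because the scan reads only guest memory, the guest cannot tamper with it; the remaining attack surface is the layout knowledge itself, so a real tool must resolve EPROCESS offsets per Windows build (for instance from the kernel's debug symbols) and validate carved candidates (link consistency, sane PID ranges) to avoid false positives from stale pool memory.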
Keywords/Search Tags:QEMU Emulator, Security, Process Detection, Windows Kernel