
Research On The Technologies Of Kernel Module Behavior Analysis Based On VMM

Posted on: 2015-09-13
Degree: Master
Type: Thesis
Country: China
Candidate: K Ma
Full Text: PDF
GTID: 2298330434456443
Subject: Computer Science and Technology

Abstract/Summary:
On the one hand, the rapid development of the Internet provides us with flexible and convenient means of communication, rich information resources, and a convenient e-commerce trading platform; on the other hand, the security problems faced by networks are becoming more and more serious. Malware behavior analysis is the premise of malicious code detection: it provides the characteristics of Trojans and viruses to anti-virus software. However, a traditional behavior analysis tool itself runs inside an insecure system environment, where it is vulnerable to attack or deception; malicious behavior analysis based on virtual machines was developed precisely to overcome the shortcomings of traditional analysis tools. This paper focuses on analyzing the behavior of malicious code based on virtual machine technology. At present, behavior analysis of kernel modules is largely lacking, so this paper studies behavior analysis technology for kernel modules. The main contributions and innovations are:

(1) A behavior analysis model for kernel modules based on the "In-VM" idea is proposed. At present there are very few behavioral analysis studies for kernel modules, for two main reasons: first, all kernel modules share the same kernel space and therefore have the same system privileges; second, kernel functions are scattered, so their behavior cannot be monitored with traditional function-HOOK-based methods. This paper takes advantage of virtualization technology: the VMM (virtual machine monitor) runs at a layer below the guest operating system (Guest OS) and therefore has higher operating authority, and on this basis it monitors the guest system's behavior. We use the "In-VM" idea to isolate the kernel module under analysis and to analyze its behavior of tampering with critical data or calling system functions.

(2) The automated identification of malicious kernel module behavior is studied. Given the known behavior of a kernel module, how to automatically determine whether the module contains malicious behavior is an important problem. This paper studies two aspects, kernel data and kernel functions: it analyzes and protects critical data areas and raises an alarm on high-risk behavior; it monitors the execution of high-risk functions and determines from the function flow whether malicious behavior is present.

(3) A prototype system for kernel module analysis based on the "In-VM" idea is implemented. The prototype is built on KVM. Taking advantage of the VMM's virtual memory mechanism, this paper establishes an isolated kernel address space in the Guest OS; the kernel module under analysis is placed in the isolated space, so that its behaviors of tampering with system-critical data and calling system functions can be monitored. Experiments show that the prototype system is capable of analyzing DKOM behavior, HOOK behavior, the execution of system functions, and so on.

This research is supported by the Hunan Provincial Education Department Industrialization Project (11CY018), and aims to improve analysis skills and the ability to detect malicious code.
Keywords/Search Tags: Virtual machine monitor, Hardware virtualization, kernel module analysis, kernel malware, "In-VM" model