
Design And Realization Of Hiding Objects Detection System Based On Virtual Machine Monitor Technology

Posted on: 2017-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: M Li
GTID: 2348330503992619
Subject: Software engineering

Abstract/Summary:
Rootkits have recently become a popular form of hacker malware on the Internet. A rootkit takes control of a host while hiding itself, and so poses a serious threat to the host's information security. After compromising the host, it uses various means to hide the traces of its activity; the main operating system objects it hides are processes, network connections and files, of which processes and network connections, being dynamic, are the most important hiding targets. Detecting the operating system's hidden objects, in particular processes and network connections, and thereby protecting the host from being controlled and abused by a rootkit, therefore plays a very important role in protecting the host's information security. However, current host-based and hardware-assisted solutions have some disadvantages, and the development of virtualization technology provides a better solution.

This paper designs and implements a virtual machine monitor (VMM) based mechanism for detecting hidden operating system objects, including a hidden process detection mechanism based on multi-view detection and a hidden network connection detection mechanism based on dual-view detection, to provide detection that is more reliable, more active and carries good semantic information. The mechanism is not only transparent to the guest virtual machine but also gives the guest virtual machine some performance guarantees, so that it runs in a more secure environment. The main work of this paper is as follows:

The hiding techniques used against the operating system are studied, and the principles and deficiencies of traditional detection technology based on the operating system and of detection technology based on auxiliary hardware are analyzed.

On this basis, the theory of VMM-based hidden object detection is introduced in detail, with a focus on hardware virtualization technology, especially Intel VT-x and its data structures, which are analyzed in depth to grasp the characteristics and advantages of the virtual machine monitor. In light of the existing problems of hidden object detection, the detection principle of VMDetector, its theoretical model of hidden object detection and the virtual machine performance issues of the VMDetector system are studied, and the actual requirements for the two kinds of objects are analyzed and discussed. Combined with VMDetector's design principles, the core system flow and overall architecture are given, and the outline design of VMDetector's main modules is completed. Based on the design of the VMDetector hidden object detection system, its key technologies are studied: the maintenance mechanisms and related algorithms for the VMM-level process view and the kernel-level process view are designed, and the use of the guest VM-Exit events available to the virtual machine monitor is explored.

How the process views are maintained under different VM-Exit conditions is analyzed. Then the process semantic information conversion mechanism and the process-to-port mapping information acquisition mechanism and algorithm are studied in depth, and the detailed design of the system's core functions is given. Functional testing of the VMDetector system's hidden process detection and hidden network connection detection obtained satisfactory results, verifying the correctness of the system design; the implementation of the VMM state management module, the core control module and the trusted network view extraction module, and of the whole system, is presented. This VMM-based technology for detecting hidden operating system objects has the following characteristics: 1) it provides more proactive and more credible hidden process and hidden network detection; 2) it provides hiding-level information about processes; 3) the entire detection activity is transparent to the virtual machine; 4) it provides a clear semantic description of the objects; 5) the system can be used independently; 6) the system preserves the virtual machines' running performance. The VMM-based hidden object detection system designed in this paper not only completes the hidden object detection function but also keeps the performance cost to the virtual machine within a certain range. It has important practical significance for solving network security problems and protecting the host's network information security.
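The cross-view comparison at the heart of the mechanism described above, as an added illustration that is not the thesis's own code: a VMM-level process view (assumed here to be a CR3-to-PID mapping built from VM-Exit monitoring) is compared against several guest kernel views to grade how hidden each process is, and a trusted connection view is compared against the guest's own connection list. All views are constructed sample data.

```python
"""Cross-view comparison for hidden process and hidden connection detection.

Added example, not VMDetector's code. All views below are constructed samples.
"""

# Hypothetical VMM-level view: CR3 (page-directory base) -> PID. A process has
# to run on the CPU to do anything, so the VMM sees it even if the guest hides it.
VMM_VIEW = {0x1A000: 4, 0x2B000: 812, 0x3C000: 1337, 0x4D000: 2048}

# Guest kernel-level views (multi-view): each is the set of PIDs one kernel data
# source reports. A rootkit may unlink a process from one source but not others.
KERNEL_VIEWS = {
    "task_list": {4, 812},          # process list exposed to user tools
    "scheduler": {4, 812, 1337},    # processes still known to the scheduler
}

# Network views (dual-view): (proto, local_port, pid). The trusted view is what
# the VMM extracts; the guest view is what netstat-like tools inside the VM show.
TRUSTED_CONNS = {("tcp", 22, 812), ("tcp", 8443, 2048)}
GUEST_CONNS = {("tcp", 22, 812)}


def classify_processes(vmm_view, kernel_views):
    """Return {pid: (hiding_level, views_missing_from)} for each VMM-visible PID.

    visible          - present in every kernel view
    partially hidden - missing from some kernel views (the hiding-level info)
    hidden           - missing from every kernel view but still seen by the VMM
    """
    result = {}
    for pid in vmm_view.values():
        missing = tuple(n for n, pids in kernel_views.items() if pid not in pids)
        if not missing:
            level = "visible"
        elif len(missing) == len(kernel_views):
            level = "hidden"
        else:
            level = "partially hidden"
        result[pid] = (level, missing)
    return result


def hidden_connections(trusted_conns, guest_conns):
    """Connections present in the trusted VMM view that the guest does not report."""
    return sorted(trusted_conns - guest_conns)


if __name__ == "__main__":
    for pid, (level, missing) in classify_processes(VMM_VIEW, KERNEL_VIEWS).items():
        print(f"pid {pid}: {level}", f"(absent from {', '.join(missing)})" if missing else "")
    print("hidden connections:", hidden_connections(TRUSTED_CONNS, GUEST_CONNS))
```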
Keywords/Search Tags: virtual machine, rootkit, hidden object, detection, cross-view comparison