%0 Journal Article
%T Detecting hidden process with local virtualization technology (基于本地虚拟化技术的隐藏进程检测)
%A WEN Yan
%A ZHAO Jin-jing
%A WANG Huai-min
%A 温研
%A 赵金晶
%A 王怀民
%J 计算机应用
%D 2008
%I
%X Stealth malware is currently becoming a major threat to PC computers. Process hiding is a technique commonly used by stealth malware to evade detection by anti-malware scanners. In this paper, we present a new VM-based approach called Gemini that accurately reproduces the software environment of the underlying preinstalled OS within the Gemini VM. With our new local-booting technology, the Gemini VM boots from the underlying host OS rather than from a newly installed OS image. In addition, Gemini adopts a unique technique to implicitly construct the Trusted View of Process List (TVPL) from within the virtualized hardware layer, which gives Gemini a way to detect existing process-hiding stealth malware in the host OS. Our evaluation results with real-world process-hiding rootkits, which are widely used by stealth malware, demonstrate its practicality and effectiveness.
%K virtual machine monitor (VMM)
%K virtual machine (VM)
%K stealth malware
%K local virtualization
%K process hiding
%K 虚拟机监视器
%K 虚拟机
%K 自隐藏恶意代码
%K 本地虚拟化技术
%K 进程隐藏
%U http://www.alljournals.cn/get_abstract_url.aspx?pcid=5B3AB970F71A803DEACDC0559115BFCF0A068CD97DD29835&cid=8240383F08CE46C8B05036380D75B607&jid=831E194C147C78FAAFCC50BC7ADD1732&aid=0C8EE2BB2CD6E723BE32451D886086EE&yid=67289AFF6305E306&vid=D3E34374A0D77D7F&iid=DF92D298D3FF1E6E&sid=DF28BAAD0FD19027&eid=8A16493E4294FD55&journal_id=1001-9081&journal_name=计算机应用&referenced_num=0&reference_num=10