计算机应用 (Computer Applications), 2008
Detecting hidden process with local virtualization technology
Abstract:
Stealth malware is currently becoming a major threat to PC computers. Process hiding is a technique commonly used by stealth malware to evade detection by anti-malware scanners. In this paper we present a new VM-based approach called Gemini that accurately reproduces the software environment of the underlying preinstalled OS inside the Gemini VM. With our new local-booting technology, the Gemini VM boots from the underlying host OS rather than from a newly installed OS image. In addition, Gemini adopts a unique technique to implicitly construct the Trusted View of Process List (TVPL) from within the virtualized hardware layer, and thereby provides a way to detect existing process-hiding stealth malware in the host OS. Our evaluation results with real-world process-hiding rootkits, which are widely used by stealth malware, demonstrate its practicality and effectiveness.
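The detection principle the abstract describes is a cross-view comparison: a process list built below the OS (the TVPL) is compared with the list the OS itself reports, and any process present in the trusted view but missing from the OS view is a hiding candidate. The following is an added example of that comparison, not the paper's code: the record type, the function names and the two sampled process lists are all constructed here as assumptions, and the trusted view is simply given as input rather than extracted from a real virtualized hardware layer. The example also handles the failure mode a practitioner hits first, namely processes that start or exit between the two enumerations and therefore look hidden in a single comparison; it confirms a candidate only if it is flagged in every round.

```python
"""Cross-view hidden-process detection (illustrative model, not Gemini's code).

A trusted process list obtained below the OS is compared against the list
the OS reports.  Entries present in the trusted view but absent from the OS
view are hiding candidates.  Because the two lists cannot be captured at the
same instant, a process that exits or starts between the snapshots produces a
transient discrepancy; confirmed_hidden() removes those by requiring a
candidate to be flagged in every observation round.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcessRecord:
    """One entry of a process list (hypothetical record shape)."""
    pid: int
    name: str


def hidden_processes(trusted: Iterable[ProcessRecord],
                     reported: Iterable[ProcessRecord]) -> Set[ProcessRecord]:
    """Return trusted-view records whose PID the OS-reported view does not list."""
    reported_pids = {r.pid for r in reported}
    return {t for t in trusted if t.pid not in reported_pids}


def confirmed_hidden(rounds: List[Tuple[List[ProcessRecord], List[ProcessRecord]]]
                     ) -> Set[ProcessRecord]:
    """Intersect the candidates of several (trusted, reported) rounds.

    A process that merely exited between the trusted and the OS enumeration
    is flagged in one round but not the next, so it drops out of the
    intersection; a process hidden from the OS stays flagged in every round.
    Matching on (pid, name) rather than pid alone also avoids treating a
    reused PID as the same process across rounds.
    """
    result: Set[ProcessRecord] = set()
    for index, (trusted, reported) in enumerate(rounds):
        found = hidden_processes(trusted, reported)
        result = found if index == 0 else result & found
    return result


# Constructed sample data (not captured from any real system).
# Round 1: PID 2044 is absent from the OS view; PID 3100 exited between the
# two enumerations and is therefore only a transient discrepancy.
SAMPLE_ROUNDS: List[Tuple[List[ProcessRecord], List[ProcessRecord]]] = [
    (
        [ProcessRecord(4, "System"), ProcessRecord(620, "services.exe"),
         ProcessRecord(1888, "explorer.exe"), ProcessRecord(2044, "svchost.exe"),
         ProcessRecord(3100, "tmp_a.exe")],
        [ProcessRecord(4, "System"), ProcessRecord(620, "services.exe"),
         ProcessRecord(1888, "explorer.exe")],
    ),
    # Round 2: PID 3100 is gone from both views, PID 2044 is still only in
    # the trusted view, and a new legitimate process 3212 appears in both.
    (
        [ProcessRecord(4, "System"), ProcessRecord(620, "services.exe"),
         ProcessRecord(1888, "explorer.exe"), ProcessRecord(2044, "svchost.exe"),
         ProcessRecord(3212, "notepad.exe")],
        [ProcessRecord(4, "System"), ProcessRecord(620, "services.exe"),
         ProcessRecord(1888, "explorer.exe"), ProcessRecord(3212, "notepad.exe")],
    ),
]


if __name__ == "__main__":
    for number, (trusted, reported) in enumerate(SAMPLE_ROUNDS, start=1):
        print(f"round {number} candidates:",
              sorted(r.pid for r in hidden_processes(trusted, reported)))
    print("confirmed hidden:", sorted(confirmed_hidden(SAMPLE_ROUNDS)))
```

Run as a script it prints the per-round candidates ({2044, 3100} in round 1, {2044} in round 2) and the single confirmed hidden record. In a real deployment the trusted list would come from the layer below the OS and the reported list from the OS's own enumeration API; the comparison logic itself does not change.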