Abstract
Executing malicious code in a hidden process is a major way of carrying out information attacks. At present, hidden process detection methods based on the In-VM model of a virtualization platform can be attacked by circumventing them or by tampering with the relevant data. To solve this problem, a highly reliable In-VM hidden process detection method was proposed. First, an In-VM model and a virtualization-based memory protection mechanism were developed to protect the detection code and the relevant kernel data from being maliciously modified. Second, by precisely hijacking the system's transfer function and detecting hidden processes with a cross-view method, the detection algorithm was kept from being circumvented. Finally, several typical rootkits were built or chosen for the experiments. The results show that the proposed method can detect all kinds of hidden processes; its detection code and relevant kernel data cannot be tampered with, and neither its detection algorithm nor its memory protection mechanism can be circumvented. The developed memory protection mechanism also has better system performance, showing higher reliability and stronger practical value.
| Translated title of the contribution | A Highly Reliable In-VM Hidden Process Detection Countermeasure |
|---|---|
| Original language | Traditional Chinese |
| Pages (from-to) | 305-312 |
| Number of pages | 8 |
| Journal | Beijing Ligong Daxue Xuebao/Transaction of Beijing Institute of Technology |
| Volume | 38 |
| Issue number | 3 |
| Publication status | Published - 1 Mar 2018 |
Keywords
- Hidden process
- In-VM model
- Process detection
- Rootkit
- Virtualization
Original title: 高可靠In-VM隐藏进程对抗检查方法