Towards a Novel Approach for Hidden Process Detection Based on Physical Memory Scanning

By leveraging a well-developed rootkit, malware can deeply hide its own process and is hard to detect. Based on an analysis of various existing detection technologies, this paper proposes a novel approach for hidden process detection. The approach uses page table entry patching to traverse physical memory and obtain the raw data, and formulates characteristic selection constraints to extract reliable process object characteristics; these characteristics are then used to search for process object instances in physical memory by string matching, forming a credible list of processes. The approach can also be used to search for other kernel objects on a variety of system platforms. The experimental results show that the new detection method is effective in hidden process searching.
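To illustrate the scan-and-validate idea described in the abstract, the following is an added example (written here, not the paper's implementation): it string-matches a tag across a raw memory image, applies characteristic constraints to each hit, and compares the credible list with what the OS reports. The object layout, tag, constraint values and memory image are all constructed for the example and do not correspond to any real operating system structure.

```python
import re
import struct

# Constructed toy process-object layout (an assumption for this example,
# not a real OS structure): 32 bytes total.
#   off 0,  4 bytes  tag          b"Proc"
#   off 4,  4 bytes  object_size  must equal OBJ_SIZE
#   off 8,  4 bytes  pid          0 < pid < 65536, multiple of 4
#   off 12, 4 bytes  type_ptr     must equal TYPE_PTR (object-type pointer)
#   off 16, 16 bytes name         NUL-padded printable ASCII
OBJ_SIZE, TYPE_PTR, TAG = 0x20, 0x80001234, b"Proc"

def make_object(pid, name, size=OBJ_SIZE, type_ptr=TYPE_PTR):
    return TAG + struct.pack("<III", size, pid, type_ptr) + name.encode().ljust(16, b"\x00")

def passes_constraints(obj):
    """Characteristic constraints a genuine process object must satisfy."""
    size, pid, type_ptr = struct.unpack_from("<III", obj, 4)
    name = obj[16:32].split(b"\x00", 1)[0]
    return bool(size == OBJ_SIZE and type_ptr == TYPE_PTR
                and 0 < pid < 65536 and pid % 4 == 0
                and name and all(32 <= c < 127 for c in name))

def scan_memory(image):
    """String-match the tag across the raw image, then validate each hit."""
    found = []
    for m in re.finditer(re.escape(TAG), image):
        off = m.start()
        obj = image[off:off + OBJ_SIZE]
        if len(obj) == OBJ_SIZE and passes_constraints(obj):
            _, pid, _ = struct.unpack_from("<III", obj, 4)
            found.append((off, pid, obj[16:32].rstrip(b"\x00").decode()))
    return found

def hidden_processes(image, reported_pids):
    """Objects present in physical memory but absent from the OS-reported list."""
    return [p for p in scan_memory(image) if p[1] not in reported_pids]

# Constructed physical-memory image: filler, two visible objects, one decoy
# that carries the tag but fails the constraints, and one unlinked object.
MEMORY = (b"\x00" * 100 + make_object(4, "System") + b"\xff" * 37
          + make_object(1236, "explorer.exe") + b"Proc" + b"\x00" * 28
          + make_object(4444, "rootkit.exe") + b"\x00" * 50)
REPORTED = {4, 1236}   # what a (possibly subverted) OS process list shows

if __name__ == "__main__":
    for off, pid, name in hidden_processes(MEMORY, REPORTED):
        print(f"hidden process pid={pid} name={name!r} at offset 0x{off:x}")
```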