    Wang Lina, Gao Hanjun, Liu Wei, Peng Yang. Detecting and Managing Hidden Process via Hypervisor[J]. Journal of Computer Research and Development, 2011, 48(8): 1534-1541.

    Detecting and Managing Hidden Process via Hypervisor

    Malicious processes are a significant threat to computer system security: they not only compromise the integrity of the system, but are also becoming increasingly stealthy and elusive when assisted by rootkit techniques. Conventional detection tools are deployed and executed inside the very host they are protecting, which leaves them vulnerable to deception and subversion. To improve detection accuracy and tamper resistance, a VMM-based hidden process detection system located outside the protected virtual machine is designed and implemented. Using the virtual machine introspection mechanism, the system implicitly inspects the low-level state of the protected virtual machine and then, by semantic view reconstruction, rebuilds the high-level OS abstractions (process queues) needed for analysis. Based on the cross-view validation principle, the system compares the various process queues of the internal and external views and identifies the hidden process through their discrepancies. In addition, the system provides a response mechanism that reports more specific information about the hidden process (such as network ports and real memory occupation) to the administrator, and supplies interfaces for terminating and suspending the hidden process. Experiments on real-world rootkits that can hide processes are designed to validate the effectiveness and feasibility of the detection system.
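The two mechanisms the abstract names, semantic view reconstruction (walking the guest kernel's process queues from raw memory) and cross-view validation (diffing those external views against what an in-guest tool reports), are shown below in an added Python example. It is not the paper's code; the descriptor layout, list-head addresses, process names and the in-guest `ps` output are all constructed for the demonstration. A guest that hides a process from the all-tasks list while it remains in the scheduler's run queue is the scenario the example models, because a process that still needs CPU time must stay reachable from some kernel queue.

```python
import struct

# Hypothetical guest process-descriptor layout (an assumption for this example,
# not any real kernel's and not the paper's):
#   offset  0: pid        (uint32 LE)
#   offset  4: name       (16 bytes, NUL padded)
#   offset 20: next pointer in the all-tasks list     (uint32 guest address)
#   offset 24: next pointer in the scheduler run queue (uint32 guest address)
DESC_SIZE = 28
OFF_PID, OFF_NAME, OFF_TASK_NEXT, OFF_RUN_NEXT = 0, 4, 20, 24
TASK_LIST_HEAD = 0x1000   # sentinel node of the circular all-tasks list
RUN_QUEUE_HEAD = 0x1020   # sentinel node of the circular run queue


def build_guest_memory(procs, task_members, run_members):
    """Construct a toy guest physical-memory image (constructed sample data).
    procs: {pid: (name, descriptor address)}
    task_members / run_members: pids linked into each circular list, in order."""
    mem = bytearray(0x4000)

    def write_desc(addr, pid, name):
        mem[addr:addr + 4] = struct.pack("<I", pid)
        mem[addr + OFF_NAME:addr + OFF_NAME + 16] = name.encode().ljust(16, b"\0")

    write_desc(TASK_LIST_HEAD, 0, "task-head")
    write_desc(RUN_QUEUE_HEAD, 0, "run-head")
    for pid, (name, addr) in procs.items():
        write_desc(addr, pid, name)

    def link(head, members, off):
        order = [head] + [procs[p][1] for p in members]
        for i, addr in enumerate(order):          # circular: last node points back to head
            nxt = order[(i + 1) % len(order)]
            mem[addr + off:addr + off + 4] = struct.pack("<I", nxt)

    link(TASK_LIST_HEAD, task_members, OFF_TASK_NEXT)
    link(RUN_QUEUE_HEAD, run_members, OFF_RUN_NEXT)
    return mem


def reconstruct(mem, head, next_off, max_nodes=1024):
    """Semantic view reconstruction: from outside the VM, walk one kernel list in
    raw guest memory and return {pid: name}. The walk is bounded and range-checked
    so a corrupted or deliberately looping list cannot hang the monitor."""
    procs = {}
    addr = struct.unpack_from("<I", mem, head + next_off)[0]
    for _ in range(max_nodes):
        if addr == head:                          # back at the sentinel: list complete
            return procs
        if addr + DESC_SIZE > len(mem):
            raise ValueError(f"pointer 0x{addr:x} points outside guest memory")
        pid = struct.unpack_from("<I", mem, addr + OFF_PID)[0]
        raw = mem[addr + OFF_NAME:addr + OFF_NAME + 16]
        procs[pid] = raw.split(b"\0", 1)[0].decode()
        addr = struct.unpack_from("<I", mem, addr + next_off)[0]
    raise ValueError("list did not terminate within max_nodes; possible corruption")


def cross_view_hidden(internal_pids, external_views):
    """Cross-view validation: any PID present in an external (hypervisor) view but
    absent from the internal (in-guest) view is reported as hidden, together with
    the queues it was found in."""
    internal = set(internal_pids)
    hidden = {}
    for view_name, view in external_views.items():
        for pid, name in view.items():
            if pid not in internal:
                entry = hidden.setdefault(pid, {"name": name, "seen_in": []})
                entry["seen_in"].append(view_name)
    return hidden


def demo():
    # Constructed scenario: pid 666 is absent from the all-tasks list (the queue an
    # in-guest process lister walks) but still linked into the run queue.
    procs = {1: ("init", 0x2000), 200: ("sshd", 0x2100),
             300: ("bash", 0x2200), 666: ("stealthd", 0x2300)}
    mem = build_guest_memory(procs, task_members=[1, 200, 300],
                             run_members=[200, 300, 666])
    external = {
        "all_tasks": reconstruct(mem, TASK_LIST_HEAD, OFF_TASK_NEXT),
        "run_queue": reconstruct(mem, RUN_QUEUE_HEAD, OFF_RUN_NEXT),
    }
    internal = [1, 200, 300]   # constructed sample of what an in-guest tool reports
    return cross_view_hidden(internal, external)


if __name__ == "__main__":
    for pid, info in demo().items():
        print(f"hidden pid {pid} ({info['name']}) found in: {', '.join(info['seen_in'])}")
```

The important design choice is that the external side reconstructs more than one queue: a process unlinked from the list the in-guest tools read still has to appear wherever the scheduler finds it, and reporting which queues revealed it is exactly the "more specific information" the abstract says the response mechanism hands to the administrator.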
