Journal of Software, 2011, 22(zk2): 1-8

Approach for Hardware Virtualization-Based Rootkit Detection via Physical Memory Searching
ZHOU Tian-Yang, ZHU Jun-Hu, LI He-Shuai, WANG Qing-Xian
(Institute of Information Engineering, PLA Information Engineering University, Zhengzhou 450002, China)
Received: February 15, 2011    Revised: July 28, 2011
Abstract: Hardware virtualization-based Rootkit (HVBR) is a new type of malware that has emerged in recent years. Compared with the traditional Rootkit, HVBR is stealthier and more difficult to detect effectively. This paper analyzes the concealment principle and working mechanism of HVBR. Targeting HVBR's ability to evade detection by bypassing scans of virtual memory, the paper proposes a detection approach based on physical memory search. The approach modifies page table entries (PTEs) to traverse physical memory, and matches the fixed characteristics of HVBR against the raw memory data to detect and locate HVBR in memory. Experimental results show that the approach is reliable and efficient.
Foundation items: National Natural Science Foundation of China (60903220)
Reference text:

ZHOU Tian-Yang, ZHU Jun-Hu, LI He-Shuai, WANG Qing-Xian. Approach for Hardware Virtualization-Based Rootkit Detection via Physical Memory Searching. Journal of Software, 2011, 22(zk2): 1-8