Hidden process offline forensic based on memory analysis in windows

Wuhan University Journal of Natural Sciences

Abstract

Malicious software usually evades anti-virus detection by hiding itself among apparently legitimate programs. In this work, we propose Windows Virtual Machine Introspection (WVMI) to accurately detect such hidden processes by analyzing memory data. WVMI dumps the in-memory data of the target Windows operating system from the hypervisor, first retrieves the addresses of the EPROCESS structures on the process linked list, and then generates a Data Type Confidence Table (DTCT). Next, it traverses the memory and, using the DTCT, identifies the similarities between the nodes of the process linked list and the corresponding segments in memory. Finally, it locates the segments holding Windows EPROCESS structures and identifies the hidden processes by further comparison. Extensive experiments show that WVMI detects hidden processes with a high identification rate and that it is independent of the Windows version.
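As an added illustration (not the paper's code), the following Python sketches the cross-view idea the abstract describes: walk the process linked list, scan memory for EPROCESS-like segments using a per-field confidence score that stands in for the DTCT, and report the segments that appear in the scan but not on the list. The record layout, field weights and the toy memory image are all constructed assumptions, not the real Windows EPROCESS layout.

```python
import struct

# Constructed toy "memory image" of fixed-size pseudo-process records. The layout is
# an assumption for illustration, not the real Windows EPROCESS structure:
#   +0 u32 tag ('PROC'), +4 u32 pid, +8 u32 flink, +12 u32 blink, +16 16-byte name
REC = 32
TAG = struct.unpack("<I", b"PROC")[0]

def record(pid, flink, blink, name):
    return struct.pack("<IIII", TAG, pid, flink, blink) + name.encode().ljust(16, b"\0")

def build_image():
    img = bytearray(REC * 8)                             # 256 bytes of zeroed memory
    img[32:64] = record(4, 64, 128, "System")            # linked: 32 -> 64 -> 128 -> 32
    img[64:96] = record(312, 128, 32, "lsass.exe")
    img[128:160] = record(980, 32, 64, "explorer.exe")
    img[96:128] = record(666, 96, 96, "rootkit.exe")     # unlinked from the list: hidden
    img[192:208] = b"PROC" + b"\xff" * 12                # stray tag with junk fields
    return bytes(img)

def parse(img, off):
    tag, pid, flink, blink = struct.unpack_from("<IIII", img, off)
    return tag, pid, flink, blink, img[off + 16:off + 32]

def confidence(img, off):
    """Toy stand-in for the DTCT: each field type adds weight when the bytes fit it."""
    tag, pid, flink, blink, name = parse(img, off)
    ok_ptr = lambda p: p % REC == 0 and REC <= p < len(img)
    text = name.rstrip(b"\0")
    score = 0.4 * (tag == TAG)
    score += 0.2 * (0 < pid < 0x10000)
    score += 0.2 * (ok_ptr(flink) and ok_ptr(blink))
    score += 0.2 * (len(text) > 0 and all(32 <= b < 127 for b in text))
    return score

def walk_list(img, head):
    """List view: follow flink from the list head until the list wraps around."""
    seen, off = [], head
    while off not in seen and 0 <= off <= len(img) - REC:
        seen.append(off)
        off = parse(img, off)[2]
    return seen

def scan(img, threshold=0.8):
    """Scan view: sweep every REC-aligned offset for EPROCESS-like segments."""
    return [off for off in range(0, len(img), REC) if confidence(img, off) >= threshold]

def find_hidden(img, head):
    """Cross-view comparison: segments that look like processes but are not linked."""
    return sorted(set(scan(img)) - set(walk_list(img, head)))
```

Calling `find_hidden(build_image(), head=32)` returns `[96]`, the unlinked record; the stray tag at offset 192 scores only 0.4 and is rejected, which is the role the confidence table plays in avoiding false positives.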


Author information

Corresponding author

Correspondence to Jingsong Cui.

Additional information

Foundation item: Supported by the National Natural Science Foundation of China (61170026)

Biography: CUI Jingsong, male, Associate professor, research direction: virtualization technology, cloud computing, algorithm optimization.

About this article

Cite this article

Cui, J., Zhang, H., Qi, J. et al. Hidden process offline forensic based on memory analysis in windows. Wuhan Univ. J. Nat. Sci. 22, 346–354 (2017). https://doi.org/10.1007/s11859-017-1257-y
