
Implicit Detection of Hidden Processes with a Feather-Weight Hardware-Assisted Virtual Machine Monitor

  • Conference paper
Information Security and Privacy (ACISP 2008)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5107)

Abstract

Process hiding is a commonly used stealth technique that helps malware evade detection by anti-malware programs. In this paper, we propose a new approach called Aries to implicitly detect hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of the TPL, and non-bypassable interfaces for exposing the TPL. Unlike typical VMMs, Aries can dynamically migrate an already booted OS onto itself. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled from explicit OS implementation details, which privileged malware can subvert. Our functionality evaluation shows that Aries detects more process-hiding malware than existing detectors, while the performance evaluation shows that desktop-oriented workloads achieve 95.2% of native speed on average.
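A cross-view check of the kind the abstract describes, written here as an added example rather than the paper's own code. It assumes the VMM records every page-table-base (CR3) switch it traps, treats the set of address spaces actually scheduled as the implicit TPL, and compares that against the guest-reported process list; the CR3 values, epochs and PIDs below are constructed sample data.

```python
from collections import defaultdict

# Constructed page-table base for the kernel/idle context; assumed to be known
# to the monitor and excluded from the cross-view comparison.
KERNEL_CR3 = 0x00185000


class Cr3Tracker:
    """Builds the implicit True Process List from trapped CR3 switches."""

    def __init__(self):
        # cr3 -> set of introspection epochs in which that address space ran
        self.seen = defaultdict(set)

    def observe(self, cr3, epoch):
        if cr3 != KERNEL_CR3:
            self.seen[cr3].add(epoch)

    def true_process_list(self, current_epoch, min_epochs=2, max_age=1):
        """Address spaces scheduled in at least min_epochs distinct epochs and
        last seen no more than max_age epochs ago.  This filters processes
        that just started or already exited between two guest-list snapshots,
        which would otherwise appear as false 'hidden' hits."""
        return {cr3 for cr3, epochs in self.seen.items()
                if len(epochs) >= min_epochs
                and current_epoch - max(epochs) <= max_age}


def cross_view(tracker, os_reported, current_epoch):
    """Compare the VMM-derived TPL with the guest's own view.
    os_reported maps PID -> page-table base as the guest kernel reports it."""
    tpl = tracker.true_process_list(current_epoch)
    visible = set(os_reported.values())
    hidden = sorted(tpl - visible)            # scheduled, but not listed by the OS
    # Listed by the OS but never scheduled: idle, not hidden; reported so an
    # analyst can judge whether the epoch window is long enough.
    idle = sorted(visible - set(tracker.seen) - {KERNEL_CR3})
    return hidden, idle


# Constructed CR3-switch trace as (epoch, cr3): 0x0c9a3000 runs every epoch but
# is absent from the guest list; 0x0dd00000 exits after epoch 1; 0x0e110000 is new.
TRACE = [
    (1, 0x0a3c1000), (1, 0x0c9a3000), (1, 0x0dd00000), (1, KERNEL_CR3),
    (2, 0x0a3c1000), (2, 0x0b7f2000), (2, 0x0c9a3000),
    (3, 0x0c9a3000), (3, 0x0a3c1000), (3, 0x0e110000),
]
# Constructed guest-reported list taken at epoch 3 (PID -> page-table base)
OS_LIST = {4: KERNEL_CR3, 800: 0x0a3c1000, 1204: 0x0b7f2000, 1500: 0x0f000000}


def run_example():
    tracker = Cr3Tracker()
    for epoch, cr3 in TRACE:
        tracker.observe(cr3, epoch)
    return cross_view(tracker, OS_LIST, current_epoch=3)
```

Only the address space that was repeatedly scheduled yet never reported by the guest is flagged; the one-shot and exited address spaces are not.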




Editor information

Yi Mu Willy Susilo Jennifer Seberry


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wen, Y., Zhao, J., Wang, H., Cao, J. (2008). Implicit Detection of Hidden Processes with a Feather-Weight Hardware-Assisted Virtual Machine Monitor. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_27


  • DOI: https://doi.org/10.1007/978-3-540-70500-0_27

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69971-2

  • Online ISBN: 978-3-540-70500-0

  • eBook Packages: Computer Science (R0)
