Implicit Detection of Hidden Processes with a Feather-Weight Hardware-Assisted Virtual Machine Monitor

  • Yan Wen
  • Jinjing Zhao
  • Huaimin Wang
  • Jiannong Cao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5107)


Process hiding is a commonly used stealth technique which facilitates the evasion from the detection by anti-malware programs. In this paper, we propose a new approach called Aries to implicitly detect the hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of TPL and non-bypassable interfaces for exposing TPL. Unlike typical VMMs, Aries can dynamically migrate a booted OS on it. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled with the explicit OS implementation information which is subvertable for the privileged malware. Our functionality evaluation shows Aries can detect more process-hiding malware than existing detectors while the performance evaluation shows desktop-oriented workloads achieve 95.2% of native speed on average.


Virtual machine monitor stealth malware hardware-assisted VMM 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Zombie PCs: Silent, Growing Threat. PC World (July 2004),,aid,116841,00.asp
  2. 2.
    Microsoft: Windows Malicious Software Removal Tool,
  3. 3.
    Naraine, R.: Microsoft: Stealth Rootkits Are Bombarding XP SP2 Boxes (December 2005),,1895,1896605,00.asp
  4. 4.
    Wang, Y.-M., Beck, D., Vo, B., Roussev, R., Verbowski, C.: Detecting Stealth Software with Strider GhostBuster. In: Proceedings of 35th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2005), pp. 368–377 (2005)Google Scholar
  5. 5.
    Silberman, P., C.H.A.O.S. : FUTo: Bypassing Blacklight and IceSword (2007),
  6. 6.
    Effective file hiding : Bypassing Raw File System I/O Rootkit Detector,
  7. 7.
    Bypassing Klister 0.4 with No Hooks or Running a Controlled Thread Scheduler,
  8. 8.
    Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast Portscan Detection Using Sequential Hypothesis Testing. In: IEEE Symposium on Security and Privacy (2004)Google Scholar
  9. 9.
    Goldberg, R.P.: Architectural Principles for Virtual Computer Systems, Ph.D. Thesis. Harvard University, Cambridge, MA (1972)Google Scholar
  10. 10.
    Uhlig, R., Neiger, G., Rodgers, D., Santoni, A.L., Martins, F.C.M., Anderson, A.V., Bennett, S.M., Kägi, A., Leung, F.H., Smith, L.: Intel Virtualization Technology. IEEE Computer 38, 48–56 (2005)Google Scholar
  11. 11.
    AMD: AMD64 Vrtualization Codenamed pacifica Technology: Secure Virtual Machine Architecture Reference Manual (May 2005)Google Scholar
  12. 12.
    Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauery, R., Pratt, I., Warfield, A.: Xen and the Art of Virtualization. In: Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP 2003), pp. 164–177 (2003)Google Scholar
  13. 13.
    Garfinkel, T., Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: Proceedings of Network and Distributed System Security Symposium (NDSS 2003) (2003)Google Scholar
  14. 14.
    Wen, Y., Zhao, J., Wang, H.: Implicit Detection of Hidden Processes with a Local-Booted Virtual Machine. In: Proceedings of 2th International Conference on Information Security and Assurance (ISA 2008), pp. 150–155 (2008)Google Scholar
  15. 15.
    Aphex: AFX Windows Rootkit (2003),
  16. 16.
    Hacker Defender,
  17. 17.
  18. 18.
    PE386: phide_ex -untimate process hiding example,
  19. 19.
  20. 20.
  21. 21.
  22. 22.
  23. 23.
  24. 24.
  25. 25.
  26. 26.
    Kernel Hidden Process/Module Checker,
  27. 27.
  28. 28.
  29. 29.
    Adams, K., Agesen, O.: A Comparison of Software and Hardware Techniques for x86 Virtualization. In: Proceedings of The 12th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2006), pp. 2–13 (2006)Google Scholar
  30. 30.
    Petroni, N.L., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor. In: Proceedings of the 13th USENIX Security Symposium, pp. 179–194 (2004)Google Scholar
  31. 31.
    Joshi, A., King, S.T., Dunlap, G.W., Chen, P.M.: Detecting Past and Present Intrusions through Vulnerability-Specific Predicates. In: Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP 2005), Brighton, United Kingdom, pp. 91–104 (2005)Google Scholar
  32. 32.
    Wen, Y., Wang, H.: A Secure Virtual Execution Environment for Untrusted Code. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 156–167. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  33. 33.
    Dunlap, G.W., King, S.T., Cinar, S., Basrai, M.A., Chen, P.M.: ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. In: Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI 2002), pp. 211–224 (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Yan Wen
    • 1
  • Jinjing Zhao
    • 2
  • Huaimin Wang
    • 1
  • Jiannong Cao
    • 3
  1. 1.School of ComputerNational University of Defense TechnologyChangshaChina
  2. 2.Beijing Institute of System EngineeringBeijingChina
  3. 3.Department of ComputingHong Kong Polytechnic University, KowloonHong KongChina

Personalised recommendations