
Hidden process detection technology in virtual machine based on process life-cycle
Abstract: To address the high overhead and incomplete detection of current hidden-process detection schemes for virtual machines, a hidden process detection system based on the process life cycle (HPro Dectector) is proposed. First, using the high privilege level of the virtual machine monitor (VMM) and the guest OS's own callback mechanism, a transparent memory region is constructed in the VM's non-paged memory and hard-coded callback functions are injected into it; a callback-registration module then registers callbacks for process creation and termination. Process creation/termination events inside the VM trigger the callback, which uses the hypercall mechanism of hardware-assisted virtualization to pass information about the target process down to an event-processing module that maintains a true process view. A view-analysis module cross-analyzes the true view against the current view to obtain the set of currently hidden processes. Experiments with multiple kinds of samples show that HPro Dectector outperforms traditional schemes based on thread scheduling and on traversing the process list in detection capability. The results show that HPro Dectector accurately identifies currently hidden processes with lower performance overhead. English abstract: To solve the problems of high energy consumption and incomplete detection of the current hidden process detection schemes, a hidden process detection system based on process life cycle called HPro Dectector was proposed. Using the high privilege of the VMM and the callback mechanism of the guest OS, a block of Transparent Memory (TM) belonging to the VM was reserved and hard code of the callback was injected into TM; the callback function was registered by the callback-registering module in the VM and triggered by process creation or termination events. At that time, target process information was sent down to the event-processing module by means of hardware-assisted virtualization technology, and a true process list was maintained constantly. The hidden process list was obtained from the view-analyzing module by comparing the true process list and the current process list. Multiple kinds of samples were chosen to test the HPro Dectector function, and the results show that HPro Dectector performs better than traditional schemes: it can detect hidden processes more accurately with less performance loss.
Source: 《计算机应用》 (Journal of Computer Applications), CSCD, Peking University core journal, 2017, No. A02, pp. 39-43 (5 pages)
Funding: National Natural Science Foundation of China (61272447)
Keywords: process; callback function; virtual machine monitor; process view; life cycle; process; callback function; Virtual Machine Manager (VMM); process view; life cycle
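The abstract describes two views that the detector compares: a "true view" that lives outside the guest and is updated only by creation/termination callback events forwarded through hypercalls, and the "current view" that the guest's own process enumeration reports. The following Python model, added here as an illustration and not code from the paper, shows that cross-view logic end to end: an event-driven true view that handles both create and terminate events, a constructed guest view from which one process has been unlinked, and the analysis that flags it. All class and function names (ProcessEvent, TrueView, cross_view_analysis, detect_hidden) and the sample PIDs and image names are assumptions made for this example.

```python
"""Cross-view hidden-process detection modelled on the life-cycle approach.

The VMM side keeps a 'true view' that changes only when a process-creation or
process-termination callback event arrives; the guest's 'current view' is
whatever the guest's own process list reports. A PID that the true view knows
but the current view lacks is hidden.

Every name and sample value here is constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Set


class EventKind(Enum):
    CREATE = "create"
    TERMINATE = "terminate"


@dataclass(frozen=True)
class ProcessEvent:
    """One callback notification forwarded from the guest to the VMM."""
    kind: EventKind
    pid: int
    image: str = ""


@dataclass
class TrueView:
    """Process view maintained outside the guest, driven purely by events."""
    processes: Dict[int, str] = field(default_factory=dict)

    def apply(self, event: ProcessEvent) -> None:
        if event.kind is EventKind.CREATE:
            self.processes[event.pid] = event.image
        elif event.kind is EventKind.TERMINATE:
            # A terminate for an unknown PID means the process predates
            # monitoring; dropping it silently keeps the view consistent.
            self.processes.pop(event.pid, None)


def build_true_view(events: Iterable[ProcessEvent]) -> TrueView:
    """Replay the creation/termination stream into a fresh true view."""
    view = TrueView()
    for ev in events:
        view.apply(ev)
    return view


def cross_view_analysis(true_view: TrueView,
                        current_view: Set[int]) -> Dict[str, List[int]]:
    """Compare the VMM-maintained view with the guest-reported view.

    hidden:      known via life-cycle events but absent from the guest list
    unaccounted: reported by the guest but never seen in a create event
                 (e.g. started before monitoring began), worth a second look
    """
    known = set(true_view.processes)
    return {
        "hidden": sorted(known - current_view),
        "unaccounted": sorted(current_view - known),
    }


# Constructed sample: the event stream the VMM observed via hypercalls.
SAMPLE_EVENTS = [
    ProcessEvent(EventKind.CREATE, 4, "System"),
    ProcessEvent(EventKind.CREATE, 612, "svchost.exe"),
    ProcessEvent(EventKind.CREATE, 1337, "sample.exe"),  # later unlinked in-guest
    ProcessEvent(EventKind.CREATE, 2048, "notepad.exe"),
    ProcessEvent(EventKind.TERMINATE, 2048),             # exited normally
]

# Constructed sample: what the guest's own process enumeration returns.
GUEST_CURRENT_VIEW = {4, 612}


def detect_hidden(events: Iterable[ProcessEvent] = SAMPLE_EVENTS,
                  current_view: Iterable[int] = GUEST_CURRENT_VIEW
                  ) -> Dict[str, List[int]]:
    """Full pipeline: replay events, then cross-analyze against the guest view."""
    return cross_view_analysis(build_true_view(events), set(current_view))


if __name__ == "__main__":
    result = detect_hidden()
    print("hidden PIDs:", result["hidden"])            # [1337]
    print("unaccounted PIDs:", result["unaccounted"])  # []
```

Note that PID 2048 is absent from both views after its terminate event, so it is correctly not reported: the life-cycle stream, not a one-off snapshot, is what keeps the true view from accumulating stale entries and producing false positives.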
