
A Highly Reliable In-VM Hidden Process Detection Countermeasure
Cite this article: YAN Guang-lu, LUO Sen-lin, LIU Wang-tong, PAN Li-min. A Highly Reliable In-VM Hidden Process Detection Countermeasure [J]. Journal of Beijing Institute of Technology, 2018, 38(3): 305-312.
Authors: YAN Guang-lu, LUO Sen-lin, LIU Wang-tong, PAN Li-min
Institution: Information System and Security and Countermeasures Experimental Center, Beijing Institute of Technology, Beijing 100081, China (all four authors)
Funding: Major Project of the Beijing Institute of Technology Science and Technology Innovation Program; National "242" Program project
Abstract: Executing malicious code through hidden processes is an important means of information attack. Existing In-VM hidden process detection methods on virtualization platforms can still be bypassed, and the data they rely on can be tampered with. To address this problem, a highly reliable In-VM hidden process detection countermeasure is proposed. The method builds on the In-VM model and an improved virtualized memory protection mechanism to protect the hidden-process detection code and its associated kernel data from malicious tampering. By precisely hijacking the system call functions and combining this with a cross-view method for detecting hidden processes, it ensures that the detection algorithm cannot be bypassed. In the experiments, several typical Rootkit hidden processes were selected and built. The results show that the method detects every kind of Rootkit hidden process, that its detection code and associated data cannot be maliciously tampered with, that the detection algorithm and memory protection mechanism cannot be bypassed, and that the improved virtualized memory protection mechanism has a smaller impact on system performance, giving the method high reliability and strong practical value.

Keywords: process detection; virtualization; In-VM model; Rootkit; hidden process
Received: 2016/6/16

A Highly Reliable In-VM Hidden Process Detection Countermeasure
YAN Guang-lu, LUO Sen-lin, LIU Wang-tong and PAN Li-min. A Highly Reliable In-VM Hidden Process Detection Countermeasure [J]. Journal of Beijing Institute of Technology (Natural Science Edition), 2018, 38(3): 305-312.
Authors: YAN Guang-lu, LUO Sen-lin, LIU Wang-tong and PAN Li-min
Institution: Information System and Security and Countermeasures Experimental Center, Beijing Institute of Technology, Beijing 100081, China
Abstract: Executing malicious code via hidden processes is a major way to carry out information attacks. At present, hidden process detection methods based on the In-VM model of a virtualization platform can be attacked by circumventing them and tampering with the data they rely on. To solve this problem, a highly reliable In-VM hidden process detection method was proposed. Firstly, an In-VM model and an improved virtualized memory protection mechanism were developed to protect the detection code and its associated kernel data from being maliciously changed. Secondly, by precisely hijacking the system call functions and detecting hidden processes with a cross-view method, the detection algorithm was ensured against circumvention. Finally, several typical Rootkits were selected and built for the experiments. The results show that the proposed method can detect all kinds of hidden processes; its detection code and associated kernel data cannot be tampered with, and its detection algorithm and memory protection mechanism cannot be circumvented. In addition, the improved memory protection mechanism has a smaller impact on system performance, showing higher reliability and stronger practical value.
Keywords: process detection; virtualization; In-VM model; Rootkit; hidden process
This article is indexed by CNKI, Wanfang Data and other databases.