DocumentCode
2875222
Title
Towards a Novel Approach for Hidden Process Detection Based on Physical Memory Scanning
Author
Junhu Zhu ; Tianyang Zhou ; Qingxian Wang
Author_Institution
Nat. Digital Switching Syst. Eng. & Technol. Res. Center (NDSC), Zhengzhou, China
fYear
2012
fDate
2-4 Nov. 2012
Firstpage
662
Lastpage
665
Abstract
Leveraging a sophisticated rootkit, malware can deeply hide its own process and is hard to detect. Based on an analysis of various existing detection technologies, this paper proposes a novel approach for hidden process detection. The approach uses page table entry patching to traverse physical memory and obtain the raw data, and formulates characteristic selection constraints to extract reliable process object characteristics; these characteristics are then used to search for process object instances in physical memory by string matching, forming a credible list of processes. The approach can also be used to search for other kernel objects on a variety of system platforms. The experimental results show that the new detection method is effective in searching for hidden processes.
Keywords
invasive software; string matching; characteristic selection constraints; hidden process detection; hidden process search; kernel objects; malware; page table entry patching; physical memory scanning; physical memory traversal; raw data; reliable process object characteristic extraction; rootkit; search process object instances; Data structures; Hardware; Kernel; Memory management; Process control; Security; hidden process; paging mechanism; physical memory scan
fLanguage
English
Publisher
ieee
Conference_Titel
Multimedia Information Networking and Security (MINES), 2012 Fourth International Conference on
Conference_Location
Nanjing
Print_ISBN
978-1-4673-3093-0
Type
conf
DOI
10.1109/MINES.2012.239
Filename
6405787