Title :
Towards a Novel Approach for Hidden Process Detection Based on Physical Memory Scanning
Author :
Junhu Zhu ; Tianyang Zhou ; Qingxian Wang
Author_Institution :
Nat. Digital Switching Syst. Eng. & Technol. Res. Center (NDSC), Zhengzhou, China
Abstract :
Leveraging a well-developed rootkit, malware can deeply hide its own process and is hard to detect. Based on an analysis of various existing detection technologies, this paper proposes a novel approach for hidden process detection. The approach uses page table entry patching to traverse physical memory and obtain the raw data, and formulates characteristic selection constraints to extract reliable process object characteristics; these characteristics are then used to search for process object instances in physical memory by string matching, forming a credible list of processes. The approach can also be used to search for other kernel objects on a variety of system platforms. The experimental results show that the new detection method is effective in hidden process searching.
Keywords :
invasive software; string matching; characteristic selection constraints; hidden process detection; hidden process search; kernel objects; malware; page table entry patching; physical memory scanning; physical memory traversal; raw data; reliable process object characteristic extraction; rootkit; search process object instances; Data structures; Hardware; Kernel; Memory management; Process control; Security; hidden process; paging mechanism; physical memory scan;
Conference_Title :
Multimedia Information Networking and Security (MINES), 2012 Fourth International Conference on
Conference_Location :
Nanjing
Print_ISBN :
978-1-4673-3093-0
DOI :
10.1109/MINES.2012.239