  • DocumentCode
    3722619
  • Title
    Detecting Malware and Rootkit via Memory Forensics
  • Author
    Qiang Hua;Yang Zhang

  • Author_Institution
    Inst. of Network Technol. Res. Center, Beijing Univ. of Posts &
  • fYear
    2015
  • Firstpage
    92
  • Lastpage
    96
  • Abstract
    Recent malware is armed with stealth techniques that detect and subvert the malware detection facilities of the victim host. Traditional host-based detection tools execute inside the very hosts they protect, which leaves them vulnerable to deception and subversion. To address this limitation, improve the effectiveness and accuracy of detection, and strengthen tamper resistance, a VMM-based hidden process detection system is designed and implemented. The system is placed outside the protected virtual machine and uses the virtual machine introspection mechanism to inspect the low-level state of the protected virtual machine; it then reconstructs the guest OS data structures with the guest view casting technique. Through view comparison detection, the system identifies missing critical processes and hidden target processes. Additionally, the system provides process management operations such as terminate and restart, and users can configure the corresponding response mechanism through configuration files.
  • Keywords
    "Virtual machining","Semantics","Malware","Monitoring","Operating systems","Virtual machine monitors"
  • Publisher
    ieee
  • Conference_Titel
    Computer Science and Mechanical Automation (CSMA), 2015 International Conference on
  • Type
    conf

  • DOI
    10.1109/CSMA.2015.25
  • Filename
    7371629