Abstract

Malicious software usually evades anti-virus detection by hiding itself among apparently legitimate programs. In this work, we propose Windows Virtual Machine Introspection (WVMI) to accurately detect such hidden processes by analyzing memory data. WVMI first dumps the in-memory data of the target Windows operating system from the hypervisor and retrieves the addresses of the EPROCESS structures in the process linked list, then generates a Data Type Confidence Table (DTCT). Next, it traverses the memory and uses the DTCT to measure the similarity between the nodes of the process linked list and the corresponding memory segments. Finally, it locates the segments holding Windows EPROCESS structures and identifies hidden processes by further comparison. Extensive experiments show that WVMI detects hidden processes with a high identification rate and is independent of the version of the Windows operating system.
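The cross-view check described above, as an added example that is not code from the paper: a constructed toy memory image holding simplified EPROCESS-like records (the field layout, addresses, PIDs and process names are assumptions, not the real Windows layout), a Data Type Confidence Table built from the nodes reachable through the process linked list, and a scan that flags EPROCESS-like segments the list does not contain.

```python
import struct
# Constructed toy image (not the real Windows layout): 16-byte aligned records of
# Flink u32 | Blink u32 | Pid u32 | ImageFileName[16], standing in for EPROCESS.
REC_FMT, ALIGN, FIELDS = "<III16s", 16, [(0, 4), (4, 4), (8, 4), (12, 16)]  # FIELDS: (offset, size)
REC_SIZE = struct.calcsize(REC_FMT)

def build_image():
    mem = bytearray(4096)
    visible = [(0x100, 4, b"System"), (0x200, 428, b"csrss.exe"), (0x300, 1204, b"explorer.exe")]
    for i, (addr, pid, name) in enumerate(visible):   # circular doubly linked list
        flink, blink = visible[(i + 1) % 3][0], visible[(i - 1) % 3][0]
        struct.pack_into(REC_FMT, mem, addr, flink, blink, pid, name.ljust(16, b"\0"))
    # Hidden record: still points at its former neighbours, but nothing points back to it.
    struct.pack_into(REC_FMT, mem, 0x400, 0x300, 0x200, 2376, b"rootkit.exe".ljust(16, b"\0"))
    struct.pack_into("<I", mem, 0x800, 0x100)         # stray pointer-looking word (noise)
    return bytes(mem), 0x100                          # image, list head address

def field_type(mem, addr, size):   # coarse type of the bytes at addr
    if size == 4:
        v = struct.unpack_from("<I", mem, addr)[0]
        if v % ALIGN == 0 and 0 < v < len(mem) - REC_SIZE:
            return "ptr"
        return "small" if v < 0x10000 else "other"
    text = mem[addr:addr + size].rstrip(b"\0")
    return "str" if text and all(0x20 <= b < 0x7F for b in text) else "other"

def walk_list(mem, head):
    nodes, addr = [], head
    while addr not in nodes:                          # stop when the list wraps around
        nodes.append(addr)
        addr = struct.unpack_from("<I", mem, addr)[0]
    return nodes

def build_dtct(mem, nodes):   # DTCT: per field offset, dominant type among listed nodes + confidence
    dtct = {}
    for off, size in FIELDS:
        types = [field_type(mem, a + off, size) for a in nodes]
        best = max(set(types), key=types.count)
        dtct[off] = (size, best, types.count(best) / len(types))
    return dtct

def score(mem, addr, dtct):   # confidence-weighted share of fields at addr matching the DTCT
    hit = sum(c for off, (size, typ, c) in dtct.items() if field_type(mem, addr + off, size) == typ)
    return hit / sum(c for _, _, c in dtct.values())

def find_hidden(mem, head, threshold=0.95):   # segments found by scanning but absent from the list
    listed = walk_list(mem, head)
    dtct = build_dtct(mem, listed)
    found = [a for a in range(0, len(mem) - REC_SIZE, ALIGN) if score(mem, a, dtct) >= threshold]
    return sorted(set(found) - set(listed))
```

Running `find_hidden(*build_image())` reports the unlinked record at 0x400, while the stray pointer at 0x800 scores too low to be mistaken for a process structure.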
