Source: Journal of Computer Applications (计算机应用), 2017, No. A02, pp. 39-43 (5 pages)
Funding: National Natural Science Foundation of China, grant 61272447
Abstract: To address the high energy consumption and incomplete detection of current hidden-process detection schemes for virtual machines, a hidden-process detection system based on the process life cycle, HPro Dectector, is proposed. First, using the high privilege level of the virtual machine monitor (VMM) and the guest OS's own callback mechanism, a transparent memory region is built in the guest's non-paged memory and hard-coded callback functions are injected into it; a callback-registration module then registers these callbacks for process creation and termination. Each process creation or termination event inside the VM triggers the callback, which uses the hypercall mechanism of hardware-assisted virtualization to deliver the target process's information to an event-handling module in the VMM, which maintains the true process view. A view-analysis module cross-checks the true view against the guest's current view to obtain the set of currently hidden processes. Experiments with multiple kinds of samples show that HPro Dectector detects hidden processes more completely than traditional schemes based on thread scheduling or on traversing the process list, identifies the currently hidden processes accurately, and incurs lower performance overhead.
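The cross-view step in the abstract (a true view built only from create/terminate events delivered by hypercall, compared against whatever the guest itself reports) is easy to get subtly wrong around PID reuse and processes that predate monitoring. The following is an added illustration, not code from the HPro Dectector paper; it assumes a simplified event record (sequence number, kind, PID, image name) for what the event-handling module receives, and a plain list of (PID, name) pairs for the guest-side view, both of which are assumptions of this example rather than the paper's formats.

```python
"""Cross-view hidden-process detection driven by process life-cycle events.

Added example modelled on the approach the abstract describes; it is not the
paper's code. Event format and guest-view format are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    seq: int      # hypercall sequence number, monotonically increasing (assumed)
    kind: str     # "create" or "terminate"
    pid: int
    name: str


class TrueProcessView:
    """Process view maintained outside the guest from life-cycle events only.

    It never reads guest data structures, so a rootkit that unlinks a process
    from the guest's own list cannot change what is recorded here.
    """

    def __init__(self) -> None:
        self.live: Dict[int, str] = {}
        self.pre_existing: Set[int] = set()   # terminated but never seen created
        self.anomalies: List[str] = []        # inconsistencies worth a closer look

    def handle(self, ev: ProcEvent) -> None:
        if ev.kind == "create":
            if ev.pid in self.live:
                # Same PID created twice with no terminate in between: a dropped
                # hypercall or a forged event, so flag it rather than silently overwrite.
                self.anomalies.append(f"seq {ev.seq}: duplicate create for pid {ev.pid}")
            self.live[ev.pid] = ev.name
        elif ev.kind == "terminate":
            if ev.pid in self.live:
                del self.live[ev.pid]
            else:
                # Process started before monitoring began; its PID is now known free.
                self.pre_existing.add(ev.pid)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")


def cross_view(true_view: TrueProcessView,
               guest_view: List[Tuple[int, str]]) -> Tuple[Dict[int, str], List[int]]:
    """Compare the VMM-maintained true view with what the guest reports.

    Returns (hidden, unaccounted):
      hidden      - live according to life-cycle events but absent from the guest list
      unaccounted - reported by the guest but never seen created; usually processes
                    that predate monitoring, so this is context, not a verdict
    """
    guest_pids = {pid for pid, _ in guest_view}
    hidden = {pid: name for pid, name in true_view.live.items() if pid not in guest_pids}
    unaccounted = sorted(guest_pids - set(true_view.live))
    return hidden, unaccounted


# Constructed sample data for this example (not measurements from the paper).
SAMPLE_EVENTS = [
    ProcEvent(1, "create", 1204, "explorer.exe"),
    ProcEvent(2, "create", 1860, "notepad.exe"),
    ProcEvent(3, "terminate", 512, "svchost.exe"),   # started before monitoring
    ProcEvent(4, "create", 2040, "dropper.exe"),
    ProcEvent(5, "terminate", 1860, "notepad.exe"),
    ProcEvent(6, "create", 1860, "cmd.exe"),          # PID reuse after termination
]

# What a process-list walk inside the guest reports; dropper.exe has been unlinked.
SAMPLE_GUEST_VIEW = [(4, "System"), (1204, "explorer.exe"), (1860, "cmd.exe")]


def detect(events=SAMPLE_EVENTS, guest_view=SAMPLE_GUEST_VIEW):
    """Replay events in hypercall order, then cross-check against the guest view."""
    view = TrueProcessView()
    for ev in sorted(events, key=lambda e: e.seq):
        view.handle(ev)
    return cross_view(view, guest_view)


if __name__ == "__main__":
    hidden, unaccounted = detect()
    for pid, name in hidden.items():
        print(f"HIDDEN      pid={pid} name={name}")
    for pid in unaccounted:
        print(f"UNACCOUNTED pid={pid} (predates monitoring?)")
```

Replaying the sample stream leaves PIDs 1204, 2040 and 1860 live; only 2040 (dropper.exe) is missing from the guest list, so it is reported as hidden, while PID 4 is reported as unaccounted because the monitor never saw it created. Processes that exist before the callbacks are registered are the main blind spot of a purely event-driven true view, which is why a one-off enumeration at start-up is normally used to seed it.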
Keywords: process; callback function; virtual machine monitor; process view; life cycle
Classification: TP309.5 [Automation and Computer Technology - Computer System Architecture]