Implicit Detection of Hidden Processes with a Local-Booted Virtual Machine
Stealth malware is becoming a major threat to PC computers. Process hiding is a technique commonly used by stealth malware to evade detection by anti-malware scanners. On the defensive side, previous host-based approaches are defeated once privileged stealth malware controls a lower layer of the system. Virtual Machine (VM) based solutions gain tamper resistance at the cost of losing the OS-level process view. Moreover, existing VM-based approaches cannot introspect the preinstalled OS, which is precisely what PC users need to protect. In this paper, the authors present a new VM-based approach called Libra, which accurately reproduces the software environment of the underlying preinstalled OS within the Libra VM and provides an OS-level semantic view of the processes.
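The implicit detection the title refers to rests on a cross-view comparison: a process that the tamper-resistant view reports but the in-OS enumeration omits is, by construction, hidden from the OS. The following is an added illustration of that principle, not Libra's own code; it assumes a constructed "pid name" snapshot format and assumes the trusted view is sampled both before and after the in-guest enumeration, so that processes which merely started or exited between samples are not mistaken for hidden ones.

```python
"""Cross-view detection of hidden processes (added illustration, not Libra's code).

Assumed inputs:
  - a trusted, tamper-resistant process view (the kind of OS-level semantic view
    a VM-based introspection approach provides), sampled before and after;
  - the in-guest view, i.e. what the possibly compromised OS's own process
    enumeration reports.
A process present in BOTH trusted samples (so it existed throughout) but absent
from the in-guest view cannot be a timing artifact and is reported as hidden.
All snapshot data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def parse_snapshot(text: str) -> set[Proc]:
    """Parse constructed 'pid name' lines into Proc records; '#' lines are comments."""
    procs = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, name = line.split(None, 1)
        # keying on (pid, name) also catches a hidden process that reuses a PID
        procs.add(Proc(int(pid), name.strip()))
    return procs


def find_hidden(trusted_before: set[Proc], in_guest: set[Proc],
                trusted_after: set[Proc]) -> list[Proc]:
    """Return processes stable across both trusted samples yet missing in-guest."""
    stable = trusted_before & trusted_after        # existed during the whole window
    return sorted(stable - in_guest, key=lambda p: p.pid)


# constructed sample snapshots
TRUSTED_BEFORE = """
# trusted view, sampled just before the in-guest enumeration
4    System
512  explorer.exe
900  svchost.exe
1337 hidden.exe
2000 notepad.exe
"""

IN_GUEST = """
# in-guest enumeration (what the guest's own process list reports)
4    System
512  explorer.exe
900  svchost.exe
2100 calc.exe
"""

TRUSTED_AFTER = """
# trusted view, sampled just after the in-guest enumeration
4    System
512  explorer.exe
900  svchost.exe
1337 hidden.exe
2100 calc.exe
"""


def report() -> list[tuple[int, str]]:
    """Run the cross-view check on the constructed snapshots."""
    hidden = find_hidden(parse_snapshot(TRUSTED_BEFORE),
                         parse_snapshot(IN_GUEST),
                         parse_snapshot(TRUSTED_AFTER))
    return [(p.pid, p.name) for p in hidden]


if __name__ == "__main__":
    for pid, name in report():
        print(f"hidden process: pid={pid} name={name}")
```

In the constructed data, notepad.exe exits and calc.exe starts between samples; neither is flagged, while pid 1337 (present in both trusted samples, absent in-guest) is reported. The bracketing samples are what make the discrepancy attributable to hiding rather than to the snapshots being taken at different instants.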