Title :
Implicit Detection of Hidden Processes with a Local-Booted Virtual Machine
Author :
Wen, Yan ; Zhao, Jinjing ; Wang, Huaimin
Author_Institution :
Nat. Univ. of Defense Technol., Changsha
Abstract :
Stealth malware is currently becoming a major threat to PC computers. Process hiding is the technique commonly used by stealth malware to evade detection by anti-malware scanners. On the defensive side, previous host-based approaches are defeated once privileged stealth malware controls a lower layer of the system. Virtual machine (VM) based solutions gain tamper resistance at the cost of losing the OS-level process view. Moreover, existing VM-based approaches cannot introspect the preinstalled OS, which is precisely what PC users need to protect. In this paper, we present a new VM-based approach called Libra, which accurately reproduces the software environment of the underlying preinstalled OS within the Libra VM and provides an OS-level semantic view of the processes. With our new local-booting technology, the Libra VM boots from the underlying host OS rather than from a newly installed OS image. Thus, Libra provides a way to detect process-hiding stealth malware already present in the host OS. In addition, instead of depending on guest information, which can be subverted by privileged guest malware, Libra adopts a unique technique to implicitly construct a trusted view of the process list (TVPL) from within the virtualized hardware layer. Our evaluation results with real-world process-hiding rootkits, which are widely used by stealth malware, demonstrate its practicality and effectiveness.
Keywords :
computer crime; operating systems (computers); virtual machines; Libra virtual machines; OS-level semantic view; PC computers; antimalware scanners; hidden process implicit detection; local-booted virtual machine; local-booting technology; software environment; stealth malware; trusted view of process list; Control systems; Costs; Detectors; Hardware; Information security; Protection; Statistics; Systems engineering and theory; Virtual machining; Virtual manufacturing; Hidden Process; Local-Booted Virtual Machine; Virtual Machine;
Conference_Title :
Information Security and Assurance, 2008. ISA 2008. International Conference on
Conference_Location :
Busan
Print_ISBN :
978-0-7695-3126-7
DOI :
10.1109/ISA.2008.22