Abstract The security of operating systems has long been challenged by the covert operation of rootkits. With virtual machine introspection (VMI), security tools are deployed outside the target virtual machine (TVM); the hypervisor enforces strict isolation between the tools and the TVM, which makes the tools far harder for in-guest malware to tamper with. However, current virtualization-based methods can only detect hidden objects; they cannot make those objects visible again inside the TVM, so host-based security tools running in the guest still fail to handle them. To address this problem, this paper proposes RecObj, a virtualization-based method for detecting and recovering hidden objects. RecObj cross-compares multidimensional semantic views to discover hidden processes and files. By dynamically monitoring changes in the logical relationships between loadable kernel modules and changes in their states, it detects the self-hiding of the rootkit itself. For processes and modules hidden through direct kernel object manipulation (DKOM), RecObj uses a writable mapping of guest memory to restore the hidden objects to visible ones. Finally, a processing signal is passed through xenstore to a hidden-object manager inside the TVM, which completes the cleanup of the hidden object. Hiding-detection, recovery, and processing experiments demonstrate the feasibility and effectiveness of RecObj.
Wu et al. studied this question.
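The two core mechanisms the abstract names, cross-view comparison to find a DKOM-hidden process and a writable memory mapping to relink it, can be shown on a constructed guest-memory image. The example below is added here and is not RecObj's code or the authors' code: it simulates guest memory as a flat bytearray with a hypothetical fixed-size task record (magic, pid, next, prev, comm; not the real Linux task_struct layout), builds the circular task list, unlinks one entry the way a DKOM rootkit would, then compares the "walk the list" view (what ps in the guest sees) against a "scan memory for task signatures" view (what an introspecting tool outside the VM sees) and writes the node back into the list so it becomes visible again. The addresses and record layout are assumptions chosen for the simulation.

```python
import struct

# Constructed guest-memory model (assumption, not the Linux layout):
#   magic (4s) | pid (u32) | next (u32) | prev (u32) | comm (16s)
TASK_FMT = "<4sIII16s"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 32 bytes per record
MAGIC = b"TASK"
BASE = 0x1000                            # hypothetical address of the list head (init_task)
NEXT_OFF, PREV_OFF = 8, 12               # offsets of next/prev inside a record


def _read_task(mem, addr):
    """Decode one task record at guest address addr."""
    magic, pid, nxt, prv, comm = struct.unpack_from(TASK_FMT, mem, addr - BASE)
    return magic, pid, nxt, prv, comm.rstrip(b"\0").decode()


def _write_links(mem, addr, nxt, prv):
    """Overwrite only the next/prev pointers of the record at addr
    (the 'writable mapping' step: the tool outside the VM writes guest memory)."""
    struct.pack_into("<II", mem, addr - BASE + NEXT_OFF, nxt, prv)


def build_image(procs):
    """procs: list of (pid, comm); the first entry acts as the list head.
    Returns a memory image where all tasks sit on a circular doubly linked list."""
    n = len(procs)
    mem = bytearray(BASE + n * TASK_SIZE)
    for i, (pid, comm) in enumerate(procs):
        addr = BASE + i * TASK_SIZE
        nxt = BASE + ((i + 1) % n) * TASK_SIZE
        prv = BASE + ((i - 1) % n) * TASK_SIZE
        struct.pack_into(TASK_FMT, mem, addr - BASE, MAGIC, pid, nxt, prv, comm.encode())
    return mem


def scan_view(mem):
    """Low-level view: scan memory for task signatures regardless of list membership.
    A DKOM unlink does not free the object, so it still shows up here."""
    found = {}
    for off in range(0, len(mem) - TASK_SIZE + 1, TASK_SIZE):
        if mem[off:off + 4] == MAGIC:
            _, pid, _, _, _ = _read_task(mem, BASE + off)
            found[pid] = BASE + off
    return found


def list_view(mem):
    """High-level view: walk the task list from the head, as an in-guest
    'ps' effectively does. Bounded by the number of records to survive a broken list."""
    seen = {}
    addr = BASE
    for _ in range(len(mem) // TASK_SIZE):
        _, pid, nxt, _, _ = _read_task(mem, addr)
        seen[pid] = addr
        addr = nxt
        if addr == BASE:
            break
    return seen


def dkom_hide(mem, pid):
    """Simulate the rootkit: unlink the task with this pid from the list.
    The record itself stays in memory; only its neighbours' pointers change."""
    victim = scan_view(mem)[pid]
    _, _, nxt, prv, _ = _read_task(mem, victim)
    _, _, prv_next, prv_prev, _ = _read_task(mem, prv)
    _, _, nxt_next, nxt_prev, _ = _read_task(mem, nxt)
    _write_links(mem, prv, nxt, prv_prev)     # prev.next = victim.next
    _write_links(mem, nxt, nxt_next, prv)     # next.prev = victim.prev
    return victim


def cross_view(mem):
    """Cross-view comparison: tasks present in the scan view but absent from the
    list view are hidden. Returns {pid: address}."""
    visible = list_view(mem)
    return {pid: addr for pid, addr in scan_view(mem).items() if pid not in visible}


def recover(mem, addr):
    """Make a hidden task visible again by inserting it right after the list head.
    Does not trust the victim's own stale pointers, which a rootkit may have clobbered."""
    _, _, head_next, _, _ = _read_task(mem, BASE)
    _, _, hn_next, _, _ = _read_task(mem, head_next)
    _write_links(mem, addr, head_next, BASE)      # victim.next = old head.next, victim.prev = head
    _write_links(mem, head_next, hn_next, addr)   # old head.next.prev = victim
    _write_links(mem, BASE, addr, _read_task(mem, BASE)[3])  # head.next = victim
    return list_view(mem)


if __name__ == "__main__":
    # Constructed sample guest: a backdoor process that a rootkit will hide.
    mem = build_image([(0, "swapper"), (1, "systemd"), (1337, "backdoor"), (42, "sshd")])
    victim = dkom_hide(mem, 1337)
    print("guest ps sees:", sorted(list_view(mem)))
    print("hidden by cross-view:", cross_view(mem))
    recover(mem, victim)
    print("after recovery:", sorted(list_view(mem)))
```

In a real deployment the scan view would come from a VMI library reading guest-physical memory and the relink would be written through a writable mapping of that memory, after which an in-guest agent (the abstract's hidden-object manager, signalled over xenstore) can terminate the now-visible process with ordinary tools.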