Method for detecting existence of virtual machine monitor (VMM) under Windows platform

Abstract

The invention discloses a method for detecting the existence of a virtual machine monitor (VMM) under a Windows platform, aiming at solving the problem that malicious codes use the VMM as a platform for hiding self behaviors and providing malicious services, and providing a method for detecting the existence of the VMM through resource differences. In a technical scheme, the method comprises the steps of: firstly, allocating internal memory spaces for Allocated PTEs (Page Table Entries) and a Special PTE; writing an address A before mapping modification for the Allocated PTEs; writing an address B after mapping modification for the Special PTE; accessing the Allocated PTEs in sequence to ensure that all PTEs pointing to the address A are stored into a page table buffer register; sequentially modifying the pointer contents of the Allocated PTEs into the address B pointed by the Special PTE; executing a privileged instruction RDMSR (Read from Model Specific Register) in a Windows system; and setting a counter, traversing all page table entries in the page table buffer register, and judging whether the VMM exists in the current system by judging whether the numerical value of the counter is consistent with N. The method disclosed by the invention can be used for effectively detecting the VMM so as to improve system security.

Description

technical field [0001] The invention relates to a method for detecting the existence of a virtual machine monitor (VMM), in particular to a method for detecting the existence of a virtual machine monitor through differences in page table buffer registers. Background technique [0002] In hardware virtualization technology, a virtual machine monitor (Virtual Machine Monitor, VMM) is software that can create an efficient, isolated copy of a computer system. Since the VMM has higher authority than the guest operating system (Guest OS), more and more malicious codes use the VMM as a platform to hide their behavior and provide malicious services. The detection technology for this kind of malicious code is mainly to detect the existence characteristics of VMM (Virtual Machine Monitor). Only when the existence of VMM is detected can it be used as one of the important basis for detecting the existence of this new type of malicious code. Traditional methods for detecting VMM current...

AI Technical Summary

Problems solved by technology

However, this detection method has limitations: for the case where the VMM runs directly on the hardware environment, the VMM does not relocate the IDTR to a new address, so it cannot distinguish the operating environment of the current operating system

Based on this resource sharing framework, the characteristics of VMM can be found from these resource differences as a method for detecting the existence of VMM, but there is no public report on the technical solution for detecting the existence of VMM through resource differences such as page table buffer registers.

Images