基于KVM的Windows客户机进程查杀技术

崔竞松; 向浩; 郭迟; 张雅娜; 何松

###

DOI:10.15961/j.jsuese.2014.06.002

工程科学与技术:2014,46(6):7-13

查看/发表评论过刊浏览高级检索 HTML 文章目录

←前一篇 | 后一篇→

码上扫一扫！

下载全文

基于KVM的Windows客户机进程查杀技术

崔竞松^1,2, 向浩¹, 郭迟³, 张雅娜¹, 何松¹

(1.武汉大学计算机学院;2.武汉大学空天信息安全与可信计算教育部重点实验室;3.武汉大学卫星定位导航技术研究中心)

Online Anti-virus Technology of Processes Running on Windows VM Based on KVM

Cui Jingsong^1,2, Xiang Hao¹, Guo Chi³, Zhang Ya’na¹, He Song¹

(1.Computer School, Wuhan Univ.;2.Key Lab. of Aerospace Info. and Trusted Computing,Wuhan Univ.;3.Global Navigation Satellite System Research Center,Wuhan Univ.)

摘要

图/表

参考文献

相似文献

本文已被：浏览 2423次下载 1次
投稿时间：2014-06-23 修订日期：2014-09-01

中文摘要: 传统反病毒架构不能有效利用虚拟化优势解决云平台上的Windows系统所面临的恶意软件威胁，并且传统反病毒软件自身面临安全威胁，针对此问题，提出一种基于KVM的无代理Windows客户机进程在线杀毒技术。通过在KVM内核模块中添加读写内存的函数，以及为进程处理模块提供在其中注册钩子的接口等方法，解析客户机当前进程信息。将进程在内存中的PE（portable executable）镜像大致还原成运行前的磁盘文件后，调用开源杀毒引擎ClamAV（Clam AntiVirus）进行扫描查毒。查毒结果返回给决策模块后，由进程处理内核模块对可疑进程进行相应处理，实现对客户机当前进程的无代理查杀。分析及测试结果表明，该技术利用虚拟化优势较好地解决了传统反病毒框架的资源耗费和自身安全性问题。

中文关键词: KVM虚拟化虚拟化安全无代理方式进程监控 PE镜像还原进程终止

Abstract:Aiming at the problem that the traditional anti-virus structure cannot effectively solve malware threats on Windows OS on virtualization platform by using the benefits of virtualization, and traditional anti-virus softwares have to face their own security threats, an agentless online anti-virus technology of processes running on Windows VM based on KVM was proposed. By adding memory reading and writing functions in KVM kernel module and providing interfaces to register hooks in the kernel module of processes handling, the VM’s processes’ information could be resolved. After restoring process’s PE image in memory into disk file before running, the open source antivirus engine ClamAV would be called to scan virus. When results returned to the decision-making module, process handling module would deal with suspicious processes accordingly, and the current process could be scanned and killed without any agent. Analysis and test results showed that the technique could solve the traditional anti-virus frameworks’ resource consumption and security issues by taking advantage of virtualization’s benefits.

keywords: KVM virtualization security agentless technique process monitoring PE image reduction process killing

文章编号：201400665 中图分类号： 文献标志码：

基金项目:国家高技术研究发展计划资助项目（2013AA12A206）；国家自然科学基金资助项目（41104010；91120002；61170026）

作者	单位
崔竞松	武汉大学计算机学院武汉大学空天信息安全与可信计算教育部重点实验室
向浩	武汉大学计算机学院
郭迟	武汉大学卫星定位导航技术研究中心
张雅娜	武汉大学计算机学院
何松	武汉大学计算机学院

Author Name	Affiliation
Cui Jingsong	Computer School, Wuhan Univ. Key Lab. of Aerospace Info. and Trusted Computing,Wuhan Univ.
Xiang Hao	Computer School, Wuhan Univ.
Guo Chi	Global Navigation Satellite System Research Center,Wuhan Univ.
Zhang Ya’na	Computer School, Wuhan Univ.
He Song	Computer School, Wuhan Univ.

作者简介:
引用文本：
崔竞松,向浩,郭迟,张雅娜,何松.基于KVM的Windows客户机进程查杀技术[J].工程科学与技术,2014,46(6):7-13.
Cui Jingsong,Xiang Hao,Guo Chi,Zhang Ya’na,He Song.Online Anti-virus Technology of Processes Running on Windows VM Based on KVM[J].Advanced Engineering Sciences,2014,46(6):7-13.