CN101499016A - Virtual machine monitor, virtual machine system and process handling method of client operating system - Google Patents

Info

Publication number
CN101499016A
Authority
CN
China
Prior art keywords
client
virtual machine
page table
address
machine monitor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200810057354
Other languages
Chinese (zh)
Other versions
CN101499016B (en
Inventor
刘春梅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd
Priority to CN 200810057354
Publication of CN101499016A
Application granted
Publication of CN101499016B
Active
Anticipated expiration

Landscapes

  • Memory System Of A Hierarchy Structure (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a virtual machine monitor, a virtual machine system and a process handling method of a guest operating system. The virtual machine monitor comprises: an acquisition module, used to obtain the segment information of a process when an environment switch occurs in the guest operating system and to obtain the guest linear address of the process from that segment information; a process identification module, used to identify the process; a page table identification module, used to identify the shadow page table corresponding to the process identified by the process identification module, the shadow page table recording the correspondence between the guest linear address and the machine physical memory page address; and a locating module, used to locate the machine physical memory page of the process according to the guest linear address and the shadow page table. The invention accurately locates the machine physical memory pages of a process and, at the same time, protects the security of the process and the system.

Description

Virtual machine monitor, virtual machine system and process handling method of client operating system
Technical field
The present invention relates to operating system process handling technology, and in particular to a virtual machine monitor, a virtual machine system and a process handling method of a guest (client) operating system.
Background
Memory is one of the most important resources managed by an operating system, and it is also a main target of virus attacks. Memory protection is one of the most basic security services that a secure operating system provides. Memory protection usually means protecting user data in memory, ensuring that the processes in the system do not interfere with one another, isolating process from process and user space from kernel space, and enforcing the necessary access control.
However, because operating systems protect memory imperfectly, or because some convenience mechanisms that the operating system itself provides break this isolation, many viruses exploit the gap. Rootkit viruses, for example, attack by remotely injecting executable code and remotely creating threads: the Rootkit virus raises its own privilege to debug privilege, opens a remote process such as IE, requests a virtual memory address in the remote process, writes the virus code or a DLL file name there, and then creates a remote thread to run the virus code.
In the course of realizing the present invention, it was found that the prior art contains no technical solution for locating a guest operating system process from within the VMM (Virtual Machine Monitor).
Summary of the invention
The purpose of the embodiments of the invention is to provide a virtual machine monitor, a virtual machine system and a process handling method of a guest operating system, so that in a virtualized environment the VMM can locate a process of the guest operating system.
To achieve this purpose, an embodiment of the invention provides a virtual machine monitor, comprising:
an acquisition module, used to obtain the segment information of a process when an environment switch occurs in the guest operating system, and to obtain the guest linear address of the process from the segment information;
a process identification module, used to identify the process;
a page table identification module, used to identify the shadow page table corresponding to the process identified by the process identification module, the shadow page table recording the correspondence between the guest linear address and the machine physical memory page address;
a locating module, used to locate the machine physical memory page of the process according to the guest linear address and the shadow page table.
In the above virtual machine monitor, the acquisition module specifically comprises:
a recording unit, used to record the segment information of the process held in the CPU registers when the environment switch occurs in the guest operating system;
a computing unit, used to calculate the guest linear address of the process from the segment information of the process.
The above virtual machine monitor further comprises:
a protection module, used to protect the code segment of the process in the machine physical memory page.
In the above virtual machine monitor, the protection module is specifically a verification unit, used to verify the code segment of the process in the machine physical memory page of the process.
In the above virtual machine monitor, the protection module is specifically a setting unit, used to set the code segment of the process in the machine physical memory page of the process to read-only.
To better achieve the above purpose, an embodiment of the invention also provides a virtual machine system comprising a guest operating system and a virtual machine monitor, where the virtual machine monitor comprises:
an acquisition module, used to obtain the segment information of a process when an environment switch occurs in the guest operating system, and to obtain the guest linear address of the process from the segment information;
a process identification module, used to identify the process;
a page table identification module, used to identify the shadow page table corresponding to the process identified by the process identification module, the shadow page table recording the correspondence between the guest linear address and the machine physical memory page address;
a locating module, used to locate the machine physical memory page of the process according to the guest linear address and the shadow page table.
In the above virtual machine system, the acquisition module specifically comprises:
a recording unit, used to record the segment information of the process held in the CPU registers when the environment switch occurs in the guest operating system;
a computing unit, used to calculate the guest linear address of the process from the segment information of the process.
In the above virtual machine system, the virtual machine monitor further comprises:
a protection module, used to protect the code segment of the process in the machine physical memory page.
In the above virtual machine system, the protection module is specifically a verification unit, used to verify the code segment of the process in the machine physical memory page of the process.
In the above virtual machine system, the protection module is specifically a setting unit, used to set the code segment of the process in the machine physical memory page of the process to read-only.
To better achieve the above purpose, an embodiment of the invention also provides a process handling method of a guest operating system, comprising:
when an environment switch occurs in the guest operating system, obtaining the segment information of a process, and obtaining the guest linear address of the process from the segment information;
identifying the process;
identifying the shadow page table corresponding to the identified process, the shadow page table recording the correspondence between the guest linear address and the machine physical memory page address;
locating the machine physical memory page of the process according to the guest linear address and the shadow page table.
The above method further comprises:
verifying the code segment of the process in the machine physical memory page of the process; and/or
setting the code segment of the process in the machine physical memory page of the process to read-only.
In the above method, identifying the shadow page table corresponding to the process specifically comprises:
the virtual machine monitor obtains the process name notified by the guest operating system and the guest physical address in the CR3 register corresponding to the process;
the virtual machine monitor obtains the machine physical address of the shadow page table corresponding to the guest physical address;
the virtual machine monitor obtains the shadow page table according to the machine physical address of the shadow page table;
the virtual machine monitor stores the process and the shadow page table in association with each other.
Alternatively, in the above method, identifying the shadow page table corresponding to the process specifically comprises:
the virtual machine monitor establishes the correspondence between the guest physical address in the process CR3 register and the process name;
after the virtual machine monitor obtains the process name notified by the guest operating system, it uses the correspondence between the guest physical address in the process CR3 register and the process name to obtain the guest physical address in the corresponding CR3 register;
the virtual machine monitor obtains the machine physical address of the shadow page table corresponding to the guest physical address;
the virtual machine monitor obtains the shadow page table according to the machine physical address of the shadow page table; the virtual machine monitor stores the process and the shadow page table in association with each other.
In the above method, the step in which the virtual machine monitor establishes the correspondence between the guest physical address in the process CR3 register and the process name specifically comprises:
when the environment switch occurs in the guest operating system, the virtual machine monitor records the guest physical address in the guest CR3 register of the process about to run;
the virtual machine monitor obtains the name of the currently running process;
the virtual machine monitor stores, in one-to-one correspondence, the guest physical address in the guest CR3 register of the about-to-run process recorded the previous time and the name of the currently running process.
The embodiments of the invention have the following beneficial effects:
In the embodiments of the invention, the guest linear address of a process and the shadow page table of the process are obtained, and the machine physical memory pages of the process are located accurately from the guest linear address and the correspondence, recorded in the shadow page table, between guest linear addresses and machine physical memory page addresses. The scheme is simple to implement. In addition, once the machine physical memory pages of the process have been located, the process can be protected effectively, which in turn protects the security of the process and the system.
Description of drawings
Fig. 1 is a structural diagram of the virtual machine system of an embodiment of the invention;
Fig. 2 is a flow chart of the method of an embodiment of the invention.
Embodiments
In the embodiments of the invention, the VMM stores a Shadow page table (shadow page table) corresponding to each process. The Shadow page table records the correspondence between the linear addresses of the process in the guest operating system and machine physical memory addresses. After the VMM has found the machine physical memory addresses that correspond to the linear addresses of the current process, it locates the corresponding machine physical memory pages and protects the process.
Fig. 1 is a structural diagram of the virtual machine system of an embodiment of the invention. As shown in Fig. 1, the virtual machine system comprises a GOS (there may be one or more; Fig. 1 shows only one GOS as an example), a VMM and the real hardware, where the VMM contains:
a page table identification module, used to identify the Shadow page table corresponding to a process in the GOS, the Shadow page table recording the correspondence between the process linear addresses and machine physical memory addresses;
a guest process physical page acquisition module, used to obtain the machine physical memory page of a process according to process location information when an environment switch occurs in the guest operating system.
The guest process physical page acquisition module comprises a recording unit and a computing unit, where:
the recording unit is used to record the segment information of the process held in the CPU registers after intercepting the access to the CR3 register that the GOS performs when it switches processes (that is, when a process switch occurs in the guest operating system). The process segment information comprises:
the code segment base address in the CS_base register and the code segment size in the CS_limit register;
the data segment base address in the DS_base register and the data segment size in the DS_limit register.
When the GOS loads the page directory of the process about to run, it must write the guest physical memory address of that process's page directory table to the CR3 register. Any access by the GOS to the CR3 register is intercepted by the VMM, which switches the running environment from the GOS to the VMM.
The computing unit is used to calculate the linear address of the process from the segment information obtained by the recording unit, that is:
the linear address corresponding to the process code segment is obtained from the code segment base address and the code segment size;
the linear address corresponding to the process data segment is obtained from the data segment base address and the data segment size.
The process identification module is used to identify a process in the GOS.
The locating module is used to obtain the machine physical memory page of the process from the linear address of the process and from the correspondence, recorded in the Shadow page table of the identified process, between guest process linear addresses and machine physical memory addresses, thereby locating the process in real physical memory, that is:
from the linear address of the process code segment and the correspondence between guest linear addresses and machine physical memory addresses recorded in the Shadow page table of the identified process, the machine physical memory page of the process code segment is obtained, which locates the process code segment;
from the linear address of the process data segment and the correspondence between guest linear addresses and machine physical memory addresses recorded in the Shadow page table of the identified process, the machine physical memory page of the process data segment is obtained, which locates the process data segment.
Once the machine physical memory pages of the code segment and data segment have been located, the process can be handled further on the basis of this result, for example tracked or protected. The virtual machine system of the embodiment of the invention therefore also comprises:
a protection module, used to verify the code in the machine physical memory page of the process code segment, or to set the machine physical memory page of the process code segment to read-only.
Fig. 2 is the schematic flow sheet of the method for the embodiment of the invention, and as shown in Figure 2, the method for the embodiment of the invention comprises:
Step 21, the Shadow page table of the process correspondence among the identification GOS records the corresponding relation between client process linear address and the machine physical memory addresses in the Shadow page table of process;
Step 22, when environmental change takes place in GOS, the current operation process among the identification GOS;
Step 23, the process section information in the register of record CPU, wherein process section information comprises:
Code segment base address in the CS_base register and the code segment size in the CS_limit register;
Data segment base address in the DS_base register and the data segment size in the DS_limit register.
Step 24, the process section information that obtains according to logging modle is obtained client's linear address of current operation process, that is:
Obtain process code segment corresponding client linear address according to code segment base address and code segment size;
Obtain process data section corresponding client linear address according to data segment base address and data segment size.
Step 25, client's linear address according to current operation process, and client's linear address that writes down in the Shadow page table of the current operation process that identifies and the corresponding relation between the machine physical memory addresses, obtain the machine physical memory page of current operation process, that is:
Client's linear address according to the process code segment, and client process linear address that writes down in the Shadow page table of the process correspondence that identifies and the corresponding relation between the machine physical memory addresses, obtain the machine physical memory page of process code segment, realize location the process code segment;
Client's linear address according to the process data section, and client process linear address that writes down in the Shadow page table of the process correspondence that identifies and the corresponding relation between the machine physical memory addresses, obtain the machine physical memory page of process data section, realize location the process code segment.
Step 26 is carried out verification to the process code segment in the machine physical memory page, or the machine physical memory page of process code segment is set to read-only.
Each step is described in more detail below, taking the process code segment as the example.
Step 21 requires identifying the Shadow page table of a process in the GOS. The specific embodiments of the invention do this in two ways, described in turn below.
In the first way, step 21 specifically comprises:
Step 21A1: the GOS informs the VMM of the name of the process to be monitored and of the guest physical address in the CR3 register corresponding to the process;
Step 21A2: the VMM obtains the machine physical address of the Shadow page table of the process that corresponds to this guest physical address;
Step 21A3: the VMM obtains the corresponding Shadow page table according to the machine physical address of the Shadow page table;
Step 21A4: the VMM establishes and stores the correspondence between the process to be monitored and its Shadow page table.
In the second way, the VMM stores the correspondence between the guest physical address in the CR3 register of each process and the process name, and step 21 specifically comprises:
Step 21B1: the VMM establishes the correspondence between the guest physical address in the CR3 register of each process and the process name;
Step 21B2: the GOS informs the VMM of the name of the process to be monitored;
Step 21B3: from the correspondence between the guest physical address in the CR3 register of each process and the process name, the GOS obtains the guest physical address of the CR3 register corresponding to the process to be monitored;
Step 21B4: the VMM obtains the machine physical address of the Shadow page table of the process that corresponds to this guest physical address;
Step 21B5: the VMM obtains the corresponding Shadow page table according to the machine physical address of the Shadow page table;
Step 21B6: the VMM establishes and stores the correspondence between the name of the process to be monitored and the Shadow page table.
Step 21B1 is specifically realized by the following steps:
Step 21B11: when the GOS switches processes, the VMM records the guest physical address in the CR3 register corresponding to the process about to run;
Step 21B12: the VMM obtains the name of the currently running process, which here is the readable identifier of the process;
Step 21B13: the VMM stores the correspondence between the guest physical address in the CR3 register of the about-to-run process recorded in the previous round and the name of the currently running process.
The currently running process was itself the process about to run in the previous round of process switching. Step 21B13 therefore stores the page directory base address of the about-to-run process recorded in the previous round together with the identification information of the currently running process, which guarantees that the two correspond correctly.
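The following C sketch is added here as an illustration and is not code from the patent. It shows the bookkeeping of steps 21B11 to 21B13 and the lookup of step 21B3: the name read at one intercepted CR3 write is stored against the CR3 value recorded at the previous write. The structure `cr3_map`, the functions `on_cr3_write` and `cr3_for_name`, and the switch trace in `main` are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PROCS 32
#define NAME_LEN  16

struct cr3_map {
    struct { uint32_t cr3; char name[NAME_LEN]; } e[MAX_PROCS];
    size_t   count;
    uint32_t pending_cr3;   /* CR3 recorded at the previous switch (step 21B11) */
    int      has_pending;
};

/* Insert or overwrite the entry for cr3, so that a page-directory address
 * reused by a later process does not keep the old name. Returns -1 when full. */
static int map_upsert(struct cr3_map *m, uint32_t cr3, const char *name)
{
    size_t i = 0;
    while (i < m->count && m->e[i].cr3 != cr3)
        i++;
    if (i == m->count) {
        if (i == MAX_PROCS) return -1;
        m->count++;
    }
    m->e[i].cr3 = cr3;
    strncpy(m->e[i].name, name, NAME_LEN - 1);
    m->e[i].name[NAME_LEN - 1] = '\0';
    return 0;
}

/* Called for each intercepted guest write to CR3.
 *   incoming_cr3: guest physical address being loaded (process about to run)
 *   current_name: readable identifier of the process running at the intercept
 * The name belongs to the CR3 seen one switch earlier, not to incoming_cr3. */
static void on_cr3_write(struct cr3_map *m, uint32_t incoming_cr3,
                         const char *current_name)
{
    if (m->has_pending)
        map_upsert(m, m->pending_cr3, current_name);   /* step 21B13 */
    m->pending_cr3 = incoming_cr3;                     /* step 21B11 */
    m->has_pending = 1;
}

/* Step 21B3: find the CR3 guest physical address for a monitored name.
 * Returns 0 and fills *cr3, or -1 if the name has not been observed yet. */
static int cr3_for_name(const struct cr3_map *m, const char *name, uint32_t *cr3)
{
    for (size_t i = 0; i < m->count; i++) {
        if (strncmp(m->e[i].name, name, NAME_LEN) == 0) {
            *cr3 = m->e[i].cr3;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    struct cr3_map m;
    uint32_t cr3 = 0;
    memset(&m, 0, sizeof m);
    /* Constructed trace: (CR3 being loaded, name current at the intercept). */
    on_cr3_write(&m, 0x00a01000u, "swapper");  /* nothing to pair yet */
    on_cr3_write(&m, 0x00b02000u, "sshd");     /* 0x00a01000 belongs to sshd */
    on_cr3_write(&m, 0x00a01000u, "bash");     /* 0x00b02000 belongs to bash */
    return (cr3_for_name(&m, "bash", &cr3) == 0 && cr3 == 0x00b02000u) ? 0 : 1;
}
```

Process names are not unique and a page-directory address can be reused after a process exits, so a name lookup only returns the first matching entry and entries are overwritten when the same CR3 value is seen under a new name.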
Both step 22 and step 21B2 need the readable identifier of the process. It is obtained as follows.
The guest operating system maintains one process descriptor for each process, and the process descriptor contains the readable identifier of the process.
Taking the Linux operating system as an example, the process descriptor of the currently running process can be resolved from the kernel or interrupt stack pointer in Linux process management, because the stack is stored in the pages that adjoin the process information.
The process descriptor of the currently running process can therefore be obtained with the following code.
movl $0xffffe000, %ecx /* or 0xfffff000 for 4KB stacks */
andl %esp, %ecx
movl (%ecx), p
For the Windows operating system, the process descriptor of the currently running process can be resolved from the prcb (processor control block). For each processor the address of the prcb is fixed, so the VMM can easily obtain the process descriptor of the currently running process from this address.
Once the process descriptor of the currently running process has been obtained, the readable identifier of the currently running process can be read from it.
Of course, the VMM can also obtain the process descriptor in another way: the GOS exposes the process descriptor table to the VMM through a dedicated interface, for example by informing the VMM through a virtual device.
In step 23, the CPU register information recorded comprises:
the code segment base address in the CS_base register and the code segment size in the CS_limit register;
the data segment base address in the DS_base register and the data segment size in the DS_limit register.
The CPU register information is as follows:
eip; /* execution pointer */
esp; /* stack pointer */
eflags; /* flags register */
cr0;
cr3; /* page table directory */
cr4;
idtr_limit; /* idt */
idtr_base;
gdtr_limit; /* gdt */
gdtr_base;
cs_sel; /* cs selector */
cs_limit;
cs_base;
cs_arbytes;
ds_sel; /* ds selector */
ds_limit;
ds_base;
ds_arbytes;
es_sel; /* es selector */
es_limit;
es_base;
es_arbytes;
ss_sel; /* ss selector */
ss_limit;
ss_base;
ss_arbytes;
fs_sel; /* fs selector */
fs_limit;
fs_base;
fs_arbytes;
gs_sel; /* gs selector */
gs_limit;
gs_base;
gs_arbytes;
tr_sel; /* task selector */
tr_limit;
tr_base;
tr_arbytes;
ldtr_sel; /* ldtr selector */
ldtr_limit;
ldtr_base;
ldtr_arbytes;
In step 23, for a guest operating system that uses the segmentation mechanism, the VMM can obtain the base address and size of the code segment/data segment from the context switch. For a guest operating system that makes only weak use of segmentation, the base address and size of the code segment/data segment can be obtained from the executable file by way of the executable file loader.
Step 26 requires verifying the process code segment in the machine physical memory page. In the specific embodiments of the invention this can be done in the following ways:
computing a hash over the process code segment in the machine physical memory page and verifying it;
computing MD5 over the process code segment in the machine physical memory page and verifying it.
Of course, the code segment can also be verified in other ways.
Setting the machine physical memory page of the process code segment to read-only can be achieved by marking the Shadow page table entries corresponding to the process code segment as read-only; the code space of the process then cannot be modified from within the Guest OS.
In virtualization technology the page table actually in use is the Shadow page table in the VMM. Although the GOS can modify the page table attributes of a process, the real page table settings are made by the VMM, so the VMM can control the real attributes of the page table and thereby protect memory.
Take a Rootkit virus as an example. Because the pages are marked read-only in the corresponding Shadow page table, the corresponding machine pages cannot be shared. When the Rootkit virus uses the operating system's remote injection technique, opening another process from one process and requesting virtual memory in that process, the memory request fails, because the machine physical memory in the VMM cannot be shared and the page table entries of the code segment are read-only. Code therefore cannot be injected into the remote process, and the memory is protected.
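Steps 23 to 26 as an added C example (not code from the patent): it walks a constructed two-level shadow page table to locate the machine frames behind a code segment, checksums the segment, and marks its pages read-only. All function names, the 32-bit non-PAE page-table layout, the sample addresses and the use of FNV-1a in place of the hash or MD5 the text mentions are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define PTE_P     0x1u               /* present */
#define PTE_RW    0x2u               /* writable */
#define FRAME(e)  ((e) & ~0xfffu)    /* machine frame address held in an entry */
#define NFRAMES   8u                 /* constructed machine memory: 8 frames */

static uint32_t machine_mem[NFRAMES * PAGE_SIZE / 4];
#define MEM_BYTES ((uint8_t *)machine_mem)

/* Shadow PTE that maps guest linear address la, or NULL if not present.
 * Assumes 32-bit non-PAE paging with 4 KB pages. No bounds checks: the
 * constructed tables below only reference frames 0..7. */
static uint32_t *shadow_pte(uint32_t pd_ma, uint32_t la)
{
    uint32_t pde = machine_mem[pd_ma / 4 + (la >> 22)];
    if (!(pde & PTE_P)) return NULL;
    uint32_t *pte = &machine_mem[FRAME(pde) / 4 + ((la >> 12) & 0x3ffu)];
    return (*pte & PTE_P) ? pte : NULL;
}

/* Steps 24-25: collect the shadow PTEs of the pages covering
 * [base, base + limit]; limit is the last valid offset, as in an x86 descriptor.
 * Returns the page count, or -1 if a page is unmapped or ptes[] is too small. */
static int locate_segment(uint32_t pd_ma, uint32_t base, uint32_t limit,
                          uint32_t **ptes, size_t max)
{
    if (limit > UINT32_MAX - base) return -1;        /* range would wrap */
    uint32_t last = (base + limit) & ~(PAGE_SIZE - 1);
    size_t n = 0;
    for (uint32_t la = base & ~(PAGE_SIZE - 1); ; la += PAGE_SIZE) {
        uint32_t *pte = shadow_pte(pd_ma, la);
        if (!pte || n == max) return -1;
        ptes[n++] = pte;
        if (la == last) return (int)n;
    }
}

/* Step 26, verification: FNV-1a over the segment bytes as they sit in machine
 * memory (stand-in for the hash or MD5 in the text; not collision-resistant).
 * Returns 0 if any byte of the segment is unmapped. */
static uint32_t checksum_segment(uint32_t pd_ma, uint32_t base, uint32_t limit)
{
    uint32_t h = 2166136261u;
    if (limit > UINT32_MAX - base) return 0;
    for (uint32_t off = 0; ; off++) {
        uint32_t *pte = shadow_pte(pd_ma, base + off);
        if (!pte) return 0;
        h = (h ^ MEM_BYTES[FRAME(*pte) + ((base + off) & 0xfffu)]) * 16777619u;
        if (off == limit) return h;
    }
}

/* Step 26, read-only: clear the writable bit in each located shadow PTE.
 * A real VMM would also have to flush stale TLB entries. */
static void protect_segment(uint32_t **ptes, int n)
{
    for (int i = 0; i < n; i++) *ptes[i] &= ~PTE_RW;
}

/* Model of a guest store translated through the shadow page table: returns -1
 * (fault) when the page is absent or read-only. On real x86 a ring-0 store
 * faults on a read-only page only when CR0.WP is set. */
static int guest_write(uint32_t pd_ma, uint32_t la, uint8_t v)
{
    uint32_t *pte = shadow_pte(pd_ma, la);
    if (!pte || !(*pte & PTE_RW)) return -1;
    MEM_BYTES[FRAME(*pte) + (la & 0xfffu)] = v;
    return 0;
}

/* Constructed sample: page directory in frame 0, page table in frame 1; guest
 * linear pages 0x08048000 and 0x08049000 map to machine frames 5 and 3. */
static uint32_t build_sample(void)
{
    memset(machine_mem, 0, sizeof machine_mem);
    machine_mem[0x08048000u >> 22] = 1 * PAGE_SIZE | PTE_P | PTE_RW;
    machine_mem[PAGE_SIZE / 4 + 0x48] = 5 * PAGE_SIZE | PTE_P | PTE_RW;
    machine_mem[PAGE_SIZE / 4 + 0x49] = 3 * PAGE_SIZE | PTE_P | PTE_RW;
    memset(MEM_BYTES + 5 * PAGE_SIZE, 0x90, PAGE_SIZE);
    memset(MEM_BYTES + 3 * PAGE_SIZE, 0xC3, PAGE_SIZE);
    return 0;                         /* machine address of the shadow PD */
}

int main(void)
{
    uint32_t pd = build_sample(), *ptes[4];
    uint32_t cs_base = 0x08048000u, cs_limit = 0x17ffu;   /* constructed */
    int n = locate_segment(pd, cs_base, cs_limit, ptes, 4);
    uint32_t good = checksum_segment(pd, cs_base, cs_limit);
    if (n != 2) return 1;
    protect_segment(ptes, n);
    if (guest_write(pd, cs_base + 0x10, 0xCC) != -1) return 1;
    MEM_BYTES[FRAME(*ptes[0]) + 0x10] = 0xCC;   /* change made outside the mapping */
    return checksum_segment(pd, cs_base, cs_limit) == good;   /* 0 = detected */
}
```

The two protections cover different cases: the read-only bit stops stores that go through the protected mapping, while the checksum also catches a change that reaches the same machine frame by another path.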
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be realized by software together with the necessary general-purpose hardware platform, or of course by hardware, although the former is clearly the better implementation. On this understanding, the essence of the technical solution of the invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product. This computer software product comprises a number of instructions that cause a computer device (computer device is used here in a general sense and includes, but is not limited to, personal computers, servers and network equipment) to execute the method described in the embodiments of the invention.
The above is only a preferred implementation of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the invention.

Claims (15)

1. a virtual machine monitor is characterized in that, comprising:
Acquisition module is used for obtaining the segment information of a process when client operating system generation environmental change, and obtains client's linear address of described process according to described segment information;
The process identification module is used to discern described process;
The page table identification module is used to discern the pairing shadow page table of process that described process identification module identifies, and records the corresponding relation of described client's linear address and machine physical memory page address in the described shadow page table;
Locating module is used for locating according to described client's linear address and described shadow page table the machine physical memory page of described process.
2. virtual machine monitor according to claim 1 is characterized in that, described acquisition module specifically comprises:
Record cell is used for when described client operating system generation environmental change, the segment information of the described process in the record CPU register;
Computing unit is used for the described client's linear address according to the described process of described process section information calculations.
3. virtual machine monitor according to claim 1 and 2 is characterized in that, also comprises:
Protection module is used to protect the code segment of process described in the described machine physical memory page.
4. virtual machine monitor according to claim 3 is characterized in that described protection module is specially verification unit, is used for the code segment of the described process of the machine physical memory page of described process is carried out verification.
5. virtual machine monitor according to claim 3 is characterized in that, described protection module is specially the unit is set, and the code segment of described process that is used for the machine physical memory page of described process is set to read-only.
6. A virtual machine system comprising a guest operating system and a virtual machine monitor, characterized in that the virtual machine monitor comprises:
An acquisition module, configured to obtain the segment information of a process when the guest operating system undergoes a context switch, and to obtain the guest linear address of the process according to the segment information;
A process identification module, configured to identify the process;
A page table identification module, configured to identify the shadow page table corresponding to the process identified by the process identification module, the shadow page table recording the correspondence between the guest linear address and the machine physical memory page address;
A locating module, configured to locate the machine physical memory page of the process according to the guest linear address and the shadow page table.
7. The virtual machine system according to claim 6, characterized in that the acquisition module specifically comprises:
A recording unit, configured to record the segment information of the process held in the CPU registers when the guest operating system undergoes a context switch;
A computing unit, configured to calculate the guest linear address of the process from the segment information of the process.
8. The virtual machine system according to claim 6 or 7, characterized in that the virtual machine monitor further comprises:
A protection module, configured to protect the code segment of the process in the machine physical memory page.
9. The virtual machine system according to claim 8, characterized in that the protection module is specifically a verification unit, configured to verify the code segment of the process in the machine physical memory page of the process.
10. The virtual machine system according to claim 8, characterized in that the protection module is specifically a setting unit, configured to set the code segment of the process in the machine physical memory page of the process to read-only.
11. A process handling method for a guest operating system, characterized by comprising:
When the guest operating system undergoes a context switch, obtaining the segment information of a process, and obtaining the guest linear address of the process according to the segment information;
Identifying the process;
Identifying the shadow page table corresponding to the identified process, the shadow page table recording the correspondence between the guest linear address and the machine physical memory page address;
Locating the machine physical memory page of the process according to the guest linear address and the shadow page table.
12. The method according to claim 11, characterized by further comprising:
Verifying the code segment of the process in the machine physical memory page of the process; and/or
Setting the code segment of the process in the machine physical memory page of the process to read-only.
13. The method according to claim 11 or 12, characterized in that identifying the shadow page table corresponding to the process specifically comprises:
The virtual machine monitor obtains the process name notified by the guest operating system and the guest physical address in the CR3 register corresponding to the process;
The virtual machine monitor obtains the machine physical address of the shadow page table corresponding to the guest physical address;
The virtual machine monitor obtains the shadow page table according to the machine physical address of the shadow page table;
The virtual machine monitor stores the process and the shadow page table in association with each other.
14. The method according to claim 11 or 12, characterized in that identifying the shadow page table corresponding to the process specifically comprises:
The virtual machine monitor establishes a correspondence between the guest physical address in the process CR3 register and the process name;
After the virtual machine monitor obtains the process name notified by the guest operating system, it obtains the guest physical address in the corresponding CR3 register according to the correspondence between the guest physical address in the process CR3 register and the process name;
The virtual machine monitor obtains the machine physical address of the shadow page table corresponding to the guest physical address;
The virtual machine monitor obtains the shadow page table according to the machine physical address of the shadow page table;
The virtual machine monitor stores the process and the shadow page table in association with each other.
15. The method according to claim 14, characterized in that the step in which the virtual machine monitor establishes the correspondence between the guest physical address in the process CR3 register and the process name specifically comprises:
When the guest operating system undergoes a context switch, the virtual machine monitor records the guest physical address in the guest CR3 register of the ready-to-run process;
The virtual machine monitor obtains the name of the currently running process;
The virtual machine monitor stores, in one-to-one correspondence, the last recorded guest physical address in the guest CR3 register of the ready-to-run process and the name of the currently running process.
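The method of claims 11 to 15 can be followed end to end in a small C model, added here as an illustration and not taken from the patent: a process is identified by its guest CR3 value, the guest linear address is computed from the segment base and offset, the shadow page table yields the machine page, and that page is checksummed against a baseline. All names, the flat one-level table, the in-memory "machine memory" array and the choice of FNV-1a as the checksum are assumptions of the sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     8u
#define NO_PAGE    UINT32_MAX

/* Constructed toy model: a flat one-level "shadow page table" per process. */
struct shadow_pt  { uint32_t gla_page[4], mfn[4]; size_t n; };
struct proc_entry { uint32_t guest_cr3; const char *name; struct shadow_pt spt; };
static uint8_t machine_mem[NPAGES][PAGE_SIZE];   /* constructed machine memory */

/* Claim 2: guest linear address from the recorded segment information. */
static uint32_t guest_linear(uint32_t seg_base, uint32_t offset) { return seg_base + offset; }

/* Claims 13-15: identify the process by the guest CR3 recorded at a context switch. */
static struct proc_entry *find_process(struct proc_entry *t, size_t n, uint32_t cr3) {
    for (size_t i = 0; i < n; i++)
        if (t[i].guest_cr3 == cr3) return &t[i];
    return NULL;
}

/* Claim 11: locate the machine page that backs a guest linear address. */
static uint32_t locate_mfn(const struct shadow_pt *spt, uint32_t gla) {
    for (size_t i = 0; i < spt->n; i++)
        if (spt->gla_page[i] == (gla >> PAGE_SHIFT)) return spt->mfn[i];
    return NO_PAGE;                               /* not mapped for this process */
}

/* Claim 12: checksum of one code page (FNV-1a is this example's choice). */
static uint32_t page_checksum(uint32_t mfn) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < PAGE_SIZE; i++) { h ^= machine_mem[mfn][i]; h *= 16777619u; }
    return h;
}

/* Returns 1 if the code page matches the baseline, 0 if modified, -1 if not locatable. */
static int verify_code(struct proc_entry *t, size_t n, uint32_t cr3,
                       uint32_t cs_base, uint32_t offset, uint32_t baseline) {
    struct proc_entry *p = find_process(t, n, cr3);
    if (!p) return -1;                            /* unknown CR3: process not registered */
    uint32_t mfn = locate_mfn(&p->spt, guest_linear(cs_base, offset));
    if (mfn >= NPAGES) return -1;                 /* unmapped or outside the toy memory */
    return page_checksum(mfn) == baseline;
}
```

A result of 0 is the case the verification unit of claims 4, 9 and 12 exists to catch; the read-only alternative of claims 5 and 10 would instead be enforced through the page permissions in the shadow page table entry.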
CN 200810057354 2008-01-31 2008-01-31 Virtual machine monitor, virtual machine system and process handling method of client operating system Active CN101499016B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810057354 CN101499016B (en) 2008-01-31 2008-01-31 Virtual machine monitor, virtual machine system and process handling method of client operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810057354 CN101499016B (en) 2008-01-31 2008-01-31 Virtual machine monitor, virtual machine system and process handling method of client operating system

Publications (2)

Publication Number Publication Date
CN101499016A true CN101499016A (en) 2009-08-05
CN101499016B CN101499016B (en) 2011-09-21

Family

ID=40946100

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810057354 Active CN101499016B (en) 2008-01-31 2008-01-31 Virtual machine monitor, virtual machine system and process handling method of client operating system

Country Status (1)

Country Link
CN (1) CN101499016B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663312A (en) * 2012-03-20 2012-09-12 中国科学院信息工程研究所 ROP attack detection method and system based on virtual machine
CN102708330A (en) * 2012-05-10 2012-10-03 深信服网络科技(深圳)有限公司 Method for preventing system from being invaded, invasion defense system and computer
WO2014131319A1 (en) * 2013-02-27 2014-09-04 华为技术有限公司 Methods and apparatuses for identifying and tracking process of operating system, and for obtaining information
CN105843671A (en) * 2016-03-22 2016-08-10 西安电子科技大学 Cloud platform based virtual machine resource security monitoring and risk preprocessing system
CN108920253A (en) * 2018-06-20 2018-11-30 成都虫洞奇迹科技有限公司 A kind of the virtual machine monitoring system and monitoring method of no agency
CN110955546A (en) * 2018-09-26 2020-04-03 迈普通信技术股份有限公司 Memory address monitoring method and device and electronic equipment
CN111052114A (en) * 2017-06-07 2020-04-21 惠普发展公司,有限责任合伙企业 Intrusion detection system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104899077A (en) * 2015-06-30 2015-09-09 北京奇虎科技有限公司 Process information acquiring method and device based on container technology

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100472547C (en) * 2006-03-21 2009-03-25 联想(北京)有限公司 System and method for killing ROOTKIT
CN100489782C (en) * 2006-06-29 2009-05-20 联想(北京)有限公司 Virtual machine system and accessing control method of hardware equipment
CN100568181C (en) * 2007-06-22 2009-12-09 浙江大学 Dummy machine system and its implementation based on virtualizing technique of processor

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663312A (en) * 2012-03-20 2012-09-12 中国科学院信息工程研究所 ROP attack detection method and system based on virtual machine
CN102663312B (en) * 2012-03-20 2014-10-01 中国科学院信息工程研究所 ROP attack detection method and system based on virtual machine
CN102708330A (en) * 2012-05-10 2012-10-03 深信服网络科技(深圳)有限公司 Method for preventing system from being invaded, invasion defense system and computer
CN102708330B (en) * 2012-05-10 2015-07-08 深信服网络科技(深圳)有限公司 Method for preventing system from being invaded, invasion defense system and computer
WO2014131319A1 (en) * 2013-02-27 2014-09-04 华为技术有限公司 Methods and apparatuses for identifying and tracking process of operating system, and for obtaining information
CN105843671B (en) * 2016-03-22 2018-11-16 西安电子科技大学 Resources of virtual machine security monitoring and risk pretreatment system based on cloud platform
CN105843671A (en) * 2016-03-22 2016-08-10 西安电子科技大学 Cloud platform based virtual machine resource security monitoring and risk preprocessing system
CN111052114A (en) * 2017-06-07 2020-04-21 惠普发展公司,有限责任合伙企业 Intrusion detection system
CN111052114B (en) * 2017-06-07 2024-01-09 惠普发展公司,有限责任合伙企业 Intrusion detection system
CN108920253A (en) * 2018-06-20 2018-11-30 成都虫洞奇迹科技有限公司 A kind of the virtual machine monitoring system and monitoring method of no agency
CN108920253B (en) * 2018-06-20 2022-05-17 成都灵跃云创科技有限公司 Agent-free virtual machine monitoring system and monitoring method
CN110955546A (en) * 2018-09-26 2020-04-03 迈普通信技术股份有限公司 Memory address monitoring method and device and electronic equipment
CN110955546B (en) * 2018-09-26 2023-03-21 迈普通信技术股份有限公司 Memory address monitoring method and device and electronic equipment

Also Published As

Publication number Publication date
CN101499016B (en) 2011-09-21


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant