摘要
针对现有进程分析方法存在的缺陷,提出了一种在Windows平台虚拟环境下分析进程的方法。该方法首先在宿主机下分析虚拟机的内存,捕捉当前线程,并通过内核数据结构得到当前线程所在进程,然后通过页目录表物理地址计算进程页面,对内存进行清零来结束进程。实例分析表明本方法在保护宿主机安全的同时,能快速监测到程序,并且可以有效地结束进程。
In view of the shortcomings of the existing process analyzing methods,a new method was proposed based on virtual environment of Windows platform.This method captured the current thread by analyzing virtual machine's memory under host,got the current process by the kernel data structures,and set zero among the memory to kill the process.The physical address of memory could be worked out by using the base address of page table.The experimental result shows that the proposed method can quickly detect process,effectively kill the process,and maintain the host security at the same time.
出处
《计算机应用》
CSCD
北大核心
2010年第5期1327-1330,共4页
journal of Computer Applications
基金
国家863计划项目(2009AA01Z403
2009AA01Z435)
关键词
虚拟机
内核
进程
CR3
Virtual Machine (VM)
kernel
process
CR3
