RESEARCH PRODUCT

Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot

Roee Leon, Raz Ben Yehuda, Nezer Jacob Zaidenberg, Amit Resh, Asaf Algawi, Michael Kiperberg

subject

021110 strategic defence & security studies; Atomicity; Software_OPERATINGSYSTEMS; Honeypot; Computer science; 0211 other engineering and technologies; Hypervisor; 02 engineering and technology; computer.software_genre; Virtualization; Memory forensics; Mass storage; 0202 electrical engineering, electronic engineering, information engineering; Operating system; Malware; 020201 artificial intelligence & image processing; Malware analysis; computer

description

Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist, ranging from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor-based memory acquisition tool [22]. Our method supports ASLR and modern operating systems, which is an innovation compared to past methods [27, 36]. We extend the hypervisor-assisted memory acquisition by adding mass storage device honeypots for the malware to cross, and propose hiding the hypervisor using bluepill technology.

https://doi.org/10.1007/978-3-030-49443-8_15