A forum for reverse engineering, OS internals and malware analysis 

 #1571  by __Genius__
 Fri Jul 16, 2010 8:17 pm
Implicit Detection of Hidden Processes with a Feather-Weight Hardware-Assisted Virtual Machine Monitor

I found it at the ACM portal:
Process hiding is a commonly used stealth technique which facilitates evasion of detection by anti-malware programs. In this paper, we propose a new approach called Aries to implicitly detect hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of the TPL and non-bypassable interfaces for exposing the TPL. Unlike typical VMMs, Aries can dynamically migrate an already booted OS onto itself. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled from explicit OS implementation information, which is subvertible by privileged malware. Our functionality evaluation shows Aries can detect more process-hiding malware than existing detectors, while the performance evaluation shows desktop-oriented workloads achieve 95.2% of native speed on average.
http://www.sersc.org/journals/IJSIA/vol2_no4_2008/5.pdf
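The abstract's core idea is a cross-view diff: a thin VMM traps every CR3 load the guest scheduler performs, so every address space that actually runs shows up in the VMM's list regardless of whether the OS's own process list has been unlinked. The following C program is an added illustration of that comparison and is not code from the paper or the forum; it runs the diff over a constructed CR3 trace and a constructed OS process list (all addresses, PIDs and names are made up), and there is no real hypervisor behind it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One trapped CR3 load, as a thin VMM with CR3-load exiting enabled
 * would record it. Constructed sample data, not a real trace. */
typedef struct {
    uint64_t tsc;   /* timestamp of the context switch */
    uint64_t cr3;   /* new CR3 value written by the guest scheduler */
} cr3_event_t;

/* One entry of the OS-visible process list (e.g. from walking the
 * EPROCESS list); dirbase is the DirectoryTableBase, i.e. its CR3. */
typedef struct {
    uint32_t    pid;
    const char *name;
    uint64_t    dirbase;
} os_proc_t;

/* One address space in the True Process List (TPL). */
typedef struct {
    uint64_t cr3;        /* normalised page-directory base */
    unsigned switches;   /* how often the scheduler switched to it */
    int      os_visible; /* 1 if the OS reports a process with this CR3 */
} space_t;

/* CR3 bit 63 is the "no TLB flush" hint and bits 0-11 hold the PCID when
 * CR4.PCIDE=1; neither identifies the address space, so strip both. */
static uint64_t normalise_cr3(uint64_t cr3)
{
    return cr3 & 0x7FFFFFFFFFFFF000ULL;
}

/* Build the TPL from the trace: one entry per distinct address space. */
static size_t build_tpl(const cr3_event_t *ev, size_t n,
                        space_t *out, size_t cap)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t base = normalise_cr3(ev[i].cr3);
        size_t j;
        for (j = 0; j < count; j++)
            if (out[j].cr3 == base) { out[j].switches++; break; }
        if (j == count && count < cap) {
            out[count].cr3 = base;
            out[count].switches = 1;
            out[count].os_visible = 0;
            count++;
        }
    }
    return count;
}

/* Cross-view diff: mark TPL entries the OS also reports and return how
 * many address spaces the scheduler ran that the OS does not list. */
static size_t mark_hidden(space_t *tpl, size_t n,
                          const os_proc_t *os, size_t m)
{
    size_t hidden = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < m; j++)
            if (normalise_cr3(os[j].dirbase) == tpl[i].cr3) {
                tpl[i].os_visible = 1;
                break;
            }
        if (!tpl[i].os_visible) hidden++;
    }
    return hidden;
}

/* Constructed sample data: four address spaces get scheduled, the OS
 * reports only three. The fourth stands in for an unlinked process. */
static const cr3_event_t sample_trace[] = {
    { 1000, 0x00000000001AA000ULL },          /* System */
    { 1010, 0x000000001F3D0000ULL | 0x001 },  /* explorer.exe, PCID 1 */
    { 1020, 0x8000000022C40000ULL | 0x002 },  /* svchost.exe, no-flush bit set */
    { 1030, 0x000000002B790000ULL | 0x003 },  /* not in the OS list */
    { 1040, 0x000000001F3D0000ULL | 0x001 },
    { 1050, 0x000000002B790000ULL | 0x003 },
    { 1060, 0x00000000001AA000ULL },
};
static const os_proc_t sample_os_list[] = {
    { 4,    "System",       0x00000000001AA000ULL },
    { 1234, "explorer.exe", 0x000000001F3D0000ULL },
    { 2048, "svchost.exe",  0x0000000022C40000ULL },
};
#define N_TRACE (sizeof sample_trace / sizeof sample_trace[0])
#define N_OS    (sizeof sample_os_list / sizeof sample_os_list[0])

size_t demo_tpl_size(void)
{
    space_t tpl[32];
    return build_tpl(sample_trace, N_TRACE, tpl, 32);
}

size_t demo_hidden_count(void)
{
    space_t tpl[32];
    size_t n = build_tpl(sample_trace, N_TRACE, tpl, 32);
    return mark_hidden(tpl, n, sample_os_list, N_OS);
}

int main(void)
{
    space_t tpl[32];
    size_t n = build_tpl(sample_trace, N_TRACE, tpl, 32);
    size_t hidden = mark_hidden(tpl, n, sample_os_list, N_OS);
    for (size_t i = 0; i < n; i++)
        printf("CR3 %016llx  switches=%u  %s\n",
               (unsigned long long)tpl[i].cr3, tpl[i].switches,
               tpl[i].os_visible ? "listed" : "HIDDEN");
    printf("%zu of %zu address spaces hidden from the OS view\n", hidden, n);
    return 0;
}
```

Two caveats a practitioner would keep in mind: CR3 identifies an address space, not a process, so a hidden thread injected into a legitimate process shares that process's CR3 and never shows up as a separate entry, and a process that is not scheduled during the observation window is not in the trace at all. The no-flush bit and PCID bits are stripped because the same address space would otherwise be counted several times.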
 #1572  by EP_X0FF
 Sat Jul 17, 2010 3:22 am
Table 2. Experimental Results for Libra Hidden Processes Detection. D means the tool detected the hidden process successfully; F denotes failure to detect it.

Tool                      Aphex  Hacker Defender  FU  FUTo  phide_ex
Blacklight                D      D                D   F     F
DarkSpy                   D      D                D   D     F
IceSword                  D      D                D   F     F
RkUnhooker                D      D                D   D     F
Bitdefender Antirootkit   D      D                D   D     F
UnHackMe                  D      D                D   F     F
GMER                      D      D                D   D     F
KProcCheck                D      D                D   D     F
Process Hunter            D      D                D   F     F
TaskInfo                  D      D                D   F     F
Libra                     D      D                D   D     D
This is a lie. RkUnhooker as well as GMER have been able to detect phide_ex since 2006.
Vol. 2, No. 4, October, 2008
Yes-yes, when it was first detected by ProcWalker in October 2006.
 #1576  by EP_X0FF
 Sat Jul 17, 2010 7:20 am
ProcWalker since 28/10/2006
GMER since November 2006
Rootkit Unhooker since November 2006

+ some more (almost all popular antirootkits can do this).
 #1591  by Alex
 Sun Jul 18, 2010 10:18 am
There isn't any information in this article about the versions of the tools they tested, so it looks like they just put into the table the information that was released when the individual demo rootkits were published, and that would be true, because phide_ex defeated all ARKs in 2006. But as you wrote, phide_ex was detected a few days after its publication by the mentioned ARKs. Anyway, this article was published in 2008 and now it is 2010, when malware rootkits don't try to hide their processes/threads; instead they hide files and kernel modules/code. So maybe this time they will intercept I/O port access instead of CR3 ;)
 #1593  by EP_X0FF
 Sun Jul 18, 2010 11:57 am
There isn't any information in this article about the versions of the tools they tested, so it looks like they just put into the table the information that was released when the individual demo rootkits were published, and that would be true
GMER, DarkSpy, RKU and some others were created after FUTo, so this theory doesn't hold. Otherwise, if we follow this logic, they are also "bypassed" by many rootkits.
There is a simple explanation for this fake table: crappy self-PR by the authors of this "article". Your tool must be the best of the best, otherwise there is no point in creating it.