{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,6]],"date-time":"2025-05-06T06:10:05Z","timestamp":1746511805640,"version":"3.40.4"},"publisher-location":"Cham","reference-count":31,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319132563"},{"type":"electronic","value":"9783319132570"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014]]},"DOI":"10.1007\/978-3-319-13257-0_15","type":"book-chapter","created":{"date-parts":[[2014,11,3]],"date-time":"2014-11-03T10:43:57Z","timestamp":1415011437000},"page":"255-272","source":"Crossref","is-referenced-by-count":3,"title":["Investigating the Hooking Behavior: A Page-Level Memory Monitoring Method for Live Forensics"],"prefix":"10.1007","author":[{"given":"Yingxin","family":"Cheng","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiao","family":"Fu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bin","family":"Luo","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rui","family":"Yang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hao","family":"Ruan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","reference":[{"issue":"2","key":"15_CR1","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1145\/1113034.1113070","volume":"49","author":"F. Adelstein","year":"2006","unstructured":"Adelstein, F.: Live forensics: Diagnosing your system without killing it first. Commun. ACM\u00a049(2), 63\u201366 (2006)","journal-title":"Commun. ACM"},{"key":"15_CR2","unstructured":"Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.): Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, Chicago, Illinois, USA, November 9-13. ACM (2009)"},{"key":"15_CR3","unstructured":"AMD: Amd virtualization (2014), http:\/\/www.amd.com\/us\/solutions\/servers\/virtualization\/Pages\/virtualization.aspx"},{"key":"15_CR4","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1016\/j.diin.2007.06.010","volume":"4","author":"A.R. Arasteh","year":"2007","unstructured":"Arasteh, A.R., Debbabi, M.: Forensic memory analysis: From stack and code to execution history. Digital Investigation\u00a04, 114\u2013125 (2007)","journal-title":"Digital Investigation"},{"key":"15_CR5","unstructured":"Athreya, M.B.: Subverting linux on-the-fly using hardware virtualization technology (2010)"},{"key":"15_CR6","doi-asserted-by":"crossref","unstructured":"Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T.L., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: Scott, Peterson (eds.) [20], pp. 164\u2013177","DOI":"10.1145\/1165389.945462"},{"key":"15_CR7","unstructured":"Bellard, F.: Qemu, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, FREENIX Track, pp. 41\u201346. USENIX (2005)"},{"key":"15_CR8","unstructured":"Butler, J.: Dkom. Black Hat Windows Security (2004)"},{"key":"15_CR9","doi-asserted-by":"crossref","unstructured":"Carbone, M., Cui, W., Lu, L., Lee, W., Peinado, M., Jiang, X.: Mapping kernel objects to enable systematic integrity checking. In: Al-Shaer, et al. (eds.) [2], pp. 555\u2013565","DOI":"10.1145\/1653662.1653729"},{"key":"15_CR10","unstructured":"Cogswell, B., Russinovich, M.: Rootkitrevealer (2006), http:\/\/technet.microsoft.com\/en-us\/Sysinternals\/bb897445.aspx"},{"key":"15_CR11","doi-asserted-by":"crossref","unstructured":"Dinaburg, A., Royal, P., Sharif, M.I., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Ning, P., Syverson, P.F., Jha, S. (eds.) ACM Conference on Computer and Communications Security, pp. 51\u201362. ACM (2008)","DOI":"10.1145\/1455770.1455779"},{"key":"15_CR12","doi-asserted-by":"crossref","unstructured":"Garfinkel, S.L.: Digital forensics research: The next 10 years. Digital Investigation\u00a07, S64\u2013S73 (2010)","DOI":"10.1016\/j.diin.2010.05.009"},{"key":"15_CR13","doi-asserted-by":"crossref","unstructured":"Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A virtual machine-based platform for trusted computing. In: Scott, Peterson, (eds.) [20], pp. 193\u2013206","DOI":"10.1145\/1165389.945464"},{"key":"15_CR14","unstructured":"Intel: Hardware-assisted virtualization technology (2014), http:\/\/www.intel.com\/content\/www\/us\/en\/virtualization\/virtualization-technology\/hardware-assist-virtualization-technology.html"},{"key":"15_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/978-3-642-15512-3_16","volume-title":"Recent Advances in Intrusion Detection","author":"L. Martignoni","year":"2010","unstructured":"Martignoni, L., Fattori, A., Paleari, R., Cavallaro, L.: Live and trustworthy forensic analysis of commodity production systems. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol.\u00a06307, pp. 297\u2013316. Springer, Heidelberg (2010)"},{"key":"15_CR16","doi-asserted-by":"crossref","unstructured":"Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.B.: Vigilare: toward snoop-based kernel integrity monitor. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM Conference on Computer and Communications Security, pp. 28\u201337. ACM (2012)","DOI":"10.1145\/2382196.2382202"},{"key":"15_CR17","doi-asserted-by":"crossref","unstructured":"Rhee, J., Riley, R., Xu, D., Jiang, X.: Defeating dynamic data kernel rootkit attacks via vmm-based guest-transparent monitoring. In: ARES, pp. 74\u201381. IEEE Computer Society (2009)","DOI":"10.1109\/ARES.2009.116"},{"key":"15_CR18","doi-asserted-by":"crossref","unstructured":"Riley, R., Jiang, X.: Multi-aspect profiling of kernel rootkit behavior. In: Schr\u00f6der-Preikschat, W., Wilkes, J., Isaacs, R. (eds.) EuroSys, pp. 47\u201360. ACM (2009)","DOI":"10.1145\/1519065.1519072"},{"key":"15_CR19","unstructured":"Rutkowska, J., Tereshkin, A.: Isgameover() anyone. Black Hat, USA (2007)"},{"key":"15_CR20","unstructured":"Scott, M.L., Peterson, L.L. (eds.): Proceedings of the 19th ACM Symposium on Operating Systems Principles, SOSP 2003, Bolton Landing, NY, USA, October 19-22. ACM (2003)"},{"key":"15_CR21","doi-asserted-by":"crossref","unstructured":"Seshadri, A., Luk, M., Qu, N., Perrig, A.: Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In: Bressoud, T.C., Kaashoek, M.F. (eds.) SOSP, pp. 335\u2013350. ACM (2007)","DOI":"10.1145\/1323293.1294294"},{"key":"15_CR22","doi-asserted-by":"crossref","unstructured":"Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) ACM Conference on Computer and Communications Security, pp. 552\u2013561. ACM (2007)","DOI":"10.1145\/1315245.1315313"},{"key":"15_CR23","doi-asserted-by":"crossref","unstructured":"Shosha, A.F., Liu, C.C., Gladyshev, P.: Evasion-resistant malware signature based on profiling kernel data structure objects. In: Martinelli, F., Lanet, J.L., Fitzgerald, W.M., Foley, S.N. (eds.) CRiSIS, pp. 1\u20138. IEEE Computer Society (2012)","DOI":"10.1109\/CRISIS.2012.6378949"},{"key":"15_CR24","doi-asserted-by":"crossref","unstructured":"Vasudevan, A., Chaki, S., Jia, L., McCune, J.M., Newsome, J., Datta, A.: Design, implementation and verification of an extensible and modular hypervisor framework. In: IEEE Symposium on Security and Privacy, pp. 430\u2013444. IEEE Computer Society (2013)","DOI":"10.1109\/SP.2013.36"},{"key":"15_CR25","unstructured":"Walters, A.: The volatility framework: Volatile memory artifact extraction utility framework (2007), https:\/\/www.volatilesystems.com\/default\/volatility"},{"key":"15_CR26","doi-asserted-by":"crossref","unstructured":"Wang, Z., Jiang, X.: Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In: IEEE Symposium on Security and Privacy, pp. 380\u2013395. IEEE Computer Society (2010)","DOI":"10.1109\/SP.2010.30"},{"key":"15_CR27","unstructured":"Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: Al-Shaer, et al. [2], pp. 545\u2013554"},{"key":"15_CR28","unstructured":"Wikipedia: Cache (2014), http:\/\/en.wikipedia.org\/wiki\/Cache_computing"},{"key":"15_CR29","unstructured":"Yin, H., Liang, Z., Song, D.: Hookfinder: Identifying and understanding malware hooking behaviors. In: NDSS. The Internet Society (2008)"},{"key":"15_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-14215-4_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"H. Yin","year":"2010","unstructured":"Yin, H., Poosankam, P., Hanna, S., Song, D.: HookScout: Proactive binary-centric hook detection. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol.\u00a06201, pp. 1\u201320. Springer, Heidelberg (2010)"},{"issue":"1","key":"15_CR31","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1016\/j.diin.2012.04.002","volume":"9","author":"M. Yu","year":"2012","unstructured":"Yu, M., Qi, Z., Lin, Q., Zhong, X., Li, B., Guan, H.: Vis: Virtualization enhanced live forensics acquisition for native system. Digital Investigation\u00a09(1), 22\u201333 (2012)","journal-title":"Digital Investigation"}],"container-title":["Lecture Notes in Computer Science","Information Security"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-13257-0_15","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,6]],"date-time":"2025-05-06T05:54:29Z","timestamp":1746510869000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-13257-0_15"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014]]},"ISBN":["9783319132563","9783319132570"],"references-count":31,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-13257-0_15","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2014]]}}}