{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,21]],"date-time":"2025-05-21T06:55:48Z","timestamp":1747810548412},"publisher-location":"Berlin, Heidelberg","reference-count":31,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783642043413"},{"type":"electronic","value":"9783642043420"}],"license":[{"start":{"date-parts":[[2009,1,1]],"date-time":"2009-01-01T00:00:00Z","timestamp":1230768000000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2009]]},"DOI":"10.1007\/978-3-642-04342-0_16","type":"book-chapter","created":{"date-parts":[[2009,9,28]],"date-time":"2009-09-28T23:00:22Z","timestamp":1254178822000},"page":"304-325","source":"Crossref","is-referenced-by-count":16,"title":["Toward Revealing Kernel Malware Behavior in Virtual Execution Environments"],"prefix":"10.1007","author":[{"given":"Chaoting","family":"Xuan","sequence":"first","affiliation":[]},{"given":"John","family":"Copeland","sequence":"additional","affiliation":[]},{"given":"Raheem","family":"Beyah","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"16_CR1","unstructured":"Anubis Project (2009), http:\/\/anubis.iseclab.org\/?action=home"},{"key":"16_CR2","doi-asserted-by":"crossref","unstructured":"Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity: Principles, implementations, and applications. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2005)","DOI":"10.1145\/1102120.1102165"},{"key":"16_CR3","unstructured":"BitBlaze Project (2009), http:\/\/bitblaze.cs.berkeley.edu\/"},{"key":"16_CR4","doi-asserted-by":"crossref","unstructured":"Baliga, A., Ganapathy, V., Iftode, L.: Automatic Inference and Enforcement of Kernel Data Structure Invariants. 
In: Proceedings of the 24th Annual Computer Security Applications Conference, ACSAC (2008)","DOI":"10.1109\/ACSAC.2008.29"},{"key":"16_CR5","unstructured":"Bellard, F.: QEMU and Kqemu (2009), http:\/\/fabrice.bellard.free.fr\/qemu\/"},{"key":"16_CR6","unstructured":"CBS News. Conficker Wakes Up (2009), http:\/\/www.cbsnews.com\/stories\/2009\/04\/09\/tech\/cnettechnews\/main4931360.shtml"},{"key":"16_CR7","unstructured":"Chiang, K., Lloyd, L.: A case Study of the Rustock Rootkit and Spam Bot. In: First workshop on hot topics in understanding botnets (2007)"},{"key":"16_CR8","unstructured":"Dr.Web Company. Win32.Ntldrbot (aka Rustock.C) no longer a myth, no longer a threat. New Dr.Web scanner detects and cures it for real (2009), http:\/\/info.drweb.com\/show\/3342\/en"},{"key":"16_CR9","unstructured":"Garfinkel, T., Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: Proceedings of the Symposium on Network and Distributed System Security, NDSS (2003)"},{"key":"16_CR10","unstructured":"Geeg Blog. The Conficker Worm Awakens (2009), http:\/\/geeg.info\/blog4.php\/2009\/04\/the-conficker-worm-awakens"},{"key":"16_CR11","unstructured":"GraphViz Project (2009), http:\/\/www.graphviz.org\/"},{"key":"16_CR12","volume-title":"Rootkits: Subverting the Windows Kernel","author":"G. Hoglund","year":"2005","unstructured":"Hoglund, G., Butler, J.: Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Reading (2005)"},{"key":"16_CR13","doi-asserted-by":"crossref","unstructured":"Kruegel, B.C., Robertson, W., Vigna, G.: Detecting Kernel-Level Rootkits through Binary Analysis. In: Proceedings of the 20th Annual Computer Security Applications Conference, ACSAC (2004)","DOI":"10.1109\/CSAC.2004.19"},{"key":"16_CR14","unstructured":"Lanzi, A., Sharif, M., Lee, W.: K-Tracer: A System for Extracting Kernel Malware Behavior. 
In: Proceeding of the Annual Network and distributed System Security Symposium, NDSS (2009)"},{"key":"16_CR15","unstructured":"Microsoft Symbol Server (2009), http:\/\/msdl.microsoft.com\/download\/symbols"},{"key":"16_CR16","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of the IEEE Symposium on Security and Privacy (2007)","DOI":"10.1109\/SP.2007.17"},{"key":"16_CR17","unstructured":"Petroni, N.L., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor. In: Proceedings of the USENIX Security Symposium (2004)"},{"key":"16_CR18","unstructured":"Petroni, N.L., Fraser, T., Walters, A., Arbaugh, W.A.: An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data. In: Proceedings of the USENIX Security Symposium (2006)"},{"key":"16_CR19","doi-asserted-by":"crossref","unstructured":"Petroni, N.L., Hicks, M.: Automated Detection of Persistent Kernel Control-Flow Attacks. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2007)","DOI":"10.1145\/1315245.1315260"},{"key":"16_CR20","unstructured":"Offensivecomputing Website (2009), http:\/\/www.offensivecomputing.net\/"},{"key":"16_CR21","unstructured":"Rootkit website (2009), http:\/\/www.rootkit.com"},{"key":"16_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-87403-4_1","volume-title":"Recent Advances in Intrusion Detection","author":"R. Riley","year":"2008","unstructured":"Riley, R., Jiang, X., Xu, D.: Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol.\u00a05230, pp. 1\u201320. 
Springer, Heidelberg (2008)"},{"key":"16_CR23","doi-asserted-by":"crossref","unstructured":"Riley, R., Jiang, X., Xu, D.: Multi-Aspect Profiling of Kernel Rootkit Behavior. In: Proceedings of the ACM SIGOPS European Conference on Computer Systems, EuroSys (2009)","DOI":"10.1145\/1519065.1519072"},{"key":"16_CR24","doi-asserted-by":"crossref","unstructured":"Shacham, H.: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2007)","DOI":"10.1145\/1315245.1315313"},{"key":"16_CR25","doi-asserted-by":"crossref","unstructured":"Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: A Tiny Hypervisor to Guarantee Lifetime Kernel Code Integrity for Commodity OSes. In: Proceedings of the ACM Symposium on Operating Systems Principles, SOSP (2007)","DOI":"10.1145\/1294261.1294294"},{"key":"16_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"219","DOI":"10.1007\/978-3-540-74320-0_12","volume-title":"Recent Advances in Intrusion Detection","author":"J. Wilhelm","year":"2007","unstructured":"Wilhelm, J., Chiueh, T.: A Forced Sampled Execution Approach to Kernel Rootkit Identification. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol.\u00a04637, pp. 219\u2013235. Springer, Heidelberg (2007)"},{"key":"16_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-540-87403-4_2","volume-title":"Recent Advances in Intrusion Detection","author":"Z. Wang","year":"2008","unstructured":"Wang, Z., Jiang, X., Cui, W., Wang, X.: Countering Persistent Kernel Rootkits Through systematic Hook Discovery. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol.\u00a05230, pp. 21\u201338. 
Springer, Heidelberg (2008)"},{"key":"16_CR28","doi-asserted-by":"crossref","unstructured":"Jiang, X., Wang, X., Xu, D.: Stealthy Malware Detection through VMM-Based \u201cOut-of-the-Box\u201d Semantic View Reconstruction. In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2007)","DOI":"10.1145\/1315245.1315262"},{"key":"16_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"48","DOI":"10.1007\/978-3-642-02918-9_4","volume-title":"DIMVA 2009","author":"C. Xuan","year":"2009","unstructured":"Xuan, C., Copeland, J., Beyah, R.: Shepherding Loadable Kernel Modules through On-demand Emulation. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol.\u00a05587, pp. 48\u201367. Springer, Heidelberg (2009)"},{"key":"16_CR30","unstructured":"Yin, H., Liang, Z., Song, D.: Hookfinder: Identifying and understanding malware hooking behaviors. In: Proceeding of the Annual Network and distributed System Security Symposium, NDSS (2008)"},{"key":"16_CR31","doi-asserted-by":"crossref","unstructured":"Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. 
In: Proceedings of the ACM Conference on Computer and Communications Security, CCS (2007)","DOI":"10.1145\/1315245.1315261"}],"container-title":["Lecture Notes in Computer Science","Recent Advances in Intrusion Detection"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-04342-0_16","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,22]],"date-time":"2019-05-22T22:11:50Z","timestamp":1558563110000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-04342-0_16"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009]]},"ISBN":["9783642043413","9783642043420"],"references-count":31,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-04342-0_16","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2009]]}}}