An advanced method of process reconstruction based on VMM

2011 
Recently, VMM-based anti-malware systems have become an active research topic as a way of overcoming the fundamental limitations of traditional host-based anti-malware systems, which can be deceived and attacked by malicious code. Guest system semantic views (e.g., files, processes) must be reconstructed to bridge the semantic gap. Because processes switch frequently, process reconstruction based on the CR3 register causes many VM EXIT events and some performance loss. In the current study, an advanced method to reconstruct processes is presented. Utilizing the features of hardware virtualization technology, this method reduces the VM EXIT events caused by process switching, improving the efficiency of process reconstruction. Experiments show that the method can eliminate nearly 85% of the VM EXIT events caused by process switching.
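As an added illustration, not code from the paper (whose mechanism the abstract does not disclose), the following C simulation counts CR3-induced VM exits over a constructed context-switch trace: first with CR3-load exiting trapping every switch, then with the Intel VT-x VMCS CR3-target list, which lets a MOV to CR3 matching one of up to four registered values proceed without a VM exit. That the paper relies on the CR3-target list is an assumption; the traces, slot-replacement policy and function names are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CR3_TARGET_MAX 4  /* VT-x VMCS holds at most four CR3-target values */

/* Constructed scheduler traces: the CR3 (page-directory base) loaded at each
 * context switch. Not measurements from the paper. */
static const uint64_t sample_trace[] = {          /* three processes, round-robin */
    0x1000, 0x2000, 0x3000, 0x1000, 0x2000, 0x3000, 0x1000, 0x2000, 0x3000, 0x1000
};
static const uint64_t thrash_trace[] = {          /* five processes: more than slots */
    0x1000, 0x2000, 0x3000, 0x4000, 0x5000, 0x1000, 0x2000, 0x3000, 0x4000, 0x5000
};
static const size_t sample_trace_len = sizeof sample_trace / sizeof sample_trace[0];
static const size_t thrash_trace_len = sizeof thrash_trace / sizeof thrash_trace[0];

/* Baseline: CR3-load exiting on with an empty target list, so every MOV to CR3
 * traps to the VMM and the current process is re-identified on each switch. */
unsigned long exits_trap_every_switch(const uint64_t *trace, size_t n) {
    (void)trace;
    return (unsigned long)n;
}

/* Filtered: a MOV to CR3 whose value matches a CR3-target entry does not exit.
 * On a miss the VMM takes the exit, reconstructs the process behind that CR3 and
 * installs the value in a target slot (round-robin eviction once all four are used). */
unsigned long exits_with_cr3_targets(const uint64_t *trace, size_t n) {
    uint64_t targets[CR3_TARGET_MAX];
    int count = 0, victim = 0;
    unsigned long exits = 0;
    for (size_t i = 0; i < n; i++) {
        int hit = 0;
        for (int j = 0; j < count; j++)
            if (targets[j] == trace[i]) { hit = 1; break; }
        if (hit) continue;                  /* switch completes without VMM involvement */
        exits++;                            /* VMM sees this switch: unknown CR3 */
        if (count < CR3_TARGET_MAX) targets[count++] = trace[i];
        else { targets[victim] = trace[i]; victim = (victim + 1) % CR3_TARGET_MAX; }
    }
    return exits;
}

/* Share of CR3-induced VM exits removed by target-list filtering, in percent. */
double exit_reduction_percent(const uint64_t *trace, size_t n) {
    unsigned long base = exits_trap_every_switch(trace, n);
    if (base == 0) return 0.0;
    return 100.0 * (double)(base - exits_with_cr3_targets(trace, n)) / (double)base;
}

int main(void) {
    printf("round-robin: %lu -> %lu exits (%.0f%% fewer); thrash: %lu -> %lu exits\n",
           exits_trap_every_switch(sample_trace, sample_trace_len),
           exits_with_cr3_targets(sample_trace, sample_trace_len),
           exit_reduction_percent(sample_trace, sample_trace_len),
           exits_trap_every_switch(thrash_trace, thrash_trace_len),
           exits_with_cr3_targets(thrash_trace, thrash_trace_len));
    return 0;
}
```

Switches to a CR3 already in the target list are invisible to the VMM, so a monitor built this way must still detect CR3 reuse after a process exits, and the thrash trace shows that the saving disappears once the set of live processes exceeds the four slots.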