HyBIS: Windows Guest Protection through Advanced Memory Introspection
Roberto di Pietro, Federico Franzoni, Flavio Lombardi

TL;DR
HyBIS is a hypervisor-based system that enhances Windows OS security by providing advanced memory introspection, effective malware detection, and support for modern Windows versions and 64-bit architectures.
Contribution
Introduces HyBIS, a novel hypervisor-based introspection system for Windows that improves malware detection and supports recent Windows versions and 64-bit architectures.
Findings
HyBIS effectively detects malware and rootkits in Windows VMs.
Supports latest Windows versions (8.x and 10) and 64-bit architectures.
Demonstrates advantages over existing solutions in semantic introspection.
Abstract
Effectively protecting the Windows OS is a challenging task, since most implementation details are not publicly known. Windows has always been the main target of malware that has exploited numerous bugs and vulnerabilities. Recent trusted boot and additional integrity checks have rendered the Windows OS less vulnerable to kernel-level rootkits. Nevertheless, guest Windows Virtual Machines are becoming an increasingly interesting attack target. In this work we introduce and analyze a novel Hypervisor-Based Introspection System (HyBIS) we developed for protecting Windows OSes from malware and rootkits. The HyBIS architecture is motivated and detailed, while targeted experimental results show its effectiveness. Comparison with related work highlights main HyBIS advantages such as: effective semantic introspection, support for 64-bit architectures and for latest Windows (8.x and 10),…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
