关键词: 虚拟机, 内核, 进程, CR3

Abstract: In view of the shortcomings of the existing process analyzing methods, a new method was proposed based on virtual environment of Windows platform. This method captured the current thread by analyzing virtual machine's memory under host, got the current process by the kernel data structures, and set zero among the memory to kill the process. The physical address of memory could be worked out by using the base address of page table. The experimental result shows that the proposed method can quickly detect process, effectively kill the process, and maintain the host security at the same time.

Key words: Virtual Machine (VM), kernel, process, CR3