
Research On Detection Technology Of Windows Rootkit

Posted on: 2012-11-10
Degree: Master
Type: Thesis
Country: China
Candidate: J J Li
Full Text: PDF
GTID: 2178330332490711
Subject: Computer application technology

Abstract/Summary:
A rootkit is a set of programs and code that allows an attacker to maintain a long-lasting and undetectable presence on a computer system. With the widespread use of the Windows operating system, Windows rootkits have become increasingly common. A Windows rootkit can hide operating system objects (files, processes, ports and so on), so malicious software can use it to conceal attack activity and evade monitoring software, which makes it hard for the system administrator to notice abnormal activity on the system. This leaves the computer system exposed to serious security risks. Detecting rootkits that may be present in a Windows system therefore helps to achieve safe and reliable operation of the computer system.

First, the thesis introduces the mechanisms of the Windows operating system that are relevant to Windows rootkits and their detection: Ring 0 and Ring 3 of Intel x86 processors, the architecture and address space of Windows, the translation mechanism from virtual addresses to physical addresses, and the related concepts of process and thread. Second, it gives the definition and classification of rootkits and analyzes in detail the two hiding techniques mainly used by Windows rootkits: program execution path modification and direct kernel object manipulation. For program execution path modification, the thesis analyzes the principles of import address table (IAT) hooks, system service dispatch table (SSDT) hooks, inline function hooks, interrupt descriptor table (IDT) hooks and I/O request packet (IRP) major function table hooks. For direct kernel object manipulation, it analyzes how a rootkit uses this technique to hide processes and drivers.

Third, the thesis analyzes and studies the main current Windows rootkit detection techniques in depth: signature detection, address analysis detection, cross-view detection, execution path detection and integrity detection, and points out the advantages and disadvantages of each.

On the basis of this analysis of Windows operating system mechanisms and of rootkit hiding and detection techniques, the thesis designs and implements a Windows rootkit detection program. The program consists of a rootkit detection module, a main control module and a self-protection module. The rootkit detection module is responsible for detecting the hiding behaviour of rootkits in user space and kernel space: it uses address analysis detection to find IAT hooks, SSDT hooks, inline function hooks and IRP major function table hooks, and cross-view detection to find hidden processes and drivers. The main control module is responsible for loading and unloading the driver that the detection module uses to detect rootkits, for communication between the application part and the driver part, and for summarizing and displaying the detection results. The self-protection module uses the SHA-1 algorithm to protect the integrity of the rootkit detection module and the main control module, and restores them if they are tampered with. In addition, part of the detection algorithm was improved during the implementation of the detection program.

Finally, the thesis selects several typical Windows rootkits to test the detection program. For rootkits that use program execution path modification or direct kernel object manipulation, the experimental results show that the program can effectively detect their hiding behaviour.
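As an added illustration (not code from the thesis or its detection program), the core of the two checks the detection module relies on: address analysis detection of SSDT hooks, which flags table entries that point outside the kernel image, and cross-view detection of hidden processes, which compares a kernel-level process list against a user-level enumeration. The image range, table contents and PIDs are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address range of the module that legitimately owns a dispatch table
 * (for the SSDT, the kernel image). Values below are constructed. */
typedef struct {
    uintptr_t base;  /* image base */
    size_t    size;  /* image size in bytes */
} image_range_t;

/* Address analysis: an SSDT entry outside [base, base+size) is a candidate
 * hook. Returns the number of such entries; their indices go into out. */
size_t ssdt_find_hooks(const uintptr_t *table, size_t count,
                       image_range_t kernel, size_t *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        uintptr_t p = table[i];
        if (p < kernel.base || p >= kernel.base + kernel.size) {
            if (found < out_cap) out[found] = i;
            found++;
        }
    }
    return found;
}

/* Cross-view: PIDs present in the low-level view (kernel process list walk)
 * but absent from the high-level view (user-mode enumeration) are hidden.
 * Returns the number of hidden PIDs; they are written into out. */
size_t crossview_hidden_pids(const uint32_t *low, size_t nlow,
                             const uint32_t *high, size_t nhigh,
                             uint32_t *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < nlow; i++) {
        int seen = 0;
        for (size_t j = 0; j < nhigh && !seen; j++)
            seen = (high[j] == low[i]);
        if (!seen) {
            if (found < out_cap) out[found] = low[i];
            found++;
        }
    }
    return found;
}

int main(void)
{
    /* constructed: kernel image at 0x80400000, 4 MiB; entry 2 points elsewhere */
    image_range_t krnl = { 0x80400000u, 0x400000u };
    uintptr_t ssdt[] = { 0x80412340u, 0x80501000u, 0xF7A21000u, 0x805B2C00u };
    size_t idx[4];
    size_t n = ssdt_find_hooks(ssdt, 4, krnl, idx, 4);
    printf("SSDT entries outside kernel image: %zu (index %zu)\n", n, n ? idx[0] : 0);
    uint32_t low[] = { 4, 368, 1024, 1337 }, high[] = { 4, 368, 1024 }, hid[4];
    n = crossview_hidden_pids(low, 4, high, 3, hid, 4);
    printf("hidden PIDs: %zu (pid %u)\n", n, n ? (unsigned)hid[0] : 0u);
    return 0;
}
```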
Keywords/Search Tags: Windows Rootkit, Rootkit detection, hook, kernel object