
Windows Rootkit Detection Based On Windows(2000/2003) Kernel Objects

Posted on: 2009-07-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Xue
Full Text: PDF
GTID: 2178360242977092
Subject: Computer application technology

Abstract/Summary:
With the development of rootkit techniques, virus authors increasingly use rootkits to hide their activity and achieve their goals. Various tools exist today for detecting rootkits on Windows, but each detects only certain rootkits and has its own shortcomings, so new Windows rootkits can go undetected. This thesis proposes a method, based on Windows kernel objects, that detects a large class of Windows rootkits. Its principle is in-depth, all-round protection of kernel objects by scanning and checking the pivotal kernel objects of the Windows system, such as the interrupt descriptor table (IDT), the system service descriptor table (SSDT), important PE files and the data structures that record process information. A new Windows rootkit detection tool has been designed on the basis of this method. It is the most comprehensive Windows rootkit detection tool to date and can detect eight types of hooks: IDT/SYSENTER hooks, SSDT hooks, inline hooks, IAT/EAT hooks, driver function hooks, hidden port information, hidden file information and hidden process information.

The main work of this thesis is as follows:

1. Summarize the background and definition of Windows rootkits and classify them into seven types. Introduce the key techniques used by Windows rootkits, including the Interrupt Descriptor Table (IDT), kernel patching and Portable Executable (PE) file analysis.

2. Study the current detection techniques for Windows rootkits. We have checked these rootkits with these detection methods; based on the results we point out the deficiencies of the existing detection tools and propose improvements.

3. To detect all kinds of Windows rootkits efficiently and completely, we put forward a memory integrity check method. The Windows kernel comprises the kernel architecture, the kernel PE objects and the kernel function objects. a) Detection based on the kernel architecture integrates multiple detection methods so that every layer of the kernel architecture is covered; for example, inline hook detection is not confined to the SSDT but is extended to every case in which a kernel address is called. b) Detection based on kernel PE objects checks whether the data at a hook point matches the data of the corresponding PE object. c) Detection based on kernel function objects checks most Windows kernel objects in order to detect the rootkits associated with them.

4. The author has implemented a Windows rootkit detection tool based on the detection strategy proposed in this thesis; the tool checks all popular Windows rootkits effectively and completely.

The research in this thesis provides a complete analysis and summary of research on Windows rootkit detection techniques. The new detection method based on kernel objects makes up for the deficiencies of current detection methods and can find all currently existing Windows rootkits.
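As an added example (not the thesis's own code), the Python below models three of the kernel-object integrity checks the abstract lists, run over constructed snapshot data: an SSDT entry that points outside the kernel image, an inline hook whose prologue no longer matches the on-disk PE copy, and a cross-view check for a process unlinked from the kernel's process list. All addresses, byte strings and PIDs are made up for the demonstration.

```python
# Added example: kernel-object integrity checks over constructed snapshots.
# Every address, byte string and PID below is made up for the demonstration.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    """A loaded kernel image occupying [base, base + size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def check_ssdt(ssdt: list[int], kernel: Module) -> list[tuple[int, int]]:
    """SSDT hook check: (index, target) for every entry outside the kernel image."""
    return [(i, a) for i, a in enumerate(ssdt) if not kernel.contains(a)]

def check_inline(mem: dict[str, bytes], disk: dict[str, bytes], n: int = 5) -> list[str]:
    """Inline hook check: the first n bytes of each function in memory must match
    the relocated on-disk PE copy (a 5-byte JMP rel32 is the usual patch)."""
    return sorted(f for f in disk if mem.get(f, b"")[:n] != disk[f][:n])

def check_hidden_processes(linked: set[int], enumerated: set[int]) -> set[int]:
    """Cross-view check: PIDs seen by an independent enumeration (e.g. a PID
    brute force or handle-table walk) but missing from the process-list walk."""
    return enumerated - linked

# Constructed snapshot: kernel image, SSDT with service #2 redirected into a
# rogue driver, one patched prologue, and one unlinked process (PID 1337).
KERNEL = Module("ntoskrnl.exe", base=0x804D7000, size=0x1F8000)
SSDT = [0x805B1234, 0x80590000, 0xF8A0C000]
DISK_PROLOGUES = {
    "NtOpenProcess": b"\x8b\xff\x55\x8b\xec",
    "NtQueryDirectoryFile": b"\x6a\x14\x68\x58\x25",
}
MEM_PROLOGUES = {
    "NtOpenProcess": b"\x8b\xff\x55\x8b\xec",
    "NtQueryDirectoryFile": b"\xe9\x00\x10\x0a\xf8",  # JMP rel32 planted by a hook
}
LINKED_PIDS = {4, 8, 512, 1024}
ENUMERATED_PIDS = {4, 8, 512, 1024, 1337}

def scan() -> dict[str, object]:
    """Run all three checks over the constructed snapshot and return findings."""
    return {
        "ssdt_hooks": check_ssdt(SSDT, KERNEL),
        "inline_hooks": check_inline(MEM_PROLOGUES, DISK_PROLOGUES),
        "hidden_pids": check_hidden_processes(LINKED_PIDS, ENUMERATED_PIDS),
    }
```

In a real implementation the on-disk prologues come from the kernel PE file with relocations applied, and the two process views come from independent kernel data sources, which is what makes the comparison meaningful.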
Keywords/Search Tags: windows rootkit, kernel object, system service descriptor table, process port, file