With the rapid growth of information security, network attack and defence techniques continue to advance, and research on remote control techniques has become a focus of attention. A rootkit is a tool used to maintain permanent and covert control of a target computer system after the target has been successfully compromised, so rootkit techniques play an important role in remote control research. Because a kernel rootkit is far more powerful than a userland rootkit, kernel-based rootkits represent the future of remote control techniques on Windows systems.

Existing kernel rootkits hide themselves in system memory through kernel API hooking and direct kernel object manipulation, and bypass firewalls covertly by injecting code into trusted processes. Compared with these existing kernel rootkits, our advanced kernel rootkit offers three definite improvements. For launch hiding, a new loading pattern that effectively evades detection systems was chosen after reverse analysis of the system kernel. For memory hiding, whereas current rootkits can easily control the execution path of system calls and essentially subvert the operating system's memory management subsystem, our advanced kernel rootkit is able to filter memory accesses by using the memory paging mechanism and desynchronizing the Pentium TLB architecture, thereby hiding both its modifications to executable code and its own code from view. For data transmission, the majority of existing rootkits adopt port reuse and code injection techniques to deceive common firewalls; these approaches are either specific to a particular firewall implementation or rely on the incompetence of a user. In our advanced kernel rootkit, data transmission is a low-level communication mechanism based on modification of the NDIS network protocol stack. This mechanism hooks the NDIS protocol stack according to the rules of the network firewalls and can effectively penetrate packet-filtering firewalls and most kinds of local desktop firewalls.

Analysis of the confrontation with current rootkit detection tools shows a definite improvement in the hiding capability of our advanced kernel rootkit. How a rootkit hides its behaviour and its own existence is therefore the key problem in the implementation of a rootkit system.