
Detection Of Trojan Horse Based On Rootkit Technology

Posted on: 2010-12-12
Degree: Master
Type: Thesis
Country: China
Candidate: D Sun
Full Text: PDF
GTID: 2178360272999411
Subject: Computer application technology
Abstract/Summary:
Trojan horses, as highly dangerous and covert remote-control tools, are among the techniques most commonly used in network intrusions. As anti-virus software has steadily improved its detection techniques, the room left for traditional user-mode trojans has shrunk, and rootkit technology emerged in response. A trojan combined with a rootkit reaches into the system kernel, where it can modify key system data; conventional detection methods and security tools can then no longer be trusted, and the safety and reliability of the system are seriously compromised.

This thesis studies methods for detecting trojans built on rootkit technology. On the Windows platform, a rootkit mainly tampers with the data of core system modules or directly modifies kernel objects in memory, so that requests issued from user mode return doctored results and sensitive information is hidden. Before they are loaded into memory, the core modules are stored on disk as PE files, and the layout of the data in the PE file is essentially the same as in memory. The PE file can therefore serve as a trusted reference against which the in-memory contents are compared; any discrepancy indicates that the data has been tampered with. For tampering with kernel objects, detection relies on the large amount of redundant information in the operating system: many kernel objects hold information about other objects. When a rootkit modifies one object, only the output that depends on that object is affected, while the copies of that information held by other objects remain unchanged. These redundant copies can be used to reconstruct the object, and comparing the reconstructed object with the original reveals whether it has been tampered with.

On the basis of these detection methods, a detection tool, RkCheck, was implemented and its detailed design is given, covering detection of system service dispatch table (SSDT) hooks, hidden processes and hidden drivers. Finally, the tool was tested against typical rootkit programs such as He4Hook, Hacker Defender and FU. The results show that the tool is simple to implement, generally stable, and gives good detection results.
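The two checks the abstract describes, as an added example written for this page and not the RkCheck tool's own code: a C program that models (1) comparing the in-memory system service dispatch table with the copy reconstructed from the ntoskrnl PE image on disk, and (2) recovering processes hidden by unlinking from the process list by comparing that list against a redundant view (here, the owning process recorded on each thread). Every address, PID, kernel image bound and table size below is a constructed value, not real Windows data; the entries at index 3 and index 5 stand in for a hook that points into a driver and a hook that stays inside the kernel image, and the names `ssdt_diff_mask`, `ssdt_out_of_image_mask` and `find_hidden_pids` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the kernel image bounds (assumed, not real). */
#define NTOSKRNL_BASE 0x80400000u
#define NTOSKRNL_SIZE 0x00200000u
#define SSDT_ENTRIES  8

/* SSDT as reconstructed from the ntoskrnl.exe PE file on disk, relocated
 * to NTOSKRNL_BASE. Constructed values. */
static const uint32_t ssdt_from_disk[SSDT_ENTRIES] = {
    0x8046A000u, 0x8046B120u, 0x8046C340u, 0x8046D560u,
    0x8046E780u, 0x8046F9A0u, 0x80470BC0u, 0x80471DE0u
};

/* SSDT as read from kernel memory. Index 3 was redirected into a driver
 * (outside the kernel image); index 5 was redirected to another address
 * inside the kernel image, which a range check alone would not catch. */
static const uint32_t ssdt_in_memory[SSDT_ENTRIES] = {
    0x8046A000u, 0x8046B120u, 0x8046C340u, 0xF8A31000u,
    0x8046E780u, 0x80455000u, 0x80470BC0u, 0x80471DE0u
};

/* Bit i is set when entry i in memory differs from the disk-derived copy.
 * This is the PE-versus-memory comparison; n must be <= 32. */
unsigned ssdt_diff_mask(const uint32_t *mem, const uint32_t *disk, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        if (mem[i] != disk[i]) mask |= 1u << i;
    return mask;
}

/* Bit i is set when entry i points outside [base, base+size). A weaker
 * heuristic that needs no disk image but misses in-image redirections. */
unsigned ssdt_out_of_image_mask(const uint32_t *mem, size_t n,
                                uint32_t base, uint32_t size)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        if (mem[i] < base || mem[i] >= base + size) mask |= 1u << i;
    return mask;
}

/* View 1: PIDs obtained by walking the process list, the structure a DKOM
 * rootkit unlinks its process from. Constructed values. */
static const uint32_t pids_from_list[] = { 4, 8, 240, 512, 1024 };

/* View 2: the owning PID of every thread found by scanning threads. Threads
 * are redundant copies of the process identity, so duplicates are expected
 * and PID 1337 survives even though it was unlinked from view 1. */
static const uint32_t pids_from_threads[] =
    { 4, 4, 8, 240, 512, 1337, 1024, 1337, 512 };

static int contains(const uint32_t *a, size_t n, uint32_t v)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] == v) return 1;
    return 0;
}

/* Cross-view check: every PID present in the redundant view but absent
 * from the list view is reported once. Returns the number of hidden PIDs. */
size_t find_hidden_pids(const uint32_t *list_view, size_t nl,
                        const uint32_t *alt_view, size_t na,
                        uint32_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < na; i++) {
        uint32_t pid = alt_view[i];
        if (contains(list_view, nl, pid)) continue;   /* visible normally */
        if (contains(out, found, pid)) continue;      /* already reported */
        if (found < cap) out[found++] = pid;
    }
    return found;
}

/* Wrappers over the constructed views, so results can be checked by name. */
size_t demo_hidden_count(void)
{
    uint32_t buf[8];
    return find_hidden_pids(pids_from_list, 5, pids_from_threads, 9, buf, 8);
}

uint32_t demo_first_hidden_pid(void)
{
    uint32_t buf[8];
    size_t n = find_hidden_pids(pids_from_list, 5, pids_from_threads, 9, buf, 8);
    return n ? buf[0] : 0;
}

int main(void)
{
    printf("SSDT entries differing from disk : 0x%02x\n",
           ssdt_diff_mask(ssdt_in_memory, ssdt_from_disk, SSDT_ENTRIES));
    printf("SSDT entries outside kernel image: 0x%02x\n",
           ssdt_out_of_image_mask(ssdt_in_memory, SSDT_ENTRIES,
                                  NTOSKRNL_BASE, NTOSKRNL_SIZE));
    printf("hidden processes: %zu (first PID %u)\n",
           demo_hidden_count(), (unsigned)demo_first_hidden_pid());
    return 0;
}
```

The disk comparison flags both hooked entries (mask 0x28) while the range heuristic flags only the one pointing into a driver (mask 0x08), which is the reason the thesis uses the on-disk PE image rather than an address range as its reference. In a real checker the disk table is obtained by parsing the PE export and relocation data and applying the actual load base, and the thread view comes from the kernel's own thread objects rather than an array.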
Keywords/Search Tags: Rootkit, Hidden, Hook, Kernel Object, System Service Dispatch