| With the continued development of computers and networks, Trojan horses have gained many new ways to spread. Trojans that are difficult to detect can cause serious harm, and most of that harm stems from their ability to hide. Traditional Trojans, however, have shown a declining trend, because free active-defense and anti-virus software has become very effective against them. This has prompted many more researchers to explore Trojan hiding technology in the kernel, which hides better and escapes detection by traditional tools. Kernel-level Trojans mainly use rootkit technology to hide themselves. Research into kernel-level Trojan hiding technology not only gives an in-depth understanding of the kernel but also helps find better ways to detect hiding techniques. In the traditional master-slave kernel-level Trojan, the functional module is implemented in user mode, and the kernel module only plays a supporting role in hiding. However, a user-mode program has many features, all of which the kernel module must help hide.
In response to these shortcomings, and based on an analysis of common kernel-mode hiding techniques, the advanced kernel-level Trojan horse was adjusted in four areas. In the self-starting module, thread injection and loading a driver from another driver are adopted. For file hiding, the IRP transfer process is reversed and an inline hook is placed on the NtfsCommonDirectoryControl function, close to the disk-volume operations. In addition, the Trojan's functions are carried out mainly by drivers. To protect the information stolen from the controlled user, the AES encryption algorithm is used to encrypt it before it is sent over the hidden channel. Finally, implementation and testing of the program show that the advanced kernel-level Trojan can escape detection by some well-known anti-rootkit tools and achieves better hiding. |