
Research On Kernel Monitoring Of 64 Bit Windows Operating System

Posted on: 2017-02-08
Degree: Master
Type: Thesis
Country: China
Candidate: J Wu
Full Text: PDF
GTID: 2308330485465495
Subject: Software engineering
Abstract/Summary:
In 2015, Hacking Team was itself hacked, and 415 GB of internal material was disclosed. This material contains a large quantity of attack code and tools; with this data and source code, attackers can quickly develop powerful and destructive network weapons. The Hacking Team leak raised the skill level of attackers and also increased the difficulty faced by anti-virus and security vendors, and a large number of attackers have already used Hacking Team's source code to build network attack tools. Hacking Team's most famous product is RCS (Remote Control System), a multi-platform system whose Windows Trojan can avoid detection by every online sandbox: neither Jinshan Huoyan, Tencent Habo, nor foreign online sandbox platforms such as Anubis, Hybrid and Malwr were able to detect the malicious behaviour of these Trojans effectively. Hacking Team uses many techniques to escape the sandbox. To counter the evasion techniques of advanced Trojans, kernel-level monitoring technology is needed to improve the detection capability of the sandbox. Faced with the grim security situation in cyberspace, traditional static scanning technology cannot meet the requirements, and against malware written specifically to defeat detection, the effectiveness of behaviour-based malware detection systems keeps getting worse. To address the problem that malware behaviour analysis systems are detected, or are highly likely to be bypassed, we researched kernel monitoring technology for the 64-bit Windows operating system.
In this thesis, we implemented several behaviour monitoring technologies (including API hooking, ring0 hooks, filter drivers and hardware-virtualization-based monitoring) and analysed the advantages and disadvantages of each. By combining the full range of hooking techniques in the behaviour monitoring system, we reduce the chance that the malware detection system is bypassed by advanced Trojans (such as Hacking Team's), greatly enhancing its detection capability. At the same time, so that the malware fully reveals its behaviour, this thesis studies hiding and detection techniques under the Windows system and adds a variety of techniques to hide the traces of the malware detection system, so that the malware cannot detect that it is running in an analysis environment and therefore releases its complete sequence of malicious behaviour. This provides more comprehensive data for judging the degree of maliciousness of the software and more detailed clues for security analysts.
Keywords/Search Tags: malicious software, Dynamic Analysis, Sandbox escape, Windows Kernel, Hiding technology