With the continuous development of the Internet, Internet technology is applied ever more widely to every aspect of social life and has penetrated the key parts of national infrastructure, such as national defense, energy, medical care and government, all of which are closely tied to the national economy and people's livelihood. Cyberspace has become the "fifth domain" alongside land, sea, air and space, and sits at the core of national strategic security. At the same time, critical national infrastructure is under constant threat of cyber attack. An Advanced Persistent Threat (APT) is an organized and targeted cyber attack, and critical national infrastructure is often the preferred target of APT groups. In a complete APT attack chain, the use of malicious code to achieve the final objective has become an essential link. Malicious code therefore plays a central role in national-level network attack and defense, and countering it has become the core of the national network security defense system.

First, after analyzing the attack mechanism of malicious code, this thesis proposes a lock protection model architecture. The architecture protects Windows system APIs, intercepting and blocking illegal calls to those APIs by malicious code, and thereby counters the malicious code. Second, this thesis studies anti-malware technology based on lock protection. At the application layer, lock protection is constructed with remote thread injection, inline hooking and stack backtracking. At the kernel layer, three construction methods are proposed: based on kernel hooks, based on a filter driver, and based on callbacks. Two methods of interaction between the application layer and the kernel layer are also implemented: based on I/O communication and based on a minifilter. The lock protection is tested against a variety of ransomware and information-stealing Trojans, and the test results demonstrate the effectiveness of the lock protection-based malicious code countermeasure. Finally, this thesis designs and implements a malicious code defense system based on lock protection. The kernel layer of the system is a WDM driver developed with minifilter technology, and the user interface, through which the user operates the system, is implemented with MFC.
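The application-layer lock described above hooks a Windows API and backtracks the call stack to decide whether a call is legitimate. The following is an added illustration, not code from the thesis, of the core decision behind such a lock: a guarded stand-in function checks whether its immediate return address lies inside a code region designated as trusted, and blocks the call otherwise. It assumes GCC or Clang on an ELF target (for `__builtin_return_address` and the linker-generated `__start_trusted_code` / `__stop_trusted_code` symbols); the function names, the section name and the sample path are hypothetical.

```c
#include <stdio.h>

/*
 * Added illustration of an application-layer "lock" on a sensitive API.
 * Assumes GCC/Clang on an ELF target: functions placed in the section
 * "trusted_code" are bracketed by the linker-generated symbols
 * __start_trusted_code / __stop_trusted_code. All names are hypothetical.
 */
extern char __start_trusted_code[];
extern char __stop_trusted_code[];

/* Place a function in the trusted region; noinline keeps it a real caller. */
#define TRUSTED __attribute__((section("trusted_code"), noinline))

static int blocked_calls;   /* number of calls rejected by the lock */

/* The lock's decision: is the return address inside the trusted region? */
static int caller_is_trusted(const void *ret_addr)
{
    const char *p = (const char *)ret_addr;
    return p >= __start_trusted_code && p < __stop_trusted_code;
}

/* Stand-in for a hooked system API (e.g. a file-delete primitive).
 * Returns 0 when the call is forwarded, -1 when the lock blocks it. */
__attribute__((noinline))
int locked_delete_file(const char *path)
{
    const void *ret = __builtin_return_address(0);
    if (!caller_is_trusted(ret)) {
        blocked_calls++;
        printf("lock: blocked delete of %s (caller outside trusted region)\n", path);
        return -1;
    }
    printf("lock: forwarding delete of %s\n", path);
    /* a real hook would jump to the original API's trampoline here */
    return 0;
}

/* A caller inside the trusted region, e.g. the product's own code. */
TRUSTED int trusted_caller(const char *path)
{
    int r = locked_delete_file(path);
    volatile int sink = r;          /* keep the call out of tail position */
    (void)sink;
    return r;
}

/* A caller outside the region, standing in for injected or malicious code. */
__attribute__((noinline))
int untrusted_caller(const char *path)
{
    int r = locked_delete_file(path);
    volatile int sink = r;
    (void)sink;
    return r;
}

int get_blocked_calls(void) { return blocked_calls; }

int main(void)
{
    /* constructed sample path */
    const char *target = "C:\\Users\\victim\\report.docx";
    trusted_caller(target);
    untrusted_caller(target);
    printf("blocked calls: %d\n", get_blocked_calls());
    return 0;
}
```

The check here looks only one frame up. A malicious caller can defeat a depth-one check by pushing a trusted return address and jumping into the hooked API (return-address spoofing), which is why a practical lock backtracks further up the stack, as the thesis does, and why the kernel-layer variants (kernel hooks, filter driver, callbacks) matter: a user-mode hook lives in the same address space as the malware and can be unhooked or bypassed. On Windows the same decision would typically compare the return addresses against the address ranges of loaded modules rather than against a linker section.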