| Rootkit木马隐藏技术分析与检测技术综述 |
| |
| 引用本文: | 刘喆,张家旺. Rootkit木马隐藏技术分析与检测技术综述[J]. 信息安全与通信保密, 2010, 0(11): 61-65 |
| |
| 作者姓名: | 刘喆 张家旺 |
| |
| 作者单位: | 1. 北京交通大学,北京,100044;国家保密科学技术研究所,北京,100044
2. 国家保密科学技术研究所,北京,100044 |
| |
| 摘 要: | 对Rootkit技术和Windows操作系统内核工作流程作了简要介绍,对Rootkit木马的隐藏技术进行了分析,内容包括删除进程双向链表中的进程对象实现进程隐藏、SSDT表内核挂钩实现进程、文件和注册表键值隐藏和端口隐藏等Rootkit木马的隐藏机理,同时还对通过更改注册表和修改寄存器CR0的写保护位两种方式屏蔽WindowsXP和2003操作系统SSDT表只读属性的技术手段做了简要分析。最后对采用删除进程双项链表上的进程对象、更改内核执行路径和SSDT表内核调用挂钩3种Rootkit隐藏木马的检测技术作了概要性综述。
|
| 关 键 词: | Rootkit技术 系统服务描述符表(SSDT) 隐藏 |
Overview on Concealment and Detection of Windows Rootkit Trojan |
| |
| LIU Zhe,ZHANG Jia-wang. Overview on Concealment and Detection of Windows Rootkit Trojan[J]. China Information Security, 2010, 0(11): 61-65 |
| |
| Authors: | LIU Zhe ZHANG Jia-wang |
| |
| Affiliation: | ( Beijing Jiaotong University, Beijing 100044, China; 2 , Institute of National Scientific Security Technology, Beijing 100044, China) |
| |
| Abstract: | The paper gives a brief introduction of Rootkit technology and the Windows kernel working process, discusses the concealing technology of Rootkit Trojan, including deleting the process objects in the doubly-linked list, the implementation process, document and registry hiding of SSDT kernel hooking, port hiding, etc, and briefly analyzes the two ways to shield the Windows XPand2003 SSDT's reading attribution by changing the registry and the CR0 register's writing protection. Finally, the paper gives an overview on the detection method against the three types of Rootkit Trojan, concealment, including the deletion of process objects in the doubly-linked list, the change of kernel's executing path and SSDT kernel hooking technology. |
| |
| Keywords: | |
| 本文献已被 维普 万方数据 等数据库收录! |
|
