
Research On Rootkit Detection Based On The Analysis Of Physical Memory And Realization

Posted on: 2012-09-25
Degree: Master
Type: Thesis
Country: China
Candidate: X B Liu
Full Text: PDF
GTID: 2178330335478378
Subject: Computer application technology
Abstract/Summary:
Information technology has greatly advanced human society, but it has also brought computer crime with it. Hacking, Internet fraud and online pornography cases hinder the healthy development of the Internet and damage normal economic activity and social order. Computer forensics is the main technical means of combating computer crime and is at present an important subject that legal and information-technology practitioners study together.

This thesis was motivated by the shortcomings of traditional rootkit detection and by the progress of physical memory analysis. By analysing a physical memory image, it obtains evidence that a rootkit Trojan exists on the target machine. The author first studied in depth the techniques for acquiring a physical memory image and the principles of rootkit attacks, and surveyed the popular Windows rootkits. The analysis shows that a rootkit has many concealment techniques at its disposal, such as installing hooks or directly modifying kernel data structures like the IDT or the SSDT. Several rootkit hiding techniques and several commonly used Windows rootkit detection tools are analysed in detail.

A Windows rootkit deceives the system by modifying the interrupt descriptor table, driver functions, the system service dispatch table or other locations so that the system executes its illegal code. Whatever its purpose, its process must be hidden: preventing the system or an anti-rootkit program from discovering that process is work every Windows rootkit has to do. On this principle, the presence of a rootkit can be judged from the presence of a hidden process. The rootkit is detected by the cross-view method, in which the difficulty lies in obtaining the true list of processes. During the experiments the kernel was debugged with WinDbg to obtain the layout of EPROCESS, HANDLE_TABLE and other important kernel data structures; by studying these structures we mastered a method of listing the processes of the running system through the process handle table.

The main contents of this thesis are as follows:
1. The concepts of computer forensics, its background and the current state of development at home and abroad are described in detail.
2. The format of the log files of the Windows XP system is analysed in detail.
3. Several common methods of obtaining a physical memory image under Windows are described in detail, and the method of analysing such an image is introduced.
4. The physical memory management mechanism of the Windows kernel is summarised, and the translation from virtual addresses to physical addresses is described in detail with examples.
5. Several techniques used by rootkits (such as hooking the system service descriptor table and direct kernel object manipulation) are described in detail.
6. Traditional rootkit detection methods are presented, and on the basis of cross-view detection a detection method with a more obvious effect is proposed, together with its main code.
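The virtual-to-physical translation of item 4, as an added example that is not part of the thesis: a C page-table walk over a raw memory image for 32-bit non-PAE x86, the paging mode a Windows XP target uses when PAE is off (a PAE kernel has a third level and 64-bit entries, which this code deliberately does not handle). The image contents, the table addresses and the DTB (CR3) value are constructed for the example, not taken from any real dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit non-PAE x86 paging: a 1024-entry page directory (selected by CR3,
 * the DirectoryTableBase of the process) and 1024-entry page tables,
 * 4 KiB pages, optionally 4 MiB pages when the PDE has PS=1. */
#define PAGE_SIZE   4096u
#define IMAGE_SIZE  (64u * PAGE_SIZE)   /* 256 KiB constructed "physical memory" */
#define PG_PRESENT  0x001u
#define PG_LARGE    0x080u              /* PS bit: PDE maps a 4 MiB page */
#define NO_MAPPING  0xFFFFFFFFu

static uint8_t image[IMAGE_SIZE];

/* Read one 32-bit table entry from the dump; refuse anything outside it. */
static int read_u32(const uint8_t *img, size_t len, uint32_t paddr, uint32_t *out) {
    if ((uint64_t)paddr + 4 > len) return 0;
    memcpy(out, img + paddr, 4);
    return 1;
}

static void write_u32(uint8_t *img, uint32_t paddr, uint32_t v) { memcpy(img + paddr, &v, 4); }

/* Walk the tables in the image rooted at dtb (CR3). Returns NO_MAPPING when a
 * level is not present or an entry lies outside the dump. */
uint32_t v2p(const uint8_t *img, size_t len, uint32_t dtb, uint32_t vaddr) {
    uint32_t pde, pte;
    /* bits 31:22 of the VA index the page directory */
    uint32_t pde_addr = (dtb & 0xFFFFF000u) + ((vaddr >> 22) & 0x3FFu) * 4u;
    if (!read_u32(img, len, pde_addr, &pde) || !(pde & PG_PRESENT)) return NO_MAPPING;
    if (pde & PG_LARGE)                 /* 4 MiB page: frame in bits 31:22, 22-bit offset */
        return (pde & 0xFFC00000u) | (vaddr & 0x003FFFFFu);
    /* bits 21:12 index the page table, bits 11:0 are the byte offset */
    uint32_t pte_addr = (pde & 0xFFFFF000u) + ((vaddr >> 12) & 0x3FFu) * 4u;
    if (!read_u32(img, len, pte_addr, &pte) || !(pte & PG_PRESENT)) return NO_MAPPING;
    return (pte & 0xFFFFF000u) | (vaddr & 0xFFFu);
}

/* Constructed image: directory at 0x1000, one page table at 0x2000, a data page
 * at 0x5000 mapped at kernel VA 0x80401000, and a 4 MiB page at VA 0x00400000
 * backed by physical address 0. Returns the DTB. */
uint32_t build_sample_image(uint8_t *img) {
    const uint32_t dtb = 0x1000, pt = 0x2000, data = 0x5000;
    memset(img, 0, IMAGE_SIZE);
    write_u32(img, dtb + (0x80401000u >> 22) * 4u, pt | PG_PRESENT);
    write_u32(img, pt + ((0x80401000u >> 12) & 0x3FFu) * 4u, data | PG_PRESENT);
    write_u32(img, dtb + 1u * 4u, 0x00000000u | PG_PRESENT | PG_LARGE);
    strcpy((char *)img + data + 0x40, "System");   /* stand-in for ImageFileName bytes */
    return dtb;
}

/* Build the sample image and translate one VA through it. */
uint32_t translate_sample(uint32_t vaddr) {
    uint32_t dtb = build_sample_image(image);
    return v2p(image, IMAGE_SIZE, dtb, vaddr);
}

int main(void) {
    uint32_t va = 0x80401040u, pa = translate_sample(va);
    if (pa == NO_MAPPING) { puts("not mapped"); return 1; }
    printf("VA 0x%08X -> PA 0x%08X, bytes there: \"%s\"\n", va, pa, (char *)image + pa);
    printf("VA 0x00400123 -> PA 0x%08X (4 MiB page)\n", translate_sample(0x00400123u));
    printf("VA 0x00800000 -> %s\n",
           translate_sample(0x00800000u) == NO_MAPPING ? "not present" : "mapped");
    return 0;
}
```

In an analysis tool the DTB comes from the EPROCESS of the process whose address space is being read (the System process for kernel structures), and every pointer read from the image must go through this walk before it is dereferenced; the bounds check in read_u32 is what stops a corrupted or rootkit-modified table entry from turning into an out-of-range read of the dump.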
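The cross-view detection of item 6, as an added example that is not the thesis's code: a C model of DKOM process hiding and of the two views being compared, the PsActiveProcessHead list that Task Manager effectively relies on versus the process ID table (modelled here as PspCidTable, the HANDLE_TABLE that maps PIDs to EPROCESS objects; that the thesis's "process handle table" is exactly this table is an assumption). The Proc struct, its field layout and the four sample processes are constructed for the example; on a real image the EPROCESS offsets come from WinDbg's dt nt!_EPROCESS, as the thesis did.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 8

/* Constructed stand-in for the few _EPROCESS fields the two views need; a model
 * for this example, not the layout of any Windows build. */
typedef struct Proc {
    uint32_t pid;           /* UniqueProcessId */
    char name[16];          /* ImageFileName */
    struct Proc *flink;     /* ActiveProcessLinks.Flink */
    struct Proc *blink;     /* ActiveProcessLinks.Blink */
} Proc;

typedef struct {
    Proc head;                      /* PsActiveProcessHead sentinel; only its links are used */
    Proc procs[MAX_PROCS];          /* the EPROCESS objects themselves (pool memory) */
    Proc *cid_table[MAX_PROCS + 1]; /* model of PspCidTable: slot pid/4 -> EPROCESS */
} Kernel;

/* Build a kernel state with n processes, PIDs 4, 8, 12, ... (PIDs are handle
 * values, hence multiples of 4), each linked into the list and registered in
 * the CID table. */
void kernel_init(Kernel *k, const char *const names[], int n) {
    memset(k, 0, sizeof *k);
    k->head.flink = k->head.blink = &k->head;
    if (n > MAX_PROCS) n = MAX_PROCS;
    for (int i = 0; i < n; i++) {
        Proc *p = &k->procs[i];
        p->pid = 4u * (uint32_t)(i + 1);
        strncpy(p->name, names[i], sizeof p->name - 1);
        p->flink = &k->head;             /* append at the tail of the circular list */
        p->blink = k->head.blink;
        k->head.blink->flink = p;
        k->head.blink = p;
        k->cid_table[p->pid / 4] = p;
    }
}

/* DKOM hiding as a rootkit does it: unlink the EPROCESS from ActiveProcessLinks
 * so list walkers skip it. The object and its CID-table slot stay intact,
 * because the scheduler and handle lookups still need them. */
int dkom_hide(Kernel *k, uint32_t pid) {
    Proc *p = (pid / 4 <= MAX_PROCS) ? k->cid_table[pid / 4] : NULL;
    if (!p) return 0;
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;             /* point at itself so a later unlink is harmless */
    return 1;
}

/* View 1: walk PsActiveProcessHead, the view a hidden process is missing from. */
int view_active_list(const Kernel *k, uint32_t *pids, int max) {
    int n = 0;
    for (const Proc *p = k->head.flink; p != &k->head && n < max; p = p->flink)
        pids[n++] = p->pid;
    return n;
}

/* View 2: enumerate the CID (handle) table, the thesis's second process list. */
int view_cid_table(const Kernel *k, uint32_t *pids, int max) {
    int n = 0;
    for (int i = 1; i <= MAX_PROCS && n < max; i++)
        if (k->cid_table[i]) pids[n++] = k->cid_table[i]->pid;
    return n;
}

/* Cross-view: a PID present in the table but absent from the list is hidden. */
int cross_view(const Kernel *k, uint32_t *hidden, int max) {
    uint32_t a[MAX_PROCS], b[MAX_PROCS];
    int na = view_active_list(k, a, MAX_PROCS);
    int nb = view_cid_table(k, b, MAX_PROCS);
    int nh = 0;
    for (int i = 0; i < nb; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++) if (a[j] == b[i]) { seen = 1; break; }
        if (!seen && nh < max) hidden[nh++] = b[i];
    }
    return nh;
}

/* Constructed scenario: four processes, rk.exe (PID 16) hidden by DKOM. */
static void demo_kernel(Kernel *k) {
    static const char *const names[] = {"System", "csrss.exe", "lsass.exe", "rk.exe"};
    kernel_init(k, names, 4);
    dkom_hide(k, 16);
}
int demo_hidden(uint32_t *hidden, int max) { Kernel k; demo_kernel(&k); return cross_view(&k, hidden, max); }
int demo_hidden_count(void) { uint32_t h[MAX_PROCS]; return demo_hidden(h, MAX_PROCS); }
uint32_t demo_first_hidden_pid(void) { uint32_t h[MAX_PROCS]; return demo_hidden(h, MAX_PROCS) > 0 ? h[0] : 0u; }
int demo_visible_count(void) { Kernel k; uint32_t v[MAX_PROCS]; demo_kernel(&k); return view_active_list(&k, v, MAX_PROCS); }

int main(void) {
    uint32_t hidden[MAX_PROCS];
    int n = demo_hidden(hidden, MAX_PROCS);
    printf("list view shows %d processes\n", demo_visible_count());
    for (int i = 0; i < n; i++)
        printf("hidden process: pid %u (in CID table, not in active list)\n", hidden[i]);
    return 0;
}
```

The check is only as strong as the second view: a rootkit that also clears its CID-table slot would evade this comparison, which is why practical tools add further views (pool-tag scanning for process objects, thread lists, the scheduler's queues) and treat any disagreement between them as evidence.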
Keywords/Search Tags:Computer Forensics, Rootkit Detection, Information Security, Process Hiding, Physical Memory Image