Research And Application Of ROOTKIT Technology Under WINDOWS Environment

Posted on: 2012-05-28
Degree: Master
Type: Thesis
Country: China
Candidate: S M Xu
Full Text: PDF
GTID: 2178330338999243
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of information technology, people rely more and more on computers and store a great deal of important data on them. As a consequence, network intrusion and theft of sensitive information take place every day. A rootkit is software that provides continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating-system functionality or other applications. Rootkits were first built for UNIX systems and were later ported to other operating systems; today, rootkits on the Windows platform receive the most attention and research. In information security, attack and defense technology drive each other forward. Attackers use rootkits to keep lasting control of a compromised computer and to conceal their backdoors. Rootkits are thus an attacker's tool, but only with a good understanding of them can research into detecting and defending against them advance.

By the level at which they intrude on the operating system, rootkits are classified as user-level or kernel-level. A user-level rootkit works at the application layer of the operating system and has the advantages of being lightweight and portable. A kernel-level rootkit attacks the kernel directly and is more dangerous, more powerful and harder to detect, but it needs Ring 0 privileges to run and has poor compatibility between Windows versions.

This thesis first describes the principles of rootkits, covering both user-level and kernel-level rootkits. On that basis it presents the core techniques of rootkit attacks: SSDT hooking, IAT hooking, inline hooking and driver filtering. For each technique the principle is described in detail and the implementation process is given.
The following chapter studies the two kinds of Windows rootkit detection methods: behavior-based detection and cross-view detection. Both are discussed in detail, their implementation is given, and each detection technique is reviewed. Finally, an SSDT hook is implemented and evaluated experimentally, and several techniques for evading the monitoring of active-defense software are presented.
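As an added example that is not part of the thesis, the following PowerShell script shows the cross-view idea from user mode: it compares the process list returned by the normal enumeration API (Get-Process, which ends in NtQuerySystemInformation) with a second view obtained by sweeping the PID space with OpenProcess, which resolves a PID through the kernel's handle table rather than the process list. A PID that answers OpenProcess but is absent from enumeration has been hidden from the enumeration path, for example by an SSDT hook on ZwQuerySystemInformation or by unlinking the process from the kernel's process list. The script is the editor's own and assumes Windows PowerShell 5.1 or later and an elevated prompt; the function names and the default PID range are the editor's choices.

```powershell
# Added example (not from the thesis): user-mode cross-view check for hidden processes.
# Assumptions: Windows, PowerShell 5.1 or later, run elevated so that OpenProcess can
# reach processes in other sessions. Function names and defaults are the editor's.
#
# View A: documented enumeration (Get-Process -> NtQuerySystemInformation -> process list).
# View B: OpenProcess sweep over the PID space (PID resolved via the kernel handle table).

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetExitCodeProcess(IntPtr hProcess, out uint lpExitCode);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Smallest access right that still lets us query the process; it is also granted
# on protected processes, so those are not misreported.
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$STILL_ACTIVE = 259   # GetExitCodeProcess value for a process that is still running

function Get-EnumeratedPids {
    # View A: sorted unique PIDs from the normal enumeration API.
    [int[]](Get-Process | Select-Object -ExpandProperty Id | Sort-Object -Unique)
}

function Get-HandleSweepPids {
    param([int]$MaxPid = 262144)   # PIDs on current Windows can exceed 65535; raise if needed
    # View B: Windows PIDs are multiples of 4; PID 0 (Idle) cannot be opened.
    $found = New-Object 'System.Collections.Generic.List[int]'
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        if ($h -eq [IntPtr]::Zero) { continue }
        try {
            # A handle can also be opened on a process that has already exited while
            # another handle keeps its object alive; GetExitCodeProcess filters those out.
            [uint32]$code = 0
            if ([Win32.Native]::GetExitCodeProcess($h, [ref]$code) -and $code -eq $STILL_ACTIVE) {
                $found.Add($candidate)
            }
        } finally {
            [void][Win32.Native]::CloseHandle($h)
        }
    }
    $found.ToArray()
}

function Compare-ProcessViews {
    # Take view A before and after the sweep: a process that starts or exits during
    # the sweep appears in only some of the views and must not be reported. Only a
    # PID present in the sweep but absent from BOTH enumerations is a real discrepancy.
    $before = Get-EnumeratedPids
    $sweep  = Get-HandleSweepPids
    $after  = Get-EnumeratedPids
    foreach ($p in $sweep) {
        if (($before -notcontains $p) -and ($after -notcontains $p)) {
            [pscustomobject]@{
                Pid     = $p
                Finding = 'reachable via OpenProcess but absent from process enumeration'
            }
        }
    }
}

$hidden = @(Compare-ProcessViews)
if ($hidden.Count -eq 0) {
    'No discrepancy between the enumeration view and the handle-sweep view.'
} else {
    $hidden | Format-Table -AutoSize
}
```

The limit of this user-mode version is the point the thesis makes about kernel-level rootkits: a rootkit that also hooks NtOpenProcess, or filters at a lower layer, can make both views agree, so a trustworthy low-level view has to come from a driver that reads the kernel's own structures rather than from any system call. The same before/after technique applies to other cross views (files, registry keys, loaded modules) to suppress false positives from objects that legitimately appear or disappear between the two snapshots.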
Keywords/Search Tags: Rootkit, IAT table, SSDT table, inline hook, driver filtering, active defense