
Research On Detection Of Windows Rootkit

Posted on: 2006-03-26
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Shuang
GTID: 2178360182460491
Subject: Computer application technology

Abstract/Summary:
This thesis analyses Windows rootkits systematically. In view of the shortcomings of current detection methods, it proposes a novel detection technique, the memory integrity check method, intended to detect every currently existing kind of Windows rootkit efficiently. The main work is as follows:

1. Define Windows rootkits and classify them into kernel-mode and user-mode rootkits; distinguish them from ordinary trojans, viruses and common hacker tools; and introduce the important techniques used by Windows rootkits, including kernel patching, dynamic loading and communication hiding.
2. Study the existing detection techniques for Windows rootkits. Using knowledge of how Windows rootkits are implemented, examine the internals of several well-known Windows rootkits, then test these rootkits against several detection tools. From the results, point out the deficiencies of these tools and suggest improvements.
3. To detect all kinds of Windows rootkit efficiently and completely, propose the memory integrity check method. Its central idea is to find every possible anomaly by checking all kinds of sensitive areas in running memory. Based on this method, design a new Windows rootkit detection tool and present all of its technical details. Finally, use the new tool to check some well-known Windows rootkits.

The research in this thesis provides a complete knowledge base for research on Windows rootkit detection techniques. The novel memory integrity check method makes up for the deficiencies of current detection methods and can find all currently existing Windows rootkits.
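The memory integrity check described above amounts to recording a trusted snapshot of sensitive kernel structures and later comparing the live copy against it. The following C program is an added illustration of that idea and is not code from the thesis or its tool; it simulates a dispatch table such as the System Service Table in user space (constructed routines `svc_identity`, `svc_double`, `svc_negate`, and `svc_foreign` standing in for an unauthorized replacement), records a baseline copy and hash, then finds, classifies and repairs modified entries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel dispatch table such as the System Service
 * Table: an array of function pointers indexed by service number. */
#define SERVICE_COUNT 8
typedef int (*service_fn)(int);

/* Legitimate service routines (constructed for this example). */
static int svc_identity(int x) { return x; }
static int svc_double(int x)   { return 2 * x; }
static int svc_negate(int x)   { return -x; }

/* Routine standing in for an unauthorized replacement written into the table. */
static int svc_foreign(int x)  { return x; }

static service_fn service_table[SERVICE_COUNT];

/* Trusted baseline: a copy of the table and a hash of it, recorded while the
 * system is known to be clean (in a real deployment, as early as possible). */
static service_fn baseline[SERVICE_COUNT];
static uint64_t   baseline_hash;

/* FNV-1a 64-bit hash over a raw byte range. */
static uint64_t fnv1a64(const void *data, size_t len) {
    const unsigned char *p = (const unsigned char *)data;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

void init_service_table(void) {
    for (int i = 0; i < SERVICE_COUNT; i++) service_table[i] = svc_identity;
    service_table[1] = svc_double;
    service_table[2] = svc_negate;
}

void take_baseline(void) {
    memcpy(baseline, service_table, sizeof baseline);
    baseline_hash = fnv1a64(service_table, sizeof service_table);
}

/* Cheap periodic check: rehash the live table and compare with the baseline. */
int table_hash_matches(void) {
    return fnv1a64(service_table, sizeof service_table) == baseline_hash;
}

/* Detailed check: compare entry by entry, returning how many differ and
 * writing up to max_out of their indices into out. */
int find_modified_entries(int *out, int max_out) {
    int n = 0;
    for (int i = 0; i < SERVICE_COUNT; i++) {
        if (service_table[i] != baseline[i]) {
            if (n < max_out) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Plausibility check that needs no baseline: does the pointer target a known
 * legitimate routine? In a kernel this corresponds to checking that the address
 * lies inside the kernel image rather than in some other loaded module. */
int entry_points_to_trusted_code(service_fn f) {
    return f == svc_identity || f == svc_double || f == svc_negate;
}

/* Repair: copy baseline entries back over any modified ones; returns the count. */
int restore_from_baseline(void) {
    int restored = 0;
    for (int i = 0; i < SERVICE_COUNT; i++) {
        if (service_table[i] != baseline[i]) {
            service_table[i] = baseline[i];
            restored++;
        }
    }
    return restored;
}

/* Test helper: overwrite one entry so the checks above have something to find. */
void simulate_tampering(int idx) {
    service_table[idx] = svc_foreign;
}

int main(void) {
    init_service_table();
    take_baseline();
    simulate_tampering(3);
    int idx[SERVICE_COUNT];
    int n = find_modified_entries(idx, SERVICE_COUNT);
    printf("hash ok: %d, modified entries: %d\n", table_hash_matches(), n);
    for (int i = 0; i < n; i++)
        printf("  service %d -> %s\n", idx[i],
               entry_points_to_trusted_code(service_table[idx[i]]) ? "trusted" : "untrusted");
    printf("restored: %d\n", restore_from_baseline());
    return 0;
}
```

The hash comparison is the cheap check suited to frequent scanning; the entry-by-entry comparison and the trusted-code test are the slower steps that tell an operator which service was altered and whether its new target is even plausible. A real tool reads the table from kernel memory rather than from a global array, and the baseline must itself be protected or derived from an on-disk image, since a snapshot taken after the system was already modified would only confirm the modification.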
Keywords/Search Tags: Windows rootkit, memory integrity check, System Service Table