Research On Technology Of Anti-Xprobe2 Based On NDIS

Posted on: 2007-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: J L Ma
GTID: 2178360185958612
Subject: Computer software and theory

Abstract/Summary:
Every physical device on a network relies on a corresponding operating system (OS). The operating system type is an important network characteristic, valuable to both the attacker and the network administrator. Generally speaking, a specific system vulnerability is tied to a specific OS type or a specific version of it. If an attacker detects the OS type or version on the target, he may attack it through that system's vulnerabilities. The network administrator, on the other hand, determines whether the network has vulnerabilities by probing it. Every OS is designed to be perfect and tries to avoid all vulnerabilities, but none can ensure that the system is strong enough to prevent attacks. In fact, every OS has many vulnerabilities, and these may lead to fatal damage.

This dissertation researches defence against attacks that are based on the vulnerabilities of a specific OS. It studies how to use network masquerade to defend against detection of the operating system type and version number, and so avoid attacks on operating system holes. Based on an analysis of the system architecture of Windows 2000 and of the principles of Xprobe2, a tool used to detect operating system fingerprints, Anti-Xprobe2, a tool used to defend against detection of operating system fingerprints, is designed and implemented on an NDIS intermediate driver. The research of this thesis can be summarized as follows:

First, the types of detection are classified, research on operating system masquerade in China and abroad is introduced, operating system fingerprint and passive masquerade are defined based on the references, and the prototype of Anti-Xprobe2 is proposed.

Second, the detection principles and techniques of Xprobe2 are researched and analysed in depth. Using active detection packets, Xprobe2 analyzes the features of ICMP packets with a fuzzy matrix and obtains the type of the remote operating system.

Finally, because network packet capture is an important component of Anti-Xprobe2, the capture mechanisms for network packets are researched in detail, and Anti-Xprobe2, the tool for defending against detection of operating system fingerprints, is designed. Windows 2000 is Anti-Xprobe2's development platform, and its system architecture is analyzed. The various network packet capture mechanisms available on Windows 2000 are researched and compared. A packet capture technique based on the NDIS intermediate driver is proposed, and detection of the operating system fingerprint is defended against by masquerading packets. On this basis, the overall framework of Anti-Xprobe2 is designed. Anti-Xprobe2 is divided into two modules: the event separator module and the packet camouflage module. The event separator module judges and separates inbound and outbound packets: detection packets are passed to the camouflage module, and all other packets are transmitted as usual. The packet camouflage module modifies the response packets. The test results show that Anti-Xprobe2 successfully defends against detection by Xprobe2, which proves the rationality and feasibility of Anti-Xprobe2's design framework.
Keywords/Search Tags: Network security, NDIS, OS fingerprinting, Anti-Xprobe2