
The Research On Trojan Detection Technology Based On Memory Integrality

Posted on: 2007-02-28
Degree: Master
Type: Thesis
Country: China
Candidate: Q Qi
Full Text: PDF
GTID: 2178360242461916
Subject: Computer system architecture
Abstract/Summary:
With the rapid spread of the Internet and the continuing growth of its applications, many kinds of Internet attacks have appeared, seriously harming the interests of Internet users. Starting from the hook technique that prevalent trojans use to hide themselves, this thesis proposes a detection method based on memory integrity, so as to detect more of the trojans that rely on hooking, and surveys the existing detection technologies.

Memory-integrity detection checks the integrity of each important memory region while a program is running, looks for anomalies, and uses them to decide whether a trojan is present in the system. Most existing memory-integrity methods, however, judge the presence of a trojan only by checking the integrity of the code area, so they cannot detect trojans that modify other memory areas instead. A detection program is therefore designed around the memory-detection principle, with four detection modules: an import address table detection module, a system service address table detection module, a system service descriptor table detection module, and an active process link list detection module.

Import address table detection is based on the PE (Portable Executable) file format. By comparing each function address stored in the import address table with the address that the exporting module actually provides for that function, it finds whether a trojan has hooked any function in the table. System service address table detection is based on checking whether memory is consistent with the file on disk. After the system service table is loaded into memory, the operating system adds an address offset (the relocation delta) to the file contents in memory; once that offset is computed, every place where memory differs from the file can be located.

In practice, this system detected the hook-based trojan He4Hook, making up for the shortcomings of existing kernel-based trojan detection tools.
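The memory-versus-file comparison of the system service table described above, as an added example that is not the thesis's own code: it assumes the x86 table layout (each entry an absolute 32-bit pointer), and the file-side table, the in-memory table, the link-time base, the load base and the image size are constructed values embedded inline, since reading them from ntoskrnl.exe on disk and from kernel memory is outside the example. The `in_image` flag is an extra check not described in the abstract: it separates a hook that jumps to a foreign driver from one that lands in patched code inside the image, which a range check alone would miss but the file comparison still catches. The 64-bit kernel stores relative offsets rather than pointers in this table, so the same idea needs a different decode there.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed (constructed) image geometry for the demonstration: the on-disk
 * file is linked at PREFERRED_BASE, the kernel loaded it at ACTUAL_BASE. */
#define PREFERRED_BASE 0x00400000u
#define ACTUAL_BASE    0x80400000u
#define IMAGE_SIZE     0x00200000u

/* Service table as stored in the file: absolute 32-bit addresses relative to
 * PREFERRED_BASE (x86 layout, one pointer per entry). Constructed data. */
static const uint32_t file_table[] = {
    0x00405a10u, 0x00405b22u, 0x00406004u, 0x00406158u, 0x00407c00u,
};
#define N_SERVICES (sizeof file_table / sizeof file_table[0])

/* The same table as read back from kernel memory (constructed): the loader
 * added the relocation delta to every entry, and two entries were then
 * overwritten by hooks. Index 1 points to a patched spot inside the image,
 * index 3 points into a separate driver outside the image. */
static const uint32_t mem_table[] = {
    0x80405a10u, 0x80406b22u, 0x80406004u, 0xf7a01000u, 0x80407c00u,
};

struct ssdt_finding {
    size_t   index;    /* service number whose entry differs */
    uint32_t expected; /* file entry plus relocation delta */
    uint32_t actual;   /* value observed in memory */
    int      in_image; /* 1 if the observed value lies inside the loaded image */
};

/* Apply the relocation delta to each file entry and compare it with the
 * in-memory entry. Returns the number of mismatches; the first `max` are
 * written to out[]. */
size_t ssdt_compare(const uint32_t *file_tbl, const uint32_t *mem_tbl, size_t n,
                    uint32_t preferred_base, uint32_t actual_base,
                    uint32_t image_size, struct ssdt_finding *out, size_t max)
{
    uint32_t delta = actual_base - preferred_base; /* modulo 2^32, as the loader does */
    size_t found = 0;

    for (size_t i = 0; i < n; i++) {
        uint32_t expected = file_tbl[i] + delta;
        if (expected == mem_tbl[i])
            continue;
        if (found < max) {
            out[found].index    = i;
            out[found].expected = expected;
            out[found].actual   = mem_tbl[i];
            /* unsigned wrap turns the two-sided range test into one comparison */
            out[found].in_image = (mem_tbl[i] - actual_base) < image_size;
        }
        found++;
    }
    return found;
}

int main(void)
{
    struct ssdt_finding f[N_SERVICES];
    size_t n = ssdt_compare(file_table, mem_table, N_SERVICES,
                            PREFERRED_BASE, ACTUAL_BASE, IMAGE_SIZE,
                            f, N_SERVICES);
    for (size_t i = 0; i < n; i++)
        printf("service %zu: expected 0x%08x, memory 0x%08x (%s)\n",
               f[i].index, f[i].expected, f[i].actual,
               f[i].in_image ? "inside image: patched code?"
                             : "outside image: foreign driver");
    return n ? 1 : 0;
}
```

On the constructed tables the two hooked services are reported and the three untouched ones are silent; running the comparison with the file table on both sides (delta zero) yields no findings, which is the sanity check to run before trusting the tool on a live system.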
Keywords/Search Tags: Windows Trojan, Detection technology, Memory integrality, Import Address Table