
The Research Of Technology On Hidden Program Detection On Current Preferred Operating System

Posted on: 2008-03-22
Degree: Master
Type: Thesis
Country: China
Candidate: W C Huang
Full Text: PDF
GTID: 2178360272969545
Subject: Computer system architecture
Abstract/Summary:
Hiding techniques are increasingly used to protect malicious programs in network attacks. General-purpose detection tools can hardly detect such hidden programs because of the sophisticated techniques they employ, so research into detecting programs that use popular hiding techniques has important practical value.

Aimed at the requirements of this specific application, a new system named Cross View Based Windows Hidden Program Detection System (CVBHDS) is designed on the basis of an analysis of hiding and detection technologies. The workflow of the system is described and the detailed design of its key functional modules is completed.

On the basis of the overall design of CVBHDS, the key modules of the system are described: hidden process detection, hidden in-process module detection, hidden system-loaded module detection, hidden file detection, hidden port detection and hidden key kernel object detection.

For the implementation of the key detection modules, trusted methods that can detect most popular hiding activities are researched from many aspects for the various hiding techniques. On the basis of these trusted methods, the differences between the information enumerated by the general method and by the trusted method are used to detect the activities that hidden programs try to conceal from general detection tools.

Experimental results show that CVBHDS can detect many activities hidden by popular hidden programs, such as processes, in-process modules, system-loaded modules, files and ports; in addition, CVBHDS can provide important information for detection by analysing the SSDT (System Service Descriptor Table) and IDT (Interrupt Descriptor Table). In other words, CVBHDS can effectively detect most popular hidden programs in user mode, and analyse the traces of many hidden programs in kernel mode.
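The cross-view comparison the abstract describes, as an added example that is not code from the thesis or from CVBHDS: one function diffs a "general" enumeration against a "trusted" one per object kind, and a second applies the SSDT analysis by resolving each entry against the kernel image range. All views, PIDs, ports and addresses below are constructed for illustration.

```python
# "general" view: what a user-mode enumeration API reports (constructed sample).
GENERAL_VIEW = {
    "process": {(4, "System"), (612, "svchost.exe"), (1420, "explorer.exe")},
    "port": {("tcp", 135), ("tcp", 445)},
}
# "trusted" view: the same kinds enumerated by a lower-level method that a
# user-mode hook cannot filter, e.g. walking kernel structures (constructed).
TRUSTED_VIEW = {
    "process": {(4, "System"), (612, "svchost.exe"), (1420, "explorer.exe"),
                (2048, "unknown.exe")},
    "port": {("tcp", 135), ("tcp", 445), ("tcp", 31337)},
}


def cross_view_diff(general, trusted):
    """Compare the two views per object kind.

    'hidden':    in the trusted view but not the general one, i.e. what a
                 hiding program conceals from general tools.
    'transient': only in the general view; usually an object created or
                 destroyed between the two enumerations, so it is reported
                 separately rather than flagged as hiding.
    """
    report = {}
    for kind in sorted(set(general) | set(trusted)):
        g, t = general.get(kind, set()), trusted.get(kind, set())
        hidden, transient = sorted(t - g), sorted(g - t)
        if hidden or transient:
            report[kind] = {"hidden": hidden, "transient": transient}
    return report


# Hypothetical kernel image range and SSDT snapshot (constructed addresses).
KERNEL_IMAGE = (0x804D7000, 0x806E2000)
SSDT = [0x805A1C20, 0x805B0F44, 0xF8A12B10, 0x80598E60]


def find_ssdt_hooks(ssdt, kernel_image=KERNEL_IMAGE):
    """Indices of SSDT entries resolving outside the kernel image: the trace
    a kernel-mode hook leaves, the index telling which service is hooked."""
    lo, hi = kernel_image
    return [i for i, addr in enumerate(ssdt) if not lo <= addr < hi]


if __name__ == "__main__":
    print(cross_view_diff(GENERAL_VIEW, TRUSTED_VIEW))  # flags pid 2048, port 31337
    print(find_ssdt_hooks(SSDT))  # [2]
```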
Keywords/Search Tags: Cross View, Malicious Code, Hidden Program, Detection, Hook