
The Analysis And Implementation Of Windows Rootkit

Posted on: 2010-05-06    Degree: Master    Type: Thesis
Country: China    Candidate: G Zhao    Full Text: PDF
GTID: 2178360275467664    Subject: Computer application technology
Abstract/Summary:
A rootkit is a software system designed to hide itself and all of its associated resources (processes, ports, files, etc.), or to obscure the fact that a system has been compromised. The discovery of the Sony Digital Rights Management (DRM) rootkit in 2005 by Mark Russinovich, a well-known security researcher at Sysinternals (acquired by Microsoft on July 18, 2006), suddenly thrust rootkits from relative obscurity to a position of prominence. It also spurred the development of new rootkit technology and research, and rootkits are now regarded as a real and growing threat. A senior official in Microsoft Corp.'s security unit once disclosed that "more than 20 percent of all malware removed from Windows XP SP2 systems are stealth rootkits". Graybird (GrayPigeon), a notorious backdoor in China, relies on rootkit capabilities to hide its presence, which makes its infections hard to detect; this is one of the reasons Graybird was ranked among the top 10 viruses in China for the third straight year. The security community, both at home and abroad, has taken this threat very seriously.

This thesis studies Windows rootkits in a systematic way. First, it defines the Windows rootkit and gives its classification, and verifies the segmentation and paging mechanisms of protected mode using WinDbg. Second, it presents a detailed analysis of the classic Windows rootkit technologies (SSDT hooking, IDT hooking, detour patching and DKOM rootkits) together with their implementation. Third, it studies how Windows rootkits hide themselves, analyzing their design ideas and core technologies in depth. Finally, it studies alternate data streams, registry hiding and other related techniques used by Windows rootkits. All of these techniques are analyzed in detail. The research is a comprehensive and thorough analysis of Windows rootkits, and makes up for existing deficiencies in the design and analysis of Windows rootkit technology.
Keywords/Search Tags: Windows rootkit, SSDT, DKOM, Hide Registry