
Research And Application Of Kernel Rootkit Detection Technology Under Win32 Environment

Posted on: 2010-10-19
Degree: Master
Type: Thesis
Country: China
Candidate: W L Lin
Full Text: PDF
GTID: 2178360275970352
Subject: Communication and Information System

Abstract/Summary:
With the development of computer networks, more and more network attacks happen around us, such as local network infiltration and the theft of private information. In the information security field, attack and defense technologies drive each other's development. Attackers use rootkit technology to keep continuing control of a compromised computer, and it also helps them hide backdoor software. Rootkit technology was first used on UNIX systems and later on many other operating systems; today, rootkits in the Win32 environment are the most widely researched. Rootkits are a form of hacking technology, so we must study them in order to defend against them better.

According to the level at which they invade the operating system, rootkits are classified into application-level rootkits and kernel-level rootkits. An application-level rootkit works only in user mode, whereas a kernel-level rootkit attacks the operating system kernel itself, which makes kernel-level rootkits much harder to find in a system. This paper studies the detection of kernel-level rootkits.

The paper first describes the structure of the Windows operating system and the parts of the kernel that are relevant to rootkit technology. It then presents several rootkit attack methods, including hooking the SSDT, filter drivers, and kernel object manipulation, explaining the principle behind each method and discussing its implementation. With this understanding of how Windows rootkits are implemented, we examine several well-known Windows rootkits and study the various methods for detecting them. I describe each of these detection techniques and give its implementation, then use them to analyze and detect the currently well-known Windows rootkits. Based on the detection results, I point out the deficiencies of these techniques and propose some improvements.

Finally, based on an analysis of the latest rootkit developments, we research and analyze Bootkit technology and its underlying system principles, and give a preliminary detection method. All of this work lays a solid foundation for further work.
Keywords/Search Tags: Rootkit, detection technique, system kernel, SSDT table, filter driver, kernel object, Bootkit