Research Of Rootkit Detection Technology Based On The Windows's Course Of Startup

Posted on: 2011-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: L F Deng
Full Text: PDF
GTID: 2178360305961117
Subject: Cryptography

Abstract/Summary:
As a recent form of Rootkit technology, the Windows startup-based Rootkit extends its storage location from the file system to hardware stores such as the BIOS and the MBR. At the same time, its boot process runs at the same level as the Windows kernel, or even earlier. The Windows startup-based Rootkit can therefore take control of the computer early and implement stronger hiding and control functions. According to its storage place and startup time, the Windows startup-based Rootkit is divided into the BIOS Rootkit and the Bootkit. If the key technologies of the Windows startup-based Rootkit are mastered, the corresponding detection methods can be found. Therefore, this dissertation researches and analyses the Windows startup-based Rootkit technique from the defender's standpoint.

The main research results of this dissertation are as follows:

(1) After an in-depth study of the Trojan modelling framework and the cooperative-concealment Trojan model, a formal model of BIOS Rootkit cooperative concealment and its application are given, and a BIOS Rootkit detection technology based on the cooperation characteristic is proposed. The algorithm combines signature-code search with dynamic restoration in order to address the deficiency of existing BIOS Rootkit detection technology, which can detect a BIOS Rootkit but cannot restore the system. Experimental results show that this scheme is highly reliable and can restore the interrupt services changed by the BIOS Rootkit.

(2) After detailed reverse analysis of the MBR's structure and bootable code, a Bootkit detection technology based on the MBR is proposed. This detection technology resolves the difficult problem that embedded Bootkits cannot be detected, and applies different ways to restore an MBR that has been changed by a Bootkit.

Finally, experiments validate that the MBR-based Bootkit detection technology is an efficient detection method with good restoration results.
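As an added illustration, not code from the thesis (whose detection algorithm is only described here in outline), the following Python sketch shows the kind of MBR integrity check and restoration the abstract refers to. It parses the standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA boot signature), compares the boot code against a trusted baseline hash, flags malformed partition entries, and writes a trusted copy of the boot code back while keeping the live partition table and signature. All sample bytes are constructed placeholders, not real boot code.

```python
"""Illustrative MBR integrity check and restore (added example; not from the thesis)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445: bootstrap code
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries occupy bytes 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "status": status,      # 0x80 = active/bootable, 0x00 = inactive
            "type": ptype,         # partition type id (e.g. 0x07 for NTFS)
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": mbr[:BOOT_CODE_SIZE],
        "partitions": entries,
        "signature": mbr[MBR_SIZE - 2:],
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the trusted baseline."""
    findings = []
    parsed = parse_mbr(mbr)
    if parsed["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 55AA")
    digest = hashlib.sha256(parsed["boot_code"]).hexdigest()
    if digest != baseline_boot_code_sha256:
        findings.append("boot code hash differs from baseline: " + digest[:16])
    bootable = [e for e in parsed["partitions"] if e["status"] == 0x80]
    if len(bootable) > 1:
        findings.append(f"{len(bootable)} partitions flagged bootable")
    for e in parsed["partitions"]:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"invalid partition status byte 0x{e['status']:02x}")
    return findings


def restore_boot_code(mbr: bytes, trusted_boot_code: bytes) -> bytes:
    """Put the trusted boot code back while keeping the live partition table and signature."""
    if len(trusted_boot_code) != BOOT_CODE_SIZE:
        raise ValueError(f"trusted boot code must be {BOOT_CODE_SIZE} bytes")
    return trusted_boot_code + mbr[BOOT_CODE_SIZE:]


# Constructed sample data: placeholder bytes, not real boot code.
TRUSTED_BOOT_CODE = bytes([0xEB, 0xFE]) + b"\x90" * (BOOT_CODE_SIZE - 2)
PARTITION_TABLE = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
CLEAN_MBR = TRUSTED_BOOT_CODE + PARTITION_TABLE + BOOT_SIGNATURE
TRUSTED_HASH = hashlib.sha256(TRUSTED_BOOT_CODE).hexdigest()

# Constructed "modified" MBR: the first bytes of the boot code have been overwritten,
# which is what an integrity check sees after the bootstrap code is altered.
MODIFIED_MBR = bytes([0xEB, 0x10]) + b"\x00" * 16 + CLEAN_MBR[18:]

if __name__ == "__main__":
    print("clean MBR findings:", check_mbr(CLEAN_MBR, TRUSTED_HASH))
    print("modified MBR findings:", check_mbr(MODIFIED_MBR, TRUSTED_HASH))
    restored = restore_boot_code(MODIFIED_MBR, TRUSTED_BOOT_CODE)
    print("restored equals clean baseline:", restored == CLEAN_MBR)
```

In practice the 512 bytes would be read from the raw disk device (for example `\\.\PhysicalDrive0` on Windows, which requires administrative rights) and the baseline hash would be recorded from a known-good image; the check only detects changes to the boot code itself, and the same baseline idea can be extended to the partition table if it is expected to be stable.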
Keywords/Search Tags: BIOS Rootkit, Bootkit, Windows operating system, Cooperative concealment, Master Boot Record