
Malicious Code Detection Technology

Posted on: 2012-05-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y B Yang
Full Text: PDF
GTID: 2208330332992381
Subject: Signal and Information Processing
Abstract/Summary:
Malicious code exposes computer systems and networks to unprecedented threats. As viruses diversify and new malicious tools emerge, malicious code detection technology faces ever higher requirements. The rootkit, one of the most dangerous of these tools, is also among the hardest to detect. Rootkits are a new back-door technology in the computer security field; countless hackers in China and abroad are studying and using them, and the theory and functionality behind them continue to be refined and extended. The emergence of these rootkit tools poses a great challenge to the protection of computer systems and of users' privacy. In particular, when rootkit techniques move to driver-layer hooking, current rootkit detection tools lose their value, so a reliable and effective rootkit detection tool becomes necessary. This paper discusses the mainstream theories, technologies and implementations used by current rootkit tools and, on that basis, proposes an effective rootkit detection method. Microsoft Windows XP is the platform for this research and design: because it is currently the most popular operating system, it is also the main platform on which rootkits intrude and steal user information, and studying rootkit technology on this platform shows the direction and scope of current mainstream rootkit techniques. Current rootkit intrusion takes two main forms: user-space intrusion and kernel-space intrusion.
User-space intrusion works mainly by hooking the Import Address Table (IAT); kernel-space intrusion works by hooking the System Service Descriptor Table (SSDT), from where the rootkit hides its suspicious files and processes. Based on these behavioural characteristics, this paper develops a new rootkit detection tool, analyses its detection principle and test results to show that it detects rootkits, in particular kernel-space rootkits, and finally makes recommendations for improving the tool in future.
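The core check behind the IAT- and SSDT-hook detection described above, as an added example that is not the thesis's own tool: each IAT entry must resolve into the image of the module that exports it, and each SSDT slot must point into the kernel image. The module names, base addresses and table contents are constructed sample data.

```python
# Added illustration, not the thesis's own tool: the address-range check that
# IAT and SSDT hook detectors rely on, run over constructed sample tables.
from dataclasses import dataclass

@dataclass(frozen=True)
class ModuleRange:
    """Image range of a loaded module (or of the kernel image)."""
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

def owner_of(addr, modules):
    """Name of the module whose image backs addr, or None if no module does."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None

def check_iat(iat, modules):
    """iat entries are (exporting_module, function, resolved_address).
    A clean entry resolves into the image of the module that exports it;
    anything else (another DLL, or memory backed by no module) is reported."""
    findings = []
    for exp_mod, func, addr in iat:
        owner = owner_of(addr, modules)
        if owner != exp_mod:
            findings.append({"function": func, "expected": exp_mod,
                             "owner": owner, "address": addr})
    return findings

def check_ssdt(ssdt, kernel):
    """Every SSDT slot should point into the kernel image; report the rest."""
    return [{"index": i, "address": a} for i, a in enumerate(ssdt)
            if not kernel.contains(a)]

# Constructed sample data; bases and sizes are illustrative, not real layouts.
SAMPLE_MODULES = [ModuleRange("kernel32.dll", 0x7C800000, 0xF6000),
                  ModuleRange("ntdll.dll", 0x7C900000, 0xB2000),
                  ModuleRange("evil.dll", 0x10000000, 0x10000)]
SAMPLE_IAT = [("kernel32.dll", "CreateFileW", 0x7C801A28),           # clean
              ("kernel32.dll", "FindNextFileW", 0x10001230),         # redirected into evil.dll
              ("ntdll.dll", "NtQuerySystemInformation", 0x350000)]  # unbacked memory
NTOSKRNL = ModuleRange("ntoskrnl.exe", 0x804D7000, 0x1F8000)
SAMPLE_SSDT = [0x805B3C10, 0x805A1F20, 0xF8A1C200]  # slot 2 lies outside the kernel image

if __name__ == "__main__":
    print("IAT hooks:", check_iat(SAMPLE_IAT, SAMPLE_MODULES))
    print("SSDT hooks:", check_ssdt(SAMPLE_SSDT, NTOSKRNL))
```

Export forwarders (a kernel32 import that legitimately resolves into ntdll) also trip the IAT check, so a real tool must whitelist them from the export table before reporting.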
Keywords/Search Tags: Malicious Code, Rootkit, IAT Hook, SSDT Hook, Hide