
Windows Environment, Malicious Code Detection Technology

Posted on: 2008-07-25
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
Full Text: PDF
GTID: 2208360212975240
Subject: Computer application technology

Abstract/Summary:
With the development of information technology, and of the Internet in particular, network security has drawn increasing attention, and malicious code has become a focus of research in this area. This paper concerns malicious code detection technology on the Windows platform.

The main approaches to detecting malicious code are signature detection, integrity detection and virtual machine detection. This paper analyzes the principles of these three approaches and their respective advantages and disadvantages. Signature detection is fast and has a low false alarm rate, but it requires a voluminous signature database and cannot detect polymorphic malicious code. Integrity detection can detect file modification, but it assumes that new files contain no malicious code, so it cannot detect malicious code that arrives in incoming files. Virtual machine detection can effectively deal with some polymorphic malicious code, but there are still many ways for malicious code to bypass it, such as the use of special instructions or of structured exception handling.

With the wide application of Rootkit technology in new malicious code, malicious code detection faces unprecedented challenges. Rootkit technology hides the very objects a detection system looks for, including processes, files, TCP ports and registry information. Experiments show that existing commercial malicious code detection systems cannot effectively detect malicious code hidden by Rootkit technology. This paper analyzes the methods malicious code uses to hide processes, TCP ports, files and registry information. Building on this analysis of hiding techniques, the paper presents a technology for detecting hidden malicious code based on difference analysis.

This technology compares trusted system information with untrusted system information; the differences are the hidden information. The paper presents methods for obtaining both the trusted and the untrusted system information. The paper also summarizes the principles of backdoors and identifies the characteristics that distinguish a backdoor from other programs; from these characteristics it presents a new way to detect backdoors. Using the technologies presented in this paper, I developed a malicious code detection system, MalFinder. MalFinder performs more effectively than existing detection systems when detecting hidden malicious code and backdoors.
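The difference-based (cross-view) detection described above, as an added example that is not code from the thesis or from MalFinder: the same category of system information is collected twice, once through the high-level interface a rootkit is likely to hook (the untrusted view) and once through a lower-level path (the trusted view), and anything present in the trusted view but missing from the untrusted one is reported as hidden. The views below are constructed sample data rather than real system output; on a real system they would come from, for instance, a process-enumeration API versus a PID walk, or a directory listing versus raw volume parsing. The example also goes one step beyond the abstract by comparing against several untrusted snapshots, so that objects that merely appeared or exited between two collections are not reported as hidden.

```python
"""Cross-view (difference-based) detection of hidden system objects.

Added example; not the thesis author's code. All views are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # "process", "file", "tcp_port" or "registry"
    item: str       # object visible in the trusted view but absent from the untrusted one


def hidden_items(trusted: set, untrusted: set) -> set:
    """Objects the trusted collector sees that the untrusted collector omits."""
    return trusted - untrusted


def cross_view_scan(trusted_views: dict, untrusted_views: dict) -> list:
    """Run the difference analysis for every category present in both views.

    Findings are sorted by category and item so that results are stable.
    """
    findings = []
    for category in sorted(trusted_views.keys() & untrusted_views.keys()):
        for item in sorted(hidden_items(trusted_views[category], untrusted_views[category])):
            findings.append(Finding(category, item))
    return findings


def stable_findings(trusted_views: dict, untrusted_snapshots: list) -> list:
    """Report only items hidden in every untrusted snapshot.

    A process that starts or exits between two collections shows up as a
    one-off difference; requiring the difference to persist across several
    untrusted snapshots removes that source of false positives.
    """
    per_snapshot = [set(cross_view_scan(trusted_views, snap)) for snap in untrusted_snapshots]
    if not per_snapshot:
        return []
    common = set.intersection(*per_snapshot)
    return sorted(common, key=lambda f: (f.category, f.item))


# Constructed sample views (hypothetical names, not real system output).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

TRUSTED_VIEW = {
    "process": {"4:System", "620:csrss.exe", "1432:explorer.exe",
                "2200:svc_hidden.exe", "3000:notepad.exe"},
    "file": {r"C:\Windows\System32\drivers\etc\hosts", r"C:\Windows\Temp\h1dden.sys"},
    "tcp_port": {"0.0.0.0:135", "0.0.0.0:445", "0.0.0.0:31337"},
    "registry": {RUN_KEY + r"\ctfmon", RUN_KEY + r"\svc_hidden"},
}

# First untrusted snapshot: taken before notepad.exe was started, so the
# high-level view legitimately lacks it.
UNTRUSTED_VIEW = {
    "process": {"4:System", "620:csrss.exe", "1432:explorer.exe"},
    "file": {r"C:\Windows\System32\drivers\etc\hosts"},
    "tcp_port": {"0.0.0.0:135", "0.0.0.0:445"},
    "registry": {RUN_KEY + r"\ctfmon"},
}

# Second untrusted snapshot: notepad.exe is now visible, the rootkit-hidden
# objects still are not.
UNTRUSTED_VIEW_LATER = {
    "process": {"4:System", "620:csrss.exe", "1432:explorer.exe", "3000:notepad.exe"},
    "file": {r"C:\Windows\System32\drivers\etc\hosts"},
    "tcp_port": {"0.0.0.0:135", "0.0.0.0:445"},
    "registry": {RUN_KEY + r"\ctfmon"},
}


if __name__ == "__main__":
    print("single-snapshot differences:")
    for f in cross_view_scan(TRUSTED_VIEW, UNTRUSTED_VIEW):
        print(f"  {f.category:9} {f.item}")
    print("persistent differences across snapshots:")
    for f in stable_findings(TRUSTED_VIEW, [UNTRUSTED_VIEW, UNTRUSTED_VIEW_LATER]):
        print(f"  {f.category:9} {f.item}")
```

The single-snapshot scan flags five objects, including the transient `notepad.exe`; the multi-snapshot scan flags only the four that stay hidden across both collections. Which collector counts as trusted is the whole design question: it must obtain its view by a path the hiding technique does not intercept, which is why the trusted and untrusted collection methods, rather than the set difference itself, carry the real work.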
Keywords/Search Tags: malicious code detection, hiding, Rootkit, backdoor