
Windows Rootkits Detection Mechanism

Posted on: 2010-10-19  Degree: Master  Type: Thesis
Country: China  Candidate: S R Liang  Full Text: PDF
GTID: 2208360275482900  Subject: Information and Communication Engineering
Abstract/Summary:
A rootkit is a technique used by attackers to obtain super-user access to a system, create backdoors and hide their activity. A rootkit has two main functions: to conceal itself and to steal information. Rootkits exist for many operating systems; because Windows is so widely used, it has become the main target of rootkit attacks. The emergence of this attack method is a new threat to an already fragile Internet. Once a Windows rootkit has quietly entered a target host, it can control that host while hiding both itself and its hostile behaviour, steal secret information or cause damage, and it can turn the host into a "springboard" from which a variety of network attacks are launched.

Analysis of how a Windows rootkit works shows that, in order to hide itself and steal information quietly, it must modify some system files, memory data and kernel data. Further analysis shows that a Windows rootkit usually sets a hook in the interrupt descriptor table (IDT) or the system service descriptor table (SSDT), or modifies certain kernel data structures: with only a small change to the system, it makes the system execute the rootkit's own code. This thesis also analyses several popular Windows rootkit detection tools and finds that they can detect certain known Windows rootkits, but cannot detect new Windows rootkits or rootkits that use other techniques. A more comprehensive and effective detection mechanism is therefore needed to deal with the threat posed by Windows rootkits.

After analysing the techniques used by Windows rootkits, this thesis designs a detection system. The system uses integrity checking and self-hiding to protect itself from attack by malicious code, and it checks both user mode and kernel mode, the two places where a rootkit may make its modifications. In user mode, it checks the integrity of important system files, the code sections of executable files and the import address table. In kernel mode, based on the analysis of how Windows rootkits modify the interrupt descriptor table, the system service dispatch table and inline function code, and how they hide ports and processes, it proposes corresponding detection methods. In this way Windows rootkits can be detected comprehensively, making up for the defects of traditional methods. Finally, the thesis completes the design and implementation of the detection system, verifies its feasibility and effectiveness, and points out its shortcomings and the work to be done next.
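The two kernel-mode checks named above, hook-point detection on a dispatch table and inline-hook detection on function prologues, together with the baseline integrity comparison used in user mode, share one idea: compare what the running system contains against what the owning module should contain. The C program below is an added example, not code from the thesis, and it runs on constructed data rather than on a real Windows kernel. It models a dispatch table as an array of resolved code addresses (a real SSDT holds addresses directly; an IDT holds them split across gate descriptors, and reading either requires a driver), flags entries that point outside the module that should own them, counts entries that differ from a trusted baseline snapshot, and checks the first bytes of a function for the common x86 detour patterns. All addresses, table contents and byte sequences are hypothetical sample values chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A loaded kernel or DLL image; entries of a table it owns are expected to
 * point inside this range. Values below are constructed, not real addresses. */
typedef struct {
    uintptr_t base;
    size_t    size;
} image_range_t;

static int addr_in_image(uintptr_t addr, const image_range_t *img)
{
    return addr >= img->base && addr < img->base + img->size;
}

/* Hook-point check for an address table (SSDT, IDT, IAT): an entry whose
 * target lies outside the owning image has been redirected. Returns the
 * number of such entries and stores up to max_out of their indices. */
size_t find_hooked_entries(const uintptr_t *table, size_t n,
                           const image_range_t *img,
                           size_t *out_idx, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (!addr_in_image(table[i], img)) {
            if (found < max_out)
                out_idx[found] = i;
            found++;
        }
    }
    return found;
}

/* Integrity check against a trusted snapshot (taken at boot or rebuilt from
 * the on-disk image): count entries that no longer match the baseline. */
size_t diff_against_baseline(const uintptr_t *live,
                             const uintptr_t *baseline, size_t n)
{
    size_t diffs = 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != baseline[i])
            diffs++;
    return diffs;
}

/* Inline-hook check on an x86 function prologue. Typical trampolines are
 * JMP rel32 (E9 xx xx xx xx), PUSH imm32; RET (68 xx xx xx xx C3) and
 * MOV EAX,imm32; JMP EAX (B8 xx xx xx xx FF E0). Returns 1 if one is found. */
int prologue_looks_hooked(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)
        return 1;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return 1;
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0)
        return 1;
    return 0;
}

/* ---- constructed sample data (hypothetical, for this example only) ---- */

/* Pretend kernel image: 2 MiB starting at 0x80400000. */
const image_range_t SAMPLE_IMAGE = { 0x80400000u, 0x200000u };

/* Table contents recorded while the system was trusted. */
const uintptr_t SAMPLE_BASELINE[6] = {
    0x80412340u, 0x80415678u, 0x8041abcdu, 0x80420000u, 0x80431000u, 0x80440010u
};

/* Live table: entries 1 and 4 now point into an unrelated region (a
 * hypothetical driver load address), as an SSDT hook leaves them. */
const uintptr_t SAMPLE_LIVE[6] = {
    0x80412340u, 0xf7a01000u, 0x8041abcdu, 0x80420000u, 0xf7a01200u, 0x80440010u
};

/* Hot-patchable prologue: mov edi,edi; push ebp; mov ebp,esp */
const uint8_t CLEAN_PROLOGUE[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* Same function after an inline hook: jmp rel32 to the detour */
const uint8_t HOOKED_PROLOGUE[5] = { 0xE9, 0x00, 0x10, 0x00, 0x00 };

size_t sample_hooked_count(void)
{
    size_t idx[6];
    return find_hooked_entries(SAMPLE_LIVE, 6, &SAMPLE_IMAGE, idx, 6);
}

/* Index of the k-th flagged entry, or SIZE_MAX if there is none. */
size_t sample_hooked_index(size_t k)
{
    size_t idx[6];
    size_t n = find_hooked_entries(SAMPLE_LIVE, 6, &SAMPLE_IMAGE, idx, 6);
    return k < n ? idx[k] : SIZE_MAX;
}

size_t sample_baseline_diffs(void)
{
    return diff_against_baseline(SAMPLE_LIVE, SAMPLE_BASELINE, 6);
}

int main(void)
{
    size_t idx[6];
    size_t n = find_hooked_entries(SAMPLE_LIVE, 6, &SAMPLE_IMAGE, idx, 6);
    for (size_t i = 0; i < n; i++)
        printf("entry %zu -> %#lx lies outside the owning image\n",
               idx[i], (unsigned long)SAMPLE_LIVE[idx[i]]);
    printf("%zu entries differ from the trusted baseline\n", sample_baseline_diffs());
    printf("clean prologue hooked: %d, patched prologue hooked: %d\n",
           prologue_looks_hooked(CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE),
           prologue_looks_hooked(HOOKED_PROLOGUE, sizeof HOOKED_PROLOGUE));
    return 0;
}
```

The range check catches hooks that redirect into a separate driver or DLL, which is the case the abstract describes; a rootkit that patches code inside the owning image instead is what the baseline comparison and prologue check are for, which is why a detector keeps all three rather than relying on one.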
Keywords/Search Tags: Windows Rootkit, system security, hook point detection, integrity detection, hidden detection