
Windows Rootkits Analysis And Testing

Posted on: 2010-06-21    Degree: Master    Type: Thesis
Country: China    Candidate: Y Y Lai    Full Text: PDF
GTID: 2208360275483053    Subject: Information and Communication Engineering
Abstract/Summary:
Malware and some commercial software on the Windows platform have begun to use a stealth technology known as the Windows Rootkit, which is highly capable and hard to detect. With a Windows Rootkit, hiding a backdoor or malware on a computer system is not difficult; worse, a backdoor or malware armed with a Windows Rootkit is hard to find with the detection tools currently available. This thesis surveys the current state of Windows Rootkits and their detection tools: the techniques used by several Windows Rootkit instances are listed, the detection methods used by several detection tools are described, and the capability of these tools is then discussed.

First, the origin of the rootkit, its definition and its properties are introduced, followed by classifications from several viewpoints. The 386 protected mode of the x86 CPU, including segment management, segment privilege, memory paging, interrupts and exceptions, and I/O concepts, is one foundation of the Windows Rootkit. The other foundation is the Windows architecture, which is divided into user mode and kernel mode; the Executive subsystem in kernel mode is briefly introduced because it is central to kernel rootkits.

The techniques used by most Windows Rootkits are then analyzed in detail. In user mode, API hooking in process memory and inline function hooking are presented; in kernel mode, SSDT hooking, IDT hooking, IRP hooking and code patching are introduced. A newer kernel-oriented technique, Direct Kernel Object Manipulation (DKOM), is also discussed: it manipulates kernel objects directly, bypassing the Object Manager, and the method of hiding processes and devices with DKOM is analyzed.

Based on this analysis of Windows Rootkit behaviour, several Windows Rootkit detection tools are discussed, together with their advantages and disadvantages. Some common shortcomings emerge: each tool can detect only one kind of Windows Rootkit, and some tools work only on a specific Windows version. To resolve these problems and improve capability and compatibility, a new detection method and application technique named Integrated Method Detection is proposed. It is based on a comprehensive understanding of Windows Rootkits and captures the essential properties most of them share: it analyzes the API hooking, code patching, DKOM and other techniques a Windows Rootkit may use, examines both user and kernel memory, and combines integrity detection, cross-view detection, behaviour detection and other approaches. A program implementing Integrated Method Detection was written and tested against several representative Windows Rootkits on Windows 2000 and XP, where it detected them effectively.
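The abstract names three of the checks that an integrated detector combines: integrity checking of kernel dispatch tables (an SSDT entry should point inside the kernel image), integrity checking of function entry points (an inline hook typically rewrites the first bytes into a JMP to code outside the image), and cross-view comparison (a process that appears in a low-level view but not in the high-level, API-based view is being hidden, which is what DKOM achieves). The following C program, added here as an illustration and not part of the thesis or its detection program, models those three checks over constructed data: the kernel image range, the SSDT entries, the function bytes and the process lists are all invented sample values, and the `in_kernel_image` / 32-bit address layout is a simplifying assumption rather than how a real detector would obtain them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed kernel image range (hypothetical; a real detector reads it
   from the loaded-module list). 32-bit addresses, as on Windows 2000/XP x86. */
#define KERNEL_BASE 0x80400000u
#define KERNEL_SIZE 0x00200000u

static bool in_kernel_image(uint32_t addr) {
    return addr >= KERNEL_BASE && addr < KERNEL_BASE + KERNEL_SIZE;
}

/* Integrity check 1: SSDT entries.  Every system-service entry is expected to
   point inside the kernel image; an entry outside it is reported as hooked.
   Returns the number of flagged entries and stores their indices in `flagged`. */
size_t ssdt_suspicious_entries(const uint32_t *ssdt, size_t n,
                               size_t *flagged, size_t max_flagged) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in_kernel_image(ssdt[i]) && count < max_flagged)
            flagged[count++] = i;
    }
    return count;
}

/* Integrity check 2: inline hook at a function entry.  A relative JMP (E9 rel32)
   whose target lies outside the kernel image, or an absolute JMP (FF 25) as the
   very first instruction, is not a normal prologue and is reported as a hook. */
bool inline_hook_detected(uint32_t func_addr, const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);          /* little-endian rel32 */
        uint32_t target = func_addr + 5 + (uint32_t)rel;
        return !in_kernel_image(target);
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return true;
    return false;
}

/* Cross-view check: PIDs present in the low-level view but absent from the
   high-level (API) view are hidden processes.  Returns how many were found. */
size_t cross_view_hidden(const uint32_t *high, size_t nh,
                         const uint32_t *low, size_t nl,
                         uint32_t *hidden, size_t max_hidden) {
    size_t count = 0;
    for (size_t i = 0; i < nl; i++) {
        bool seen = false;
        for (size_t j = 0; j < nh && !seen; j++)
            seen = (high[j] == low[i]);
        if (!seen && count < max_hidden)
            hidden[count++] = low[i];
    }
    return count;
}

/* Constructed demonstration data below; the values are invented. */
size_t demo_ssdt_check(void) {
    static const uint32_t ssdt[] = {0x80461000u, 0x80462340u, 0x9E5F1234u, 0x80470080u};
    size_t flagged[4];
    return ssdt_suspicious_entries(ssdt, 4, flagged, 4);   /* entry 2 is outside */
}

bool demo_hooked_prologue(void) {
    /* E9 00 00 00 1E: JMP +0x1E000000 from a function at 0x80461000 -> 0x9E461005 */
    static const uint8_t code[] = {0xE9, 0x00, 0x00, 0x00, 0x1E};
    return inline_hook_detected(0x80461000u, code, sizeof code);
}

bool demo_clean_prologue(void) {
    /* mov edi,edi; push ebp; mov ebp,esp: the usual hot-patchable prologue */
    static const uint8_t code[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    return inline_hook_detected(0x80461000u, code, sizeof code);
}

size_t demo_cross_view(uint32_t *first_hidden) {
    static const uint32_t api_view[] = {4, 120, 360};
    static const uint32_t low_view[] = {4, 120, 360, 1337};
    uint32_t hidden[4];
    size_t n = cross_view_hidden(api_view, 3, low_view, 4, hidden, 4);
    if (n > 0 && first_hidden) *first_hidden = hidden[0];
    return n;
}

int main(void) {
    uint32_t pid = 0;
    printf("suspicious SSDT entries: %zu\n", demo_ssdt_check());
    printf("hooked prologue detected: %d, clean prologue flagged: %d\n",
           demo_hooked_prologue(), demo_clean_prologue());
    printf("hidden processes: %zu (first pid %u)\n", demo_cross_view(&pid), pid);
    return 0;
}
```

The three checks are deliberately independent, which is the point of the integrated approach the abstract describes: a DKOM rootkit leaves the SSDT and prologues intact but fails the cross-view check, while a hooking rootkit passes the cross-view check and fails one of the integrity checks.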
Keywords/Search Tags: Windows Rootkit, work principle, detection