
Research and Application of Windows Bootkit Technology

Posted on: 2010-11-22 | Degree: Master | Type: Thesis
Country: China | Candidate: H J Hu | Full Text: PDF
GTID: 2208360275983015 | Subject: Information and Communication Engineering
Abstract/Summary:
The Windows bootkit is the leading edge of rootkit technology. It moves the rootkit's storage location out of the file system into hardware-level storage such as the MBR, and moves its start-up to the same stage as the Windows kernel, or earlier. A bootkit can therefore take control of the computer before any other code does, which gives it strong hiding and control capabilities. Although the technique is still at the proof-of-concept stage and no mature malicious programs based on it have been seen, networks will be exposed to it unless detection and removal methods are researched now, and countermeasures can only be found by first mastering the core techniques of the bootkit. This dissertation therefore studies and analyses the Windows bootkit from the attacker's perspective.

Windows bootkit techniques are summarized and analysed from existing examples, and a formal model of the cooperative concealment of a bootkit is abstracted from the complex technical principles. Building on prior research, an MBR-based Windows bootkit prototype is designed and implemented. Compared with traditional MBR-based bootkits, the prototype's hook signature is more general, and its anti-detection capability is strengthened by hooking the read and write operations on the MBR. In the hiding module, object hijacking is used to bypass current hidden-file detection systems. In the functional module, a shell for remote control is completed. Three rounds of experiments show that the prototype realizes the idea of cooperative concealment and achieves satisfactory concealment; they also expose many shortcomings of bootkits, which provides reference information for further research in the field. Finally, implanting the bootkit by combining it with a vulnerability exploit is proposed, techniques for penetrating the disk-operation protection of proactive defense software are researched, and a PE-file infection technique that bypasses the UAC security mechanism of Vista is proposed.
At the same time, some prevention and detection technologies for the Windows bootkit are proposed.
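The abstract only names the techniques (hooking MBR reads and writes to hide the modified sector, and detection methods it does not spell out on this page). The following C program is an added illustration, not code from the thesis or its prototype: it models the MBR layout, the infection step, the read/write filter that answers a read of LBA 0 with the saved clean MBR and drops writes to it, and one generic detection check that compares LBA 0 as seen through the hookable path with an independent raw read. The disk contents, the 0xCC "loader stub" bytes, the two-sector disk model and all function names are constructed for the example; the detection check is a common approach, not the thesis's own method.

```c
/* Added example, not code from the thesis: a model of the MBR layout, of the
 * disk read/write hook an MBR bootkit uses to hide its own sector, and of a
 * detection check that reads LBA 0 through two paths. All disk contents are
 * constructed; the "loader stub" is placeholder bytes, not real code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE      512
#define MBR_BOOTCODE_LEN 440  /* boot code, before the 4-byte disk signature */
#define MBR_PTABLE_OFF   446  /* four 16-byte partition entries */
#define MBR_SIG_OFF      510  /* boot signature 0x55 0xAA */

struct mbr_partition { uint8_t status, type; uint32_t lba_first, sectors; };

/* Toy disk: sector 0 is the MBR, sector 1 is where the bootkit parks the
 * original MBR so it can chain-load the real boot code after its own stub. */
struct disk_model { uint8_t sectors[2][SECTOR_SIZE]; int hook_active; };

static uint32_t rd_le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* 1 if the sector ends with the 0x55AA boot signature. */
int mbr_has_signature(const uint8_t *s) { return s[MBR_SIG_OFF] == 0x55 && s[MBR_SIG_OFF + 1] == 0xAA; }

/* Parse the partition table; returns the count of non-empty entries, -1 if no signature. */
int mbr_parse(const uint8_t *s, struct mbr_partition out[4])
{
    if (!mbr_has_signature(s)) return -1;
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = s + MBR_PTABLE_OFF + 16 * i;
        out[i].status = e[0]; out[i].type = e[4];
        out[i].lba_first = rd_le32(e + 8); out[i].sectors = rd_le32(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* 1 if the boot-code region differs between a trusted baseline and a live copy. */
int mbr_bootcode_differs(const uint8_t *baseline, const uint8_t *live) { return memcmp(baseline, live, MBR_BOOTCODE_LEN) != 0; }

/* Constructed clean MBR: a byte pattern in the boot-code area plus one active NTFS partition. */
static void build_clean_mbr(uint8_t *s)
{
    memset(s, 0, SECTOR_SIZE);
    for (int i = 0; i < MBR_BOOTCODE_LEN; i++) s[i] = (uint8_t)(0x90 ^ i);
    uint8_t *e = s + MBR_PTABLE_OFF;
    e[0] = 0x80; e[4] = 0x07; wr_le32(e + 8, 2048); wr_le32(e + 12, 1000000);
    s[MBR_SIG_OFF] = 0x55; s[MBR_SIG_OFF + 1] = 0xAA;
}

/* Infection: save the clean MBR to sector 1, overwrite the start of sector 0 with
 * the stub, keep the partition table and signature so the disk still boots. */
void disk_infect(struct disk_model *d)
{
    build_clean_mbr(d->sectors[0]);
    memcpy(d->sectors[1], d->sectors[0], SECTOR_SIZE);
    memset(d->sectors[0], 0xCC, 64);  /* placeholder stub bytes */
    d->hook_active = 1;
}

/* Read through the hookable path. With the hook active, a read of LBA 0 is answered
 * with the saved clean MBR, so a scanner that reads the MBR sees nothing wrong. */
void hooked_sector_read(const struct disk_model *d, uint32_t lba, uint8_t *out)
{
    if (lba >= 2) { memset(out, 0, SECTOR_SIZE); return; }
    if (d->hook_active && lba == 0) lba = 1;
    memcpy(out, d->sectors[lba], SECTOR_SIZE);
}

/* Write through the same path. With the hook active, writes to LBA 0 (a repair
 * attempt, for instance) are silently dropped; returns 1 only if the write landed. */
int hooked_sector_write(struct disk_model *d, uint32_t lba, const uint8_t *in)
{
    if (lba >= 2 || (d->hook_active && lba == 0)) return 0;
    memcpy(d->sectors[lba], in, SECTOR_SIZE);
    return 1;
}

/* Detection: compare LBA 0 from the hookable path with an independent read of the
 * raw sector (in practice: from a clean boot medium or a lower-level access path).
 * A mismatch means something in the live system is filtering MBR reads. */
int detect_mbr_read_hook(const struct disk_model *d)
{
    uint8_t live[SECTOR_SIZE];
    hooked_sector_read(d, 0, live);
    return memcmp(live, d->sectors[0], SECTOR_SIZE) != 0;
}

int main(void)
{
    struct disk_model d; struct mbr_partition p[4]; uint8_t seen[SECTOR_SIZE];
    disk_infect(&d);
    hooked_sector_read(&d, 0, seen);
    int n = mbr_parse(seen, p);
    printf("entries=%d first_lba=%u mbr_looks_clean=%d hook_detected=%d\n", n,
           (unsigned)p[0].lba_first, !mbr_bootcode_differs(seen, d.sectors[1]), detect_mbr_read_hook(&d));
    return 0;
}
```

The point the model makes is the one the abstract relies on: once reads and writes of the MBR are filtered, a tool that asks the running system for sector 0 gets the clean copy and a repair write never reaches the disk, so any trustworthy check has to obtain the sector through a path the filter does not cover.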
Keywords/Search Tags: Bootkit, cooperative concealment, hook, MBR, Windows kernel