
Windows Kernel Security Mechanisms In The Process Of Multi-point Joint Hiding

Posted on: 2010-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: Z P Liu
GTID: 2208360275998887
Subject: Computer application technology
Abstract/Summary:
With the development of information security techniques, rootkits have become more and more important in the information security area and are also becoming one of its biggest challenges, and more researchers have begun to study them. Rootkits were first used on UNIX systems and then on many other operating systems. A rootkit is a group of persistent and undetectable programs and code. Most of the technologies and tricks employed by rootkits are designed to hide code and data in a system. Rootkits are not inherently "bad"; on the contrary, they can be used for legitimate purposes. For instance, forensic investigators can use a rootkit to monitor a suspect in real time, which allows them not only to collect evidence but also to take prompt action. Information has increasingly become the lifeblood of countries: if we can destroy the enemy's core information system, we will win the modern war. To win an information war, the key is how to obtain information intelligence in order to destroy the adversary's information system and control the battlefield information.

In this paper, I first describe the theory of the Windows system kernel that is related to rootkits. Second, I study the influence that a hidden process has on the system. Based on this research, I put forward the idea of Multi-Point Joint Process Hide, which hides not only the process itself but also the influences caused by the hidden process. This paper formalizes the operating system based on Abraham Silberschatz's research. I then give the properties of MPJPHR (Multi-Point Joint Process Hide Rootkit) from a theoretical point of view, abstract the dynamic behavior and static features of MPJPHR using Petri net theory, and give the MPJPHR model. Finally, after analyzing the details of this model, I design and implement a prototype of MPJPHR; the experimental results indicate that the prototype is effective.
Keywords/Search Tags:Windows Kernel, Rootkit, Multi-Point Joint, Process, Hide