
Design and Implementation of a Hiding Platform Based on Win32 Rootkits

Posted on: 2011-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: F B Jia
Full Text: PDF
GTID: 2208360308466347
Subject: Software engineering
Abstract/Summary:
With the spread of Internet technology, computers are used in every industry, more and more important data is stored on computers and transferred over the network, and the security of computer systems and networks receives growing attention. Malware has developed just as quickly and grown stronger. To survive, malware adopts many hiding techniques to avoid detection; among them Rootkit technology is the most powerful: it gives malware administrator privilege and conceals it inside the system so that security software does not detect it. Malware combined with a Rootkit becomes much harder to find, which is a serious threat to computer users.

This thesis describes Rootkit technology in detail. It first gives the definition of a Rootkit, its history and its main functions, then covers the Windows API calling mechanism and how kernel objects and drivers work. On that basis it surveys the popular Rootkit techniques, analyses how each of them works and summarises their strengths.

After that survey, a new hiding platform based on Win32 Rootkit techniques is implemented. The platform consists of two parts: a user module and a kernel module. The user module consists of a console module and a transition DLL module. The console module checks whether the arguments given on the user's command line are valid and then passes them to the transition DLL module, which provides the console module with the set of functions it calls. The kernel module consists of a kernel function module and an assisting module. The kernel function module hides files, processes, registry entries and network connections using the popular Rootkit techniques, while the assisting module hides the kernel modules themselves using memory camouflage techniques, so that anti-virus software cannot find and terminate them by scanning memory for signatures (characteristic byte sequences).

The main function of the platform is to create the driver that hides the target files, processes, registry entries and so on. Because most of the popular Rootkit techniques are integrated into the platform, the user can hide an object by choosing one or several techniques according to the requirement. In addition, the memory camouflage integrated into the hiding software lets it evade security software that relies on signature scanning. The thesis describes the design of the platform and the function of each module in detail; after full testing of the platform, the expected results were obtained.
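The platform described above hides processes, files, registry entries and connections from the enumeration paths that security software normally uses. The practitioner's standard check against this class of hiding is a cross-view diff: take the same inventory through two independent paths and look for discrepancies. The PowerShell script below is an added example written for this page, not code from the thesis or its platform. It compares the process list returned by Get-Process (the same enumeration that Task Manager uses) with a brute-force probe of the PID space through OpenProcess. The PID upper bound ($MaxPid), the use of PROCESS_QUERY_LIMITED_INFORMATION as the access right, and the reading of ERROR_ACCESS_DENIED as "PID exists" are the script's own assumptions.

```powershell
# Added example for this page (not code from the thesis or its platform):
# cross-view process detection on Windows.
#
# A process hidden by filtering the results of NtQuerySystemInformation or by
# unlinking its EPROCESS from the active process list vanishes from Task
# Manager and from Get-Process, but the kernel still resolves its PID through
# the CID handle table so that the process can keep running. Opening every
# candidate PID directly therefore gives a second, independent view; anything
# openable that the list does not show is a discrepancy worth investigating.
#
# Assumptions made here: PIDs are probed up to $MaxPid (PIDs are multiples
# of 4); PROCESS_QUERY_LIMITED_INFORMATION (Vista and later) is enough to
# prove that a PID exists. A rootkit that also hooks NtOpenProcess defeats
# this check, so a clean result means "nothing found", not "nothing hidden".

param([uint32]$MaxPid = 0x10000)

$k32 = Add-Type -Namespace 'XView' -Name 'K32' -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5   # PID exists but we may not open it (e.g. protected process)

# View 1: the enumerated list that every task manager relies on.
$listed = @{}
foreach ($p in Get-Process) { $listed[[uint32]$p.Id] = $p.ProcessName }

# View 2: brute-force probe of the PID space through OpenProcess.
# $candidate is type-constrained so that "+= 4" keeps it a uint32 and the
# hashtable keys stay comparable with those of $listed.
$probed = @{}
[uint32]$candidate = 4
for (; $candidate -lt $MaxPid; $candidate += 4) {
    $h = $k32::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
    if ($h -ne [IntPtr]::Zero) {
        $probed[$candidate] = 'opened'
        [void]$k32::CloseHandle($h)
        continue
    }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($err -eq $ERROR_ACCESS_DENIED) { $probed[$candidate] = 'exists, access denied' }
    # ERROR_INVALID_PARAMETER (87) is the normal answer for an unused PID.
}

# Diff the views. Processes that started between the two passes show up as
# transient discrepancies, so re-run before treating a hit as a rootkit.
$hidden = $probed.Keys | Where-Object { -not $listed.ContainsKey($_) } | Sort-Object
if ($hidden) {
    foreach ($id in $hidden) { '{0,6}  {1}' -f $id, $probed[$id] }
} else {
    'no discrepancy between the enumerated and the probed process views'
}
```

Run it from an elevated prompt on a lab machine (for example `.\xview.ps1 -MaxPid 0x40000` if the system has been up long enough for PIDs to grow large). The same idea generalises to the other objects the platform hides: list files through FindFirstFile and again through a raw read of the volume's directory entries, or list listening sockets through the API and again by binding to each port, and diff the two views.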
Keywords/Search Tags: Windows Rootkit, hiding, memory camouflage