
Windows Bootkit Detection And Defense Technology Research

Posted on: 2011-03-19  Degree: Master  Type: Thesis
Country: China  Candidate: Y Gao  Full Text: PDF
GTID: 2208360308967095  Subject: Information and Communication Engineering
Abstract/Summary:
A bootkit is currently the most stubborn kind of malicious code and is a type of rootkit. Although a bootkit's functions do not differ from a rootkit's, it extends its habitat from the traditional operating system files to the hardware, such as the BIOS and the MBR. In addition, it launches at the same time as the Windows kernel, or even earlier, so a bootkit can gain control of the computer early and achieve greater concealment and control; it can be regarded as an advanced rootkit. Bootkit technology is not yet mature: it is still in development and has not caused serious harm, but the existing bootkit samples have already demonstrated how harmful it can be. The Windows operating system is widely used in daily life, but because it is not open source, users cannot recompile system files to strengthen system security. Combined with system vulnerabilities, these factors make Windows an important target of bootkit attacks, so research into Windows bootkit detection and prevention technology is of great significance.

This paper takes the existing Windows bootkit samples as its starting point and analyzes their implementation techniques and principles. Then, combining this analysis with traditional Windows rootkit detection techniques, it designs and implements a Windows bootkit detection and prevention method that addresses three areas: real-time monitoring, diversity of monitoring, and self-protection. First, the method captures the current thread by analyzing the virtual machine's memory, so it can rapidly monitor what is running in the virtual machine. Next, an improved nearest neighbor clustering algorithm is used to detect whether a bootkit is present in memory; if one is found, it is cleared by filling its memory with zeros. Finally, the efficiency and reliability of the method are verified through experiments.

This paper addresses the single-purpose nature of general detection techniques. The cluster analysis method can adapt to the ever-changing complexity of Windows bootkits and can detect the variety of existing Windows bootkits more comprehensively; it is general rather than tied to one sample. Moreover, the detection program runs on the host computer and analyzes the virtual machine's memory; it can also capture the current thread and obtain the complete running state of the programs inside the virtual machine, thereby achieving real-time monitoring. Because the detection procedure and the bootkit run on different systems, the bootkit cannot sabotage the detection process, and the detection procedure avoids calling system functions that the bootkit has modified. This avoids incorrect detection results and implements the self-protection mechanism well.
Keywords/Search Tags: Bootkit, Windows kernel, detection, virtual machine memory, nearest neighbor clustering