Research On Program Concealment Technique On Windows

Posted on: 2012-10-10
Degree: Master
Type: Thesis
Country: China
Candidate: J P Liu
Full Text: PDF
GTID: 2218330362956488
Subject: Computer system architecture

Abstract/Summary:
Rootkits, which provide concealment for malware, are a common component of many attacks. Research on Windows rootkit technology is therefore necessary for protecting users' computer security: it has both academic and practical value for remote monitoring of criminal activity and for targeted remote information retrieval, and is equally valuable for protecting the information of specific users.

This thesis first analyses the main techniques exploited by rootkit programs in both user mode and kernel mode, and summarises the techniques and theory of rootkit detection. On that basis it discusses the design of a Program Concealment Tool System (PCTS) built on rootkit technology that supports two communication methods, the Transmission Control Protocol (TCP) and the Network Driver Interface Specification (NDIS). The application scenario of PCTS is analysed and its functional requirements, chiefly communication and concealment, are specified. Following a top-down design principle, the architecture and workflow of PCTS are given, and the startup, communication, command-parsing and hiding modules are designed in detail.

Starting from the principles of NDIS protocol drivers and the encapsulation of communication functions, the thesis explains the implementation of the NDIS protocol driver, the interaction between the user-mode application and the driver, and the mechanisms the NDIS driver uses to keep communication reliable. On top of the NDIS driver, a middle-layer application programming interface that hides the communication port is realised. The implementation of the self-startup, command-parsing and hiding modules of PCTS is then described in detail.

Particular emphasis is placed on the hiding module, covering thread injection for hiding user-mode processes, two-way jump hooking of the import address table, System Service Dispatch Table (SSDT) hooking in the kernel module, and Direct Kernel Object Manipulation (DKOM). The results show that PCTS starts together with the system and hides specified information, including ports, registry keys, files and processes. PCTS can also restore hidden information according to user configuration as needs change.
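The kernel-side hiding technique named above, Direct Kernel Object Manipulation, and one standard counter to it, cross-view detection (not named in the abstract, but representative of the rootkit-detection methods it surveys), can be demonstrated on a model of the kernel structures involved. The following C program is an added example, not code from the thesis or from PCTS: it models EPROCESS and PsActiveProcessHead with hypothetical layouts, unlinks one process from ActiveProcessLinks the way a DKOM rootkit does, re-links it on request, and detects the hidden entry by comparing a list walk against a scan of the allocation pool. The structure layouts, the PIDs and the image names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models of the kernel's LIST_ENTRY and of the EPROCESS fields used here.
 * The EPROCESS layout is hypothetical; real offsets vary per Windows build. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;
typedef struct eprocess {
    uint32_t   UniqueProcessId;
    char       ImageFileName[16];
    LIST_ENTRY ActiveProcessLinks;
} EPROCESS;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Stand-in for PsActiveProcessHead plus a constructed pool of four process
 * objects, i.e. everything the modelled "kernel" has allocated. */
static LIST_ENTRY PsActiveProcessHead;
#define POOL_COUNT 4
static EPROCESS pool[POOL_COUNT];

static void insert_tail(LIST_ENTRY *e) {
    LIST_ENTRY *last = PsActiveProcessHead.Blink;
    e->Flink = &PsActiveProcessHead;
    e->Blink = last;
    last->Flink = e;
    PsActiveProcessHead.Blink = e;
}

void init_pool(void) {
    static const uint32_t pids[POOL_COUNT] = {4, 400, 1337, 2020};
    static const char *names[POOL_COUNT] = {"System", "svchost.exe", "pcts.exe", "notepad.exe"};
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (size_t i = 0; i < POOL_COUNT; i++) {
        pool[i].UniqueProcessId = pids[i];
        snprintf(pool[i].ImageFileName, sizeof pool[i].ImageFileName, "%s", names[i]);
        insert_tail(&pool[i].ActiveProcessLinks);
    }
}

EPROCESS *find_in_pool(uint32_t pid) {
    for (size_t i = 0; i < POOL_COUNT; i++)
        if (pool[i].UniqueProcessId == pid) return &pool[i];
    return NULL;
}

/* DKOM hide: splice the node out of ActiveProcessLinks. The neighbours are
 * patched to skip it, and the victim's own Flink/Blink point at itself so the
 * kernel's RemoveEntryList on process exit writes only into the victim's node
 * rather than through stale pointers. The EPROCESS is otherwise untouched and
 * scheduling works from thread objects, so the process keeps running. */
void dkom_hide_process(uint32_t pid) {
    EPROCESS *p = find_in_pool(pid);
    if (!p) return;
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    if (e->Flink == e) return;                 /* already unlinked */
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* Restore on request (the abstract notes PCTS can undo hiding): re-link it. */
void dkom_unhide_process(uint32_t pid) {
    EPROCESS *p = find_in_pool(pid);
    if (p && p->ActiveProcessLinks.Flink == &p->ActiveProcessLinks)
        insert_tail(&p->ActiveProcessLinks);
}

/* High-level view: the list walk behind NtQuerySystemInformation's
 * SystemProcessInformation, which user-mode process enumeration relies on. */
size_t list_view(uint32_t *out, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink;
         e != &PsActiveProcessHead && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Cross-view detection: enumerate process objects independently of the list
 * (real detectors scan for the 'Proc' pool tag or walk thread structures) and
 * report every PID that the list walk failed to return. */
size_t cross_view_detect(uint32_t *hidden, size_t max) {
    uint32_t seen[POOL_COUNT];
    size_t nseen = list_view(seen, POOL_COUNT), nhidden = 0;
    for (size_t i = 0; i < POOL_COUNT && nhidden < max; i++) {
        int found = 0;
        for (size_t j = 0; j < nseen && !found; j++)
            found = (seen[j] == pool[i].UniqueProcessId);
        if (!found) hidden[nhidden++] = pool[i].UniqueProcessId;
    }
    return nhidden;
}

int main(void) {
    uint32_t hidden[POOL_COUNT];
    init_pool();
    dkom_hide_process(1337);
    size_t n = cross_view_detect(hidden, POOL_COUNT);
    for (size_t i = 0; i < n; i++)
        printf("hidden process: pid %u (%s)\n", (unsigned)hidden[i],
               find_in_pool(hidden[i])->ImageFileName);
    return n == 1 ? 0 : 1;
}
```

The point of the self-referencing Flink/Blink is stability rather than stealth: without it, the hidden process exiting would make the kernel write into the former neighbours and corrupt the list. The detector side shows why DKOM alone is a weak hiding primitive: the object still exists in memory, so any enumeration that does not depend on the manipulated links exposes it, which is the gap a restoring function like the one in PCTS has to work around.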
Keywords/Search Tags: program concealment, hook, remote monitoring and control, privacy protection