
Research On Implementation And Detection Of Improved Rootkit

Posted on: 2012-06-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y B He
GTID: 2218330371462512
Subject: Communication and Information System

Abstract/Summary:
With the rapid development of Internet technologies, computer security issues are increasingly prominent. At present a major threat to computer security is the Rootkit attack technique. Technological innovation around the implementation and detection of Rootkits has become important work for computer security. In this thesis, research is carried out on improved methods of Rootkit attack and detection. Several improved methods are conceived and implemented. After system testing, the Rootkit attack code and the testing software achieve the desired objectives. SSDT exact addressing, driver stack hiding and disk accessing have a certain engineering value for anti-virus software, encryption software, etc.

The main contents include:

(1) The implementation, advantages and disadvantages of Rootkit attacks and detection are analyzed, and the two major improved methods of Rootkit (improvement of the original Rootkit techniques, and new hiding points) are analyzed in detail. On this basis, a priority-startup behavior analysis system is designed. The system stops unconventional loading in the driver layer and uses priority-startup technology in order to protect the deployment of probes in behavior analysis. Besides, a report generation module is designed to share information with other software.

(2) In traditional SSDT detection software the definition of the trusted address is not accurate enough and the addressing method is easily affected. To solve this, an improved SSDT detection method is designed. This method defines the trusted address range precisely by loading a driver into the kernel's Process Control Region, while establishing a more complex process to calculate the exact address of each SSDT function. Test results show that this detection method can detect a variety of SSDT_Hooks with less impact on the system.

(3) In order to avoid detection by the File-filter-based Detection System, based on the characteristics of the file filter driver and by modifying the I/O stack location, two kinds of Rootkit with a new hiding point are implemented: DeviceObject Rootkit and Completion Routine Rootkit. They can break the monitoring of the File-filter-based Detection System. Test results show that the two Rootkits can evade the File-filter Detection System.

(4) In order to detect these two Rootkits, a disk-accessing system is designed. This system uses an independent I/O access mechanism and can send commands directly to the disk, in order to avoid the influence of IO_STACK_LOCATION. Test results show that the disk-accessing system can detect both DeviceObject Rootkit and Completion Routine Rootkit, while the impact on the disk and the system is relatively small.
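The trusted-address-range check behind the SSDT detection method in item (2), as an added user-mode simulation that is not the thesis's driver code: a constructed service descriptor table is walked and every dispatch entry that points outside the trusted kernel image range is reported as a suspected SSDT hook. The struct layout, the ntoskrnl base and size, and all table addresses are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed user-mode model of the 32-bit kernel's service descriptor table
   (KiServiceTable). Layout and all addresses are sample assumptions, not thesis code. */
typedef struct {
    uintptr_t *ServiceTableBase;        /* array of dispatch routine addresses */
    uint32_t  *ServiceCounterTableBase; /* not used by the check */
    uint32_t   NumberOfServices;
    uint8_t   *ParamTableBase;          /* not used by the check */
} SERVICE_DESCRIPTOR_TABLE;

typedef struct { uintptr_t base; size_t size; } TRUSTED_RANGE; /* [base, base+size) */

static int in_trusted_range(uintptr_t addr, const TRUSTED_RANGE *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= r[i].base && addr < r[i].base + r[i].size) return 1;
    return 0;
}

/* Walk the table; an entry pointing outside every trusted image is a suspected
   SSDT hook. Returns the number found and writes their indexes into hits. */
size_t scan_ssdt(const SERVICE_DESCRIPTOR_TABLE *sdt, const TRUSTED_RANGE *r,
                 size_t nr, uint32_t *hits, size_t max_hits) {
    size_t found = 0;
    for (uint32_t i = 0; i < sdt->NumberOfServices; i++)
        if (!in_trusted_range(sdt->ServiceTableBase[i], r, nr)) {
            if (found < max_hits) hits[found] = i;
            found++;
        }
    return found;
}

/* Constructed sample: ntoskrnl image at 0x80400000, size 0x200000; entry 2 has
   been redirected to an address inside some other loaded driver. */
#define NTOS_BASE 0x80400000u
#define NTOS_SIZE 0x200000u
static uintptr_t sample_table[] = { NTOS_BASE + 0x1000, NTOS_BASE + 0x2000,
                                    0xF8A10000u, NTOS_BASE + 0x3000 };
static const TRUSTED_RANGE sample_ranges[] = { { NTOS_BASE, NTOS_SIZE } };

/* Runs the check over the constructed table; returns the number of suspect entries. */
size_t demo_scan(uint32_t *hits, size_t max_hits) {
    SERVICE_DESCRIPTOR_TABLE sdt = { sample_table, NULL, 4, NULL };
    return scan_ssdt(&sdt, sample_ranges, 1, hits, max_hits);
}
```

On the constructed table demo_scan reports exactly one suspect entry, index 2; in a real scanner the trusted ranges would be filled from the loaded kernel image's base and size rather than from constants.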
Keywords/Search Tags: priority started, behavior analysis system, SSDT_Hook, trusted address space, File-Filter Detection System, IO_STACK_LOCATION