Windows 7 is the latest version of Microsoft's operating system. It is based on the Vista system and is widely used. Against this operating system, the traditional methods of network attack no longer work, and how to bypass its security mechanisms has become a hot topic of current research. The information available in this domain shows that Windows 7's security rests mainly on its memory protection mechanisms, access control mechanisms and kernel protection mechanisms, and these mechanisms pose a serious challenge to network attacks. With the support of a certain department's pre-research fund "Research on ** technologies and key problems of next-generation network environment", this thesis studies the security mechanisms of Windows 7 and their weaknesses by reverse analysis, and seeks methods for evading those security mechanisms.

The contributions of this thesis are:

1. Based on the available reverse analysis tools, an analysis method for Windows 7's security mechanisms is proposed. The method relies on dynamic tracing in most cases and combines it with the advantages of static analysis to study the security mechanisms of Windows 7. Results show that the method achieves the goal of analysing Windows 7's security mechanisms and yields flow charts of their key parts.

2. With regard to the memory protection mechanisms, the thesis proposes a bypass method based on code reuse. The method brings return-oriented programming (ROP) into the traditional code-reuse method. It uses a vulnerable program module for which the ASLR mechanism is not enabled to obtain the addresses of key functions, and a trie structure is used to improve gadget finding in ROP. Experiments show that, on the premise of exploiting a third-party software vulnerability, the method can bypass the combined DEP and ASLR protection on Windows 7.

3. With regard to the access control mechanisms, the thesis proposes a bypass method based on vulnerability exploitation. The method uses a characteristic of Windows 7: a child process created by a high-privilege process also has high-level permissions. The method elevates privileges in two ways: one uses the known vulnerability MS11-012, and the other uses the auto-elevation characteristic of UAC. Tests show that the method can obtain high privileges on Windows 7 without an elevation prompt popping up.

4. With regard to the kernel protection mechanisms, the thesis proposes a bypass method based on reverse analysis. The method is based on a detailed analysis of two files in the system boot process, bootmgr and winload.exe, and bypasses the key function of the kernel integrity verification mechanism in the kernel loading process by modifying these two files. Results show that, on the premise of having obtained elevated privileges, the system still restarts normally after the two key files are replaced. Hence the method can bypass part of Windows 7's kernel integrity verification mechanism.

5. An attack program model based on buffer overflow was designed and implemented for the Windows 7 system and tested on a physical machine. The results show that the program achieves the goal of bypassing parts of Windows 7's security mechanisms.
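The DEP/ASLR bypass in contribution 2 depends on a loaded module that did not opt into ASLR, which is exactly what a defender audits for: each module's PE optional header carries a DllCharacteristics word whose DYNAMIC_BASE (0x0040) and NX_COMPAT (0x0100) bits tell the loader whether the image may be randomised and whether DEP applies, and an image whose relocations are stripped cannot be rebased even if DYNAMIC_BASE is set. The following is an added example, not code from the thesis: a small PE header audit in Python, using only the documented PE/COFF layout (e_lfanew at 0x3C, a 20-byte COFF header, DllCharacteristics at offset 70 of the optional header in both PE32 and PE32+). The helper `build_test_image` fabricates a minimal, non-loadable header purely so the audit can be exercised offline; its values are constructed for the example.

```python
import struct

# DllCharacteristics flags from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image opts into DEP
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
# COFF Characteristics flag: base relocations removed, so the image cannot be rebased.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def parse_pe_flags(image: bytes) -> dict:
    """Read COFF Characteristics, optional-header magic and DllCharacteristics
    from the raw bytes of a PE file (only the headers are needed)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_characteristics = struct.unpack_from("<H", image, opt + 70)[0]
    return {"characteristics": characteristics, "magic": magic,
            "dll_characteristics": dll_characteristics}


def audit_mitigations(image: bytes) -> dict:
    """Report which exploit mitigations the image opts into. ASLR is only
    counted as effective when the image also keeps its relocations."""
    f = parse_pe_flags(image)
    dc = f["dll_characteristics"]
    relocs_stripped = bool(f["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    aslr_flag = bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": f["magic"] == 0x20B,
        "aslr": aslr_flag and not relocs_stripped,
        "aslr_flag_but_relocs_stripped": aslr_flag and relocs_stripped,
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(dc & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the two mitigations the thesis targets that the image lacks."""
    r = audit_mitigations(image)
    missing = []
    if not r["aslr"]:
        missing.append("ASLR")
    if not r["dep"]:
        missing.append("DEP")
    return missing


def audit_file(path: str) -> dict:
    """Audit a PE file on disk (hypothetical helper for use on real modules)."""
    with open(path, "rb") as fh:
        return audit_mitigations(fh.read(4096))   # headers sit at the front


def build_test_image(dll_characteristics: int, characteristics: int = 0x2102,
                     pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (DOS stub + PE signature + COFF header +
    optional header). It is not loadable; it exists only to exercise the audit."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> right after DOS header
    opt_size = 112 if pe32plus else 96                    # standard fields only, no data directories
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A module built without /DYNAMICBASE: exactly the kind of module a
    # ROP-based DEP/ASLR bypass relies on, and what this audit is meant to flag.
    sample = build_test_image(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print(audit_mitigations(sample), missing_mitigations(sample))
```

Running `audit_file` over every DLL and EXE shipped with an application is the practical use: any module reported as missing ASLR (or carrying the DYNAMIC_BASE flag with relocations stripped) is a candidate for the fixed-address code reuse described above and should be rebuilt with `/DYNAMICBASE` and `/NXCOMPAT`, or excluded from the process.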