
Hidden Process Technique And Its Application In The Malicious Code Detection

Posted on: 2013-12-28
Degree: Master
Type: Thesis
Country: China
Candidate: D C Zhang
Full Text: PDF
GTID: 2248330377958956
Subject: Computer application technology

Abstract/Summary:
With the rapid development of Internet technology, people are paying more and more attention to network security. Viruses and Trojans are no longer aimed simply at damaging the system and showing off their authors' skills; instead they sneak into the system, hide themselves, collect data, and damage the system to extract money. To avoid detection, backdoors adopt techniques to hide themselves, among which process hiding is the most basic.

The current state of rootkits is presented, followed by the rootkits' working principles, including API hooking, system memory modification and kernel object manipulation. IAT Hook and Inline Hook in user mode, and IDT Hook, SSDT Hook and Direct Kernel Object Manipulation (DKOM) in kernel mode, are analyzed in this paper. Furthermore, several classical rootkit detection tools targeted at specific objects are presented.

Based on the analysis of the process-hiding techniques used by rootkits, a multilayer, multi-method hidden-process detection system with complete self-integrity protection was designed. The system protects itself against attack by malicious code and detects rootkits in both user mode and kernel mode, including rootkits that have been modified. In user mode, the detection system relies on kernel function calls; in kernel mode, it uses memory-scanning-based hook detection, process-list-based detection, thread-list-based detection and thread-dispatch-based detection. Malicious code cannot cope with so many detection methods at once, which makes the designed components universal and efficient. Moreover, handling of hidden processes was implemented by analyzing process management in kernel mode.

Finally, the system was built with VS2005 and tested by a series of experiments, and it achieved the expected results.
Keywords/Search Tags: process, hide, Rootkit, malicious code, detection
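The detection system described in the abstract combines several independent views of the process population (process list, thread list, thread dispatch) so that a rootkit which tampers with one enumeration path is exposed by another. The following added example, which is not code from the thesis and which targets Linux rather than the Windows kernel the thesis works on, shows the same cross-view principle in user space: it collects the PID set from the readdir() listing of /proc and from a direct kill(pid, 0) probe of every possible PID, normalises thread ids to their thread-group id, and reports any PID the views disagree on. The path `/proc` and the fallback `pid_max` of 32768 are assumptions; the second-round intersection in `stable_suspects` filters out processes that merely started or exited between two collections.

```python
"""Cross-view hidden-process detection on Linux (added example, not from the thesis)."""
import os
from typing import Callable, Dict, Optional, Set

PROC = "/proc"  # assumption: a standard Linux procfs mount


def read_pid_max(default: int = 32768) -> int:
    """Upper bound of PIDs the kernel hands out; falls back to the classic default."""
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def tgid_of(task_id: int) -> int:
    """Map a task id to its thread-group id (the real PID) via /proc/<id>/status.
    kill() accepts thread ids too, so the probe view must be normalised or every
    non-leader thread would look like a hidden process. If status is unreadable,
    which is exactly what a hidden entry looks like, the id is returned unchanged."""
    try:
        with open(f"{PROC}/{task_id}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return task_id


def view_procfs_listing() -> Set[int]:
    """View A: what readdir(/proc) shows, i.e. the list user-mode tools rely on."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def view_signal_probe(pid_max: Optional[int] = None) -> Set[int]:
    """View B: ask the kernel about every possible PID with kill(pid, 0).
    EPERM still means the task exists (owned by another user); ESRCH means it does not."""
    limit = pid_max if pid_max is not None else read_pid_max()
    seen: Set[int] = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        seen.add(tgid_of(pid))
    return seen


def cross_view_diff(views: Dict[str, Set[int]]) -> Dict[int, Dict[str, bool]]:
    """Pure core: for every PID that is not visible in *all* views, report which
    view saw it. An empty result means the views agree."""
    union: Set[int] = set().union(*views.values()) if views else set()
    report: Dict[int, Dict[str, bool]] = {}
    for pid in sorted(union):
        presence = {name: pid in pids for name, pids in views.items()}
        if not all(presence.values()):
            report[pid] = presence
    return report


def stable_suspects(collect: Callable[[], Dict[str, Set[int]]], rounds: int = 2) -> Set[int]:
    """Collect the views `rounds` times and keep only PIDs flagged every time,
    which removes transient disagreements caused by processes starting or exiting mid-scan."""
    flagged: Optional[Set[int]] = None
    for _ in range(rounds):
        now = set(cross_view_diff(collect()))
        flagged = now if flagged is None else flagged & now
    return flagged if flagged is not None else set()


def collect_live_views() -> Dict[str, Set[int]]:
    """Gather both live views of this host."""
    return {"procfs_listing": view_procfs_listing(), "signal_probe": view_signal_probe()}


if __name__ == "__main__":
    suspects = stable_suspects(collect_live_views)
    if not suspects:
        print("views agree: no hidden process candidates")
    for pid in sorted(suspects):
        print(f"PID {pid} is visible in some views but not others: {cross_view_diff(collect_live_views())[pid]}")
```

Run it as a user who can signal the processes of interest; a PID that the probe view reports but the listing does not is the user-space analogue of the process-list discrepancy the thesis detects in kernel mode. A rootkit that hides a task from both paths consistently is out of reach of this script, which is why the thesis adds kernel-mode views such as the thread list and the dispatcher.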