
Research Of Shadow Reduction System Based On Proactive Defense

Posted on: 2013-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: K Liu
Full Text: PDF
GTID: 2248330392457890
Subject: Information security

Abstract/Summary:
With the rapid development of Internet technology, network security issues have become more and more serious. Attack means such as viruses, Trojans and malicious code have proliferated. In particular, traditional Trojan horses have transformed into new, profit-driven Trojans: they use a group development model that separates sales, development, updating, dissemination and billing; improve the efficiency of development and dissemination; bypass the monitoring of security software; and use the instant messaging tool QQ to establish a group model for Trojan upgrading, so as to implement a Trojan production chain used to gain commercial interest illegally.

The transformation of Trojans has greatly impacted the security model of security software. In particular, Trojans that can penetrate shadow reduction (virtual restore) systems have become the mainstream means of attack, and such stubborn Trojans are very difficult to kill and remove completely; instead, they use the virtual restore of the shadow reduction system as their own means of protection.

In this paper, through IDA static disassembly and WinDbg debugging, the principle of the shadow reduction system and the techniques by which Trojan samples penetrate the restore are analysed. Addressing the shadow reduction system's own security flaws and shortcomings in product design, and combining them with the security features of security software, a shadow reduction system with active defence functions, VDSS, is developed. VDSS consists of a virtual restore module, a trusted program detection module and an anti-Trojan penetration module. The core modules of VDSS are analysed, designed and coded in detail: virtual restore is achieved by writing filter drivers; trusted program detection is achieved using the open-source anti-virus software ClamAV and Microsoft's digital signature library; PE file loading is monitored by inline hooking MmLoadSystemImage() and by using the kernel callback functions PsSetCreateProcessNotifyRoutine() and PsSetLoadImageNotifyRoutine(); and, combined with the filter drivers, this finally yields the anti-Trojan penetration module.

Finally, Trojan samples such as "machine dog" and "ghost shadow" are used in comparison tests of VDSS, a common shadow reduction system and security software. The results show that VDSS can defend against these samples' penetration attacks and achieves a good protective effect.
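The abstract describes virtual restore only as something achieved with a filter driver. The following is an added illustration, not code from the thesis or from VDSS, of the mechanism such a filter provides: a protected base volume plus a per-session shadow area, with every write redirected to the shadow and the restore at reboot reduced to discarding the redirection map. The block-level copy-on-write layout, block size and the names shadow_volume, shadow_write, shadow_read and shadow_restore are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the virtual-restore ("shadow reduction") idea (assumption for this
 * example: block-level copy-on-write; the thesis only states that the restore is
 * implemented with a filter driver). A protected base volume is never written;
 * the filter layer redirects writes to a shadow area and serves reads from the
 * shadow where a block has been redirected, otherwise from the base. Restoring
 * the system is then just forgetting the redirection map. */

#define BLOCK_SIZE 64   /* small block size for the demonstration */
#define NUM_BLOCKS 8

typedef struct {
    uint8_t base[NUM_BLOCKS][BLOCK_SIZE];    /* protected contents */
    uint8_t shadow[NUM_BLOCKS][BLOCK_SIZE];  /* redirected writes */
    uint8_t redirected[NUM_BLOCKS];          /* 1 = current copy lives in shadow */
} shadow_volume;

void shadow_init(shadow_volume *v) { memset(v, 0, sizeof *v); }

/* Filter-level write: never touches base, only the shadow area. */
int shadow_write(shadow_volume *v, unsigned lba, const uint8_t *buf) {
    if (lba >= NUM_BLOCKS) return -1;
    memcpy(v->shadow[lba], buf, BLOCK_SIZE);
    v->redirected[lba] = 1;
    return 0;
}

/* Filter-level read: the shadow copy wins if one exists. */
int shadow_read(const shadow_volume *v, unsigned lba, uint8_t *buf) {
    if (lba >= NUM_BLOCKS) return -1;
    memcpy(buf, v->redirected[lba] ? v->shadow[lba] : v->base[lba], BLOCK_SIZE);
    return 0;
}

/* What the reboot restore does: drop every redirection, base reappears unchanged. */
void shadow_restore(shadow_volume *v) { memset(v->redirected, 0, sizeof v->redirected); }

/* Number of blocks whose visible content currently differs from base. */
unsigned shadow_redirected_count(const shadow_volume *v) {
    unsigned n = 0;
    for (unsigned i = 0; i < NUM_BLOCKS; i++) n += v->redirected[i];
    return n;
}

/* Constructed scenario: a program modifies block 2 through the filter; after the
 * restore the original content is back. Returns 1 if the model behaves as expected. */
int shadow_selftest(void) {
    shadow_volume v;
    uint8_t buf[BLOCK_SIZE];
    shadow_init(&v);
    memset(v.base[2], 'A', BLOCK_SIZE);                     /* original data */

    memset(buf, 'B', BLOCK_SIZE);
    if (shadow_write(&v, 2, buf) != 0) return 0;            /* session write */
    if (shadow_read(&v, 2, buf) != 0 || buf[0] != 'B') return 0;
    if (shadow_redirected_count(&v) != 1) return 0;
    if (memcmp(v.base[2], "AAAA", 4) != 0) return 0;        /* base untouched */

    shadow_restore(&v);                                     /* "reboot" */
    if (shadow_read(&v, 2, buf) != 0 || buf[0] != 'A') return 0;
    if (shadow_redirected_count(&v) != 0) return 0;
    if (shadow_write(&v, NUM_BLOCKS, buf) != -1) return 0;  /* bounds check */
    return 1;
}

int main(void) {
    printf("shadow volume model: %s\n", shadow_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Everything this model protects depends on a write actually passing through the filter layer, which is why the abstract pairs the filter driver with monitoring of PE file loads and process creation: a kernel-mode image that is not a trusted program is the thing the anti-Trojan penetration module is there to catch before it can interact with the volume below the filter.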
Keywords/Search Tags: Shadow Reduction System, Proactive Defense, Pass-Through Trojan, System Kernel, Filter Driver