
Research On Kernel Rootkit Detection And Protection Based On Android Platform

Posted on: 2014-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: C G Hao
Full Text: PDF
GTID: 2268330401964390
Subject: Information and Communication Engineering

Abstract/Summary:
With the rapidly growing popularity of smartphones, the Android system has also developed rapidly. Android's share of the mobile phone market now exceeds half, making it one of the most popular mobile platforms. The Android system uses the Linux kernel and offers a great deal of openness and ease of use. However, because the Android application market is poorly regulated, malicious programs on the Android platform are also very common, which poses a serious threat to the security of the Android system. A Rootkit is a concealed malicious program. After an attacker has successfully compromised a system, they usually leave a backdoor behind, and a Rootkit is the tool of choice: it helps the attacker collect the user's private information and erase the traces of the attack, and it is difficult to discover and remove.

Starting from the characteristics and running environment of Rootkits, this thesis first gives a detailed classification of Android platform Rootkits and explains their specific functions. It then analyzes the Android operating system in detail, in particular the Android system architecture, its security mechanisms, the telephony system and loadable modules. Finally, the ARM processor is introduced in detail and the handling of ARM software interrupts is analyzed. The thesis then conducts an in-depth analysis of the principles and key techniques used to implement Android platform Rootkits, including system call hijacking, module hiding, file hiding, attacks on the telephony system and process hiding. Based on these principles and techniques, corresponding Rootkit test cases are designed and implemented.

Finally, according to the characteristics of Android platform Rootkits, the thesis presents an MD5-based Android kernel Rootkit detection and protection program, together with its design and implementation. The system consists of three components: the daemon module, the detection module and the protection module. The daemon module provides data to the detection module and the protection module. The detection module is the core of the system. It first extracts data from the daemon module to serve as the reference standard for detection and protection; it then detects hidden processes, checks the entry address of each system call function, checks the body of each system call function, detects hidden files, detects hidden modules, and checks the telephony system. Hidden-module detection computes the MD5 value of the first module's name and compares it with the MD5 value stored in the daemon module. If they are equal, no hidden module exists in the system, and the MD5 value of the new module's name and the module name itself are used to update the corresponding values in the daemon module; otherwise, a Rootkit may exist in the system, and the module name extracted from the daemon module is the Rootkit's name. The protection module mainly restores critical system data when the detection module finds that it has been tampered with; its implementation is integrated into the detection module.
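The detection logic described above, as an added illustration that is not the thesis's own code: a baseline of system call entry addresses and body hashes plus the MD5 of the first loaded module's name is recorded at a known-clean time (the daemon module's role), and later snapshots are compared against it. The snapshot format, function names and sample addresses are assumptions for this example; the constructed data plays the part of what a kernel component would read from the system call table and the module list.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """MD5 digest as hex, the comparison value the daemon module stores."""
    return hashlib.md5(data).hexdigest()


def make_baseline(syscalls, modules):
    """Record reference data at a known-clean time (the daemon module's job).
    syscalls: {name: (entry_addr, body_bytes)}; modules: loaded-module names, newest first."""
    return {
        "syscalls": {n: {"addr": a, "body_md5": md5_hex(b)} for n, (a, b) in syscalls.items()},
        "first_module": modules[0],
        "first_module_md5": md5_hex(modules[0].encode()),
    }


def check_syscalls(baseline, current):
    """Compare each system call's table entry and body hash against the baseline.
    Returns (name, finding) pairs; an empty list means nothing was tampered with."""
    findings = []
    for name, ref in baseline["syscalls"].items():
        addr, body = current[name]
        if addr != ref["addr"]:
            findings.append((name, "entry address changed"))  # table entry redirected
        elif md5_hex(body) != ref["body_md5"]:
            findings.append((name, "function body changed"))  # code patched in place
    return findings


def check_hidden_module(baseline, modules):
    """Thesis rule: hash the first module's name and compare with the stored MD5.
    Equal -> no hidden module (None); otherwise the stored name is the suspect module."""
    if md5_hex(modules[0].encode()) == baseline["first_module_md5"]:
        return None
    return baseline["first_module"]


# Constructed sample data (not from the thesis): two syscalls and a module list in
# which "rk_mod" was recorded by the daemon when it loaded, then unlinked itself.
CLEAN_SYSCALLS = {"sys_open": (0xC0001000, b"\xe9\x2d\x40\x00"),
                  "sys_read": (0xC0002000, b"\xe5\x9f\x30\x10")}
TAMPERED_SYSCALLS = {"sys_open": (0xBF000100, b"\xe9\x2d\x40\x00"),   # entry hijacked
                     "sys_read": (0xC0002000, b"\xea\x00\x00\x10")}   # body patched
BASELINE = make_baseline(CLEAN_SYSCALLS, ["rk_mod", "wlan", "fuse"])
```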
Keywords/Search Tags: Android, Rootkit, Kernel, Detection