
Research And Implementation Of Active Defense Technology Based On Rootkit

Posted on: 2014-05-29    Degree: Master    Type: Thesis
Country: China    Candidate: F Peng    Full Text: PDF
GTID: 2268330401965496    Subject: Computer technology
Abstract/Summary:
The architecture of the Windows NT-based operating system was originally designed without much consideration for host security; it emphasized powerful system functionality and a user-friendly interface. With the development of network information technology, however, widespread research into virus and Trojan techniques for the Windows platform has exposed a steady stream of host security problems. How to protect the host, block virus and rootkit attacks on the host system in a timely manner, and minimize host system security risk has become an important area of security research. Viruses and Trojans on one side and security software products on the other are the attacker and defender of host security, and both use rootkit technology, at different levels, to steal information or to protect themselves. Only with a deeper knowledge and understanding of this type of attack technique can we study further how to use anti-virus and anti-rootkit technology to detect it and to build a strategy of proactive defense. This thesis first introduces the widely used, mature technologies employed by rootkits; these technologies are the foundation of the proactive defense system that follows, and only with a thorough knowledge of them can we introduce detection and proactive defense strategies. Second, it researches and implements a detection module and a proactive defense module. Given the diversity of rootkit techniques, we introduce a rootkit detection method based on cross-comparison, which overcomes the shortcoming of traditional rootkit detection tools that each address only a single rootkit technique. Through analysis of the application behavior monitoring module, we take an innovative approach: hooking KiFastCallEntry, the kernel function that is the only path from the user layer into the kernel layer. On this basis we design and implement a proactive defense framework that is easy to modify and control and has good scalability. This strategy does not depend on the proliferation of malicious programs.
Experimental results in a virtual execution environment show that the framework has very good stability and scalability. Building on the framework, process proactive defense, registry proactive defense and file proactive defense are researched and implemented. The final design of the thesis is the driver firewall, which sets up a barrier to prevent a rootkit from loading drivers to attack the proactive defense system. The proactive defense system therefore has strong robustness compared with traditional anti-virus and anti-Trojan software. On the other hand, by analyzing the behavior of applications it overcomes the shortcoming of the traditional anti-virus signature scanning method, which can find only known viruses and not unknown ones.
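The cross-comparison detection method named above is illustrated by the following added example, which is not code from the thesis. It assumes the usual cross-view reading of the term: enumerate the same objects (here, processes) through a high-level API view that a hooked system service table could filter, and through a lower-level view such as a raw kernel list walk, then report what disagrees. All snapshots are constructed sample data, and the example goes one step beyond the abstract by requiring a discrepancy to persist across two successive rounds so that processes that merely start or exit between the two enumerations are not reported as hidden.

```python
"""Cross-view (cross-comparison) rootkit detection over constructed snapshots.

Added illustration of the cross-comparison method the abstract names; not code
from the thesis. Each view is modelled as a dict pid -> image name: 'high' is
the user-mode API enumeration a rootkit can filter, 'low' is a lower-level
view (kernel list walk or PID brute force). All data here is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    pid: int
    kind: str   # "hidden": low view only; "phantom": high view only;
                # "mismatch": same pid, different image name in the two views
    name: str


def diff_views(high, low):
    """Compare one pair of snapshots and return a set of Finding objects."""
    findings = set()
    for pid in low.keys() - high.keys():
        findings.add(Finding(pid, "hidden", low[pid]))
    for pid in high.keys() - low.keys():
        findings.add(Finding(pid, "phantom", high[pid]))
    for pid in high.keys() & low.keys():
        if high[pid] != low[pid]:
            findings.add(Finding(pid, "mismatch", f"{high[pid]} != {low[pid]}"))
    return findings


def detect(rounds):
    """Report only discrepancies that persist across every round.

    rounds: list of (high, low) snapshot pairs taken one after another.
    Requiring a finding in all rounds filters processes that merely started
    or exited between the two enumerations of a single round, which would
    otherwise yield false 'hidden' or 'phantom' results.
    """
    if not rounds:
        return []
    per_round = [diff_views(h, l) for h, l in rounds]
    stable = set.intersection(*per_round)
    return sorted(stable)


# Constructed snapshots (not captured from a real system).
ROUNDS = [
    (   # round 1: high-level view first, then low-level view
        {4: "System", 520: "smss.exe", 1234: "explorer.exe", 3000: "notepad.exe"},
        {4: "System", 520: "smss.exe", 1234: "explorer.exe", 3000: "notepad.exe",
         6666: "rk_helper.exe",      # visible only below the hooked API: suspicious
         4100: "short_lived.exe"},   # started between the two enumerations
    ),
    (   # round 2: notepad exited right after the high-level enumeration
        {4: "System", 520: "smss.exe", 1234: "explorer.exe", 3000: "notepad.exe"},
        {4: "System", 520: "smss.exe", 1234: "explorer.exe",
         6666: "rk_helper.exe"},
    ),
]

if __name__ == "__main__":
    for f in detect(ROUNDS):
        print(f"{f.kind:8} pid={f.pid} {f.name}")
```

Run stand-alone, the script reports only pid 6666 as hidden: the short-lived process of round 1 and the exited notepad of round 2 each produce a discrepancy in one round only and are dropped by the intersection. A real implementation would also compare kernel-object views (driver lists, the system service table itself), which the same intersection logic handles unchanged.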
Keywords/Search Tags: Rootkit Technology, Proactive Defense, System Service Table, Driver Firewall