
Research And Application Of Rootkit Technology Under Windows NT6.X Family Of Operating Systems

Posted on: 2014-09-15
Degree: Master
Type: Thesis
Country: China
Candidate: L Jiang
Full Text: PDF
GTID: 2268330425468003
Subject: Software engineering
Abstract/Summary:
In recent years, with the rapid development of Internet applications, more and more people have become inseparable from the network, and network security issues have become increasingly prominent; computer network penetration and theft of sensitive information occur from time to time. While users enjoy a fast and convenient network, they are also under threat from viruses, Trojans, and other malicious programs. A rootkit is a technology that works at the lowest levels of an operating system, usually used by attackers to hide their tracks and retain root access; its ultimate goals are hiding files, network connections, registry keys, processes and so on. As a relatively low-level network intrusion technology and a core technique, rootkit technology is taken increasingly seriously by both attackers and defenders in information security; only by understanding this type of attack technology well can one go on to study how to detect and prevent it.

The thesis mainly researches rootkit technology on the Windows NT OS, and it is divided into the following two parts: implementing rootkit technology on the Windows NT x86 system, and breaking through the Windows NT security mechanisms.

First, this thesis introduces the background and significance of the subject, describes the development of rootkit technology and the research on the Windows NT OS, and analyses the challenges that the Windows NT OS poses by restricting rootkit technology. Then, the thesis analyses two important security mechanisms of the Windows NT OS that severely affect rootkits, namely UAC and Mandatory Driver Signing, focusing especially on the Windows NT OS. After that, the thesis discusses in detail how to break through proactive defense, the application of rootkits on the Windows NT 32-bit system, and breaking through the Windows NT security mechanisms.

The part on implementing rootkit technology on the Windows NT 32-bit system first analyses the differences between the new Windows NT 32-bit system and the Windows 2000/XP system, especially in the network module and the kernel data structures. On that basis, the thesis implements the following functions: hiding connections, hiding processes, hiding registry keys, kernel injection and so on. Finally, the thesis tests the rootkit program built on this research and points out what will be done in the future.
Keywords/Search Tags: Rootkit, Windows NT OS, hidden connection, DKOM