
The Research And System Implementation Of The Detection Model Of Windows Bootkit Based On Behaviour Characteristics

Posted on: 2017-05-23    Degree: Master    Type: Thesis
Country: China    Candidate: Y F Zhao    Full Text: PDF
GTID: 2308330485981026    Subject: Information security
Abstract/Summary:
A bootkit is a kind of rootkit, and the wide use of the Windows operating system provides a reliable platform for its development and spread. Today a bootkit can gain control earlier than the operating system by implanting itself into boot-stage components such as the MBR and the BIOS, and it then seizes control of the system through a variety of techniques. Bootkits have become more powerful and more harmful; only by following their latest developments closely and identifying their main characteristics can we confront the threat they pose. The rapid development of Windows bootkits has technically benefited from open-source groups and individuals who keep improving their performance. More importantly, as a special kind of Trojan, a bootkit can draw on earlier Trojan models, and it turns out that strong theoretical guidance has accelerated the evolution of bootkits. Therefore, to detect bootkits efficiently and effectively, we need on the one hand more research into the full range of bootkit behaviour characteristics, and on the other hand a detection model.

In this thesis, the hiding features of bootkits are summarised from their main behaviour. The traditional detection methods are then introduced, and their disadvantages show that these methods need improvement and that a detection model must be proposed. After that, the feasibility and significance of such a model are analysed on the basis of the hiding features and the Trojan model. The hiding relationships among the internal components of a bootkit are studied by analysing and abstracting its hidden behaviour characteristics. On that basis, the three elements of the model are established, and from them a detection model based on layered perception is built; this model is called the perception model.

To verify the proposed perception model, a detection system is built and analysed, and the function and design of each module of the system are explained in detail. While implementing each module, new solutions were devised and implemented in place of the old methods in order to improve the detection results. Specifically, from protected mode the system scans the kernel-space memory that was in use while the system was still in real mode, in order to observe the kernel-level behaviour of bootkits, and detection of hidden drivers and processes realises the layered perception. Finally, the detection system based on the perception model is tested against the main bootkits currently in circulation, and debugging techniques are used to confirm the results and to verify the validity and generality of the model. The detection results of the perception system are then compared with those of other detection tools, and the superiority of the system is demonstrated.
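The abstract describes scanning, from protected mode, the memory the system used while it was still in real mode. The following is an added example, not code from the thesis or its detection system, of what such a scan looks for on the real-mode residue: a captured image of the interrupt vector table and BIOS Data Area plus the 512-byte MBR. The IVT/BDA offsets and the 0xA0000 conventional-memory boundary are standard PC facts; the two memory images, the 16 KiB "stolen base memory" layout and the verdict logic are constructed for the example and are assumptions, not measurements of any real bootkit.

```c
/* Added example: a toy "real-mode residue" scanner for bootkit traces.
 * Input: an image of the first 0x500 bytes of physical memory (IVT + BDA),
 * as a protected-mode driver could capture it, plus the 512-byte MBR.
 * Checks applied:
 *   1. Does the INT 13h vector point into conventional RAM that the BDA
 *      claims no longer exists (shrink base memory, park the hook there)?
 *   2. Has the BDA base-memory count dropped below the 640 KiB norm?
 *   3. Does the MBR still carry its 0x55AA boot signature?
 * All memory images below are constructed for this example. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOWMEM_SIZE      0x500       /* IVT 0x000-0x3FF, BDA 0x400-0x4FF */
#define IVT_INT13_OFF    (0x13 * 4)  /* each vector is a 4-byte far pointer */
#define BDA_BASE_MEM_KB  0x413       /* word: base memory size in KiB */
#define CONV_MEM_TOP     0xA0000u    /* end of the 640 KiB conventional area */
#define MBR_SIZE         512
#define NORMAL_BASE_KB   640

typedef struct {
    uint32_t int13_linear;       /* seg*16 + off of the INT 13h handler */
    uint16_t base_mem_kb;        /* what the BDA reports */
    int      hook_in_hidden_ram; /* handler sits in RAM the BDA has hidden */
    int      base_mem_reduced;   /* BDA count below 640 KiB */
    int      mbr_signature_ok;   /* 0x55AA at offset 510 */
} scan_result;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

scan_result scan_real_mode_state(const uint8_t *lowmem, const uint8_t *mbr)
{
    scan_result r;
    uint16_t off = rd16(lowmem + IVT_INT13_OFF);
    uint16_t seg = rd16(lowmem + IVT_INT13_OFF + 2);
    r.int13_linear = (uint32_t)seg * 16u + off;
    r.base_mem_kb  = rd16(lowmem + BDA_BASE_MEM_KB);
    /* A hook above the BDA's base-memory top but below 0xA0000 lives in memory
       carved out so the OS loader never reuses it.  Option ROMs (0xC0000-0xEFFFF)
       and the BIOS itself (0xF0000+) legitimately own INT 13h and are not flagged. */
    r.hook_in_hidden_ram = (r.int13_linear >= (uint32_t)r.base_mem_kb * 1024u) &&
                           (r.int13_linear <  CONV_MEM_TOP);
    r.base_mem_reduced   = r.base_mem_kb < NORMAL_BASE_KB;
    r.mbr_signature_ok   = (mbr[510] == 0x55 && mbr[511] == 0xAA);
    return r;
}

int is_suspicious(const scan_result *r)
{
    /* base_mem_reduced is only reported: a 1 KiB EBDA (639 KiB) is normal on
       many machines, so on its own it is corroboration, not a verdict. */
    return r->hook_in_hidden_ram || !r->mbr_signature_ok;
}

/* Constructed clean machine: INT 13h in BIOS ROM at F000:E3FE, 640 KiB base. */
void build_clean(uint8_t lowmem[LOWMEM_SIZE], uint8_t mbr[MBR_SIZE])
{
    memset(lowmem, 0, LOWMEM_SIZE);
    memset(mbr, 0, MBR_SIZE);
    wr16(lowmem + IVT_INT13_OFF, 0xE3FE);
    wr16(lowmem + IVT_INT13_OFF + 2, 0xF000);
    wr16(lowmem + BDA_BASE_MEM_KB, 640);
    mbr[510] = 0x55; mbr[511] = 0xAA;
}

/* Constructed infected machine: 16 KiB stolen from base memory (640 -> 624)
   and INT 13h redirected to 9C00:0000, the start of the stolen block. */
void build_infected(uint8_t lowmem[LOWMEM_SIZE], uint8_t mbr[MBR_SIZE])
{
    build_clean(lowmem, mbr);
    wr16(lowmem + BDA_BASE_MEM_KB, 624);
    wr16(lowmem + IVT_INT13_OFF, 0x0000);
    wr16(lowmem + IVT_INT13_OFF + 2, 0x9C00);
}

int scan_clean_image(void)
{
    uint8_t lm[LOWMEM_SIZE], mbr[MBR_SIZE];
    build_clean(lm, mbr);
    scan_result r = scan_real_mode_state(lm, mbr);
    return is_suspicious(&r);
}

int scan_infected_image(void)
{
    uint8_t lm[LOWMEM_SIZE], mbr[MBR_SIZE];
    build_infected(lm, mbr);
    scan_result r = scan_real_mode_state(lm, mbr);
    return is_suspicious(&r);
}

int main(void)
{
    uint8_t lm[LOWMEM_SIZE], mbr[MBR_SIZE];
    build_infected(lm, mbr);
    scan_result r = scan_real_mode_state(lm, mbr);
    printf("INT 13h -> %05X, base mem %u KiB, hidden-RAM hook: %d, MBR sig ok: %d\n",
           r.int13_linear, r.base_mem_kb, r.hook_in_hidden_ram, r.mbr_signature_ok);
    printf("clean image suspicious: %d, infected image suspicious: %d\n",
           scan_clean_image(), scan_infected_image());
    return 0;
}
```

The point of the "hidden RAM" test rather than a plain "vector not in F000" test is the caveat the thesis alludes to when it compares against traditional tools: a rule that is too crude fires on every SCSI or RAID option ROM that legitimately hooks INT 13h, while the combination of a reduced BDA count and a handler inside the removed region is the behaviour characteristic, not just a single indicator.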
Keywords/Search Tags:Bootkit, detecting model, perception model, behavior characteristic