
Research And Implementation On Kernel Hijacking Technology Based On Multi-Boot Medium

Posted on: 2018-04-16
Degree: Master
Type: Thesis
Country: China
Candidate: H Yue
Full Text: PDF
GTID: 2348330512481404
Subject: Engineering

Abstract/Summary:
The information security field has always focused on the implantation and concealment of malicious code. As attack techniques have improved, the implantation and concealment of malicious programs have moved from the original ring 3 level to the ring 0 level. In recent years, attackers have been able to implant malicious programs at the earliest stage of the computer's boot process. For the security of a computer system, one of the key tasks is to detect malicious code accurately and in time. However, existing security detection methods mainly work after the system has started up, and they cannot efficiently detect malicious code that is implanted during the system startup stage. Since the attack takes place during startup, detection methods should be built on deep research into this attack technique.

In this thesis, we first analyze in depth the representative prototypes for implanting and concealing malicious code during startup. We then design and implement a prototype for implanting and concealing malicious code based on a multi-medium collaborative boot system. After comparing and analyzing the ways in which malicious code can be implanted through multiple startup paths, we propose a defensive strategy for dealing with this kind of attack. Our research mainly covers the following aspects:

1. Research on the startup mechanism of the OS, including the BIOS process and each boot module executed when the system is powered on. On this basis, we study in depth the existing Bootkit prototypes based on a single boot medium and summarize the technical features of these prototypes. Their shortcoming is that they cannot efficiently withstand the proactive defense and static scanning of mainstream security software.

2. To address the problem with single-boot-medium prototypes, a Bootkit prototype based on multiple boot media is designed and implemented. The execution module is written to the boot sector of the disc by implementing the disc's bootable architecture. When the system starts, we hijack the CD boot process, modify the entry address of a BIOS interrupt call, and set up the hijacked environment for the boot process. We then release the module used to hijack the operating system boot process. Finally, we call the original MBR and transfer control to the system disk to carry out the operating system boot process. While hijacking the operating system boot process, we hijack each boot module by means of chain hijacking, and system control is passed along until the custom kernel driver module is loaded. The prototype is released dynamically before the system starts up, so it can effectively withstand the dynamic, active defense of security software. Moreover, the prototype's implementation process does not modify the original structure of the system disk, so it can also effectively withstand the static scan analysis of security software.

3. Based on the deep analysis of the various Bootkit hijacking prototypes, we research the root cause of the problem, summarize the shortcomings of the existing boot architecture of computer systems, and put forward a defense strategy against this kind of attack.
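As an added defensive example that is not part of the thesis: the prototype above redirects the entry address of a BIOS interrupt call before the original MBR runs, so a forensic check over a real-mode interrupt vector table (IVT) snapshot taken before control reaches the OS loader can flag vectors that no longer point into the BIOS/option-ROM region. Assumptions: the watched interrupt is INT 13h (BIOS disk services, the one a pre-MBR stage would need to intercept), the memory map is the classic PC layout, and both IVT dumps and all helper names are constructed here.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Real-mode memory map used for the check (assumption: classic PC layout).
CONVENTIONAL_RAM_END = 0xA0000   # handlers below this live in RAM, not ROM
IVT_SIZE = 256 * 4               # 256 vectors, each stored as offset:segment

def parse_ivt(ivt: bytes) -> List[Tuple[int, int]]:
    """Decode the 1 KiB IVT dump into (segment, offset) pairs for INT 00h..FFh."""
    if len(ivt) < IVT_SIZE:
        raise ValueError("IVT dump must be at least 1024 bytes")
    vectors = []
    for n in range(256):
        off, seg = struct.unpack_from("<HH", ivt, 4 * n)  # offset word comes first
        vectors.append((seg, off))
    return vectors

def suspicious_vectors(ivt: bytes, watch=(0x13,),
                       baseline: Optional[bytes] = None) -> List[Tuple[int, str]]:
    """Flag watched vectors whose handler sits in conventional RAM instead of the
    BIOS/option-ROM region and, when a trusted baseline snapshot is supplied,
    any vector that differs from it. Returns (interrupt number, reason) pairs."""
    vectors = parse_ivt(ivt)
    findings: List[Tuple[int, str]] = []
    for n in watch:
        seg, off = vectors[n]
        if ((seg << 4) + off) & 0xFFFFF < CONVENTIONAL_RAM_END:  # 20-bit linear address
            findings.append((n, f"INT {n:02X}h -> {seg:04X}:{off:04X} is in conventional RAM"))
    if baseline is not None:
        flagged = {n for n, _ in findings}
        for n, (cur, ref) in enumerate(zip(vectors, parse_ivt(baseline))):
            if cur != ref and n not in flagged:
                findings.append((n, f"INT {n:02X}h changed from {ref[0]:04X}:{ref[1]:04X} "
                                    f"to {cur[0]:04X}:{cur[1]:04X}"))
    return findings

def make_ivt(overrides: Optional[Dict[int, Tuple[int, int]]] = None) -> bytes:
    """Constructed sample IVT: every vector at F000:xxxx (BIOS ROM) unless overridden."""
    entries = [(0xF000, n * 0x10) for n in range(256)]
    for n, vec in (overrides or {}).items():
        entries[n] = vec
    return b"".join(struct.pack("<HH", off, seg) for seg, off in entries)

# Constructed snapshots: a clean table, and one whose INT 13h now points just below 640 KiB.
CLEAN_IVT = make_ivt()
HOOKED_IVT = make_ivt({0x13: (0x9F80, 0x0000)})
```

A dump taken after the OS loader has run will legitimately show vectors in RAM, so compare snapshots captured at the same early-boot point (for example from an emulator or a trusted pre-boot probe).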
Keywords/Search Tags: multi-boot medium, boot process hijacking, kernel hijacking, malware implantation and concealment, security defense