Rootkit technology plays an important role in information security. Trojans and other common attacks often use a rootkit to hide their own files, processes, network connections and other information so that they can lurk in the target system for a long time and evade its detection. This paper focuses on rootkit detection and anti-detection technology. It first introduces the characteristics of rootkit technology, its development, and the related operating system principles involved. It then analyzes user-level and kernel-level rootkits and, on that basis, implements different hiding schemes. Building on this, a new method is proposed for attacking the system service functions in the SSDT (System Service Descriptor Table). The memory management mechanism of Windows is studied to clarify how the address translation mechanism maps a code page in the virtual address space to the physical address space within a process, and the interrupt service function is hijacked to hide the code page in the virtual address space. The system tables that are easiest to attack are selected for the detection study. Whether the IAT (Import Address Table) has been modified is judged by analyzing whether each function address in the IAT lies within the address range of the exported function. The integrity of kernel modules is analyzed by a module-based comparison method and an export-function-based comparison method.
Finally, the rootkit's hiding functionality is implemented, specifically: (1) to hide a process, the normal system service function in the system call table is replaced with a malicious function that modifies the relevant process information, achieving process hiding; (2) to hide a file, the file-operation system service function in the system call table is replaced with a function similar to the original system service function, which filters the relevant file information, achieving file hiding; (3) to hide a driver, the driver's node is removed from the specific doubly linked list of the system kernel. At the end of the paper, the results are verified and analyzed with the relevant tools. The test results show that the desired goals have been reached.
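The IAT and SSDT detection idea above, as an added illustration that is not code from the thesis: each table slot should hold an address inside the module that exports the function, so a slot pointing outside every loaded module is treated as hooked, while a slot pointing into a different legitimate module is only reported as redirected (export forwarders, e.g. kernel32 to kernelbase, look like this). The module ranges and table entries are constructed sample data, not values from the paper.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Entry:
    table: str    # "IAT" or "SSDT"
    owner: str    # module that exports the function (expected holder)
    symbol: str
    address: int  # address currently stored in the table slot


def module_holding(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module whose address range contains addr, if any."""
    return next((m for m in modules if m.contains(addr)), None)


def classify(entry: Entry, modules: List[Module]) -> str:
    """'ok' when the slot lies in the exporting module; 'redirected:<module>' when it
    lies in another loaded module (verify forwarders before alarming); 'hooked' when it
    lies outside every loaded module, i.e. in injected or unlinked code."""
    holder = module_holding(entry.address, modules)
    if holder is None:
        return "hooked"
    if holder.name.lower() == entry.owner.lower():
        return "ok"
    return f"redirected:{holder.name}"


def scan(entries: List[Entry], modules: List[Module]) -> List[Tuple[Entry, str]]:
    """Return every entry that is not 'ok', paired with its verdict."""
    verdicts = [(e, classify(e, modules)) for e in entries]
    return [(e, v) for e, v in verdicts if v != "ok"]


# Constructed sample module map and table snapshot (hypothetical addresses).
MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80000400000, 0x00A00000),
    Module("kernel32.dll", 0x00007FFB10000000, 0x000D0000),
    Module("kernelbase.dll", 0x00007FFB0F000000, 0x002E0000),
]
ENTRIES = [
    Entry("IAT", "kernel32.dll", "CreateFileW", 0x00007FFB10021230),          # inside kernel32
    Entry("IAT", "kernel32.dll", "FindFirstFileW", 0x0000000001AB0040),       # in no module
    Entry("IAT", "kernel32.dll", "GetModuleHandleA", 0x00007FFB0F10A000),     # inside kernelbase
    Entry("SSDT", "ntoskrnl.exe", "NtQueryDirectoryFile", 0xFFFFF80000612340),  # inside ntoskrnl
    Entry("SSDT", "ntoskrnl.exe", "NtQuerySystemInformation", 0xFFFFF80123450000),  # in no module
]

if __name__ == "__main__":
    for e, verdict in scan(ENTRIES, MODULES):
        print(f"{e.table} {e.owner}!{e.symbol} -> {e.address:#x}: {verdict}")
```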