
Research On Windows Kernel Driver Attack Forensics Based On Memory Pool Tag Quick Scanning Technology

Posted on: 2021-04-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Xiao
Full Text: PDF
GTID: 2428330605972969
Subject: Software engineering
Abstract/Summary:
With the rapid development of computer and information technology, network attacks have gradually shifted their focus to memory, and cyber crimes have become more covert. Obtaining key digital evidence stored in volatile storage media within a short period of time has become an important method of combating cybercrime, and the main technology used is computer memory forensics. Current computer forensics technology has the disadvantages of long scanning time and low efficiency, which cannot meet the time requirements of emergency response in a production environment. Effective detection of kernel objects and rootkits in a short time is of great significance to security researchers for emergency response and attack source tracing. This paper improves and optimizes the memory pool tag quick scanning technology, develops a new scanning plugin for the Windows kernel driver object, and proposes an automated detection framework for Windows kernel rootkits. Based on a study of the memory pool tag quick scanning technology, this paper analyzes the points where forensics technology on the Windows platform needs to be improved, reduces the scope of key memory scanning, adds constraints for the Windows kernel driver object, and develops the kernel driver object scanning plugin qdriverscan. Testing the qdriverscan plugin in a multi-dimensional environment shows that the plugin can significantly reduce the time spent scanning for Windows kernel driver objects and improve scanning efficiency while keeping the scan accuracy unchanged. By summarizing and analyzing the advantages and disadvantages of Windows kernel rootkit detection technology, and combining them with the existing memory forensics framework, this paper improves and optimizes Volatility's modscan, pstree, devicetree, driverirp, ssdt, callbacks and unloadedmodules plugins, and then proposes a Windows kernel rootkit auto-detection framework. Several typical Windows kernel rootkits are used for experimental tests. The test results show that this framework can automatically and quickly scan the relevant information of each Windows kernel rootkit, locate suspicious memory, and provide sufficient reference material for subsequent in-depth analysis. This paper has studied and implemented the Windows kernel driver object scanning plugin and the automated scanning framework for Windows kernel rootkits based on the improved memory pool tag quick scanning technology, and the test data show that the framework can greatly reduce detection time. As a result, the framework can detect and obtain attack traces in the shortest time after a victim host or system is attacked, collect attack information effectively, provide data support and an entry-point reference for subsequent in-depth analysis, and solve the difficulty that security researchers cannot quickly obtain attack information in a short time.
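As an added illustration of the constrained pool tag scan the abstract describes (example code written here, not code from the thesis or from the qdriverscan plugin), the scanner below walks a constructed memory image at pool-block alignment, decodes the x64 _POOL_HEADER, matches the driver-object tag with the protected bit masked off, and keeps only in-use non-paged allocations large enough to hold a driver object. The header layout, the "Driv" tag, the 16-byte block unit and the 0x150 driver-object size are assumptions about the x64 kernel layout and must be checked against the target build.

```python
import struct

# Assumed x64 _POOL_HEADER (16 bytes): PreviousSize, PoolIndex, BlockSize, PoolType, PoolTag, ProcessBilled
POOL_HEADER_FMT = "<BBBB4sQ"
POOL_HEADER_SIZE = struct.calcsize(POOL_HEADER_FMT)  # 16
POOL_BLOCK_UNIT = 16       # BlockSize is counted in 16-byte units on x64 (assumption)
DRIVER_TAG = b"Driv"       # pool tag of _DRIVER_OBJECT allocations
MIN_DRIVER_ALLOC = 0x150   # assumed sizeof(_DRIVER_OBJECT) on x64; verify against the target build


def parse_pool_header(image, off):
    """Decode one pool header; the protected-allocation bit (high bit of the last tag byte) is cleared."""
    _prev, _idx, block, ptype, tag, _billed = struct.unpack_from(POOL_HEADER_FMT, image, off)
    clean_tag = tag[:3] + bytes([tag[3] & 0x7F])
    return {"block_bytes": block * POOL_BLOCK_UNIT, "type": ptype, "tag": clean_tag}


def scan_driver_pool_tags(image, start=0, end=None):
    """Return offsets of pool headers in [start, end) that satisfy the driver-object constraints.
    Narrowing [start, end) to the non-paged pool range is what reduces the scan time."""
    end = len(image) if end is None else end
    hits = []
    for off in range(start, end - POOL_HEADER_SIZE + 1, POOL_BLOCK_UNIT):
        if image[off + 4:off + 7] != DRIVER_TAG[:3]:        # cheap byte pre-filter before unpacking
            continue
        hdr = parse_pool_header(image, off)
        if hdr["tag"] != DRIVER_TAG:
            continue
        if hdr["block_bytes"] < POOL_HEADER_SIZE + MIN_DRIVER_ALLOC:   # too small to hold a driver object
            continue
        if hdr["type"] == 0 or hdr["type"] & 1:            # must be in use and non-paged (bit 0 = paged)
            continue
        hits.append(off)
    return hits


def build_sample_image():
    """Constructed sample image: one plausible driver-object block, one same-tag block that is too
    small to be one, and one block with an unrelated tag."""
    img = bytearray(0x400)

    def put(off, block, ptype, tag):
        struct.pack_into(POOL_HEADER_FMT, img, off, 0, 0, block, ptype, tag, 0)

    put(0x100, 0x17, 2, b"Dri\xf6")   # 0x170-byte non-paged block, tag carries the protected bit
    put(0x020, 0x04, 2, b"Driv")      # 0x40-byte block: right tag but cannot hold a _DRIVER_OBJECT
    put(0x200, 0x17, 2, b"Proc")      # unrelated tag
    return bytes(img)


if __name__ == "__main__":
    print([hex(o) for o in scan_driver_pool_tags(build_sample_image())])   # ['0x100']
```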
Keywords/Search Tags:memory forensics, memory pool tag quick scanning, windows kernel driver object, kernel rootkit