OALib Journal
ISSN: 2333-9721

A Hidden Process Detection Method Based on Hijacking Kernel Entry Points

DOI: 10.15918/j.tbit1001-0645.2015.05.021

Keywords: hidden process detection; cross-view; Rootkit; hidden process


Abstract:

Existing hidden process detection methods are easy to evade, have poor compatibility and noticeably degrade operating system performance. To address these problems, this paper proposes a hidden process detection method based on hijacking kernel entry points. Starting from the behavioural characteristics of the interaction between processes and the kernel, the method hijacks the three classes of entry from user mode into kernel mode, KiFastCallEntry, the IDT and the GDT, builds a kernel-mode process list by semantic reconstruction, and detects hidden processes by cross-view comparison. Experiments show that, compared with other process detection methods, this method can detect all current Rootkit process-hiding techniques, supports multiple versions of the Windows operating system with little impact on system performance, and offers high accuracy, good compatibility and high practical value.
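The reconstruction and cross-view steps summarised in the abstract, as an added Python illustration that is not part of the paper: the entry-point hooks are replaced by a constructed trace of (entry kind, PID, TID) records, the user-mode view by a constructed process table, and the function names are chosen here.

```python
from collections import defaultdict

# The three user-to-kernel entry classes the paper hooks.
ENTRY_KINDS = {"KiFastCallEntry", "IDT", "GDT"}

# Constructed trace of what an entry-point hook would log: (entry kind, PID, TID).
# Not captured from a real system.
ENTRY_EVENTS = [
    ("KiFastCallEntry", 4, 8),
    ("IDT", 512, 516),
    ("KiFastCallEntry", 1336, 1340),
    ("GDT", 1336, 1344),
    ("KiFastCallEntry", 2048, 2052),  # this process is missing from the user-mode view
    ("IDT", 2048, 2060),
    ("KiFastCallEntry", 512, 520),
]

# Constructed user-mode view, as a process enumeration API would report it.
# A rootkit that unlinks PID 2048 from the list makes it disappear here only.
USER_VIEW = {4: "System", 512: "csrss.exe", 1336: "explorer.exe", 3000: "idle_tool.exe"}


def reconstruct_kernel_view(events):
    """Semantic reconstruction: any thread that crosses into the kernel belongs to a
    live process, so the trace is grouped by PID into a kernel-mode process list."""
    procs = defaultdict(lambda: {"threads": set(), "entries": set()})
    for kind, pid, tid in events:
        if kind not in ENTRY_KINDS:
            raise ValueError(f"unknown entry kind: {kind}")
        procs[pid]["threads"].add(tid)
        procs[pid]["entries"].add(kind)
    return dict(procs)


def cross_view_hidden(kernel_view, user_view):
    """Cross-view comparison: a PID observed entering the kernel but absent from the
    user-mode list is reported as hidden. PIDs only in the user view are not suspicious;
    they simply made no kernel entry during the observation window."""
    return sorted(pid for pid in kernel_view if pid not in user_view)


def report(events=ENTRY_EVENTS, user_view=USER_VIEW):
    """Hidden PIDs with the evidence (threads and entry kinds) that exposed them."""
    kernel_view = reconstruct_kernel_view(events)
    return {pid: {"threads": sorted(kernel_view[pid]["threads"]),
                  "entries": sorted(kernel_view[pid]["entries"])}
            for pid in cross_view_hidden(kernel_view, user_view)}


if __name__ == "__main__":
    for pid, evidence in report().items():
        print(f"hidden PID {pid}: {evidence}")
```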

