[1] Lan Zhiling, Song Yubo, Tang Lei. Process camouflage protection method based on direct kernel object manipulation [J]. Journal of Southeast University (Natural Science Edition), 2013, 43(1): 24-29. [doi:10.3969/j.issn.1001-0505.2013.01.005]
 Lan Zhiling,Song Yubo,Tang Lei.Novel process-protecting method using camouflage techniques based on direct kernel object manipulation[J].Journal of Southeast University (Natural Science Edition),2013,43(1):24-29.[doi:10.3969/j.issn.1001-0505.2013.01.005]

Process camouflage protection method based on direct kernel object manipulation

Journal of Southeast University (Natural Science Edition) [ISSN: 1001-0505 / CN: 32-1178/N]

Volume:
43
Issue:
2013, No. 1
Pages:
24-29
Section:
Computer Science and Engineering
Publication date:
2013-01-20

Article Information / Info

Title:
Novel process-protecting method using camouflage techniques based on direct kernel object manipulation
Author(s):
Lan Zhiling, Song Yubo, Tang Lei
Information Security Research Center, Southeast University, Nanjing 210096, China
Keywords:
DKOM (direct kernel object manipulation); process camouflage; process protection
CLC number:
TP309.5
DOI:
10.3969/j.issn.1001-0505.2013.01.005
Abstract:
Current process-protecting methods based on process hiding are easily detected by rootkit detection tools and hence fail to protect the process. To solve this problem, a novel process-protecting method using camouflage techniques based on direct kernel object manipulation (DKOM) is proposed. The method combines the DKOM technique commonly used for process hiding with traditional disguising techniques: by directly altering the data structures that store process information in the kernel space of the operating system, the protected process is made to appear in the task manager as a system process. Because modifying process information involves kernel operations, the modification is implemented by a Windows driver, which is compatible with Windows 2000 and subsequent versions and is therefore widely applicable. The experimental results show that the process information retrieved by process-viewing tools is identical to that of a normal system process. The disguised process cannot be perceived by users, and rootkit detection tools report no anomaly. The effectiveness of the DKOM-based process camouflage protection method is verified.


Memo:
About the authors: Lan Zhiling (born 1988), male, master's student; Song Yubo (corresponding author), male, PhD, associate professor, songyubo@seu.edu.cn.
Funding: Information Security Special Project of the National Development and Reform Commission.
Citation format: Lan Zhiling, Song Yubo, Tang Lei. Process camouflage protection method based on direct kernel object manipulation [J]. Journal of Southeast University: Natural Science Edition, 2013, 43(1): 24-29. [doi:10.3969/j.issn.1001-0505.2013.01.005]
Last Update: 2013-01-20