| Rookit木马的隐藏机理与检测技术剖析 |
| |
| 引用本文: | 李锦.Rookit木马的隐藏机理与检测技术剖析[J].辽宁师范大学学报(自然科学版),2009,32(2):174-176. |
| |
| 作者姓名: | 李锦 |
| |
| 作者单位: | 辽宁警官高等专科学校,辽宁,大连,116036 |
| |
| 摘 要: | 随着网络技术的发展,基于传统隐藏技术的木马已经很难生存,木马隐藏技术开始由Ring 3级转入Ring 0级.运行在Ring 0级的木马,拥有与系统核心同等级的权限,隐藏与伪装更为容易.笔者讨论了Windows内核系统服务调用机制,分析了删除进程双向链表中的进程对象、SSDT内核挂钩注册表隐藏、端口隐藏等Rootkit木马的隐藏机理,最后对Rookit木马的几种检测技术作了详细的剖析.研究内容对增强人们防患意识、更好地维护计算机系统的安全有一定的参考价值.
|
| 关 键 词: | Rookit木马 系统调用 隐藏机理 入侵检测 |
The hiding theory of Rookit trojan and analysis of the detection technique |
| |
| LI Jin.The hiding theory of Rookit trojan and analysis of the detection technique[J].Journal of Liaoning Normal University(Natural Science Edition),2009,32(2):174-176. |
| |
| Authors: | LI Jin |
| |
| Institution: | LI Jin (Liaoning Police Academy, Dalian 116036, China) |
| |
| Abstract: | With the development of cyber technology ,the Trojans are difficult to exist based on traditional hiding techniques. As a result, the hiding of Trojans starts to shift from level Ring 3 to Ring 0. The Trojans run in level Ring 0 with the same class of authority of the system and can be , more easily hidden and disguised. The essay discusses kernel system of windows and analyses the Process objects in the doubly linked list, of the deleting process. Registry hiding by SSDT kernel hooking,port hiding,etc. In the end, the essay makes detailed analysis about several detection techniques against Rookit Trojan. The essay study has some reference value in enhancing people's awareness of prevention and better safeguarding the security of computer systems. |
| |
| Keywords: | Rootkit trojan system call hiding theory intrusion detection |
| 本文献已被 维普 万方数据 等数据库收录! |
|
