摘要
RootKit是用来维持黑客对计算机控制,使之无法检测的强力工具。当前传统的RootKit技术都有相对应的检测技术。文章介绍了内核对象内联挂接技术,延伸了现有的代码重定向技术,通过对内核对象调用路径的内联挂接,实现隐藏。现有的RootKit检测技术很难检测这种新型RootKit。因此,文章提出了基于指令跳转分析的动态RootKit检测技术,可以动态检测内核对象内联挂接的RootKit,并且能够指出这些RootKit程序的加载映像。
RootKit is a set of powerful tools used by hackers to gain the access to the computers and make itself undetectable. This paper introduces a technique named kernel object inline hooking, which extends existing technique of code redirection, hides tracks through inline hooking of kernel object~ dispatch routines. Existing detecting methodology of rootkit is difficult to detect this kind of new rootkit, So this paper illustrates a branch instruction analysis based dynamic detecting methodol- ogy of rootkit. This methodology could find running rootkit programs dynamically in the system, and point out the loading images of these rootkits.
出处
《信息工程大学学报》
2007年第2期221-226,共6页
Journal of Information Engineering University
基金
国家自然科学基金资助项目(60473021)
