摘要
随着网络技术的发展,基于传统隐藏技术的木马已经很难生存,木马隐藏技术开始由Ring 3级转入Ring 0级.运行在Ring 0级的木马,拥有与系统核心同等级的权限,隐藏与伪装更为容易.笔者讨论了Windows内核系统服务调用机制,分析了删除进程双向链表中的进程对象、SSDT内核挂钩注册表隐藏、端口隐藏等Rootkit木马的隐藏机理,最后对Rookit木马的几种检测技术作了详细的剖析.研究内容对增强人们防患意识、更好地维护计算机系统的安全有一定的参考价值.
With the development of cyber technology ,the Trojans are difficult to exist based on traditional hiding techniques. As a result, the hiding of Trojans starts to shift from level Ring 3 to Ring 0. The Trojans run in level Ring 0 with the same class of authority of the system and can be , more easily hidden and disguised. The essay discusses kernel system of windows and analyses the Process objects in the doubly linked list, of the deleting process. Registry hiding by SSDT kernel hooking,port hiding,etc. In the end, the essay makes detailed analysis about several detection techniques against Rookit Trojan. The essay study has some reference value in enhancing people's awareness of prevention and better safeguarding the security of computer systems.
出处
《辽宁师范大学学报(自然科学版)》
CAS
2009年第2期174-176,共3页
Journal of Liaoning Normal University:Natural Science Edition
