
Detecting Hidden Processes by Efficiently Searching System Memory

Detect Hidden Processes by Searching System Memory with High Efficiency
Abstract: This paper analyses process-hiding methods and the common methods of detecting hidden processes, and describes the principle and implementation of detecting hidden processes by searching system memory: first determine whether a page is valid, then decide whether a memory address is the address of an EPROCESS by checking the characteristic layout of the EPROCESS structure and of the OBJECT header that precedes it. It gives a method for distinguishing PAE memory mode from ordinary (non-PAE) memory mode, a method for judging page validity in each of the two modes, and discusses ways of improving search efficiency. Experiments on Windows 7 and Vista in both memory modes show that all processes can be enumerated efficiently, including processes that hide themselves by hooking the process-enumeration functions or by entering kernel space and directly modifying kernel data.
Source: Computer Systems & Applications (《计算机系统应用》), 2012, No. 10, pp. 188-193 (6 pages)
Keywords: process; Physical Address Extension (PAE); Process Environment Block (PEB); object
