摘要
Bootkit通过将加载时间点提前到引导阶段,能够对其操作系统下的恶意行为进行隐藏以绕过多数安全软件。为此,对Bootkit的动态行为隐藏机制进行形式化建模,扩展协同隐藏机制以揭示Bootkit高隐蔽性,并且利用大部分Bootkit在磁盘上隐藏恶意PE文件的特点,设计并实现一种PE文件匹配算法。实验结果表明,该算法在磁盘隐蔽扇区中匹配特定的模式串以寻找潜在的恶意PE文件,在针对Bootkit样本的检测中取得了较好效果。
Bootkit originates from Rootkit and can bypass most security software through loading the malicious code during windows booting period. This paper uses formal description to depict the procedure of malicious operation hiding and develops the cooperative concealment. Because most Bootkit hide malicious PE files in disks, a PE matching algorithm is designed and implemented. This algorithm will search some byte sequences with specific pattern to find potential hidden PE files and experiments show that this algorithm can gain a high detecting accuracy towards some Bootkit samples.
出处
《计算机工程》
CAS
CSCD
北大核心
2015年第6期116-120,共5页
Computer Engineering
基金
国家自然科学基金资助项目"云计算环境下软件可靠性和安全性理论
技术与实证研究"(61332010)
关键词
恶意行为
协同隐藏
形式化描述
PE文件
静态检测
malicious behavior
cooperative concealment
formal description
PE file
static detection