Abstract
Existing hidden-process detection methods are easily evaded, have poor compatibility, or impose a significant performance overhead on the operating system. To address these problems, a hidden-process detection method based on hijacking kernel entry points is proposed. Based on the behavioural characteristics of how processes interact with the kernel, the method hijacks the three entry paths from user mode into kernel mode: KiFastCallEntry, the IDT and the GDT. It builds a kernel-mode process list through semantic reconstruction and then detects hidden processes by cross-view comparison. Experiments show that, compared with other process detection methods, this method can detect all current rootkit process-hiding techniques, supports multiple versions of the Windows operating system with little impact on system performance, and offers high accuracy, good compatibility and strong practical value.
At present, hidden process detection methods are easily evaded, have poor compatibility, or impose high overhead. A method based on intercepting the entry points of the system kernel is proposed to solve these problems. The method uses the behaviour of processes communicating with the system kernel to intercept the three channels from user mode to kernel mode: KiFastCallEntry, the IDT and the GDT. Furthermore, the method applies semantic reconstruction to establish the kernel-mode process list, and then uses cross-view comparison to detect hidden processes. The experiments show that the proposed method can detect all current kinds of hidden processes. It can be used on the majority of Windows operating systems and offers higher detection accuracy, better compatibility, lower overhead and stronger practical value.
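The two steps named in the abstract, semantic reconstruction of a kernel-side process list from entry-point observations followed by a cross-view comparison against the user-mode list, as an added illustration that is not code from the paper; the event format, the CR3/PID/image fields and all sample values are constructed assumptions standing in for what hooks on KiFastCallEntry, the IDT and the GDT would record.

```python
# Constructed sample: kernel-entry events as hooks on the three channels would
# observe them. Each event holds the channel name, the page-directory base
# (CR3) of the calling address space, and the PID and image name read from the
# current process object at entry time. All values are made up for illustration.
KERNEL_ENTRY_EVENTS = [
    ("KiFastCallEntry", 0x1A2000, 4, "System"),
    ("KiFastCallEntry", 0x3F0000, 1234, "explorer.exe"),
    ("IDT", 0x3F0000, 1234, "explorer.exe"),
    ("GDT", 0x5C1000, 2048, "svchost.exe"),
    ("IDT", 0x7D2000, 3140, "hidden.exe"),             # not in the user-mode list
    ("KiFastCallEntry", 0x7D2000, 3140, "hidden.exe"),
]

# Constructed sample: what a user-mode enumeration reports. PID 3140 is
# missing from it; PID 4100 is idle and has not entered the kernel yet.
USER_MODE_VIEW = {4: "System", 1234: "explorer.exe", 2048: "svchost.exe", 4100: "notepad.exe"}


def reconstruct_kernel_view(events):
    """Semantic reconstruction: fold per-entry observations into one process
    record per address space (CR3), remembering which channels saw it."""
    view = {}
    for channel, cr3, pid, image in events:
        rec = view.setdefault(cr3, {"pid": pid, "image": image, "channels": set()})
        if rec["pid"] != pid:
            # One CR3 reporting two PIDs means the address space was reused
            # or the process object was tampered with; mark it for review.
            rec["conflict"] = True
        rec["channels"].add(channel)
    return view


def cross_view_diff(kernel_view, user_view):
    """Cross-view: PIDs the kernel-side list holds but user mode does not show
    are candidate hidden processes; PIDs user mode shows but no entry hook has
    seen are returned separately, since they are not evidence of hiding."""
    kernel_pids = {rec["pid"]: rec for rec in kernel_view.values()}
    hidden = {pid: rec for pid, rec in kernel_pids.items() if pid not in user_view}
    unobserved = sorted(pid for pid in user_view if pid not in kernel_pids)
    return hidden, unobserved


if __name__ == "__main__":
    kv = reconstruct_kernel_view(KERNEL_ENTRY_EVENTS)
    hidden, unobserved = cross_view_diff(kv, USER_MODE_VIEW)
    for pid, rec in hidden.items():
        print(f"hidden: pid={pid} image={rec['image']} seen via {sorted(rec['channels'])}")
    print("in user-mode list but not yet seen at any kernel entry:", unobserved)
```

The kernel-side view only contains processes that have actually crossed one of the three entry points since the hooks were installed, so an idle process such as PID 4100 here is reported as unobserved rather than hidden, and the comparison should be repeated over time rather than taken from a single snapshot.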
Source
《北京理工大学学报》
EI
CAS
CSCD
PKU Core Journal (北大核心)
2015, No. 5, pp. 545-550 (6 pages)
Transactions of Beijing Institute of Technology
Funding
Beijing Institute of Technology Science and Technology Innovation Program, Major Project (2011CX01015)
National "242" Program Project (2005C48)