Personal Firewall Based on APIHOOK Technology
(Original Chinese title: 基于APIHOOK技术的个人防火墙)
Abstract (translated from the Chinese): A firewall is built on the basis of an in-depth study of the APIHOOK (application programming interface hook) technique and its implementation, combined with the behavioural characteristics of a range of Trojans. The principle of the firewall is to use APIHOOK to replace some system functions with functions from a self-written DLL. The new functions implement monitoring of the registry, of files, of the network, and of other high-level operations. As soon as Trojan-like behaviour is detected, the firewall reacts in real time according to user-customisable rules. Because the firewall records program behaviour in detail, advanced users can also use it to analyse Trojans. Since the firewall targets the behavioural characteristics of Trojans, its advantage is that it can prevent unknown and next-generation Trojans that current general-purpose firewalls cannot. Tests with real Trojan attacks demonstrate .

English abstract: The application programming interface hook (APIHOOK) technology and its realization in personal firewalls are discussed, and the behaviour characteristics of Trojans are analyzed. Based on the APIHOOK technology and aiming at the behaviour of Trojans, the personal firewall is developed. The basic idea of the personal firewall is replacing certain API functions of the system with functions from a DLL developed by us. The new API functions can monitor all operations on the registry, file creation, network connections and communication ports, and other advanced operations. Once a behaviour like a Trojan's is detected, the firewall informs the user and responds in real time according to rules which can be customized by the user. As the firewall records the behaviour of all programs in detail, advanced users can analyze the behaviour of Trojans. The firewall is capable of guarding against known or unknown Trojans because it is behaviour-sensitive. Attacks from a collection of real Trojans were launched to test the personal firewall's performance. Results indicate that the firewall guards against known and unknown Trojans.
Source: Journal of Nanjing University of Aeronautics & Astronautics (《南京航空航天大学学报》), indexed in EI, CAS, CSCD and the Peking University Core list; 2004, No. 1, pp. 97-102 (6 pages).
Keywords: APIHOOK technology; personal computer; firewall; computer security; Trojan; preventive measures; APIHOOK; personal firewall; guard against Trojan; network security
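The abstract describes the user-space half of the design: hooked API functions raise events for registry, file and network operations, a user-customisable rule set decides whether to allow, alert on or block each one, and every event is logged so that a program's behaviour can be reviewed afterwards. The following rule engine is an added example written for this page, not code from the paper; the event format, rule fields and the default rules are assumptions chosen to illustrate the mechanism, and the sample events are constructed.

```python
"""Rule evaluation for events raised by hooked API functions (added example).

The hook DLL described in the paper is not reproduced here; this module only
models the decision and logging layer that such hooks would call into.
"""
from dataclasses import dataclass
from enum import Enum
import fnmatch


class Action(Enum):
    ALLOW = "allow"   # let the hooked call proceed silently
    ALERT = "alert"   # let it proceed but notify the user and log it
    BLOCK = "block"   # make the hooked call fail


@dataclass(frozen=True)
class ApiEvent:
    """One intercepted call, as the hook would report it (assumed shape)."""
    process: str    # image name of the calling process
    category: str   # "registry", "file" or "network"
    operation: str  # e.g. "set_value", "create_key", "create", "write", "connect", "listen"
    target: str     # registry path, file path or host:port


@dataclass(frozen=True)
class Rule:
    """A user-customisable rule: first matching rule decides the action."""
    name: str
    category: str
    operations: tuple
    target_glob: str          # case-insensitive glob over the target
    action: Action
    trusted: tuple = ()       # process names exempt from this rule

    def matches(self, ev: ApiEvent) -> bool:
        if ev.category != self.category or ev.operation not in self.operations:
            return False
        if ev.process.lower() in (t.lower() for t in self.trusted):
            return False
        # Lower-case both sides so behaviour is the same on any host OS.
        return fnmatch.fnmatchcase(ev.target.lower(), self.target_glob.lower())


# Assumed default rule set; a real deployment would let the user edit these.
DEFAULT_RULES = (
    Rule("autostart-registry", "registry", ("set_value", "create_key"),
         "hklm\\software\\microsoft\\windows\\currentversion\\run*", Action.BLOCK),
    Rule("write-system-dir", "file", ("create", "write"),
         "c:\\windows\\system32\\*", Action.ALERT, trusted=("msiexec.exe",)),
    Rule("listening-socket", "network", ("listen",), "*", Action.ALERT),
    Rule("outbound-connect", "network", ("connect",), "*", Action.ALLOW),
)


class BehaviourMonitor:
    """Applies rules to each event and keeps a full per-process behaviour log."""

    def __init__(self, rules=DEFAULT_RULES):
        self.rules = list(rules)
        self.log = []  # (event, matched rule name or None, action)

    def handle(self, ev: ApiEvent) -> Action:
        action, hit = Action.ALLOW, None
        for rule in self.rules:
            if rule.matches(ev):
                action, hit = rule.action, rule.name
                break
        self.log.append((ev, hit, action))
        return action

    def report(self, process: str):
        """Behaviour record of one process, for after-the-fact analysis."""
        return [(e.category, e.operation, e.target, a.value)
                for e, _, a in self.log if e.process.lower() == process.lower()]


# Constructed sample events resembling what the hooks would report.
SAMPLE_EVENTS = (
    ApiEvent("updater.exe", "registry", "set_value",
             "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    ApiEvent("msiexec.exe", "file", "create", "C:\\Windows\\System32\\helper.dll"),
    ApiEvent("updater.exe", "file", "write", "C:\\Windows\\System32\\helper.dll"),
    ApiEvent("updater.exe", "network", "listen", "0.0.0.0:8080"),
    ApiEvent("browser.exe", "network", "connect", "example.org:443"),
)


def run_samples(events=SAMPLE_EVENTS):
    """Feed the sample events through a fresh monitor; returns (actions, monitor)."""
    monitor = BehaviourMonitor()
    return [monitor.handle(ev) for ev in events], monitor


if __name__ == "__main__":
    actions, monitor = run_samples()
    for ev, act in zip(SAMPLE_EVENTS, actions):
        print(f"{ev.process:12} {ev.category:8} {ev.operation:10} -> {act.value}")
    print("updater.exe record:", monitor.report("updater.exe"))
```

The first matching rule wins, so ordering the rule list is part of the user's configuration; the `trusted` field shows how a legitimate installer can be exempted from a rule without weakening it for every other process, and `report()` gives the per-program behaviour record the abstract says advanced users rely on for analysis.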