Novel process-protecting method using camouflage techniques based on direct kernel object manipulation
(Journal article; cited by 6)
Abstract: Current process-protection methods based on process hiding are easily detected by rootkit detection tools and therefore fail to protect the process. To address this, a process camouflage protection method based on direct kernel object manipulation (DKOM) is proposed. The method combines the DKOM technique commonly used for process hiding with traditional camouflage techniques: by directly modifying the data structures in the operating-system kernel that store process information, it makes the protected process appear in Task Manager as one of the system processes. Because modifying process information involves kernel operations, it is implemented by a Windows driver that is compatible with Windows 2000 and later versions and is therefore widely applicable. Experimental results show that after modification the process information reported by process-viewing tools is indistinguishable from that of a normal system process: the camouflage is effective, users cannot notice it, and rootkit detection tools report no anomaly. This verifies the effectiveness of the DKOM-based process camouflage protection method.
Source: Journal of Southeast University (Natural Science Edition), 2013, No. 1, pp. 24-29 (6 pages). Indexed in EI, CAS, CSCD and the Peking University core journal list.
Funding: National Development and Reform Commission special project on information security.
Keywords: direct kernel object manipulation (DKOM); process camouflage; process protection
Authors: Lan Zhiling (b. 1988), male, master's student; Song Yubo (corresponding author), male, PhD, associate professor, songyubo@seu.edu.cn.
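Editor's worked example (added here; not code from the paper or its authors). The abstract contrasts two DKOM operations: hiding, which unlinks the process from the kernel's active-process list, and camouflage, which leaves the process linked but overwrites the name field that Task Manager displays. The C program below models both on a user-mode stand-in for the relevant EPROCESS fields (ActiveProcessLinks, UniqueProcessId, ImageFileName) and then runs the two cross-view checks a practitioner would want: an unlinked object shows up as a PID-table entry that the list walk never reaches, which is what rootkit detectors catch, while a camouflaged process passes that check and is only exposed by comparing the 15-character ImageFileName against the basename of the full image path. The structure layout, the FullImagePath field, the flat PID table and the sample process names and PIDs are assumptions constructed for illustration, not the real kernel layout or the paper's driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed user-mode model of the EPROCESS fields involved (not the real
 * kernel layout). Field names mirror the Windows members they stand in for;
 * FullImagePath stands in for the full NT image path the kernel keeps
 * separately from the 15-character ImageFileName. */
typedef struct Eprocess {
    struct Eprocess *Flink;     /* ActiveProcessLinks.Flink */
    struct Eprocess *Blink;     /* ActiveProcessLinks.Blink */
    uint32_t UniqueProcessId;
    char ImageFileName[16];     /* 15 chars + NUL: the name Task Manager lists */
    char FullImagePath[64];
} Eprocess;

#define MAX_PROCS 8

static Eprocess g_head;              /* list sentinel, like PsActiveProcessHead */
static Eprocess g_table[MAX_PROCS];  /* flat "PID table" view of the same objects */
static int g_table_count;

static const char *nt_basename(const char *path) {
    const char *s = strrchr(path, '\\');
    return s ? s + 1 : path;
}

static Eprocess *lookup_pid(uint32_t pid) {
    for (int i = 0; i < g_table_count; i++)
        if (g_table[i].UniqueProcessId == pid) return &g_table[i];
    return NULL;
}

void list_init(void) {
    memset(g_table, 0, sizeof g_table);
    g_table_count = 0;
    g_head.Flink = g_head.Blink = &g_head;
}

/* Create a process object and link it at the tail of the active list. */
Eprocess *process_create(uint32_t pid, const char *path) {
    if (g_table_count >= MAX_PROCS) return NULL;
    Eprocess *p = &g_table[g_table_count++];
    p->UniqueProcessId = pid;
    strncpy(p->FullImagePath, path, sizeof p->FullImagePath - 1);
    strncpy(p->ImageFileName, nt_basename(path), 15);  /* truncated like the kernel */
    p->Flink = &g_head;
    p->Blink = g_head.Blink;
    g_head.Blink->Flink = p;
    g_head.Blink = p;
    return p;
}

/* Classic DKOM hiding: unlink from ActiveProcessLinks; the object still exists. */
int hide_process(uint32_t pid) {
    Eprocess *p = lookup_pid(pid);
    if (!p) return 0;
    p->Blink->Flink = p->Flink;
    p->Flink->Blink = p->Blink;
    p->Flink = p->Blink = p;  /* self-link so a later walk from p cannot dangle */
    return 1;
}

/* DKOM camouflage as the abstract describes: stay linked, rewrite the shown name. */
int camouflage_process(uint32_t pid, const char *disguise) {
    Eprocess *p = lookup_pid(pid);
    if (!p) return 0;
    memset(p->ImageFileName, 0, sizeof p->ImageFileName);
    strncpy(p->ImageFileName, disguise, 15);
    return 1;
}

/* What a list-walking viewer (Task Manager) reports: entries carrying this name. */
int task_manager_count(const char *name) {
    int n = 0;
    for (Eprocess *p = g_head.Flink; p != &g_head; p = p->Flink)
        if (strcmp(p->ImageFileName, name) == 0) n++;
    return n;
}

/* Cross-view check 1: objects in the PID table that the list walk never reaches. */
int detect_unlinked(void) {
    int missing = 0;
    for (int i = 0; i < g_table_count; i++) {
        int seen = 0;
        for (Eprocess *p = g_head.Flink; p != &g_head; p = p->Flink)
            if (p == &g_table[i]) seen = 1;
        if (!seen) missing++;
    }
    return missing;
}

/* Cross-view check 2: listed name disagrees with the image path's basename. */
int detect_name_mismatch(void) {
    int n = 0;
    for (Eprocess *p = g_head.Flink; p != &g_head; p = p->Flink)
        if (strncmp(p->ImageFileName, nt_basename(p->FullImagePath), 15) != 0) n++;
    return n;
}

int main(void) {
    list_init();  /* constructed sample processes, PIDs and paths are made up */
    process_create(436, "\\??\\C:\\Windows\\System32\\csrss.exe");
    process_create(1234, "\\??\\C:\\Users\\lab\\protected.exe");
    process_create(1300, "\\??\\C:\\Users\\lab\\hidden.exe");
    hide_process(1300);
    camouflage_process(1234, "csrss.exe");
    printf("Task Manager sees %d csrss.exe, %d protected.exe, %d hidden.exe\n",
           task_manager_count("csrss.exe"), task_manager_count("protected.exe"),
           task_manager_count("hidden.exe"));
    printf("unlinked objects: %d, name/path mismatches: %d\n",
           detect_unlinked(), detect_name_mismatch());
    return 0;
}
```

The model deliberately keeps the camouflaged process in every list so that the list-versus-table comparison stays clean, matching the abstract's observation that rootkit detectors raise no alarm; the second check is the kind of consistency test (displayed name against image path, and in practice also parent, session and signature) that does not depend on an object being missing. On a real system the EPROCESS field offsets differ between Windows versions, so a driver of the kind the paper describes has to resolve them per version rather than hard-code them.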