摘要
对传统SSDT钩挂(SSDT_Hook)及其检测方法进行了分析,同时分析了一种经过了二次跳转的SSDT钩挂方法。该方法使用了MOV指令跳转到可信任地址空间,再二次跳转到恶意代码中,突破了传统主动防御系统的JMP指令检测法和指令跳转分析法。最后,给出了一种针对该SSDT_Hook的检测方法,重点对传统检测方法中的SSDT寻址方法进行了改进,取得了较好的效果。
The traditional SSDT_Hook and its detection methods are analyzed, then it also analyzes a twice-jump SSDT_Hook. This method uses MOV to reach a trustable address, then makes processing jumps to its code. It has broken through the JMP-detection and jump-analysis in traditional IPS (Intrusion Prevention System). Finally, this paper presents a method for the detection of the SSDT_Hook. Focus on the improvements of addressing the SSDT, it has achieved good results.
出处
《计算机工程与应用》
CSCD
2012年第6期102-105,共4页
Computer Engineering and Applications
基金
河南省重点科技攻关计划工业类项目(No.082102210097)