Research on twice-jump SSDT hooking and its detection method (cited by: 3)

Research on twice-jump SSDT_Hook and its detection
Abstract: The traditional SSDT hook (SSDT_Hook) and its detection methods are analysed, together with an SSDT hooking method that goes through a second jump. This method uses a MOV instruction to transfer control into a trusted address space and only then jumps a second time into the malicious code, which defeats the JMP-instruction detection and instruction-jump analysis used by traditional proactive defence systems (host intrusion prevention systems). Finally, a detection method aimed at this kind of SSDT_Hook is presented; it mainly improves the way traditional detection methods locate the SSDT, and it achieves good results.
Source: Computer Engineering and Applications (《计算机工程与应用》), CSCD, 2012, No. 6, pp. 102-105 (4 pages)
Funding: Henan Province Key Science and Technology Research Programme, industrial project (No.082102210097)
Keywords: SSDT hooking (SSDT_Hook); trusted address space; KeServiceDescriptorTable; twice-jump