基于计算机物理内存分析的Rootkit查找方法研究与实现

发布时间：2018-03-30 08:47

本文选题：计算机取证　切入点：rootkit检测　出处：《山东轻工业学院》2011年硕士论文

【摘要】：信息技术极大地促进了人类社会的进步,同时也带来了计算机犯罪问题。黑客入侵、网络诈骗、网络色情等案件的出现影响了互联网的健康发展,更是破坏了正常的经济发展和社会生活秩序。计算机取证(Computer Forensics)是打击计算机犯罪所使用的主要技术手段,是目前法律工作者和信息技术工作者共同研究重点内容。本文针对传统的rootkit查找方法的缺陷,根据物理内存分析技术的发展提出的。通过分析物理内存,得到所需的目标机器上存在rootkit木马或者不存在的证据。首先深入研究和分析了计算机物理内存镜像获取技术和Rootkit的攻击原理。在文中还介绍当今流行的Windows Rootkit。经过分析windows rootkit原理可知,rootkit用于隐藏的技术比较多,如在中断描述符表(IDT)和系统服务描述符表(SSDT)等地方设置钩子或直接修改某些内核数据结构。本文中详细的分析了几种rootkit的隐藏技术的原理,分析了几种常用的windows rootkit检测工具。无论Windows Rootkit是通过修改中断描述符表、驱动函数还是系统服务调度表等地方来实现欺骗系统,让系统执行其非法代码,实现其非法目的,都要把它的进程隐藏起来。为了不让系统或者反Rootkit程序发现而隐藏自身的进程是Windows Rootkit必须做的工作。根据这个原理,在检测Windows rootkit的时候,我们就以检测隐藏的进程为主要依据来检测当时的系统中是否存在rootkit。文章中利用基于交叉视图(Cross-View)的方法来来检测rootkit。在这个方法中获得真实的进程列表是一个难点,在实验的过程中通过Windbg调试内核来得到EPROCESS,HADLE_TABLE等重要的内核数据结构。通过对这些重要的内核数据结构的研究掌握了通过进程句柄表来列举当前系统进程列表的方法。论文主要研究内容如下: 1、对计算机取证的相关概念,背景及国内外的发展现状进行了详细介绍。 2、对Windows XP系统下的日志文件的格式进行了详细的分析。 3、详细的阐述windows系统下常用的几种获取物理内存镜像的方法,还介绍了内存镜像的分析方法。 4、概述了windows物理内存的管理机制,并且结合实例详细的介绍了虚拟地址到物理地址的转换方式。 5、对rootkit所使用的几种技术原理(如挂钩系统服务描述符表,直接内核操作法等)进行了详细的介绍。 6、给出了传统的rootkit检测的方法,并且在基于交叉视图(cross-view)的检测的基础上,提出了一种检测效果比较明显的检测方法,且给出了主要的代码。
[Abstract]:Information technology has greatly promoted the progress of human society, but also brought about computer crime.Hacking, network fraud, network pornography and other cases affect the healthy development of the Internet, but also undermine the normal economic development and social order.Computer Forensic Science (computer Forensic) is the main technical means to combat computer crime.Aiming at the defects of traditional rootkit lookup method, this paper puts forward a new method based on the development of physical memory analysis technology.By analyzing physical memory, evidence that rootkit Trojan exists or does not exist on the target machine is obtained.Firstly, the computer physical memory image acquisition technology and the attack principle of Rootkit are deeply studied and analyzed.This paper also introduces the popular Windows Rootkit.By analyzing the principle of windows rootkit, we know that rootkit is used to hide many techniques, such as setting hooks or modifying some kernel data structures directly in places such as interrupt descriptor table (IDT) and system service descriptor table (SSDT).In this paper, the principle of several rootkit hiding techniques is analyzed in detail, and several commonly used windows rootkit detection tools are analyzed.Hiding a process from being discovered by a system or anti-Rootkit program is a must for Windows Rootkit.According to this principle, when detecting Windows rootkit, we use the hidden process as the main basis to detect the existence of rootkits in the system at that time.In this paper, a cross-view based approach is used to detect rootkits.Through the study of these important kernel data structures, the method of listing the current system process list through the process handle table is discussed.The main contents of this thesis are as follows:1. The related concepts, background and development status of computer forensics are introduced in detail.2. The format of log files in Windows XP system is analyzed in detail.3. Several methods of obtaining physical memory image in windows system are described in detail, and the analysis method of memory mirror is also introduced.4. The management mechanism of windows physical memory is summarized, and the transformation from virtual address to physical address is introduced in detail with an example.5. Several technical principles used in rootkit are introduced in detail, such as linked system service descriptor table, direct kernel operation and so on.6. The traditional method of rootkit detection is given, and based on the cross-view detection, a detection method with obvious effect is proposed, and the main code is given.
【学位授予单位】：山东轻工业学院
【学位级别】：硕士
【学位授予年份】：2011
【分类号】：TP393.08;D918.2

【相似文献】