检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
机构地区:[1]湘潭大学信息工程学院"智能计算与信息处理"教育部重点实验室,湖南湘潭411105
出 处:《计算机工程与科学》2015年第8期1472-1478,共7页Computer Engineering & Science
基 金:湖南省自然科学基金资助项目(12JJ3066)
摘 要:在信息安全领域,安全分析工具往往需要将监控模块注入到其他进程空间以实现监控功能,但恶意软件往往会通过检测自身空间是否有其他模块来逃避监控。因此,安全工具需要对注入模块加以隐藏。比较常见的隐藏方法有:断开进程的LDR_MODULE链、Hook枚举模块的函数、抹去PE头等,但这些方法都有比较大的局限性。针对这些局限性,提出了一种对注入模块进行隐藏的新方法。在注入时利用普通有模块注入方式,让恶意软件疏于防范;注入之后消除自身模块,让恶意软件无法检测到监控软件的存在。对于应用中的一些具体技术问题给出了解决方法。实验结果表明,该方法突破防御能力强,可兼容各种版本的Windows操作系统,并且隐蔽性比目前的通用方法更好。In the field of information security,security analysis tools often inject some modules into other process space for monitoring dangerous behaviors, but malwares will scan their own process space and find out the monitor modules to avoid anti-monitoring. So security analysis tools should hide the modules that are injected into the target process space. There are many methods for hiding modules, such as disconnecting the LDR_MODULE chain, hooking the function of the enumeration module, era- sing the PE header, and so on. But these methods have significant limitations. To make an improvement, we propose a novel method to hide the injected modules. Ordinary module injection is given so they can be neglected by malwares; then the modules are eliminated by themselves, so that malwares cannot detect the presence of the monitoring softwares. Besides, we list out solutions to some typical specific technical problems in practice. Experimental results show that the proposed method has good capability to break through the defense system, it is compatible with various versions of Windows operat- ing systems, and its concealment is better than the traditional methods.
关 键 词:信息安全 ROOTKIT 线程注入 隐藏模块 有模块注入 无模块注入
分 类 号:TP309.5[自动化与计算机技术—计算机系统结构]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.49
