• • 上一篇    下一篇

基于 Minifilter 的多层次文件操作行为提取技术研究

张陈磊%周安民%刘亮%卿粼波   

  • 出版日期:2014-11-15
  • 基金资助:
    教育部高等学校博士学科点专项科研基金(20110181120009)

Multi-level File Operations Recording System Based on Minifilter Driver

ZHANG Chen-lei%ZHOU An-min%LIU Liang%QING Lin-bo   

  • Online:2014-11-15
  • About author:四川大学电子信息学院,四川成都,610065

摘要: 文章研究了对于不同层次的文件操作行为的提取及监控,旨在针对目前存在的绕过过滤驱动的检测方法进行改进,更加有效地针对恶意软件行为进行监控,多层次提取其文件操作的技术。文章首先概述了文件过滤驱动技术工作原理及当前应用现状,介绍了目前被广泛应用的微文件过滤驱动(Minifilter)技术的开发原理、步骤和应用领域。随后对文件操作的底层行为全过程进行了分析,并对 Minifilter 在其中的检测原理进行了相关介绍,对其安全性进行分析,提出当前能绕过过滤驱动检测的几种方法原理,包括通过增加过滤驱动以及 Hook 派遣函数等原理绕过过滤驱动,从而造成过滤驱动无法检测。列出了目前存在的从不同层次绕过过滤驱动的几种攻击方法,包括附着新的过滤驱动,直接访问内核,对底层文件结构的派遣函数进行不同的 Hook 等。针对其攻击原理进行分析,提出对应的检测方法。通过在原有 Minifilter的基础上添加以上几种检测方法,可实现对目前存在的多种攻击手段进行多层次检测,从而添加相应的防护措施。在之后对改进后的过滤驱动进行功能及性能上的针对性测试中,表明改进后的检测驱动能利用更小的时间成完成更深层次的检测。因此,改进后的行为提取技术能绕过普通文件过滤驱动的恶意行为进行拓展检测,更深层次地提取恶意软件的文件操作行为,从而实现对目标程序的可疑文件操作进行更加全面的监控。

Abstract: This paper studied for different levels of extraction and monitoring the behavior of file operations, aimed at the existing bypass filter drivers detection method was improved, more effective against malicious software behavior, multi-level technology to extract the file operations. Firstly the paper introduces the file filter driver technology , principle and current application situation,then introduces the widely application of micro file filter driver (Minifilter) technology development principle, steps and application field. Subsequent to the underlying behavior of file operations process are analyzed, and the Minifilter detection principle of the related introduction. To analyze its security and puts forward several methods of current can bypass the filter drivers detection principle. Including by adding filter drivers and send Hook function principle to bypass filter drivers, which the filter driver behavior cannot be detected.Lists the existing several attack methods from different levels to bypass the filter driver, including attached new filter drivers, direct access to the kernel, the sending of the underlying file structure function of different hook skills and so on. According to its attack principle is analyzed, puts forward corresponding detection methods.By adding the above on the basis of the original Minifilter several detection methods, which can realize to test the present a variety of means of attack, so as to add multi-layered protective measures. And then the improved filter drivers for targeted on the function and performance test, shows that the improved test drive to be able to use a smaller time cost to complete more deeper detection. Therefore the behavior of the improved extraction technology can bypass the normal file filter driver to expand to detect malicious behavior, the extraction of deeper malicious software file operations, so as to realize the target of suspicious file operations for a more comprehensive monitoring.