The Design and Research of Rootkit Detection System Based on Windows API

doi:10.3969/j.issn.1671-1122.2014.11.009

Abstract

Abstract:

Rootkit is referred to the malicious software that hides the traces of processes, network ports, files, etc. It is now widely used for the hacker intruding and attacking other peoples’ computer systems. Many computer viruses and spywares also use Rootkit to lurk in the operation system and watch for the proper moment for action. How to detect Rootkit efficiently becomes the key problem to counter these kinds of attacks. On the basis of previous works,this paper discusses the underlying principles of Windows, and developes a Rootkit detection system based on the WINDOWS API. With its help, the user can not only discover different kinds of hidden information of the operation system, but also easily find out the virus and Trojan which are running in the computer and clean them up. To a certain extent, this system enriches the research productions on Rootkit detection, and can offer reference for the follow-up studies.

Key words: Rootkit detection, Windows kernel, operating system

CLC Number:

TP309

YUAN Yu-heng, HUANG Geng-xing, GONG Zheng. The Design and Research of Rootkit Detection System Based on Windows API[J]. Netinfo Security, 2014, 14(11): 52-58.

Figures/Tables 9

References 23

[1]	康治平,向宏,胡海波. Windows系统Rootkit隐藏技术研究与实践[J]. 计算机工程与设计,2007,28(14):3337-3343.
[2]	杨彦,黄皓. Windows Rootkit隐藏技术研究[J].计算机工程,2008,34(12):152-156.
[3]	白光冬, 郭耀, 陈向群. 一种基于交叉视图的Windows Rootkit检测方法[J]. 计算机科学,2009,36(8):133-137.
[4]	左黎明,蒋兆峰,汤鹏志. Windows Rootkit隐藏技术与综合检测方法[J]. 计算机工程,2009,35(10):118-120.
[5]	刘喆,张家旺. Rootkit木马隐藏技术分析与检测技术综述[J]. 信息安全与通信保密,2010,(11):61-65.
[6]	王雷,凌翔. Windows Rootkit进程隐藏与检测技术[J]. 计算机工程,2010,36(5):140-142.
[7]	潘剑锋,奚宏生,谭小彬.一种利用程序行为分析的rootkit异常检测方法[J]. 中国科学技术大学学报,2010,40(8):863-869.
[8]	Wang J.A rule-based approach for rootkit detection[C]//Information Management and Engineering (ICIME), 2010 The 2nd IEEE International Conference on. IEEE, 2010: 405-408.
[9]	Fu D, Zhou S, Cao C.A Windows rootkit detection method based on cross-view[J]. E-Product E-Service and E-Entertainment (ICEEE), 2010, 2(110): 1-3.
[10]	Tsaur W, Chen Y C.Exploring Rootkit Detectors' Vulnerabilities Using a New Windows Hidden Driver Based Rootkit[C]//Social Computing (SocialCom), 2010 IEEE Second International Conference on. IEEE, 2010: 842-848.
[11]	Mahapatra C, Selvakumar S.An online cross view difference and behavior based kernel rootkit detector[J]. ACM SIGSOFT Software Engineering Notes, 2011, 36(4): 1-9.
[12]	Arnold T, Yang T A.Rootkit attacks and protection: a case study of teaching network security[J]. Journal of Computing Sciences in Colleges, 2011, 26(5): 122-129.
[13]	Alexander J S, Dean T, Knight S, et al.Spy: counter-intelligence methods for backtracking malicious intrusions[C]//Proceedings of the 2011 Conference of the Center for Advanced Studies on Collaborative Research. IBM Corp., 2011: 1-14.
[14]	Jeffrey Richter.Windows核心编程[M].黄陇,李虎,译.4版.北京:机械工业出版社,2008.
[15]	段钢. 加密与解密第三版[M].北京:电子工业出版社,2008.
[16]	Kris Kaspersky.黑客反汇编揭秘[M].谭明金译.2版.北京:电子工业出版社,2010.
[17]	张银奎. 软件调试[M].北京:电子工业出版社,2008.
[18]	Russinovich M E, Solomon D A.Microsoft Windows internals (4th ed.)[M]. Redmond:Microsoft Press, 2005.
[19]	Hoglund G, Butler J.Rootkits: subverting the Windows kernel[M]. Stoughton: Addison-Wesley Professional, 2005.
[20]	潘爱民. Windows内核原理与实现[M].北京:电子工业出版社,2009.
[21]	谭文,邵坚磊.从汇编语言到Windows内核编程[M].北京:电子工业出版社,2008.
[22]	张佩,马勇,董鉴远.深入浅出windows驱动开发[M].北京:电子工业出版社,2011.
[23]	Nagar R.Windows NT file system internals: a developer's guide[M]. Amherst: O'Reilly & Associates, Inc., 1997.