基于内核驱动的恶意代码动态检测技术

doi:10.7523/j.issn.2095-6134.2010.5.018

中国科学院大学学报 ›› 2010, Vol. 27 ›› Issue (5): 695-703.DOI: 10.7523/j.issn.2095-6134.2010.5.018

基于内核驱动的恶意代码动态检测技术

李伟¹, 苏璞睿²

1. 中国科学院研究生院,北京 100049;
2. 中国科学院软件研究所,北京 100190

收稿日期:2009-12-24 修回日期:2010-03-09 发布日期:2010-09-15

Detection of the malicious code injection by hooking system calls in kernel mode

LI Wei¹, SU Pu-Rui²

1. Graduate University of the Chinese Academy of Sciences, Beijing 100049, China;
2. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China

Received:2009-12-24 Revised:2010-03-09 Published:2010-09-15

摘要/Abstract

摘要：

通过对Windows下的代码注入方法和Hook技术的详尽分析与研究,提出了一种基于内核驱动的恶意代码动态检测方法. 该方法采用驱动的方式运行于系统内核中,在不影响系统性能的前提下,动态监控系统中所有进程,同时及时准确地向用户报告任何攻击信息,增强了系统的整体安全性. 实验结果表明,该方法在性能和检测方面都达到较好的检测效果.

关键词: Hook技术, 系统服务描述符表, 系统服务表

Abstract:

Based on detailed analyses of all the methods about runtime process injection and hooking techniques in Windows operating system, we propose a method for dynamically detecting malicious code using the kernel-mode driver. It is implemented as a driver that is able to dynamically monitor every process, report attacks to the user accurately, and enhance overall system security.The experimental results show that this method achieves satisfactory detection effects in performance and detection.

Key words: Hook technology, system service descriptor table(SSDT), system service table(SST)

中图分类号:

TP309.5

李伟, 苏璞睿. 基于内核驱动的恶意代码动态检测技术[J]. 中国科学院大学学报, 2010, 27(5): 695-703.

LI Wei, SU Pu-Rui. Detection of the malicious code injection by hooking system calls in kernel mode[J]. , 2010, 27(5): 695-703.

参考文献

[1] Nguyen, Reiher N, Kuenning P, et al. Detecting insider threats by monitoring system call activity . Information Assurance Workshop, IEEE Systems, Man and Cybernetics Society, 2003: 45-52.

[2] Iyer A, Ngo H Q. Towards a theory of insider threat assessment //Proceedings of the 2005 International Conference on Dependable Systems and Networks, 2005:108-117.

[3] Liu A, Martin C, Hetherington T, et al. A comparison of system call feature representations for insider threat detection . Information Assurance Workshop, IEEE Systems, Man and Cybernetics Society, 2005: 340-347.

[4] Yariv K. API Spying Techniques for Windows 9x, NT and 2000 . 2000 . http://www.internals.com/articles/apispy/apispy.htm.

[5] Jeffrey R. Windows核心编程
[M]. 北京:机械工业出版社,2000.

[6] Ivo I. API hooking revealed . 2002 . http://www.codeproject.com/system/hooksys.asp.

[7] Jeffrey R. Load your 32-bit DLL into another processs address space using INJLIB
[J]. Microsoft Systems Journal, 1994, 9(5).

[8] Keith B. Windows安全性编程
[M]. 北京:中国电力出版社, 2004.

[9] Keith B. Security Briefs . Microsoft Systems Journal, 1999, 14(8) .http://www.microsoft.com/msj/0899/security/security0899.aspx.

[10] Robert K. Three ways to Inject Your Code into Another Process . (2006-07-02) http://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c5767.

[11] Rattle. Using process infection to bypass Windows software firewalls phrack , 2004, 11: 62-0x0d .http://www.phrack.org/show.php?p=62&a=13.

[12] Matt P. Learn system-level Win32 coding techniques by writing and API spy program
[J]. Microsoft systems Journal, 1994,9(12).

[13] Matt P. Under the Hood . Microsoft Systems Journal, 1997,12(9) .http://www.microsoft.com/msj/0997/hood0997.aspx.

[14] Holy_F. Technics of hooking API functions on Windows . 2002 .http://www.hxdef.org.

[15] Crazyload. Playing with Windows/dev/(k)mem
[J]. Phrack, 2002,0x0b:p59-0x10.

[16] Hoglund G, Butler J. Rootkits-Windows内核的安全防护
[M]. 北京:清华大学出版社, 2007.

[17] Tan CK. Defeating Kernel Native API Hookers by Direct Service dispatch Table Restoration . Special Interest Group in Securtiy and Information Integrity(SIG^2), 2004-07-08 http://www.security.org.sg.

基于内核驱动的恶意代码动态检测技术

Detection of the malicious code injection by hooking system calls in kernel mode

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 2

编辑推荐

Metrics

本文评价

访问统计

联系我们

[1]	李伟, 苏璞睿, 时云峰. 基于空间向量计算的恶意文档检测技术[J]. 中国科学院大学学报, 2010, 27(2): 267-274.
[2]	潘剑锋, 刘守群, 奚宏生, 谭小彬. 一种利用动态控制流路径分析的隐藏恶意代码异常检测方法[J]. 中国科学院大学学报, 2010, 27(1): 138-143.