
Journal of University of Chinese Academy of Sciences ›› 2010, Vol. 27 ›› Issue (5): 695-703. DOI: 10.7523/j.issn.2095-6134.2010.5.018


Kernel-driver-based dynamic detection technique for malicious code

LI Wei 1, SU Pu-Rui 2

  1. Graduate University of the Chinese Academy of Sciences, Beijing 100049;
  2. Institute of Software, Chinese Academy of Sciences, Beijing 100190
  • Received: 2009-12-24 Revised: 2010-03-09 Published: 2010-09-15

Detection of the malicious code injection by hooking system calls in kernel mode

LI Wei 1, SU Pu-Rui 2

  1. Graduate University of the Chinese Academy of Sciences, Beijing 100049, China;
  2. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  • Received: 2009-12-24 Revised: 2010-03-09 Published: 2010-09-15

Abstract (translated from the Chinese):

Through a thorough analysis and study of the code injection methods and hooking techniques used under Windows, a kernel-driver-based method for dynamically detecting malicious code is proposed. The method runs in the system kernel as a driver; without affecting system performance, it dynamically monitors every process in the system and reports any attack information to the user promptly and accurately, strengthening the overall security of the system. Experimental results show that the method achieves good results in both performance and detection.

Keywords: hooking technique, system service descriptor table, system service table

Abstract:

Based on a detailed analysis of the runtime process injection and hooking techniques used in the Windows operating system, we propose a method for dynamically detecting malicious code using a kernel-mode driver. It is implemented as a driver that dynamically monitors every process, reports attacks to the user accurately, and enhances overall system security. The experimental results show that the method achieves satisfactory results in both performance and detection.

Key words: Hook technology, system service descriptor table (SSDT), system service table (SST)
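As an added illustration of the SSDT integrity check that a kernel-driver detector of the kind described in the abstract would perform (example code written for this page, not the authors' driver): a user-mode C model that flags service-table entries pointing outside the kernel image or differing from a baseline captured before third-party drivers load. The table size, addresses and kernel module range are all constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the Windows SSDT: an array of system service addresses
 * plus the load range of the kernel image that legitimately owns them. A real
 * driver would read KeServiceDescriptorTable and the ntoskrnl module bounds;
 * every value below is made up for the demonstration. */
#define NUM_SERVICES 6
typedef struct {
    uintptr_t service_table[NUM_SERVICES]; /* what KiServiceTable would hold */
    uintptr_t kernel_base;                 /* start of the kernel image */
    uintptr_t kernel_end;                  /* end of the kernel image */
} ssdt_model_t;

/* Flag an entry when it points outside the kernel image (the service was
 * redirected into a foreign driver) or when it differs from a trusted baseline
 * (catches redirection to another in-kernel address). Indices of flagged
 * entries are written to 'flagged'; the count is returned. */
size_t find_ssdt_hooks(const ssdt_model_t *m, const uintptr_t *baseline,
                       size_t flagged[NUM_SERVICES]) {
    size_t n = 0;
    for (size_t i = 0; i < NUM_SERVICES; i++) {
        uintptr_t target = m->service_table[i];
        bool outside = target < m->kernel_base || target >= m->kernel_end;
        bool differs = baseline != NULL && baseline[i] != target;
        if (outside || differs)
            flagged[n++] = i;
    }
    return n;
}

/* Constructed sample: services 2 and 4 point into a foreign driver at 0xF8A0....;
 * service 5 still lies inside the kernel image but no longer matches the baseline. */
static const uintptr_t BASELINE[NUM_SERVICES] = {
    0x80500100, 0x80500200, 0x80500300, 0x80500400, 0x80500500, 0x80500600 };
static const ssdt_model_t SAMPLE = {
    { 0x80500100, 0x80500200, 0xF8A01000, 0x80500400, 0xF8A01200, 0x80500650 },
    0x80400000, 0x80600000 };

/* Run the check over the sample and report each suspected hook. */
size_t demo_hook_count(void) {
    size_t flagged[NUM_SERVICES];
    size_t n = find_ssdt_hooks(&SAMPLE, BASELINE, flagged);
    for (size_t i = 0; i < n; i++)
        printf("service %zu -> %#lx (suspected hook)\n", flagged[i],
               (unsigned long)SAMPLE.service_table[flagged[i]]);
    return n;
}
```

Without a baseline the range check alone misses the in-kernel redirection of service 5, which is why the detector needs both checks.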
