Li Fujuan (1974-), female, associate professor at Jiangsu Police Institute; her main research interests are computer network technology and applications, the Internet of Things, and information security.
Wang Qun (1971-), male, Ph.D., professor at Jiangsu Police Institute; his main research interests are network architectures and protocols, cyber-physical systems, and information security.
Online publication date: 2018-12
Print publication date: 2018-12-20
Fujuan LI, Qun WANG. Mechanism and implementation of Rootkit attack and defense [J]. Telecommunications Science, 2018, 34(12): 33-45. DOI: 10.11959/j.issn.1000-0801.2018298.
A Rootkit is a class of malicious code that attacks the system kernel and achieves deep concealment, and it has become a serious threat to cyber security. This paper first introduces the basic features of Rootkits and Bootkits and compares the characteristics of Rootkit attacks in user mode and kernel mode. It then analyzes in detail the implementation principles and working mechanisms of the hooking, DKOM (direct kernel object manipulation) and virtualization techniques used in Rootkit attacks. Finally, drawing on specific attack behaviours, it discusses the main detection methods and defence techniques against Rootkit attacks.