Chinese Culture University Institutional Repository CCUR: Item 987654321/27060


    Please use this identifier to cite or link to this item: https://irlib.pccu.edu.tw/handle/987654321/27060


    Title: A New Rootkit and Its Detection in Windows 7 64bit
    Authors: 王文楷
    Contributors: Master's Program in Information Security Industry
    Keywords: file hiding
    process hiding
    rootkit
    SSDT hook
    DKOM
    Date: 2014
    Issue Date: 2014-03-07 14:10:34 (UTC+8)
    Abstract: This thesis proposes a new rootkit for Windows 7 64-bit together with a method for detecting it. The rootkit was studied on real hardware using two attack techniques. The first uses DKOM to modify the Flink and Blink fields of the EPROCESS kernel object in memory, breaking the links that chain the EPROCESS objects together, so that a chosen process is hidden. The second uses an SSDT hook: the kernel function KeBugCheckEx is used as a jump function spanning kernel space and user space, and the memory addresses of NtTerminateProcess and NtQueryDirectoryFile recorded in the original SSDT are redirected through this jump function into the rootkit, so that termination of the process is blocked and files are hidden.
    These attack techniques expose weaknesses in current Windows 7 64-bit. To harden against them, a scan of memory state is required that analyses changes in the memory space of the kernel functions and in the links between kernel objects; only then can the ability to detect the attack be strengthened.
    The study finds that, with the protection of PatchGuard excluded, Windows 7 64-bit still has the weaknesses that kernel functions in kernel space can be turned into jumps and that kernel objects can be modified. Only by remedying these two weaknesses can the security of Windows 7 64-bit be strengthened against this new type of rootkit attack.
    This thesis is a study of a new rootkit for the Windows 7 64-bit operating system and of its detection. The rootkit uses two attack techniques. The first uses DKOM to modify the EPROCESS object in kernel memory in order to hide a process. The second uses an SSDT hook to change two kernel APIs, NtTerminateProcess and NtQueryDirectoryFile, in order to prevent the process from being terminated and to hide files.
    Through these attack techniques the weaknesses of the Windows 7 64-bit operating system are understood, so that the new rootkit can be found by analysing the SSDT memory addresses and the Flink and Blink fields of the kernel objects.
    This study found that, with the protection of PatchGuard excluded, a new rootkit can attack the Windows 7 64-bit operating system by using a jump function in kernel-space memory and by changing kernel objects.
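    The two attacks described in the abstract (DKOM unlinking of the EPROCESS list and redirecting SSDT entries) and the memory-scan checks proposed against them, as an added user-mode C model. This is example code written for this page, not the thesis author's rootkit or detector. MODEL_EPROCESS, the pool and list contents, the kernel-image bounds NT_BASE/NT_SIZE, ROOTKIT_BASE and the service indices are all constructed stand-ins; the real Windows 7 x64 SSDT stores 32-bit offsets relative to its base and the thesis routes its hook through a KeBugCheckEx trampoline, and both details are abstracted here to "the entry no longer points into ntoskrnl".

```c
/* Added example: user-mode model of DKOM process hiding, SSDT hooking and
 * the memory-scan checks that detect them. All structures, addresses and
 * service indices are constructed stand-ins, not real Windows 7 x64 layouts. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Model EPROCESS: only the fields the attack and the checks touch. */
typedef struct { uint32_t pid; const char *name; LIST_ENTRY links; } MODEL_EPROCESS;

#define NPROC 5
/* Every process object that physically exists in memory (what a pool scan
 * would find), whether or not it is still on the active-process list. */
static MODEL_EPROCESS pool[NPROC] = {
    {4, "System", {NULL, NULL}}, {400, "csrss.exe", {NULL, NULL}},
    {1234, "explorer.exe", {NULL, NULL}}, {1337, "hidden.exe", {NULL, NULL}},
    {2000, "notepad.exe", {NULL, NULL}},
};
static LIST_ENTRY active_head;   /* stands in for PsActiveProcessHead */

void build_active_list(void) {
    active_head.Flink = active_head.Blink = &active_head;
    for (int i = 0; i < NPROC; i++) {          /* insert each entry at the tail */
        LIST_ENTRY *e = &pool[i].links;
        e->Flink = &active_head;
        e->Blink = active_head.Blink;
        active_head.Blink->Flink = e;
        active_head.Blink = e;
    }
}

/* Attack 1 (DKOM): unlink the entry so a walk from the head skips it. The
 * victim's own Flink/Blink are left pointing at its old neighbours, and the
 * scheduler does not use this list, so the process keeps running. */
void dkom_unlink(MODEL_EPROCESS *p) {
    p->links.Blink->Flink = p->links.Flink;
    p->links.Flink->Blink = p->links.Blink;
}

/* What an ordinary process enumeration sees: a walk from the list head. */
int walk_active_list(uint32_t *pids, int max) {
    int n = 0;
    for (LIST_ENTRY *e = active_head.Flink; e != &active_head && n < max; e = e->Flink) {
        MODEL_EPROCESS *p = (MODEL_EPROCESS *)((char *)e - offsetof(MODEL_EPROCESS, links));
        pids[n++] = p->pid;
    }
    return n;
}

/* Detection for attack 1: cross-view plus link consistency. Every object a
 * memory scan finds must be reachable from the head, and its neighbours must
 * point back at it. Returns the number of hidden objects; PIDs go in `hidden`. */
int detect_hidden(uint32_t *hidden, int max) {
    uint32_t seen[NPROC];
    int nseen = walk_active_list(seen, NPROC), nhidden = 0;
    for (int i = 0; i < NPROC && nhidden < max; i++) {
        int on_list = 0;
        for (int j = 0; j < nseen; j++) if (seen[j] == pool[i].pid) on_list = 1;
        LIST_ENTRY *e = &pool[i].links;
        int links_ok = e->Flink->Blink == e && e->Blink->Flink == e;
        if (!on_list || !links_ok) hidden[nhidden++] = pool[i].pid;
    }
    return nhidden;
}

/* Model SSDT: handler addresses plus the bounds of the kernel image they must
 * all lie in. Base, size, driver address and service indices are constructed. */
#define NT_BASE      0xFFFFF80002A00000ULL
#define NT_SIZE      0x0059F000ULL
#define ROOTKIT_BASE 0xFFFFF88003C00000ULL   /* a driver loaded outside ntoskrnl */
enum { SYS_NtTerminateProcess = 0x29, SYS_NtQueryDirectoryFile = 0x35, SSDT_LEN = 0x40 };
static uint64_t ssdt[SSDT_LEN], ssdt_trusted[SSDT_LEN];

void build_ssdt(void) {   /* the trusted copy stands in for the on-disk image */
    for (int i = 0; i < SSDT_LEN; i++) ssdt[i] = ssdt_trusted[i] = NT_BASE + 0x1000 + 0x40ULL * i;
}

/* Attack 2 (SSDT hook): point a service entry at rootkit code. */
void ssdt_hook(int idx, uint64_t target) { ssdt[idx] = target; }

/* Detection for attack 2: flag entries outside [NT_BASE, NT_BASE + NT_SIZE) or
 * differing from the trusted copy. Returns the count; indices go in `hooked`. */
int detect_ssdt_hooks(int *hooked, int max) {
    int n = 0;
    for (int i = 0; i < SSDT_LEN && n < max; i++) {
        int outside = ssdt[i] < NT_BASE || ssdt[i] >= NT_BASE + NT_SIZE;
        if (outside || ssdt[i] != ssdt_trusted[i]) hooked[n++] = i;
    }
    return n;
}

int main(void) {
    uint32_t pids[NPROC]; int idx[SSDT_LEN];
    build_active_list(); build_ssdt();
    dkom_unlink(&pool[3]);                                   /* hide pid 1337 */
    ssdt_hook(SYS_NtTerminateProcess, ROOTKIT_BASE + 0x100);
    ssdt_hook(SYS_NtQueryDirectoryFile, ROOTKIT_BASE + 0x200);
    int n = walk_active_list(pids, NPROC);
    printf("list walk sees %d of %d processes\n", n, NPROC);
    n = detect_hidden(pids, NPROC);
    for (int i = 0; i < n; i++) printf("hidden process pid=%u\n", pids[i]);
    n = detect_ssdt_hooks(idx, SSDT_LEN);
    for (int i = 0; i < n; i++)
        printf("hooked SSDT entry 0x%02x -> %#llx\n", idx[i], (unsigned long long)ssdt[idx[i]]);
    return 0;
}
```

    The link-consistency test catches the classic unlink even without a second view, because the victim's Flink and Blink still point at neighbours that no longer point back; the cross-view against a memory scan additionally catches a rootkit that rewrites the victim's own pointers. For the SSDT, the range check alone misses a hook that jumps to an existing ntoskrnl routine (the thesis's KeBugCheckEx trampoline is exactly that case), which is why the comparison against a trusted copy is the check that matters.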
    Appears in Collections:[Department of Computer Science and Information Engineering] thesis

    Files in This Item:

    There are no files associated with this item.


