
Research and Implementation of a Security Monitoring System for Windows RootKits

【Author】 何志

【Supervisor】 范明钰

【Author information】 University of Electronic Science and Technology of China, Information and Communication Engineering, 2008, Master's degree

【Abstract (translated from Chinese)】 A RootKit is a technique commonly used by an attacker who has already compromised a system in order to retain superuser access, create backdoors and hide the traces of the attack. RootKits exist on Linux, Solaris, Windows and other operating systems. Because the Windows operating system is so widely used in our lives (by individuals, enterprises and even governments), it has become a major target of RootKit attacks. According to the level at which they subvert the operating system, RootKits fall into two types: user-mode RootKits and kernel-mode RootKits. User-mode RootKits modify system files or binary data in the operating system's user space. Kernel-mode RootKits attack the operating system kernel; compared with user-mode RootKits they are more powerful and harder to detect. Given the present “diversity” of Windows RootKits in both form and function, the existing special-purpose detection tools, each highly targeted but relatively single-purpose, can no longer meet real security needs. To truly eliminate the harm that Windows RootKits may cause, this thesis starts from Windows RootKit security techniques and security strategies and, based on the actual state of Windows RootKit security, formulates a security strategy against RootKits on Windows systems that combines “multiple detection”, “monitoring defense” and “self-protection”. Following the implementation plan of this strategy, the thesis designs a Windows RootKit monitoring system. Compared with conventional Windows RootKit detection techniques, the monitoring system's “multiple detection” solves the single-method problem of ordinary detection techniques: it adapts to the diversity of Windows RootKits, detects the various existing Windows RootKits fairly comprehensively, and is therefore general-purpose. The “monitoring defense” technique replaces the passive detection and defense of conventional Windows RootKit security strategies with the monitoring system's active monitoring and defense, putting system security in a more proactive and advantageous position. The adoption of “self-protection” measures guarantees the robustness of the whole monitoring system, enabling it to protect itself effectively and resist counterattacks by RootKits. The research in this thesis provides a fairly complete foundation for security research on Windows RootKits; the proposed multiple-detection method makes up for the shortcomings of existing single-purpose detection methods and can effectively detect the various kinds of Windows RootKits. The proposed Anti-RootKit security strategy combining “multiple detection”, “monitoring defense” and “self-protection” has practical value for Windows system security.

【Abstract】 RootKits are used by attackers after they have intruded into a computer system. RootKits help the attackers maintain root access to the system and conduct malicious activities. RootKits exist in a variety of operating systems (OS), such as Linux, Solaris and Microsoft Windows. Because of the widespread use of the Microsoft Windows operating system in our lives, Microsoft Windows has become the target of RootKit attacks. RootKits are classified into application-mode RootKits and kernel-mode RootKits according to the level at which they subvert the operating system. Application-mode RootKits modify system files or binary system data at the user level. Kernel-mode RootKits attack the operating system's kernel and are more powerful than application-mode ones; kernel-mode RootKits are also more difficult to detect. In this thesis, we put forward a new security strategy for Windows RootKits that combines “Multiple Detection”, “Monitor Defence” and “Self-Protection”. We design a Windows RootKit Monitoring System according to this security strategy. Compared to conventional Windows RootKit detection technology, “Multiple Detection” solves the problem of single-method detection, which is common in conventional Windows RootKit detection technology. “Monitor Defence” replaces passive detection defence with active monitoring defence. “Self-Protection” ensures the robustness of the entire monitoring system. The research work of this thesis provides complete basic knowledge for research on Windows RootKits. The novel method, “Multiple Detection”, makes up for the deficiency of current detection methods, so it can find all currently existing Windows RootKits. The strategy combining “Multiple Detection”, “Monitor Defence” and “Self-Protection” also has practical value for Windows OS security.
