计算机科学 (COMPUTER SCIENCE)
2010, No. 4, pp. 59-62 (4 pages)
龚广, 李舟军, 忽朝俭, 邹蕴珂, 李智鹏 (Gong Guang, Li Zhoujun, Hu Chaojian, Zou Yunke, Li Zhipeng)
Rootkits; Anti-rootkits; driver module integral transposition (relocating the whole driver module in memory); kernel thread injection; deep IRP inline hook
As rootkit techniques receive growing attention in information security, new anti-rootkit techniques keep appearing, and under the scrutiny of the various anti-rootkit tools the conventional rootkit hiding techniques can no longer stay concealed. Based on a systematic analysis and in-depth study of traditional kernel-level rootkit hiding techniques, this paper proposes a rootkit hiding framework that integrates three techniques: relocating the whole driver module (driver module integral transposition), kernel thread injection, and deep inline hooking of IRP dispatch routines. Experimental results show that a rootkit built on this framework evades detection by professional anti-rootkit tools such as RootkitUnhooker and IceSword (冰刃), which demonstrates the effectiveness of this three-in-one rootkit hiding framework.
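The abstract sets the paper's hiding techniques against the checks run by tools such as RootkitUnhooker and IceSword. The following user-mode C model is added here as an illustration; it is not code from the paper or from either tool. It constructs a fake driver image, a MajorFunction-style dispatch table and the byte body of one dispatch routine, then runs three checks an anti-rootkit tool could make: whether a dispatch-table entry points outside the driver image (catches the classic table hook), whether the routine's first instruction is a JMP (catches a prologue inline hook), and whether any JMP rel32 anywhere in the body leaves the image (catches a hook placed deeper in the routine, which the prologue-only check misses). All addresses, byte sequences, structure and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed user-mode model for this example: not Windows kernel structures,
 * not the paper's code. 28 dispatch slots, as DRIVER_OBJECT.MajorFunction has. */
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define NUM_MJ (IRP_MJ_MAXIMUM_FUNCTION + 1)

typedef struct {
    uint64_t image_base;               /* where the driver image is mapped (assumed) */
    uint64_t image_size;
    uint64_t major_function[NUM_MJ];   /* modelled dispatch table */
} driver_model;

typedef struct {
    int  table_flagged;   /* check 1: a dispatch entry points outside the image */
    int  entry_flagged;   /* check 2: routine starts with a JMP */
    long deep_offset;     /* check 3: offset of an outbound JMP in the body, -1 if none */
} scan_result;

static int in_image(const driver_model *d, uint64_t va) {
    return va >= d->image_base && va < d->image_base + d->image_size;
}

/* Check 1: classic dispatch-table hook, every entry must stay inside the image. */
static int check_dispatch_table(const driver_model *d) {
    for (int i = 0; i < NUM_MJ; i++)
        if (!in_image(d, d->major_function[i])) return 1;
    return 0;
}

/* Check 2: prologue-only inline hook detection (E9 rel32 or FF 25 [rip+disp32]). */
static int entry_is_jmp(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return 1;
    return 0;
}

/* Check 3: walk the whole body, decode each E9 rel32 and flag the first target that
 * leaves the image. A real tool disassembles so an E9 byte inside an immediate is
 * not mistaken for an instruction; a byte walk is enough for the routine below. */
static long find_outbound_jmp(const driver_model *d, uint64_t routine_va,
                              const uint8_t *code, size_t len) {
    for (size_t off = 0; off + 5 <= len; off++) {
        if (code[off] != 0xE9) continue;
        int32_t rel;
        memcpy(&rel, code + off + 1, sizeof rel);   /* host order; x86 is little-endian */
        uint64_t target = routine_va + off + 5 + (uint64_t)(int64_t)rel;
        if (!in_image(d, target)) return (long)off;
    }
    return -1;
}

/* Attacker side of the model: overwrite 5 bytes at `off` with JMP rel32 to `target`.
 * A real hook also relocates the displaced instructions; that is omitted here. */
static void install_jmp(uint8_t *code, size_t off, uint64_t routine_va, uint64_t target) {
    int32_t rel = (int32_t)(int64_t)(target - (routine_va + off + 5));
    code[off] = 0xE9;
    memcpy(code + off + 1, &rel, sizeof rel);
}

/* Constructed x86-64 dispatch routine body (illustrative bytes, not a real driver). */
static const uint8_t clean_routine[] = {
    0x48,0x89,0x5C,0x24,0x08,   /*  0: mov [rsp+8], rbx */
    0x48,0x83,0xEC,0x20,        /*  5: sub rsp, 20h     */
    0x48,0x8B,0xDA,             /*  9: mov rbx, rdx     */
    0x48,0x8B,0x4A,0x08,        /* 12: mov rcx, [rdx+8] */
    0x48,0x8B,0x01,             /* 16: mov rax, [rcx]   */
    0x48,0x83,0xC4,0x20,        /* 19: add rsp, 20h     */
    0x5B,                       /* 23: pop rbx          */
    0xC3                        /* 24: ret              */
};

/* kind: 0 = clean, 1 = dispatch-table hook, 2 = inline hook at entry,
 *       3 = inline hook placed deep inside the routine body. */
scan_result scan_case(int kind) {
    driver_model d = { .image_base = 0xFFFFF80000400000ULL, .image_size = 0x8000 };
    const uint64_t routine_va  = d.image_base + 0x1000;     /* assumed routine address */
    const uint64_t hook_target = 0xFFFFF80000900000ULL;     /* rootkit code, outside image */
    uint8_t code[sizeof clean_routine];
    memcpy(code, clean_routine, sizeof code);
    for (int i = 0; i < NUM_MJ; i++) d.major_function[i] = routine_va;

    if (kind == 1) d.major_function[IRP_MJ_DEVICE_CONTROL] = hook_target;
    if (kind == 2) install_jmp(code, 0,  routine_va, hook_target);
    if (kind == 3) install_jmp(code, 12, routine_va, hook_target);

    scan_result r;
    r.table_flagged = check_dispatch_table(&d);
    r.entry_flagged = entry_is_jmp(code, sizeof code);
    r.deep_offset   = find_outbound_jmp(&d, routine_va, code, sizeof code);
    return r;
}
```

Running `scan_case(3)` shows the point behind a deep inline hook: the table entry still points into the driver image and the first instruction is untouched, so checks 1 and 2 report nothing, and only a scan of the whole routine body (check 3) finds the outbound jump at offset 12. Note that check 3 as written also trusts the image range recorded for the module; a driver whose whole module has been relocated, as the abstract's first technique describes, would not be covered by that range unless the tool enumerates kernel memory independently of the loaded-module list.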