Computer Applications and Software (计算机应用与软件)
2015, No. 9, pp. 274-279 (6 pages)
Keywords: Boot-up; Malware; Integrity checking; Online detection
Abstract: Kernel-mode malicious code, a class of malware that compromises the operating system kernel and hides the presence and activity of other malicious code, has become a significant threat to operating system security. A new type of malware that has emerged in recent years loads together with the operating system boot: by hijacking the computer's boot process, it loads and runs before the operating system has finished booting. It combines the characteristics of ordinary kernel-level malicious code with the advantages of starting before the operating system and rooting itself in the system hardware, which makes it stealthier and more destructive than ordinary kernel-level malicious code. This paper analyses this new kind of malicious code. It first reviews the evolution of the technique, then focuses on typical boot-stage malicious code for Windows, analysing the interlocking implementation techniques it uses across the different stages of the operating system boot process. Finally, it analyses the current state of detection techniques, points out that existing detection methods rely too heavily on online detection and integrity checking, and proposes improvements to detection from both aspects.