Research and Implementation of a Security Monitoring System for Windows RootKits
Abstract
A RootKit is a technique commonly used by attackers after compromising a system in order to retain superuser access, create backdoors and hide the traces of the attack. RootKits exist on various operating systems, including Linux, Solaris and Windows. Because the Windows operating system is so widely used in our lives (by individuals, enterprises and even governments), it has become an important target of RootKit attacks.
According to the level at which they intrude into the operating system, RootKits are divided into two types: user-mode RootKits and kernel-mode RootKits. User-mode RootKits modify system files or binary data in the operating system's user space. Kernel-mode RootKits attack the operating system kernel; compared with user-mode RootKits they are more powerful and harder to detect.
The present "diversity" of Windows RootKit forms and functions means that the existing special-purpose detection tools, each narrowly targeted and relatively single-function, can no longer meet real security needs. To genuinely eliminate the potential harm of Windows RootKits, this thesis starts from Windows RootKit security techniques and security policy and, based on the actual state of Windows RootKit security, formulates a security strategy for RootKits on Windows systems that combines "multiple detection", "monitoring defense" and "self-protection". Following the implementation plan of this strategy, a Windows RootKit monitoring system is designed. Compared with conventional Windows RootKit detection techniques, the monitoring system's "multiple detection" solves the single-method problem of ordinary detection techniques, adapts to the diversity of Windows RootKits, detects the various existing Windows RootKits fairly comprehensively, and is therefore general-purpose. The "monitoring defense" technique replaces the passive detect-then-defend approach of conventional Windows RootKit security strategies with the monitoring system's active monitoring and defense, putting system security in a more proactive and favorable position. The "self-protection" measures guarantee the robustness of the whole monitoring system, which can effectively protect itself and resist counterattacks from RootKits.
The research in this thesis provides a fairly complete foundation for security research on Windows RootKits. The proposed multiple-detection method makes up for the deficiencies of existing special-purpose detection methods and can effectively detect various Windows RootKits. The proposed Anti-RootKit security strategy, which combines "multiple detection", "monitoring defense" and "self-protection", has practical value for Windows system security.
After intruding into a computer system, attackers use RootKits. RootKits help the attackers maintain root access to the system and conduct malicious activities. RootKits exist on a variety of operating systems (OS), such as Linux, Solaris and Microsoft Windows. Because the Microsoft Windows operating system is used so widely in our lives, it has become a target of RootKit attacks.
RootKits are classified into application-mode RootKits and kernel-mode RootKits according to the level at which they intrude into the operating system. Application-mode RootKits modify system files or binary system data at the user level. Kernel-mode RootKits attack the operating system's kernel and are more powerful than application-mode ones; they are also more difficult to detect.
In this thesis, we put forward a new security strategy for Windows RootKits, which combines "Multiple Detection", "Monitor Defence" and "Self-Protection". We then design a Windows RootKit Monitoring System according to this security strategy. Compared to conventional Windows RootKit detection technology, "Multiple Detection" solves the problem of relying on a single detection method, which is common in conventional Windows RootKit detection technology. "Monitor Defence" uses active monitoring defense in place of passive detection defense. "Self-Protection" ensures the robustness of the entire monitoring system.
The research work of this thesis provides complete basic knowledge for research on Windows RootKits. The novel "Multiple Detection" method makes up for the deficiency of current detection methods, so it can find out all currently existing Windows RootKits. The strategy that combines "Multiple Detection", "Monitor Defence" and "Self-Protection" also has practical value for Windows OS security.