
Computer Engineering (计算机工程), 2006, Vol. 32, Issue 20: 95-96. doi: 10.3969/j.issn.1000-3428.2006.20.035

• Software Technology and Database •

A Detection Mechanism for Hidden Processes on Windows (2000/XP)

WANG Linfeng (王驎峰), DONG Liangwei (董亮卫)

  1. (School of Computer Science, University of Electronic Science and Technology of China, Chengdu 610054)
  • Online: 2006-10-20  Published: 2006-10-20


Abstract: With the continuing development of computer technology, intrusion techniques have recently appeared that exploit weaknesses in the Windows (2000/XP) kernel design to hide their own processes from the operating system's normal process enumeration. Against this hiding technique, this paper proposes a new detection method that uses the kernel process environment block (KPEB), the kernel thread environment block (KTEB) and the scheduling (dispatcher) mechanism of the Windows operating system to locate such hidden processes, and gives example code. The technique covers the KPEB, the KTEB, the traditional process-detection mechanism and the dispatcher.

Key words: Process, Hidden, Kernel process environment block (KPEB), Kernel thread environment block (KTEB), Detection
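The abstract's idea is a cross-view check: a rootkit that unlinks its EPROCESS (the paper's "KPEB") from the kernel's active-process list disappears from Task Manager and EnumProcesses, but its threads (ETHREAD/KTHREAD, the paper's "KTEB") must stay on the dispatcher's ready and wait lists or they will never be scheduled, and every thread carries a back-pointer to its owning process. Walking the scheduler's threads and comparing the set of owning processes against the process list exposes the hidden one. The following C program is an added illustration written for this page, not the authors' code: it models the two kernel lists with simplified user-mode stand-ins for EPROCESS and ETHREAD (the field names `ActiveProcessLinks`, `Process` and `SchedulerLinks` are assumptions mirroring the real structures), performs a DKOM-style unlink on a constructed snapshot of three processes and four threads, and then runs the cross-view detection over it.

```c
#include <stddef.h>
#include <stdio.h>

/* Doubly-linked list node in the style of the kernel's LIST_ENTRY. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Recover the enclosing structure from a pointer to its embedded LIST_ENTRY. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Simplified stand-in for the kernel process block (EPROCESS, the paper's KPEB).
   Field names are assumptions chosen to mirror the real structure. */
typedef struct _PROCESS {
    unsigned   pid;
    const char *name;
    LIST_ENTRY ActiveProcessLinks;  /* chain that PsActiveProcessHead / Task Manager walk */
} PROCESS;

/* Simplified stand-in for the kernel thread block (ETHREAD/KTHREAD, the paper's KTEB). */
typedef struct _THREAD {
    unsigned   tid;
    PROCESS   *Process;             /* back-pointer to the owner (KTHREAD.ApcState.Process) */
    LIST_ENTRY SchedulerLinks;      /* entry in the dispatcher's ready/wait lists */
} THREAD;

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry) {
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* DKOM-style hiding: splice the process out of ActiveProcessLinks and point the
   orphaned entry at itself so a later kernel unlink does not fault. */
static void dkom_hide(PROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* View 1: the process list as EnumProcesses / Task Manager see it. */
static int in_process_list(LIST_ENTRY *head, const PROCESS *p) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        if (CONTAINING_RECORD(e, PROCESS, ActiveProcessLinks) == p)
            return 1;
    return 0;
}

static int count_processes(LIST_ENTRY *head) {
    int n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}

/* View 2: walk the scheduler's thread list and follow each thread's back-pointer.
   A process that owns schedulable threads but is absent from view 1 has been
   unlinked. Returns the number of hidden processes; their PIDs go to out[]. */
static int detect_hidden(LIST_ENTRY *proc_head, LIST_ENTRY *thread_head,
                         unsigned *out, int max_out) {
    int n = 0;
    for (LIST_ENTRY *e = thread_head->Flink; e != thread_head; e = e->Flink) {
        THREAD *t = CONTAINING_RECORD(e, THREAD, SchedulerLinks);
        PROCESS *p = t->Process;
        if (in_process_list(proc_head, p))
            continue;
        int seen = 0;                       /* report each hidden process once */
        for (int i = 0; i < n; i++)
            if (out[i] == p->pid) seen = 1;
        if (!seen && n < max_out)
            out[n++] = p->pid;
    }
    return n;
}

/* Constructed snapshot: three processes, four threads, one process hidden by DKOM. */
static PROCESS    procs[3];
static THREAD     threads[4];
static LIST_ENTRY proc_head, thread_head;

static int run_demo(unsigned *hidden, int max_hidden) {
    static const unsigned pids[3]  = {4, 1337, 2048};
    static const char    *names[3] = {"System", "rootkit.exe", "notepad.exe"};
    static const int      owner[4] = {0, 1, 1, 2};   /* owning process of each thread */

    list_init(&proc_head);
    list_init(&thread_head);
    for (int i = 0; i < 3; i++) {
        procs[i].pid  = pids[i];
        procs[i].name = names[i];
        list_insert_tail(&proc_head, &procs[i].ActiveProcessLinks);
    }
    for (int i = 0; i < 4; i++) {
        threads[i].tid     = 100 + i;
        threads[i].Process = &procs[owner[i]];
        list_insert_tail(&thread_head, &threads[i].SchedulerLinks);
    }
    dkom_hide(&procs[1]);                   /* the rootkit hides PID 1337 */
    return detect_hidden(&proc_head, &thread_head, hidden, max_hidden);
}

int main(void) {
    unsigned hidden[4];
    int n = run_demo(hidden, 4);
    printf("process list shows %d processes; scheduler view finds %d hidden\n",
           count_processes(&proc_head), n);
    for (int i = 0; i < n; i++)
        printf("hidden process: pid %u\n", hidden[i]);
    return 0;
}
```

On a real Windows 2000/XP system this walk has to run in kernel mode (a driver), and the process list head, the dispatcher list heads and the offsets of `ActiveProcessLinks` and the thread-to-process back-pointer are not exported and differ between builds, so they must be resolved per kernel version from symbol information rather than hard-coded. The reason the scheduler view is hard for a rootkit to falsify is also visible in the model: removing its threads from the dispatcher lists as well would leave the hidden process with no way to ever receive CPU time.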