
Computer Engineering (计算机工程) ›› 2007, Vol. 33 ›› Issue (20): 181-183. doi: 10.3969/j.issn.1000-3428.2007.20.063

• Security Technology •

Stealthy Trojan Horse Detection Method Based on System Call Hook

LIANG Xiao, LI Yi-chao, CUI Jia, CAO Yue

  1. (Laboratory of Network Attack & Defense, School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 610054)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2007-10-20 Published: 2007-10-20

Abstract: The essence of stealthy Trojan horse design is the hijacking of the normal execution path, and most current detection methods cannot comprehensively detect Trojan programs whose stealth keeps increasing. Drawing on the locality and determinacy of program execution flow in the operating system, and on an analysis of the system function call flag information in both user process space and kernel space, this paper detects whether hidden system call hooks set by Trojan programs exist in the system, and designs and implements the corresponding detection method. Compared with existing detection methods, the scheme makes up for their weakness in detecting unknown Trojans and yields more complete detection results.

Key words: Trojan horse, Rootkit, system call, hook, intrusion detection

CLC number:
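As an added illustration (not code from the paper), the two-level check the abstract describes: the user-space system call stub is verified against its canonical layout and its call index extracted, then the matching dispatch-table entry is checked against the kernel image's code range. Assumed: the 32-bit XP-era ntdll stub layout given in the comments; the table, addresses and stub bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a 32-bit XP-era ntdll system call stub, the user-space
 * "flag" inspected here (the layout is real; every value below is made up):
 *   B8 imm32        mov eax, <system call index>
 *   BA 00 03 FE 7F  mov edx, 7FFE0300h   ; SystemCallStub pointer
 *   FF 12           call dword ptr [edx]
 * A user-space hook overwriting the stub (typically with a jmp) breaks this
 * shape; a kernel-space hook leaves it intact but points the dispatch-table
 * entry at code outside the kernel image. */
#define STUB_LEN 12
static const uint8_t EDX_OPERAND[4] = {0x00, 0x03, 0xFE, 0x7F};
/* Return the call index from an intact stub, or -1 if the stub is patched. */
int user_stub_index(const uint8_t *b, size_t len)
{
    if (len < STUB_LEN || b[0] != 0xB8 || b[5] != 0xBA) return -1;
    if (memcmp(b + 6, EDX_OPERAND, 4) != 0) return -1;
    if (b[10] != 0xFF || b[11] != 0x12) return -1;
    return (int)((uint32_t)b[1] | (uint32_t)b[2] << 8 |
                 (uint32_t)b[3] << 16 | (uint32_t)b[4] << 24);
}
/* 0 = clean, 1 = user stub patched, 2 = kernel entry outside the kernel code
 * range [text_lo, text_hi), -1 = index beyond the table. */
int check_syscall(const uint8_t *stub, size_t stub_len, const uintptr_t *table,
                  size_t n, uintptr_t text_lo, uintptr_t text_hi)
{
    int idx = user_stub_index(stub, stub_len);
    if (idx < 0) return 1;
    if ((size_t)idx >= n) return -1;
    return (table[idx] >= text_lo && table[idx] < text_hi) ? 0 : 2;
}
/* Constructed sample: stubs for index 0x25, an invented kernel code range and table. */
const uint8_t STUB_CLEAN[STUB_LEN] =
    {0xB8, 0x25, 0, 0, 0, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12};
const uint8_t STUB_PATCHED[STUB_LEN] =
    {0xE9, 0x00, 0x10, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12};
#define KTEXT_LO 0x80400000u
#define KTEXT_HI 0x80600000u
#define TABLE_N 64
uintptr_t TABLE[TABLE_N];
/* Fill the table; if hooked, redirect entry 0x25 outside the kernel image. */
int demo(int hooked)
{
    for (size_t i = 0; i < TABLE_N; i++) TABLE[i] = KTEXT_LO + 0x1000 * i;
    if (hooked) TABLE[0x25] = 0xF8A01000u;   /* driver-like address, not in range */
    return check_syscall(STUB_CLEAN, STUB_LEN, TABLE, TABLE_N, KTEXT_LO, KTEXT_HI);
}
```

A real implementation would read the stub bytes from the target process and the table from kernel memory; the verdict logic is unchanged.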