Abstract: By hooking system services, a program can alter the system's control flow and data flow and even filter the inputs and outputs of system services. System service hooks used in malware are a severe threat to computer system security. To address this problem, this paper patches the system service dispatch routine in memory, changing the control flow of system service invocation so that System Service Dispatch Table (SSDT) hooks are bypassed, and uses a detection-and-restoration scheme to resist inline hooks of system service functions. A hookWare program is designed to validate the effectiveness of the two hook countermeasure schemes.
Key words: countermeasure, system service, hook, memory patch
CLC number:
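The two countermeasures the abstract describes (a dispatcher that no longer trusts the live SSDT entry, and detection plus in-place restoration of an inline-hooked service prologue) can be modelled outside the kernel. The following is an added example written for this page, not the authors' hookWare program or any code from the paper: the "kernel image", the SSDT, the rootkit region and all function names are constructed for illustration, and a real implementation would operate on ntoskrnl's actual table and routines with the appropriate write-protection handling.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed user-mode model of SSDT hooking and inline hooking.
   Nothing here touches a real kernel: "ntoskrnl" is a byte array, the SSDT is
   an array of addresses into it, and "rootkit_code" is a separate region. */
#define SVC_COUNT    2
#define SVC_SIZE     16
#define PROLOGUE_LEN 5   /* long enough to hold an x86 JMP rel32 (E9 xx xx xx xx) */

static uint8_t   ntoskrnl[SVC_COUNT * SVC_SIZE]; /* fake service routines */
static uint8_t   rootkit_code[SVC_SIZE];          /* where hooks redirect control */
static uintptr_t ssdt[SVC_COUNT];                 /* live (tamperable) dispatch table */
/* Trusted copies captured before any third-party driver could have run. */
static uintptr_t ssdt_clean[SVC_COUNT];
static uint8_t   prologue_clean[SVC_COUNT][PROLOGUE_LEN];

static uintptr_t svc_addr(int idx) { return (uintptr_t)&ntoskrnl[idx * SVC_SIZE]; }

/* Build the model and take the trusted snapshots (the countermeasure's setup step). */
void init_model(void)
{
    /* push ebp; mov ebp,esp; sub esp,imm8 : a typical 32-bit service prologue */
    static const uint8_t prologue[PROLOGUE_LEN] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC };
    for (int i = 0; i < SVC_COUNT; i++) {
        memset(&ntoskrnl[i * SVC_SIZE], 0x90, SVC_SIZE);
        memcpy(&ntoskrnl[i * SVC_SIZE], prologue, PROLOGUE_LEN);
        ssdt[i] = svc_addr(i);
    }
    memset(rootkit_code, 0xCC, sizeof rootkit_code);
    memcpy(ssdt_clean, ssdt, sizeof ssdt);
    for (int i = 0; i < SVC_COUNT; i++)
        memcpy(prologue_clean[i], (const void *)ssdt[i], PROLOGUE_LEN);
}

/* Attacker, variant 1: SSDT hook, i.e. swap the table entry. */
void attacker_hook_ssdt(int idx) { ssdt[idx] = (uintptr_t)rootkit_code; }

/* Attacker, variant 2: inline hook, i.e. overwrite the prologue with JMP rel32. */
void attacker_hook_inline(int idx)
{
    uint8_t *p = (uint8_t *)svc_addr(idx);
    int32_t rel = (int32_t)((intptr_t)rootkit_code - (intptr_t)(p + PROLOGUE_LEN));
    p[0] = 0xE9;
    memcpy(p + 1, &rel, sizeof rel);
}

/* Countermeasure 1: the patched dispatcher resolves the service from the trusted
   copy instead of the live SSDT, so an SSDT hook never receives control.
   Reports whether the live entry disagreed with the trusted one. */
uintptr_t dispatch_resolve(int idx, int *tampered)
{
    *tampered = (ssdt[idx] != ssdt_clean[idx]);
    return ssdt_clean[idx];
}

/* Sanity check: a legitimate SSDT entry must point inside the kernel image. */
int ssdt_entry_in_kernel(int idx)
{
    uintptr_t a = ssdt[idx];
    return a >= (uintptr_t)ntoskrnl && a < (uintptr_t)ntoskrnl + sizeof ntoskrnl;
}

/* Countermeasure 2a: inline-hook detection using two independent signals:
   the prologue differs from the trusted snapshot, or it begins with a control
   transfer (E9 jmp rel32, E8 call rel32, FF 25 jmp [mem], 68 imm32 C3 push/ret). */
int inline_hook_detected(int idx)
{
    const uint8_t *p = (const uint8_t *)svc_addr(idx);
    if (memcmp(p, prologue_clean[idx], PROLOGUE_LEN) != 0) return 1;
    if (p[0] == 0xE9 || p[0] == 0xE8) return 1;
    if (p[0] == 0xFF && p[1] == 0x25) return 1;
    if (p[0] == 0x68 && p[5] == 0xC3) return 1;
    return 0;
}

/* Countermeasure 2b: restore the trusted prologue in place; 1 if bytes changed. */
int inline_hook_restore(int idx)
{
    uint8_t *p = (uint8_t *)svc_addr(idx);
    if (memcmp(p, prologue_clean[idx], PROLOGUE_LEN) == 0) return 0;
    memcpy(p, prologue_clean[idx], PROLOGUE_LEN);
    return 1;
}

/* Periodic scan: repair hooked SSDT entries and prologues, return repair count. */
int scan_and_repair(void)
{
    int repaired = 0;
    for (int i = 0; i < SVC_COUNT; i++) {
        if (ssdt[i] != ssdt_clean[i] || !ssdt_entry_in_kernel(i)) { ssdt[i] = ssdt_clean[i]; repaired++; }
        if (inline_hook_detected(i)) { inline_hook_restore(i); repaired++; }
    }
    return repaired;
}

/* Scenario: hook service 0 via the SSDT and service 1 inline, dispatch, then
   scan and repair. Returns the number of repairs (negative on a logic failure). */
int run_scenario(void)
{
    int tampered;
    init_model();
    attacker_hook_ssdt(0);
    attacker_hook_inline(1);
    if (dispatch_resolve(0, &tampered) != svc_addr(0) || !tampered) return -1;
    if (!inline_hook_detected(1) || inline_hook_detected(0)) return -2;
    return scan_and_repair();
}

/* 1 if every SSDT entry and every prologue matches its trusted copy. */
int model_is_clean(void)
{
    for (int i = 0; i < SVC_COUNT; i++)
        if (ssdt[i] != ssdt_clean[i] || inline_hook_detected(i)) return 0;
    return 1;
}

int main(void)
{
    int n = run_scenario();
    printf("repairs: %d, clean afterwards: %d\n", n, model_is_clean());
    return 0;
}
```

The model keeps the paper's division of labour: the SSDT hook is defeated by changing where the dispatcher looks rather than by repairing the table, while the inline hook, which lives inside the routine itself, can only be dealt with by detecting the modified prologue and writing the trusted bytes back. The opcode heuristic is a second signal for routines whose clean prologue was never captured; it is not a substitute for the snapshot comparison, since a hook can be placed past the first instruction.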
WANG Quan-Min, ZHU Er-Fu, ZHOU Qing, LIU Yu-Meng. System Service Hook Countermeasure in Kernel Mode[J]. Computer Engineering, 2010, 36(11): 143-145.