Abstract (translated from the Chinese): The mechanisms behind Direct Kernel Object Manipulation (DKOM) and call gates are analysed, and an approach is proposed that uses a call gate to raise the privilege level of a user-mode program without loading a driver, and then modifies the kernel's doubly-linked process list to hide a process. A Trojan program based on this idea is designed and implemented, its stealth and survivability are verified under experimental conditions, and detection strategies against this class of Trojan are analysed. The experiments show that the Trojan hides its process effectively and evades detection and removal by common security software.
Keywords (translated from the Chinese): Trojan, Direct Kernel Object Manipulation (DKOM), call gate, process hiding
Abstract: The mechanisms of Direct Kernel Object Manipulation (DKOM) and of call gates are analysed, and a driver-less approach is proposed: a call gate is used to elevate the privilege level of a user-mode program, which then modifies the kernel's process list to hide a process. A Trojan program based on this proposal is designed and implemented, and its hiding and survival capabilities are verified under experimental conditions. The experiments show that the Trojan hides its process effectively and evades detection and removal by common security software. Detection methods for this type of Trojan are also analysed.
Key words: Trojan, Direct Kernel Object Manipulation (DKOM), call gate, process hiding
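The abstract names two things: unlinking a process from the kernel's doubly-linked process list (the DKOM step) and detecting Trojans that do so. The following is an added example written for this page, not the paper's Trojan code, and it runs entirely in user mode on a constructed process table: the `FAKE_EPROCESS` layout, the field and function names, and the four sample processes are assumptions made for illustration, and the call-gate privilege-escalation step that the paper uses to reach kernel memory is not reproduced. The detection check shown is a cross-view comparison (a list walk against an independent PID source), which is one common strategy against DKOM hiding; the page does not say which strategy the paper itself analyses.

```c
/* Added example (not the paper's code): a user-mode simulation of the
 * DKOM hiding step and of a cross-view detection check. The structure
 * layout, names and the sample process table are constructed here for
 * illustration; no real kernel memory is touched and the call-gate
 * privilege-escalation step is not reproduced. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's LIST_ENTRY: a circular doubly-linked list. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Stand-in for EPROCESS with only the fields this example needs. */
typedef struct fake_eprocess {
    uint32_t   UniqueProcessId;
    char       ImageFileName[16];
    LIST_ENTRY ActiveProcessLinks;   /* links this entry into the process list */
} FAKE_EPROCESS;

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* The DKOM step: point the neighbours past the victim. The process object
 * itself is untouched and keeps running (the scheduler works from thread
 * lists, not from this list), so it vanishes from list walks only. The
 * victim's own links are made self-referential so that a later unlink
 * (e.g. at process exit) does not write through stale pointers. */
static void dkom_hide(FAKE_EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e;
    e->Blink = e;
}

/* List-walk view: the PIDs an enumeration that follows ActiveProcessLinks
 * would report. Returns the number of PIDs written to out. */
static size_t walk_list(LIST_ENTRY *head, uint32_t *out, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Cross-view detection: compare the list walk with an independent PID source
 * (here the constructed process table, standing in for e.g. the PID table or
 * the scheduler's thread view). PIDs present in the second view but missing
 * from the list walk are reported as hidden. Returns the number found. */
static size_t cross_view_detect(const FAKE_EPROCESS *table, size_t count,
                                LIST_ENTRY *head, uint32_t *hidden, size_t max) {
    uint32_t seen[64];
    size_t nseen = walk_list(head, seen, 64);
    size_t nh = 0;
    for (size_t i = 0; i < count && nh < max; i++) {
        int found = 0;
        for (size_t j = 0; j < nseen; j++)
            if (seen[j] == table[i].UniqueProcessId) { found = 1; break; }
        if (!found)
            hidden[nh++] = table[i].UniqueProcessId;
    }
    return nh;
}

/* Constructed sample: four processes; PID 1337 ("trojan.exe") gets hidden. */
#define NPROC 4
static FAKE_EPROCESS g_table[NPROC];
static LIST_ENTRY g_head;

static size_t run_demo(uint32_t *hidden, size_t max) {
    static const uint32_t pids[NPROC] = {4, 620, 1337, 2048};
    static const char *names[NPROC] = {"System", "csrss.exe", "trojan.exe", "explorer.exe"};
    list_init(&g_head);
    for (size_t i = 0; i < NPROC; i++) {
        g_table[i].UniqueProcessId = pids[i];
        memset(g_table[i].ImageFileName, 0, sizeof g_table[i].ImageFileName);
        strncpy(g_table[i].ImageFileName, names[i], sizeof g_table[i].ImageFileName - 1);
        list_insert_tail(&g_head, &g_table[i].ActiveProcessLinks);
    }
    dkom_hide(&g_table[2]);                           /* hide trojan.exe */
    return cross_view_detect(g_table, NPROC, &g_head, hidden, max);
}

int main(void) {
    uint32_t seen[NPROC], hidden[NPROC];
    size_t nh = run_demo(hidden, NPROC);
    size_t ns = walk_list(&g_head, seen, NPROC);
    printf("list walk sees %zu of %d processes:", ns, NPROC);
    for (size_t i = 0; i < ns; i++) printf(" %u", (unsigned)seen[i]);
    printf("\ncross-view check flags %zu hidden PID(s):", nh);
    for (size_t i = 0; i < nh; i++) printf(" %u", (unsigned)hidden[i]);
    printf("\n");
    return 0;
}
```

The point of the self-referential links in `dkom_hide` is survivability: an unlinked entry whose `Flink`/`Blink` still point at its old neighbours is unlinked a second time when the process exits, corrupting the neighbours' links. The detection side relies on the fact that the hidden process still exists in other kernel views; any view the Trojan does not also patch exposes it.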
CLC number:
PAN Mao-Ru, CAO Tian-Jie. Research on Process Hiding Technology Based on Direct Kernel Object Manipulation [J]. Computer Engineering (计算机工程), 2010, 36(18): 138-140.
Original Chinese citation: 潘茂如, 曹天杰. 基于直接操作内核对象的进程隐藏技术研究 [J]. 计算机工程, 2010, 36(18): 138-140.