摘要： 对现有各类隐藏进程的实现方法以及隐藏进程检测技术进行研究,提出一种以进程结构与句柄结构间的关系作为内存检索标志获取完整进程信息的方法。该方法可避免检索标志被破坏导致的隐藏进程检测失败。运用交叉视图匹配技术,设计并实现了隐藏进程检测系统,在系统调用、内核结构表遍历、内存检索3个层次基础上获得进程信息。实验结果表明,该系统能实现对隐藏进程的检测及区分功能。

关键词: 内存检索, 结构关系, 隐藏进程, 句柄结构, 进程结构

Abstract: This paper researches the existing implementation methods and detection techniques of hidden processes,and proposes a method of getting process information by retrieving memory.The relationship between process structure and handle structure can be used as a memory retrieval flag to retrieve memory.This method avoids the problem of existing memory retrieval methods that the destroyed retrieval flag can lead to failure of detecting hidden process.This paper designs and implements a hidden process detection system by using cross-view matching technology.Experimental results show that the detection system can realize functions to detect and distinguish hidden processes.

Key words: memory retrieval, structural relationships, hidden process, handle structure, process structure

中图分类号: 

• TP 396