Abstract: Rootkit is a program set which malicious software uses to conceal itself and other specific resources and actions. This paper analyzes and researches on the concealment technologies which representative rootkits on Windows platform commonly use, and classifies them into two categories: modifying kernel object data structures and changing execution paths. The technical principles are described and compared in detail. The future development directions are discussed.

Key words: Windows Rootkit technology, Hook technology, system kernel, system call, Interrupt Descriptor Table(IDT)

摘要： Rootkit是恶意软件用于隐藏自身及其他特定资源和活动的程序集合。该文分析和研究现有的针对Windows系统的代表性Rookit隐藏技术，将其总结为2类：通过修改系统内核对象数据实现隐藏和通过修改程序执行路径实现隐藏。说明并比较了相应的技术原理，展望了Rootkit隐藏技术未来的发展趋势。

关键词: Windows Rootkit技术, Hook技术, 系统内核, 系统调用, 中断描述符表

CLC Number: 

• TP393.08