
Computer Engineering ›› 2008, Vol. 34 ›› Issue (18): 70-71. doi: 10.3969/j.issn.1000-3428.2008.18.025

• Software Technology and Database •

Detection Technique of Persistent Windows Rootkit

WANG Quan-min1,2, YU Jia-geng2, ZHAO Tong2, HAN Hong-ying2   

  1. College of Computer, Tianjin University, Tianjin 300072; 2. College of Computer, Beijing University of Technology, Beijing 100022
  • Received: 1900-01-01  Revised: 1900-01-01  Online: 2008-09-20  Published: 2008-09-20

Persistent Windows Rootkit Detection Technique

王全民1,2,于佳耕2,赵 彤2,韩红英2   

  1. College of Computer, Tianjin University, Tianjin 300072; 2. College of Computer, Beijing University of Technology, Beijing 100022

Abstract: Because a persistent Rootkit stores the intruder's code permanently on disk and hides it, it has become an important computer security problem. This paper applies the cross-view method to build a monitoring system: it decides whether a persistent Windows Rootkit has been installed by analyzing the system's behavior with a file system filter driver and by hooking system services. The system detects Hacker Defender, the most classical real-world Rootkit, together with malware that it protects. Because the system uses a low-level driver and does not rely on signatures, it also performs well at detecting kernel-level and unknown Rootkits.
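The cross-view idea in the abstract is to take one view of the system through the ordinary user-mode APIs (which a Rootkit can hook and filter) and a second view from below those hooks (here, a file system filter driver and the real service dispatch), then report every object that appears in the low-level view but not in the API view. The following added example, which is not code from the paper or its monitoring system, shows that comparison logic on snapshots rather than on a live driver; all file and process listings are constructed sample data, and `normalize_path`, `cross_view_diff` and `run_demo` are names chosen for this illustration.

```python
"""Cross-view comparison of two snapshots of the same system object set.

Added illustration of the cross-view method; the 'views' are constructed
sample data, not captures from a real machine or from the paper's driver.
"""
from typing import Callable, Dict, Iterable, List


def normalize_path(path: str) -> str:
    """Make two Windows path spellings comparable.

    NTFS path lookups are case-insensitive and either view may carry a
    trailing separator or forward slashes, so compare a canonical form.
    """
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view_diff(high_view: Iterable[str],
                    low_view: Iterable[str],
                    key: Callable[[str], str] = lambda s: s,
                    ignore: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Compare an API-level (high) view with a driver-level (low) view.

    Returns:
      hidden  - objects the low-level view sees but the API view does not;
                this is the discrepancy a hiding Rootkit produces.
      phantom - objects only the API view reports; usually a race between
                the two snapshots (object gone by the time the low view ran),
                but still worth a second look.
    `ignore` lists objects that legitimately differ between the two views,
    e.g. NTFS metadata files that Win32 enumeration never returns.
    """
    hi = {key(x) for x in high_view}
    lo = {key(x) for x in low_view}
    skip = {key(x) for x in ignore}
    return {
        "hidden": sorted((lo - hi) - skip),
        "phantom": sorted((hi - lo) - skip),
    }


# --- Constructed sample data: what FindFirstFile-style enumeration returned ---
API_FILE_VIEW = [
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Users\demo\report.docx",
]

# --- Constructed sample data: what the filter driver observed on the volume ---
DRIVER_FILE_VIEW = [
    r"C:\WINDOWS\System32\ntoskrnl.exe",            # same file, different case
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Users\demo\report.docx",
    r"C:\$MFT",                                     # real NTFS metadata, not a Win32 listing entry
    r"C:\Windows\System32\drivers\hidden_rk.sys",   # constructed: absent from the API view
    r"C:\Windows\System32\hidden_cfg.ini",          # constructed: absent from the API view
]

# Known, legitimate differences between the two views (NTFS metadata files).
NTFS_METADATA = [r"C:\$MFT", r"C:\$LogFile", r"C:\$Bitmap"]

# Process views as "pid:image" strings (constructed sample data).
API_PROCESS_VIEW = ["4:System", "512:csrss.exe", "1200:explorer.exe",
                    "2400:notepad.exe"]            # notepad exited between the two snapshots
KERNEL_PROCESS_VIEW = ["4:System", "512:csrss.exe", "1200:explorer.exe",
                       "1880:hidden_svc.exe"]       # constructed: unlinked from the API view


def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Run the comparison over both object classes and return the findings."""
    return {
        "files": cross_view_diff(API_FILE_VIEW, DRIVER_FILE_VIEW,
                                 key=normalize_path, ignore=NTFS_METADATA),
        "processes": cross_view_diff(API_PROCESS_VIEW, KERNEL_PROCESS_VIEW),
    }


def verdict(findings: Dict[str, Dict[str, List[str]]]) -> str:
    """Any object hidden from the API view is the cross-view signal of a Rootkit."""
    hidden = any(result["hidden"] for result in findings.values())
    return "suspect: objects hidden from user-mode view" if hidden else "clean"


if __name__ == "__main__":
    report = run_demo()
    for kind, result in report.items():
        print(f"[{kind}] hidden={result['hidden']} phantom={result['phantom']}")
    print(verdict(report))
```

The comparison is deliberately signature-free: nothing about the flagged names matters, only the fact that the low-level view can see them and the API view cannot, which is why the same logic applies to files, processes or registry keys and to Rootkits not seen before. The `ignore` list is the check a practitioner adds first, because NTFS metadata and similar expected differences would otherwise produce false positives on every scan.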

Key words: monitor system, persistent Rootkit, cross-view

Abstract: A persistent Rootkit can remain concealed in a system for a long time and hide malicious code, threatening computer security. This paper applies the cross-view method to build a monitoring system that analyzes system behavior with a file system filter driver and hooked system services, decides whether a persistent Windows Rootkit has been installed, and completes detection of the classic Rootkit Hacker Defender and the malicious programs it protects. Because this detection technique monitors through a low-level driver and does not depend on signatures, it detects kernel-level Rootkits and Rootkits that appear in the future well.

Key words: monitoring system, persistent Rootkit, cross-view method
