Abstract: Process hiding is a typical application of Rootkit technique. Hidden malicious codes are threats to computer security. By analyzing the Windows Rootkit technology used for process hiding both in the user mode and kernel mode, this paper puts forward several hidden process detection technologies which do not depend on the system services. These detection methods directly use the underlying data structure of the system, and have relatively strong detection ability.

Key words: Rootkit technique, process hiding, process detection, system kernel

摘要： 进程隐藏是Rootkit技术的一种典型应用，隐藏运行的恶意代码威胁到计算机的安全。为此，通过分析Windows系统中利用Rootkit技术对进程进行隐藏的原理，针对用户模式和内核模式2种模式下进程隐藏技术的特点，提出几种不依赖于系统服务的隐藏进程检测技术。此类检测方法直接利用系统底层的数据结构，检测能力强。

关键词: Rootkit技术, 进程隐藏, 进程检测, 系统内核

CLC Number: 

• TP316