Abstract: According to the problem that registry item hidden by Rootkit Trojan can not be effectively detected, this paper proposes a prefect solution by analyzing the Windows registry system and registry concealment technique. The crucial problems are solved, such as the lower-level data copying algorithm which is used to copy registry files, the multi-level match algorithm which is used to detect the hidden position. Experimental result shows that the solution can breakthrough restrictions of Windows, detect all hidden nodes from the kernel layer to application layer unaffected, and get rid of interference of Rootkit.

Key words: registry concealment, lower-level data copying, concealment detection, registry information extraction, multi-level matching algorithm, Rootkit trojan

摘要： 在分析Windows注册表系统及注册表隐藏技术的基础上，提出一个完全解决方案用于检测被Rootkit等木马隐藏的注册表项。设计底层数据复制算法来复制注册表文件，以解决无法直接读取注册表信息的问题，通过多层次匹配算法检测得到注册表的隐藏位置。实验结果证明，该方案可以突破Windows系统的限制，检测到从内核层到应用层所有被隐藏和修改的注册表信息及其隐藏位置，且不受Rootkit木马干扰。

关键词: 注册表隐藏, 底层数据复制, 隐藏检测, 注册表信息提取, 多层次匹配算法, Rootkit木马

CLC Number: 

• TP393.08