An Effective Scheme for Protecting against Windows Kernel-mode Rootkits

Master's thesis, Da-Yeh University (大葉大學), Department of Information Management, Master's Program (資訊管理學系碩士班), academic year 98.

More and more malicious programs are combined with rootkits to shield their illegal activities, so that information security defense faces a great challenge. It can be observed that most sophisticated kernel-mode rootkits are implemented to carry out their hiding tasks through drivers in the Windows kernel. Among the current prevention schemes, memory shadowing, kernel-mode code signing and host-based intrusion prevention systems all protect the operating system passively, and they cannot identify whether rootkits have intruded into the operating system. On the other hand, although many companies and individuals have released rootkit detectors to the public, and these undoubtedly detect known rootkits effectively, it cannot be foreseen what the result will be when they meet unknown rootkits or a crashed operating system. Hence, this thesis develops a prevention mechanism that can identify driver-hidden rootkits in order to protect Windows-based operating systems. Our research constructs an anti-rootkit scheme that protects the Windows kernel for higher system security, especially safeguarding the Windows kernel from the damage done by unknown driver-hidden rootkits. Moreover, we test the proposed prevention scheme on Windows XP SP3 on the Testbed@TWISC platform. We affirm that our efforts are extremely useful for improving the current techniques for preventing Windows driver-hidden rootkits.

Bibliographic Details
Main Authors: SHI-JIA Lin (林士嘉)
Other Authors: Woei-Jiunn Tsaur (曹偉駿)
Title (Chinese): 有效的Windows核心模式Rootkits惡意軟體防禦機制 (An effective defense mechanism against Windows kernel-mode rootkit malware)
Format: Others (degree thesis)
Language: zh-TW
Published: 2010
Online Access: http://ndltd.ncl.edu.tw/handle/12058051180668887068
Record ID: ndltd-TW-098DYU00396024
Collection: NDLTD