This thesis presents a new rootkit for 64-bit Windows 7 together with its detection. The rootkit was studied on real hardware using two attack techniques. The first uses DKOM to modify the Flink and Blink fields of the EPROCESS kernel object in memory, breaking the links that chain EPROCESS objects together so that a chosen process is hidden. The second uses an SSDT hook: the kernel function KeBugCheckEx serves as a jump function spanning kernel space and user space, and the memory addresses of the NtTerminateProcess and NtQueryDirectoryFile kernel functions recorded in the original SSDT are redirected through this jump function to the rootkit program, which restricts process termination and hides files.
The above attack techniques reveal weaknesses in 64-bit Windows 7. To harden against them, the memory state must be scanned and the changes to the memory space of kernel functions and to the links between kernel objects analyzed; only then can the ability to detect such attacks be strengthened.
This study found that, with PatchGuard protection set aside, 64-bit Windows 7 still has the weaknesses that kernel functions in kernel space can be redirected to a jump function and that kernel objects can be modified. Only by remedying these two weaknesses can the security of 64-bit Windows 7 be strengthened against this new type of rootkit.
This thesis is a study of a new rootkit for the 64-bit Windows 7 operating system and its detection. The rootkit uses two attack techniques. The first uses DKOM to modify the EPROCESS object in Windows kernel memory in order to hide a process. The second uses an SSDT hook to redirect two kernel APIs, NtTerminateProcess and NtQueryDirectoryFile, in order to restrict process termination and hide files.
Through these attack techniques the weaknesses of the 64-bit Windows 7 operating system become clear, and a new rootkit can be found by analyzing the SSDT memory addresses and the flink and blink fields of kernel objects.
This study found that a new rootkit can attack the 64-bit Windows 7 operating system by using a jump function in kernel-space memory and by changing kernel objects while bypassing the PatchGuard protection.
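The detection side of the abstract (scanning memory state and checking the links between kernel objects) can be illustrated with a cross-view check on a simulated process list. The code below is an added example, not the thesis's own code: the `proc_t` struct, process names and PIDs are constructed stand-ins for EPROCESS and its ActiveProcessLinks, and the detector flags any object that a list walk does not reach, or whose neighbours do not point back at it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the EPROCESS fields discussed above:
 * the Flink/Blink pair of ActiveProcessLinks plus a PID and name.
 * The layout is illustrative only and does not match real Windows. */
typedef struct proc {
    uint32_t pid;
    const char *name;
    struct proc *flink;   /* next entry in the active-process list */
    struct proc *blink;   /* previous entry in the list */
} proc_t;

#define NPROCS 5

/* Constructed "pool": every process object a memory scan would carve out
 * of kernel memory, regardless of whether it is still on the list. */
static proc_t pool[NPROCS] = {
    {4, "System", NULL, NULL}, {500, "csrss.exe", NULL, NULL},
    {1234, "hidden.exe", NULL, NULL}, {2048, "explorer.exe", NULL, NULL},
    {3000, "notepad.exe", NULL, NULL},
};

/* Normal state: all entries chained into a circular doubly-linked list. */
static void link_all(void) {
    for (int i = 0; i < NPROCS; i++) {
        pool[i].flink = &pool[(i + 1) % NPROCS];
        pool[i].blink = &pool[(i + NPROCS - 1) % NPROCS];
    }
}

/* Reproduce the state the thesis describes: the neighbours of the target
 * are patched to skip it, while the target keeps its own pointers. */
static void simulate_dkom_hide(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
}

/* Cross-view detection: walk the list from the head, then compare with the
 * pool. An object the walk never reaches, or whose neighbours do not point
 * back at it, is reported as hidden. Returns the number of hits. */
static int detect_hidden(const proc_t *head, uint32_t *hits, int max) {
    bool seen[NPROCS] = {false};
    const proc_t *cur = head;
    int guard = 0, n = 0;
    do { seen[cur - pool] = true; cur = cur->flink; }
    while (cur != head && ++guard < 2 * NPROCS);   /* guard against loops */
    for (int i = 0; i < NPROCS && n < max; i++) {
        bool back_ok = pool[i].flink->blink == &pool[i] &&
                       pool[i].blink->flink == &pool[i];
        if (!seen[i] || !back_ok) hits[n++] = pool[i].pid;
    }
    return n;
}

/* Scenario helpers: a clean list and one with pool[2] unlinked. */
int clean_hidden_count(void) { uint32_t h[NPROCS]; link_all(); return detect_hidden(&pool[0], h, NPROCS); }
int demo_hidden_count(void) { uint32_t h[NPROCS]; link_all(); simulate_dkom_hide(&pool[2]); return detect_hidden(&pool[0], h, NPROCS); }
uint32_t demo_hidden_pid(void) { uint32_t h[NPROCS]; link_all(); simulate_dkom_hide(&pool[2]); detect_hidden(&pool[0], h, NPROCS); return h[0]; }

int main(void) { printf("hidden PIDs found: %d (first: %u)\n", demo_hidden_count(), demo_hidden_pid()); return 0; }
```

The same two-view idea applies to the SSDT hook case: each table entry's address is compared against the kernel image's address range instead of against a list walk.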