Windows7内核完整性验证机制研究-信息工程大学学报.PDF

Vo l. 12 No.6 信息工程大学学报 第 12 卷第 6 期 2011 年 12 月 Journal of Information Engineering University Dec.2011 Windows 7 内核完整性验证机制研究 韩卓1 ， 2 冉晓吴吕文高1 (1.信息工程大学信息工程学院，河南郑州 450002;2.65026 部队，吉林璋春 133300) 摘要:Windows 7 的内核完整性验证机制使得传统的内核级攻击代码失去作用。针对这一问 题，在对系统启动过程中的 bootmgr 和 winload. exe 两个文件进行详细分析的基础上，通过修改 这两个文件来绕过用于加载内核完整性验证过程的关键函数。测试表明，在获取提升权限的 前提下，将上述两个启动文件替换后系统仍然能够正常启动而没有发现异常，说明可以对 Windows 7 的部分完整性验证机制实现突破。 关键词:逆向分析;Windows 7 系统;完整性验证 中图分类号:TP316 文献标识码:A 文章编号:1671 -0673(2011)06 -0764 -05 Kernel Integrity Verification of Windows 7 I 2 l l HAN ZhUO • , RAN Xiao-min , LV Wen-gao (1. Institute of Information Engineering , Information Engineering University , Zhengzhou 450002 , China; 2. Unit 65026 , Hunchun 133300 , Chína) Abstract: Windows 7 s kernel integrity verification mechanism makes traditional kernel-level attacks useless. To solve this problem , this paper presents detailed analysis of two files in the system boot process , bootmgr and winload. exe. The key functions used to load the integrity verification process are bypassed by modifying these two files. Tests show that when privileges have been elevated , the Windows 7 system is still able to start with no abnormal syptoms found after the replacing of the two files. 50 with this method , the integrity verification mechanism of Windows 7 is partially broken. Key words: reverse analysis; Windows 7 oper