基于WMI技术的进程静音模型研究-计算机工程与应用.PDF

Computer Engineering and Applications 计算机工程与应用 2012 ，48 （27 ） 79 基于WMI 技术的进程静音模型研究 陈晶宁，康 绯，马亚南，王军博 CHEN Jingning, KANG Fei, MA Yanan, WANG Junbo 信息工程大学 信息工程学院 网络工程系，郑州 450002 Department of Network Engineering, College of Information Engineering, Information Engineering University, Zhengzhou 450002, China CHEN Jingning, KANG Fei, MA Yanan, et al. Silent control model of process based on WMI technology. Computer Engineering and Applications, 2012, 48 （27 ）：79-83. Abstract ：Process needs to occupy system resources while it is running, and it will increase the system load to some extent. The traditional technology of process concealment can not do very well while the process has high de- mand for hidden, because it doesn ’t do something to control the use of resources. A silent control model based on Windows Management Instrumentation （WMI ）is proposed. Under the guidance of this mode, the process of run- ning of a special process can be dynamically regulated by the current system load and the share of resources of the special process, and it can well overcome the impact on user caused by the sudden increase load of the system as well as improve the concealment of process and efficient use of resources. Key words ：Windows Management Instrumentation （WMI ）; silent control; process concealment; performance mon- itoring; device access 摘 要：进程运行时需要占用系统的资源，会在一定程度上增加系统的负载，传统进程隐藏技术无法控制进程 对资源的利用，不利于进程的隐藏。提出了一个基于Windows 管理规范（WMI ）的进程静音运行的模型，在此 模型的指导下，依据当前系统负载情况和进程所占资源可以动态调控进程下一时刻对资源的利用，很好地克 服了系统负载突增时对用户的影响，提高进程的隐蔽性，也使得资源得到了充分的利用。 关键词：Windows 管理规范（WMI ）；静音控制；进程隐藏；性能监控；设备访问 文章编号：1002-8331（2012 ）27-0079-05 文献标识码：A 中图分类号：TP393.08 1 引言 实现方法多为DLL 注入或远程线程插入等，因此“真 常见用于木马进程隐藏方法可分为“伪隐藏”和 隐藏”之后，木马进程根本就不会独立出现在进程列 [1] 表中，而是以合法进程的身份在运行。可见，两种方 “真隐藏”两大类 。“伪隐藏”的出发点基本就是在活 动进程链