基于Windows内核的进程隐藏工具的设计与实现本科毕业设计.doc

- 本科毕业设计（论文） 基于Windows内核的进程隐藏工具的设计与实现 摘 要 随着计算机技术和互联网技术的快速发展，信息安全技术显得格外重要，其中的rootkit技术在安全领域越来越重要，是21世纪威胁计算机安全的最大挑战之一。rootkit是电脑上存在的持久的难以检测的一组程序和代码，包括隐藏进程，注册表隐藏文件隐藏，后门木马等。其中最重要的是进程隐藏技术，它是rootkit技术中非常典型的一种应用。本文主要介绍Windows系统的内核rootkit的一种，通过直接操作windows内核对象实现进程隐藏。Windows的许多公开的rootkit都是在用户空间实现的，但内核rootkit比较复杂，也最难检测。本文主要的研究环境包括Windows xp，Win7x86和Win7x64，因为这3种系统占据国内大部分的市场份额，比较具有代表性。这3类Windows系统，在运行的时候，会在内存中保留内核对象信息，包括进程对象。每个内核对象的本质就是一个由操作系统分配的内存块。这个内存块是一个数据结构，其成员维护着与内核对象相关的信息，应用程序只能通过调用系统API访问这块内存。最后介绍了Windows为进程对象建立的结构体和链表，阐述了一个常用内核态进程隐藏技术的原理，直接操作内核对象，并使用该技术设计并实现一个基于Windows内核进程隐藏工具，提供可操作界面，进行一系列测试，在实际中能够实现批量隐藏进程。 关键词：进程隐藏；rootkit；DKOM；直接操作内核对象；windows内核 Abstract With the rapid development of computer technology and Internet technology, information security technology is particularly important where the rootkit technology is increasingly important in the field of security, one of the greatest challenges of the 21st century threats to computer security. A rootkit is a set of procedures and enduring difficult to detect the presence of the code on the computer, including hidden processes, registry hidden files hidden, backdoor Trojans. One of the most important is the hidden process technology, it is rootkit techniques is very typical kind of application.This paper describes a Windows system kernel rootkit through direct manipulation of windows kernel objects hidden process. Many public rootkit Windows are implemented in user space, but the kernel rootkit is more complex, but also the most difficult to detect.In this paper, the main research environment including Windows xp, Win7x86 and Win7x64, because these three systems account for most of the domestic market share, compared with a representative. These three types of Windows systems, at run time, the information will be retained in memory and kernel objects, including the process object. Each kernel object is essentially an operating system