Research and Implementation of a Trojan Horse Attack and Detection System
Published: 2019-01-03 19:14
[Abstract]: As networks have grown, information security has become a matter of wide concern. Where viruses once ran rampant, Trojan horses now proliferate: information-stealing Trojans have displaced viruses as the leading threat to network security and have become a key tool in the "move to the Internet" of the grey-profit groups behind them. Producing and distributing Trojans, stealing account data, turning it into illicit profit, laundering the proceeds and splitting them have formed a complete "hacker economic chain" centred on the Trojan and aimed at stealing users' property. The work of this thesis is as follows:

1. The classification of Trojans is surveyed, the five generations of Trojan technology are introduced, and future trends are outlined. The working principle of a Trojan is analysed in detail, together with the specific techniques used in its four phases: implantation, startup, concealment and establishment of communication. The hooking, remote thread injection and port reuse techniques a Trojan uses to hide its own resources are analysed in detail, and the principle of dynamic link libraries (DLLs) is introduced.

2. Five existing anti-Trojan techniques are described: signature matching, virtual-machine (emulation) analysis, static heuristics, dynamic heuristics (behaviour detection) and intrusion detection. The strengths and weaknesses of each, and the area in which each excels, are compared.

3. Focusing on the currently prevalent Trojan types, the operating system's service flow, the mechanism for switching between kernel mode and user mode, and the use of API functions are analysed. On this basis, a detection approach for highly concealed Rootkit Trojans is proposed: parse system resources directly at the lowest level to obtain the complete set of objects, then compare that set with the view presented to user mode, so that any resource hidden from user mode shows up as a discrepancy between the two views. Using this idea, a Trojan detection system model is built that combines memory integrity checking with detection of hidden processes, registry entries and files; the idea and concrete steps of each detection module are set out in the corresponding chapters.

4. The detection system is tested. The results show that it detects highly concealed Rootkit Trojans well and has certain advantages over comparable detection software; the tests also exposed shortcomings of the system.
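As an added illustration of the cross-view detection idea in item 3 (example code written for this page, not the thesis's own detector, which the abstract does not reproduce), the block below compares a user-mode view of a resource with a low-level view of the same resource and reports what user mode cannot see. The process lists, registry values, service-table entries and kernel address range are all constructed sample data; on a real system the low-level view would come from the kernel-structure and raw-hive parsers the thesis describes, and the user-mode view from the ordinary enumeration APIs. The memory-integrity check is likewise an assumption about what such a check looks like (a dispatch-table pointer range test), since the abstract names the check but not its method.

```python
"""Cross-view rootkit detection: obtain a low-level view of a resource
(processes, registry values, files), obtain the user-mode view of the same
resource, and report what the low-level view contains but user mode does not.
All data below is constructed for the example; none of it is output from the
thesis's own detector."""
from typing import Dict, List, Tuple

# ---- Constructed sample views -----------------------------------------------
# Process table as seen through a user-mode enumeration API (PID -> image name).
# A rootkit hooking that API has removed PID 3388 from this list.
USER_MODE_PROCESSES: Dict[int, str] = {
    4: "System", 512: "services.exe", 1040: "explorer.exe", 2216: "notepad.exe",
}
# Process table obtained by parsing kernel process objects directly (the
# thesis's "bottom-level" view; the parser itself is not shown here).
LOW_LEVEL_PROCESSES: Dict[int, str] = {
    4: "System", 512: "services.exe", 1040: "explorer.exe", 2216: "notepad.exe",
    3388: "svch0st.exe",
}
# Autostart values under a Run key (value name -> command): user-mode registry
# API versus a parse of the raw hive file.
USER_MODE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}
RAW_HIVE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "WinUpdate": r"C:\Windows\Temp\svch0st.exe",
}
# Kernel service table (index -> handler address) and the assumed address
# range of the kernel image; both are made-up values for the example.
KERNEL_IMAGE_RANGE: Tuple[int, int] = (0x80400000, 0x80800000)
SERVICE_TABLE: Dict[int, int] = {0x25: 0x8050A1C0, 0x4A: 0x8051B3E8, 0xAD: 0xF7C2E410}


def cross_view_diff(user_view: Dict, low_view: Dict) -> Tuple[Dict, Dict]:
    """Compare two views of one resource keyed by a stable identifier (PID,
    value name, full path).  Returns (hidden, phantom): 'hidden' objects exist
    at the low level but are missing from user mode, the rootkit signature the
    abstract targets; 'phantom' objects are reported by user mode only, which
    usually means the object disappeared between the two snapshots."""
    hidden = {k: v for k, v in low_view.items() if k not in user_view}
    phantom = {k: v for k, v in user_view.items() if k not in low_view}
    return hidden, phantom


def confirm_hidden(rounds: List[Tuple[Dict, Dict]]) -> Dict:
    """Processes start and exit between the two snapshots of one round, so a
    single diff can flag a transient object.  Only objects hidden in every
    round are reported, which filters that race out of the result."""
    confirmed = None
    for user_view, low_view in rounds:
        hidden, _ = cross_view_diff(user_view, low_view)
        confirmed = hidden if confirmed is None else {
            k: v for k, v in confirmed.items() if k in hidden
        }
    return confirmed or {}


def find_hooked_entries(table: Dict[int, int], trusted: Tuple[int, int]) -> Dict[int, int]:
    """Memory-integrity check (illustrative): every entry of a kernel dispatch
    table should point inside the kernel image.  Entries pointing elsewhere
    have been redirected to foreign code."""
    lo, hi = trusted
    return {i: addr for i, addr in table.items() if not lo <= addr < hi}


def run_report() -> Dict[str, Dict]:
    """Run the three checks over the constructed views and collect findings."""
    # Round 1: a transient cmd.exe started between the two snapshots and must
    # not be reported; svch0st.exe is hidden in both rounds and must be.
    round1_low = {**LOW_LEVEL_PROCESSES, 4100: "cmd.exe"}
    hidden_procs = confirm_hidden([
        (USER_MODE_PROCESSES, round1_low),
        (USER_MODE_PROCESSES, LOW_LEVEL_PROCESSES),
    ])
    hidden_values, _ = cross_view_diff(USER_MODE_RUN_VALUES, RAW_HIVE_RUN_VALUES)
    hooked = find_hooked_entries(SERVICE_TABLE, KERNEL_IMAGE_RANGE)
    return {"hidden_processes": hidden_procs,
            "hidden_run_values": hidden_values,
            "hooked_service_entries": hooked}


if __name__ == "__main__":
    for check, findings in run_report().items():
        print(f"{check}: {findings if findings else 'none'}")
```

The same `cross_view_diff` applies to files by keying a directory listing on full path. Keying on a stable identifier rather than on a display name matters: a rootkit that only renames itself in the user-mode view would otherwise be missed, and two views taken at different instants are only comparable once the transient objects are filtered out, which is why `confirm_hidden` intersects several rounds instead of trusting one.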
[Degree-granting institution]: Inner Mongolia University (內(nèi)蒙古大學(xué))
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08
Article number: 2399772
Link to this article: http://sikaile.net/guanlilunwen/ydhl/2399772.html