基于内存搜索的隐藏进程检测技术

计算机应用

基于内存搜索的隐藏进程检测技术

胡和君范明钰

电子科技大学计算机科学与工程学院；电子科技大学信息安全研究中心电子科技大学信息安全研究中心

收稿日期:2008-07-25 修回日期:2008-09-23 发布日期:2009-01-01 出版日期:2009-01-01
通讯作者: 胡和君

Hidden process detection technique based on memory search

He-Jun Hu Ming-Yu Fan

Received:2008-07-25 Revised:2008-09-23 Online:2009-01-01 Published:2009-01-01
Contact: He-Jun Hu

摘要/Abstract

摘要： 对现有的Windows下各种隐藏进程检测技术及其反检测技术进行了研究，提出了基于内存搜索的隐藏进程检测技术，并针对该技术的性能提出了改进。该种检测技术利用进程的固有特征对系统地址空间的遍历建立完整的进程列表来检测隐藏进程。通过实验表明，该技术具有较好的可靠性、检测效率和完整性。

关键词: Rootkit, 内存搜索, 进程隐藏

Abstract: To research the existing hidden process detection techniques and its anti-detection techniques in Windows, a new detect method based on the memory search was brought forth and its performance was improved. This technique made use of the inherent characteristics of process to traverse the system address space for establishing integrated process list, and then detected hidden process. Experiments show that this detection method is of higher reliability, efficiency and integrity.

Key words: rootkit, memory search, hidden process

胡和君范明钰. 基于内存搜索的隐藏进程检测技术[J]. 计算机应用.

He-Jun Hu Ming-Yu Fan. Hidden process detection technique based on memory search[J]. Journal of Computer Applications.

[1]	周天阳朱俊虎王清贤. 基于多特征匹配的隐藏进程检测方法[J]. 计算机应用, 2011, 31(09): 2362-2366.
[2]	温研赵金晶王怀民. 基于本地虚拟化技术的隐藏进程检测[J]. 计算机应用, 2008, 28(7): 1769-1771.
[3]	何志范明钰. 基于HSC的进程隐藏检测技术[J]. 计算机应用, 2008, 28(7): 1772-1775.