Journal of Computer Applications

• Information security

Hidden process detection technique based on memory search

He-Jun Hu Ming-Yu Fan   

  • Received:2008-07-25 Revised:2008-09-23 Online:2009-01-01 Published:2009-01-01
  • Contact: He-Jun Hu

  1. School of Computer Science and Engineering, University of Electronic Science and Technology of China; Information Security Research Center, University of Electronic Science and Technology of China
  • Corresponding author: He-Jun Hu

Abstract: Existing hidden process detection techniques and the corresponding anti-detection techniques in Windows were studied, a new detection method based on memory search was proposed, and its performance was improved. The technique makes use of the inherent characteristics of process objects to traverse the system address space and build a complete process list, from which hidden processes are then detected. Experiments show that this detection method offers higher reliability, efficiency and completeness.

Key words: rootkit, memory search, hidden process

Abstract (translated): Existing hidden process detection techniques in Windows and the corresponding anti-detection techniques were studied, a hidden process detection technique based on memory search was proposed, and an improvement to its performance was put forward. The technique uses the inherent characteristics of processes to traverse the system address space and build a complete process list, with which hidden processes are detected. Experiments show that the technique has good reliability, detection efficiency and completeness.

Key words (translated): Rootkit, memory search, process hiding