本文已被:浏览 1509次 下载 3412次
Received:February 13, 2012 Revised:April 10, 2012
Received:February 13, 2012 Revised:April 10, 2012
中文摘要: 分析了进程隐藏方法及常用检测方法, 论述了搜索系统内存检测隐藏进程的原理及实现方法, 即首先判断页面是否有效, 再根据EPROCESS 结构体特征及OBJECT 对象头特征来判断内存地址是否为EPROCESS 地址,并给出PAE 内存模式与普通内存模式的判别方法及两种内存模式判断页面是否有效的方法, 探讨了提高搜索效率的方法. 在windows 7、vista 等操作系统两种内存模式上实验表明可高效枚举所有进程, 包括通过挂钩枚举进程的函数或进入内核空间直接修改内核数据来达到隐藏自身目的的进程.
Abstract:The paper analyses the way of hiding processes and common method of detecting hidden Processes and discusses the principle and the way of searching system memory to detect hidden Processes. First judged whether the page is effective or not, Then judged whether memory address is address of eprocess or not according to eprocess’s character and object’s character. And bring up the way of judging pae memory mode or general memory mode, The way of judging whether the page is effective or not in two memory mode. Discusses the way of improving efficiency. Experiments on windows 7. vista operation system showed that the algorithm can enumerate all processes with high efficiency in two memory mode, These processes hided self by hooking functions, or directly entered into kernel space changed kernel data to hide self.
文章编号: 中图分类号: 文献标志码:
基金项目:
引用文本:
周利荣,廖建平.高效搜索系统内存检测隐藏进程.计算机系统应用,2012,21(10):188-193
ZHOU Li-Rong,LIAO Jian-Ping.Detect Hidden Processes by Searching System Memory with High Efficiency.COMPUTER SYSTEMS APPLICATIONS,2012,21(10):188-193
周利荣,廖建平.高效搜索系统内存检测隐藏进程.计算机系统应用,2012,21(10):188-193
ZHOU Li-Rong,LIAO Jian-Ping.Detect Hidden Processes by Searching System Memory with High Efficiency.COMPUTER SYSTEMS APPLICATIONS,2012,21(10):188-193
