计算机工程与应用 ›› 2012, Vol. 48 ›› Issue (6): 102-105.

• 网络、通信、安全 • 上一篇    下一篇

二次跳转的SSDT钩挂及其检测方法研究

何耀彬,李祥和,韩 卓   

  1. 解放军信息工程大学 信息工程学院,郑州 450002
  • 收稿日期:1900-01-01 修回日期:1900-01-01 出版日期:2012-02-21 发布日期:2012-02-21

Research on twice-jump SSDT_Hook and its detection

HE Yaobin, LI Xianghe, HAN Zhuo   

  1. Information Engineering College, Information Engineering University of PLA, Zhengzhou 450002, China
  • Received:1900-01-01 Revised:1900-01-01 Online:2012-02-21 Published:2012-02-21

摘要: 对传统SSDT钩挂(SSDT_Hook)及其检测方法进行了分析,同时分析了一种经过了二次跳转的SSDT钩挂方法。该方法使用了MOV指令跳转到可信任地址空间,再二次跳转到恶意代码中,突破了传统主动防御系统的JMP指令检测法和指令跳转分析法。最后,给出了一种针对该SSDT_Hook的检测方法,重点对传统检测方法中的SSDT寻址方法进行了改进,取得了较好的效果。

关键词: SSDT钩挂, 可信任地址空间, KeServiceDescriptorTable, 二次跳转

Abstract: The traditional SSDT_Hook and its detection methods are analyzed, then it also analyzes a twice-jump SSDT_Hook. This method uses MOV to reach a trustable address, then makes processing jumps to its code. It has broken through the JMP-detection and jump-analysis in traditional IPS(Intrusion Prevention System). Finally, this paper presents a method for the detection of the SSDT_Hook. Focus on the improvements of addressing the SSDT, it has achieved good results.

Key words: SSDT_Hook, trusted address space, KeServiceDescriptorTable, the twice-jump