二次跳转的SSDT钩挂及其检测方法研究

计算机工程与应用 ›› 2012, Vol. 48 ›› Issue (6): 102-105.

二次跳转的SSDT钩挂及其检测方法研究

何耀彬，李祥和，韩卓

解放军信息工程大学信息工程学院，郑州 450002

收稿日期:1900-01-01 修回日期:1900-01-01 出版日期:2012-02-21 发布日期:2012-02-21

Research on twice-jump SSDT_Hook and its detection

HE Yaobin, LI Xianghe, HAN Zhuo

Information Engineering College, Information Engineering University of PLA, Zhengzhou 450002, China

Received:1900-01-01 Revised:1900-01-01 Online:2012-02-21 Published:2012-02-21

摘要/Abstract

摘要： 对传统SSDT钩挂（SSDT_Hook）及其检测方法进行了分析，同时分析了一种经过了二次跳转的SSDT钩挂方法。该方法使用了MOV指令跳转到可信任地址空间，再二次跳转到恶意代码中，突破了传统主动防御系统的JMP指令检测法和指令跳转分析法。最后，给出了一种针对该SSDT_Hook的检测方法，重点对传统检测方法中的SSDT寻址方法进行了改进，取得了较好的效果。

关键词: SSDT钩挂, 可信任地址空间, KeServiceDescriptorTable, 二次跳转

Abstract: The traditional SSDT_Hook and its detection methods are analyzed, then it also analyzes a twice-jump SSDT_Hook. This method uses MOV to reach a trustable address, then makes processing jumps to its code. It has broken through the JMP-detection and jump-analysis in traditional IPS（Intrusion Prevention System）. Finally, this paper presents a method for the detection of the SSDT_Hook. Focus on the improvements of addressing the SSDT, it has achieved good results.

Key words: SSDT_Hook, trusted address space, KeServiceDescriptorTable, the twice-jump

何耀彬，李祥和，韩卓. 二次跳转的SSDT钩挂及其检测方法研究[J]. 计算机工程与应用, 2012, 48(6): 102-105.

HE Yaobin, LI Xianghe, HAN Zhuo. Research on twice-jump SSDT_Hook and its detection[J]. Computer Engineering and Applications, 2012, 48(6): 102-105.