(3.231.226.13) 您好!臺灣時間:2020/05/27 01:33
字體大小: 字級放大   字級縮小   預設字形  
回查詢結果

詳目顯示:::

我願授權國圖
本論文永久網址: 
line
研究生:歐巡丞
研究生(外文):Syun-cheng Ou
論文名稱(外文):STEALTH: A Method of Hiding and Encrypting Files in NTFS
指導教授:許富皓
指導教授(外文):Fu-hau Hsu
學位類別:碩士
校院名稱:國立中央大學
系所名稱:資訊工程學系
學門:工程學門
學類:電資工程學類
論文出版年:2013
畢業學年度:101
語文別:英文
論文頁數:45
中文關鍵詞:隱藏檔案
外文關鍵詞:File RootkitNTFS
相關次數:
  • 被引用被引用:0
  • 點閱點閱:96
  • 評分評分:系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔
  • 下載下載:0
  • 收藏至我的研究室書目清單書目收藏:0
Rootkit可以隱藏電腦上任何的資訊,包括檔案、程序、驅動、網路連線等等。雖然Rootkit起源很早,但隨著電腦的進步與時間的演進,所使用的隱藏手法也越來越多。像是最常見的傳統Hooking技術,以及修改核心資料的DKOM (Direct Kernel Object Manipulation) 技術等,都是可以達到隱藏電腦資訊的效果。特別的是DKOM因為只修改核心資料結構,不需一直常駐於電腦,使得防毒軟體難以偵測。

然而DKOM無法隱藏檔案。因為DKOM只能修改核心的資料結構,也就是記憶體上的資訊,而作業系統不會將所有檔案都載入核心的資料結構中,DKOM便無法隨心所欲地隱藏任一檔案。本篇論文提出一種隱藏檔案的方法,透過修改NTFS (New Technology File System) 上的資料結構,達到隱藏檔案的效果。此種隱藏方法不像Hooking技術容易偵測,根據實驗結果,防毒軟體無法偵測到被隱藏的病毒檔,說明著此系統能成功提升檔案的隱密性。

為了加強隱藏檔案的機密性,我們另外將隱藏檔案加密,加密的檔案無法被應用程式正確的讀取。為了確認加密的檔案是否夠強大,我們讓檔案救援軟體試著恢復加密檔案。檔案救援軟體是套可以找回被刪除的檔案,或是損毀的檔案,或者是被格式化過後的硬碟。根據實驗結果,檔案救援軟體無法正常地恢復我們的加密檔案。
A rootkit can hide any information such as the files, processes, drivers, and network connections on your computer. With development of operating system, Rootkits have many hidden methods such as the traditional hooking or DKOM (Direct Kernel Object Manipulation). It is difficult to detect DKOM because DKOM only modifies the data structure of the kernel and does not change any program or code.

Because not all files on the computer are loaded into memory, DKOM cannot only manipulate data structures of the kernel to hide any file. In this paper, we proposed a new hidden method that modify some information of NTFS (New Technology File System). The method is not like the traditional hooking which is detected by anti-virus software easily. According to our experiments, anti-virus software cannot detect the virus file which is hidden by our system.

We want to strengthen the confidentiality of the hidden files. In addition to hide file, our system encrypts the file. We did experiments with data recovery software. The data recovery software can restore the file which is deleted, name broken, size damage and so on. But according to our experiments, data recover software can not restore our encrypted files. Applications cannot read data of files until the files is decrypted by our system.
摘要 i
Abstract ii
謝誌 iii
Contents iv
List of Figures v
List of Tables vi
1. Introduction 1
2. Background 4
2.1 NTFS 4
2.2 Windows Device Driver 8
2.3 ZwXxx Routines 9
3. Related Work 12
3.1 Alternate Data Stream (ADS) 12
3.2 Rootkits 13
3.3 Hide Data in NTFS 13
4. System Design 14
4.1 Overview 14
4.2 Concealer 16
4.3 Obfuscator 19
4.4 File Cache Cleaner 22
4.5 Original Backup Text 22
4.6 File Recovery 23
5. Evaluation 24
5.1 Implementation Environment 24
5.2 Anti-Virus Software Experiment 24
5.3 Data Recovery Software Experiment 25
5.4 Performance Evaluation 27
5.5 Weakness Analysis 28
6. Conclusion and Future Work 29
6.1 Conclusion 29
6.2 Future Work 29
References 31
[1] James Butler and Greg Hoglund. Vice–catch the hookers. Black
Hat USA, 61, 2004.
[2] Chew Keong Tan. Defeating kernel native api hookers by direct
service dispatch table restoration. July, 8:1–12, 2004.
[3] Greg Hoglund and Jamie Butler. Rootkits: subverting the Windows
kernel, pages 171–171. Addison-Wesley Professional, 2005.
[4] Richard Russon and Yuval Fledel. NTFS documentation.
http://dubeyko.com/development/FileSystems/NTFS/
ntfsdoc.pdf, 2004.
[5] MSDN. ZwXxx routines. http://msdn.microsoft.com/en-us/
library/windows/hardware/ff567122(v=vs.85).aspx, May
2013.
[6] Adamantini I Martini, Alexandros Zaharis, and Christos Ilioudis.
Detecting and Manipulating Compressed Alternate Data Streams in
a Forensics Investigation. In Third International Annual Workshop
on Digital Forensics and Incident Analysis, 2008. WDFIA ’08.,
pages 53–59, October 2008.
[7] Ryan L Means. Alternate data streams: out of the shadows and
into the light. SANS Institute InfoSec Reading Room, 2003.
[8] Cyril Wang. Alternate data streams (
連結至畢業學校之論文網頁點我開啟連結
註: 此連結為研究生畢業學校所提供,不一定有電子全文可供下載,若連結有誤,請點選上方之〝勘誤回報〞功能,我們會盡快修正,謝謝!
QRCODE
 
 
 
 
 
                                                                                                                                                                                                                                                                                                                                                                                                               
第一頁 上一頁 下一頁 最後一頁 top
系統版面圖檔 系統版面圖檔