臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan): thesis record, detail view
Thesis metadata:
Author: 歐巡丞
Author (English): Syun-cheng Ou
Title (English): STEALTH: A Method of Hiding and Encrypting Files in NTFS
Advisor: 許富皓
Advisor (English): Fu-hau Hsu
Degree: Master's
Institution: 國立中央大學 (National Central University)
Department: 資訊工程學系 (Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2013
Graduation academic year: 101 (ROC calendar)
Language: English
Pages: 45
Chinese keywords: 隱藏檔案 (file hiding)
English keywords: File Rootkit, NTFS
Usage statistics: cited 0, views 184, rating none, downloads 0, bookmarks 0
Abstract (translated from the Chinese):
A rootkit can hide any information on a computer, including files, processes, drivers and network connections. Although rootkits appeared early, the hiding techniques they use have multiplied as computers have advanced over time. The most common traditional hooking techniques, as well as the DKOM (Direct Kernel Object Manipulation) technique that modifies kernel data, can both hide information on a computer. DKOM is notable because it modifies only kernel data structures and does not need to remain resident on the computer, which makes it hard for anti-virus software to detect.
However, DKOM cannot hide files. DKOM can only modify kernel data structures, that is, information held in memory, and the operating system does not load every file into kernel data structures, so DKOM cannot hide an arbitrary file at will. This thesis proposes a file-hiding method that hides files by modifying data structures of NTFS (New Technology File System). Unlike hooking, this hiding method is not easily detected; according to the experimental results, anti-virus software could not detect a hidden virus file, which shows that the system successfully improves the concealment of files.
To strengthen the confidentiality of hidden files, we additionally encrypt them, so that applications cannot read the encrypted files correctly. To verify that the encryption is strong enough, we let file recovery software try to recover the encrypted files. File recovery software is a class of tools that can retrieve deleted files, damaged files, or files from a hard disk that has been formatted. According to the experimental results, the file recovery software could not properly recover our encrypted files.
Abstract (English):
A rootkit can hide any information on a computer, such as files, processes, drivers and network connections. As operating systems have developed, rootkits have acquired many hiding methods, such as traditional hooking or DKOM (Direct Kernel Object Manipulation). DKOM is difficult to detect because it only modifies kernel data structures and does not change any program or code.
Because not all files on the computer are loaded into memory, DKOM cannot hide an arbitrary file by manipulating kernel data structures alone. In this thesis we propose a new hiding method that modifies some information in NTFS (New Technology File System). Unlike traditional hooking, which anti-virus software detects easily, this method is hard to detect: according to our experiments, anti-virus software cannot detect a virus file hidden by our system.
We also want to strengthen the confidentiality of the hidden files. In addition to hiding a file, our system encrypts it. We ran experiments with data recovery software, which can restore files that have been deleted, whose names are broken, whose sizes are damaged, and so on. According to our experiments, data recovery software cannot restore our encrypted files. Applications cannot read the data of such files until our system decrypts them.
Table of contents (page numbers refer to the thesis):
摘要 (Chinese abstract) i
Abstract ii
謝誌 (Acknowledgements) iii
Contents iv
List of Figures v
List of Tables vi
1. Introduction 1
2. Background 4
2.1 NTFS 4
2.2 Windows Device Driver 8
2.3 ZwXxx Routines 9
3. Related Work 12
3.1 Alternate Data Stream (ADS) 12
3.2 Rootkits 13
3.3 Hide Data in NTFS 13
4. System Design 14
4.1 Overview 14
4.2 Concealer 16
4.3 Obfuscator 19
4.4 File Cache Cleaner 22
4.5 Original Backup Text 22
4.6 File Recovery 23
5. Evaluation 24
5.1 Implementation Environment 24
5.2 Anti-Virus Software Experiment 24
5.3 Data Recovery Software Experiment 25
5.4 Performance Evaluation 27
5.5 Weakness Analysis 28
6. Conclusion and Future Work 29
6.1 Conclusion 29
6.2 Future Work 29
References 31