Computer Science ›› 2011, Vol. 38 ›› Issue (Z10): 44-49.

• Information Security •

A JOP-Based Rootkit Construction Method

LI Zheng-yu, MAO Bing, XIE Li

  1. (State Key Laboratory for Novel Software Technology, Nanjing 210093) (Department of Computer Science and Technology, Nanjing University, Nanjing 210093)
  • Online: 2018-11-16 Published: 2018-11-16
  • Funding:
    This work was supported by the National Natural Science Foundation of China (60721002) and the National 973 Key Basic Research Program (2009CB320705).

Construction Method of Rootkit Based on JOP

LI Zheng-yu, MAO Bing, XIE Li

  • Online: 2018-11-16 Published: 2018-11-16

Abstract (translated from the Chinese): ROP is a new method for constructing malicious code. It builds a malicious program from code that already exists in the system, and a rootkit constructed with ROP can evade detection by the kernel integrity protection mechanisms currently available. Because the short instruction sequences (gadgets) used by ROP all end in a ret instruction, they exhibit a certain regularity, and many defenses already exist that can detect them. In contrast, the JOP-based rootkit construction method has no such obvious regularity, so the current defenses against ROP cannot detect it. In addition, compared with traditional ROP, this method is not constrained by the size of the kernel stack, and the layout in memory of the data used during construction is more flexible.

Keywords: ROP, JOP, instruction gadgets

Abstract: ROP is a new programming method that can leverage existing code in the system to construct malicious code; a rootkit constructed with ROP can evade detection by most kernel integrity protection mechanisms available today. Because the instruction gadgets that end in ret have a certain regularity, there are now many protection methods that can detect them. Compared with ROP, the JOP-based rootkit construction method has no such regularity, so current ROP detection methods cannot detect it. Moreover, compared with ROP, this new method is not restricted by the size of the kernel stack, and the memory layout of the data used during construction is more flexible.

Key words: ROP, JOP, instruction gadgets
