抽象的

Authenticating Service Request in Kernel Mode against Malicious Code

D. Raghu Raman, K.Rajan

The dominant operating system in the world today is windows. There are some of the weaknesses present in the window architecture. Using this weakness rootkit malware wants to utilize an administrative control of the windows, rootkit malwares refers to software that is used to conceal the presence and permit an attacker to take control of a system. So, an attacker can capture the sensitive information that present in a system. To reduce the number of rootkit injection first, we classify the legitimate and suspicious code using an algorithm if the process is a legitimate one means that the legitimate process is directly permitted to get the system service through the ntdll.dll which acts as a gateway to the kernel mode from the user mode. If it is a suspicious code means, it will be processed through the customized ntdll.dll. Monitor program is used to customize the ntdll.dll by hook.dll, using which the pre-validation and validation function is added in the ntdll.dll. Pre-validation is done by generating password for a suspicious code using a scrambling technique, then by using we unscramble the dispatch-ID which was scrambled in the user mode and redirect the control to the validation function if it matches with any of the system services, otherwise the control will be disallowed. It provides an additional protection that avoids the system crash and allows only the legitimate program to accomplish the system services.

免责声明: 此摘要通过人工智能工具翻译,尚未经过审核或验证