本机盗取U盘文件的流氓软件设计

论文字数:8226,页数:22 附源程序

摘要：
 本文介绍了本机盗取U盘文件和为增强程序隐蔽性而采用的进程隐藏技术的原理解析，源代码基于Win32的应用程序（Win32-based applications）编写，VC 6.0环境下编译通过。文章详细叙述了操作系统如何将USB端口状态改变通知系统中的运行进程，运行进程如何利用操作系统发送的消息判断USB接口中有可移动存储设备插入。作为关键部分，文章用较大篇幅介绍了本设计采用的利用API HOOK（挂接 SSDT）技术实现进程隐藏（基于Windows NT系统）原理和编程思想。作为日志记录部分，本设计采用ODBC API + Microsoft Access数据库实现。
关键词：
 盗取U盘文件；进程隐藏；API HOOK ；挂接SSDT ；ODBC API；Microsoft Access
 

A malicious software design for stealing USB flash disk files based on local machine 

Abstract:
 This paper introduces stealing USB Flash Disk files in local machine, and the common process concealment technologies used in Windows-NT operating system environment. The source code for application was written based on Win32 (Win32-based applications) and compiled successfully in VC 6.0 environment. It describes, in detail, how the operating system send messages ,for the notification of USB port status changes ,to the running processes, the process which received messages how to judge a portable storage device is plugged. As key parts of design, the theory of API HOOK (hooking SSDT) technology for the hidden process (based on Windows NT operating systems) and programming ideas were introduced by large spaces. In log recording chapter, the design was implemented by ODBC API and Microsoft Access database.
Keywords:
  Win32-based applications; concealing running processes; API HOOK; hooking SSDT; ODBC API; Microsoft Access

目录
1.简介 - 1 -
2.关键原理和相应技术解析 - 1 -
2.1.识别U盘插入系统 - 1 -
2.1.1本小节理论和技术原理 - 1 -
2.1.2本小节部分源代码示例 - 4 -
2.2.利用API HOOK技术实现进程隐藏 - 4 -
2.2.1进程隐藏技术综论 - 4 -
2.2.2 API Hook、挂接SSDT以及内核驱动原理 - 4 -
2.2.3 Windows基本架构与挂接SSDT基本原理 - 5 -
2.2.4用户模式和内核模式 - 7 -
2.2.5 Windows基本内存体系结构 - 7 -
2.2.6 利用API Hook挂接SSDT 实现进程隐藏的原理[8] - 8 -
2.3.利用Shell API实现文件复制简述 - 9 -
2.3.1 Shell综述 - 9 -
2.3.2 SHFileOperation()函数实现文件复制操作 - 9 -
2.3.3 为文件复制所做准备 - 10 -
2.4.日志记录 - 11 -
2.4.1 ODBC简介 - 11 -
2.4.2日记记录模块编程实现 - 12 -
3.测试运行结果 - 14 -
主要参考文献： - 17 -
致谢 - 17 -