基于进程和通信隐藏的木马设计与实现

包括论文,设计,论文字数:11613,页数:27

摘  要
近年来，特洛伊木马等恶意代码己经成为网络安全的重要威胁。很多国家都采取积极的网络安全防御措施,投入大量的人力和物力研究网络信息安全技术。文章首先分析了传统木马的一般工作原理及其植入、加载、隐藏等关键技术。随着网络技术的不断更新和发展，木马技术也在不断地更新换代,现代木马的进程隐藏和通信隐藏等等都发生了变化。
进程的隐藏和通信的隐藏一直是木马程序设计者不断探求的重要技术。攻击者为达到进程隐藏的目的，采用远程线程和动态链接库，将木马作为线程隐藏在其他进程中。选用一般安全策略都允许的端口通信,如80端口，则可轻易穿透防火墙和避过入侵检测系统等安全机制的检测,从而具有很强的隐蔽性。
本文研究了如何将Windows环境下的动态链接库(DLL)技术与远程线程插入技术结合起来实现特洛伊木马植入的新方案。在该方案中，提出了特洛伊木马程序DLL模块化,并且创建了独立的特洛伊木马植入应用程序，将木马程序的DLL模块植入宿主进程。实验结果证明该方案能实现的木马植入，具有很好的隐蔽性和灵活性。

关键词：特洛伊木马；动态连接库；进程插入；远程线程

The Design and Implementation of Trojan Horses Base on Process Hiding and Communications Hiding
Abstract
In recent years, malicious codes including Trojan have threatened network information security, and more and more countries paid attention to take active measures to protect the network, and spent a lot in research to develop network information security technology mentally and materially. This paper firstly analyses the basic principle, entry technology, load technology and hiding technology of traditional Trojan horse. With the development of network technology, Trojan horse technology is upgrading constantly. Modern Trojan horse is changed in process hiding and communication hiding.
 The process hiding and communications hiding are important technology being explored by Trojan horse programmers all long. Adopting the measure of dynamic link storage, and Remote Thread technology, and hiding Trojan horse behind the other processes as a thread program, it is easy to hide. Choosing the port correspondence which is permitted by almost all the ordinary security policy, likes 80port, may easily penetrate the firewall and avoid the examine of security systems as invasion-checking mechanisms and so on. Thus, it has a very strong covered.
This paper is implemented the injection of Trojan horse by combining the technology of DLL (dynamic linking library) and of remote thread injection on the Windows platform. In this paper, modularization of Trojan horse process is proposed to create an independent Trojan horse injection process, thus, to inject Trojan horse DLL module to the host process. Experimental results show that the program could realize the Trojan injected with good covered and flexibility.

Key Words：Trojan Horse；DLL；Process Injection；Remote Thread

目  录

1 引言 1
2 特洛伊木马简介 1
2.1 认识木马 2
2.2 木马原理 2
2.3 木马的危害 3
2.4 常见木马的介绍 3
3 木马隐藏概述 4
3.1 本地隐藏 4
3.2 通信隐藏 8
4 隐藏技术的实现 10
4.1 隐藏进程 10
4.2 隐藏通信 14
4.3 木马功能的实现 15
5 系统测试 19
5．1 功能测试 19
5．2 性能测试 20
结    论 21
参考文献 21
致    谢 22
声    明 23