Rootkit可以隱藏電腦上任何的資訊,包括檔案、程序、驅動、網路連線等等。雖然Rootkit起源很早,但隨著電腦的進步與時間的演進,所使用的隱藏手法也越來越多。像是最常見的傳統Hooking技術,以及修改核心資料的DKOM (Direct Kernel Object Manipulation) 技術等,都是可以達到隱藏電腦資訊的效果。特別的是DKOM因為只修改核心資料結構,不需一直常駐於電腦,使得防毒軟體難以偵測。然而DKOM無法隱藏檔案。因為DKOM只能修改核心的資料結構,也就是記憶體上的資訊,而作業系統不會將所有檔案都載入核心的資料結構中,DKOM便無法隨心所欲地隱藏任一檔案。本篇論文提出一種隱藏檔案的方法,透過修改NTFS (New Technology File System) 上的資料結構,達到隱藏檔案的效果。此種隱藏方法不像Hooking技術容易偵測,根據實驗結果,防毒軟體無法偵測到被隱藏的病毒檔,說明著此系統能成功提升檔案的隱密性。為了加強隱藏檔案的機密性,我們另外將隱藏檔案加密,加密的檔案無法被應用程式正確的讀取。為了確認加密的檔案是否夠強大,我們讓檔案救援軟體試著恢復加密檔案。檔案救援軟體是套可以找回被刪除的檔案,或是損毀的檔案,或者是被格式化過後的硬碟。根據實驗結果,檔案救援軟體無法正常地恢復我們的加密檔案。 A rootkit can hide any information such as the files, processes, drivers, and network connections on your computer. With development of operating system, Rootkits have many hidden methods such as the traditional hooking or DKOM (Direct Kernel Object Manipulation). It is difficult to detect DKOM because DKOM only modifies the data structure of the kernel and does not change any program or code.Because not all files on the computer are loaded into memory, DKOM cannot only manipulate data structures of the kernel to hide any file. In this paper, we proposed a new hidden method that modify some information of NTFS (New Technology File System). The method is not like the traditional hooking which is detected by anti-virus software easily. According to our experiments, anti-virus software cannot detect the virus file which is hidden by our system.
We want to strengthen the confidentiality of the hidden files. In addition to hide file, our system encrypts the file. We did experiments with data recovery software. The data recovery software can restore the file which is deleted, name broken, size damage and so on. But according to our experiments, data recover software can not restore our encrypted files. Applications cannot read data of files until the files is decrypted by our system.
