Abstract: The Windows Registry holds a wide range of information about users and can be viewed as a database. While Microsoft provides it so that users can customize their settings, it has also become a resource that attackers exploit to achieve intrusion persistence, fileless attacks, and other malicious activity. This thesis first introduces the structure of the registry, including its logical structure and the data structures that represent it inside the Windows kernel. It then surveys the registry attacks seen on the current Windows 10 operating system and the defenses that correspond to each of them. Finally, it presents a system built on the logging facility built into Windows, Event Tracing for Windows (ETW). A monitoring component captures and filters events describing programs' registry write operations, and a data-analysis component uploads the filtered data to VirusTotal to determine whether what a program wrote is malicious. Using ETW, this research realizes an efficient and reliable registry-attack detection system. By integrating it with VirusTotal, registry attacks and misuse can be detected and prevented more quickly and accurately, thereby protecting the security of user systems.
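The three-stage pipeline the abstract describes (ETW registry-write events, a filter, a VirusTotal verdict), as an added illustration that is not the thesis's own code. The event field names, the sample events, the stand-in file system and the stand-in VirusTotal reports are all constructed assumptions; only the VirusTotal v3 files endpoint and its `last_analysis_stats` field are real.

```python
import hashlib

# Constructed ETW-style registry write events; field names are an assumption
# modelled on a Microsoft-Windows-Kernel-Registry consumer, not the thesis's format.
SAMPLE_EVENTS = [
    {"event": "SetValueKey", "pid": 4120, "image": "C:\\Users\\u\\dropper.exe",
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Updater", "data": "C:\\Users\\u\\AppData\\Roaming\\upd.exe"},
    {"event": "SetValueKey", "pid": 880, "image": "C:\\Windows\\explorer.exe",
     "key": "\\REGISTRY\\USER\\S-1-5-21-1\\Software\\Microsoft\\Windows\\Shell",
     "value": "ColorPrevalence", "data": "1"},
    {"event": "DeleteValueKey", "pid": 4120, "image": "C:\\Users\\u\\dropper.exe",
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Updater", "data": ""},
]
# Constructed stand-ins for the file system and for VirusTotal v3 file reports.
FAKE_FS = {"C:\\Users\\u\\AppData\\Roaming\\upd.exe": b"MZ\x90\x00constructed-sample"}
FAKE_VT = {hashlib.sha256(b"MZ\x90\x00constructed-sample").hexdigest():
           {"data": {"attributes": {"last_analysis_stats": {"malicious": 41, "undetected": 30}}}}}

# Persistence locations a defender typically watches (case-insensitive prefix match).
WATCHED_KEYS = (
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
)

def filter_writes(events):
    """Filter step: keep only value writes that land under a watched key."""
    return [ev for ev in events if ev["event"] == "SetValueKey"
            and any(ev["key"].upper().startswith(w.upper()) for w in WATCHED_KEYS)]

def file_sha256(path, fs=FAKE_FS):
    """Hash the file the written value points at; VT v3 looks files up by this hash."""
    blob = fs.get(path)
    return hashlib.sha256(blob).hexdigest() if blob is not None else None

def vt_lookup_url(sha256):
    """Real VT v3 endpoint (GET with an x-apikey header); not called here, offline."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"

def verdict(report, min_engines=3):
    """Unknown hashes are 'unknown', never 'clean': a missing report is not a verdict."""
    stats = (report or {}).get("data", {}).get("attributes", {}).get("last_analysis_stats")
    if not stats:
        return "unknown"
    return "malicious" if stats.get("malicious", 0) >= min_engines else "clean"

def analyze(events=SAMPLE_EVENTS, fs=FAKE_FS, vt=FAKE_VT):
    """Pipeline: ETW events -> filtered writes -> file hash -> VT report -> verdict."""
    results = []
    for ev in filter_writes(events):
        digest = file_sha256(ev["data"], fs)
        results.append((ev["image"], ev["value"], verdict(vt.get(digest) if digest else None)))
    return results
```

The `min_engines` threshold and the "unknown" outcome are the two knobs a deployment has to choose deliberately: a single engine hit is noisy, and a hash VirusTotal has never seen says nothing about the file either way.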