Windows AutoUpdate Service Guardian

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：6

、訪客IP：13.58.77.98

姓名

何儒軒(Ju-Hsuan He) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

(Windows AutoUpdate Service Guardian)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

隨著電腦與網路的普及，使用者對於電腦基本安全防護的認
識也有提升，大部分使用者會安裝防毒軟體或是防火牆等的軟
體，使電腦有所防護。但是防毒軟體與防火牆都是安裝於作業
系統上，也因此即便電腦安裝了防毒軟體及防火牆，使用者也
有著良好的電腦使用習慣，攻擊者還是有可能透過系統漏洞，繞
過防火牆以及防毒軟體的防禦，奪走使用者的電腦控制權或是得
到使用者的私人資訊。所以說，作業系統的更新，對於電腦整體
的資訊安全，扮演著一個舉足輕重的腳色。而更新的行為，作業
系統通常會自動的執行，或是通知使用者去做系統更新。但是我
們發現，有一些惡意程式，會去關閉系統的自動更新服務，藉此
使得使用者的作業系統無法保持在最新的狀態。在更新補丁發布
之後，無法藉由更新來防護系統，使得使用者電腦暴露在危險之
中。
本篇論文以Windows XP 作業系統為平台，研究其自動更新
服務如何運作，依其相關知識提出數個關閉更新服務的方法。同
時分析數個惡意軟體樣本，了解它們關閉自動更新服務的原理，
最後提出一個以System Service Dispatch Table (SSDT) hook 為
基礎的解決方式，有效的防禦這一些攻擊。

摘要(英)

Nowadays, people rely on personal computer to do lots of
things. They would install some application to protect their com-
puters, such as antivirus software or rewall to make their comput-
ers safer from attacker’s attack. Because Antivirus software and
rewall are installed on top of the operating system, if there are
some bugs in the operating system, attackers can bypass antivirus
software and rewall through bugs and launch an attack to get the
private user data and control users’ computer. As a consequence,
updating operating system becomes an important method in whole
information security of computer.
The update behavior is usually done automatically by oper-
ating system. Users can also update his/her system when they get
the update notication. But we found there exist some malware
will disable the automatic update service of the operating system.
So users cannot download the newest patch to protect their own
computers in time and means that both of their computers and
data are in danger.
In this paper, we study how an automatic update service run-
ning on Windows XP system and show approaches to disable au-
tomatic update service. We also analyze some malware to nd
out what method they used to disable automatic update service.
Finally, we propose a solution based on SSDT hook, which named
Windows AutoUpdate Service Guardian (WASG) to protect Win-
dows automatic update service efficiently.

關鍵字(中)

★ 自動更新
★ 微軟
★ 服務
★ 關閉

關鍵字(英)

★ Windows
★ Automatic update
★ service

論文目次

Table of Contents
中文摘要................................................................................................. i
Abstract.................................................................................................. ii
Table of Contents ................................................................................... iii
List of Figures......................................................................................... iv
List of Tables .......................................................................................... v
1. Introduction ....................................................................................... 1
2. Background Knowledge ...................................................................... 3
2.1 Concept of Windows Service .................................................... 3
2.2 Concept of Windows API......................................................... 6
2.3 Ways to Disable Windows Automatic Update Service ............. 7
2.3.1 Modify Values in Registry.......................................... 8
2.3.2 Close Service by SCM................................................ 9
3. WASG ................................................................................................ 11
3.1 Ways to Intercept Windows API.............................................. 11
3.2 WASG Monitor ........................................................................ 15
3.2.1 Interceptor of WASG ................................................. 15
3.2.2 Filter of WASG.......................................................... 16
3.2.3 Blocker of WASG....................................................... 17
3.3 Security Controller of WASG................................................... 18
3.4 Limitation ................................................................................ 19
3.5 Discussion................................................................................. 21
4. Evaluation .......................................................................................... 23
4.1 Testbed Setup .......................................................................... 23
4.2 Eectiveness ............................................................................. 23
4.2.1 False Negative Experiments ....................................... 23
4.2.2 False Positive Experiments ........................................ 23
4.3 Performance Experiments ........................................................ 24
5. Related Work ..................................................................................... 28
5.1 Process Protected..................................................................... 28
5.2 Service Protected...................................................................... 28
5.3 Regisry Protected..................................................................... 28
5.4 Microsoft Fix It ........................................................................ 29
6. Conclusion.......................................................................................... 30
References ............................................................................................... 31
List of Figures
Figure 2.1 Windows services architecture . . . . . . . . . . . . . 4
Figure 2.2 Registry view in regedit.exe . . . . . . . . . . . . . . 5
Figure 2.3 Basic overview of registry . . . . . . . . . . . . . . . 6
Figure 2.4 Work
ow of Windows API . . . . . . . . . . . . . . 7
Figure 3.1 The structure of WASG . . . . . . . . . . . . . . . . 12
Figure 3.2 The structure denition of SDT and SST . . . . . . . 13
Figure 3.3 Work
ow of nding NtSetValueKey() address in Win-
dows XP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Figure 3.4 Work
ow chart - before hooking . . . . . . . . . . . . 16
Figure 3.5 Work
ow chart - after hooking . . . . . . . . . . . . . 17
Figure 3.6 Text string format of SDDL, ACEs and the default
string of update service . . . . . . . . . . . . . . . . . . . . . 19
Figure 4.1 The result of CPU benchmark experiments . . . . . . 26
Figure 4.2 The result of memory benchmark experiments . . . . 27
List of Tables
Table 3.1 Hooked APIs . . . . . . . . . . . . . . . . . . . . . . . 15
Table 3.2 Desktop operating system market share . . . . . . . . 21
Table 4.1 False negative experiments . . . . . . . . . . . . . . . 24
Table 4.2 Ways to disable automatic update service . . . . . . . 25
Table 4.3 False positive experiments . . . . . . . . . . . . . . . . 26

參考文獻

References
[1] Microsoft, Concker," Retrieved July, 16, 2013, http:
//www.microsoft.com/security/portal/threat/encyclopedia/
entry.aspx?Name=Worm%3aWin32%2fConficker.B
[2] Microsoft, Understanding Windows Services Architecture," Retrieved
July, 16, 2013, http://technet.microsoft.com/en-us/library/
881d8b23-d274-4313-a666-88f80c2cfd92.aspx
[3] Windows, Windows Registry," Retrieved July, 16, 2013,
http://msdn.microsoft.com/en-us/library/windows/desktop/
ms724871%28v=vs.85%29.aspx
[4] Microsoft,DNS Registry Entries," Retrieved July, 16, 2013,
http://technet.microsoft.com/zh-tw/library/dd197418%28v=
ws.10%29.aspx
[5] J. Butler, and G. Hoglund, VICE{catch the hookers," Black Hat USA
2004, Caesars Palace, Las Vegas, 28-29 July, 2004.
[6] IceSword, Retrieved July, 16, 2013, http://www.antirootkit.com/
software/IceSword.htm
[7] J. Rutkowska,System virginity verier: Dening the roadmap for
malware detection on windows systems," Hack In the Box Security
Conference, Kuala Lumpur, Malaysia, September 28-29, 2005.
[8] Heng Yin, Z. Liang, and D. Song, HookFinder: Identifying and un-
derstanding malware hooking behaviors," the 15th Annual Network
and Distributed System Security Symposium (NDSS’08), San Diego,
CA, 8-11 February, 2008.
[9] C. K. Tan, Defeating kernel native API hookers by direct
Service Dispatch Table restoration," July, 2004. Retrieved
July, 16, 2013, http://www.security.org.sg/code/SIG2_
DefeatingNativeAPIHookers.pdf
[10] M. Aslam, Naveed Idrees, Muzammil Baig, Asif Arshad, Anti-Hook
Shield against Software Key-loggers," National Conference on Emerg-
ing Technologies, SZABIST Karachi, December, 2004.
[11] NetMarketShare, Retrieved July, 16, 2013, http://www.
netmarketshare.com/
[12] VirusTotal, Retrieved July, 16, 2013, https://www.virustotal.com
[13] Passmark Software, Retrieved July, 16, 2013, http://www.passmark.
com/index.html
[14] F. H. Hsu, M. H. Wu, C. K. Tso, C. H. Hsu, and C. W. Chen, An-
tivirus Software Shield Against Antivirus Terminators," IEEE Trans-
actions on Information Forensics and Security, October, 2012.
[15] Core Technologies Consulting, Retrieved July, 16, 2013, http://www.
coretechnologies.com/
[16] F. Apap, A. Honig, S. Hershkop, E. Eskin, and S. Stolfo, Detect-
ing malicious software by monitoring anomalous windows registry ac-
cesses," Recent Advances in Intrusion Detection, Springer Berlin Hei-
delberg, 36-53, 2002.
[17] Timothy D. Morgan, Recovering deleted data from the Windows reg-
istry," digital investigation 5, S33-S41, 2008
[18] Microsoft, Microsoft Fix it Solution Center," Retrieved July, 16, 2013,
http://www.microsoft.com/fixit/
[19] Windows, Support," Retrieved July, 16, 2013, http://support.
microsoft.com/kb/914392/en-us
32

指導教授

許富皓(Fu-Hau Hsu)

審核日期

2013-8-12

推文