STEALTH: A Method of Hiding and Encrypting Files in NTFS

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：10

、訪客IP：18.221.85.33

姓名

歐巡丞(Syun-cheng Ou) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

(STEALTH: A Method of Hiding and Encrypting Files in NTFS)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

Rootkit可以隱藏電腦上任何的資訊，包括檔案、程序、驅動、網路連線等等。雖然Rootkit起源很早，但隨著電腦的進步與時間的演進，所使用的隱藏手法也越來越多。像是最常見的傳統Hooking技術，以及修改核心資料的DKOM (Direct Kernel Object Manipulation) 技術等，都是可以達到隱藏電腦資訊的效果。特別的是DKOM因為只修改核心資料結構，不需一直常駐於電腦，使得防毒軟體難以偵測。
然而DKOM無法隱藏檔案。因為DKOM只能修改核心的資料結構，也就是記憶體上的資訊，而作業系統不會將所有檔案都載入核心的資料結構中，DKOM便無法隨心所欲地隱藏任一檔案。本篇論文提出一種隱藏檔案的方法，透過修改NTFS (New Technology File System) 上的資料結構，達到隱藏檔案的效果。此種隱藏方法不像Hooking技術容易偵測，根據實驗結果，防毒軟體無法偵測到被隱藏的病毒檔，說明著此系統能成功提升檔案的隱密性。
為了加強隱藏檔案的機密性，我們另外將隱藏檔案加密，加密的檔案無法被應用程式正確的讀取。為了確認加密的檔案是否夠強大，我們讓檔案救援軟體試著恢復加密檔案。檔案救援軟體是套可以找回被刪除的檔案，或是損毀的檔案，或者是被格式化過後的硬碟。根據實驗結果，檔案救援軟體無法正常地恢復我們的加密檔案。

摘要(英)

A rootkit can hide any information such as the files, processes, drivers, and network connections on your computer. With development of operating system, Rootkits have many hidden methods such as the traditional hooking or DKOM (Direct Kernel Object Manipulation). It is difficult to detect DKOM because DKOM only modifies the data structure of the kernel and does not change any program or code.
Because not all files on the computer are loaded into memory, DKOM cannot only manipulate data structures of the kernel to hide any file. In this paper, we proposed a new hidden method that modify some information of NTFS (New Technology File System). The method is not like the traditional hooking which is detected by anti-virus software easily. According to our experiments, anti-virus software cannot detect the virus file which is hidden by our system.

We want to strengthen the confidentiality of the hidden files. In addition to hide file, our system encrypts the file. We did experiments with data recovery software. The data recovery software can restore the file which is deleted, name broken, size damage and so on. But according to our experiments, data recover software can not restore our encrypted files. Applications cannot read data of files until the files is decrypted by our system.

關鍵字(中)

★ 隱藏檔案

關鍵字(英)

★ File Rootkit
★ NTFS

論文目次

摘要 i
Abstract ii
謝誌 iii
Contents iv
List of Figures v
List of Tables vi
1. Introduction 1
2. Background 4
2.1 NTFS 4
2.2 Windows Device Driver 8
2.3 ZwXxx Routines 9
3. Related Work 12
3.1 Alternate Data Stream (ADS) 12
3.2 Rootkits 13
3.3 Hide Data in NTFS 13
4. System Design 14
4.1 Overview 14
4.2 Concealer 16
4.3 Obfuscator 19
4.4 File Cache Cleaner 22
4.5 Original Backup Text 22
4.6 File Recovery 23
5. Evaluation 24
5.1 Implementation Environment 24
5.2 Anti-Virus Software Experiment 24
5.3 Data Recovery Software Experiment 25
5.4 Performance Evaluation 27
5.5 Weakness Analysis 28
6. Conclusion and Future Work 29
6.1 Conclusion 29
6.2 Future Work 29
References 31

參考文獻

[1] James Butler and Greg Hoglund. Vice–catch the hookers. Black
Hat USA, 61, 2004.
[2] Chew Keong Tan. Defeating kernel native api hookers by direct
service dispatch table restoration. July, 8:1–12, 2004.
[3] Greg Hoglund and Jamie Butler. Rootkits: subverting the Windows
kernel, pages 171–171. Addison-Wesley Professional, 2005.
[4] Richard Russon and Yuval Fledel. NTFS documentation.
http://dubeyko.com/development/FileSystems/NTFS/
ntfsdoc.pdf, 2004.
[5] MSDN. ZwXxx routines. http://msdn.microsoft.com/en-us/
library/windows/hardware/ff567122(v=vs.85).aspx, May
2013.
[6] Adamantini I Martini, Alexandros Zaharis, and Christos Ilioudis.
Detecting and Manipulating Compressed Alternate Data Streams in
a Forensics Investigation. In Third International Annual Workshop
on Digital Forensics and Incident Analysis, 2008. WDFIA ’08.,
pages 53–59, October 2008.
[7] Ryan L Means. Alternate data streams: out of the shadows and
into the light. SANS Institute InfoSec Reading Room, 2003.
[8] Cyril Wang. Alternate data streams (

指導教授

許富皓(Fu-hau Hsu)

審核日期

2013-7-24

推文