Master's and Doctoral Theses: Details for 965202083




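Name: 葉怡群 (Yi-chun Yeh)   Department: Computer Science and Information Engineering
Thesis title: Preventing Virus Propagation on Mobile Devices by Intercepting File-Handling Functions
(Kernel-mode File Monitoring on Windows Mobile Device)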
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-Time Rootkit Detection System
★ A Detection and Defense Mechanism for Fraudulent SMS Messages on Android Phones
★ The SRA System: Defending Against ARP-Spoofing Hijacking of Routers
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm-Curing System with an Offensive Barrier
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
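  1. The author has agreed to make this electronic thesis openly available immediately.
  2. Electronic full texts that have reached their open-access date are licensed to users only for personal, non-profit searching, reading, and printing for the purpose of academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost, or broadcast this work without authorization, to avoid breaking the law.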

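Abstract (Chinese) In recent years, with the rapid progress of mobile device technology, new mobile devices far surpass earlier ones in functionality, and smart mobile devices account for a steadily growing share. Today's smart devices, such as smartphones and personal digital assistants (PDAs), commonly offer 3.5G mobile Internet access, GPS satellite positioning, high-resolution digital cameras, wireless networking, and Bluetooth transfer. These features give devices a variety of channels for exchanging information, so the applications that can run on smart devices grow richer and users can carry out more activities on them. A feature-rich smartphone or PDA is now also much cheaper than before, so the adoption of smart mobile devices has risen sharply. However, the richer a mobile device's functionality, the more exploitable weaknesses it brings, including the malware threats previously seen on personal computers, such as viruses, worms, trojan horses, spyware, and rootkits, which may damage the device, leak the victim's data, increase telecommunication charges, and so on. It is therefore necessary to build detection and defense mechanisms on the device to strengthen its security.
The main systems currently used by mobile devices include iPhone, Android, Windows Mobile, and Symbian. Windows Mobile is a system that Microsoft designed around the characteristics of mobile devices, based on the Windows CE kernel. Windows CE includes a subset of the Win32 API of desktop Windows, providing compatibility for programs originally run on Windows: an application that normally runs on a PC can be moved to Windows CE after only minor source code changes and recompilation. The 32-bit executable format on Windows CE is the same as on Windows NT-based systems, the PE (Portable Executable) format, so typical file-infecting viruses can also be ported easily to Windows CE and infect other executables. This thesis proposes a file access monitoring system for smartphones or PDAs running the Windows Mobile operating system. It intercepts system calls in kernel mode to monitor the service handler functions related to file system operations, and blocks virus propagation behavior.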
Abstract (English) In recent years, as mobile device technology has evolved, newer mobile devices have steadily gained much greater functionality. Intelligent devices in particular, such as smartphones and personal digital assistants (PDAs), can connect to 3.5G networks and are generally equipped with GPS, high-resolution digital cameras, WLAN, and Bluetooth. These features let devices exchange information with other devices in many ways, run more applications, and let users carry out more activities on them. Their price is no longer so high, so the popularity of intelligent devices is increasing quickly. However, the more functionality devices gain, the more vulnerabilities may appear on them. These vulnerabilities are similar to those that already exist in the personal computer world, including malware threats. Malware includes viruses, worms, trojans, spyware, rootkits, and so on. It may destroy data on the device, monitor the user's activities, steal important information, exhaust system resources, and generate additional costs. Therefore, it is necessary to develop detection and protection approaches to enhance the security of mobile devices.
Currently the most common operating systems used by mobile devices are iPhone, Android, Windows Mobile, and Symbian. The Windows Mobile system is based on Windows CE, developed by Microsoft. Windows CE provides a subset of the Win32 API found in desktop versions of Windows, which makes desktop Windows applications compatible with Windows CE. The executable file format used on Windows CE is also Portable Executable, as on Windows NT-based systems, so many traditional malware techniques can be ported to Windows CE easily. We target Windows Mobile devices and propose a kernel-mode file operation monitoring method that filters file-operation-related APIs in kernel space to prevent viruses from spreading.
Keywords (Chinese) ★ mobile device
★ malware
★ executable file infection
Keywords (English) ★ file infector
★ malware
★ mobile device
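Table of contents
Chinese Abstract
English Abstract
Acknowledgments
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Research Background
1-2 Research Motivation and Objectives
Chapter 2 Mobile Device Security
2-1 Comparison with Personal Computer Security
2-2 Malware Attack Vectors
2-2-1 Bluetooth Devices
2-2-2 Text Messages
2-2-3 Multimedia Messages
2-2-4 Wireless and Mobile Networks
2-2-5 Memory Cards
2-2-6 Synchronization
2-2-7 Operating System Vulnerabilities
2-3 Typical Malware Attack Steps
2-3-1 Infecting the Target Device
2-3-2 Performing Malicious Actions
2-3-3 Spreading to Other Target Devices
2-4 Dynamic Program Interception Techniques
2-4-1 CeApiSpy
2-4-2 MobileSandBox
Chapter 3 Design of the Kernel-Mode Virus Interception System
3-1 Key Characteristics of the Windows Mobile System
3-1-1 Process
3-1-2 Thread
3-1-3 Memory
3-1-4 System Call Mechanism
3-2 System Architecture
3-2-1 Monitoring DLL
3-2-2 Control Application
3-2-3 Integration
3-3 Defense Strategy
3-4 System Protection
Chapter 4 Experiments and Testing
4-1 Experimental Software and Hardware
4-2 Proof-of-Concept Virus Program
4-2-1 Infection Behavior Design
4-2-2 Shellcode Behavior
4-3 Defense Tests
4-4 Performance Tests
4-4-1 Single System Call Test
Chapter 5 Conclusions and Future Work
References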
Advisor: 許富皓 (Fu-hau Hsu)   Approval date: 2009-7-24

For questions about this thesis, please contact the Outreach Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.