In recent years, as a result of the evolution of mobile device technology, newer mobile devices have continuously gained much greater functionality. Intelligent devices such as smart phones and personal digital assistants (PDAs) in particular can connect to 3.5G networks, and they are generally equipped with GPS, a high-resolution digital camera, WLAN, and Bluetooth. These features let devices exchange information with other devices in many ways, run more applications, and let users do more activities with them. Nowadays their price is not so high, so the popularity of intelligent devices is increasing quickly. However, the greater the functionality gained, the more vulnerabilities may appear on the devices. Those vulnerabilities are similar to the ones that already exist in the personal computer world, including malware threats. Malware includes viruses, worms, trojans, spyware, rootkits, and so on. They may destroy data on the device, monitor the user's activities, steal important information, exhaust system resources, and generate additional costs. Therefore, it is necessary to develop detection and protection approaches to enhance the security of mobile devices.
Currently the most common operating systems used by mobile devices are iPhone, Android, Windows Mobile, and Symbian. The Windows Mobile system is based on Windows CE, developed by Microsoft. Windows CE provides a subset of the Win32 API that exists in desktop versions of Windows, which makes applications written for desktop Windows compatible with Windows CE. The executable file format used on Windows CE is also the Portable Executable format used by Windows NT-based systems; therefore many traditional malware techniques can be ported to Windows CE easily. We target Windows Mobile devices and propose a kernel-mode file operation monitoring method that filters the APIs related to file operations in kernel space in order to prevent viruses from spreading.