Implementation of program behavior anomaly detection and protection using hook technology
Windows is a message-based operating system built on an event-driven mechanism, and a hook is one of the surveillance points in the Windows message-processing mechanism. This paper uses Windows kernel technology, hooking the system service table to replace native API entries, to detect process and thread behavior and to realize detection and protection of the registry, files and processes. A program behavior anomaly detection and protection system is designed and implemented on the Windows operating system. Hooks and some key hook techniques are introduced, followed by the system framework and the key technology of the system. Finally, the experimental results validate the feasibility and availability of the system.
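The mechanism the abstract describes, replacing service table entries with hooks that inspect each call and deny operations against protected registry keys, files and processes, can be illustrated in user mode. The following is an added example, not code from the paper: the service table, service numbers, protection policy and image names are all constructed assumptions, and the "native" services are stand-ins that always succeed. The hooks save the original entries so they can pass calls through and be removed again, which is the part of a hooking driver that is easiest to get wrong.

```c
#include <stdio.h>
#include <string.h>

/* Added, user-mode simulation (not the paper's code) of a hooked system
 * service table. Service numbers, policy and names are constructed. */

typedef long sim_status;
#define SIM_SUCCESS        0L
#define SIM_ACCESS_DENIED (-1L)

/* Signature shared by every simulated service: target object + calling image. */
typedef sim_status (*service_fn)(const char *object, const char *caller);

enum { SVC_REG_SET_VALUE = 0, SVC_FILE_WRITE = 1, SVC_TERMINATE_PROCESS = 2, SVC_COUNT = 3 };

/* Stand-ins for the native services: they always succeed. */
static sim_status native_reg_set_value(const char *o, const char *c) { (void)o; (void)c; return SIM_SUCCESS; }
static sim_status native_file_write(const char *o, const char *c)    { (void)o; (void)c; return SIM_SUCCESS; }
static sim_status native_terminate(const char *o, const char *c)     { (void)o; (void)c; return SIM_SUCCESS; }

static service_fn service_table[SVC_COUNT];   /* live dispatch table (the simulated SSDT) */
static service_fn original_table[SVC_COUNT];  /* saved originals for pass-through and unhooking */
static int hooks_installed;

/* Fixed-size log of detected anomalies so a monitor can read them back. */
#define LOG_CAP 32
static char event_log[LOG_CAP][160];
static int  event_count;

static void log_anomaly(const char *kind, const char *object, const char *caller) {
    if (event_count < LOG_CAP)
        snprintf(event_log[event_count], sizeof event_log[0], "%s: %s denied access to %s", kind, caller, object);
    event_count++;
}

/* Protection policy (constructed): only the trusted image may touch these objects. */
static const char *const PROTECTED_REG_PREFIX  = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
static const char *const PROTECTED_FILE_PREFIX = "C:\\Windows\\System32\\";
static const char *const PROTECTED_PROCESS     = "hips_agent.exe";
static const char *const TRUSTED_IMAGE         = "trusted_installer.exe";

static int has_prefix(const char *s, const char *prefix) { return strncmp(s, prefix, strlen(prefix)) == 0; }

/* Hooks: check policy, log a denial, otherwise pass through to the saved original. */
static sim_status hook_reg_set_value(const char *key, const char *caller) {
    if (has_prefix(key, PROTECTED_REG_PREFIX) && strcmp(caller, TRUSTED_IMAGE) != 0) {
        log_anomaly("REGISTRY", key, caller);
        return SIM_ACCESS_DENIED;
    }
    return original_table[SVC_REG_SET_VALUE](key, caller);
}
static sim_status hook_file_write(const char *path, const char *caller) {
    if (has_prefix(path, PROTECTED_FILE_PREFIX) && strcmp(caller, TRUSTED_IMAGE) != 0) {
        log_anomaly("FILE", path, caller);
        return SIM_ACCESS_DENIED;
    }
    return original_table[SVC_FILE_WRITE](path, caller);
}
static sim_status hook_terminate(const char *image, const char *caller) {
    if (strcmp(image, PROTECTED_PROCESS) == 0 && strcmp(caller, TRUSTED_IMAGE) != 0) {
        log_anomaly("PROCESS", image, caller);
        return SIM_ACCESS_DENIED;
    }
    return original_table[SVC_TERMINATE_PROCESS](image, caller);
}

void init_service_table(void) {
    service_table[SVC_REG_SET_VALUE]     = native_reg_set_value;
    service_table[SVC_FILE_WRITE]        = native_file_write;
    service_table[SVC_TERMINATE_PROCESS] = native_terminate;
    hooks_installed = 0;
    event_count = 0;
}

/* Replace each entry with its hook, saving the original first. Installing twice
 * would otherwise save the hooks themselves as "originals" and recurse forever. */
void install_hooks(void) {
    if (hooks_installed) return;
    memcpy(original_table, service_table, sizeof service_table);
    service_table[SVC_REG_SET_VALUE]     = hook_reg_set_value;
    service_table[SVC_FILE_WRITE]        = hook_file_write;
    service_table[SVC_TERMINATE_PROCESS] = hook_terminate;
    hooks_installed = 1;
}

/* Restore the saved originals (the unload path of a hooking driver). */
void remove_hooks(void) {
    if (!hooks_installed) return;
    memcpy(service_table, original_table, sizeof service_table);
    hooks_installed = 0;
}

/* The "system call" entry point: dispatch through whatever the table holds now. */
sim_status sim_syscall(int svc, const char *object, const char *caller) {
    if (svc < 0 || svc >= SVC_COUNT) return SIM_ACCESS_DENIED;
    return service_table[svc](object, caller);
}

int anomaly_count(void) { return event_count; }
const char *anomaly_at(int i) { return (i >= 0 && i < event_count && i < LOG_CAP) ? event_log[i] : ""; }

int main(void) {
    init_service_table();
    install_hooks();
    sim_syscall(SVC_REG_SET_VALUE, "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "untrusted_app.exe");
    sim_syscall(SVC_FILE_WRITE, "C:\\Users\\alice\\notes.txt", "notepad.exe");
    for (int i = 0; i < anomaly_count(); i++) printf("%s\n", anomaly_at(i));
    remove_hooks();
    return 0;
}
```

Because the hooks dispatch through the saved originals rather than calling the native routines directly, the same code works whether or not other hooks were installed before it, and `remove_hooks` puts the table back exactly as it was found.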