MEMORY SCANNING UNDER WINDOWS NT

The number of 32-bit viruses is growing at an alarming rate. Most of these viruses are only able to replicate under Windows 95, but more and more of them are becoming capable of doing so under Windows NT as well. This paper provides practical information about the problems of memory scanning under Windows NT and their possible solutions.

Memory scanning is a must for every operating system. Once a virus is executed and active in memory, it has the potential to hide itself from scanners by using stealth techniques. Even if the virus does not use any stealth technique, removing it from the system becomes more difficult while it is active in memory, since such a virus can re-infect already disinfected objects again and again. Many viruses already use the directory stealth technique under Windows 95 and Windows NT. We have also seen the first implementation of a Windows 95 full stealth virus (Win95/Zerg.3849).

While developing a memory scanner for Windows 95 is not an easy task, the problem is much more complex under Windows NT. In my paper I am going to introduce the different ways in which 32-bit viruses stay in memory as a particular process, and describe the possible methods of detecting and deactivating them.

At the end of 1998 we saw the first implementation of a native Windows NT virus (WinNT/RemEx), which runs as a service. While it is possible to detect such a virus in memory even from a User mode application, the problem becomes more difficult with a native Windows NT virus implemented as a device driver running in Kernel mode. Such a virus cannot be detected in memory from User mode, only from Kernel mode, because under Windows NT, unlike Windows 95, the system address space is protected from read and write access by User mode code. This is probably the most important reason why a memory scanner under Windows NT should be implemented as a Kernel mode driver.
In my paper I’m going to introduce both User and Kernel mode implementations of a memory scanner under Windows NT.