Auto-start technique is a key technique for the spreading and infection of malicious code. Compared to other auto-start techniques, an auto-start process based on a kernel-layer file patch is more hidden and more difficult to remove. Therefore, more in-depth study of auto-start techniques is a precondition for detecting and removing malicious code effectively. An auto-start method based on file patching is proposed in this paper. The method modifies the disk port driver file by static patch technology, reads and writes data by direct hard-disk reading and writing techniques, and then makes the executable code run automatically at the start of the operating system. Experimental results show that this method can avoid detection by mainstream anti-virus software at home and abroad, and achieves auto-start with higher execution privilege and better invisibility than other methods.