Data Labelling on Windows Based on Hooking Technology
First published: 2012-01-09
Abstract: Clearly labelling network data is of great importance to both research and practical engineering. Current research relies mainly on manual simulation and DPI analysis. Manual simulation introduces human factors and is affected by the experimental environment, which may mask the characteristics of the network data itself; DPI cannot discover data from "new" network applications and cannot analyse encrypted traffic; neither method can label real network data completely and accurately. By studying how applications on Windows call the API, this paper proposes a method that uses hooks to take over some of the Windows system network functions in order to label network data. The paper presents the design of a Hook API system that labels an application's data. The system consists of two parts, Hook Server and Hook Driver: Hook Server is responsible for injecting Hook Driver into the process address space, mainly using techniques such as remote threads; Hook Driver is responsible for hooking the system functions and taking over the controlled functions. The experimental section describes in detail how the Hook API system is used to label network data. To verify the completeness and accuracy of the network data obtained through Hook API, Wireshark was used to capture and filter data; the comparison shows that the data labelled by Hook API is more complete, and the experiment demonstrates that the proposed method can label an application's network data accurately and completely.
Keywords: Windows API, DPI, process, data labelling, Hook Server, Hook Driver
Data Identify in Programs of Windows by Hooking
Abstract: In this paper, a method for matching network data to the correct application process is proposed. There are two main ways to build reference data. First, reference data can be obtained by simulation: all data produced by a specified process running during a fixed time period on fixed computers is assigned to that process. Simulation can render the data useless because it introduces human influence. Second, DPI can analyse network data and attach to it the application-name label kept in a signature database. However, DPI does not work when it is unaware of the signatures of new applications or when the network data has been encrypted. In this paper, we find that network data can be identified by hooking and controlling some system functions. The API Hook system is composed of Hook Server and Hook Driver. Hook Server copies Hook Driver into the address space of the process. Hook Driver hooks and controls the system functions. The research shows that this method can identify the network data completely and exactly.
Keywords: Windows API, DPI, process, data identification, Hook Server, Hook Driver