Windows下基于挂钩技术的数据标注.docVIP

 Windows 下基于挂钩技术的数据标注 王丽艳1，张志斌2** （1. 北京邮电大学计算机学院，北京 100876； 5 10 15 20 25 30 35 40 2. 中国科学技术研究院网络安全实验室，北京 100190） 摘要：清晰标注网络数据对研究和实际工程都有很重要的意义，现阶段的研究主要是采用人 工模拟和 DPI 分析。人工模拟引入人为因素，受到实验环境影响，可能掩盖网络数据本身的 特点；DPI 不能发现“新”网络应用数据，并且对于加密数据流无法分析；两种方法都不能 全面准确的标注实际网络数据。通过研究 Windows 下应用程序调用 API 的过程，本文提出利 用挂钩接管 Windows 部分系统网络函数的方法来标注网络数据。本文介绍设计了 Hook API 系统以实现应用程序的数据标注。该系统包含 Hook Server 与 Hook Driver 两部分：Hook Server 负责将 Hook Driver 注入到进程地址空间中，主要使用了远程线程等技术；Hook Driver 负责挂钩系统函数，完成接管控制函数的任务。实验部分详述了如何使用 Hook API 系统标注网络数据。为了验证由 Hook API 得到的网络数据完整性与准确性，使用 Wireshark 捕获过滤数据，通过对比发现，Hook API 标注的到的数据更为完备，实验证明本文提出的 方法能够达准确完备的标注应用程序的网络数据。 关键词：windows API；DPI；进程数据标注；Hook Server；Hook Driver 中图分类号：TP393.0 Data Identify in Programs of Windows by Hooking WANG Liyan1, Zhang Zhibin2 (1. BeiJing University of Post and Teconology, Beijing 100876; 2. Research Center of Information Security，Institute of Computing Technology,Chinese Academy of Sciences, Beijing 100190) Abstract: In this paper a method which used to match network data to the right application process was proposed.There were two main ways to biuld reference data.Firstly, reference data can be achieved by simulation. All the data which were produced by the specified process running at a fixed time peroid and fixed computers were assigned to this specified peocess. Simulation can lead to data useless because it brought about peoples influences. Secondly, DPI can analyze network data and attatch them with the application name label which were keeped in signature database. However, DPI doesnot work when it is unware of signatures of new applicaations or the network data which had been encrypted. In this paper, we find it is available to identify network data by hooking and controling some system functions. API Hook system was composed of Hook Server and Hook Driver. Hook Server copied Hook Driver into address space of the process. Hook driver hooked and controled the system functions.The reserch shows that this method can identy the netwo