DocumentCode :
2621149
Title :
Research on monitoring hiding technology in protection system
Author :
Yan, Feng ; Liu, Shufen
Author_Institution :
Coll. of Comput. Sci. & Technol., Jilin Univ., Changchun, China
fYear :
2011
fDate :
26-28 Oct. 2011
Firstpage :
158
Lastpage :
161
Abstract :
With the growing number of domestic and international computer crimes, remote monitoring of suspect computers is becoming an important means of preventing computer crime and of computer forensics. Remote monitoring technology also plays an important role in military information confrontation and cyber warfare. Such a remote monitoring program must not be detected by the security defense or network monitoring software running on the monitored computer, so it must hide both its operation and its communication. This paper discusses hiding technology for remote monitoring in depth and implements it. The security defense software running on the monitored computer captures user access to sensitive information by intercepting system calls. On the Windows operating system, this interception is achieved by replacing system function entry addresses in the SSDT (system service dispatch table) with the addresses of the defense software's own functions. In order not to be detected by the security defense program, the remote monitoring program must first restore the original function entry addresses in the SSDT before it accesses sensitive resources. This paper provides an SSDT recovery method that recalculates and restores the original addresses in the function entry address table. The security defense software can also capture network packets at the TDI (Transport Driver Interface) and NDIS (Network Driver Interface Specification) layers in order to monitor communication. For the communication between the monitored computer and the monitoring computer to remain undetected, the monitoring at the TDI layer and the NDIS layer must be bypassed. This paper describes the Windows network architecture and the network packet processing flow at the NDIS and TDI layers, analyses how security defense software captures network communication, and puts forward a method for bypassing network monitoring at the NDIS and TDI layers.
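The SSDT recovery step in the abstract rests on one fact about 32-bit Windows kernels: KiServiceTable in ntoskrnl.exe on disk holds absolute virtual addresses linked against the preferred ImageBase from the PE header, and the loader fixes each slot through the relocation table by adding the difference between the actual load address and that preferred base. So the original entry for slot i can be recalculated from the on-disk table without trusting anything in the live (possibly hooked) table. The following C program is an added illustration of that recalculation and is not code from the paper or its authors. Every base, size and table value in it is a constructed sample, not a real kernel address; the x86 layout (absolute 32-bit entries) is assumed; and the real work of locating the on-disk table (finding KeServiceDescriptorTable through the export table and translating its RVA to a file offset) is taken as already done and is not shown.

```c
/* Added example (not code from the paper): reconstruct the original x86
 * SSDT entries from an on-disk copy of the table and use them to find and
 * undo hooked entries. All addresses, bases and sizes below are
 * constructed sample values, not real Windows kernel addresses. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define N_SERVICES 6

/* Preferred load address recorded in the kernel image's PE header
 * (IMAGE_OPTIONAL_HEADER.ImageBase), the address the loader actually
 * mapped the image at, and the mapped image size. Assumed sample values. */
static const uint32_t PREFERRED_BASE = 0x00400000u;
static const uint32_t LOADED_BASE    = 0x80400000u;
static const uint32_t KERNEL_SIZE    = 0x00400000u;

/* KiServiceTable as it sits in ntoskrnl.exe on disk: absolute virtual
 * addresses linked against PREFERRED_BASE. When the image is mapped
 * elsewhere the loader patches every slot via the relocation table by
 * adding (LOADED_BASE - PREFERRED_BASE). Constructed values. */
static const uint32_t disk_table[N_SERVICES] = {
    0x00405A10u, 0x00405B40u, 0x00406000u,
    0x00406220u, 0x00407100u, 0x004073C0u,
};

/* The live table as read from kernel memory: slots 1 and 4 have been
 * redirected into a third-party driver mapped at 0xF7A00000. Constructed. */
static uint32_t live_table[N_SERVICES] = {
    0x80405A10u, 0xF7A01234u, 0x80406000u,
    0x80406220u, 0xF7A01580u, 0x804073C0u,
};

/* Recompute what slot i must hold once relocation has been applied. */
uint32_t expected_entry(size_t i) {
    return disk_table[i] + (LOADED_BASE - PREFERRED_BASE);
}

/* Independent sanity check: every entry of the native table points into
 * ntoskrnl itself, so an address outside the mapped image is a hook even
 * if the on-disk comparison were unavailable. */
int points_into_kernel(uint32_t va) {
    return va >= LOADED_BASE && va < LOADED_BASE + KERNEL_SIZE;
}

/* Writes the indices of hooked slots into out[] and returns their count. */
size_t find_hooked_entries(const uint32_t *table, size_t n, size_t *out) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (table[i] != expected_entry(i) || !points_into_kernel(table[i]))
            out[count++] = i;
    }
    return count;
}

/* Overwrites every hooked slot with its recalculated original address
 * and returns the number of slots restored. */
size_t restore_table(uint32_t *table, size_t n) {
    size_t hooked[N_SERVICES];
    size_t count = find_hooked_entries(table, n, hooked);
    for (size_t k = 0; k < count; k++)
        table[hooked[k]] = expected_entry(hooked[k]);
    return count;
}

int main(void) {
    size_t hooked[N_SERVICES];
    size_t count = find_hooked_entries(live_table, N_SERVICES, hooked);
    for (size_t k = 0; k < count; k++)
        printf("slot %zu hooked: 0x%08X (original 0x%08X)\n",
               hooked[k], live_table[hooked[k]], expected_entry(hooked[k]));
    printf("restored %zu entries\n", restore_table(live_table, N_SERVICES));
    return 0;
}
```

In a real driver the same arithmetic would be applied to the table read out of the kernel file, and the comparison run against the live KeServiceDescriptorTable; on x64 the table entries are encoded differently (offsets relative to the table base rather than absolute addresses), so the recalculation above applies to the 32-bit case the abstract describes.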
Keywords :
computer forensics; military computing; NDIS layer; TDI layer; computer crime; information confrontation; military cyber warfare; monitoring hiding technology; network driver interface specification; protection system; remote monitoring; security defense; system service dispatch table; transport driver interface; Monitoring; TDI client; export table; relative virtual address; relocation table;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Web Society (SWS), 2011 3rd Symposium on
Conference_Location :
Port Elizabeth
ISSN :
2158-6985
Print_ISBN :
978-1-4577-0212-9
Type :
conf
DOI :
10.1109/SWS.2011.6101289
Filename :
6101289