Title: Research and Implementation of Malicious Behavior Detection and Response Techniques for the Registry in a Windows Application Compatibility Environment (Windows应用兼容环境下针对注册表的恶意行为检测与响应技术研究与实现)
Author: Zhu Yuchen (朱宇宸) 1,2
Degree: Master's
Defense date: 2019-06
Degree-granting institution: University of Chinese Academy of Sciences (中国科学院大学)
Place: Beijing
Supervisor: Ma Hengtai (马恒太), Associate Research Fellow
Keywords: Windows; application compatibility environment; registry; malicious behavior; behavior monitoring; maliciousness discrimination
Major: Computer Software and Theory
Chinese abstract (translated)

The registry is the core component of Windows system resource management: it directly controls Windows startup, hardware driver loading, and the running of the system and of applications. At the same time, the registry is one of the most fragile parts of the system, and an erroneous change to it can cause system failures. Much malware uses the registry for malicious purposes such as interfering with the normal operation of the system and applications or stealing application information, so registry protection is key to protecting a Windows system. A Windows application compatibility environment is a special system that runs on top of Linux and supports the execution of Windows applications. In a compatibility environment, Windows security software cannot fully protect the registry; and because the registry is a mechanism specific to Windows, existing Linux security software cannot protect it either. Establishing a registry protection mechanism for the compatibility environment is therefore essential. This thesis studies techniques for monitoring registry operations, discriminating malicious behavior and responding to it in a Windows application compatibility environment.

Compared with the Windows registry, an important characteristic of the compatibility environment's registry is that it is stored as text files in the Linux system. Besides Windows programs operating on the registry through the registry API, Linux programs can therefore also operate on it by modifying the registry files directly. This thesis performs operation monitoring, malicious behavior discrimination and malicious behavior response separately for the two cases: Windows programs accessing the registry through the registry API, and Linux programs accessing it by reading and writing the registry files. The main work and contributions are as follows:

1. Addressing the problem that the compatibility environment's registry files can be modified directly, a mechanism for detecting and responding to malicious behavior against the registry is proposed. Detection and response are performed separately for the two cases of Windows programs and Linux programs accessing the registry, to ensure that the compatibility environment's registry is not modified maliciously. Protecting the registry on the Linux side is a scenario unique to the compatibility environment.

2. Exploiting the open-source nature of the compatibility environment, an API-level method for monitoring the registry operations of Windows programs is proposed. Operations are monitored by obtaining the data directly inside the compatibility environment's registry API, which is simple to implement, monitors faster and responds promptly.

3. Using the cross-platform nature of the compatibility environment, a method is proposed for judging on the Linux side whether a change to a compatibility environment registry file is malicious. Because under Linux only the compatibility environment needs to access the registry, a flag set inside the compatibility environment's registry-modifying API distinguishes its own changes to the registry files from those made by other Linux programs, and on that basis the maliciousness of a registry file change can be determined.

4. The malicious behavior detection and response mechanism for the registry in the compatibility environment is designed and implemented, and its effectiveness is verified experimentally. The experiments show that the proposed mechanism ensures the security of the compatibility environment's registry to a certain extent.

English abstract

The registry is the core component of Windows system resource management: it directly controls Windows startup, hardware driver loading, and the running of the system and of applications. At the same time, the registry is one of the most fragile parts of the system, and an erroneous change to it causes system failures. Much malware uses the registry for malicious purposes such as interfering with the normal execution of the system and applications or stealing application information. Registry protection is therefore the key to Windows system protection.

A Windows application compatibility environment is a special system that runs on top of Linux and supports the execution of Windows applications. In such an environment, Windows security software cannot fully protect the registry, and because the registry is a mechanism specific to Windows, existing Linux security software cannot protect it either. A registry protection mechanism for the compatibility environment is therefore urgently needed. This thesis studies the monitoring of registry operations, the discrimination of malicious behavior and the response to it in a Windows application compatibility environment.

Compared with the Windows registry, an important feature of the compatibility environment's registry is that it is stored as text files on the Linux system, so in addition to Windows programs operating on the registry through the registry API, Linux programs can operate on it by modifying the registry files directly. This thesis performs registry operation monitoring, malicious behavior discrimination and malicious behavior response separately for both cases: a Windows program accessing the registry through the API, and a Linux program accessing it by reading and writing the registry files. The main work and contributions of this thesis are as follows:

1. Since the registry files of the compatibility environment can be changed directly, a mechanism for detecting and responding to malicious behavior against the registry is proposed. To ensure that the compatibility environment's registry is not changed maliciously, detection and response are performed separately for Windows programs and for Linux programs. Protecting the registry on the Linux side is a scenario unique to the compatibility environment.

2. Building on the open-source nature of the compatibility environment, an API-level method for monitoring the registry operations of Windows programs is proposed. Registry operations are monitored by retrieving the data directly inside the compatibility environment's registry API, which is simple to implement, monitors quickly and responds promptly.

3. Building on the cross-platform nature of the compatibility environment, a method is presented for judging on the Linux side whether a change to a compatibility environment registry file is malicious. Since under Linux only the compatibility environment needs to access the registry, a flag set inside the APIs that can change the registry distinguishes the compatibility environment's own changes from those of other Linux programs, and the maliciousness of a registry file change can be judged on that basis.

4. The malicious behavior detection and response mechanism for the registry in the compatibility environment is designed and implemented, and its effectiveness is verified by experiments. The experiments show that the proposed mechanism ensures the security of the compatibility environment's registry to a certain extent.
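As an added example (not code from the thesis or from any compatibility environment), the following Python sketch shows the Linux-side half of contributions 1 and 3 together with a persistence check in the spirit of contribution 2: it parses the text-format registry, diffs a rewrite of the file against the last accepted content, attributes the rewrite by a flag assumed to be raised by the compatibility environment's own registry API, and decides whether to accept the new content or hand back the old content for restoration. The Wine-style user.reg layout, the env_flag mechanism, the persistence key list and all sample registry content are assumptions or constructed data for this example; the page names neither the environment nor its file format.

```python
"""Added example, not code from the thesis: Linux-side monitor for the text
registry of a Windows application compatibility environment.

Assumptions (the page names neither the environment nor its file format):
the registry file is laid out like Wine's user.reg ("[Key\\Path] timestamp"
headers, then "name"="value" lines), and the environment's registry-writing
API raises a flag (env_flag) around its own rewrites. A file watcher such as
inotify (not shown) would call RegistryMonitor.on_rewrite with the new text.
"""
import re
from typing import Dict, List, Tuple

_SECTION = re.compile(r'^\[(?P<key>[^\]]+)\](?:\s+\d+)?$')
_VALUE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<value>.*)$')

# Autostart keys a Windows program rarely needs to touch (assumed list).
PERSISTENCE_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)


def parse_registry(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the text registry into {key path: {value name: raw value}}."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or line.startswith("WINE REGISTRY"):
            continue  # blank, comment, "#time="/"#arch=" lines, file header
        m = _SECTION.match(line)
        if m:
            current = m.group("key").replace("\\\\", "\\")  # unescape path
            tree.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group("name")
            tree[current][name if name == "@" else name.strip('"')] = m.group("value")
    return tree


def diff_registry(old, new) -> List[Tuple[str, str, str, str, str]]:
    """Value-level differences as (kind, key, name, old value, new value)."""
    changes = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            if name not in o:
                changes.append(("added", key, name, "", n[name]))
            elif name not in n:
                changes.append(("removed", key, name, o[name], ""))
            elif o[name] != n[name]:
                changes.append(("changed", key, name, o[name], n[name]))
    return changes


def is_persistence_key(key: str) -> bool:
    k = key.lower()
    return any(k == p.lower() or k.startswith(p.lower() + "\\") for p in PERSISTENCE_KEYS)


class RegistryMonitor:
    """Keeps the last accepted registry content and judges each rewrite."""
    def __init__(self, baseline_text: str) -> None:
        self.accepted_text = baseline_text
        self.accepted = parse_registry(baseline_text)

    def on_rewrite(self, new_text: str, env_flag: bool) -> dict:
        changes = diff_registry(self.accepted, parse_registry(new_text))
        if not env_flag:
            # No flag: another Linux program edited the file directly, which
            # the thesis's criterion treats as malicious; return the last
            # accepted content so the watcher can restore the file.
            return {"source": "external", "verdict": "malicious",
                    "changes": changes, "restore_text": self.accepted_text}
        risky = [c for c in changes if is_persistence_key(c[1])]
        if risky:
            # Came through the API but installs an autostart entry: roll back.
            return {"source": "compat_env", "verdict": "suspicious",
                    "changes": risky, "restore_text": self.accepted_text}
        self.accepted_text, self.accepted = new_text, parse_registry(new_text)
        return {"source": "compat_env", "verdict": "benign",
                "changes": changes, "restore_text": None}


# Constructed sample registry (not real data) in the assumed layout.
BASELINE = r"""WINE REGISTRY Version 2
;; All keys relative to \\User\\S-1-5-21-0-0-0-1000

[Software\\ExampleApp] 1551000000
@="1.0"
"InstallDir"="C:\\Program Files\\ExampleApp"

[Software\\Microsoft\\Windows\\CurrentVersion\\Run] 1551000000
"Updater"="C:\\Program Files\\ExampleApp\\update.exe"
"""
APP_UPDATE = BASELINE.replace('@="1.0"', '@="1.1"')                # via the API
EXTERNAL_EDIT = APP_UPDATE + '"svchost"="/tmp/.x/svchost.exe"\n'  # direct edit
APP_AUTOSTART = APP_UPDATE + r'"Tray"="C:\\Program Files\\ExampleApp\\tray.exe"' + "\n"


def demo() -> Dict[str, str]:
    """Three rewrites in sequence: benign API write, direct edit, API autostart."""
    mon = RegistryMonitor(BASELINE)
    return {
        "app_update": mon.on_rewrite(APP_UPDATE, env_flag=True)["verdict"],
        "external_edit": mon.on_rewrite(EXTERNAL_EDIT, env_flag=False)["verdict"],
        "app_autostart": mon.on_rewrite(APP_AUTOSTART, env_flag=True)["verdict"],
    }
```

In `demo()` the first rewrite is accepted and becomes the new baseline, the direct edit is rejected on attribution alone (no flag, so no Windows program could have made it), and the flagged autostart change is rolled back only because of what it touches. A real deployment would raise the flag from inside the environment's registry API in a way a Linux attacker cannot forge (for example a process-private marker checked by a privileged watcher) and would probably prompt rather than silently roll back the last case.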

 

Language: Chinese
Subject: Operating Systems and Operating Environments
Content type: Thesis
Source URL: http://ir.iscas.ac.cn/handle/311060/19158
Collection: General Department theses (总体部_学位论文)
Author affiliations: 1. Institute of Software, Chinese Academy of Sciences; 2. University of Chinese Academy of Sciences
Recommended citation (GB/T 7714):
朱宇宸. Windows应用兼容环境下针对注册表的恶意行为检测与响应技术研究与实现[D]. 北京: 中国科学院大学, 2019.