Detecting Malware with DLL Injection And PE Infection
Master's thesis === National Sun Yat-sen University === Department of Information Management === 104 === Advanced Persistent Threat (APT) attacks are among the most notorious threats to enterprises and organizations. An APT attack is a highly organized, well-funded attack against a specific target. Cyber criminals use many ways to invade systems and obtain sensitive information ...
Main Authors: | Tzu-Ching Chang, 張子敬 |
---|---|
Other Authors: | Chia-Mai Chen, 陳嘉玫 |
Format: | Others |
Language: | zh-TW |
Published: | 2016 |
Online Access: | http://ndltd.ncl.edu.tw/handle/xyq2en |
id | ndltd-TW-104NSYS5396061 |
---|---|
record_format | oai_dc |
spelling | ndltd-TW-104NSYS5396061 2019-05-15T23:01:39Z http://ndltd.ncl.edu.tw/handle/xyq2en Detecting Malware with DLL Injection And PE Infection 偵測以注入惡意DLL檔案之惡意程式研究 Tzu-Ching Chang 張子敬 Master's degree National Sun Yat-sen University Department of Information Management 104 Chia-Mai Chen 陳嘉玫 2016 degree thesis ; thesis 74 zh-TW |
collection | NDLTD |
language | zh-TW |
format | Others |
sources | NDLTD |
description | Master's thesis === National Sun Yat-sen University === Department of Information Management === 104 === Advanced Persistent Threat (APT) attacks are among the most notorious threats to enterprises and organizations. An APT attack is a highly organized, well-funded attack against a specific target. Cyber criminals use many ways to invade systems and obtain sensitive information. The term is applied to sophisticated state-level attacks that infiltrate specific networks to steal sensitive information or assets, or to cause system damage. DLL injection and PE infection are common ways for such attackers to hide their presence. An APT attack stays undetected for a long period of time: on average about a year and a half, and in some cases more than three years. Most anti-virus vendors use signature-based detection to achieve a high detection rate, but this technique offers no protection against zero-day or previously unseen malware until the vendor updates its signature database. An attacker can slightly change the malicious code to create a unique sample that escapes detection. In this thesis, our goal is to find potential DLL-injected processes, malicious files and PE-infected applications using dynamic and static analysis. We propose three methods, one each for malicious files, PE-infected applications and DLL-injected processes. The malware detection method extracts sensitive API (Application Programming Interface) calls from malware samples in order to detect unseen malware. For potential DLL injection, each thread's context and its corresponding stack frames are scanned for instruction pointer addresses that do not belong to an executable section of the target process. PE infection is detected using API distance and duplicated RVA (relative virtual address) entries in the import table. This method examines only the infected host file to distinguish malicious from benign files. Unlike signature-based detection, prediction based on sensitive APIs and inspection for potential PE infection can detect unseen malware. Protecting sensitive data is the end goal of almost all IT security measures. |
author2 | Chia-Mai Chen |
author_facet | Chia-Mai Chen Tzu-Ching Chang 張子敬 |
author | Tzu-Ching Chang 張子敬 |
spellingShingle | Tzu-Ching Chang 張子敬 Detecting Malware with DLL Injection And PE Infection |
author_sort | Tzu-Ching Chang |
title | Detecting Malware with DLL Injection And PE Infection |
title_short | Detecting Malware with DLL Injection And PE Infection |
title_full | Detecting Malware with DLL Injection And PE Infection |
title_fullStr | Detecting Malware with DLL Injection And PE Infection |
title_full_unstemmed | Detecting Malware with DLL Injection And PE Infection |
title_sort | detecting malware with dll injection and pe infection |
publishDate | 2016 |
url | http://ndltd.ncl.edu.tw/handle/xyq2en |
work_keys_str_mv | AT tzuchingchang detectingmalwarewithdllinjectionandpeinfection AT zhāngzijìng detectingmalwarewithdllinjectionandpeinfection AT tzuchingchang zhēncèyǐzhùrùèyìdlldàngànzhīèyìchéngshìyánjiū AT zhāngzijìng zhēncèyǐzhùrùèyìdlldàngànzhīèyìchéngshìyánjiū |
_version_ | 1719139952044802048 |
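A worked version of the thread-scan heuristic described in the abstract (walk each thread's stack frames and flag return addresses that do not lie inside an executable section of the target process), added here as an example and not taken from the thesis. It assumes a 32-bit target with EBP-chained frames and models the process with a constructed module map, thread context and stack image; the section names, addresses and the `Section`, `walk_frames` and `scan_thread` helpers are all assumptions for illustration. It goes slightly beyond the text in also flagging a return address that lands in a non-executable section of a real module (for example `.data`), not only addresses outside every module.

```python
"""Stack-frame scan for injected code.  Added example, not code from the
thesis.  The module map, thread context and stack image are constructed
for a hypothetical 32-bit process with EBP-chained frames; on a live
target they would come from VirtualQueryEx plus the module's section
headers, GetThreadContext and ReadProcessMemory."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    """One PE section as mapped in the target process (constructed)."""
    name: str
    start: int
    size: int
    executable: bool  # IMAGE_SCN_MEM_EXECUTE set on the section

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


# Only image-backed sections are listed, so private RWX memory holding
# shellcode or a manually mapped DLL is simply absent from the map.
MODULE_MAP = [
    Section("target.exe:.text",   0x00401000, 0x0003F000, True),
    Section("target.exe:.data",   0x00440000, 0x00010000, False),
    Section("kernel32.dll:.text", 0x76B01000, 0x000C0000, True),
    Section("ntdll.dll:.text",    0x77A01000, 0x00100000, True),
]

STACK_BASE = 0x0012E000  # lowest address of the constructed stack
STACK_SIZE = 0x2000


def build_sample_stack() -> bytearray:
    """Four EBP-linked frames; one return address points into private
    memory at 0x02E00100 (the constructed injected code)."""
    mem = bytearray(STACK_SIZE)
    frames = [  # (frame address, saved EBP, return address)
        (0x0012FE00, 0x0012FE20, 0x00402345),  # target.exe .text
        (0x0012FE20, 0x0012FE50, 0x02E00100),  # no module section: suspicious
        (0x0012FE50, 0x0012FE80, 0x76B12345),  # kernel32.dll .text
        (0x0012FE80, 0x00000000, 0x77A05678),  # ntdll.dll .text, chain ends
    ]
    for frame, saved_ebp, ret in frames:
        struct.pack_into("<II", mem, frame - STACK_BASE, saved_ebp, ret)
    return mem


def walk_frames(stack_mem: bytes, stack_base: int, ebp: int, max_frames: int = 64):
    """Follow the saved-EBP chain, yielding (frame_addr, return_addr).
    Stops when the chain leaves the stack or stops moving upward."""
    frame = ebp
    for _ in range(max_frames):
        off = frame - stack_base
        if off < 0 or off + 8 > len(stack_mem):
            return
        saved_ebp, ret = struct.unpack_from("<II", stack_mem, off)
        yield frame, ret
        if saved_ebp <= frame:  # a zero or backwards link terminates the walk
            return
        frame = saved_ebp


def locate(addr: int, sections):
    """Return the section containing addr, or None if it is not image-backed."""
    for sec in sections:
        if sec.contains(addr):
            return sec
    return None


def scan_thread(ctx: dict, stack_mem: bytes, stack_base: int, sections):
    """Check EIP and every frame's return address against the module map.
    Returns (where, address, section name or None) for each suspicious hit."""
    findings = []

    def check(where: str, addr: int) -> None:
        sec = locate(addr, sections)
        if sec is None or not sec.executable:
            findings.append((where, addr, sec.name if sec else None))

    check("EIP", ctx["Eip"])
    for frame, ret in walk_frames(stack_mem, stack_base, ctx["Ebp"]):
        check(f"frame@{frame:#010x}", ret)
    return findings


def demo():
    """Scan the constructed thread; CONTEXT field names follow the Win32 struct."""
    ctx = {"Eip": 0x004011F0, "Esp": 0x0012FDF0, "Ebp": 0x0012FE00}
    return scan_thread(ctx, build_sample_stack(), STACK_BASE, MODULE_MAP)


if __name__ == "__main__":
    for where, addr, sec in demo():
        print(f"{where}: {addr:#010x} -> {sec or 'no module section'}")
```

Two caveats for a live implementation. The saved-EBP walk only works for frame-pointer-using code; with frame-pointer omission or on x64 the unwind must go through `RtlVirtualUnwind` or `StackWalk64`, and stale data below ESP can yield false positives, so each hit should be confirmed by querying the page's protection and whether it is image-backed. Second, classic `LoadLibrary`-based injection maps a real DLL from disk, whose `.text` is an executable section of a module, so it passes this check; the heuristic is aimed at code executing from memory that belongs to no mapped image, such as shellcode or a manually mapped DLL.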