通过交叉验证堆栈和VAD信息检测Windows代码注入
Detect Windows Code Injection by Cross-validating Stack and VAD Information
翟继强 1韩旭 1王家乾 1孙海旭 1杨海陆1
作者信息
- 1. 哈尔滨理工大学 计算机科学与技术学院,哈尔滨 150000
- 折叠
摘要
Windows 32/64 位代码注入攻击是恶意软件常用的攻击技术,在内存取证领域,现存的代码注入攻击检测技术在验证完整性方面不能处理动态内容,并且在解析内存中数据结构方面无法兼容不同版本的Windows系统.因此提出了通过交叉验证进程堆栈和VAD信息定位注入代码方法,将基于遍历栈帧得到的函数返回地址、模块名等信息结合进程VAD结构来检测函数返回地址、匹配文件名以定位注入代码,并且研发了基于Volatility取证框架的Windows代码注入攻击检测插件codefind.测试结果表明,即使在VAD节点被恶意软件修改,方法仍能够有效定位Windows 32/64 位注入代码攻击.
Abstract
Windows 32/64-bit code injection attacks are a common attack technique by malware.In the field of memory forensics,the existing code injection attack detection technologies cannot handle dynamic content in terms of verification integrity,and cannot be compatible with different versions of Windows systems in terms of parsing data structures in memory.Therefore,the method of locating injected code through cross validation of process stack and VAD information is proposed.The method first obtains data based on traversing stack frames,such as function return address,module name and other information.Then the data is combined with the process VAD structure to detect the function return address and match the file name to locate the injected code.And developed a Windows code injection attack detection plug-in codefind based on the Volatility forensics framework.The test results show that the method can effectively locate Windows 32/64 bit injected code attacks even if the VAD node is modified by malware.
关键词
VAD/堆栈/Windows代码注入/内存取证技术Key words
VAD/stack/Windows code inject/memory forensics引用本文复制引用
基金项目
国家自然科学基金(61403109)
黑龙江省自然科学基金(F2016024)
黑龙江省高等教育教学改革研究重点委托项目(SJGZ20220086)
黑龙江省高等教育学会高等教育研究课题(23GJYBB080)
出版年
2024
NETL
NSTL
万方数据