CN114692144A - Dll injection detection method based on memory forensics - Google Patents
- Publication number: CN114692144A (application CN202210372926.8A)
- Authority: CN (China)
- Prior art keywords: file, memory, forensics, detection method, method based
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention relates to a dll injection detection method based on memory forensics. First, a hash set is built for the disk PE files; then the operating system version and configuration file (profile) information is acquired with the Volatility forensics framework; with the support of the operating system version and configuration file information, the process VAD nodes are traversed and the in-memory PE file is acquired through the VAD node members; the hash value of the PE file after relocation is computed and matched against the disk hash set, and pages whose hash values do not match are output as suspicious pages. The dll injection detection method based on memory forensics assists forensics analysts in detecting and extracting the memory areas in which dll injection exists, and facilitates subsequent malicious code analysis.
Description
Technical field:
The invention relates to a dll injection detection method based on memory forensics. It applies to the field of computer memory forensics and is mainly used for detecting and extracting the areas in memory where dll injection has occurred.
Background art:
With the development and popularization of internet technology, the accompanying network attacks have also become more complex and diverse. Computer forensics technology acquires, analyzes and preserves digital evidence of computer intrusions so that it can be presented to a court as effective litigation evidence. Disk forensics and memory forensics, as branches of computer forensics technology, play a key role in the fight against network offences.
dll injection attacks take many forms, including registry-modification injection, create-remote-thread injection, reflective dll injection, Windows message hook injection, APC thread injection, AtomBombing injection, and others. Reflective dll injection, APC thread injection and AtomBombing injection do not write the malicious dll file to disk, so traditional disk forensics cannot obtain effective digital evidence, whereas memory forensics of the computer's physical memory can analyze process memory data effectively and extract key digital evidence. Detecting dll injection attacks with memory forensics techniques is therefore of great significance.
Summary of the invention:
In order to assist forensics analysts in detecting memory dll injection attacks, the invention discloses a dll injection detection method based on memory forensics.
To that end, the invention provides the following technical scheme:
1. A dll injection detection method based on memory forensics comprises the following steps:
Step 1: calculating the disk PE file hash set.
Step 2: acquiring a dump file of the computer's physical memory through software.
Step 3: loading the memory dump file into the Volatility forensics framework, identifying the matching operating system version, and importing the configuration file (profile).
Step 4: acquiring process memory PE files based on the VAD tree, and matching the hash values of the memory PE file against those of the disk PE file.
2. The dll injection detection method based on memory forensics according to claim 1, wherein in step 1 the disk PE file hash set is calculated by the following specific steps:
Step 1-1, traversing the file system to acquire all PE files;
Step 1-2, simulating the process of loading the PE file into memory, and calculating the hash value of the text (code) section in units of 0x1000 bytes;
Step 1-3, acquiring a copy of the PE file's relocation table and associating it with the computed hash set.
3. The dll injection detection method based on memory forensics according to claim 1, wherein in step 2 the dump file of the computer's physical memory is obtained through software by the following specific steps:
Step 2-1, setting up monitoring of the APIs related to dll injection in the system;
Step 2-2, capturing a physical memory image when the monitored trigger condition occurs.
4. The dll injection detection method based on memory forensics according to claim 1, wherein in step 3 the memory dump file is loaded into the Volatility forensics framework, the matching operating system version is identified, and the configuration file is imported by the following specific steps:
Step 3-1, importing the memory image into the Volatility memory forensics framework;
Step 3-2, parsing the kernel debugger data block to obtain detailed version information of the operating system;
Step 3-3, determining the configuration file from the version information.
5. The dll injection detection method based on memory forensics according to claim 1, wherein in step 4 the process memory PE file is obtained based on the VAD tree and the hash values of the memory PE file and the disk PE file are matched by the following specific process:
Step 4-1, acquiring the _EPROCESS structure of the injected process;
Step 4-2, traversing the VAD tree from the VadRoot member of the _EPROCESS structure;
Step 4-3, if the FileObject member of a VAD node points to a valid structure, extracting the address range from StartingVpn to EndingVpn as a PE file, and repairing its relocations using the relocation table in the hash set;
Step 4-4, comparing the pages with execute permission in the memory PE file against the disk hash set, and outputting the matched page as a malicious dll page.
Advantages:
1. The invention discloses a dll injection detection method based on memory forensics. The method focuses on analyzing the computer's physical memory and compensates for the shortcoming that traditional disk forensics cannot access memory data for evidence collection.
2. The traditional method obtains the file object (_FILE_OBJECT) by traversing the process handle table, and that file object is easily deceived by rootkit stealth attacks.
3. There are many dll injection techniques; the method can detect a variety of them and has good generality.
Description of the drawings:
Fig. 1 is a flowchart of computing the disk PE file hash set according to an embodiment of the present invention.
Fig. 2 is a flowchart of acquiring a process memory PE file based on the VAD tree and matching the hash values of the memory PE file and the disk PE file according to the embodiment of the present invention.
Specific implementation:
In order to describe the technical solution of the embodiments clearly and completely, the invention is further described in detail below with reference to the drawings of the embodiments.
The steps are carried out as follows, taking a Windows 10 64-bit host as an example.
The flowchart for calculating the disk PE file hash set according to the embodiment, shown in Fig. 1, includes the following steps.
Step 1-1, traversing the file system to obtain all files;
Step 1-2, judging whether each file is a PE file;
Step 1-3, simulating loading of the PE file into memory, and calculating the hash value of the text (code) section in units of 0x1000 bytes;
Step 1-4, integrating the hash values and storing them in a hash set file.
Step 2, acquiring a dump file of the computer's physical memory through software.
Step 2-1, setting API hooks, with a monitoring dll hooking the related functions, which include APIs such as VirtualAlloc, WriteProcessMemory and CreateRemoteThread;
Step 2-2, capturing the memory snapshot when one of the related APIs is called.
Step 3, loading the memory dump file into the Volatility forensics framework, identifying the matching operating system version, and importing the configuration file (profile):
Step 3-1, searching the memory dump file for the kernel debugger data block;
Step 3-2, finding the identifying string contained in the kernel debugger data block, which shows the target operating system to be Windows 10 64-bit;
Step 3-3, importing the configuration file (profile) Win10x64_17134 for the target operating system.
Step 4, acquiring process memory PE files based on the VAD tree and matching the hash values of the memory PE file against those of the disk PE file, with the following specific steps:
The flowchart for acquiring a process memory PE file based on the VAD tree and matching the hash values of the memory PE file and the disk PE file according to the embodiment, shown in Fig. 2, includes the following steps.
Step 4-1, traversing each node of the VAD tree and judging whether the node's FileObject member is valid;
Step 4-2, if the FileObject member is valid, obtaining the start and end addresses of the PE file's allocation from StartingVpn and EndingVpn;
Step 4-3, after extracting the PE file, restoring its relocations according to the relocation table in the hash set;
Step 4-4, traversing the process's PTEs and determining which PE file pages have execute permission;
Step 4-5, matching the hash of each memory PE file page against the hash set of disk PE file hashes;
Step 4-6, judging whether any page's hash value is unmatched, and if so, outputting that page as a suspicious page.
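As an added worked example (not part of the patent text and not the applicant's code), the following Python models the core of step 1 and step 4 above: hashing the text section in 0x1000-byte pages, keeping a copy of the relocation table next to the hashes, undoing the loader's relocation on the copy extracted from memory, and reporting executable pages whose hash is absent from the disk hash set. It assumes a single text section whose relocations are all 64-bit absolute pointers (IMAGE_REL_BASED_DIR64), uses SHA-256 as the hash (the patent does not name one), and takes the set of executable pages as an input that a real implementation would derive from the PTE walk of step 4-4; the disk and memory images are constructed inline rather than taken from a real DLL or a Volatility dump.

```python
import hashlib
import struct

PAGE_SIZE = 0x1000  # the method hashes the text section in 0x1000-byte units
MASK64 = (1 << 64) - 1


def apply_relocations(image, reloc_rvas, delta):
    """Add `delta` to every absolute pointer listed in the relocation table.

    Assumption (not stated in the patent): every entry is an
    IMAGE_REL_BASED_DIR64 fix-up, i.e. an 8-byte little-endian pointer at
    the given RVA. The loader's delta relocates a disk image; the negative
    delta undoes the relocation of an image extracted from memory.
    """
    out = bytearray(image)
    for rva in reloc_rvas:
        (ptr,) = struct.unpack_from("<Q", out, rva)
        struct.pack_into("<Q", out, rva, (ptr + delta) & MASK64)
    return out


def page_hashes(image, text_rva, text_size):
    """SHA-256 of each 0x1000-byte page of the text section (hash choice is
    this example's, the patent does not name an algorithm)."""
    return [
        hashlib.sha256(bytes(image[off:off + PAGE_SIZE])).hexdigest()
        for off in range(text_rva, text_rva + text_size, PAGE_SIZE)
    ]


def build_disk_entry(disk_image, image_base, text_rva, text_size, reloc_rvas):
    """Step 1: hash the disk PE's text pages as laid out at its preferred
    ImageBase and store a copy of its relocation table with them (step 1-3)."""
    return {
        "image_base": image_base,
        "text_rva": text_rva,
        "text_size": text_size,
        "hashes": page_hashes(disk_image, text_rva, text_size),
        "reloc_rvas": list(reloc_rvas),
    }


def detect_suspicious_pages(memory_image, actual_base, disk_entry, executable_pages):
    """Steps 4-3 to 4-6: rebase the memory copy back to the disk file's
    preferred base using the stored relocation table, hash its executable
    text pages, and return the indices of pages whose hash is not in the
    disk hash set (the suspicious pages of step 4-6)."""
    repaired = apply_relocations(memory_image, disk_entry["reloc_rvas"],
                                 disk_entry["image_base"] - actual_base)
    mem_hashes = page_hashes(repaired, disk_entry["text_rva"], disk_entry["text_size"])
    known = set(disk_entry["hashes"])
    return [i for i, h in enumerate(mem_hashes)
            if i in executable_pages and h not in known]


# --- constructed sample data (not a real DLL) -------------------------------
IMAGE_BASE = 0x180000000                     # preferred ImageBase of the sample
TEXT_RVA, TEXT_SIZE = 0x1000, 3 * PAGE_SIZE  # three text pages
RELOC_RVAS = [0x1010, 0x2040]                # DIR64 fix-up sites inside text


def make_sample_disk_image():
    """A fake on-disk image: deterministic filler standing in for code, plus
    two absolute pointers that the Windows loader would rebase."""
    img = bytearray(TEXT_RVA + TEXT_SIZE)
    for i in range(TEXT_RVA, TEXT_RVA + TEXT_SIZE):
        img[i] = (i * 7) & 0xFF
    struct.pack_into("<Q", img, 0x1010, IMAGE_BASE + 0x2500)
    struct.pack_into("<Q", img, 0x2040, IMAGE_BASE + 0x3800)
    return img


def make_sample_memory_image(disk_image, actual_base, inject):
    """The VAD-backed region as it would look once mapped at `actual_base`;
    optionally overwrite part of text page 2 with constructed foreign bytes
    standing in for injected code."""
    mem = apply_relocations(disk_image, RELOC_RVAS, actual_base - IMAGE_BASE)
    if inject:
        start = TEXT_RVA + 2 * PAGE_SIZE + 0x100
        mem[start:start + 16] = b"\x90" * 16
    return mem


def run_demo():
    """Returns (suspicious pages of a clean mapping, suspicious pages of a
    tampered mapping). All three text pages are treated as executable, as
    the PTE walk of step 4-4 would report for a normal text section."""
    disk = make_sample_disk_image()
    entry = build_disk_entry(disk, IMAGE_BASE, TEXT_RVA, TEXT_SIZE, RELOC_RVAS)
    actual_base = 0x7FF612340000
    executable_pages = {0, 1, 2}
    clean = detect_suspicious_pages(
        make_sample_memory_image(disk, actual_base, inject=False),
        actual_base, entry, executable_pages)
    tampered = detect_suspicious_pages(
        make_sample_memory_image(disk, actual_base, inject=True),
        actual_base, entry, executable_pages)
    return clean, tampered


if __name__ == "__main__":
    print(run_demo())  # ([], [2])
```

The relocation repair of step 4-3 is what keeps the comparison honest: with ASLR the DLL is almost never mapped at its preferred ImageBase, so every page containing an absolute pointer would hash differently from the disk copy and be flagged. Rebasing the memory copy with the stored relocation table removes that source of false positives, after which only the page that actually holds foreign bytes (page 2 in the tampered mapping) fails to match, and the page granularity localizes where inside the module the modification sits.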
Claims (5)
1. A dll injection detection method based on memory forensics, characterized by comprising the following steps:
Step 1: calculating the disk PE file hash set.
Step 2: acquiring a dump file of the computer's physical memory through software.
Step 3: loading the memory dump file into the Volatility forensics framework, identifying the matching operating system version, and importing the configuration file.
Step 4: acquiring process memory PE files based on the VAD tree, and matching the hash values of the memory PE file against those of the disk PE file.
2. The dll injection detection method based on memory forensics according to claim 1, wherein in step 1 the disk PE file hash set is calculated by the following specific steps:
Step 1-1, traversing the file system to acquire all PE files;
Step 1-2, simulating the process of loading the PE file into memory, and calculating the hash value of the text (code) section in units of 0x1000 bytes;
Step 1-3, acquiring a copy of the PE file's relocation table and associating it with the computed hash set.
3. The dll injection detection method based on memory forensics according to claim 1, wherein in step 2 the dump file of the computer's physical memory is obtained through software by the following specific steps:
Step 2-1, setting up monitoring of the APIs related to dll injection in the system;
Step 2-2, capturing the physical memory image when the monitored trigger condition occurs.
4. The dll injection detection method based on memory forensics according to claim 1, wherein in step 3 the memory dump file is loaded into the Volatility forensics framework, the matching operating system version is identified, and the configuration file is imported by the following specific steps:
Step 3-1, importing the memory image into the Volatility memory forensics framework;
Step 3-2, parsing the kernel debugger data block to obtain detailed version information of the operating system;
Step 3-3, determining the configuration file from the version information.
5. The dll injection detection method based on memory forensics according to claim 1, wherein in step 4 the process memory PE file is obtained based on the VAD tree and the hash values of the memory PE file and the disk PE file are matched by the following specific process:
Step 4-1, acquiring the _EPROCESS structure of the injected process;
Step 4-2, traversing the VAD tree from the VadRoot member of the _EPROCESS structure;
Step 4-3, if the FileObject member of a VAD node points to a valid structure, extracting the address range from StartingVpn to EndingVpn as a PE file, and repairing its relocations using the relocation table in the hash set;
Step 4-4, comparing the pages with execute permission in the memory PE file against the disk hash set, and outputting the matched page as a malicious dll page.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210372926.8A CN114692144A (en) | 2022-04-08 | 2022-04-08 | Dll injection detection method based on memory forensics |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210372926.8A CN114692144A (en) | 2022-04-08 | 2022-04-08 | Dll injection detection method based on memory forensics |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114692144A true CN114692144A (en) | 2022-07-01 |
Family
ID=82143465
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210372926.8A Pending CN114692144A (en) | 2022-04-08 | 2022-04-08 | Dll injection detection method based on memory forensics |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114692144A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20080096031A (en) * | 2007-04-26 | 2008-10-30 | 김귀남 | A collection method of volatile evidence data with computer |
CN109033828A (en) * | 2018-07-25 | 2018-12-18 | Shandong Computer Science Center (National Supercomputer Center in Jinan) | A Trojan detection method based on computer memory analysis technology |
CN113761595A (en) * | 2021-09-13 | 2021-12-07 | Harbin University of Science and Technology | Code signature verification method based on computer memory forensics technology |
Events
- 2022-04-08: CN application CN202210372926.8A filed (patent CN114692144A, status: Pending)
Non-Patent Citations (2)
Title |
---|
ANDREW WHITE ET AL: "Integrity verification of user space code", DIGITAL INVESTIGATION, 31 December 2013 (2013-12-31), page 59 * |
Zhai Jiqiang et al.: "Memory forensics research on the Windows 10 segment heap", Journal of Northwestern Polytechnical University, vol. 39, no. 5, 31 October 2021 (2021-10-31), pages 1139-1149 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |