CN114692144A - Dll injection detection method based on memory forensics - Google Patents

Info

Publication number: CN114692144A
Authority: CN (China)
Application number: CN202210372926.8A
Other languages: Chinese (zh)
Inventors: 翟继强, 白忆鸽, 孙楷轩
Current assignee: Harbin University of Science and Technology
Original assignee: Harbin University of Science and Technology
Priority date: 2022-04-08
Filing date: 2022-04-08
Publication date: 2022-07-01
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention relates to a dll injection detection method based on memory forensics. First, a hash set is built for the PE files on disk; then the operating system version and configuration file (profile) information are obtained using the Volatility forensics framework; with the support of that version and profile information, the process VAD nodes are traversed and the in-memory PE files are acquired through the VAD node members; the hash value of each PE file is computed after its relocations are repaired and matched against the disk hash set, and pages whose hash value does not match are output as suspicious pages. The dll injection detection method based on memory forensics assists forensic analysts in detecting and extracting the memory areas in which dll injection is present, and facilitates subsequent malicious code analysis.

Description

Dll injection detection method based on memory forensics
The technical field is as follows:
The invention relates to a dll injection detection method based on memory forensics, which belongs to the field of computer memory forensics and is mainly used for detecting and extracting the areas of memory in which dll injection has occurred.
Background art:
With the development and popularization of internet technology, the accompanying network attacks have also gradually become more complex and diverse. Computer forensics technology can acquire, analyze and preserve digital evidence of computer intrusions so that it can serve as effective litigation evidence presented to a court. Disk forensics and memory forensics, as branches of computer forensics technology, play a key role in fighting network crime.
dll injection attacks take a variety of forms, including registry modification injection, remote thread creation injection, reflective dll injection, Windows message hook injection, APC thread injection, AtomBombing injection, and the like. Reflective dll injection, APC thread injection and AtomBombing injection do not load the malicious dll file onto the disk, so traditional disk forensics cannot obtain effective digital evidence, whereas memory forensics technology applied to the computer's physical memory can effectively analyze process memory data and extract key digital evidence. Therefore, it is of great significance to detect dll injection attacks using memory forensics techniques.
The invention content is as follows:
In order to assist forensic analysts in detecting memory dll injection attacks, the invention discloses a dll injection detection method based on memory forensics.
Therefore, the invention provides the following technical scheme:
1. A dll injection detection method based on memory forensics comprises the following steps:
Step 1: calculating the disk PE file hash set.
Step 2: acquiring a dump file of the computer's physical memory through software.
Step 3: loading the memory dump file into the Volatility forensics framework, identifying the matching operating system version, and importing the configuration file (profile).
Step 4: acquiring process memory PE files based on the VAD tree, and matching the hash values of the memory PE files against those of the disk PE files.
2. The dll injection detection method based on memory forensics according to claim 1, wherein in step 1 the disk PE file hash set is calculated by the following specific steps:
Step 1-1, traversing the file system to acquire all PE files;
Step 1-2, simulating the process of loading each PE file into memory, and calculating a hash value of the text (code) section in units of 0x1000 bytes;
Step 1-3, acquiring a copy of the PE file's relocation table and associating it with the computed hash set.
3. The dll injection detection method based on memory forensics according to claim 1, wherein in step 2 the dump file of the computer's physical memory is obtained through software by the following specific steps:
Step 2-1, setting up monitoring of the APIs related to dll injection in the system;
Step 2-2, taking a physical memory image when the monitored trigger condition occurs.
4. The dll injection detection method based on memory forensics according to claim 1, wherein in step 3 the memory dump file is loaded into the Volatility forensics framework, the matching operating system version is identified, and the configuration file is imported by the following specific steps:
Step 3-1, importing the memory image into the Volatility memory forensics framework;
Step 3-2, analyzing the kernel debugging data block to obtain detailed version information of the operating system;
Step 3-3, determining the configuration file (profile) from the version information.
5. The dll injection detection method based on memory forensics according to claim 1, wherein in step 4 the process memory PE files are obtained based on the VAD tree and their hash values are matched against those of the disk PE files by the following specific process:
Step 4-1, acquiring the _EPROCESS structure of the injected process;
Step 4-2, traversing the VAD tree nodes starting from the VadRoot member of the _EPROCESS structure;
Step 4-3, if the FileObject member of a VAD node points to a valid structure, extracting the address space from StartingVpn to EndingVpn as a PE file, and repairing its relocations using the relocation table stored in the hash set;
Step 4-4, comparing the pages with execute permission in the memory PE file against the disk hash set, and outputting the matched pages as malicious dll pages.
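Steps 4-1 to 4-3 (walk the VAD tree from VadRoot, keep only nodes whose FileObject is valid, and turn StartingVpn/EndingVpn into an address range) modelled in Python, as an added example that is not code from the patent. VadNode and FileObject are simplified stand-ins for the Windows structures, and the sample tree, addresses and file names are constructed.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

PAGE_SHIFT = 12  # StartingVpn/EndingVpn are virtual page numbers; address = vpn << 12


@dataclass
class FileObject:
    """Stand-in for _FILE_OBJECT; only the file name is needed here."""
    FileName: str


@dataclass
class VadNode:
    """Stand-in for a VAD node, keeping just the members the method reads."""
    StartingVpn: int
    EndingVpn: int
    FileObject: Optional[FileObject] = None
    LeftChild: Optional["VadNode"] = None
    RightChild: Optional["VadNode"] = None


def walk_vad_tree(root: Optional[VadNode]) -> Iterator[VadNode]:
    """In-order traversal from _EPROCESS.VadRoot (steps 4-1 and 4-2); iterative, so deep trees do not recurse."""
    stack: List[VadNode] = []
    node = root
    while stack or node is not None:
        while node is not None:
            stack.append(node)
            node = node.LeftChild
        node = stack.pop()
        yield node
        node = node.RightChild


def mapped_pe_regions(root: Optional[VadNode]) -> List[Tuple[int, int, str]]:
    """Step 4-3: (start, end, file name) for every VAD whose FileObject is valid.
    EndingVpn is inclusive, so the region ends at the last byte of that page; VADs without
    a FileObject (heaps, stacks, private allocations) are skipped, as in the method."""
    regions = []
    for node in walk_vad_tree(root):
        if node.FileObject is None:
            continue
        start = node.StartingVpn << PAGE_SHIFT
        end = ((node.EndingVpn + 1) << PAGE_SHIFT) - 1
        regions.append((start, end, node.FileObject.FileName))
    return regions


def demo_tree() -> VadNode:
    """Constructed sample process: two file-backed mappings plus a heap with no FileObject."""
    ntdll = VadNode(0x7FFB1C2A0, 0x7FFB1C4C8, FileObject(r"\Windows\System32\ntdll.dll"))
    heap = VadNode(0x1A000, 0x1AFFF)                  # private memory, no backing file
    sample = VadNode(0x7FFB0B000, 0x7FFB0B0FF, FileObject(r"\Temp\sample.dll"))
    heap.RightChild = sample                          # tree is ordered by StartingVpn
    ntdll.LeftChild = heap
    return ntdll
```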
The advantages are as follows:
1. The invention discloses a dll injection detection method based on memory forensics. The method focuses on analyzing the computer's physical memory, and makes up for the shortcoming that traditional disk forensics cannot access memory data for evidence collection.
2. Traditional methods obtain the file object (_FILE_OBJECT) by traversing the process's handles, and that approach is easily deceived by rootkit concealment attacks.
3. Conventional dll injection techniques are diverse; the method can detect a variety of dll injection techniques and therefore has good universality.
Description of the drawings:
Fig. 1 is a flowchart of computing the disk PE file hash set according to an embodiment of the present invention.
Fig. 2 is a flowchart of acquiring a process memory PE file based on the VAD tree and matching the hash values of the memory PE file and the disk PE file according to the embodiment of the present invention.
The specific implementation mode is as follows:
In order to describe the technical solutions in the embodiments of the present invention clearly and completely, the invention is further described in detail below with reference to the drawings of the embodiments.
The process in step 1 is as follows:
Take a Windows 10 64-bit host as an example.
The flowchart for calculating the disk PE file hash set according to the embodiment of the present invention, shown in Fig. 1, includes the following steps.
Step 1-1, traversing the file system to obtain all files;
Step 1-2, judging whether each file is a PE file;
Step 1-3, simulating loading of the PE file into memory, and calculating the hash value of the text (code) section in units of 0x1000 bytes;
Step 1-4, integrating the hash values and storing them in a hash set file.
Step 2, acquiring a dump file of the computer's physical memory through software.
Step 2-1, setting API hooks by injecting a monitoring dll that intercepts the related functions, which include APIs such as VirtualAlloc, WriteProcessMemory and CreateRemoteThread;
Step 2-2, taking the memory snapshot when one of the related APIs is called.
Step 3, loading the memory dump file into the Volatility forensics framework, identifying the matching operating system version, and importing the configuration file:
Step 3-1, searching the memory dump file for the kernel debugging data block;
Step 3-2, finding the version string contained in the kernel debugging data block, which identifies the target operating system as Windows 10 64-bit;
Step 3-3, importing the configuration file (profile) Win10x64_17134 of the target operating system.
Step 4, acquiring process memory PE files based on the VAD tree and matching the hash values of the memory PE files against those of the disk PE files, with the following specific steps:
The flowchart for acquiring a process memory PE file based on the VAD tree and matching the hash values of the memory PE file and the disk PE file according to the embodiment of the present invention, shown in Fig. 2, includes the following steps.
Step 4-1, traversing each node of the VAD tree and judging whether the node's FileObject member is valid;
Step 4-2, if the FileObject member is valid, acquiring the starting and ending addresses of the PE file's allocation by accessing StartingVpn and EndingVpn;
Step 4-3, after the PE file is extracted, restoring the PE file's relocations according to the relocation table in the hash set;
Step 4-4, traversing the process PTEs and determining which PE file pages have execute permission;
Step 4-5, matching the hash of each memory PE file page against the hash set of disk PE file hashes;
Step 4-6, judging whether any page with an unmatched hash value appears, and if so, outputting that page as a suspicious page.
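The relocation-aware page comparison of steps 1-3, 1-4 and 4-3 to 4-6 worked through in Python, as an added example that is not code from the patent. Instead of a parsed PE it uses a constructed three-page code blob; the relocation table is modelled as a list of offsets of 64-bit absolute addresses, and the preferred base, load base and the injected bytes are made up.

```python
import hashlib
import struct

PAGE = 0x1000  # the method hashes the text section in 0x1000-byte units


def page_hashes(image: bytes) -> list:
    """Steps 1-3 and 4-5: one hash per 0x1000-byte page of a code image."""
    return [hashlib.sha256(image[i:i + PAGE]).hexdigest() for i in range(0, len(image), PAGE)]


def apply_relocations(image: bytes, relocs, delta: int) -> bytes:
    """Add `delta` to each 64-bit absolute address listed in the relocation table (DIR64-style entries)."""
    buf = bytearray(image)
    for off in relocs:
        (addr,) = struct.unpack_from("<Q", buf, off)
        struct.pack_into("<Q", buf, off, (addr + delta) & 0xFFFFFFFFFFFFFFFF)
    return bytes(buf)


def build_disk_hash_set(disk_image: bytes, relocs, preferred_base: int) -> dict:
    """Step 1: page hashes of the on-disk code together with a copy of its relocation table."""
    return {"hashes": set(page_hashes(disk_image)), "relocs": list(relocs), "base": preferred_base}


def find_suspicious_pages(mem_image: bytes, load_base: int, hash_set: dict, exec_pages=None) -> list:
    """Steps 4-3 to 4-6: undo the loader's fix-ups so clean pages hash like disk, then report
    the executable pages whose hash is absent from the disk hash set."""
    delta = load_base - hash_set["base"]
    normalized = apply_relocations(mem_image, hash_set["relocs"], -delta)
    hashes = page_hashes(normalized)
    pages = range(len(hashes)) if exec_pages is None else sorted(exec_pages)
    return [i for i in pages if hashes[i] not in hash_set["hashes"]]


# Constructed sample (not a real DLL): three code pages, each holding one absolute pointer.
PREFERRED_BASE = 0x180000000        # a typical x64 DLL preferred image base
LOAD_BASE = 0x7FFB1C2A0000          # where the loader placed it in the sample process (made up)
RELOCS = [0x010, 0x1020, 0x2008]    # offsets of the 8-byte absolute addresses


def make_disk_image() -> bytes:
    img = bytearray(b"\x90" * (3 * PAGE))             # NOP filler standing in for code bytes
    for off in RELOCS:
        struct.pack_into("<Q", img, off, PREFERRED_BASE + 0x3000 + off)  # pointer into the image
    return bytes(img)


def make_memory_image(injected: bool) -> bytes:
    """The VAD region as seen in the dump: relocated by the loader, optionally with page 1 overwritten."""
    mem = bytearray(apply_relocations(make_disk_image(), RELOCS, LOAD_BASE - PREFERRED_BASE))
    if injected:
        mem[PAGE + 0x100:PAGE + 0x110] = b"\xcc" * 0x10  # foreign bytes inside page 1
    return bytes(mem)
```

Without the relocation repair every page that contains a fixed-up pointer would differ from its disk copy and be reported, which is why step 1-3 keeps a copy of the relocation table alongside the hash set.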

Claims (5)

1. A dll injection detection method based on memory forensics is characterized by comprising the following steps:
Step 1: calculating the disk PE file hash set.
Step 2: acquiring a dump file of the computer's physical memory through software.
Step 3: loading the memory dump file into the Volatility forensics framework, identifying the matching operating system version, and importing the configuration file (profile).
Step 4: acquiring process memory PE files based on the VAD tree, and matching the hash values of the memory PE files against those of the disk PE files.
2. The dll injection detection method based on memory forensics according to claim 1, wherein in step 1 the disk PE file hash set is calculated by the following specific steps:
Step 1-1, traversing the file system to acquire all PE files;
Step 1-2, simulating the process of loading each PE file into memory, and calculating a hash value of the text (code) section in units of 0x1000 bytes;
Step 1-3, acquiring a copy of the PE file's relocation table and associating it with the computed hash set.
3. The dll injection detection method based on memory forensics according to claim 1, wherein in step 2 the dump file of the computer's physical memory is obtained through software by the following specific steps:
Step 2-1, setting up monitoring of the APIs related to dll injection in the system;
Step 2-2, taking a physical memory image when the monitored trigger condition occurs.
4. The dll injection detection method based on memory forensics according to claim 1, wherein in step 3 the memory dump file is loaded into the Volatility forensics framework, the matching operating system version is identified, and the configuration file is imported by the following specific steps:
Step 3-1, importing the memory image into the Volatility memory forensics framework;
Step 3-2, analyzing the kernel debugging data block to obtain detailed version information of the operating system;
Step 3-3, determining the configuration file (profile) from the version information.
5. The dll injection detection method based on memory forensics according to claim 1, wherein in step 4 the process memory PE files are obtained based on the VAD tree and their hash values are matched against those of the disk PE files by the following specific process:
Step 4-1, acquiring the _EPROCESS structure of the injected process;
Step 4-2, traversing the VAD tree nodes starting from the VadRoot member of the _EPROCESS structure;
Step 4-3, if the FileObject member of a VAD node points to a valid structure, extracting the address space from StartingVpn to EndingVpn as a PE file, and repairing its relocations using the relocation table stored in the hash set;
Step 4-4, comparing the pages with execute permission in the memory PE file against the disk hash set, and outputting the matched pages as malicious dll pages.

Priority Applications (1)

Application Number: CN202210372926.8A | Priority Date: 2022-04-08 | Filing Date: 2022-04-08 | Title: Dll injection detection method based on memory forensics | Status: Pending

Publications (1)

Publication Number: CN114692144A (en) | Publication Date: 2022-07-01

Family

ID: 82143465

Country Status (1)

CN (1): CN114692144A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
KR20080096031A (en) * | 2007-04-26 | 2008-10-30 | 김귀남 | A collection method of volatile evidence data with computer
CN109033828A (en) * | 2018-07-25 | 2018-12-18 | 山东省计算中心(国家超级计算济南中心) | Trojan detection method based on computer memory analysis technology
CN113761595A (en) * | 2021-09-13 | 2021-12-07 | 哈尔滨理工大学 | Code signature verification method based on computer memory forensics technology

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Andrew White et al.: "Integrity verification of user space code", Digital Investigation, 31 December 2013 (2013-12-31), page 59 *
翟继强 et al.: "Memory forensics research on the segment heap of the Windows 10 system", Journal of Northwestern Polytechnical University (西北工业大学学报), vol. 39, no. 5, 31 October 2021 (2021-10-31), pages 1139-1149 *

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination