KR20170033115A - Detection method for injection, and apparatus applied to the same - Google Patents
Classifications
- G06F21/56 — Computer malware detection or handling, e.g. anti-virus arrangements (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55 Detecting local intrusion or implementing counter-measures)
- G06F21/70 — Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer (under G06F21/00)
Abstract
The present invention relates to an injection detection method that detects malicious PEs and code injected into a process by identifying the memory start address of each thread associated with the process, or the memory type corresponding to that memory start address, and to an apparatus to which the method is applied.
Description
The present invention relates to a method for detecting malicious PE (Portable Executable) and code injected directly into a process.
Recently, an injection technique that injects PE (Portable Executable) or code into a process for malicious purposes has become an issue.
This injection technique is carried out by injecting a PE or code directly into the process, creating a thread that uses the injected memory area as its start address, and running the created thread.
However, a PE or code injected into a process does not exist as a file. An existing anti-virus (AV) engine, which judges malicious code on the basis of files, therefore has the limitation that it cannot detect malicious PE or code injected into a process.
Consequently, a way to detect malicious PEs or code injected directly into a process is needed.
SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and it is an object of the present invention to provide a method and apparatus for detecting malicious PEs and code injected into a process.
According to an aspect of the present invention, there is provided an apparatus for detecting an injection in memory, the apparatus comprising: an identification unit that identifies an injection suspicious area in the memory based on the memory start address of each thread associated with a process, or identifies an injection suspicious thread among the threads based on the memory type corresponding to each memory start address; and a generation unit that generates a PE file related to the injection suspicious area or the injection suspicious thread so that it can be determined whether the PE file is malicious.
More specifically, the identification unit identifies the injection suspicious area based on whether the memory start address of each thread belongs to the memory address area of a normal module loaded in memory in association with the process.
More specifically, if there is a specific thread whose memory start address is not included in the memory address area of the normal module, the identification unit may determine the area corresponding to the memory address area of that specific thread to be the injection suspicious area.
More specifically, if there is a specific thread for which the memory type corresponding to its memory start address is other than the specific memory type associated with a PE, the identification unit identifies that specific thread as the injection suspicious thread.
More specifically, the generation unit generates the PE file associated with the suspicious injection thread only when the base address of the suspicious injection thread is a PE header.
More specifically, the injection detection apparatus may further include a determination unit for determining whether the PE file is malicious through static or dynamic analysis of the PE file.
According to a second aspect of the present invention, there is provided a method of operating an injection detection device, comprising: a checking step of identifying an injection suspicious area in memory based on the memory start address of each thread associated with a process, or identifying an injection suspicious thread among the threads based on the memory type corresponding to each memory start address; and a generating step of generating a PE file related to the injection suspicious area or the injection suspicious thread so that it can be judged whether the PE file is malicious.
More specifically, the checking step identifies the injection suspicious area based on whether the memory start address of each thread belongs to the memory address area of a normal module loaded in memory in association with the process.
More specifically, in the checking step, if there is a specific thread whose memory start address does not belong to the memory address area of the normal module, the area corresponding to the memory address area of that specific thread is determined to be the injection suspicious area.
More specifically, in the checking step, if there is a specific thread for which the memory type corresponding to its memory start address is other than the specific memory type associated with a PE, that specific thread is identified as the injection suspicious thread.
More specifically, the generating step generates the PE file associated with the suspicious injection thread only when the base address of the suspicious injection thread is a PE header.
More specifically, the method may further include determining whether the PE file is malicious through static or dynamic analysis of the PE file.
The injection detection method according to the present invention, and the apparatus to which it is applied, achieve the effect of enabling detection of malicious PEs and code injected into a process, through a method of identifying the memory start address of each thread associated with the process.
FIG. 1 is an illustration of an injection detection environment in accordance with an embodiment of the present invention;
FIG. 2 is a schematic configuration diagram of an injection detection apparatus according to an embodiment of the present invention;
FIGS. 3 and 4 illustrate memory maps in accordance with one embodiment of the present invention;
FIGS. 5 and 6 are flowcharts illustrating an operation flow in an injection detection apparatus according to an embodiment of the present invention.
While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.
It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no other elements in between.
The terminology used in this application is used only to describe specific embodiments and is not intended to limit the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify the presence of a feature, number, step, operation, element, component or combination thereof described in the specification, but do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, components, or combinations thereof.
Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their contextual meaning in the related art, and are not to be interpreted in an idealized or overly formal sense unless expressly so defined in the present application.
Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.
FIG. 1 shows an injection detection environment according to an embodiment of the present invention.
As shown in FIG. 1, an injection detection environment according to an embodiment of the present invention may include an
The client terminal 10 corresponds to network equipment in which the process is performed, and may include any personal equipment such as a PC, a notebook, a smart phone, a tablet PC or a PDA.
The
The
In addition, the
If it is not possible to directly determine whether the detected PE and code are malignant, the injection detection environment according to an embodiment of the present invention may include PE detected in the
Meanwhile, in the injection detection environment according to the embodiment of the present invention, the PE and code injected for malicious purposes are detected in the process, as described above.
In this way, the PE and code injected into the process create a thread that uses the injected memory area as its start address, and carry out the malicious behavior by running the created thread.
However, the injected PE and code have the property that they do not exist as a file. As a result, an AV engine that judges malicious code on the basis of an existing file cannot detect such malicious PE or code.
Accordingly, an embodiment of the present invention proposes a new method for detecting malicious PEs or code injected directly into a process. Hereinafter, the structure of the
FIG. 2 is a view showing a schematic configuration of an
2, the
In addition to the above-described configuration, the
All or at least a part of the configuration of the
As a result, the
In the meantime, the
Hereinafter, for convenience of description, a first embodiment, which determines whether an in-memory injection suspicious area is malicious, and a second embodiment, which determines whether an injection suspicious thread is malicious, will be described separately.
First, referring to FIG. 3, the first embodiment, which determines whether an in-memory injection suspicious area is malicious, will be described.
Here, FIG. 3 shows a memory map of a process related to the first embodiment of the present invention.
The
More specifically, the
In this regard, the
Here, the memory start address of the
When the memory start address of each of the
In this regard, the
Here, it can be seen that the memory area of
The
At this time, the memory start address of the thread 2 is 0x54, and it belongs to the address area of the
The
Here, the memory area of the
The
More specifically, when the injection suspicious region is confirmed, the
In other words, the
For this, the generating
Next, referring to FIG. 4, the second embodiment, which determines whether an injection suspicious thread is malicious, will be described.
Here, FIG. 4 shows a memory map of a process related to the second embodiment of the present invention.
However, in the memory map of the process related to the second embodiment, the memory start address of each thread operating in association with the process belongs to the memory area of a normal module.
The memory start address of each thread operating in relation to the process belongs to the memory area of a normal module in this way when the injector executes its program, unmaps the original memory area of the module, and then writes into that same area.
As a result, in the second embodiment of the present invention, when the memory start address of each thread operating in relation to the process belongs to the memory area of a normal module, an approach different from that of the first embodiment is taken, as follows.
The
More specifically, the
In this regard, the
Here, the memory start address of the
When the memory start address of each of the
In this regard, the
Here, it can be seen that the memory area of
On the other hand, the
Here, if it is a normal PE, the memory type of the corresponding address area has the MEM_IMAGE type.
The
At this time, the
The
More specifically, when the injection suspicious thread is identified, the
In other words, the
The
If the memory start address of the injection suspicious thread does not belong to the address range of a PE, the address area of the injection suspicious thread may be regarded as not being an injected malicious PE.
Accordingly, the
Here, it can be seen that the base address of the
As a result, the generating
If the base address of
As described above, different from the
Hereinafter, an operation flow in the
5, a description will be made of an operation flow in the case where the
First, the
At this time, the
Next, the
At this time, the
The
At this time, the memory start address of the thread 2 is 0x54, and it belongs to the address area of the
The
Here, the memory area of the
If the injection suspicious region is a PE, the
In other words, the
Thereafter, the
6, an operation flow according to the second embodiment for determining whether the
First, the
At this time, the
In addition, the
At this time, the
In this regard, the
Here, if it is a normal PE, the memory type of the corresponding address area has the MEM_IMAGE type.
The
At this time, the
Then, the
At this time, the
As a result, the generating
On the other hand, if the base address of
As described above, according to the operation flow of the
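The two checks described in the first and second embodiments above, and the PE-header test that gates PE file generation, as an added worked example that is not the patent's own code. The memory map, module ranges, thread start addresses and leading bytes are all constructed for illustration; a real implementation would obtain them from the operating system's thread and memory enumeration facilities, and MEM_IMAGE/MEM_PRIVATE are used here as the memory type labels the text refers to.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MEM_IMAGE = "MEM_IMAGE"      # region backed by a mapped image, i.e. a normally loaded PE
MEM_PRIVATE = "MEM_PRIVATE"  # privately allocated region, typical of injected memory

@dataclass
class Module:  # a normal module loaded in the process: name and address range
    name: str
    base: int
    size: int

@dataclass
class Region:  # a memory region: base, size, memory type and constructed leading bytes
    base: int
    size: int
    mem_type: str
    head: bytes

@dataclass
class Thread:  # a thread of the process and its memory start address
    tid: int
    start_address: int

def _contains(base: int, size: int, addr: int) -> bool:
    return base <= addr < base + size

def in_normal_module(modules: List[Module], addr: int) -> bool:
    return any(_contains(m.base, m.size, addr) for m in modules)

def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    return next((r for r in regions if _contains(r.base, r.size, addr)), None)

def suspicious_areas(modules, regions, threads) -> List[Tuple[int, Region]]:
    """First embodiment: a thread whose start address lies outside every normal
    module marks the region holding that address as an injection suspicious area."""
    hits = []
    for t in threads:
        if not in_normal_module(modules, t.start_address):
            region = find_region(regions, t.start_address)
            if region is not None:
                hits.append((t.tid, region))
    return hits

def suspicious_threads(modules, regions, threads) -> List[Tuple[int, Region]]:
    """Second embodiment: the start address lies inside a normal module's range,
    but the memory type there is not MEM_IMAGE (the module's original mapping was
    unmapped and rewritten), so the thread is an injection suspicious thread."""
    hits = []
    for t in threads:
        if in_normal_module(modules, t.start_address):
            region = find_region(regions, t.start_address)
            if region is not None and region.mem_type != MEM_IMAGE:
                hits.append((t.tid, region))
    return hits

def is_pe_header(head: bytes) -> bool:
    return head[:2] == b"MZ"  # a PE image begins with the DOS 'MZ' signature

def pe_dump_candidates(hits: List[Tuple[int, Region]]) -> Dict[int, int]:
    """Generate a PE file (here: record tid -> region base) only when the region's
    base address is a PE header; other hits are injected code, not an injected PE."""
    return {tid: r.base for tid, r in hits if is_pe_header(r.head)}

# Constructed memory map (not from the patent): two intact modules, one module
# whose range was unmapped and rewritten, and two privately allocated regions.
MODULES = [Module("main.exe", 0x1000, 0x1000), Module("lib.dll", 0x5000, 0x1000),
           Module("hollowed.dll", 0x7000, 0x1000)]
REGIONS = [Region(0x1000, 0x1000, MEM_IMAGE, b"MZ\x90\x00"),
           Region(0x3000, 0x1000, MEM_PRIVATE, b"MZ\x90\x00"),   # injected PE
           Region(0x4000, 0x1000, MEM_PRIVATE, b"\x90\x90\xcc"),  # injected code
           Region(0x5000, 0x1000, MEM_IMAGE, b"MZ\x90\x00"),
           Region(0x7000, 0x1000, MEM_PRIVATE, b"MZ\x90\x00")]   # rewritten module
THREADS = [Thread(1, 0x1200), Thread(2, 0x3000), Thread(3, 0x4010), Thread(4, 0x7100)]
```

Thread 1 is clean, threads 2 and 3 trigger the first check (only thread 2 yields a PE to dump), and thread 4 passes the module-range check but fails the memory-type check, so only the second embodiment catches it.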
Meanwhile, the steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, or may be embodied in a computer-readable medium in the form of program instructions that can be executed by various computer means. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the present invention, or may be those known and available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media such as floptical disks; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments; on the contrary, it will be understood by those skilled in the art that various changes and modifications can be made without departing from the scope of the present invention.
According to the injection detection method of the present invention and the apparatus to which it is applied, malicious PE (Portable Executable) and code injected directly into a process can be detected. The invention is therefore industrially applicable: beyond the mere use of the existing technique, the applicable device can be commercialized or operated, and the invention can clearly be carried out in practice.
100: Injection detector
110: Verification unit 120: Generation unit
130:
Claims (13)
And a generation unit generating a PE file related to the injection suspicious region or the suspicious injection thread, and determining whether the PE file is malicious or not.
The checking unit,
Wherein the injection suspicious region is identified based on whether a memory start address of each of the threads belongs to a memory address region of a normal module loaded in memory in association with the process.
The checking unit,
Wherein if there is a specific thread whose memory start address does not belong to the memory address area of the normal module, an area corresponding to the memory address area of the specific thread is identified as the injection suspicious area.
The checking unit,
If the memory type corresponding to the memory start address of the thread is different from the specific memory type related to the PE, the specific thread is identified as the injection suspicious thread.
Wherein the generation unit comprises:
And generates the PE file associated with the suspicious injection thread only when the base address of the suspicious injection thread is a PE header.
The injection detection device comprises:
Further comprising a determination unit for determining whether the PE file is malicious through static or dynamic analysis of the PE file.
And generating a PE file related to the injection suspicious area or the suspicious injection thread so as to judge whether the PE file is malicious or not.
Wherein,
Wherein the injection suspicious region is identified based on whether a memory start address of each of the threads belongs to a memory address region of a normal module loaded in memory in association with the process.
Wherein,
Wherein if there is a specific thread whose memory start address does not belong to the memory address area of the normal module, an area corresponding to the memory address area of the specific thread is identified as the injection suspicious area.
Wherein,
And if the memory type corresponding to the memory start address of the thread is different from the specific memory type associated with the PE, the specific thread is identified as the suspicious injection thread.
Wherein the generating comprises:
And generates the PE file associated with the suspicious injection thread only when the base address of the suspicious injection thread is a PE header.
The method comprises:
Further comprising the step of determining whether the PE file is malicious through static or dynamic analysis of the PE file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150131029A KR101775602B1 (en) | 2015-09-16 | 2015-09-16 | Detection method for injection, and apparatus applied to the same |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170033115A true KR20170033115A (en) | 2017-03-24 |
KR101775602B1 KR101775602B1 (en) | 2017-09-07 |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20220036063A (en) * | 2020-09-15 | 2022-03-22 | 주식회사 안랩 | System and method to detect injection attack type malicious code |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102170737B1 (en) | 2020-03-30 | 2020-10-27 | 국방과학연구소 | Apparatus and method for tracking malicious threads |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
AMND | Amendment | ||
E601 | Decision to refuse application | ||
AMND | Amendment | ||
X701 | Decision to grant (after re-examination) |