KR20170033115A - Detection method for injection, and apparatus applied to the same - Google Patents


Info

Publication number
KR20170033115A
Authority
KR
South Korea
Prior art keywords
thread
memory
injection
suspicious
area
Prior art date
Application number
KR1020150131029A
Other languages
Korean (ko)
Other versions
KR101775602B1 (en)
Inventor
김주현
송재민
정진성
Original Assignee
주식회사 안랩
Application filed by 주식회사 안랩
Priority to KR1020150131029A
Publication of KR20170033115A
Application granted
Publication of KR101775602B1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to an injection detection method that enables detection of malicious PEs and code injected into a process by identifying the memory start address of each thread associated with the process, or the memory type corresponding to that memory start address, and to an apparatus to which the method is applied.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an injection detection method, and in particular to a method for detecting malicious PE (Portable Executable) files and code injected directly into a process.

Recently, an injection technique that injects PE (Portable Executable) or code into a process for malicious purposes has become an issue.

This injection technique is carried out by injecting PE or code directly into the process, creating a thread whose start address lies in the injected memory area, and running the created thread.

However, PE or code injected into a process does not exist as a file. An existing anti-virus (AV) engine, which judges malicious code on the basis of a file, therefore cannot detect malicious PE or code injected into a process.

Consequently, a method is needed for detecting malicious PEs or code injected directly into a process.

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and it is an object of the present invention to provide a method and apparatus for detecting malicious PEs and code injected into a process.

According to an aspect of the present invention, there is provided an apparatus for detecting an injection in memory, the apparatus comprising: a verification unit for identifying an injection suspicious area in memory based on the memory start address of each thread associated with a process, or for identifying an injection suspicious thread among the threads based on the memory type corresponding to the memory start address; and a generation unit for generating a PE file related to the injection suspicious area or the injection suspicious thread, so that it can be determined whether the PE file is malicious.

More specifically, the verification unit identifies the injection suspicious area based on whether the memory start address of each of the threads belongs to the memory address area of a normal module loaded in memory in association with the process.

More specifically, if there is a specific thread whose memory start address is not included in the memory address area of the normal module, the verification unit determines the area corresponding to the memory address area of that specific thread as the injection suspicious area.

More specifically, if there is a specific thread for which the memory type corresponding to its memory start address is other than the specific memory type associated with a PE, the verification unit identifies that specific thread as the injection suspicious thread.

More specifically, the generation unit generates the PE file associated with the injection suspicious thread only when the base address of the injection suspicious thread is a PE header.

More specifically, the injection detection apparatus may further include a determination unit for determining whether the PE file is malicious through static or dynamic analysis of the PE file.

According to a second aspect of the present invention, there is provided a method of operating an injection detection apparatus, the method comprising: a checking step of identifying an injection suspicious area in memory based on the memory start address of each thread associated with a process, or of identifying an injection suspicious thread among the threads based on the memory type corresponding to the memory start address; and a generating step of generating a PE file related to the injection suspicious area or the injection suspicious thread, so that it can be determined whether the PE file is malicious.

More specifically, the checking step identifies the injection suspicious area based on whether the memory start address of each of the threads belongs to the memory address area of a normal module loaded in memory in association with the process.

More specifically, in the checking step, if there is a specific thread whose memory start address does not belong to the memory address area of the normal module, the area corresponding to the memory address area of that specific thread is determined as the injection suspicious area.

More specifically, in the checking step, if there is a specific thread for which the memory type corresponding to its memory start address is other than the specific memory type associated with a PE, that specific thread is identified as the injection suspicious thread.

More specifically, the generating step generates the PE file associated with the injection suspicious thread only when the base address of the injection suspicious thread is a PE header.

More specifically, the method may further include determining whether the PE file is malicious through static or dynamic analysis of the PE file.

The injection detection method according to the present invention, and the apparatus to which it is applied, therefore have the effect of enabling detection of malicious PE and code injected into a process, through a method of identifying the memory start address of each thread associated with the process, or the memory type corresponding to that memory start address.

FIG. 1 is an illustration of an injection detection environment in accordance with an embodiment of the present invention.
FIG. 2 is a schematic configuration diagram of an injection detection apparatus according to an embodiment of the present invention.
FIGS. 3 and 4 illustrate memory maps in accordance with one embodiment of the present invention.
FIGS. 5 and 6 are flowcharts illustrating an operation flow in an injection detection apparatus according to an embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no intervening elements.

The terminology used in this application is used only to describe specific embodiments and is not intended to limit the invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, terms such as "comprises" or "having" are used to specify the presence of a stated feature, number, step, operation, element, component, or combination thereof, but do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the related art, and are not to be interpreted in an idealized or overly formal sense in the present application.

Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.

FIG. 1 shows an injection detection environment according to an embodiment of the present invention.

As shown in FIG. 1, an injection detection environment according to an embodiment of the present invention may include a client terminal 10 and an injection detection apparatus 100 for detecting PE and code injected into a process.

The client terminal 10 may be network equipment on which the process runs, or personal equipment such as a PC, a notebook, a smartphone, a tablet PC, or a PDA; all of these may be included.

The injection detection apparatus 100 refers to a device for detecting PE and code maliciously injected into a process executed in the client terminal 10.

The injection detection apparatus 100 may be installed in the client terminal 10 or take the form of a separate device (e.g., a server). In the embodiment of the present invention, it is assumed that the injection detection apparatus 100 is installed in the client terminal 10.

In addition, the injection detection apparatus 100 can be implemented so that, when a PE and a code injected into a process are detected, it is possible to directly determine whether or not the detected PE and code are malicious.

If it is not possible to directly determine whether the detected PE and code are malicious, the injection detection environment according to an embodiment of the present invention may further include a judgment server 200 (e.g., ASD) for judging whether the PE and code detected by the injection detection apparatus 100 are malicious.

Meanwhile, in the injection detection environment according to the embodiment of the present invention, as described above, the PE and the code injected for malicious purposes are detected in the process.

In this way, the PE and code injected into the process create a thread that uses the injected memory area as the start address, and execute the malicious behavior through a method of driving the generated thread.

However, injected PE and code have the attribute of not existing as a file. As a result, an AV engine that judges malicious code based on an existing file cannot detect such malicious PE or code.

Accordingly, in an embodiment of the present invention, a new method for detecting malicious PEs or codes directly injected into a process is proposed. Hereinafter, the structure of the injection detection device 100 will be described in detail.

FIG. 2 is a view showing a schematic configuration of an injection detection apparatus 100 according to an embodiment of the present invention.

Referring to FIG. 2, the injection detection apparatus 100 according to an exemplary embodiment of the present invention includes a verification unit 110 for identifying an in-memory injection suspicious area or an injection suspicious thread, and a generation unit 120 for generating a PE file related to the injection suspicious area or the injection suspicious thread, so that it can be determined whether the file is malicious.

In addition to the above-described configuration, the injection detection apparatus 100 according to an embodiment of the present invention may further include a determination unit 130 for determining, through dynamic and static analysis of the PE file, whether the injection suspicious area or the injection suspicious thread is malicious.

All or at least part of the configuration of the injection detection apparatus 100, including the verification unit 110, the generation unit 120 and the determination unit 130, may be implemented in the form of software modules driven by an engine or an application installed in the client terminal 10.

As a result, the injection detection apparatus 100 according to an embodiment of the present invention determines maliciousness by checking in-memory injection suspicious areas or injection suspicious threads through the above configuration. Hereinafter, each component of the injection detection apparatus 100 will be described in detail.

In the meantime, the injection detection apparatus 100 according to an embodiment of the present invention identifies an in-memory injection suspicious region or an injection suspicious thread as described above, and determines maliciousness for each of them.

Hereinafter, for convenience of description, a first embodiment, in which it is determined whether an in-memory injection suspicious area is malicious, and a second embodiment, in which it is determined whether an injection suspicious thread is malicious, will be described separately.

First, referring to FIG. 3, the first embodiment, in which it is determined whether an in-memory injection suspicious area is malicious, will be described.

Here, FIG. 3 shows a memory map of a process related to the first embodiment of the present invention.

The verification unit 110 performs a function of checking an in-memory injection suspicious area.

More specifically, the verification unit 110 identifies an in-memory injection suspect area based on the memory start address of each thread associated with the process.

In this regard, the verification unit 110 checks the memory start address of each of threads 1 and 2, which operate in association with the process, from the process memory map of FIG. 3. The memory start address identified for each of threads 1 and 2 is shown in [Table 1] below.

[Table 1]
Thread     Memory start address
Thread 1   0x14
Thread 2   0x54

Here, the memory start address of the thread 1 is 0x14, and the memory start address of the thread 2 is identified as 0x54.

Having checked the memory start address of each of thread 1 and thread 2 operating in relation to the process from the process memory map, the verification unit 110 confirms whether the memory start address of each of thread 1 and thread 2 belongs to the memory address area (band) of a normal module.

In this regard, the verification unit 110 checks the respective memory areas of modules 1, 2 and 3, which are modules (normal modules) normally loaded into memory in association with the process, from the process memory map of FIG. 3. The memory areas identified for module 1, module 2 and module 3 are as shown in [Table 2] below.

[Table 2]
Module (normal module)   Memory start address   Memory size
Module 1                 0x50                   0x10
Module 2                 0x70                   0x20
Module 3                 0x100                  0x20

Here, it can be seen that the memory area of module 1 is 0x50 to 0x60, the memory area of module 2 is 0x70 to 0x90, and the memory area of module 3 is 0x100 to 0x120.

The verification unit 110 confirms whether the memory start addresses of threads 1 and 2 belong to the memory areas of modules 1, 2 and 3 loaded in memory, and if a thread whose memory start address does not belong to the memory areas of modules 1, 2 and 3 is identified, the address area of that thread is identified as an injection suspicious area.

At this time, the memory start address of thread 2 is 0x54, which belongs to the address area of normal module 1, whereas the memory start address of thread 1 is 0x14, which is found not to belong to the address areas of normal modules 1 to 3.

The verification unit 110 checks the address area of thread 1, which does not belong to the address areas of normal modules 1 to 3, as shown in [Table 3] below, and confirms the identified address area of thread 1 as an injection suspicious area, in which injection of a PE or code is suspected.

[Table 3]
Module                   Memory start address   Memory size
Injected PE (Thread 1)   0x10                   0x10

Here, the memory area of thread 1 is 0x10 to 0x20, and it can be seen that the memory area of thread 1 has been confirmed as the injection suspicious area, in which injection of a PE or code is suspected.

The generation unit 120 generates a PE file for an injection suspicious region.

More specifically, when the injection suspicious area is confirmed, the generation unit 120 generates a PE file for the confirmed injection suspicious area, so that the determination unit 130 can determine whether the injection suspicious area is malicious.

In other words, the generation unit 120 generates an injection suspicious area as a PE file, so that it can detect malicious PEs and codes injected into the process using an AV engine that judges a malicious code based on an existing file.

For this purpose, if the injection suspicious area confirmed by the verification unit 110 is a PE, the generation unit 120 generates the PE file directly from the injection suspicious area; if the injection suspicious area is not a PE, it converts the area into PE form and generates a PE file from it.

Next, referring to FIG. 4, the second embodiment, in which it is determined whether an injection suspicious thread is malicious, will be described.

Here, FIG. 4 shows a memory map of a process related to the second embodiment of the present invention.

However, in the memory map of the process related to the second embodiment, the memory start address of each thread operating in association with the process belongs to the memory area of the normal module.

The memory start address of each thread operating in relation to the process can belong to the memory area of a normal module in this way if the injector executes its program, then unmaps the original memory area and writes back into that area.

Accordingly, in the second embodiment of the present invention, unlike the first embodiment, the case in which the memory start address of each thread operating in relation to the process belongs to the memory area of a normal module is handled as follows.

The verification unit 110 performs a function of checking an in-memory injection suspicious area.

More specifically, the verification unit 110 identifies an injection suspicious thread based on the memory type corresponding to the memory start address of each thread associated with the process.

In this regard, the verification unit 110 checks the memory start address of each of threads 1 and 2 operating in relation to the process from the process memory map of FIG. 4. The memory start address identified for each of threads 1 and 2 is shown in [Table 4] below.

[Table 4]
Thread     Memory start address
Thread 1   0x54
Thread 2   0x80

Here, the memory start address of the thread 1 is 0x54, and the memory start address of the thread 2 is identified as 0x80.

Having checked the memory start address of each of thread 1 and thread 2 operating in relation to the process from the process memory map, the verification unit 110 confirms whether the memory start address of each of thread 1 and thread 2 belongs to the memory address area (band) of a normal module.

In this regard, the verification unit 110 checks the respective memory areas of modules 1, 2 and 3, which are modules (normal modules) normally loaded into memory in association with the process, from the process memory map of FIG. 3. The memory areas identified for module 1, module 2 and module 3 are as shown in [Table 5] below.

[Table 5]
Module (normal module)   Memory start address   Memory size
Module 1                 0x50                   0x10
Module 2                 0x70                   0x20
Module 3                 0x100                  0x20

Here, it can be seen that the memory area of module 1 is 0x50 to 0x60, the memory area of module 2 is 0x70 to 0x90, and the memory area of module 3 is 0x100 to 0x120.

On the other hand, the verification unit 110 can confirm that the memory start addresses of threads 1 and 2 belong to the memory areas of modules 1, 2 and 3 loaded in memory, respectively. In this case, the verification unit 110 checks whether the memory type corresponding to the memory start address of each of thread 1 and thread 2 is 'MEM_IMAGE', the memory type associated with a PE.

Here, if it is a normal PE, the memory type of the corresponding address area has the MEM_IMAGE type.

The verification unit 110 checks whether the memory type corresponding to the memory start address of each of thread 1 and thread 2 is MEM_IMAGE, and thereby checks whether each of thread 1 and thread 2 operates in a normal PE area.

At this time, the verification unit 110 can confirm that the memory type corresponding to the memory start address of the thread 1 is not MEM_IMAGE. In this case, the verification unit 110 can confirm the thread 1 as an injection suspicious thread.

The generation unit 120 generates a PE file for an injection suspicious region.

More specifically, when the injection suspicious thread is identified, the generation unit 120 generates a PE file for the identified injection suspicious thread, so that the determination unit 130 can determine whether the area in which the injection suspicious thread operates is malicious.

In other words, the generation unit 120 generates an injection suspicious area as a PE file, so that it can detect malicious PEs and codes injected into the process using an AV engine that judges a malicious code based on an existing file.

The generation unit 120 must check whether the memory start address of the injection suspicious thread belongs to the address area of the PE before generating the PE file for the injection suspicious thread.

If the memory start address of the suspicious injected thread does not belong to the address range of the PE, then the address area of the suspected injected thread may be regarded as not being an injected malicious PE.

Accordingly, the generation unit 120 checks the base address of thread 1, the injection suspicious thread, as shown in [Table 6] below, and checks whether the confirmed base address is a PE header (PE format).

[Table 6]
Thread     Base address
Thread 1   0x50

Here, it can be seen that the base address of thread 1 is identified as 0x50, and that it is a PE header.

As a result, the generation unit 120 generates the address area in which thread 1 operates as a PE file only when the base address of thread 1, the injection suspicious thread, is a PE header (PE format), and the determination unit 130 can determine, through static and dynamic analysis of the generated PE file, whether the address area in which thread 1 operates is malicious.

If the base address of thread 1, the suspected injection thread, is not the PE header (PE format), then the address space in which thread 1 operates may be considered not to be an injected malicious PE.
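The two checks described in the first and second embodiments above (thread start address outside every normal module; start address inside a module whose backing region is no longer MEM_IMAGE, followed by the PE-header check on the base address), run over the memory maps of FIG. 3 and FIG. 4, as an added example that is not part of the patent or of AhnLab's code. The region layouts, the region's first bytes and the use of the Windows MEM_IMAGE/MEM_PRIVATE values are assumptions constructed for the example; generating the PE file itself is not shown.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Memory types as Windows reports them in MEMORY_BASIC_INFORMATION.Type:
# a mapped executable image is MEM_IMAGE, memory an injector allocates
# with VirtualAlloc is MEM_PRIVATE.
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000


@dataclass
class Module:            # a normal module loaded into the process (Tables 2 and 5)
    name: str
    start: int
    size: int


@dataclass
class Region:            # a committed region: its type plus its first bytes (constructed)
    start: int
    size: int
    mem_type: int
    head: bytes


@dataclass
class Thread:            # a thread: its start address and the base of its region
    name: str
    start_address: int
    base_address: int


def containing(addr: int, items):
    """Return the module/region whose [start, start+size) holds addr, or None."""
    return next((x for x in items if x.start <= addr < x.start + x.size), None)


def is_pe_header(region: Optional[Region]) -> bool:
    """A PE image starts with the DOS 'MZ' signature."""
    return region is not None and region.head[:2] == b"MZ"


def find_suspicious_regions(threads, modules, regions) -> List[Tuple[str, int, int]]:
    """First embodiment: a thread whose start address lies in no normal module
    marks the region it runs in as an injection suspicious area (Table 3)."""
    found = []
    for t in threads:
        if containing(t.start_address, modules) is None:
            r = containing(t.start_address, regions)
            # fall back to the bare start address if nothing is mapped there
            found.append((t.name, r.start if r else t.start_address, r.size if r else 0))
    return found


def find_suspicious_threads(threads, modules, regions) -> List[str]:
    """Second embodiment: the start address lies inside a normal module but the
    backing region is not MEM_IMAGE (the module was unmapped and rewritten)."""
    found = []
    for t in threads:
        if containing(t.start_address, modules) is None:
            continue  # caught by the first embodiment instead
        r = containing(t.start_address, regions)
        if r is None or r.mem_type != MEM_IMAGE:
            found.append(t.name)
    return found


def should_generate_pe(thread: Thread, regions) -> bool:
    """Dump a suspicious thread's area as a PE file only if its base address
    holds a PE header; otherwise it is not treated as an injected PE (Table 6)."""
    return is_pe_header(containing(thread.base_address, regions))


# Normal modules shared by both memory maps (Tables 2 and 5).
MODULES = [Module("Module 1", 0x50, 0x10), Module("Module 2", 0x70, 0x20),
           Module("Module 3", 0x100, 0x20)]
MZ = b"MZ\x90\x00"  # constructed stand-in for the first bytes of a PE header


def fig3_case():
    """FIG. 3: thread 1 starts at 0x14, in a private region outside every module."""
    regions = [Region(0x10, 0x10, MEM_PRIVATE, MZ), Region(0x50, 0x10, MEM_IMAGE, MZ),
               Region(0x70, 0x20, MEM_IMAGE, MZ), Region(0x100, 0x20, MEM_IMAGE, MZ)]
    threads = [Thread("Thread 1", 0x14, 0x10), Thread("Thread 2", 0x54, 0x50)]
    return (find_suspicious_regions(threads, MODULES, regions),
            find_suspicious_threads(threads, MODULES, regions))


def fig4_case():
    """FIG. 4: both threads start inside modules, but module 1's region at 0x50 is
    no longer MEM_IMAGE; its base still holds a PE header, so it gets dumped."""
    regions = [Region(0x50, 0x10, MEM_PRIVATE, MZ), Region(0x70, 0x20, MEM_IMAGE, MZ),
               Region(0x100, 0x20, MEM_IMAGE, MZ)]
    threads = [Thread("Thread 1", 0x54, 0x50), Thread("Thread 2", 0x80, 0x70)]
    suspicious = find_suspicious_threads(threads, MODULES, regions)
    dumps = [t.name for t in threads if t.name in suspicious and should_generate_pe(t, regions)]
    return suspicious, dumps
```

On the FIG. 3 map only thread 1 is reported, as a 0x10-byte suspicious area at 0x10; on the FIG. 4 map thread 1 is reported by the memory-type check and passes the PE-header check, while thread 2 is clean under both.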

As described above, the injection detection apparatus 100 according to the present invention achieves the effect of enabling detection of malicious PEs and code injected into a process, through a method of identifying the memory start address of each thread associated with the process, or the memory type corresponding to that memory start address.

Hereinafter, an operation flow in the injection detection apparatus 100 according to an embodiment of the present invention will be described with reference to FIGS. 5 and 6.

Referring first to FIG. 5, the operation flow of the injection detection apparatus 100 according to the embodiment of the present invention in the first embodiment, in which it is determined whether an in-memory injection suspicious area is malicious, will be described.

First, the verification unit 110 checks the memory start address of each of the threads 1 and 2 operating in relation to the process from the process memory map of FIG. 3 (S11).

At this time, the verification unit 110 can confirm that the memory start address of the thread 1 is 0x14 and the memory start address of the thread 2 is 0x54.

Next, the verification unit 110 identifies the respective memory areas of modules 1, 2 and 3, which are modules (normal modules) normally loaded in memory in relation to the process, from the process memory map of FIG. 3 (S12).

At this time, the verification unit 110 can check 0x50 to 0x60 in the memory area of the module 1, 0x70 to 0x90 in the memory area of the module 2, and 0x100 to 0x120 in the memory area of the module 3.

The verification unit 110 then checks whether the memory start address of each of threads 1 and 2 belongs to the memory area of each of modules 1, 2 and 3 loaded in memory, and if a thread whose memory start address does not belong to the memory areas of modules 1, 2 and 3 is identified, the address area of that thread is identified as an injection suspicious area (S13).

At this time, the memory start address of thread 2 is 0x54, which belongs to the address area of normal module 1, whereas the memory start address of thread 1 is 0x14, which is found not to belong to the address areas of normal modules 1 to 3.

The verification unit 110 checks the address area of thread 1, which does not belong to the address areas of normal modules 1 to 3, and confirms the identified address area of thread 1 as an injection suspicious area, in which injection of a PE or code is suspected.

Here, the memory area of thread 1 is 0x10 to 0x20, and the memory area of thread 1 can be identified as the injection suspicious area, in which injection of a PE or code is suspected.

If the injection suspicious area is a PE, the generation unit 120 generates a PE file from the injection suspicious area as it is. If the injection suspicious area is not a PE, the generation unit 120 converts the injection suspicious area into PE form and generates a PE file (S14-S16).

In other words, the generation unit 120 generates an injection suspicious area as a PE file, so that it can detect malicious PEs and codes injected into the process using an AV engine that judges a malicious code based on an existing file.

Thereafter, the determination unit 130 determines whether the injection suspicious region is malicious through static and dynamic analysis of the generated PE file (S17).

Referring to FIG. 6, the operation flow of the injection detection apparatus 100 according to an embodiment of the present invention in the second embodiment, in which it is determined whether an injection suspicious thread is malicious, will be described.

First, the verification unit 110 checks the memory start address of each of the threads 1 and 2 operating in relation to the process from the process memory map of FIG. 4 (S21).

At this time, the verification unit 110 can confirm that the memory start address of the thread 1 is 0x54 and the memory start address of the thread 2 is 0x80.

In addition, the verification unit 110 identifies the respective memory areas of modules 1, 2, and 3 that are modules (normal modules) normally loaded into memory in association with the process from the process memory map of FIG.

At this time, the verification unit 110 can check 0x50 to 0x60 in the memory area of the module 1, 0x70 to 0x90 in the memory area of the module 2, and 0x100 to 0x120 in the memory area of the module 3.

In this regard, the verification unit 110 can confirm that the memory start addresses of threads 1 and 2 belong to the memory areas of modules 1, 2 and 3 loaded in memory, respectively. In this case, the verification unit 110 checks whether the memory type corresponding to the memory start address of each of thread 1 and thread 2 is 'MEM_IMAGE', the memory type associated with a PE (S22).

Here, if it is a normal PE, the memory type of the corresponding address area has the MEM_IMAGE type.

The verification unit 110 checks whether the memory type corresponding to the memory start address of each of thread 1 and thread 2 is MEM_IMAGE, and thereby checks whether each of thread 1 and thread 2 operates in a normal PE area.

At this time, the verification unit 110 can confirm that the memory type corresponding to the memory start address of the thread 1 is not MEM_IMAGE. In this case, the verification unit 110 can confirm the thread 1 as an injection suspicious thread.

Then, the generation unit 120 checks the base address of the thread 1, which is an injection suspicious thread, and checks whether the base address is the PE header (PE format) (S23-S24).

At this time, the generator 120 can confirm that the base address of the thread 1 is 0x50, and that the confirmed base address is the PE header.

As a result, the generation unit 120 generates the address area in which thread 1 operates as a PE file only when the base address of thread 1, the injection suspicious thread, is a PE header (PE format), and the determination unit 130 determines, through static and dynamic analysis of the generated PE file, whether the address area in which thread 1 operates is malicious (S25-S26).

On the other hand, if the base address of thread 1, which is an injection suspect thread, is not the PE header (PE format), then the address region in which thread 1 operates may be considered not to be an injected malicious PE.

As described above, the operation flow of the injection detection apparatus 100 according to the present invention achieves the effect of enabling detection of malicious PEs and code injected into a process, through a method of identifying the memory start address of each thread associated with the process, or the memory type corresponding to that memory start address.

Meanwhile, the steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, or may be embodied in a computer-readable medium in the form of program instructions that can be carried out through various computer means. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the present invention or may be known and available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, the invention is not limited to the disclosed exemplary embodiments; on the contrary, it will be understood by those skilled in the art that various changes and modifications can be made without departing from the scope of the present invention.

According to the injection detection method of the present invention and the apparatus to which it is applied, it is possible to detect malicious PE (Portable Executable) files and code injected directly into a process. The invention is therefore industrially applicable: beyond its use, the applicable device can be commercialized or operated, and the invention can clearly be carried out in practice.

100: Injection detection apparatus
110: Confirmation unit
120: Generation unit
130: Determination unit

Claims (13)

1. An injection detection device comprising:
a confirmation unit for identifying an injection suspicious area in memory based on a memory start address of each thread associated with a process, or an injection suspicious thread among the threads based on a memory type corresponding to the memory start address; and
a generation unit for generating a PE file related to the injection suspicious area or the injection suspicious thread, so that whether the PE file is malicious can be determined.
2. The device according to claim 1, wherein the confirmation unit identifies the injection suspicious area based on whether the memory start address of each of the threads belongs to a memory address area of a normal module loaded in memory in association with the process.
3. The device according to claim 2, wherein, if the memory start address of a specific thread does not belong to the memory address area of the normal module, the confirmation unit identifies an area corresponding to the memory address area of the specific thread as the injection suspicious area.
4. The device according to claim 1, wherein, if the memory type corresponding to the memory start address of a specific thread differs from the specific memory type related to a PE, the confirmation unit identifies the specific thread as the injection suspicious thread.
5. The device according to claim 1, wherein the generation unit generates the PE file associated with the injection suspicious thread only when the base address of the injection suspicious thread is a PE header.
6. The device according to claim 1, further comprising a determination unit for determining whether the PE file is malicious through static or dynamic analysis of the PE file.
7. A method of operating an injection detection device, the method comprising:
identifying an injection suspicious area in memory based on a memory start address of each thread associated with a process, or identifying an injection suspicious thread among the threads based on a memory type corresponding to the memory start address; and
generating a PE file related to the injection suspicious area or the injection suspicious thread, so that whether the PE file is malicious can be determined.
8. The method according to claim 7, wherein the identifying identifies the injection suspicious area based on whether the memory start address of each of the threads belongs to a memory address area of a normal module loaded in memory in association with the process.
9. The method according to claim 8, wherein, if the memory start address of a specific thread does not belong to the memory address area of the normal module, the identifying identifies an area corresponding to the memory address area of the specific thread as the injection suspicious area.
10. The method according to claim 7, wherein, if the memory type corresponding to the memory start address of a specific thread differs from the specific memory type associated with a PE, the identifying identifies the specific thread as the injection suspicious thread.
11. The method according to claim 7, wherein the generating generates the PE file associated with the injection suspicious thread only when the base address of the injection suspicious thread is a PE header.
12. The method according to claim 7, further comprising determining whether the PE file is malicious through static or dynamic analysis of the PE file.
13. A computer-readable recording medium recording a program for performing the method of any one of claims 7 to 12.
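To make the claimed checks concrete, the following is an added, constructed example; it is not part of the patent and not AhnLab's code. It models a process snapshot with made-up Python data (a loaded-module list, a memory-region map carrying Windows memory types, thread start addresses, and a minimal constructed PE image; all of these values are assumptions), then applies the module-range check of claims 2-3, the memory-type check of claim 4, and the PE-header precondition of claim 5 before handing a region's bytes over as the PE file that claim 6 would analyse. Only the MEM_IMAGE and MEM_PRIVATE constants are real Windows values.

```python
"""Injection triage modelled on the patent's claims (constructed example, not AhnLab's code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Real Windows MEMORY_BASIC_INFORMATION.Type values; a loader-mapped PE is MEM_IMAGE.
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000


@dataclass
class Module:
    """A module the loader mapped into the process (the 'normal module' of claim 2)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Region:
    """One committed memory region plus a snapshot of its bytes (constructed)."""
    base: int
    size: int
    mem_type: int
    data: bytes


@dataclass
class Thread:
    tid: int
    start_address: int


def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def outside_loaded_modules(t: Thread, modules: List[Module]) -> bool:
    """Claims 2-3: a start address that no loaded module covers marks its area as suspicious."""
    return not any(m.contains(t.start_address) for m in modules)


def non_image_memory(t: Thread, regions: List[Region]) -> bool:
    """Claim 4: the memory type at the start address differs from what a loaded PE has."""
    r = find_region(regions, t.start_address)
    return r is not None and r.mem_type != MEM_IMAGE


def has_pe_header(data: bytes) -> bool:
    """Claim 5 precondition: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(threads: List[Thread], modules: List[Module], regions: List[Region]):
    """One finding per suspicious thread; 'pe_file' holds the region bytes only when the
    region base carries a PE header, otherwise None (nothing to hand to analysis)."""
    findings = []
    for t in threads:
        reasons = []
        if outside_loaded_modules(t, modules):
            reasons.append("outside_loaded_modules")
        if non_image_memory(t, regions):
            reasons.append("non_image_memory")
        if not reasons:
            continue
        region = find_region(regions, t.start_address)
        pe_file = region.data if region and has_pe_header(region.data) else None
        findings.append({"tid": t.tid, "reasons": reasons,
                         "region_base": region.base if region else None,
                         "pe_file": pe_file})
    return findings


def build_fake_pe_image(size: int = 0x1000) -> bytes:
    """Constructed minimal image: 'MZ' stub, e_lfanew -> 0x80, 'PE\\0\\0' at 0x80."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


FAKE_PE = build_fake_pe_image()

# Constructed process snapshot: every address, size and name below is a sample value.
SAMPLE_MODULES = [Module("main.exe", 0x400000, 0x20000),
                  Module("kernel32.dll", 0x7FF800000000, 0x100000)]
SAMPLE_REGIONS = [
    Region(0x400000, 0x20000, MEM_IMAGE, b"\0" * 0x100),          # main.exe image
    Region(0x7FF800000000, 0x100000, MEM_IMAGE, b"\0" * 0x100),   # kernel32 image
    Region(0x10000000, 0x1000, MEM_PRIVATE, FAKE_PE),             # injected PE, private memory
    Region(0x20000000, 0x1000, MEM_PRIVATE, b"\x90" * 0x1000),    # injected code, no PE header
]
SAMPLE_THREADS = [Thread(100, 0x401000),     # normal thread inside main.exe
                  Thread(101, 0x10000100),   # starts inside the injected PE
                  Thread(102, 0x20000000)]   # starts at raw injected code

if __name__ == "__main__":
    for f in triage(SAMPLE_THREADS, SAMPLE_MODULES, SAMPLE_REGIONS):
        print(f["tid"], f["reasons"], hex(f["region_base"]),
              "PE file generated" if f["pe_file"] else "no PE header at region base")
```

On a live Windows host the same three inputs come from the thread start address, the process module list, and the Type field that VirtualQueryEx reports for the region; the example uses a static snapshot instead so that it runs offline, and the two-way split in the output (a PE file for thread 101, nothing for thread 102) is exactly the branch the description takes when the base address is or is not a PE header.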
Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150131029A KR101775602B1 (en) 2015-09-16 2015-09-16 Detection method for injection, and apparatus applied to the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150131029A KR101775602B1 (en) 2015-09-16 2015-09-16 Detection method for injection, and apparatus applied to the same

Publications (2)

Publication Number Publication Date
KR20170033115A true KR20170033115A (en) 2017-03-24
KR101775602B1 KR101775602B1 (en) 2017-09-07

Family

ID=58500527

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150131029A KR101775602B1 (en) 2015-09-16 2015-09-16 Detection method for injection, and apparatus applied to the same

Country Status (1)

Country Link
KR (1) KR101775602B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20220036063A (en) * 2020-09-15 2022-03-22 주식회사 안랩 System and method to detect injection attack type malicious code

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102170737B1 (en) 2020-03-30 2020-10-27 국방과학연구소 Apparatus and method for tracking malicious threads

Also Published As

Publication number Publication date
KR101775602B1 (en) 2017-09-07

Similar Documents

Publication Publication Date Title
US10025931B1 (en) Method and system for malware detection
US9185338B2 (en) System and method for fingerprinting video
US10372444B2 (en) Android dynamic loading file extraction method, recording medium and system for performing the method
CN104966053A (en) Face recognition method and recognition system
CN108763951B (en) Data protection method and device
TW201508534A (en) Method of generating distillation malware program, method of detecting malware program and system thereof
US9516056B2 (en) Detecting a malware process
US10121004B2 (en) Apparatus and method for monitoring virtual machine based on hypervisor
WO2016015680A1 (en) Security detection method and security detection apparatus for mobile terminal input window
CN104933352A (en) Weak password detection method and device
KR20170068814A (en) Apparatus and Method for Recognizing Vicious Mobile App
CN104866770B (en) Sensitive data scanning method and system
US20130262090A1 (en) System and method for reducing semantic ambiguity
US9378367B2 (en) Systems and methods for identifying a source of a suspect event
US20140325409A1 (en) Active & Efficient Monitoring of a Graphical User Interface
CN111191243A (en) Vulnerability detection method and device and storage medium
KR101775602B1 (en) Detection method for injection, and apparatus applied to the same
KR101741131B1 (en) Apparatus and method for analysing crash, and computer-readable medium storing program for method thereof
CN105550573B (en) The method and apparatus for intercepting bundled software
EP3108400B1 (en) Virus signature matching method and apparatus
US20170116417A1 (en) Apparatus and method for detecting malicious code
KR102149711B1 (en) An apparatus for detecting and preventing ransom-ware behavior using camouflage process, a method thereof and computer recordable medium storing program to perform the method
CN115408667A (en) Method and system for detecting infringement of application program content
CN106778276B (en) Method and system for detecting malicious codes of entity-free files
KR101562109B1 (en) Forgery verification system by comaparing pixels of a screenshot

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
AMND Amendment
E601 Decision to refuse application
AMND Amendment
X701 Decision to grant (after re-examination)