WO2011002146A2 - System and method for detecting malicious code - Google Patents


Info

Publication number
WO2011002146A2
Authority
WO
WIPO (PCT)
Prior art keywords
driver
malicious code
api
user process
analysis
Application number
PCT/KR2010/002375
Other languages
French (fr)
Korean (ko)
Other versions
WO2011002146A3 (en)
Inventor
김윤동
서성원
연성호
이지남
정영석
한명호
최재영
이재홍
Original Assignee
(주)잉카인터넷
Application filed by (주)잉카인터넷
Publication of WO2011002146A2
Publication of WO2011002146A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring

Definitions

  • The kernel driver analysis unit 13 analyzes whether a malicious code suspect API is included among the API functions used by the inspection target driver.
  • A malicious code suspect API may be an API function related to keyboard input/output or keyboard port access, such as a key logger uses; an API function related to USB input/output; an API function that reads or stores a file; or an API function related to memory manipulation.
  • If a malicious code suspect API is included among the API functions used by the inspection target driver, the kernel driver analysis unit 13 extracts the address information of the memory in which that malicious code suspect API actually resides.
  • A malicious code suspect API may or may not be a malicious code API; the malicious code analysis unit 14 analyzes whether the malicious code suspect API is a malicious code API.
  • The malicious code analysis unit 14 extracts and disassembles a code value of a predetermined number of bytes (the disassembly target bytes) around the memory address of the malicious code suspect API. The disassembly target bytes are set so that the code value to be disassembled includes both the malicious code suspect API and the parameter values it uses. The malicious code analysis unit 14 then analyzes the disassembled malicious code suspect API and its parameter values to check whether the malicious code suspect API accesses a resource to be protected, and thereby judges whether the malicious code suspect API is a malicious code API.
  • A malicious code suspect API related to hardware has the address of a port as a parameter value.
  • For example, when the malicious code suspect API is the ReadPortUChar API, the malicious code analysis unit judges from the disassembled code and its parameter value that the inspection target driver using that malicious code suspect API will attempt to access the keyboard.
  • The disabling processing unit 15 disables an inspection target driver that the malicious code analysis unit 14 has judged to include malicious code.
  • A conventionally known technique may simply be applied to disable the driver.
  • FIG. 2 is an operation flowchart illustrating the malicious code detection method of the malicious code detection system according to an exemplary embodiment of the present invention.
  • The inspection target driver is selected from the driver list (S21).
  • In the embodiment of FIGS. 1 and 2, any kernel driver that contains malicious code is disabled to block its execution. However, even if a kernel driver contains malicious code, the malicious code is not executed unless an actual user level process executes it, so the embodiment of FIGS. 1 and 2 has the problem of blocking every such case. The embodiment of FIG. 3 is a solution to this problem.
  • FIG. 3 is a block diagram illustrating a malicious code detection system according to another embodiment of the present invention.
  • The malware detection system of this embodiment comprises: a kernel driver search unit 31 that selects an arbitrary inspection target driver from the driver list stored in the driver information store 1; a kernel driver conversion unit 32 that converts the inspection target driver into a PE structure to identify the API functions it uses; a kernel driver analysis unit 33 that analyzes whether a malicious code suspect API is included among the API functions used by the inspection target driver; a malicious code analysis unit 34 that disassembles the malicious code suspect API and parameter values used by the inspection target driver to analyze whether the malicious code suspect API is a malicious code API, and stores the driver handle and the malicious code API information of an inspection target driver that uses a malicious code API in a shared memory 2; a user process search unit 35 that uses the driver handle information stored in the shared memory to examine the list of user processes using the inspection target driver; a user process analysis unit 36 that checks whether each user process in the user process list calls the malicious code API; and a disabling processing unit 37 that, for a user process which calls the malicious code API, blocks execution of the malicious code by closing the driver handle of the inspection target driver or terminating the user process.
  • The functions and operations of the kernel driver search unit 31, the kernel driver conversion unit 32 and the kernel driver analysis unit 33 are the same as those of the kernel driver search unit 11, the kernel driver conversion unit 12 and the kernel driver analysis unit 13 of FIG. 1, so their detailed description is omitted here.
  • The malicious code analysis unit 34 extracts and disassembles the code value of the disassembly target bytes around the memory address of the malicious code suspect API, and analyzes the disassembled malicious code suspect API and its parameter values. By checking whether the malicious code suspect API accesses a resource to be protected, it determines whether the malicious code suspect API is a malicious code API. If it determines that the inspection target driver uses a malicious code API, the malicious code analysis unit 34 stores the driver handle of the inspection target driver and the information of the malicious code API in use in the shared memory 2.
  • The user process search unit 35 uses the driver handle information stored in the shared memory to investigate the user processes using the inspection target driver and creates a user process list. Since kernel drivers and user processes are not in a one-to-one relationship, there may be many user processes using the inspection target driver, or none at all.
  • The user process analysis unit 36 analyzes whether a user process in the user process list calls the malicious code API included in the inspection target driver. When a user process calls the malicious code API included in the inspection target driver, the malicious code is executed, so the disabling processing unit 37 disables it so that it cannot be executed. If no user process calls the malicious code API included in the inspection target driver, there is no possibility of the malicious code API being exploited.
  • The disabling processing unit 37 disables the malicious code so that it cannot be executed, by closing the driver handle of the inspection target driver or by terminating the user process.
  • FIG. 4 is a flowchart illustrating the malicious code detection method of a malicious code detection system according to another exemplary embodiment of the present invention.
  • The inspection target driver is selected from the driver list (S41).
  • It is analyzed whether a malicious code suspect API is included among the API functions (S43), and the malicious code suspect API and its parameter values are disassembled (S44).
  • The driver handle of the inspection target driver that uses the malicious code API and the malicious code API in use are stored in the shared memory (S46).
  • The driver handle information is used to examine the list of user processes using the inspection target driver (S47), and it is analyzed whether each such user process calls the malicious code API (S48). Finally, when the analysis of step S48 finds that a user process calls the malicious code API, execution of the malicious code is disabled (S49). This may be achieved by closing the driver handle or by terminating the user process.

Abstract

The present invention relates to a system and method which accurately detect whether or not an arbitrary application program includes malicious code by applying a heuristic technique. A system for detecting malicious code according to the present invention includes a kernel driver searcher that selects a search target driver, a kernel driver converter that checks API functions used by the search target driver, a kernel driver analyzer that analyzes whether or not a suspected malicious code API is included in the API functions used by the search target driver, and a malicious code analyzer that disassembles the suspected malicious code API used by the search target driver and a parameter value to analyze whether or not the suspected malicious code API is a malicious code API.

Description

Malware Detection System and Method
The present invention relates to a malware detection system and method, and more particularly to a system and method for accurately detecting whether an arbitrary application program contains malicious code by applying a heuristic technique.
Recently, threats to information security have concentrated on malicious code (exploit code, malicious code), and such malicious code causes problems across the board, contrary to the goals of information security, which are summed up as confidentiality, integrity and availability. In practical terms, malicious code means any program or executable component produced to inflict psychological or material harm on others. As crackers' skill at producing malicious code grows, so does the security threat.
Methods for analyzing such malicious code include the signature (fingerprint) test, the cyclic redundancy check (CRC) test and the heuristic test.
The signature test is one of the ways a security program diagnoses malicious code, much as a fingerprint is used to tell people apart. That is, the unique strings (patterns) possessed by malicious code are collected and stored in a database, and the security program analyzes malicious code by matching those patterns. The signature test comes in two forms, the sequential string test and the specific string test: the sequential string test is fast but has a low malicious code detection rate, while the specific string test has a high malicious code detection rate but is slow.
Because the signature test detects malicious code by comparing identical string patterns, it cannot detect malicious code whose pattern has been partly modified. Consequently, to raise the malicious code detection rate, a security vendor must re-analyze the malicious code every time its pattern is modified and store the modified pattern in the database, repeating this work each time.
The CRC test is a kind of error detection method for verifying the reliability of data in serial transmission. It has the advantage of a low false-positive rate, but the disadvantage that malicious code cannot be diagnosed if even a single byte of the data is altered.
Therefore, a heuristic technique that improves on the signature test has recently become the main method of malicious code analysis. It is one of the learning-based analysis methods, which learn on their own by analyzing the behavior or the methods of malicious code. That is, malicious virus programs frequently use a distinctive combination of API commands, and the heuristic technique learns these distinctive API command combinations and judges whether a program is malicious code on the basis of its API commands.
However, malicious code and security programs commonly use similar combinations of API commands, so when a heuristic technique is used to judge whether an arbitrary application program contains malicious code, it may falsely detect a security program as malicious code.
Disclosure of Invention
The object of the present invention, devised to solve the above problem, is to provide a system and method that accurately detects whether an arbitrary application program running on a computer system contains malicious code, by detecting and disassembling, in the kernel level domain, the API command patterns used by that application program in order to grasp its behavior pattern.
A malware detection system according to one embodiment of the present invention for achieving the above object is characterized by comprising: a kernel driver search unit that selects an inspection target driver; a kernel driver conversion unit that identifies the API functions used by the inspection target driver; a kernel driver analysis unit that analyzes whether a malicious code suspect API is included among the API functions used by the inspection target driver; and a malicious code analysis unit that disassembles the malicious code suspect API and parameter values used by the inspection target driver to analyze whether the malicious code suspect API is a malicious code API.
In addition, a malware detection method according to one embodiment of the present invention is characterized by comprising: a kernel driver search step of selecting an inspection target driver; a kernel driver conversion step of identifying the API functions used by the inspection target driver; a kernel driver analysis step of analyzing whether a malicious code suspect API is included among the API functions used by the inspection target driver; and a malicious code analysis step of disassembling the malicious code suspect API and parameter values used by the inspection target driver to analyze whether the malicious code suspect API is a malicious code API.
In addition, a malware detection system according to another embodiment of the present invention is characterized by comprising: a kernel driver search unit that selects an inspection target driver; a kernel driver conversion unit that identifies the API functions used by the inspection target driver; a kernel driver analysis unit that analyzes whether a malicious code suspect API is included among the API functions used by the inspection target driver; a malicious code analysis unit that disassembles the malicious code suspect API and parameter values used by the inspection target driver to analyze whether the malicious code suspect API is a malicious code API; a user process search unit that, when the analysis of the malicious code analysis unit finds that the inspection target driver includes the malicious code API, investigates the user processes using the inspection target driver; and a user process analysis unit that analyzes whether those user processes call the malicious code API, thereby detecting whether the malicious code API of the inspection target driver is actually executed.
In addition, a malware detection method according to another embodiment of the present invention is characterized by comprising: a kernel driver search step of selecting an inspection target driver; a kernel driver conversion step of identifying the API functions used by the inspection target driver; a kernel driver analysis step of analyzing whether a malicious code suspect API is included among the API functions used by the inspection target driver; a malicious code analysis step of disassembling the malicious code suspect API and parameter values used by the inspection target driver to analyze whether the malicious code suspect API is a malicious code API; a user process search step of investigating, when the analysis of the malicious code analysis step finds that the inspection target driver includes the malicious code API, the user processes using the inspection target driver; and a user process analysis step of analyzing whether those user processes call the malicious code API, thereby detecting whether the malicious code API of the inspection target driver is actually executed.
As described above, the malicious code detection system and method according to the present invention has the effect of accurately detecting whether an arbitrary application program running on a computer system contains malicious code.
FIG. 1 is a functional block diagram of a malware detection system according to one embodiment of the present invention;
FIG. 2 is an operation flowchart illustrating a malware detection method according to one embodiment of the present invention;
FIG. 3 is a functional block diagram of a malware detection system according to another embodiment of the present invention;
FIG. 4 is an operation flowchart illustrating a malware detection method according to another embodiment of the present invention.
<Brief description of symbols for the main parts of the drawings>
1: driver information store
2: shared memory
11, 31: kernel driver search unit
12, 32: kernel driver conversion unit
13, 33: kernel driver analysis unit
14, 34: malicious code analysis unit
15: disabling processing unit
35: user process search unit
36: user process analysis unit
37: disabling processing unit
Hereinafter, a malicious code detection system and method according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.
When application programs run on a computer system, the driver information store of that computer system holds the names of the kernel-level programs (commonly called kernel drivers) of the running application programs, together with the memory address values that each kernel driver references. Every kernel driver in the driver list stored in this driver information store is a driver under inspection in the present invention. Converting a driver under inspection from the driver list into a PE structure makes it possible to extract the API functions that the kernel driver uses and the memory addresses at which those API functions actually reside.
In the present invention, an application program that contains malicious code, among the application programs running on a computer system, is called a malicious code program, and the API functions used by malicious code are called suspected malicious APIs.
FIG. 1 is a block diagram of a malicious code detection system according to an embodiment of the present invention.
The malicious code detection system of the present invention includes a kernel driver search unit 11 that selects any driver under inspection from the driver list stored in the driver information store 1; a kernel driver conversion unit 12 that converts the driver under inspection into a PE structure and identifies the API functions it uses; a kernel driver analysis unit 13 that analyzes whether a suspected malicious API is among the API functions used by the driver under inspection; and a malicious code analysis unit 14 that disassembles the suspected malicious API used by the driver under inspection, together with its parameter values, and analyzes whether the suspected malicious API is a malicious code API. The malicious code detection system of the present invention further includes a neutralization processing unit 15 that blocks the operation of a driver under inspection which the analysis of the malicious code analysis unit 14 finds to use a malicious code API.
The kernel driver search unit 11 selects any driver under inspection from the driver list stored in the driver information store 1. The kernel driver conversion unit 12 converts the driver under inspection into a PE structure, which yields a list of the API functions used by the driver under inspection.
The kernel driver analysis unit 13 analyzes whether a suspected malicious API is among the API functions used by the driver under inspection. Here, a suspected malicious API may be an API function related to key input/output or keyboard port access, as used by a keylogger; a USB input/output function or an API function that reads or writes files; or an API function related to keyboard or mouse input, or to memory manipulation, as used by an online game hack.
If a suspected malicious API is among the API functions used by the driver under inspection, the kernel driver analysis unit 13 extracts the address of the memory location where that suspected malicious API actually resides. A suspected malicious API may or may not be a malicious code API; the malicious code analysis unit 14 analyzes whether it is.
The malicious code analysis unit 14 extracts and disassembles a preset number of bytes of code (the disassembly target bytes) around the memory address of the suspected malicious API. The disassembly target bytes are set so that the disassembled code includes both the suspected malicious API and the parameter values that it uses. The malicious code analysis unit 14 then analyzes the disassembled suspected malicious API and its parameter values, checking whether the suspected malicious API accesses a resource that must be protected, and thereby determines whether the suspected malicious API is a malicious code API.
For example, a hardware-related suspected malicious API takes a port address as a parameter value. When keyboard security is the goal, if a suspected malicious API related to keyboard input/output (for example, the ReadPortUChar API) has 60h or 64h as its parameter value, the driver under inspection that uses that suspected malicious API is judged to be malicious code attempting to access the keyboard.
The neutralization processing unit 15 neutralizes a driver under inspection that the malicious code analysis unit 14 has judged to contain malicious code. Any conventionally known technique for disabling a driver can be applied as is.
FIG. 2 is an operation flowchart illustrating the malicious code detection method of the malicious code detection system according to an embodiment of the present invention.
First, a driver under inspection is selected from the driver list (S21). The driver under inspection is converted into a PE structure to identify the API functions it uses (S22). Whether a suspected malicious API is among those API functions is analyzed (S23), and the suspected malicious API and its parameter values are disassembled (S24). Then, using the disassembled suspected malicious API and parameter values, whether the suspected malicious API is a malicious code API is analyzed (S25). Finally, based on the result of the analysis in step S25, the driver under inspection that uses the malicious code API is neutralized (S26).
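As an added illustration of steps S24 and S25 (this is not code from the patent), the following C program scans a constructed x86-32 driver code fragment for calls made through the IAT slot of a suspect API (READ_PORT_UCHAR) and recovers the port argument pushed before each call, flagging 60h and 64h as keyboard access. The IAT slot address, the code bytes and the function names are made up for the example, and the scanner is a simplified pattern matcher rather than a full disassembler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed value (not from the page): address of the IAT slot through
 * which this hypothetical driver calls READ_PORT_UCHAR. In the real system
 * it would come from the driver's PE import table (step S22). */
#define IAT_SLOT_READ_PORT_UCHAR 0x00011020u

/* Keyboard controller data (60h) and status/command (64h) ports: the
 * protected resource the page names for keyboard security. */
static int is_protected_port(uint32_t port)
{
    return port == 0x60 || port == 0x64;
}

typedef struct {
    size_t call_sites;     /* calls made through the suspect API's IAT slot */
    size_t protected_hits; /* of those, calls whose port argument is 60h/64h */
} scan_result;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* In x86-32 stdcall driver code the port argument is pushed right before the
 * call, as 6A ib (push imm8, sign-extended) or 68 id (push imm32).
 * Returns 1 and sets *port if such a push ends exactly at offset `at`. */
static int preceding_push_imm(const uint8_t *code, size_t at, uint32_t *port)
{
    if (at >= 2 && code[at - 2] == 0x6A) {
        *port = (uint32_t)(int32_t)(int8_t)code[at - 1];
        return 1;
    }
    if (at >= 5 && code[at - 5] == 0x68) {
        *port = le32(code + at - 4);
        return 1;
    }
    return 0;
}

/* Scan the driver's code for indirect calls through the suspect API's IAT
 * slot (FF 15 <imm32>, "call dword ptr [imm32]") and, for each, read the
 * disassembly target bytes just before it to recover the port parameter.
 * This is a simplified pattern matcher standing in for the disassembly of
 * steps S24/S25; it does not decode arbitrary x86 instructions. */
static scan_result scan_driver_code(const uint8_t *code, size_t len, uint32_t iat_slot)
{
    scan_result r = { 0, 0 };
    for (size_t i = 0; i + 6 <= len; i++) {
        uint32_t port;
        if (code[i] != 0xFF || code[i + 1] != 0x15 || le32(code + i + 2) != iat_slot)
            continue;
        r.call_sites++;
        if (!preceding_push_imm(code, i, &port))
            continue;              /* argument is not a literal: leave undecided */
        if (is_protected_port(port))
            r.protected_hits++;
    }
    return r;
}

/* Verdict in the page's terms: the driver under inspection uses a malicious
 * code API if any call to the suspect API targets a protected port. */
static int driver_uses_malicious_api(const uint8_t *code, size_t len, uint32_t iat_slot)
{
    return scan_driver_code(code, len, iat_slot).protected_hits > 0;
}

/* Constructed x86-32 fragment of a hypothetical driver (not from the page):
 * three calls through READ_PORT_UCHAR's slot with ports 64h, 60h and 3F8h,
 * and one call through a different import that also pushes 60h. */
static const uint8_t sample_driver_code[] = {
    0x55,                               /* push ebp                        */
    0x8B, 0xEC,                         /* mov  ebp, esp                   */
    0x6A, 0x64,                         /* push 64h                        */
    0xFF, 0x15, 0x20, 0x10, 0x01, 0x00, /* call [11020h]  READ_PORT_UCHAR  */
    0x88, 0x45, 0xFF,                   /* mov  [ebp-1], al                */
    0x6A, 0x60,                         /* push 60h                        */
    0xFF, 0x15, 0x20, 0x10, 0x01, 0x00, /* call [11020h]  READ_PORT_UCHAR  */
    0x68, 0xF8, 0x03, 0x00, 0x00,       /* push 3F8h (serial port, benign) */
    0xFF, 0x15, 0x20, 0x10, 0x01, 0x00, /* call [11020h]  READ_PORT_UCHAR  */
    0x6A, 0x60,                         /* push 60h                        */
    0xFF, 0x15, 0x24, 0x10, 0x01, 0x00, /* call [11024h]  another import   */
    0x5D,                               /* pop  ebp                        */
    0xC3                                /* ret                             */
};

int main(void)
{
    scan_result r = scan_driver_code(sample_driver_code, sizeof sample_driver_code,
                                     IAT_SLOT_READ_PORT_UCHAR);
    printf("suspect-API calls: %zu, protected-port calls: %zu -> %s\n",
           r.call_sites, r.protected_hits,
           r.protected_hits ? "malicious code API (keyboard port access)" : "no protected access");
    return 0;
}
```

Only calls through the suspect API's own IAT slot are counted, so the final call with port 60h through a different import does not contribute to the verdict.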
According to the embodiments of FIGS. 1 and 2 described above, any kernel driver containing malicious code is neutralized and its execution blocked. However, even if a kernel driver contains malicious code, that malicious code does not run unless a user-level process actually invokes it; the embodiments of FIGS. 1 and 2 have the drawback that they block even such cases. FIG. 3 presents a solution to this problem.
FIG. 3 is a block diagram of a malicious code detection system according to another embodiment of the present invention.
The malicious code detection system of the present invention includes a kernel driver search unit 31 that selects any driver under inspection from the driver list stored in the driver information store 1; a kernel driver conversion unit 32 that converts the driver under inspection into a PE structure and identifies the API functions it uses; a kernel driver analysis unit 33 that analyzes whether a suspected malicious API is among the API functions used by the driver under inspection; a malicious code analysis unit 34 that disassembles the suspected malicious API used by the driver under inspection together with its parameter values, analyzes whether the suspected malicious API is a malicious code API, and stores the driver handle of a driver under inspection that uses a malicious code API, along with information on that malicious code API, in the shared memory 2; a user process search unit 35 that uses the driver handle information stored in the shared memory to examine the list of user processes that use the driver under inspection; a user process analysis unit 36 that checks whether each user process in the user process list calls the malicious code API; and a neutralization processing unit 37 that neutralizes a user process that calls the malicious code API.
The neutralization processing unit 37 blocks the execution of the malicious code by closing the driver handle of the driver under inspection or by terminating the user process.
In the malicious code detection system configured as above, the functions and operation of the kernel driver search unit 31, the kernel driver conversion unit 32 and the kernel driver analysis unit 33 are the same as those of the kernel driver search unit 11, the kernel driver conversion unit 12 and the kernel driver analysis unit 13 of FIG. 1, so a detailed description is omitted here.
The malicious code analysis unit 34 extracts and disassembles the disassembly target bytes around the memory address of the suspected malicious API, analyzes the disassembled suspected malicious API and its parameter values, and checks whether the suspected malicious API accesses a resource that must be protected, thereby determining whether the suspected malicious API is a malicious code API. When it determines that the driver under inspection uses a malicious code API, the malicious code analysis unit 34 stores the driver handle of that driver under inspection and information on the malicious code API in use in the shared memory 2.
The user process search unit 35 uses the driver handle information stored in the shared memory to examine which user processes are using the driver under inspection and builds a user process list. Because kernel drivers and user processes are not in a one-to-one relationship, there may be many user processes using the driver under inspection, or none at all.
The user process analysis unit 36 analyzes whether the user processes in the user process list call the malicious code API contained in the driver under inspection. If a user process calls the malicious code API contained in the driver under inspection, the malicious code is being executed, so the neutralization processing unit 37 neutralizes it so that the malicious code cannot run. If no user process calls the malicious code API contained in the driver under inspection, there is no possibility of the malicious code API being abused, so the driver under inspection and the user processes are allowed to operate normally.
The neutralization processing unit 37 prevents the malicious code from running by closing the driver handle of the driver under inspection or by terminating the user process.
FIG. 4 is an operation flowchart illustrating the malicious code detection method of the malicious code detection system according to another embodiment of the present invention.
First, a driver under inspection is selected from the driver list (S41). The driver under inspection is converted into a PE structure to identify the API functions it uses (S42). Whether a suspected malicious API is among those API functions is analyzed (S43), and the suspected malicious API and its parameter values are disassembled (S44). Then, using the disassembled suspected malicious API and parameter values, whether the suspected malicious API is a malicious code API is analyzed (S45). Based on the result of the analysis in step S45, the driver handle of the driver under inspection that uses the malicious code API, together with information on the malicious code API in use, is stored in the shared memory (S46).
Using the driver handle information, the list of user processes that use the driver under inspection is examined (S47), and whether each such user process calls the malicious code API is analyzed (S48). Finally, if the analysis in step S48 finds that a user process calls the malicious code API, execution of the malicious code is neutralized (S49), which can be achieved by closing the driver handle or by terminating the user process.
Although the technical idea of the present invention has been described above with reference to the accompanying drawings, this is an illustrative description of the best embodiment of the present invention and does not limit the present invention. It is also evident that anyone with ordinary skill in the art can make various modifications and imitations without departing from the scope of the technical idea of the present invention.

Claims (16)

  1. A malicious code detection system, comprising: a kernel driver search unit that selects a driver under inspection;
    a kernel driver conversion unit that identifies the API functions used by the driver under inspection;
    a kernel driver analysis unit that analyzes whether a suspected malicious API is among the API functions used by the driver under inspection; and
    a malicious code analysis unit that disassembles the suspected malicious API and parameter values used by the driver under inspection and analyzes whether the suspected malicious API is a malicious code API.
  2. The malicious code detection system of claim 1, further comprising a neutralization processing unit that neutralizes the operation of the driver under inspection when the analysis of the malicious code analysis unit finds that the driver under inspection uses the malicious code API.
  3. The malicious code detection system of claim 2, wherein the neutralization processing unit closes the driver handle of the driver under inspection.
  4. A malicious code detection method, comprising: a kernel driver search step of selecting a driver under inspection;
    a kernel driver conversion step of identifying the API functions used by the driver under inspection;
    a kernel driver analysis step of analyzing whether a suspected malicious API is among the API functions used by the driver under inspection; and
    a malicious code analysis step of disassembling the suspected malicious API and parameter values used by the driver under inspection and analyzing whether the suspected malicious API is a malicious code API.
  5. The malicious code detection method of claim 4, further comprising a neutralization processing step of neutralizing the operation of the driver under inspection when the analysis of the malicious code analysis step finds that the driver under inspection uses the malicious code API.
  6. The malicious code detection method of claim 5, wherein the neutralization processing step closes the driver handle of the driver under inspection.
  7. A malicious code detection system, comprising: a kernel driver search unit that selects a driver under inspection;
    a kernel driver conversion unit that identifies the API functions used by the driver under inspection;
    a kernel driver analysis unit that analyzes whether a suspected malicious API is among the API functions used by the driver under inspection;
    a malicious code analysis unit that disassembles the suspected malicious API and parameter values used by the driver under inspection and analyzes whether the suspected malicious API is a malicious code API;
    a user process search unit that, when the analysis of the malicious code analysis unit finds that the malicious code API is contained in the driver under inspection, examines the user processes that use the driver under inspection; and
    a user process analysis unit that analyzes whether the user process calls the malicious code API, thereby detecting whether the malicious code API of the driver under inspection is actually executed.
  8. The malicious code detection system of claim 7, further comprising a neutralization processing unit that neutralizes the operation of the driver under inspection when the analysis of the user process analysis unit finds that the user process calls the malicious code API.
  9. The malicious code detection system of claim 8, wherein the neutralization processing unit closes the driver handle of the driver under inspection.
  10. The malicious code detection system of claim 8, wherein the neutralization processing unit terminates the user process.
  11. The malicious code detection system of claim 8, wherein, when the malicious code API is contained in the driver under inspection, the malicious code analysis unit stores the driver handle of the driver under inspection and information on the malicious code API in a shared memory, and the user process search unit examines the user processes that use the driver under inspection by using the driver handle of the driver under inspection.
  12. A malicious code detection method, comprising: a kernel driver search step of selecting a driver under inspection;
    a kernel driver conversion step of identifying the API functions used by the driver under inspection;
    a kernel driver analysis step of analyzing whether a suspected malicious API is among the API functions used by the driver under inspection;
    a malicious code analysis step of disassembling the suspected malicious API and parameter values used by the driver under inspection and analyzing whether the suspected malicious API is a malicious code API;
    a user process search step of, when the analysis of the malicious code analysis step finds that the malicious code API is contained in the driver under inspection, examining the user processes that use the driver under inspection; and
    a user process analysis step of analyzing whether the user process calls the malicious code API, thereby detecting whether the malicious code API of the driver under inspection is actually executed.
  13. The malicious code detection method of claim 12, further comprising a neutralization processing step of neutralizing the operation of the driver under inspection when the analysis of the user process analysis step finds that the user process calls the malicious code API.
  14. The malicious code detection method of claim 13, wherein the neutralization processing step closes the driver handle of the driver under inspection.
  15. The malicious code detection method of claim 13, wherein the neutralization processing step terminates the user process.
  16. The malicious code detection method of claim 12, wherein, when the malicious code API is contained in the driver under inspection, the malicious code analysis step stores the driver handle of the driver under inspection and information on the malicious code API in a shared memory, and the user process search step examines the user processes that use the driver under inspection by using the driver handle of the driver under inspection.
PCT/KR2010/002375 2009-06-30 2010-04-16 System and method for detecting malicious code WO2011002146A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2009-0058960 2009-06-30
KR1020090058960A KR101161008B1 (en) 2009-06-30 2009-06-30 system and method for detecting malicious code

Publications (2)

Publication Number Publication Date
WO2011002146A2 true WO2011002146A2 (en) 2011-01-06
WO2011002146A3 WO2011002146A3 (en) 2011-02-17

Family

ID=43411537

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2010/002375 WO2011002146A2 (en) 2009-06-30 2010-04-16 System and method for detecting malicious code

Country Status (2)

Country Link
KR (1) KR101161008B1 (en)
WO (1) WO2011002146A2 (en)

Also Published As

Publication number Publication date
WO2011002146A3 (en) 2011-02-17
KR101161008B1 (en) 2012-07-02
KR20110001426A (en) 2011-01-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10794281

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10794281

Country of ref document: EP

Kind code of ref document: A2