
Detecting Windows Code Injection by Cross-Validating Stack and VAD Information

Site editor: Free考研考试 / 2024-10-07

Authors: 翟继强, 韩旭, 王家乾, 孙海旭, 杨海陆 (ZHAI Jiqiang, HAN Xu, WANG Jiaqian, SUN Haixu, YANG Hailu)

Abstract: Windows 32/64-bit code injection is an attack technique commonly used by malware. In memory forensics, existing code injection detection techniques cannot handle dynamic content when verifying integrity, and their parsing of in-memory data structures is not compatible across different versions of Windows. This paper therefore proposes a method that locates injected code by cross-validating process stack and VAD information. The method first walks the stack frames to obtain the function return address, module name and related data for each frame, then combines that data with the process VAD structure to check each return address and match file names, thereby locating the injected code. A Windows code injection detection plugin, codefind, was developed on the Volatility forensics framework. Test results show that the method can still effectively locate 32/64-bit injected code even when VAD nodes have been modified by malware.
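As an added illustration of the cross-validation step the abstract describes (this is not the codefind plugin's code), the following Python sketch checks each return address from a stack walk against a list of VAD nodes. The VAD field layout, the sample addresses and the file paths are constructed assumptions, not data from a real memory image.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vad:                    # one VAD node: address range plus backing file (None = private memory)
    start: int
    end: int                  # inclusive
    file_name: Optional[str]
    protection: str

@dataclass
class StackFrame:             # one frame from the stack walk
    return_address: int
    module_name: Optional[str]  # module the loader list attributes the address to

def find_vad(vads, addr):
    """Return the VAD node covering addr, or None if no node does."""
    return next((v for v in vads if v.start <= addr <= v.end), None)

def cross_validate(frames, vads):
    """Flag return addresses that no VAD covers (node unlinked or removed), that sit in
    private memory, or whose loader-list module name differs from the VAD's backing file."""
    findings = []
    for f in frames:
        vad = find_vad(vads, f.return_address)
        if vad is None:
            findings.append((f.return_address, "no VAD node covers return address"))
        elif vad.file_name is None:
            findings.append((f.return_address, f"private memory, {vad.protection}"))
        else:
            vad_base = vad.file_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if (f.module_name or "").lower() != vad_base:
                findings.append((f.return_address, f"module {f.module_name!r} != VAD file {vad_base!r}"))
    return findings

# Constructed sample data; addresses and paths are illustrative, not from a real dump.
SAMPLE_VADS = [
    Vad(0x00400000, 0x0043FFFF, r"\Users\u\app.exe", "PAGE_EXECUTE_WRITECOPY"),
    Vad(0x77000000, 0x770FFFFF, r"\Windows\System32\kernel32.dll", "PAGE_EXECUTE_WRITECOPY"),
    Vad(0x02A00000, 0x02A0FFFF, None, "PAGE_EXECUTE_READWRITE"),
    Vad(0x10000000, 0x1000FFFF, r"\Windows\System32\user32.dll", "PAGE_EXECUTE_WRITECOPY"),
]
SAMPLE_FRAMES = [
    StackFrame(0x77012345, "kernel32.dll"),  # legitimate: module and VAD file agree
    StackFrame(0x00401234, "app.exe"),       # legitimate
    StackFrame(0x02A00123, None),            # returns into private RWX memory
    StackFrame(0x10001000, "kernel32.dll"),  # loader list and VAD file disagree
    StackFrame(0x7FFE0000, "ntdll.dll"),     # no VAD node at all (e.g. unlinked)
]
def demo():
    return cross_validate(SAMPLE_FRAMES, SAMPLE_VADS)
```

Each finding pairs the return address with the reason it failed cross-validation, which is the information an analyst would want next to the stack-walk output.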
