Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

郭津之,龙海,黄皓

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.18.036

2009-01-01

Abstract:To prevent code injection by using message hook,a method of intercepting message hook and clean up the message hook objects in kernel mode is introduced based on analyzing Windows system service and message hook mechanism.Compared to current methods,this method can prevent intercept and cleanup from being bypassed by malware and works more effectively.Experiment proved that the method can prevent code injection effectively.

Hung-Min Sun,Yue-Hsun Lin,Ming-Fung Wu

DOI: https://doi.org/10.1007/11780656_14

2006-01-01

Abstract:Worms and Exploits attacks are currently the most prevalent security problems; they are responsible for over half of the CERT advisories issued in the last three years. To initiate an infection or intrusion, both of them inject a small piece of malicious code (ShellCode) into software through buffer or heap overflow vulnerabilities. Unlike Unix-like operating systems, ShellCodes for Microsoft Windows system need more complex steps to acquire Win32 API calls from DLL file (Dynamic Load Library) in Microsoft Windows. In this paper, we proposed an effective API monitoring system to get rid of worms and exploits attacks for the Microsoft Windows without hardware support. We address the problem by noticing that ShellCodes need the extra complex steps in accessing Win32 API calls. Through the API monitoring system we purposed, we can successfully stop the attacks made by worms and exploits. Moreover, the efficiency of Win32 API Calls hooking and monitoring system can be improved. Incapability to disassemble and analysis the protected software processes are overcome as well.

XU Si-ming,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2010.10.028

2010-01-01

Abstract:This paper mainly explores two basic techniques in the field of malicious-code attack and defense.For the malicious-code attack,it discusses respectively DLL injection technique and API hook technique,then analyzes the realization method in each technique,while for the malicious-code defense,the corresponding security detection methods based individually on compiler,virtual machine,and operating system are pointed out.In addition,their characteristics are analyzed,including their advantages and disadvantages.So this paper may offer certain beneficial helps to the relevant technologies of malicious-code attack and defense in the infosec research field.

ZHANG Jun,SU Pu-rui,FENG Deng-guo

2006-01-01

Journal of Computer Applications

Abstract:The technology of Intrusion Detection is one of the important measures to protect the networks.Host-based intrusion detection is used to protect the key hosts.A flexible loading intrusion detection based on system-call was introduced in this paper.This system improved the common data collection method,and adopted virtual equipment driversto acquire system call.This method brings small influence on system,is easy to load and unload,and provides the standard interface. The data analysis integrates the two detection methods: anomaly and misuse,which provides corresponding detection models and introduces the noise filtering function.

Hung-Min Sun,Hsun Wang,King-Hang Wang,Chien-Ming Chen

DOI: https://doi.org/10.1109/tc.2011.46

IF: 3.183

2011-01-01

IEEE Transactions on Computers

Abstract:As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.

WANG Hai-chen,SHI Yong,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.04.023

2011-01-01

Abstract:Key-loggers for malicious purpose acquire the confidential information by capturing users' input key-stokes,thus resulting in serious threat on computers' security. Research and implementation of secure password input tools can protect the system from such threat. Aiming at various key-logging techniques,How to protect password input and implement one utility in combination of protection in both Ring 0 and Ring 3 is studied. In Ring 3,Windows Hooks and IAT Hook are applied to preventing message interceptions. In Ring 0,protection is realized by using IOAPIC to reassign the keyboard interrupt handler. This paper provides a useful way for guaranteeing the safety of password input.

Xinmei HOU,Kaikun DONG

DOI: https://doi.org/10.3969/j.issn.2095-2163.2016.05.009

2016-01-01

Abstract:With the advent of the information age, more and more people pay attention to the network security. Safety engineers have treated malicious virus and programs as the protection key, network security offensive and defensive game never stops. This paper proposes a malicious behavior backend monitoring scheme based on Windows Service, detecting and intercepting the abnormal behaviors with DLL injection and API HOOK caused by virus from Multi?Demensions. This method covers the shortage of single detection dimension. It is particularly worth mentioning here that this paper adopts a way of kernel?level injection by analysing kernel?level system calls, and works out the limitation on injection behaviors by mainstream OS, makes the cross?platform general injection possible. Finally, this system runs in backend in a Windows Service way, reduces the energy consumption and improves the operation stability. Meanwhile, the paper proposes the conception of “Selfish Protection Set”, which provides a deeper research direction for malicious behaviors monitoring.

Yang Liu,Hao Huang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2014.10.002

2014-01-01

Abstract:To restrain the malicious behaviour of the applications,we put forward the approach for access and capability control in regard to applications in Windows 7 operating system by studying the access control mechanism of Windows platform and analysing the means of resource management by the object manager.This method is implemented by integrating the access control and resource monitoring,it uses the restricted access token and job object to restrain the privileges of program process,and realises to monitor the resources access by the applications through expanding the function of object manager callback.At last,the feasibility and availability of the method is validated with experiment,it achieves the fine-grained monitoring on system resources.

Yang Shen,Min Xie,Wenzhe Zhang,Tao Wu

2024-12-08

Abstract:Intercepting system calls is crucial for tools that aim to modify or monitor application behavior. However, existing system call interception tools on the ARM platform still suffer from limitations in terms of performance and completeness. This paper presents an efficient and comprehensive binary rewriting framework, ASC-Hook, specifically designed for intercepting system calls on the ARM platform. ASC-Hook addresses two key challenges on the ARM architecture: the misalignment of the target address caused by directly replacing the SVC instruction with br x8, and the return to the original control flow after system call interception. This is achieved through a hybrid replacement strategy and our specially designed trampoline mechanism. By implementing multiple completeness strategies specifically for system calls, we ensured comprehensive and thorough interception. Experimental results show that ASC-Hook reduces overhead to at least 1/29 of that of existing system call interception tools. We conducted extensive performance evaluations of ASC-Hook, and the average performance loss for system call-intensive applications is 3.7\% .

Hardware Architecture,Performance,Programming Languages

Qiang Zeng,Zhi Xin,Dinghao Wu,Peng Liu,Bing Mao

2013-01-01

Abstract:The system call interface defines the services an operating system kernel provides to user space programs. An operating system usually provides a uniform system call interface to all user programs, while in practice no programs utilize the whole set of the system calls. Existing system call based sandboxing and intrusion detection systems focus on confining program behavior using sophisticated finite state or pushdown automaton models. However, these automata generally incur high false positives when modeling program behavior such as signal handling and multithreading, and the runtime overhead is usually significantly high. We propose to use a stateless model, a whitelist of system calls needed by the target program. Due to the simplicity we are able to construct the model via static analysis on the program’s binary with much higher precision that incurs few false positives. We argue that this model is not “trivial” as stated by Wagner and Dean. We have validated this hypothesis on a set of common benign benchmark programs against a set of real-world shellcode, and shown that this simple model is, instead, very effective in preventing exploits. The model, encoded as an per-process tailored system call table, incurs virtually no runtime overhead, and should be practical to be deployed to enhance application and system security.

ZHU Ying-ying,YE Mao,LIU Nai-qi,LI Zheng,ZHENG Kai-yuan

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.18.034

2008-01-01

Computer Engineering and Applications Journal

Abstract:Considering the shortcomings of Windows system intrusion detection and the advantages of the Linux system intrusion detection based on the sequence of the system call,a kernel-level host intrusion detection program based on the BP neural network algorithm to study and classify the sequence of Windows Native API is proposed in this paper.Experiment results prove that the sequence of Native API can be used for intrusion detection.Windows Native API means the kernel model API,which is similar to the Linux system call.The neural network is trained to learn the normal and abnormal sequence of Native API.In the intrusion detection,use the trained neural network to classify the emerging Native API sequence,and find whether the intrusion happens.

Jin YU,Hao HUANG

DOI: https://doi.org/10.11897/SP.J.1016.2017.00414

2017-01-01

Abstract:How to effectively ensure the operation security of the guest virtual machine on a cloud computing platform is a hot topic at present.The system function hook and control method is one of the key technologies that are used to monitor the client system.Although the function hook and control method adopted in the security monitoring program based on the kernel interface of the operation system and the introspection program of the virtual machine based on the virtualization technology can meet the requirements of the security monitoring,the system still has some defects:the function hook can be easily bypassed;the system call hook method is single and limited;the internal function of the client application can't be hooked;the executing process of the function cannot be controlled;the security mechanism may result in extra large performance overhead.In this paper,an automatic function hook and control program of the guest virtual machine system based on virtualization technology (VMSPY) is proposed.The main functions of the modules are realized in the VMM,the codes of the guest system are analyzed automatically and generated dynamically via the disassembly engine.Besides,the privileged instruction sequence designed is inserted in a proper position to realize the system call hook.The internal function of the application is intercepted under the condition that it is not affected by the address space layout randomization (ASLR) technology.The code instruction sequence of the hooked function is simulated and executed automatically in the VMM according to the strategy to realize the control of the executing process of the system call and the application function.The privileged instruction sequence inserted in the guest system is protected through the memory page authorization mechanism to prevent the impact of the guest system.A cache mechanism is used to reduce the extra performance overhead as much as possible.

HAO Dong-bai,YAN Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.06.100

2008-01-01

Abstract:Against the leakiness means of confidential computer, a confidential computer monitor and audit system is established, by using the technology of driver filter, SPI, message broadcast interrupt, virtual printing monitor and hook on Windows platform, key algorithms and implementation methods of this system are focused. Experimental result and practice validate the availability of this system.

Fei Chen,Yan Fu

DOI: https://doi.org/10.1109/DBTA.2009.127

2009-01-01

Abstract:In this paper, we propose a new approach for the dynamic detection of malicious executables on the platform of Windows. Our approach extracts signatures of malicious executable's behaviors by using API (Application Program Interface) interception technique which makes possible the detection of unknown malicious executables. The dynamic detection of unknown malicious executables is achieved in three major steps: getting the sequence of API function calls of the executable, processing the API sequence to generate a vector, calculating the similarity between the vector and the feature library constructed by security policies to verify if the executable is malicious. The experiment confirms that this approach is effective in detection of unknown malicious executables.

Yang Min,Xu Bingquan,Zhang Yuan,Yang Zhemin

2013-01-01

Abstract:The invention belongs to the technical field of mobile platform access control, and particularly discloses an immediate access conferring method aiming at low interference of a mobile platform. According to the fact that a system call interceptor is designed and achieved on the interior of a mobile platform operating system, direct access of application programs on the mobile platform to sensitive resources can be effectively intercepted. According to the fact that communication information among courses is recorded in operating system nucleus, the fact that the application programs indirectly access the sensitive resources through open interfaces of other application programs can be effectively controlled, and therefore all standing of access of the sensitive resources is achieved. According to the immediate access conferring method aiming at the low interference of the mobile platform, safety is guaranteed, most of harmless access can be filtered at the same time, for tiny minority of access possibly triggering the safe problems, access information can be immediately provided for a user so as to help the user to make correct access conferring.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.4028/www.scientific.net/amr.159.424

2010-01-01

Advanced Materials Research

Abstract:HOOK and injection are advanced programming techniques. The common windows injection and HOOK techniques are introduced and analyzed in this paper. (1) By using hooks; (2) By using registration table;（3）By Trojan Horse DLL; (4) By PE import table; (5) By using remote thread. Proposed a method of non-DLL and gives a machine code-level implementations of the technology. Finally the paper lists the key technology and gives the main code.

Edward L Amoruso,Richard Leinecker,Cliff C Zou

DOI: https://doi.org/10.3390/s24165106

2024-08-06

Abstract:The Windows registry contains a plethora of information in a hierarchical database. It includes system-wide settings, user preferences, installed programs, and recently accessed files and maintains timestamps that can be used to construct a detailed timeline of user activities. However, these data are unencrypted and thus vulnerable to exploitation by malicious actors who gain access to this repository. To address this security and privacy concern, we propose a novel approach that efficiently encrypts and decrypts sensitive registry data in real time. Our developed proof-of-concept program intercepts interactions between the registry's application programming interfaces (APIs) and other Windows applications using an advanced hooking technique. This enables the proposed system to be transparent to users without requiring any changes to the operating system or installed software. Our approach also implements the data protection API (DPAPI) developed by Microsoft to securely manage each user's encryption key. Ultimately, our research provides an enhanced security and privacy framework for the Windows registry, effectively fortifying the registry against security and privacy threats while maintaining its accessibility to legitimate users and applications.

CHEN Hui,ZHOU Xue-Hai,CHEN Xiang-Lan

DOI: https://doi.org/10.3969/j.issn.1003-3254.2010.12.003

2010-01-01

Abstract:Security is always a hot topic with the development of computer technologies.Currently,mechanisms like active defense,detection and anti-detection are proposed.They could be implemented on different levels such as application-level and kernel-level in the system.We manage to go to the system-level.Linux owns mature security-enhanced version SELinux.For Windows,we focus on mandatory access control and propose a mechanism with improved efficiency,compatibility and stability.

Nai Xia,Bing Mao,Qingkai Zeng,Li Xie

DOI: https://doi.org/10.1007/978-3-540-77505-8_8

2007-01-01

Abstract:Control-hijacking attacks are known as critical threats to software security. Control flow monitoring is a kind of important method to mitigate this problem. In this paper, we present a new method for program control flow monitoring. Based on the static analysis of a program, we apply very simple instrumentation of a progam's source code to encode its runtime function level control flow traces and check the correctness of the traces in the OS kernel. Experiments show that this method has a tiny performance impact and is still highly effective in detecting control-hijacking attacks. We also propose to automatically handle non-standard control flow by learning programs' dynamic profiling data. Our method is hopeful to be enforceable in different environments because it does not depend closely on specific platform features and the underlying techniques can be easily found in many platforms.