Xiao-zhe LI,Mei-jun ZANG,Yi-qi DAI

DOI: https://doi.org/10.3969/j.issn.1672-464X.2008.04.015

2008-01-01

Abstract:Nowadays,Windows operating system is the most prevalent OS,and its security problem is widely concerned by users.System call interception is an efficient way to control accesses to the Windows system resource.This paper introduces and implements an API HOOK method to intercept Windows system calls,and exploits it to control host behaviors.By experiments,we prove that this system call interception method can control host access to system resources,which improves the security level of Windows OS.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.4028/www.scientific.net/amr.159.424

2010-01-01

Advanced Materials Research

Abstract:HOOK and injection are advanced programming techniques. The common windows injection and HOOK techniques are introduced and analyzed in this paper. (1) By using hooks; (2) By using registration table;（3）By Trojan Horse DLL; (4) By PE import table; (5) By using remote thread. Proposed a method of non-DLL and gives a machine code-level implementations of the technology. Finally the paper lists the key technology and gives the main code.

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.

Xinmei HOU,Kaikun DONG

DOI: https://doi.org/10.3969/j.issn.2095-2163.2016.05.009

2016-01-01

Abstract:With the advent of the information age, more and more people pay attention to the network security. Safety engineers have treated malicious virus and programs as the protection key, network security offensive and defensive game never stops. This paper proposes a malicious behavior backend monitoring scheme based on Windows Service, detecting and intercepting the abnormal behaviors with DLL injection and API HOOK caused by virus from Multi?Demensions. This method covers the shortage of single detection dimension. It is particularly worth mentioning here that this paper adopts a way of kernel?level injection by analysing kernel?level system calls, and works out the limitation on injection behaviors by mainstream OS, makes the cross?platform general injection possible. Finally, this system runs in backend in a Windows Service way, reduces the energy consumption and improves the operation stability. Meanwhile, the paper proposes the conception of “Selfish Protection Set”, which provides a deeper research direction for malicious behaviors monitoring.

Yong Wang,Dawu Gu,Wei Li,Jing Li,Mi Wen

DOI: https://doi.org/10.1109/ieec.2009.52

2009-01-01

Abstract:Rootkits Trojan virus, which can control attacked computers, delete import files and even steal password, are much popular now. Interrupt Descriptor Table (IDT) hook is rootkit technology in kernel level of Trojan. The paper makes deeply analysis on the IDT hooks handle procedure of rootkit Trojan according to previous other researchers methods. We compare its IDT structure and programs to find how Trojan interrupt handler code can respond the interrupt vector request in both real address mode and protected address mode. Finally, we analyze the IDT hook detection methods of rootkits Trojan by Windbg or other professional tools.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Irfan Ahmed,Golden G. Richard,Aleksandar Zoranic,Vassil Roussev

DOI: https://doi.org/10.1007/978-3-319-27659-5_1

2015-01-01

Abstract:With the introduction of kernel integrity checking mechanisms in modern operating systems, such as PatchGuard on Windows OS, malware developers can no longer easily install stealthy hooks in kernel code and well-known data structures. Instead, they must target other areas of the kernel, such as the heap, which stores a large number of function pointers that are potentially prone to malicious exploits. These areas of kernel memory are currently not monitored by kernel integrity checkers.We present a novel approach to monitoring the integrity of Windows kernel pools, based entirely on virtual machine introspection, called HookLocator. Unlike prior efforts to maintain kernel integrity, our implementation runs entirely outside the monitored system, which makes it inherently more difficult to detect and subvert. Our system also scales easily to protect multiple virtualized targets. Unlike other kernel integrity checking mechanisms, HookLocator does not require the source code of the operating system, complex reverse engineering efforts, or the debugging map files. Our empirical analysis of kernel heap behavior shows that integrity monitoring needs to focus only on a small fraction of it to be effective; this allows our prototype to provide effective real-time monitoring of the protected system.

XU Si-ming,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2010.10.028

2010-01-01

Abstract:This paper mainly explores two basic techniques in the field of malicious-code attack and defense.For the malicious-code attack,it discusses respectively DLL injection technique and API hook technique,then analyzes the realization method in each technique,while for the malicious-code defense,the corresponding security detection methods based individually on compiler,virtual machine,and operating system are pointed out.In addition,their characteristics are analyzed,including their advantages and disadvantages.So this paper may offer certain beneficial helps to the relevant technologies of malicious-code attack and defense in the infosec research field.

Hung-Min Sun,Hsun Wang,King-Hang Wang,Chien-Ming Chen

DOI: https://doi.org/10.1109/tc.2011.46

IF: 3.183

2011-01-01

IEEE Transactions on Computers

Abstract:As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.

Hung-Min Sun,Yue-Hsun Lin,Ming-Fung Wu

DOI: https://doi.org/10.1007/11780656_14

2006-01-01

Abstract:Worms and Exploits attacks are currently the most prevalent security problems; they are responsible for over half of the CERT advisories issued in the last three years. To initiate an infection or intrusion, both of them inject a small piece of malicious code (ShellCode) into software through buffer or heap overflow vulnerabilities. Unlike Unix-like operating systems, ShellCodes for Microsoft Windows system need more complex steps to acquire Win32 API calls from DLL file (Dynamic Load Library) in Microsoft Windows. In this paper, we proposed an effective API monitoring system to get rid of worms and exploits attacks for the Microsoft Windows without hardware support. We address the problem by noticing that ShellCodes need the extra complex steps in accessing Win32 API calls. Through the API monitoring system we purposed, we can successfully stop the attacks made by worms and exploits. Moreover, the efficiency of Win32 API Calls hooking and monitoring system can be improved. Incapability to disassemble and analysis the protected software processes are overcome as well.

YUAN Jian,ZHOU Xue-Si,HUANG Yong-Feng

DOI: https://doi.org/10.3969/j.issn.0490-6756.2011.03.011

2011-01-01

Abstract:Covert communication is a new security technology of information transmission other than the encryption.Along with the rapid development of Internet,the covert communication based on network protocols and streaming media is flourishing.The authors have suggested a basic framework to achieve covert communication using HOOK technology onto popular Internet instant messaging software.The basic approach of reusing the media stream by HOOK technology as well as specific implementation algorithm is focused on.An end-to-end covert communication system based on HOOK technology has also been developed which attaches to voice over IP(VoIP) software.Experimental results show that the framework suggested in this paper can effectively intercept the network data which is sent or received by the VoIP software.Furthermore,it can also exchange covert information,which means that the authors have achieved a new kind of covert communication system.

WANG Hai-chen,SHI Yong,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.04.023

2011-01-01

Abstract:Key-loggers for malicious purpose acquire the confidential information by capturing users' input key-stokes,thus resulting in serious threat on computers' security. Research and implementation of secure password input tools can protect the system from such threat. Aiming at various key-logging techniques,How to protect password input and implement one utility in combination of protection in both Ring 0 and Ring 3 is studied. In Ring 3,Windows Hooks and IAT Hook are applied to preventing message interceptions. In Ring 0,protection is realized by using IOAPIC to reassign the keyboard interrupt handler. This paper provides a useful way for guaranteeing the safety of password input.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.1109/ncis.2011.62

2011-01-01

Abstract:Aiming at the principles how root kit malicious action by hooking System Service Dispatch Table and utilizing inline function patching, this paper presents a method of integrity detection and restoration based on kernel file, which is proved to ensure correct implementation of the kernel function.

LI Xiao-dong,LUO Ping,ZENG Zhi-feng

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.05.044

2007-01-01

Abstract:Trojan horse is a new kind computer virus,which makes much damage to computer information resources in a local network.This paper represented a new method to detect Trojans using its auto-startup characteristic.This method uses hooking system services dispatch table,so as to monitor file system and registry table.Compared with traditional detective methods,it can detect not only known Trojans but unknown ones.It is difficult for Trojans to escape detection because it is implemented in the kernel.

Chengyu Song,Jianwei Zhuge,Xinhui Han,Zhiyuan Ye

DOI: https://doi.org/10.1145/1755688.1755705

2010-01-01

Abstract:Drive-by download attack is one of the most severe threats to Internet users. Typically, only visiting a malicious page will result in compromise of the client and infection of malware. By the end of 2008, drive-by download had already become the number one infection vector of malware [5]. The downloaded malware may steal the users' personal identification and password. They may also join botnet to send spams, host phishing site or launch distributed denial of service attacks. Generally, these attacks rely on successful exploits of the vulnerabilities in web browsers or their plug-ins. Therefore, we proposed an inter-module communication monitoring based technique to detect malicious exploitation of vulnerable components thus preventing the vulnerability being exploited. We have implemented a prototype system that was integrated into the most popular web browser Microsoft Internet Explorer. Experimental results demonstrate that, on our test set, by using vulnerability-based signature, our system could accurately detect all attacks targeting at vulnerabilities in our definitions and produced no false positive. The evaluation also shows the performance penalty is kept low.

Yuning Cui,Yi Sun,Zhaowen Lin

DOI: https://doi.org/10.1007/s10515-023-00378-w

IF: 1.677

2023-02-26

Automated Software Engineering

Abstract:With the popularity of Android devices, mobile apps are prevalent in our daily life, making them a target for attackers to steal private data and push advertisements. Dynamic analysis is an effective approach to detect runtime behavior of Android malware and can reduce the impact of code obfuscation. However, some dynamic sandboxes commonly used by researchers are usually based on emulators with older versions of Android, for example, the state-of-the-art sandbox, DroidBox. These sandboxes are vulnerable to evasion attacks and may not work with the latest apps. In this paper, we propose a prototype framework, DroidHook, as a novel automated sandbox for Android malware dynamic analysis. Unlike most existing tools, DroidHook has two obvious advantages. Firstly, the set of APIs to be monitored by DroidHook can be easily modified, so that DroidHook is ideally suitable for diverse situations, including the detection of a specific family of malware and unknown malware. Secondly, DroidHook does not depend on a specific Android OS but only on Xposed, so it can work with multiple Android versions and can perform normally on both emulators and real devices. Experiments show that DroidHook can provide more fine-grained and precise results than DroidBox. Moreover, with the support for real devices and new versions of Android, DroidHook can run most samples properly and acquire stronger detection results, compared to emulator-based tools.

computer science, software engineering

Jin YU,Hao HUANG

DOI: https://doi.org/10.11897/SP.J.1016.2017.00414

2017-01-01

Abstract:How to effectively ensure the operation security of the guest virtual machine on a cloud computing platform is a hot topic at present.The system function hook and control method is one of the key technologies that are used to monitor the client system.Although the function hook and control method adopted in the security monitoring program based on the kernel interface of the operation system and the introspection program of the virtual machine based on the virtualization technology can meet the requirements of the security monitoring,the system still has some defects:the function hook can be easily bypassed;the system call hook method is single and limited;the internal function of the client application can't be hooked;the executing process of the function cannot be controlled;the security mechanism may result in extra large performance overhead.In this paper,an automatic function hook and control program of the guest virtual machine system based on virtualization technology (VMSPY) is proposed.The main functions of the modules are realized in the VMM,the codes of the guest system are analyzed automatically and generated dynamically via the disassembly engine.Besides,the privileged instruction sequence designed is inserted in a proper position to realize the system call hook.The internal function of the application is intercepted under the condition that it is not affected by the address space layout randomization (ASLR) technology.The code instruction sequence of the hooked function is simulated and executed automatically in the VMM according to the strategy to realize the control of the executing process of the system call and the application function.The privileged instruction sequence inserted in the guest system is protected through the memory page authorization mechanism to prevent the impact of the guest system.A cache mechanism is used to reduce the extra performance overhead as much as possible.

HAO Dong-bai,GUO Lin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.18.016

2007-01-01

Abstract:This paper started with monitoring system resource of program access. Registry and file and process resource creation are fo- cused on and associated to detect program behavior anomaly at runtime, a program behavior anomaly detection system is designed and implemented based on operating system service Hook some key techniques of Hook are introduced as well as the design structure and im- plementation points of this system. At last,the experimental result validated the feasibility and availability of this system.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

GUAN Yun-tao,DUAN Hai-xin

2009-01-01

Abstract:With the application of polymorphism,metamorphism and packing techniques,the analysis and detection of modern malware becomes more difficult.Manual malware analysis fails to handle this situation due to its unacceptable cost and human force involvement.The author design and implement an automated malware dynamic analysis system named MwDAS using kernel hooking and filter driver technologies,which can automatically analyze malware sample,extract and detail malware's behaviors into a well-organized report.The experiment shows that MwDAS can dramatically improve the analysis efficiency.