Master's/doctoral thesis etd-0427119-165427: record details
Title page for etd-0427119-165427
Title: Defending DLL Injection in Runtime (Chinese title: 在動態環境中阻擋DLL Injection)
Department:
Year, semester:
Language:
Degree:
Number of pages: 43
Author:
Advisor:
Convenor:
Advisory committee:
Date of exam: 2017-07-25
Date of submission: 2019-05-27
Keywords (Chinese list, translated): malware, DLL injection attack, dynamic analysis, antivirus, dynamic link library
Keywords (English list): DLL, Malware, Dynamic analysis, Antivirus, DLL Injection
Statistics: the thesis/dissertation has been browsed 5908 times and downloaded 0 times.
Chinese abstract (translated)
This research develops DIB (DLL Injection Blocker), a defender that can block a DLL Injection attack at the moment it occurs. DIB fully records the attacker's information together with that of the attacked target, which is of great help to security forensic analysts.
DLL Injection is an attack technique that forces a malicious dynamic link library (DLL) into a victim process. The injection uses Windows' built-in APIs, and the victim process, without knowing it, carries out behaviour its original author never intended. DLL Injection hides the malware behind a normal process, which makes it hard for antivirus software to detect. Antivirus detection methods fall into two main categories: anomaly detection and signature detection. With anomaly detection, antivirus software can detect the abnormal malicious activity a victim process carries out after it has been subjected to DLL Injection. However, anomaly detection usually produces a great many false positives; worse, by the time the anomaly detection system raises an alarm, the enterprise or organization has already been attacked by the malware and the damage done may be beyond estimation. Signature detection achieves highly efficient detection through its underlying malware signature database, but it depends on that database being kept up to date. A DLL is Microsoft Windows' concept of a shared library. It can contain many export functions, and each export function can represent a program, so a single malicious DLL may in fact be a collection of malware. A hacker can easily modify the content of a malicious DLL to produce a completely different piece of malware; in this way, such new malware and zero-day attacks can bypass signature-based defences and attack the system.
DIB can interrupt a DLL Injection attack and expose the malware hiding behind it. Whether the malicious DLL is a trojan, ransomware, or a zero-day attack, DIB protects enterprises and organizations from DLL Injection attacks.
Abstract
This paper presents DIB, a defender against the DLL Injection attack. DIB hijacks the DLL Injection attack and stops the malware. It records both the malware's information and the victim's information, which helps forensic analysts.
DLL Injection is a technique that forces a victim process to load a dynamic link library. The attack uses the Windows API, and makes the victim process do things its author did not intend. DLL Injection hides the malware behind a normal process, which makes it hard for antivirus software to detect. There are two general ways to detect malware: anomaly-based detection and signature-based detection. With anomaly-based detection, antivirus software can detect the abnormal behavior once the malicious DLL injected into the victim process starts to attack. However, there are many false alarms, and by then the system has already been compromised, which makes anomaly-based detection a poor fit for detecting DLL Injection. Signature-based detection can achieve a high detection rate with its malware signature databases, but it relies on those databases being updated rapidly. A DLL is a shared library concept in Microsoft Windows. A DLL contains many export functions, and each function can represent a program, which means a malicious DLL may be a collection of malware. Hackers can easily modify a malicious DLL to create a unique piece of malware that is not defined in the signature databases and so bypasses signature-based detection.
DIB interrupts the DLL Injection and brings the malware to light. Whatever the purpose of the malicious DLL, DIB protects the system from being attacked by DLL Injection malware.
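The abstract and the figure list (figures 3-6, 4-1 and 4-2, table 2-4) describe DIB's approach as intercepting the Windows API calls an injector makes, inspecting the access rights it asks for in OpenProcess, blocking the call and recording attacker and victim. The following portable C program is an added example, not DIB's code and not from the thesis: it models only the policy decision and the forensic record that such an interceptor would apply once it has the call's arguments in hand. The PROCESS_* constants carry the values defined in the Windows SDK headers; the blocking rule, the allow-list, the image names and the sample events are assumptions constructed for the example.

```c
/* Added example (not DIB's code): a portable C model of the access-rights
 * check a blocker like DIB can apply when it intercepts a process's call to
 * OpenProcess.  The policy, the allow-list and the sample events below are
 * assumptions drawn from the abstract and the figure/table list; the
 * PROCESS_* constants carry the values defined in the Windows SDK headers. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PROCESS_TERMINATE         0x0001u
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_ALL_ACCESS        0x1FFFFFu   /* Windows Vista and later */

/* WriteProcessMemory needs PROCESS_VM_WRITE (with VM_OPERATION) and
 * CreateRemoteThread needs PROCESS_CREATE_THREAD on the handle, so a
 * handle carrying neither right cannot be used to inject a DLL. */
#define INJECTION_RIGHTS (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD)

typedef struct {
    uint32_t    caller_pid;     /* process that called OpenProcess */
    const char *caller_image;   /* its image name */
    uint32_t    target_pid;     /* the pid passed to OpenProcess */
    const char *target_image;
    uint32_t    desired_access; /* the dwDesiredAccess argument */
} open_process_event;

typedef enum { DECISION_ALLOW = 0, DECISION_BLOCK = 1 } decision;

/* Hypothetical allow-list of tools that legitimately need these rights;
 * a real deployment would load this from configuration. */
static const char *const allow_list[] = { "windbg.exe", "devenv.exe" };

static int is_allow_listed(const char *image)
{
    for (size_t i = 0; i < sizeof allow_list / sizeof allow_list[0]; i++)
        if (strcmp(image, allow_list[i]) == 0)
            return 1;
    return 0;
}

/* Core policy: a cross-process request for injection-capable rights is
 * blocked unless the caller is allow-listed.  A process opening itself and
 * read/query-only requests (process listers, Task Manager) pass through. */
decision evaluate_open_process(const open_process_event *ev)
{
    if (ev->caller_pid == ev->target_pid)
        return DECISION_ALLOW;
    if ((ev->desired_access & INJECTION_RIGHTS) == 0)
        return DECISION_ALLOW;
    if (is_allow_listed(ev->caller_image))
        return DECISION_ALLOW;
    return DECISION_BLOCK;
}

/* Forensic record in the spirit of DIB's event log: who asked, for which
 * victim, with which rights, and what was decided.  Returns the record
 * length, or -1 if the buffer is too small. */
int format_event_record(const open_process_event *ev, decision d,
                        char *out, size_t out_len)
{
    int n = snprintf(out, out_len,
                     "decision=%s caller=%u(%s) target=%u(%s) access=0x%06x%s%s%s",
                     d == DECISION_BLOCK ? "BLOCK" : "ALLOW",
                     (unsigned)ev->caller_pid, ev->caller_image,
                     (unsigned)ev->target_pid, ev->target_image,
                     (unsigned)ev->desired_access,
                     (ev->desired_access & PROCESS_VM_WRITE)      ? " VM_WRITE" : "",
                     (ev->desired_access & PROCESS_VM_OPERATION)  ? " VM_OPERATION" : "",
                     (ev->desired_access & PROCESS_CREATE_THREAD) ? " CREATE_THREAD" : "");
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

int main(void)
{
    /* Constructed events in the spirit of experiment 1: a counterfeit
     * calculator asks for write and thread rights on the real calc.exe,
     * while a benign tool asks only to query and read it. */
    const open_process_event events[] = {
        { 4120, "fake_calc.exe", 2056, "calc.exe",
          PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD },
        { 3300, "taskmgr.exe", 2056, "calc.exe",
          PROCESS_QUERY_INFORMATION | PROCESS_VM_READ },
    };
    char rec[256];
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        decision d = evaluate_open_process(&events[i]);
        if (format_event_record(&events[i], d, rec, sizeof rec) > 0)
            puts(rec);
    }
    return 0;
}
```

The point of checking at OpenProcess rather than at WriteProcessMemory is that the handle is the gate: a caller that was never granted PROCESS_VM_WRITE or PROCESS_CREATE_THREAD cannot reach the later injection steps at all, and the record captures attacker and victim before any code lands in the target.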
Table of Contents
Thesis approval form i
Abstract (Chinese) ii
Abstract iii
Table of contents iv
List of figures v
List of tables vi
Chapter 1 Introduction 1
1.1 Research background 1
1.2 Research motivation and objectives 2
Chapter 2 Literature review 4
2.1 Dynamic link libraries 4
2.2 Dynamic link library injection attacks 5
2.2.1 AppInit_DLLs registry 5
2.2.2 Windows Hook 6
2.2.3 Remote Thread 9
2.2.4 DLL Injector 11
2.3 Windows API 13
2.3.1 OpenProcess 13
2.3.2 WriteProcessMemory 14
2.4 DLL Injection detection 15
Chapter 3 Research method 17
3.1 DLL Injection flow 17
3.2 System flow 18
3.3 Interception and blocking 19
Chapter 4 System evaluation 21
4.1 Experiment 1: system validation 21
4.2 Experiment 2: comparison of DLL Injection detection tools 24
4.3 Experiment 3: counterfeit Calculator malware 26
4.4 Experiment 4: comparison of antivirus products 29
Chapter 5 Research contributions and future work 32
Chapter 6 References 33

List of figures
Figure 2-1: AppInit_DLLs in the registry 6
Figure 2-2: How Windows Hooks work [18] 7
Figure 2-3: Injecting a DLL into the victim process via SetWindowsHookEx 8
Figure 2-4: Injecting a DLL into the victim process using a remote thread [22] 10
Figure 2-5: Superject's user interface for writing your own DLL code 13
Figure 2-6: Definition of OpenProcess 13
Figure 2-7: Definition of WriteProcessMemory 15
Figure 3-1: DLL Injection system flow 17
Figure 3-2: All DLLs loaded in the calc.exe process 17
Figure 3-3: Flow of a protected system while under attack 18
Figure 3-4: Flowchart of the proposed system 19
Figure 3-5: An application calling the Windows API 19
Figure 3-6: DIB intercepting and controlling the API call 20
Figure 4-1: Malware requesting memory-write access to calc.exe 22
Figure 4-2: OpenProcess parameters, including the requested access rights 22
Figure 4-3: The system blocking the detected DLL Injection and recording the related information 23
Figure 4-4: calc.exe not infected after the attack 23
Figure 4-5: Event log file produced by the proposed system 24
Figure 4-6: Log file produced by the 3S Labs detection tool 24
Figure 4-7: The 3S Labs detection tool flagging possibly injected memory addresses 25
Figure 4-8: The counterfeit Calculator and the DLL it attempts to inject 27
Figure 4-9: String information obtained by disassembling the malicious Calculator with IDA Pro 27
Figure 4-10: String list obtained by disassembling the malicious Calculator with IDA Pro 28
Figure 4-11: Detection results of the proposed system 28
Figure 5-1: Contributions of this research 32

List of tables
Table 2-1: Types of Windows Hooks 8
Table 2-2: Summary of the three DLL injection attack techniques 11
Table 2-3: DLL Injector information 11
Table 2-4: Access rights that OpenProcess can request 14
Table 4-1: Comparison of detection results between the 3S Labs tool and the proposed system 26
Table 4-2: Virus-definition update times of antivirus products 29
Table 4-3: Comparison of defence results between antivirus products and the proposed system 30
Table 4-4: False-positive rates for benign samples performing different behaviours 31
References
[1] Symantec, "Internet Security Threat Report," vol. 21, Apr. 2016.
[2] A. Malik, "DLL Injection and Hooking," Security Xploded. [Online]. Available: http://securityxploded.com/dll-injection-and-hooking.php. [Accessed: 17-Jul-2017].
[3] J. Shewmaker, "Analyzing DLL injection," GSM presentation, 2006.
[4] N. Idika and A. Mathur, "A survey of malware detection techniques," Purdue University, p. 48, 2007.
[5] A. Malik, "Injector," Google Sites. [Online]. Available: https://sites.google.com/site/mamit30/home/injector. [Accessed: 17-Jul-2017].
[6] W. C. Chen, "Virus signature extraction for DLL-type malware" (針對 DLL 型態惡意程式的病毒特徵萃取), thesis, Institute of Computer Science and Engineering, National Chiao Tung University, pp. 1-24, 2013.
[7] D. Allan, "Windows XP still the third most popular OS two years after end-of-life," TechRadar, 08-Apr-2016. [Online]. Available: http://www.techradar.com/news/software/operating-systems/windows-xp-still-the-third-most-popular-os-two-years-after-end-of-life-1318572. [Accessed: 17-Jul-2017].
[8] Atkinson, "Apple Mac users keep growing, doubling over the past 9 years!" (蘋果 Mac 用戶持續成長,過去 9 年間成長了 2 倍!), TechNews, 06-May-2016. [Online]. Available: http://finance.technews.tw/2016/05/06/apple-mac/. [Accessed: 17-Jul-2017].
[9] Microsoft, "DLLs in Visual C++," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/1ez7dh12(v=vs.140).aspx. [Accessed: 17-Jul-2017].
[10] Microsoft, "DLLs," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/1ez7dh12(VS.80).aspx. [Accessed: 17-Jul-2017].
[11] Microsoft, "Differences Between Applications and DLLs," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/d1587c1h.aspx. [Accessed: 17-Jul-2017].
[12] Microsoft, "Advantages of Using DLLs," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/dtba4t8b.aspx. [Accessed: 17-Jul-2017].
[13] D. Vidyarthi, "Detection of Stealth Process using Hooking," Proceedings of the Third International Symposium on Women in Computing and Informatics (WCI '15), 2015.
[14] S. Kim, J. Park, and K. Lee, "A brief survey on rootkit techniques in malicious codes," Journal of Internet Services and Information Security, pp. 134-147, 2012.
[15] M. Jang, H. Kim, and Y. Yun, "Detection of DLL Inserted by Windows Malicious Code," 2007 International Conference on Convergence Information Technology (ICCIT 2007), 2007.
[16] Microsoft, "Working with the AppInit_DLLs registry value," Microsoft Help and Support. [Online]. Available: https://support.microsoft.com/en-us/help/197571. [Accessed: 17-Jul-2017].
[17] Microsoft, "AppInit DLLs and Secure Boot," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/dn280412.aspx. [Accessed: 17-Jul-2017].
[18] I. Ivanov, "API hooking revealed," Code Project, 02-Dec-2002. [Online]. Available: https://www.codeproject.com/Articles/2082/API-hooking-revealed. [Accessed: 17-Jul-2017].
[19] J. Berdajs and Z. Bosnić, "Extending applications using an advanced approach to DLL injection and API hooking," Software: Practice and Experience, pp. 567-584, 2010.
[20] R. Kuster, "Three Ways to Inject Your Code into Another Process," Code Project, 21-Aug-2003. [Online]. Available: https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces. [Accessed: 17-Jul-2017].
[21] Microsoft, "CreateRemoteThread function," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/ms682437.aspx. [Accessed: 17-Jul-2017].
[22] B. Antoniewicz, "Windows DLL Injection Basics," Open Security Research, 08-Jan-2013. [Online]. Available: http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html. [Accessed: 17-Jul-2017].
[23] Superject, "Superject." [Online]. Available: http://super-ject.weebly.com/. [Accessed: 17-Jul-2017].
[24] 7199670, "Pro Injector, DLL Injector, roblox injector, extreme injector," Pro Injector. [Online]. Available: http://www.proinjector.com/. [Accessed: 17-Jul-2017].
[25] hongtae2013, "DLL Vaccine," SourceForge. [Online]. Available: https://sourceforge.net/projects/dllvaccine/. [Accessed: 17-Jul-2017].
[26] R. Hare, "Injector," Apponic, 28-May-2010. [Online]. Available: http://injector.apponic.com/. [Accessed: 17-Jul-2017].
[27] Riukuzaki, "Injector Gadget," Softpedia, 01-Oct-2015. [Online]. Available: http://www.softpedia.com/get/Programming/File-Editors/Injector-Gadget.shtml. [Accessed: 17-Jul-2017].
[28] Zoxc, "DLL Injector for x86/x64," GitHub Gist, 27-Jun-2012. [Online]. Available: https://gist.github.com/Zoxc/2906730. [Accessed: 17-Jul-2017].
[29] SmallGCOk, "DLL auto-injector" (DLL自動注入器), Blogspot, 02-Feb-2015. [Online]. Available: http://long-ay.blogspot.co.id/p/blog-page_80.html. [Accessed: 17-Jul-2017].
[30] Microsoft, "Windows API," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/library/cc433218.aspx. [Accessed: 17-Jul-2017].
[31] Microsoft, "Process Security and Access Rights," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx. [Accessed: 17-Jul-2017].
[32] 3S Labs, "Scanning Process Memory for Injected Code," 3S Labs Blog, 25-Jan-2014. [Online]. Available: http://blog.3slabs.com/2013/01/scanning-process-memory-for-injected.html. [Accessed: 17-Jul-2017].
[33] J. C. Rabek, R. I. Khazan, S. M. Lewandowski, and R. K. Cunningham, "Detection of injected, dynamically generated, and obfuscated malicious code," Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM '03), pp. 76-82, 2003.
Fulltext
The electronic full text is licensed only for personal, non-commercial searching, reading and printing for academic research; it is subject to the Copyright Act of the Republic of China and must not be reproduced, distributed, adapted, reposted or broadcast.
Thesis access permission: user-defined release date
Available:
On campus: available
Off campus: available
Printed copies: available