Thesis/Dissertation etd-0427119-165427: Detailed Record



Name: Jhih-Syong Long (龍志雄)    E-mail: not disclosed
Department: Department of Information Management
Degree: Master    Graduation term: academic year 107 (2018-2019), 2nd semester
Title (Chinese): 在動態環境中阻擋DLL Injection (Blocking DLL Injection in a Dynamic Environment)
Title (English): Defending DLL Injection in Runtime
Files
  • etd-0427119-165427.pdf
  • This electronic full text is licensed only for personal, non-commercial retrieval, reading and printing for the purpose of academic research.
    Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it.
    Access permissions

    Print copy: public after 5 years (public from 2024-05-27)

    Electronic copy: user-defined permissions: on-campus after 5 years, off-campus after 5 years

    Language/pages: Chinese / 43
    Statistics: viewed 5508 times, downloaded 0 times
    Abstract (Chinese): This study develops DIB (DLL Injection Blocker), a defender that blocks a DLL injection attack at the moment it occurs. DIB records complete information about both the attacker and the targeted process, which is of great help to digital forensic analysts.
    DLL injection is an attack technique that forces a malicious dynamic-link library (DLL) into a victim process. The injection uses Windows' built-in APIs, and the victim process, without being aware of it, then performs actions its original author never intended. Because DLL injection hides the malware behind a legitimate process, antivirus software has difficulty detecting it. Antivirus detection falls into two main classes, anomaly-based and signature-based. With anomaly-based detection, antivirus software can detect that a victim process is performing abnormal, malicious activity after it has been injected. However, anomaly detection tends to produce a great many false positives, and by the time the anomaly detection system raises an alert the enterprise or organization has already been attacked by the malware, and the damage done may already be beyond estimation. Signature-based detection achieves efficient detection through its backing malware-signature database, but it depends on that database being kept up to date. A DLL is Microsoft Windows' notion of a shared library. It can contain many export functions, each of which can stand for a program, so a single malicious DLL may in fact be a collection of malware. An attacker can easily modify the content of a malicious DLL to produce an entirely different piece of malware; such new malware and zero-day attacks can then bypass signature-based defenses and attack the system.
    DIB can interrupt the DLL injection attack and expose the malware hiding behind it. Whether the malicious DLLs are trojans, ransomware or zero-day attacks, DIB protects enterprises and organizations from DLL injection attacks.
    Abstract (English): This paper presents DIB, a defender against DLL injection attacks. DIB hijacks the DLL injection attack and stops the malware. It records both the malware's information and the victim's information, which helps forensic analysts.
    DLL injection is a technique that forces a victim process to load a dynamic-link library. The attack is implemented with Windows APIs, and makes the victim process do things its author did not intend. DLL injection hides the malware behind a normal process, which makes it hard for antivirus software to detect. There are two general ways to detect malware: anomaly-based detection and signature-based detection. With anomaly-based detection, antivirus software can detect the abnormal behavior only after the malicious DLL injected into the victim process starts to attack. However, there are many false alarms, and the system has already been compromised by then, which makes anomaly-based detection a poor choice for detecting DLL injection. Signature-based detection achieves a high detection rate with its malware signature databases, but it relies on those databases being updated rapidly. A DLL is a shared-library concept in Microsoft Windows. A DLL contains many export functions, and each function can represent a program, which means a malicious DLL may be a collection of malware. Hackers can easily modify a malicious DLL to create a unique sample that is not defined in the malware signature databases and so bypass signature-based detection.
    DIB interrupts the DLL injection and brings the malware to light. Whatever the purposes of the malicious DLLs, DIB protects the system from being attacked by DLL injection malware.
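The abstracts describe an interceptor that watches the Windows API calls an injector must make (OpenProcess with write and thread-creation rights, WriteProcessMemory, CreateRemoteThread) and refuses the call that would complete the injection while recording both process IDs. The block below is an added example written for this page, not DIB's code and not taken from the thesis: it implements that decision over a constructed sequence of intercepted calls. The access-right values are the documented winnt.h constants; the event layout, the PIDs (4242 injecting into 1337) and the addresses are assumptions made for the example. It also covers the two ways the final CreateRemoteThread can point at injected data, which the abstract only implies: the thread starts inside the written bytes (shellcode), or it starts at a library routine such as LoadLibraryA whose argument lies inside the written bytes (the DLL-path variant).

```c
/* Added example (not from the thesis): decision logic of the kind a user-mode
 * API interceptor would run on OpenProcess / WriteProcessMemory /
 * CreateRemoteThread. Constants are winnt.h values; event format, PIDs and
 * addresses are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Process access rights (winnt.h values) relevant to remote injection. */
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_ALL_ACCESS        0x1FFFFFu   /* Windows Vista and later */

/* Rights that let a caller write into, and start a thread in, a foreign process. */
#define INJECT_RIGHTS (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

typedef enum { API_OPENPROCESS, API_WRITEPROCESSMEMORY, API_CREATEREMOTETHREAD } api_t;

typedef struct {
    api_t    api;
    uint32_t caller_pid;  /* process issuing the call (potential injector) */
    uint32_t target_pid;  /* process the handle refers to (potential victim) */
    uint32_t access;      /* OpenProcess: dwDesiredAccess */
    uint64_t address;     /* WriteProcessMemory: lpBaseAddress; CreateRemoteThread: lpStartAddress */
    uint64_t size;        /* WriteProcessMemory: nSize */
    uint64_t param;       /* CreateRemoteThread: lpParameter */
} api_event_t;

/* What has been observed so far for one caller -> target pair. */
typedef struct {
    uint32_t caller_pid, target_pid;
    int      has_inject_rights;        /* OpenProcess asked for INJECT_RIGHTS */
    int      wrote_memory;             /* caller has written into the target */
    uint64_t write_base, write_size;   /* most recent region written */
} track_t;

#define MAX_TRACKS 32
typedef struct { track_t t[MAX_TRACKS]; int n; } monitor_t;

static track_t *track_for(monitor_t *m, uint32_t caller, uint32_t target) {
    for (int i = 0; i < m->n; i++)
        if (m->t[i].caller_pid == caller && m->t[i].target_pid == target) return &m->t[i];
    if (m->n == MAX_TRACKS) return NULL;
    track_t *t = &m->t[m->n++];
    memset(t, 0, sizeof *t);
    t->caller_pid = caller; t->target_pid = target;
    return t;
}

static int in_region(uint64_t p, uint64_t base, uint64_t size) { return p >= base && p < base + size; }

/* Feed one intercepted call. Returns 1 if the call would complete an injection
 * (refuse it; `record` holds the forensic summary), 0 if it may proceed. */
int monitor_feed(monitor_t *m, const api_event_t *e, char *record, size_t reclen) {
    if (e->caller_pid == e->target_pid) return 0;   /* a process acting on itself is not injection */
    track_t *t = track_for(m, e->caller_pid, e->target_pid);
    if (!t) return 0;
    switch (e->api) {
    case API_OPENPROCESS:
        /* PROCESS_ALL_ACCESS is a superset, so test the bits, not the exact value. */
        if ((e->access & INJECT_RIGHTS) == INJECT_RIGHTS) t->has_inject_rights = 1;
        break;
    case API_WRITEPROCESSMEMORY:
        if (t->has_inject_rights) { t->wrote_memory = 1; t->write_base = e->address; t->write_size = e->size; }
        break;
    case API_CREATEREMOTETHREAD:
        /* Shellcode variant: thread starts inside the written bytes.
         * LoadLibrary variant: thread starts at a library routine, its argument is inside the written bytes. */
        if (t->wrote_memory && (in_region(e->address, t->write_base, t->write_size) ||
                                in_region(e->param,   t->write_base, t->write_size))) {
            snprintf(record, reclen, "blocked: injector pid=%u victim pid=%u start=0x%llx param=0x%llx written=[0x%llx,+0x%llx)",
                     e->caller_pid, e->target_pid, (unsigned long long)e->address, (unsigned long long)e->param,
                     (unsigned long long)t->write_base, (unsigned long long)t->write_size);
            return 1;
        }
        break;
    }
    return 0;
}

/* Constructed scenario: pid 4242 writes a DLL path into pid 1337 (a calc.exe stand-in)
 * and starts LoadLibraryA on it. Returns how many calls the monitor refused. */
int demo_loadlibrary_injection(char *record, size_t reclen) {
    monitor_t m = {0};
    const api_event_t seq[] = {
        { API_OPENPROCESS,        4242, 1337, PROCESS_ALL_ACCESS, 0, 0, 0 },
        { API_WRITEPROCESSMEMORY, 4242, 1337, 0, 0x20000000ull, 0x40, 0 },              /* "C:\\evil.dll" */
        { API_CREATEREMOTETHREAD, 4242, 1337, 0, 0x7ffc1a2b3c40ull, 0, 0x20000000ull }, /* LoadLibraryA(path) */
    };
    int blocked = 0;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) blocked += monitor_feed(&m, &seq[i], record, reclen);
    return blocked;
}

/* Constructed benign scenario: a read-only OpenProcess (task-manager style) and a
 * process creating a thread in itself. Neither should be refused. */
int demo_benign_sequence(void) {
    monitor_t m = {0};
    char rec[160];
    const api_event_t seq[] = {
        { API_OPENPROCESS,        77,   1337, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, 0, 0 },
        { API_CREATEREMOTETHREAD, 1337, 1337, 0, 0x00401000ull, 0, 0 },
    };
    int blocked = 0;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) blocked += monitor_feed(&m, &seq[i], rec, sizeof rec);
    return blocked;
}

int main(void) {
    char rec[200];
    int b = demo_loadlibrary_injection(rec, sizeof rec);
    printf("injection scenario: %d refused; %s\n", b, b ? rec : "(none)");
    printf("benign scenario: %d refused\n", demo_benign_sequence());
    return 0;
}
```

The refusal is made only at CreateRemoteThread, the first call with which the victim would actually execute attacker-supplied data; refusing at OpenProcess would also break debuggers and monitoring tools that legitimately hold PROCESS_ALL_ACCESS, which is the false-positive trade-off the thesis measures in Table 4-4. A real interceptor would also have to cover the other injection routes the thesis surveys (AppInit_DLLs and SetWindowsHookEx), which never call WriteProcessMemory and so would pass this logic untouched.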
    Keywords (Chinese)
  • 惡意軟體 (malware)
  • DLL注入攻擊 (DLL injection attack)
  • 動態分析 (dynamic analysis)
  • 防毒軟體 (antivirus software)
  • 動態連結程式庫 (dynamic-link library)
    Keywords (English)
  • DLL
  • Malware
  • Dynamic analysis
  • Antivirus
  • DLL Injection
    Table of Contents
    Thesis Approval Form
    Abstract (Chinese)
    Abstract
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
    1.1 Research Background
    1.2 Research Motivation and Objectives
    Chapter 2 Literature Review
    2.1 Dynamic-Link Libraries
    2.2 DLL Injection Attacks
    2.2.1 AppInit_DLLs Registry Value
    2.2.2 Windows Hooks
    2.2.3 Remote Threads
    2.2.4 DLL Injectors
    2.3 Windows API
    2.3.1 OpenProcess
    2.3.2 WriteProcessMemory
    2.4 DLL Injection Detection
    Chapter 3 Research Method
    3.1 DLL Injection Flow
    3.2 System Flow
    3.3 Interception and Blocking
    Chapter 4 System Evaluation
    4.1 Experiment 1: System Validation
    4.2 Experiment 2: Comparison with a DLL Injection Detection Tool
    4.3 Experiment 3: Counterfeit Calculator Malware
    4.4 Experiment 4: Comparison with Antivirus Products
    Chapter 5 Contributions and Future Work
    Chapter 6 References
    List of Figures
    Figure 2-1: AppInit_DLLs in the registry
    Figure 2-2: How Windows hooks work [18]
    Figure 2-3: Injecting a DLL into the victim process with SetWindowsHookEx
    Figure 2-4: Injecting a DLL into the victim process with a remote thread [22]
    Figure 2-5: Superject's user interface for writing one's own DLL code
    Figure 2-6: Definition of OpenProcess
    Figure 2-7: Definition of WriteProcessMemory
    Figure 3-1: DLL injection flow
    Figure 3-2: All DLLs loaded in the calc.exe process
    Figure 3-3: Flow when the protected system is attacked
    Figure 3-4: System flow of this study
    Figure 3-5: An application calling a Windows API
    Figure 3-6: DIB intercepting and controlling the API call
    Figure 4-1: Malware requesting memory-write access to calc.exe
    Figure 4-2: OpenProcess parameters, including the requested access rights
    Figure 4-3: The system detects the DLL injection, blocks it and logs the related information
    Figure 4-4: After the attack, calc.exe is not infected
    Figure 4-5: Event log file produced by this study's system
    Figure 4-6: Log file produced by the 3S Labs detection tool
    Figure 4-7: The 3S Labs detection tool indicating possible injected memory addresses
    Figure 4-8: The counterfeit calculator and the DLL it intends to inject
    Figure 4-9: String information obtained by disassembling the malicious calculator with IDA Pro
    Figure 4-10: String list obtained by disassembling the malicious calculator with IDA Pro
    Figure 4-11: Detection result of this study's system
    Figure 5-1: Contributions of this study
    List of Tables
    Table 2-1: Types of Windows hooks
    Table 2-2: Summary of the three DLL injection techniques
    Table 2-3: DLL injector information
    Table 2-4: Access rights that OpenProcess can request
    Table 4-1: Detection results of the 3S Labs tool compared with this study's system
    Table 4-2: Antivirus signature update times
    Table 4-3: Defense results of antivirus products compared with this study's system
    Table 4-4: False-positive rate for benign samples performing different behaviors
    References
    [1] Symantec, "Internet Security Threat Report," vol. 21, Apr. 2016.
    [2] A. Malik, "DLL Injection and Hooking," SecurityXploded. [Online]. Available: http://securityxploded.com/dll-injection-and-hooking.php. [Accessed: 17-Jul-2017].
    [3] J. Shewmaker, "Analyzing DLL injection," GSM Presentation, 2006.
    [4] N. Idika and A. Mathur, "A survey of malware detection techniques," Purdue University, 48, 2007.
    [5] A. Malik, "Injector," Google Sites. [Online]. Available: https://sites.google.com/site/mamit30/home/injector. [Accessed: 17-Jul-2017].
    [6] W. C. Chen, "針對 DLL 型態惡意程式的病毒特徵萃取" (Virus signature extraction for DLL-type malware), master's thesis, Institute of Computer Science and Engineering, National Chiao Tung University, pp. 1-24, 2013.
    [7] D. Allan, "Windows XP still the third most popular OS two years after end-of-life," TechRadar, 08-Apr-2016. [Online]. Available: http://www.techradar.com/news/software/operating-systems/windows-xp-still-the-third-most-popular-os-two-years-after-end-of-life-1318572. [Accessed: 17-Jul-2017].
    [8] Atkinson, "蘋果 Mac 用戶持續成長,過去 9 年間成長了 2 倍!" (Apple Mac users keep growing, doubling over the past 9 years), TechNews 科技新報, 06-May-2016. [Online]. Available: http://finance.technews.tw/2016/05/06/apple-mac/. [Accessed: 17-Jul-2017].
    [9] Microsoft, "DLLs in Visual C++," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/1ez7dh12(v=vs.140).aspx. [Accessed: 17-Jul-2017].
    [10] Microsoft, "DLLs," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/1ez7dh12(VS.80).aspx. [Accessed: 17-Jul-2017].
    [11] Microsoft, "Differences Between Applications and DLLs," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/d1587c1h.aspx. [Accessed: 17-Jul-2017].
    [12] Microsoft, "Advantages of Using DLLs," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/dtba4t8b.aspx. [Accessed: 17-Jul-2017].
    [13] D. Vidyarthi, "Detection of Stealth Process using Hooking," in Proceedings of the Third International Symposium on Women in Computing and Informatics (WCI '15), 2015.
    [14] S. Kim, J. Park and K. Lee, "A brief survey on rootkit techniques in malicious codes," Journal of Internet Services and Information Security, pp. 134-147, 2012.
    [15] M. Jang, H. Kim and Y. Yun, "Detection of DLL Inserted by Windows Malicious Code," in 2007 International Conference on Convergence Information Technology (ICCIT 2007), 2007.
    [16] Microsoft, "Working with the AppInit_DLLs registry value," Microsoft Help and Support. [Online]. Available: https://support.microsoft.com/en-us/help/197571. [Accessed: 17-Jul-2017].
    [17] Microsoft, "AppInit DLLs and Secure Boot," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/dn280412.aspx. [Accessed: 17-Jul-2017].
    [18] I. Ivanov, "API hooking revealed," CodeProject, 02-Dec-2002. [Online]. Available: https://www.codeproject.com/Articles/2082/API-hooking-revealed. [Accessed: 17-Jul-2017].
    [19] J. Berdajs and Z. Bosnić, "Extending applications using an advanced approach to DLL injection and API hooking," Software: Practice and Experience, pp. 567-584, 2010.
    [20] R. Kuster, "Three Ways to Inject Your Code into Another Process," CodeProject, 21-Aug-2003. [Online]. Available: https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces. [Accessed: 17-Jul-2017].
    [21] Microsoft, "CreateRemoteThread function," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/ms682437.aspx. [Accessed: 17-Jul-2017].
    [22] B. Antoniewicz, "Windows DLL Injection Basics," Open Security Research, 08-Jan-2013. [Online]. Available: http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html. [Accessed: 17-Jul-2017].
    [23] Superject, "Superject." [Online]. Available: http://super-ject.weebly.com/. [Accessed: 17-Jul-2017].
    [24] 7199670, "Pro Injector, DLL Injector, roblox injector, extreme injector," Pro Injector. [Online]. Available: http://www.proinjector.com/. [Accessed: 17-Jul-2017].
    [25] hongtae2013, "DLL Vaccine," SourceForge. [Online]. Available: https://sourceforge.net/projects/dllvaccine/. [Accessed: 17-Jul-2017].
    [26] R. Hare, "Injector," Apponic, 28-May-2010. [Online]. Available: http://injector.apponic.com/. [Accessed: 17-Jul-2017].
    [27] Riukuzaki, "Injector Gadget," Softpedia, 01-Oct-2015. [Online]. Available: http://www.softpedia.com/get/Programming/File-Editors/Injector-Gadget.shtml. [Accessed: 17-Jul-2017].
    [28] Zoxc, "DLL Injector for x86/x64," GitHub Gist, 27-Jun-2012. [Online]. Available: https://gist.github.com/Zoxc/2906730. [Accessed: 17-Jul-2017].
    [29] SmallGCOk, "DLL自動注入器" (DLL auto-injector), Blogspot, 02-Feb-2015. [Online]. Available: http://long-ay.blogspot.co.id/p/blog-page_80.html. [Accessed: 17-Jul-2017].
    [30] Microsoft, "Windows API," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/library/cc433218.aspx. [Accessed: 17-Jul-2017].
    [31] Microsoft, "Process Security and Access Rights," Microsoft Developer Network. [Online]. Available: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx. [Accessed: 17-Jul-2017].
    [32] 3S Labs, "Scanning Process Memory for Injected Code," 3S Labs Blog, 25-Jan-2014. [Online]. Available: http://blog.3slabs.com/2013/01/scanning-process-memory-for-injected.html. [Accessed: 17-Jul-2017].
    [33] J. C. Rabek, R. I. Khazan, S. M. Lewandowski and R. K. Cunningham, "Detection of injected, dynamically generated, and obfuscated malicious code," in Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM '03), pp. 76-82, 2003.
    Thesis committee
  • 官大智 - Chair
  • 范俊逸 - Member
  • 賴谷鑫 - Member
  • 鄭伯炤 - Member
  • 陳嘉玫 - Advisor
    Oral defense date: 2017-07-25    Submission date: 2019-05-27


