Advanced Persistent Threat (APT) attacks are among the most notorious threats to enterprises and organizations. An APT attack is a highly organized, well-funded attack against a specific target. Cyber criminals use many ways to invade systems and obtain sensitive information. The term is applied to sophisticated state-level attacks that infiltrate specific networks to steal sensitive information or assets, or to cause system damage. DLL injection and PE infection are common ways for attackers to hide their presence. An APT attack stays undetected for a long period of time: the average is a year and a half, and in some cases it can be more than 3 years. Most anti-virus vendors use signature-based detection to achieve a high detection rate, but this technique offers no protection against zero-day or previously unseen malware until the vendors update their databases. An attacker can slightly change malicious code to create a unique malware sample in order to escape detection.
In this paper, our target is to find potential DLL injection processes, malicious files, and PE-infected applications by using dynamic and static analysis. We propose 3 methods to detect malicious files, PE-infected applications, and DLL-injected processes. The malware detection method extracts sensitive API (Application Programming Interface) calls from malware in order to detect unseen malware. For potential DLL injection processes, we scan each thread context and its corresponding stack frames for instruction pointer addresses that do not belong to an executable section of the target process. We use API distance and duplicated RVA (relative virtual address) import table entries to detect PE infection. This method only inspects infected host files, distinguishing malware from benign files. Unlike signature-based detection, sensitive-API malware prediction and potential PE infection inspection can detect unseen malware. Protecting sensitive data is the end goal of almost all IT security measures.
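The thread-context check described above, namely flagging instruction pointers that are not backed by an executable section of the target process, can be illustrated with a small standalone check. The code below is an added example and is not the paper's own implementation: it parses the section table of a PE image with only the standard library, collects the virtual address ranges of sections marked IMAGE_SCN_MEM_EXECUTE, and reports any recorded stack-frame instruction pointer that falls outside those ranges. The PE header and the list of frame addresses are constructed inline for the example (a minimal PE32+ header with a `.text` and a `.data` section, image base 0x140000000); a real scan would collect the frames from each thread context and union the executable ranges of every loaded module.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag: pages are executable


def executable_ranges(pe):
    """Parse a PE image and return [(section_name, start_va, end_va)] for every
    section whose Characteristics include IMAGE_SCN_MEM_EXECUTE."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:    # PE32+: ImageBase is a QWORD at optional header offset 24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    elif magic == 0x10B:  # PE32: ImageBase is a DWORD at optional header offset 28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    section_table = opt + size_opt
    ranges = []
    for i in range(num_sections):
        off = section_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        if chars & IMAGE_SCN_MEM_EXECUTE:
            ranges.append((name, image_base + va, image_base + va + vsize))
    return ranges


def flag_frames(frames, exec_ranges):
    """Return the instruction pointers (from thread contexts / stack frames) that are
    not inside any executable section: candidates for injected or unbacked code."""
    return [ip for ip in frames
            if not any(lo <= ip < hi for _, lo, hi in exec_ranges)]


def build_sample_image():
    """Constructed minimal PE32+ header (no real code) with a .text and a .data section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> NT headers right after DOS header
    # IMAGE_FILE_HEADER: AMD64, 2 sections, SizeOfOptionalHeader = 240 (PE32+), EXECUTABLE|LARGE_ADDRESS_AWARE
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)           # Magic = PE32+
    struct.pack_into("<Q", opt, 24, 0x140000000)    # ImageBase

    def section(name, va, vsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)

    sections = (section(b".text", 0x1000, 0x2000, 0x60000020)    # CODE | EXECUTE | READ
                + section(b".data", 0x3000, 0x1000, 0xC0000040))  # INITIALIZED_DATA | READ | WRITE
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections


# Constructed stack-frame instruction pointers, as a thread-context walk might record them:
# one inside .text (benign), one inside .data (not executable), one in an unbacked region.
SAMPLE_FRAMES = [0x140001234, 0x140003010, 0x2A5F0001000]


def scan_sample():
    """Run the check over the constructed image and frames; returns the flagged addresses."""
    return flag_frames(SAMPLE_FRAMES, executable_ranges(build_sample_image()))


if __name__ == "__main__":
    for name, lo, hi in executable_ranges(build_sample_image()):
        print("executable section %-6s %#x-%#x" % (name, lo, hi))
    for ip in scan_sample():
        print("suspicious frame: %#x (not backed by an executable section)" % ip)
```

In a live scan, every loaded module's executable sections would be collected the same way and merged before classifying frames, and legitimately JIT-compiled code (for example .NET or JavaScript engines) will also appear outside any module's sections, so hits should be correlated with the owning memory region's protection and backing file before being treated as an injection finding.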