Title page for etd-0723116-202543



URN etd-0723116-202543
Author Tzu-Ching Chang
Author's Email Address No Public.
Statistics This thesis had been viewed 5357 times. Download 1 times.
Department Information Management
Year 2015
Semester 2
Degree Master
Type of Document
Language zh-TW.Big5 Chinese
Title Detecting Malware with DLL Injection And PE Infection
Date of Defense 2016-07-25
Page Count 74
Keyword
  • Malware
  • PE File
  • PE Infection
  • APT Attack
  • DLL Injection
Abstract
    Advanced Persistent Threat (APT) attack is one of the most notorious threats to enterprises and organizations. An APT attack is a highly organized, well-funded attack against a specific target. Cyber criminals use many ways to invade a system and obtain sensitive information. The term is applied to sophisticated state-level attacks that infiltrate specific networks to steal sensitive information or assets, or to cause system damage. DLL injection and PE infection are common ways for attackers to hide their presence. An APT attack stays undetected for a long period of time: the average is a year and a half, but in some cases it can be more than 3 years. Most anti-virus vendors use signature-based detection to obtain a high detection rate, but this technique offers no protection against zero-day or previously unseen malware until the vendor updates its database. A hacker can slightly change malicious code to create a unique malware sample in order to escape detection.
    In this paper, our target is to find potential DLL-injected processes, malicious files and PE-infected applications by using dynamic and static analysis. We propose 3 ways to detect malicious files, PE-infected applications and processes subject to DLL injection. The malware detection method extracts sensitive API (Application Programming Interface) calls from malware in order to detect unseen malware. To find potential DLL injection, each thread context and its corresponding stack frames in the target process are scanned for instruction pointer addresses that do not belong to an executable section. PE infection is detected using API distance and duplicated RVA (relative virtual address) entries in the import table. This method only inspects the infected host file to distinguish malware from benign software. Unlike signature-based detection, predicting malware from sensitive APIs and inspecting for potential PE infection can detect unseen malware. Protecting sensitive data is the end goal of almost all IT security measures.
Advisory Committee
  • Gu-Hsin Lai - chair
  • Hui-Tang Lin - co-chair
  • Chih-Hung Wang - co-chair
  • Chia-Mai Chen - advisor
Files
  • etd-0723116-202543.pdf
  • Access: in-campus at 3 years and off-campus at 3 years.
Date of Submission 2016-08-23
