Enterprises and government agencies are confronted with the threat of Advanced Persistent Threats (APTs), whose defining feature is concealment. APT attacks can evade detection by means of Process Injection and then hide inside infected computers.
Process Injection is a technique that can be used to access the resources of another process and to perform privilege escalation by executing code in the memory address space of a target process. Process Injection is widely used to evade detection by security products because the injected code runs inside a legitimate process.
Malware developers widely apply obfuscation techniques to malicious files from the same malware family, resulting in numerous malware variants. The large number of variants not only poses a threat to computer users but also makes it more difficult for security personnel to analyze malware. In particular, some benign software also uses Process Injection to inject DLL files, making it even harder to discriminate malicious files from benign ones.
In this paper, a malicious DLL classification system combining dynamic analysis, static analysis and machine learning is proposed. The Windows APIs related to Process Injection are catalogued and used to identify malware by means of the Windows Hook mechanism. When Process Injection behavior is detected, the system uses the VirusTotal website and a CNN classification system based on the Inception V3 network to determine whether the injected DLL is a malicious file, so as to assist security personnel with subsequent analysis.
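The detection stage described above, as an added illustration that is not the paper's own code: a hook on injection-related Windows APIs produces a call log, and the log is scanned for callers that complete every stage of a classic DLL injection against one target; the DLL written into the target is then the file to hand to the VirusTotal and CNN check. The API-to-stage table, the log format and the trace lines are all assumptions constructed for this example, since the abstract does not enumerate the paper's API list.

```python
import re
from collections import defaultdict

# Assumed injection-related Windows APIs mapped to the stage each performs;
# the abstract does not enumerate the paper's own API list.
INJECTION_STAGES = {"OpenProcess": "open", "VirtualAllocEx": "alloc",
                    "WriteProcessMemory": "write", "CreateRemoteThread": "exec",
                    "NtCreateThreadEx": "exec", "QueueUserAPC": "exec"}
REQUIRED = {"open", "alloc", "write", "exec"}

# Constructed hook log, "<caller_pid>|<api>|<key=value ...>", as a user-mode
# hook on these APIs might record it. PID 5300 only reads memory (benign).
TRACE = [
    "4100|OpenProcess|target_pid=2200",
    "4100|VirtualAllocEx|target_pid=2200 size=64",
    "4100|WriteProcessMemory|target_pid=2200 data=C:\\Temp\\payload.dll",
    "4100|CreateRemoteThread|target_pid=2200 start=LoadLibraryA",
    "5300|OpenProcess|target_pid=2200",
    "5300|ReadProcessMemory|target_pid=2200 size=4096",
]

def _field(args, name):
    """Pull one key=value field out of the logged argument string."""
    m = re.search(rf"{name}=(\S+)", args)
    return m.group(1) if m else None

def parse_trace(lines):
    """Split each log line into (caller_pid, api, args)."""
    return [(int(p), a, r) for p, a, r in (l.strip().split("|", 2) for l in lines)]

def detect_injection(events):
    """Map (caller_pid, target_pid) -> DLL path written into the target for
    every pair that completed all four stages; a debugger that only opens
    and reads a process never reaches 'alloc'/'write'/'exec' and is skipped."""
    stages, written_dll = defaultdict(set), {}
    for pid, api, args in events:
        stage = INJECTION_STAGES.get(api)
        if stage is None:
            continue
        key = (pid, int(_field(args, "target_pid")))
        stages[key].add(stage)
        data = _field(args, "data")
        if stage == "write" and data and data.lower().endswith(".dll"):
            written_dll[key] = data  # candidate for the VirusTotal / CNN check
    return {k: written_dll.get(k) for k, s in stages.items() if REQUIRED <= s}
```

Because benign software also injects DLLs, a hit here is only a trigger for classification of the written file, not a verdict on its own.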