Visible to the public Biblio

Filters: Keyword is Process Injection  [Clear All Filters]
2023-07-21
Wang, Juan, Ma, Chenjun, Li, Ziang, Yuan, Huanyu, Wang, Jie.  2022.  ProcGuard: Process Injection Behaviours Detection Using Fine-grained Analysis of API Call Chain with Deep Learning. 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). :778—785.

New malware increasingly adopts novel fileless techniques to evade detection from antivirus programs. Process injection is one of the most popular fileless attack techniques. This technique makes malware more stealthy by writing malicious code into memory space and reusing the name and port of the host process. It is difficult for traditional security software to detect and intercept process injections due to the stealthiness of its behavior. We propose a novel framework called ProcGuard for detecting process injection behaviors. This framework collects sensitive function call information of typical process injection. Then we perform a fine-grained analysis of process injection behavior based on the function call chain characteristics of the program, and we also use the improved RCNN network to enhance API analysis on the tampered memory segments. We combine API analysis with deep learning to determine whether a process injection attack has been executed. We collect a large number of malicious samples with process injection behavior and construct a dataset for evaluating the effectiveness of ProcGuard. The experimental results demonstrate that it achieves an accuracy of 81.58% with a lower false-positive rate compared to other systems. In addition, we also evaluate the detection time and runtime performance loss metrics of ProcGuard, both of which are improved compared to previous detection tools.

2022-10-20
Noman, Haitham Ameen, Al-Maatouk, Qusay, Noman, Sinan Ameen.  2021.  Design and Implementation of a Security Analysis Tool that Detects and Eliminates Code Caves in Windows Applications. 2021 International Conference on Data Analytics for Business and Industry (ICDABI). :694—698.
Process injection techniques on Windows appli-cations are considered a serious threat to software security specialists. The attackers use these techniques to exploit the targeted program or process and take advantage of it by injecting a malicious process within the address space of the hosted process. Such attacks could be carried out using the so-called reverse engineering realm” the code caves”. For that reason, detecting these code caves in a particular application/program is deemed crucial to prevent the adversary from exploiting the programs through them. Code caves are simply a sequence of null bytes inside the executable program. They form due to the unuse of uninitialized variables. This paper presents a tool that can detect code caves in Windows programs by disassembling the program and looking for the code caves inside it; additionally, the tool will also eliminate those code caves without affecting the program’s functionality. The tool has proven reliable and accurate when tested on various types of programs under the Windows operating system.