
Research On Malware's Memory Mirroring Analysis Method

Posted on: 2016-12-07
Degree: Master
Type: Thesis
Country: China
Candidate: J Xu
Full Text: PDF
GTID: 2348330479454738
Subject: Computer technology
Abstract/Summary:
With the continuous development of network technology, the use of malware to commit and conceal crime is increasingly common. Memory mirroring (memory image) analysis extracts the status information of the target system at capture time and finds the relevant malware information by analyzing the volatile memory of the affected machine. The main idea of current memory mirroring analysis is to identify the objects' methods while the Windows system is running, combined with list traversal to retrieve and analyze the objects. Moreover, many approaches are based on the analysis of one specific object and cannot be linked to other factors in memory.

This thesis researches a memory mirroring analysis method for malware that addresses the drawbacks of these current methods. First, it locates and extracts the memory mirroring objects, and a tag scanning method for locating memory objects is proposed. This method takes the specific tag in the object structures of the operating system memory pool as the symbol that identifies the object; it can effectively identify the operating system's process, network, registry, driver, service and other system objects and the relationships between them, and it can also effectively find all system objects hidden by malware with a rootkit. On this basis, combined with the permissions, attributes and content of memory objects, the subordinate relationships between different memory objects and their numerical relations, malware is analyzed and detected in many ways, and an analysis method for malware's abnormal behavior based on memory objects is proposed. Then the malware behaviors are further complemented and verified by finding the differences among object properties in different memory mirrorings. Finally, a prototype system is realized, detection is run with a Stuxnet sample and 44 kinds of malware samples, and the results are compared with File B-Chao.

The results show that memory mirroring analysis can accurately detect malware's suspicious behavior in processes, hooks, DLLs, code injection, the registry, etc., which indicates the effectiveness of the memory mirroring analysis method proposed in this paper. On that basis, an experiment with Hydraq and 44 kinds of samples was made. Multiple memory image comparison found the suspicious file, network behavior and new service in the detection of Hydraq, which effectively helps to determine the malware's activity. In the 44-sample test results, the number of detected malware samples increased by 19.7% based on the memory analysis, which increases the accuracy of the memory mirroring analysis method.
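The two ideas the abstract contrasts (list traversal of live kernel objects versus tag scanning of the memory pool) and the third it adds (comparing object properties across two memory images) are small enough to show end to end. The example below is added here as an illustration and is not code from the thesis or its prototype system; it uses a constructed, deliberately simplified allocation layout (4-byte tag, 4-byte block size, payload) and a constructed "Proc" process record, not the real Windows pool header or process structures. `build_image`, `scan_pool_tags`, `walk_active_list`, `hidden_processes` and `diff_images` are all assumed names for this example. The scan finds a record that has been unlinked from the list (the cross-view check the abstract describes for rootkit-hidden objects), and the image comparison reports objects that appeared, vanished or changed between two captures.

```python
import struct
from typing import Dict, Iterable, List, Tuple

# Constructed, simplified allocation layout for this example only; it is NOT the
# real Windows _POOL_HEADER / _EPROCESS layout.  Each allocation is
#   4-byte pool tag | 4-byte block size in bytes (header included) | payload
# and the payload of a constructed "Proc" block is
#   4-byte pid | 4-byte flink (image offset of the next record in the active
#   process list, 0 = end of list) | 16-byte NUL-padded name
POOL_HDR = struct.Struct("<4sI")
PROC_REC = struct.Struct("<II16s")
PROC_TAG = b"Proc"
PROC_BLOCK = POOL_HDR.size + PROC_REC.size   # 32 bytes per process allocation
FILLER = b"\x00" * 8                          # stands in for unrelated allocations


def build_image(procs: List[Tuple[int, str]], unlinked: Iterable[int] = ()) -> Tuple[bytes, int]:
    """Build a constructed memory image and return (image, head_offset).
    Records whose pid is in `unlinked` are present in memory but skipped by the
    flink chain, which is what an object hidden from list traversal looks like."""
    unlinked = set(unlinked)
    offsets = [len(FILLER) + i * (PROC_BLOCK + len(FILLER)) for i in range(len(procs))]
    linked = [off for (pid, _), off in zip(procs, offsets) if pid not in unlinked]
    image = bytearray(FILLER)
    for (pid, name), off in zip(procs, offsets):
        later = [o for o in linked if o > off]        # next linked record after this one
        flink = later[0] if later else 0
        image += POOL_HDR.pack(PROC_TAG, PROC_BLOCK)
        image += PROC_REC.pack(pid, flink, name.encode())
        image += FILLER
    return bytes(image), (linked[0] if linked else 0)


def _parse_proc(image: bytes, off: int) -> Dict:
    pid, flink, raw = PROC_REC.unpack_from(image, off + POOL_HDR.size)
    return {"offset": off, "pid": pid, "flink": flink, "name": raw.rstrip(b"\x00").decode()}


def scan_pool_tags(image: bytes, tag: bytes = PROC_TAG) -> List[Dict]:
    """Tag scanning: find every allocation carrying `tag`, whether or not any
    list still references it.  The size field is checked so stray tag bytes
    inside other data are not accepted as objects."""
    found, pos = [], 0
    while (pos := image.find(tag, pos)) != -1:
        if pos + PROC_BLOCK <= len(image):
            _, size = POOL_HDR.unpack_from(image, pos)
            if size == PROC_BLOCK:
                found.append(_parse_proc(image, pos))
        pos += 1
    return found


def walk_active_list(image: bytes, head: int) -> List[Dict]:
    """List traversal: the view the running OS (and a naive tool) gets.
    A visited set cuts loops so a corrupted image cannot spin forever."""
    seen, out, off = set(), [], head
    while off and off not in seen and off + PROC_BLOCK <= len(image):
        seen.add(off)
        rec = _parse_proc(image, off)
        out.append(rec)
        off = rec["flink"]
    return out


def hidden_processes(image: bytes, head: int) -> List[Dict]:
    """Cross-view check: objects the tag scan finds but the list walk does not."""
    listed = {r["pid"] for r in walk_active_list(image, head)}
    return [r for r in scan_pool_tags(image) if r["pid"] not in listed]


def diff_images(old: bytes, new: bytes) -> Dict[str, List]:
    """Image comparison: process objects that appeared, vanished or were
    renamed between two captures of the same system."""
    a = {r["pid"]: r["name"] for r in scan_pool_tags(old)}
    b = {r["pid"]: r["name"] for r in scan_pool_tags(new)}
    return {
        "appeared": sorted((p, b[p]) for p in b.keys() - a.keys()),
        "vanished": sorted((p, a[p]) for p in a.keys() - b.keys()),
        "renamed": sorted((p, a[p], b[p]) for p in a.keys() & b.keys() if a[p] != b[p]),
    }


if __name__ == "__main__":
    # Constructed sample: pid 1337 exists in memory but is unlinked from the list.
    before, head = build_image([(4, "System"), (400, "svchost.exe"), (1337, "dropper.exe")],
                               unlinked={1337})
    print("listed :", [r["name"] for r in walk_active_list(before, head)])
    print("scanned:", [r["name"] for r in scan_pool_tags(before)])
    print("hidden :", [r["name"] for r in hidden_processes(before, head)])
    after, _ = build_image([(4, "System"), (400, "svchost.exe"), (1337, "dropper.exe"),
                            (2000, "newsvc.exe")], unlinked={1337})
    print("diff   :", diff_images(before, after))
```

The point of the header sanity check in `scan_pool_tags` is the one a practitioner cares about: a four-byte tag alone is a weak signal in a large image, so a real scanner validates the surrounding structure (sizes, pointers, type fields) before reporting an object, otherwise the scan trades the false negatives of list traversal for false positives of its own.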
Keywords/Search Tags:Memory Mirroring Analysis, Object Location, Tag Scanning, Image Comparison