
Research Of Code Cave Detection Technology On The Windows Platform

Posted on: 2018-12-03 | Degree: Master | Type: Thesis
Country: China | Candidate: Z Han | Full Text: PDF
GTID: 2348330512488274 | Subject: Engineering
Abstract/Summary:
As a technology that can change the execution flow of a program, Code Cave has been widely used. In the absence of source code, Code Cave techniques can add, remove or modify the functionality of a program without making large changes to the program itself. However, Code Cave can also be exploited maliciously to inject and execute arbitrary code. There are few studies on the definition and detection of Code Cave, and this thesis attempts to define it. The relevant detection methods are integrity detection, instruction jump analysis and execution path detection. These methods have obvious shortcomings:

(1) Integrity detection must assume that the original backup is correct and untampered, which in practice is often not guaranteed.
(2) Because a Code Cave can be located in many places and many kinds of jump instructions exist, the instruction jump analysis method currently has some limitations.
(3) Because the execution path of the same program, and the number of instructions executed, may differ under different circumstances, the execution path detection method is prone to misjudgment.

The main contents of this thesis are:

(1) This thesis gives a relatively reasonable definition of Code Cave: writing a piece of code into a piece of free memory in the process space and redirecting the program's execution flow to this code, thus changing the original execution flow. The thesis also defines the complex Code Cave and the composition and attributes of a Code Cave, and demonstrates the use of Code Cave through a concrete example.
(2) The thesis analyzes the shortcomings of the existing related detection methods, proposes an instruction analysis method based on feature intervals for detecting Code Cave, and analyzes its detection principle. According to the characteristics of Code Cave, the thesis divides the PE file into feature intervals, establishes a list of characteristic instructions called JumpList, and studies how Code Cave code gains execution and the relationships between Code Caves.
(3) This thesis designs and implements the Code Cave detection system CCDSystem. According to the detection object, CCDSystem is divided into two subsystems, SDSystem and DDSystem, for detecting EXE files on disk and EXE modules in memory, respectively.
(4) This thesis tests CCDSystem from both the static and the dynamic aspect and compares it with other tools. The test results show that CCDSystem can effectively detect the existence of Code Cave in EXE files on disk or in memory, and the comparison with other detection tools also demonstrates its superiority.
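To make the feature-interval idea concrete, the following is an added example, not code from the thesis or from CCDSystem: it parses PE32 section headers, treats the interval between each section's VirtualSize and SizeOfRawData as slack the linker left empty, and flags non-zero bytes there or an entry point redirected into it. The minimal PE image, the `.text` layout and the stub bytes are constructed for the demo; a JumpList-style scan of jump instructions is not implemented here.

```python
import struct

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, rawsize, rawptr), ...]) of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawsize, rawptr))
    return entry, sections

def find_code_caves(data):
    """Feature-interval check: [va+vsize, va+rawsize) is file slack the linker left
    empty; non-zero bytes there, or an entry point inside it, are suspected caves."""
    entry, sections = parse_pe(data)
    findings = []
    for name, va, vsize, rawsize, rawptr in sections:
        if rawsize <= vsize:
            continue                                       # section has no slack
        lo, hi = va + vsize, va + rawsize
        tail = data[rawptr + vsize:rawptr + rawsize].lstrip(b"\0")
        if tail:                                           # first non-zero slack byte
            findings.append(("nonzero_slack", name, hi - len(tail)))
        if lo <= entry < hi:
            findings.append(("entry_in_slack", name, entry))
    return findings                                        # leads to verify, not verdicts

def build_sample(entry_rva, stub=b""):
    """Constructed minimal PE32: .text has 0x100 bytes of NOPs, then 0x100 bytes of
    zero slack; `stub` (constructed stand-in for injected code) lands at slack+0x80."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)            # i386, one section
    struct.pack_into("<H", hdr, 0x54, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x58, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<II", hdr, 0x58 + 32, 0x1000, 0x200)  # Section/FileAlignment
    struct.pack_into("<8sIIII", hdr, 0x138, b".text", 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", hdr, 0x138 + 36, 0x60000020)     # CODE|EXECUTE|READ
    text = bytearray(b"\x90" * 0x100 + b"\0" * 0x100)
    text[0x180:0x180 + len(stub)] = stub
    return bytes(hdr + text)
```

Real compilers may leave benign padding in slack, so a hit marks an interval to inspect further (for example with the JumpList analysis the thesis proposes) rather than a confirmed Code Cave.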
Keywords/Search Tags: Code Cave, integrity detection, instruction jump analysis method, execution path detection, feature interval