As process injection research on Windows matures, process injection research on Linux is developing as well. In recent years, with the emergence of defense mechanisms such as DEP and SSP, traditional code injection attacks are well detected and contained. Process injection, on the other hand, executes inside a legitimate process at runtime, which lets it bypass some detection and defense mechanisms. At present, process injection detection on Linux mostly relies on monitoring the behavioral characteristics of malicious code, yet process injection leaves traces in volatile memory that such monitoring does not uncover. Detection methods based on memory forensics have therefore come into wide use. These methods are relatively mature on Windows, but on Linux they still need to be explored and studied. This paper therefore proposes a memory-forensics method for detecting Linux process injection. The research content of this paper mainly includes the following aspects.

1. A method for detecting Linux process injection based on memory forensics is proposed. First, the memory map (the list of VMAs) of each process is traversed, and every region whose protection bits are readable, writable and executable at the same time is reported as suspicious. Then the executable code of the process as it exists in memory is compared byte by byte with the corresponding executable file (ELF file) on disk, and a process whose in-memory code differs from its file is reported as suspicious.

2. Three Linux forensic detection methods are proposed, targeting general process hiding, shared memory and PTE based anti-forensic techniques, in order to detect hidden processes. For general hidden processes, the /proc file system is traversed and its entries are compared against the corresponding kernel process information. For shared memory, the file objects pointed to by the vm_file field are collected, the content of the shared memory is enumerated, and the collected file content is compared; after filtering according to rules, the result is output. For PTE entries, the PTE mappings of the process are collected and compared with the mappings recorded in the VMAs, and a process whose two views differ is output as a hidden process.

3. Based on Volatility, this paper develops the Linux process injection detection plug-in detcet_proc_inject, which can output most injected processes. Based on Rekall, the hidden process detection plug-ins detect_hid, detect_shm and detect_pte_hidden for Linux are implemented; these plug-ins output the hidden processes related to the injection behavior.

The process injection detection method proposed in this paper effectively detects a variety of injection methods and remedies the low completeness and high false alarm rate of existing detection methods. The anti-forensic detection techniques studied apply to a variety of anti-forensic methods and effectively detect hidden processes in the system, which better assists forensic personnel in their subsequent analysis. Combined, the two detect malicious processes in the system more completely and effectively, facilitating the subsequent analysis of the malicious code by detection personnel.
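The following Python script is an added illustration of the checks described in aspects 1 and 2 above; it is not the thesis's Volatility or Rekall plug-in code, which does not appear on this page. It performs the RWX-region scan and the in-memory-versus-ELF comparison of aspect 1, and the PTE-versus-VMA cross-view check of aspect 2, against the /proc view of a live process rather than a memory image (the plug-ins walk the same kernel structures, the mm_struct VMA list, vm_file and the page tables, inside a dump). The /proc/<pid>/maps line layout is the only assumption about the system; the names Vma, parse_maps, find_rwx, find_modified_text, unmapped_pte_pages, read_vma and the sample data are mine, and the sample maps, ELF bytes and PTE page list are constructed so that the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]"
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


@dataclass(frozen=True)
class Vma:
    start: int
    end: int
    perms: str   # e.g. "r-xp"
    offset: int  # file offset at which the mapping begins
    path: str    # "" for anonymous memory


def parse_maps(text: str) -> List[Vma]:
    """Parse /proc/<pid>/maps into VMA records (the mm->mmap view of the process)."""
    vmas = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            start, end, perms, off, path = m.groups()
            vmas.append(Vma(int(start, 16), int(end, 16), perms, int(off, 16), path.strip()))
    return vmas


def find_rwx(vmas: Iterable[Vma]) -> List[Vma]:
    """Check 1: regions readable, writable and executable at once.
    The ELF loader never creates such a region; injectors that mprotect() a
    buffer to RWX or mmap() one for shellcode do."""
    return [v for v in vmas if v.perms[:3] == "rwx"]


def find_modified_text(vma: Vma, memory: bytes, file_bytes: bytes) -> List[Tuple[int, int, int]]:
    """Check 2: compare the executable bytes of a file-backed VMA with the ELF on disk.
    Returns (virtual address, byte in memory, byte in file) for each difference."""
    expected = file_bytes[vma.offset:vma.offset + len(memory)]
    return [(vma.start + i, a, b) for i, (a, b) in enumerate(zip(memory, expected)) if a != b]


def unmapped_pte_pages(vmas: Iterable[Vma], pte_pages: Iterable[int]) -> List[int]:
    """PTE-versus-VMA cross-view: a page present in the page tables but covered by
    no VMA was hidden from the VMA walk (e.g. the VMA was unlinked). The reverse,
    a VMA page with no PTE, is normal: it simply has not been touched yet."""
    vmas = list(vmas)
    return [p for p in pte_pages if not any(v.start <= p < v.end for v in vmas)]


def read_vma(pid: int, vma: Vma) -> bytes:
    """Live-system reader for check 2 (needs ptrace rights on the target)."""
    with open(f"/proc/{pid}/mem", "rb") as f:
        f.seek(vma.start)
        return f.read(vma.end - vma.start)


# ---- constructed sample data (not from a real capture) ----
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234 /usr/bin/victim
00401000-00402000 r-xp 00001000 08:01 1234 /usr/bin/victim
00402000-00403000 rw-p 00002000 08:01 1234 /usr/bin/victim
7f0000000000-7f0000001000 rwxp 00000000 00:00 0
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0                          [stack]
"""
SAMPLE_ELF = bytes(range(256)) * 48  # stands in for /usr/bin/victim (0x3000 bytes)
# Pages the page tables say are present; the last one lies in no VMA above.
SAMPLE_PTE_PAGES = [0x401000, 0x7F0000000000, 0x7F0000100000]


def demo() -> Dict[str, object]:
    vmas = parse_maps(SAMPLE_MAPS)
    text = next(v for v in vmas if v.perms == "r-xp" and v.path.endswith("/victim"))
    # What read_vma() would return for the text segment, with a 5-byte inline
    # hook (jmp rel32) written over it at offset 0x10 of the segment.
    memory = bytearray(SAMPLE_ELF[text.offset:text.offset + (text.end - text.start)])
    memory[0x10:0x15] = b"\xe9\x00\x00\x00\x00"
    return {
        "rwx": find_rwx(vmas),
        "text_diffs": find_modified_text(text, bytes(memory), SAMPLE_ELF),
        "hidden_pages": unmapped_pte_pages(vmas, SAMPLE_PTE_PAGES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the sample data the script reports one RWX region (the anonymous page at 7f0000000000), five differing bytes at 0x401010 where the hook was written, and one page (0x7f0000100000) that the page tables map but no VMA covers. Two caveats a practitioner should keep in mind: a file-backed r-x segment normally matches the ELF byte for byte because relocations land in writable data, but a binary replaced on disk after the process started, or a JIT runtime that writes code into executable pages, also produces differences, which is why the thesis filters results by rules before output; and only PTE pages without a VMA are suspicious, never VMA ranges without PTEs.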