
Research On Windows Code Injection Attack Detection Based On Memory Forensics Technology

Posted on: 2024-04-08
Degree: Master
Type: Thesis
Country: China
Candidate: X Han
Full Text: PDF
GTID: 2568306926465924
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, fileless malware has become increasingly popular with attackers. Because it does not rely on local persistence techniques and tactics, it avoids "landing" malicious files on disk and so evades traditional detection methods. Code injection, a typical fileless technique, is also one of the techniques most frequently used by malicious attackers. Both the 64-bit processes and the 32-bit (WoW64) processes that run side by side on the now-dominant Windows x64 platform are targets of attackers. In the field of memory forensics, however, existing detection methods for code injection attacks are no longer applicable to Windows x64 systems in terms of compatibility and effectiveness, and cannot effectively detect both 64-bit and 32-bit code injection attacks on Windows x64 systems. Detection methods for 32-bit and 64-bit code injection attacks that apply to Windows x64 systems are therefore particularly important.

After studying the implementation principles of code injection attacks and summarizing the reverse analysis of malicious samples that use code injection techniques, this thesis extracts the behavioral characteristics of code injection attacks and classifies them, proposing a corresponding detection method for each type of attack. The main research content covers the following three aspects:

1. For code injection attacks whose target is a process that ships with the system, a method is proposed that detects them by cross-validating the process VAD against process stack information. The method first analyzes the data structure of the VAD tree maintained on the Windows platform and extracts the content described by its key fields as one data source for cross-validation; secondly, the process stack is analyzed according to the operating system environment and process type, and key information from the function stack frames is extracted as the other data source for cross-validation. When analyzing process stacks, the differences between the stacks of different process types are examined; this part of the work helps forensic analysts understand the essence of code injection attacks. The experimental results show that this static detection method can replicate the memory layout of the process runtime stack and effectively locate the injected code region.

2. For code injection attacks whose target process is created by the malware itself, a method is proposed that obtains the actual executable state of each page from the page table entries describing it and uses that state for detection. The method likewise analyzes the data structure Windows uses to maintain page table entries, analyzes the layout of page table entries in their different states, and proposes a corresponding page execution state detection method for each state. Windows virtual address translation, shared memory and private memory are parsed at the same time. The experimental results indicate that this dynamic detection method can analyze the actual executable state of process memory pages and locate injected code; it effectively helps forensic analysts capture traces of malicious activity and reduces both the volume of data they must examine and the time spent on analysis.

3. Based on the above analysis, detection plugins were implemented on the Volatility static memory forensics framework and the Rekall dynamic memory forensics framework respectively. Samples from malware families that have been frequently active in recent years were selected as test samples, and the detection method proposed in this thesis was compared with existing code injection detection methods in the field of memory forensics. The test results show that the proposed method outperforms existing detection methods in detection accuracy and effectiveness.
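The following is an added illustration of the two checks the abstract describes, items 1 and 2 above; it is not code from the thesis or from its Volatility/Rekall plugins. It models the static check (stack return addresses cross-validated against VAD records) and the dynamic check (the page's real executable state read from its page table entry) on a toy process. The VAD list, stack return addresses and PTE values are constructed sample data; a real plugin would read them from the memory image. Only the hardware x64 PTE format is decoded (present bit 0, execute-disable bit 63); Windows software PTE formats (transition, prototype, pagefile) are out of scope here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hardware x64 PTE layout (Intel SDM / AMD64 manual): bit 0 present,
# bit 1 R/W, bit 2 user/supervisor, bit 63 execute-disable (XD),
# page frame number in bits 12..51.
PTE_PRESENT = 1 << 0
PTE_RW = 1 << 1
PTE_USER = 1 << 2
PTE_XD = 1 << 63
PAGE_SHIFT = 12


def pte_executable(pte: int) -> Optional[bool]:
    """True if a present hardware PTE maps an executable page, False if the
    page is present but XD is set, None if the PTE is not present (software
    PTE formats would need their own parser, not implemented in this toy)."""
    if not (pte & PTE_PRESENT):
        return None
    return not (pte & PTE_XD)


@dataclass
class Vad:
    """Minimal stand-in for the fields of a Windows VAD node."""
    start: int
    end: int                     # inclusive end address
    protection: str              # initial protection recorded in the VAD
    mapped_file: Optional[str]   # None means private (not file-backed) memory

    def contains(self, addr: int) -> bool:
        return self.start <= addr <= self.end


def find_vad(vads: List[Vad], addr: int) -> Optional[Vad]:
    for v in vads:
        if v.contains(addr):
            return v
    return None


def cross_validate(vads: List[Vad], return_addrs: List[int],
                   ptes: Dict[int, int]) -> List[Tuple[int, str]]:
    """Cross-validate each stack return address against the VAD tree (static
    check) and against the executable state in its PTE (dynamic check).
    `ptes` maps virtual page number -> hardware PTE value."""
    findings: List[Tuple[int, str]] = []
    for ra in return_addrs:
        vad = find_vad(vads, ra)
        pte = ptes.get(ra >> PAGE_SHIFT)
        exec_state = pte_executable(pte) if pte is not None else None
        if vad is None:
            findings.append((ra, "return address covered by no VAD"))
        elif vad.mapped_file is None and "EXECUTE" in vad.protection:
            # Code running from private executable memory with no backing
            # file: the classic footprint of injected code.
            findings.append((ra, "return into private executable memory"))
        elif exec_state is True and "EXECUTE" not in vad.protection:
            # The VAD keeps the initial protection; a later VirtualProtect
            # shows up only in the PTE, so the two disagree.
            findings.append((ra, "PTE executable but VAD protection is not"))
    return findings


def make_pte(pfn: int, executable: bool, present: bool = True) -> int:
    """Build a constructed hardware PTE value for the sample data."""
    val = (pfn << PAGE_SHIFT) | PTE_RW | PTE_USER
    if present:
        val |= PTE_PRESENT
    if not executable:
        val |= PTE_XD
    return val


# Constructed sample process: two image mappings, a heap, and one private
# RWX region standing in for an injected payload.
SAMPLE_VADS = [
    Vad(0x7FF8_1000_0000, 0x7FF8_1014_FFFF, "PAGE_EXECUTE_WRITECOPY",
        r"\Windows\System32\kernel32.dll"),
    Vad(0x7FF6_0000_0000, 0x7FF6_0002_FFFF, "PAGE_EXECUTE_WRITECOPY",
        r"\Users\demo\app.exe"),
    Vad(0x01E0_0000_0000, 0x01E0_000F_FFFF, "PAGE_READWRITE", None),
    Vad(0x0210_0000_0000, 0x0210_0000_FFFF, "PAGE_EXECUTE_READWRITE", None),
]
# Constructed return addresses walked from the sample thread's stack.
SAMPLE_STACK = [0x7FF8_1002_3A10, 0x7FF6_0000_1F40,
                0x0210_0000_0120, 0x01E0_0004_0200]
# Constructed PTEs; the heap page was made executable after allocation.
SAMPLE_PTES = {
    0x7FF8_1002_3A10 >> PAGE_SHIFT: make_pte(0x1A2B3, True),
    0x7FF6_0000_1F40 >> PAGE_SHIFT: make_pte(0x1A2C0, True),
    0x0210_0000_0120 >> PAGE_SHIFT: make_pte(0x2F001, True),
    0x01E0_0004_0200 >> PAGE_SHIFT: make_pte(0x2F100, True),
}


def run_sample() -> List[Tuple[int, str]]:
    return cross_validate(SAMPLE_VADS, SAMPLE_STACK, SAMPLE_PTES)


if __name__ == "__main__":
    for addr, reason in run_sample():
        print(f"{addr:#018x}: {reason}")
```

On the sample data the two image-backed return addresses pass, the frame returning into the private RWX region is flagged by the VAD check, and the frame returning into the heap page is flagged only because the PTE reports it executable while the VAD still records PAGE_READWRITE, which is why the abstract pairs the VAD-based static check with the PTE-based dynamic one.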
Keywords/Search Tags: Memory Forensics, Process Stack, Virtual Address Descriptor, Paging Structure, Code Injection Attack