Detect Windows Code Injection by Cross-validating Stack and VAD Information
| Main Authors: | |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: | Harbin University of Science and Technology Publications, 2024-04-01 |
| Series: | Journal of Harbin University of Science and Technology |
| Subjects: | |
| Online Access: | https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2311 |
| Summary: | Windows 32/64-bit code injection attacks are a common attack technique used by malware. In the field of memory forensics, existing code injection detection techniques cannot handle dynamic content when verifying integrity, and their parsing of in-memory data structures is not compatible across different Windows versions. Therefore, a method is proposed that locates injected code by cross-validating process stack and VAD (Virtual Address Descriptor) information. The method first collects data by traversing stack frames, such as function return addresses and module names. This data is then combined with the process VAD structure to check each function return address and match the backing file name, thereby locating the injected code. A Windows code injection detection plug-in, codefind, was developed on the Volatility forensics framework. Test results show that the method can effectively locate Windows 32/64-bit injected code even when the VAD node has been modified by malware. |
| ISSN: | 1007-2683 |