Detect Windows Code Injection by Cross-validating Stack and VAD Information
Windows 32/64-bit code injection attacks are a common attack technique by malware. In the field of memory forensics, the existing code injection attack detection technologies cannot handle dynamic content in terms of verification integrity, and cannot be compatible with different versions of Windows...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: |
Harbin University of Science and Technology Publications
2024-04-01
|
| Series: | Journal of Harbin University of Science and Technology |
| Subjects: | |
| Online Access: | https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2311 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1849320992754630656 |
|---|---|
| author | ZHAI Jiqiang HAN Xu WANG Jiaqian SUN Haixu YANG Hailu |
| author_facet | ZHAI Jiqiang HAN Xu WANG Jiaqian SUN Haixu YANG Hailu |
| author_sort | ZHAI Jiqiang |
| collection | DOAJ |
| description | Windows 32/64-bit code injection attacks are a common attack technique by malware. In the field of memory forensics, the existing code injection attack detection technologies cannot handle dynamic content in terms of verification integrity, and cannot be compatible with different versions of Windows systems in terms of parsing data structures in memory. Therefore, the method of locating injected code through cross validation of process stack and VAD information is proposed. The method first obtains data based on traversing stack frames, such as function return address, module name and other information. Then the data is combined with the process VAD structure to detect the function return address and match the file name to locate the injected code. And developed a Windows code injection attack detection plug-in codefind based on the Volatility forensics framework. The test results show that the method can effectively locate Windows 32/64 bit injected code attacks even if the VAD node is modified by malware. |
| format | Article |
| id | doaj-art-4b454ebe2bd1484dac7f9a4b318cf964 |
| institution | Kabale University |
| issn | 1007-2683 |
| language | zho |
| publishDate | 2024-04-01 |
| publisher | Harbin University of Science and Technology Publications |
| record_format | Article |
| series | Journal of Harbin University of Science and Technology |
| spelling | doaj-art-4b454ebe2bd1484dac7f9a4b318cf9642025-08-20T03:49:54ZzhoHarbin University of Science and Technology PublicationsJournal of Harbin University of Science and Technology1007-26832024-04-012902435110.15938/j.jhust.2024.02.006Detect Windows Code Injection by Cross-validating Stack and VAD InformationZHAI Jiqiang0HAN Xu1WANG Jiaqian2SUN Haixu3YANG Hailu4School of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150000 , ChinaSchool of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150000 , ChinaSchool of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150000 , ChinaSchool of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150000 , ChinaSchool of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150000 , ChinaWindows 32/64-bit code injection attacks are a common attack technique by malware. In the field of memory forensics, the existing code injection attack detection technologies cannot handle dynamic content in terms of verification integrity, and cannot be compatible with different versions of Windows systems in terms of parsing data structures in memory. Therefore, the method of locating injected code through cross validation of process stack and VAD information is proposed. The method first obtains data based on traversing stack frames, such as function return address, module name and other information. Then the data is combined with the process VAD structure to detect the function return address and match the file name to locate the injected code. And developed a Windows code injection attack detection plug-in codefind based on the Volatility forensics framework. The test results show that the method can effectively locate Windows 32/64 bit injected code attacks even if the VAD node is modified by malware.https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2311vadstackwindows code injectmemory forensics |
| spellingShingle | ZHAI Jiqiang HAN Xu WANG Jiaqian SUN Haixu YANG Hailu Detect Windows Code Injection by Cross-validating Stack and VAD Information Journal of Harbin University of Science and Technology vad stack windows code inject memory forensics |
| title | Detect Windows Code Injection by Cross-validating Stack and VAD Information |
| title_full | Detect Windows Code Injection by Cross-validating Stack and VAD Information |
| title_fullStr | Detect Windows Code Injection by Cross-validating Stack and VAD Information |
| title_full_unstemmed | Detect Windows Code Injection by Cross-validating Stack and VAD Information |
| title_short | Detect Windows Code Injection by Cross-validating Stack and VAD Information |
| title_sort | detect windows code injection by cross validating stack and vad information |
| topic | vad stack windows code inject memory forensics |
| url | https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2311 |
| work_keys_str_mv | AT zhaijiqiang detectwindowscodeinjectionbycrossvalidatingstackandvadinformation AT hanxu detectwindowscodeinjectionbycrossvalidatingstackandvadinformation AT wangjiaqian detectwindowscodeinjectionbycrossvalidatingstackandvadinformation AT sunhaixu detectwindowscodeinjectionbycrossvalidatingstackandvadinformation AT yanghailu detectwindowscodeinjectionbycrossvalidatingstackandvadinformation |