A DLL (dynamic link library) is the module sharing and reuse mechanism of the Windows platform: it extends an application's functionality while keeping the application's own size down. A DLL cannot run on its own, but it can be loaded into another process and executed there [1]. That property makes DLLs a common vehicle for injecting malicious behaviour into a process. There are many injection methods, among them remote-thread injection, Windows message hooks, registry modification and static modification of the PE import table. Hooking techniques [2-5] can detect the first three, because each of them goes through identifiable API calls; static import-table injection calls no such API at run time (the loader itself resolves the added descriptor), so hooking cannot detect it. Apart from hooking, a DLL can be checked for malicious intent by dynamic detection and by inspection of its binary data.
Dynamic detection methods include module enumeration [6] and pre-emptive DLL injection [7]. Both require the program under examination to enter its running state, and once a program runs it can already carry out malicious or anti-analysis behaviour: "environment-aware" malware inspects its environment while running, determines whether it is being analysed, and changes its behaviour to evade detection [8]. Reference [6] detects statically injected DLLs dynamically: it runs the unmodified program and enumerates its modules to build a list of legitimate modules, then runs the modified program, enumerates its modules again and treats every module absent from the list as suspicious. But a program's set of modules inevitably grows and shrinks with version updates and changing requirements, and the method then fails. This paper therefore studies how DLLs are loaded and proposes a detection method that works during process initialization, without letting the examined program enter its running state.
Binary-data methods include extracting strings or function calls [9-10], extracting the VERSIONINFO resource [11], and feature extraction with a convolutional neural network [12]. All of them parse the DLL to obtain concrete data and compare it with benign DLLs to decide whether the DLL is malicious. A DLL, however, is easily transformed by instruction-equivalent substitution [13] or by packing and compression [14-15]; both change its original structure, and the methods above then no longer extract the right information. This paper therefore studies the arrangement rules of the data in a PE file's import table and proposes a detection method based on data ranges, which needs none of the DLL's internal data.
This paper studies the detection of DLLs injected by static modification of the PE import table. Its main contributions are:
1) A common detection method based on legal scope and a depth detection method based on exception backtracking. The common method computes the range in which the data structures of all imported DLLs are laid out; it does not need to parse function calls, strings or other concrete content of a DLL to infer whether its functionality is malicious. The depth method controls the execution of the target program and follows the DLL loading process during the program's initialization phase.
2) Applying the idea of debugging to malicious DLL detection. Debug APIs are normally used to write debugging tools that catch errors in a running program so that developers can fix them and make the program more robust. Here the debug APIs are used to capture exceptions during DLL loading, and detection is built on that.
3) A detection tool, DLL Detector, which supports 32-bit and 64-bit executables and provides removal, restore and backup functions.
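The following is an added example of the debugger-driven part of the approach (contribution 2 above, and the initialization-phase detection motivated in the introduction); it is not the paper's DLL Detector source. It starts the target under the Win32 debugging API, records every LOAD_DLL_DEBUG_EVENT and every exception delivered before the loader's initial breakpoint, then kills the debuggee so its entry point never runs. The path-based filter in `suspicious_modules` and the base-address backtracking in `attribute_exceptions` are the example's own heuristics, not the paper's criteria; the tracer itself needs Windows, while the two helpers are plain Python.

```python
"""Debugger-driven view of DLL loading during process initialization.  Added example, not the
paper's DLL Detector source.  The tracer needs Windows (Win32 debugging API via ctypes); the
two classification helpers at the end are plain Python and run anywhere."""
import ctypes
import sys

DWORD, WORD, BOOL = ctypes.c_uint32, ctypes.c_uint16, ctypes.c_int
HANDLE, ULONG_PTR, LPWSTR = ctypes.c_void_p, ctypes.c_size_t, ctypes.c_wchar_p
DEBUG_ONLY_THIS_PROCESS = 0x00000002
EXCEPTION_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT = 1, 5, 6
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED, STATUS_BREAKPOINT = 0x00010002, 0x80010001, 0x80000003

class EXCEPTION_RECORD(ctypes.Structure):
    _fields_ = [("ExceptionCode", DWORD), ("ExceptionFlags", DWORD), ("ExceptionRecord", ctypes.c_void_p),
                ("ExceptionAddress", ctypes.c_void_p), ("NumberParameters", DWORD),
                ("ExceptionInformation", ULONG_PTR * 15)]

class EXCEPTION_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", DWORD)]

class LOAD_DLL_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("hFile", HANDLE), ("lpBaseOfDll", ctypes.c_void_p), ("dwDebugInfoFileOffset", DWORD),
                ("nDebugInfoSize", DWORD), ("lpImageName", ctypes.c_void_p), ("fUnicode", WORD)]

class DEBUG_EVENT_UNION(ctypes.Union):
    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO), ("LoadDll", LOAD_DLL_DEBUG_INFO),
                ("raw", ctypes.c_ubyte * 160)]       # covers the largest member of the real union

class DEBUG_EVENT(ctypes.Structure):
    _fields_ = [("dwDebugEventCode", DWORD), ("dwProcessId", DWORD), ("dwThreadId", DWORD),
                ("u", DEBUG_EVENT_UNION)]

class STARTUPINFOW(ctypes.Structure):
    _fields_ = [("cb", DWORD), ("lpReserved", LPWSTR), ("lpDesktop", LPWSTR), ("lpTitle", LPWSTR),
                ("dwX", DWORD), ("dwY", DWORD), ("dwXSize", DWORD), ("dwYSize", DWORD),
                ("dwXCountChars", DWORD), ("dwYCountChars", DWORD), ("dwFillAttribute", DWORD),
                ("dwFlags", DWORD), ("wShowWindow", WORD), ("cbReserved2", WORD),
                ("lpReserved2", ctypes.c_void_p), ("hStdInput", HANDLE), ("hStdOutput", HANDLE),
                ("hStdError", HANDLE)]

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE), ("dwProcessId", DWORD), ("dwThreadId", DWORD)]

def _path_of(k32, hfile):
    """Name the module from the file handle in the event; lpImageName is frequently NULL."""
    buf = ctypes.create_unicode_buffer(32768)
    if not k32.GetFinalPathNameByHandleW(hfile, buf, len(buf), 0):
        return "<unresolved>"
    return buf.value[4:] if buf.value.startswith("\\\\?\\") else buf.value

def trace_initialization(exe_path, timeout_ms=10000):
    """Run exe_path as a debuggee; return ([(base, path)], [(code, address)]) seen before the
    loader's initial breakpoint.  By then every DLL named in the import table has been mapped
    and initialised, but the program's own entry point has not run; the debuggee is then killed."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateProcessW.argtypes = [LPWSTR, LPWSTR, ctypes.c_void_p, ctypes.c_void_p, BOOL, DWORD,
                                   ctypes.c_void_p, LPWSTR, ctypes.POINTER(STARTUPINFOW),
                                   ctypes.POINTER(PROCESS_INFORMATION)]
    k32.WaitForDebugEvent.argtypes = [ctypes.POINTER(DEBUG_EVENT), DWORD]
    k32.ContinueDebugEvent.argtypes = [DWORD, DWORD, DWORD]
    k32.GetFinalPathNameByHandleW.argtypes = [HANDLE, LPWSTR, DWORD, DWORD]
    k32.TerminateProcess.argtypes, k32.CloseHandle.argtypes = [HANDLE, ctypes.c_uint], [HANDLE]
    si, pi = STARTUPINFOW(), PROCESS_INFORMATION()
    si.cb = ctypes.sizeof(si)
    if not k32.CreateProcessW(exe_path, None, None, None, False, DEBUG_ONLY_THIS_PROCESS,
                              None, None, ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())
    loaded, exceptions, ev = [], [], DEBUG_EVENT()
    try:
        while k32.WaitForDebugEvent(ctypes.byref(ev), timeout_ms):
            status, code = DBG_CONTINUE, ev.dwDebugEventCode
            if code == LOAD_DLL_DEBUG_EVENT:
                loaded.append((ev.u.LoadDll.lpBaseOfDll or 0, _path_of(k32, ev.u.LoadDll.hFile)))
                k32.CloseHandle(ev.u.LoadDll.hFile)
            elif code == EXCEPTION_DEBUG_EVENT:
                rec = ev.u.Exception.ExceptionRecord
                if rec.ExceptionCode == STATUS_BREAKPOINT:
                    break                                # initial breakpoint: initialization done
                exceptions.append((rec.ExceptionCode, rec.ExceptionAddress or 0))
                status = DBG_EXCEPTION_NOT_HANDLED       # recorded; let the debuggee's handlers see it
            elif code == EXIT_PROCESS_DEBUG_EVENT:
                break
            k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status)
    finally:
        k32.TerminateProcess(pi.hProcess, 1)             # a possibly tainted image never reaches main
        k32.CloseHandle(pi.hThread)
        k32.CloseHandle(pi.hProcess)
    return loaded, exceptions

def suspicious_modules(loaded, system_root="C:\\Windows"):
    """Modules mapped during initialization from outside the Windows directory.  All static
    imports, injected ones included, are loaded by this point, so an application-directory DLL
    here deserves a look.  This filter is the example's own heuristic, not the paper's."""
    root = system_root.lower().rstrip("\\") + "\\"
    return [path for _, path in loaded if not path.lower().startswith(root)]

def attribute_exceptions(loaded, exceptions):
    """Backtrack each exception to the module with the highest base at or below its address
    (the example's approximation; image sizes are not read here)."""
    by_base = sorted(loaded)
    return [(code, addr, next((p for b, p in reversed(by_base) if b <= addr), "<unknown>"))
            for code, addr in exceptions]

if __name__ == "__main__" and sys.platform == "win32":
    dlls, excs = trace_initialization(sys.argv[1])
    for path in suspicious_modules(dlls):
        print("loaded from outside the Windows directory during initialization:", path)
    for code, addr, owner in attribute_exceptions(dlls, excs):
        print(f"exception {code:#x} at {addr:#x} inside {owner}")
```

Run it on Windows as `python trace_init.py C:\app\target.exe`. The Python interpreter must have the same bitness as the target (a 32-bit debugger attached to a 64-bit debuggee sees WOW64 artefacts), which is where the paper's separate 32-bit and 64-bit support matters. Because the debuggee is terminated at the initial breakpoint, a DLL that only misbehaves from its DllMain has already shown up in the load list, while environment-aware code in the program's own entry point never gets to run.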
Research on Detection of Dynamic Link Library Injected by Static Modifying Import Table of Portable Executable File
-
Abstract: This paper studies the detection of dynamic link libraries (DLLs) injected by static modification of the import table of a portable executable (PE) file, and proposes a common detection method based on legal scope and a depth detection method based on exception backtracking. The first method works statically: it computes the range in which the data structures of all imported DLLs are laid out, without parsing a DLL's functionality to infer whether it is malicious. The second method applies the idea of debugging to malicious DLL detection: it controls the execution of the target program, tracks the DLL loading process during the program's initialization phase, and uses the debugging API to capture exceptions. A DLL detection experiment was designed in C++: a DLL with download functionality was written and injected into a target program, and the detection tool DLL Detector was designed and developed to examine it. The experiment successfully detected the suspicious module both in the static phase and in the program initialization phase. Both methods support 32-bit and 64-bit PE files and can be used to guard against malicious code.
-
Key words:
- DLL detection /
- DLL injection /
- import table /
- PE file format
-
[1] BERDAJS J, BOSNIC Z. Extending applications using an advanced approach to DLL injection and API hooking[J]. Software: Practice and Experience, 2010, 40(7): 567-584.
[2] SHEN Jian-fang, CHENG Liang-lun, FU Xiu-fen. Implementation of program behavior anomaly detection and protection using Hook technology[C]//2009 WRI International Conference on Communications and Mobile Computing. Yunnan, China: IEEE, 2009, 3: 338-342.
[3] LIU Xin, LIU Ren-ren, WU Xiang-bo. A secret inline Hook technology[C]//2013 8th International Conference on Computer Science & Education. Colombo, Sri Lanka: IEEE, 2013: 913-916.
[4] SONG Yu-chen, SHEN Yong-jun, ZHANG Gui-dong. The new INLINE Hook technology combination of hard-code technology and independent code injection[C]//2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS). Beijing, China: IEEE, 2016: 521-525.
[5] YOSHIZAKI K, YAMAUCHI T. Malware detection method focusing on anti-debugging functions[C]//2014 Second International Symposium on Computing and Networking. Shizuoka, Japan: IEEE, 2014: 563-566.
[6] CHEN Zhuang, WANG Jin-liang, ZHANG Ti. Research and implementation of detection method of manual DLL injection[J]. Journal of Information Security Research, 2017, 3(3): 246-253. (in Chinese)
[7] GUO Yu-cheng, WU Peng, LIN Ju-wei, et al. A way to detect computer trojan based on DLL preemptive injection[C]//2011 10th International Symposium on Distributed Computing and Applications to Business, Engineering and Science. Wuxi, China: IEEE, 2011: 255-258.
[8] SHAID S, MAAROF M. In memory detection of Windows API call hooking technique[C]//2015 International Conference on Computer, Communications, and Control Technology (i4CT). Kuching, Malaysia: IEEE, 2015: 294-298.
[9] JOPHIN S, VIJAYAN M, DIJA S. Detecting forensically relevant information from PE executables[C]//2013 International Conference on Recent Trends in Information Technology (ICRTIT). Chennai, India: IEEE, 2013: 277-282.
[10] KI Y, KIM E, KIM H K. A novel approach to detect malware based on API call sequence analysis[J]. International Journal of Distributed Sensor Networks, 2015, 2015: 1-9.
[11] JANG M, KIM H, YUN Y. Detection of DLL inserted by Windows malicious code[C]//2007 International Conference on Convergence Information Technology (ICCIT 2007). Gyeongju, South Korea: IEEE, 2007: 1059-1064.
[12] POONGUZHALI N P, RAJAKAMALAM T, UMA S, et al. Identification of malware using CNN and bio-inspired technique[C]//2019 IEEE International Conference on System, Computation, Automation and Networking (ICSCAN). Pondicherry, India: IEEE, 2019: 1-5.
[13] WU Wei-min, FAN Wei-feng, WANG Zhi-yue, et al. PE file auto free-antivirus strategy based on characteristic code[J]. Computer Engineering, 2012, 38(12): 118-121. (in Chinese)
[14] LI Ang, ZHANG Yue, ZHANG Jun-xing, et al. A token strengthened encryption packer to prevent reverse engineering PE files[C]//2015 International Conference on Estimation, Detection and Information Fusion (ICEDIF). Harbin, China: IEEE, 2015: 307-312.
[15] LI Lu, LIU Qiu-ju, XU Ting-rong. Research and implementation of compression shell unpacking technology for PE file[C]//2009 International Forum on Information Technology and Applications. Chengdu, China: IEEE, 2009, 1: 438-442.
[16] YOUSAF M S, DURAD M H, ISMAIL M. Implementation of portable executable file analysis framework (PEFAF)[C]//2019 16th International Bhurban Conference on Applied Sciences and Technology (IBCAST). Islamabad, Pakistan: IEEE, 2019: 671-675.
[17] KIM Y, MOON J, CHO S J, et al. Efficient identification of windows executable programs to prevent software piracy[C]//2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing. Birmingham, UK: IEEE, 2014: 236-240.
[18] CHOI J C, HAN Y M, CHO S, et al. A static birthmark for MS windows applications using import address table[C]//2013 Seventh International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing. Taichung, Taiwan, China: IEEE, 2013: 129-134.
[19] WANG Xin-ran, JHI Y C, ZHU S, et al. Detecting software theft via system call based birthmarks[C]//2009 Annual Computer Security Applications Conference. Honolulu, HI, USA: IEEE, 2009: 149-158.
[20] CABRAL B, MARQUES P. A transactional model for automatic exception handling[J]. Computer Languages, Systems & Structures, 2011, 37(1): 43-61.
[21] CHANG H, MARIANI L, MAURO P. Exception handlers for healing component-based systems[J]. ACM Transactions on Software Engineering and Methodology (TOSEM), 2013, 22(4): 30.
[22] GEORGE V, NEVILLE N. Forced exception handling[J]. Communications of the ACM, 2017, 60(6): 31-32. doi: 10.1145/3084356