基于进程隐藏的恶意软件检测规避分析

2018 3rd International Conference on Contemporary Computing and Informatics (IC3I) Pub Date : 2018-10-01 DOI:10.1109/IC3I44769.2018.9007293

Mariya Shafat Kirmani, M. T. Banday

{"title":"基于进程隐藏的恶意软件检测规避分析","authors":"Mariya Shafat Kirmani, M. T. Banday","doi":"10.1109/IC3I44769.2018.9007293","DOIUrl":null,"url":null,"abstract":"The fact that any program to be executed must be loaded in random access memory makes it forensically critical and target-rich search location for evidence. Digital forensic investigation is incomplete without analyzing the physical memory. Random access memory holds the insights of a running system which constitutes the plethora of information some of which is unique to it. Among other information, random access memory holds running processes and process related information maintained in well-defined data structures. The threads spawned by specific processes also reside in this memory. With the advancement in cyber-attacks, malware tends to be memory resident that is hidden from the operating system to avoid detection via security or forensic tools. Both the user space and kernel space is exploited by hidden. This paper is focused towards analyzing the techniques used by rootkits to hide their processes in the memory achieved via hooking and Direct Kernel Object Manipulation (DKOM), the working of a rootkit and its detection. Having the active malicious processes hidden leads to incorrect results of the forensic investigation, rendering it unacceptable before court of law.","PeriodicalId":161694,"journal":{"name":"2018 3rd International Conference on Contemporary Computing and Informatics (IC3I)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Analyzing Detection Avoidance of Malware by Process Hiding\",\"authors\":\"Mariya Shafat Kirmani, M. T. Banday\",\"doi\":\"10.1109/IC3I44769.2018.9007293\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The fact that any program to be executed must be loaded in random access memory makes it forensically critical and target-rich search location for evidence. Digital forensic investigation is incomplete without analyzing the physical memory. Random access memory holds the insights of a running system which constitutes the plethora of information some of which is unique to it. Among other information, random access memory holds running processes and process related information maintained in well-defined data structures. The threads spawned by specific processes also reside in this memory. With the advancement in cyber-attacks, malware tends to be memory resident that is hidden from the operating system to avoid detection via security or forensic tools. Both the user space and kernel space is exploited by hidden. This paper is focused towards analyzing the techniques used by rootkits to hide their processes in the memory achieved via hooking and Direct Kernel Object Manipulation (DKOM), the working of a rootkit and its detection. Having the active malicious processes hidden leads to incorrect results of the forensic investigation, rendering it unacceptable before court of law.\",\"PeriodicalId\":161694,\"journal\":{\"name\":\"2018 3rd International Conference on Contemporary Computing and Informatics (IC3I)\",\"volume\":\"37 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-10-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2018 3rd International Conference on Contemporary Computing and Informatics (IC3I)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/IC3I44769.2018.9007293\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 3rd International Conference on Contemporary Computing and Informatics (IC3I)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IC3I44769.2018.9007293","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

任何要执行的程序都必须加载在随机存取存储器中，这一事实使其成为法医鉴定的关键和目标丰富的证据搜索位置。如果不分析物理内存，数字取证调查是不完整的。随机存取存储器保存了运行系统的洞察力，它构成了过多的信息，其中一些是它独有的。在其他信息中，随机访问内存保存运行的进程和进程相关的信息，这些信息保存在定义良好的数据结构中。由特定进程生成的线程也驻留在该内存中。随着网络攻击的发展，恶意软件往往隐藏在内存中，不被操作系统发现，以避免被安全或取证工具发现。用户空间和内核空间都被hidden所利用。本文的重点是分析rootkit使用的技术，通过hook和直接内核对象操作(DKOM)将其进程隐藏在内存中，rootkit的工作及其检测。隐藏活跃的恶意进程会导致错误的法医调查结果，使其在法庭上无法接受。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Analyzing Detection Avoidance of Malware by Process Hiding

The fact that any program to be executed must be loaded in random access memory makes it forensically critical and target-rich search location for evidence. Digital forensic investigation is incomplete without analyzing the physical memory. Random access memory holds the insights of a running system which constitutes the plethora of information some of which is unique to it. Among other information, random access memory holds running processes and process related information maintained in well-defined data structures. The threads spawned by specific processes also reside in this memory. With the advancement in cyber-attacks, malware tends to be memory resident that is hidden from the operating system to avoid detection via security or forensic tools. Both the user space and kernel space is exploited by hidden. This paper is focused towards analyzing the techniques used by rootkits to hide their processes in the memory achieved via hooking and Direct Kernel Object Manipulation (DKOM), the working of a rootkit and its detection. Having the active malicious processes hidden leads to incorrect results of the forensic investigation, rendering it unacceptable before court of law.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2018 3rd International Conference on Contemporary Computing and Informatics (IC3I)

自引率

0.00%

发文量