Report accessible at
URN: urn:nbn:de:bvb:29-opus-30925
URL: http://www.opus.ub.uni-erlangen.de/opus/volltexte/2012/3092/
Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis
Willems, Carsten; Freiling, Felix C.
| Field | Value |
|---|---|
| SWD subject headings: | Computer forensics, Malware, Memory management |
| Free keywords (English): | Reverse Engineering, Pagefault Handler |
| CCS classification: | C5.3 |
| Faculty: | Technische Fakultät |
| DDC subject group: | Computer science |
| Document type: | Report |
| Series: | Technical reports / Department Informatik, ISSN 2191-5008 |
| Volume number: | CS-2012,1 |
| Language: | German |
| Year of creation: | 2012 |
| Publication date: | 17.02.2012 |
| Abstract (English): | Exploits that successfully attack computers are mostly based on some form of shellcode, i.e., illegitimate code that is injected by the attacker to take control of the system. Detecting and extracting such code is the first step to detailed analysis of malware containing illegitimate code. The amount and sophistication of modern malware calls for automated mechanisms that perform such detection and extraction. In this paper we present a novel, generic and fully automatic approach to detect the execution of illegitimate code and extract such code upon detection. The basic idea is to flag critical memory pages as non-executable and use a modified page fault handler to dump the corresponding memory pages. We present an implementation of the approach for the Windows platform called CWXDetector. Evaluations using a large corpus of malicious PDF documents show that our system produces no false positives and has a similarly low false negative rate. |