MRCIF: A Memory-Reverse-Based Code Injection Forensics Algorithm

The new DLL injection method and its variants can prevent the injected process from calling common system API to load module so that malicious is invisible LDR linked list of process. Traditional detection methods have low accuracy in forensic attacks. To solve this problem, paper proposes a code covert memory page algorithm based on structure reverse analysis named MRCIF. First, physical pages containing features image are located, sub-algorithm designed for mapping space virtual space, thus realizing reconstruction subset corresponding module. Then, reversely reconstructed, developed reconstruct space. Finally, subset. experimental results indicate MRCIF achieves an 88.89%, which much higher than traditional method, only accurately detect Virtual Address Descriptor (VAD) remapping attack.