Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps
نویسندگان
چکیده
Malware predominantly employs code injections, which allow to run code in the trusted context of another process. This enables malware, for instance, to secretly operate or to intercept critical information. It is crucial for analysts to quickly detect injected code. While there are systems to detect code injections in memory dumps, they suffer from unsatisfying detection rates or their detection granularity is too coarse. In this paper, we present Quincy to overcome these drawbacks. It employs 38 features commonly associated with code injections to classify memory regions. We implemented Quincy for Windows XP, 7 and 10 and compared it to the current state of the art, Volatility ’s malfind as well as hollowfind. For this sake, we created a high quality data set consisting of 102 current representatives of code injecting malware families. Quincy improves significantly upon both approaches, with up to 19.49% more true positives and a decrease in false positives by up to 94,76%.
منابع مشابه
Bee Master: Detecting Host-Based Code Injection Attacks
A technique commonly used by malware for hiding on a targeted system is the host-based code injection attack. It allows malware to execute its code in a foreign process space enabling it to operate covertly and access critical information of other processes. Since there exists a plethora of different ways for injecting and executing code in a foreign process space, a generic approach spanning a...
متن کاملSide channel parameter characteristics of code injection attacks
Embedded systems are suggestive targets for code injection attacks in the recent years. Software protection mechanisms, and in general computers, are not usually applicable in embedded systems since they have limited resources like memory and process power. In this paper we investigate side channel characteristics of embedded systems and their applicability in code injection attack detection. T...
متن کاملA mathematical approach to NAND flash-memory descrambling and decoding
New mathematical techniques for analysis of raw dumps of NAND flash memory were developed. These techniques are aimed at detecting, by analysis of the raw NAND flash dump only, the use of LFSR-based scrambling and the use of a binary cyclic code for errorcorrection. If detected, parameter values for both LFSR and cyclic error-correcting code are determined simultaneously. These can subsequently...
متن کاملDwarf Frankenstein is still in your memory: tiny code reuse attacks
Code reuse attacks such as return oriented programming and jump oriented programming are the most popular exploitation methods among attackers. A large number of practical and non-practical defenses are proposed that differ in their overhead, the source code requirement, detection rate and implementation dependencies. However, a usual aspect among these methods is consideration of the common be...
متن کاملDetecting peripheral-based attacks on the host memory
Adversaries can deploy rootkit techniques on the target platform to persistently attack computer systems in a stealthy manner. Industrial and political espionage, surveillance of users as well as conducting cybercrime require stealthy attacks on computer systems. Utilizing a rootkit technique means, that a part of the implemented attack code is responsible for concealing the attack. Attack code...
متن کامل