• 中国计算机学会会刊
  • 中国科技核心期刊
  • 中文核心期刊

J4 ›› 2015, Vol. 37 ›› Issue (08): 1472-1478.

• 论文 • 上一篇    下一篇

一种隐藏注入模块的新方法

吴建,刘新   

  1. (湘潭大学信息工程学院“智能计算与信息处理”教育部重点实验室,湖南 湘潭 411105)
  • 收稿日期:2014-08-11 修回日期:2014-12-02 出版日期:2015-08-25 发布日期:2015-08-25
  • 基金资助:

    湖南省自然科学基金资助项目(12JJ3066)

A novel method of hiding the injected modules

WU Jian,LIU Xin   

  1. (Key Laboratory of Intelligent Computing and Information Processing,Ministry of Education,
    College of Information Engineering of Xiangtan University,Xiangtan 411105,China)
  • Received:2014-08-11 Revised:2014-12-02 Online:2015-08-25 Published:2015-08-25

摘要:

在信息安全领域,安全分析工具往往需要将监控模块注入到其他进程空间以实现监控功能,但恶意软件往往会通过检测自身空间是否有其他模块来逃避监控。因此,安全工具需要对注入模块加以隐藏。比较常见的隐藏方法有:断开进程的LDR_MODULE链、Hook枚举模块的函数、抹去PE头等,但这些方法都有比较大的局限性。针对这些局限性,提出了一种对注入模块进行隐藏的新方法。在注入时利用普通有模块注入方式,让恶意软件疏于防范;注入之后消除自身模块,让恶意软件无法检测到监控软件的存在。对于应用中的一些具体技术问题给出了解决方法。实验结果表明,该方法突破防御能力强,可兼容各种版本的Windows操作系统,并且隐蔽性比目前的通用方法更好。

关键词: 信息安全, Rootkit, 线程注入, 隐藏模块, 有模块注入, 无模块注入

Abstract:

In the field of information security,security analysis tools often inject some modules into other process space for monitoring dangerous behaviors, but malwares will scan their own process space and find out the monitor modules to avoid antimonitoring. So security analysis tools should hide the modules that are injected into the target process space. There are many methods for hiding modules, such as disconnecting the LDR_MODULE chain, hooking the function of the enumeration module, erasing the PE header, and so on. But these methods have significant limitations. To make an improvement, we propose a novel method to hide the injected modules. Ordinary module injection is given so they can be neglected by malwares; then the modules are eliminated by themselves, so that malwares cannot detect the presence of the monitoring softwares. Besides, we list out solutions to some typical specific technical problems in practice. Experimental results show that the proposed method has good capability to break through the defense system, it is compatible with various versions of Windows operating systems, and its concealment is better than the traditional methods.

Key words: information security;Rootkit;thread injection;hide module;thread injection with module;thread injection without module