• Journal of the China Computer Federation
  • Chinese Core Journal of Science and Technology
  • Chinese Core Journal

J4, 2015, Vol. 37, Issue (08): 1472-1478.


A novel method of hiding the injected modules

WU Jian, LIU Xin

  1. Key Laboratory of Intelligent Computing and Information Processing, Ministry of Education, College of Information Engineering, Xiangtan University, Xiangtan 411105, China
  • Received: 2014-08-11  Revised: 2014-12-02  Online: 2015-08-25  Published: 2015-08-25

Abstract:

In the field of information security, security analysis tools often inject modules into the address space of other processes in order to monitor dangerous behaviour, but malware scans its own process space, locates the monitoring modules, and evades the monitoring. Security analysis tools therefore need to hide the modules they inject into the target process space. Many module-hiding methods exist, such as unlinking the module from the LDR_MODULE chain, hooking the module-enumeration functions, and erasing the PE header, but each of them has significant limitations. To improve on them, we propose a novel method of hiding injected modules: an ordinary module injection is performed first so that the malware dismisses it; the modules then remove themselves, so that the malware cannot detect the presence of the monitoring software. We also present solutions to several typical technical problems encountered in practice. Experimental results show that the proposed method has a good capability to break through the defense system, is compatible with various versions of the Windows operating system, and offers better concealment than the traditional methods.

Key words: information security; Rootkit; thread injection; hide module; thread injection with module; thread injection without module