Dll injection detection method based on memory forensics

A memory forensics detection technology, applied in the field of dll injection detection based on memory forensics, which addresses the problem that effective digital evidence cannot otherwise be obtained and achieves good versatility.

Pending Publication Date: 2022-07-01
HARBIN UNIV OF SCI & TECH

AI Technical Summary

Problems solved by technology

Among them, reflective dll injection, APC thread injection and Atom-bombing injection technologies will not load malicious dll files into the disk, making traditional disk forensics


Embodiment Construction

[0033] To describe the technical solutions in the embodiments of the present invention clearly and completely, the invention is further described in detail below with reference to the accompanying drawings of the embodiments.

[0034] Step 1. The process of obtaining the memory dump file is as follows:

[0035] A host running 64-bit Windows 10 is taken as an example.

[0036] The flow of calculating the hash set of the disk PE files according to the embodiment of the present invention is shown in figure 1 and comprises the following steps.

[0037] Step 1-1. Traverse the file system to obtain all files;

[0038] Step 1-2. Determine whether each file is a PE file;

[0039] Step 1-3. Simulate loading the PE file into memory and calculate the hash value of the text (code) segment in units of 0x1000 bytes (one page);

[0040] Step 1-4. Collect the hash values and save them into a hash set file.

[0041] Step 2. Obtain the dump file of the physical memory of the ...


Abstract

The invention relates to a dll injection detection method based on memory forensics. The method comprises the following steps: first, a hash set is built for the PE files on disk; then the operating system version and profile (configuration file) information are obtained with the Volatility forensics framework; with the support of that version and profile information, the VAD nodes of each process are traversed and the in-memory PE files are obtained through the VAD node members; after each PE file is relocated, its hash values are calculated and matched against the disk hash set, and every page whose hash value has no match is output as a suspicious page. The dll injection detection method based on memory forensics assists forensic analysts in detecting and extracting the memory regions in which dll injection has occurred, so that subsequent malicious code analysis can be carried out conveniently.
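The steps of the method (the per-page hashing of the disk PE files in Step 1-3 of the embodiment, and the matching of in-memory page hashes against the disk hash set described in the abstract) can be illustrated with the following added example. It is not code from the patent or from the Volatility project: it builds a constructed minimal PE32+ file with one .text section, simulates loading it the way the Windows loader lays sections out, hashes the code section in 0x1000-byte pages, and then reports the pages of a module image whose hashes are absent from the disk hash set. It assumes the in-memory module is mapped at its preferred image base, so no relocation fixups are applied; a real implementation would normalize relocations before hashing, and would obtain the module images from the memory dump rather than constructing them.

```python
import hashlib
import struct

PAGE = 0x1000               # hash granularity used by the method (one 4 KiB page)
IMAGE_SCN_CNT_CODE = 0x00000020


def build_minimal_pe(text: bytes, image_base: int = 0x140000000) -> bytes:
    """Construct a minimal PE32+ file with a single .text section.
    Constructed sample input for the demo, not a real binary."""
    size_of_headers = 0x200
    raw_size = (len(text) + 0x1FF) & ~0x1FF                 # FileAlignment 0x200
    virt_size = len(text)
    size_of_image = PAGE + ((virt_size + PAGE - 1) & ~(PAGE - 1))
    img = bytearray(size_of_headers + raw_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: AMD64, one section, SizeOfOptionalHeader = 240 (PE32+)
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                  # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, image_base)        # ImageBase
    struct.pack_into("<II", img, opt + 32, PAGE, 0x200)      # Section/FileAlignment
    struct.pack_into("<II", img, opt + 56, size_of_image, size_of_headers)
    struct.pack_into("<I", img, opt + 108, 16)               # NumberOfRvaAndSizes
    sec = opt + 240
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".text", virt_size, PAGE,
                     raw_size, size_of_headers, 0, 0, 0, 0,
                     IMAGE_SCN_CNT_CODE | 0x60000000)         # code, exec, read
    img[size_of_headers:size_of_headers + len(text)] = text
    return bytes(img)


def parse_sections(pe: bytes):
    """Return (SizeOfImage, SizeOfHeaders, [section dicts]) from the PE headers.
    Works on a disk file and on a mapped image alike (headers sit at offset 0)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return size_of_image, size_of_headers, sections


def simulate_load(pe: bytes) -> bytes:
    """Step 1-3 (first half): lay the file out as the loader would in virtual
    memory - headers at RVA 0, each section at its VirtualAddress, gaps zeroed."""
    size_of_image, size_of_headers, sections = parse_sections(pe)
    mem = bytearray(size_of_image)
    mem[:size_of_headers] = pe[:size_of_headers]
    for s in sections:
        n = min(s["rawsize"], size_of_image - s["va"])
        mem[s["va"]:s["va"] + n] = pe[s["rawptr"]:s["rawptr"] + n]
    return bytes(mem)


def code_page_hashes(mapped: bytes, sections) -> dict:
    """Step 1-3 (second half): hash every PAGE-sized slice of each code
    section of a mapped image; keys are RVAs, values are SHA-256 hex digests."""
    hashes = {}
    for s in sections:
        if not s["chars"] & IMAGE_SCN_CNT_CODE:
            continue
        end = s["va"] + ((s["vsize"] + PAGE - 1) & ~(PAGE - 1))
        for rva in range(s["va"], end, PAGE):
            hashes[rva] = hashlib.sha256(mapped[rva:rva + PAGE]).hexdigest()
    return hashes


def build_disk_hash_set(pe_files) -> set:
    """Step 1-4: the union of code-page hashes over every PE file on disk."""
    known = set()
    for pe in pe_files:
        mapped = simulate_load(pe)
        known.update(code_page_hashes(mapped, parse_sections(mapped)[2]).values())
    return known


def find_suspicious_pages(memory_module: bytes, known: set) -> list:
    """Matching step: hash the code pages of a module image taken from the
    memory dump and return the RVAs whose hash is not in the disk hash set."""
    sections = parse_sections(memory_module)[2]
    pages = code_page_hashes(memory_module, sections)
    return sorted(rva for rva, h in pages.items() if h not in known)


def demo():
    # Constructed sample: a 2.5-page .text section of non-repeating filler bytes.
    text = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(0x2800 // 32))
    disk_pe = build_minimal_pe(text)
    known = build_disk_hash_set([disk_pe])
    clean = simulate_load(disk_pe)
    # Constructed tampering: 16 bytes overwritten inside the second code page.
    tampered = bytearray(clean)
    tampered[0x2100:0x2110] = b"\x90" * 16
    return find_suspicious_pages(clean, known), find_suspicious_pages(bytes(tampered), known)


if __name__ == "__main__":
    unmodified, modified = demo()
    print("unmodified module, suspicious pages:", [hex(r) for r in unmodified])
    print("tampered module, suspicious pages:  ", [hex(r) for r in modified])
```

Only code pages are hashed, which keeps data sections (whose contents legitimately change at run time) from producing false positives; the last page of a section is hashed together with its zero padding, so the same rounding must be used on both the disk and the memory side for the hashes to agree.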

Description

Technical field

[0001] The invention relates to a dll injection detection method based on memory forensics. The method is well suited to the field of computer memory forensics and is mainly used for detecting and extracting the memory regions in which dll injection has occurred.

Background technique

[0002] With the development and spread of Internet technology, network attacks have become correspondingly more complex and diverse. Computer forensics technology can obtain, analyze and preserve digital evidence of computer intrusions and provide it to a court as admissible evidence. As branches of computer forensics, disk forensics and memory forensics play a key role in combating network offences.

[0003] dll injection attacks take many forms, including registry modification injection, remote thread creation injection, reflective dll injection, Windows message hook injection, APC thread injection, and Atom-bombing i...


Application Information

IPC(8): G06F21/55, G06F21/56
CPC: G06F21/552, G06F21/566
Inventors: 翟继强, 白忆鸽, 孙楷轩
Owner: HARBIN UNIV OF SCI & TECH