Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis


Willems, Carsten ; Freiling, Felix


[img]
Preview
PDF
DetectionAndExtractionOfIllegitimateCodeExecution_v2.pdf - Published

Download (369kB)

URL: http://ub-madoc.bib.uni-mannheim.de/3163
URN: urn:nbn:de:bsz:180-madoc-31639
Document Type: Working paper
Year of publication: 2011
Publication language: English
Institution: School of Business Informatics and Mathematics > Sonstige - Fakultät für Mathematik und Informatik
MADOC publication series: Veröffentlichungen der Fakultät für Mathematik und Informatik > Institut für Informatik > Technical Reports
Subject: 004 Computer science, internet
Classification: CCS: C.5.3 Micr ,
Subject headings (SWD): Speicherverwaltung , Malware , Computerforensik
Individual keywords (German): Schaddokumente
Keywords (English): Windows , PTE , Pagefault , PDF-Analysis
Abstract: Exploits that successfully attack computers are mostly based on some form of shellcode, i.e., illegitimate code that is injected by the attacker to take control of the system. Detecting and extracting such code is the first step to detailed analysis of malware containing illegitimate code. The amount and sophistication of modern malware calls for automated mechanisms that perform such detection and extraction. In this paper we present a novel generic and fully automatic approach to detect the execution of illegitimate code and extract such code upon detection. The basic idea of the approach is to flag critical memory pages as non-executable and use a modified page fault handler to dump corresponding memory pages. We present an implementation of the approach for the Windows platform called CWXDetector. Evaluations using malicious PDF documents as example show that CWXDetector produces no false positives and has a similarly low false negative rate.
Additional information:

Das Dokument wird vom Publikationsserver der Universitätsbibliothek Mannheim bereitgestellt.




+ Citation Example and Export

Willems, Carsten ; Freiling, Felix (2011) Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis. Open Access [Working paper]
[img]
Preview



+ Search Authors in

+ Download Statistics

Downloads per month over past year

View more statistics



You have found an error? Please let us know about your desired correction here: E-Mail


Actions (login required)

Show item Show item