Detecting the Malicious Code Injection by Hooking System Calls in Kernel Mode


Bibliographic Details
Main Authors: Yu-Tung Tseng, 曾裕棟
Other Authors: Hung-Min Sun
Format: Others
Language: en_US
Published: 2006
Online Access: http://ndltd.ncl.edu.tw/handle/41499725685973481971
Description
Summary: Master's thesis === National Tsing Hua University (國立清華大學) === Institute of Information Systems and Applications (資訊系統與應用研究所) === 94 === With the wide spread of viruses, trojans, worms, malware, and spyware, most people protect their personal computers with antivirus and firewall software. However, on October 31, 2005, the rootkit shipped on a Sony BMG music CD was revealed. This rootkit was secretly installed into the Microsoft Windows operating system after a Sony BMG music CD was inserted into the computer. It is in fact a kind of Digital Rights Management (DRM) software that protects the CD against unauthorized copying, but it hides its process information and activity from detection. This shows that malicious software may use similar approaches to evade antivirus software, and even the detection of software firewalls. Potential threats therefore remain. In the Windows operating system, it is considered legitimate behavior for a process to create a remote thread in another running process. A malicious process may thus inject malicious code into an authorized process and execute it there, bypassing software firewalls without raising a warning. In other words, malware, spyware, and rootkits can launch the attack from inside the system, sending data or opening a backdoor silently even under the protection of firewall software. In this thesis, we discuss the methods of injecting code into running processes and the corresponding potential threats. By analyzing these methods, we propose a detection mechanism called the Detecting the Malicious Code Injection Engine (DMCIE) for the Microsoft Windows operating system. DMCIE is implemented as a loadable kernel-mode driver that dynamically monitors every process in the system and provides users with more precise information about suspected injection behavior. The maximal overhead caused by DMCIE is less than 3.26%. This minor overhead makes DMCIE suitable for installation on Windows or for combination with other software to increase system security.