Signature Generation for DLL-based Malware


Bibliographic Details
Main Authors: Chen, Wei-Chih, 陳威志
Other Authors: Shieh, Shiuh-Pyng
Format: Others
Language: en_US
Published: 2013
Online Access: http://ndltd.ncl.edu.tw/handle/69676859215084166694
Description
Summary: Master's thesis === National Chiao Tung University (國立交通大學) === Institute of Computer Science and Engineering === 101 === In malware detection research, DLL (Dynamic-Link Library) malware is often overlooked, since EXE malware makes up the majority of all malware. Despite the differences between DLL malware and EXE malware, EXE malware analysis tools are commonly used to detect DLL malware. To improve DLL malware detection accuracy, a different analysis methodology is proposed, based on the trait that distinguishes a DLL file from an EXE file: the export functions that serve as a DLL's entry points. A single DLL can contain multiple export functions. In recent research, signatures are generated from a group of malware samples by finding their common context, for example through CFG (Control Flow Graph) analysis. Given this property of DLLs, a single DLL malware sample can be viewed as a collection of malware programs that start from different entry points. In this thesis, we first establish the relation between DLL attack methods and export functions. Second, we present the phenomenon of common instructions in DLL malware. Third, we propose a detection method based on these common instructions.