Detecting House of Spirit Attacks by Glibc Heap Information Extraction


Detailed description

Bibliographic details
Published in: Journal of Harbin University of Science and Technology
Main authors: ZHAI Jiqiang, WANG Jiaqian, HAN Xu, SUN Haixu
Format: Article
Language: Chinese
Publication details: Harbin University of Science and Technology Publications, 2024-02-01
Subjects:
Online access: https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2299
Other bibliographic description
Abstract: Current forensic research on heaps mainly extracts information from the Windows heap and the Windows NT heap; how to extract Glibc heap information from Linux memory dump files has received much less study. To reconstruct the internal state of the Glibc heap, this paper proposes a method that extracts Glibc heap internals from Linux memory by combining the field offsets in the vtype description of each memory object with the in-memory layout of the Glibc heap implementation. Based on this method, three heap-information extraction plugins were developed on the Rekall framework. In addition, the House of Spirit heap attack is studied, an attack model is established, and its attack features are extracted. A detection algorithm for the House of Spirit attack is designed from those features, and an attack-detection plugin is built on top of the extraction plugins. Experimental results show that the method effectively extracts heap information from the memory of a Linux process and, combined with the detection algorithm, successfully detects House of Spirit attacks in memory.
ISSN:1007-2683