Testing Platform Invoke as a Tool for Shellcode Injection in Windows Applications

Abstract This paper investigates software attacks based on shellcode injection in Windows applications. The attack uses platform invoke to inject binary code by means of system calls. This creates a separate threat that carries the payload. The paper overviews protections against shellcode injection and thus analyzes the injection methods as well. Analysis models the injection of malicious code in a Windows app process. As a result, the paper proposes a step-by-step injection method. Experimental injection of user code in PowerShell is performed to test the method. The paper further shows the assembly code of the system call as an example of finding their IDs in the global system call table; it also shows part of the source code for the injection of binary executable code. Various counterattacks are proposed in the form of software control modules based on architecture drivers. The paper analyzes the feasibility of using dynamic invoke, which the authors plan to do later on.

Download Full-text

Design of Malicious Code Detection System Based on Binary Code Slicing

電腦學刊 ◽

10.53106/199115992021083204018 ◽

2021 ◽

Vol 32 (4) ◽

pp. 225-238

Author(s):

Zhiyuan Zhang Zhiyuan Zhang ◽

Zhenjiang Zhang Zhiyuan Zhang ◽

Bo Shen Zhenjiang Zhang

Keyword(s):

Binary Code ◽

Detection System ◽

Malicious Code ◽

Malicious Code Detection

Download Full-text

An Approach to Mitigate Malware Attacks Using Netfilter's Hybrid Frame in Firewall Security

International Journal of Open Source Software and Processes ◽

10.4018/ijossp.2018010103 ◽

2018 ◽

Vol 9 (1) ◽

pp. 32-61 ◽

Cited By ~ 1

Author(s):

Nivedita Nahar ◽

Prerna Dewan ◽

Rakesh Kumar

Keyword(s):

Source Code ◽

Research Work ◽

Hybrid Approach ◽

Optimal Level ◽

Malicious Code ◽

Traffic Load ◽

Activity Detection ◽

Web Content ◽

Packet Filtering ◽

Malicious Activity

With the steady advancements in the technology, the network security is really important these days to protect information from attackers. In this research, the main focus is on designing strong firewall filtering rules so that detection of malicious code is achieved to an optimal level. A proposed framework is introduced to improve the performance parameters such as Server response time, Web content analysis, Bandwidth, and the performance of the Network traffic load. This research work defines a new set of IPtable rules achieved by modifying the kernel source code. This is done using OpenBSD kernel source code, which results in the formation of a mini-firewall. Therefore, a new hybrid approach is proposed by adding packet filtering rules and SNORT technology in mini-firewall for malicious activity detection. It is an efficient and practical technique which will be helpful to mitigate the malware attacks and secure LAMP server. Experimental analysis has been done to conclude that around 70-75% malicious activity can be reduced by using the proposed technique.

Download Full-text

Taint Graph of System Call Arguments for Intrusion Detection in Mobile Intelatrac

Advanced Materials Research ◽

10.4028/www.scientific.net/amr.546-547.1101 ◽

2012 ◽

Vol 546-547 ◽

pp. 1101-1106

Author(s):

Dan Nie ◽

Yu Hui Wang

Keyword(s):

Intrusion Detection ◽

Control Flow ◽

System Call ◽

Mobile Telecommunication ◽

Control Data ◽

Critical Data ◽

Buffer Overflows ◽

System Calls ◽

Flow Information ◽

Behavior Profile

The intended data-flow in a vulnerable program is subject to be subverted by attacks which exploit buffer overflows or format string vulnerabilities to write data to unintended location. In Mobile Telecommunication it is especially important on data safety. These attacks can be classified into two types: control-flow-attacks exploit buffer overflows or other vulnerabilities to overwrite a return address, a function pointer, or some other piece of control-data; non-control-data attacks exploit similar vulnerabilities to overwrite security critical data without subverting the intended control-flow in the program. The control-flow attacks are well studied and widely used, so there are several typical approaches to prevent them, which monitor the sequence of system calls emitted by the application being monitored and utilize control-flow information of the system calls for intrusion detection. However, the non-control-data attacks are rare for the reason that they rely on specific semantics of the target applications, and there are only few works that defend them to some extent. In order to prevent non-control-data attacks, we leverage dynamic taint technique to track the instruction level relationship between different system call arguments and construct taint graph which can represent behavior profile of a benign program in this paper..

Download Full-text

The SQALE Quality and Analysis Models for Assessing the Quality of Ada Source Code

Reliable Software Technologies - Ada-Europe 2011 - Lecture Notes in Computer Science ◽

10.1007/978-3-642-21338-0_5 ◽

2011 ◽

pp. 61-74 ◽

Cited By ~ 1

Author(s):

Thierry Coq ◽

Jean-Pierre Rosen

Keyword(s):

Source Code ◽

Analysis Models

Download Full-text

Intrusion Detection Based on Self-Organizing Map and Artificial Immunisation Algorithm

Key Engineering Materials ◽

10.4028/www.scientific.net/kem.439-440.29 ◽

2010 ◽

Vol 439-440 ◽

pp. 29-34 ◽

Cited By ~ 1

Author(s):

Zhen Guo Chen ◽

Guang Hua Zhang ◽

Li Qin Tian ◽

Zi Lin Geng

Keyword(s):

Intrusion Detection ◽

Computer Security ◽

Real World ◽

User Behavior ◽

Experimental Result ◽

System Call ◽

Self Organizing Map ◽

System Calls ◽

Real World Datasets ◽

Self Organizing

The rate of false positives which caused by the variability of environment and user behavior limits the applications of intrusion detecting system in real world. Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer security in recent years. To solve the intrusion detection question, we introduce the self-organizing map and artificial immunisation algorithm into intrusion detection. In this paper, we give an method of rule extraction based on self-organizing map and artificial immunisation algorithm and used in intrusion detection. After illustrating our model with a representative dataset and applying it to the real-world datasets MIT lpr system calls. The experimental result shown that We propose an idea of learning different representations for system call arguments. Results indicate that this information can be effectively used for detecting more attacks with reasonable space and time overhead. So our experiment is feasible and effective that using in intrusion detection.

Download Full-text

Mal-Netminer: Malware Classification Approach Based on Social Network Analysis of System Call Graph

Mathematical Problems in Engineering ◽

10.1155/2015/769624 ◽

2015 ◽

Vol 2015 ◽

pp. 1-20 ◽

Cited By ~ 5

Author(s):

Jae-wook Jang ◽

Jiyoung Woo ◽

Aziz Mohaisen ◽

Jaesung Yun ◽

Huy Kang Kim

Keyword(s):

Social Network ◽

Social Network Analysis ◽

Network Analysis ◽

Clustering Coefficient ◽

Component Ratio ◽

System Call ◽

Degree Centrality ◽

Call Graph ◽

System Calls ◽

Graph Metrics

As the security landscape evolves over time, where thousands of species of malicious codes are seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features driven from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We utilize features driven from those properties to build a classifier for malware families. Our experimental results show that “influence-based” graph metrics such as the degree centrality are effective for classifying malware, whereas the general structural metrics of malware are less effective for classifying malware. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class with accuracy greater than 96%.

Download Full-text

System Call Monitoring Using Authenticated System Calls

IEEE Transactions on Dependable and Secure Computing ◽

10.1109/tdsc.2006.41 ◽

2006 ◽

Vol 3 (3) ◽

pp. 216-229 ◽

Cited By ~ 19

Author(s):

M. Rajagopalan ◽

M.A. Hiltunen ◽

T. Jim ◽

R.D. Schlichting

Keyword(s):

System Call ◽

System Calls ◽

Call Monitoring

Download Full-text

Finding Software License Violations Through Binary Code Clone Detection - A Retrospective

ACM SIGSOFT Software Engineering Notes ◽

10.1145/3468744.3468752 ◽

2021 ◽

Vol 46 (3) ◽

pp. 24-25

Author(s):

Armijn Hemel ◽

Karl Trygve Kalleberg ◽

Rob Vermaas ◽

Eelco Dolstra

Keyword(s):

Open Source ◽

Original Problem ◽

Binary Code ◽

Source Code ◽

Clone Detection ◽

Problem Statement ◽

Open Source Code ◽

Code Clone ◽

Software License ◽

The Impact

Ten years ago, we published the article Finding software license violations through binary code clone detection at the MSR 2011 conference. Our paper was motivated by the tendency of em- bedded hardware vendors to only release binary blobs of their rmware, often violating the licensing terms of open-source soft- ware present inside those blobs. The techniques presented in our paper were designed to accurately identify open-source code hid- den inside binary blobs. Here, we give our perspectives on the impact of our work, both industrially and academically, and re- visit the original problem statement to see what has happened in the eld of open-source compliance in the intervening decade.

Download Full-text

Feature representation and selection in malicious code detection methods based on static system calls

Computers & Security ◽

10.1016/j.cose.2011.05.007 ◽

2011 ◽

Vol 30 (6-7) ◽

pp. 514-524 ◽

Cited By ~ 27

Author(s):

Ding Yuxin ◽

Yuan Xuebing ◽

Zhou Di ◽

Dong Li ◽

An Zhanchao

Keyword(s):

Malicious Code ◽

Feature Representation ◽

Detection Methods ◽

Static System ◽

System Calls ◽

Malicious Code Detection

Download Full-text

Estimation of similarity between functions extracted from x86 executable files

Serbian Journal of Electrical Engineering ◽

10.2298/sjee1502253b ◽

2015 ◽

Vol 12 (2) ◽

pp. 253-262

Author(s):

Katarina Berta ◽

Sasa Stojanovic ◽

Milos Cvetanovic ◽

Zaharije Radivojevic

Keyword(s):

Machine Learning ◽

Software Engineering ◽

Binary Code ◽

Source Code ◽

Future Research ◽

Malware Analysis ◽

Previous Knowledge ◽

The Third

Comparison of functions is required in various domains of software engineering. In most domains, comparison is done using source code, but in some domains, such as license violation or malware analysis, only binary code is available. The goal of this paper is to evaluate whether the existing solution meant for ARM architecture can be applied to x86 architecture. The existing solution encompasses multiple approaches, but for the purpose of this paper three representative approaches are implemented; two are based on machine learning, and the third does not require previous knowledge. Results show that the best recalls obtained for the first ten positions on both architectures are comparable and do not differ significantly. The results confirm that adaptation of all approaches of the existing solution is not only possible but also promising and represent adequate basis for future research.

Download Full-text