Journal of Software Assessment and Valuation 2021 KCI Impact Factor : 0.27
A Study on Injection Attacks and Defenses on Microsoft Windows
[web] / Korean Wikipedia / https://ko.wikipedia.org/wiki/Microsoft_Windows
[journal] 황현욱 / 2006 / Memory Injection Technique and Injected DLL Analysis Technique in Windows Environment / 융합보안 논문지 / 한국융합보안학회 6(3) : 59~67
[journal] Craig S Wright / 2007 / Taking Control, Functions to DLL Injection / SSRN Electronic Journal / Elsevier BV / https://dx.doi.org/10.2139/ssrn.3153492
[web] Amit Klein / 2019 / Windows Process Injection in 2019 / Black Hat / https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
[web] Hosseini, Ashkan / 2017 / Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques / Endpoint Security Blog / https://www.elastic.co/kr/blog/tenprocess-injection-techniques-technical-survey-common-and-trending-process
[web] 보안뉴스 / 2017 / Malware Born from the Combination of Fileless Threats and Ransomware Emerges / https://www.boannews.com/media/view.asp?idx=55391&page=1&kind=3
[web] 보안뉴스 / 2020 / NetWalker Ransomware Changes Its Business Model and Profits Swell in No Time / https://www.boannews.com/media/view.asp?idx=90291&page=1&kind=1
[web] 보안뉴스 / 2020 / Picking the Five Worst New Ransomware Families of Q1 2020... Abuse of the 'Corona' Keyword / https://www.boannews.com/media/view.asp?idx=89122&page=1&kind=1
[journal] A. H. A. Kamal / 2020 / Cybersecurity Issues and Challenges during Covid-19 Pandemic / https://doi.org/10.20944/preprints202009.0249.v1
[web] S. Fewer / 2008 / “Reflective DLL injection”, Harmony Security, Version 1 / https://github.com/stephenfewer/ReflectiveDLLInjection
[web] M. Gorelik / 2017 / Fileless Malware: Attack Trend Exposed / Morphisec Ltd / https://blog.morphisec.com/fileless-malware-attack-trend-exposed
[journal] B. L. Krishna / 2020 / Comparative Study of Fileless Ransomware / International Journal of Trend in Scientific Research and Development (IJTSRD) 4(3) : 608~616
[web] K. McCammon / 2020 / 2020 Threat Detection Report / Red Canary: Improve Security with Threat Detection / https://redcanary.com/threat-detection-report/introduction/
[web] MITRE ATT&CK® / Process Injection / https://attack.mitre.org/techniques/T1055/
[web] / https://github.com/SafeBreach-Labs/pinjectra
[web] Microsoft Docs / Process Explorer v16.32 / https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
[web] / Userland API Monitoring and Code Injection Detection / https://0x00sec.org/t/userland-api-monitoring-and-code-injection-detection/5565
[web] / Kaspersky Lab / https://encyclopedia.kaspersky.com/glossary/code-injection/
[web] / Kaspersky Lab / https://encyclopedia.kaspersky.com/glossary/dll-injection/
[web] / https://attack.mitre.org/techniques/T1055/008/
[web] / https://attack.mitre.org/techniques/T1055/009/
[journal] Sarwar Sayeed / 2019 / Control-Flow Integrity: Attacks and Protections / Applied Sciences / MDPI AG 9(20) : 4229~ / https://doi.org/10.3390/app9204229
[web] Microsoft Docs / Control Flow Guard / https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
[web] Z. Yunhai / 2015 / Bypass control flow guard comprehensively / Black Hat USA / https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf
[web] Weston, David / 2017 / Microsoft’s strategy and technology improvements toward mitigating arbitrary native code execution / CanSecWest / https://cansecwest.com/slides/2017/CSW2017_Weston-Miller_Mitigating_Native_Remote_Code_Execution.pdf
[journal] 임수민 / 2019 / Proposal of Process Hollowing Attack Detection Using Process Virtual Memory Data Similarity / 정보보호학회논문지 / 한국정보보호학회 29(2) : 431~438 / https://doi.org/10.13089/JKIISC.2019.29.2.431
[web] Github Repository / Captain / https://github.com/y3n11/Captain
[web] Github Repository / UnRunPE / https://github.com/NtRaiseHardError/UnRunPE
[web] Github Repository / Dreadnought / https://github.com/NtRaiseHardError/Dreadnought
[web] Github Repository / Rekall discontinuation / https://github.com/google/rekall
[web] Github / Volatility Foundation / https://github.com/volatilityfoundation
[confproc] SRIVASTAVA, Anurag / 2017 / Detecting code injection by cross-validating stack and VAD information in windows physical memory / 2017 IEEE Conference on Open Systems (ICOS). IEEE : 83~89
[thesis] Balaoura, Sotiria / 2018 / Process injection techniques and detection using the Volatility Framework / MS / University of Piraeus
[journal] Frank Block / 2019 / Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries / Digital Investigation / Elsevier BV 29 : S3~S12 / https://doi.org/10.1016/j.diin.2019.04.008
[web] InfoWorld / Microsoft UWP boosts security for Windows apps / https://www.infoworld.com/article/3049955/microsoft-uwp-boosts-security-for-windows-apps.html
[web] Microsoft Docs / DUMPBIN Reference / https://docs.microsoft.com/en-us/cpp/build/reference/dumpbin-reference?view=msvc-160