Process injection techniques and detection using the Volatility Framework
Process injection techniques and their detection using the Volatility tool
Keywords: Remote or Classic DLL Injection; Hollow Process Injection; Volatility Framework; PE file; IAT (Import Address Table); Process injection; Process replacement; Memory analysis; Injection detection
Malware usually incorporates mechanisms to avoid detection. Process injection is a technique that achieves malicious code execution by injecting the code into a remote running process and forcing that process to execute it, in a way that is concealed from the user. The program that performs the injection is called the injector. The purpose of this thesis is to propose methodologies for detecting malware in memory. Regarding malware type, it focuses on two different process injection techniques: Hollow Process injection and Classic DLL (Dynamic Link Library) injection, otherwise called Remote DLL injection. Various injectors are used. The malware samples are executed on Windows 10 VMware virtual machines and their memory is acquired. Dynamic malware analysis is performed using the Volatility Framework. The Hollow Process injection technique is presented in detail and applied, producing various test memory images. A complete detection methodology using the Volatility Framework is proposed that reveals and detects the anomalies hollow process injection causes in memory. This methodology incorporates and organizes into distinct steps most of the current literature, relevant web articles and research on the subject. The described steps are performed on the test images and the results are confirmed. Remote DLL injection is analyzed and injections are performed on various systems, resulting in various test memory images. A completely new detection methodology is proposed, verified, implemented and tested. The whole idea is implemented in a Python script of approximately 200 lines of code that has to be executed inside Volatility's volshell plugin environment. The results of the script executed on 12 distinct memory images, presented in the relevant table, indicate that the script works satisfactorily.
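As an added illustration of the kind of memory anomaly check a Volatility-based hollowing methodology relies on (example code written for this page, not the thesis's volshell script and not a Volatility API), the following Python models the process artefacts Volatility plugins expose (PEB image base, LDR module list, VAD regions) as plain data and flags the classic signs of process hollowing; the process records are constructed and the field names are assumptions.

```python
# Added example (not the thesis's script): hollow-process checks over a constructed Volatility-style process view; field names are assumptions.
from dataclasses import dataclass

@dataclass
class Vad:
    start: int
    end: int
    protection: str            # e.g. "PAGE_EXECUTE_READWRITE"
    private: bool              # True for private memory (no backing section)
    mapped_file: str = ""      # backing file path, "" if none
    starts_with_mz: bool = False   # region begins with a PE "MZ" header

@dataclass
class Module:                  # one entry of the PEB LDR InLoadOrder list
    dll_base: int
    full_name: str

@dataclass
class ProcessView:
    pid: int
    peb_image_base: int        # PEB.ImageBaseAddress
    ldr_modules: list          # InLoadOrder list; entry 0 is the main executable
    vads: list

def vad_for(proc: ProcessView, addr: int):
    """Return the VAD covering addr, or None if the address is unmapped."""
    return next((v for v in proc.vads if v.start <= addr < v.end), None)

def hollow_indicators(proc: ProcessView) -> list:
    """Return findings for the classic hollowing signs; an empty list means clean."""
    findings = []
    main = proc.ldr_modules[0] if proc.ldr_modules else None
    if main is not None and main.dll_base != proc.peb_image_base:
        findings.append("PEB.ImageBaseAddress differs from the main module base in the LDR list")
    vad = vad_for(proc, proc.peb_image_base)
    if vad is None:
        findings.append("no VAD covers PEB.ImageBaseAddress (original image unmapped)")
        return findings
    if vad.private or not vad.mapped_file:
        findings.append("image base lies in private memory, not a file-backed image mapping")
    if vad.protection == "PAGE_EXECUTE_READWRITE" and vad.starts_with_mz:
        findings.append("RWX region at the image base starts with an MZ header")
    return findings

# Constructed sample records: a clean svchost.exe and a hollowed one.
EXE = r"C:\Windows\System32\svchost.exe"
CLEAN = ProcessView(1234, 0x400000, [Module(0x400000, EXE)],
                    [Vad(0x400000, 0x450000, "PAGE_EXECUTE_WRITECOPY", False, EXE, True)])
HOLLOWED = ProcessView(5678, 0x10000000, [Module(0x400000, EXE)],  # stale LDR entry
                       [Vad(0x10000000, 0x10030000, "PAGE_EXECUTE_READWRITE", True, "", True)])
```

Applied to each process record of an image, the clean record yields no findings and the hollowed one yields three, which is the sort of per-process evidence the thesis's methodology collects before confirming an injection.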