Static Analysis Method on Portable Executable Files for REMNUX based Malware Identification

Salman, Muhammad; Husna, Diyanatul; Viani, Nindya

doi:10.1109/icawst.2019.8923331

Cited by 1 publication

(1 citation statement)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note Figure 8(Top), which shows that a new thread has been created and a start address is pointing to LoadLibrary(). TLS calls are the pre-entry executed subroutines, and there is a section in the PE header indicating where the TLS callback is [49]. Monitoring these calls helps in the early detection of process injections.…”

Section: Workflow Of the Slavesmentioning

confidence: 99%

A New Approach for Detecting Process Injection Attacks Using Memory Analysis

Nasereddin,

Al-Qassas

2023

Preprint

View full text Add to dashboard Cite

This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents (Slaves). A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached 99.93% with a false-positive rate of 0.068%. Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.

show abstract

Section: Workflow Of the Slavesmentioning

confidence: 99%