A novel method of hiding injected modules (Chinese-language record, translated)
Cite this article: WU Jian, LIU Xin. A novel method of hiding injected modules [J]. Computer Engineering & Science, 2015, 37(8): 1472-1478.
Authors: WU Jian, LIU Xin
Affiliation: Key Laboratory of Intelligent Computing and Information Processing, Ministry of Education, College of Information Engineering, Xiangtan University
Funding: Natural Science Foundation of Hunan Province (12JJ3066)
Abstract (translated from the Chinese): In the field of information security, security analysis tools often need to inject a monitoring module into the address space of another process in order to monitor it, but malware frequently evades monitoring by checking whether foreign modules are present in its own address space. Security tools therefore need to hide the injected module. Common hiding methods include unlinking the process's LDR_MODULE list, hooking the module-enumeration functions, and erasing the PE header, but each of these has significant limitations. To address these limitations, this paper proposes a new method for hiding injected modules: the injection itself uses an ordinary module-based injection so that the malware lets its guard down; after injection, the module removes itself so that the malware cannot detect the presence of the monitoring software. Solutions are given for several concrete technical problems that arise in practice. Experimental results show that the method has a strong ability to break through defenses, is compatible with all versions of the Windows operating system, and is stealthier than the current general-purpose methods.

Keywords: information security; Rootkit; thread injection; module hiding; module-based injection; module-less injection
Received: 2014-08-11
Revised: 2015-08-25

A novel method of hiding the injected modules
WU Jian,LIU Xin.A novel method of hiding the injected modules[J].Computer Engineering & Science,2015,37(8):1472-1478.
Authors:WU Jian  LIU Xin
Affiliation:(Key Laboratory of Intelligent Computing and Information Processing,Ministry of Education, College of Information Engineering of Xiangtan University,Xiangtan 411105,China)
Abstract: In the field of information security, security analysis tools often inject modules into the address space of other processes to monitor dangerous behavior, but malware scans its own process space and looks for the monitoring modules in order to evade monitoring. Security analysis tools should therefore hide the modules they inject into the target process space. Many methods exist for hiding modules, such as unlinking the LDR_MODULE chain, hooking the module-enumeration functions, and erasing the PE header, but these methods have significant limitations. To improve on them, we propose a novel method for hiding injected modules: an ordinary module injection is performed so that it is neglected by the malware; the modules then eliminate themselves, so that the malware cannot detect the presence of the monitoring software. We also give solutions to several typical technical problems encountered in practice. Experimental results show that the proposed method has a good capability to break through the defense system, is compatible with various versions of the Windows operating system, and conceals itself better than the traditional methods.
Keywords: information security; Rootkit; thread injection; hide module; thread injection with module; thread injection without module
This article is indexed in Wanfang Data and other databases.