Research on Detection Methods for DLL Injection by Static Modification of the PE Import Table
Cite this article: Yu Yongbin (于永斌), Yu Wenjian (余文健), Mo Jiehong (莫洁虹), Kang Zhengfei (康峥非). Research on Detection Methods for DLL Injection by Static Modification of the PE Import Table [J]. Journal of University of Electronic Science and Technology of China (Natural Science Edition) (电子科技大学学报(自然科学版)), 2020, 49(6): 854-859.
Authors: Yu Yongbin (于永斌), Yu Wenjian (余文健), Mo Jiehong (莫洁虹), Kang Zhengfei (康峥非)
Affiliation: 1. School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054
Funding: National Natural Science Foundation of China, International Young Scientists Research Fund (61550110248); Sichuan Provincial Department of Science and Technology, Major Science and Technology Project (2019YFG0190)
Abstract: This paper studies the detection of DLLs injected by statically modifying the PE import table and proposes a common detection method based on the legal range and a deep detection method based on exception backtracking. The first method works statically: it computes the layout range of the data structures of all DLLs, so there is no need to parse a DLL's functionality to infer whether it is malicious. The second method applies the idea of debugging to malicious DLL detection: it controls the execution of the target program, traces the DLL loading process during the target program's initialization phase, and uses the debugging API to capture exceptions, thereby achieving detection. A DLL detection experiment was designed in C++: a DLL written with download functionality was injected into the target program, and a detection tool, DLL Detector, was designed and developed to perform the detection; the experiment successfully detected the suspicious module both in the static phase and in the program initialization phase. Both methods support 32-bit and 64-bit executables and can defend against malicious code.

Keywords: DLL detection; DLL injection; import table; PE file format
Received: 2019-12-27

Research on Detection of Dynamic Link Library Injected by Static Modifying Import Table of Portable Executable File
Affiliation: 1. School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054; 2. Chengdu College of University of Electronic Science and Technology of China, Chengdu 611731
Abstract: To study the detection of a dynamic link library (DLL) injected by statically modifying the import table of a portable executable (PE) file, a common detection method based on the legal scope and a depth detection method based on exception backtracking are proposed. The first method calculates the range of the data structure arrangement of all DLLs from a static point of view, without parsing the DLL's functions to infer whether it is malicious. The second method applies the idea of debugging to the detection of malicious DLLs: it controls the running of the target program and tracks the DLL loading process in the initialization phase of the target program, and the debugging API is used for exception capture to realize the detection. C++ was used to design the DLL detection experiment: a DLL with a download function was injected into the target program, and the detection tool DLL Detector was designed and developed for the detection. The experiment successfully detects the suspicious module in both the static phase and the program initialization phase. Both methods support 32-bit and 64-bit PE files and can be used to guard against malicious code.
Keywords: DLL detection; DLL injection; import table; PE file format
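The abstract does not spell out how the "legal range" of the import structures is computed, so the example below is an added illustration of the static idea and is not the paper's DLL Detector code: it takes the linker-emitted IAT data directory as the legal range and flags any import descriptor whose FirstThunk lies outside it, which is where an appended descriptor whose thunks had to be placed in a new section ends up. The two section layouts, the section names and the DLL name "dload.dll" are constructed for the example; the check is written in Python rather than the paper's C++ so it runs stand-alone on the in-memory image.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<IIIII")

def locate(sections, rva):
    """Section (name, base_rva, bytes) holding rva; sections maps name -> (base_rva, bytes)."""
    for name, (base, data) in sections.items():
        if base <= rva < base + len(data):
            return name, base, data
    raise ValueError(f"RVA {rva:#x} maps to no section")  # dangling pointer: also suspicious

def check_imports(sections, import_dir_rva, iat_rva, iat_size):
    """Walk the import descriptor array; the linker-emitted IAT data directory is taken
    as the legal range, so a descriptor whose FirstThunk lies outside it is flagged."""
    findings, rva = [], import_dir_rva
    while True:
        _, base, data = locate(sections, rva)
        oft, _, _, name_rva, ft = DESC.unpack_from(data, rva - base)
        if oft == 0 and name_rva == 0 and ft == 0:  # all-zero descriptor ends the array
            break
        _, nbase, ndata = locate(sections, name_rva)
        dll = ndata[name_rva - nbase:ndata.index(b"\0", name_rva - nbase)].decode("ascii")
        in_range = iat_rva <= ft < iat_rva + iat_size
        findings.append((dll, locate(sections, ft)[0], in_range))
        rva += DESC.size
    return findings

def put(buf, base, rva, data):
    buf[rva - base:rva - base + len(data)] = data

# Constructed 32-bit layout: .rdata holds the linker's import data; the import directory
# points at 0x2000 and the IAT directory covers 0x2100..0x2108.
rdata = bytearray(0x200)
put(rdata, 0x2000, 0x2000, DESC.pack(0x2080, 0, 0, 0x20C0, 0x2100))
put(rdata, 0x2000, 0x20C0, b"KERNEL32.dll\0")
put(rdata, 0x2000, 0x2100, struct.pack("<II", 0x20D0, 0))
CLEAN = {".rdata": (0x2000, bytes(rdata))}

# Constructed injected layout: the descriptor array was copied into a new section .inj,
# a descriptor for a made-up "dload.dll" was appended with its name and thunks in .inj,
# and the import directory was repointed to 0x5000; the IAT directory still says 0x2100.
inj = bytearray(0x100)
put(inj, 0x5000, 0x5000, DESC.pack(0x2080, 0, 0, 0x20C0, 0x2100))
put(inj, 0x5000, 0x5014, DESC.pack(0x5060, 0, 0, 0x5080, 0x5070))
put(inj, 0x5000, 0x5070, struct.pack("<II", 0x5090, 0))
put(inj, 0x5000, 0x5080, b"dload.dll\0")
INJECTED = {**CLEAN, ".inj": (0x5000, bytes(inj))}
```

Running `check_imports(INJECTED, 0x5000, 0x2100, 8)` reports KERNEL32.dll inside the legal range and dload.dll outside it, while the clean layout yields no out-of-range entry; a real scanner would read the section table and both data directories from the PE headers instead of the constructed constants.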