University of Twente Student Theses
Nefertum : The fallout of Windows code injection in benign programs
Bals, Jordi (2025) Nefertum : The fallout of Windows code injection in benign programs.
PDF (282kB)
Abstract: Code injection is a technique used by malware to place a section of its code into another process and trick that process into executing it. Many state-of-the-art detection systems determine malicious behavior only by looking at the malware sample itself. By not looking at the target process of the code injection, they miss part of the malicious behavior. No research studies the effects of code injection on the benign injected processes, so it is unclear how much malicious process behavior (e.g., system calls) modern solutions miss. We propose a framework that automatically identifies the behavior exhibited by injecting malware samples and by their victim processes after being targeted by code injection. The framework uses dynamic analysis to find the system calls of the malware sample and its victim, and matches the found system calls against SIGMA rules that define behavior. We then use this framework to gather the behaviors of 436 real-life samples and their victims to approximate the behavior missed by modern detection systems. Our experiments suggest that solutions miss, on average, 56.3% of behavior when looking strictly at the number of tracked system calls and 64% of behavior when looking at the number of SIGMA rules found.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/106170