University of Twente Student Theses


Analysis and automated detection of host-based code injection techniques in malware

Starink, J.A.L (2021) Analysis and automated detection of host-based code injection techniques in malware.

[img] PDF
Abstract:For malware to be successful, it should stay undetected by anti-virus software for as long as possible. One method for avoiding detection is the use of code injection, which is the process of injecting code into another running application. Despite code injection becoming one of the main features of today's malware, there has been a general lack of a systematic approach in analyzing and detecting the use of it. In this research, we conduct a study on well-known methods for performing code injection, and propose a taxonomy that groups these methods into classes based on common characteristics. We then introduce Behavior Nets, our novel modelling language that we use to express these methods in terms of observable events. We continue by implementing a system that uses these models to collect empirical evidence for the prevalence of code injection in the malware scene. Our experiments suggest that at least 11.15% of malware between 2017 and 2020 performs some type of injection. They also show that Process Hollowing is the most commonly used technique, but that this trend is slowly shifting towards other, less traditional methods.
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science MSc (60300)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page