Dynamic Instruction Sequences Monitor for Virus Detection Jianyong Dai, Ratan Guha, Joohan Lee...
Dynamic Instruction Sequences Monitor for Virus Detection
Jianyong Dai, Ratan Guha, Joohan Lee
Wednesday, January 28, 2009
Cho, Ho-Gi
Abstract
• Dynamic instruction sequences monitor
  – refers to a special program which has the ability to launch a program and capture the runtime instruction sequence of that program
• Problem
  – none of the existing monitors are specially designed to launch a potentially malicious program
• Solution
  – intercept certain Win32 API and divert it to a safe version of that API
  – provide a virus detection plug-in mechanism
23年 4月 20日 [WePu07] 2
Dynamic instruction sequence monitor
[Figure: Debugger / Analyzing Monitor / main / Target / Launch / System; labelled "Malicious code or program" and "Infect"]
• Solution
  – built a dynamic instruction sequences monitor with a protection mechanism
    • intercept potentially destructive Win32 API and divert it to a safe version of that API
    • provide some mechanism to keep the original execution path as much as possible
  – plug-in mechanism
    • programmer can build different applications based on the dynamic instruction sequences captured by the monitor
System Architecture
• Overview
[Figure: overview. Monitor / main / Target / Launch; the target ("Malicious code or program") issues API calls such as … ReadFile(..) CreateFile(..) CheckFile(..) WriteFile(..) …, which pass through Interposition; the resulting Binary sequences are checked against Classification Models (e.g. CreateFile(..) CheckFile(..) WriteFile(..)) in a "Compare and Decision" step]
[Figure: System Architecture for monitor. Components: Program Debugger, Insulator, Unknown Executable, Disassembler, Instruction Sequences, Instruction processing Plug-in]
[Figure: Structure of virus detection plug-in. Components: Logic assembly construction, Abstract assembly construction, Classification, Decision, Model Manager, Classification Models]
• Insulator
  – prevent certain Win32 API from executing
  – supply the API caller with dummy output without actually invoking the API
  – use the Microsoft Detours package
API categories intercepted by the insulator (action: Return):
  – File and directory manipulation API
  – Registry manipulation API
  – Remote memory manipulation
  – Remote thread creation
  – Administration related API
  – Socket creation, packet sending
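As an added illustration of the insulator idea (not the authors' code), the sketch below, in portable C, stands a function pointer in for the Detours trampoline so it builds without Windows headers: a destructive API is diverted to a safe version that returns plausible dummy output, every call is recorded for the plug-in, and a classification model is matched against the recorded sequence. The names real_WriteFile, safe_WriteFile, target_main and plugin_matches and the in-memory "disk" are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the disk: the side effect the insulator must prevent. */
static char g_disk[64] = "";
/* Call sequence the monitor records for the detection plug-in. */
static const char *g_seq[16];
static int g_seq_len = 0;
static void record(const char *api) { if (g_seq_len < 16) g_seq[g_seq_len++] = api; }

/* Original API (stand-in for kernel32!WriteFile): really writes. */
static bool real_WriteFile(const char *data, size_t n, size_t *written) {
    strncpy(g_disk, data, sizeof g_disk - 1);
    *written = n;
    return true;
}
/* Safe version: same signature and success report, no side effect; the dummy output keeps the target on its normal path. */
static bool safe_WriteFile(const char *data, size_t n, size_t *written) {
    (void)data;
    *written = n;
    return true;
}

/* Interposition point. In the real monitor Detours' DetourAttach() patches the import so WriteFile lands here. */
typedef bool (*WriteFile_t)(const char *, size_t, size_t *);
static WriteFile_t g_active_WriteFile = real_WriteFile;
static bool hook_WriteFile(const char *data, size_t n, size_t *written) {
    record("WriteFile");                          /* capture for the plug-in */
    return g_active_WriteFile(data, n, written);  /* divert or pass through */
}

/* Turn the insulator on (divert to the safe version) or off, and reset the log. */
void insulator_enable(bool on) {
    g_active_WriteFile = on ? safe_WriteFile : real_WriteFile;
    g_seq_len = 0;
}

/* Constructed unknown executable: drops a payload and only continues if the write "worked". */
int target_main(void) {
    size_t w = 0;
    if (!hook_WriteFile("payload", 7, &w) || w != 7) return 1;  /* error branch: path lost */
    record("CheckFile");
    return 0;
}

/* Plug-in side: compare the captured sequence against one classification model. */
bool plugin_matches(const char *const *model, int len) {
    if (len != g_seq_len) return false;
    for (int i = 0; i < len; i++) if (strcmp(model[i], g_seq[i]) != 0) return false;
    return true;
}
```

With the insulator on, the target still takes its success path (so the sequence after the write is still observed) while the "disk" stays untouched; with it off, the real write happens.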
Conclusion
• described a dynamic instruction sequences monitor and a virus detection plug-in based on the monitor
  – efficient, and protects the user's computer in the general case
• Problem
  – a program may invoke the underlying ntdll.dll or interrupt 2E directly, bypassing the intercepted Win32 API layer, which is not protected