進階持續性攻擊(APT)一直以來都是令組織集團、企業等相當頭痛的議題，針對特定對象設計專屬的攻擊策略，駭客透過各種不同的手法入侵受害者的主機，利用精巧的攻擊竊取具機密性、敏感性等資料造成企業組織損失。常見的技術是透過DLL Injection或是PE Infection來達到躲藏的目的。APT攻擊的潛伏期平均為一年半，有的甚至超過三年以上。現今防毒軟體大部分採取特徵偵測的技術，雖然可以達到極高的偵測率，但是此方法的缺點在於唯有當防毒軟體的資料庫建立好自己的特徵碼後，才能有效的偵測有害的惡意程式，而駭客僅須透過修改部分程式碼便能夠產生獨一無二的病毒，使得主機以及系統在偵測到病毒前都有很大的機會已經遭受到感染。
本研究的目的是要找出潛在的DLL注入以及感染的PE檔案，為了找尋惡意程式，會從兩個角度去偵測惡意行為，分別是動態的記憶體檢測以及擷取應用程式使用的API和它所在的記憶體位置當作特徵值進行分析。本研究透過三種方法來檢測系統是否遭受駭客汙染；分別是透過動態記憶體模組的檢測，把應用程式呼叫的模組中的路徑進行比較來判斷是否遭受到DLL Injection。而靜態方面，DLL Injection需要透過特殊的API進行，因此透過敏感的API呼叫來判斷是否為惡意程式。透過API間記憶體位置和可執行檔中的RVA Import Table重複性來判斷應用程式是否受到駭客感染，僅需檢測受感染的宿主便能偵測受感染的檔案。有別於特徵偵測的被動更新資料庫的方法，藉由以上方法可以在第一時間搶救受害者的系統降低組織、企業的損失。

Advanced Persistent Attack Threat is one of notorious in enterprises and organization. APT attack is a highly organized, well-funded attack against a specific target .Cyber Criminal using many ways to invade system to get sensitive information .It's applied to sophisticated state-level attacks which infiltrate specific networks to steal sensitive information, assets or cause system damage. DLL injection and PE Infection are common ways to hide their presence. APT attack stays there undetected for a long period of time. The average is a year and a half, however, in such case can be more than 3-year. Most Anti-Virus vendors use signature-based detection to get high detection rate, but on the other hand this technique has no protection against zero-day or unseen malware before they updating their database. Hacker can slightly change their malicious code to create a unique malware in order to escape from detection.
In this paper, our target is to find potential DLL injection process, file and PE infection applications by using dynamic and static analysis. We propose 3 ways to detect the malicious file, PE infection applications and DLL injection’s process. Malware detection method based on extracting sensitive API(Application Programming Interface) calls from malware to detect unseen malware. For potential DLL injection process, scanning each thread context and its corresponding stack frames for possible instruction pointer address that does not belong to executable section in the target process .Using API distance and duplicated RVA(relative virtual address) import table to detect PE infection. This method only detect infection host file to distinguish malware from benign .Unlike signature-based detection , sensitive API of predicting malware and potential PE Infection inspect can detect unseen malware . Protecting sensitive data is the end goal of almost all IT security measures.

論文審定書 i
致謝 ii
摘要 iii
Abstract iv
第一章 緒論 1
1.1 研究背景: 1
1.2 研究動機: 3
第二章 文獻探討 4
2.1 動態分析 5
2.2 靜態分析 6
2.3 DLL Injection: 8
2.4 PE 檔案結構: 9
2.5 駭客攻擊手法(感染PE): 12
2.6 研究貢獻與比較 17
第三章 系統評估 18
3.1 記憶體檢測: 18
3.2 PE Infection樣本描述: 23
3.3 PeFile介紹: 31
3.4 特徵選取: 33
3.5 PE Infection系統流程: 35
第四章 系統驗證 43
4.1 Process Scan 44
4.2 PE Infection驗證 46
4.3 特徵選取 54
4.4 Ten Folds實驗 54
4.5 600 Training Set測試 55
4.6 Virus Total比較 55
第五章 未來展望 59
參考資料 60

[1] Symantec, “Underground black market: Thriving trade in stolen data, malware, and attackservices,”http://www.symantec.com/connect/blogs/underground-black-market-thriving-
trade-stolen-data-malware-and-attack-services
[2] McAfee Lab, “Malware Trend Continues Relentless Climb” , https://blogs.mcafee.com
/mcafee-labs/malware-trend-continues-relentless-climb/
[3] Silvio Cesare,Yang Xiang and Wanlei Zhou , ”Malwise–An Effective and Efficient Classification System for Packed and Polymorphic Malware” , IEEE Transactions On Computers, vol. 62, No. 6, Jun. 2013.
[4] Symantec, ”Internet Security Threat Report” , https://www.symantec.com/content/dam/
symantec/docs/reports/istr-21-2016-appendices-en.pdf?aid=elq_&om_sem_kw=elq_16094
845&om_ext_cid=biz_email_elq_&elqTrackId=4d82501a2e9e465d9fd77442e0c22384&elqaid=2910&elqat=2
[5] 數位時代, “臺灣APT攻擊比全球平均高出一倍！FireEye：應建立即時分享平台” ,
http://www.bnext.com.tw/article/view/id/35852
[6] iThome, “賽門鐵克疾呼防毒軟體已死” , http://www.ithome.com.tw/news/87821
[7] Nightmare(BioHazard) , ”PE Infection – How to Inject a dll” , March 5 , 2009.
https://www.exploit-db.com/docs/344.pdf
[8] dtm Law Abiding Citizen , ”PE File Infection” , May 19 , 2016.
https://0x00sec.org/t/pe-file-infection/401
[9] LiTlLe VxW, “PE INFECTION TUTORIAL FOR BEGINNER”, October , 2002.
https://vxheaven.org/29a/29a-7/Articles/29A-7.023
[10] Ciro Sisman Pereira, ”Portable Executable (P.E.) Code Injection: Injecting an Entire C Compiled Application”, March 16 , 2008.
http://www.codeproject.com/Articles/24417/Portable-Executable-P-E-Code-Injection-Injecting-a
[11] TICZY, “Chronicles of a PE Infector”, February 7 , 2014.
http://www.adlice.com/chronicles-pe-infector/
[12] Wikipedia, “DLL injection,” https://en.wikipedia.org/wiki/DLL_injection
[13] Drew_Benton, “A More Complete DLL Injection Solution Using CreateRemoteThread”, August 17,2007. http://www.codeproject.com/Articles/20084/A-More-Complete-DLL-Injection-Solution-Using-Creat
[14] Kim, Sungkwan, et al. "A brief survey on rootkit techniques in malicious codes." Journal of Internet Services and Information Security 3.4 (2012): 134-147.
[15] Robert Kuster, “Three Ways to Inject Your Code into Another Process”, August 20 , 2003.http://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces
[16] Jang, Moonsu, Hongchul Kim, and Youngtae Yun. "Detection of DLL inserted by Windows malicious code." Convergence Information Technology, 2007. International Conference on. IEEE, 2007.
[17] Ki, Youngjoon, Eunjin Kim, and Huy Kang Kim. "A novel approach to detect malware based on API call sequence analysis." International Journal of Distributed Sensor Networks 2015 (2015): 4.
[18] Kaspersky, “Dealing with Svchost.exe Virus' Sneak Attack” ,
https://usa.kaspersky.com/internet-security-center/threats/svchost-exe-virus-attack#.V4Y-pPl95hE,2014
[19] TrendMicro Blog, “<APT 攻擊>透過自動啟動機制，攻擊者在一亞洲政府內部取得立足”, June 8,2015. http://blog.trendmicro.com.tw/?p=12660
[20] Yin Hong Chang Fireeye , “APT GROUP SENDS SPEAR PHISHING EMAILS TO INDIAN GOVERNMENT OFFICIALS”,June 3 2016.
https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html
[21] Fireeye , “POISON IVY: Assessing Damage and Extracting Intelligence “,2014
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
[22] Christodorescu, Mihai, et al. "Semantics-aware malware detection." 2005 IEEE Symposium on Security and Privacy (S&P'05). IEEE, 2005.
[23] Idika, Nwokedi, and Aditya P. Mathur. "A survey of malware detection techniques." Purdue University 48 (2007).
[24] Egele, Manuel, et al. "A survey on automated dynamic malware-analysis techniques and tools." ACM Computing Surveys (CSUR) 44.2 (2012): 6.
[25] iThome, ”對抗APT是企業必須面臨的長期戰爭”,March 24,
2016.http://www.ithome.com.tw/news/104780
[26] 資安人：Ed Skoudis, “新的惡意攻擊程式讓軟體捉襟見肘”, 2004 .
http://www.informationsecurity.com.tw/article/article_print.aspx?aid=176
[27] Kolter, J. Zico, and Marcus A. Maloof. "Learning to detect and classify malicious executables in the wild." Journal of Machine Learning Research7.Dec (2006): 2721-2744.
[28] Wikipedia,”加殼壓縮” https://zh.wikipedia.org/wiki/加殼壓縮
[29] 呂守箴 ,”病毒加殼技術與脫殼殺毒方法”, 2007 .
http://anti-hacker.blogspot.tw/2007/05/blog-post_29.html
[30] Wikipedia , “IDA Pro”,
https://en.wikipedia.org/wiki/Interactive_Disassembler
[31] Rieck, Konrad, et al. "Automatic analysis of malware behavior using machine learning." Journal of Computer Security 19.4 (2011): 639-668.
[32] Firdausi, Ivan, Alva Erwin, and Anto Satriyo Nugroho. "Analysis of machine learning techniques used in behavior-based malware detection." Advances in Computing, Control and Telecommunication Technologies (ACT), 2010 Second International Conference on. IEEE, 2010.
[33] Rieck, Konrad, et al. "Learning and classification of malware behavior."International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer Berlin Heidelberg, 2008.
[34] Wikipedia , “Virtual Machine “, https://en.wikipedia.org/wiki/Virtual_machine
[35] CWSandbox, http://cwsandbox.org/
[36] Cuckoo Sandbox, https://cuckoosandbox.org/
[37] Firdausi, Ivan, Alva Erwin, and Anto Satriyo Nugroho. "Analysis of machine learning techniques used in behavior-based malware detection." Advances in Computing, Control and Telecommunication Technologies (ACT), 2010 Second International Conference on. IEEE, 2010.
[38] Willems, Carsten, Thorsten Holz, and Felix Freiling. "Toward automated dynamic malware analysis using cwsandbox." IEEE Security and Privacy 5.2 (2007): 32-39.
[39] Zhang, J., Porras, P., & Yegneswaran, V. (2009). Host-Rx:Automated Malware Diagnosis Based on Probabilistic Behavior Models, Technical report, SRI International.
[40] Nataraj, L., Yegneswaran, V., Porras, P., & Zhang, J. (2011). A Comparative Assessment of Malware Classification Using Binary Texture Analysis and Dynamic Analysis. Proceedings of the 4th ACM workshop on Security and artificial intelligence, 21-30.
[41] Uppal, Dolly, et al. "Malware detection and classification based on extraction of API sequences." Advances in Computing, Communications and Informatics (ICACCI, 2014 International Conference on. IEEE, 2014.
[42] Inoue, Daisuke, et al. "nicter: An incident analysis system toward binding network monitoring with malware analysis." Information Security Threats Data Collection and Sharing, 2008. WISTDCS'08. WOMBAT Workshop on. IEEE, 2008.
[43] Li, Wei-Jen, et al. "Fileprints: Identifying file types by n-gram analysis."Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop. IEEE, 2005.Santos, Igor, et al. "N-grams-based File Signatures for Malware Detection."ICEIS (2) 9 (2009): 317-320.
[44] Abou-Assaleh, Tony, et al. "N-gram-based detection of new malicious code."Computer Software and Applications Conference, 2004. COMPSAC 2004. Proceedings of the 28th Annual International. Vol. 2. IEEE, 2004.
[45] Santos, Igor, et al. "N-grams-based File Signatures for Malware Detection."ICEIS (2) 9 (2009): 317-320.
[46] Bilar, Daniel. "Opcodes as predictor for malware." International Journal of Electronic Security and Digital Forensics 1.2 (2007): 156-168.
[47] Santos, Igor, et al. "Idea: Opcode-sequence-based malware detection."International Symposium on Engineering Secure Software and Systems. Springer Berlin Heidelberg, 2010.
[48] Nataraj, Lakshmanan, et al. "Malware images: visualization and automatic classification." Proceedings of the 8th international symposium on visualization for cyber security. ACM, 2011.
[49] Tian, Ronghua, et al. "Differentiating malware from cleanware using behavioural analysis." Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on. IEEE, 2010.
[50] Lee, Jinkyung, Chaetae Im, and Hyuncheol Jeong. "A study of malware detection and classification by comparing extracted strings." Proceedings of the 5th International Conference on Ubiquitous Information Management and Communication. ACM, 2011.
[51] Veeramani, R., and Nitin Rai. "Windows api based malware detection and framework analysis." International conference on networks and cyber security. Vol. 25. 2012.
[52] Altaher, Altyeb, et al. "Malware detection based on evolving clustering method for classification." Scientific Research and Essays 7.22 (2012): 2031-2036.
[53] Ye, Yanfang, et al. "SBMDS: an interpretable string based malware detection system using SVM ensemble with bagging." Journal in computer virology 5.4 (2009): 283-293.
[54] Cesare, Silvio, and Yang Xiang. "Malware variant detection using similarity search over sets of control flow graphs." 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications. IEEE, 2011.
[55] Shabtai, Asaf, et al. "Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey." Information Security Technical Report 14.1 (2009): 16-29.
[56] Zen, Kartinah, DN F. Awang Iskandar, and Ongkir Linang. "Using Latent Semantic Analysis for automated grading programming assignments." 2011 International Conference on Semantic Technology and Information Retrieval. IEEE, 2011.
[57] Amit Malik, “DLL Injection and Hooking” ,
http://securityxploded.com/dll-injection-and-hooking.php
[58] Brad Antoniewicz , ”Windows DLL Injection Basics”,January ,2013.
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html 2013
[59] Malarkey,” DLL Injection Part 1: SetWindowsHookEx” , May 17,201 . https://warroom.securestate.com/dll-injection-part-1-setwindowshookex/
[60] Malarkey, “DLL Injection Part 2: CreateRemoteThread and More”, April 23,2015.
https://warroom.securestate.com/dll-injection-part-2-createremotethread-and-more/
[61] Microsoft , “Peering Inside the PE: A Tour of the Win32 Portable Executable File Format” , 1994 .https://msdn.microsoft.com/en-us/library/ms809762.aspx
[62] Stud_PE , http://www.cgsoftlabs.ro/studpe.html,2002
[63] 3sLabs, “Scanning Process Memory for Injected Code” ,January 25 ,2013.
http://blog.3slabs.com/2013/01/scanning-process-memory-for-injected.html
[64] erocarrera PEFile, https://github.com/erocarrera/pefile
[65] AV-Comparactives, “File Detection Tests”,April , 2016 . http://www.av-comparatives.org/detection-test/