Netinfo Security, 2021, Vol. 21, Issue (12): 38-43. doi: 10.3969/j.issn.1671-1122.2021.12.006


A Memory Forensics Method for Malicious Code Based on Deleted PE File Headers

LI Pengchao1,2, LIU Yanfei1,3

  1. Chongqing Police College, Chongqing 401331, China
  2. Southwest University, Chongqing 400715, China
  3. Tianjin University, Tianjin 300072, China
  • Received: 2021-10-20 Online: 2021-12-10 Published: 2022-01-11
  • Corresponding author: LI Pengchao, E-mail: lipengchao61@qq.com
  • Author biographies: LI Pengchao (born 1983), male, from Chongqing, lecturer, doctoral candidate; main research interests: digital forensics and cybercrime investigation | LIU Yanfei (born 1985), male, from Chongqing, lecturer, doctoral candidate; main research interests: knowledge graphs and online public opinion analysis
  • Funding:
    Science and Technology Research Program of the Chongqing Municipal Education Commission (KJQN201901702)

Research on Forensics Technology of Malicious Code Based on Deleted PE File Header

LI Pengchao1,2(), LIU Yanfei1,3   

  1. Chongqing Police College, Chongqing 401331, China
    2. Southwest University, Chongqing 400715, China
    3. Tianjin University, Tianjin 300072, China
  • Received: 2021-10-20 Online: 2021-12-10 Published: 2022-01-11
  • Contact: LI Pengchao, E-mail: lipengchao61@qq.com

Abstract (translated from the Chinese):

In digital forensics, some malicious programs evade examination by deleting the header of a PE executable and then copying the remainder into memory pages that carry execute protection. After analysing PE executables whose file headers have been maliciously deleted, this paper proposes a method that detects such header-stripped executables by analysing the process Section table stored in memory pages with protected permissions. First, feature elements are used to select the non-private pages with execute protection in the Virtual Address Descriptor (VAD); these pages are likely to hold malicious code. Then the Section header signatures in the corresponding Section table are searched for, and the offset intervals between them are checked for being multiples of the Section header size in order to verify the Section table characteristics. In addition, the proposed algorithm is implemented as a plugin that runs in the Volatility 3 memory forensics framework, and its effectiveness is verified by using the plugin to analyse memory data from a system infected with the Ursnif malware.

Keywords: memory forensics, virtual address descriptor, Volatility 3, malicious code

Abstract:

Some malware removes the headers of an executable file and copies the remainder into memory pages that have execute protection, so that the code is not exposed during memory forensic analysis. This paper proposes a method to detect header-less executable files by searching for the Section table in a memory dump. To this end, it searches for Section header signatures and checks whether the offset intervals between them are multiples of the Section header size in order to identify Section tables. The non-private pages with execute protection in the Virtual Address Descriptor (VAD), which are highly likely to hide malicious code, are selected and scanned for Section tables. In addition, the detection performance is verified by implementing the proposal as a plugin that runs in the Volatility 3 Framework and analysing the memory of a system infected with Ursnif.
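The core check described in both abstracts above, as an added, self-contained example that is not the paper's Volatility 3 plugin code: a page of memory whose DOS/PE header has been zeroed is scanned for Section header name signatures, and hits are kept only when their offsets differ by multiples of the 40-byte IMAGE_SECTION_HEADER size. The VAD walk that selects executable non-private pages is Volatility-specific and is not reproduced here; the page buffer below is constructed input, the list of recognised section names, the maximum gap between recognised headers and the increasing-VirtualAddress plausibility check are this example's own assumptions, not the paper's.

```python
import re
import struct

# Layout of IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Section names commonly emitted by MSVC/GCC toolchains, as they appear in the NUL-padded
# 8-byte Name field. Assumption of this example: packer/custom names are not listed, and
# two recognised names with the right spacing are enough to raise a candidate table.
SECTION_NAME_RE = re.compile(rb"\.(?:text|rdata|data|idata|edata|pdata|rsrc|reloc|bss|tls)\x00")

# Assumption: recognised headers belonging to one table lie at most this many headers apart.
MAX_HEADER_GAP = 4


def parse_section_header(buf, offset):
    """Decode one IMAGE_SECTION_HEADER at `offset`; None if it would run past the buffer."""
    if offset + SECTION_HEADER_SIZE > len(buf):
        return None
    f = struct.unpack_from(SECTION_HEADER_FMT, buf, offset)
    return {
        "name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_size": f[1],
        "virtual_address": f[2],
        "raw_size": f[3],
        "characteristics": f[9],
        "executable": bool(f[9] & IMAGE_SCN_MEM_EXECUTE),
    }


def _flush(group, buf, tables):
    """Turn a group of aligned hits into a reported table if it looks like a real one."""
    if len(group) < 2:
        return
    sections = [parse_section_header(buf, off) for off in group]
    if any(s is None for s in sections):
        return
    vaddrs = [s["virtual_address"] for s in sections]
    # Added plausibility check: real tables have strictly increasing, non-zero VirtualAddress.
    if vaddrs[0] == 0 or any(a >= b for a, b in zip(vaddrs, vaddrs[1:])):
        return
    tables.append({"offset": group[0], "count": len(group), "sections": sections})


def find_section_tables(buf):
    """Return candidate Section tables in `buf` without relying on the MZ/PE signatures.

    A hit joins the current group when its distance from the group's first hit is a
    multiple of SECTION_HEADER_SIZE (the interval test from the paper) and it is not too
    far from the previous hit; otherwise the group is closed and a new one starts.
    """
    tables, group = [], []
    for off in (m.start() for m in SECTION_NAME_RE.finditer(buf)):
        if group and (off - group[0]) % SECTION_HEADER_SIZE == 0 \
                and off - group[-1] <= MAX_HEADER_GAP * SECTION_HEADER_SIZE:
            group.append(off)
        else:
            _flush(group, buf, tables)
            group = [off]
    _flush(group, buf, tables)
    return tables


def build_sample_page():
    """Constructed input: a 4 KiB page whose first 0x1F8 bytes (DOS/PE headers) are zeroed,
    a decoy '.text' string at an unaligned offset, and a three-entry Section table."""
    page = bytearray(0x1000)
    page[0x100:0x108] = b".text\x00\x00\x00"  # decoy string, not a header (interval test rejects it)
    table = 0x1F8
    headers = [  # name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics
        (b".text",  0x1000, 0x2A00, 0x0400, 0x2A00, 0x60000020),  # CODE | EXECUTE | READ
        (b".rdata", 0x4000, 0x1200, 0x2E00, 0x1200, 0x40000040),  # INITIALIZED_DATA | READ
        (b".data",  0x6000, 0x0800, 0x4000, 0x0200, 0xC0000040),  # INITIALIZED_DATA | READ | WRITE
    ]
    for i, (name, vaddr, vsize, raw_ptr, raw_size, chars) in enumerate(headers):
        struct.pack_into(SECTION_HEADER_FMT, page, table + i * SECTION_HEADER_SIZE,
                         name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    page[0x400:0x404] = bytes.fromhex("4883ec28")  # constructed filler standing in for code bytes
    return bytes(page)


if __name__ == "__main__":
    sample = build_sample_page()
    print("MZ signature present:", sample[:2] == b"MZ")
    for t in find_section_tables(sample):
        names = ", ".join(s["name"] for s in t["sections"])
        print(f"candidate Section table at page offset {t['offset']:#x} ({t['count']} headers): {names}")
```

Run stand-alone, the script reports a single candidate table at offset 0x1F8 with `.text`, `.rdata` and `.data`, while the decoy string at 0x100 is dropped because its distance to the real table is not a multiple of 40. In a real plugin the same function would be applied to each executable non-private VAD region, and a reported table would be the cue to carve the region and reconstruct the missing headers.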

Key words: memory forensics, virtual address descriptor, Volatility 3, malicious code

CLC number: