Research on Detection of Dynamic Link Library Injected by Static Modifying Import Table of Portable Executable File

Cited by: 2


Authors: YU Yong-bin [1]; YU Wen-jian; MO Jie-hong; KANG Zheng-fei

Affiliations: [1] School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054; [2] Chengdu College of University of Electronic Science and Technology of China, Chengdu 611731

Source: Journal of University of Electronic Science and Technology of China, 2020, No. 6, pp. 854-859 (6 pages)

Funding: National Natural Science Foundation of China, International Young Scientists Research Fund (61550110248); Sichuan Provincial Science and Technology Department Major Science and Technology Project (2019YFG0190).

Abstract: This paper studies the detection of dynamic link libraries (DLLs) injected by statically modifying the import table of a portable executable (PE) file, and proposes a common detection method based on legal scope and a depth detection method based on exception backtracking. The first method works statically: it calculates the range over which the data structures of all imported DLLs are arranged, without parsing a DLL's functionality to infer whether it is malicious. The second method applies the idea of debugging to malicious DLL detection: it controls the execution of the target program, tracks the DLL loading process during the target program's initialization phase, and uses the debugging API to capture exceptions in order to realize detection. A DLL detection experiment was designed in C++: a DLL with download functionality was injected into the target program, and a detection tool, DLL Detector, was designed and developed to detect it. The experiment successfully detected suspicious modules both in the static phase and in the program initialization phase. Both methods support 32-bit and 64-bit PE files and can be used to guard against malicious code.
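As an added illustration of the first (legal-scope) method, not code from the paper or from the authors' DLL Detector tool: a small Python check over a constructed import table. The abstract does not spell out the exact range rule, so this example assumes the rule that every RVA referenced by an import descriptor (name string, IAT, and INT when present) must resolve to the same section as the import directory itself; the section table, RVAs and the appended descriptor are constructed sample data.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESCRIPTOR = struct.Struct("<IIIII")

def parse_import_descriptors(blob):
    """Parse consecutive IMAGE_IMPORT_DESCRIPTOR entries up to the all-zero terminator."""
    entries = []
    for off in range(0, len(blob) - DESCRIPTOR.size + 1, DESCRIPTOR.size):
        oft, _ts, _fwd, name, ft = DESCRIPTOR.unpack_from(blob, off)
        if oft == 0 and name == 0 and ft == 0:
            break
        entries.append({"oft": oft, "name": name, "ft": ft})
    return entries

def section_of(sections, rva):
    """Name of the section whose virtual range contains rva, or None if unmapped."""
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return None

def out_of_scope_imports(sections, import_dir_rva, descriptors):
    """Assumed legal-scope rule: every RVA a descriptor references must lie in the
    same section as the import directory. Entries appended by a static injector
    typically point into a new section or unused space elsewhere and fail this check."""
    home = section_of(sections, import_dir_rva)
    flagged = []
    for d in descriptors:
        refs = [d["name"], d["ft"]] + ([d["oft"]] if d["oft"] else [])
        if home is None or any(section_of(sections, r) != home for r in refs):
            flagged.append(d)
    return flagged

# Constructed sample: section table (name, VirtualAddress, VirtualSize) of a 32-bit image
SECTIONS = [(".text", 0x1000, 0x1000), (".rdata", 0x2000, 0x1000), (".inj", 0x5000, 0x1000)]
IMPORT_DIR_RVA = 0x2100
# Constructed descriptors: one genuine entry whose INT/name/IAT all sit in .rdata,
# one appended entry whose name and IAT live in the added .inj section, then the terminator.
IMPORT_BLOB = (DESCRIPTOR.pack(0x2200, 0, 0, 0x2300, 0x2400)
               + DESCRIPTOR.pack(0, 0, 0, 0x5010, 0x5020)
               + DESCRIPTOR.pack(0, 0, 0, 0, 0))

def demo():
    """Run the legal-scope check over the constructed sample; returns flagged descriptors."""
    return out_of_scope_imports(SECTIONS, IMPORT_DIR_RVA, parse_import_descriptors(IMPORT_BLOB))

if __name__ == "__main__":
    for d in demo():
        print("suspicious import descriptor: name RVA 0x%x, IAT RVA 0x%x" % (d["name"], d["ft"]))
```

The check is a static heuristic only; bound imports, delay-load tables and unusual linkers are not covered, which is why the paper pairs it with the debugger-based depth method.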

Keywords: DLL detection; DLL injection; import table; PE file format

Classification: TP309.5 [Automation and Computer Technology: Computer System Architecture]
