Solving Local Heap of Stealth Loader Based on API Hook


Author: Xu Xiaoting (徐晓亭), School of Cyber Science and Engineering, Sichuan University, Chengdu 610207

Affiliation: [1] School of Cyber Science and Engineering, Sichuan University, Chengdu 610207

Source: Modern Computer (现代计算机), 2021, No. 35, pp. 20-26 (7 pages)

Abstract: API (application programming interface) obfuscation is a technique that prevents automated sandboxes or reverse engineers from identifying the names of the APIs a program calls, thereby hiding the program's real intent; it is often exploited by malware developers. The latest result in this direction is the Stealth Loader method proposed by Kawakoya et al., which has successfully prevented a variety of static and dynamic analysis tools from tracing and recording program behaviour. However, the system itself still has a number of problems, including ntdll module initialization, local heap sharing between multiple modules, and failure to register message callback functions, which cause the packed program to run unstably. Using the API Hook principle, the API functions involved in writing the global variable BaseHeapHandleTable are hijacked so that the variable's contents are synchronized between the two different module management systems, which resolves the local heap sharing problem. In addition, a free-list-based memory management system is combined with this method and the packed program's IAT (import address table) is removed, which defeats the detection algorithm proposed by Cheng Binlin et al. and causes unpacking to fail. The remaining problems of the method will be addressed in future work.

Keywords: API obfuscation; API Hook; local heap; malicious code attack

Classification: TP309 [Automation and Computer Technology: Computer System Architecture]
