企業及政府機關面臨APT攻擊的威脅，這種攻擊的特色為其隱蔽性，透過處理程序注入(Process Injection)等途徑以規避偵測，藏身於受感染的電腦中。
處理程序注入(Process Injection)是一種在另一個處理程序記憶體位址空間中執行程式碼的方法，可以對處理程序的記憶體、系統或網路資源進行存取，也能夠用以提升權限。由於是在合法處理程序中執行，因此被廣泛用於逃避安全產品的檢測。
惡意軟體開發人員對於混淆技術的廣泛使用產生大量的惡意軟體變種，來自同一惡意軟體家族的惡意檔案不斷地被修改和/或進行模糊處理。龐大的變種數量不僅對電腦系統使用者造成威脅，更加重資安人員分析惡意軟體時的負擔；尤其部分良性軟體運行時也會執行Process Injection注入DLL檔案，使判別是否為惡意檔案的過程更加不易。
本研究提出一個結合動態與靜態分析，以及機器學習的惡意DLL分類架構。歸納出與Process Injection相關的Windows API，利用Windows Hook機制為基礎進行惡意軟體偵測識別；當偵測到Process Injection行為發生時，將被注入的DLL利用VirusTotal網站，以及使用遷移學習(Transfer learning)特性、以Inception V3網路為基礎的CNN分類系統以辨別其是否為惡意檔案，以協助資安人員進行後續分析。

Enterprises and government agencies are confronted with the threat of Advanced Persistent Threats (APT), which is featured by its concealment. APT attacks can evade detection by means of Process Injection, and then hide in infected computers.
Process Injection is a skill which can be used to access the resources of the another process and perform privilege escalation by executing code in the memory address space of target process. Process Injection is widely used to evade detection of security products because it is executed in a legal process.
Malware developers widely use obfuscation techniques for malicious files from the same malware family, resulting in numerous malware variants. The large number of variants not only poses a threat to computer users, but also makes it more difficult for the security personnel to analyze malware. Especially, some benign software also uses Process Injection to inject DLL files, making it more difficult to discriminate malicious files.
In this paper, a malicious DLL classification system combining dynamic and static analysis and machine learning is proposed. The Windows API related to Process Injection is summarized and used to identify the malware based on Windows Hook mechanism. When the Process Injection behavior is detected, the system will use VirusTotal website and the CNN classification system based on the Inception V3 network to identify whether the injected DLL is a malicious file, so as to assist the security personnel for subsequent analysis.

目錄
論文審定書 i
摘要 ii
Abstract iii
目錄 iv
圖次 vi
表次 vii
第一章 緒論 1
1.1 研究背景 1
1.2 研究動機 2
第二章 文獻探討 4
2.1 處理程序注入(Process Injection) 4
2.1.1 動態連結程式庫注入(DLL Injection) 4
2.1.1.1 動態連結程式庫 5
2.1.2 可移植可執行檔案注入(PE Injection) 6
2.1.2.1 反射型DLL注入(Reflective DLL Injection) 7
2.1.3 Process Hollowing 7
2.1.4 執行緒執行攔截(Thread Execution Hijacking) 7
2.1.5 HOOK注入(Hook Injection) 8
2.1.6 登錄檔修改 8
2.1.7 異步過程調用注入(APC Injection) 8
2.1.8 Extra Window Memory Injection(EWMI) 9
2.1.9 使用Shim注入 9
2.1.10 IAT Hooking與Inline Hooking 9
2.1.11 Process Injection與API 10
2.2 Windows API 11
2.2.1 OpenProcess 11
2.2.2 WriteProcessMemory 11
2.2.3 LoadLibrary 12
2.3 惡意行為偵測 12
2.3.1 PID(PE Infection Detector)系統 13
2.3.2 DIB(DLL Injection Blocker)系統 14
2.4 惡意軟體分類 14
2.4.1 CNN(Convolutional Neural Network) 15
第三章 研究方法 17
3.1 特徵選取 17
3.2 監測程式行為 18
3.3 DLL分類 18
3.3.1 將惡意DLL轉為可視化圖像 18
3.3.2 模型概述 20
3.3.3 調整模型 23
3.3.4 取得VirusTotal掃描報告 28
第四章 系統評估 29
4.1 實驗一 Process Injection偵測系統驗證 29
4.2 實驗二 DLL辨別系統驗證 32
4-3 實驗三 與VirusTotal偵測率比較 34
第五章 研究貢獻與未來展望 38
參考資料 39

 
圖次
圖2- 1 OpenProcess結構 11
圖2- 2 WriteProcessMemory結構 12
圖2- 3 LoadLibrary結構 12
圖2- 4 DIB系統流程圖 14
圖3- 1 系統架構圖 17
圖3- 2 wininet.dll轉化成可視圖像 19
圖3- 3 Inception V3網路架構圖 20
圖3- 4 3*3卷積拆解過程 20
圖3- 5 Inception V3模型程式碼顯示該網路整體結構 21
圖3- 6 Inception V3中前三層卷積層程式碼 22
圖3- 7 Inception V3中第一層池化層程式碼 22
圖3- 8 Inception V3中混合層程式碼 23
圖3- 9 採用Inception V3的遷移學習 24
圖3- 10 依據分類區分子資料夾，資料夾名稱即為該分類的label 24
圖3- 11 利用Inception V3模型對圖片提取特徵向量 25
圖3- 12 將原始圖片轉換後的張量 25
圖3- 13 訓練樣本數不足造成準確度下降(良性：1000，惡意：719) 26
圖3- 14 各類別訓練樣本數不均造成準確度下降(良性：2038，惡意：719) 26
圖3- 15 良性樣本數：5000，惡意樣本數：5000，訓練4000次 27
圖3- 16 良性樣本數：5000，惡意樣本數：5000，訓練8000次 27
圖4- 1 模擬惡意軟體攻擊 29
圖4- 2 惡意軟體要求取得記憶體寫入的權限 30
圖4- 3 系統偵測到DLL Injection後進行阻擋並記錄相關資訊 30
圖4- 4 系統產出的事件紀錄檔案 31
圖4- 5 使用scurve轉換的JPG圖片 32
圖4- 6 將惡意檔案之圖片輸入DLL識別系統後產生辨別結果 33
圖4- 7 惡意檔案之VirusTotal掃描報告 33
圖4- 8 將良性檔案之圖片輸入DLL識別系統後產生辨別結果 34
圖4- 9 惡意檔案之VirusTotal掃描報告 34

 
表次
表2- 1 Process Injection技術與API對應表 10
表3- 1 敏感Windows API 17
表4- 1 VirusTotal偵測率及DLL識別系統辨別結果 34

[1]Trend Labs, "什麼是APT進階持續性威脅(Advanced Persistent Threat, APT)," 資安趨勢部落格, 2011. [Online]. Available: https://blog.trendmicro.com.tw/?p=123. [Accessed: Jul. 19, 2018].
[2]"高級長期威脅," Wikipedia, 2018. [Online]. Available: https://zh.wikipedia.org/wiki/高级长期威胁. [Accessed: Jul. 19, 2018].
[3]W. Rafferty, "M-Trends: Advanced Persistent Threat Malware," FireEye, 2010. [Online]. Available: https://www.fireeye.com/blog/threat-research/2010/01/m-trends-advanced-persistent-threat-malware.html. [Accessed: Jul. 19, 2018].
[4]"Process Injection," Attack.mitre.org, 2018. [Online]. Available: https://attack.mitre.org/wiki/Technique/T1055. [Accessed: Jul. 19, 2018].
[5]Symantec, "Internet security threat report (April 2017)," [Online]. Available: https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf. [Accessed: Jul. 19, 2018].
[6]L. Nataraj, S. Karthikeyan and B. S. Manjunath, "Sattva: Sparsity inspired classification of malware variants," in Proceedings of the 3rd ACM Workshop on Information Hiding and Multimedia Security. ACM, 2015, pp. 135–140.
[7]"Desktop Operating System Market Share Worldwide," StatCounter Global Stats, 2017. [Online]. Available: http://gs.statcounter.com/os-market-share/desktop/worldwide [Accessed: Nov. 26, 2017].
[8]"Operating System Market Share," NetMarketShare, 2017. [Online]. Available: https://www.netmarketshare.com/. [Accessed: Nov. 26, 2017].
[9]A. Hosseini, "Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques," Endgame, 2017. [Online]. Available: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process. [Accessed: Jul. 19, 2018].
[10]D. Vidyarthi, "Detection of Stealth Process using Hooking," in Proceedings of the Third International Symposium on Women in Computing and Informatics. ACM, 2015, pp. 602-607.
[11]S. Kim, J. Park, K. Lee, I. You and K. Yim, "A Brief Survey on Rootkit Techniques in Malicious Codes," Journal of Internet Services and Information Security (JISIS), vol. 3, no. 4, pp. 134-147, 2012.
[12]"Working with the AppInit_DLLs registry value," [Online]. Available: https://support.microsoft.com/en-us/help/197571. [Accessed: Nov. 27, 2017].
[13]J. Berdajs and Z. Bosnić, "Extending applications using an advanced approach to Dll injection and Api hooking," Software: Practice and Experience, vol. 40, no. 7, pp. 567-584, 2010.
[14]R. Kuster, "Three Ways to Inject Your Code into Another Process," Codeproject, 2003. [Online]. Available: https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces. [Accessed: Nov. 27, 2017].
[15]B. Antoniewicz, "Windows DLL Injection Basics," Open Security Research, 2013. [Online]. Available: http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html. [Accessed: Nov. 27, 2017].
[16]"Differences Between Applications and DLLs," [Online]. Available: https://msdn.microsoft.com/en-us/library/d1587c1h.aspx. [Accessed: Nov. 26, 2017].
[17]"Advantages of Using DLLs," [Online]. Available: https://msdn.microsoft.com/en-us/library/dtba4t8b.aspx. [Accessed: Nov. 26, 2017].
[18]"AppInit DLLs and Secure Boot," Microsoft Developer Network, 2018. [Online]. Available: https://msdn.microsoft.com/en-us/library/dn280412.aspx. [Accessed: Jul. 17, 2017].
[19]"Extra Window Memory Injection," Attack.mitre.org, 2018. [Online]. Available: https://attack.mitre.org/wiki/Technique/T1181. [Accessed: Jul. 19, 2018].
[20]M. Christodorescu, S. Jha, S. A. Seshia, D. Song and R. E. Bryant, "Semantics-aware malware detection," 2005 IEEE Symposium on Security and Privacy (S&P''05), 2005, pp. 32-46.
[21]N. Idika and A. P. Mathur, "A survey of malware detection techniques," Purdue University, 2007.
[22]M. Egele, T. Scholte, E. Kirda and C. Kruegel, "A survey on automated dynamic malware-analysis techniques and tools," ACM computing surveys (CSUR), vol. 44, no. 2, 2012.
[23]林志鴻 and 楊中皇, "用於網路鑑識分析之惡意程式搜集系統設計與實作," in 全國資訊安全會議, 2011.
[24]H. I. Lim, "Detecting Malicious Behaviors of Software through Analysis of API Sequence k-grams," Computer Science and Information Technology, vol. 4, no. 3, pp. 85-91, 2016.
[25]C. Wang, J. Pang, R. Zhao and X. Liu, "Using API Sequence and Bayes Algorithm to Detect Suspicious Behavior," 2009 International Conference on Communication Software and Networks, 2009, pp. 544-548.
[26]M. Alazab, S. Venkataraman and P. Watters, "Towards understanding malware behaviour by the extraction of API calls," 2010 Second Cybercrime and Trustworthy Computing Workshop, 2010, pp. 52-59.
[27]R. Veeramani and N. Rai, "Windows API based malware detection and framework analysis," in International Conference on Networks and Cyber Security, vol. 25, 2012.
[28]C. Wang, J. Pang, R. Zhao, W. Fu and X. Liu, "Malware Detection Based on Suspicious Behavior Identification," 2009 First International Workshop on Education Technology and Computer Science, 2009, pp. 198-202.
[29]P. Faruki, V. Laxmi, M. S. Gaur and P. Vinod, "Behavioural detection with API call-grams to identify malicious PE files," in Proceedings of the First International Conference on Security of Internet of Things. ACM, 2012, pp. 85-91.
[30]M. Alazab, R. Layton, S. Venkataraman and P. Watters, "Malware detection based on structural and behavioural features of api calls," in Proceedings of the 1st International Cyber Resilience Conference, 2010.
[31]C. Ravi and R. Manoharan, "Malware Detection using Windows Api Sequence and Machine Learning," International Journal of Computer Applications, vol. 43, no. 17, pp. 12-16, 2012.
[32]張子敬, "偵測以注入惡意DLL檔案之惡意程式研究," 碩士論文, 國立中山大學資訊管理學系, 2016.
[33]龍志雄, "在動態環境中偵測動態連結程式庫的注入攻擊," 碩士論文, 國立中山大學資訊管理學系, 2017.
[34]L. Nataraj, S. Karthikeyan, G. Jacob and B. S. Manjunath, "Malware images: visualization and automatic classification," in Proceedings of the 8th international symposium on visualization for cyber security. ACM, 2011, p. 4.
[35]W. Hardy, L. Chen, S. Hou, Y. Ye and X. Li, "Dl4md: A deep learning framework for intelligent malware detection," in Proceedings of the International Conference on Data Mining (DMIN), 2016, p. 61.
[36]M. G. Schultz, E. Eskin, F. Zadok and S. J. Stolfo, "Data mining methods for detection of new malicious executables," Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001, Oakland, CA, USA, 2001, pp. 38-49.
[37]J. Z. Kolter and M. A. Maloof, "Learning to detect malicious executables in the wild," in Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, 2004, pp. 470–478.
[38]D. Gibert, "Convolutional neural networks for malware classification," Master’s thesis, Universitat Politecnica de Catalunya, 2016.
[39]M. Kalash, M. Rochan, N. Mohammed, N. D. B. Bruce, Y. Wang and F. Iqbal, "Malware Classification with Deep Convolutional Neural Networks," 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Paris, 2018, pp. 1-5.
[40]Y. LeCun, "LeNet-5, convolutional neural networks," 2015. [Online]. Available: http://yann.lecun.com/exdb/lenet/. [Accessed: Aug. 2, 2018].
[41]"Intro to convolutional neural networks," TensorFlow, [Online]. Available: https://www.tensorflow.org/tutorials/layers. [Accessed: Aug. 2, 2018].
[42]K. Simonyan and A. Zisserman, "Very deep convolutional networks for large-scale image recognition," arXiv preprint arXiv:1409.1556, 2014.
[43]A. Cortesi, "scurve," GitHub, [Online]. Available: https://github.com/cortesi/scurve. [Accessed: Jul. 19, 2018].
[44]C. Szegedy, V. Vanhoucke, S. Ioffe, J. Shlens and Z. Wojna, "Rethinking the inception architecture for computer vision," in Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 2818-2826, 2016.
[45]A. Alemi, "Improving Inception and Image Classification in TensorFlow," Google AI Blog, 2016. [Online]. Available: https://ai.googleblog.com/2016/08/improving-inception-and-image.html. [Accessed: Sep. 3, 2018].
[46]J. Donahue, Y. Jia, O. Vinyals, J. Hoffman, N. Zhang, E. Tzeng and T. Darrell, "Decaf: A deep convolutional activation feature for generic visual recognition," in International conference on machine learning, pp. 647-655, 2014.
[47]"Module google/imagenet/inception_v3/feature_vector/1," TensorFlow, [Online]. Available: https://www.tensorflow.org/hub/modules/google/imagenet/inception_v3/feature_vector/1. [Accessed: Aug. 2, 2018].