A new approach for detecting process injection attacks using memory analysis

  • Regular Contribution
  • International Journal of Information Security

Abstract

This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility, and the executables loaded by the active process are listed and checked for violations. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques, including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate reached 99.93% with a false-positive rate of 0.068%. Moreover, the accuracy was monitored in the case of launching several malware samples using different process injection techniques simultaneously, and the detector was able to detect them efficiently. It also achieved an average detection time of 0.052 msec per detected malware.
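The abstract describes a Master that buckets work per process and hands the violation checks to agents, with the evidence coming from Event Tracing for Windows and from the list of images loaded by the process. The following is an added example (not the paper's detection tool, whose source is not on this page) that shows that division of labour in Python over a constructed event stream. The event records, the `creator_pid` field, the process ids and the `TRUSTED_IMAGE_DIRS` list are all assumptions; real Kernel-Process ETW payloads carry more fields and different names.

```python
"""Added example (not the paper's tool): ETW-style event triage with a
master/agent split. The event records, the process table and the list of
trusted image directories are constructed sample data; the field names are a
simplified stand-in for the payloads of real Kernel-Process ETW events."""
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Assumption: a benign process in this environment loads images only from here.
TRUSTED_IMAGE_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/", "c:/program files/")

# Constructed event stream. A real collector would receive these from ETW;
# creator_pid is the process that created the thread.
SAMPLE_EVENTS = [
    {"event": "ProcessStart", "pid": 4120, "parent_pid": 2200,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"event": "ImageLoad", "pid": 4120, "image": r"C:\Windows\System32\kernel32.dll"},
    {"event": "ThreadStart", "pid": 4120, "creator_pid": 2200},   # initial thread, made by parent
    {"event": "ImageLoad", "pid": 4120, "image": r"C:\Users\bob\AppData\Local\Temp\payload.dll"},
    {"event": "ThreadStart", "pid": 4120, "creator_pid": 7788},   # thread created by a third process
    {"event": "ProcessStart", "pid": 5160, "parent_pid": 2200,
     "image": r"C:\Program Files\App\app.exe"},
    {"event": "ImageLoad", "pid": 5160, "image": r"C:\Windows\System32\user32.dll"},
    {"event": "ThreadStart", "pid": 5160, "creator_pid": 2200},
    {"event": "ThreadStart", "pid": 5160, "creator_pid": 5160},
]


def _norm(path):
    """Normalise a Windows path for prefix comparison (case and separators)."""
    return path.replace("\\", "/").lower()


def group_by_process(events):
    """Master side: bucket the stream by process id, preserving event order."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev["pid"]].append(ev)
    return dict(per_pid)


def check_process(pid, events):
    """Agent side: inspect one process's events, return (kind, detail) violations."""
    parent = next((ev["parent_pid"] for ev in events if ev["event"] == "ProcessStart"), None)
    violations = []
    for ev in events:
        if ev["event"] == "ImageLoad":
            # An image loaded from outside the trusted directories is a violation.
            if not _norm(ev["image"]).startswith(TRUSTED_IMAGE_DIRS):
                violations.append(("untrusted_image_dir", ev["image"]))
        elif ev["event"] == "ThreadStart":
            # The first thread is legitimately created by the parent; any other
            # thread created from outside the process is a remote-thread indicator.
            if ev["creator_pid"] not in (pid, parent):
                violations.append(("remote_thread_creator", ev["creator_pid"]))
    return violations


def run_master(events, workers=4):
    """Master: distribute per-process checks to agent workers, collect the hits."""
    per_pid = group_by_process(events)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pid: pool.submit(check_process, pid, evs) for pid, evs in per_pid.items()}
        results = {pid: f.result() for pid, f in futures.items()}
    return {pid: v for pid, v in results.items() if v}


if __name__ == "__main__":
    for pid, hits in run_master(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Running the block reports only pid 4120, with the image loaded from the user's Temp directory and the thread created by pid 7788. The trusted-directory rule is deliberately strict; in a real deployment it needs a per-host allow-list, otherwise legitimately installed software under user profiles will produce false positives of the kind the abstract's 0.068% figure measures.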

Notes

  1. To go deeper and read more about the memory management process, Virtual Address Descriptors (VAD)s, Handles, and PE files format, you can refer to the following references: [11, 13, 40, 61, 70].

References

  1. Afreen, A., Aslam, M., Ahmed, S.: Analysis of fileless malware and its evasive behavior. In: 2020 International Conference on Cyber Warfare and Security (ICCWS), Islamabad, Pakistan, 2020, pp. 1–8 (2020). https://doi.org/10.1109/ICCWS48432.2020.9292376.

  2. Angelystor Process Injection Techniques used by Malware. Accessed July 10, 2022, (2020, June 24). from Medium: https://medium.com/csg-govtech/process-injection-techniques-used-by-malware-1a34c078612c

  3. Aslan, Ö.A., Samet, R.: A comprehensive review on malware detection approaches. IEEE Access 8, 6249–6271 (2020). https://doi.org/10.1109/ACCESS.2019.2963724

  4. Attaallah, A., Alsuhabi, H., Shukla, S., Kumar, R., Gupta, B.K., Khan, R.A.: Analyzing the big data security through a unified decision-making approach. Intell. Autom. Soft Comput. 32(2), 1071–1088 (2022)

  5. Almulihi, A.H., Alassery, F., Khan, A.I., Shukla, S., Gupta, B.K., Kumar, R.: Analyzing the implications of healthcare data breaches through computational technique. Intell. Autom. Soft Comput. 32(3), 1763–1779 (2022)

  6. AV-TEST. Malware Statistics & Trends Report | AV-TEST. Accessed May 13, 2023, (2023) from AV-TEST: https://www.av-test.org/en/statistics/malware/

  7. AV-TEST. The IT Security Status at a Glance: The AV-TEST Security Report 2016/2017. Accessed November 02, 2022, (2017, July 05) from Tech. Rep.: https://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2015-2016.pdf

  8. Balaoura, S.: Process injection techniques and detection using the Volatility Framework. Master’s thesis, University of Piraeus, Piraeus, Greece (2018)

  9. Blaam, M.: Great explanation of Process Hollowing (a Technique often used in Malware). Accessed November 2, 2022, from GitHub: https://github.com/m0n0ph1/Process-Hollowing (2021, August 21)

  10. Block, F., Dewald, A.: Windows memory forensics: detecting (un)intentionally hidden injected code by examining page table entries. Digit. Investig. 29, S3–S12 (2019). https://doi.org/10.1016/j.diin.2019.04.008

  11. Bridge, K., Abram, N., Kennedy, J., Batchelor, D., Coulter, D., Krell, J., LeBlanc, M.: PE Format. MS Docs. Accessed November 25, 2022 (2021a, November 8)

  12. Bridge, K., Sharkey, K., Coulter, D., Jacobs, M., Satran, M.: About event tracing. MS Docs. Accessed December 20, 2022 (2021b, January 7)

  13. Bridge, K., Sharkey, K., Coulter, D., Batchelor, D., Satran, M.: Thread handles and identifiers. MS Docs. Accessed November 8, 2022 (2021c, January 7)

  14. Chang, T.: Detecting Malware with DLL Injection And PE Infection. Master’s thesis, National Sun Yat-sen University, Taiwan (2016)

  15. Chen, C., Lai, G., Cai, Z., Chang, T., Lee, B.: Detecting pe-infection based malware. Int. J. Secur. Netw. 16(3), 191–199 (2021). https://doi.org/10.1504/IJSN.2021.117871

  16. Cooper, S.: Fileless malware attacks explained (with examples). Accessed May 18, 2022, (2021, May 14). from Comparitech: https://www.comparitech.com/blog/information-security/fileless-malware-attacks/

  17. Cruz, M., de la Pena Perona, M., Rivera, B., Ang, K.: Washington, DC: U.S. Patent and Trademark Office Patent No. 8,572,739 (2013)

  18. Dai, Y., Li, H., Qian, Y., Lu, X.: A malware classification method based on memory dump grayscale image. Digit. Investig. 27, 30–37 (2018). https://doi.org/10.1016/j.diin.2018.09.006

  19. Das, S., Mathew, M., Vijayaraghavan, P.: An Approach for optimal feature subset selection using a new term weighting Scheme and mutual information. In: Proceeding of the International Conference on Advanced Science, Engineering and Information Technology, pp. 273–278. Academia, Putrajaya, Malaysia (2011)

  20. Duan, Y., Fu, X., Luo, B., Wang, Z., Shi, J., Du, X.: Detective: Automatically identify and analyze malware processes in forensic scenarios via DLLs. In: 2015 IEEE International Conference on Communications (ICC), pp. 5691–5696. London, UK, IEEE (2015)

  21. Dubyk, M.: Leveraging the PE Rich Header for Static Malware Detection and Linking. SANS Institute, Bethesda, Maryland, United States (2019)

  22. Fewer, S.: ReflectiveDLLInjection. Accessed October 26, 2022, (2013, September 5). from GitHub: https://github.com/stephenfewer/ReflectiveDLLInjection

  23. Firch, J.: 2021 Cyber security statistics: the ultimate list of stats, data & trends. Accessed September 10, 2021, (2021). from Purplesec: https://purplesec.us/resources/cyber-security-statistics/

  24. GitHub, & OpenAI. Your AI pair programmer. Accessed October 22, 2022, (2021). from GitHub Copilot: https://copilot.github.com/

  25. Github-milkdevil. injectAllTheThings. Accessed October 29, 2022, (2017, July 21). from GitHub: https://github.com/milkdevil/injectAllTheThings

  26. Gorelik, M., Moshailov, R.: Fileless Malware: Attack Trend Exposed. Morphisec Ltd. (2017)

  27. Gorelik, M.: Machine learning can’t protect you from fileless attacks. Accessed August 27, 2022, (2020, May 13). from SecurityBoulevard: https://securityboulevard.com/2020/05/machine-learning-cant-protect-you-from-fileless-attacks/

  28. Hasherezade. Process Doppelganging meets Process Hollowing in Osiris dropper. Accessed September 20, 2022, (2018, September 25). from Malwarebytes Labs: https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/

  29. Hosseini, A.: Ten process injection techniques: A technical survey of common and trending process injection techniques. Accessed September 3, 2022, (2017). from Elastic: https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

  30. Javaheri, D., Hosseinzadeh, M.: A Solution for Early Detection and Negation of Code and DLL Injection Attacks of Malwares. J. Adv. Def. Sci. Technol. 10(4), 393–406 (2020)

  31. Javeed, D., Khan, M., Ahmad, I., Iqbal, T., Badamasi, U., Ndubuisi, C., Umar, A.: An efficient approach of threat hunting using memory forensics. Int. J. Comput. Netw. Commun. Secur. 8(5), 37–45 (2020)

  32. Khasaia, L.: InjectProc - Process Injection Techniques. (2019, February 10). Accessed October 25, 2022, from GitHub: https://github.com/secrary/InjectProc

  33. KSLGroup. Threadmap Volatility Plugin. Accessed November 02, 2022, (2021, August 23) from GitHub: https://github.com/kslgroup/threadmap

  34. Li, Y., Li, W., Jiang, C.: A survey of virtual machine system: Current technology and future trends. In: 2010 Third International Symposium on Electronic Commerce and Security, pp. 332–336. Nanchang, China, IEEE (2010)

  35. Liang, H., Rugerio, D., Chen, L., Xu, S.: What is a DLL. MS Docs. Accessed February 11, 2023 (2022, January 23)

  36. Lim, S., Im, E.: Proposal of process hollowing attack detection using process virtual memory data similarity. J. Korea Inst. Inf. Secur. Cryptol. 29(2), 431–438 (2019). https://doi.org/10.13089/JKIISC.2019.29.2.431

  37. Liu, W., Steven, G.: A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Accessed October 2, 2022, (2021). from Process Hacker: https://processhacker.sourceforge.io/

  38. Microsoft Developer. Download a Windows 10 virtual machine. Accessed September 22, 2022, (2021). from Microsoft Developer: https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

  39. Mikben Batchelor, D., Sharkey, K., Coulter, D., Kennedy, J., Satran, M.: Memory Protection Constants. MS Docs. Accessed October 11, 2022 (2021, March 22)

  40. Mikben, Sharkey, K., Satran, M.: About Memory Management. MS Docs. Accessed November 8, 2022 (2021, January 7)

  41. Mohd Yusof, M., Mokhtar, M.: A review of predictive analytic applications of bayesian network. Int. J. Adv. Sci. Eng. Inf. Technol. 6(6), 857–867 (2016). https://doi.org/10.18517/ijaseit.6.6.1382

  42. Monnappa, K.: Detecting deceptive process hollowing techniques using hollowfind volatility plugin. Accessed August 25, 2022, (2016a, September 22). from Cysinfo: https://cysinfo.com/detecting-deceptive-hollowing-techniques/

  43. Monnappa, K.: Hollowfind Volatility Plugin. Accessed August 25, 2022, (2016b, September 24). from GitHub: https://github.com/monnappa22/HollowFind

  44. Monnappa, K.: Psinfo Volatility Plugin. Accessed August 25, 2022, (2016c, September 24). from GitHub: https://github.com/monnappa22/Psinfo

  45. Mosli, R., Li, R., Yuan, B., Pan, Y.: A behavior-based approach for malware detection. In: IFIP International Conference on Digital Forensics, pp. 187–201. Springer, Cham, Orlando, FL, USA (2017)

  46. Mosli, R., Li, R., Yuan, B., Pan, Y.: Automated malware detection using artifacts in forensic memory images. In: 2016 IEEE Symposium on Technologies for Homeland Security (HST), pp. 1–6. IEEE, Waltham, MA, USA (2016)

  47. Otsuki, Y., Kawakoya, Y., Iwamura, M., Miyoshi, J., Faires, J., Lillard, T.: Toward the analysis of distributed code injection in post-mortem forensics. In: 14th International Workshop on Security, IWSEC 2019. 11689, pp. 391–409. Tokyo, Japan: Springer, Cham (2019)

  48. Pingios, A., Beek, C., Becwar, R.: Process injection, technique T1055 - enterprise. Accessed November 8, 2022, (2017, May 31). from MITRE ATT&CK: https://attack.mitre.org/techniques/T1055/

  49. Rathnayaka, C., Jamdagni, A.: An efficient approach for advanced malware analysis using memory forensic technique. In: 2017 IEEE Trustcom/BigDataSE/ICESS, pp. 1145–1150. IEEE, Sydney, NSW, Australia (2017)

  50. Red Teaming Experiments. Code & Process Injection. Accessed November 5, 2022, (2021). from ired.team: https://www.ired.team/offensive-security/code-injection-process-injection

  51. Sahu, K., Srivastava, R.K.: Needs and importance of reliability prediction: an industrial perspective. Inf. Sci. Lett. 9(1), 33–37 (2020)

  52. Sahu, K., Srivastava, R.K.: Predicting software bugs of newly and large datasets through a unified neuro-fuzzy approach: reliability perspective. Adv. Math. Sci. J. 10(1), 543–555 (2021)

  53. Sahu, K., Srivastava, R.K., Kumar, S., Saxena, M., Gupta, B.K., Verma, R.P.: Integrated hesitant fuzzy-based decision-making framework for evaluating sustainable and renewable energy. Int. J. Data Sci. Anal. 16(3), 371–390 (2023)

  54. Sahu, K., Alzahrani, F.A., Srivastava, R.K., Kumar, R.: Evaluating the impact of prediction techniques: software reliability perspective. Comput. Mater. Continua 67(2), 1471–1488 (2021)

  55. Sahu, K., Alzahrani, F.A., Srivastava, R.K., Kumar, R.: Hesitant fuzzy sets based symmetrical model of decision-making for estimating the durability of web application. Symmetry 12(11), 1770 (2020)

  56. Sahu, K., Srivastava, R.K.: Soft computing approach for prediction of software reliability. Neural Netw. 17, 19 (2018)

  57. Salman, M., Husna, D., Viani, N.: Static Analysis Method on Portable Executable Files for REMNUX based Malware Identification. In: 2019 IEEE 10th International Conference on Awareness Science and Technology (iCAST), pp. 1–6. IEEE, Morioka, Japan (2019)

  58. Sihwail, R., Omar, K., Ariffin, K.: An effective memory analysis for malware detection and classification. CMC-Comput. Mater. Continua 67(2), 2301–2320 (2021). https://doi.org/10.32604/cmc.2021.014510

  59. Sihwail, R., Omar, K., Ariffin, K.: A survey on malware analysis techniques: static, dynamic, hybrid and memory analysis. Int. J. Adv. Sci. Eng. Inf. Technol. 8(4–2), 1662–1671 (2018). https://doi.org/10.18517/ijaseit.8.4-2.6827

  60. Srivastava, A., Jones, J.: Detecting code injection by cross-validating stack and VAD information in windows physical memory. In: 2017 IEEE Conference on Open Systems (ICOS), pp. 83–89. IEEE, Miri, Malaysia (2017)

  61. Subedi, K., Budhathoki, D., Dasgupta, D.: Forensic analysis of ransomware families using static and dynamic analysis. In: 2018 IEEE Security and Privacy Workshops (SPW), pp. 180–185. IEEE, San Francisco, CA, USA (2018)

  62. Teller, T., Hayon, A.: Enhancing automated malware analysis machines with memory analysis. London, England and Wales: BlackHat, InformaTech. Retrieved from https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Teller-Automated-Memory-Analysis-WP.pdf (2014)

  63. Thompson, E.: Cybersecurity Incident Response: How to Contain, Eradicate, and Recover from Incidents, 1st edn. Apress, New York, USA (2018)

  64. VMware Docs. VMware Workstation 15.5.1 Pro Release Notes. Accessed September 22, 2022, (2019, November 12). from VMware Docs: https://docs.vmware.com/en/VMware-Workstation-Pro/15.5/rn/VMware-Workstation-1551-Pro-Release-Notes.html

  65. Volatility Foundation. The Volatility Foundation - Open-Source Memory Forensics. Accessed March 29, 2023, (2020). from VolatilityFoundation: https://www.volatilityfoundation.org/

  66. Webb, M.: Evaluating tool based automated malware analysis through persistence mechanism detection. Doctoral dissertation, Kansas State University, Manhattan, USA (2018)

  67. White, A., Schatz, B., Foo, E.: Integrity verification of user space code. Digit. Investig. 10, S59–S68 (2013). https://doi.org/10.1016/j.diin.2013.06.007

  68. Xiao, C., Zheng, C.: New IoT/Linux Malware Targets DVRs, Forms Botnet. Accessed September 19, 2022, (2017, April 6). from Paloaltonetworks: https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

  69. Yadav, A., Garg, M.: Docker containers versus virtual machine-based virtualization. In: Emerging Technologies in Data Mining and Information Security, pp. 141–150. Springer, Singapore (2019)

  70. Yosifovich, P., Solomon, D., Ionescu, A.: Windows Internals, Part 1: System architecture, processes, threads, memory management, 7th edn. Microsoft Press, Redmond (2017)

  71. Zadeh, L.: Fuzzy logic. Computer 21(4), 83–93 (1988). https://doi.org/10.1109/2.53

  72. Zhang, S., Hu, Y., Bian, G.: Research on string similarity algorithm based on Levenshtein Distance. In: 2017 IEEE 2nd Advanced Information Technology, Electronic and Automation Control Conference (IAEAC), pp. 2247–2251. IEEE, Chongqing, China (2017)

Funding

No funds, grants, or other support was received for the submitted work.

Author information

Corresponding author

Correspondence to Mohammed Nasereddin.

Ethics declarations

Conflict of interest

The authors assert that there are no potential conflicts of interest. The authors have no relevant financial or non-financial interests to disclose.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix: main tools and experiments

1.1 Main tools

Three main tools were programmed. The first is an integrated project called "Injection Tool" for process injection attacks, in which each injection technique is a complete project with sequential steps and lines of code extracted from its sources (Fig. 21).

Fig. 21 Manual injection tool

Second, the "Automated Injection Tool" was developed to launch a larger number of attacks at the same time, and to combine more than one type of attack in the same run. It works the same way as the Manual Injection Tool but with more options (Fig. 22).

Fig. 22 Automated injection tool

Third, C/C++ was used to develop the "Automated Detection Tool," which enumerates the processes and organizes the work of the agents used in detection (Fig. 23).

Fig. 23 Automated detection tool

1.2 Process injection attacks: execution and detection

This part describes experiments conducted on the most common process injection attacks to evaluate the performance of the proposed approach. For each experiment, we first analyze the memory state manually using the Process Hacker 2 software before injection. Then, during the attack, we check the results of the Automated Detection Tool that implements the proposed approach while monitoring the memory changes with Process Hacker during and after the attack.

  • The first experiment: The attack was carried out on one process using four different attack techniques: DLL Injection via "CreateRemoteThread()", Reflective DLL Injection, DLL Injection via "SetWindowsHook()", and Process Hollowing. The attacks were launched at separate intervals, and each time the tool was able to accurately detect the attack in a time ranging from 0.738 to 1.592 seconds.

  • The second experiment: The Automated Injection Tool was used to target a large number of processes simultaneously. In the first execution, 73 processes were injected using the Reflective DLL Injection technique, and the tool succeeded in detecting all of them within 4.156 seconds. In the second execution, 445 processes were injected using the DLL Injection via Stealth "CreateRemoteThread()" technique, and it took 24.478 seconds to detect 444 of the 445 injected processes.

  • The third experiment: An attack was performed using two different techniques (.NET DLL Injection and Shellcode DLL Injection) on two different processes at the same time. The tool was able to detect both in 2.066 seconds.
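The experiments above compare a process's memory as shown by Process Hacker before, during and after an injection, and report the time the detector needed. The following is an added example, not the paper's Automated Detection Tool, that makes that before/during comparison explicit in Python: it diffs two region lists and reports the two indicators the paper's technique list implies, a new executable private region with no backing file (the footprint of a module mapped without the loader) and a main-module address range that is no longer an image mapping (the footprint of a hollowed process). The `Region` fields, the addresses, the module names and the timestamps are constructed; the layout only loosely mirrors a memory viewer's per-region display.

```python
"""Added example (not the paper's tool): diffing a process's memory map before
and during an injection, the comparison the appendix performs by hand with a
memory viewer. Region records, addresses and timestamps are constructed; the
fields loosely follow what a per-region memory view shows."""
from dataclasses import dataclass
from typing import Optional

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: str
    kind: str                  # "image", "mapped" or "private"
    backing: Optional[str]     # file the region is mapped from; None if private


IMAGE_BASE = 0x7FF6_1000_0000   # constructed load address of the main module

# Constructed baseline taken before the attack: main image, one system DLL, a heap.
BASELINE = [
    Region(IMAGE_BASE, 0x36000, "PAGE_EXECUTE_READ", "image", r"C:\Windows\System32\notepad.exe"),
    Region(0x7FFA_2000_0000, 0xC0000, "PAGE_EXECUTE_READ", "image", r"C:\Windows\System32\kernel32.dll"),
    Region(0x1E0_0000_0000, 0x10000, "PAGE_READWRITE", "private", None),
]

# Constructed "during attack" map A: the baseline plus a new private, executable
# region that no file backs, i.e. code that arrived without the image loader.
DURING_REFLECTIVE = BASELINE + [
    Region(0x1E0_0010_0000, 0x24000, "PAGE_EXECUTE_READWRITE", "private", None),
]

# Constructed "during attack" map B: the main module's address range is still
# present but is now private memory rather than an image mapping of the file.
DURING_HOLLOWING = [
    Region(IMAGE_BASE, 0x36000, "PAGE_EXECUTE_READWRITE", "private", None),
] + BASELINE[1:]


def find_injection_indicators(baseline, current, image_base):
    """Return (indicator, base) pairs for regions that changed suspiciously."""
    known = {r.base for r in baseline}
    findings = []
    for r in current:
        # New executable memory that is private (not file-backed) was not
        # placed there by the loader.
        if r.base not in known and r.kind == "private" and r.protect in EXECUTABLE:
            findings.append(("unbacked_executable_region", r.base))
        # The main module should always be an image mapping of its file on disk.
        if r.base == image_base and r.kind != "image":
            findings.append(("main_image_not_image_backed", r.base))
    return findings


def detection_latency_s(injected_at, detected_at):
    """Seconds between the injection and the detector's verdict, the quantity
    each experiment in the appendix reports."""
    return round(detected_at - injected_at, 3)


if __name__ == "__main__":
    print(find_injection_indicators(BASELINE, DURING_REFLECTIVE, IMAGE_BASE))
    print(find_injection_indicators(BASELINE, DURING_HOLLOWING, IMAGE_BASE))
    print(detection_latency_s(100.0, 100.738), "s")
```

The baseline is the manual pre-injection snapshot the appendix describes; in a live detector it would be replaced by the list of images the process is expected to hold. JIT runtimes (.NET, browsers) allocate private executable regions legitimately, so the first indicator on its own needs the image-list and thread-origin checks alongside it before it is treated as a verdict.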

Cite this article

Nasereddin, M., Al-Qassas, R. A new approach for detecting process injection attacks using memory analysis. Int. J. Inf. Secur. (2024). https://doi.org/10.1007/s10207-024-00836-w
