A Study on Injection Attacks and Defenses on Microsoft Windows

  • 성호준 (Department of Applied Computer Engineering, Dankook University) ;
  • 조창연 (Department of Software, Dankook University) ;
  • 이호웅 (Division of Computer and Information Engineering, Hoseo University) ;
  • 조성제 (Department of Computer Science, Dankook University)
  • Received : 2020.11.15
  • Accepted : 2020.12.21
  • Published : 2020.12.31

Abstract

Microsoft Windows is widely used as the operating system for the desktops and enterprise servers of companies and organizations, and it is a major target of cyber attacks. Microsoft provides various protection technologies and strives to defend against attacks through periodic security patches; however, threats such as DLL injection and process injection still exist. In this paper, we analyze 12 types of injection techniques on Microsoft Windows and perform injection attack experiments on four application programs. Through the experimental results, we identify the risk posed by these injection techniques and verify the effectiveness of the mitigation technologies that Microsoft provides for defending against injection attacks. The experiments show that current applications are vulnerable to several injection techniques. Finally, we present mitigation techniques for these injection attacks and analyze their effectiveness.

Acknowledgement

This work was supported by the Ministry of Trade, Industry and Energy (MOTIE) and the Korea Institute of Energy Technology Evaluation and Planning (KETEP). (No. 20171510102080)
