• Journal of Advanced Navigation Technology
• /
• v.13 no.6
• /
• pp.884-893
• /
• 2009

Recently, malicious attacks for Windows operate through Window API hooking in the Windows Kernel. This paper presents the API hooking attack and protection techniques based on Windows kernel. Also this paper develops a detection tool for Windows API hooking that enables to detect dll files which are operated in the kernel. Proposed tool can detect behaviors that imports from dll files or exports to dll files such as kernel32.dll, snmpapi.dll, ntdll.dll and advapidll.dll, etc.. Test results show that the tool can check name, location, and behavior of API in testing system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.2
• /
• pp.111-117
• /
• 2011

Advances in encryption technology to secret communication and information security has been strengthened. Cryptovirus is the advent of encryption technology to exploit. Also, anyone can build and deploy malicious code using windows CAPI. Cryptovirus and malicious code using windows CAPI use the normal windows API. So vaccine software and security system are difficult to detect and analyze them. This paper examines and make hooking tool against Crytovirus and malicious code using windows CAPI.

• Proceedings of the Korean Information Science Society Conference
• /
• 2012.06d
• /
• pp.135-136
• /
• 2012

윈도우기반 게임 프로그램의 엔진은 대부분 DirectX를 사용하고 있다. 이는 게임 프로세스를 탐지하는데에 있어서 수많은 게임의 이름을 알고 있지 않아도, DirectX의 사용여부로 게임 프로세스를 탐지할 수 있음을 의미한다. 본 논문은 유저모드 후킹 Windows Message Hooking과 Direct3D Hooking을 이용하여 게임 프로세스를 탐지하는 방법을 제안하고자 한다.

• Asia-pacific Journal of Multimedia Services Convergent with Art, Humanities, and Sociology
• /
• v.5 no.2
• /
• pp.297-304
• /
• 2015

Zeus is one of the will-published malwares. Generally, it infects PC by executing a specific binary file downloaded on the internet. When infected, try to hook a particular Windows API of the currently running processes. If process runs hooked API, this API executes a particular code of Zeus and your private information is leaked. This paper describes techniques to detect and hook Windows API. We believe the technique should be able to detect modern P2P Zeus.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.6 no.2
• /
• pp.766-783
• /
• 2012

Recently, many malicious users have attacked web browsers using JavaScript code that can execute dynamic actions within the browsers. By forcing the browser to execute malicious JavaScript code, the attackers can steal personal information stored in the system, allow malware program downloads in the client's system, and so on. In order to reduce damage, malicious web pages must be located prior to general users accessing the infected pages. In this paper, a novel framework (JsSandbox) that can monitor and analyze the behavior of malicious JavaScript code using internal function hooking (IFH) is proposed. IFH is defined as the hooking of all functions in the modules using the debug information and extracting the parameter values. The use of IFH enables the monitoring of functions that API hooking cannot. JsSandbox was implemented based on a debugger engine, and some features were applied to detect and analyze malicious JavaScript code: detection of obfuscation, deobfuscation of the obfuscated string, detection of URLs related to redirection, and detection of exploit codes. Then, the proposed framework was analyzed for specific features, and the results demonstrate that JsSandbox can be applied to the analysis of the behavior of malicious web pages.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.15 no.4
• /
• pp.51-60
• /
• 2005

The riles or intellectual property on computer systems have increasingly been exposed to such threats that they can be flowed out by internal users or outer attacks through the network. The File Outflow Monitoring System monitors file outflows at server by making the toe when users copy files on client computers into storage devices or print them, The monitoring system filters I/O Request packet by I/O Manager in kernel level if files are flowed out by copying, while it uses Win32 API hooking if printed. As a result, it has exactly made the log and monitored file outflows, which is proved through testing in Windows 2000 and XP.

• The KIPS Transactions:PartB
• /
• v.11B no.1
• /
• pp.45-52
• /
• 2004

We propose ESS_WMCE. This paper explains the design and implementation of the EDSS running on ESS_WMCE. EDSS is a synchronization error control system for web based multimedia collaboration environment. We have an error detection approach by using hooking method. The technique of an error transmission is a mended model of utilizing an application sharing system. DOORAE is a good framework model for supporting development on application for computer supported cooperated works. It has primitive service functions. Service functions are implemented with an object oriented concept. It is a system that is suitable for detecting and sharing a software error rapidly occurring on web based multimedia collaboration environment by using software techniques. It is able to share an error as well as providing URL synchronization to access shared objects. When an error occurs, this system detects an error by using hooking methods in MS-Windows API(Application Program Interface) function. If an error is found, it is able to provide an error sharing to access shared objects.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2011.10a
• /
• pp.551-553
• /
• 2011

The popularization and development of 3D display makes common users easy to experience a solid 3D virtual reality, the demand for virtual reality contents are increasing. This paper proposes VR panorama system using vanishing point location-based depth map generation method. VR panorama using depth map gives an effect that makes users feel staying at real place and looking around nearby circumstances.

• Convergence Security Journal
• /
• v.6 no.2
• /
• pp.1-11
• /
• 2006

The files of intellectual property on computer systems have increasingly been exposed to such threats that they can be flowed out by internal users or outer attacks through the network. The File Outflow Protection System detects file outflow when users not only copy files on client computers into storage devices, but also print them. This Protection system has been designed to Win32 API hooking by I/O Manager in kernel level if files are flowed out by copying. As a result, the monitoring system has exactly detected file outflows, which is proved through testing.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.6
• /
• pp.1271-1280
• /
• 2017

The android packer service using runtime execution compression technology switches to the original application using DexClassLoader. However the API interface of the DexClassLoader receives the path of the loaded DEX(Dalvik EXcutable) and the path of the compiled file. So there is a problem that the original file is exposed to the file system. Therefore, it is not safe to use the API for the packer service. In this paper, we solve this problem by changing the compile and load flow of the DexClassLoader API. Due to this changed execution flow, the complied file can be encrypted and stored in the file system or only in the memory and it can be decrypted or substituted at the time of subsequent loading to enable the original application conversion. we expected that the stability of the packer will increase beacause the proposed method does not expose the original file to the file system.