Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Quincy: Detecting host-based code injection attacks in memory dumps

: Barabosch,Thomas; Bergmann, Nikla; Padilla, Elmar; Dombeck, Adrian


Polychronakis, Michalis:
Detection of intrusions and malware, and vulnerability assessment. 14th international conference, DIMVA 2017 : Bonn, Germany, July 6-7, 2017; Proceedings
Cham: Springer International Publishing, 2017 (Lecture Notes in Computer Science 10327)
ISBN: 978-3-319-60875-4 (Print)
ISBN: 978-3-319-60876-1 (Online)
International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA) <14, 2017, Bonn>
Conference Paper
Fraunhofer FKIE ()

Malware predominantly employs code injections, which allow to run code in the trusted context of another process. This enables malware, for instance, to secretly operate or to intercept critical information. It is crucial for analysts to quickly detect injected code. While there are systems to detect code injections in memory dumps, they suffer from unsatisfying detection rates or their detection granularity is too coarse. In this paper, we present Quincy to overcome these drawbacks. It employs 38 features commonly associated with code injections to classify memory regions. We implemented Quincy for Windows XP, 7 and 10 and compared it to the current state of the art, Volatility’s malfind as well as hollowfind. For this sake, we created a high quality data set consisting of 102 current representatives of code injecting malware families. Quincy improves significantly upon both approaches, with up to 19.49% more true positives and a decrease in false positives by up to 94,76%.