Published in International Journal of Advanced Research in Computer Science Engineering and Information Technology
ISSN: 2321-3337 Impact Factor:1.521 Volume:5 Issue:1 Year: 24 March,2015 Pages:400-408
in the latest trends, Malware discovery and analysis approaches unit of measurement targeted in code-centric aspects of malicious programs. Keep with the current state of affairs, advanced tools unit of measurement utilized within the ways in which of malware secret writing that has reusing legitimate code or obfuscating malware code to avoid the detection. Our projected approach is deal with the code-centric approaches by proposing a kernel malware characterization to detects, characterize and stop the malware attacks supported the properties of data objects manipulated throughout the attacks. This Approach postulates unit of measurement a kernel object mapping technique in runtime that reads the kernel objects to identify the malware nonhereditary supported the signature and patterns of the malware. The familiar malware unit of measurement prevented by an observation application that utilizes a memory unit based totally scanner. This approach has associate extended coverage that detects and prevents not entirely the malware with the signatures but to boot the malware attack patterns by modeling the low level data access behaviors as signatures. Our experiments against a kind of real-world kernel root kits demonstrate the effectiveness of malware signatures. Hybrid Malware sight memory Mapped provides associate optimized resolution to research windows kernel-level code and extract malicious behaviors from root kits, also as sensitive information access, modification and triggers. A fresh technique provides a mixture of patch making and memory mapping in kernel level. It’s going to confirm the malware influenced sensitive information and accomplishable resolution for this draw back.
triggers, kernel malware characterization, kernel object mapping technique.
[1] C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie,et al., “StackGuard: Automatic adaptive detection and prevention of Buffer-overflow attacks,” in Proc. 7th USENIX Sec. Conf., Jan. 1998, pp. 63–78. [2] A. Seshadri, M. Luk, N. Qu, and A. Perrig, “SecVisor: A tiny hypervisorto provide lifetime kernel code integrity for commodity OSes,” in Proc.21st SOSP, Oct. 2007, pp. 1–17. [3] P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, “DROP:Detecting return-oriented programming malicious code,” in Proc. 5th ICISS, Dec. 2009, pp. 163–177. [4] L. Davi, A.-R. Sadeghi, and M. Winandy, “ROPdefender: A detectiontool to defend against return-oriented programming attacks,” Syst. Sec. Lab., Tech. Univ. Darmstadt, Darmstadt, Germany, Tech. Rep. HGI-TR-2010-001, 2010. [5] M. Sharif, A. Lanzi, J. Giffin, and W. Lee, “Automatic reverse engineering,of malware emulators,” in Proc. 30th IEEE Symp. Sec. Privacy,Mar. 2009, pp. 1–16. [6] 2001, Dec. 28). Linux on-the-Fly Kernel Patching Without LKM [Online]. Available: http://www.phrack.com/issues.html?issue=58&id=7 [7] M. Sharif, A. Lanzi, J. Giffin, and W. Lee, “Automatic reverse engi- neering of malware emulators,” in Proc. 30th IEEE Symp. Sec. Privacy, Mar. 2009, pp. 1–16. [8] R. Riley, X. Jiang, and D. Xu, “An architectural approach to preventing code injection attacks,” IEEE Trans. Dependable Secure Comput., vol. 7, no. 4, pp. 351–365, Dec. 2009. [9] H. Etoh. (2011, May). GCC Extension for Protecting Applica- tions From Stack-Smashing Attacks [Online]. Available: http://www.trl. ibm.com/projects/security/ssp/ [10] A. Seshadri, M. Luk, N. Qu, and A. Perrig, “SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes,” in Proc. 21st SOSP, Oct. 2007, pp. 1–17. [11] F. Bellard, “QEMU: A fast and portable dynamic translator,” in Proc. USENIX Annu. Tech. Conf., Mar. 2005, pp. 41–46. [12] E. Buchanan, R. Roemer, H. Shacham, and S. Savage, “When good instructions go bad: Generalizing return-oriented programming to RISC,” in Proc. 15th ACM Conf. CCS, Oct. 2008, pp. 27–38. [13] J. Butler. (2012, Dec. 12). DKOM (Direct Kernel Object Manipulation) [Online]. Available: http://www.blackhat.com/presentations/winusa- 04/bh-win-04-butler.pdf. [14] (2010). Bypassing Non-Executable-Stack during Exploitation Using Return-to-Libc [Online]. Available: http://www. citeulike.org/user/rvermeulen/author/C0ntex [15] M. Carbone, W. Cui, L. Lu,W. Lee, M. Peinado, and X. Jiang, “Mapping kernel objects to enable systematic integrity checking,” in Proc. 16th ACM Conf. CCS, Nov. 2009, pp. 555–565. [16] P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie, “DROP: Detecting return-oriented programming malicious code,” in Proc. 5th ICISS, Dec. 2009, pp. 163–177.