
Research On Memory Forensic Analysis Technology For Windows Malicious Code Attacks

Posted on: 2024-02-17
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Zhang
Full Text: PDF
GTID: 2568307100473454
Subject: Software engineering
Abstract/Summary:
Malware attacks pose a serious security threat to Windows users. Traditional static detection methods for malware have low accuracy, while dynamic detection methods consume more resources and cannot comprehensively assess the security status of the system. Windows memory forensics, by contrast, offers high detection accuracy, the ability to detect fileless attacks, and a comprehensive view of the system's security status when dealing with malware attacks. However, current malicious code attack detection methods based on memory forensics still face problems such as low automation and intelligence, low accuracy in detecting new code injection attacks, and difficulty in effectively extracting evidence of malicious code attacks. Aiming at these problems, from the perspective of Windows memory forensics, this paper proposes an intelligent detection method for malicious processes in memory, a hidden memory page detection method for code injection attacks, and a memory malware code carving method. These methods can detect malicious processes in Windows user space and hidden injected code modules, and improve detection accuracy compared to existing methods. Beyond malware detection, this paper further studies the memory code carving method, which completes the entire process of detecting and carving malicious code in memory, providing a comprehensive solution for malware detection and analysis. The primary research contents of this paper are:

(1) Detection of malicious processes in memory based on DGCNN

Aiming at the problem that existing research on malicious process detection is mostly based on byte features and has insufficient detection accuracy, this paper proposes the Proc GCN model, a deep learning model based on DGCNN (Deep Graph Convolutional Neural Network), to detect malicious processes in memory images. First, the process dump is extracted from the whole-system memory image; then, the FCG (Function Call Graph) of the process is extracted, and feature vectors for the function node names in the FCG are generated based on the bag-of-words model; finally, the FCG is input to the Proc GCN model for classification. In experiments on an open data set, the Proc GCN model achieved an accuracy of 98.33%, an F1 score of 0.9834, and an AUC value of 0.996. It shows a better detection effect than existing machine learning methods based on static features, and its detection speed is faster, which demonstrates the effectiveness of static function features and graph representation learning in memory forensics.

(2) A memory-reverse-based code injection forensics algorithm

Aiming at the low accuracy of existing injection detection methods against new injection attacks, this paper proposes MRCIF, a covert memory page detection and forensics algorithm for code injection based on memory structure reverse analysis. First, the physical memory pages containing DLL features are located in the memory image, and a sub-algorithm is designed for mapping between physical memory space and virtual memory space, thus realizing the reverse reconstruction of the physical page subset corresponding to the DLL code module. Then, in the virtual memory space, the LDR linked list structure of the process is reversely reconstructed, and a reverse reconstruction algorithm for the DLL virtual page subset is developed to reconstruct its virtual space. Finally, a DLL injection covert page detection sub-algorithm is designed based on the physical memory page subset and the virtual space page subset. The experimental results indicate that MRCIF achieves an accuracy of 88.89%, much higher than the traditional DLL module injection detection method, and that only MRCIF can accurately detect the Virtual Address Descriptor (VAD) remapping attack.

(3) A malicious code evidence carving algorithm based on memory process reverse analysis

Aiming at the difficulty of extracting key evidence of malicious code attacks from Windows memory, a malicious code attack event evidence carving model is designed, consisting of a malicious code carving algorithm based on memory process reverse analysis and a memory fragment file carving algorithm based on structure chain reverse analysis. For a malicious code module, the VAD tree is rebuilt to obtain the memory dump, and the import table and other PE structures are then restored from information such as the process's loaded modules, so that the module can be restored to its original PE format. The file mapping of the malicious process is then reversed, and by analyzing the feature fields of file objects and related structures in memory images, the data file with embedded malicious code is carved out by identifying memory data file connections and reconstructing file metadata. The experimental results show that the accuracy of metadata carving is 100% and the accuracy of content carving reaches 87.5% under typical application conditions, much higher than disk file carving algorithms.
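The set comparison at the heart of contribution (2), reduced to its page-set logic as an added Python illustration (not the thesis author's code): the physical image, the process page table and the reconstructed LDR list are modelled as plain dicts and tuples filled with constructed sample data, and the DLL-feature check (an MZ header whose e_lfanew points at a PE signature in the same page) is an assumed simplification of the feature matching the abstract describes.

```python
import struct

PAGE = 0x1000  # assumed 4 KiB page size

def has_dll_features(page: bytes) -> bool:
    """Assumed DLL feature: 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature in the same page."""
    if len(page) < 0x40 or page[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    return e_lfanew + 4 <= len(page) and page[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def dll_feature_physical_pages(phys_image):
    """Step 1: physical frame numbers (pfn) whose contents carry DLL features."""
    return {pfn for pfn, data in phys_image.items() if has_dll_features(data)}

def physical_to_virtual(page_table, pfns):
    """Step 2: reverse the process page table, pfn -> virtual page numbers (vpn)."""
    return {vpn for vpn, pfn in page_table.items() if pfn in pfns}

def ldr_virtual_pages(ldr_modules):
    """Step 3: virtual pages claimed by the reconstructed LDR list of (name, base, size)."""
    pages = set()
    for _name, base, size in ldr_modules:
        pages.update(range(base // PAGE, (base + size + PAGE - 1) // PAGE))
    return pages

def detect_covert_pages(phys_image, page_table, ldr_modules):
    """Step 4: DLL-featured virtual pages that no LDR module claims are covert injected pages."""
    mapped = physical_to_virtual(page_table, dll_feature_physical_pages(phys_image))
    return sorted(vpn * PAGE for vpn in mapped - ldr_virtual_pages(ldr_modules))

def make_pe_page(e_lfanew=0x80):
    """Constructed page: DOS header, e_lfanew at 0x3C, PE signature at e_lfanew."""
    page = bytearray(PAGE)
    page[:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, e_lfanew)
    page[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(page)

# Constructed sample: frame 0x30 holds a PE header mapped at 0x00A00000 with no LDR entry.
SAMPLE_IMAGE = {0x10: make_pe_page(), 0x20: bytes(PAGE), 0x30: make_pe_page()}
SAMPLE_PAGE_TABLE = {0x7FF00: 0x10, 0x7FF01: 0x20, 0x00A00: 0x30}
SAMPLE_LDR = [("legit.dll", 0x7FF00000, 0x2000)]

if __name__ == "__main__":
    print([hex(va) for va in detect_covert_pages(SAMPLE_IMAGE, SAMPLE_PAGE_TABLE, SAMPLE_LDR)])
```

A module unlinked from the LDR list still leaves its pages in the physical subset, which is why the comparison catches it where a walk of the LDR list alone would not.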
Keywords/Search Tags: memory forensics, memory reverse analysis, code injection forensics, graph convolutional network, malicious code carving