Dynamic Instruction Sequences Monitor for Virus Detection Jianyong Dai, Ratan Guha, Joohan Lee Wednesday, January 28, 2009 Cho, Ho-Gi.


Abstract
– Dynamic instruction sequences monitor: a special program that can launch a program and capture the runtime instruction sequence of that program.
– Problem: none of the existing monitors is specially designed to launch a potentially malicious program.
– Solution: intercept certain Win32 APIs and divert them to a safe version of that API; provide a virus detection plug-in mechanism. [WePu07]

Dynamic instruction sequence monitor [WePu07]
(diagram: monitor main launches the target under a debugger for analysis; labels: Debugger, Analyzing, Monitor main, Target, Launch, System, Malicious code or program, Infect)

Solution
– Build a dynamic instruction sequences monitor with a protection mechanism: intercept potentially destructive Win32 APIs and divert them to a safe version of that API, while providing some mechanism to keep the original execution path as much as possible.
– Plug-in mechanism: programmers can build different applications on top of the dynamic instruction sequences captured by the monitor. [WePu07]

System Architecture Overview [WePu07]
(diagram: monitor main launches the target; the target's API calls, e.g. ReadFile(..), CreateFile(..), CheckFile(..), WriteFile(..), pass through an interposition layer; the captured binary sequences are fed to the classification models for compare-and-decision)

System architecture for the monitor [WePu07]
(diagram: Program -> Debugger -> Insulator -> Unknown executable -> Disassembler -> Instruction processing -> Plug-in)
Structure of the virus detection plug-in
(diagram: Instruction sequences -> Logic assembly construction -> Abstract assembly construction -> Classification -> Decision; a Model manager supplies the Classification models)

Insulator [WePu07]
– Prevents certain Win32 APIs from executing: the API is supplied with dummy output without actually being invoked.
– Implemented with the Microsoft Detours package.
– Intercepted categories: file and directory manipulation APIs; registry manipulation APIs; remote memory manipulation; remote thread creation; administration-related APIs; socket creation and packet sending.
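The following is an added illustration of the insulator idea, not code from the paper or its authors. The paper patches Win32 API entry points in the launched process with Microsoft Detours; this portable stand-in replaces Detours with a function-pointer table that plays the role of the target's import table, and "installing" the insulator swaps each destructive entry (WriteFile, RegSetValue) for a safe version that returns the same kind of result without touching state. The API names, the counters standing in for system state, the target program and the log format are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/*
 * Constructed stand-in for the monitor's insulator (not the paper's code).
 * A dispatch table replaces Detours; destructive entries carry a safe twin.
 */

typedef int (*api_fn)(const char *arg);

/* Counters that stand in for real system state the target could damage. */
static int g_files_written   = 0;
static int g_registry_writes = 0;
static int g_files_read      = 0;

/* Log of every API call the monitor observed (name plus "[safe]" marker). */
#define MAX_LOG 32
static char g_log[MAX_LOG][48];
static int  g_log_count = 0;

static void log_call(const char *name, bool insulated)
{
    if (g_log_count >= MAX_LOG) return;
    snprintf(g_log[g_log_count], sizeof g_log[0], "%s%s",
             name, insulated ? " [safe]" : "");
    g_log_count++;
}

/* "Real" implementations: these mutate state (constructed stand-ins). */
static int real_ReadFile(const char *path)   { (void)path; g_files_read++;     return 1; }
static int real_WriteFile(const char *data)  { g_files_written++;  return (int)strlen(data); }
static int real_RegSetValue(const char *key) { (void)key; g_registry_writes++; return 0; }

/* Safe versions: same return contract as the real API, no side effect. */
static int safe_WriteFile(const char *data)  { return (int)strlen(data); } /* "all bytes written" */
static int safe_RegSetValue(const char *key) { (void)key; return 0; }      /* "success" */

struct api_entry {
    const char *name;
    api_fn      fn;    /* implementation currently dispatched */
    api_fn      safe;  /* NULL for APIs the insulator leaves alone */
};

/* The table the target dispatches through; destructive APIs have a safe twin. */
static struct api_entry g_api_table[] = {
    { "ReadFile",    real_ReadFile,    NULL },
    { "WriteFile",   real_WriteFile,   safe_WriteFile },
    { "RegSetValue", real_RegSetValue, safe_RegSetValue },
};
#define API_COUNT (sizeof g_api_table / sizeof g_api_table[0])

/* Divert every destructive entry to its safe version (Detours-style attach). */
void insulator_install(void)
{
    for (size_t i = 0; i < API_COUNT; i++)
        if (g_api_table[i].safe)
            g_api_table[i].fn = g_api_table[i].safe;
}

/* Dispatch one call the way the target's import thunk would; -1 if unknown. */
int call_api(const char *name, const char *arg)
{
    for (size_t i = 0; i < API_COUNT; i++) {
        if (strcmp(g_api_table[i].name, name) == 0) {
            struct api_entry *e = &g_api_table[i];
            log_call(name, e->fn == e->safe);
            return e->fn(arg);
        }
    }
    return -1;
}

/* Constructed stand-in for the unknown executable the monitor launches;
 * returns the sum of the API results it saw (1 + 7 + 0 = 8). */
int run_target(void)
{
    int rc = 0;
    rc += call_api("ReadFile",    "C:\\input.dat");
    rc += call_api("WriteFile",   "payload");
    rc += call_api("RegSetValue", "HKCU\\Software\\Run");
    return rc;
}

/* Accessors for what the monitor observed and what the insulator protected. */
int monitor_call_count(void)          { return g_log_count; }
const char *monitor_log_entry(int i)  { return (i >= 0 && i < g_log_count) ? g_log[i] : ""; }
int state_files_written(void)         { return g_files_written; }
int state_registry_writes(void)       { return g_registry_writes; }
int state_files_read(void)            { return g_files_read; }

int main(void)
{
    insulator_install();
    run_target();
    for (int i = 0; i < monitor_call_count(); i++)
        printf("%s\n", monitor_log_entry(i));
    printf("files written=%d registry writes=%d\n",
           state_files_written(), state_registry_writes());
    return 0;
}
```

The target still sees plausible return values (bytes written, success codes), so its execution path is preserved as the slides require, while the write counters stay at zero. The table also shows why the limitation noted in the conclusion matters: only calls that go through the hooked entries are insulated.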

Conclusion [WePu07]
– Describes a dynamic instruction sequences monitor and a virus detection plug-in based on the monitor; it is efficient and protects the user's computer in the general case.
– Problem: a program that invokes the underlying ntdll.dll or INT 2E directly bypasses the Win32 API layer, which is the only layer protected.