The Comparative Analysis of Operational Malware Dynamic Link Library (DLL) Injection Live Response vs. Memory Image

Authors

  • Ahmed Alasiri Concordia University College of Alberta, Edmonton
  • Muteb Alzaidi Concordia University College of Alberta
  • Dale Lindskog Concordia University College of Alberta
  • Pavol Zavarsky Concordia University College of Alberta
  • Ron Ruhl Concordia University College of Alberta
  • Shafi Alassmi Concordia University College of Alberta

Keywords:

DLL, Memory Image, Live Response, DLL Injection, Create Remote Thread

Abstract

One advanced tactic used to deliver a malware payload to a target operating system is Dynamic Link Library (DLL) injection, which can bypass many security controls. In compromises involving DLL injection, volatile memory holds the critical evidence, because these attacks typically leave no footprint on the hard disk. In this paper we describe the results of a comparative analysis between a particular live response utility, Redline, and a particular memory image utility, Volatility, in cases where malware uses DLL injection. We show that Redline is significantly more limited than Volatility in its ability to collect relevant evidence from memory. Based on these observations, we draw general conclusions about the advantages of memory image analysis over live response.
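The abstract's point is that an injected DLL can be present in a process's address space while being absent from the Process Environment Block (PEB) module lists that a live-response tool typically walks, so only an analysis that cross-references the PEB against the VAD-backed mapped files recovers it. The script below, added here as an illustration and not taken from the paper or from either tool, shows that cross-reference: it parses text modelled on the column layout of Volatility 2's `ldrmodules` plugin (Pid, Process, Base, InLoad, InInit, InMem, MappedPath) and flags mapped images that none of the three PEB lists track. The sample listing, process names, base addresses and the `payload.dll` path are constructed for this example.

```python
"""
Cross-reference the three PEB module lists (InLoadOrderModuleList,
InInitializationOrderModuleList, InMemoryOrderModuleList) against the
file-backed images found in a process's VAD tree.

A DLL that is mapped in the address space but absent from all three PEB
lists is the classic signature of an injected or unlinked module. A tool
that enumerates modules only through the PEB never sees it.

Input format is modelled on Volatility 2's `ldrmodules` text output.
The listing below is CONSTRUCTED for this example, not real plugin output.
"""
import re
from dataclasses import dataclass

# Constructed sample. Note the benign pattern: a process's main executable
# is normally missing from InInit, so InInit=False alone is not suspicious.
SAMPLE_LDRMODULES = """\
Pid      Process              Base               InLoad InInit InMem MappedPath
-------- -------------------- ------------------ ------ ------ ----- ----------
1234     explorer.exe         0x0000000001000000 True   False  True  \\Windows\\explorer.exe
1234     explorer.exe         0x0000000077000000 True   True   True  \\Windows\\System32\\ntdll.dll
1234     explorer.exe         0x0000000010000000 False  False  False \\Users\\victim\\AppData\\Local\\Temp\\payload.dll
1234     explorer.exe         0x0000000074000000 True   True   True  \\Windows\\System32\\kernel32.dll
5678     svchost.exe          0x0000000000400000 True   False  True  \\Windows\\System32\\svchost.exe
5678     svchost.exe          0x0000000002000000 False  False  False
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<inload>True|False)\s+(?P<ininit>True|False)\s+(?P<inmem>True|False)"
    r"\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Module:
    pid: int
    process: str
    base: int
    in_load: bool   # present in InLoadOrderModuleList
    in_init: bool   # present in InInitializationOrderModuleList
    in_mem: bool    # present in InMemoryOrderModuleList
    path: str       # file backing the VAD region; empty if none


def parse_ldrmodules(text: str) -> list[Module]:
    """Parse ldrmodules-style rows; header, separator and blank lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mods.append(Module(
            pid=int(m["pid"]),
            process=m["proc"],
            base=int(m["base"], 16),
            in_load=m["inload"] == "True",
            in_init=m["ininit"] == "True",
            in_mem=m["inmem"] == "True",
            path=m["path"].strip(),
        ))
    return mods


def find_hidden_modules(mods: list[Module]) -> list[tuple[int, int, str, str]]:
    """Return (pid, base, path, reason) for mapped images the PEB does not track.

    Only images missing from ALL three lists are reported, which keeps the
    main executable (normally InInit=False) out of the findings.
    """
    findings = []
    for m in mods:
        if m.in_load or m.in_init or m.in_mem:
            continue
        if m.path:
            reason = "mapped DLL absent from all three PEB lists (unlinked or injected)"
        else:
            reason = "image region with no backing file (possible manual-map/reflective injection)"
        findings.append((m.pid, m.base, m.path, reason))
    return findings


if __name__ == "__main__":
    for pid, base, path, reason in find_hidden_modules(parse_ldrmodules(SAMPLE_LDRMODULES)):
        print(f"pid {pid} base {base:#018x} {path or '<no file>'}: {reason}")
```

The rule is deliberately conservative: a module is flagged only when all three PEB lists disagree with the VAD, because a live-response tool that reads the PEB would show nothing at that address at all. A DLL that is injected and then unmapped leaves no VAD entry either, so this check complements, rather than replaces, scanning for remote threads and executable private regions.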

Author Biographies

Ahmed Alasiri, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Muteb Alzaidi, Concordia University College of Alberta

Master of Information Systems Security Management

Dale Lindskog, Concordia University College of Alberta

Master of Information Systems Security Management

Pavol Zavarsky, Concordia University College of Alberta

Master of Information Systems Security Management

Ron Ruhl, Concordia University College of Alberta

Master of Information Systems Security Management

Shafi Alassmi, Concordia University College of Alberta

Master of Information Systems Security Management


Published

2020-08-30

How to Cite

Alasiri, A., Alzaidi, M., Lindskog, D., Zavarsky, P., Ruhl, R., & Alassmi, S. (2020). The Comparative Analysis of Operational Malware Dynamic Link Library (DLL) Injection Live Response vs. Memory Image. International Journal on Information Technology and Computer Science, 4(1), 14. Retrieved from http://ijitcs.info/index.php/ijitcs/article/view/2

Section

Research Articles
