Abstract
Worms and Exploits attacks are currently the most prevalent security problems; they are responsible for over half of the CERT advisories issued in the last three years. To initiate an infection or intrusion, both of them inject a small piece of malicious code (ShellCode) into software through buffer or heap overflow vulnerabilities. Unlike Unix-like operating systems, ShellCodes for Microsoft Windows system need more complex steps to acquire Win32 API calls from DLL file (Dynamic Load Library) in Microsoft Windows. In this paper, we proposed an effective API monitoring system to get rid of worms and exploits attacks for the Microsoft Windows without hardware support. We address the problem by noticing that ShellCodes need the extra complex steps in accessing Win32 API calls. Through the API monitoring system we purposed, we can successfully stop the attacks made by worms and exploits. Moreover, the efficiency of Win32 API Calls hooking and monitoring system can be improved. Incapability to disassemble and analysis the protected software processes are overcome as well.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Anton, B.: “ Process-wide API spying - an ultimate hack”, CodeProject website (February 2005), Available: http://www.codeproject.com/system/api_spying_hack.asp
Anton, B.: Kernel-mode API spying - an ultimate hack, CodeProject website (February 2005), Available: http://www.codeproject.com/system/kernelspying.asp
Michel, B.: Introduction to Shellcoding - How to exploit buffer overflows, Tigerteam’s website (2004), Available: http://tigerteam.se/dl/papers/intro_to_shellcoding.pdf
Jesse, C., Rabek, R., Khazan, I., Scott, M., Robert, L., Cunningham, K.: Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code. In: Proc. of 2003 ACM workshop on Rapid Malcode (October 2003)
Shannon, C., Moore, D.: The spread of the Witty worm. Security & Privacy Magazine 2(4), 46–50 (2004)
Barrantes, E.G., Ackley, D.H., Palmer, T.S., Stefanovic, D., Zovi, D.D.: Randomized instruction set emulation to disrupt binary code injection attacks. In: Proc. of 10th ACM Conf. Comp. and Comm. Sec.—CCS 2003, pp. 281–289. ACM Press, New York (2003)
Levy, E.: Worm propagation and generic attacks. Security & Privacy Magazine 3(2), 63–65 (2005)
Hunt, G., Brubacher, D.: Detours: Binary Interception of Win32 Functions, Microsoft corp. research website (1999), Available: ftp://ftp.research.microsoft.com/pub/tr/tr-98-33.pdf
Ivo, I.: API hooking revealed, CodeProject website (February 2005), Available: http://www.codeproject.com/system/hooksys.asp
Richter, J.: Programming Applications for Microsoft Windows, 4th edn. (2001)
Riordan, J., Wespi, A., Zamboni, D.: How To Hook Worms. Spectrum 42(5), 32–36 (2005)
Pincus, J., Baker, R.: Beyond stack smashing: recent advances in exploiting buffer over runs. Security & Privacy Magazine 2(4), 20–27 (2004)
Pietrek, M.: Inside Windows: An In-Depth Look into the Win32 Portable Executable File Format. MSDN Website (2002), Available: http://www.msdn.microsoft.co
Sachin, R.S.: Need for Rebasing a DLL. Code Project website (March 2005), Available: http://www.codeproject.com/dll/RebaseDll.asp
Sachin, R.S.: Need for Binding an Executable to DLLs. Code Project website (March 2005), Available: http://www.thecodeproject.com/dll/NeedBind.asp
Payer, U., Teufl, P., Lamberger, M.: Hybrid Engine for Polymorphic Shellcode Detection. In: Second Int. Conf. of 2005 Intrusion and Malware Detection and Vulnerability Assessment (July 2005)
Kaplan, Y.: API Spying Techniques for Windows 9x, NT and 2000. From website of teaching API Hooking and Monitoring (June 2004), Available: http://www.internals.com/articles/apispy/apispy.htm
The MetaSploit Project, ShellCode Archive, MetaSploit Project official website (November 2004), Available: http://www.metasploit.com/ShellCode.html
Microsoft Corp., A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2 and Windows XP Tablet PC Edition 2005, Microsoft Corp’s support website (February 2005), Available: http://support.microsoft.com/kb/875352/en-us
The NTInternals. net team, Undocumented Functions for Microsoft Windows NT/2000, NTInternals. net website (November 28, 2004), Available: http://undocumented.ntinternals.net
Phrack Inc., History and Advances in Windows ShellCode. In Phrack Magazine (November 2004), Available: http://www.phrack.org/phrack/62/p62-0x07_Advances_in_Windows_ShellCode.tx
Smiler, The Art of Writing ShellCode, FreeGnu’s personal blog (June 2004), Available: http://blog.codelphi.com/freegnu/archive/2004/11/25/29682.aspx
The ShellCode. org, The ShellCode Writing, ShellCode. org website. (November 2004), Available: http://ShellCode.org/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sun, HM., Lin, YH., Wu, MF. (2006). API Monitoring System for Defeating Worms and Exploits in MS-Windows System. In: Batten, L.M., Safavi-Naini, R. (eds) Information Security and Privacy. ACISP 2006. Lecture Notes in Computer Science, vol 4058. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11780656_14
Download citation
DOI: https://doi.org/10.1007/11780656_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-35458-1
Online ISBN: 978-3-540-35459-8
eBook Packages: Computer ScienceComputer Science (R0)