
API Monitoring System for Defeating Worms and Exploits in MS-Windows System

Conference paper, in: Information Security and Privacy (ACISP 2006)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4058)

Abstract

Worm and exploit attacks are currently the most prevalent security problems; they are responsible for over half of the CERT advisories issued in the last three years. To initiate an infection or intrusion, both inject a small piece of malicious code (shellcode) into software through buffer or heap overflow vulnerabilities. Unlike on Unix-like operating systems, shellcode for Microsoft Windows needs additional, more complex steps to acquire the addresses of Win32 API calls from DLL files (Dynamic Link Libraries). In this paper, we propose an effective API monitoring system that defeats worm and exploit attacks on Microsoft Windows without hardware support. We address the problem by observing that shellcode must perform these extra steps to access Win32 API calls. With the API monitoring system we propose, we can successfully stop the attacks made by worms and exploits. Moreover, the efficiency of Win32 API call hooking and monitoring is improved, and the inability to disassemble and analyze protected software processes is overcome as well.



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sun, HM., Lin, YH., Wu, MF. (2006). API Monitoring System for Defeating Worms and Exploits in MS-Windows System. In: Batten, L.M., Safavi-Naini, R. (eds) Information Security and Privacy. ACISP 2006. Lecture Notes in Computer Science, vol 4058. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11780656_14

Download citation

  • DOI: https://doi.org/10.1007/11780656_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-35458-1

  • Online ISBN: 978-3-540-35459-8

  • eBook Packages: Computer Science (R0)