Research article. DOI: 10.1145/3440943.3444734

Research on PEB-LDR Data Analysis Technique for DLL Injection Detection on ICS Engineering Workstation

Published: 27 September 2021

Abstract

In the field of Industrial Control Systems (ICS), engineering workstations are used to manage and control processes more effectively. This involves monitoring the status of the PLCs (Programmable Logic Controllers) that make up the ICS and observing PLC data in real time through the HMI function. Nonetheless, it is possible to gain control of the SCADA system through DLL injection, which can cause a fatal accident. Therefore, this paper proposes a method for detecting DLL injection on engineering workstations used in ICS environments, together with a technique that detects the data changes caused by DLL injection by analyzing PEB-LDR data. We also propose a method for detecting a malicious DLL when one is suspected of having been loaded. As a result, the suggested method successfully detected DLL injection when it occurred and displayed a warning message.
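The snapshot-and-compare idea behind the PEB-LDR analysis above, written as an added example for this page (it is not the paper's implementation): on Windows it walks the documented PEB_LDR_DATA module list of the current process, and a diff against an earlier snapshot flags newly loaded DLLs, warning on those outside an allow-listed set of directories. The EWS directory, the allow-list and all module paths in run_demo() are constructed assumptions.

```c
/* Detect DLL injection by diffing two snapshots of PEB->Ldr->InMemoryOrderModuleList
 * (documented winternl.h layout). The PEB walk is Windows-only; run_demo() uses
 * constructed paths so the diff and trust-prefix logic compiles and runs anywhere. */
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>
#define MAX_MODS 256
typedef struct { int count; wchar_t path[MAX_MODS][260]; } Snapshot;
/* Case-insensitive prefix test (Windows paths are case-insensitive). */
int has_prefix_ci(const wchar_t *path, const wchar_t *prefix) {
    for (; *prefix; ++path, ++prefix)
        if (!*path || towlower(*path) != towlower(*prefix)) return 0;
    return 1;
}
/* Report each module in cur absent from base; return how many lie outside the allowed prefixes. */
int diff_snapshots(const Snapshot *base, const Snapshot *cur,
                   const wchar_t *const *allowed, int n_allowed) {
    int untrusted = 0;
    for (int i = 0; i < cur->count; ++i) {
        int seen = 0, ok = 0;
        for (int j = 0; j < base->count && !seen; ++j) seen = !wcscmp(base->path[j], cur->path[i]);
        if (seen) continue;                       /* already present at baseline time */
        for (int j = 0; j < n_allowed && !ok; ++j) ok = has_prefix_ci(cur->path[i], allowed[j]);
        untrusted += !ok;
        fprintf(stderr, "[%s] new module: %ls\n", ok ? "info" : "WARN", cur->path[i]);
    }
    return untrusted;
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Walk TEB->PEB->Ldr->InMemoryOrderModuleList of the current process. A DLL that
 * unlinks itself from this list is invisible here, so pair this with a memory scan. */
void take_snapshot(Snapshot *s) {
    LIST_ENTRY *head = &NtCurrentTeb()->ProcessEnvironmentBlock->Ldr->InMemoryOrderModuleList;
    s->count = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && s->count < MAX_MODS; e = e->Flink) {
        LDR_DATA_TABLE_ENTRY *m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        size_t n = m->FullDllName.Length / sizeof(wchar_t);   /* Length is in bytes */
        if (n > 259) n = 259;
        wmemcpy(s->path[s->count], m->FullDllName.Buffer, n);
        s->path[s->count++][n] = L'\0';
    }
}
#endif
/* Constructed baseline/current lists standing in for two take_snapshot() calls (placeholders). */
int run_demo(void) {
    static Snapshot base = {2, {L"C:\\Windows\\System32\\ntdll.dll", L"C:\\EWS\\hmi.exe"}};
    static Snapshot cur = {4, {L"C:\\Windows\\System32\\ntdll.dll", L"C:\\EWS\\hmi.exe",
        L"C:\\Windows\\SYSTEM32\\ws2_32.dll", L"C:\\Users\\Public\\upd.dll"}};
    const wchar_t *const allowed[] = {L"C:\\Windows\\System32\\", L"C:\\EWS\\"};
    return diff_snapshots(&base, &cur, allowed, 2);  /* -> 1: only the Users\Public DLL is untrusted */
}
```

In a real deployment the baseline snapshot is taken at process start and re-compared on a timer; a new entry under the allow-listed directories is logged, anything else raises the warning the paper describes.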


Published In

ACM ICEA '20: Proceedings of the 2020 ACM International Conference on Intelligent Computing and its Emerging Applications, December 2020, 219 pages. ISBN: 9781450383042. DOI: 10.1145/3440943

Publisher: Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. Application Programming Interface (API)
    2. Dynamic Link Library (DLL)
    3. Engineering Workstation (EWS)
    4. Field
    5. Industrial Control System (ICS)
    6. Process Environment Block (PEB)

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

Conference: ACM ICEA '20
