Detection of malicious code in user mode

One class of executable malware is malicious code that damages the computer or network without any user intervention. Static analysis is used to identify the locations of system calls made in service requests and to monitor executables at runtime, but it has difficulty with obfuscated code, because such code relies on dynamic code generation and obfuscation techniques that hide its Win32 API calls until runtime. Malicious code interacts with the operating system through the Win32 API, and malicious executables can hide that Win32 API usage from static analysis. Our proposed approach distinguishes software executables by analyzing their system calls: the virtual addresses and API names of the calling instructions are recorded and matched against the interrupt address table. When the recorded instructions are found in the address table, the requested services are forwarded to kernel mode. The filter focuses on separating addresses that belong to a local ID from those belonging to a remote ID, in order to validate the dispatch ID in the system service dispatch table. Through this filter, the process creation algorithm is used to confirm that the service request comes from a legitimate user. All of this processing is done in user mode, before any injected code can enter kernel mode.
