A native APIs protection mechanism in the kernel mode against malicious code

Hung Min Sun; Hsun Wang; King Hang Wang; Chien Ming Chen

doi:10.1109/TC.2011.46

A native APIs protection mechanism in the kernel mode against malicious code

Hung Min Sun^*
, Hsun Wang
, King Hang Wang
, Chien Ming Chen

^*Corresponding author for this work

Department of Computer Science

Research output: Contribution to journal › Journal article › peer-review

21 Citations (Scopus)

Abstract

As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.

Original language	English
Pages (from-to)	813-823
Number of pages	11
Journal	IEEE Transactions on Computers
Volume	60
Issue number	6
Early online date	17 Feb 2011
DOIs	https://doi.org/10.1109/TC.2011.46
Publication status	Published - Jun 2011

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 16 Peace, Justice and Strong Institutions

User-Defined Keywords

API hooking
code injection.
Windows API

Access to Document

10.1109/TC.2011.46

Cite this

@article{337fdeda632e4690b2f7276b72ca9615,

title = "A native APIs protection mechanism in the kernel mode against malicious code",

abstract = "As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.",

keywords = "API hooking, code injection., Windows API",

author = "Sun, \{Hung Min\} and Hsun Wang and Wang, \{King Hang\} and Chen, \{Chien Ming\}",

note = "The authors would like to thank anonymous reviewers for their valuable comments and suggestions, which certainly led to improvements of this paper. This work was supported in part by the National Science Council, Taiwan, under Contract NSC 97-2221-E-007-055-MY3 and NSC 99-2218-E-007-012. The corresponding author is Professor Hung-Min Sun. Publisher Copyright: {\textcopyright} 2011 IEEE",

year = "2011",

month = jun,

doi = "10.1109/TC.2011.46",

language = "English",

volume = "60",

pages = "813--823",

journal = "IEEE Transactions on Computers",

issn = "0018-9340",

publisher = "IEEE Computer Society",

number = "6",

}

TY - JOUR

T1 - A native APIs protection mechanism in the kernel mode against malicious code

AU - Sun, Hung Min

AU - Wang, Hsun

AU - Wang, King Hang

AU - Chen, Chien Ming

N1 - The authors would like to thank anonymous reviewers for their valuable comments and suggestions, which certainly led to improvements of this paper. This work was supported in part by the National Science Council, Taiwan, under Contract NSC 97-2221-E-007-055-MY3 and NSC 99-2218-E-007-012. The corresponding author is Professor Hung-Min Sun. Publisher Copyright: © 2011 IEEE

PY - 2011/6

Y1 - 2011/6

N2 - As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.

AB - As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.

KW - API hooking

KW - code injection.

KW - Windows API

UR - https://www.scopus.com/pages/publications/79955544932

U2 - 10.1109/TC.2011.46

DO - 10.1109/TC.2011.46

M3 - Journal article

AN - SCOPUS:79955544932

SN - 0018-9340

VL - 60

SP - 813

EP - 823

JO - IEEE Transactions on Computers

JF - IEEE Transactions on Computers

IS - 6

ER -

A native APIs protection mechanism in the kernel mode against malicious code

Abstract

UN SDGs

User-Defined Keywords

Access to Document

Other files and links

Fingerprint

Cite this