APPARATUS AND METHOD FOR DETECTING DLL INSERTED BY MALICIOUS CODE

US 20090133126A1
Filed: 10/31/2008
Published: 05/21/2009
Est. Priority Date: 11/20/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting a Dynamic Link Library (DLL) inserted by a malicious code, comprising:

collecting first DLL information from an image file of a process before the process is executed;

collecting second DLL information loaded into a memory as the process is executed;

comparing the first DLL information with the second DLL information to extract information on an explicit DLL; and

determining whether the explicit DLL is a DLL inserted by a malicious code or not.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are an apparatus and method for detecting a Dynamic Link Library (DLL) inserted by a malicious code. The method includes collecting first DLL information from an image file of a process before the process is executed; collecting second DLL information loaded into a memory as the process is executed; comparing the first DLL information with the second DLL information to extract information on an explicit DLL; and determining whether the explicit DLL is a DLL inserted by a malicious code or not.

107 Citations

12 Claims

1. A method of detecting a Dynamic Link Library (DLL) inserted by a malicious code, comprising:
- collecting first DLL information from an image file of a process before the process is executed;
  
  collecting second DLL information loaded into a memory as the process is executed;
  
  comparing the first DLL information with the second DLL information to extract information on an explicit DLL; and
  
  determining whether the explicit DLL is a DLL inserted by a malicious code or not.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the collecting of the first DLL information from the image file is performed by tracking a Portable Executable (PE) file in a binary file format in a Windows operating system.
  - 3. The method of claim 1, wherein the collecting of the second DLL information is performed using a Process Status Application Programming Interface (PSAPI) library that provides information on a process list in an operating system.
  - 4. The method of claim 1, wherein the information on the explicit DLL is DLL information that is not included in the first DLL information but is included in the second DLL information.
  - 5. The method of claim 1, further comprising extracting information on PE header and structural characteristics of DLLs manufactured by manufacturers and storing the extracted information in a profiling DB.
  - 6. The method of claim 5, wherein the determining whether the explicit DLL is a DLL inserted by a malicious code includes comparing the information on the PE header and the structural characteristics of the DLLs stored in the profiling DB with that of the explicit DLL;
    - and, when there is a difference between them, determining that the explicit DLL has been inserted by a malicious code.

7. An apparatus for detecting a DLL inserted by a malicious code, comprising:
- a DLL information collector that collects first DLL information from an image file of a process before the process is executed and collects second DLL information that is loaded into a memory as the process is executed; and
  
  a malicious DLL detector that compares the first DLL information with the second DLL information to extract information on an explicit DLL and determines whether the extracted explicit DLL is a DLL that is inserted by a malicious code or not.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the DLL information collector includes a first DLL information collector that collects the first DLL information from the image file by tracking a PE file in a binary file format in a Windows environment.
  - 9. The apparatus of claim 7, wherein the DLL information collector includes a second DLL information collector that collects second DLL information that is loaded into the memory using a PSAPI library providing information on a process list in the operating system.
  - 10. The apparatus of claim 7, wherein the malicious DLL detector extracts information on the explicit DLL that is not included in the first DLL information but is included in the second DLL information.
  - 11. The apparatus of claim 7, further comprising a profiling database that stores information on PE header and of structural characteristics of DLLs manufactured by manufacturers.
  - 12. The apparatus of claim 11, wherein the malicious DLL detector compares the information on the PE header of the DLLs stored in the profiling DB with that of the explicit DLL, and, when there is a difference between them, determines the explicit DLL as a DLL inserted by a malicious code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
JANG, Moon Su, KIM, Hong Chul, YUN, Young Tae

Application Number

US12/262,745
Publication Number

US 20090133126A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

APPARATUS AND METHOD FOR DETECTING DLL INSERTED BY MALICIOUS CODE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

107 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR DETECTING DLL INSERTED BY MALICIOUS CODE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links