Issue No. 06 - June (2011 vol. 60)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TC.2011.46
Hung-Min Sun , National Tsing Hua University, Hsinchu
Hsun Wang , National Tsing Hua University, Hsinchu
King-Hang Wang , National Tsing Hua University, Hsinchu
Chien-Ming Chen , National Tsing Hua University, Hsinchu
As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.
API hooking, Windows API, code injection.
C. Chen, H. Wang, K. Wang and H. Sun, "A Native APIs Protection Mechanism in the Kernel Mode against Malicious Code," in IEEE Transactions on Computers, vol. 60, no. , pp. 813-823, 2011.