windows api call sequences
play

Windows API Call Sequences Sanchit Gupta, Sarvjeet Kaur and Harshit - PowerPoint PPT Presentation

Sep 16, 2022 •113 likes •358 views

SPACE - 2016 Malware Characterization using Windows API Call Sequences Sanchit Gupta, Sarvjeet Kaur and Harshit Sharma Scientific Analysis Group DRDO Metcalfe House, Delhi 110054 AIM Extraction of run-time behaviour of Malware by monitoring

  1. SPACE - 2016 Malware Characterization using Windows API Call Sequences Sanchit Gupta, Sarvjeet Kaur and Harshit Sharma Scientific Analysis Group DRDO Metcalfe House, Delhi – 110054

  2. AIM Extraction of run-time behaviour of Malware by monitoring • system calls Categorize unknown Malware • SCOPE Operating System : Windows OS Category of Malware : Five Classes 1. Worm 2. Trojan-Downloader 3. Trojan-Spy 4. Trojan-Dropper 5. Backdoor 2 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  3. Application Execution in Windows OS USER APPLICATION Windows-API (Kernel32.dll, Advapi32.dll & other Windows DLL ) User Level Operating System Native API (Ntdll.dll) Kernel API Kernel Level HARDWARE 3 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  4. Application Execution in Windows OS MALWARE Windows-API (Kernel32.dll, Advapi32.dll & other Windows DLL ) User Level Operating System Native API (Ntdll.dll) Kernel API Kernel Level HARDWARE 4 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  5. Application Execution in Windows OS Create a File CreateFile(..) (Kernel32.dll) User Level Operating System NtCreateFile() (ntdll.dll) NtCreateFile (SSDT) Kernel Level IRP_MJ_Write Driver DISK Write 5 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  6. Application Execution in Windows OS Well Documented Version Independent Create a File Many Hooking Libraries CreateFile(..) (Kernel32.dll) User Level Operating System NtCreateFile() (ntdll.dll) NtCreateFile (SSDT) Kernel Level IRP_MJ_Write Driver HARD DISK 6 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  7. Some Malicious Win-API Patterns Malicious Activity API Pattern (FindWindowA, ShowWindow, GetAsyncKeyState) (SetWindowsHookEx, Key Logger RegisterHotKey, GetMessage,UnhookWindowsHookEx) (GetDC, GetWindowDC), CreateCompatibleDC, CreateCompatibleBitmap, Screen Capture SelectObject, BitBlt, WriteFile (IsDebuggerPresent, CheckRemoteDebuggerPresent, OutputDebugStringA, Antidebugging OutputDebugStringW) Downloader URLDownloadToFile, (WinExec,ShellExecute) DLL Injection OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread Dropper FindResource, LoadResource, SizeOfResource For each Malicious Activity: 1. Identification of such Win-API Call sequences 2. Extraction of same 7 of 20

  8. Identification & Categorization of Win-APIs 534 Win – API Calls 1 2 3 4 ... 533 534 … OpenFile WriteFile Send GetHostbyName Connect GetSystemTime A B C D E ... Y Z … I/O I/O I/O I/O I/O Win- System Create Open Write Find Read Service Info 26 Category Win-APIs in ‘I/O create’ category is used to create I/O objects like file, folder, Stdin & Stdout. 8 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  9. CATEGORY SOME EXAMPLES Code No. of API 1 I/O Create CreatefileA, CreatePipe A 14 2 I/O Open OpenFile ,OpenFileMappingA B 10 3 I/O Write WriteFile, WriteConsoleW, WriteFileEx C 25 4 I/O Find FindFirstFileA, FindNextFileW D 13 5 I/O Read ReadFile, ReadFileEx, ReadConsoleA E 18 6 I/O Acces SetFileAttributesW, SetConsoleMode, F 19 7 Loading Library LoadLibraryExW ,FreeLibrary G 7 8 Registry Read RegOpenKeyExW, RegQueryValueA H 15 9 Registry Write RegSetValueA, RegSetValueW, I 13 ….. ………. 22 Internet Open/ Read InternetOpenUrlA, InternetReadFile V 13 23 Internet Write InternetWriteFile, TransactNamedPipe W 2 24 Win-Service Create CreateServiceW, CreateServiceA X 2 25 Win-Service Other StartServiceW, ChangeServiceConfigA Y 11 26 System Information GetSystemDirectoryW, GetSystemTime Z 35 TOTAL APIs 26 534

  10. Win-API Call Extraction of Malware Host Machine: UBUNTU 14.01 Guest Machine : Win-XP SP2 APP-MON Execute Malware 520 for each Malware Class Total Sample: 2,600 Time Taken: 40 days Win-API Call Sequence Higher Level Category Sequence 10 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  11. N-gram Analysis of final Call sequence Tool Used: AntConc LIMITATION: F inds exactly same consecutive patterns 11 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  12. Analysis of sequence: ssdeep Analysis ssdeep (Fuzzy Hash) Matches inputs that have homologies. Properties: • Non-Propagation • Alignment Robustness and • Signature Matching Criteria 12 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  13. Analysis of sequence: ssdeep Analysis (2) FILE LENGTH : 26 KB ssdeep Hash: 768:9tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+iXnnKqhXEQPl3u 13 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences SPACE-2016 : Malware Characterization using Windows API Call Sequences

  14. Analysis of sequence: ssdeep Analysis (3) ssdeep Hash: 768:9tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+iXnnKqhXEQPl3u CHANGE SSDEEP HASH MATCH ‘Annual’ 768:8tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPL Removed from first 99 JzOmu:8UY+iXnnKqhXEQPl3u paragraph 768:XtshU9EFMiEHv1bDtNKm2tlfl5DXhAfQPL Replace 2016 with 2017 (15 83 JzObv:XUh+iinnK3hXEQPlCv replacements) 768:TtshG99FMiEHvcbDtNUq2twHl5DXhA9QVL Replace cryptography with 79 JzOIu:TUu+ijnnUshXGQVlVu cryptology (25 replacements) 768:TtshU99FMiEHvIbDtNKm2tWHl5DXhAfQPL 99 Removes first 500 bytes JzOmu:TUY+iXnnKqhXEQPl3u 768:1tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPL Removes first 1500 bytes and place 96 JzOm3:1UY+iXnnKqhXEQPl33 them in end 768:1tshU99FMiEHvUbDtNKm2tWHl5DXhAfQPL Remove first 1500 bytes and place 96 JzOmu:1UY+i5nnKqhXEQPl3u them in middle 768:9tshU99FMA&&vIbDtNKm2tWHl5DXhAfQPL 96 Remove 2000 bytes from middle JzOmu:9UY+/&nnKqhXEQPl3u 768:9tshU99FM91HvIbDtNKm2tWHl5DXhAfQPL Replace 800 bytes from middle with 97 JzOmu:9UY+6n&nKqhXEQPl3u random string SPACE-2016 : Malware Characterization using Windows API Call Sequences SPACE-2016 : Malware Characterization using Windows API Call Sequences

  15. Analysis of sequence : ssdeep Analysis (2) matching score as malware classification criteria. 15 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  16. Classification Results: Best Matching Class Training Data : 2000 Samples Testing Data : 120 samples per Malware Class MALWARE Worm Backdoor Trojan - Trojan - Trojan - CLASS Dropper Downloader Spy Worm 109 1 6 3 1 Backdoor 1 98 6 5 10 Trojan - 6 6 101 4 3 Dropper Trojan - 3 5 4 108 0 Downloader Trojan - 1 10 3 0 106 Spy 16 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  17. Classification Results Comparison Existing (Malware vs Benign) Our Model (One Malware Class vs All)

  18. Proposed Malware Classification Framework 18 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

  19. FUTURE DIRECTION More number of samples • More Malware Categories like rootkit, botnet etc. • Other Operating systems like Linux, Android etc. • 19 of 20 SPACE-2016 : Malware Characterization using Windows API Call Sequences

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
20-03-06 7. Learning Sequences/Behaviors How to use sequences/behaviors? Sequences and more

20-03-06 7. Learning Sequences/Behaviors How to use sequences/behaviors? Sequences and more

20-03-06 7. Learning Sequences/Behaviors How to use sequences/behaviors? Sequences and more generally behaviors are about Sequences are used integrating the concept of time into what is learned. In } to analyze time dependent data general,

298 views • 6 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Sequences Sequences are ordered lists of elements, e.g. 2, 3, 5, 7, 11, 13, 17, 19, . . . or a , b

Sequences Sequences are ordered lists of elements, e.g. 2, 3, 5, 7, 11, 13, 17, 19, . . . or a , b

Sequences, sums, cardinality 1 Myrto Arapinis School of Informatics University of Edinburgh October 1, 2014 1 Slides mainly borrowed from Richard Mayr 1 / 21 Sequences Sequences are ordered lists of elements, e.g. 2, 3, 5, 7, 11, 13, 17, 19, .

570 views • 39 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Sequences Sequences and Difference Equations "Sequences" is a central topic in

Sequences Sequences and Difference Equations "Sequences" is a central topic in

5mm. Sequences Sequences and Difference Equations "Sequences" is a central topic in mathematics: (Appendix A) x 0 , x 1 , x 2 , . . . , x n , . . . , Example: all odd numbers Hans Petter Langtangen 1 , 3 , 5 , 7 , . . . , 2 n + 1 , .

223 views • 10 slides
Sequences Sequences and Difference Equations "Sequences" is a central topic in

Sequences Sequences and Difference Equations "Sequences" is a central topic in

5mm. Sequences Sequences and Difference Equations "Sequences" is a central topic in mathematics: (Appendix A) x 0 , x 1 , x 2 , . . . , x n , . . . , Example: all odd numbers Hans Petter Langtangen 1 , 3 , 5 , 7 , . . . , 2 n + 1 , .

475 views • 5 slides
Beyond NX An attackers guide to Windows anti-exploitation technology Ben Nagy bnagy@eeye.com

Beyond NX An attackers guide to Windows anti-exploitation technology Ben Nagy bnagy@eeye.com

Beyond NX An attackers guide to Windows anti-exploitation technology Ben Nagy bnagy@eeye.com Basics Windows Process Memory Page 2 How functions use the stack Page 3 (CALL pushes EIP)

736 views • 32 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

CHAPTER 26 W INDOWS S ECURITY 26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE.................. 2 26.2 WINDOWS VULNERABILITIES ................................................. 18 26.3 WINDOWS SECURITY DEFENSES

537 views • 43 slides
Call Up of Permit for Clerestory Windows Anastazia Aziz, AICP, Director, Community Development

Call Up of Permit for Clerestory Windows Anastazia Aziz, AICP, Director, Community Development

Library Renewal Project: Call Up of Permit for Clerestory Windows Anastazia Aziz, AICP, Director, Community Development Department Scott Bauer, Library Director Karin Payson, AIA, LEED AP, Principal, Karin Payson Architecture + Design April

580 views • 14 slides
Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System Requirements A PC running MS Windows 2000, or Windows XP Matlab (6.5, 2007a/b or 2008a/b) Python 2.5 Download the Windows installer from

288 views • 10 slides
Prequatization, differential cohomology and the genus integration Rui Loja Fernandes Department

Prequatization, differential cohomology and the genus integration Rui Loja Fernandes Department

Prequatization, differential cohomology and the genus integration Rui Loja Fernandes Department of Mathematics University of Illinois at Urbana-Champaign, USA 2nd Workshop S ao Paulo J. of Math. Sci. USP, November 2019 This talk is an

978 views • 71 slides
INTRODUCTION I to MARSDEN and SYMMETRY Alan Weinstein University of California, Berkeley

INTRODUCTION I to MARSDEN and SYMMETRY Alan Weinstein University of California, Berkeley

INTRODUCTION I to MARSDEN and SYMMETRY Alan Weinstein University of California, Berkeley ICIAM Vancouver July 20, 2011 1 [ slide #1] Jerrold (Jerry) Marsden August 17 1942 September 21, 2010 Berkeley, 1997; George Bergman Websites:

722 views • 38 slides
A topological model for studying branching and merging homologies of time flows Philippe Gaucher

A topological model for studying branching and merging homologies of time flows Philippe Gaucher

A topological model for studying branching and merging homologies of time flows Philippe Gaucher http://www.pps.jussieu.fr/gaucher Preuves, Programmes et Syst` emes, CNRS UMR 7126 et Paris 7 A topological model for studying branching and

618 views • 14 slides
Decoding problem for topological quantum codes Guillaume Duclos-Cianci Dpartement de Physique

Decoding problem for topological quantum codes Guillaume Duclos-Cianci Dpartement de Physique

Decoding problem for topological quantum codes Guillaume Duclos-Cianci Dpartement de Physique Universit de Sherbrooke Joint work with: David Poulin and Hector Bombin Second International Conference on Quantum Error Correction University of

1.66k views • 151 slides
Quasi-invariants of 2-knots and quantum integrable systems Dmitry Talalaev MSU, ITEP May,2015,

Quasi-invariants of 2-knots and quantum integrable systems Dmitry Talalaev MSU, ITEP May,2015,

Preliminaries Results Appendices Quasi-invariants of 2-knots and quantum integrable systems Dmitry Talalaev MSU, ITEP May,2015, GGI, Firenze D. Talalaev Quasi-invariants of 2-knots and quantum integrable systems Preliminaries Results

825 views • 55 slides
Classifying spaces of quandles and low dimensional topology Takefumi Nosaka Kyoto

Classifying spaces of quandles and low dimensional topology Takefumi Nosaka Kyoto

Classifying spaces of quandles and low dimensional topology Takefumi Nosaka Kyoto univ. RIMS Introduction X : a quandle BX : a rack space [95, Fenn-Rourke-Sanderson] [FRS] studied BX ,

455 views • 23 slides
ELIXIR competence center Three months remaining Kimmo Mattila / CSC www.elixir-europe.org

ELIXIR competence center Three months remaining Kimmo Mattila / CSC www.elixir-europe.org

ELIXIR competence center Three months remaining Kimmo Mattila / CSC www.elixir-europe.org ELIXIR competence center ELIXIR : Research infrastructure focused on life science data. Supported by EMBL-EBI and 20 European countries The

776 views • 19 slides
On the geometric nature of mutual exclusion Eric Goubault & Samuel Mimram Work in progress

On the geometric nature of mutual exclusion Eric Goubault & Samuel Mimram Work in progress

On the geometric nature of mutual exclusion Eric Goubault & Samuel Mimram Work in progress CEA LIST and Ecole Polytechnique, France ACAT Conference, Bremen 15th of July 2013 E. Goubault & S. Mimram Contents of the talk Mostly trying

955 views • 81 slides

More recommend