Affiliation:
1. College of Cryptographic Engineering, Information Engineering University, Zhengzhou 450001, China
Abstract
The new DLL injection method and its variants prevent the injected process from calling the common system APIs to load the injected DLL module, so that the malicious module is invisible in the process's LDR linked list. Traditional injection detection methods have low accuracy in forensic detection of these new injection attacks. To solve this problem, this paper proposes MRCIF, a code-injection covert memory page detection and forensic algorithm based on reverse analysis of memory structures. First, the physical memory pages containing DLL features are located in the memory image, and a sub-algorithm is designed for mapping between physical and virtual memory space, thus reversely reconstructing the physical page subset corresponding to the DLL code module. Then, in the virtual memory space, the process's LDR linked list structure is reversely reconstructed, and a reverse reconstruction algorithm for the DLL virtual page subset is developed to reconstruct its virtual space. Finally, a DLL injection covert page detection sub-algorithm is designed based on the physical memory page subset and the virtual space page subset. The experimental results indicate that MRCIF achieves an accuracy of 88.89%, much higher than that of traditional DLL module injection detection methods, and that only MRCIF can accurately detect the Virtual Address Descriptor (VAD) remapping attack.
Funder
National Natural Science Foundation of China
Subject
Fluid Flow and Transfer Processes, Computer Science Applications, Process Chemistry and Technology, General Engineering, Instrumentation, General Materials Science
Cited by: 1 article.