Abstract
In this paper, a tracking and capturing method for abnormal behavior in marketing system is designed. The main steps of the method include: (1) Trace generation based on function injection. This method selects NOP, HLT and other instructions of untrusted processes to fill the memory area, and injects the test. The function and control process execute the function to obtain Trace; (2) Trace & capture-based sandbox interception system function analysis method, first establish a finite state automaton model describing the instruction address translation of the untrusted process call system function, according to the state of the automaton. The conversion determines whether the system function calling process has interception behavior, and further identifies the system function of the sandbox interception according to the position of the state machine conversion instruction in the automatic machine. This paper designs and implements the prototype system, called TC-analyser, and solves the key problems of the function injection timing selection, Trace intermediate representation and other implementation processes. Finally, choose Chromium and Adobe Reader to test the TC-analyser’s interception recognition capability and compare it with Hooks hark. The experimental results show that the TC-analyser has good interception and recognition capabilities.
Reference20 articles.
1. Yee Bennet, Sehr David, Dardyk Gregory, et al. Native Client: a sandbox for portable, untrusted x86 native code [J]. Commun. ACM, 2010 (1): 91-99.
2. Inside Adobe Reader Protect Mode [OL]. http://blogs.adobe.com/security, 2010.
3. CVE-2011-1353[OL], https://web.nvd.nist.gov, 2011.
4. CVE-2013-0641[OL], https://web.nvd.nist.gov, 2013.
5. CVE-2013-3186[OL], https://web.nvd.nist.gov, 2013.