An Advanced Memory Introspection Technique to Detect Process Injection and Malwares of Varied Types in a Virtualized Environment
preprintposted on 07.07.2021, 06:35 by Darshan Tank, Akshai Aggarwal, Nirbhay Kumar Chaubey
Today’s advanced malware can easily avoid detection by adopting several evasion strategies. Process injection is one such strategy to evade detection from security products since the execution is masked under a legitimate process. Malicious activities are often enforced by injecting malicious code into running processes, which is often undetectable by traditional antimalware techniques. Various process injection techniques are employed by malware to gain more stealth and to bypass security tools/products. Our main focus in this research work is to propose an entirely out-of-VM approach based on advanced memory introspection to detect process injection of varied types in a virtualized environment. We have implemented a plugin using the open-source Volatility tool and successfully tested it on live VMs and malware-infected memory images. Experimental results show that our model classifies injected memory regions with high accuracy and completeness and has more true positives and fewer false positives when compared to other existing systems/solutions. Our proposed detection approach assures precise and reliable results and exactly pinpoint injected memory regions. Our proposed system detects an actual malicious memory region in the virtual address space of an infected process. Our proposed system detects more malware families and dominates the other approaches in all evaluation metrics.