| Field | Value |
|---|---|
| Graduate student | 曾裕棟 Yu-Tung Tseng |
| Thesis title | 於核心模式中動態偵測惡意程式之入侵行為 (Detecting the Malicious Code Injection by Hooking System Calls in Kernel Mode) |
| Advisor | 孫宏民 Hung-Min Sun |
| Committee members | |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science - Institute of Information Systems and Applications |
| Year of publication | 2006 |
| Graduation academic year | 94 |
| Language | English |
| Pages | 57 |
| Keywords (Chinese, translated) | System Security, Dynamic-Link Library Injection, Binary Code Injection, API Hooking, System Call Hooking, Internal Threat |
| Keywords (English) | System Security, DLL Injection, Binary Code Injection, API Hooking, System Call Hooking, Internal Threat |
With the increasing rampancy of viruses, Trojans, worms, malware and spyware, most users protect their personal computers with antivirus and firewall software. However, on October 31, 2005, the record company Sony BMG was revealed to have hidden a rootkit on the music CDs it sold: simply playing such a CD on a personal computer installed the rootkit on that computer without the user's knowledge. In fact, this rootkit was Digital Rights Management (DRM) software, but in order to prevent users from copying the CD it used rootkit techniques to intercept the communication between the kernel and the Windows APIs, modifying instructions and information and hiding its run-time information and activity to avoid detection. Seen from another angle, a malicious program could use similar techniques to evade the protection of antivirus software, and even the detection of firewall software.
In fact, potential threats using similar techniques have already been found. In the Windows operating system, it is legitimate to create a new thread in another running process; therefore a malicious program can inject a fragment of malicious code into a legitimate process and immediately create a new thread to execute the injected fragment, thereby evading detection by firewall software and gaining access to the network. In other words, even under the protection of firewall software, malware, spyware and rootkits can launch an internal attack inside the system and then freely send data out or open a backdoor.
Therefore, in this thesis I first examine the methods of injecting malicious code fragments and their associated potential threat models. By analyzing these methods and threat models, I propose a detection mechanism for the Microsoft Windows operating system, the Detecting Malicious Code Injection Engine (DMCIE). I implement this mechanism as a driver running in kernel mode, so it can dynamically monitor every running process in the system and provide the user with more precise intrusion information. After the detection mechanism is installed, system performance does not drop substantially; overall performance decreases by at most 3.26%. DMCIE is therefore suitable for installation on the Windows operating system, or for combination with other system security software, to strengthen overall system security.
With the wide spread of viruses, Trojans, worms, malware, and spyware, most people protect their personal computers with antivirus and firewall software. However, on October 31, 2005, a rootkit shipped on Sony BMG music CDs was revealed. This rootkit is installed secretly into the Microsoft Windows operating system after a Sony BMG music CD is inserted into the computer. In fact, it is a kind of Digital Rights Management (DRM) software that protects the CD against unauthorized copying, but it hides its process information and activity from detection. This shows that malicious software may use similar approaches to evade the protection of antivirus software, and even the detection of software firewalls.
In fact, potential threats still exist. In the Windows operating system, it is considered legitimate behavior for a process to create a remote thread in another running process. Thus a malicious process may inject malicious code into an authorized process and then execute it, bypassing the detection of software firewalls without raising a warning. In other words, malware, spyware, and rootkits can launch the attack from inside the system to send data or open a backdoor silently, even under the protection of firewall software.
In this thesis, we discuss the methods for injecting code into running processes and the corresponding potential threats. By analyzing these methods, we propose a detection mechanism called the Detecting the Malicious Code Injection Engine (DMCIE) for the Microsoft Windows operating system. DMCIE is implemented as a loadable kernel-mode driver that dynamically monitors every process in the system and provides users with more precise information about suspected injection behavior. The maximal overhead caused by DMCIE is less than 3.26%. This minor overhead makes DMCIE suitable to be installed on Windows or combined with other software to increase system security.
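The detection idea in the abstract (a kernel-mode hook that watches system calls and flags a process that writes code into another process and then starts a thread there), as an added example that is not the thesis's DMCIE driver: a user-mode Python simulation of that state machine, run over constructed trace lines of the kind such a hook would observe. The trace format (caller pid, target pid, NT service name) and the pids are assumptions; the service names are real NT system services.

```python
"""Added example (not the thesis's DMCIE code): per-process-pair tracking of the
remote-thread injection sequence over a constructed system-call trace.
Each trace line is assumed to read: <caller_pid> <target_pid> <syscall>."""
from collections import defaultdict

# The sequence DMCIE-style monitoring looks for when target != caller.
INJECTION_STEPS = ("NtOpenProcess", "NtAllocateVirtualMemory",
                   "NtWriteVirtualMemory", "NtCreateThread")

# Constructed trace: pid 4242 injects into pid 1000; pid 3000 only acts on
# itself; pid 5000 opens and reads pid 1000 but never writes or starts a thread.
SAMPLE_TRACE = """\
4242 1000 NtOpenProcess
3000 3000 NtAllocateVirtualMemory
4242 1000 NtAllocateVirtualMemory
5000 1000 NtOpenProcess
5000 1000 NtReadVirtualMemory
4242 1000 NtWriteVirtualMemory
3000 3000 NtCreateThread
4242 1000 NtCreateThread
"""

def parse_trace(text):
    """Yield (caller, target, syscall) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            yield int(parts[0]), int(parts[1]), parts[2]

def detect_injection(trace_text):
    """Return one alert per (caller, target) pair that completes, in order,
    open -> allocate -> write -> create-thread against a different process."""
    progress = defaultdict(int)   # (caller, target) -> steps completed so far
    alerts = []
    for caller, target, syscall in parse_trace(trace_text):
        if caller == target:
            continue              # in-process activity is legitimate here
        key = (caller, target)
        if syscall == INJECTION_STEPS[progress[key]]:
            progress[key] += 1
            if progress[key] == len(INJECTION_STEPS):
                alerts.append({"injector": caller, "victim": target,
                               "sequence": list(INJECTION_STEPS)})
                progress[key] = 0  # reset so a second injection is reported too
    return alerts

if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_TRACE):
        print("code injection suspected:", alert)
```

A real hook would also need to cope with interleaved calls from several threads and with processes that legitimately do cross-process writes (debuggers), which is why the thesis reports the behaviour to the user rather than blocking it outright.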