| Field | Value |
|---|---|
| Student | 吳明峰 |
| Thesis title | 使用API監測系統對抗蠕蟲與惡意程式之研究 (The Research of API Monitoring System for Defeating Worms and Exploits) |
| Advisor | 孫宏民 |
| Committee members | |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Department of Computer Science |
| Year of publication | 2005 |
| Academic year of graduation | 93 (ROC calendar) |
| Language | English |
| Pages | 60 |
| Keywords (Chinese) | 蠕蟲 (worm), 緩衝區溢出 (buffer overflow), 駭客 (hacker), 木馬 (Trojan horse), 入侵 (intrusion) |
| Keywords (English) | worm, exploit, hacker, intrusion, buffer overflow |
Abstract (translated from Chinese):

According to CERT reports, more than half of the network security problems and attack incidents of recent years were caused by worms and exploits. In principle the two are very similar: both rely on buffer overflow and heap overflow vulnerabilities that arise from flawed string handling in application or system software, and both use those vulnerabilities to place a small piece of code on the target host in order to infect or intrude. They diverge in behaviour. A worm's defining trait is that it automatically infects other network hosts that still carry the unpatched vulnerability and, after each successful infection, repeats the process automatically; an exploit aims to break into the target host and obtain an interface for issuing commands. On Microsoft Windows this means connecting cmd.exe to a network socket and operating the system through it.

This thesis proposes a method, implemented on top of a Microsoft Windows API monitoring system, for defending against worm and exploit attacks. It imposes little overall performance overhead on the Windows operating system and needs neither special hardware support nor lengthy preprocessing. The system targets what worms and exploits have in common: both must use a vulnerability in flawed software to inject a small piece of code and then execute it to carry out the attack or intrusion. This code, typically a few hundred bytes long, is commonly called shellcode.

Shellcode runs by means of the system calls the operating system provides, so it must be written in a special way, and its structure and operation differ between the two major operating-system families. On Unix, system calls can be invoked directly, so no special technique is needed. On Microsoft Windows, the system calls (that is, the Win32 API calls) must be obtained through DLLs, the dynamic-link libraries that the system loads into memory automatically. The most direct consequence of this difference is shellcode length: shellcode for Unix is generally some tens of bytes up to about one hundred bytes, whereas shellcode that runs correctly on Windows needs roughly 200 to 1000 bytes. Beyond the several-fold size difference, executing shellcode on Windows is also more complex. There are other differences, but the way system calls are obtained has the largest effect on the overall structure of the shellcode.

With our system running, shellcode can no longer execute correctly on Microsoft Windows; we thereby successfully blocked attacks by both worms and exploits against vulnerable applications and improved system security.
Abstract (English):

Worm and exploit attacks are currently the most prevalent security problems; they account for over half of the CERT advisories issued in the last three years. In principle, worms and exploits are very similar: to initiate an infection or intrusion, both inject a small piece of binary code into an application through a buffer overflow or heap overflow vulnerability.

They differ in their behaviour after entering the system. A worm continuously and automatically tries to find and infect other hosts that have the same vulnerability, whereas an exploit focuses on creating an interface, for example by binding cmd.exe to a port; by connecting to that port the attacker obtains a command-line shell.

In this thesis we propose a performance-efficient API monitoring system for stopping worm and exploit attacks. With it, Microsoft Windows users can defeat these attacks without hardware support. The mechanism focuses on how shellcode (the hook by which a worm or exploit takes hold) works on the Windows NT family (Windows 2000, Windows XP and Windows Server 2003) and on the methods that can be used to stop it. Both worms and exploits inject a small piece of binary code into the target process; this code is called shellcode and is typically a few hundred bytes in size.

Shellcode has a characteristic structure that it needs in order to use system calls to interact with the target operating system, and that structure and way of working differ between Unix-like and Microsoft Windows systems. On Unix-like systems, shellcode can issue system calls directly; on Microsoft Windows, it must go through more complex steps to acquire the addresses of the Win32 API calls it needs, which live in DLLs (dynamic-link libraries).

These differences have a direct impact on shellcode size. Shellcode for Unix-like systems is generally about 20 to 100 bytes, whereas shellcode for Microsoft Windows is about 200 to 1000 bytes. Apart from size, Windows shellcode also behaves in a more complicated way than its Unix counterpart. Because shellcode on Windows needs extra steps to obtain the addresses of the Win32 API calls it uses, we found ways, specific to Microsoft Windows, to stop it.
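The API-address resolution step that both abstracts single out as the main structural difference between Unix and Windows shellcode, shown as an added example (my code, not the thesis's): a hash-based export-table walk of the kind Windows shellcode uses to find kernel32 functions without embedding their names, run against a constructed in-memory image instead of a real DLL. The image layout, the function RVAs, the four export names and the monitor stub are assumptions made for the demonstration; a real resolver first locates the DLL base through the PEB loader list and reads the export directory RVA from the PE optional header, both of which are skipped here. hook_export illustrates one place an API monitor can sit so that a hash-walking resolver receives the monitor's stub instead of the real function; the abstract does not say where the thesis's own monitor intercepts, so this is not its method.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of IMAGE_EXPORT_DIRECTORY from the PE/COFF specification (40 bytes). */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions;     /* RVA -> uint32_t[NumberOfFunctions]: function RVAs      */
    uint32_t AddressOfNames;         /* RVA -> uint32_t[NumberOfNames]: RVAs of name strings   */
    uint32_t AddressOfNameOrdinals;  /* RVA -> uint16_t[NumberOfNames]: index into functions   */
} export_dir_t;

/* Assumed layout of the constructed image; every value is an RVA (offset from base). */
#define RVA_EXPORT_DIR 0x100
#define RVA_FUNCS      0x200
#define RVA_NAMES      0x240
#define RVA_ORDS       0x280
#define RVA_STRINGS    0x300
#define RVA_MONITOR    0xF00   /* assumed location of the API monitor's stub */
#define NUM_EXPORTS    4

/* Constructed export set. Names are kept sorted as a real export table would have them. */
static const char *const kNames[]  = { "ExitProcess", "GetProcAddress", "LoadLibraryA", "WinExec" };
static const uint16_t  kOrdinals[] = { 3, 1, 0, 2 };                 /* name i -> funcs[] index */
static const uint32_t  kFuncRvas[] = { 0x800, 0x810, 0x820, 0x830 }; /* LoadLibraryA, GetProcAddress, WinExec, ExitProcess */

static union { uint32_t align; uint8_t bytes[4096]; } g_image;

/* ror13 hash: what classic Windows shellcode stores instead of API name strings. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) {
        h = (h >> 13) | (h << 19);
        h += (unsigned char)*s;
    }
    return h;
}

uint8_t *image_base(void) { return g_image.bytes; }

/* Builds the constructed stand-in for a loaded DLL: export directory plus its three tables. */
uint8_t *build_image(void) {
    uint8_t *base = g_image.bytes;
    memset(base, 0, sizeof g_image.bytes);
    export_dir_t *ed = (export_dir_t *)(base + RVA_EXPORT_DIR);
    ed->Base = 1;
    ed->NumberOfFunctions = ed->NumberOfNames = NUM_EXPORTS;
    ed->AddressOfFunctions = RVA_FUNCS;
    ed->AddressOfNames = RVA_NAMES;
    ed->AddressOfNameOrdinals = RVA_ORDS;
    uint32_t *funcs = (uint32_t *)(base + RVA_FUNCS);
    uint32_t *names = (uint32_t *)(base + RVA_NAMES);
    uint16_t *ords  = (uint16_t *)(base + RVA_ORDS);
    uint32_t str_rva = RVA_STRINGS;
    for (int i = 0; i < NUM_EXPORTS; i++) {
        funcs[i] = kFuncRvas[i];
        names[i] = str_rva;
        strcpy((char *)(base + str_rva), kNames[i]);
        str_rva += (uint32_t)strlen(kNames[i]) + 1;
        ords[i] = kOrdinals[i];
        base[kFuncRvas[i]] = 0xC3;   /* stand-in function body: a lone "ret" */
    }
    base[RVA_MONITOR] = 0xC3;
    return base;
}

/* Shellcode-side resolver: hash each exported name, follow the ordinal into the function table.
   The PEB->Ldr walk for the DLL base and the PE-header lookup of the export directory are skipped. */
void *resolve_by_hash(uint8_t *base, uint32_t hash) {
    const export_dir_t *ed = (const export_dir_t *)(base + RVA_EXPORT_DIR);
    const uint32_t *funcs = (const uint32_t *)(base + ed->AddressOfFunctions);
    const uint32_t *names = (const uint32_t *)(base + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(base + ed->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++)
        if (ror13_hash((const char *)(base + names[i])) == hash)
            return base + funcs[ords[i]];
    return NULL;
}

/* Monitor-side export-table hook: repoint one export at the stub, so GetProcAddress and hash-walking
   shellcode alike receive the monitor's address. On a real system the export table sits in a
   read-only section and must be made writable first. Returns 1 if the name was found. */
int hook_export(uint8_t *base, const char *name, uint32_t stub_rva) {
    export_dir_t *ed = (export_dir_t *)(base + RVA_EXPORT_DIR);
    uint32_t *funcs = (uint32_t *)(base + ed->AddressOfFunctions);
    const uint32_t *names = (const uint32_t *)(base + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(base + ed->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++)
        if (strcmp((const char *)(base + names[i]), name) == 0) {
            funcs[ords[i]] = stub_rva;
            return 1;
        }
    return 0;
}

int main(void) {
    uint8_t *base = build_image();
    for (int i = 0; i < NUM_EXPORTS; i++) {
        uint32_t h = ror13_hash(kNames[i]);
        uint8_t *p = resolve_by_hash(base, h);
        printf("%-15s hash=0x%08X -> base+0x%03lX\n", kNames[i], h, (unsigned long)(p - base));
    }
    hook_export(base, "WinExec", RVA_MONITOR);
    uint8_t *p = resolve_by_hash(base, ror13_hash("WinExec"));
    printf("after hook: WinExec -> base+0x%03lX (monitor stub)\n", (unsigned long)(p - base));
    return 0;
}
```

The hash loop is the part that inflates Windows shellcode relative to a Unix `int 0x80` sequence: the resolver itself, the PEB walk it omits here, and one hash per API all have to be carried in the payload. It also shows why an import-table (IAT) hook alone does not see this kind of shellcode: the resolver never touches the victim's imports, so a monitor has to intercept at the export table or inside the API body to catch it.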
Through the API monitoring system we propose, we can successfully stop attacks by worms and exploits on vulnerable processes by making the shellcode run incorrectly on Windows. In addition, the efficiency of Win32 API hooking and monitoring can be improved, and the mechanism also overcomes our inability to disassemble and analyse the protected processes.