Student: 林瑋璿 Wei-Hsuan Lin
Thesis title: Detecting Malicious Code Injection through Hooking Windows APIs (藉由Windows API掛鉤實現對惡意程式之入侵行為的偵測)
Advisor: 孫宏民
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science
Year of publication: 2008
Graduating academic year: 96 (ROC calendar)
Language: English
Pages: 53
Chinese keywords: 惡意程式注入 (malicious code injection)
Abstract:

In the area of defence systems built on monitoring Windows API calls, several problems remain worth studying.

The first is the handling of dynamically loaded DLLs, which past work has paid little attention to. A DLL is usually shared by several programs, so once that DLL contains a vulnerability, every program that shares it may be affected.

The second is insufficient resistance to mimicry attacks, in particular mimicry carried out by scanning memory. Mimicry attacks vary with the checking mechanism of the defence system. Defence systems that monitor Windows APIs usually use the return address as the basis of their check; a mimicry attack can therefore scan memory for a legitimate Windows API call, take the return address that follows it, and pass the check with it.

The last problem is that Windows API monitoring itself can be bypassed.

We built a novel system that addresses these problems. It protects every loaded DLL and provides two mechanisms: traps, and the hiding of Windows API call instructions. Traps are placed between the code sections of the Windows APIs, so that when an attacker tries to bypass our system an exception is raised and the attack fails. Hiding all Windows API call instructions means that an attacker scanning memory cannot tell which call is the one he wants, which raises the bar for mimicry attacks. In our experiments the system effectively blocks real-world attack programs with a small performance impact, roughly 8%. The system is also flexible: it can cooperate with existing kernel-level defence mechanisms to provide more comprehensive protection.
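The three ideas in the abstract (the return-address check at an API hook, the memory-scanning mimicry attack that harvests a legitimate return address, and hiding the API call instructions so the scan no longer identifies the wanted call) can be simulated on a byte buffer without a live Windows process. The block below is an added example written for this page, not code from the thesis. It assumes a 32-bit image whose import calls are encoded as `call dword ptr [imm32]` (bytes `FF 15 imm32`), constructed IAT slot addresses (`SLOT_CREATEPROCESS`, `SLOT_WRITEFILE`), and, for the hiding step, a single shared dispatcher slot (`SLOT_DISPATCHER`) plus a defender-held site table; those last two are this example's stand-in for whatever mechanism the thesis actually uses.

```c
/* Added example: return-address check, memory-scan mimicry, call hiding,
 * all simulated on a constructed x86-32 code image (not the thesis's code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CALL_IND_LEN 6                  /* FF 15 imm32 = call dword ptr [imm32], 6 bytes */
#define SLOT_CREATEPROCESS 0x00402010u  /* constructed IAT slot addresses */
#define SLOT_WRITEFILE     0x00402014u
#define SLOT_DISPATCHER    0x00402100u  /* assumed: one shared slot every hidden call goes through */
#define MAX_SITES 16

uint8_t g_code[64];   /* the simulated code image, filled by demo() */
size_t  g_len;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}
static int is_call_via(const uint8_t *p, uint32_t slot) {
    return p[0] == 0xFF && p[1] == 0x15 && rd32(p + 2) == slot;
}

/* Constructed sample image: push ebp; mov ebp,esp; three import calls; ret. */
size_t build_sample(uint8_t *code) {
    size_t n = 0;
    code[n++] = 0x55;                    /* push ebp      (offset 0) */
    code[n++] = 0x8B; code[n++] = 0xEC;  /* mov ebp, esp  (offset 1) */
    code[n++] = 0xFF; code[n++] = 0x15; wr32(code + n, SLOT_CREATEPROCESS); n += 4; /* offset 3, returns to 9 */
    code[n++] = 0xFF; code[n++] = 0x15; wr32(code + n, SLOT_WRITEFILE);     n += 4; /* offset 9, returns to 15 */
    code[n++] = 0xFF; code[n++] = 0x15; wr32(code + n, SLOT_CREATEPROCESS); n += 4; /* offset 15, returns to 21 */
    code[n++] = 0xC3;                    /* ret           (offset 21) */
    return n;                            /* 22 bytes */
}

/* Defender, plain hook: accept a return address only if the six bytes in
 * front of it are a call through the IAT slot of the API being entered. */
int return_address_is_legit(const uint8_t *code, size_t len, size_t ret_off, uint32_t slot) {
    if (ret_off < CALL_IND_LEN || ret_off > len) return 0;
    return is_call_via(code + ret_off - CALL_IND_LEN, slot);
}

/* Attacker (mimicry by memory scan): find every call through the target's
 * IAT slot and harvest the address that follows it. Returns the number of
 * candidates; the first one is written to *first when first is non-NULL. */
size_t scan_for_call_sites(const uint8_t *code, size_t len, uint32_t slot, size_t *first) {
    size_t found = 0;
    for (size_t i = 0; i + CALL_IND_LEN <= len; i++) {
        if (!is_call_via(code + i, slot)) continue;
        if (found == 0 && first) *first = i + CALL_IND_LEN;
        found++;
    }
    return found;
}

/* Defender-held table (assumption): which API each rewritten site really reaches. */
typedef struct { size_t ret_off; uint32_t api_slot; } site_t;
static site_t g_sites[MAX_SITES];
static size_t g_nsites;

/* Hiding: rewrite every "call [api_slot]" into "call [SLOT_DISPATCHER]" (same
 * length, so return addresses do not move) and record the real target out of
 * band; the image no longer says which site reaches which API. A real
 * rewriter would disassemble instead of byte-matching FF 15. */
size_t hide_iat_calls(uint8_t *code, size_t len) {
    size_t rewritten = 0;
    g_nsites = 0;
    for (size_t i = 0; i + CALL_IND_LEN <= len; i++) {
        if (code[i] != 0xFF || code[i + 1] != 0x15) continue;
        uint32_t slot = rd32(code + i + 2);
        if (slot == SLOT_DISPATCHER || g_nsites == MAX_SITES) continue;
        g_sites[g_nsites].ret_off = i + CALL_IND_LEN;
        g_sites[g_nsites].api_slot = slot;
        g_nsites++;
        wr32(code + i + 2, SLOT_DISPATCHER);
        rewritten++;
        i += CALL_IND_LEN - 1;
    }
    return rewritten;
}

/* Dispatcher check after hiding: the return address must follow a dispatcher
 * call AND the table must say that site reaches the API being invoked. */
int hidden_return_is_legit(const uint8_t *code, size_t len, size_t ret_off, uint32_t api_slot) {
    if (!return_address_is_legit(code, len, ret_off, SLOT_DISPATCHER)) return 0;
    for (size_t k = 0; k < g_nsites; k++)
        if (g_sites[k].ret_off == ret_off) return g_sites[k].api_slot == api_slot;
    return 0;
}

/* Runs the scenario; returns 0 when every step behaves as described, else the failing step. */
int demo(void) {
    size_t harvested = 0;
    g_len = build_sample(g_code);
    /* 1: a genuine CreateProcess site passes, a WriteFile site does not */
    if (!return_address_is_legit(g_code, g_len, 9, SLOT_CREATEPROCESS)) return 1;
    if (return_address_is_legit(g_code, g_len, 15, SLOT_CREATEPROCESS)) return 2;
    /* 2: the scan finds two sites and the harvested address passes the same check */
    if (scan_for_call_sites(g_code, g_len, SLOT_CREATEPROCESS, &harvested) != 2) return 3;
    if (!return_address_is_legit(g_code, g_len, harvested, SLOT_CREATEPROCESS)) return 4;
    /* 3: after hiding, the target slot is gone and all three sites look alike */
    if (hide_iat_calls(g_code, g_len) != 3) return 5;
    if (scan_for_call_sites(g_code, g_len, SLOT_CREATEPROCESS, NULL) != 0) return 6;
    if (scan_for_call_sites(g_code, g_len, SLOT_DISPATCHER, NULL) != 3) return 7;
    /* 4: the dispatcher still rejects a dispatcher site that belongs to another API */
    if (!hidden_return_is_legit(g_code, g_len, 9, SLOT_CREATEPROCESS)) return 8;
    if (hidden_return_is_legit(g_code, g_len, 15, SLOT_CREATEPROCESS)) return 9;
    return 0;
}

int main(void) {
    int r = demo();
    if (r == 0) printf("all steps behaved as expected\n");
    else printf("step %d failed\n", r);
    return r;
}
```

Build with any C99 compiler and run; `demo()` returns 0 when each step behaves as the abstract describes. Two caveats worth keeping in mind: after hiding, the attacker can still harvest all three dispatcher sites and try each in turn, so hiding raises the cost of mimicry rather than eliminating it (the abstract claims no more than that); and a rewriter that byte-matches `FF 15` can misfire on an immediate operand that happens to contain those bytes, so a production version must disassemble the image instead.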