Title of invention |
APPARATUS AND METHOD FOR DETECTING MALICIOUS SHELL CODE BY USING DEBUG EVENT |
Abstract |
PURPOSE: A malicious shell code detection device using a debug event and a method thereof are provided to determine whether or not a non-executable file is malicious based on address range information, thereby detecting a malicious non-executable file before executing a malicious code. CONSTITUTION: An alarm setting unit (130) generates a debug event when a mother process executes a code excluding an execution attribute. The mother process is generated by a mother program executing a non-executable file. An information storage unit (140) stores address range information of a memory into which normal modules are loaded. The normal modules are used by the mother process. When the debug event is generated, a malicious determination unit (150) determines whether or not the non-executable file is malicious by using the address range information. When the debug event is generated, the alarm setting unit injects a data execution alarm thread into a detection object process. [Reference numerals] (100) Malicious shell code detection device; (110) Interface unit; (120) Process execution unit; (130) Alarm setting unit; (140) Information storage unit; (150) Malicious determination unit; (160) Cause analysis unit; (170) Malicious code extraction unit |
Publication number |
KR101244731(B1) |
Publication date |
2013.03.18 |
Application number |
KR20120100255 |
Application date |
2012.09.11 |
Applicant |
AHNLAB, INC. |
Inventors |
LIM, CHA SUNG;LEE, JU SEOK |
Classification |
G06F21/00;G06F11/30;G06F11/36 |
Main classification |
G06F21/00 |
Agency |
|
Agent |
|
Main claim |
|
Address |
|