Title of invention: APPARATUS AND METHOD FOR DETECTING MALICIOUS SHELL CODE BY USING DEBUG EVENT
Abstract: PURPOSE: A malicious shell code detection device using a debug event, and a method thereof, are provided to determine whether a non-executable file is malicious based on address range information, thereby detecting a malicious non-executable file before the malicious code is executed. CONSTITUTION: An alarm setting unit (130) generates a debug event when a mother process executes code that does not have the execute attribute. The mother process is generated by a mother program executing a non-executable file. An information storage unit (140) stores address range information of the memory into which normal modules are loaded. The normal modules are used by the mother process. When the debug event is generated, a malicious determination unit (150) determines whether the non-executable file is malicious by using the address range information. When the debug event is generated, the alarm setting unit injects a data execution alarm thread into a detection target process. [Reference numerals] (100) Malicious shell code detection device; (110) Interface unit; (120) Process execution unit; (130) Alarm setting unit; (140) Information storage unit; (150) Malicious determination unit; (160) Cause analysis unit; (170) Malicious code extraction unit
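The address-range decision described in the abstract, as an added Python example that is not taken from the patent or from the applicant's products. The module names, addresses and event format are constructed, and the verdict rule (an executed address outside every stored range is treated as malicious) is an assumption, since the abstract says only that the range information is used.

```python
from bisect import bisect_right
from typing import NamedTuple, Optional

class Module(NamedTuple):
    name: str
    base: int   # load address
    size: int   # mapped size in bytes

class RangeStore:
    """Address ranges of the normal modules loaded by the monitored process."""
    def __init__(self, modules):
        self._mods = sorted(modules, key=lambda m: m.base)
        self._bases = [m.base for m in self._mods]

    def find(self, addr: int) -> Optional[Module]:
        # Rightmost module whose base is <= addr, then confirm addr < end.
        i = bisect_right(self._bases, addr) - 1
        if i >= 0 and addr < self._mods[i].base + self._mods[i].size:
            return self._mods[i]
        return None

def judge(store: RangeStore, event: dict) -> str:
    """Classify one debug event (assumed rule: outside every range = malicious)."""
    if event["kind"] != "execute_violation":
        return "ignored"
    mod = store.find(event["address"])
    return f"normal:{mod.name}" if mod else "malicious"

# Constructed sample data, not taken from the patent.
STORE = RangeStore([
    Module("viewer.exe", 0x00400000, 0x00120000),
    Module("kernel32.dll", 0x76500000, 0x00110000),
    Module("ntdll.dll", 0x77000000, 0x00180000),
])
EVENTS = [
    {"kind": "execute_violation", "address": 0x0A1B0040},  # heap data
    {"kind": "execute_violation", "address": 0x76501000},  # inside kernel32
    {"kind": "execute_violation", "address": 0x76610000},  # first byte past kernel32
    {"kind": "breakpoint", "address": 0x00401000},         # unrelated debug event
]

def verdicts():
    return [judge(STORE, e) for e in EVENTS]

if __name__ == "__main__":
    for e, v in zip(EVENTS, verdicts()):
        print(f"{e['kind']:18} {e['address']:#010x} -> {v}")
```

The end of each range is exclusive, so the first byte past a module is classified as outside it.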
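Publication number: KR101244731(B1); Publication date: 2013.03.18
Application number: KR20120100255; Filing date: 2012.09.11
Applicant: AHNLAB, INC.; Inventors: LIM, CHA SUNG; LEE, JU SEOK
Classification: G06F21/00; G06F11/30; G06F11/36; Main classification: G06F21/00
Agency: ; Agent:
Principal claim:
Address: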