The fallout of Windows code injection in benign programs

MASTER Assignment

Type: Master M-CS

Period: November 2024 - April 2025

Student: Bals, J. (Jordi, Student CS)

Date final project: April 10, 2025

Thesis

Supervisors:

Abstract:

Code injection is a technique used by malware to write a section of its own code into another process and trick that process into executing it. Many state-of-the-art detection systems determine malicious behavior by looking only at the malware sample. Because they do not look at the target process of the injection, they miss the part of the malicious behavior that is carried out there. No prior research studies the effects of code injection on the benign processes that are injected, so it is unclear how much malicious process behavior (e.g., system calls) modern solutions miss. We propose a framework that automatically identifies the behavior exhibited by injecting malware samples and by their victim processes after they are targeted by code injection. The framework uses dynamic analysis to record the system calls of the malware sample and of its victim, and matches the recorded system calls against SIGMA rules that define behavior. We then use this framework to gather the behaviors of 436 real-life samples and their victims in order to approximate the behavior missed by modern detection systems. Our experiments suggest that such solutions miss, on average, 56.3% of the behavior when measured strictly by the number of tracked system calls and 64% when measured by the number of SIGMA rules matched.
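The measurement the abstract describes, as an added illustration that is not the thesis framework: a constructed system-call trace from an injecting sample and its benign victim is matched against a handful of cut-down SIGMA-style rules, and the two gap figures (share of system calls, share of matched rules) are computed for an analysis that looks only at the injector. The rules, the trace, the PIDs and the `Event` record type are all assumptions made for this example; real SIGMA rules carry many more modifiers and a full condition grammar than the equality, `contains` and `endswith` handled here.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One traced system call with the arguments the tracer recorded (constructed shape)."""
    pid: int
    image: str
    syscall: str
    args: dict = field(default_factory=dict)


# Constructed rules in a cut-down SIGMA shape: a title plus a 'selection' map of
# "<field>" or "<field>|<modifier>" to an expected value or list of values.
# Only equality, 'contains' and 'endswith' are implemented, case-insensitively.
RULES = [
    {"title": "Remote thread creation",
     "selection": {"syscall": "NtCreateThreadEx"}},
    {"title": "Cross-process memory write",
     "selection": {"syscall": "NtWriteVirtualMemory"}},
    {"title": "PowerShell spawned with encoded command",
     "selection": {"syscall": "NtCreateUserProcess",
                   "CommandLine|contains": ["-enc", "-encodedcommand"]}},
    {"title": "Run-key persistence",
     "selection": {"syscall": "NtSetValueKey",
                   "KeyPath|contains": "\\CurrentVersion\\Run"}},
    {"title": "Executable dropped to Temp",
     "selection": {"syscall": "NtCreateFile",
                   "FileName|contains": "\\Temp\\",
                   "FileName|endswith": ".exe"}},
]


def _value(event, name):
    """Resolve a rule field name against the event record."""
    if name == "syscall":
        return event.syscall
    if name == "Image":
        return event.image
    return event.args.get(name)


def _matches_field(actual, modifier, expected):
    """A list of expected values is an OR, as in SIGMA selections."""
    if actual is None:
        return False
    wanted = expected if isinstance(expected, list) else [expected]
    a = str(actual).lower()
    for w in (str(w).lower() for w in wanted):
        if modifier is None and a == w:
            return True
        if modifier == "contains" and w in a:
            return True
        if modifier == "endswith" and a.endswith(w):
            return True
    return False


def rule_matches(rule, event):
    """All selection fields must match (the implicit AND inside a SIGMA selection)."""
    for key, expected in rule["selection"].items():
        name, _, modifier = key.partition("|")
        if not _matches_field(_value(event, name), modifier or None, expected):
            return False
    return True


def matched_rules(events):
    return {r["title"] for e in events for r in RULES if rule_matches(r, e)}


def coverage_gap(events, injector_pid):
    """Share of behaviour an injector-only analysis misses, by syscalls and by rules."""
    inj = [e for e in events if e.pid == injector_pid]
    vic = [e for e in events if e.pid != injector_pid]
    rules_inj, rules_vic = matched_rules(inj), matched_rules(vic)
    all_rules = rules_inj | rules_vic
    victim_only = rules_vic - rules_inj
    return {
        "syscalls_total": len(events),
        "syscalls_missed": len(vic),
        "missed_syscall_fraction": len(vic) / len(events) if events else 0.0,
        "rules_injector": rules_inj,
        "rules_victim_only": victim_only,
        "missed_rule_fraction": len(victim_only) / len(all_rules) if all_rules else 0.0,
    }


# Constructed trace: a sample injects into explorer.exe, and every post-injection
# action (drop, persistence, PowerShell, C2 connect) happens in the victim.
INJECTOR, VICTIM = 1000, 2000
SAMPLE, HOST = "C:\\Users\\u\\sample.exe", "C:\\Windows\\explorer.exe"
TRACE = [
    Event(INJECTOR, SAMPLE, "NtOpenProcess", {"TargetPid": VICTIM}),
    Event(INJECTOR, SAMPLE, "NtAllocateVirtualMemory", {"TargetPid": VICTIM}),
    Event(INJECTOR, SAMPLE, "NtWriteVirtualMemory", {"TargetPid": VICTIM}),
    Event(INJECTOR, SAMPLE, "NtCreateThreadEx", {"TargetPid": VICTIM}),
    Event(VICTIM, HOST, "NtCreateFile",
          {"FileName": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"}),
    Event(VICTIM, HOST, "NtSetValueKey",
          {"KeyPath": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "ValueName": "upd"}),
    Event(VICTIM, HOST, "NtCreateUserProcess",
          {"CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    Event(VICTIM, HOST, "NtDeviceIoControlFile",
          {"Operation": "connect", "RemoteAddress": "203.0.113.10:443"}),
]

if __name__ == "__main__":
    gap = coverage_gap(TRACE, INJECTOR)
    print(f"syscalls missed: {gap['syscalls_missed']}/{gap['syscalls_total']} "
          f"({gap['missed_syscall_fraction']:.0%})")
    print(f"rules seen in injector only: {sorted(gap['rules_injector'])}")
    print(f"rules visible only in victim: {sorted(gap['rules_victim_only'])} "
          f"({gap['missed_rule_fraction']:.0%} of all matched rules)")
```

On this constructed trace the injector-only view sees the two injection primitives and nothing else: half of the system calls and three of the five matched rules (the dropped executable, the Run-key persistence and the encoded PowerShell launch) are only visible in the victim, which is the kind of gap the thesis quantifies over real samples. The C2 connect event matches no rule here, which mirrors a second source of under-counting: behaviour that no rule describes is missed regardless of which process is traced.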