Detecting the Code Injection by Hooking System Calls in Windows Kernel Mode

Abstract

In present Microsoft Windows operating system, there are unofficial approaches to inject code into other running processes. We discuss the methods and corresponding potential threats in this paper. Malicious software may use these approaches to infect authorized processes to launch attacks inside the system even under the protection of antivirus and firewall software. After analyzing these runtime code injections, we proposed the mechanism – Detecting the Code Injection Engine (DCIE). DCIE is implemented as a loadable kernel-mode driver that is able to detect runtime code injections, and the maximal overhead caused by DCIE is less than 3.26%. The minor overhead makes DCIE suitable to be installed on Windows OS or combine with other software to increase system security.