Shellcoding: Hunting for Kernel32 Base Address

Tarek Ahmed; Shengjie Xu

doi:10.1109/INFOCOMWKSHPS54753.2022.9798057

Shellcoding: Hunting for Kernel32 Base Address

Tarek Ahmed
, Shengjie Xu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Kernel32 is one of the most used dynamic link libraries (DLLs) for application programming interface (API) calls on the Microsoft Windows operating system. Each DLL file contains many functions, and each function has its own memory address once loaded in memory. The API memory address is essential for any API call. In the past, the memory address for each API was fixed to a specific hex value. If an attacker was able to obtain these API addresses on one operating system, it could be used on any other Windows operating system as well. In this paper, we examine two existing methods and propose two novel methods to find kernel32 base address. The objective is to optimally combine all the methods to increase the detection rate of unknown malware, and perform experimental evaluation for malware detection in next-generation communication networks.

Original language	English (US)
Title of host publication	INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781665409261
DOIs	https://doi.org/10.1109/INFOCOMWKSHPS54753.2022.9798057
State	Published - 2022
Externally published	Yes
Event	2022 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2022 - Virtual, Online, United States Duration: May 2 2022 → May 5 2022

Publication series

Name	INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops

Conference

Conference	2022 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2022
Country/Territory	United States
City	Virtual, Online
Period	5/2/22 → 5/5/22

ASJC Scopus subject areas

Artificial Intelligence
Computer Networks and Communications
Information Systems
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/INFOCOMWKSHPS54753.2022.9798057

Cite this

Shellcoding: Hunting for Kernel32 Base Address. / Ahmed, Tarek; Xu, Shengjie.
INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops. Institute of Electrical and Electronics Engineers Inc., 2022. (INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ahmed, T & Xu, S 2022, Shellcoding: Hunting for Kernel32 Base Address. in INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops. INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops, Institute of Electrical and Electronics Engineers Inc., 2022 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2022, Virtual, Online, United States, 5/2/22. https://doi.org/10.1109/INFOCOMWKSHPS54753.2022.9798057

@inproceedings{874d234ba3b9466fa91a85a27314fc29,

title = "Shellcoding: Hunting for Kernel32 Base Address",

abstract = "Kernel32 is one of the most used dynamic link libraries (DLLs) for application programming interface (API) calls on the Microsoft Windows operating system. Each DLL file contains many functions, and each function has its own memory address once loaded in memory. The API memory address is essential for any API call. In the past, the memory address for each API was fixed to a specific hex value. If an attacker was able to obtain these API addresses on one operating system, it could be used on any other Windows operating system as well. In this paper, we examine two existing methods and propose two novel methods to find kernel32 base address. The objective is to optimally combine all the methods to increase the detection rate of unknown malware, and perform experimental evaluation for malware detection in next-generation communication networks.",

author = "Tarek Ahmed and Shengjie Xu",

note = "Publisher Copyright: {\textcopyright} 2022 IEEE.; 2022 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2022 ; Conference date: 02-05-2022 Through 05-05-2022",

year = "2022",

doi = "10.1109/INFOCOMWKSHPS54753.2022.9798057",

language = "English (US)",

series = "INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops",

}

TY - GEN

T1 - Shellcoding

T2 - 2022 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2022

AU - Ahmed, Tarek

AU - Xu, Shengjie

PY - 2022

Y1 - 2022

N2 - Kernel32 is one of the most used dynamic link libraries (DLLs) for application programming interface (API) calls on the Microsoft Windows operating system. Each DLL file contains many functions, and each function has its own memory address once loaded in memory. The API memory address is essential for any API call. In the past, the memory address for each API was fixed to a specific hex value. If an attacker was able to obtain these API addresses on one operating system, it could be used on any other Windows operating system as well. In this paper, we examine two existing methods and propose two novel methods to find kernel32 base address. The objective is to optimally combine all the methods to increase the detection rate of unknown malware, and perform experimental evaluation for malware detection in next-generation communication networks.

AB - Kernel32 is one of the most used dynamic link libraries (DLLs) for application programming interface (API) calls on the Microsoft Windows operating system. Each DLL file contains many functions, and each function has its own memory address once loaded in memory. The API memory address is essential for any API call. In the past, the memory address for each API was fixed to a specific hex value. If an attacker was able to obtain these API addresses on one operating system, it could be used on any other Windows operating system as well. In this paper, we examine two existing methods and propose two novel methods to find kernel32 base address. The objective is to optimally combine all the methods to increase the detection rate of unknown malware, and perform experimental evaluation for malware detection in next-generation communication networks.

UR - https://www.scopus.com/pages/publications/85133919088

UR - https://www.scopus.com/pages/publications/85133919088#tab=citedBy

U2 - 10.1109/INFOCOMWKSHPS54753.2022.9798057

DO - 10.1109/INFOCOMWKSHPS54753.2022.9798057

M3 - Conference contribution

AN - SCOPUS:85133919088

T3 - INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops

BT - INFOCOM WKSHPS 2022 - IEEE Conference on Computer Communications Workshops

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 2 May 2022 through 5 May 2022

ER -

Shellcoding: Hunting for Kernel32 Base Address

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this