Membrane: A Posteriori Detection of Malicious Code Loading by Memory Paging Analysis

  • Gábor PékEmail author
  • Zsombor Lázár
  • Zoltán Várnagy
  • Márk Félegyházi
  • Levente Buttyán
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


In this paper, we design and implement Membrane, a memory forensics tool to detect code loading behavior by stealthy malware. Instead of trying to detect the code loading itself, we focus on the changes it causes on the memory paging of the Windows operating system. As our method focuses on the anomalies caused by code loading, we are able to detect a wide range of code loading techniques. Our results indicate that we can detect code loading malware behavior with 86–98 % success in most cases, including advanced targeted attacks. Our method is generic enough and hence could significantly raise the bar for attackers to remain stealthy and persist for an extended period of time.


Code loading Memory paging Windows Memory forensics 


  1. 1.
    AlienVault. Batchwiper: Just another wiping malware. Accessed 13 Nov 2014
  2. 2.
    Bencsáth, B., Pék, G., Buttyán, L., Felegyhazi, M.: The cousins of stuxnet: duqu, flame, and gauss. Future Internet 4(4), 971–1003 (2012)CrossRefGoogle Scholar
  3. 3.
    CERT.PL. More human than human - Flame’s code injection techniques. Accessed 13 Nov 2014
  4. 4.
    Hand, S., Lin, Z., Gu, G., Thuraisingham, B.: The vad tree: a process-eye view of physical memory. Digit. Invest. 4, 62–64 (2007)CrossRefGoogle Scholar
  5. 5.
    Idika, N., Mathur, A.P.: A survey of malware detection techniques. Technical report, Purdue University (2007)Google Scholar
  6. 6.
    INetSim. Accessed 10 Nov 2014
  7. 7.
    Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through vmm-based “out-of-the-box” semantic view reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2007, pp. 128–138. ACM, New York (2007)Google Scholar
  8. 8.
    Kornblum, J.D.: Using every part of the buffalo in windows memory analysis. Digit. Invest. 4(1), 24–29 (2007)CrossRefGoogle Scholar
  9. 9.
    Kreibich, C., Weaver, N., Kanich, C., Cui, W., Paxson, V.: Gq: practical containment for measuring modern malware systems. In: Proceedings of the 2011 ACM SIGCOMM Internet Measurement Conference (IMC), pp. 397–412. ACM (2011)Google Scholar
  10. 10.
    Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference, December 2014 (to appear)Google Scholar
  11. 11.
    Mandiant. APT1: Exposing One of China’s Cyber Espionage Units (2013).
  12. 12.
    Pék, G.: New methods for detecting malware infections and new attacks against hardware virtualization. Ph.D. thesis, Budapest University of Technology and Economics (2015)Google Scholar
  13. 13.
    Petroni Jr., N.L., Fraser, T., Walters, A., Arbaugh, W.A.: An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: Proceedings of the 15th Conference on USENIX Security Symposium, USENIX-SS 2006, vol. 15. USENIX Association, Berkeley (2006)Google Scholar
  14. 14.
    ReactOS. A free open source operating system based on the best design principles found in the Windows NT architecture. Accessed 8 Nov 2014
  15. 15.
    Rossow, C., Dietrich, C.J., Grier, C., Kreibich, C., Paxson, V., Pohlmann, N., Bos, H., Van Steen, M.: Prudent practices for designing malware experiments: status quo and outlook. In: 2012 IEEE Symposium on Security and Privacy, pp. 65–79. IEEE (2012)Google Scholar
  16. 16.
    Russinovich, M., Solomon, D.A., Ionescu, A.: Windows Internals, 6th ed. Microsoft Press (2012)Google Scholar
  17. 17.
    Srivastava, A., Giffin, J.: Automatic discovery of parasitic malware. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 97–117. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Volatility. The Volatility Framework. Accessed 13 Nov 2014
  19. 19.
    White, A., Schatz, B., Foo, E.: Integrity verification of user space code. Digit. Invest. 10, 59–S68 (2013)CrossRefGoogle Scholar
  20. 20.
    Willems, C.: Internals of windows memory management (not only) for malware analysis. Technical report, Ruhr Universität Bochum (2011)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Gábor Pék
    • 1
    Email author
  • Zsombor Lázár
    • 1
  • Zoltán Várnagy
    • 1
  • Márk Félegyházi
    • 1
  • Levente Buttyán
    • 1
  1. 1.CrySyS LabBudapest University of Technology and EconomicsBudapestHungary

Personalised recommendations