Anti-virus software is an important part of protecting information security: it can effectively detect and delete malicious programs. Most traditional anti-virus software relies on static, signature-based analysis to detect viruses. Against new types of attack, however, static analysis alone offers no protection. A traditional attack first writes the malware file to disk and then executes it to carry out its malicious behavior. Fileless malware is not as easily detected as traditional malware. Attackers use various techniques to hide the malicious program so that it does not need to be written to disk first and can instead execute directly in memory, evading anti-virus detection. In this paper we therefore propose a checking mechanism named Check-on-Execute (COE). When a program is about to execute a piece of code in a writable and executable memory region, or an in-memory-only file, COE suspends this unchecked execution and inspects the code. It then decides, based on the result of the check, whether to allow execution, preventing the system from being attacked by fileless malware.
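The two trigger conditions named in the abstract, shown as an added example that is not code from the paper and not COE's implementation: it selects the memory regions that would need inspection before execution. It assumes a Linux process whose mappings are in `/proc/<pid>/maps` format and that in-memory-only files appear as `/memfd:` mappings; the sample data and all names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in Linux /proc/<pid>/maps format (not taken from the paper).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r-xp 00000000 08:01 1311 /usr/bin/cat
55d0c8c21000-55d0c8c22000 rw-p 00021000 08:01 1311 /usr/bin/cat
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a2c000000-7f3a2c004000 r-xp 00000000 00:01 2049 /memfd:payload (deleted)
7f3a2d000000-7f3a2d002000 rw-p 00000000 00:01 2050 /memfd:data (deleted)
7ffd4b1e0000-7ffd4b201000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+\S+\s+\S+\s+\d+\s*(.*)$"
)

@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str

def regions_needing_check(maps_text):
    """Return executable regions that match either trigger condition."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        perms, path = m.group(3), m.group(4).strip()
        if "x" not in perms:
            continue  # non-executable memory cannot run code directly
        if "w" in perms:
            reason = "writable+executable"
        elif path.startswith("/memfd:"):  # assumption: memfd-backed mapping
            reason = "in-memory-only file"
        else:
            continue  # executable, not writable, backed by an on-disk file
        findings.append(Finding(start, end, perms, path, reason))
    return findings

if __name__ == "__main__":
    for f in regions_needing_check(SAMPLE_MAPS):
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {f.path or '[anon]'}: {f.reason}")
```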