惡意程式隨著攻擊手法不斷演進,逐漸從檔案類型惡意程式演變為搭配無檔案攻擊技術的惡意程式,為了防禦惡意程式攻擊,傳統防毒軟體大多是屬於檔案類型的掃描技術,透過資料庫中的特徵碼偵測檔案類型惡意程式,但無法有效應對無檔案惡意程式攻擊,例如Windows Office文件的巨集功能所提供的腳本指令,或使用Microsoft PowerShell系統管理工具,將惡意程式直接載入到記憶體執行,而不會將惡意程式以檔案形式存放在儲存裝置中,藉此躲避防毒軟體偵測,同時減少留在目標裝置中的足跡,而增加調查攻擊手法的困難度。因此我們提出一套基於Antimalware Scan Interface Provider的檢測機制APJudge,當PowerShell執行腳本指令載入惡意程式內容時,會攔截其內容並進行檢測,再依據檢測結果判斷是否為惡意程式,並終止惡意程式的執行,藉此防止無檔案惡意攻擊的威脅。;With the continuous evolution of attack techniques, malware has gradually evolved from file-based malware to fileless attacks. To defend against fileless malware, traditional antivirus software is generally file-based scanning techniques to detect file-based malware. However, they usually can’t effectively deal with fileless malware attacks, such as scripts in the macro of Windows Office documents, or the system administrator tool Microsoft PowerShell. Those attacks can execute malware in memory directly without the need to store the malware in a filesystem. Evade detection by antivirus software, and reduce the trace left on the target device to increase the difficulty of investigating fileless attacks. Therefore, we propose a detection mechanism APJudge based on Antimalware Scan Interface Provider. When PowerShell executes scripts to load malicious contents, it will intercept the contents and distinguish them between benign and malicious according to the detection result. Finally terminate the malicious process to prevent the threat of fileless malicious attacks.