Title :
Detection of DLL Inserted by Windows Malicious Code
Author :
Jang, Moonsu ; Kim, Hongchul ; Yun, Youngtae
Author_Institution :
Electron. & Telecommun. Res. Inst., Daejeon
Abstract :
As hacking of individual PCs and games for economic gain has increased rapidly in recent years, malicious code attacking Windows systems has become common. Techniques that insert a DLL into the memory of a target process are widely used to give malicious code a covert channel, to bypass security systems, and to obtain specific information. This paper presents a technique for judging whether a DLL inserted into the memory area of a target process is malicious. To identify DLLs injected into a process on a hacked system, we extract the explicitly loaded DLLs in two steps: analyzing the imported DLLs using the PE format, and then obtaining the DLLs that are loaded in the process. Finally, we describe techniques for judging whether a DLL obtained this way is malicious, using characteristics of DLLs made by Microsoft. We have used this technique in the analysis of damaged systems to identify malicious DLLs or to narrow the scope of the investigation.
Keywords :
computer crime; DLL; game hacking; individual PC hacking; windows malicious code; Computer crime; Computer hacking; Image analysis; Information security; Information technology; Manufacturing processes; Operating systems; Remote monitoring; Watches; Yarn;
Conference_Title :
Convergence Information Technology, 2007. International Conference on
Conference_Location :
Gyeongju
Print_ISBN :
0-7695-3038-9
DOI :
10.1109/ICCIT.2007.320