{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T03:24:42Z","timestamp":1768447482310,"version":"3.49.0"},"publisher-location":"Cham","reference-count":61,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031649530","type":"print"},{"value":"9783031649547","type":"electronic"}],"license":[{"start":{"date-parts":[[2024,10,15]],"date-time":"2024-10-15T00:00:00Z","timestamp":1728950400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,10,15]],"date-time":"2024-10-15T00:00:00Z","timestamp":1728950400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-031-64954-7_25","type":"book-chapter","created":{"date-parts":[[2024,10,14]],"date-time":"2024-10-14T10:02:17Z","timestamp":1728900137000},"page":"490-514","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Understanding and\u00a0Measuring Inter-process Code Injection in\u00a0Windows Malware"],"prefix":"10.1007","author":[{"given":"Jerre","family":"Starink","sequence":"first","affiliation":[]},{"given":"Marieke","family":"Huisman","sequence":"additional","affiliation":[]},{"given":"Andreas","family":"Peter","sequence":"additional","affiliation":[]},{"given":"Andrea","family":"Continella","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,10,15]]},"reference":[{"key":"25_CR1","unstructured":"ANY.RUN - Interactive Malware Hunting Service (2022). https:\/\/any.run\/"},{"key":"25_CR2","unstructured":"CAPE Sandbox (2022). 
https:\/\/capesandbox.com\/"},{"key":"25_CR3","unstructured":"Cuckoo Sandbox (2022). https:\/\/cuckoosandbox.org\/"},{"key":"25_CR4","unstructured":"Joe Sandbox - Deep Malware Analysis (2022). https:\/\/www.joesandbox.com\/"},{"key":"25_CR5","unstructured":"User Account Control (2022). https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/user-account-control\/user-account-control-overview"},{"key":"25_CR6","doi-asserted-by":"crossref","unstructured":"Aghakhani, H., et al.: When malware is packin\u2019 heat; limits of machine learning classifiers based on static analysis features. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) (2020)","DOI":"10.14722\/ndss.2020.24310"},{"key":"25_CR7","unstructured":"Alrawi, O., et al.: Forecasting malware capabilities from cyber attack memory images. In: Proceedings of the USENIX Security Symposium (2021)"},{"key":"25_CR8","unstructured":"AVTest: Malware Statistics & Trends Report (2021). https:\/\/www.av-test.org\/en\/statistics\/malware\/"},{"key":"25_CR9","doi-asserted-by":"crossref","unstructured":"Barabosch, T., Bergmann, N., Dombeck, A., Padilla, E.: Quincy: detecting host-based code injection attacks in memory dumps. In: Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) (2017)","DOI":"10.1007\/978-3-319-60876-1_10"},{"key":"25_CR10","doi-asserted-by":"crossref","unstructured":"Barabosch, T., Eschweiler, S., Gerhards-Padilla, E.: Bee master: detecting host-based code injection attacks. In: Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) (2014)","DOI":"10.1007\/978-3-319-08509-8_13"},{"key":"25_CR11","doi-asserted-by":"crossref","unstructured":"Barabosch, T., Gerhards-Padilla, E.: Host-based code injection attacks: a popular technique used by malware. 
In: Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE) (2014)","DOI":"10.1109\/MALWARE.2014.6999410"},{"key":"25_CR12","doi-asserted-by":"crossref","unstructured":"Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. J. Comput. Virol. (2006)","DOI":"10.1007\/s11416-006-0012-2"},{"key":"25_CR13","doi-asserted-by":"crossref","unstructured":"Biondi, F., Given-Wilson, T., Legay, A., Puodzius, C., Quilbeuf, J.: Tutorial: an overview of malware detection and evasion techniques. In: Proceedings of the International Symposium on Leveraging Applications of Formal Methods (2018)","DOI":"10.1007\/978-3-030-03418-4_34"},{"key":"25_CR14","doi-asserted-by":"crossref","unstructured":"Borello, J.M., M\u00e9, L.: Code Obfuscation Techniques for Metamorphic Viruses. J. Comput. Virol. (2008)","DOI":"10.1007\/s11416-008-0084-2"},{"issue":"4","key":"25_CR15","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1007\/s11416-019-00333-y","volume":"15","author":"M Botacin","year":"2019","unstructured":"Botacin, M., de Geus, P.L., Gr\u00e9gio, A.: \u201cVANILLA\" malware: vanishing antiviruses by interleaving layers and layers of attacks. J. Comput. Virol. Hacking Techn. 15(4), 233\u2013247 (2019)","journal-title":"J. Comput. Virol. Hacking Techn."},{"key":"25_CR16","doi-asserted-by":"crossref","unstructured":"Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: Proceedings of the Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on The Foundations of Software Engineering. Association for Computing Machinery (2007)","DOI":"10.1145\/1287624.1287628"},{"key":"25_CR17","doi-asserted-by":"crossref","unstructured":"de la Cuadra, F.: The geneology of malware. Network Security (2007)","DOI":"10.1016\/S1353-4858(07)70047-8"},{"key":"25_CR18","unstructured":"Lukan, D.: Using CreateRemoteThread for DLL Injection on Windows (2013). 
https:\/\/resources.infosecinstitute.com\/topic\/using-createremotethread-for-dll-injection-on-windows\/"},{"key":"25_CR19","unstructured":"Lukan, D.: Using SetWindowsHookEx for DLL Injection on Windows (2013). https:\/\/resources.infosecinstitute.com\/topic\/using-setwindowshookex-for-dll-injection-on-windows\/"},{"key":"25_CR20","doi-asserted-by":"crossref","unstructured":"Du, M., Hu, W., Hewlett, W.: AutoCombo: automatic malware signature generation through combination rule mining. In: Proceedings of the ACM International Conference on Information & Knowledge Management (2021)","DOI":"10.1145\/3459637.3481896"},{"key":"25_CR21","unstructured":"Elastic Security: Hunting In Memory (2019). https:\/\/www.elastic.co\/blog\/hunting-memory"},{"key":"25_CR22","unstructured":"F-Secure: Hunting for Application Shim Databases (2018). https:\/\/blog.f-secure.com\/hunting-for-application-shim-databases\/"},{"key":"25_CR23","unstructured":"Falliere, N., Murchu, L.O., Chien, E.: W32.Stuxnet dossier. White paper, Symantec Corp., Security Response (2011)"},{"key":"25_CR24","doi-asserted-by":"crossref","unstructured":"Galloro, N., Polino, M., Carminati, M., Continella, A., Zanero, S.: A systematical and longitudinal study of evasive behaviors in windows malware. Comput. Secur. (2021)","DOI":"10.1016\/j.cose.2021.102550"},{"key":"25_CR25","doi-asserted-by":"crossref","unstructured":"Griffin, K., Schneider, S., Hu, X., Chiueh, T.c.: Automatic generation of string signatures for malware detection. In: Proceedings of the International Workshop on Recent Advances in Intrusion Detection (RAID) (2009)","DOI":"10.1007\/978-3-642-04342-0_6"},{"key":"25_CR26","unstructured":"Hasherezade: PE-Sieve (2018). 
https:\/\/github.com\/hasherezade\/pe-sieve"},{"key":"25_CR27","unstructured":"Intel: Intel 64 and IA-32 Architectures Software Developer\u2019s Manual, Volume 2 (2A, 2B, 2C & 2D): Instruction Set Reference, A-Z (2022)"},{"key":"25_CR28","unstructured":"iRed.team: Import Adress Table (IAT) Hooking (2020). https:\/\/www.ired.team\/offensive-security\/code-injection-process-injection\/import-adress-table-iat-hooking"},{"key":"25_CR29","unstructured":"Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: Proceedings of the USENIX Security Symposium (2016)"},{"key":"25_CR30","doi-asserted-by":"crossref","unstructured":"Korczynski, D., Yin, H.: Capturing malware propagations with code injections and code-reuse attacks. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS) (2017)","DOI":"10.1145\/3133956.3134099"},{"key":"25_CR31","doi-asserted-by":"crossref","unstructured":"K\u00fcchler, A., Mantovani, A., Han, Y., Bilge, L., Balzarotti, D.: Does every second count? time-based evolution of malware behavior in sandboxes. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) (2021)","DOI":"10.14722\/ndss.2021.24475"},{"key":"25_CR32","doi-asserted-by":"crossref","unstructured":"Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the drakvuf dynamic malware analysis system. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC) (2014)","DOI":"10.1145\/2664243.2664252"},{"key":"25_CR33","doi-asserted-by":"crossref","unstructured":"Ma, W., Duan, P., Liu, S., Gu, G., Liu, J.C.: Shadow attacks: automatically evading system-call-behavior based malware detection. J. Comput. 
Virol.(2012)","DOI":"10.1007\/s11416-011-0157-5"},{"key":"25_CR34","doi-asserted-by":"crossref","unstructured":"Mantovani, A., Aonzo, S., Ugarte-Pedrero, X., Merlo, A., Balzarotti, D.: Prevalence and impact of low-entropy packing schemes in the malware ecosystem. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) (2020)","DOI":"10.14722\/ndss.2020.24297"},{"key":"25_CR35","unstructured":"Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C.: A layered architecture for detecting malicious behaviors. In: Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID) (2008)"},{"key":"25_CR36","unstructured":"Microsoft: Understanding Shims (2012). https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-7\/dd837644(v=ws.10)"},{"key":"25_CR37","unstructured":"MITRE ATT&CK: Process Injection: Thread Execution Hijacking. https:\/\/attack.mitre.org\/techniques\/T1055\/011\/ (0220)"},{"key":"25_CR38","unstructured":"MITRE ATT&CK: Process Injection: Asynchronous Procedure Call (2020). https:\/\/attack.mitre.org\/techniques\/T1055\/004\/"},{"key":"25_CR39","unstructured":"MITRE ATT&CK: Event Triggered Execution: AppCert DLLs (2020). https:\/\/attack.mitre.org\/techniques\/T1546\/009\/"},{"key":"25_CR40","unstructured":"MITRE ATT&CK: Event Triggered Execution: AppInit DLLs (2020). https:\/\/attack.mitre.org\/techniques\/T1546\/010\/"},{"key":"25_CR41","unstructured":"MITRE ATT&CK: Event Triggered Execution: Component Object Model Hijacking (2020). https:\/\/attack.mitre.org\/techniques\/T1546\/015\/"},{"key":"25_CR42","unstructured":"MITRE ATT&CK: Process Injection: Dynamic-link Library Injection (2020). https:\/\/attack.mitre.org\/techniques\/T1055\/001\/"},{"key":"25_CR43","unstructured":"MITRE ATT&CK: Process Injection: Extra Window Memory Injection (2020). 
https:\/\/attack.mitre.org\/techniques\/T1055\/011\/"},{"key":"25_CR44","unstructured":"MITRE ATT&CK: Process Injection: Process Hollowing (2020). https:\/\/attack.mitre.org\/techniques\/T1055\/012\/"},{"key":"25_CR45","doi-asserted-by":"crossref","unstructured":"Murata, T.: Petri nets: properties, analysis and applications. In: Proceedings of the IEEE (1989)","DOI":"10.1109\/5.24143"},{"key":"25_CR46","doi-asserted-by":"crossref","unstructured":"Olaimat, M.N., Aizaini\u00a0Maarof, M., Al-rimy, B.A.S.: Ransomware anti-analysis and evasion techniques: a survey and research directions. In: Proceedings of the International Cyber Resilience Conference (CRC) (2021)","DOI":"10.1109\/CRC50527.2021.9392529"},{"key":"25_CR47","unstructured":"Pavithran, J., Patnaik, M., Rebeiro, C.: D-TIME: distributed threadless independent malware execution for runtime obfuscation. In: Proceedings of the USENIX Workshop on Offensive Technologies (WOOT 19) (2019)"},{"key":"25_CR48","unstructured":"Arntz, P.: An Introduction to Image File Execution Options (2015). https:\/\/blog.malwarebytes.com\/101\/2015\/12\/an-introduction-to-image-file-execution-options\/"},{"key":"25_CR49","unstructured":"Polska, C.: More human than human - Flame\u2019s code injection techniques (2014)"},{"key":"25_CR50","doi-asserted-by":"crossref","unstructured":"Quarta, D., Salvioni, F., Continella, A., Zanero, S.: Toward systematically exploring antivirus engines. In: Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA) (2018)","DOI":"10.1007\/978-3-319-93411-2_18"},{"key":"25_CR51","doi-asserted-by":"crossref","unstructured":"Rossow, C., et al.: Prudent practices for designing malware experiments: status quo and outlook. In: Proceedings of the IEEE Symposium on Security & Privacy (S&P) (2012)","DOI":"10.1109\/SP.2012.14"},{"key":"25_CR52","doi-asserted-by":"crossref","unstructured":"Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 
3(1) (2000)","DOI":"10.1145\/353323.353382"},{"key":"25_CR53","doi-asserted-by":"crossref","unstructured":"Sebasti\u00e1n, M., Rivera, R., Kotzias, P., Caballero, J.: Avclass: a tool for massive malware labeling. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses (RAID). Cham (2016)","DOI":"10.1007\/978-3-319-45719-2_11"},{"key":"25_CR54","unstructured":"Sevagas: PE Injection Explained (2014). https:\/\/blog.sevagas.com\/PE-injection-explained"},{"key":"25_CR55","unstructured":"Statcounter: Desktop Operating System Market Share Worldwide (2021). https:\/\/gs.statcounter.com\/os-market-share\/desktop\/worldwide\/"},{"key":"25_CR56","unstructured":"Alvarez, V.M.: YARA (2021). http:\/\/virustotal.github.io\/yara\/"},{"key":"25_CR57","unstructured":"VirusTotal: VirusTotal Malware Academic Dataset (2021). https:\/\/www.virustotal.com\/"},{"key":"25_CR58","doi-asserted-by":"crossref","unstructured":"Wang, Q., et\u00a0al.: You are what you do: hunting stealthy malware via data provenance analysis. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) (2020)","DOI":"10.14722\/ndss.2020.24167"},{"key":"25_CR59","doi-asserted-by":"crossref","unstructured":"White, A., Schatz, B., Foo, E.: Integrity verification of user space code. In: Proceedings of the Thirteenth Annual DFRWS Conference (2013)","DOI":"10.1016\/j.diin.2013.06.007"},{"key":"25_CR60","unstructured":"Wyke, J.: The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain. Sophos Technical Paper (2012)"},{"key":"25_CR61","unstructured":"Zhu, S., et al.: Measuring and modeling the label dynamics of online anti-malware engines. 
In: Proceedings of the USENIX Security Symposium (2020)"}],"container-title":["Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering","Security and Privacy in Communication Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-64954-7_25","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,10,14]],"date-time":"2024-10-14T10:09:42Z","timestamp":1728900582000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-64954-7_25"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,15]]},"ISBN":["9783031649530","9783031649547"],"references-count":61,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-64954-7_25","relation":{},"ISSN":["1867-8211","1867-822X"],"issn-type":[{"value":"1867-8211","type":"print"},{"value":"1867-822X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,10,15]]},"assertion":[{"value":"15 October 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SecureComm","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Security and Privacy in Communication Systems","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Hong Kong","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference 
Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19 October 2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"21 October 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"securecomm2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/securecomm.eai-conferences.org\/2023\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Confy +","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"180","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"50","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the 
conference organizers)"}},{"value":"28% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}