KR101781780B1 - System and Method for detecting malicious websites fast based multi-server, multi browser - Google Patents

Abstract

The present invention relates to a network security technology, and more particularly, to an automated malicious web site detection system and method for automatically detecting a web site that propagates malicious code to collect information.
According to the present invention, according to the present invention, attackers propagate a large amount of malicious code by exploiting the openness of the Internet, and automatically detect a malicious web site using the domain and block malicious codes propagated from those sites. It is a system that provides URL (uniform resource locator) information. It can identify a malicious web site promoting an infringement action at a high speed and extract a malicious web site that propagates malicious code for a short period of time at a high speed.

Description

TECHNICAL FIELD [0001] The present invention relates to a multi-server, multi-browser based high-speed malicious website detection system and method,

The present invention relates to a network security technology, and more particularly, to an automated malicious web site detection system and method for automatically detecting a web site that propagates malicious code to collect information.

More particularly, the present invention relates to a malicious web site detection system and method for detecting malicious web pages that propagate malicious code, and automatically detecting and collecting malicious malicious URLs and waypoint sites that are propagated.

Attackers who spread malware use the Web to spread malware. It attacks a vulnerable Web site and injects a malicious script to infect a connected user's computer. These malicious codes include various forms of attack such as Ransomware, pharming, and malicious code propagation.

Thus, there are various ways to detect such malicious Web sites, such as static detection methods, machine learning based analysis, and low-interaction dynamic methods.

Particularly, the high-interaction dynamic method has a problem that the detection rate is high but the performance is low.

1. Korean Patent Laid-Open No. 10-2009-0111416 (titled as malicious site inspection method, malicious site information collection method, apparatus, system, and computer program recorded medium)

1. Kim Dae-Cheong et al., "Blocking Malicious Sites Based on Android Platform", Journal of the Korea Institute of Information Security and Technology, Vol.24, No. 3, June 2014 pp.499-505

The present invention has been proposed in order to solve the problem described in the background art. It is a technical system for quickly detecting malicious pages using a high-speed detection technology for a large number of candidate domains, classifies malicious pages from normal pages, , And a system and method for high-speed malicious website detection based on multiple browsers.

In addition, the present invention can be applied to an attacker who uses a domain and / or a URL (Uniform) to automatically detect a malicious web site using the openness of the Internet and to block malicious code propagated from the malicious web site, A system and method for detecting a malicious web site that can identify a malicious web site promoting an infringing action at a high speed and extract a malicious web site that propagates malicious code for a short period of time There is another purpose.

In particular, according to the present invention, a separate DLL file for monitoring a malicious behavior is generated without the code modification of the browser, and malicious behavior is monitored by injecting the DLL file for each of a plurality of browsers .

The technical problems of the present invention are not limited to the technical problems mentioned above, and other technical problems which are not mentioned can be understood by those skilled in the art from the following description.

In order to accomplish the above-mentioned object, the present invention provides a technical system for quickly detecting malicious pages using a high-speed detection technology for a large number of candidate domains, which classifies malicious pages from normal pages, Provides a malicious website detection system.

The multi-server, multi-browser based high-

A domain storage management module for managing and distributing domain information to be detected;

A browser loading module for collecting the domain information and accessing the domain information through actual multiple browsers;

A dynamic linking library (DLL) file injection module for monitoring malicious activity through the actual multiple browsers loaded;

An API hooking module for identifying and operating an application programming interface (API) function requested through multiple injected multiple browsers to monitor malicious activity in the injected DLL file;

A detection monitoring module for monitoring whether a specific monitoring target API defined in advance through the API hooking is requested and determining whether or not the file is a malicious file;

A detection information collection module for collecting log information by logging information of processes judged to be malicious;

A DB management module for storing and managing the log information in a database; And

And a dashboard and management module for visualizing the risk level of the malicious domain using the log information of the database.

In this case, the domain information may include a candidate domain and a URL (uniform resource locator).

In addition, the domain collection module stores a CONFIG file in a local directory. The CONFIG file includes a queue server and queue name information of interest, and the request information of the browser loading module, based on the queue server and queue name information, And distributing the domain information according to the domain information.

In addition, the API hook module monitors malicious activity occurring from malicious code hidden in a web page of a corresponding web site while the actual multiple browsers are loaded.

In addition, a specific address is code-patched for hooking the API, and the monitoring is performed by intercepting an API function requested by a malicious web page planted by an attacker for a specific malicious action by modifying the specific address . ≪ / RTI >

In addition, the detection and monitoring module judges maliciousness as a malicious behavior when a malicious action occurs, and the malicious action includes application loading, file creation, registry change, other network port opening, And execution of a command through a line (cmdline).

The detection information collection module may generate a local folder for collecting the log information, and collect information by time, action, file, and link.

In addition, the DB management module may manage the history of the log information in a TOP-DOWN manner by the generated process ID, and store log information generated by the process in a time-based manner .

In addition, the domain storage management module may register the candidate domain through the management page.

In addition, the detection and monitoring module determines whether a malicious action has occurred during a specific waiting time to determine whether the log information collected from the API hooking is malicious or not, and terminates the abnormal connection state of the connection candidate domain quickly A role can be provided.

In addition, the API hooking module 140 inserts API hooking information into the DLL file connected to the browser through DLL injection to monitor an operation of the malicious web page loaded into multiple real browsers, List. And hooking up the API for each of multiple real browsers loaded with the API hooking information and performing termination normally through dead hooking to terminate the API.

According to another embodiment of the present invention, there is provided a method for managing domain information, comprising: managing and distributing domain information to be detected by a domain storage management module; Performing a role of the browser loading module collecting the domain information and actually connecting the domain information by accessing through the multiple browsers; Injecting a malicious activity monitoring DLL file into the actual browser for an initial task for monitoring malicious activity through the actual multiple browsers loaded with a dynamic linking library (DLL) module; Performing API hooking for identifying and operating an API for monitoring malicious behavior in the DLL file in which an application programming interface (API) hooking module is injected; Monitoring whether the detection monitoring module requests the corresponding API through the API hooking and judging the malicious file according to whether a predetermined malicious file is detected; Collecting log information by logging information of processes judged to be malicious by the detection information collection module; Storing and managing the log information in the database by the DB management module; And a dashboard and a management module visualizing a risk level of a malicious domain using log information of the database. The multiserver and multi-browser based malicious web site detection method according to claim 1, .

According to the present invention, since attackers propagate a large amount of malicious code using the openness of the Internet, a domain and a URL (uniform resource locator) for automatically detecting a malicious web site using the malicious code, ) Information system, it is possible to quickly identify malicious websites promoting infringement behavior, and to extract malicious websites that spread malicious code for a short period of time at a high speed.

Also, as another effect of the present invention, currently existing websites risks in addition to free run (drive-by download) malware C & C (Command & Control is collected from various zero-day (zero-day) attacks files and those files that are generated by that ) Information at the same time, and can identify additional malicious information.

In addition, another advantage of the present invention is that the information can be provided to various heterogeneous systems, and can be applied to block and protect malicious websites.

1 is a block diagram of a high-speed malicious web page detection system 100 according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a process for detecting a high-speed malicious web page according to an exemplary embodiment of the present invention.
3 is a flowchart illustrating a process for monitoring malicious activity according to an embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The advantages and features of the present invention and the manner of achieving them will become apparent with reference to the embodiments described in detail below with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the invention to those skilled in the art. To fully disclose the scope of the invention to a person skilled in the art, and the invention is only defined by the scope of the claims. The dimensions and relative sizes of the components shown in the figures may be exaggerated for clarity of description.

Like reference numerals refer to like elements throughout the specification and " and / or " include each and every combination of one or more of the mentioned items.

The terminology used herein is for the purpose of illustrating embodiments and is not intended to be limiting of the present invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. As used herein, the terms "comprises" and / or "comprising" do not exclude the presence or addition of one or more other elements, steps, operations, and / or elements .

Although used to describe various components such as first, second, etc., it goes without saying that these components are not limited to these terms. These terms are used only to distinguish one component from another. Therefore, it goes without saying that the first component mentioned below may be the second component within the technical scope of the present invention.

Unless defined otherwise, all terms (including technical and scientific terms) used herein may be used in a sense commonly understood by one of ordinary skill in the art to which this invention belongs. Also, commonly used predefined terms are not ideally or excessively interpreted unless explicitly defined otherwise.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to the present embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout.

1 is a block diagram of a high-speed malicious web page detection system 100 according to an embodiment of the present invention. Referring to FIG. 1, in order to identify a malicious web page as described above, an identification value that can identify whether a web page is maliciously used is required. In an embodiment of the present invention, Define it as a web page. For each malicious web page, it is defined as a single malicious web page.

As will be described in detail later, a single malicious web page in the embodiment of the present invention means that one malicious web page among a plurality of web pages included in one candidate domain is used as a malicious web page, and actually one A malicious domain of a malicious web page may include malicious web pages having a plurality of malicious links and malicious web pages containing attack codes.

Most malicious domains reach malicious web pages with malicious redirect links embedded in the attack code. A link between a web page with these redirect links and a web page with malicious code may be a candidate domain used for initial landing, but most likely it is a different domain.

Referring to FIG. 1, a high-speed malicious web page detection system 100 according to an embodiment of the present invention includes a domain storage management module 110, a browser loading module 120, a DLL injection module 130, Module 140, a detection monitoring module 150, a detection information collection module 160, a DB management module 170, a dashboard and management module 180, and the like.

The domain storage management module 110 stores and manages domain information including a candidate domain and / or a URL (uniform resource locator), which is a candidate domain. To this end, the main storage management module 110 includes a candidate domain distribution queue (QUEUE) server 111 for managing and distributing domain information.

In other words, the domain storage management module 110 stores and distributes domain information (i.e., candidate domain) to the candidate domain queue server 111 having different queue names. The browser loading module 120 stores the domain information And distributes the domain according to the domain information collection request of the domain.

The high-speed malicious web page detection system 100 comprises a queue server and a detection system. In particular, a detection system has a plurality of virtual machines, and each virtual machine has a Windows operating system image having a vulnerable application version . This operating system can have windows XP, 7, 9, 10 and other windows environment images.

Each virtual image can have an image with the same operating system or different versions of the Windows image environment. The window image also refers to images with different versions of vulnerable application versions installed.

Each virtual machine image can have the same queue name or have different queue name servers. Since the high-speed malicious web page detection system 100 actually supports a multi-server multi-virtual image and a multi-browser environment, the queue name can be configured in various forms according to the number of servers and / or the operating environment.

Therefore, the domain collection module 110 has a CONFIG file in the local directory. The CONFIG file contains the queue server and the queue name information of interest, collects candidate domains based on the information, and generates a collection candidate group . Collection candidates can download multiple candidates at once or download one candidate each time they are requested.

Accordingly, the downloaded candidate domain may be different or the same for each virtual machine. If the virtual image is the same, the environment may include an operating system and an application of different environments. Generally, the downloaded candidate domain is stored in a local directory. At this time, the actual multiple browsers are sequentially loaded, and the candidate domains are read one by one and connected to the corresponding domain to browse. And is configured to simultaneously load a plurality of browsers.

The browser loading module 120 collects domain information from the candidate domain distribution queue server 111 and stores the collected domain information. To this end, the browser loading module 120 includes a domain collection module 121 for distributing the candidate domain of the domain information to a local directory, and a domain loading module 121 for accessing and loading the candidate domain of the domain information through a multi- And a loading module 122. Examples of actual multiple browsers include Chrome, Firefox, Internet Explorer, Safari, Web Browser, Hot Java, and Browser Engine.

The DLL (Dynamic Linking Library) injection module 130 injects a malicious behavior monitoring DLL file into an actual multi-browser for an initial operation for monitoring malicious activity through a real multi-browser. To this end, the DLL injection module 130 may include a DLL file injection module 131 for injecting a DLL file into an actual multiple browser. The malicious behavior monitoring DLL file can be malicious behavior monitoring module which is a software module.

The application programming interface (API) hooking module 140 monitors the malicious behavior monitoring DLL file to monitor various malicious behaviors generated from various malicious codes hidden in the web page of the corresponding web site while the actual multiple browsers are loaded. And to identify and operate the API for monitoring the behavior. To this end, the API hooking module 140 includes an API unhooking module 142 and an API hook module 141.

The API hook module 141 hooks various APIs to be monitored in the DLL file when the DLL file is injected and the actual multiple browsers are operated. For API hooking, a code address is patched to a specific address. By modifying this address, a malicious web page embedded by an attacker can intercept and monitor various API functions requested for a specific malicious behavior. This is called global API hooking.

The API unhook module 142 performs a function for restoring the state before the API hook by the API hook module 141, that is, for returning to the original form.

The detection monitoring module 150 monitors whether the malicious web page requests the corresponding API. In addition, the detection monitoring module 150 includes monitoring of hooking APIs for monitoring all information generated and generated by threads (threads) generated through a malicious web page, thereby judging a process judged to be malicious do.

In other words, when various kinds of malicious files defined in advance are detected after monitoring various information collected through API hooking, maliciousness is judged. In particular, various malicious programs such as Java, Flash, etc. are loaded, files are created, the registry is changed, a new network pod is opened, the connectivity of a pod that is not used well or the command via cmdline is executed When an action occurs, it is judged to be malicious by seeing the overall phenomenon.

When an ordinary user visits a web page containing malicious code, the malicious code checks the system environment of the accessing user (for example, Windows 7) and the vulnerable application version (vulnerable JAVA version, Flash version) The malicious code that operates on the user's system is operated.

At that time, malicious code is downloaded (drive-by downloads), then a small file (vbscript) is downloaded, and attack files are created in the user system, and various certificate information, personal information and malicious code are installed in the user system.

Also, modify the registry start entry, or create a new network to download the necessary files so that the malicious code acts as described above, so that the user system can operate even when rebooting, or execute commands in the user system through cmdline While creating and modifying files.

This kind of behavior is judged to be an abnormal behavior by monitoring the API function of the DLL file and monitoring the executed command. In general, the act of doing such a series of acts by not doing this is judged to be malicious.

It does not judge it as malicious by recognizing whether the normal file (iexplore.exe) of other window is loaded as normal file. It also monitors network information during the process of being requested and received through HTTP (hypertext transfer protocol) through send and recv of winsock to monitor malicious redirection information. The monitoring information includes and monitors the analysis information at the same time.

In addition, the API hooking module 140 inserts API hooking information into the DLL file connected to the browser through DLL injection to monitor an operation of the malicious web page loaded into multiple real browsers, And hooks up the API for each of the multiple real browsers in which the API hooking information is loaded and performs termination through dead hooking for termination.

The malicious web page detection system according to an exemplary embodiment of the present invention provides basic information for tracking various processes generated through an API request from a malicious web page.

Referring to FIG. 1, the detection information collection module 160 logs information of processes determined to be malicious and collects log information. In other words, the detection information collection module 160 collects all the information generated on the malicious web page determined by the detection and monitoring module 150 (that is, a malicious process), downloads and manages the source of the malicious web page .

In particular, the detection information collection module 160 generates a local folder to collect the log information, and collects information by time, action, file, and link. In particular, it contains various information detected through the detection monitoring module 150.

The DB management module 170 stores the collected log information. And may include a database 175 for this purpose. Of course, the database 175 may be configured to be connected to the server by configuring a database server in a separate space. 1, although the information to be stored is collected through the detection information collection module 160, the detection information collection module 160 generates the process ID (Identification) It stores the various information generated by the process in a time-based manner and transfers this information to the DB in a compressed form. The DB receives the information and decompresses it to DB .

The dashboard and management module 180 generates the result information using the collected log information in cooperation with the DB management module 170, and performs presentation of the result information. In addition, these results can be used to visualize the risk level of malicious domains. The visualization can be made of a combination of graphics, characters, and the like.

In addition, since all data processing is visualized and processed in the candidate domain, it shows the history of collected data. And the log information (file, web source information, etc.) can be inquired through the dashboard, and the candidate group domain is registered in the domain storage management module 110 through the management page It may contain a management page.

In this management page, if it is determined whether the candidate group is to be checked, only the determined candidate group domain and / or URL are registered in the domain storage management module 110.

Accordingly, the high-speed malicious website detection system 100 provides malicious web page information, malicious domain, and malicious URL information collected in various external security systems (i.e., the web server 190 and the like) It can be effectively used for malicious code attack by blocking it in security equipment.

FIG. 2 is a flowchart illustrating a process for detecting a high-speed malicious web page according to an exemplary embodiment of the present invention. 2, the domain storage management module 110 manages and distributes domain information to be detected, the browser loading module 120 collects the domain information, accesses the domain information through an actual multiple browser, loads the domain information (Steps S210, S211, S220).

Of course, at this time, a DLL (Dynamic Linking Library) file for malicious activity monitoring is injected into the actual browser for an initial task for monitoring the malicious behavior through the actual multiple browsers loaded with the DLL injection module 130 (step S231) .

In step S241, the API hooking module 140 performs API hooking to identify and operate an application programming interface (API) for monitoring malicious behavior in the injected DLL file.

Then, it is determined whether the waiting time, normal connection, and the like are normally performed (step S230). In other words, the detection monitoring module 150 determines whether the information collected from the API hooking is malicious or not. It waits for the occurrence of a malicious action during a specific waiting time and terminates the abnormal connection state of the connection candidate domain quickly Role.

As a result of the determination, if it is abnormal in step S230 or if the waiting time is exceeded, the browser is terminated and steps S211 to S230 are repeated (step S251).

Otherwise, if it is determined in step S230 that it is normal or does not exceed the waiting time, the detection monitoring module 150 determines whether or not the detection monitoring module 150 is malicious.

As a result of the determination, when it is determined to be malicious, information of processes determined to be malicious by the detection information collection module 160 is logged to collect log information, and the log information is stored in the database 175 via the DB management module 170 And is stored and managed.

The dashboard and management module 180 then visualizes the risk level of the malicious domain using the log information in the database.

On the other hand, if it is determined in step S240 that it is not malicious, steps S211 to S240 are repeatedly performed.

3 is a flowchart illustrating a process for monitoring malicious activity according to an embodiment of the present invention. 3, the domain storage management module 110 manages and distributes the domain information to be detected through the management page, the browser loading module 120 collects the domain information and accesses the domain information through the actual multiple browsers, And plays the role of loading domain information (steps S310, S320, S330). Of course, manual input is possible (step S311).

Of course, at this time, a DLL (Dynamic Linking Library) file for malicious activity monitoring is injected into the actual browser for an initial task for monitoring the malicious behavior through the actual multiple browsers loaded with the DLL injection module 130 (step S343) .

In step S341, the API hooking module 140 performs API hooking to identify and operate an application programming interface (API) for monitoring malicious behavior in the injected DLL file.

Thereafter, the detection monitoring module 150 monitors the malicious behavior according to the API hooking (step S340).

Thereafter, information of processes determined to be malicious by the detection information collection module 160 is logged to collect log information, and the log information is stored and managed in the database 175 through the DB management module 170 (Step S360).

Then, the dashboard and management module 180 visualizes the risk level of the malicious domain using the log information of the database (step S370).

The term of the modules shown in Figs. 1 to 3 means a unit for processing at least one function or operation, which can be implemented by hardware, software, or a combination of hardware and software. (DSP), a programmable logic device (PLD), a field programmable gate array (FPGA), a processor, a controller, a microprocessor, and the like, which are designed to perform the above- , Other electronic units, or a combination thereof. In software implementation, it may be implemented as a module that performs the above-described functions. The software may be stored in a memory unit and executed by a processor. The memory unit or processor may employ various means well known to those skilled in the art

In addition, the term "zero day attack" refers to a vulnerability of a core system, such as an operating system (OS) or a network device, before a patch is issued to prevent the vulnerability. It refers to the method of using malicious code or hacking attack.

In addition, "Drive by Download" refers to a malicious code infiltration method using a web server. A malicious code is planted on a web server running a specific home page, and the malicious code is downloaded to the PC and installed and executed only by visiting this homepage.

100: High-Speed Malicious Website Detection System
110: Domain storage management module
120: Browser loading module
130: DLL (Dynamic Linking Library) injection module
140: application programming interface (API) hooking module
150: detection monitoring module
160: Detection information collection module
170: DB (Database) management module
170: Database
180: Dashboard and Management Module

Claims (12)

A domain storage management module for managing domain information to be detected and distributing the information through a queue server;
A browser loading module for collecting the domain information and loading the actual multiple browsers to connect through actual multiple browsers;
A dynamic linking library (DLL) file injection module for monitoring malicious activity through the actual multiple browsers loaded;
An API hooking module for identifying and operating an application programming interface (API) function requested through multiple injected multiple browsers to monitor malicious activity in the injected DLL file;
A detection monitoring module for monitoring whether predetermined specific monitoring target APIs are requested through API hooking to determine whether malicious files are requested;
A detection information collection module for collecting log information by logging information of processes judged to be malicious;
A DB management module for storing and managing the log information in a database; And
And a dashboard and management module for visualizing a risk level of a malicious domain using log information of the database,
The API hooking module monitors malicious activity generated from malicious code hidden in a web page of a corresponding web site while the actual multiple browsers are loaded,
API hooking is performed for multiple real browsers that load API hooking information, and normal termination is performed through dead hooking for termination, so that malicious pages are classified as normal pages,
The API hooking module lists APIs requested by malicious web pages in order to monitor malicious web page loads that are loaded into multiple real browsers by inserting API hooking information into a DLL file connected through a browser through DLL injection,
The DLL file is a separate DLL file for monitoring a malicious behavior without modifying the code of the actual multiple browsers,
Wherein the monitoring is performed by intercepting an API function requested by a malicious web page planted by an attacker for a specific malicious behavior by modifying a specific address in the middle.
The method according to claim 1,
Wherein the domain information includes a candidate domain and a uniform resource locator (URL).
3. The method of claim 2,
The domain collection module stores a CONFIG file in a local directory. The CONFIG file includes a queue server and queue name information to be targeted. Based on the queue server and the queue name information, And distributing the domain information to the malicious web site.
delete The method according to claim 1,
And a specific address is code-patched to hook up the API. The multi-server, multi-browser based high-speed malicious website detection system according to claim 1,
The method according to claim 1,
The detection and monitoring module judges maliciousness as a malicious behavior when a malicious action occurs. The malicious action includes application program loading, file creation, registry change, other network port opening, connection of a port that is not used well, Wherein the malicious web site is a malicious web site.
The method according to claim 1,
Wherein the detection information collection module generates a local folder for collecting the log information, and collects information by time, action, file, and link, based on multiple servers and multiple browsers.
The method according to claim 1,
Wherein the DB management module is configured to manage the history of the log information in a TOP-DOWN manner in accordance with the generated process ID, and to store the log information generated by the process in a time-based manner. , A multi-browser based high-speed malicious website detection system.
3. The method of claim 2,
Wherein the domain storage management module performs registration of the candidate domain through a management page.
3. The method of claim 2,
The detection and monitoring module determines whether a malicious action has occurred during a specific waiting time to determine whether the log information collected from the API hooking is malicious or not, and plays a role of terminating an abnormal connection state of a connection candidate domain quickly Based multi-server, multi-browser based high-speed malicious website detection system.
delete Managing the domain information to be detected by the domain storage management module and distributing the domain information through the queue server;
Performing a role of the browser loading module to collect the domain information and load the actual multiple browsers to access through actual multiple browsers;
Injecting a malicious activity monitoring DLL file into the actual multiple browser for an initial task for monitoring malicious activity through the actual multiple browsers loaded with a dynamic linking library (DLL) module;
Performing API hooking for identifying and operating an API for monitoring malicious behavior in the DLL file in which an application programming interface (API) hooking module is injected;
Monitoring whether the detection monitoring module is requesting the API through API hooking, and judging the malicious file according to whether a predetermined malicious file is detected;
Collecting log information by logging information of processes judged to be malicious by the detection information collection module;
Storing and managing the log information in the database by the DB management module; And
And dashboard and management module visualizing the risk level of malicious domain using log information of the database,
The API hooking module monitors malicious activity generated from malicious code hidden in a web page of a corresponding web site while the actual multiple browsers are loaded,
API hooking is performed for multiple real browsers that load API hooking information, and normal termination is performed through dead hooking for termination, so that malicious pages are classified as normal pages,
The API hooking module lists APIs requested by malicious web pages in order to monitor malicious web page loads that are loaded into multiple real browsers by inserting API hooking information into a DLL file connected through a browser through DLL injection,
The DLL file is a separate DLL file for monitoring a malicious behavior without modifying the code of the actual multiple browsers,
Wherein the monitoring is performed by intercepting an API function requested by a malicious web page planted by an attacker for a specific malicious behavior by modifying a specific address in the middle.

Images