CN101739519B - Monitoring apparatus and monitoring method for hardware - Google Patents

Monitoring apparatus and monitoring method for hardware

Info

Publication number: CN101739519B
Authority: CN (China)
Prior art keywords: instruction; address value; hardware; monitoring; entry point information
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN2008101786590A
Other languages: Chinese (zh)
Other versions: CN101739519A (en)
Inventors: 戴士尧, 林志鸿, 黄彦男, 张嘉祥, 郭斯彦
Current assignee: Institute for Information Industry (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Institute for Information Industry
Priority date: 2008-11-24 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2008-11-24
Publication date: 2010-06-16 (CN101739519A); granted 2013-01-16 (CN101739519B)

Application history: application filed by Institute for Information Industry; priority to CN2008101786590A; publication of CN101739519A; application granted; publication of CN101739519B; current legal status Expired - Fee Related; anticipated expiration.

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a monitoring apparatus and a monitoring method for hardware. The hardware comprises a central processing unit and a storage module. The monitoring apparatus comprises an acquisition module and an analysis module, wherein the acquisition module is used for acquiring the entry point information of a process before the process is executed; and the process comprises at least one command. The analysis module acquires a corresponding address value of the process according to the entry point information, wherein the address value can correspond to a storage block which stores the at least one command. When the central processing unit executes the at least one command of the process, the storage module records the at least one command of the process according to the address value.

Description

Monitoring apparatus and monitoring method for hardware
Technical field
The present invention relates to a monitoring apparatus and a monitoring method for hardware, and in particular to a monitoring apparatus and monitoring method that protect hardware from attack by a malicious process.
Background
With the development of the information industry, computers and networks occupy an indispensable place in daily life. Processing data on a computer, or searching for information, shopping and exchanging data over the web, have become habitual parts of human life. Network services such as credit card checkout, online shopping orders and web ATMs are used by many people every day.
However, precisely because users rely so heavily on computers and networks, some malicious software (malware) has the opportunity to compromise users' computers. For example, some malware steals important data stored in the computer over the network, USB flash drives, infrared or Bluetooth, destroys information inside the computer, or even takes control of the user's computer system to restrict the user's rights of use. Other malware installs adware or spam software on the user's computer, causing annoyance to the user and wasting valuable network resources at the same time. The security of computers and networks is therefore a considerable problem.
To prevent malware from damaging a user's computer in the various ways described in the preceding paragraph, antivirus programs have conventionally been used to stop malware from accessing or damaging the user's computer. An antivirus program detects and blocks malware according to malware characteristics established by a malware analysis tool. For example, CWSandbox (a malware analysis tool) establishes different kinds of malware characteristics by analyzing different malware samples, and Kaspersky (an antivirus program) uses these characteristics to detect and block malware.
However, every antivirus program or malware analysis tool is installed in the computer's operating system and operates in the same way as the malware, through the operating system. That is, the antivirus program or malware analysis tool runs in the same environment (the same operating system) as the malware. Consequently, when malware detects that it is running in an environment where an antivirus program or malware analysis tool is executing, it can go on to disrupt the normal operation of that antivirus program or analysis tool. Alternatively, the malware can execute the various instructions of some other kind of normal program, causing the antivirus program or analysis tool to collect wrong data. It follows that when an antivirus program residing in the operating system detects the execution of malware that also resides in the operating system, its detection capability is subject to considerable restriction.
Accordingly, as malware spreads unchecked day by day, how to design a monitoring method that does not run inside the operating system and cannot be detected in turn by the malware is a problem the industry urgently needs to solve.
Summary of the invention
One object of the present invention is to provide a monitoring apparatus for hardware. The hardware comprises a central processing unit and a storage module. The monitoring apparatus comprises an acquisition module and an analysis module. Before a process is executed, the acquisition module captures entry point information of the process from the storage module; the process comprises at least one instruction. The analysis module then obtains from the central processing unit, according to the entry point information, an address value corresponding to the process, where the address value corresponds to the memory block storing the at least one instruction. When the central processing unit executes the at least one instruction of the process, the storage module of the hardware records the at least one instruction of the process according to the address value.
Another object of the present invention is to provide a monitoring method comprising the following steps: before a process is executed, capturing entry point information of the process, where the process comprises at least one instruction; according to the entry point information, obtaining an address value corresponding to the process, where the address value corresponds to the memory block storing the at least one instruction; executing the at least one instruction of the process; and recording the at least one instruction of the process according to the address value. The capturing of the entry point information and the recording of the at least one instruction of the process according to the address value are performed by hardware.
A further object of the present invention is to provide a computer program product storing a program for a monitoring method; after the program is loaded into a microprocessor, it can carry out and complete the monitoring method described in the preceding paragraph.
In summary, the monitoring apparatus and monitoring method for hardware disclosed by the present invention can monitor all processes executed on the hardware. When the computer executes the instructions these processes comprise, the instructions are recorded and analyzed according to their corresponding address values. Accordingly, the present invention detects malware directly according to the address value corresponding to the instructions of a process, without operating system support, and thereby improves on the shortcomings of the prior art. At the same time, by detecting malware in this way, the present invention can also protect the various critical sections of the computer, such as memory, preventing the damage done by malware from causing the processes executing in a critical section to produce unexpected results (such as skipping an authentication process or control hijacking).
Brief description of the drawings
After reading the embodiments described below with reference to the accompanying drawings, a person of ordinary skill in the technical field of the present invention will understand the other objects, advantages and technical means of the present invention and the aspects in which it can be implemented, wherein:
Fig. 1 is a schematic diagram of the first embodiment of the present invention; and
Fig. 2 is a flow chart of the second embodiment of the present invention.
Embodiments
The present invention relates to a monitoring apparatus and a monitoring method for hardware. An advantage of the invention is that the existence of the monitoring apparatus cannot be detected by a malicious process, while information at the level of a relatively high-level programming language can still be analyzed within the hardware. Note that a program is defined as a file that can be loaded and executed, and a process is defined as a program that is executing. For simplicity, however, the present invention also refers to a program that is about to be executed as a process. The following embodiments illustrate the content of the present invention and do not limit it. In the following embodiments and drawings, elements unrelated to the present invention are omitted and not shown.
As shown in Fig. 1, the first embodiment of the present invention is a monitoring apparatus 13 for a hardware 11. The hardware 11 has a central processing unit 111 and a memory 113, and the user controls each element of the hardware 11 through an operating system 15. The operating system 15 can be any of the operating systems sold on the market, such as Microsoft Windows, the Apple Macintosh operating system, Linux or Unix; in the first embodiment, the operating system 15 is Microsoft Windows. The hardware 11 can be a personal computer (PC) or a Macintosh (MAC) sold by Apple Computer; in the first embodiment, the hardware 11 is a personal computer. Note that the present invention does not limit the kind of operating system 15 or hardware 11; a person of ordinary skill in the art can also carry out the present invention with other kinds of operating system and hardware and their combinations, so this is not repeated here.
The monitoring apparatus 13 comprises an acquisition module 131, an analysis module 133, a judgment module 137 and a blocking module 139. When the operating system 15 prepares to execute a process 150, the operating system 15 assigns an address value to the process 150, for example a CR3 value 110, and records it in a register of the central processing unit 111, so that the operating system 15 and the hardware 11 execute the instructions or system calls corresponding to the process 150 by means of the CR3 value 110. When the operating system 15 assigns an address value to the process 150, it produces entry point information 112, for example a flag, a signal or a memory address, indicating that the process 150 is about to start executing.
After the acquisition module 131 of the monitoring apparatus 13 obtains the entry point information 112, the analysis module 133 obtains, according to the entry point information 112, the CR3 value 110 present in the central processing unit 111 that corresponds to the process 150 about to be executed. The process 150 is made up of a plurality of instructions, for example instructions 150a, 150b and 150c, which together achieve some specific purpose, such as recording a document or editing a file, and these instructions 150a, 150b and 150c all have the same CR3 value 110 as the process 150. The instructions 150a, 150b and 150c that the process 150 comprises are stored in the memory 113 of the hardware 11. Besides achieving its specific purpose through the plurality of instructions 150a, 150b and 150c, the process 150 can also achieve it by having the central processing unit 111 execute various system calls 152 stored in the operating system 15, which assist the instructions 150a, 150b and 150c.
In the present embodiment, the process 150 is a portable executable file (PE file). The portable executable file is a standard executable file format used by the operating system 15, for example an executable file (exe file) or a dynamic link library file (DLL file) in a Microsoft system. The system calls 152 can be Win32 system calls or native system calls. Likewise, the system calls 152 have the same CR3 value 110 as the process 150. A person of ordinary skill in the art can understand the composition of the process 150 from existing technical documents and their own knowledge, so it is not repeated here.
After the process 150 starts to execute, the central processing unit 111 fetches the instructions 150a, 150b and 150c from the memory 113 for processing, because these instructions 150a, 150b and 150c all have the same CR3 value 110 as the process 150. When the instructions 150a, 150b and 150c are processed, the monitoring apparatus 13 records the instructions 150a, 150b and 150c in the memory 113 of the hardware 11 according to their CR3 value 110. Similarly, when the central processing unit 111 obtains from the operating system 15 and processes a system call 152 corresponding to the process 150, the monitoring apparatus 13 also records the system call 152 in the memory 113 of the hardware 11 according to its CR3 value 110.
While the process 150 is executing, or after it has completed, the judgment module 137 of the monitoring apparatus 13 obtains from the memory 113 all the instructions 150a, 150b and 150c and system calls 152 that the process 150 has executed, and compares these executed instructions 150a, 150b and 150c and system calls 152 with a malicious process behavior model (not shown) to judge whether the process 150 is a malicious process.
When the process 150, while executing or after completing, is judged to be a malicious process because it matches the malicious process behavior model, the blocking module 139 of the monitoring apparatus 13 can directly send a shutdown signal 130 to the central processing unit 111 to terminate the process 150 judged to be malicious. More specifically, if one of the instructions of the process 150 (such as instruction 150b) or its system call 152, when executed by the central processing unit 111, accesses a critical section 115 of the hardware 11, the blocking module 139 of the monitoring apparatus 13 sends a shutdown signal 130 to the central processing unit 111 to terminate the process 150 judged to be malicious, thereby preventing the process 150 from accessing the critical section 115 of the hardware 11.
The present embodiment mainly uses the monitoring apparatus 13 to record and collect the instructions and system calls that the central processing unit 111 processes while the process 150 executes, and from them summarizes the behavior model of the process 150. The monitoring apparatus 13 then compares the behavior model of the process 150 with the behavior model of a malicious process; if the two are very similar, the probability that the process 150 is a malicious process is quite high. The monitoring apparatus 13 can then block the process 150 judged to be malicious, so as to protect the data stored in each element of the hardware.
The present invention does not limit the scope of the critical section 115 of the hardware 11. The critical section 115 can be the program counter (PC), which is related to the program execution sequence, the translation lookaside buffer (TLB), which is related to virtual address translation, or any other block of the hardware 11 whose modification or destruction would cause the hardware 11 to operate abnormally. A person of ordinary skill in the art can define the critical section 115 of the hardware 11 for themselves, so it is not repeated here.
The second embodiment of the present invention is a monitoring method as shown in Fig. 2, suitable for a monitoring apparatus such as the monitoring apparatus 13 of the first embodiment. More specifically, the monitoring method of the second embodiment can be carried out by a computer program product: after a microprocessor loads the computer program product and executes the plurality of instructions it comprises, the monitoring method of the second embodiment is completed. The computer program product can be stored in a computer-readable storage medium, for example a read-only memory (ROM), flash memory, floppy disk, hard disk, CD, magnetic tape, a database accessible over a network, or any other storage medium with the same function known to those familiar with the art.
The monitoring method of the second embodiment comprises the following steps. First, step 301 is executed: before a process is executed, capture entry point information of the process, where the process comprises at least one instruction. Then step 303 is executed: assign an address value to the process. Next, step 305 is executed: according to the entry point information, obtain the address value corresponding to the process. Step 307 is executed: execute at least one instruction corresponding to the process. Then step 309 is executed: record the at least one instruction corresponding to the process according to the address value.
Step 311 is executed: execute at least one system call corresponding to the process. Then step 313 is executed: record the at least one system call corresponding to the process according to the address value. Next, step 315 is executed: according to the recorded at least one instruction and at least one system call, judge whether the process is a malicious process. If so, step 317 is executed: respond to the process. If the process is not a malicious process, steps 301 to 315 are repeated to judge whether another process is a malicious process.
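As an added illustration that is not part of the patent, the following Python simulation models steps 301 to 317 together with the modules of the first embodiment: events arrive tagged with the CR3 value the operating system assigned, each process's instructions and system calls are logged under that value, the log is compared with a malicious behavior model, and a shutdown signal is issued when a matching process touches a critical section. The event names, the behavior model, the trace, the region tags and the similarity threshold are all constructed for this example.

```python
# The patent names the program counter (PC) and translation lookaside buffer (TLB) as examples
# of a critical section; these region tags are constructed for the simulation.
CRITICAL_SECTIONS = frozenset({"PC", "TLB"})

class ProcessRecord:
    """What the monitor logged for one CR3 value (the memory 113 of Fig. 1)."""
    def __init__(self, cr3):
        self.cr3 = cr3
        self.instructions, self.syscalls, self.shut_down = [], [], False

def lcs_length(model, observed):
    """Longest common subsequence: order-preserving similarity between two call sequences."""
    prev = [0] * (len(observed) + 1)
    for x in model:
        cur = [0]
        for j, y in enumerate(observed):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]

class HardwareMonitor:
    """Acquisition, analysis, judgment and blocking modules, all keyed by the CR3 value."""
    def __init__(self, malicious_model, threshold=0.75):
        self.malicious_model = list(malicious_model)
        self.threshold = threshold          # constructed: how close a match counts as malicious
        self.records = {}                   # cr3 -> ProcessRecord
        self.shutdown_signals = []          # CR3 values for which shutdown signal 130 went to the CPU

    def on_entry_point(self, cr3):
        # Steps 301-305: the OS assigned cr3 to a process and flagged that it is about to run.
        self.records[cr3] = ProcessRecord(cr3)

    def on_instruction(self, cr3, mnemonic, region=None):
        # Steps 307/309 plus the blocking module: a process that matches the model is shut down
        # the moment one of its instructions touches a critical section.
        rec = self.records[cr3]
        if rec.shut_down:
            return False
        rec.instructions.append((mnemonic, region))
        if region in CRITICAL_SECTIONS and self.judge(cr3):
            self._shutdown(rec)
        return not rec.shut_down

    def on_syscall(self, cr3, name):
        # Steps 311/313: log the call under the CR3 of the process that issued it.
        if not self.records[cr3].shut_down:
            self.records[cr3].syscalls.append(name)

    def similarity(self, cr3):
        # Fraction of the model's call sequence found, in order, in this process's own log.
        observed = self.records[cr3].syscalls
        return lcs_length(self.malicious_model, observed) / len(self.malicious_model)

    def judge(self, cr3):       # step 315: compare recorded behavior with the malicious model
        return self.similarity(cr3) >= self.threshold

    def on_exit(self, cr3):
        # Judgment after completion; step 317 (respond) if the process matches the model.
        rec = self.records[cr3]
        if self.judge(cr3) and not rec.shut_down:
            self._shutdown(rec)
        return rec.shut_down

    def _shutdown(self, rec):
        rec.shut_down = True
        self.shutdown_signals.append(rec.cr3)

# Constructed malicious behavior model: read a file, then push its contents out over the network.
MALICIOUS_MODEL = ["open_file", "read_file", "connect", "send"]

# Constructed trace interleaving a benign editor (CR3 0x1A000) with a process that matches the
# model (CR3 0x2B000). Only the CR3 tag tells the monitor which per-process log an event joins.
TRACE = [
    ("entry", 0x1A000), ("entry", 0x2B000),
    ("syscall", 0x1A000, "open_file"), ("syscall", 0x2B000, "open_file"),
    ("syscall", 0x1A000, "read_file"), ("syscall", 0x2B000, "read_file"),
    ("syscall", 0x2B000, "connect"), ("syscall", 0x1A000, "write_file"),
    ("syscall", 0x2B000, "send"), ("insn", 0x2B000, "mov", "TLB"),  # critical section touched
    ("insn", 0x2B000, "mov", None), ("exit", 0x1A000),                # first one never executes
]

def run_trace(trace, model=MALICIOUS_MODEL):
    mon = HardwareMonitor(model)  # feed a CR3-tagged event trace through the monitor
    handlers = {"entry": mon.on_entry_point, "insn": mon.on_instruction,
                "syscall": mon.on_syscall, "exit": mon.on_exit}
    for kind, *args in trace:
        handlers[kind](*args)
    return mon
```

Because both processes issue open_file and read_file, a monitor that merged all calls into one stream would see the whole model; keying the logs by CR3 is what keeps the editor at half similarity while the matching process is stopped at its first critical-section access.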
In summary, the present invention directly monitors, in hardware, the instructions of the processes that the central processing unit processes. When the user executes the instructions or system calls that these processes comprise, the instructions and system calls are recorded and analyzed according to their corresponding address value. Accordingly, the present invention detects malware directly according to the address value corresponding to the instructions of a process, without operating system support, and thereby improves on the shortcoming of the prior art that malware can only be detected with the assistance of the operating system.
The above embodiments are only used to exemplify aspects of implementing the present invention and to explain its technical features; they do not limit the scope of protection of the present invention. Any change or equivalent arrangement that a person familiar with this art can make without effort belongs to the scope claimed by the present invention, and the scope of the present invention shall be determined by the claims.

Claims (10)

1. A monitoring method comprising the following steps:
before a process is executed, capturing entry point information of the process, wherein the process comprises at least one instruction;
according to the entry point information, obtaining an address value corresponding to the process, wherein the address value corresponds to a memory block storing the at least one instruction;
executing the at least one instruction of the process; recording the at least one instruction of the process according to the address value;
according to the recorded at least one instruction of the process, judging whether the process is a malicious process; and
when the process is judged to be a malicious process, responding to the process;
wherein the capturing of the entry point information and the recording of the at least one instruction of the process according to the address value are performed by hardware.
2. The monitoring method according to claim 1, further comprising the following step:
assigning the address value to the process.
3. The monitoring method according to claim 1, wherein the entry point information is a processor flag.
4. The monitoring method according to claim 1, further comprising the following steps:
executing at least one system call corresponding to the process; and
recording the at least one system call according to the address value.
5. The monitoring method according to claim 4, wherein the system call is one of a Win32 system call and a native system call.
6. A monitoring apparatus for a hardware, the hardware comprising a central processing unit, a storage module and a critical section, the monitoring apparatus comprising:
an acquisition module that, before a process is executed, captures entry point information of the process from the storage module, wherein the process comprises at least one instruction;
an analysis module for obtaining from the central processing unit, according to the entry point information, an address value corresponding to the process, wherein the address value corresponds to a memory block storing the at least one instruction;
a judgment module that, according to the at least one instruction of the process recorded by the storage module of the hardware, judges whether the process is a malicious process; and
a blocking module that, when the process is judged to be a malicious process, responds to the process;
wherein, when the central processing unit executes the at least one instruction of the process, the storage module of the hardware records the at least one instruction of the process according to the address value.
7. The monitoring apparatus according to claim 6, wherein an operating system assigns the address value to the process.
8. The monitoring apparatus according to claim 6, wherein the entry point information is a processor flag.
9. The monitoring apparatus according to claim 6, wherein, when the central processing unit executes at least one system call corresponding to the process, the storage module of the hardware records the at least one system call according to the address value.
10. The monitoring apparatus according to claim 9, wherein the system call is one of a Win32 system call and a native system call.
Publications (2)

Publication Number   Publication Date
CN101739519A         2010-06-16
CN101739519B         2013-01-16 (granted)

Legal Events

Code   Title
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
C14    Grant of patent or utility model
GR01   Patent grant
CF01   Termination of patent right due to non-payment of annual fee

Granted publication date: 2013-01-16
Termination date: 2020-11-24