CN104714831A - Method and device for detecting a parasitic process in a virtual machine - Google Patents

Method and device for detecting a parasitic process in a virtual machine

Info

Publication number: CN104714831A (granted as CN104714831B)
Authority: CN (China)
Application number: CN201510149766.0A
Legal status: granted; active (status as listed by Google Patents, not a legal conclusion)
Original language: Chinese (zh)
Inventor: 罗凯
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Prior art keywords: virtual machine, target process, designated virtual machine, address space, DLL

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for detecting a parasitic process in a virtual machine. The method comprises: determining one or more processes in a designated virtual machine as target processes; for each target process, reconstructing, from outside the designated virtual machine, the process management structure that the target process has inside the designated virtual machine; and determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected. The scheme reconstructs the in-guest process management structure of the target process according to the behavioural characteristics of malware that parasitizes a process, and judges comprehensively, by analysing the reconstructed structure, whether a process running in the virtual machine has become a host of malware. Compared with the prior art, the detection scheme offers better real-time performance, flexibility, generality and accuracy, and meets the joint requirement of cloud service providers and their users.

Description

Method and apparatus for detecting a parasitic process in a virtual machine
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for detecting a parasitic process in a virtual machine.
Background technology
Virtualization technology virtualizes IT resources such as compute, storage and network, and is the foundation of the rapid growth of the cloud computing industry. The virtual machine (VM) is the most basic form of service that a cloud environment offers externally: the cloud service provider supplies individual or organizational users with a single virtual machine, or a virtual network composed of several virtual machines, to meet the user's need for an elastic cloud service that is easy to maintain and highly available. In a virtualized environment the service is delivered to the user in the form of a virtual machine, and the cloud service provider can only use interfaces such as Libvirt to obtain, from outside the virtual machine, information on the allocation and use of resources such as the CPU, memory, disk and network of the target virtual machine; it cannot monitor at the granularity of the processes running inside the virtual machine. Once a virtual machine is controlled by malware implanted by an attacker, it becomes a serious threat to the security of the other virtual machines in the same virtual network and even to the security and stability of the cloud platform itself. Runtime security monitoring of virtual machines has therefore become a joint requirement of cloud service providers and users.
To achieve infection without ports, without processes and without files, a large amount of current malware uses injection to parasitize a normal process and hide itself; concrete methods include DLL injection and fileless code injection. Whichever method is used, the injection changes the process's normal execution flow and produces abnormal states at the level of the process structures: for example, the process loads an abnormal DLL, or abnormal VAD regions appear.
Malicious code injection causes a number of abnormal behaviours in the process, but the manner, content and location of the injection keep changing as techniques develop. Existing methods based on signature detection or memory-space scanning lack generality and, at a time when large numbers of malware samples and variants appear every day, cannot meet the need for real-time detection.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method and apparatus for detecting a parasitic process in a virtual machine that overcomes the above problems or at least partly solves them.
According to one aspect of the present invention, a method for detecting a parasitic process in a virtual machine is provided, the method comprising:
determining one or more processes in a designated virtual machine as target processes;
for each target process, reconstructing, from outside the designated virtual machine, the process management structure of that target process inside the designated virtual machine;
determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
Optionally, determining one or more processes in the designated virtual machine as target processes comprises:
taking one or more processes in the designated virtual machine that generate network behaviour as the target processes.
Optionally, reconstructing, from outside the designated virtual machine, the process management structure of the target process inside the designated virtual machine comprises:
obtaining the content related to the target process from the memory of the designated virtual machine.
Optionally, obtaining the content related to the target process from the memory of the designated virtual machine comprises:
using Libvmi to map the memory address space of the designated virtual machine that corresponds to the target process into the memory address space of Domain 0, so as to provide address-space support for the Volatility framework;
generating, on the basis of the Volatility framework, a script for analysing and reading the memory of the designated virtual machine at run time;
the script obtaining the content related to the target process through the mapped Domain 0 memory address space.
Optionally, obtaining the content related to the target process from the memory of the designated virtual machine comprises:
obtaining the DLL information loaded by the target process from the process environment block (PEB) located in the user address space;
and obtaining the DLL information loaded by the target process from the virtual address descriptor (VAD) structures located in the kernel address space.
Optionally, obtaining the DLL information loaded by the target process from the PEB located in the user address space comprises:
obtaining the DLL information loaded by the target process from the three doubly linked lists of the PEB whose nodes record DLL information;
wherein the three doubly linked lists are: InLoadOrderList, sorted by load order; InMemoryOrderList, sorted by order in memory; and InInitOrderList, sorted by initialization order.
Optionally, obtaining the DLL information loaded by the target process from the VAD structures located in the kernel address space comprises:
traversing the EPROCESS linked list to obtain the EPROCESS address of the target process;
obtaining VadRoot, the address of the root node of the VAD tree, from the EPROCESS data structure at that EPROCESS address;
traversing the VAD tree with a preorder traversal algorithm and extracting the VAD nodes that have execute permission and whose FileName is not empty;
obtaining the DLL information loaded by the target process from the information in the extracted VAD nodes.
Optionally, when the DLL information loaded by the target process has been obtained both from the PEB located in the user address space and from the VAD structures located in the kernel address space, whether the target process is a parasitic process into which a malicious DLL has been injected is determined as follows:
if a DLL is absent from the DLL information obtained from the PEB but present in the DLL information obtained from the VAD structures, that DLL is a malicious DLL and the target process is a parasitic process into which a malicious DLL has been injected.
Optionally, determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious DLL has been injected comprises:
if the header structure of a PE-format file is present in the data of the reconstructed process management structure, taking the content corresponding to that PE header as a target of security monitoring.
Optionally, reconstructing, from outside the designated virtual machine, the process management structure of the target process inside the designated virtual machine comprises: obtaining, from the memory of the designated virtual machine, the executable code related to the target process that lies in the different executable memory regions;
and determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious DLL has been injected comprises:
calculating the entropy of the executable code in each of the different memory regions respectively; if the calculated entropy of the executable code in any region is greater than a predetermined threshold, determining that the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
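The two checks claimed above, the PE-header search and the per-region entropy test, as an added example that is not part of the patent or of any Qihoo code. The regions are constructed in the script (a repetitive compiler-style stub, a deterministic pseudo-random "packed" payload, and a hand-built image with a DOS header whose e_lfanew points at a PE signature) and stand in for the executable VAD regions a Volatility script would have read out of guest memory; the entropy threshold of 7.0 bits per byte is an assumed value for the patent's "predetermined threshold", and the region names are invented.

```python
"""Entropy and PE-header screening of a process's executable regions (added example)."""
import hashlib
import math
import struct

ENTROPY_THRESHOLD = 7.0   # assumed "predetermined threshold" (bits per byte, maximum 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_pe_header(region: bytes):
    """Return the offset of a PE image header inside the region, or None.

    A PE image starts with a DOS header ("MZ"); the 32-bit little-endian
    e_lfanew field at offset 0x3C points to the "PE\\0\\0" signature.
    Every "MZ" occurrence is tested so that an image mapped at a non-zero
    offset inside the region is still found and stray "MZ" bytes are not.
    """
    pos = region.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(region):
            e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(region) and region[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = region.find(b"MZ", pos + 1)
    return None


def screen_regions(regions, threshold=ENTROPY_THRESHOLD):
    """Apply both checks to every (name, bytes) region.

    Returns (name, entropy, pe_offset, suspicious) per region; a region is
    suspicious if its entropy exceeds the threshold (packed or encrypted
    payload) or if it carries a PE header (an image mapped by something
    other than the loader).
    """
    results = []
    for name, data in regions:
        h = shannon_entropy(data)
        pe = find_pe_header(data)
        results.append((name, round(h, 3), pe, h > threshold or pe is not None))
    return results


def build_sample_regions():
    """Constructed regions; none of this comes from a real memory image."""
    # 1. Ordinary compiler output: a short repeated stub plus int3 padding.
    normal = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3" + b"\xcc" * 5) * 256
    # 2. Packed/encrypted payload: deterministic pseudo-random bytes (4096 bytes).
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    # 3. Manually mapped image: DOS header at 0, e_lfanew = 0x80 -> "PE\0\0", then code.
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * (0x80 - 64)
    mapped_pe = dos + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 250 + normal[:1024]
    return [("text_of_explorer.exe", normal),
            ("private_rwx", packed),
            ("private_rwx_2", mapped_pe)]


def suspicious_region_names(regions=None):
    """Names of the regions that trip either check (constructed sample by default)."""
    regions = build_sample_regions() if regions is None else regions
    return [name for name, _, _, flag in screen_regions(regions) if flag]


if __name__ == "__main__":
    for row in screen_regions(build_sample_regions()):
        print(row)
```

On the constructed data the compiler-style region scores about 3 bits per byte, the pseudo-random payload close to 8, and the hand-built image is caught by the header check even though its entropy is low; in practice both checks feed the same triage, because a high-entropy region with no header may be an encrypted payload that is decrypted only when executed, and a clear PE header with ordinary entropy is exactly what a manually mapped DLL looks like.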
According to another aspect of the present invention, an apparatus for detecting a parasitic process in a virtual machine is provided, the apparatus comprising:
a target process determining unit, adapted to determine one or more processes in a designated virtual machine as target processes;
a process management structure reconstructing unit, adapted, for each target process, to reconstruct from outside the designated virtual machine the process management structure of that target process inside the designated virtual machine;
a security detection unit, adapted to determine, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
Optionally, the target process determining unit is adapted to take one or more processes in the designated virtual machine that generate network behaviour as the target processes.
Optionally, the process management structure reconstructing unit is adapted to obtain the content related to the target process from the memory of the designated virtual machine and, from the obtained content, to reconstruct the process management structure of the target process inside the designated virtual machine.
Optionally, the process management structure reconstructing unit is adapted to use Libvmi to map the memory address space of the designated virtual machine that corresponds to the target process into the memory address space of Domain 0, so as to provide address-space support for the Volatility framework; to generate, on the basis of the Volatility framework, a script for analysing and reading the memory of the designated virtual machine at run time; and to use the script to obtain the content related to the target process through the mapped Domain 0 memory address space.
Optionally, the process management structure reconstructing unit is adapted to obtain the DLL information loaded by the target process from the process environment block (PEB) located in the user address space, and to obtain the DLL information loaded by the target process from the virtual address descriptor (VAD) structures located in the kernel address space.
Optionally, the process management structure reconstructing unit is adapted to obtain the DLL information loaded by the target process from the three doubly linked lists of the PEB whose nodes record DLL information;
wherein the three doubly linked lists are: InLoadOrderList, sorted by load order; InMemoryOrderList, sorted by order in memory; and InInitOrderList, sorted by initialization order.
Optionally, the process management structure reconstructing unit is adapted to traverse the EPROCESS linked list to obtain the EPROCESS address of the target process, to obtain VadRoot, the address of the root node of the VAD tree, from the EPROCESS data structure at that EPROCESS address, to traverse the VAD tree with a preorder traversal algorithm and extract the VAD nodes that have execute permission and whose FileName is not empty, and to obtain the DLL information loaded by the target process from the information in the extracted VAD nodes.
Optionally, when the process management structure reconstructing unit has obtained the DLL information loaded by the target process both from the PEB located in the user address space and from the VAD structures located in the kernel address space,
the security detection unit is adapted, when a DLL is absent from the DLL information obtained from the PEB but present in the DLL information obtained from the VAD structures, to determine that the DLL is a malicious DLL and further to determine that the target process is a parasitic process into which a malicious DLL has been injected.
Optionally, the security detection unit is adapted to detect whether the header structure of a PE-format file is present in the data of the reconstructed process management structure and, if so, to take the content corresponding to that PE header as a target of security monitoring.
Optionally, the process management structure reconstructing unit is adapted to obtain, from the memory of the designated virtual machine, the executable code related to the target process that lies in the different executable memory regions;
and the security detection unit is adapted to calculate the entropy of the executable code in each of the different memory regions respectively and, if the calculated entropy of the executable code in any region is greater than a predetermined threshold, to determine that the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
In summary, the technical scheme provided by the invention targets the behavioural characteristic of malware that infects a virtual machine by parasitizing executable code or DLL files in a process: it reconstructs, from outside the designated virtual machine, the process management structure of the target process inside the designated virtual machine and, by analysing the reconstructed structure, makes a comparatively comprehensive judgement of whether a process running in the virtual machine has become a host of malware. Compared with existing signature detection or memory-space scanning, this detection scheme has better real-time performance, flexibility, generality and accuracy, can discover the parasitic behaviour of malware towards processes promptly and effectively, and meets the joint requirement of cloud service providers and users.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to illustrate the preferred embodiments and are not to be taken as limiting the present invention. Throughout the drawings the same reference symbols denote the same components. In the drawings:
Fig. 1 shows a method for detecting a parasitic process in a virtual machine according to an embodiment of the invention;
Fig. 2 shows a logical schematic of the method for obtaining the content related to a target process from the memory of a designated virtual machine according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of a process management structure according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the VAD data structure according to an embodiment of the invention;
Fig. 5A shows the cumulative distribution of the information entropy of the executable regions in a process address space according to an embodiment of the invention;
Fig. 5B shows the distribution of the information entropy of the executable regions in a process address space according to an embodiment of the invention;
Fig. 5C shows the cumulative distribution of the information entropy of the executable regions in a process address space according to another embodiment of the invention;
Fig. 5D shows the distribution of the information entropy of the executable regions in a process address space according to another embodiment of the invention;
Fig. 6 shows a schematic diagram of an apparatus for detecting a parasitic process in a virtual machine according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realised in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a method for detecting a parasitic process in a virtual machine according to an embodiment of the invention. As shown in Fig. 1, the method comprises:
Step S110: determining one or more processes in a designated virtual machine as target processes.
Step S120: for each target process, reconstructing, from outside the designated virtual machine, the process management structure of that target process inside the designated virtual machine.
Step S130: determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
It can be seen that the method of Fig. 1 targets the behavioural characteristic of malware that infects a virtual machine by parasitizing executable code or DLL files in a process: it reconstructs, from outside the designated virtual machine, the process management structure of the target process inside it and, by analysing the reconstructed structure, makes a comparatively comprehensive judgement of whether a process running in the virtual machine has become a host of malware. Compared with existing signature detection or memory-space scanning, this detection scheme has better real-time performance, flexibility, generality and accuracy, can discover the parasitic behaviour of malware towards processes promptly and effectively, and meets the joint requirement of cloud service providers and users.
In one embodiment of the invention, for efficiency, and in order to extract more abnormal behaviours within the same detection cycle, the method of Fig. 1 is driven by network behaviour: that is, step S110, determining one or more processes in the designated virtual machine as target processes, comprises taking one or more processes in the designated virtual machine that generate network behaviour as the target processes.
Process-granularity security detection of a designated virtual machine at the virtualization layer presupposes that the input view of the security analysis is raised to the same level as that of the processes inside the designated virtual machine; the process management structure of the target process inside the designated virtual machine must therefore be reconstructed using the conditions available outside it. In one embodiment of the invention, step S120 of the method of Fig. 1, reconstructing from outside the designated virtual machine the process management structure of the target process inside it, comprises: obtaining the content related to the target process from the memory of the designated virtual machine.
The VMM (Virtual Machine Monitor) provides the following conditions for this reconstruction: the VMM controls VCPU scheduling and holds the complete context of the virtual machine currently running; the VMM kernel holds the address mapping between virtual machine memory and physical machine memory, which is the precondition for obtaining the content related to the target process from virtual machine memory at the VMM; and the VMM provides a shared-memory mechanism by which different virtual machines can share the same region of physical memory.
From these conditions it follows that the content related to the target process in the memory of the designated virtual machine can be mapped into the address space of Domain 0, so that acquisition of that content is completed in Domain 0, and that an interface for communicating with Domain 0 can be added to the Xen kernel to obtain the VCPU register and non-register running state of the designated virtual machine. The main problem this process faces is how to locate and reconstruct the process management structures inside the designated virtual machine, that is, how to turn the raw data in the underlying registers and memory into management structures that are meaningful to the operating system. To solve this problem, the present invention combines memory forensics with virtualization technology.
Memory forensics is a technique for searching memory dump files for evidence of intrusion or for recovering data. Volatility is a well-known open framework in the memory forensics field; it supports the processing and analysis of memory dumps of systems such as Linux, Mac and Windows, and its plugin mechanism simplifies secondary development on the framework. The present invention implements the acquisition of the content related to the target process in virtual machine memory on the basis of this framework.
To let Volatility analyse virtual machine memory at run time, the present invention uses Libvmi to provide Volatility with a compatible address space. Libvmi is an open-source virtual machine introspection tool provided to researchers by the virtualization community; it can also read and write the address space of a designated virtual machine, monitor particular events, and on that basis obtain the content related to the target process in virtual machine memory. Implementing that functionality with Libvmi alone, however, requires reverse analysis of the system management structures of each type of operating system to determine the offsets of the target variables within the higher-level data structures, and so lacks generality. The present invention therefore uses Libvmi only to map the memory address space of the designated virtual machine that corresponds to the target process into Domain 0, providing the address-space function for the Volatility framework. Specifically, in one embodiment of the invention, obtaining the content related to the target process from the memory of the designated virtual machine comprises:
Step S121: using Libvmi to map the memory address space of the designated virtual machine that corresponds to the target process into the memory address space of Domain 0, so as to provide address-space support for the Volatility framework.
Step S122: generating, on the basis of the Volatility framework, a script for analysing and reading the memory of the designated virtual machine at run time.
Step S123: the script obtaining the content related to the target process through the mapped Domain 0 memory address space.
Fig. 2 shows a logical schematic of the method for obtaining the content related to the target process from the memory of a designated virtual machine according to an embodiment of the invention, further explaining the implementation principle of steps S121 to S123. As shown in Fig. 2, the method uses Libvmi to provide address-space support for the Volatility framework and uses a script based on the Volatility framework to obtain the content related to the target process in the virtual machine's memory, thereby reconstructing from outside the designated virtual machine the process management mechanism of the target process inside it. Through this reconstructed process management mechanism, the present invention can monitor DLL injection and code injection in the target process.
Fig. 3 shows a schematic diagram of a process management structure according to an embodiment of the invention. The Windows kernel uses the EPROCESS data structure in its kernel address space to maintain, for each process, management information such as resource usage and running state. This data structure is the core of the kernel's process management; from it one can obtain information such as the dynamic link files the process has imported, its memory allocation and its thread states. As shown in Fig. 3, the EPROCESS data structure contains the following members important to process management:
(1) Pcb: located at the start of the EPROCESS structure, of type KPROCESS, i.e. the kernel process control block; it holds the page directory / page directory pointer address of the process, the thread management list, the time run in user mode and kernel mode, and so on.
(2) CreateTime/ExitTime: record the times at which the process was created and exited.
(3) UniqueProcessId: records the ID of the process.
(4) VadRoot: the operating system uses a tree structure to maintain the memory the process has allocated; each node in the tree records information such as a memory region, its permissions and its file mapping. Such a node is called a VAD (Virtual Address Descriptor) node, and the VadRoot member points to the root node of this tree.
(5) Peb: points to the Process Environment Block (PEB). This data structure is located in the user address space and gives information such as the modules the process has loaded, its command line parameters and the heaps it has allocated.
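How a script reads these EPROCESS members out of raw guest memory, as an added example that is not part of the patent and does not use Libvmi or Volatility. The flat byte image stands in for the address space that Libvmi would map into Domain 0, and the field offsets, structure size, list-head address, PIDs and process names form a made-up 32-bit toy profile (real offsets differ per Windows build and come from the Volatility profile). The walk follows ActiveProcessLinks from the kernel's list head; the visited set and iteration limit are a practitioner's guard against a list that a compromised guest has corrupted or looped.

```python
"""Walking the EPROCESS list out of a raw memory image (added example, toy profile)."""
import struct

# Hypothetical profile: field offsets inside EPROCESS and the address of the list head.
OFF_PID = 0x10          # UniqueProcessId (u32 in this toy layout)
OFF_LINKS = 0x14        # ActiveProcessLinks: LIST_ENTRY {Flink, Blink}, u32 each
OFF_VADROOT = 0x1C      # VadRoot
OFF_PEB = 0x20          # Peb
OFF_NAME = 0x24         # ImageFileName, 16 bytes
EPROCESS_SIZE = 0x40
PS_ACTIVE_PROCESS_HEAD = 0x1000   # address of the kernel's LIST_ENTRY list head


class AddressSpace:
    """Minimal stand-in for the Libvmi/Volatility address space: a flat byte image."""

    def __init__(self, image: bytes):
        self.image = image

    def read(self, addr: int, size: int) -> bytes:
        if addr < 0 or addr + size > len(self.image):
            raise ValueError(f"unmapped address {addr:#x}")
        return self.image[addr:addr + size]

    def read_u32(self, addr: int) -> int:
        return struct.unpack("<I", self.read(addr, 4))[0]


def walk_eprocess_list(aspace, head=PS_ACTIVE_PROCESS_HEAD, limit=4096):
    """Follow ActiveProcessLinks.Flink from the list head; one dict per process.

    Each Flink points at the LIST_ENTRY embedded in the next EPROCESS, so the
    EPROCESS base is Flink - OFF_LINKS. The walk ends when it returns to the
    head; a visited set and an iteration limit stop a corrupted or looped list.
    """
    procs, seen = [], set()
    link = aspace.read_u32(head)          # head.Flink
    while link != head and len(procs) < limit:
        if link in seen:
            raise ValueError(f"ActiveProcessLinks cycle at {link:#x}")
        seen.add(link)
        base = link - OFF_LINKS
        name = aspace.read(base + OFF_NAME, 16).split(b"\x00", 1)[0]
        procs.append({
            "eprocess": base,
            "pid": aspace.read_u32(base + OFF_PID),
            "name": name.decode("ascii", "replace"),
            "vad_root": aspace.read_u32(base + OFF_VADROOT),
            "peb": aspace.read_u32(base + OFF_PEB),
        })
        link = aspace.read_u32(base + OFF_LINKS)   # this entry's Flink
    return procs


def find_process(aspace, pid):
    """The EPROCESS record for a PID (step S124 of the text), or None if absent."""
    for p in walk_eprocess_list(aspace):
        if p["pid"] == pid:
            return p
    return None


def build_sample_image():
    """Constructed image: three EPROCESS structures linked circularly through the head."""
    image = bytearray(0x4000)
    bases = [0x2000, 0x2100, 0x2200]
    table = [(4, b"System", 0x83000000, 0),
             (1234, b"svchost.exe", 0x83100000, 0x7ffd0000),
             (2048, b"explorer.exe", 0x83200000, 0x7ffd1000)]
    # LIST_ENTRY addresses in ring order: head, proc0, proc1, proc2, head.
    ring = [PS_ACTIVE_PROCESS_HEAD] + [b + OFF_LINKS for b in bases] + [PS_ACTIVE_PROCESS_HEAD]
    for i, (base, (pid, name, vad, peb)) in enumerate(zip(bases, table)):
        struct.pack_into("<I", image, base + OFF_PID, pid)
        struct.pack_into("<II", image, base + OFF_LINKS, ring[i + 2], ring[i])  # Flink, Blink
        struct.pack_into("<I", image, base + OFF_VADROOT, vad)
        struct.pack_into("<I", image, base + OFF_PEB, peb)
        image[base + OFF_NAME:base + OFF_NAME + len(name)] = name
    struct.pack_into("<II", image, PS_ACTIVE_PROCESS_HEAD, ring[1], ring[3])
    return bytes(image)


if __name__ == "__main__":
    for p in walk_eprocess_list(AddressSpace(build_sample_image())):
        print(f"{p['pid']:>6} {p['name']:<16} EPROCESS={p['eprocess']:#x} "
              f"VadRoot={p['vad_root']:#x} Peb={p['peb']:#x}")
```

The VadRoot and Peb values returned here are the two starting points the rest of the description uses: VadRoot for the kernel-side VAD tree and Peb for the user-side loader lists. A process that a rootkit has unlinked from ActiveProcessLinks would not appear in this walk at all, which is why Volatility also offers pool-tag scanning for EPROCESS; the patent's method only needs the linked list because it starts from processes already observed generating network traffic.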
According to the above process management structure, in one embodiment of the invention, obtaining the content related to the target process from the memory of the designated virtual machine in step S120 of the method of Fig. 1 comprises: obtaining the DLL information loaded by the target process from the process environment block (PEB) located in the user address space; and obtaining the DLL information loaded by the target process from the virtual address descriptor (VAD) structures located in the kernel address space.
A dynamic link library (DLL) is the Windows implementation of the run-time linking mechanism and one of the fundamental mechanisms of the Windows system. Both the operating system and applications provide and use large numbers of DLL files; a program uses the functionality a DLL provides by mapping the DLL into its own address space and calling the interfaces in it.
Specifically, in order to obtain the DLL information recorded for the target process, in one embodiment of the invention obtaining the DLL information loaded by the target process from the PEB located in the user address space comprises: obtaining the DLL information loaded by the target process from the three doubly linked lists of the PEB whose nodes record DLL information. As shown in Fig. 3, the three doubly linked lists are: InLoadOrderList, sorted by load order; InMemoryOrderList, sorted by order in memory; and InInitOrderList, sorted by initialization order.
Besides obtaining DLL information through the PEB, the operating system maintains the usage of the process address space in a tree structure composed of VAD structures. Fig. 4 shows a schematic diagram of the VAD data structure according to an embodiment of the invention. As shown in Fig. 4, an MMVAD structure records an allocated section of the process address space and holds information such as the first page of the section (StartingVpn), its last page (EndingVpn), its permission flags (VadFlags) and the file the section may map (FilePointer); the DLL information loaded by the process can also be obtained from this structure.
Specifically, in one embodiment of the invention, obtaining the DLL information loaded by the target process from the VAD structure located in kernel address space comprises:
Step S124: traversing the EPROCESS linked list to obtain the EPROCESS address of the target process.
Step S125: obtaining the address VadRoot of the root node of the VAD tree from the EPROCESS data structure at the EPROCESS address of the target process.
Step S126: traversing the VAD tree with a pre-order traversal algorithm and extracting the VAD nodes that have execute permission and whose FileName is not empty.
Step S127: obtaining the DLL information loaded by the target process from the information in the extracted VAD nodes.
One of the biggest differences between a normally loaded DLL and a DLL injected by malware is the concealment of the loaded DLL file. The embodiments above describe obtaining the DLL information loaded by the target process from the PEB located in user address space and from the VAD structure located in kernel address space respectively. It can be seen that the DLL information loaded by the target process is kept in the three doubly linked lists pointed to by pointer members of the PEB structure. Because the PEB lies in user address space, malware can easily unlink the target DLL from these lists, and this has become the most common way for malware to hide a DLL file at user level. The VAD structure, by contrast, lies in kernel address space, where it is not easy for malware to hide a DLL file; therefore the DLL information loaded by the target process that is obtained from the VAD structure has a higher credibility than that obtained from the PEB.
Therefore, in order to detect a hidden DLL file loaded by the target process, in one embodiment of the invention, when the DLL information loaded by the target process is obtained from the PEB located in user address space and also from the VAD structure located in kernel address space, whether the target process is a parasitic process into which a malicious DLL has been injected is determined as follows: if a DLL is absent from the DLL information obtained from the PEB but present in the DLL information obtained from the VAD structure, then that DLL is a malicious DLL and the target process is a parasitic process into which a malicious DLL has been injected.
Besides hiding DLL files in user address space, malware also hides DLL files loaded by a process in kernel address space. In that case, malware running in kernel address space modifies fields such as the FILE_OBJECT pointed to by the VAD node, so that the DLL information loaded by the target process cannot be obtained from the VAD structure either; the memory block managed by that VAD node then becomes an executable region with no file mapping, which is the same type of VAD node as that produced by file-less code injection. To detect this type of injection result, the following feature is used: a DLL file, like an executable file, is organised in the PE format, so the header structure of the PE file is retained after it is loaded into the target process. For example, the first two bytes at the load address being "MZ" is the characteristic signature of an executable file, and this structural feature can still serve as a target for security monitoring.
Therefore, in one embodiment of the invention, step S130 of the method shown in Fig. 1, determining by analysing the reconstructed process management structure whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected, comprises: if the header structure of a PE format file exists in the data of the reconstructed process management structure, taking the content corresponding to that PE file header structure as the target of security monitoring.
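The VAD traversal of steps S124 to S127 and the PEB/VAD cross-view rule just stated, as an added illustration that is not code from the patent or its authors. The Windows structures are modelled as small Python objects (VadFlags.Protection is kept as the MmProtectToValue index it really is), and the sample process is constructed by hand with one DLL unlinked from all three PEB lists; the path of that DLL is hypothetical.

```python
"""Cross-view check: DLLs visible in the kernel-side VAD tree but absent from
the user-mode PEB module lists. Added example, not the patent's code."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set

# VadFlags.Protection is an index into MmProtectToValue; the low three bits
# select the base protection, and indices 2 (EXECUTE), 3 (EXECUTE_READ),
# 6 (EXECUTE_READWRITE) and 7 (EXECUTE_WRITECOPY) are executable.
EXECUTABLE_PROTECTION = {2, 3, 6, 7}


@dataclass
class VadNode:
    """Model of one MMVAD node, with the fields named in Fig. 4."""
    starting_vpn: int
    ending_vpn: int
    protection: int                    # VadFlags.Protection
    file_name: Optional[str] = None    # FilePointer -> FILE_OBJECT.FileName, if mapped
    left: Optional["VadNode"] = None
    right: Optional["VadNode"] = None


def preorder(node: Optional[VadNode]) -> Iterator[VadNode]:
    """Step S126: pre-order walk (node, left subtree, right subtree) from VadRoot."""
    if node is None:
        return
    yield node
    yield from preorder(node.left)
    yield from preorder(node.right)


def dlls_from_vad(vad_root: Optional[VadNode]) -> Set[str]:
    """Steps S126/S127: keep nodes that are executable and backed by a named file."""
    return {
        node.file_name
        for node in preorder(vad_root)
        if (node.protection & 7) in EXECUTABLE_PROTECTION and node.file_name
    }


@dataclass
class PebLdrLists:
    """The three doubly linked lists reachable from PEB.Ldr, flattened to names."""
    in_load_order: List[str]
    in_memory_order: List[str]
    in_init_order: List[str]


def dlls_from_peb(ldr: PebLdrLists) -> Set[str]:
    """Union of the three lists; a DLL unlinked from all three is invisible here."""
    return set(ldr.in_load_order) | set(ldr.in_memory_order) | set(ldr.in_init_order)


def hidden_dlls(ldr: PebLdrLists, vad_root: Optional[VadNode]) -> List[str]:
    """The patent's rule: present in the VAD view, absent from the PEB view."""
    return sorted(dlls_from_vad(vad_root) - dlls_from_peb(ldr))


def build_sample():
    """Constructed sample: two normally loaded DLLs plus one DLL (hypothetical
    path) unlinked from every PEB list. The private EXECUTE_READWRITE region
    has no file name, so the VAD filter of step S126 ignores it."""
    ntdll = r"C:\Windows\System32\ntdll.dll"
    kernel32 = r"C:\Windows\System32\kernel32.dll"
    evil = r"C:\Users\Public\evil.dll"
    ldr = PebLdrLists([ntdll, kernel32], [ntdll, kernel32], [ntdll, kernel32])
    root = VadNode(0x400, 0x4FF, 3, file_name=ntdll)
    root.left = VadNode(0x100, 0x1FF, 4)             # private READWRITE heap
    root.left.right = VadNode(0x200, 0x2FF, 6)       # private RWX, no file mapping
    root.right = VadNode(0x700, 0x7FF, 3, file_name=kernel32)
    root.right.right = VadNode(0x900, 0x9FF, 3, file_name=evil)
    return ldr, root


if __name__ == "__main__":
    sample_ldr, sample_root = build_sample()
    print("DLLs hidden from the PEB:", hidden_dlls(sample_ldr, sample_root))
```

Taking the union of the three lists matters: an injector that unlinks from only one list would otherwise show up as a false positive. The check is only as good as the kernel view, which is exactly the limitation the next paragraph addresses.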
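The PE header scan of the preceding two paragraphs, as an added example rather than code from the patent. It walks constructed executable regions, treats only those with no file backing as candidates (a mapped system DLL legitimately carries an "MZ" header), and, as an addition beyond the two-byte "MZ" test the text describes, follows e_lfanew to the "PE\0\0" signature so that a stray "MZ" pair in heap data is not reported.

```python
"""Find executable regions that carry an in-memory PE header but are not
backed by a mapped file. Added example, not the patent's code."""
import struct
from typing import Iterable, List, Optional, Tuple

# Same convention as VadFlags.Protection: low three bits 2, 3, 6 or 7 are executable.
EXECUTABLE_PROTECTION = {2, 3, 6, 7}

# (base address, VadFlags.Protection, FILE_OBJECT.FileName or None, region bytes)
Region = Tuple[int, int, Optional[str], bytes]


def looks_like_pe(data: bytes) -> bool:
    """IMAGE_DOS_HEADER.e_magic must be "MZ" and e_lfanew (offset 0x3C) must
    point at the IMAGE_NT_HEADERS signature "PE\\0\\0" inside the region."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def monitoring_targets(regions: Iterable[Region]) -> List[int]:
    """Executable, not file-backed, PE header at the region base: the regions
    the text says should become the target of security monitoring."""
    return [
        base
        for base, protection, file_name, data in regions
        if (protection & 7) in EXECUTABLE_PROTECTION
        and file_name is None
        and looks_like_pe(data)
    ]


def minimal_pe_image(size: int = 0x200) -> bytes:
    """Constructed: a DOS header whose e_lfanew points at a PE signature at 0x80."""
    image = bytearray(size)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)
    image[0x80:0x84] = b"PE\0\0"
    return bytes(image)


def build_sample() -> List[Region]:
    """Constructed regions: a mapped system DLL, a heap block that happens to
    start with 'MZ', an image loaded without any file backing, and plain data."""
    ntdll = r"C:\Windows\System32\ntdll.dll"
    return [
        (0x7FF800000000, 3, ntdll, minimal_pe_image()),     # file-backed: not a target
        (0xA00000, 6, None, b"MZ" + b"A" * 0x1000),         # "MZ" but no PE signature
        (0xB00000, 6, None, minimal_pe_image()),           # PE image with no file: target
        (0xC00000, 4, None, b"\x00" * 0x1000),             # READWRITE data: ignored
    ]


if __name__ == "__main__":
    print([hex(b) for b in monitoring_targets(build_sample())])
```

An injector that overwrites the DOS and NT headers after loading ("header stomping") defeats this test, which is why the entropy-based check that follows is used alongside it rather than instead of it.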
Generally, the memory block in which code injected into a target process resides contains complex control logic to implement its function, and obfuscation techniques such as encryption are often used to increase the difficulty of reverse analysis. In order to detect this kind of code injection, the present invention proposes a security detection method based on information entropy, in which the value of the information entropy characterises the complexity of the executable code loaded into the target process.
Specifically, in one embodiment of the invention, step S120 of the method shown in Fig. 1, reconstructing outside the designated virtual machine the process management structure of the target process inside the designated virtual machine, comprises: obtaining from the memory of the designated virtual machine the executable code related to the target process that resides in different executable memory blocks. Step S130, determining by analysing the reconstructed process management structure whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected, comprises: calculating the entropy of the executable code in each of the different memory blocks respectively, and, if executable code whose calculated entropy exceeds a predetermined threshold exists, determining that the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
Further, in order to study the distribution of the information entropy of the executable code regions loaded into target processes, the present invention dumps the executable regions of all process address spaces into separate files while the system is running, samples these files and calculates their entropy, counts the distribution across entropy ranges, and plots the histograms shown in Figs. 5A to 5D. Fig. 5A shows the cumulative distribution of the information entropy of the executable regions in the process address space according to one embodiment of the invention, and Fig. 5B the corresponding distribution; Fig. 5C shows the cumulative distribution of the information entropy of the executable regions in the process address space according to another embodiment of the invention, and Fig. 5D the corresponding distribution. Figs. 5A and 5B apply no filter condition; it can be seen that about 10% of the mapped regions have an information entropy of roughly 0. Analysis of the dump files corresponding to these regions showed that these executable regions were not actually loaded into physical memory, which is why their information entropy is so low. Figs. 5C and 5D show the histograms after the executable regions that were not actually loaded have been filtered out; it can be seen that executable memory blocks with an entropy above 0.8 account for the overwhelming majority of all dumped executable blocks, and therefore in this embodiment 0.8 is used as the predetermined threshold.
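The entropy check of the preceding three paragraphs, as an added example that is not the patent's code. The text does not state the scale of its entropy values, so the example assumes Shannon entropy in bits per byte divided by 8, which puts the result in [0, 1] and lets the 0.8 threshold apply directly; it also filters out the near-zero regions that Figs. 5A and 5B attribute to pages never brought into physical memory. The regions are constructed inline.

```python
"""Information-entropy check over the executable regions of a process.
Added example, not the patent's code. The [0, 1] normalisation is an assumption."""
import math
from collections import Counter
from typing import Iterable, List, Tuple

THRESHOLD = 0.8        # value chosen in the embodiment of Figs. 5C/5D
RESIDENT_FLOOR = 0.01  # at or below this the region read back as (almost) all zeros


def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution in bits per byte, divided by 8."""
    if not data:
        return 0.0
    n = len(data)
    bits = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return bits / 8.0


def is_resident(data: bytes) -> bool:
    """Figs. 5A/5B: about 10% of 'executable' regions had entropy near 0 because
    the pages were not actually in physical memory; drop those before thresholding."""
    return normalized_entropy(data) > RESIDENT_FLOOR


def high_entropy_regions(regions: Iterable[Tuple[int, bytes]],
                         threshold: float = THRESHOLD) -> List[Tuple[int, float]]:
    """(base, entropy) for every resident executable region above the threshold."""
    hits = []
    for base, data in regions:
        if not is_resident(data):
            continue
        entropy = normalized_entropy(data)
        if entropy > threshold:
            hits.append((base, round(entropy, 3)))
    return hits


def is_parasitic(regions: Iterable[Tuple[int, bytes]], threshold: float = THRESHOLD) -> bool:
    """Step S130 as the text states it: any block over the threshold flags the process."""
    return bool(high_entropy_regions(list(regions), threshold))


def build_sample() -> List[Tuple[int, bytes]]:
    """Constructed regions: an executable region that was never paged in (all
    zeros), a block of repeated opcodes with low entropy, and a block that
    cycles through every byte value, standing in for packed or encrypted code."""
    return [
        (0x400000, bytes(4096)),
        (0x500000, b"\x90" * 3000 + b"\xc3" * 1096),
        (0x600000, bytes(range(256)) * 16),
    ]


if __name__ == "__main__":
    for base, data in build_sample():
        print(hex(base), "resident" if is_resident(data) else "not resident",
              round(normalized_entropy(data), 3))
    print("parasitic:", is_parasitic(build_sample()))
```

The threshold is the one this embodiment derived from its own histograms; the text itself notes that most benign executable blocks also lie above 0.8, so in practice the value has to be calibrated against a baseline of the workload being monitored and combined with the PEB/VAD and PE-header checks rather than used alone.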
Fig. 6 shows a schematic diagram of a device for detecting a parasitic process in a virtual machine according to one embodiment of the invention. As shown in Fig. 6, the device 600 for detecting a parasitic process in a virtual machine comprises:
a target process determining unit 610, adapted to determine one or more processes in the designated virtual machine as target processes;
a process management structure reconstruction unit 620, adapted, for each target process, to reconstruct outside the designated virtual machine the process management structure of the target process inside the designated virtual machine; and
a security detection unit 630, adapted to determine, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
It can be seen that, through the cooperation of its units, the device shown in Fig. 6 addresses the behavioural characteristic of malware infecting a virtual machine, namely parasitising executable code or a DLL file in a process: it reconstructs outside the designated virtual machine the process management structure of the target process inside the designated virtual machine and, by analysing the reconstructed process management structure, makes a comparatively comprehensive judgement of whether a process running in the virtual machine has become a parasitic process of malware. Compared with existing signature detection or memory space scanning, this detection scheme has higher real-time capability, flexibility, universality and accuracy, can discover the parasitic behaviour of malware on a process promptly and effectively, and meets the joint requirements of the cloud service provider and the user.
In one embodiment of the invention, for reasons of efficiency, and in order to capture more abnormal behaviour within the same detection cycle, the device shown in Fig. 6 is driven by network behaviour. That is, in one embodiment of the invention, the target process determining unit 610 is adapted to take one or more processes in the designated virtual machine that exhibit network behaviour as the target processes.
In one embodiment of the invention, the process management structure reconstruction unit 620 is adapted to obtain the relevant content of the target process from the memory of the designated virtual machine and, based on the relevant content obtained, to reconstruct the process management structure of the target process inside the designated virtual machine. Specifically, the process management structure reconstruction unit 620 is adapted to use LibVMI to map the memory address space of the designated virtual machine that corresponds to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; to generate, based on the Volatility framework, a script for analysing and reading the memory of the designated virtual machine at run time; and to use the script to obtain the relevant content of the target process through the mapped memory address space of Domain 0. The implementation principle of this embodiment is shown in Fig. 2 and has been described in detail above, so it is not repeated here.
As shown in Fig. 3, the EPROCESS data structure of the process management structure comprises the following members that are important for process management: PCB, CreateTime/ExitTime, UniqueProcessId, VadRoot and Peb. Based on this process management structure information, in one embodiment of the invention, the process management structure reconstruction unit 620 is adapted to obtain the DLL information loaded by the target process from the Process Environment Block (PEB) located in user address space, and to obtain the DLL information loaded by the target process from the Virtual Address Descriptor (VAD) structure located in kernel address space.
Specifically, the process management structure reconstruction unit 620 is adapted to obtain the DLL information loaded by the target process from the three doubly linked lists of the PEB whose nodes record DLL information, the three doubly linked lists being: InLoadOrderList, sorted by load order; InMemoryOrderList, sorted by order in memory; and InInitOrderList, sorted by initialization order. Furthermore, the process management structure reconstruction unit 620 is adapted to traverse the EPROCESS linked list to obtain the EPROCESS address of the target process, to obtain the address VadRoot of the root node of the VAD tree from the EPROCESS data structure at the EPROCESS address of the target process, to traverse the VAD tree with a pre-order traversal algorithm, to extract the VAD nodes that have execute permission and whose FileName is not empty, and to obtain the DLL information loaded by the target process from the information in the extracted VAD nodes. The VAD data structure is as shown in Fig. 4 and is not repeated here.
In order to detect a hidden DLL file loaded by the target process, in one embodiment of the invention, when the process management structure reconstruction unit obtains the DLL information loaded by the target process from the PEB located in user address space and also from the VAD structure located in kernel address space, the security detection unit 630 is adapted, when a DLL is absent from the DLL information obtained from the PEB but present in the DLL information obtained from the VAD structure, to determine that the DLL is a malicious DLL and further to determine that the target process is a parasitic process into which a malicious DLL has been injected.
In order to detect the result of code injection, or of the injection of a DLL file hidden in kernel address space, the following feature is used: a DLL file, like an executable file, is organised in the PE format, so the header structure of the PE file is retained after it is loaded into the target process; for example, the first two bytes at the load address being "MZ" is the characteristic signature of an executable file, and this structural feature can still serve as a target for security monitoring. Therefore, in one embodiment of the invention, the security detection unit 630 is adapted to detect whether the header structure of a PE format file exists in the data of the reconstructed process management structure and, if it does, to take the content corresponding to that PE file header structure as the target of security monitoring.
Generally, the memory block in which code injected into a target process resides contains complex control logic to implement its function, and obfuscation techniques such as encryption are often used to increase the difficulty of reverse analysis. In order to detect this kind of code injection, the present invention proposes a security detection method based on information entropy, in which the value of the information entropy characterises the complexity of the executable code loaded into the target process. Specifically, in one embodiment of the invention, the process management structure reconstruction unit 620 is adapted to obtain from the memory of the designated virtual machine the executable code related to the target process that resides in different executable memory blocks; correspondingly, the security detection unit 630 is adapted to calculate the entropy of the executable code in each of the different memory blocks respectively and, if executable code whose calculated entropy exceeds a predetermined threshold exists, to determine that the target process is a parasitic process into which malicious code or a malicious DLL has been injected. The implementation principle of this embodiment is shown in Figs. 5A to 5D and is not repeated here.
In summary, the technical scheme provided by the invention addresses the behavioural characteristic of malware infecting a virtual machine, namely parasitising executable code or a DLL file in a process, and proposes a scheme for detecting a parasitic process in a virtual machine. The scheme combines virtualization technology with memory analysis technology to achieve virtual machine introspection: it reconstructs outside the designated virtual machine the process management structure of the target process inside the designated virtual machine and, by analysing the reconstructed process management structure, makes a comparatively comprehensive judgement of whether a process running in the virtual machine has become a parasitic process of malware. Compared with existing signature detection or memory space scanning methods, this detection scheme has higher real-time capability, flexibility, universality and accuracy, can discover the parasitic behaviour of malware on a process promptly and effectively, and meets the joint requirements of the cloud service provider and the user.
It should be noted that:
The algorithms and displays provided herein are not inherently related to any particular computer, virtual device or other equipment. Various general-purpose devices may also be used together with the teachings herein. The structure required to construct such devices is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is for the purpose of disclosing the best mode of the invention.
In the specification provided herein, numerous specific details are described. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all the features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The components of embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for detecting a parasitic process in a virtual machine according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a method for detecting a parasitic process in a virtual machine, wherein the method comprises:
determining one or more processes in a designated virtual machine as target processes;
for each target process, reconstructing outside the designated virtual machine the process management structure of the target process inside the designated virtual machine; and
determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
A2. The method according to A1, wherein determining one or more processes in the designated virtual machine as target processes comprises:
taking one or more processes in the designated virtual machine that exhibit network behaviour as target processes.
A3. The method according to A1, wherein reconstructing outside the designated virtual machine the process management structure of the target process inside the designated virtual machine comprises:
obtaining the relevant content of the target process from the memory of the designated virtual machine.
A4. The method according to A3, wherein obtaining the relevant content of the target process from the memory of the designated virtual machine comprises:
using LibVMI to map the memory address space of the designated virtual machine that corresponds to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework;
generating, based on the Volatility framework, a script for analysing and reading the memory of the designated virtual machine at run time; and
the script obtaining the relevant content of the target process through the mapped memory address space of Domain 0.
A5. The method according to A3, wherein obtaining the relevant content of the target process from the memory of the designated virtual machine comprises:
obtaining the DLL information loaded by the target process from the Process Environment Block (PEB) located in user address space; and
obtaining the DLL information loaded by the target process from the Virtual Address Descriptor (VAD) structure located in kernel address space.
A6. The method according to A5, wherein obtaining the DLL information loaded by the target process from the PEB located in user address space comprises:
obtaining the DLL information loaded by the target process from the three doubly linked lists of the PEB whose nodes record DLL information;
wherein the three doubly linked lists are: InLoadOrderList, sorted by load order; InMemoryOrderList, sorted by order in memory; and InInitOrderList, sorted by initialization order.
A7. The method according to A5, wherein obtaining the DLL information loaded by the target process from the VAD structure located in kernel address space comprises:
traversing the EPROCESS linked list to obtain the EPROCESS address of the target process;
obtaining the address VadRoot of the root node of the VAD tree from the EPROCESS data structure at the EPROCESS address of the target process;
traversing the VAD tree with a pre-order traversal algorithm and extracting the VAD nodes that have execute permission and whose FileName is not empty; and
obtaining the DLL information loaded by the target process from the information in the extracted VAD nodes.
A8. The method according to A5, wherein, when the DLL information loaded by the target process is obtained from the PEB located in user address space and also from the VAD structure located in kernel address space, whether the target process is a parasitic process into which a malicious DLL has been injected is determined as follows:
if a DLL is absent from the DLL information obtained from the PEB but present in the DLL information obtained from the VAD structure, the DLL is a malicious DLL and the target process is a parasitic process into which a malicious DLL has been injected.
A9. The method according to any one of A1 to A8, wherein determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected comprises:
if the header structure of a PE format file exists in the data of the reconstructed process management structure, taking the content corresponding to that PE file header structure as the target of security monitoring.
A10. The method according to any one of A1 to A8, wherein
reconstructing outside the designated virtual machine the process management structure of the target process inside the designated virtual machine comprises: obtaining from the memory of the designated virtual machine the executable code related to the target process that resides in different executable memory blocks; and
determining, by analysing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected comprises:
calculating the entropy of the executable code in each of the different memory blocks respectively and, if executable code whose calculated entropy exceeds a predetermined threshold exists, determining that the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
The invention also discloses the device of B11, a kind of parasitic process detected in virtual machine, wherein, this device comprises:
Target process determining unit, is suitable for determining that one or more processes in designated virtual machine are as target process;
Reconstruction progress management structure unit, is suitable for for each target process, in the management of process structure of described designated virtual machine outside this target process of reconstruct in described designated virtual machine inside;
Safety detection unit, is suitable for the management of process structure by analyzing reconstruct, determines whether this target process is the parasitic process being injected into malicious code or being injected into malice dynamic link library (DLL).
B12, device as described in B11, wherein,
Described target process determining unit, is suitable for one or more processes of the generation network behavior in described designated virtual machine as target process.
B13, device as described in B11, wherein,
Described reconstruction progress management structure unit, is suitable for the related content of this target process obtained in the internal memory of described designated virtual machine, according to the related content of this target process obtained, reconstructs the management of process structure of this target process in described designated virtual machine inside.
B14, device as described in B13, wherein,
Described reconstruction progress management structure unit, is suitable for using Libvmi to map the memory address space of memory address space corresponding to this target process of described designated virtual machine to Domain 0, thus provides address space support for Volatility framework; Generate the script for carrying out analyzing reading to designated virtual machine internal memory when running based on described Volatility framework; And be suitable for using described script to obtain the related content of this target process by the memory address space of the Domain 0 after mapping.
B15, device as described in B13, wherein,
Described reconstruction progress management structure unit, is suitable for the DLL information obtaining the loading of this target process from the process context block PEB being positioned at user address space; Be suitable for from the virtual address descriptor VAD structure being arranged in kernel address space obtain this target process load DLL information.
B16, device as described in B15, wherein,
Described reconstruction progress management structure unit, is suitable for the DLL information obtaining the loading of this target process from the doubly linked list be made up of record DLL information node of three PEB;
Wherein, three doubly linked list submeters are: according to the InLoadOrderList of loading sequence sequence, according to the InMemoryOrderList of order sequence in internal memory and the InInitOrderList according to initialization order sequence.
B17, device as described in B15, wherein,
Described reconstruction progress management structure unit, be suitable for traversal EPROCESS chained list, obtain the EPROCESS address of this target process, the address VadRoot of the root node of VAD tree is obtained from the EPROCESS data structure the EPROCESS address of this target process, preorder traversal algorithm is used to travel through VAD tree, extraction has execution authority and FileName is not empty VAD node, according to the DLL information of this target process of the acquisition of information loading in the VAD node extracted.
B18, device as described in B15, wherein, when described reconstruction progress management structure unit obtains the DLL information of this target process loading from the process context block PEB being positioned at user address space, and, when obtaining the DLL information of this target process loading from the virtual address descriptor VAD structure being arranged in kernel address space
Described safety detection unit, be suitable for working as a DLL not exist in the DLL information obtained from PEB, and when existing in the DLL information obtained from VAD structure, determine that this DLL is for malice DLL, determine that this target process is the parasitic process being injected into malice DLL further.
B19. The device according to any one of B11 to B18, wherein
the safety detection unit is adapted to detect whether the header structure of a PE-format file exists in the data of the reconstructed process management structure and, if it does, to take the content corresponding to that PE file header as the target of safety monitoring.
B20. The device according to any one of B11 to B18, wherein
the process management structure reconstruction unit is adapted to obtain, from the memory of the designated virtual machine, the executable code related to the target process that is located in the different executable memory blocks;
the safety detection unit is adapted to calculate the entropy of the executable code in each of the different memory blocks separately and, if the calculated entropy of any block of executable code exceeds a predetermined threshold, to determine that the target process is a parasitic process into which malicious code or a malicious DLL has been injected.
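The two checks of clauses B19 and B20, as an added example that is not the patent's own code: it scans each executable memory block of a target process for an in-memory PE header (an `MZ` stub whose `e_lfanew` points at a `PE\0\0` signature) and computes the Shannon entropy of each block against a threshold. The memory regions, the minimal PE stub and the 7.0 bits-per-byte threshold are constructed assumptions for the example; the patent states only that a predetermined threshold is used, not its value.

```python
"""PE header scan and entropy check over a target process's executable regions.

Added example (not the patent's code). Regions and threshold are constructed."""
import math
import random
import struct
from dataclasses import dataclass
from typing import Dict, List

# Assumed threshold on Shannon entropy in bits per byte (the maximum is 8.0).
ENTROPY_THRESHOLD = 7.0


@dataclass
class MemoryRegion:
    """One memory block of the target process as read from the VM's memory."""
    start: int
    data: bytes
    executable: bool


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_pe_headers(data: bytes) -> List[int]:
    """Offsets in data of PE headers: an 'MZ' DOS stub whose e_lfanew field
    (at +0x3C) points at a 'PE\\0\\0' signature inside the same block."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # e_lfanew must at least skip the 0x40-byte DOS header.
            if e_lfanew >= 0x40 and data[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def analyse_regions(regions: List[MemoryRegion],
                    threshold: float = ENTROPY_THRESHOLD) -> List[Dict]:
    """Apply the B19 (PE header) and B20 (entropy) checks to each executable region."""
    findings = []
    for r in regions:
        if not r.executable:
            continue
        ent = shannon_entropy(r.data)
        headers = [r.start + off for off in find_pe_headers(r.data)]
        findings.append({
            "start": r.start,
            "entropy": round(ent, 3),
            "pe_headers": headers,            # B19: content to place under monitoring
            "high_entropy": ent > threshold,  # B20: parasitic-process indicator
        })
    return findings


def is_parasitic(regions: List[MemoryRegion],
                 threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Clause B20 decision: any executable block above the entropy threshold."""
    return any(f["high_entropy"] for f in analyse_regions(regions, threshold))


def _constructed_pe_stub() -> bytes:
    """Minimal DOS header plus PE signature (constructed, not a real binary)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\x90" * 60    # NOP-filled "code" tail


def _constructed_packed_blob(n: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for packed or encrypted code."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(n))


SAMPLE_REGIONS = [
    MemoryRegion(0x00400000, _constructed_pe_stub(), executable=True),
    MemoryRegion(0x00600000, b"\x00" * 1024, executable=False),        # skipped: not executable
    MemoryRegion(0x02A10000, _constructed_packed_blob(), executable=True),
    MemoryRegion(0x02B00000, b"\xC3" * 512, executable=True),          # single-byte fill: entropy 0
]

if __name__ == "__main__":
    for finding in analyse_regions(SAMPLE_REGIONS):
        print(finding)
```

The header check locates a PE image that was mapped into memory without a backing file (a manually mapped DLL, for instance) so that its content can be put under monitoring, while the entropy check flags packed or encrypted payloads regardless of whether they carry a header. Both produce false positives on legitimate compressed or protected code, so in practice the threshold is tuned per workload and the two results are combined with the PEB/VAD comparison rather than used alone.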

Claims (10)

1. A method for detecting a parasitic process in a virtual machine, wherein the method comprises:
determining one or more processes in a designated virtual machine as target processes;
for each target process, reconstructing, outside the designated virtual machine, the process management structure of the target process inside the designated virtual machine; and
determining, by analyzing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
2. The method of claim 1, wherein determining one or more processes in the designated virtual machine as target processes comprises:
taking the one or more processes in the designated virtual machine that generate network behaviour as target processes.
3. The method of claim 1, wherein reconstructing, outside the designated virtual machine, the process management structure of the target process inside the designated virtual machine comprises:
obtaining the related content of the target process from the memory of the designated virtual machine.
4. The method of claim 3, wherein obtaining the related content of the target process from the memory of the designated virtual machine comprises:
using Libvmi to map the memory address space of the designated virtual machine that corresponds to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework;
generating, based on the Volatility framework, a script for analyzing and reading the memory of the designated virtual machine at run time; and
obtaining, by the script, the related content of the target process through the mapped memory address space of Domain 0.
5. The method of claim 3, wherein obtaining the related content of the target process from the memory of the designated virtual machine comprises:
obtaining the DLL information loaded by the target process from the process environment block (PEB) located in user address space; and
obtaining the DLL information loaded by the target process from the virtual address descriptor (VAD) structure located in kernel address space.
6. A device for detecting a parasitic process in a virtual machine, wherein the device comprises:
a target process determining unit, adapted to determine one or more processes in a designated virtual machine as target processes;
a process management structure reconstruction unit, adapted to reconstruct, for each target process and outside the designated virtual machine, the process management structure of the target process inside the designated virtual machine; and
a safety detection unit, adapted to determine, by analyzing the reconstructed process management structure, whether the target process is a parasitic process into which malicious code or a malicious dynamic link library (DLL) has been injected.
7. The device of claim 6, wherein
the target process determining unit is adapted to take the one or more processes in the designated virtual machine that generate network behaviour as target processes.
8. The device of claim 6, wherein
the process management structure reconstruction unit is adapted to obtain the related content of the target process from the memory of the designated virtual machine and, according to the obtained related content of the target process, to reconstruct the process management structure of the target process inside the designated virtual machine.
9. The device of claim 8, wherein
the process management structure reconstruction unit is adapted to use Libvmi to map the memory address space of the designated virtual machine that corresponds to the target process into the memory address space of Domain 0, thereby providing address space support for the Volatility framework; to generate, based on the Volatility framework, a script for analyzing and reading the memory of the designated virtual machine at run time; and to use the script to obtain the related content of the target process through the mapped memory address space of Domain 0.
10. The device of claim 8, wherein
the process management structure reconstruction unit is adapted to obtain the DLL information loaded by the target process from the process environment block (PEB) located in user address space, and to obtain the DLL information loaded by the target process from the virtual address descriptor (VAD) structure located in kernel address space.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510149766.0A CN104714831B (en) 2015-03-31 2015-03-31 A kind of method and apparatus of parasitic process in detection virtual machine

Publications (2)

Publication Number Publication Date
CN104714831A true CN104714831A (en) 2015-06-17
CN104714831B CN104714831B (en) 2018-04-17

Family

ID=53414201

Country Status (1)

Country Link
CN (1) CN104714831B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106156610A (en) * 2016-06-29 2016-11-23 北京金山安全软件有限公司 Process path acquisition method and device and electronic equipment
CN109597675A (en) * 2018-10-25 2019-04-09 中国科学院信息工程研究所 Virtual machine Malware behavioral value method and system
CN109918907A (en) * 2019-01-30 2019-06-21 国家计算机网络与信息安全管理中心 Linux platform proceeding internal memory malicious code evidence collecting method, controller and medium
CN112487414A (en) * 2019-09-12 2021-03-12 腾讯科技(深圳)有限公司 Method, device and equipment for acquiring process command line and storage medium
CN115481397B (en) * 2022-08-31 2023-06-06 中国人民解放军战略支援部队信息工程大学 Code injection attack evidence obtaining detection method and system based on memory structure reverse analysis

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0755004A2 (en) * 1995-07-18 1997-01-22 Nec Corporation Communication facilities for heterogeneous distributed computing
CN101841523A (en) * 2010-02-05 2010-09-22 中国科学院计算技术研究所 Method for detecting network behavior of malicious code sample and system thereof
CN101848092A (en) * 2009-03-25 2010-09-29 华为技术有限公司 Malicious code detection method and device
CN101977188A (en) * 2010-10-14 2011-02-16 中国科学院计算技术研究所 Malicious program detection system
CN101984450A (en) * 2010-12-15 2011-03-09 北京安天电子设备有限公司 Malicious code detection method and system
CN103065084A (en) * 2012-12-27 2013-04-24 武汉大学 Windows hidden process detection method performed at external machine of virtual machine
CN104392171A (en) * 2014-11-27 2015-03-04 南京大学 Automatic memory evidence analyzing method based on data association

Also Published As

Publication number Publication date
CN104714831B (en) 2018-04-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220718

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.