CN104899512A - Windows system service descriptor table tamper-proofing apparatus and method - Google Patents


Info

Publication number
CN104899512A
Authority
CN
China
Prior art keywords
cpu, module, descriptor table, driver module, instruction
Legal status (an assumption by Google Patents, not a legal conclusion)
Pending
Application number
CN201510275475.6A
Other languages
Chinese (zh)
Inventor
邢希双
Current Assignee (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Inspur Electronic Information Industry Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Priority date (an assumption by Google Patents, not a legal conclusion)
Filing date
Publication date
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN201510275475.6A
Publication of CN104899512A
Legal status: pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a Windows system service descriptor table (SSDT) tamper-proofing apparatus and method. The apparatus comprises a main service process module, a CPU virtualization driver module and an OS communication driver module. The main service process module is configured to install the CPU virtualization driver module and the OS communication driver module; the OS communication driver module is configured to acquire the memory address range of the system service descriptor table; and the CPU virtualization driver module is configured, after initialization, to acquire CPU instructions and to intercept, according to the memory address range of the system service descriptor table, any CPU instruction that tampers with the table. The invention improves the security of the Windows operating system.

Description

A Windows system service descriptor table tamper-resistant apparatus and method
Technical field
The present invention relates to the field of computer security, and in particular to a Windows system service descriptor table (SSDT) tamper-resistant apparatus and method.
Background
As computer technology develops, users' requirements for computer security keep rising. The operating system is the core of the computer: once it is controlled or abused by a hacker or an unauthorised user, the consequences are hard to predict. The system service descriptor table (SSDT) is a critical component of the Windows operating system and the single entry point through which all application-level APIs reach the kernel. Hackers often use rootkit backdoor programs of their own to tamper with the SSDT (hooking its entries) in order to hide themselves or subvert the normal behaviour of the system, so preventing malicious modification of the SSDT is a problem that urgently needs solving.
At present the main tamper-resistance method for the SSDT is the PatchGuard mechanism built into the Windows operating system: while the operating system is running it periodically checks whether the SSDT has been tampered with, and if so the operating system immediately reports an error and crashes.
PatchGuard, however, does not take effect while the Windows operating system is running in debugging mode, that is, with a kernel debugger attached. A hacker's rootkit backdoor can therefore switch the Windows operating system into debugging mode and then tamper with the SSDT unhindered. Relying on PatchGuard alone thus leaves the security of the Windows operating system relatively low.
Summary of the invention
The invention provides a Windows SSDT tamper-resistant apparatus and method that can improve the security of the Windows operating system.
The invention provides a Windows SSDT tamper-resistant apparatus comprising a main service process module, a CPU virtualization driver module and an OS communication driver module, where:
the main service process module is configured to install the CPU virtualization driver module and the OS communication driver module;
the OS communication driver module is configured to obtain the memory address range of the SSDT;
the CPU virtualization driver module is configured, after initialization, to obtain CPU instructions and, according to the memory address range of the SSDT, to intercept any CPU instruction that would tamper with the SSDT.
Preferably, after the CPU virtualization driver module is installed it performs an initialization comprising any one or more of: allocating the memory required for the root-mode entry area and the virtual machine control block (VMCB); setting the flag bits of the CPU control registers; filling in the version information of the VMCB; switching the CPU into virtual machine mode; initializing and activating the VMCB; filling the SSDT memory address range obtained from the OS communication driver module into the VMCB so as to mark memory operations on that range for interception; and running the current operating system as a virtual machine on the virtual CPU.
Preferably, the CPU virtualization driver module is implemented as a kernel driver that starts automatically with the operating system; its code is executed by the CPU in root mode (the hypervisor's privilege level) and therefore has the highest privilege.
Preferably, the CPU virtualization driver module determines whether an obtained CPU instruction is a memory write; if not, the instruction is not intercepted; if so, the module obtains the (first) memory address the instruction will write to and determines whether that address lies within the SSDT memory address range; if not, the instruction is not intercepted, and if so, it is intercepted.
Preferably, the OS communication driver module is likewise implemented as a kernel driver that starts automatically with the operating system; its code is executed by the CPU in non-root mode at ring 0, so its privilege is lower than that of the CPU virtualization driver module and the same as that of other operating system kernel code.
Further, the main service process module, on receiving an unload command from the user, unloads the OS communication driver module and the CPU virtualization driver module and, once that is complete, unloads itself.
Further, the OS communication driver module receives the intercepted-instruction messages sent by the CPU virtualization driver module and forms an interception log; on receiving a get-log command from the main service process module it returns the interception log to the main service process module.
The present invention further provides a Windows SSDT tamper-resistant method, comprising:
installing the CPU virtualization driver module and the OS communication driver module by means of the main service process module;
obtaining the memory address range of the SSDT by means of the OS communication driver module;
initializing the CPU virtualization driver module according to the memory address range of the SSDT;
obtaining CPU instructions by the CPU virtualization driver module; and
intercepting, by the CPU virtualization driver module and according to the memory address range of the SSDT, any CPU instruction that tampers with the SSDT.
Preferably, initializing the CPU virtualization driver module according to the SSDT memory address range comprises any one or more of: allocating the memory required for the root-mode entry area and the virtual machine control block (VMCB); setting the flag bits of the CPU control registers; filling in the version information of the VMCB; switching the CPU into virtual machine mode; initializing and activating the VMCB; filling the SSDT memory address range obtained from the OS communication driver module into the VMCB so as to mark memory operations on that range for interception; and running the current operating system as a virtual machine on the virtual CPU.
Preferably, installing the CPU virtualization driver module by means of the main service process module comprises implementing the CPU virtualization driver module as a kernel driver that starts automatically with the operating system, whose code is executed by the CPU in root mode and therefore has the highest privilege.
Preferably, intercepting by the CPU virtualization driver module, according to the SSDT memory address range, a CPU instruction that tampers with the SSDT comprises: determining whether the CPU instruction is a memory write; if not, not intercepting it; if so, obtaining the (first) memory address it will write to and determining whether that address lies within the SSDT memory address range; if not, not intercepting it, and if so, intercepting it.
Preferably, installing the OS communication driver module by means of the main service process module comprises implementing the OS communication driver module as a kernel driver that starts automatically with the operating system, whose code is executed by the CPU in non-root mode at ring 0, so that its privilege is lower than that of the CPU virtualization driver module and the same as that of other operating system kernel code.
Further, after the main service process module receives an unload command from the user, it unloads the OS communication driver module and the CPU virtualization driver module and, when that is complete, unloads itself.
Further, the OS communication driver module receives the intercepted-instruction messages sent by the CPU virtualization driver module and forms an interception log; after receiving a get-log command from the main service process module it returns the interception log to the main service process module.
Embodiments of the invention provide a Windows SSDT tamper-resistant apparatus and method. The apparatus comprises a main service process module, a CPU virtualization driver module and an OS communication driver module. The main service process module installs the two driver modules; the OS communication driver module obtains the memory address range of the SSDT; and the CPU virtualization driver module filters the CPU instructions it obtains against that address range, blocking any instruction that would tamper with the SSDT. Whatever mode the Windows operating system is running in (including the debugging mode in which PatchGuard is inactive), every kind of malicious CPU instruction that tampers with the SSDT can be intercepted, which improves the security of the Windows operating system.
Brief description of the drawings
Fig. 1 is a schematic diagram of a Windows SSDT tamper-resistant apparatus provided by an embodiment of the invention;
Fig. 2 is a flow chart of a Windows SSDT tamper-resistant method provided by an embodiment of the invention;
Fig. 3 is a flow chart of message processing in the OS communication driver module provided by an embodiment of the invention.
Detailed description
The technical solution of the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, one embodiment of the invention provides a Windows SSDT tamper-resistant apparatus comprising a main service process module 101, a CPU virtualization driver module 102 and an OS communication driver module 103;
the main service process module 101 is configured to install the CPU virtualization driver module 102 and the OS communication driver module 103;
the OS communication driver module 103 is configured to obtain the memory address range of the SSDT;
the CPU virtualization driver module 102 is configured, after initialization, to obtain CPU instructions and, according to the memory address range of the SSDT, to intercept any CPU instruction that tampers with the SSDT.
In other words, the main service process module 101 installs the two driver modules, the OS communication driver module 103 obtains the SSDT memory address range, and the CPU virtualization driver module 102 filters every CPU instruction it obtains against that range and blocks those that would tamper with the SSDT, so that malicious modification of the SSDT is intercepted whatever mode the Windows operating system is running in, improving its security.
In one embodiment, after the CPU virtualization driver module is installed it must be initialized, which comprises any one or more of: allocating the memory required for the root-mode entry area and the virtual machine control block (VMCB); setting the flag bits of the CPU control registers; filling in the version information of the VMCB; switching the CPU into virtual machine mode; initializing and activating the VMCB; filling the SSDT memory address range obtained from the OS communication driver module into the VMCB so as to mark memory operations on that range for interception; and running the current operating system as a virtual machine on the virtual CPU. The operating system thereby runs on top of a transparent virtualization layer: the SSDT is monitored without the user being aware of it, and every kind of malicious CPU instruction that tampers with the SSDT is intercepted, improving the security of the Windows operating system.
In one embodiment, the CPU virtualization driver module is implemented as a kernel driver and starts automatically when the operating system starts; its code is executed by the CPU in root mode and thus has the highest privilege. As long as the system is running, the module intercepts CPU instructions that tamper with the SSDT, and because it holds the highest privilege, other programs cannot modify it or operate on it, so the SSDT is protected in real time and the security of the Windows operating system is improved. In practice this isolation holds only if the module's own code and data are also made unreachable from the guest, and it is only as strong as the access control on the unload path that the main service process module provides below.
In one embodiment, after the CPU virtualization driver module obtains a CPU instruction it first determines whether the instruction is a memory write; if not, it is not intercepted; if so, the module obtains the memory address the instruction will write to and determines whether that address lies within the SSDT memory address range; if not, the instruction is not intercepted, and if so, it is intercepted. In this way instructions that tamper with the SSDT are blocked while normal CPU instructions still execute promptly.
In one embodiment, the OS communication driver module is implemented as a kernel driver that starts automatically with the operating system; its code is executed by the CPU in non-root mode at ring 0, so its privilege is lower than that of the CPU virtualization driver module and the same as that of other operating system kernel code. This ensures that the OS communication driver module is running for as long as the system is running, so that interception records can be obtained in real time and assembled into an interception log.
In one embodiment, after the main service process module receives an unload command from the user it unloads the OS communication driver module and the CPU virtualization driver module and, once that is complete, unloads itself, which satisfies the user's need to modify the SSDT in special circumstances.
In one embodiment, the OS communication driver module receives the intercepted-instruction messages sent by the CPU virtualization driver module and forms an interception log; after receiving a get-log command from the main service process module it returns the log to the main service process module. Because interception takes place without the user being aware of it, the interception records let the user inspect, through the main service process module, what has been blocked and so understand the security state of the system.
To make the objects, technical solutions and advantages of the invention clearer, the Windows SSDT tamper-resistant method based on any of the Windows SSDT tamper-resistant apparatuses provided by the embodiments is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, one embodiment of the invention provides a Windows SSDT tamper-resistant method, which may comprise:
Step 201: the main service process module installs the CPU virtualization driver module and the OS communication driver module.
In one embodiment, the CPU virtualization driver module and the OS communication driver module are installed by the main service process module. The CPU virtualization driver module is implemented as a kernel driver that starts automatically with the operating system; its code is executed by the CPU in root mode, so it has the highest privilege. The OS communication driver module is implemented as a kernel driver that starts automatically with the operating system; its code is executed by the CPU in non-root mode at ring 0, so its privilege is lower than that of the CPU virtualization driver module and the same as that of other operating system kernel code. The main service process module is implemented as a Windows background service.
Step 202: the OS communication driver module obtains the memory address range of the SSDT.
In one embodiment, the OS communication driver module obtains the starting memory address and the memory address range of the SSDT of the current Windows operating system and stores them, so that later steps can decide whether to intercept a CPU instruction.
Step 203: the CPU virtualization driver module initializes.
In one embodiment, after installation the CPU virtualization driver module must perform an initialization comprising: allocating the memory required for the root-mode entry area and the virtual machine control block (VMCB); setting the flag bits of the CPU control registers; filling in the version information of the VMCB; switching the CPU into virtual machine mode; initializing and activating the VMCB; filling the SSDT memory address range obtained from the OS communication driver module into the VMCB so as to mark memory operations on that range for interception; and running the current operating system as a virtual machine on the virtual CPU. Note that this protects the table only against writes attempted from this point on; it does not verify that the table is still intact at the moment protection starts.
Step 204: the CPU virtualization driver module obtains CPU instructions.
In one embodiment, the CPU virtualization driver module obtains all the CPU instructions of the current Windows operating system (in practice, those that cause an exit into the hypervisor, such as writes to the memory marked for interception in the VMCB) and examines each of them, so that every CPU instruction that tampers with the SSDT is intercepted and protection is comprehensive.
Step 205: the CPU virtualization driver module determines whether the CPU instruction is a memory write; if so, step 206 is performed, otherwise step 209.
In one embodiment, for each obtained CPU instruction the CPU virtualization driver module first determines whether it is a memory write. If it is, the module must further determine whether it writes to the SSDT, so step 206 is performed; if it is not, the instruction cannot tamper with the SSDT and must be allowed to execute normally, so step 209 is performed.
Step 206: the CPU virtualization driver module obtains the memory address the CPU instruction will write to.
In one embodiment, when the obtained CPU instruction is a memory write, the CPU virtualization driver module obtains the memory address the write is directed at, from which it can determine whether the write targets the SSDT memory address range.
Step 207: the CPU virtualization driver module determines whether the memory address the CPU instruction will write to lies within the SSDT memory address range; if so, step 208 is performed, otherwise step 209.
In one embodiment, the CPU virtualization driver module compares the address the instruction will write to against the SSDT memory address range filled into the VMCB. If the address lies within the range, the instruction is one that would tamper with the SSDT and must be intercepted, so step 208 is performed; if not, then although the instruction is a memory write it does not write to the SSDT range and cannot tamper with the SSDT, so it must be allowed to execute and step 209 is performed.
Step 208: intercept the CPU instruction, do not allow it to execute, and end the current procedure.
In one embodiment, if the CPU virtualization driver module judges that the CPU instruction writes within the SSDT memory address range of the current operating system, the instruction is one that tampers with the SSDT and must be intercepted: the CPU virtualization driver module intercepts it, does not allow it to write to the SSDT of the current operating system, and ends the current procedure.
Step 209: do not intercept the CPU instruction; allow it to execute.
In one embodiment, if the CPU instruction is not a memory write, or is a memory write whose target address lies outside the SSDT memory address range, the instruction cannot tamper with the SSDT, so it need not be intercepted and must be allowed to execute normally.
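The decision in steps 205 to 209 (and the same check as stated in the summary above) is worth seeing as code, because the protection the hypervisor actually gets from the CPU is page-granular: with nested-page write protection, every write to a page holding part of the table traps into root mode, including writes to unrelated kernel data that merely share that page, and the filter has to compare the trapped address against the exact range and let those through, or the guest stalls. The C below is an added example and not code from the patent or from Inspur. It assumes a four-field descriptor mirroring the layout of KeServiceDescriptorTable and 32-bit dispatch-table entries (absolute pointers on x86, base-relative offsets on x64); the field, type and function names, and every address in the sample, are this example's own. It goes slightly beyond the text in two ways: it compares the whole written span rather than only its first byte, so a multi-byte write that straddles the start of the table is still blocked, and it protects the descriptor and the argument table as well as the dispatch table, since rewriting service_table_base redirects every system call just as effectively as patching an entry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Mirror of the four-field service descriptor (the layout of
 * KeServiceDescriptorTable: table base, counter table, service count,
 * argument-byte table). The field names are this example's own. */
typedef struct {
    uintptr_t service_table_base;    /* start of the dispatch table */
    uintptr_t service_counter_table; /* per-service call counters, may be 0 */
    uintptr_t number_of_services;    /* entries in the dispatch table */
    uintptr_t param_table_base;      /* one argument-size byte per service */
} ssdt_descriptor_t;

/* Dispatch-table entries are 32-bit on both x86 (absolute pointers)
 * and x64 (offsets relative to the table base). */
#define SSDT_ENTRY_SIZE 4u

typedef struct { uintptr_t start; size_t len; } mem_range_t;

/* Everything a rootkit could write to redirect a system call: the
 * dispatch table, the argument table and the descriptor itself. */
typedef struct { mem_range_t r[3]; size_t n; } protected_set_t;

protected_set_t ssdt_protected_ranges(uintptr_t descriptor_addr,
                                      const ssdt_descriptor_t *d)
{
    protected_set_t s = { { { 0, 0 }, { 0, 0 }, { 0, 0 } }, 0 };
    s.r[s.n++] = (mem_range_t){ descriptor_addr, sizeof *d };
    s.r[s.n++] = (mem_range_t){ d->service_table_base,
                                (size_t)d->number_of_services * SSDT_ENTRY_SIZE };
    s.r[s.n++] = (mem_range_t){ d->param_table_base, (size_t)d->number_of_services };
    return s;
}

typedef enum { ACCESS_READ, ACCESS_WRITE, ACCESS_EXEC } access_t;
typedef enum { VERDICT_ALLOW, VERDICT_BLOCK } verdict_t;

/* One trapped memory access as the hypervisor sees it after a VM exit. */
typedef struct { access_t type; uintptr_t addr; size_t len; } mem_access_t;

/* Does [a, a+len) touch the range? Inclusive end addresses are used so a
 * range ending at the top of the address space cannot overflow; a write
 * whose own end wraps past zero is malformed and treated as hostile. */
static bool overlaps(mem_range_t r, uintptr_t a, size_t len)
{
    if (len == 0 || r.len == 0)
        return false;
    uintptr_t a_end = a + (len - 1);
    uintptr_t r_end = r.start + (r.len - 1);
    if (a_end < a)
        return true;
    return a <= r_end && r.start <= a_end;
}

/* Steps 205-209 of Fig. 2: non-writes pass (205); a write is blocked if
 * any byte it touches lies in a protected range (206-208); every other
 * write passes (209), including writes to unrelated data on the page. */
verdict_t ssdt_filter(const protected_set_t *p, const mem_access_t *m)
{
    if (m->type != ACCESS_WRITE)
        return VERDICT_ALLOW;
    for (size_t i = 0; i < p->n; i++)
        if (overlaps(p->r[i], m->addr, m->len))
            return VERDICT_BLOCK;
    return VERDICT_ALLOW;
}

/* Constructed sample: a descriptor at 0x3000 whose 4-entry dispatch table
 * is at 0x1000 and whose argument table is at 0x2000. The addresses are
 * invented; in the apparatus they come from the OS communication driver. */
static const ssdt_descriptor_t sample_desc = { 0x1000, 0, 4, 0x2000 };
#define SAMPLE_DESC_ADDR 0x3000u

/* Filters a single access against the sample ranges. */
verdict_t demo_filter(access_t type, uintptr_t addr, size_t len)
{
    protected_set_t p = ssdt_protected_ranges(SAMPLE_DESC_ADDR, &sample_desc);
    mem_access_t m = { type, addr, len };
    return ssdt_filter(&p, &m);
}

/* Runs a constructed list of trapped accesses and returns how many were
 * blocked; the comments give the verdict each one should receive. */
size_t demo_blocked_count(void)
{
    const mem_access_t trapped[] = {
        { ACCESS_WRITE, 0x1004, 4 }, /* patch entry 1               -> block */
        { ACCESS_READ,  0x1004, 4 }, /* read of the same entry       -> allow */
        { ACCESS_WRITE, 0x0FFE, 4 }, /* straddles the table start    -> block */
        { ACCESS_WRITE, 0x1010, 4 }, /* first byte past the table    -> allow */
        { ACCESS_WRITE, 0x3000, 8 }, /* repoint service_table_base   -> block */
        { ACCESS_WRITE, 0x1800, 4 }, /* same page, unrelated data    -> allow */
        { ACCESS_EXEC,  0x1000, 1 }, /* instruction fetch from table -> allow */
    };
    size_t blocked = 0;
    for (size_t i = 0; i < sizeof trapped / sizeof trapped[0]; i++)
        if (demo_filter(trapped[i].type, trapped[i].addr, trapped[i].len) == VERDICT_BLOCK)
            blocked++;
    return blocked;
}
```

The straddling case is the one a first-byte check misses: a 4-byte write at 0x0FFE starts outside the table but clobbers its first two bytes. The sample also shows why the filter, not the page protection, decides: the write at 0x1800 lands on the same 4 KiB page as the table and will trap just the same, and must be allowed (step 209) or the guest kernel will never make progress.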
In one embodiment of the invention, besides obtaining the SSDT memory address range the OS communication driver module can also record interception messages and form an interception log. As shown in Fig. 3, the specific method comprises:
Step 301: receive a message from the main service process module or the CPU virtualization driver module.
In one embodiment, the OS communication driver module receives messages from two sources: a get-log request sent by the main service process module, and, from the CPU virtualization driver module, either a CPU-instruction interception message or a request for the SSDT memory address range.
Step 302: determine whether the message comes from the CPU virtualization driver module; if so, perform step 303, otherwise perform step 306.
In one embodiment, after receiving a message the OS communication driver module first determines its source. If the message comes from the CPU virtualization driver module it may be either a CPU-instruction interception message or a request for the SSDT memory address range and must be examined further, so step 303 is performed; if it does not come from the CPU virtualization driver module it necessarily comes from the main service process module, and step 306 is performed.
Step 303: determine whether the message is a CPU-instruction interception message; if so, perform step 304, otherwise perform step 305.
In one embodiment, for a message from the CPU virtualization driver module, the OS communication driver module further determines whether it is a CPU-instruction interception message; if so, step 304 is performed; if not, the message is a request for the SSDT memory address range, the requested range must be sent to the requester, and step 305 is performed.
Step 304: save the CPU-instruction interception message, forming the interception log, and end the current procedure.
In one embodiment, if the received message is a CPU-instruction interception message it is saved, forming the interception log, and the current procedure ends so that further messages can be received.
Step 305: return the SSDT memory address range and end the current procedure.
In one embodiment, if the received message is a request for the SSDT memory address range, the OS communication driver module sends the range it obtained and stored to the CPU virtualization driver module and ends the current procedure.
Step 306: return the interception log.
In one embodiment, if the message received by the OS communication driver module is the get-log request sent by the main service process module, the interception log is returned to the main service process module.
It should be noted that the user can obtain the interception log through the main service process module; in addition, the main service process module can install the CPU virtualization driver module and the OS communication driver module and, on receiving the user's instruction, first unload the CPU virtualization driver module and the OS communication driver module and then unload itself.
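The message flow of Fig. 3, steps 301 to 306, written out as C. This is an added example, not code from the patent or from Inspur; the message kinds, field names, ring capacity and every value in the constructed scenario are assumptions. Two points the flow chart leaves open are handled explicitly: the log is a fixed-size ring that drops the oldest records and counts what it dropped, so a flood of blocked writes cannot grow an allocation inside a kernel driver without bound; and combinations of source and message kind that the flow does not define (for instance the user-mode service submitting an interception event) are rejected rather than routed, because a forged event would pollute the log the administrator relies on. How the two sources are told apart is outside the example; a real driver would take the service's request through an IOCTL and the hypervisor's messages through a separate channel.

```c
#include <stddef.h>
#include <stdint.h>

typedef enum { SRC_MAIN_SERVICE, SRC_CPU_VIRT_DRIVER } msg_source_t;
typedef enum { MSG_INTERCEPT_EVENT, MSG_GET_SSDT_RANGE, MSG_GET_LOG } msg_kind_t;
typedef enum { ACT_LOGGED, ACT_SENT_RANGE, ACT_RETURNED_LOG, ACT_REJECTED } action_t;

/* One blocked write as reported by the CPU virtualization driver:
 * target address and length, and the guest RIP that attempted it. */
typedef struct { uintptr_t addr; size_t len; uintptr_t rip; } intercept_record_t;

/* rec is meaningful only for MSG_INTERCEPT_EVENT. */
typedef struct { msg_source_t src; msg_kind_t kind; intercept_record_t rec; } msg_t;

#define LOG_CAPACITY 8 /* small so the overflow path is exercised below */

/* State of the OS communication driver: the SSDT range obtained at load
 * time (step 202) and a fixed-size ring of intercept records. */
typedef struct {
    uintptr_t ssdt_start;
    size_t ssdt_len;
    intercept_record_t ring[LOG_CAPACITY];
    size_t head;      /* index of the oldest record */
    size_t count;     /* records held, at most LOG_CAPACITY */
    uint64_t dropped; /* records overwritten because the ring was full */
} comm_state_t;

typedef struct {
    action_t action;
    uintptr_t range_start; size_t range_len; /* for ACT_SENT_RANGE */
    size_t log_count; uint64_t dropped;      /* for ACT_RETURNED_LOG */
} reply_t;

void comm_init(comm_state_t *st, uintptr_t ssdt_start, size_t ssdt_len)
{
    *st = (comm_state_t){ 0 };
    st->ssdt_start = ssdt_start;
    st->ssdt_len = ssdt_len;
}

/* Step 304: keep the newest records and account for the ones lost. */
static void log_append(comm_state_t *st, const intercept_record_t *rec)
{
    size_t slot = (st->head + st->count) % LOG_CAPACITY;
    if (st->count == LOG_CAPACITY) {      /* full: slot is the oldest entry */
        st->head = (st->head + 1) % LOG_CAPACITY;
        st->dropped++;
    } else {
        st->count++;
    }
    st->ring[slot] = *rec;
}

/* Steps 301-306: route on (source, kind); pairs the flow chart does not
 * define, such as the service submitting an intercept event, are rejected. */
reply_t comm_dispatch(comm_state_t *st, const msg_t *m)
{
    reply_t r = { ACT_REJECTED, 0, 0, 0, 0 };
    if (m->src == SRC_CPU_VIRT_DRIVER && m->kind == MSG_INTERCEPT_EVENT) {
        log_append(st, &m->rec);                       /* step 304 */
        r.action = ACT_LOGGED;
    } else if (m->src == SRC_CPU_VIRT_DRIVER && m->kind == MSG_GET_SSDT_RANGE) {
        r.action = ACT_SENT_RANGE;                     /* step 305 */
        r.range_start = st->ssdt_start;
        r.range_len = st->ssdt_len;
    } else if (m->src == SRC_MAIN_SERVICE && m->kind == MSG_GET_LOG) {
        r.action = ACT_RETURNED_LOG;                   /* step 306 */
        r.log_count = st->count;
        r.dropped = st->dropped;
    }
    return r;
}

/* Copies up to max records, oldest first, and returns how many. */
size_t comm_copy_log(const comm_state_t *st, intercept_record_t *out, size_t max)
{
    size_t n = st->count < max ? st->count : max;
    for (size_t i = 0; i < n; i++)
        out[i] = st->ring[(st->head + i) % LOG_CAPACITY];
    return n;
}

/* Constructed scenario: ten blocked writes to a 16-byte table at 0x1000
 * arrive from the hypervisor, then the service asks for the log. */
static reply_t run_flood(comm_state_t *st)
{
    comm_init(st, 0x1000, 16);
    for (uint32_t i = 0; i < 10; i++) {
        msg_t ev = { SRC_CPU_VIRT_DRIVER, MSG_INTERCEPT_EVENT,
                     { 0x1000 + 4 * (i % 4), 4, 0xDEAD0000u + i } };
        comm_dispatch(st, &ev);
    }
    msg_t get = { SRC_MAIN_SERVICE, MSG_GET_LOG, { 0, 0, 0 } };
    return comm_dispatch(st, &get);
}

size_t demo_flood_log_count(void) { comm_state_t st; return run_flood(&st).log_count; }
uint64_t demo_flood_dropped(void) { comm_state_t st; return run_flood(&st).dropped; }

/* After the flood the oldest surviving record is the third one sent. */
uintptr_t demo_flood_oldest_rip(void)
{
    comm_state_t st;
    intercept_record_t out[LOG_CAPACITY];
    run_flood(&st);
    return comm_copy_log(&st, out, LOG_CAPACITY) ? out[0].rip : 0;
}

/* Dispatches one message of the given (source, kind) on fresh state. */
action_t demo_action(msg_source_t src, msg_kind_t kind)
{
    comm_state_t st;
    msg_t m = { src, kind, { 0, 0, 0 } };
    comm_init(&st, 0x1000, 16);
    return comm_dispatch(&st, &m).action;
}
```

The dropped counter is reported back with the log rather than hidden, so an administrator reading eight records after a burst of ten knows that two were lost and that the rootkit was busier than the log alone suggests.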
According to such scheme, a kind of Windows system service descriptor table tamper resistant device that embodiments of the invention provide and method, at least have following beneficial effect:
1, in the embodiment of the present invention, provide a kind of Windows system service descriptor table tamper resistant device, this device comprises main service processes module, the virtual driver module of CPU and OS communication drivers module, by main service processes module, the virtual driver module of CPU and OS communication drivers module are installed, OS communication drivers module obtains the memory address range of system service descriptor table, the virtual driver module of CPU filters the cpu instruction obtained according to the memory address range of system service descriptor table, wherein will be blocked the cpu instruction that system service descriptor table is distorted, therefore, the Windows operating system run in each mode, all kinds of malicious CPU instructions distorting system service descriptor table can both be tackled, thus improve the security of Windows operating system.
2, in the embodiment of the present invention, the Windows system service descriptor table tamper resistant method provided is applicable to various types of Windows operating system, and prior art is carried out anti-tamper by PatchGuard mechanism to Windows system service descriptor table and is supported that 64 for operating system, but still have many consumers use 32-bit operating system at present, therefore, relative to prior art, the Windows system service descriptor table tamper resistant method that the embodiment of the present invention provides has applicability and comprehensive widely.
3. The Windows system service descriptor table tamper-proofing apparatus and method provided by the embodiment of the invention are a preventive defense mechanism: a Rootkit backdoor program can be intercepted before it corrupts the system service descriptor table. The prior art's PatchGuard-based tamper protection of the Windows system service descriptor table is an after-the-fact mechanism; by the time it detects that the table has been tampered with, the Rootkit backdoor program may already have finished what it set out to do. Compared with the prior art, the scheme provided by the embodiment of the invention can therefore improve the security of the Windows operating system.
4. Because the embodiment of the invention intercepts in advance, the system service descriptor table is fundamentally prevented from being tampered with, and the system crash that follows tampering of the table does not occur. With the prior art's PatchGuard-based protection of the Windows system service descriptor table, once tampering of the table is detected the operating system crashes immediately, which is unacceptable to users of certain important computers. The embodiment of the invention therefore also protects the user's data and operations.
5. In the embodiment of the invention, when the user actually needs to modify the system service descriptor table, the user can unload the modules and then make the modification.
Since the information exchange and implementation between the units of the above apparatus are based on the same concept as the method embodiment of the invention, the details can be found in the description of the method embodiment and are not repeated here.
It should be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus comprising a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises that element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be implemented by hardware directed by program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media capable of storing program code.
Finally, it should be noted that the above are only preferred embodiments of the invention, intended only to illustrate its technical scheme and not to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention is included in its scope of protection.

Claims (10)

1. A Windows system service descriptor table tamper-proofing apparatus, characterized in that it comprises a main service process module, a CPU virtual driver module and an OS communication driver module;
the main service process module is configured to install the CPU virtual driver module and the OS communication driver module;
the OS communication driver module is configured to obtain the memory address range of the system service descriptor table;
the CPU virtual driver module is configured to obtain CPU instructions after initialization and, according to the memory address range of the system service descriptor table, intercept CPU instructions that tamper with the system service descriptor table.
2. The apparatus according to claim 1, characterized in that, after the CPU virtual driver module is installed, its initialization comprises any one or more of the following: allocating the memory required for the highest-privilege entry area and the virtual machine control block; setting flag bits of CPU registers; filling in the version information of the virtual machine control block; making the CPU enter virtual machine mode; initializing and activating the virtual machine control block; filling the memory address range of the system service descriptor table obtained from the OS communication driver module into the virtual machine control block so as to indicate the memory operations to intercept; and running the current operating system as a virtual machine on the virtual CPU.
3. The apparatus according to claim 1, characterized in that
the CPU virtual driver module is further implemented as a kernel driver, starts automatically with the operating system, and its code is run by the CPU in ROOT mode with the highest privilege;
and/or,
the CPU virtual driver module is configured to judge whether an obtained CPU instruction is a memory write instruction; if not, the CPU instruction is not intercepted; if so, the first memory address that the CPU instruction will write is obtained and it is judged whether that first memory address lies within the memory address range of the system service descriptor table; if not, the CPU instruction is not intercepted; if so, the CPU instruction is intercepted.
4. The apparatus according to claim 1, characterized in that
the OS communication driver module is further implemented as a kernel driver, starts automatically with the operating system, and its code is run by the CPU in non-ROOT and RO mode, with privilege lower than the CPU virtual driver module and identical to other operating system kernel code.
5. The apparatus according to claim 1, characterized in that it further comprises:
the main service process module is configured to, after receiving an unload command from the user, unload the OS communication driver module and the CPU virtual driver module, and after unloading is complete unload itself;
and/or,
the OS communication driver module is configured to receive the intercepted-instruction messages sent by the CPU virtual driver module, form an interception log, and, after receiving the command to obtain the interception log sent by the main service process module, return the interception log to the main service process module.
6. A Windows system service descriptor table tamper-proofing method, characterized in that it comprises:
installing the CPU virtual driver module and the OS communication driver module through the main service process module;
obtaining the memory address range of the system service descriptor table through the OS communication driver module;
initializing the CPU virtual driver module according to the memory address range of the system service descriptor table;
the CPU virtual driver module obtaining CPU instructions;
the CPU virtual driver module intercepting, according to the memory address range of the system service descriptor table, CPU instructions that tamper with the system service descriptor table.
7. The method according to claim 6, characterized in that initializing the CPU virtual driver module according to the memory address range of the system service descriptor table comprises any one or more of the following: allocating the memory required for the highest-privilege entry area and the virtual machine control block; setting flag bits of CPU registers; filling in the version information of the virtual machine control block; making the CPU enter virtual machine mode; initializing and activating the virtual machine control block; filling the memory address range of the system service descriptor table obtained from the OS communication driver module into the virtual machine control block so as to indicate the memory operations to intercept; and running the current operating system as a virtual machine on the virtual CPU.
8. The method according to claim 6, characterized in that
installing the CPU virtual driver module through the main service process module comprises: the CPU virtual driver module is implemented as a kernel driver, starts automatically with the operating system, and its code is run by the CPU in ROOT mode with the highest privilege;
and/or,
the CPU virtual driver module intercepting, according to the memory address range of the system service descriptor table, CPU instructions that tamper with the system service descriptor table comprises: judging whether the CPU instruction is a memory write instruction; if not, not intercepting the CPU instruction; if so, obtaining the first memory address that the CPU instruction will write and judging whether that first memory address lies within the memory address range of the system service descriptor table; if not, not intercepting the CPU instruction; if so, intercepting the CPU instruction.
9. The method according to claim 6, characterized in that
installing the OS communication driver module through the main service process module comprises: the OS communication driver module is implemented as a kernel driver, starts automatically with the operating system, and its code is run by the CPU in non-ROOT and RO mode, with privilege lower than the CPU virtual driver module and identical to other operating system kernel code.
10. The method according to claim 6, characterized in that it further comprises:
after the main service process module receives an unload command from the user, unloading the OS communication driver module and the CPU virtual driver module, and after unloading is complete unloading itself;
and/or,
the OS communication driver module receiving the intercepted-instruction messages sent by the CPU virtual driver module, forming an interception log, and, after receiving the command to obtain the interception log sent by the main service process module, returning the interception log to the main service process module.
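As an added illustration of the interception decision in claims 3 and 8 (example code written for this page, not the patent's own implementation), the filter below takes already-decoded instructions and a constructed SSDT address range, and additionally checks the whole written span rather than only the first address, which is an assumption beyond the claim wording:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not the patent's code: the write-filter decision of claims
 * 3 and 8 over already-decoded instructions. All addresses are constructed. */
typedef struct { uint64_t start, end; } ssdt_range_t;   /* protects [start, end) */
typedef struct {
    bool     is_mem_write; /* decoded: does the instruction write memory? */
    uint64_t target;       /* first byte the write touches */
    uint32_t width;        /* bytes written (1, 2, 4, 8, ...) */
} cpu_insn_t;
typedef enum { PASS = 0, INTERCEPT = 1 } verdict_t;

/* Claims 3/8: non-writes pass; a write into the SSDT range is intercepted.
 * Generalised here (an assumption beyond the claim text) to test the whole
 * [target, target+width) span, so a wide write that starts just below the
 * table cannot slip past a first-address-only check. */
verdict_t filter_insn(const ssdt_range_t *r, const cpu_insn_t *in)
{
    if (!in->is_mem_write)
        return PASS;
    uint64_t first = in->target, last = in->target + in->width;
    if (last < first)               /* address wrap-around: refuse it */
        return INTERCEPT;
    return (first < r->end && last > r->start) ? INTERCEPT : PASS;
}

/* Apply the filter to an instruction stream, log each interception as the
 * patent's OS communication driver would, and return how many were blocked. */
int run_filter(const ssdt_range_t *r, const cpu_insn_t *s, size_t n,
               verdict_t *out)
{
    int blocked = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = filter_insn(r, &s[i]);
        if (out[i] == INTERCEPT) {
            blocked++;
            printf("intercept: %u-byte write at %#llx\n", s[i].width,
                   (unsigned long long)s[i].target);
        }
    }
    return blocked;
}
/* Constructed sample: a 4 KiB "SSDT" at [0x1000, 0x2000). */
static const ssdt_range_t SSDT = { 0x1000, 0x2000 };
static const cpu_insn_t SAMPLE[] = {
    { false, 0x1008, 8 },  /* read of the table: pass                     */
    { true,  0x3000, 8 },  /* write elsewhere: pass                        */
    { true,  0x1008, 8 },  /* write inside the table: intercept            */
    { true,  0x0ffc, 8 },  /* 8-byte write straddling the start: intercept */
    { true,  0x2000, 4 },  /* write starting just past the end: pass       */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])
int main(void)
{
    verdict_t v[SAMPLE_N];
    printf("%d of %zu intercepted\n", run_filter(&SSDT, SAMPLE, SAMPLE_N, v), SAMPLE_N);
    return 0;
}
```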
CN201510275475.6A 2015-05-26 2015-05-26 Windows system service descriptor table tamper-proofing apparatus and method Pending CN104899512A (en)
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106650463A (en) * 2016-12-16 2017-05-10 郑州云海信息技术有限公司 System and method for preventing window system service description table from being tampered
CN109189558A (en) * 2018-09-04 2019-01-11 郑州云海信息技术有限公司 A kind of method and device for secure virtual machine protection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20150909)