CN106778243A - Virtual-machine-based kernel vulnerability detection file protection method and device - Google Patents


Info

Publication number
CN106778243A
Application number
CN201611071693.9A
Authority
CN (China)
Prior art keywords
detection; file; store path; relevant information; list
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Granted, active
Other languages
Chinese (zh)
Other versions
CN106778243B (en)
Inventor
李琦
Current assignee (as listed by Google Patents)
Beijing Hongxiang Technical Service Co Ltd
Original assignee
Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd; priority to CN201611071693.9A; published as CN106778243A; granted and published as CN106778243B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a virtual-machine-based kernel vulnerability detection file protection method and device. The method includes: obtaining the relevant information of each detection sub-process and writing the relevant information of each detection sub-process into a process filter list; obtaining the storage path information of the detection files and writing the storage path information of the detection files into a private directory list; when a file access operation occurs, judging whether the storage path information of the file access target is recorded in the private directory list; if so, judging whether the relevant information of the current context process is recorded in the process filter list; if not, refusing the file access operation. With the invention, the detection files produced in the virtual machine sandbox isolation environment can be protected against being accessed, tampered with, encrypted or damaged by a malicious sample process that has escaped the sandbox, so that detection failures or abnormal results caused in this way are avoided and the stability and performance of the sandbox system are maintained.

Description

Virtual-machine-based kernel vulnerability detection file protection method and device
Technical field
The present invention relates to the field of computer security technology, and in particular to a virtual-machine-based kernel vulnerability detection file protection method and device.
Background technology
Malicious network behaviour refers to the hardware, software and data of a network system being attacked by malicious code and damaged, altered or leaked, so that the system can no longer run continuously, reliably and normally and network services are interrupted. With the spread of informatization and the appearance of many new network applications, the behaviours exhibited by network malicious code keep multiplying. The most common malicious network behaviours at present are web page trojan hanging (drive-by downloads), account theft, port scanning, vulnerability scanning, ARP (Address Resolution Protocol) spoofing, IP (Internet Protocol) hijacking, DDoS (Distributed Denial of Service) attacks, flooding, trojan attacks and so on.
A vulnerability is a defect in the concrete implementation of hardware, software or a protocol, or in a system security policy, that enables an attacker to access or damage a system without authorization. The kernel is the core of the operating system, so how to detect kernel vulnerabilities is a top priority of security protection work. In the prior art, a hacker who has intruded into a system often obtains the highest privilege of the system by privilege escalation, thereby gaining control of the operating system. Put simply, privilege escalation raises a low-privileged, restricted user to the highest privilege in the system (such as administrator privilege). Access control is the cornerstone of system security and of all security software; once this threshold is broken, every defensive measure is invalid. Therefore, how to detect kernel vulnerabilities effectively and prevent hackers from attacking the system by privilege escalation has become an urgent problem in the prior art. During kernel vulnerability detection, how to prevent a malicious sample process from accessing and stealing the detection files is also an important problem.
The content of the invention
In view of the above problems, the present invention is proposed in order to provide a virtual-machine-based kernel vulnerability detection file protection method and device that overcome the above problems or at least partly solve them.
According to one aspect of the invention, a virtual-machine-based kernel vulnerability detection file protection method is provided. The method runs in a virtual machine sandbox isolation environment and includes:
obtaining the relevant information of each detection sub-process and writing the relevant information of each detection sub-process into a process filter list;
obtaining the storage path information of the detection files and writing the storage path information of the detection files into a private directory list;
when a file access operation occurs, judging whether the storage path information of the file access target is recorded in the private directory list;
if the storage path information of the file access target is judged to be recorded in the private directory list, judging whether the relevant information of the current context process is recorded in the process filter list;
if the relevant information of the current context process is judged not to be recorded in the process filter list, refusing the file access operation.
According to another aspect of the invention, a virtual-machine-based kernel vulnerability detection file protection device is provided. The device runs in a virtual machine sandbox isolation environment and includes:
a first writing module, adapted to obtain the relevant information of each detection sub-process and write the relevant information of each detection sub-process into a process filter list;
a second writing module, adapted to obtain the storage path information of the detection files and write the storage path information of the detection files into a private directory list;
a first judging module, adapted to judge, when a file access operation occurs, whether the storage path information of the file access target is recorded in the private directory list;
a second judging module, adapted to judge whether the relevant information of the current context process is recorded in the process filter list if the first judging module judges that the storage path information of the file access target is recorded in the private directory list;
a refusing module, adapted to refuse the file access operation if the second judging module judges that the relevant information of the current context process is not recorded in the process filter list.
According to the virtual-machine-based kernel vulnerability detection file protection method and device provided by the invention, the relevant information of each detection process is written into a process filter list and the storage path information of the detection files is written into a private directory list; when a file access operation occurs, the storage path information of the file access target and the relevant information of the current context process are matched against the private directory list and the process filter list respectively, and it is determined from this whether to refuse the file access operation. With the invention, the detection files produced in the virtual machine sandbox isolation environment can be protected against being accessed, tampered with, encrypted or damaged by a malicious sample process that has escaped the sandbox, so that detection failures or abnormal results caused in this way are avoided and the stability and performance of the sandbox system are maintained.
The above is only an overview of the technical solution of the invention. In order that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
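The two-list decision described for the method steps and again for the device modules, written out as an added example in user-mode C. This is not the patent's code: the list structures, the function names, the component-wise case-insensitive prefix rule and the sample paths and PIDs are assumptions. In a real driver the same decision would run inside a file system filter on the normalized path of the request and the process ID of the calling context; here the first judgement (is the target a detection file?) and the second (is the caller a detection process?) are modelled so the edge cases can be checked, including an entry with a trailing separator and a directory whose name is a prefix of another.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES  16
#define MAX_PATH_LEN 260

/* The two lists the patent keeps: private directory list (storage paths of
 * detection files) and process filter list (PIDs of detection sub-processes). */
typedef struct {
    char          private_dirs[MAX_ENTRIES][MAX_PATH_LEN];
    size_t        n_dirs;
    unsigned long allowed_pids[MAX_ENTRIES];
    size_t        n_pids;
} protection_state;

static bool add_private_dir(protection_state *s, const char *dir)
{
    if (s->n_dirs >= MAX_ENTRIES || strlen(dir) >= MAX_PATH_LEN)
        return false;
    strcpy(s->private_dirs[s->n_dirs++], dir);
    return true;
}

static bool add_allowed_pid(protection_state *s, unsigned long pid)
{
    if (s->n_pids >= MAX_ENTRIES)
        return false;
    s->allowed_pids[s->n_pids++] = pid;
    return true;
}

/* Case-insensitive (Windows paths), component-aware prefix test: a trailing
 * separator on the list entry is ignored, and "C:\det" must not match
 * "C:\detect\x". A path shorter than the entry fails at its terminator. */
bool path_under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (n == 0)
        return false;
    if (dir[n - 1] == '\\')
        n--;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)dir[i]))
            return false;
    return path[n] == '\\' || path[n] == '\0';
}

static bool pid_in_filter(const protection_state *s, unsigned long pid)
{
    for (size_t i = 0; i < s->n_pids; i++)
        if (s->allowed_pids[i] == pid)
            return true;
    return false;
}

/* Deny only when the target lies in a private directory AND the current
 * context process is not in the filter list; other files are left to the
 * normal OS access checks. */
bool should_deny(const protection_state *s, const char *path, unsigned long pid)
{
    for (size_t i = 0; i < s->n_dirs; i++)
        if (path_under_dir(path, s->private_dirs[i]))
            return !pid_in_filter(s, pid);
    return false;
}

/* Constructed scenario: paths and PIDs are made up for this example. */
static const protection_state *demo_state(void)
{
    static protection_state st;
    static bool ready = false;
    if (!ready) {
        memset(&st, 0, sizeof st);
        add_private_dir(&st, "C:\\detect\\pkg");     /* decompressed detection package */
        add_private_dir(&st, "C:\\detect\\log\\");   /* log directory, trailing separator */
        add_allowed_pid(&st, 1200);                   /* auxiliary detection process */
        add_allowed_pid(&st, 1204);                   /* core detection process */
        ready = true;
    }
    return &st;
}

int demo_check(const char *path, unsigned long pid)
{
    return should_deny(demo_state(), path, pid) ? 1 : 0;
}

int main(void)
{
    printf("pid 3000 -> C:\\detect\\log\\run1.log : %s\n",
           demo_check("C:\\detect\\log\\run1.log", 3000) ? "DENY" : "allow");
    printf("pid 1204 -> C:\\detect\\log\\run1.log : %s\n",
           demo_check("C:\\detect\\log\\run1.log", 1204) ? "DENY" : "allow");
    printf("pid 3000 -> C:\\Temp\\sample.exe       : %s\n",
           demo_check("C:\\Temp\\sample.exe", 3000) ? "DENY" : "allow");
    return 0;
}
```

The sample process (PID 3000 here) is refused on anything under the two private directories, a detection process is let through, and a file outside the private list (the sample itself, under the temporary directory) is not touched by the check at all, which matches the order of the two judgements in the claims.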
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to a person of ordinary skill in the art. The drawings are only for the purpose of showing the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to an embodiment of the invention;
Fig. 2 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention;
Fig. 3 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention;
Fig. 4 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention;
Fig. 5 shows a flow chart of a virtual-machine-based kernel vulnerability detection process protection method according to an embodiment of the invention;
Fig. 6 shows a flow chart of a virtual-machine-based kernel vulnerability detection file protection method according to an embodiment of the invention;
Fig. 7 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection device according to an embodiment of the invention;
Fig. 8 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection device according to another embodiment of the invention;
Fig. 9 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection process protection device according to an embodiment of the invention;
Fig. 10 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection file protection device according to an embodiment of the invention.
Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to an embodiment of the invention. The method runs in a server-side virtual machine sandbox isolation environment and performs dynamic kernel vulnerability exploitation detection on a specified sample file. As shown in Fig. 1, the method comprises the following steps:
Step S101: start a communication agent process; the communication agent process listens on a designated port, waits for and receives the detection package and sample file sent by the host outside the virtual machine, and stores the detection package and the sample file under a detection directory and a temporary directory respectively.
The communication agent process is responsible for data exchange and file transfer with processes on the host outside the virtual machine. When the server-side virtual machine operating system boots, the communication agent process starts automatically with it. The communication agent process listens on the designated port and waits for and receives the detection package and sample file sent by the associated process on the external host. It decompresses the detection package and stores the extracted files under the detection directory; in addition, it stores the sample file under the temporary directory. Then the communication agent process starts the scheduling management and control process contained in the detection package.
Step S102: start the scheduling management and control process in the detection package; the scheduling management and control process obtains the storage path of the sample file, identifies the sample file type, and selects the detection mode and each detection function point from the configuration options of a general detection configuration file, so as to create a target detection configuration file for the sample file.
After the scheduling management and control process starts, it obtains the storage path of the sample file and identifies the sample file type. It then reads the general detection configuration file associated with itself, selects the detection mode and each detection function point according to the sample file type, initializes each of its own functions, and creates the target detection configuration file for the sample file. Then the scheduling management and control process starts the auxiliary detection process and passes the storage path of the sample file (which may be a URL) to the auxiliary detection process as a parameter.
Step S103: start the auxiliary detection process; the auxiliary detection process uses the target detection configuration file to control the switch of each detection function point.
After the auxiliary detection process starts, it initializes itself according to the target detection configuration file, loads the driver of the core detection process, and uses the target detection configuration file to control the switch of each detection function point.
Step S104: start the core detection process; the core detection process receives the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, performs vulnerability detection, generates a log file from the detection result and stores the log file under a log directory.
After the auxiliary detection process loads the driver of the core detection process, the core detection process starts. It receives the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process and performs initialization. It then detects the sample file according to the relevant information of the sample file and the switch information of each detection function point, generates a log file from the detection result and stores the log file under the log directory.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment. Data exchange and file transfer with the host outside the virtual machine are realized by the communication agent process, and the scheduling management and control process and the auxiliary detection process assist the core detection process in detecting the sample file. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for suspicious samples; even if a suspicious sample does exploit a vulnerability, it causes no damage on the server side, which gives a safe and efficient kernel vulnerability detection mechanism.
Fig. 2 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This method describes the overall scheme of virtual-machine-based kernel vulnerability detection; specifically, it runs in a server-side virtual machine sandbox isolation environment and performs dynamic kernel vulnerability exploitation detection on a specified sample file. As shown in Fig. 2, the method comprises the following steps:
Step S201: when the server-side virtual machine operating system boots, the communication agent process starts automatically.
The communication agent process is responsible for data exchange and file transfer with processes on the host outside the virtual machine; when the server-side virtual machine operating system boots, the communication agent process starts automatically with it.
Step S202: the communication agent process listens on the designated port and waits for data.
The server-side virtual machine provides a designated port for the external host to access; after starting, the communication agent process listens on that port and waits for the data sent by the host outside the virtual machine.
Step S203: the communication agent process receives the detection package and sample file sent by the host outside the virtual machine and stores the detection package and the sample file under the detection directory and the temporary directory respectively.
After the communication agent process receives the detection package and sample file transmitted by the external host through the designated port, it decompresses the detection package and stores the extracted files under the detection directory, which may be a randomly generated directory; in addition, it stores the sample file under the temporary directory.
Step S204: the communication agent process starts the scheduling management and control process.
The communication agent process sends a start command to start the scheduling management and control process.
Step S205: the communication agent process creates a message communication thread and establishes a communication connection with the scheduling management and control process.
After the scheduling management and control process starts, the communication agent process creates a message communication thread and, optionally, establishes a communication connection with the scheduling management and control process via RPC (Remote Procedure Call). Here the RPC is the mechanism of the XMLRPCLIB library: XML-RPC is a remote procedure call mechanism that uses HTTP as the transport protocol and transmits commands and data as XML text. Through this connection, message packets subsequently received from the scheduling management and control process can be forwarded to the host outside the virtual machine in real time.
Step S206: the scheduling management and control process initializes its own functions.
After starting, the scheduling management and control process obtains the storage path of the sample file and identifies the sample file type. It then reads the general detection configuration file associated with itself, selects the detection mode and each detection function point according to the sample file type, and initializes each of its own functions. In addition, the scheduling management and control process selects a timeout restriction condition from the configuration options in the general detection configuration file; the timeout restriction condition specifically limits how long the core detection process may spend on detection. Configuring a timeout restriction avoids the subsequent detection of a particular sample file taking too long and improves detection efficiency.
Step S207: the scheduling management and control process creates a screen capture thread and/or a mouse simulation click thread.
Optionally, the scheduling management and control process creates a screen capture thread and/or a mouse simulation click thread. The screen capture thread takes screenshots of the screen of the server where the virtual machine is located; the captured screen images can be sent to the host outside the virtual machine by the communication agent process. The mouse simulation click thread simulates mouse clicks at random screen coordinates and simulates mouse clicks on particular controls.
Step S208: the scheduling management and control process creates the target detection configuration file for the sample file, starts the auxiliary detection process, and passes the storage path of the sample file to the auxiliary detection process as a parameter.
The scheduling management and control process reads the general detection configuration file, selects and configures its configuration options, and obtains the target detection configuration file for the sample file. The detection mode and the configured detection function points differ for different types of sample file, so the scheduling management and control process can create a customized target detection configuration file for each type of sample file. It then starts the auxiliary detection process and passes the storage path of the sample file to the auxiliary detection process as a command line parameter.
Step S209: the screen capture thread captures a screen image at predetermined time intervals and sends the captured screen image to the communication agent process in real time.
Step S210: the mouse simulation click thread simulates mouse clicks at random screen coordinates and simulates mouse clicks on particular controls.
Step S211: the auxiliary detection process initializes itself according to the target detection configuration file and uses the target detection configuration file to control the switch of each detection function point.
The auxiliary detection process initializes its own functions by parsing the command line parameters and the target detection configuration file. Specifically, the auxiliary detection process parses out basic information such as the sample file storage path, the detection mode, each detection function point and some other detection function configuration options, computes the MD5 of the sample file, and controls the switch of each detection function point. By means of the computed MD5 of the sample file, the sample data produced during subsequent detection can be associated with the task data; one sample file may correspond to multiple detection tasks. The sample data can also be associated by MD5 with trojan information, VT and the first-kill engine. In addition, the uniformly stored URL, trojan and APT class samples can be classified and displayed by MD5.
Step S212: the auxiliary detection process loads the driver of the core detection process to start the core detection process.
Step S213: the auxiliary detection process sends the relevant information of the sample file and the switch information of each detection function point by means of IO control codes.
The auxiliary detection process sends the relevant information of the sample file and the switch information of each detection function point to the core detection process by means of IO control codes, in order to turn on the monitoring of kernel-layer vulnerability exploitation behaviour.
Step S214: the auxiliary detection process starts the sample process, and the sample process runs the sample file.
Step S215: the core detection process performs initialization.
When the driver of the core detection process is loaded, the related data structure objects and variables required by the driver are initialized; these related data structure objects and variables are closely associated with each function detection point.
Step S216: the core detection process creates a log recording thread.
To make it easy to record the detection process, a log recording thread is created to record the logs produced during detection.
Step S217: the core detection process receives the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process by means of IO control codes.
The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the relevant information of the sample file and the switch information of each detection function point. According to the switch information of each detection function point, it turns on the monitoring of the corresponding detection function point.
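The exchange in steps S213 and S217 (sample information plus per-function-point switches carried in the buffer of an IO control code), modelled as an added user-mode C example; this is not the patent's driver code. The wire structure, the magic tag, the switch bit names, the error codes and the default timeout are assumptions; the patent only states that the information travels via IO control codes. The point the example adds is the validation the kernel side needs: the user-mode caller controls both the bytes and the declared length of the buffer, so the driver copies the structure out once, rejects a short buffer, rejects switch bits it does not know, and refuses a path that is not NUL-terminated within the field before using any of it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CFG_MAGIC       0x4B564443u   /* assumed tag so stray buffers are rejected */
#define CFG_VERSION     1u
#define MAX_SAMPLE_PATH 260

/* Switches for the detection function points (names are assumptions). */
enum {
    SW_SSDT_HOOKS      = 1u << 0,
    SW_HAL_TABLE_CHECK = 1u << 1,
    SW_PROCESS_CREATE  = 1u << 2,
    SW_FILE_PROTECT    = 1u << 3,
    SW_ALL_KNOWN       = (1u << 4) - 1
};

/* Wire layout of the input buffer carried by the IO control code (assumed). */
#pragma pack(push, 1)
typedef struct {
    uint32_t magic;
    uint32_t version;
    uint32_t switches;      /* bitmask of enabled function points */
    uint32_t timeout_sec;   /* timeout restriction condition, 0 = default */
    uint8_t  sample_md5[16];
    char     sample_path[MAX_SAMPLE_PATH];
} detect_config_in;
#pragma pack(pop)

typedef enum {
    CFG_OK = 0,
    CFG_ERR_SHORT,          /* input buffer shorter than the structure */
    CFG_ERR_MAGIC,
    CFG_ERR_VERSION,
    CFG_ERR_UNKNOWN_SWITCH,
    CFG_ERR_PATH            /* path not NUL-terminated inside the field */
} cfg_status;

typedef struct {
    uint32_t switches;
    uint32_t timeout_sec;
    char     sample_path[MAX_SAMPLE_PATH];
} detect_config;

/* Kernel side: validate every field of the caller-supplied buffer before use. */
cfg_status parse_detect_config(const void *buf, size_t len, detect_config *out)
{
    detect_config_in in;
    if (buf == NULL || len < sizeof in)
        return CFG_ERR_SHORT;
    memcpy(&in, buf, sizeof in);                 /* single copy: no double fetch */
    if (in.magic != CFG_MAGIC)
        return CFG_ERR_MAGIC;
    if (in.version != CFG_VERSION)
        return CFG_ERR_VERSION;
    if (in.switches & ~SW_ALL_KNOWN)
        return CFG_ERR_UNKNOWN_SWITCH;
    if (memchr(in.sample_path, '\0', sizeof in.sample_path) == NULL)
        return CFG_ERR_PATH;
    out->switches    = in.switches;
    out->timeout_sec = in.timeout_sec ? in.timeout_sec : 120;  /* assumed default */
    memcpy(out->sample_path, in.sample_path, sizeof out->sample_path);
    return CFG_OK;
}

/* User side (auxiliary detection process): build a well-formed request. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t switches, const char *path)
{
    detect_config_in in;
    if (cap < sizeof in)
        return 0;
    memset(&in, 0, sizeof in);
    in.magic = CFG_MAGIC;  in.version = CFG_VERSION;
    in.switches = switches;  in.timeout_sec = 60;
    strncpy(in.sample_path, path, sizeof in.sample_path - 1);
    memcpy(buf, &in, sizeof in);
    return sizeof in;
}

/* Constructed scenarios returning plain ints so the behaviour can be checked. */
int demo_good(void)             /* well-formed: switches come back as sent */
{
    uint8_t buf[sizeof(detect_config_in)];
    detect_config cfg;
    size_t n = build_request(buf, sizeof buf, SW_SSDT_HOOKS | SW_FILE_PROTECT,
                             "C:\\Temp\\sample.exe");
    return parse_detect_config(buf, n, &cfg) == CFG_OK ? (int)cfg.switches : -1;
}

int demo_short(void)            /* truncated buffer: must be rejected */
{
    uint8_t buf[sizeof(detect_config_in)];
    detect_config cfg;
    size_t n = build_request(buf, sizeof buf, SW_SSDT_HOOKS, "C:\\x.exe");
    return (int)parse_detect_config(buf, n - 1, &cfg);
}

int demo_unterminated(void)     /* path field full of 'A' with no NUL: must be rejected */
{
    uint8_t buf[sizeof(detect_config_in)];
    detect_config cfg;
    size_t n = build_request(buf, sizeof buf, SW_SSDT_HOOKS, "C:\\x.exe");
    memset(buf + offsetof(detect_config_in, sample_path), 'A', MAX_SAMPLE_PATH);
    return (int)parse_detect_config(buf, n, &cfg);
}
```

In a real Windows driver the `buf`/`len` pair would come from the IRP's system buffer and `InputBufferLength` for a buffered IOCTL; the validation order (length first, then every field) is what matters, since any field read before the length check is a read past the caller's buffer.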
Step S218: the core detection process performs vulnerability detection.
The vulnerabilities the core detection process can detect include URLs relating to malicious web pages and the related vulnerabilities, viruses, trojans and sample objects used in attacks. Sample objects also include 0-day, N-day and exposed-period 0-day vulnerabilities, website trojan-hanging information, important websites, follow-up of website trojan hanging, and so on. A 0-day is a vulnerability that has already been discovered (possibly without being disclosed) for which the vendor has not yet released a patch. Such vulnerabilities are exploited maliciously immediately after discovery; for example, a 0-day can be used to edit the registry, download files or run files. A sample object may take the form of a file, an executable program and so on; the invention is not limited in this respect.
Step S219: the log recording thread generates a log file from the detection result and stores the log file under the log directory.
A subsequent identification engine can read the log file, extract the required information from the logs inside the engine (static and dynamic), analyze and screen the detection result, and make basic rule judgments; there are up to several hundred rules in the background. The analysis, in short, combines static and dynamic log data and uses rules and association analysis to grade the harmfulness of the sample (black, white, grey). Screening mainly filters out samples that have hit the detected behaviour characteristics and samples with highly suspicious behaviour characteristics, and distributes the data according to the needs of different groups.
Step S220: during the above detection process, judge in real time whether the timeout restriction condition is met; if so, end the detection process, package the detection result into a detection result packet and send it to the communication agent process, so that the communication agent process sends the packet to the host outside the virtual machine.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment. Data exchange and file transfer with the host outside the virtual machine are realized by the communication agent process, and the scheduling management and control process and the auxiliary detection process assist the core detection process in detecting the sample file. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for suspicious samples; even if a suspicious sample does exploit a vulnerability, it causes no damage on the server side, which gives a safe and efficient kernel vulnerability detection mechanism. In this method, the scheduling management and control process selects a timeout restriction condition from the configuration options of the general detection configuration file; configuring the timeout restriction avoids the subsequent detection of a particular sample file taking too long and improves detection efficiency. The scheduling management and control process creates a screen capture thread and/or a mouse simulation click thread, so the image presented on the server screen can be passed to the host outside the virtual machine, whose user can check the progress and details of the detection process; the visualization effect is good.
Fig. 3 shows the flow of the kernel leak detection method based on virtual machine in accordance with another embodiment of the present invention Figure.The present embodiment is mainly the course of work of above-mentioned core detection procedure is described in detail, and describes core inspection in detail Survey process performs the particular content of Hole Detection.But it should be recognized that the method for the present embodiment is realize Hole Detection only Cube case, it can not rely on previous embodiment description environment and under the premise of realize.The method of the present embodiment is in virtual machine Run under sandbox isolation environment, as shown in figure 3, the method comprises the following steps:
Step S301: load the driver.
When the driver of the core detection process is loaded, the data structure objects and variables the driver needs are initialized. The process ID of at least one system process is recorded, and at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable) is recorded, for example the pointer value of HalQuerySystemInformation.
Step S302: receive the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process.
In this embodiment the user-layer process refers to the auxiliary detection process described in the above embodiment. The core detection process receives the various IO control codes sent by the auxiliary detection process, parses them, and obtains the relevant information of the sample file and the switch information of each detection function point.
Step S303: open the kernel-layer behavior monitoring master switch according to the switch information of each detection function point.
Step S304: when the system creates a new process, add the new process to the process creation record list.
When the system starts a sample process to run the sample file, the sample process is identified as a newly created process and is added to the process creation record list.
Step S305: detect each kernel-layer operation behavior of the new process.
This embodiment uses hooking to detect each kernel-layer operation behavior of the new process. Specifically, after the core detection process receives the IO control codes sent by the auxiliary detection process, it parses them, identifies the "kernel exploitation monitoring" flag and then, according to the data in the incoming buffer, selects and enters the corresponding dispatch routine. According to the relevant information of the sample file and the switch information of each detection function point, it hooks, in the SSDT (System Service Descriptor Table), the API specified for each function detection point together with NtQueryIntervalProfile.
Through the hooks, a custom function is executed before the system calls the specified API or NtQueryIntervalProfile, which realizes the detection of each kernel-layer operation behavior.
Step S306: generate a log file according to the detection result and store the log file under the log directory.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment. According to the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process, it opens the kernel-layer behavior monitoring master switch, monitors the processes the system creates, and detects each kernel-layer operation behavior of the new process. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample: even if the suspicious sample does contain a vulnerability, it cannot damage the server side, which gives a safe and efficient kernel vulnerability detection mechanism.
Fig. 4 shows a flow chart of the virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This embodiment further elaborates the working process of the core detection process on the basis of the method shown in Fig. 3. As shown in Fig. 4, the method comprises the following steps:
Step S401: load the driver.
When the driver of the core detection process is loaded, the data structure objects and variables the driver needs are initialized. The process ID of at least one system process is recorded, and at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable) is recorded, for example the pointer value of HalQuerySystemInformation.
Step S402: create the log-record thread.
To facilitate recording of the detection process, a log-record thread is created to record the logs produced during detection.
Step S403: receive, via IO control codes, the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process.
In this embodiment the user-layer process refers to the auxiliary detection process described in the above embodiment. The core detection process receives the various IO control codes sent by the auxiliary detection process, parses them, and obtains the relevant information of the sample file and the switch information of each detection function point.
Specifically, by parsing the IO control codes the core detection process identifies the "kernel exploitation monitoring" flag and then, according to the data in the incoming buffer, selects and enters the corresponding dispatch routine.
Step S404: according to the relevant information of the sample file and the switch information of each detection function point, hook in the SSDT the API specified for each function detection point together with NtQueryIntervalProfile.
This embodiment detects each kernel-layer operation behavior of the new process by hooking. According to the relevant information of the sample file and the switch information of each detection function point, the API specified for each function detection point and NtQueryIntervalProfile are hooked in the SSDT. The hooked APIs are specifically the key NTAPI functions for operations on memory, privileges, the registry, processes/threads, files, and so on. In addition, a process creation notification routine is set, so that when the system creates a new process the process creation notification routine is entered to perform the associated operations.
Step S405: open the kernel-layer behavior monitoring master switch according to the switch information of each detection function point.
Step S406: when the system creates a new process, add the new process to the process creation record list.
When the system creates a new process, the process creation notification routine is entered first; in this routine the attribute values of the newly created process are recorded, for example Privileges, UserSID and OwnerSID. The new process is then added to the process creation record list.
Step S407: detect each kernel-layer operation behavior of the new process.
When the new process calls NtQueryIntervalProfile, it is first judged whether the new process is in the process creation record list; if not, the new process is added to the list. When the new process calls one of the aforementioned specified APIs, the same judgment is made and, if the new process is not in the process creation record list, it is added.
Having ensured that the new process has been added to the process creation record list, hooking is used to detect each kernel-layer operation behavior of the new process, specifically in the following embodiments:
(1) HalDispatchTable detection
Using the hook, before NtQueryIntervalProfile is called, at least one key function pointer value stored in HalDispatchTable is obtained and compared with the at least one key function pointer value of HalDispatchTable recorded during driver loading; if any pointer value comparison is inconsistent, the new process is detected as having privilege-escalation behavior.
(2) Token replacement detection
Using the hook, before the corresponding specified API is called, the EPROCESS structure address of at least one system process is obtained from the process ID of that system process recorded during driver loading, and the EPROCESS structure address of the new process is obtained at the same time. The pointer value of the Token field in the EPROCESS structure of the new process is compared with the pointer value of the Token field in the EPROCESS structure of each of the at least one system process; if the Token pointer value of the new process is equal to that of one of the system processes, the new process is detected as having privilege-escalation behavior.
Here the specified API can be: process creation (NtCreateUserProcess); creating and reading/writing memory in other processes (NtAllocateVirtualMemory/NtProtectVirtualMemory/NtReadVirtualMemory/NtWriteVirtualMemory); opening other processes/threads (NtOpenThread/NtOpenProcess/NtSetContextThread); registry read/write; file read/write; and so on.
(3) Token attribute value detection
Using the hook, before the corresponding specified API is called, the attribute values of the new process are obtained and compared with the attribute values of the new process recorded in the process creation notification routine; if the comparison is inconsistent, the new process is detected as having privilege-escalation behavior.
In the specific comparison, the Privileges, TokenUser and/or TokenOwner of the new process obtained are compared with the Privileges, TokenUser and/or TokenOwner of the new process recorded in the process creation notification routine; if any one of these comparisons is inconsistent, the new process is detected as having privilege-escalation behavior.
Here the specified API refers to the functions related to the Token.
(4) Token attribute null detection
Using the hook, before the corresponding specified API is called, it is queried whether the ACL of the Token field in the EPROCESS structure of the new process is set to null; if so, the new process is detected as having privilege-escalation behavior.
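Detections (1) to (4) above all reduce to comparisons between values snapshotted at driver load or at process creation and the values observed inside a hook, just before the original service runs. The following C program is an added example, not code from the patent or its applicant. It models HalDispatchTable and EPROCESS with constructed, simplified stand-ins (`hal_table_t`, `eprocess_t` and `token_attrs_t` are hypothetical names, not the real Windows layouts) and runs the four checks over a clean sample and over a sample whose table entry, token pointer and privileges have been altered:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel objects the detections inspect.
 * These are hypothetical layouts for illustration, not the real Windows
 * HalDispatchTable or EPROCESS definitions. */
#define HAL_ENTRIES 4
typedef uintptr_t hal_table_t[HAL_ENTRIES];

typedef struct {
    unsigned long privileges;  /* privilege mask recorded at process creation */
    unsigned long user_sid;    /* stand-in for the TokenUser SID */
    unsigned long owner_sid;   /* stand-in for the TokenOwner SID */
} token_attrs_t;

typedef struct {
    unsigned long pid;
    uintptr_t     token_ptr;   /* value of the Token field of EPROCESS */
    const void   *token_acl;   /* ACL of the token; NULL models "set to null" */
    token_attrs_t attrs;       /* token attributes as currently observed */
} eprocess_t;

/* Bit flags naming which detection fired. */
enum { DET_HAL = 1, DET_TOKEN_SWAP = 2, DET_TOKEN_ATTRS = 4, DET_TOKEN_ACL = 8 };

/* (1) HalDispatchTable: compare the pointer values saved at driver load
 * with the ones seen just before NtQueryIntervalProfile runs. */
bool hal_table_tampered(const hal_table_t baseline, const hal_table_t current) {
    for (size_t i = 0; i < HAL_ENTRIES; i++)
        if (baseline[i] != current[i]) return true;
    return false;
}

/* (2) Token replacement: the new process carrying the same Token pointer
 * as a recorded system process means its token was swapped. */
bool token_swapped(const eprocess_t *np, const eprocess_t *sys, size_t nsys) {
    for (size_t i = 0; i < nsys; i++)
        if (np->token_ptr == sys[i].token_ptr) return true;
    return false;
}

/* (3) Token attributes: Privileges/TokenUser/TokenOwner must still match
 * what the process-creation notify routine recorded. */
bool token_attrs_changed(const token_attrs_t *recorded, const token_attrs_t *now) {
    return recorded->privileges != now->privileges ||
           recorded->user_sid   != now->user_sid   ||
           recorded->owner_sid  != now->owner_sid;
}

/* (4) Token ACL set to null. */
bool token_acl_null(const eprocess_t *np) { return np->token_acl == NULL; }

/* Run all four checks for one new process and return the set of hits. */
int detect_privesc(const hal_table_t baseline, const hal_table_t current,
                   const eprocess_t *np, const token_attrs_t *recorded,
                   const eprocess_t *sys, size_t nsys) {
    int hits = 0;
    if (hal_table_tampered(baseline, current))     hits |= DET_HAL;
    if (token_swapped(np, sys, nsys))              hits |= DET_TOKEN_SWAP;
    if (token_attrs_changed(recorded, &np->attrs)) hits |= DET_TOKEN_ATTRS;
    if (token_acl_null(np))                        hits |= DET_TOKEN_ACL;
    return hits;
}

/* Constructed scenario: one system process, and a sample process that is
 * either untouched or has copied the system token and raised its privileges. */
static const hal_table_t   g_baseline = {0x1000, 0x1010, 0x1020, 0x1030};
static const eprocess_t    g_system[] = {{4, 0xAAAA0000, "acl", {0x00FF, 18, 18}}};
static const token_attrs_t g_recorded_sample = {0x0001, 1001, 1001};
static const eprocess_t    g_sample_clean = {1234, 0xBBBB0000, "acl", {0x0001, 1001, 1001}};
static const eprocess_t    g_sample_bad   = {1234, 0xAAAA0000, "acl", {0x00FF, 18, 18}};

int sample_clean_hits(void) {
    return detect_privesc(g_baseline, g_baseline, &g_sample_clean,
                          &g_recorded_sample, g_system, 1);
}

int sample_bad_hits(void) {
    hal_table_t patched;
    memcpy(patched, g_baseline, sizeof patched);
    patched[0] = 0xDEAD;   /* constructed: one table entry overwritten */
    return detect_privesc(g_baseline, patched, &g_sample_bad,
                          &g_recorded_sample, g_system, 1);
}

int main(void) {
    printf("clean sample: hits=0x%x\n", sample_clean_hits());
    printf("bad sample:   hits=0x%x\n", sample_bad_hits());
    return 0;
}
```

In a real driver these comparisons run inside the SSDT hook handlers before the original service is invoked. The snapshot taken at driver load is the only reference, so a value that was already modified before the driver loaded would not be flagged; loading the driver before any sample runs, as steps S401 to S406 order it, is what makes the baseline trustworthy.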
(5) Kernel ROP (Return Oriented Programming, a newer attack based on code reuse) detection
Kernel ROP in common use today is employed to disable SMEP (Supervisor Mode Execution Protection) or to modify the CR4 register. This method uses the hook so that, before the call stack operates on the CR4 register, it checks whether the call stack is one that is permitted to invoke CR4-modifying instructions, or detects whether the call stack invokes an instruction that disables SMEP; if so, the new process is detected as having privilege-escalation behavior.
(6) Bitmap exploitation detection
For the behavior of using a Bitmap to convert a conditional kernel address write into an arbitrary kernel address read/write, this behavior is detected; if it is present, the new process is detected as having privilege-escalation behavior.
Step S408: generate a log file according to the detection result and store the log file under the log directory.
Trace logs are generated in a preset format and inserted into the log buffer list. The log-record thread continuously checks whether a new log has been inserted into the log buffer list; if so, it appends the new log to the log file at the path specified in the configuration options and releases the node of that log in the log buffer list.
This scheme generates trace logs in a cached manner: the logs produced by detection are held temporarily in the log buffer list, and the log-record thread polls the log buffer list and processes each log node in turn in FIFO (first in, first out) order, appending the log content to the log file. After the detection completes, the external scheduling module obtains and processes the log file.
The trace data of this scheme includes environment and file basic information, detection function point trigger data, and so on. Environment and file basic information is output in the form of a sequential log, and detection function point trigger data is output in the form of a behavior log. Environment and file basic information includes the MD5 of the sample process file, the sample file path, and the names and file versions of the main system modules. For HalDispatchTable detection, the detection function point trigger data includes: process ID, thread ID, the name of the tampered function, the pointer value after tampering, and the hooked API at which it was detected (NtQueryIntervalProfile). For Token replacement detection, the trigger data includes: process ID, thread ID, Token address, the name of the matched system process, and the hooked API at which it was detected. For Token attribute value detection, the trigger data includes: process ID, thread ID, the Privileges mask description sequence, UserSID, OwnerSID, and the hooked API at which it was detected. The detection function point trigger data of the other detection modes is similar and is not repeated here.
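The buffered logging just described (detection paths insert records into a log buffer list, a log-record thread drains it in FIFO order and releases each node once written) together with two of the trigger record formats above, as an added C example that is not the patent's code. The flush target is an in-memory buffer standing in for the append-mode log file, and the record field names and the 256-byte line limit are constructed:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A queued trace record. The 256-byte line limit is a constructed choice. */
typedef struct log_node {
    char line[256];
    struct log_node *next;
} log_node_t;

/* Singly linked FIFO: detection paths append at the tail and the log-record
 * thread drains from the head, so records leave in insertion order. */
typedef struct {
    log_node_t *head, *tail;
    size_t count;
} log_queue_t;

void log_queue_init(log_queue_t *q) { q->head = q->tail = NULL; q->count = 0; }

/* Append one preformatted line. Returns 0 on success, -1 if allocation fails. */
int log_enqueue(log_queue_t *q, const char *line) {
    log_node_t *n = malloc(sizeof *n);
    if (!n) return -1;
    snprintf(n->line, sizeof n->line, "%s", line);
    n->next = NULL;
    if (q->tail) q->tail->next = n; else q->head = n;
    q->tail = n;
    q->count++;
    return 0;
}

/* Trigger record for HalDispatchTable detection: process id, thread id,
 * tampered function name, pointer value after tampering, hooked API. */
int log_hal_trigger(log_queue_t *q, unsigned long pid, unsigned long tid,
                    const char *func, unsigned long long new_ptr, const char *api) {
    char buf[256];
    snprintf(buf, sizeof buf, "HalDispatchTable pid=%lu tid=%lu func=%s newptr=0x%llx api=%s",
             pid, tid, func, new_ptr, api);
    return log_enqueue(q, buf);
}

/* Trigger record for Token replacement detection: process id, thread id,
 * token address, matched system process name, hooked API. */
int log_token_trigger(log_queue_t *q, unsigned long pid, unsigned long tid,
                      unsigned long long token_addr, const char *sys_name, const char *api) {
    char buf[256];
    snprintf(buf, sizeof buf, "TokenReplace pid=%lu tid=%lu token=0x%llx hit=%s api=%s",
             pid, tid, token_addr, sys_name, api);
    return log_enqueue(q, buf);
}

/* Drain in FIFO order into `out` (stands in for the append-mode log file),
 * freeing each node once written. A record that does not fit stays queued
 * for the next poll. Returns the number of records written. */
size_t log_queue_flush(log_queue_t *q, char *out, size_t cap) {
    size_t used = 0, written = 0;
    if (cap) out[0] = '\0';
    while (q->head) {
        log_node_t *n = q->head;
        size_t len = strlen(n->line);
        if (used + len + 2 > cap) break;        /* line + '\n' + NUL must fit */
        memcpy(out + used, n->line, len);
        out[used + len] = '\n';
        used += len + 1;
        out[used] = '\0';
        q->head = n->next;
        if (!q->head) q->tail = NULL;
        free(n);
        q->count--;
        written++;
    }
    return written;
}

/* Release anything still queued (e.g. at driver unload). */
void log_queue_free(log_queue_t *q) {
    while (q->head) { log_node_t *n = q->head; q->head = n->next; free(n); }
    q->tail = NULL;
    q->count = 0;
}

/* Constructed scenario: two triggers queued, then one poll of the log thread.
 * Returns records written; *remaining receives the count left queued. */
size_t demo_flush(char *out, size_t cap, size_t *remaining) {
    log_queue_t q;
    log_queue_init(&q);
    log_hal_trigger(&q, 1234, 5678, "HalQuerySystemInformation", 0xDEADBEEFULL, "NtQueryIntervalProfile");
    log_token_trigger(&q, 1234, 5678, 0xAAAA0000ULL, "System", "NtCreateUserProcess");
    size_t n = log_queue_flush(&q, out, cap);
    *remaining = q.count;
    log_queue_free(&q);
    return n;
}

int main(void) {
    char out[1024];
    size_t left;
    size_t n = demo_flush(out, sizeof out, &left);
    printf("%zu records written, %zu left\n%s", n, left, out);
    return 0;
}
```

In the driver the producer runs in the hook handlers and the consumer in the log-record thread, so the head/tail updates need a lock or a lock-free list; the single-threaded version here only shows the ordering and the release-after-write discipline.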
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment. According to the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process, it opens the kernel-layer behavior monitoring master switch, monitors the processes the system creates, and detects each kernel-layer operation behavior of the new process. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample: even if the suspicious sample does contain a vulnerability, it cannot damage the server side, which gives a safe and efficient kernel vulnerability detection mechanism. The method sets a hook function, by hooking, for the API corresponding to each detection function point provided by the user-layer process, and performing the detection operation before the API is called can promptly and effectively find problems such as privilege escalation and exploitation, improving the efficiency of kernel vulnerability detection.
Fig. 5 shows a flow chart of the virtual-machine-based kernel vulnerability detection process protection method according to an embodiment of the invention. The method provided by this embodiment is mainly used to protect the address space of the detection processes running in the virtual machine sandbox isolation environment, preventing a malicious sample process that has escaped the sandbox from accessing, releasing or leaking it, so that confidential information is not stolen. As shown in Fig. 5, the method comprises the following steps:
Step S501: obtain the relevant information of each detection subprocess and write the relevant information of each detection subprocess into the process filter list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant fields in the target detection configuration file, parses them to obtain the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process IDs of the detection subprocesses to the core detection process via IO control codes.
The core detection process receives the process ID of each detection subprocess sent by the auxiliary detection process (the user-layer process) via IO control codes. Specifically, after receiving the IO control code marked "process ID filtering", the core detection process takes the process ID transmitted this time from the input buffer and obtains the relevant information of the detection subprocess from the process ID. In this method the relevant information can specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, the core detection process writes the EPROCESS structure address of each detection subprocess into the process filter list.
Step S502: using the hook, before the specified API is called, obtain the relevant information of the current context process and the relevant information of the operation target process.
This method hooks the specified APIs for operations on processes, threads and memory address space; after the specified API is hooked, steps S502 to S504 are implemented in the hook function. In step S502 the EPROCESS structure address of the current context process and the EPROCESS structure address of the operation target process are obtained.
Step S503: judge whether the relevant information of the operation target process is recorded in the process filter list and the relevant information of the current context process is not recorded in the process filter list; if so, perform step S504; if not, perform step S505.
Alternatively, it is judged whether the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not recorded in the process filter list.
Step S504: terminate the call to the specified API.
If the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not, this shows that some other process is attempting to access a detection subprocess and must be blocked; for example, an access-denied status code is returned and the call to the specified API is terminated.
Step S505: continue to call the specified API and return the return value of the specified API to the caller.
If the EPROCESS structure address of the operation target process is not recorded in the process filter list, or the EPROCESS structure address of the current context process is recorded in the process filter list, the specified API continues to be called and its return value is returned to the caller.
According to the virtual-machine-based kernel vulnerability detection process protection method provided by this embodiment, the relevant information of each detection subprocess is written into the process filter list; before the specified API is called, the hook obtains the relevant information of the current context process and of the operation target process, matches both against the process filter list, and decides whether to terminate the call to the specified API. With this method the address space of the detection processes running in the virtual machine sandbox isolation environment can be protected against access by a malicious sample process that has escaped the sandbox, confidential information is not stolen, and the security of kernel vulnerability detection in the virtual machine sandbox isolation environment is improved.
Fig. 6 shows a flow chart of the virtual-machine-based kernel vulnerability detection file protection method according to an embodiment of the invention. The method provided by this embodiment is mainly used to protect the detection files produced during the detection process, such as log files, preventing a malicious sample process that has escaped the sandbox from accessing, tampering with, encrypting or destroying them, so that detection does not fail or produce abnormal results because of this, and the stability and performance of the sandbox system are maintained. As shown in Fig. 6, the method comprises the following steps:
Step S601: obtain the relevant information of each detection subprocess and write the relevant information of each detection subprocess into the process filter list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant fields in the target detection configuration file, parses them to obtain the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process IDs of the detection subprocesses to the core detection process via IO control codes.
The core detection process receives the process ID of each detection subprocess sent by the auxiliary detection process (the user-layer process) via IO control codes. Specifically, after receiving the IO control code marked "process ID filtering", the core detection process takes the process ID transmitted this time from the input buffer and obtains the relevant information of the detection subprocess from the process ID. In this method the relevant information can specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, the core detection process writes the EPROCESS structure address of each detection subprocess into the process filter list.
Step S602: obtain the store path information of the detection files and write the store path information of the detection files into the private directory list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant fields in the target detection configuration file, parses them to obtain the store paths of one or more detection files, and sends the store path of each detection file to the core detection process via IO control codes.
The core detection process receives the store path of each detection file sent by the auxiliary detection process (the user-layer process) via IO control codes. Specifically, after receiving the IO control code marked "private directory", the core detection process takes the store path of the detection file transmitted this time from the input buffer, constructs a string from the store path of the detection file as the store path information of the detection file, and writes the store path information of the detection file into the private directory list.
Step S603: when a file access operation occurs, judge whether the store path information of the file access object is recorded in the private directory list.
In this embodiment the protection of detection files is mainly realized in the function bodies of the IRP dispatch functions. For example, in the bodies of the dispatch functions for READ, WRITE, CREATE, SET_INFORMATION, DIRECTORY_CONTROL and so on, it is judged whether the store path information of the file access object is recorded in the private directory list; if so, step S604 is performed; if not, step S606 is performed.
Step S604: judge whether the relevant information of the current context process is recorded in the process filter list.
If the store path information of the file access object is recorded in the private directory list, it is further judged whether the relevant information of the current context process is recorded in the process filter list; specifically, whether the EPROCESS structure address of the current context process is recorded in the process filter list. If so, step S606 is performed; if not, step S605 is performed.
Step S605: if the relevant information of the current context process is not recorded in the process filter list, refuse the file access operation.
If the store path information of the file access object is recorded in the private directory list and the relevant information of the current context process is not recorded in the process filter list, this shows that some other process is attempting to access a detection file; the IRP is then not dispatched further down and the file access operation is refused.
Step S606: if the store path information of the file access object is not recorded in the private directory list, or the relevant information of the current context process is recorded in the process filter list, continue to respond to the file access operation.
If the store path information of the file access object is not recorded in the private directory list, what is being accessed is not a detection file needing protection, so the IRP continues to be dispatched downward and the file access operation is served. If the store path information of the file access object is recorded in the private directory list and the relevant information of the current context process is recorded in the process filter list, a detection subprocess is accessing a detection file, so the IRP continues to be dispatched downward and the file access operation is served.
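The access decisions of Fig. 5 (steps S503 to S505) and of Fig. 6 (steps S603 to S606) both reduce to membership tests against the process filter list and the private directory list: block when the target is protected and the caller is not itself a detection subprocess. The following C program is an added example, not code from the patent. Processes are identified by constructed EPROCESS addresses, and the private directory match is implemented as a directory-prefix match on the path string, which is an assumption here (the patent only says the store path is recorded as a string); the `protect_lists_t` type and all sample values are constructed:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in: a process is identified by its EPROCESS address. */
typedef uintptr_t eprocess_addr_t;

#define MAX_ENTRIES 16
typedef struct {
    eprocess_addr_t procs[MAX_ENTRIES];  /* process filter list: detection subprocesses */
    size_t nprocs;
    const char *dirs[MAX_ENTRIES];       /* private directory list: detection file paths */
    size_t ndirs;
} protect_lists_t;

typedef enum { ACCESS_ALLOW = 0, ACCESS_DENY = 1 } access_t;

/* Population, as done when the "process ID filtering" and "private
 * directory" IO control codes arrive. Return -1 when a list is full. */
int add_filter_process(protect_lists_t *l, eprocess_addr_t p) {
    if (l->nprocs >= MAX_ENTRIES) return -1;
    l->procs[l->nprocs++] = p;
    return 0;
}

int add_private_dir(protect_lists_t *l, const char *dir) {
    if (l->ndirs >= MAX_ENTRIES) return -1;
    l->dirs[l->ndirs++] = dir;
    return 0;
}

bool in_process_filter(const protect_lists_t *l, eprocess_addr_t p) {
    for (size_t i = 0; i < l->nprocs; i++)
        if (l->procs[i] == p) return true;
    return false;
}

/* Assumed rule: a path is "recorded" if it equals a private directory or
 * lies beneath it. The separator check stops "C:\detect\logs" from matching
 * the entry "C:\detect\log". */
bool in_private_dirs(const protect_lists_t *l, const char *path) {
    for (size_t i = 0; i < l->ndirs; i++) {
        size_t n = strlen(l->dirs[i]);
        if (strncmp(path, l->dirs[i], n) == 0 && (path[n] == '\0' || path[n] == '\\'))
            return true;
    }
    return false;
}

/* Fig. 5, steps S503-S505: deny when the operation target is a detection
 * subprocess and the current context process is not one. */
access_t check_process_access(const protect_lists_t *l, eprocess_addr_t caller,
                              eprocess_addr_t target) {
    if (in_process_filter(l, target) && !in_process_filter(l, caller))
        return ACCESS_DENY;
    return ACCESS_ALLOW;
}

/* Fig. 6, steps S603-S606: deny when the file access object is under a
 * private directory and the current context process is not a detection
 * subprocess; everything else is passed down the IRP stack. */
access_t check_file_access(const protect_lists_t *l, eprocess_addr_t caller,
                           const char *path) {
    if (in_private_dirs(l, path) && !in_process_filter(l, caller))
        return ACCESS_DENY;
    return ACCESS_ALLOW;
}

/* Constructed lists: two detection subprocesses and two private directories. */
void build_demo_lists(protect_lists_t *l) {
    memset(l, 0, sizeof *l);
    add_filter_process(l, 0xA000);          /* e.g. auxiliary detection process */
    add_filter_process(l, 0xA100);          /* e.g. core detection process */
    add_private_dir(l, "C:\\detect\\log");
    add_private_dir(l, "C:\\detect\\temp");
}

int main(void) {
    protect_lists_t l;
    build_demo_lists(&l);
    printf("sample -> detector:      %s\n",
           check_process_access(&l, 0xB000, 0xA000) == ACCESS_DENY ? "deny" : "allow");
    printf("sample -> log file:      %s\n",
           check_file_access(&l, 0xB000, "C:\\detect\\log\\run.log") == ACCESS_DENY ? "deny" : "allow");
    printf("detector -> log file:    %s\n",
           check_file_access(&l, 0xA100, "C:\\detect\\log\\run.log") == ACCESS_DENY ? "deny" : "allow");
    return 0;
}
```

In a real filter the path the IRP carries must be normalized before matching (case, device and volume prefixes, short names, hard links), otherwise an alternate spelling of the same file bypasses the list; the prefix match above assumes the path has already been canonicalized to the same form that was recorded.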
According to the kernel Hole Detection document protection method based on virtual machine that the present embodiment is provided, by each detection subprocess Relevant information write-in process filter list in, in detecting that the store path information of file writes privately owned catalogue list, work as product During raw file access operation, by the store path information of file access object and the relevant information point when front upper and lower background text process Not with process filter list and privately owned directory name is single-phase matches, determine whether to refuse file access operation.Using this method, can protect The detection file produced under virtual machine sandbox isolation environment is protected, prevent from being accessed, distorted by the malice sample process that sandbox is escaped, Encryption is damaged, it is to avoid therefore caused detection failure or results abnormity, safeguard the stabilization and performance of sandbox system.
Fig. 7 shows the functional block of the kernel Hole Detection device based on virtual machine according to an embodiment of the invention Figure.The present apparatus is specifically to be run under server end virtual machine sandbox isolation environment, for being carried out for the sample file specified Dynamic kernel vulnerability exploit detection.As shown in fig. 7, the device includes:Communication agent module 701, scheduling management and control module 702, Auxiliary detection module 703, core detection module 704.
Communication agent module 701, is suitable to start communication agent process, communication agent process is monitored designated port, waits And detection bag and sample file that virtual machine external host is transmitted are received, detection bag is respectively stored into detection mesh with sample file Under record and temp directory.The process that communication agent process is responsible for virtual machine external host carries out data interaction, file is transmitted. When service end VME operating system is started shooting, the self-starting therewith of communication agent process.Communication agent process monitors designated port, Wait and receive the detection bag and sample file of the associated process transmission of virtual machine external host.Communication agent process is wrapped to detection Decompression operations are carried out, the file storage for obtaining will be decompressed and arrived under detection catalogue;In addition, communication agent process stores sample file To under temp directory.Then, communication agent thread starts the scheduling management and control process in detection bag.
Scheduling management and control module 702, is suitable to start the scheduling management and control process in detection bag, scheduling management and control process is obtained sample File store path, recognize sample file type, according to it is general detection configuration file in config option selection detection pattern and Each detection function point, to create the target detection configuration file for the sample file.After management and control process initiation is dispatched, Scheduling management and control process obtains sample file store path, recognizes sample file type.Then, scheduling management and control process reads itself and closes The general detection configuration file of connection, according to sample file type selecting detection pattern and each detection function point, initializes itself each Function, creates the target detection configuration file for sample file.Then, scheduling management and control process initiation auxiliary detection procedure, and The store path (can be URL) of sample file is passed into auxiliary detection procedure by way of parameter.
Auxiliary detection module 703, is suitable to start auxiliary detection procedure, auxiliary detection procedure is configured text using target detection The switch of each detection function point of part control.After auxiliary detection procedure starts, auxiliary detection procedure is configured according to target detection File is initialized, and loads the driver of core detection procedure, and each detection function is controlled using target detection configuration file The switch of point.
Core detection module 704, is suitable to start core detection procedure, core detection procedure is received auxiliary detection procedure and sends out The switching information of the relevant information of the sample file for sending and each detection function point, performs Hole Detection, is given birth to according to testing result Into journal file, by under journal file storage to Log Directory.The driving journey of core detection procedure is loaded in auxiliary detection procedure After sequence, core detection procedure starts.Core detection procedure receive auxiliary detection procedure send sample file relevant information with And the switching information of each detection function point, perform initialization operation.Then, according to sample file relevant information and each detection The switching information of function point performs the detection of sample file, and journal file is generated according to testing result, and journal file storage is arrived Under Log Directory.
Communication agent module 701 is further adapted for:Make communication agent process creation message communicating thread, set up and the tune Communication connection between degree management and control process.After management and control process initiation is dispatched, communication agent process creation message communicating thread can Selection of land, communication connection is set up by RPC with scheduling management and control process.Using the communication connection, subsequently received can be come from The message packets for dispatching management and control process are forwarded to virtual machine external host in real time.
Scheduling management and control module 702 is further adapted for:Make scheduling management and control process creation screen interception thread, at predetermined time intervals Screen printing image;Using the communication connection for dispatching foundation between management and control process and communication agent process, the screen map that will be intercepted As being sent to the communication agent process in real time.
Communication agent module 701 is further adapted for:Make communication agent process that the screen picture of the interception is sent into void Plan machine external host.
Scheduling management and control module 702 is further adapted for:Scheduling management and control process creation mouse emulation is clicked on thread, be directed at random Screen coordinate analog mouse clicking operation, and for particular control analog mouse clicking operation.
Scheduling control module 702 is further adapted to make the scheduling control process select a timeout condition according to the configuration options in the general detection configuration file. During detection of the sample file it judges whether the timeout condition is met; if so, it ends the detection process, packages the detection result into a packet and sends it to the communication agent process, which sends the packet to the host outside the virtual machine.
Core detection module 704 is further adapted to make the core detection process receive the sample-file information and the switch information of each detection function point that the auxiliary detection process sends by means of IO control codes.
The virtual-machine-based kernel vulnerability detection device provided in this embodiment runs in a virtual machine sandbox isolation environment. Data interaction and file transfer with the host outside the virtual machine are realized by the communication agent process, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The device isolates kernel vulnerability detection from the outside and provides a closed detection environment for suspicious samples, so that even if a suspicious sample really contains an exploit it cannot damage the server side; this provides a safe and efficient kernel vulnerability detection mechanism. In the device, the scheduling control process selects a timeout condition according to the configuration options in the general detection configuration file; configuring a timeout condition prevents the detection of a particular sample file from running for a long time and improves detection efficiency. The scheduling control process creates a screen capture thread and/or a mouse-simulation click thread, so that the image shown on the server screen can be passed to the host outside the virtual machine, where the user can view the progress and details of the detection process; the visualization effect is good.
Fig. 8 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection device according to another embodiment of the present invention. The device runs in a virtual machine sandbox isolation environment and, as shown in Fig. 8, includes: loading module 801, receiving module 802, starting module 803, adding module 804, detection module 805 and log storage module 806.
Loading module 801 is adapted to load the driver. When loading the driver, loading module 801 initializes the data structure objects and variables the driver needs, records the process ID of at least one system process, and records at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable), for example the function pointer value of HalQuerySystemInformation.
Receiving module 802 is adapted to receive the sample-file information and the switch information of each detection function point sent by the user-layer process. In this embodiment, the user-layer process refers to the auxiliary detection process described in the above embodiment. Receiving module 802 receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the sample-file information and the switch information of each detection function point. Specifically, by parsing the IO control code it recognizes the "kernel exploitation monitoring" mark and then, according to the data in the incoming buffer (Buffer), selects the corresponding dispatch handler routine.
Starting module 803 is adapted to turn on the kernel-layer behavior monitoring master switch according to the switch information of each detection function point.
Adding module 804 is adapted to add a new process to the process creation record list when the system creates it.
Detection module 805 is adapted to detect each kernel-layer operation behavior of the new process.
Log storage module 806 is adapted to generate a log file according to the detection result and store it under the log directory.
Further, the device also includes hook configuration module 807, which is adapted to hook in the SSDT, according to the sample-file information and the switch information of each detection function point, the specified APIs for each function detection point and NtQueryIntervalProfile. The device detects each kernel-layer operation behavior of the new process by hooking: according to the sample-file information and the switch information of each detection function point, the specified APIs for each function detection point and NtQueryIntervalProfile are hooked in the SSDT. The hooked APIs are specifically the key NTAPIs for operations on memory, privileges, the registry, processes/threads and files.
Further, the device also includes routine setting module 808, which is adapted to set a process creation notification routine and to record, in that routine, the attribute values of the newly created process. When the system creates a new process, routine setting module 808 records in the process creation notification routine the attribute values of the created process, for example Privileges, UserSID and OwnerSID.
The above detection module 805 is further adapted to use the hook to obtain, before NtQueryIntervalProfile is called, at least one key function pointer value stored in the HAL dispatch table; to compare the obtained pointer value(s) with the pointer value(s) of the HAL dispatch table recorded while the driver was being loaded; and, if any key function pointer value is inconsistent, to detect that the new process exhibits privilege escalation behavior.
The above detection module 805 is further adapted to use the hook to obtain, before the corresponding specified API is called, the EPROCESS structure address of the at least one system process according to the process ID recorded while the driver was being loaded, and at the same time obtain the EPROCESS structure address of the new process; to compare the pointer value of the Token field in the EPROCESS structure of the new process with the pointer value of the Token field in the EPROCESS structure of the at least one system process; and, if the pointer value of the Token field of the new process is identical to the pointer value of the Token field of one of the system processes, to detect that the new process exhibits privilege escalation behavior.
The above detection module 805 is further adapted to use the hook to obtain, before the corresponding specified API is called, the attribute values of the new process; to compare them with the attribute values of the new process recorded in the process creation notification routine; and, if they are inconsistent, to detect that the new process exhibits privilege escalation behavior.
The above detection module 805 is further adapted to compare the obtained Privileges, TokenUser and/or TokenOwner of the new process with the Privileges, UserSID and/or OwnerSID of the new process recorded in the process creation notification routine.
The above detection module 805 is further adapted to use the hook to query, before the corresponding specified API is called, whether the ACL in the Token field of the EPROCESS structure of the new process has been set to null; if so, it detects that the new process exhibits privilege escalation behavior.
The above detection module 805 is further adapted to use the hook to check, before an operation on the CR4 register is performed in a call stack, whether that call stack is one permitted to call CR4-modifying instructions, or to detect whether the call stack calls an instruction that disables SMEP; if so, it detects that the new process exhibits privilege escalation behavior.
The above detection module 805 is further adapted to detect whether there is behavior that converts a conditional kernel address write operation into an arbitrary kernel address read/write operation; if so, it detects that the new process exhibits privilege escalation behavior.
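The pre-call checks of detection module 805 (HAL dispatch table baseline, Token pointer reuse, token attribute drift, cleared ACL), as an added user-space model in C that is not the patent's driver code. The structures are simplified stand-ins for EPROCESS, TOKEN and HalDispatchTable, the field names are assumptions, and all sample values are constructed.

```c
/* Added example (not the patent's code): a user-space model of the
   privilege-escalation checks run before a hooked API is called. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HAL_SLOTS 4           /* HalDispatchTable entries snapshotted at load */
#define MAX_SYSTEM_PROCS 8

/* Simplified stand-ins for the kernel objects the checks look at. */
typedef struct {
    void *default_dacl;       /* NULL models "ACL in the Token set to null" */
} token_t;

typedef struct {
    uint32_t pid;
    token_t *token;           /* models the EPROCESS->Token field pointer */
} eprocess_t;

/* Attribute values recorded by the process creation notification routine
   (Privileges / UserSID / OwnerSID); SIDs are reduced to integers here. */
typedef struct { uint64_t privileges; uint32_t user_sid; uint32_t owner_sid; } proc_attrs_t;

/* Baseline captured while the driver is loaded (loading module 801). */
typedef struct {
    uintptr_t hal_baseline[HAL_SLOTS];
    uint32_t system_pids[MAX_SYSTEM_PROCS];
    size_t n_system;
} baseline_t;

void record_baseline(baseline_t *b, const uintptr_t *hal_table,
                     const uint32_t *system_pids, size_t n_system)
{
    memcpy(b->hal_baseline, hal_table, sizeof b->hal_baseline);
    b->n_system = n_system < MAX_SYSTEM_PROCS ? n_system : MAX_SYSTEM_PROCS;
    memcpy(b->system_pids, system_pids, b->n_system * sizeof *system_pids);
}

/* Check before NtQueryIntervalProfile: did any HAL table slot change? */
int hal_table_tampered(const baseline_t *b, const uintptr_t *hal_table_now)
{
    for (size_t i = 0; i < HAL_SLOTS; i++)
        if (hal_table_now[i] != b->hal_baseline[i])
            return 1;
    return 0;
}

/* Check: does the new process's Token pointer equal a system process's? */
int token_reused(const baseline_t *b, const eprocess_t *new_proc,
                 const eprocess_t *all_procs, size_t n_procs)
{
    for (size_t i = 0; i < b->n_system; i++)
        for (size_t j = 0; j < n_procs; j++)   /* resolve recorded PID */
            if (all_procs[j].pid == b->system_pids[i] &&
                all_procs[j].token == new_proc->token)
                return 1;
    return 0;
}

/* Check: has the ACL in the new process's token been cleared? */
int token_acl_null(const eprocess_t *p)
{
    return p->token != NULL && p->token->default_dacl == NULL;
}

/* Check: do the live token attributes differ from those recorded at creation? */
int attrs_changed(const proc_attrs_t *at_creation, const proc_attrs_t *now)
{
    return at_creation->privileges != now->privileges ||
           at_creation->user_sid != now->user_sid ||
           at_creation->owner_sid != now->owner_sid;
}

/* All checks the hook runs before letting the specified API proceed. */
int escalation_detected(const baseline_t *b, const uintptr_t *hal_now,
                        const eprocess_t *new_proc, const eprocess_t *all,
                        size_t n, const proc_attrs_t *at_creation,
                        const proc_attrs_t *now)
{
    return hal_table_tampered(b, hal_now) || token_reused(b, new_proc, all, n) ||
           token_acl_null(new_proc) || attrs_changed(at_creation, now);
}
```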
The virtual-machine-based kernel vulnerability detection device provided in this embodiment runs in a virtual machine sandbox isolation environment. According to the sample-file information and the switch information of each detection function point sent by the user-layer process, it turns on the kernel-layer behavior monitoring master switch, monitors the processes created by the system, and detects each kernel-layer operation behavior of a new process. The device isolates kernel vulnerability detection from the outside and provides a closed detection environment for suspicious samples, so that even if a suspicious sample really contains an exploit it cannot damage the server side; this provides a safe and efficient kernel vulnerability detection mechanism. The device sets hook functions for the APIs corresponding to each detection function point provided by the user-layer process, and by performing the detection operation before the API is called it can promptly and effectively find problems such as privilege escalation and exploitation, improving the efficiency of kernel vulnerability detection.
Fig. 9 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection process protection device according to an embodiment of the present invention. The device provided in this embodiment is mainly used to protect the address space of the detection processes running in the virtual machine sandbox isolation environment, preventing a malicious sample process that has escaped the sandbox from accessing, dumping or leaking it, so that confidential information is not stolen. As shown in Fig. 9, the device includes: writing module 901, hook processing module 902, judging module 903 and termination module 904. Optionally, it also includes receiving module 905 and calling module 906.
Receiving module 905 is adapted to receive the process ID of each detection subprocess sent by the user-layer process.
After loading the driver of the core detection process, the auxiliary detection process reads the relevant fields in the target detection configuration file, parses out the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process IDs of the detection subprocesses to the core detection process by IO control codes.
Receiving module 905 inside the core detection process receives the process IDs of the detection subprocesses sent by the auxiliary detection process (the user-layer process) through IO control codes. Specifically, after receiving the IO control code marked "process ID filtering", receiving module 905 obtains the process ID sent in that request from the input buffer.
Writing module 901 is adapted to obtain the relevant information of each detection subprocess and write it into the process filter list.
Writing module 901 obtains the relevant information of a detection subprocess according to its process ID. The relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, writing module 901 writes it into the process filter list.
Hook processing module 902 is adapted to use hooking to obtain, before a specified API is called, the relevant information of the current context process and the relevant information of the operation target process.
Hook processing module 902 hooks the specified APIs for operations on processes, threads and memory address space; after the specified API is hooked, the functions of judging module 903 and termination module 904 are realized within the hook function. Hook processing module 902 first obtains the EPROCESS structure address of the current context process and the EPROCESS structure address of the operation target process.
Judging module 903 is adapted to judge whether the relevant information of the operation target process is recorded in the process filter list and whether the relevant information of the current context process is not recorded in the process filter list. Specifically, judging module 903 judges whether the EPROCESS structure address of the operation target process is recorded in the process filter list and whether the EPROCESS structure address of the current context process is not recorded in the process filter list.
Termination module 904 is adapted to terminate the call to the specified API if judging module 903 judges that the relevant information of the operation target process is recorded in the process filter list and the relevant information of the current context process is not recorded in the process filter list.
Calling module 906 is adapted to continue calling the specified API and return its return value to the caller if judging module 903 judges that the relevant information of the operation target process is not recorded in the process filter list, or that the relevant information of the current context process is recorded in the process filter list.
According to the virtual-machine-based kernel vulnerability detection process protection device provided in this embodiment, the relevant information of each detection subprocess is written into a process filter list; before a specified API is called, the hook obtains the relevant information of the current context process and of the operation target process, matches both against the process filter list, and thereby determines whether to terminate the call to the specified API. With this device, the address space of the detection processes running in the virtual machine sandbox isolation environment can be protected from access by a malicious sample process that has escaped the sandbox, confidential information is not stolen, and the security of kernel vulnerability detection in the virtual machine sandbox isolation environment is improved.
Fig. 10 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection file protection device according to an embodiment of the present invention. The device provided in this embodiment is mainly used to protect the detection files produced during detection, such as log files, preventing a malicious sample process that has escaped the sandbox from accessing, tampering with, encrypting or damaging them, so as to avoid the resulting detection failure or abnormal results and to maintain the stability and performance of the sandbox system. As shown in Fig. 10, the device includes: first writing module 1001, second writing module 1002, first judging module 1003, second judging module 1004 and refusal module 1005. Optionally, the device also includes receiving module 1006 and response module 1007.
Receiving module 1006 is adapted to receive the store path of the detection file sent by the user-layer process.
After loading the driver of the core detection process, the auxiliary detection process reads the relevant fields in the target detection configuration file, parses out the process names of one or more detection subprocesses and the store paths of one or more detection files, obtains the process ID of each detection subprocess from its process name, and sends the process IDs of the detection subprocesses and the store paths of the detection files to the core detection process by IO control codes.
Receiving module 1006 inside the core detection process receives the process IDs of the detection subprocesses and the store paths of the detection files sent by the auxiliary detection process (the user-layer process) through IO control codes. Specifically, after receiving the IO control code marked "process ID filtering", the core detection process obtains the process ID sent in that request from the input buffer; after receiving the IO control code marked "private directory", it obtains the store path of the detection file sent in that request from the input buffer.
First writing module 1001 is adapted to obtain the relevant information of each detection subprocess and write it into the process filter list.
First writing module 1001 obtains the relevant information of a detection subprocess according to its process ID. In this method, the relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, first writing module 1001 writes it into the process filter list.
Second writing module 1002 is adapted to obtain the store path information of the detection file and write it into the private directory list.
Second writing module 1002 constructs, according to the store path of the detection file, a string that serves as the store path information of the detection file, and writes that store path information into the private directory list.
First judging module 1003 is adapted to judge, when a file access operation occurs, whether the store path information of the file access object is recorded in the private directory list.
In this embodiment, the protection of the detection file is mainly realized in the function bodies of the IRP dispatch functions. For example, in the function bodies of the dispatch functions for READ, WRITE, CREATE, SET_INFORMATION, DIRECTORY_CONTROL and so on, it is judged whether the store path information of the file access object is recorded in the private directory list.
Second judging module 1004 is adapted to judge, if first judging module 1003 judges that the store path information of the file access object is recorded in the private directory list, whether the relevant information of the current context process is recorded in the process filter list.
If the store path information of the file access object is recorded in the private directory list, second judging module 1004 further judges whether the relevant information of the current context process is recorded in the process filter list; specifically, it judges whether the EPROCESS structure address of the current context process is recorded in the process filter list.
Refusal module 1005 is adapted to refuse the file access operation if second judging module 1004 judges that the relevant information of the current context process is not recorded in the process filter list.
If the store path information of the file access object is recorded in the private directory list and the relevant information of the current context process is not recorded in the process filter list, this shows that some other process is attempting to access the detection file; the IRP is then not dispatched further downward and the file access operation is refused.
Response module 1007 is adapted to continue responding to the file access operation if first judging module 1003 judges that the store path information of the file access object is not recorded in the private directory list, or if second judging module 1004 judges that the relevant information of the current context process is recorded in the process filter list.
If the store path information of the file access object is not recorded in the private directory list, this shows that the object being accessed is not a detection file that needs protection; the IRP continues to be dispatched downward and the file access operation is responded to. If the store path information of the file access object is recorded in the private directory list and the relevant information of the current context process is recorded in the process filter list, this shows that a detection subprocess is attempting to access the detection file; the IRP continues to be dispatched downward and the file access operation is responded to.
According to the virtual-machine-based kernel vulnerability detection file protection device provided in this embodiment, the relevant information of each detection subprocess is written into a process filter list and the store path information of each detection file is written into a private directory list; when a file access operation occurs, the store path information of the file access object and the relevant information of the current context process are matched against the private directory list and the process filter list respectively, and it is thereby determined whether to refuse the file access operation. With this device, the detection files produced in the virtual machine sandbox isolation environment can be protected from being accessed, tampered with, encrypted or damaged by a malicious sample process that has escaped the sandbox, the resulting detection failure or abnormal results are avoided, and the stability and performance of the sandbox system are maintained.
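The two guard decisions described for the process protection device (Fig. 9) and the file protection device (Fig. 10), as one added user-space model in C that is not the patent's driver code. EPROCESS addresses are plain integers, the "constructed string" for a store path is assumed to be the path lower-cased with forward slashes folded to backslashes, and all sample addresses and paths are constructed.

```c
/* Added example (not the patent's code): the process filter list shared by
   both devices, the hook decision of Fig. 9 and the IRP decision of Fig. 10. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_FILTERED 16
#define MAX_PRIVATE  8
#define PATH_MAX_LEN 260

/* Process filter list: EPROCESS addresses of the detection subprocesses. */
typedef struct {
    uintptr_t eprocess[MAX_FILTERED];
    size_t count;
} process_filter_list_t;

bool filter_list_add(process_filter_list_t *l, uintptr_t eprocess)
{
    if (l->count >= MAX_FILTERED)
        return false;
    l->eprocess[l->count++] = eprocess;
    return true;
}

bool filter_list_contains(const process_filter_list_t *l, uintptr_t eprocess)
{
    for (size_t i = 0; i < l->count; i++)
        if (l->eprocess[i] == eprocess)
            return true;
    return false;
}

/* Fig. 9: decision inside the hook of a process/thread/memory API. The call
   is terminated only when the target is a listed detection subprocess and
   the caller (current context process) is not itself listed. */
typedef enum { HOOK_CONTINUE, HOOK_TERMINATE_CALL } hook_action_t;

hook_action_t decide_process_access(const process_filter_list_t *l,
                                    uintptr_t current_ctx, uintptr_t target)
{
    if (filter_list_contains(l, target) && !filter_list_contains(l, current_ctx))
        return HOOK_TERMINATE_CALL;
    return HOOK_CONTINUE;
}

/* Private directory list: store path strings of the detection files.
   Assumed normalization: lower-case, '/' folded to '\', no trailing separator. */
typedef struct {
    char dir[MAX_PRIVATE][PATH_MAX_LEN];
    size_t count;
} private_dir_list_t;

static void normalize_path(const char *in, char *out, size_t out_len)
{
    size_t n = 0;
    for (; in[n] && n + 1 < out_len; n++)
        out[n] = (char)tolower((unsigned char)(in[n] == '/' ? '\\' : in[n]));
    out[n] = '\0';
}

bool private_dir_add(private_dir_list_t *l, const char *store_path)
{
    if (l->count >= MAX_PRIVATE)
        return false;
    char *d = l->dir[l->count];
    normalize_path(store_path, d, PATH_MAX_LEN);
    size_t n = strlen(d);
    if (n > 1 && d[n - 1] == '\\')
        d[n - 1] = '\0';                 /* strip trailing separator */
    l->count++;
    return true;
}

/* True for the private directory itself or anything beneath it. */
bool private_dir_matches(const private_dir_list_t *l, const char *object_path)
{
    char norm[PATH_MAX_LEN];
    normalize_path(object_path, norm, sizeof norm);
    for (size_t i = 0; i < l->count; i++) {
        size_t dl = strlen(l->dir[i]);
        if (strncmp(norm, l->dir[i], dl) == 0 &&
            (norm[dl] == '\0' || norm[dl] == '\\'))
            return true;
    }
    return false;
}

/* Fig. 10: decision inside an IRP dispatch function (READ/WRITE/CREATE...).
   First judge: is the object under a private directory? Second judge: is the
   current context process a detection subprocess? Refuse only on yes / no. */
typedef enum { IRP_PASS_DOWN, IRP_REFUSE } irp_action_t;

irp_action_t decide_file_access(const private_dir_list_t *dirs,
                                const process_filter_list_t *procs,
                                const char *object_path, uintptr_t current_ctx)
{
    if (!private_dir_matches(dirs, object_path))
        return IRP_PASS_DOWN;            /* not a protected detection file */
    if (filter_list_contains(procs, current_ctx))
        return IRP_PASS_DOWN;            /* a detection subprocess itself */
    return IRP_REFUSE;                   /* any other process is refused */
}
```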
The present invention can be applied in multiple fields such as network security, terminal security, cloud security, application security, security management and security services. Products include high-, mid- and low-end next-generation firewalls, intrusion prevention systems, DDoS attack defense systems, virtual integrated service gateways, sandboxes, big data security analysis systems and the like, together with the corresponding solutions for traditional and unknown threats.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of specific languages is given to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are set forth. It will be appreciated, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may moreover be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be realized in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to realize some or all of the functions of some or all of the components of the virtual-machine-based kernel vulnerability detection device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (10)

1. A virtual-machine-based kernel vulnerability detection file protection method, the method running in a virtual machine sandbox isolation environment and comprising:
obtaining the relevant information of each detection subprocess and writing the relevant information of each detection subprocess into a process filter list;
obtaining the store path information of a detection file and writing the store path information of the detection file into a private directory list;
when a file access operation occurs, judging whether the store path information of the file access object is recorded in the private directory list;
if the store path information of the file access object is judged to be recorded in the private directory list, judging whether the relevant information of the current context process is recorded in the process filter list;
if the relevant information of the current context process is judged not to be recorded in the process filter list, refusing the file access operation.
2. The method according to claim 1, wherein the relevant information is specifically an EPROCESS structure address.
3. The method according to claim 1 or 2, wherein obtaining the store path information of the detection file further comprises:
receiving the store path of the detection file sent by a user-layer process;
constructing, according to the store path of the detection file, a string as the store path information of the detection file.
4. The method according to claim 3, wherein receiving the store path of the detection file sent by the user-layer process is specifically: receiving the store path of the detection file sent by the user-layer process through an IO control code.
5. The method according to claim 1, further comprising: if the store path information of the file access object is judged not to be recorded in the private directory list, or the relevant information of the current context process is judged to be recorded in the process filter list, continuing to respond to the file access operation.
6. A virtual-machine-based kernel vulnerability detection file protection device, the device running in a virtual machine sandbox isolation environment and comprising:
a first writing module, adapted to obtain the relevant information of each detection subprocess and write the relevant information of each detection subprocess into a process filter list;
a second writing module, adapted to obtain the store path information of a detection file and write the store path information of the detection file into a private directory list;
a first judging module, adapted to judge, when a file access operation occurs, whether the store path information of the file access object is recorded in the private directory list;
a second judging module, adapted to judge, if the first judging module judges that the store path information of the file access object is recorded in the private directory list, whether the relevant information of the current context process is recorded in the process filter list;
a refusal module, adapted to refuse the file access operation if the second judging module judges that the relevant information of the current context process is not recorded in the process filter list.
7. The device according to claim 6, wherein the relevant information is specifically an EPROCESS structure address.
8. The device according to claim 6 or 7, further comprising: a receiving module, adapted to receive the store path of the detection file sent by a user-layer process;
wherein the second writing module is further adapted to construct, according to the store path of the detection file, a string as the store path information of the detection file, and to write the store path information of the detection file into the private directory list.
9. device according to claim 8, the receiver module is further adapted for:User's layer process is received by IO controls The store path of the detection file that code sends.
10. device according to claim 6, described device also includes:Respond module, if being suitable to first judge module Judge that the store path information of file access object is not recorded in privately owned catalogue list, or, second judge module Judge to be recorded in the process filter list when the relevant information of front upper and lower background text process, then proceed to respond to file access Operation.
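Worked example (added here; not code from the patent or its assignee): a user-mode C simulation of the two-list check described in claims 5 to 10. The process filter list holds the identities of the detection subprocesses (the patent uses the EPROCESS structure address, claim 7; the integers below stand in for it), and the private directory list holds the storage paths of the detection files as normalized strings (the "constructed string" of claim 8, which claim 9 receives from user mode over an I/O control code). on_file_access() applies the first judging module, then the second, and returns the refusal or response decision. Path normalization (lowercasing and slash folding), directory-prefix matching with a separator-boundary check, and removal of a process entry when that process exits are this example's own design choices and are not steps stated in the claims; the last one matters because an EPROCESS structure lives in pool memory that a later, unrelated process can reuse, so a stale entry would let that process through the filter.

```c
/* Added example: user-mode simulation of the two-list access decision in
 * claims 5-10. Not the patent's code. EPROCESS addresses are stand-in
 * integers and all paths are constructed test data. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define MAX_PATH_LEN 260

typedef enum { ACCESS_ALLOW = 0, ACCESS_DENY = 1 } access_decision;

/* Process filter list: identity of each detection subprocess (claim 6).
 * A real driver would store the EPROCESS address (claim 7). */
static uintptr_t process_filter[MAX_ENTRIES];
static size_t process_filter_count;

/* Private directory list: normalized storage paths of detection files. */
static char private_dirs[MAX_ENTRIES][MAX_PATH_LEN];
static size_t private_dir_count;

/* Assumption of this example: compare normalized forms, because Windows
 * paths are case-insensitive and accept either separator. */
static void normalize_path(const char *in, char *out, size_t out_len) {
    size_t i;
    for (i = 0; i + 1 < out_len && in[i] != '\0'; i++) {
        char c = in[i];
        out[i] = (c == '/') ? '\\' : (char)tolower((unsigned char)c);
    }
    out[i] = '\0';
}

/* First writing module: record a detection subprocess. */
bool register_detection_process(uintptr_t eprocess) {
    if (process_filter_count >= MAX_ENTRIES) return false;
    process_filter[process_filter_count++] = eprocess;
    return true;
}

/* Receiving + second writing module: the raw user-supplied path (what the
 * IOCTL of claim 9 would carry) becomes the constructed string of claim 8. */
bool register_detection_file(const char *user_path) {
    if (private_dir_count >= MAX_ENTRIES) return false;
    normalize_path(user_path, private_dirs[private_dir_count], MAX_PATH_LEN);
    private_dir_count++;
    return true;
}

/* Example's own addition: drop the entry when the subprocess exits, since
 * the EPROCESS allocation can be reused by an unrelated process. */
void unregister_detection_process(uintptr_t eprocess) {
    for (size_t i = 0; i < process_filter_count; i++) {
        if (process_filter[i] == eprocess) {
            process_filter[i] = process_filter[--process_filter_count];
            return;
        }
    }
}

/* First judging module: is the target a detection file, or inside a
 * listed directory? The separator check stops "rulesets" matching "rules". */
static bool path_is_protected(const char *norm) {
    for (size_t i = 0; i < private_dir_count; i++) {
        const char *entry = private_dirs[i];
        size_t n = strlen(entry);
        if (strcmp(norm, entry) == 0) return true;            /* the file itself   */
        if (strncmp(norm, entry, n) == 0 && norm[n] == '\\')  /* inside that dir   */
            return true;
    }
    return false;
}

/* Second judging module: is the current context process a detection subprocess? */
static bool process_is_allowed(uintptr_t eprocess) {
    for (size_t i = 0; i < process_filter_count; i++)
        if (process_filter[i] == eprocess) return true;
    return false;
}

/* The pre-operation decision: judge path, then process, then refuse or respond. */
access_decision on_file_access(const char *target_path, uintptr_t current_eprocess) {
    char norm[MAX_PATH_LEN];
    normalize_path(target_path, norm, sizeof norm);
    if (!path_is_protected(norm)) return ACCESS_ALLOW;          /* claim 5 / 10 */
    if (process_is_allowed(current_eprocess)) return ACCESS_ALLOW;
    return ACCESS_DENY;                                          /* refusal module */
}

int main(void) {
    /* Constructed scenario: detector subprocess 0x1000, sample under test 0x2000. */
    register_detection_process(0x1000);
    register_detection_file("C:\\Sandbox\\Detector\\results.log");
    register_detection_file("C:\\Sandbox\\Detector\\rules");
    printf("%d\n", on_file_access("c:/sandbox/detector/RESULTS.LOG", 0x2000));     /* 1 */
    printf("%d\n", on_file_access("C:\\Sandbox\\Detector\\rules\\sig.db", 0x2000)); /* 1 */
    printf("%d\n", on_file_access("C:\\Sandbox\\Detector\\results.log", 0x1000));  /* 0 */
    printf("%d\n", on_file_access("C:\\Users\\victim\\doc.txt", 0x2000));          /* 0 */
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99); main() runs the constructed scenario. In a real file system minifilter the same decision would sit in a pre-create callback, and both lists would need a lock, because pre-operation callbacks run concurrently on arbitrary threads.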

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611071693.9A CN106778243B (en) 2016-11-28 2016-11-28 Virtual machine-based kernel vulnerability detection file protection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611071693.9A CN106778243B (en) 2016-11-28 2016-11-28 Virtual machine-based kernel vulnerability detection file protection method and device

Publications (2)

Publication Number Publication Date
CN106778243A true CN106778243A (en) 2017-05-31
CN106778243B CN106778243B (en) 2020-06-09

Family

ID=58904292

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611071693.9A Active CN106778243B (en) 2016-11-28 2016-11-28 Virtual machine-based kernel vulnerability detection file protection method and device

Country Status (1)

Country Link
CN (1) CN106778243B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101515241A (en) * 2009-02-19 2009-08-26 北京安高科技有限公司 Intertask data communication control method and system
CN102147845A (en) * 2011-04-18 2011-08-10 北京思创银联科技股份有限公司 Process monitoring method
CN102521537A (en) * 2011-12-06 2012-06-27 北京航空航天大学 Detection method and device for hidden process based on virtual machine monitor
CN102902909A (en) * 2012-10-10 2013-01-30 北京奇虎科技有限公司 System and method for preventing file from being tampered
US20150379263A1 (en) * 2014-06-27 2015-12-31 Harshawardhan Vipat Technologies for preventing hook-skipping attacks using processor virtualization features

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Qiao Jianliang (乔建良), "Testing and Evaluation Techniques for Optoelectronic Materials and Devices" (光电材料与器材测试评估技术), 30 September 2014, Zhengzhou University Press (郑州大学出版社) *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107885994A (en) * 2017-10-17 2018-04-06 广东睿江云计算股份有限公司 Method and system for detecting operating system security
CN109033828B (en) * 2018-07-25 2021-06-01 山东省计算中心(国家超级计算济南中心) Trojan horse detection method based on computer memory analysis technology
CN109033828A (en) * 2018-07-25 2018-12-18 山东省计算中心(国家超级计算济南中心) Trojan horse detection method based on computer memory analysis technology
CN109657468A (en) * 2018-11-29 2019-04-19 北京奇虎科技有限公司 Virus behavior detection method, device and computer readable storage medium
CN111367684B (en) * 2018-12-26 2023-11-10 北京天融信网络安全技术有限公司 Method and device for filtering remote procedure call
CN111367684A (en) * 2018-12-26 2020-07-03 北京天融信网络安全技术有限公司 Method and device for filtering remote procedure call
CN110162982A (en) * 2019-04-19 2019-08-23 中国平安人寿保险股份有限公司 Method and device for detecting illegal permissions, storage medium and electronic device
CN110162982B (en) * 2019-04-19 2024-06-04 中国平安人寿保险股份有限公司 Method and device for detecting illegal rights, storage medium and electronic equipment
CN112883370A (en) * 2019-11-29 2021-06-01 北京三快在线科技有限公司 Application program state detection method and device, storage medium and electronic equipment
CN112182579A (en) * 2020-08-28 2021-01-05 杭州数梦工场科技有限公司 Process list generation method and device and abnormal process detection method and device
CN112182579B (en) * 2020-08-28 2024-05-28 杭州数梦工场科技有限公司 Process list generation method and device and abnormal process detection method and device
WO2022105610A1 (en) * 2020-11-20 2022-05-27 华为技术有限公司 Data protection method, apparatus, storage medium, and computer device
CN112532658A (en) * 2021-02-08 2021-03-19 腾讯科技(深圳)有限公司 Cloud network escape event scanning method and device and computer readable storage medium
WO2024021577A1 (en) * 2022-07-28 2024-02-01 上海爱数信息技术股份有限公司 Tamper-proof data protection method and system
CN115935341A (en) * 2022-11-10 2023-04-07 杭州孝道科技有限公司 Vulnerability defense method, system, server and storage medium
CN115935341B (en) * 2022-11-10 2023-09-19 杭州孝道科技有限公司 Vulnerability defense method, vulnerability defense system, vulnerability defense server and storage medium

Also Published As

Publication number Publication date
CN106778243B (en) 2020-06-09

Similar Documents

Publication Publication Date Title
CN106557701B (en) Kernel vulnerability detection method and device based on virtual machine
CN106778243A (en) Kernel vulnerability detection file protection method and device based on virtual machine
CN106778244A (en) Kernel vulnerability detection process protection method and device based on virtual machine
US10599841B2 (en) System and method for reverse command shell detection
US10691792B2 (en) System and method for process hollowing detection
CN106778242A (en) Kernel vulnerability detection method and device based on virtual machine
JP5592956B2 (en) System and method for behavioral sandbox
US7665139B1 (en) Method and apparatus to detect and prevent malicious changes to tokens
EP1512057B1 (en) Trusted user interface for a secure mobile wireless device
US20060053492A1 (en) Software tracking protection system
WO2007044388A2 (en) Computer behavioral management using heuristic analysis
CN110119619B (en) System and method for creating anti-virus records
WO2009032379A1 (en) Methods and systems for providing trap-based defenses
CN110647744A (en) Identifying and extracting key hazard forensic indicators using object-specific file system views
US20240045954A1 (en) Analysis of historical network traffic to identify network vulnerabilities
US20230007013A1 (en) Visualization tool for real-time network risk assessment
CN103970574B (en) Operation method and device for office programs, and computer system
Peddoju et al. File integrity monitoring tools: Issues, challenges, and solutions
Shan et al. Enforcing mandatory access control in commodity OS to disable malware
KR101416618B1 (en) An Intrusion Prevention System Using Enhanced Security Linux kernel
Wang A rule-based approach for rootkit detection
Lenhard et al. Dangerous Software
Sridhar Testbed Design For Evaluation Of Active Cyber Defense Systems
WO2023130063A1 (en) Zero trust file integrity protection
Swanson et al. Virtual Environments Support Insider Security Violations

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211202

Address after: No. 9-3-401, No. 39 Gaoxin 6th Road, Binhai Science Park, High-tech Zone, Binhai New Area, Tianjin 300450

Patentee after: 3600 Technology Group Co.,Ltd.

Address before: Room 112, Block D, No. 28 Xinjiekouwai Street, Xicheng District, Beijing 100088 (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230630

Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: Beijing Hongxiang Technical Service Co.,Ltd.

Address before: No. 9-3-401, No. 39 Gaoxin 6th Road, Binhai Science Park, High-tech Zone, Binhai New Area, Tianjin 300450

Patentee before: 3600 Technology Group Co.,Ltd.