CN107016286A - A kind of malicious code randomization recognition methods and system based on random-tracking - Google Patents
A kind of malicious code randomization recognition methods and system based on random-tracking
- Publication number: CN107016286A (application CN201611251419.XA)
- Authority: CN (China)
- Prior art keywords: randomization, parameter, address, sample, parameter address
- Legal status: Granted (status as listed by Google Patents; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The invention discloses a malicious code randomization identification method and system based on random-number tracking. The method includes: recording the randomization parameter values and randomization parameter addresses produced by random number generation functions during the randomization behavior of running code; looking up randomization parameter values and randomization parameter addresses by means of time parameter addresses; based on the sample parameter values and sample parameter addresses produced in sample code function calls, judging whether the randomization parameter address appears among the sample parameter addresses and, if so, extracting a specific parameter address; based on the sample parameter values and sample parameter addresses, judging whether the randomization parameter value appears among the sample parameter values, in which case the randomization behavior of the running code is malicious code randomization behavior; if it does not appear, tracking whether the extracted specific parameter address appears among the sample parameter addresses, in which case the randomization behavior of the running code is malicious code randomization behavior, and if it does not appear, the behavior is not malicious code randomization behavior.
Description
Technical field
The present invention relates to the field of computer security technology, and more specifically to a malicious code randomization identification method and system based on random-number tracking.
Background technology
Advances in Internet technology have brought many benefits to people's lives and work: social networking, finance, media, shopping and many other areas rely on Internet technology to operate and profit from it. Against the background of the huge economic benefits created by the Internet, valuable data and various competitive relationships induce malicious acts of espionage, control and destruction carried out over the Internet.
Trojan horse programs are currently a popular means of espionage, control and destruction. A network attacker controls another computer through a specific program (the Trojan horse program). A Trojan usually consists of two executable programs: one is the control end and the other is the controlled end. The part implanted into the victim computer is the controlled end, and the attacker uses the control end to enter the computer on which the controlled end is running.
To avoid being located through fixed characteristics, current Trojan horse programs may randomize some of their own names after they run, such as the process name, mutex name and configuration file name. This randomization interferes with security personnel's extraction of malicious code features and with the lookup and localization of malicious code. The traditional way of identifying Trojan randomization behavior is to run the sample, record its associated file names and process names, restart, record them again, and check whether the two records differ; if they do, the sample exhibits randomization behavior. The defect of this method is that a restart or several runs are needed before randomization behavior can be determined, which is unfavorable to quickly discovering a Trojan's randomization behavior.
Existing virus feature extraction methods generally extract a feature, verify that the feature can detect the virus, and add the feature to the virus database. The detection capability of the feature is not graded, however: every extracted feature is given the same detection capability, and features that produce false positives are not excluded. Adding such false-positive-prone, low-capability features to the virus database affects the detection rate and the false-alarm rate of the antivirus engine.
The content of the invention
In order to solve the above technical problems, the present invention provides a malicious code randomization identification method and system based on random-number tracking.
According to a first aspect of the invention, a malicious code randomization identification method based on random-number tracking is provided. The method includes: recording the randomization parameter values and randomization parameter addresses produced by the random number generation functions in the randomization behavior of the running code; looking up randomization parameter values and randomization parameter addresses by means of time parameter addresses; based on the sample parameter values and sample parameter addresses produced in sample code function calls, judging whether the randomization parameter address appears among the sample parameter addresses, and extracting a specific parameter address; based on the sample parameter values and sample parameter addresses produced in sample code function calls, judging whether the randomization parameter value appears among the sample parameter values, in which case the randomization behavior of the running code is malicious code randomization behavior; if it does not appear, tracking whether the extracted specific parameter address appears among the sample parameter addresses, in which case the randomization behavior of the running code is malicious code randomization behavior, and if it does not appear, the behavior is not malicious code randomization behavior.
In some embodiments, the parameter values include the process name, file name, file content, mutex name and string copies.
In some embodiments, looking up randomization parameter values and randomization parameter addresses by means of the time parameter addresses includes: checking whether any address among the time parameter addresses appears among the randomization parameter addresses and, if so, extracting that randomization parameter value and randomization parameter address.
In some embodiments, the time parameter addresses include the run-duration parameter address and the current-time parameter address.
In some embodiments, the specific parameter address includes a string-copy-related parameter address.
According to a second aspect of the invention, a malicious code randomization identification system based on random-number tracking is provided, including: a recording module for recording the randomization parameter values and randomization parameter addresses produced by the random number generation functions in the randomization behavior of the running code; a lookup module for looking up randomization parameter values and randomization parameter addresses by means of time parameter addresses; a judgement module for judging, based on the sample parameter values and sample parameter addresses produced in sample code function calls, whether the randomization parameter address appears among the sample parameter addresses, and for extracting a specific parameter address; an identification module for judging, based on the sample parameter values and sample parameter addresses produced in sample code function calls, whether the randomization parameter value appears among the sample parameter values, in which case the randomization behavior of the running code is malicious code randomization behavior; and a tracking module for tracking whether the extracted specific parameter address appears among the sample parameter addresses, in which case the randomization behavior of the running code is malicious code randomization behavior, and if it does not appear, the behavior is not malicious code randomization behavior.
In some embodiments, the parameter values include the process name, file name, file content, mutex name and string copies.
In some embodiments, the lookup module is used to check whether any address among the time parameter addresses appears among the randomization parameter addresses and, if so, to extract that randomization parameter value and randomization parameter address.
In some embodiments, the time parameter addresses include the run-duration parameter address and the current-time parameter address.
In some embodiments, the specific parameter address includes a string-copy-related parameter address.
The technical scheme provided by the present invention uses a hook mechanism to obtain the functions that return the duration since system boot, the current system time functions and the randomization-related functions; it records the return values produced, the addresses of those return values, the randomly generated data and the memory addresses of that data, and then confirms whether this data has been output into the file names, service names, mutex names, process names and other system objects operated on by the malicious code, thereby identifying malicious code randomization behavior. This method recognizes malicious code randomization behavior while eliminating the tedious step of restarting in order to compare changes in the process names, service names, mutex names and file names associated with the malicious code: malicious code randomization behavior can be identified accurately and effectively right after the malicious code has run.
Brief description of the drawings
In order to explain the technical scheme more clearly, the drawings required for the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a malicious code randomization identification method based on random-number tracking according to an embodiment of the present invention.
Fig. 2 is a block diagram of a malicious code randomization identification system based on random-number tracking according to an embodiment of the present invention.
Embodiment
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings; details and functions that are unnecessary to the invention are omitted from the description so as not to obscure its understanding. Although exemplary embodiments are shown in the drawings, it should be understood that the invention may be realized in various forms and should not be limited by the embodiments set forth here. These embodiments are provided so that the invention is understood more thoroughly and its scope is fully conveyed to those skilled in the art.
The method provided by the present invention uses a hook mechanism to obtain the functions that return the duration since system boot, the current system time functions and the randomization-related functions; it records the return values produced, the addresses of those return values, the randomly generated data and the memory addresses of that data, and then confirms whether this data has been output into the file names, service names, mutex names, process names and other system objects operated on by the malicious code, thereby identifying malicious code randomization behavior.
Fig. 1 is a flow chart of a malicious code randomization identification method based on random-number tracking according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
S110: record the sample parameter values and sample parameter addresses produced in sample code function calls.
Sample code function calls include: string copy functions (strncpy, strcpy); file, process and mutex creation functions (CreateFile, CreateProcess, CreateMutex, etc.).
S120: record the randomization parameter values and randomization parameter addresses produced by the random number generation functions in the randomization behavior of the running code.
Random number generation function calls include:
- randomization-related APIs (CryptGenRandom, CryptAcquireContext, etc.);
- string copy functions (strncpy, strcpy, etc.);
- file, process and mutex creation functions (CreateFile, CreateProcess, CreateMutex, etc.).
Specifically:
- The return values and return addresses of the APIs giving the duration since system boot (GetTickCount, etc.) are labelled Ax0, Ax1, ..., Axn.
- The return addresses of the current system time APIs (GetLocalTime, GetSystemTime, etc.) are labelled Ay0, Ay1, ..., Ayn.
- Among the randomization-related APIs (CryptGenRandom, CryptAcquireContext, etc.), the parameter values of CryptGenRandom are recorded as Vz0, Vz1, ..., Vzn, and the addresses of those parameter values are labelled Az0, Az1, ..., Azn.
- The addresses of the two parameters of the string copy functions (strncpy, strcpy, etc.) are labelled Aw0, Aw1, ..., Awn and Bw0, Bw1, ..., Bwn.
- The parameter values of the file, process and mutex creation functions (CreateFile, CreateProcess, CreateMutex, etc.) are labelled Va0, Va1, ..., Van, Vb0, Vb1, ..., Vbn and Vc0, Vc1, ..., Vcn, and their parameter addresses are labelled Sa0, Sa1, ..., San, Sb0, Sb1, ..., Sbn and Sc0, Sc1, ..., Scn.
The parameter values mentioned above include the process name, file name, file content, mutex name and string copies.
S130: look up randomization parameter values and randomization parameter addresses by means of the time parameter addresses.
The time parameter addresses include the run-duration parameter address and the current-time parameter address, that is, the addresses of the return values of the boot-duration APIs (GetTickCount, etc.) and of the current system time APIs (GetLocalTime, GetSystemTime, etc.).
Check whether any address among the time parameter addresses appears among the randomization parameter addresses; if so, extract the corresponding randomization parameter value and randomization parameter address.
Specifically, check whether any of the addresses Ax0 to Axn and Ay0 to Ayn appears among Az0, Az1, ..., Azn, and if so record it separately. For example, if Ax3 = Az3, extract and record the randomization parameter value and address Vz3, Az3.
S140: judge whether the randomization parameter address appears among the sample parameter addresses and, if so, extract a specific parameter address.
This judgement is based on the sample parameter values and sample parameter addresses produced in the sample code function calls. The specific parameter address here is a string-copy-related parameter address.
Specifically, check whether Az3 appears among Bw0, Bw1, ..., Bwn; if it does, extract the address among Aw0, ..., Awn that corresponds to the matching Bw. For example, if Az3 = Bw3, extract the string-copy parameter address Aw3.
S150: judge whether the randomization parameter value appears among the sample parameter values; if it does, the randomization behavior of the running code is malicious code randomization behavior.
This judgement is based on the sample parameter values and sample parameter addresses produced in the sample code function calls.
Check whether Vz3 appears in Va0, Va1, ..., Van, Vb0, Vb1, ..., Vbn or Vc0, Vc1, ..., Vcn. For example, if Vz3 is found within the string Va3, extract the randomized string Vz3: Trojan randomization behavior has been found.
S160: if it does not appear, track whether the extracted specific parameter address appears among the sample parameter addresses.
Check whether the extracted string-copy parameter address Aw3 is among Sa0, Sa1, ..., San, Sb0, Sb1, ..., Sbn or Sc0, Sc1, ..., Scn.
S170: if it appears, the randomization behavior of the running code is malicious code randomization behavior; if it does not appear, the behavior is not malicious code randomization behavior.
If Aw3 appears there, backtrack to extract Vz3, extract the randomized string, and Trojan randomization behavior has been found.
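The checks S130 to S170, replayed over a recorded hook trace, as an added example; this code is not from the patent or its assignee. It assumes a hooking layer has already produced a list of `Call` records in a constructed, hypothetical format: for the time APIs and CryptGenRandom the address the result was written to (`out_addr`, the patent's Ax/Ay/Az) and for CryptGenRandom the generated value (`out_value`, Vz); for strcpy/strncpy the addresses of the first and second parameters (Aw and Bw); for CreateFile/CreateProcess/CreateMutex the parameter values and addresses (Va..Vc and Sa..Sc). The three traces at the bottom are constructed for illustration, not captured from real samples.

```python
"""Replay a hook trace through the patent's S130-S170 checks (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# API groups named in the patent's steps S110 and S120.
TIME_APIS = {"GetTickCount", "GetLocalTime", "GetSystemTime"}
RANDOM_APIS = {"CryptGenRandom"}
COPY_APIS = {"strcpy", "strncpy"}
CREATE_APIS = {"CreateFile", "CreateProcess", "CreateMutex"}


@dataclass
class Call:
    """One hooked call in a constructed trace format (hypothetical, not a real
    hook engine's output): parameter values and buffer addresses, plus the
    address (and, for CryptGenRandom, the value) the hook saw written as output."""
    api: str
    arg_values: List[object] = field(default_factory=list)
    arg_addrs: List[Optional[int]] = field(default_factory=list)
    out_addr: Optional[int] = None    # Ax/Ay for time APIs, Az for CryptGenRandom
    out_value: Optional[str] = None   # Vz for CryptGenRandom (hex text, constructed)


def detect(trace: List[Call]) -> List[dict]:
    """Replay S130-S170 over a trace; one finding per randomized value that
    reaches a creation API, either by value (S150) or by address (S160/S170)."""
    # S130: addresses of time-function results (Ax0..Axn, Ay0..Ayn) ...
    time_addrs = {c.out_addr for c in trace if c.api in TIME_APIS}
    # ... and the CryptGenRandom records whose buffer overlaps one of them (Vz, Az).
    tracked = [(c.out_value, c.out_addr) for c in trace
               if c.api in RANDOM_APIS and c.out_value and c.out_addr in time_addrs]

    creates = [c for c in trace if c.api in CREATE_APIS]
    findings = []
    for vz, az in tracked:
        # S140: string copies whose source (second parameter, Bw) is Az; the
        # destination (first parameter, Aw) becomes the "specific parameter address".
        special = {c.arg_addrs[0] for c in trace
                   if c.api in COPY_APIS and len(c.arg_addrs) >= 2 and c.arg_addrs[1] == az}
        # S150: the random value shows up inside a creation-API parameter value.
        # The substring test assumes the hook renders the random bytes in the same
        # text form the sample uses; a real engine must normalise encodings first.
        hit = next((c for c in creates
                    if any(isinstance(v, str) and vz in v for v in c.arg_values)), None)
        if hit is not None:
            findings.append({"how": "value", "value": vz, "api": hit.api})
            continue
        # S160/S170: the copy destination itself is passed to a creation API;
        # backtrack from that address to the random value that was copied there.
        hit = next((c for c in creates
                    if any(a in special for a in c.arg_addrs if a is not None)), None)
        if hit is not None:
            findings.append({"how": "address", "value": vz, "api": hit.api})
    return findings


def is_malicious_randomization(trace: List[Call]) -> bool:
    return bool(detect(trace))


# --- constructed traces (illustrative, not recorded from real samples) ---
RAND = "a3f9c1d2"

# The tick count lands in buffer 0x1000, CryptGenRandom overwrites the same
# buffer, strcpy moves it to 0x2000, CreateMutex receives a name containing it.
TRACE_VALUE_MATCH = [
    Call("GetTickCount", out_addr=0x1000),
    Call("CryptGenRandom", arg_values=[0x10, 8, None], arg_addrs=[None, None, 0x1000],
         out_addr=0x1000, out_value=RAND),
    Call("strcpy", arg_values=[RAND, RAND], arg_addrs=[0x2000, 0x1000]),
    Call("CreateMutex", arg_values=[None, False, "Global\\" + RAND],
         arg_addrs=[None, None, 0x3000]),
]

# The copied buffer is re-encoded in place before use, so the value check of
# S150 fails, but the destination address 0x2000 is handed straight to CreateFile.
TRACE_ADDR_MATCH = [
    Call("GetSystemTime", out_addr=0x1000),
    Call("CryptGenRandom", arg_values=[0x10, 8, None], arg_addrs=[None, None, 0x1000],
         out_addr=0x1000, out_value=RAND),
    Call("strncpy", arg_values=[RAND, RAND, 8], arg_addrs=[0x2000, 0x1000, None]),
    Call("CreateFile", arg_values=["C:\\Temp\\" + RAND.upper() + ".dat"], arg_addrs=[0x2000]),
]

# Random data is generated but never reaches a creation API; the mutex name is fixed.
TRACE_BENIGN = [
    Call("GetTickCount", out_addr=0x1000),
    Call("CryptGenRandom", arg_values=[0x10, 8, None], arg_addrs=[None, None, 0x1000],
         out_addr=0x1000, out_value=RAND),
    Call("CreateMutex", arg_values=[None, False, "Global\\UpdaterLock"],
         arg_addrs=[None, None, 0x4000]),
]

if __name__ == "__main__":
    for name, trace in [("value", TRACE_VALUE_MATCH), ("address", TRACE_ADDR_MATCH),
                        ("benign", TRACE_BENIGN)]:
        print(name, detect(trace))
```

The S130 filter is applied literally: a CryptGenRandom record is only tracked when its buffer address coincides with a time-function result address, so randomized names whose buffer never overlapped such a result are outside the patent's method and this replay. The two findings also show why the address path of S160/S170 matters: once the sample transforms the copied string, matching by value alone misses it.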
Fig. 2 is a block diagram of a malicious code randomization identification system based on random-number tracking according to an embodiment of the present invention. As shown in Fig. 2, the system may include a recording module 210, a lookup module 220, a judgement module 230, an identification module 240 and a tracking module 250.
The recording module 210 records the randomization parameter values and randomization parameter addresses produced by the random number generation functions in the randomization behavior of the running code.
The parameter values include the process name, file name, file content, mutex name and string copies.
The lookup module 220 looks up randomization parameter values and randomization parameter addresses by means of the time parameter addresses.
The judgement module 230 judges, based on the sample parameter values and sample parameter addresses produced in sample code function calls, whether the randomization parameter address appears among the sample parameter addresses, and extracts a specific parameter address.
The identification module 240 judges, based on the sample parameter values and sample parameter addresses produced in sample code function calls, whether the randomization parameter value appears among the sample parameter values; if it does, the randomization behavior of the running code is malicious code randomization behavior.
The tracking module 250 tracks whether the extracted specific parameter address appears among the sample parameter addresses; if it does, the randomization behavior of the running code is malicious code randomization behavior, and if it does not, the behavior is not malicious code randomization behavior.
Further, the lookup module 220 checks whether any address among the time parameter addresses appears among the randomization parameter addresses and, if so, extracts that randomization parameter value and randomization parameter address.
The time parameter addresses include the run-duration parameter address and the current-time parameter address, and the specific parameter address includes a string-copy-related parameter address.
The invention has been described above in combination with preferred embodiments. It should be understood that those skilled in the art can make various other changes, substitutions and additions without departing from the spirit and scope of the present invention. Therefore, the scope of the present invention is not limited to the specific embodiments described above, but is defined by the appended claims.
Claims (10)
1. A malicious code randomization identification method based on random-number tracking, characterized in that it includes:
recording the randomization parameter values and randomization parameter addresses produced by the random number generation functions in the randomization behavior of the running code;
looking up randomization parameter values and randomization parameter addresses by means of time parameter addresses;
based on the sample parameter values and sample parameter addresses produced in sample code function calls, judging whether the randomization parameter address appears among the sample parameter addresses, and extracting a specific parameter address;
based on the sample parameter values and sample parameter addresses produced in sample code function calls, judging whether the randomization parameter value appears among the sample parameter values, and if it does, the randomization behavior of the running code is malicious code randomization behavior;
if it does not appear, tracking whether the extracted specific parameter address appears among the sample parameter addresses; if it appears, the randomization behavior of the running code is malicious code randomization behavior, and if it does not appear, the behavior is not malicious code randomization behavior.
2. The method according to claim 1, characterized in that the parameter values include the process name, file name, file content, mutex name and string copies.
3. The method according to claim 1, characterized in that looking up randomization parameter values and randomization parameter addresses by means of the time parameter addresses includes:
checking whether any address among the time parameter addresses appears among the randomization parameter addresses and, if so, extracting that randomization parameter value and randomization parameter address.
4. The method according to claim 1 or 3, characterized in that the time parameter addresses include the run-duration parameter address and the current-time parameter address.
5. The method according to claim 1, characterized in that the specific parameter address includes a string-copy-related parameter address.
6. A malicious code randomization identification system based on random-number tracking, characterized in that it includes:
a recording module for recording the randomization parameter values and randomization parameter addresses produced by the random number generation functions in the randomization behavior of the running code;
a lookup module for looking up randomization parameter values and randomization parameter addresses by means of time parameter addresses;
a judgement module for judging, based on the sample parameter values and sample parameter addresses produced in sample code function calls, whether the randomization parameter address appears among the sample parameter addresses, and for extracting a specific parameter address;
an identification module for judging, based on the sample parameter values and sample parameter addresses produced in sample code function calls, whether the randomization parameter value appears among the sample parameter values, in which case the randomization behavior of the running code is malicious code randomization behavior;
a tracking module for tracking whether the extracted specific parameter address appears among the sample parameter addresses; if it appears, the randomization behavior of the running code is malicious code randomization behavior, and if it does not appear, the behavior is not malicious code randomization behavior.
7. The system according to claim 6, characterized in that the parameter values include the process name, file name, file content, mutex name and string copies.
8. The system according to claim 6, characterized in that the lookup module is used for checking whether any address among the time parameter addresses appears among the randomization parameter addresses and, if so, extracting that randomization parameter value and randomization parameter address.
9. The system according to claim 6 or 8, characterized in that the time parameter addresses include the run-duration parameter address and the current-time parameter address.
10. The system according to claim 1, characterized in that the specific parameter address includes a string-copy-related parameter address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611251419.XA (granted as CN107016286B) | 2016-12-30 | 2016-12-30 | A kind of malicious code randomization recognition methods and system based on random-tracking |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107016286A (en) | 2017-08-04 |
CN107016286B (en) | 2019-09-24 |
Family
ID=59440067
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611251419.XA (Active, granted as CN107016286B) | 2016-12-30 | 2016-12-30 | A kind of malicious code randomization recognition methods and system based on random-tracking |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107016286B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101630350A (en) * | 2008-07-14 | 2010-01-20 | 西门子(中国)有限公司 | Method and device for detecting buffer overflow and code instrumentation method and device |
US20110277035A1 (en) * | 2010-05-07 | 2011-11-10 | Mcafee, Inc. | Detection of Malicious System Calls |
CN102945347A (en) * | 2012-09-29 | 2013-02-27 | 中兴通讯股份有限公司 | Method, system and device for detecting Android malicious software |
CN104134041A (en) * | 2014-07-31 | 2014-11-05 | 北京奇虎科技有限公司 | Anti-detecting method and device of terminal simulator system |
US20160164901A1 (en) * | 2014-12-05 | 2016-06-09 | Permissionbit | Methods and systems for encoding computer processes for malware detection |
CN105760787A (en) * | 2015-06-30 | 2016-07-13 | 卡巴斯基实验室股份制公司 | System and method used for detecting malicious code of random access memory |
Non-Patent Citations (2)
Title |
---|
傅德胜, 史飞悦: "Buffer overflow exploitation and protection and defense methods", Information Security and Technology * |
龚静, 曾莉: "A brief discussion of network attacks and defense strategies", Journal of Anqing Normal University (Natural Science Edition) * |
Also Published As
Publication number | Publication date |
---|---|
CN107016286B (en) | 2019-09-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP01 | Change in the name or title of a patent holder | Address after: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No. Patentee after: Shenzhen Antan Network Security Technology Co.,Ltd. Address before: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No. Patentee before: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd. |