CN107016286A - A kind of malicious code randomization recognition methods and system based on random-tracking - Google Patents


Info

Publication number
CN107016286A
Authority
CN
China
Legal status
Granted
Application number
CN201611251419.XA
Other languages
Chinese (zh)
Other versions
CN107016286B (en)
Inventor
康学斌
朱晴
肖新光
Current Assignee
Shenzhen Antan Network Security Technology Co.,Ltd.
Original Assignee
Shenzhen Anzhitian Information Technology Co Ltd
Priority date: 2016-12-30
Filing date: 2016-12-30
Publication date: 2017-08-04

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033: Test or assess software

Abstract

The invention discloses a malicious-code randomization identification method and system based on random-tracking. The method includes: recording the randomization parameter values and randomization parameter addresses produced by random-number generation functions during the randomization behaviour of running code; searching for randomization parameter values and randomization parameter addresses on the basis of time parameter addresses; on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, judging whether the randomization parameter address appears among the sample parameter addresses, and extracting a specific parameter address; on the basis of the sample parameter values and sample parameter addresses, judging whether the randomization parameter value appears among the sample parameter values, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour; if it does not, tracking and comparing whether the extracted specific parameter address appears among the sample parameter addresses, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour, and if it does not, it is harmless code randomization behaviour.

Description

A kind of malicious code randomization recognition methods and system based on random-tracking
Technical field
The present invention relates to the field of computer security technology, and more specifically to a malicious-code randomization identification method and system based on random-tracking.
Background technology
Progress in Internet technology has brought many benefits to people's lives and work; social networking, finance, media, shopping and many other areas all rely on Internet technology to operate and to profit. Against the background of the enormous economic value created by the Internet, valuable data and competitive relationships of every kind invite malicious acts of theft, control and sabotage carried out through the Internet. Trojan horse programs are currently the most popular means of stealing secrets, taking control and causing damage. A network attacker uses a specific piece of program code (the Trojan program) to control another computer. A Trojan generally consists of two executable programs: a control end and a controlled end. The part implanted on the victim computer is the controlled end, and the attacker uses the control end to enter the computer on which the controlled end has been run.
To avoid discovery, current Trojan programs hide their distinguishing characteristics: after the program runs it can randomize some of its own names, such as the process name, the mutex name, the configuration file name and so on. This randomization interferes with security analysts' extraction of malicious-code features and with the lookup and location of the malicious code. The traditional method of identifying Trojan randomization behaviour is to run the sample, record the associated file and process names, restart, record them again, and see whether the two records differ; if they do, the sample exhibits randomization behaviour. The drawback of this method is that the randomization behaviour can only be determined by restarting or by running the sample several times, which works against rapid discovery of the Trojan's randomization behaviour.
Existing virus feature-extraction methods generally extract a feature, verify that the feature detects the sample, and add the feature to the virus database, but the detection capability carried by the feature is not graded: every extracted feature is assigned the same detection capability. Some of these features are prone to false positives, and once such easily misfiring, low-capability features are added to the virus database they affect the antivirus engine's detection rate and false-positive rate.
Summary of the invention
To solve the technical problem described above, the present invention provides a malicious-code randomization identification method and system based on random-tracking.
According to a first aspect of the invention there is provided a malicious-code randomization identification method based on random-tracking. The method includes: recording the randomization parameter values and randomization parameter addresses produced by random-number generation functions during the randomization behaviour of running code; searching for randomization parameter values and randomization parameter addresses on the basis of time parameter addresses; on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, judging whether the randomization parameter address appears among the sample parameter addresses, and extracting a specific parameter address; on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, judging whether the randomization parameter value appears among the sample parameter values, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour; if it does not appear, tracking and comparing, on the basis of the extracted specific parameter address, whether that address appears among the sample parameter addresses, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour, and if it does not, it is harmless code randomization behaviour.
In some embodiments, the parameter values include process names, file names, file contents, mutexes and string copies.
In some embodiments, searching for randomization parameter values and randomization parameter addresses on the basis of time parameter addresses includes: checking whether any parameter address among the time parameter addresses appears among the randomization parameter addresses, and if so, extracting that randomization parameter value and randomization parameter address.
In some embodiments, the time parameter addresses include running-duration parameter addresses and current-time parameter addresses.
In some embodiments, the specific parameter address includes string-copy-related parameter addresses.
According to a second aspect of the invention there is provided a malicious-code randomization identification system based on random-tracking, comprising: a recording module, for recording the randomization parameter values and randomization parameter addresses produced by random-number generation functions during the randomization behaviour of the running code; a search module, for searching for randomization parameter values and randomization parameter addresses on the basis of time parameter addresses; a judgement module, for judging, on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, whether the randomization parameter address appears among the sample parameter addresses, and extracting a specific parameter address; an identification module, for judging, on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, whether the randomization parameter value appears among the sample parameter values, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour; and a tracking module, for tracking and comparing, on the basis of the extracted specific parameter address, whether that address appears among the sample parameter addresses, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour, and if it does not, it is harmless code randomization behaviour.
In some embodiments, the parameter values include process names, file names, file contents, mutexes and string copies.
In some embodiments, the search module is used for:
checking whether any parameter address among the time parameter addresses appears among the randomization parameter addresses, and if so, extracting that randomization parameter value and randomization parameter address.
In some embodiments, the time parameter addresses include running-duration parameter addresses and current-time parameter addresses.
In some embodiments, the specific parameter address includes string-copy-related parameter addresses.
The technical solution provided by the present invention uses a hook mechanism to capture the system-boot-to-current-duration functions, the current-system-time functions and the randomization-related functions, and records the return values produced, the addresses of those return values, the randomly generated data and the memory addresses of that data. It then confirms whether those data have been written into the file names, service names, mutexes, process names or other system objects used by the running malicious code, and thereby identifies malicious-code randomization behaviour. The method both recognizes malicious-code randomization behaviour and removes the tedious step of restarting to compare changes in the process names, service names, mutexes and file names associated with the malicious code; it can accurately and effectively identify malicious-code randomization behaviour directly, right after the malicious code has run.
Brief description of the drawings
To explain the technical solution more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some of the embodiments described in the present invention; a person of ordinary skill in the art can obtain other drawings from these without creative effort.
Fig. 1 is a flow chart of a malicious-code randomization identification method based on random-tracking according to an embodiment of the present invention;
Fig. 2 is a block diagram of a malicious-code randomization identification system based on random-tracking according to an embodiment of the present invention.
Detailed description of embodiments
Preferred embodiments of the present invention are described in detail below with reference to the drawings; details and functions that are unnecessary for the invention are omitted from the description so as not to obscure the understanding of the invention. Although exemplary embodiments are shown in the drawings, it should be understood that the invention may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the invention is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
The method provided by the present invention uses a hook mechanism to capture the system-boot-to-current-duration functions, the current-system-time functions and the randomization-related functions, records the return values produced, the addresses of those return values, the randomly generated data and the memory addresses of that data, and confirms whether those data have been written into the file names, service names, mutexes, process names or other system objects used by the running malicious code, thereby identifying malicious-code randomization behaviour.
Fig. 1 shows a flow chart of a malicious-code randomization identification method based on random-tracking according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
S110: record the sample parameter values and sample parameter addresses produced in sample-code function calls.
Sample-code function calls include: string-copy-related functions (strncpy, strcpy); file, process and mutex creation functions (CreateFile, CreateProcess, CreateMutex and the like).
S120: record the randomization parameter values and randomization parameter addresses produced by random-number generation functions during the randomization behaviour of the running code.
Random-number generation function calls include:
randomization-related APIs (CryptGenRandom, CryptAcquireContext and the like);
string-copy-related functions (strncpy, strcpy and the like);
file, process and mutex creation functions (CreateFile, CreateProcess, CreateMutex and the like).
Specifically:
The return values and return addresses of the system-boot-to-current-duration APIs (GetTickCount and the like) are obtained and labelled Ax0, Ax1, ..., Axn.
The return addresses of the current-system-time APIs (GetLocalTime, GetSystemTime and the like) are obtained and labelled Ay0, Ay1, ..., Ayn.
For the randomization-related APIs (CryptGenRandom, CryptAcquireContext and the like), the parameter values of CryptGenRandom are recorded as Vz0, Vz1, ..., Vzn, and the addresses of those parameter values are labelled Az0, Az1, ..., Azn.
For the string-copy-related functions (strncpy, strcpy and the like), the addresses of the two parameters are labelled Aw0, Aw1, ..., Awn and Bw0, Bw1, ..., Bwn.
For the file, process and mutex creation functions (CreateFile, CreateProcess, CreateMutex and the like), the parameter values are labelled Va0, Va1, ..., Van, Vb0, Vb1, ..., Vbn, Vc0, Vc1, ..., Vcn, and the parameter addresses are labelled Sa0, Sa1, ..., San, Sb0, Sb1, ..., Sbn, Sc0, Sc1, ..., Scn.
The parameter values mentioned above include process names, file names, file contents, mutexes, string copies and the like.
S130: search for randomization parameter values and randomization parameter addresses on the basis of the time parameter addresses.
The time parameter addresses include running-duration parameter addresses and current-time parameter addresses, that is, the addresses of the return values of the system-boot-to-current-duration APIs (GetTickCount and the like) and of the current-system-time APIs (GetLocalTime, GetSystemTime and the like).
Check whether any parameter address among the time parameter addresses appears among the randomization parameter addresses, and if so, extract that randomization parameter value and randomization parameter address.
Specifically, check whether the addresses Ax0 to Axn and Ay0 to Ayn appear among Az0, Az1, ..., Azn; if one does, record it separately. For example: if Ax3 = Az3, extract and record the randomization parameter value and randomization parameter address Vz3, Az3.
S140: judge whether the randomization parameter address appears among the sample parameter addresses, and if so, extract a specific parameter address.
This judgement is based on the sample parameter values and sample parameter addresses produced in sample-code function calls. The specific parameter address includes string-copy-related parameter addresses.
Specifically, check whether Az3 appears among Bw0, Bw1, ..., Bwn; if it does, extract the address among Aw0 ... Awn that corresponds to the matching Bwn. For example: if Az3 = Bw3, extract the string-copy-related parameter address Aw3.
S150: judge whether the randomization parameter value appears among the sample parameter values; if it does, the randomization behaviour of the running code is malicious-code randomization behaviour.
This judgement is based on the sample parameter values and sample parameter addresses produced in sample-code function calls.
Check whether Vz3 appears among Va0, Va1, ..., Van, Vb0, Vb1, ..., Vbn, Vc0, Vc1, ..., Vcn. For example: if Vz3 is found within the string in Va3, extract the randomized string Vz3; Trojan randomization behaviour has been found.
S160: if it does not appear, track and compare whether the extracted specific parameter address appears among the sample parameter addresses.
Check whether the extracted string-copy-related parameter address Aw3 appears among Sa0, Sa1, ..., San, Sb0, Sb1, ..., Sbn, Sc0, Sc1, ..., Scn.
S170: if it appears, the randomization behaviour of the running code is malicious-code randomization behaviour; if it does not appear, it is harmless code randomization behaviour.
If it appears, trace back and extract Vz3, extracting the randomized string; Trojan randomization behaviour has been found.
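The S110 to S170 cross-referencing above, replayed offline over a constructed hook trace, as an added example that is not code from the patent or its assignee. It assumes the hooks have already filled the record sets with Ax/Ay, Az/Vz, Aw/Bw and Va/Sa-style entries; the addresses and strings are invented, and copy_destinations follows chains of copies rather than the single hop of the worked case.

```python
"""Offline replay of the random-tracking check described in CN107016286A.

Example code added here, not the patent's implementation. The hooks that would
populate these records (GetTickCount, GetLocalTime, GetSystemTime, CryptGenRandom,
strcpy/strncpy, CreateFile/CreateProcess/CreateMutex) are assumed to have run
already; every trace below is constructed by hand.
"""
from dataclasses import dataclass, field


@dataclass
class Trace:
    # Ax*/Ay*: addresses that received return values of the time APIs (S120)
    time_addrs: set = field(default_factory=set)
    # Az* -> Vz*: CryptGenRandom buffer address -> value written there (S120)
    rand_params: dict = field(default_factory=dict)
    # (Aw*, Bw*): (destination, source) addresses of strcpy/strncpy calls (S110)
    copies: list = field(default_factory=list)
    # Va*/Vb*/Vc*: name parameters passed to the creation APIs (S110)
    create_values: set = field(default_factory=set)
    # Sa*/Sb*/Sc*: addresses of those name parameters (S110)
    create_addrs: set = field(default_factory=set)


def time_seeded_random(trace):
    """S130: randomization parameters whose address also received a time value."""
    return {a: v for a, v in trace.rand_params.items() if a in trace.time_addrs}


def copy_destinations(trace, src_addr):
    """S140: destinations of string copies that originate at src_addr.

    The patent's worked case follows one hop (Az3 == Bw3 gives Aw3); this
    follows chains of copies, which is the same rule applied repeatedly.
    """
    reached, frontier = set(), {src_addr}
    while frontier:
        step = {dst for dst, src in trace.copies if src in frontier} - reached
        reached |= step
        frontier = step
    return reached


def classify(trace):
    """Apply S130..S170 and return (verdict, evidence)."""
    for addr, value in time_seeded_random(trace).items():
        # S150: the random value itself shows up inside a name given to a creation API
        hits = [v for v in trace.create_values if value in v]
        if hits:
            return "malicious", {"value": value, "names": hits}
        # S160/S170: otherwise track the copy chain to a creation-API parameter address
        reached = copy_destinations(trace, addr) & trace.create_addrs
        if reached:
            return "malicious", {"value": value, "addresses": sorted(reached)}
    return "benign", {}


# --- constructed traces (invented addresses and names) ---------------------

def trojan_like_trace():
    """Tick count seeds CryptGenRandom; the bytes end up in a mutex name."""
    t = Trace()
    t.time_addrs.add(0x1000)                    # GetTickCount return stored at 0x1000
    t.rand_params[0x1000] = "a8f3"              # CryptGenRandom overwrote that buffer
    t.copies.append((0x2000, 0x1000))           # strcpy(0x2000, 0x1000)
    t.create_values.add("Global\\svc_a8f3")    # CreateMutex(name at 0x2000)
    t.create_addrs.add(0x2000)
    return t


def indirect_trace():
    """Name is transformed from the random bytes, so only the address chain shows it."""
    t = Trace()
    t.time_addrs.add(0x1000)
    t.rand_params[0x1000] = "a8f3"
    t.copies += [(0x2000, 0x1000), (0x3000, 0x2000)]   # two copies before use
    t.create_values.add("upd_cfg.dat")          # value itself no longer visible
    t.create_addrs.add(0x3000)                  # CreateFile(name at 0x3000)
    return t


def benign_trace():
    """Random bytes are generated but never flow into any created object's name."""
    t = Trace()
    t.time_addrs.add(0x1000)
    t.rand_params[0x1000] = "7c21"
    t.rand_params[0x5000] = "beef"              # not time-seeded, ignored by S130
    t.copies.append((0x4000, 0x5000))
    t.create_values.add("settings.ini")
    t.create_addrs.add(0x6000)
    return t


if __name__ == "__main__":
    for name, t in [("trojan", trojan_like_trace()),
                    ("indirect", indirect_trace()),
                    ("benign", benign_trace())]:
        print(name, *classify(t))
```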
Fig. 2 is a block diagram of a malicious-code randomization identification system based on random-tracking according to an embodiment of the present invention. As shown in Fig. 2, the system may include a recording module 210, a search module 220, a judgement module 230, an identification module 240 and a tracking module 250.
The recording module 210 is used for recording the randomization parameter values and randomization parameter addresses produced by random-number generation functions during the randomization behaviour of the running code;
The parameter values include process names, file names, file contents, mutexes and string copies.
The search module 220 is used for searching for randomization parameter values and randomization parameter addresses on the basis of time parameter addresses;
The judgement module 230 is used for judging, on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, whether the randomization parameter address appears among the sample parameter addresses, and extracting a specific parameter address;
The identification module 240 is used for judging, on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, whether the randomization parameter value appears among the sample parameter values, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour;
The tracking module 250 is used for tracking and comparing, on the basis of the extracted specific parameter address, whether that address appears among the sample parameter addresses, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour, and if it does not, it is harmless code randomization behaviour.
Further, the search module 220 is used for checking whether any parameter address among the time parameter addresses appears among the randomization parameter addresses, and if so, extracting that randomization parameter value and randomization parameter address.
The time parameter addresses include running-duration parameter addresses and current-time parameter addresses, and the specific parameter address includes string-copy-related parameter addresses.
The invention has thus been described with reference to preferred embodiments. It should be understood that those skilled in the art can make various other changes, substitutions and additions without departing from the spirit and scope of the invention. Therefore the scope of the invention is not limited to the specific embodiments described above but should be defined by the appended claims.

Claims (10)

1. A malicious-code randomization identification method based on random-tracking, characterised in that it comprises:
recording the randomization parameter values and randomization parameter addresses produced by random-number generation functions during the randomization behaviour of running code;
searching for randomization parameter values and randomization parameter addresses on the basis of time parameter addresses;
on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, judging whether the randomization parameter address appears among the sample parameter addresses, and extracting a specific parameter address;
on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, judging whether the randomization parameter value appears among the sample parameter values, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour;
if it does not appear, tracking and comparing, on the basis of the extracted specific parameter address, whether that address appears among the sample parameter addresses, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour, and if it does not, it is harmless code randomization behaviour.
2. The method according to claim 1, characterised in that the parameter values include process names, file names, file contents, mutexes and string copies.
3. The method according to claim 1, characterised in that searching for randomization parameter values and randomization parameter addresses on the basis of time parameter addresses comprises:
checking whether any parameter address among the time parameter addresses appears among the randomization parameter addresses, and if so, extracting that randomization parameter value and randomization parameter address.
4. The method according to claim 1 or 3, characterised in that the time parameter addresses include running-duration parameter addresses and current-time parameter addresses.
5. The method according to claim 1, characterised in that the specific parameter address includes string-copy-related parameter addresses.
6. A malicious-code randomization identification system based on random-tracking, characterised in that it comprises:
a recording module, for recording the randomization parameter values and randomization parameter addresses produced by random-number generation functions during the randomization behaviour of running code;
a search module, for searching for randomization parameter values and randomization parameter addresses on the basis of time parameter addresses;
a judgement module, for judging, on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, whether the randomization parameter address appears among the sample parameter addresses, and extracting a specific parameter address;
an identification module, for judging, on the basis of the sample parameter values and sample parameter addresses produced in sample-code function calls, whether the randomization parameter value appears among the sample parameter values, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour;
a tracking module, for tracking and comparing, on the basis of the extracted specific parameter address, whether that address appears among the sample parameter addresses, and if it does, the randomization behaviour of the running code is malicious-code randomization behaviour, and if it does not, it is harmless code randomization behaviour.
7. The system according to claim 6, characterised in that the parameter values include process names, file names, file contents, mutexes and string copies.
8. The system according to claim 6, characterised in that the search module is used for:
checking whether any parameter address among the time parameter addresses appears among the randomization parameter addresses, and if so, extracting that randomization parameter value and randomization parameter address.
9. The system according to claim 6 or 8, characterised in that the time parameter addresses include running-duration parameter addresses and current-time parameter addresses.
10. The system according to claim 1, characterised in that the specific parameter address includes string-copy-related parameter addresses.
CN201611251419.XA 2016-12-30 2016-12-30 A kind of malicious code randomization recognition methods and system based on random-tracking Active CN107016286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611251419.XA CN107016286B (en) 2016-12-30 2016-12-30 A kind of malicious code randomization recognition methods and system based on random-tracking

Publications (2)

Publication Number Publication Date
CN107016286A true CN107016286A (en) 2017-08-04
CN107016286B CN107016286B (en) 2019-09-24

Family

ID=59440067

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101630350A (en) * 2008-07-14 2010-01-20 Siemens (China) Co., Ltd. Method and device for detecting buffer overflow and code instrumentation method and device
US20110277035A1 (en) * 2010-05-07 2011-11-10 Mcafee, Inc. Detection of Malicious System Calls
CN102945347A (en) * 2012-09-29 2013-02-27 ZTE Corporation Method, system and device for detecting Android malicious software
CN104134041A (en) * 2014-07-31 2014-11-05 Beijing Qihoo Technology Co., Ltd. Anti-detecting method and device of terminal simulator system
US20160164901A1 (en) * 2014-12-05 2016-06-09 Permissionbit Methods and systems for encoding computer processes for malware detection
CN105760787A (en) * 2015-06-30 2016-07-13 Kaspersky Lab AO System and method used for detecting malicious code of random access memory

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Fu Desheng, Shi Feiyue: "Buffer overflow exploitation and protective defence methods", Information Security and Technology *
Gong Jing, Zeng Li: "A brief discussion of network attacks and defence strategies", Journal of Anqing Normal University (Natural Science Edition) *

Also Published As

Publication number Publication date
CN107016286B (en) 2019-09-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No.

Patentee after: Shenzhen Antan Network Security Technology Co.,Ltd.

Address before: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No.

Patentee before: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd.