CN111966457B - Malicious code detection method and system based on snapshot - Google Patents

Malicious code detection method and system based on snapshot

Info

Publication number
CN111966457B
CN111966457B
Authority
CN
China
Prior art keywords
snapshot
virtual machine
malicious
detected
snapshot file
Prior art date
Legal status
Active
Application number
CN202010796163.0A
Other languages
Chinese (zh)
Other versions
CN111966457A (en)
Inventor
李斌
李伟明
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Events
Application filed by Huazhong University of Science and Technology
Priority to CN202010796163.0A
Publication of CN111966457A
Application granted
Publication of CN111966457B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 2009/45587 Isolation or security of virtual machine instances
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention discloses a snapshot-based method and system for detecting malicious code. The complete malicious code under test is run on one virtual machine; whenever a child-process creation operation is detected during the run, a snapshot file of the current moment is saved, comprising the name of the child process and the running state of the virtual machine at that moment. The other virtual machines then obtain the snapshot files corresponding to the malicious code under test and use them to detect the malicious code. Because snapshots are saved at the points where the malicious code creates processes and child processes, its malicious behaviour stays consistent across systems: the execution flow of the malicious code is restored on several Qemu virtual machine detection systems by loading the snapshots, so that comparatively accurate analysis logs are obtained.

Description

Malicious code detection method and system based on snapshot
Technical Field
The invention belongs to the field of information security and in particular relates to a snapshot-based malicious code detection method and system.
Background
Against the current background of the Internet, new kinds of malicious code appear endlessly, posing great challenges to Internet security and seriously endangering the way people live and work. Detecting malicious code has therefore always been a hot problem, but because malicious code is varied and functionally complex, how to detect and analyse it accurately remains an open research direction for security personnel. Besides the division into static detection analysis and dynamic detection analysis, detection methods can be divided, by the number of analysis systems, into single-system detection and multi-system detection.
Single-system detection extends a single virtual machine and integrates many complex modules into it, so that log information about the malicious behaviour of the malicious code is obtained while the code runs. The limitations of a single detection system are evident: the system takes on too many functions and its performance suffers. Multi-system detection built from several virtual machines overcomes these drawbacks: it extends several virtual machines and keeps each functional module independent. However, such systems generally use Qemu virtual machines as their most important component, and the malicious code is run separately in each detection system. Because the systems differ and the behaviour of the malicious code is not deterministic, its malicious behaviour may be inconsistent across the systems, which lowers the accuracy and the detection efficiency of the multi-virtual-machine detection system.
Disclosure of Invention
In view of at least one defect of, or need for improvement in, the prior art, the invention provides a snapshot-based malicious code detection method and system, which aim to solve the problem of how to improve the accuracy and detection efficiency of a multi-virtual-machine detection system by keeping the malicious behaviour of the malicious code consistent across the systems used in multi-system detection.
To achieve the above object, according to one aspect of the invention there is provided a snapshot-based malicious code detection method that detects malicious code in parallel with several virtual machines and comprises the following steps:
running the complete malicious code under test on one virtual machine, where a snapshot file of the current moment is saved whenever a child-process creation operation is detected during the run, the snapshot file comprising the name of the child process and the running state of the virtual machine at that moment;
the other virtual machines obtaining the snapshot files corresponding to the malicious code under test and detecting the malicious code using those snapshot files.
As a further improvement of the invention, the process of obtaining the snapshot file comprises:
the virtual machine builds a system image file containing the malicious program under test, and an instrumentation subprogram is inserted through the instrumentation interface of the virtual machine; the instrumentation subprogram instruments the process-creation API to produce monitoring data about process creation, so that a snapshot file of the current moment is saved whenever a child-process creation operation is detected during the run.
When several snapshots are produced while the malicious code under test runs, all snapshot files of the run are extracted to form a snapshot file set corresponding to the malicious code under test; the other virtual machines obtain this snapshot file set and use it to detect the malicious code.
As a further improvement of the invention, the process of obtaining the snapshot file set comprises:
saving the snapshot file of the current moment and writing the snapshot file name together with the corresponding child-process name to the virtual machine log; filtering the resulting virtual machine log to extract all snapshot file names and child-process names; and sorting them by child-process creation time to obtain a timeline process table, which is the snapshot file set.
As a further improvement of the invention, the malicious code detection process on the other virtual machines comprises:
S1, configuring the parameters of the other virtual machine, loading the system image file to start it, and loading the first snapshot file to begin control-flow analysis or memory forensics analysis;
S2, acquiring the memory process table of the other virtual machine at every preset time interval and comparing it with the snapshot file set to determine whether a new child process has been created; if one has, querying the snapshot file set to determine whether the corresponding snapshot is the last one; repeating step S2 until the last snapshot has been loaded, and writing the analysis result to the log of the other virtual machine.
As a further improvement of the invention, obtaining the memory process table of the other virtual machine comprises:
if the current virtual machine is a recent Qemu version, mapping the guest's live memory out to the host through the object and numa parameters and then obtaining the memory process table with a memory analysis tool;
if the current virtual machine is an old Qemu version, dumping the guest memory with the pmemsave command and then obtaining the memory process table from the dump with the memory analysis tool.
To achieve the above object, according to another aspect of the invention there is provided a snapshot-based malicious code detection system comprising a code-running virtual machine and a code-analysis virtual machine, wherein
the code-running virtual machine runs the complete malicious code under test and saves a snapshot file of the current moment whenever a child-process creation operation is detected during the run, the snapshot file comprising the name of the child process and the running state of the virtual machine at that moment; and
the code-analysis virtual machine obtains the snapshot file corresponding to the malicious code under test and detects the malicious code using it.
As a further improvement of the invention, the process by which the code-running virtual machine obtains the snapshot file comprises:
the virtual machine builds a system image file containing the malicious program under test, and an instrumentation subprogram is inserted through the instrumentation interface of the virtual machine; the instrumentation subprogram instruments the process-creation API to produce monitoring data about process creation, so that a snapshot file of the current moment is saved whenever a child-process creation operation is detected during the run.
When several snapshots are produced while the malicious code under test runs, the code-running virtual machine extracts all snapshot files of the run to form a snapshot file set corresponding to the malicious code under test; the other virtual machines obtain this snapshot file set and use it to detect the malicious code.
As a further improvement of the invention, the process of obtaining the snapshot file set comprises:
saving the snapshot file of the current moment and writing the snapshot file name together with the corresponding child-process name to the virtual machine log; filtering the resulting virtual machine log to extract all snapshot file names and child-process names; and sorting them by child-process creation time to obtain a timeline process table, which is the snapshot file set.
In general, compared with the prior art, the technical solutions conceived by the invention achieve the following beneficial effects:
(1) In the snapshot-based malicious code detection method and system provided by the invention, snapshots are saved at the points where the malicious code creates processes and child processes, and it is these processes that keep the malicious behaviour consistent. The subsequent control-flow analysis, memory forensics analysis and other systems restore the run of the malicious code by loading the snapshot corresponding to each process, so the malicious behaviour of the code is consistent across systems. Restoring the execution flow by loading snapshots on several Qemu virtual machine detection systems yields comparatively accurate analysis logs; finally, different models or algorithms normalise the logged information to uncover deeper relationships and produce the final detection result, which improves the accuracy and detection efficiency of the multi-virtual-machine detection system.
(2) The snapshot-based malicious code detection method and system provided by the invention build a timeline process table for the replay of several snapshots. The processes created by the malicious code have a timeline: when a parent process creates a child process and the parent does not exit, the parent and the child run together from that moment on, so their timelines overlap from the moment the child is created. When the snapshot corresponding to the child process is loaded the parent process is present as well, so the analysis of the parent's malicious behaviour during the overlapping part of the timeline can be placed in the step that handles the child's snapshot. Malicious behaviour is therefore analysed by loading the snapshot corresponding to each process that creates a child: once a process creation is detected, the snapshot corresponding to that process is loaded and analysis continues from there, instead of letting the malicious sample run to completion. Finally a log of the analysis results is produced. This saves a great deal of analysis time.
Drawings
FIG. 1 is a schematic diagram of a malicious code detection method based on snapshot provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of storing a snapshot file according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a timeline process table generated according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
The method and the working principle provided by the invention are described in detail below with reference to examples and figures.
The terms used in the invention are explained as follows:
API (Application Programming Interface): a set of predefined functions or conventions that govern how the components of a software system interact. It provides a set of routines that applications and developers can use on the basis of certain software or hardware without having to access the source code or understand the details of the internal mechanisms.
Qemu: a virtual operating system emulator. QEMU is a set of processor emulators written by Fabrice Bellard, distributed as source code under the GPL license and widely used on GNU/Linux platforms.
Fig. 1 is a schematic diagram of a snapshot-based malicious code detection method according to an embodiment of the invention. As shown in Fig. 1, the snapshot-based malicious code detection method, which detects malicious code in parallel with several virtual machines, comprises the following steps:
running the complete malicious code under test on one virtual machine, where a snapshot file of the current moment is saved whenever a child-process creation operation is detected during the run, the snapshot file comprising the name of the child process and the running state of the virtual machine at that moment;
the other virtual machines obtaining the snapshot files corresponding to the malicious code under test and detecting the malicious code using those snapshot files.
As an example, when only a single snapshot is produced while the malicious code under test runs, the corresponding execution flow of the method comprises:
using the qemu-img command to build a Windows system image containing the malicious program;
instrumenting the process-creation API through the instrumentation interface provided by the Qemu virtual machine detection system, so that process-creation operations are monitored;
configuring the Qemu virtual machine parameters, starting the Qemu virtual machine from the loaded Windows system image, running the malicious program inside the guest, saving a single snapshot (named after the malicious program) and writing it to the log of the current detection system;
performing control-flow analysis, memory forensics analysis and so on in the other Qemu virtual machine detection systems: the Qemu virtual machine parameters are configured, the Windows system image is loaded to start the Qemu virtual machine, the snapshot corresponding to the sample name of the malicious program is loaded and the virtual machine is woken up. Control-flow analysis or memory forensics analysis then runs until the malicious program finishes, and the analysis results are written to a log. Finally the analysis logs produced by all systems are extracted and a deeper correlation analysis is performed.
When several snapshots are produced while the malicious code under test runs, all snapshot files of the run are extracted to form a snapshot file set corresponding to the malicious code under test; the other virtual machines obtain this snapshot file set and use it to detect the malicious code.
Fig. 2 is a schematic diagram of saving a snapshot file according to an embodiment of the invention. As shown in Fig. 2, the process of obtaining the snapshot file comprises: the virtual machine builds a system image file containing the malicious program under test, for example by using the qemu-img command to build a Windows system image containing the malicious program; an instrumentation subprogram is inserted through the instrumentation interface of the Qemu virtual machine; the instrumentation subprogram instruments the process-creation API to produce monitoring data about process creation, so that a snapshot file of the current moment is saved whenever a child-process creation operation is detected during the run.
Fig. 3 is a schematic diagram of the timeline process table generated according to an embodiment of the invention. As shown in Fig. 3, the process of obtaining the snapshot file set comprises: saving the snapshot file of the current moment and writing the snapshot file name together with the corresponding child-process name to the virtual machine log; filtering the resulting virtual machine log to extract the snapshot file names and child-process names; and sorting them by child-process creation time to obtain an ordered timeline process table, which is the snapshot file set. Because different virtual machine detection systems may be built on different Qemu versions, compatibility between snapshots is also particularly important: snapshots saved by Qemu 1 can be made loadable by Qemu 2 by processing them accordingly. Specifically, the Qemu 2 source is modified so that the function acpi_load_old in qemu/hw/acpi/piix4.c skips loading ar.tmr.timer. The modification has two steps: first, a call qemu_file_skip(f, 8) is added before the call timer_get(f, s->ar.tmr.timer); second, the call timer_get(f, s->ar.tmr.timer) is commented out.
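The snapshot-saving step (Fig. 2) and the timeline process table (Fig. 3) can be illustrated together in code. The following is an added example and not code from the patent: it assumes a log line format, a savevm tag naming scheme (sample name, creation sequence number, child name) and the function names shown, none of which the patent specifies. log_child_creation builds the record the instrumentation subprogram would append to the VM log once the snapshot is saved; build_timeline filters a VM log for one sample, discards noise and duplicate records, and sorts the surviving records by child creation time, which yields the snapshot file set. The VM log used for the demonstration is constructed, not a real capture.

```python
"""Added example: snapshot naming and the timeline process table.

Not the patent's code. The log line format, the snapshot naming scheme and
the function names are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed record the instrumentation subprogram appends to the VM log right
# after savevm succeeds for a detected child-process creation.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z) SNAPSHOT "
    r"sample=(?P<sample>\S+) parent=(?P<parent>\S+) child=(?P<child>\S+) "
    r"file=(?P<snapfile>\S+)$"
)


@dataclass(frozen=True)
class TimelineEntry:
    created_at: datetime
    sample: str
    parent: str
    child: str
    snapshot: str


def parse_ts(text):
    """ISO-8601 UTC timestamp with optional fraction, e.g. 2020-08-10T09:00:07.250Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def snapshot_name(sample, child, seq):
    """Tag passed to savevm: sample name, creation sequence number, child name.
    Tags are free-form, but anything outside [A-Za-z0-9._-] is mapped to '_'
    so the tag is safe for the monitor command line and the filesystem."""
    def safe(s):
        return re.sub(r"[^A-Za-z0-9._-]", "_", s)
    return f"{safe(sample)}-{seq:03d}-{safe(child)}"


def log_child_creation(sample, parent, child, seq, now):
    """Log line written when the process-creation hook fires and the snapshot is saved."""
    ts = now.astimezone(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"
    return (f"{stamp} SNAPSHOT sample={sample} parent={parent} "
            f"child={child} file={snapshot_name(sample, child, seq)}")


def build_timeline(log_lines, sample):
    """Filter the VM log for `sample`, drop noise and duplicates, and sort by child
    creation time; the result is the snapshot file set (timeline process table)."""
    entries, seen = [], set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["sample"] != sample:
            continue                    # unrelated log noise or another sample's run
        if m["snapfile"] in seen:
            continue                    # the hook can fire twice for one creation
        seen.add(m["snapfile"])
        entries.append(TimelineEntry(parse_ts(m["ts"]), m["sample"],
                                     m["parent"], m["child"], m["snapfile"]))
    entries.sort(key=lambda e: e.created_at)   # stable: ties keep log order
    return entries


# Constructed VM log for the demonstration (not a real capture). The third
# dropper.exe record was flushed out of order by a buffered logger.
SAMPLE_LOG = [
    "2020-08-10T09:00:00.000Z BOOT guest=win7sp1 image=win7.qcow2",
    "2020-08-10T09:00:07.250Z SNAPSHOT sample=dropper.exe parent=dropper.exe child=cmd.exe file=dropper.exe-001-cmd.exe",
    "2020-08-10T09:00:12.004Z SNAPSHOT sample=other.exe parent=other.exe child=notepad.exe file=other.exe-001-notepad.exe",
    "2020-08-10T09:00:31.900Z SNAPSHOT sample=dropper.exe parent=cmd.exe child=powershell.exe file=dropper.exe-003-powershell.exe",
    "2020-08-10T09:00:20.110Z SNAPSHOT sample=dropper.exe parent=dropper.exe child=svchost.exe file=dropper.exe-002-svchost.exe",
    "2020-08-10T09:00:20.110Z SNAPSHOT sample=dropper.exe parent=dropper.exe child=svchost.exe file=dropper.exe-002-svchost.exe",
    "this line is corrupt and must be ignored",
]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOG, "dropper.exe"):
        print(e.created_at.isoformat(), e.snapshot, f"{e.parent} -> {e.child}")
```

Sorting by the creation timestamp rather than by log position is what makes the table a timeline: the replay side walks it in order and expects each child to appear after the previous one. Process names are used as keys here because that is what the patent compares; they are not unique, so a production implementation would also carry the PID and parent PID reported by the memory analysis tool.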
Optionally, the malicious code detection process on the other virtual machines comprises:
S1, configuring the parameters of the other Qemu virtual machine, loading the system image file to start it, and then loading the first snapshot file (the first snapshot is named after the sample name of the malicious program) to begin control-flow analysis or memory forensics analysis;
S2, acquiring the memory process table of the other virtual machine at every preset time interval and comparing it with the snapshot file set to determine whether a new child process has been created; if one has, querying the snapshot file set to determine whether the corresponding snapshot is the last one; repeating step S2 until the last snapshot has been loaded, and writing the analysis result to the log of the other virtual machine.
As a further preference, obtaining the memory process table of the other virtual machine comprises:
if the current virtual machine is a recent Qemu version, i.e. one that supports the object and numa parameters, mapping the guest's live memory out to the host through these two parameters and then obtaining the process table from that memory with a memory analysis tool;
if the current virtual machine is an old Qemu version, dumping the guest memory with the pmemsave command and then obtaining the process table from the dump with a memory analysis tool.
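Steps S1 and S2, together with the two ways of reaching guest memory, can be driven from the host through QEMU's QMP socket. The following is an added example, not the patent's code, and the same logic applies to the code-analysis virtual machine described later for the system. It uses only two standard QMP commands (qmp_capabilities and human-monitor-command, the latter wrapping the monitor commands loadvm and pmemsave); qemu_argv shows the -object memory-backend-file / -numa node,memdev combination assumed to be the "object and numa parameters" of the text, which backs guest RAM with a shared host file a memory analysis tool can read while the guest runs, versus the pmemsave dump used on an old Qemu. replay_snapshots is written against injected callables so it can drive a real Qemu or, in run_fake_replay, a scripted guest; the snapshot tags, process tables and all names are constructed assumptions.

```python
"""Added example: replaying the snapshot file set on an analysis VM (steps S1/S2).
Not the patent's code; names, tags, process tables and Qemu options are assumptions."""
import json
import socket
import time


def qemu_argv(image, qmp_sock, mem_path=None, mem_size="2G"):
    """Analysis-VM command line. With mem_path (recent Qemu) guest RAM is a shared
    host file readable live by a memory analysis tool; without it (old Qemu) RAM is
    dumped on demand with QmpClient.pmemsave."""
    argv = ["qemu-system-x86_64", "-m", mem_size, "-hda", image,
            "-qmp", f"unix:{qmp_sock},server,nowait"]
    if mem_path:
        argv += ["-object", f"memory-backend-file,id=mem0,size={mem_size},"
                            f"mem-path={mem_path},share=on",
                 "-numa", "node,memdev=mem0"]
    return argv


class QmpClient:
    """Minimal QMP client on the UNIX socket given to -qmp."""

    def __init__(self, path):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)
        self.rd = self.sock.makefile("r", encoding="utf-8")
        self.rd.readline()                         # greeting banner
        self.execute("qmp_capabilities")           # leave capabilities negotiation

    def execute(self, cmd, **args):
        msg = {"execute": cmd, **({"arguments": args} if args else {})}
        self.sock.sendall((json.dumps(msg) + "\n").encode())
        while True:                                # async events may precede the reply
            resp = json.loads(self.rd.readline())
            if "return" in resp:
                return resp["return"]
            if "error" in resp:
                raise RuntimeError(resp["error"].get("desc", resp["error"]))

    def hmp(self, line):
        """loadvm and pmemsave are monitor (HMP) commands; QMP wraps them like this."""
        return self.execute("human-monitor-command", **{"command-line": line})

    def loadvm(self, tag):
        return self.hmp(f"loadvm {tag}")

    def pmemsave(self, size, path):
        return self.hmp(f"pmemsave 0 {size} {path}")   # guest RAM dump for the analysis tool


def replay_snapshots(timeline, load_snapshot, process_table, analyse,
                     poll=1.0, max_polls=1000):
    """timeline: [(snapshot_tag, process_name), ...] in creation order, first entry
    being the snapshot named after the sample. Returns one analysis record per loaded
    snapshot; raises TimeoutError if the guest never creates the next expected child
    (the replay diverged from the capture run)."""
    if not timeline:
        raise ValueError("empty snapshot file set")
    idx = 0
    load_snapshot(timeline[0][0])                             # S1
    records = [analyse(*timeline[0])]
    for _ in range(max_polls):                                # S2
        if idx == len(timeline) - 1:
            return records                                    # last snapshot loaded
        running = set(process_table())
        next_tag, next_child = timeline[idx + 1]
        if next_child in running:        # next child exists: jump to its snapshot
            idx += 1                     # instead of letting the guest run on
            load_snapshot(next_tag)
            records.append(analyse(next_tag, next_child))
        else:
            time.sleep(poll)
    raise TimeoutError(f"{timeline[idx + 1][1]} never appeared in the guest")


def run_fake_replay():
    """Offline demonstration with a scripted guest; returns (loaded_tags, records)."""
    timeline = [("dropper.exe-000-start", "dropper.exe"),
                ("dropper.exe-001-cmd.exe", "cmd.exe"),
                ("dropper.exe-002-svchost.exe", "svchost.exe"),
                ("dropper.exe-003-powershell.exe", "powershell.exe")]
    # Constructed process tables returned by successive polls (last one repeats).
    script = [["System"],
              ["System", "dropper.exe", "cmd.exe"],
              ["System", "dropper.exe", "cmd.exe"],
              ["System", "cmd.exe", "svchost.exe"],             # parent has exited
              ["System", "cmd.exe", "svchost.exe", "powershell.exe"]]
    loaded, polls = [], []

    def process_table():
        polls.append(1)
        return script[min(len(polls) - 1, len(script) - 1)]

    records = replay_snapshots(timeline, loaded.append, process_table,
                               lambda tag, child: f"{tag}: analysed from creation of {child}",
                               poll=0)
    return loaded, records
```

Against a real guest, load_snapshot would be QmpClient(sock).loadvm and process_table would run a memory analysis tool (for example Volatility's pslist) over the shared mem-path file or over a fresh pmemsave dump and return the process names. The TimeoutError path is the case the patent is designed to avoid: if the replay guest never produces the next child, its behaviour has diverged from the capture run, and the driver reports that rather than waiting for the sample to finish.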
A snapshot-based malicious code detection system comprises a code-running virtual machine and a code-analysis virtual machine, wherein
the code-running virtual machine runs the complete malicious code under test and saves a snapshot file of the current moment whenever a child-process creation operation is detected during the run, the snapshot file comprising the name of the child process and the running state of the virtual machine at that moment; and
the code-analysis virtual machine obtains the snapshot file corresponding to the malicious code under test and detects the malicious code using it.
As an example, when only a single snapshot is produced while the malicious code under test runs, the corresponding execution flow of the system comprises:
using the qemu-img command to build a Windows system image containing the malicious program;
instrumenting the process-creation API through the instrumentation interface provided by the Qemu virtual machine detection system, so that process-creation operations are monitored;
configuring the Qemu virtual machine parameters, starting the Qemu virtual machine from the loaded Windows system image, running the malicious program inside the guest, saving a single snapshot (named after the malicious program) and writing it to the log of the current detection system;
performing control-flow analysis, memory forensics analysis and so on in the other Qemu virtual machine detection systems: the Qemu virtual machine parameters are configured, the Windows system image is loaded to start the Qemu virtual machine, the snapshot corresponding to the sample name of the malicious program is loaded and the virtual machine is woken up. Control-flow analysis or memory forensics analysis then runs until the malicious program finishes, and the analysis results are written to a log. Finally the analysis logs produced by all systems are extracted and a deeper correlation analysis is performed.
When several snapshots are produced while the malicious code under test runs, the code-running virtual machine extracts all snapshot files of the run to form a snapshot file set corresponding to the malicious code under test; the other virtual machines obtain this snapshot file set and use it to detect the malicious code.
Optionally, the process by which the code-running virtual machine obtains the snapshot file comprises: the virtual machine builds a system image file containing the malicious program under test, for example by using the qemu-img command to build a Windows system image containing the malicious program; an instrumentation subprogram is inserted through the instrumentation interface of the Qemu virtual machine; the instrumentation subprogram instruments the process-creation API to produce monitoring data about process creation, so that a snapshot file of the current moment is saved whenever a child-process creation operation is detected during the run.
Optionally, the process by which the code-running virtual machine obtains the snapshot file set comprises: saving the snapshot file of the current moment and writing the snapshot file name together with the corresponding child-process name to the virtual machine log; filtering the resulting virtual machine log to extract the snapshot file names and child-process names; and sorting them by child-process creation time to obtain an ordered timeline process table, which is the snapshot file set.
Optionally, the malicious code detection process of the code-analysis virtual machine comprises:
S1, configuring the parameters of the other Qemu virtual machine, loading the system image file to start it, and then loading the first snapshot file (the first snapshot is named after the sample name of the malicious program) to begin control-flow analysis or memory forensics analysis;
S2, acquiring the memory process table of the other virtual machine at every preset time interval and comparing it with the snapshot file set to determine whether a new child process has been created; if one has, querying the snapshot file set to determine whether the corresponding snapshot is the last one; repeating step S2 until the last snapshot has been loaded, and writing the analysis result to the log of the other virtual machine.
As a further preference, the code-analysis virtual machine obtaining the memory process table comprises:
if the current virtual machine is a recent Qemu version, i.e. one that supports the object and numa parameters, mapping the guest's live memory out to the host through these two parameters and then obtaining the process table from that memory with a memory analysis tool;
if the current virtual machine is an old Qemu version, dumping the guest memory with the pmemsave command and then obtaining the process table from the dump with a memory analysis tool.
It will be readily appreciated by those skilled in the art that the foregoing description is merely a preferred embodiment of the invention and is not intended to limit the invention, but any modifications, equivalents, improvements or alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (8)

1. A malicious code detection method based on snapshot is characterized by comprising the following steps of:
Running the whole malicious code to be detected on one virtual machine, wherein the snapshot file at the current moment is stored when the operation of creating the subprocess is detected in the running process, and comprises the name of the subprocess and the running state of the virtual machine at the current moment;
other virtual machines acquire snapshot files corresponding to malicious codes to be detected, and the malicious codes are detected by utilizing the snapshot files, including restoring the execution flow of the malicious agents by loading the snapshot files;
the process for obtaining the snapshot file comprises the following steps:
The virtual machine establishes a system image file related to a malicious program to be detected, a instrumentation sub-program is inserted by using an instrumentation interface of the virtual machine, and the instrumentation sub-program is used for executing instrumentation operation on an API of the creation process to generate monitoring data of the creation process, so that a snapshot file at the current moment is kept when the operation of the creation sub-process is detected during running.
2. The snapshot-based malicious code detection method according to claim 1, wherein, when several snapshots are taken during the run of the malicious code to be detected, all snapshot files from the run are extracted to generate a snapshot file set corresponding to the malicious code to be detected, and the other virtual machines obtain the snapshot file set corresponding to the malicious code to be detected and use the snapshot file set to detect the malicious code.
3. The snapshot-based malicious code detection method according to claim 2, wherein obtaining the snapshot file set comprises:
saving the snapshot file of the current moment and writing the snapshot file name together with the corresponding sub-process name into the virtual machine log; filtering the generated virtual machine log to extract all snapshot file names and sub-process names; and sorting them by sub-process creation time to obtain a timeline process table, which is the snapshot file set.
4. The snapshot-based malicious code detection method according to claim 3, wherein detecting the malicious code in the other virtual machines comprises:
S1: configuring the parameters of the other virtual machines, loading the system image file to start them, and having the other virtual machines load the first snapshot file to begin control-flow analysis or memory forensic analysis;
S2: every preset time period, acquiring the memory process table of the other virtual machines and comparing it with the snapshot file set to determine whether a new sub-process has been created; if a new sub-process has been created, querying the snapshot file set to determine whether the corresponding snapshot is the last one; and repeating step S2 until the last snapshot has been loaded, then writing the analysis result to the log of the other virtual machines.
5. The snapshot-based malicious code detection method according to claim 4, wherein acquiring the memory process table of the other virtual machines comprises:
if the current virtual machine is a newer version of QEMU, mapping the live memory of the guest out through the -object and -numa parameters and then obtaining the memory process table with a memory analysis tool;
if the current virtual machine is an older version of QEMU, dumping the guest memory with the pmemsave command and then obtaining the memory process table with the memory analysis tool.
6. A snapshot-based malicious code detection system, characterized in that the system comprises a code-running virtual machine and a code-analysis virtual machine, wherein
the code-running virtual machine is used to run the malicious code to be detected in its entirety, wherein, whenever an operation that creates a sub-process is detected during the run, a snapshot file of the current moment is saved, the snapshot file comprising the name of the sub-process and the running state of the virtual machine at that moment;
the code-analysis virtual machine is used to obtain the snapshot files corresponding to the malicious code to be detected and to detect the malicious code using the snapshot files, which includes restoring the execution flow of the malicious code by loading the snapshot files;
wherein the code-running virtual machine obtaining the snapshot file comprises:
the virtual machine creating a system image file for the malicious program to be detected and inserting an instrumentation sub-program through the instrumentation interface of the virtual machine, the instrumentation sub-program instrumenting the process-creation API so as to generate monitoring data on process creation, whereby a snapshot file of the current moment is saved when a sub-process creation operation is detected at run time.
7. The snapshot-based malicious code detection system according to claim 6, wherein, when several snapshots are taken during the run of the malicious code to be detected, the code-running virtual machine extracts all snapshot files from the run to generate a snapshot file set corresponding to the malicious code to be detected, and the other virtual machines obtain the snapshot file set corresponding to the malicious code to be detected and use the snapshot file set to detect the malicious code.
8. The snapshot-based malicious code detection system according to claim 7, wherein obtaining the snapshot file set comprises:
saving the snapshot file of the current moment and writing the snapshot file name together with the corresponding sub-process name into the virtual machine log; filtering the generated virtual machine log to extract all snapshot file names and sub-process names; and sorting them by sub-process creation time to obtain a timeline process table, which is the snapshot file set.
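The following is an added worked example, not code from the patent, of the two procedures the claims describe: building the timeline process table of claim 3 by filtering and sorting the code-running virtual machine's log, and the analysis loop of claim 4 (steps S1 and S2) on the code-analysis virtual machine. The log record format, the callback interfaces, the snapshot and process names, and the scripted process tables are assumptions constructed for the example; the memory acquisition of claim 5 is abstracted behind a callback.

```python
"""Added example (not the patent's own code): claim 3 timeline process table
and claim 4 snapshot-driven analysis loop. Formats and names are assumed."""
import re
from dataclasses import dataclass

# Constructed sample log of the code-running VM. Assumed record format:
# "<timestamp> snapshot=<snapshot file> child=<sub-process name>". Other
# lines are noise the filtering step must drop; two records are written out
# of order to show why the set is sorted by sub-process creation time.
SAMPLE_VM_LOG = """\
2020-08-10T10:00:01 guest boot complete
2020-08-10T10:00:05 snapshot=snap_0001 child=dropper.exe
2020-08-10T10:00:11 snapshot=snap_0003 child=cmd.exe
2020-08-10T10:00:09 snapshot=snap_0002 child=svchost.exe
2020-08-10T10:00:12 tcp connect 192.0.2.10:443
"""

SNAPSHOT_RECORD = re.compile(
    r"^(?P<ts>\S+)\s+snapshot=(?P<snap>\S+)\s+child=(?P<child>\S+)\s*$")


@dataclass(frozen=True)
class SnapshotEntry:
    created: str          # sub-process creation time; ISO 8601 sorts lexically
    snapshot_file: str
    child_process: str


def build_snapshot_set(log_text):
    """Claim 3: filter the snapshot records out of the VM log and order them
    by sub-process creation time, giving the timeline process table."""
    entries = [
        SnapshotEntry(m["ts"], m["snap"], m["child"])
        for m in map(SNAPSHOT_RECORD.match, log_text.splitlines()) if m
    ]
    return sorted(entries, key=lambda e: e.created)


def analyse_with_snapshots(snapshot_set, acquire_process_table, load_snapshot,
                           max_polls=50):
    """Claim 4. S1: load the first snapshot. S2: poll the analysis VM's memory
    process table; when a sub-process named in the snapshot set appears, load
    the snapshot taken at its creation; stop once the last snapshot is loaded.
    Returns the analysis log that claim 4 writes to the analysis VM's log."""
    if not snapshot_set:
        return []
    analysis_log = []
    current = 0
    load_snapshot(snapshot_set[current].snapshot_file)          # S1
    analysis_log.append(f"loaded {snapshot_set[current].snapshot_file}")
    for poll in range(max_polls):                                # S2
        running = set(acquire_process_table())   # one preset time period
        # Compare the live process table with the entries not yet reached.
        newly_created = [i for i in range(current + 1, len(snapshot_set))
                         if snapshot_set[i].child_process in running]
        if not newly_created:
            continue
        current = max(newly_created)   # furthest point reached on the timeline
        entry = snapshot_set[current]
        load_snapshot(entry.snapshot_file)
        analysis_log.append(f"poll {poll}: {entry.child_process} created, "
                            f"loaded {entry.snapshot_file}")
        if current == len(snapshot_set) - 1:      # query: was that the last?
            analysis_log.append("last snapshot loaded, analysis complete")
            break
    else:
        analysis_log.append("poll budget exhausted before last snapshot")
    return analysis_log


class SimulatedAnalysisVM:
    """Constructed stand-in for the code-analysis VM: each poll returns the
    next scripted process table, and the last table repeats thereafter."""

    def __init__(self, process_tables):
        self._tables = list(process_tables)
        self.loaded = []

    def acquire_process_table(self):
        return self._tables.pop(0) if len(self._tables) > 1 else self._tables[0]

    def load_snapshot(self, snapshot_file):
        self.loaded.append(snapshot_file)


def demo():
    snapshot_set = build_snapshot_set(SAMPLE_VM_LOG)
    vm = SimulatedAnalysisVM([
        ["System", "explorer.exe", "dropper.exe"],                 # at snap_0001
        ["System", "explorer.exe", "dropper.exe", "svchost.exe"],  # snap_0002 point
        ["System", "dropper.exe", "svchost.exe", "cmd.exe"],       # snap_0003 point
    ])
    log = analyse_with_snapshots(snapshot_set, vm.acquire_process_table,
                                 vm.load_snapshot)
    return snapshot_set, vm.loaded, log


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

In a real deployment the `acquire_process_table` callback does what claim 5 describes: on a newer QEMU, start the guest with a file-backed memory backend (`-object memory-backend-file,id=mem,size=...,mem-path=...,share=on -numa node,memdev=mem`) so that guest RAM is a file a memory analysis tool can read live; on an older QEMU, issue `pmemsave` from the monitor to dump guest RAM to a file first. Two points worth checking before relying on this loop: the sub-process name is the only link between the live process table and the snapshot set, so a sample that spawns several processes with the same name, or renames itself, needs a stronger key such as PID plus parent PID; and the polling interval bounds how far the analysis VM runs past a snapshot point before the next snapshot is loaded.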
CN202010796163.0A 2020-08-10 2020-08-10 Malicious code detection method and system based on snapshot Active CN111966457B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010796163.0A CN111966457B (en) 2020-08-10 2020-08-10 Malicious code detection method and system based on snapshot

Publications (2)

Publication Number Publication Date
CN111966457A CN111966457A (en) 2020-11-20
CN111966457B true CN111966457B (en) 2024-04-19

Family

ID=73365417

Country Status (1)

Country Link
CN (1) CN111966457B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966270A (en) * 2021-03-16 2021-06-15 武汉小安科技有限公司 (Wuhan Xiaoan Technology Co., Ltd.) Application program security detection method and device, electronic equipment and storage medium
CN114428957A (en) * 2021-12-21 2022-05-03 哈尔滨理工大学 (Harbin University of Science and Technology) High-accuracy Linux shared memory malicious code detection method

Patent Citations (2)

Publication number Priority date Publication date Assignee Title
CN103778373A (en) * 2014-01-10 2014-05-07 深圳市深信服电子科技有限公司 (Sangfor) Virus detection method and device
CN105550574A (en) * 2015-12-11 2016-05-04 南京大学 (Nanjing University) Side-channel attack evidence collecting system and method based on memory activity

Non-Patent Citations (1)

Title
Gábor Pék et al., "Membrane: A Posteriori Detection of Malicious Code Loading by Memory Paging Analysis", ESORICS 2016, pp. 199-215 *

Also Published As

Publication number Publication date
CN111966457A (en) 2020-11-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant