CN114168958A - Executable file injection detection method, device, equipment and storage medium - Google Patents

Info

Publication number
CN114168958A
Authority
CN
China
Legal status
Pending
Application number
CN202111517612.4A
Other languages
Chinese (zh)
Inventor
刘波
范渊
吴卓群
王欣
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The application discloses a method, an apparatus, a device and a storage medium for detecting injection of an executable file. The method comprises the following steps: searching the memory information of the target process; detecting whether the memory information of the target process contains information of two or more dynamic linkers; when the information of two or more dynamic linkers is detected, determining that the target process is infected by a trojan injected as a dynamically linked executable file. The detection method can detect in real time whether a 'dynamically linked executable file' trojan has been injected into the memory of the target process; it is specifically targeted at this class of trojan, needs no trojan signature data, and has wide adaptability and high detection efficiency.

Description

Executable file injection detection method, device, equipment and storage medium
Technical Field
The present invention relates to the field of system security detection, and in particular to a method, an apparatus, a device and a storage medium for detecting executable file injection.
Background
At present, Linux systems face many kinds of attack. Attackers compromise systems and obtain user information by various means, and system administrators generally respond by scanning the files on the system, detecting problematic executable files and removing them. However, some trojans never exist in the file system and cannot be detected by traditional file scanning: by exploiting a vulnerability in the system or in application software, the trojan is injected directly into the memory of a target process and runs alongside it, so the trojan binary never touches disk and resides entirely in memory, which makes it difficult for a system administrator to detect its presence.
In the prior art, matching is generally performed against signatures of known trojans: the memory of the target process is searched for a signature from the signature library, and the result decides whether the target process is infected. The disadvantage is that detection depends on a sample of an existing trojan, so a newly emerged trojan cannot be detected.
Disclosure of Invention
In view of this, the present invention provides a method, an apparatus, a device and a storage medium for detecting executable file injection, which can detect in real time whether the memory of a target process is infected with a trojan, and which have wide adaptability and high detection efficiency. The specific scheme is as follows:
a method for detecting executable file injection comprises the following steps:
searching the memory information of the target process;
detecting whether the memory information of the target process contains information of two or more dynamic linkers;
when the information of two or more dynamic linkers is detected, determining that the target process is infected by a trojan injected as a dynamically linked executable file.
Preferably, in the method for detecting executable file injection provided by the embodiment of the present invention, the searching for the memory information of the target process includes:
traversing the /proc directory, which contains numerically named subdirectories, one per pid of the processes currently running on the system;
detecting whether a /proc/<pid>/maps file exists;
and if so, reading the memory information of the target process recorded in the /proc/<pid>/maps file.
Preferably, in the method for detecting executable file injection provided by the embodiment of the present invention, the detecting whether the memory information of the target process contains information of two or more dynamic linkers includes:
counting the lines of the memory information of the target process whose last column ends with the dynamic linker's file path, and detecting whether that count exceeds 1;
if the count exceeds 1, determining that information of two or more dynamic linkers has been detected.
Preferably, in the method for detecting executable file injection provided by the embodiment of the present invention, the method further includes:
if the count is not more than 1, searching the memory intervals specified by all lines whose last column is empty in the memory information of the target process for information of the .so dynamic library (the dynamic linker), so as to detect whether information of two or more dynamic linkers exists.
Preferably, in the method for detecting executable file injection provided by the embodiment of the present invention, after the searching for information of the .so dynamic library, the method further includes:
if the information of the .so dynamic library is found, reading the dynamic linker's file from disk, parsing the ELF file, storing the loadable segment data that has execute permission in memory, and recording it as a first variable;
reading the data of each row whose last column is empty in the memory information of the target process, and searching whether the read buffer contains the data specified by the first variable;
and if the data specified by the first variable is included, determining that information of two or more dynamic linkers has been detected.
Preferably, in the method for detecting executable file injection provided by the embodiment of the present invention, reading the loadable segment data with execute permission into memory includes:
judging, for each program header of the dynamic linker, whether it describes a PT_LOAD segment with the executable attribute;
if yes, storing that loadable, executable segment data of the dynamic linker in memory.
Preferably, in the method for detecting executable file injection provided by the embodiment of the present invention, the method further includes:
processing all processes in a loop, and outputting the detection result information after all processes have been detected.
The embodiment of the invention also provides an apparatus for detecting executable file injection, which comprises:
a memory information searching module, configured to search the memory information of the target process;
a dynamic linker detection module, configured to detect whether the memory information of the target process contains information of two or more dynamic linkers;
and a determining module, configured to determine that the target process is infected by a trojan injected as a dynamically linked executable file when the information of two or more dynamic linkers is detected.
The embodiment of the invention also provides a device for detecting executable file injection, which comprises a processor and a memory, wherein the processor implements the method for detecting executable file injection provided by the embodiment of the invention when executing the computer program stored in the memory.
The embodiment of the present invention further provides a computer-readable storage medium for storing a computer program, where the computer program, when executed by a processor, implements the above-mentioned method for detecting executable file injection provided by the embodiment of the present invention.
According to the above technical scheme, the method for detecting executable file injection provided by the invention comprises the following steps: searching the memory information of the target process; detecting whether the memory information of the target process contains information of two or more dynamic linkers; when the information of two or more dynamic linkers is detected, determining that the target process is infected by a trojan injected as a dynamically linked executable file.
The detection method provided by the invention can scan the system's processes in real time and detect in real time whether a 'dynamically linked executable file' trojan has been injected into the memory of the target process; it is specifically targeted at this class of trojan, needs no trojan signature data, and has wide adaptability and high detection efficiency.
In addition, the invention also provides a corresponding apparatus, device and computer-readable storage medium for the method for detecting executable file injection, which gives the method greater practicability, and the apparatus, device and computer-readable storage medium have the corresponding advantages.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the related art more clearly, the drawings used in the description of the embodiments or the related art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for detecting executable file injection according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of an apparatus for detecting executable file injection according to an embodiment of the present invention.
Detailed Description
In the prior art there are several ways to infect the memory of a running process and place a trojan in a target process for covert execution, such as injecting a .so dynamic library into the process, injecting a piece of shellcode into the process, or injecting a dynamically linked executable file into the process. Each infection method requires its own detection technique; the embodiment of the invention provides a method for detecting in real time whether a process on a Linux system has been infected by 'dynamically linked executable file injection'.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present invention.
The invention provides a method for detecting executable file injection which, as shown in FIG. 1, comprises the following steps:
S101, running a target process;
S102, searching the memory information of the target process;
S103, detecting whether the memory information of the target process contains information of two or more dynamic linkers;
if the information of two or more dynamic linkers is detected, executing step S104;
S104, determining that the target process is infected by a trojan injected as a dynamically linked executable file.
In practice, the dynamic linker is responsible for loading the dynamic libraries required by an executable file, relocating them, and handing control to the executable file's entry address to complete its startup. A dynamically linked executable file is one that depends on other dynamic libraries, such as ld.so and libc.so, and loads those dependent libraries when it starts.
It should be understood that an attacker injects a dynamically linked executable file into the memory of a target process and runs it by executing a piece of shellcode in the target process, usually via a system vulnerability or ptrace, and the main functions of that shellcode are as follows:
first, loading a dynamic linker into the target process memory, such as /lib64/ld-linux-x86-64.so.2;
then, writing the trojan into the target process memory; the trojan may be downloaded from the network and written directly into memory after download, or it may be part of the shellcode and be decrypted in memory;
then, creating a stack (using mmap), preparing the stack-related information (argc, argv, envp, the auxiliary vector and the like), and writing the trojan's in-memory information into the auxiliary vector (the trojan's address in memory, the address of its program headers, the number of program headers, the trojan's entry address and the like);
finally, passing control to the entry point of the dynamic linker; the dynamic linker then loads the other .so libraries the trojan needs and hands control to the trojan's entry address. The trojan is in memory throughout, so no trace of it exists on the file system.
Because dynamically linked executable file injection performed in this way needs a dynamic linker such as /lib64/ld-linux-x86-64.so.2, the target process ends up with one extra dynamic linker in its memory information, whereas a normal program has only one dynamic linker after it starts. Therefore, the detection method provided by the invention first searches the memory information of the target process; if two or more dynamic linkers are found, this indicates abnormal injection, and the target process is judged to be infected with the trojan.
The method for detecting executable file injection provided by the embodiment of the invention can scan the system's processes in real time and detect in real time whether a 'dynamically linked executable file' trojan has been injected into the memory of the target process; it is specifically targeted at this class of trojan, needs no trojan signature data, and has wide adaptability and high detection efficiency.
Further, in a specific implementation of the method for detecting executable file injection provided by the embodiment of the present invention, step S102, searching for the memory information of the target process, may specifically include:
traversing the /proc directory, which contains numerically named subdirectories, one per pid of the processes currently running on the system;
detecting whether a /proc/<pid>/maps file exists;
and if so, reading the memory information of the target process recorded in the /proc/<pid>/maps file.
That is, after a process starts, its memory loading information is recorded in the /proc/<pid>/maps file, and whether an executable file has been injected can be discovered by analysing that file.
Specifically, reading the memory information of the target process recorded in the /proc/<pid>/maps file may include:
finding the rows whose second column is rwxp or r-xp (x denotes executable) and whose last column is empty, denoted maps_a;
finding the rows whose second column is rwxp or r-xp (x denotes executable) and whose last column ends with a dynamic linker file name such as "ld-2.27.so", denoted maps_b.
That is, the second column shows that the region holds executable data, and the last column shows either nothing or a path ending in the dynamic linker file name, respectively.
Here "/lib/x86_64-linux-gnu/ld-2.27.so" is the location of the dynamic linker currently used by the system; the actual dynamic linker location can be obtained with the command ls -lh /lib64/ld-linux-x86-64.so.2.
The maps_a and maps_b rows are the memory information in which a dynamic linker may be present.
In a specific implementation of the method for detecting executable file injection provided by the embodiment of the present invention, step S103, detecting whether the memory information of the target process contains information of two or more dynamic linkers, may specifically include:
counting the lines of the memory information of the target process whose last column ends with the dynamic linker's file path, and detecting whether that count exceeds 1; that is, judging whether the number of maps_b rows found is more than 1;
if the count exceeds 1, determining that information of two or more dynamic linkers has been detected.
It should be noted that, if the trojan injection loaded the dynamic linker by file mapping, the last column shows a path ending in the dynamic linker file name, and the trojan injection can be determined at this point. After detecting the information of two or more dynamic linkers, the current detection is finished and the process returns to step S101 to start detecting the next process.
If the count is not more than 1, the memory intervals specified by all rows whose last column is empty in the memory information of the target process are searched for information of the .so dynamic library (the dynamic linker), so as to detect whether information of two or more dynamic linkers exists.
That is, if the number of maps_b rows found is not more than 1, the memory intervals specified by the maps_a rows must be searched for ld.so information, because if the trojan injection mapped the dynamic linker anonymously into memory, the last column shows empty.
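The maps_a / maps_b split and the step S103 count, as an added example that is not the patent's own code: it parses /proc/<pid>/maps text (constructed sample lines below, including the anonymous region address the description quotes) and returns whether the process is already flagged or still needs the anonymous-memory scan. The linker file-name patterns are an assumption generalising the two names the page cites (ld-2.27.so, ld-linux-x86-64.so.2).

```python
"""Classify /proc/<pid>/maps rows as the patent's steps S102/S103 describe."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Dynamic-linker file names seen on the page; assumption: other glibc builds
# follow the same naming (ld-2.NN.so or ld-linux-<arch>.so.2).
LD_PATH_PATTERNS = (
    re.compile(r"/ld-\d+\.\d+\.so$"),
    re.compile(r"/ld-linux-[\w.-]+\.so\.\d+$"),
)


@dataclass
class MapEntry:
    start: int
    end: int
    perms: str   # e.g. "r-xp"; the third character is the execute flag
    path: str    # "" when the last column is empty (anonymous mapping)


def parse_maps(text: str) -> List[MapEntry]:
    """Parse maps text: address range, perms, offset, dev, inode, optional path."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # blank or malformed line
        lo, hi = fields[0].split("-")
        path = fields[5].strip() if len(fields) == 6 else ""
        entries.append(MapEntry(int(lo, 16), int(hi, 16), fields[1], path))
    return entries


def is_executable(perms: str) -> bool:
    """True for the r-xp / rwxp rows the page selects (x bit set)."""
    return len(perms) >= 3 and perms[2] == "x"


def is_linker_path(path: str) -> bool:
    return any(p.search(path) for p in LD_PATH_PATTERNS)


def split_maps(entries: List[MapEntry]) -> Tuple[List[MapEntry], List[MapEntry]]:
    """maps_a: executable rows with an empty last column (anonymous memory).
    maps_b: executable rows whose path ends in a dynamic-linker file name."""
    maps_a = [e for e in entries if is_executable(e.perms) and e.path == ""]
    maps_b = [e for e in entries if is_executable(e.perms) and is_linker_path(e.path)]
    return maps_a, maps_b


def classify(text: str) -> str:
    """Step S103 decision for one process.

    "injected": more than one file-mapped linker row (maps_b count > 1);
    "scan_anonymous": at most one, but anonymous executable regions remain to
    be searched for linker code (the page's fallback over maps_a);
    "clean": nothing left to check.
    """
    maps_a, maps_b = split_maps(parse_maps(text))
    if len(maps_b) > 1:
        return "injected"
    if maps_a:
        return "scan_anonymous"
    return "clean"


# Constructed sample: a normal process with exactly one executable ld row.
CLEAN_MAPS = """\
5581a3c00000-5581a3c02000 r--p 00000000 08:01 1311   /usr/bin/sleep
5581a3c02000-5581a3c06000 r-xp 00002000 08:01 1311   /usr/bin/sleep
7f1c2a000000-7f1c2a1e7000 r-xp 00000000 08:01 2630   /lib/x86_64-linux-gnu/libc-2.27.so
7f1c2a5e8000-7f1c2a60f000 r-xp 00000000 08:01 2611   /lib/x86_64-linux-gnu/ld-2.27.so
7f1c2a80f000-7f1c2a810000 r--p 00027000 08:01 2611   /lib/x86_64-linux-gnu/ld-2.27.so
7f1c2a810000-7f1c2a811000 rw-p 00028000 08:01 2611   /lib/x86_64-linux-gnu/ld-2.27.so
7ffd3c1e0000-7ffd3c201000 rw-p 00000000 00:00 0      [stack]
"""

# Constructed sample: a second file-mapped ld row plus an anonymous rwxp
# region at the address range quoted in the description.
INJECTED_MAPS = CLEAN_MAPS + """\
7f1c2b000000-7f1c2b027000 r-xp 00000000 08:01 2611   /lib/x86_64-linux-gnu/ld-2.27.so
7fc2981c0000-7fc2981c2000 rwxp 00000000 00:00 0
"""

# Constructed sample: only the anonymous region, so the fallback scan applies.
ANON_ONLY_MAPS = CLEAN_MAPS + "7fc2981c0000-7fc2981c2000 rwxp 00000000 00:00 0\n"
```

Counting maps_b rows rather than distinct paths is deliberate: a second copy of the same ld.so file-mapped by the injector yields a second r-xp row with the same path, which is exactly the case the count catches.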
Further, in a specific implementation of the method for detecting executable file injection provided by the embodiment of the present invention, after searching for information of the .so dynamic library, the method may further include:
first, if the information of the .so dynamic library is found, reading the dynamic linker file (/lib64/ld-linux-x86-64.so.2) from disk, parsing the ELF file, and storing the loadable segment data that has execute permission in memory as a first variable, for example ld_flag_data. Specifically, reading the loadable segment data with execute permission into memory may include: judging, for each program header of the dynamic linker, whether it describes a PT_LOAD segment with the executable attribute; if yes, storing that loadable, executable segment data of the dynamic linker in memory. The pseudocode is as follows:
(Pseudocode given as figure BDA0003407298290000071 in the original; not reproduced in this text.)
then, reading the data of each row whose last column is empty in the memory information of the target process, and searching whether the buffer contains the data specified by the first variable; if the data specified by the first variable is included, determining that information of two or more dynamic linkers has been detected.
Specifically, the data of each maps_a row is read, for example the data in the memory address interval "7fc2981c0000-7fc2981c2000"; the process_vm_readv function can read the memory data of a specified process, and the pseudocode is as follows:
(Pseudocode given as figure BDA0003407298290000081 in the original; not reproduced in this text.)
The buffer is then searched for the data specified by the ld_flag_data variable. If it contains the data of ld_flag_data, the memory segment is a dynamic linker segment that was loaded illegitimately, so information of two or more dynamic linkers has been detected and the process is judged to have been injected with the trojan. When this detection finishes, the process returns to step S101 to start detecting the next process.
Finally, all processes are processed in a loop, and the detection result information is output after all processes have been detected.
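The ld_flag_data extraction and the buffer search described above, as an added example that is not the patent's code: it parses the ELF64 program headers, keeps the bytes of every PT_LOAD segment with PF_X set, and checks whether a region buffer contains them. The ELF image below is constructed (a stand-in for ld.so, not a real linker); read_remote_region wraps process_vm_readv, which the page names, via ctypes and is not exercised by the sample because it needs a live pid and ptrace permission.

```python
"""Extract the linker's executable PT_LOAD bytes and search a memory region for them."""
import ctypes
import struct
from typing import List

# Standard ELF64 little-endian layouts (x86-64).
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


def executable_load_segments(elf: bytes) -> List[bytes]:
    """File bytes of every PT_LOAD segment whose flags include PF_X.

    Applied to the dynamic linker read from disk, this is the page's
    'first variable' (ld_flag_data).
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("expected an ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_X:
            segments.append(elf[p_offset:p_offset + p_filesz])
    return segments


def region_contains_linker(region: bytes, signatures: List[bytes]) -> bool:
    """True if an anonymous executable region holds a copy of the linker's code.

    Code pages are normally copied unmodified (relocations land in data/GOT),
    so an exact substring match on the executable segment is what the page relies on.
    """
    return any(sig and sig in region for sig in signatures)


class _IoVec(ctypes.Structure):
    _fields_ = [("iov_base", ctypes.c_void_p), ("iov_len", ctypes.c_size_t)]


def read_remote_region(pid: int, start: int, end: int) -> bytes:
    """Read [start, end) of another process with process_vm_readv.

    Linux only; the caller needs ptrace access to the target (e.g. root).
    """
    libc = ctypes.CDLL(None, use_errno=True)
    fn = libc.process_vm_readv
    fn.restype = ctypes.c_ssize_t
    fn.argtypes = [ctypes.c_int, ctypes.POINTER(_IoVec), ctypes.c_ulong,
                   ctypes.POINTER(_IoVec), ctypes.c_ulong, ctypes.c_ulong]
    size = end - start
    buf = ctypes.create_string_buffer(size)
    local = _IoVec(ctypes.cast(buf, ctypes.c_void_p), size)
    remote = _IoVec(ctypes.c_void_p(start), size)
    n = fn(pid, ctypes.byref(local), 1, ctypes.byref(remote), 1, 0)
    if n < 0:
        raise OSError(ctypes.get_errno(), "process_vm_readv failed")
    return buf.raw[:n]


def build_sample_elf() -> bytes:
    """Constructed minimal ELF64 image: one R+X PT_LOAD and one R+W PT_LOAD."""
    text = b"LD-TEXT-SEGMENT!"          # constructed stand-in for linker code
    data = b"LD-DATA!"
    phoff, phnum = 64, 2
    text_off = phoff + phnum * 56       # 176
    data_off = text_off + len(text)     # 192
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, phoff, 0, 0,
                       64, 56, phnum, 0, 0, 0)
    ph_text = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_X, text_off,
                          0x1000, 0x1000, len(text), len(text), 0x1000)
    ph_data = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_W, data_off,
                          0x2000, 0x2000, len(data), len(data), 0x1000)
    return ehdr + ph_text + ph_data + text + data


def scan_region_bytes(region: bytes, linker_elf: bytes) -> bool:
    """End-to-end check for one maps_a region given the linker image from disk."""
    return region_contains_linker(region, executable_load_segments(linker_elf))
```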
Based on the same inventive concept, the embodiment of the present invention further provides an apparatus for detecting executable file injection. Because the principle by which the apparatus solves the problem is similar to that of the method for detecting executable file injection described above, the implementation of the apparatus can refer to the implementation of the method, and repeated details are omitted.
In a specific implementation, the apparatus for detecting executable file injection provided by the embodiment of the present invention, as shown in FIG. 2, specifically includes:
a memory information searching module 11, configured to search the memory information of the target process;
a dynamic linker detection module 12, configured to detect whether the memory information of the target process contains information of two or more dynamic linkers;
and a determining module 13, configured to determine that the target process is infected by a trojan injected as a dynamically linked executable file when the information of two or more dynamic linkers is detected.
In the apparatus for detecting executable file injection provided by the embodiment of the present invention, the interaction of the three modules scans the system's processes in real time and detects in real time whether a 'dynamically linked executable file' trojan has been injected into the memory of the target process.
For the more specific working processes of the modules, reference may be made to the corresponding content disclosed in the foregoing embodiments, and details are not repeated here.
Correspondingly, the embodiment of the invention also discloses a device for detecting executable file injection, which comprises a processor and a memory, wherein the processor implements the method for detecting executable file injection disclosed in the foregoing embodiments when executing the computer program stored in the memory.
For the more specific processes of the above method, reference may be made to the corresponding content disclosed in the foregoing embodiments, and details are not repeated here.
Further, the present invention also discloses a computer-readable storage medium for storing a computer program; the computer program, when executed by a processor, implements the method for detecting executable file injection disclosed above.
For the more specific processes of the above method, reference may be made to the corresponding content disclosed in the foregoing embodiments, and details are not repeated here.
The embodiments are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts can be referred to among them. Because the apparatus, the device and the storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is relatively brief, and the relevant points can be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
To sum up, the method for detecting executable file injection provided by the embodiment of the present invention includes: searching the memory information of the target process; detecting whether the memory information of the target process contains information of two or more dynamic linkers; when the information of two or more dynamic linkers is detected, determining that the target process is infected by a trojan injected as a dynamically linked executable file. The detection method can scan the system's processes in real time and detect immediately whether a 'dynamically linked executable file' trojan has been injected into the memory of the target process; it is specifically targeted at this class of trojan, needs no trojan signature data, and has wide adaptability and high detection efficiency. In addition, the invention also provides a corresponding apparatus, device and computer-readable storage medium for the method for detecting executable file injection, which gives the method greater practicability, and the apparatus, device and computer-readable storage medium have the corresponding advantages.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, the apparatus, the device and the storage medium for detecting executable file injection provided by the present invention are described in detail above, and a specific example is applied herein to illustrate the principle and implementation of the present invention; the description of the above embodiments is only intended to help understand the method and its core idea. Meanwhile, a person skilled in the art may vary the specific embodiments and the scope of application according to the idea of the present invention; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (10)

1. A method for detecting executable file injection, comprising:
searching the memory information of the target process;
detecting whether the memory information of the target process contains information of more than two dynamic linkers;
when the information of more than two dynamic linkers is detected, determining that the target process is infected by the Trojan horse virus injected by the executable file of the dynamic link.
2. The method according to claim 1, wherein the searching for the memory information of the target process comprises:
traversing/proc directory; the directory is internally provided with numerically named subdirectories as pids of the running process of the current system;
detecting whether a/proc/< pid >/maps file exists;
and if so, reading the memory information of the target process recorded in the/proc/< pid >/maps file.
3. The method for detecting executable file injection according to claim 2, wherein the detecting whether there are more than two pieces of information of dynamic linkers in the memory information of the target process comprises:
detecting whether the total line number corresponding to the information of the tail end of the dynamic link file path displayed in the last column in the memory information of the target process exceeds 1;
if the number exceeds 1, the information of more than two dynamic linkers is determined to be detected.
4. The method for detecting executable file injection of claim 3, further comprising:
if the number of the lines in the target process is not more than 1, searching all the specified memory intervals of all the lines which are displayed to be empty in the last column in the memory information of the target process, and searching whether the information of the so dynamic library exists or not to detect whether the information of more than two dynamic linkers exists or not.
5. The method for detecting executable file injection according to claim 4, wherein after said searching for the information of the .so dynamic library, the method further comprises:
if the information of the .so dynamic library is found, reading the file information of the dynamic linker from disk, parsing the ELF file, loading into memory the data of the loadable segment that has execute permission, and recording that data as a first variable;
reading each row of data whose last column is empty in the memory information of the target process, and searching whether the buffered memory contains the data specified by the first variable;
and if the data specified by the first variable is contained, determining that information of two or more dynamic linkers is detected.
6. The method for detecting executable file injection according to claim 5, wherein loading into memory the data of the loadable segment that has execute permission comprises:
judging whether the executable attribute of the dynamic linker belongs to the data of a PT_LOAD segment;
if yes, loading into memory the loadable segment data of the dynamic linker that has execute permission.
7. The method for detecting executable file injection of claim 6, further comprising:
processing all processes in a loop, and outputting detection result information after all processes have been detected.
8. An apparatus for detecting executable file injection, comprising:
the memory information searching module is used for searching the memory information of the target process;
the dynamic linker detection module is used for detecting whether the memory information of the target process contains information of two or more dynamic linkers;
and the determining module is used for determining that the target process is infected by a Trojan horse virus injected through executable file injection of the dynamic linker when the information of two or more dynamic linkers is detected.
9. An executable file injection detection device comprising a processor and a memory, wherein the processor implements the executable file injection detection method according to any one of claims 1 to 7 when executing a computer program stored in the memory.
10. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements a method for detecting executable file injection as claimed in any one of claims 1 to 7.
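The check of claims 2 to 4 run over two constructed /proc/<pid>/maps listings, as an added example that is not part of the patent or of the assignee's implementation. Paths, inodes and addresses are constructed; because one loader file normally occupies several maps lines (one per segment), the example counts distinct linker files by device and inode rather than raw lines, and it lists the anonymous executable regions that claim 4's fallback would scan.

```python
import re
from collections import namedtuple

# Constructed /proc/<pid>/maps listings (not taken from the patent). Each line is
# "start-end perms offset dev inode [pathname]"; anonymous mappings have no pathname.
CLEAN_MAPS = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 fd:01 1234 /usr/bin/sleep
7f3a1c000000-7f3a1c022000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c3f0000-7f3a1c3f1000 r--p 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f3a1c3f1000-7f3a1c418000 r-xp 00001000 fd:01 9012 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd0e000000-7ffd0e021000 rw-p 00000000 00:00 0 [stack]
"""
# Same process with a second copy of the loader mapped from a constructed unusual
# path, plus an anonymous executable region (the case claim 4 falls back to).
INJECTED_MAPS = CLEAN_MAPS + """\
7f3a1d000000-7f3a1d001000 r--p 00000000 fd:01 4321 /tmp/.cache/ld-linux-x86-64.so.2
7f3a1d001000-7f3a1d028000 r-xp 00001000 fd:01 4321 /tmp/.cache/ld-linux-x86-64.so.2
7f3a1e000000-7f3a1e010000 r-xp 00000000 00:00 0
"""

Mapping = namedtuple("Mapping", "start end perms dev inode path")
LINE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+(\S+)\s+(\d+)\s*(.*)$")
# Basenames of common dynamic linkers: ld-linux-*.so.*, ld-musl-*.so.*, ld-2.31.so, ld64.so.*
LINKER_RE = re.compile(r"^(ld(-[^/]*)?|ld64)\.so(\.\d+)?$")

def parse_maps(text):
    """Parse the text of a maps file into Mapping records (the read step of claim 2)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], m[4], int(m[5]), m[6].strip()))
    return rows

def distinct_linkers(maps):
    """Distinct dynamic linker files keyed by (dev, inode). One file normally spans
    several lines (one per segment), so count files rather than raw lines (claim 3)."""
    return {(m.dev, m.inode): m.path for m in maps if LINKER_RE.match(m.path.rsplit("/", 1)[-1])}

def anonymous_exec_regions(maps):
    """Executable mappings with an empty last column: the candidates claim 4 scans."""
    return [(m.start, m.end) for m in maps if m.path == "" and "x" in m.perms]

def check_process(text):
    """Verdict for one process: two or more distinct loaders mapped means injection."""
    maps = parse_maps(text)
    linkers = distinct_linkers(maps)
    return {"linkers": sorted(linkers.values()), "injected": len(linkers) >= 2,
            "anon_exec": anonymous_exec_regions(maps)}
```

On a live system the traversal of claim 2 amounts to reading /proc/<pid>/maps for every numerically named /proc entry and passing its contents to check_process; entries that disappear or deny access should be skipped, not reported.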
CN202111517612.4A 2021-12-13 2021-12-13 Executable file injection detection method, device, equipment and storage medium Pending CN114168958A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111517612.4A CN114168958A (en) 2021-12-13 2021-12-13 Executable file injection detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114168958A true CN114168958A (en) 2022-03-11

Family

ID=80485987

Country Status (1)

Country Link
CN (1) CN114168958A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination