CN114266037A - Sample detection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN114266037A
Authority: CN (China)
Prior art keywords: sample, processed, address, detection, detection environment
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202111546945.XA
Other languages: Chinese (zh)
Other versions: CN114266037B (en)
Inventors: 孙鹏, 肖新光
Current assignee: Beijing Antiy Network Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Antiy Network Technology Co Ltd
Events: application CN202111546945.XA filed by Beijing Antiy Network Technology Co Ltd; priority to CN202111546945.XA; publication of CN114266037A; application granted; publication of CN114266037B; legal status active; anticipated expiration

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a sample detection method, a sample detection apparatus, an electronic device and a storage medium. The method comprises the following steps: receiving a detection environment creation instruction and creating a detection environment process in the current operating system, the detection environment process being able to simulate the process environment of the current operating system; loading a sample to be processed into the detection environment process; controlling the sample to be processed to run inside the detection environment process; and acquiring target behavior data of the sample to be processed while it runs inside the detection environment. The addresses the sample to be processed calls while running are offset addresses derived from its actual call addresses. With this sample detection method the sample to be processed and the detection environment process share the same virtual address space, so no injection into the sample is needed and its behavior is hijacked directly; the sample can therefore be monitored and its data acquired even if it has anti-injection capabilities.

Description

Sample detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of executable program detection, and in particular, to a method and an apparatus for detecting a sample, an electronic device, and a storage medium.
Background
A large number of viruses exist in today's networks, and some of them, in order to evade detection, analysis and reverse engineering, take countermeasures such as anti-injection, anti-debugging and anti-hooking. Existing virus detection sandboxes, such as Cuckoo abroad and the sandboxes of other domestic brands, usually start the sample as an independent process, inject a monitoring module into the sample process by remote thread injection (CreateRemoteThread), decide the rules for dangerous behavior in another independent process, set up a communication mechanism between the two such as a pipe or a network (TCP/IP) connection, and then hook system calls through the module injected into the sample in order to output the sample's behavior.
However, when the sample itself carries anti-injection measures (for example, hooking CreateRemoteThread globally), anti-debugging checks of various kinds (for example, inspecting the PEB for signs of a debugging environment), or anti-hooking checks that examine the bytes of a function for an inline hook (InlineHook) or use ROP, the existing sandboxes become ineffective.
Disclosure of Invention
In view of the above, the present invention provides a sample detection method, apparatus, electronic device and storage medium, which at least partially solve the problems in the prior art.
According to an aspect of the present application, there is provided a sample detection method including:
receiving a detection environment establishing instruction, and establishing a detection environment process in a current operating system; the detection environment process can simulate the process environment of the current operating system;
loading a sample to be processed into the detection environment process;
controlling the sample to be processed to run in the detection environment process;
acquiring target behavior data of the sample to be processed while it runs inside the detection environment;
wherein the addresses called by the sample to be processed while running are offset addresses derived from the actual call addresses.
In an exemplary embodiment of the present application, controlling the sample to be processed to run in the detection environment process comprises:
receiving a run instruction for the sample to be processed;
in response to the run instruction, modifying the run-register address held in the run pointer of the sample to be processed to a detection register address, the detection register address corresponding to the detection environment process;
and controlling the sample to be processed to start running.
In an exemplary embodiment of the present application, after the sample to be processed is controlled to run in the detection environment process, the method further comprises:
acquiring an environment variable acquisition instruction sent by the sample to be processed, and sending the sample thread environment variables and sample process environment variables corresponding to the detection environment process to the sample to be processed.
In an exemplary embodiment of the present application, after the sample to be processed is loaded into the detection environment process, the method further comprises:
acquiring the relocation table, import table and export table of the sample to be processed;
obtaining offset addresses from the actual call addresses in the relocation table, import table and export table and the memory address of the detection environment process;
and modifying the actual call addresses in the relocation table, import table and export table according to the offset addresses.
In an exemplary embodiment of the present application, after the sample to be processed is controlled to run in the detection environment process, the method further comprises:
acquiring a function call instruction of the sample to be processed;
obtaining an offset address from the actual call address corresponding to the function call instruction and the memory address of the detection environment process;
modifying the function call instruction according to the offset address to obtain a modified function call instruction;
and sending the modified function call instruction to the CPU.
In an exemplary embodiment of the present application, acquiring the target behavior data of the sample to be processed while it runs in the detection environment comprises:
acquiring monitoring configuration information;
monitoring the running of the sample to be processed according to the monitoring configuration information;
and setting the called function of each behavior that matches the monitoring configuration information, during the running of the sample to be processed, to a monitoring function, so as to obtain the target behavior data.
In an exemplary embodiment of the present application, the detection environment process runs at an application layer of the current operating system.
According to an aspect of the present application, there is provided a sample detection apparatus comprising:
the establishing module is used for receiving a detection environment establishing instruction and establishing a detection environment process in the current operating system; the detection environment process can simulate the process environment of the current operating system;
the loading module is used for loading a sample to be processed into the detection environment process;
the operation module is used for controlling the sample to be processed to operate in the detection environment process;
the acquisition module is used for acquiring target behavior data of the sample to be processed while it runs in the detection environment;
wherein the addresses called by the sample to be processed while running are offset addresses derived from the actual call addresses.
According to one aspect of the present application, there is provided an electronic device comprising a processor and a memory;
the processor is configured to perform the steps of any of the above methods by calling a program or instructions stored in the memory.
According to an aspect of the application, there is provided a computer-readable storage medium storing a program or instructions for causing a computer to perform the steps of any of the methods described above.
The application provides a sample detection method that creates a detection environment process in the current operating system. To detect a sample to be processed (that is, an executable program that may be a virus), the sample is loaded into the detection environment process. When the sample runs there, the detection environment process simulates the environment of the current operating system, so the sample behaves as if it were running in the current operating system itself. Because the sample and the detection environment process share the same virtual address space, the detection environment process directly hijacks the sample's calls to system functions, and so can monitor the sample and acquire its target behavior data. The method performs no injection into the sample; its behavior is hijacked directly, so the sample can be monitored and data obtained even if it has anti-injection capabilities.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a sample detection method provided in this embodiment.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, based on the embodiments in the present application, all other embodiments obtained by a person of ordinary skill in the art without any creative effort belong to the protection scope of the present application.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present application, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
As shown in fig. 1, the present embodiment provides a sample detection method, which includes the following steps:
step S100, receiving a detection environment establishment instruction, and establishing a detection environment process in a current operating system; the detection environment process can simulate the process environment of the current operating system;
step S200, loading a sample to be processed into the detection environment process;
step S300, controlling the sample to be processed to run in the detection environment process;
step S400, acquiring target behavior data of the sample to be processed while it runs in the detection environment;
wherein the addresses called by the sample to be processed while running are offset addresses derived from the actual call addresses.
In this embodiment, the to-be-processed sample refers to an executable program that needs to be detected.
The detection environment creation instruction may take the form of a user clicking a create button or double-clicking the corresponding program on the operating interface; any action that triggers the creation of the detection environment will do.
After the detection environment creation instruction is received, memory resources are selected according to the environment of the current operating system and the detection environment process is created. The detection environment process takes over at least part of the functionality of the current operating system and simulates its process environment, so that a sample to be processed running inside it can still be regarded as running directly in the current operating system.
Loading the sample to be processed into the detection environment process may be done by the user adding the sample through an add function, or by dragging the file corresponding to the sample to the corresponding position.
In this embodiment, the addresses called by the sample to be processed while running are modified into offset addresses derived from the actual call addresses. The sample's actual function-call behavior is thereby brought into a controllable state, and the corresponding hijacking is completed through the choice of offset address. For example, when the sample calls a function, the offset address is pointed at the entry address of the monitoring function for that sample, so the sample still believes it has called the corresponding function normally and does not know that it is actually being monitored.
The sample detection method provided by this embodiment creates a detection environment process in the current operating system. To detect a sample to be processed (that is, an executable program that may be a virus), the sample is loaded into the detection environment process. When the sample runs there, the detection environment process simulates the environment of the current operating system, so the sample behaves as if it were running in the current operating system itself. Because the sample and the detection environment process share the same virtual address space, the detection environment process directly hijacks the sample's calls to system functions, and so can monitor the sample and acquire its target behavior data. No injection into the sample is performed; its behavior is hijacked directly, so the sample can be monitored and data obtained even if it has anti-injection capabilities.
In this embodiment the detection environment process runs in the application layer of the current operating system. Compared with creating a virtual machine in the operating system and running the sample inside it, this embodiment creates the detection environment process directly in the current operating system and runs it in the application layer. The detection environment process therefore only has to simulate the environment; it does not have to emulate a CPU, a GPU, a working environment and the other components and functions a virtual machine must provide, so it is very small compared with a virtual machine. It can also call the real CPU directly: on one hand this gives fast response, and on the other hand, because the real CPU is used, the sample is unlikely to discover that it is not running directly in the current operating system, which greatly strengthens the deception of the sample and raises the detection success rate. The flip side of sharing one address space is that the sample has the same read and write access to the detection environment process's memory as to its own, so the monitoring functions and the rewritten tables must be protected against a sample that scans or patches its own process.
In an exemplary embodiment of the present application, step S300 specifically includes the following steps:
step S310, receiving a sample operation instruction to be processed.
Step S320, in response to the run instruction, modifying the run-register address held in the run pointer of the sample to be processed to a detection register address, the detection register address corresponding to the detection environment process;
and step S330, controlling the sample to be processed to start running.
When a run instruction for the sample is received and the sample is run directly in the current operating system, the sample produces a run pointer that points to a run-register address in memory, so that the sample executes at the memory address it originally expected. In this embodiment, so that the sample runs inside the detection environment process instead, the run-register address that the run pointer refers to is modified to the detection register address, which corresponds to the base address of the detection environment process. All of the sample's behavior is thereby placed under the control of the detection environment process without injecting anything into the sample.
In an exemplary embodiment of the present application, after step S300, the method further includes:
step S340, acquiring an environment variable acquisition instruction sent by the sample to be processed, and sending the sample thread environment variables and sample process environment variables corresponding to the detection environment process to the sample to be processed.
When an ordinary executable program runs, it obtains the environment variables of the current operating system in order to run normally. In this embodiment the sample runs inside the detection environment process, so, to prevent the sample from discovering that it is not running in the current operating system, the sample thread environment variables and sample process environment variables corresponding to the detection environment process (in Windows terms, what a program reads from its thread environment block and process environment block) are sent to the sample, and the sample runs according to them. In this embodiment these sample thread and process environment variables are computed from the thread environment variables and process environment variables of the current operating system; this is how the detection environment process simulates the current operating system's environment.
During the running of the sample to be processed, many of its behaviors involve calls carried out by the CPU, and the author of the program determines the corresponding call address according to what is actually to be done, in order to implement the corresponding function. In this embodiment the sample runs in the detection environment process, which monitors its behavior and acquires target behavior data. The addresses called by the sample while running are modified into offset addresses derived from the actual call addresses. The modification is done differently for the sample's static calls and for its dynamic calls, as follows:
In an exemplary embodiment of the present application, after the sample to be processed is loaded into the detection environment process, the method further comprises:
acquiring the relocation table, import table and export table of the sample to be processed;
obtaining offset addresses from the actual call addresses in the relocation table, import table and export table and the memory address of the detection environment process;
and modifying the actual call addresses in the relocation table, import table and export table according to the offset addresses.
A static call of an ordinary executable program means that each call selects its call address from the relocation table, import table and export table in the program's structure. When the program is loaded into memory to be run in the operating system, these tables must be processed during loading so that actual call addresses suitable for the operating system's run environment are obtained.
Since in this embodiment the sample runs inside the detection environment process, the base memory address at which it actually runs has shifted. If subsequent calls used the actual call addresses set by the program's author, the sample's behavior would escape the control of the detection environment process, or the calls would simply fail and crash the program. In this embodiment the detection environment process therefore takes over the processing of the relocation table, import table and export table (the work the system loader normally does), so that the call addresses obtained after processing are offset addresses adapted to the detection environment process, and every call made by the sample stays under its control.
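As an added worked example (not code from the patent or from Antiy), the following C program shows the static-call fixup described above, together with the entry-point rebasing of step S320: the image is copied into the host (detection environment) process at a base other than the one its headers asked for, and every absolute address recorded in the relocation table is shifted by the same delta, which is exactly the relationship between the sample's actual call addresses and the offset addresses valid in the detection environment process. The `reloc_block_t` layout follows the PE base relocation format (page RVA, block size in bytes, then 16-bit entries with a 4-bit type and a 12-bit page offset); the four-page image, its two pointers and its single relocation block are constructed for the demo, so the program runs without Windows headers. A malformed `.reloc` section is rejected rather than followed, because the table comes from the untrusted sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Base relocation block header, laid out like IMAGE_BASE_RELOCATION: the RVA of
 * the page the block covers, the block size in bytes (header included), then
 * 16-bit entries whose top 4 bits are the fixup type and low 12 bits the offset. */
typedef struct {
    uint32_t VirtualAddress;
    uint32_t SizeOfBlock;
} reloc_block_t;

#define REL_BASED_ABSOLUTE 0   /* padding entry, no fixup */
#define REL_BASED_HIGHLOW  3   /* 32-bit absolute address */
#define REL_BASED_DIR64    10  /* 64-bit absolute address */

/* Rebase an image that the detection environment process copied to `image` at
 * `actual_base` although its headers asked for `preferred_base`. Every fixup
 * target holds an absolute address computed for the preferred base; adding the
 * delta turns it into the offset address valid inside the host process.
 * Returns the number of fixups applied, or -1 if the .reloc data is malformed. */
long apply_relocations(uint8_t *image, size_t image_size,
                       uint64_t preferred_base, uint64_t actual_base,
                       uint32_t reloc_rva, uint32_t reloc_size)
{
    uint64_t delta = actual_base - preferred_base;      /* two's complement handles a move down */
    if (delta == 0) return 0;                           /* loaded where it wanted to be */
    if (reloc_rva > image_size || reloc_size > image_size - reloc_rva) return -1;

    uint32_t pos = reloc_rva, end = reloc_rva + reloc_size;
    long applied = 0;
    while (pos + sizeof(reloc_block_t) <= end) {
        reloc_block_t blk;
        memcpy(&blk, image + pos, sizeof blk);
        /* A zero or oversized SizeOfBlock would loop forever or read past the image */
        if (blk.SizeOfBlock < sizeof blk || blk.SizeOfBlock > end - pos) return -1;
        uint32_t nentries = (blk.SizeOfBlock - sizeof blk) / sizeof(uint16_t);
        const uint8_t *entries = image + pos + sizeof blk;
        for (uint32_t i = 0; i < nentries; i++) {
            uint16_t e;
            memcpy(&e, entries + i * sizeof(uint16_t), sizeof e);
            uint16_t type = e >> 12;
            uint32_t target = blk.VirtualAddress + (e & 0xFFF);
            if (type == REL_BASED_ABSOLUTE) continue;
            if (type == REL_BASED_HIGHLOW) {
                uint32_t v;
                if (target > image_size - sizeof v) return -1;
                memcpy(&v, image + target, sizeof v);
                v += (uint32_t)delta;
                memcpy(image + target, &v, sizeof v);
            } else if (type == REL_BASED_DIR64) {
                uint64_t v;
                if (target > image_size - sizeof v) return -1;
                memcpy(&v, image + target, sizeof v);
                v += delta;
                memcpy(image + target, &v, sizeof v);
            } else {
                return -1;                              /* a type this loader does not handle */
            }
            applied++;
        }
        pos += blk.SizeOfBlock;
    }
    return applied;
}

/* Step S320 in the same terms: the sample's start address inside the host process. */
uint64_t resolved_entry(uint64_t actual_base, uint32_t entry_rva)
{
    return actual_base + entry_rva;
}

/* ---- Constructed demo image (not a real PE file): four pages, a 64-bit and a
 * 32-bit absolute pointer in page 0x1000, one .reloc block at RVA 0x3000. ---- */
#define DEMO_IMAGE_SIZE 0x4000
#define DEMO_RELOC_RVA  0x3000
#define DEMO_RELOC_SIZE (sizeof(reloc_block_t) + 2 * sizeof(uint16_t))
static uint8_t g_image[DEMO_IMAGE_SIZE];

static void build_demo_image(uint64_t preferred_base)
{
    memset(g_image, 0, sizeof g_image);
    uint64_t p64 = preferred_base + 0x2000;             /* e.g. a function pointer into .text */
    uint32_t p32 = (uint32_t)(preferred_base + 0x2010); /* e.g. a 32-bit data pointer */
    memcpy(g_image + 0x1000, &p64, sizeof p64);
    memcpy(g_image + 0x1008, &p32, sizeof p32);
    reloc_block_t blk = { 0x1000, (uint32_t)DEMO_RELOC_SIZE };
    uint16_t ents[2] = { (REL_BASED_DIR64 << 12) | 0x000, (REL_BASED_HIGHLOW << 12) | 0x008 };
    memcpy(g_image + DEMO_RELOC_RVA, &blk, sizeof blk);
    memcpy(g_image + DEMO_RELOC_RVA + sizeof blk, ents, sizeof ents);
}

/* Rebase the demo image and return the rewritten 64-bit pointer (0 on failure). */
uint64_t demo_relocated_ptr64(uint64_t preferred_base, uint64_t actual_base)
{
    build_demo_image(preferred_base);
    if (apply_relocations(g_image, DEMO_IMAGE_SIZE, preferred_base, actual_base,
                          DEMO_RELOC_RVA, (uint32_t)DEMO_RELOC_SIZE) != 2) return 0;
    uint64_t v; memcpy(&v, g_image + 0x1000, sizeof v); return v;
}

/* Same for the 32-bit pointer. */
uint32_t demo_relocated_ptr32(uint64_t preferred_base, uint64_t actual_base)
{
    build_demo_image(preferred_base);
    if (apply_relocations(g_image, DEMO_IMAGE_SIZE, preferred_base, actual_base,
                          DEMO_RELOC_RVA, (uint32_t)DEMO_RELOC_SIZE) != 2) return 0;
    uint32_t v; memcpy(&v, g_image + 0x1008, sizeof v); return v;
}

int main(void)
{
    printf("ptr64 after rebasing 0x400000 -> 0x10000000: 0x%llx\n",
           (unsigned long long)demo_relocated_ptr64(0x400000, 0x10000000));
    return 0;
}
```

The same delta that moves the pointers moves the entry point, which is why the patent can describe the rebased start address as a register value that "corresponds to the base address of the detection environment process". Import and export table entries are absolute addresses too and are fixed the same way; what differs for imports is that the value written is resolved from the host process's modules rather than shifted, which the later example covers.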
In an exemplary embodiment of the present application, after the sample to be processed is controlled to run in the detection environment process, the method further comprises:
acquiring a function call instruction of the sample to be processed;
obtaining an offset address from the actual call address corresponding to the function call instruction and the memory address of the detection environment process;
modifying the function call instruction according to the offset address to obtain a modified function call instruction;
and sending the modified function call instruction to the CPU.
A dynamic call of an ordinary executable program means that, when a call is to be executed, a call request (that is, a function call instruction) is issued to the CPU, and the CPU performs the call (register operations and so on) according to the actual call address corresponding to the request, thereby carrying out the corresponding function or action.
Since in this embodiment the sample runs inside the detection environment process, the base memory address at which it actually runs has shifted. If subsequent calls used the actual call addresses set by the program's author, the sample's behavior would escape the control of the detection environment process, or the calls would simply fail and crash the program. In this embodiment the detection environment process receives the function call instruction before the CPU does, modifies it according to the offset address, and sends the modified function call instruction to the CPU, so that the CPU calls the modified address and all of the sample's call operations remain under the control of the detection environment process.
A specific implementation is for the detection environment process to call GetProcAddress and resolve the sample's imports, through the sample's import table, into the detection environment process, which achieves dynamic loading of the sample in the detection environment.
GetProcAddress is the Windows API function that retrieves the address of an exported function in a DLL.
In an exemplary embodiment of the present application, step S400 includes:
step S410, acquiring monitoring configuration information;
step S420, monitoring the running of the sample to be processed according to the monitoring configuration information;
step S430, setting the called function of each behavior that matches the monitoring configuration information, during the running of the sample to be processed, to a monitoring function, so as to obtain the target behavior data.
The monitoring configuration information may be obtained by the user configuring the detection environment process directly, or by the user configuring a detection module inside the detection environment process.
While the sample to be processed runs, the detection environment process or the detection module screens the sample's behavior according to the monitoring configuration information and changes the called function of every behavior that matches the configuration so that the behavior enters a monitoring function. The monitoring function observes the sample's behavior at that moment and records its actions, which yields the target behavior data.
A specific implementation is as follows: if an import table entry or export table entry (which can be understood as an actual call address) matches the detection configuration of the detection module, the sample's behavior is treated as suspicious and the hijacking mechanism is started. The hijacking mechanism sets the system function called by the sample to the corresponding monitoring function, and this monitoring function is used to obtain the sample's behavior data.
From the acquired behavior data, the user can carry out behavior analysis according to analysis rules and determine whether the sample is a virus, the extent of the harm, the type of harm, and so on.
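As an added example (not the patent's or Antiy's code) that covers both the dynamic-call resolution through GetProcAddress described above and the hijacking mechanism of steps S410 to S430, the following C program resolves a constructed sample's imports inside the host process and, for each import that matches the monitoring configuration, writes the address of a monitoring function into the import address table slot instead of the real export. The monitoring function records the call and forwards it to the saved original, so the sample gets the result it expects. The export table, the three API stand-ins, the sample and its arguments are all constructed for the demo and are not Windows functions; on Windows the lookup would be GetProcAddress against the real module and the slots would be the thunks of the sample's import descriptors, with each hook matching the real API's prototype and calling convention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Every import in this demo has one shape so it can sit in one IAT slot; a real
 * hook must match the hooked API's exact prototype and calling convention. */
typedef long (*api_fn)(const char *arg);

/* ---- Stand-ins for a system DLL's exports (constructed, not the Windows APIs) ---- */
static long real_CreateFileA(const char *path)   { return 0x100 + (long)strlen(path); } /* fake handle */
static long real_RegSetValueA(const char *key)   { (void)key; return 0; }               /* "success" */
static long real_GetTickCount(const char *unused){ (void)unused; return 12345; }

struct export_entry { const char *name; api_fn fn; };
static const struct export_entry g_exports[] = {
    { "CreateFileA",  real_CreateFileA  },
    { "RegSetValueA", real_RegSetValueA },
    { "GetTickCount", real_GetTickCount },
};

/* Stand-in for GetProcAddress: look a name up in the export table. */
static api_fn find_export(const char *name)
{
    for (size_t i = 0; i < sizeof g_exports / sizeof g_exports[0]; i++)
        if (strcmp(g_exports[i].name, name) == 0) return g_exports[i].fn;
    return NULL;
}

/* ---- Target behavior data collected by the monitoring functions ---- */
#define LOG_MAX  16
#define LOG_LINE 96
static char g_log[LOG_MAX][LOG_LINE];
static int  g_log_count;

static void record(const char *api, const char *arg)
{
    if (g_log_count < LOG_MAX)
        snprintf(g_log[g_log_count++], LOG_LINE, "%s(%s)", api, arg ? arg : "NULL");
}

/* Monitoring functions: record the call, then forward to the saved original so
 * the sample receives the result it expects and does not notice the detour. */
static api_fn g_real_CreateFileA, g_real_RegSetValueA;
static long mon_CreateFileA(const char *path) { record("CreateFileA", path); return g_real_CreateFileA(path); }
static long mon_RegSetValueA(const char *key) { record("RegSetValueA", key); return g_real_RegSetValueA(key); }

/* Monitoring configuration: which imports are behaviors of interest and what to
 * swap in for them. GetTickCount is deliberately absent and stays unhooked. */
struct hook_entry { const char *name; api_fn hook; api_fn *real_slot; };
static const struct hook_entry g_monitor_config[] = {
    { "CreateFileA",  mon_CreateFileA,  &g_real_CreateFileA  },
    { "RegSetValueA", mon_RegSetValueA, &g_real_RegSetValueA },
};

/* Fill the sample's import address table inside the host process. Slots whose
 * name matches the monitoring configuration get the monitoring function instead
 * of the real address. Returns the number of hooked slots, -1 on an unresolved import. */
int resolve_imports(const char *const *names, size_t n, api_fn *iat)
{
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        api_fn real = find_export(names[i]);
        if (!real) return -1;
        iat[i] = real;
        for (size_t h = 0; h < sizeof g_monitor_config / sizeof g_monitor_config[0]; h++) {
            if (strcmp(g_monitor_config[h].name, names[i]) == 0) {
                *g_monitor_config[h].real_slot = real;  /* keep the original for forwarding */
                iat[i] = g_monitor_config[h].hook;      /* redirect the slot */
                hooked++;
            }
        }
    }
    return hooked;
}

/* Constructed "sample": mimics compiled code, which calls imports indirectly
 * through its IAT slots and never sees who is on the other end. */
static long sample_main(api_fn *iat)
{
    long h = iat[0]("C:\\Users\\victim\\secret.txt");                       /* CreateFileA  */
    iat[1]("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run");        /* RegSetValueA */
    return h + iat[2](NULL);                                                  /* GetTickCount */
}

/* Resolve the sample's imports in-process and run it; returns the sample's own
 * result (unchanged by the monitoring) or -1 if resolution failed. */
long demo_run_sample(void)
{
    static const char *const imports[] = { "CreateFileA", "RegSetValueA", "GetTickCount" };
    api_fn iat[3];
    g_log_count = 0;
    if (resolve_imports(imports, 3, iat) != 2) return -1;
    return sample_main(iat);
}

int demo_log_count(void) { return g_log_count; }
const char *demo_log_line(int i) { return (i >= 0 && i < g_log_count) ? g_log[i] : ""; }

int main(void)
{
    long r = demo_run_sample();
    printf("sample returned %ld; %d behaviors recorded\n", r, demo_log_count());
    for (int i = 0; i < demo_log_count(); i++) printf("  %s\n", demo_log_line(i));
    return 0;
}
```

Nothing is written into the exported function itself, so a sample that checks the first bytes of the API for an inline hook, or that hooks CreateRemoteThread to block injection, sees nothing unusual: only the slot in its own import table points elsewhere. The limit of this table-based hijack is a sample that resolves addresses itself by walking the loaded-module list instead of going through its import table; that is the dynamic-call case the patent handles separately by intercepting the call instruction before it reaches the CPU.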
According to an aspect of the present application, there is provided a sample detection apparatus comprising:
the establishing module is used for receiving a detection environment establishing instruction and establishing a detection environment process in the current operating system; the detection environment process can simulate the process environment of the current operating system;
the loading module is used for loading a sample to be processed into the detection environment process;
the operation module is used for controlling the sample to be processed to operate in the detection environment process;
the acquisition module is used for acquiring target behavior data of the sample to be processed while it runs in the detection environment;
wherein the addresses called by the sample to be processed while running are offset addresses derived from the actual call addresses.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit", "module" or "system".
An electronic device according to this embodiment of the invention is described below. The electronic device is only an example and should not limit the function or scope of use of the embodiments of the present invention in any way.
The electronic device is in the form of a general purpose computing device. Components of the electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components (including the memory and the processor).
Wherein the storage stores program code executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the present invention as described in the "exemplary methods" section above.
The memory may include readable media in the form of volatile memory, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The bus may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. Also, the electronic device may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via a network adapter. As shown, the network adapter communicates with other modules of the electronic device over a bus. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided and embodied by a plurality of modules or units.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for detecting a sample, comprising:
receiving a detection environment establishing instruction, and establishing a detection environment process in a current operating system; the detection environment process can simulate the process environment of the current operating system;
loading a sample to be processed into the detection environment process;
controlling the sample to be processed to run in the detection environment process;
acquiring target behavior data of the sample to be processed while it runs inside the detection environment;
and the address called by the sample to be processed in the running process is an offset address processed according to the actual calling address.
2. The method for testing samples according to claim 1, wherein the controlling the sample to be processed to run in the testing environment process comprises:
receiving a sample operation instruction to be processed;
in response to the acquisition of the operation instruction, modifying an operation register address in an operation pointer of the sample to be processed into a detection register address, wherein the detection register address has a corresponding relation with the detection environment process;
and controlling the sample to be processed to start running.
3. The method for testing samples according to claim 1, wherein after the controlling the sample to be processed to run within the testing environment process, the method further comprises:
and acquiring an environment variable acquisition instruction sent by the sample to be processed, and sending the sample thread environment variable and the sample process environment variable corresponding to the detection environment process to the sample to be processed.
4. The method for testing samples according to claim 1, wherein after said loading of the sample to be processed into the testing environment process, the method further comprises:
acquiring a relocation table, an import table and an export table in the sample to be processed;
obtaining an offset address according to the actual call address in the relocation table, the import table and the export table and the memory address of the detection environment process;
and modifying the actual call address in the relocation table, the import table and the export table according to the offset address.
5. The method for testing samples according to claim 1, wherein after the controlling the sample to be processed to run within the testing environment process, the method further comprises:
acquiring a function calling instruction of the sample to be processed;
obtaining an offset address according to an actual calling address corresponding to the function calling instruction and the memory address of the detection environment process;
modifying the function call instruction according to the offset address to obtain a modified function call instruction;
and sending the modified function calling instruction to the CPU.
6. The method for detecting the sample according to claim 1, wherein the acquiring the target behavior data of the sample to be processed when the sample to be processed runs in the detection environment comprises:
acquiring monitoring configuration information;
monitoring the running of the sample to be processed according to the monitoring configuration information;
and setting a calling function corresponding to the behavior corresponding to the monitoring configuration information in the running process of the sample to be processed as a monitoring function so as to obtain the target behavior data.
7. The sample detection method as claimed in claim 1, wherein the detection environment process runs at an application layer of the current operating system.
8. A sample testing device, comprising:
the establishing module is used for receiving a detection environment establishing instruction and establishing a detection environment process in the current operating system; the detection environment process can simulate the process environment of the current operating system;
the loading module is used for loading a sample to be processed into the detection environment process;
the operation module is used for controlling the sample to be processed to operate in the detection environment process;
the acquisition module is used for acquiring target behavior data of the sample to be processed while it runs inside the detection environment;
and the address called by the sample to be processed in the running process is an offset address processed according to the actual calling address.
9. An electronic device comprising a processor and a memory;
the processor is adapted to perform the steps of the method of any one of claims 1 to 7 by calling a program or instructions stored in the memory.
10. A computer-readable storage medium, characterized in that it stores a program or instructions for causing a computer to carry out the steps of the method according to any one of claims 1 to 7.
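The loading and monitoring steps of claims 4 and 6 (computing an offset from the detection environment process's memory address, rewriting the relocation and import tables by that offset, and routing the calls named in the monitoring configuration through a monitoring function that records target behavior data), shown as an added Python example that is not the patent's own code. The toy image layout, the relocation and import tables, the export table with fake addresses, the `DetectionEnvironment` class and the `run_sample` driver are all constructed for illustration; a real loader would parse the sample's PE headers, and this model stands in for that.

```python
import struct

# Constructed toy sample image (not a real PE): the sample was "linked" for
# PREFERRED_BASE and carries two absolute pointers plus three import slots.
PREFERRED_BASE = 0x00400000
RELOC_RVAS = [0x00, 0x08]                                                   # toy relocation table
IMPORT_SLOTS = {"CreateFileW": 0x10, "WriteFile": 0x18, "GetTickCount": 0x20}  # toy import table
WORD = struct.Struct("<Q")

def build_toy_image() -> bytearray:
    img = bytearray(0x40)
    WORD.pack_into(img, 0x00, PREFERRED_BASE + 0x1000)   # absolute pointer into code
    WORD.pack_into(img, 0x08, PREFERRED_BASE + 0x2000)   # absolute pointer into data
    return img

def read_word(img: bytearray, rva: int) -> int:
    return WORD.unpack_from(img, rva)[0]

# Claim 4: offset = memory address of the detection environment process minus
# the base the sample was linked for; every relocation entry is rewritten by it.
def rebase_image(img: bytearray, preferred_base: int, actual_base: int, reloc_rvas) -> int:
    delta = actual_base - preferred_base
    for rva in reloc_rvas:
        WORD.pack_into(img, rva, (read_word(img, rva) + delta) & (2**64 - 1))
    return delta


class DetectionEnvironment:
    """Stand-in for the detection environment process: owns the export table the
    sample resolves against and the monitoring configuration (claim 6)."""

    def __init__(self, base: int, exports: dict, monitored: set):
        self.base = base
        self.exports = exports            # name -> (fake address, callable standing in for the API)
        self.monitored = monitored        # monitoring configuration information
        self.dispatch = {addr: fn for addr, fn in exports.values()}
        self.behavior_log = []            # target behavior data collected during the run

    def _make_monitor(self, name, real_fn):
        def monitor(*args):
            self.behavior_log.append((name, args))   # record the call, then forward it
            return real_fn(*args)
        return monitor

    def resolve_imports(self, img: bytearray, import_slots: dict) -> None:
        """Fill each import slot; names in the monitoring configuration get a
        monitoring function instead of the real export address."""
        for i, (name, rva) in enumerate(import_slots.items()):
            addr, real_fn = self.exports[name]
            if name in self.monitored:
                addr = self.base + 0x100 + i * 0x10   # constructed address of the monitor stub
                self.dispatch[addr] = self._make_monitor(name, real_fn)
            WORD.pack_into(img, rva, addr)

    def call_import(self, img: bytearray, rva: int, *args):
        """Simulate the sample calling through one of its import slots."""
        return self.dispatch[read_word(img, rva)](*args)


def run_sample():
    """Load the toy sample into the detection environment and exercise it."""
    env = DetectionEnvironment(
        base=0x10000000,
        exports={                                    # constructed export table
            "CreateFileW":  (0x7FF800001000, lambda path: 0x1234),
            "WriteFile":    (0x7FF800001020, lambda handle, data: len(data)),
            "GetTickCount": (0x7FF800001040, lambda: 1000),
        },
        monitored={"CreateFileW", "WriteFile"},
    )
    img = build_toy_image()
    delta = rebase_image(img, PREFERRED_BASE, env.base, RELOC_RVAS)
    env.resolve_imports(img, IMPORT_SLOTS)
    # The sample "runs": opens a file, writes to it, reads the clock.
    h = env.call_import(img, IMPORT_SLOTS["CreateFileW"], "C:\\Temp\\drop.bin")
    env.call_import(img, IMPORT_SLOTS["WriteFile"], h, b"payload")
    env.call_import(img, IMPORT_SLOTS["GetTickCount"])
    return delta, img, env.behavior_log

if __name__ == "__main__":
    delta, img, log = run_sample()
    print(hex(delta), [hex(read_word(img, r)) for r in RELOC_RVAS], log)
```

Only the two monitored imports appear in the behavior log; the unmonitored call resolves to the plain export address and leaves no record, which is the selective hooking claim 6 describes. Because the sample and the monitor share one address space, no cross-process injection is needed to place the monitoring function, which is the point the abstract makes about anti-injection samples.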

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111546945.XA CN114266037B (en) 2021-12-16 2021-12-16 Sample detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114266037A true CN114266037A (en) 2022-04-01
CN114266037B CN114266037B (en) 2024-05-17

Family

ID=80827633

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111546945.XA Active CN114266037B (en) 2021-12-16 2021-12-16 Sample detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114266037B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105677550A (en) * 2015-12-29 2016-06-15 Guangzhou Huaduo Network Technology Co., Ltd. Performance acquisition-analysis method, device and system based on Linux system
US20170206357A1 (en) * 2014-11-17 2017-07-20 Morphisec Information Security Ltd. Malicious code protection for computer systems based on process modification
CN108874462A (en) * 2017-12-28 2018-11-23 Beijing Antiy Network Technology Co., Ltd. Browser behavior acquisition method, device, storage medium and electronic equipment
CN109471697A (en) * 2017-12-01 2019-03-15 Beijing Antiy Network Technology Co., Ltd. Method, apparatus and storage medium for monitoring system calls in a virtual machine
US10375576B1 (en) * 2016-09-09 2019-08-06 Trend Micro Incorporated Detection of malware apps that hijack app user interfaces
CN113391874A (en) * 2020-03-12 2021-09-14 Tencent Technology (Shenzhen) Co., Ltd. Virtual machine detection countermeasure method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chen Licheng et al.: "A method for monitoring memory-access address sequences with function semantic information", Journal of Computer Research and Development, 31 May 2013 (2013-05-31), pages 1100-1109 *

Also Published As

Publication number Publication date
CN114266037B (en) 2024-05-17

Similar Documents

Publication Publication Date Title
US10552610B1 (en) Adaptive virtual machine snapshot update framework for malware behavioral analysis
EP2784716A1 (en) Suspicious program detection
KR20130031860A (en) System testing method
US10372908B2 (en) System and method for detecting malware in a stream of bytes
US20120047493A1 (en) Break on next called function or method in java debugger agent
US11436131B2 (en) Systems and methods for software testing using a disposable code
US8701094B2 (en) Event management in a non-stop debugging environment
US11055416B2 (en) Detecting vulnerabilities in applications during execution
US9195562B2 (en) Recording external processes
CN110505246B (en) Client network communication detection method, device and storage medium
CN108121650B (en) Method and device for testing page user interface
US9069895B2 (en) Analyzing concurrent debugging sessions
US9075921B2 (en) Error simulation
US9652365B2 (en) Fault configuration using a registered list of controllers
CN110928787B (en) Automatic test script recording and playback method, device, equipment and storage medium
CN110928630A (en) Activation control method, device and equipment for application program window and storage medium
CN114266037B (en) Sample detection method and device, electronic equipment and storage medium
CN114328090A (en) Program monitoring method and device, electronic equipment and storage medium
CN111797016B (en) Application program testing method, device, storage medium and device
US20170060571A1 (en) System and method for masking complexity in a heterogeneous development environment
CN109472133B (en) Sandbox monitoring method and device
CN114327648B (en) Driving debugging method and device, electronic equipment and storage medium
Baird et al. Automated dynamic detection of self-hiding behavior
US11836064B2 (en) Computing device monitoring
US20160323397A1 (en) Aysnchronous Custom Exit Points

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant