CN114297647A - Program security detection method and related device - Google Patents

Program security detection method and related device

Info

Publication number
CN114297647A
Authority
CN
China
Prior art keywords: program, abnormal, instruction, detected, encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111603144.2A
Other languages
Chinese (zh)
Other versions
CN114297647B (en)
Inventor
姜新
应志伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haiguang Information Technology Co Ltd
Original Assignee
Haiguang Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Haiguang Information Technology Co Ltd
Priority to CN202111603144.2A
Publication of CN114297647A
Application granted
Publication of CN114297647B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

Embodiments of the application provide a program security detection method and a related device. The method includes: obtaining an abnormal encryption instruction of a program to be detected, the abnormal encryption instruction being an encryption instruction whose safety has not yet been confirmed; obtaining, according to the abnormal encryption instruction, an abnormal program segment that contains the abnormal encryption instruction and whose instruction count is smaller than the total number of instructions of the program to be detected; and performing abnormal encryption program detection on the abnormal program segment to determine the safety of the segment and thereby the safety of the program to be detected. Because only the segment around the suspect instruction is examined rather than the whole program, the embodiments improve the efficiency of program security detection.

Description

Program security detection method and related device
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to a program security detection method and a related device.
Background
With the continuing development of computer technology, computers are used ever more widely, and the security of the data they hold has become correspondingly more important.
Ransomware, which has emerged in recent years, is a new class of malware that threatens the security of computer data and spreads mainly in the form of Trojan-horse programs and the like. It encrypts the user's files by executing encryption instructions, so that important files can no longer be read and key data is destroyed; the user is then required to pay a large sum to the ransomware author for the key that decrypts the files and recovers the data. This has a serious impact on data security and on the user's ability to use the computer.
To address this problem, real-time monitoring in antivirus software is used to detect anomalies in program and file data: the application about to be executed is scanned, its program features are extracted, and the features are compared with the viruses held in a known virus database; if they match, the user is notified so that the virus can be removed.
However, effective detection of this kind requires scanning and feature extraction for every program and every piece of file data that is about to run. The resources this consumes slow down the start-up of legitimate user programs and degrade the user experience.
How to improve the efficiency of detecting abnormal encryption programs is therefore a technical problem that urgently needs to be solved.
Disclosure of Invention
The technical problem solved by the embodiment of the application is how to improve the efficiency of detecting the abnormal encryption program.
In order to solve the above problem, an embodiment of the present application provides a method for detecting program security and a related device, including:
in a first aspect, an embodiment of the present application provides a method for detecting program security, where the method includes:
acquiring an abnormal encryption instruction of a program to be detected, the abnormal encryption instruction being an encryption instruction whose safety has not been confirmed;
acquiring an abnormal program segment according to the abnormal encryption instruction, where the abnormal program segment contains the abnormal encryption instruction and the number of instructions in the abnormal program segment is smaller than the total number of instructions of the program to be detected; and
performing abnormal encryption program detection on the abnormal program segment, determining the safety of the abnormal program segment, and thereby obtaining the safety of the program to be detected.
In a second aspect, an embodiment of the present application provides a program security detection apparatus, where the apparatus includes:
an abnormal encryption instruction acquisition module, adapted to acquire an abnormal encryption instruction of a program to be detected, the abnormal encryption instruction being an encryption instruction whose safety has not been confirmed;
an abnormal program segment acquisition module, adapted to acquire an abnormal program segment according to the abnormal encryption instruction, where the abnormal program segment contains the abnormal encryption instruction and the number of instructions in the abnormal program segment is smaller than the total number of instructions of the program to be detected; and
a safety determination module, adapted to perform abnormal encryption program detection on the abnormal program segment, determine the safety of the abnormal program segment, and thereby obtain the safety of the program to be detected.
In a third aspect, an embodiment of the present application provides an integrated circuit to implement the program security detection method according to any one of the first aspect.
In a fourth aspect, an embodiment of the present application further provides an electronic device, including the integrated circuit according to the third aspect.
Compared with the prior art, the technical scheme of the embodiment of the application has the following advantages:
In the program security detection method provided by the embodiments of the application, the abnormal encryption instruction is acquired, the abnormal program segment containing it is then acquired, and program security is determined by detecting the security of that segment. The segment used for security detection contains fewer instructions than the complete program to be detected, yet because it contains the abnormal encryption instruction that decides whether the program is abnormal, detecting the segment alone suffices to determine the security of the corresponding program. The workload of abnormal program detection is thus reduced, the time it takes is shortened, the efficiency of detecting virus files is improved, and the user experience is improved accordingly.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a schematic diagram showing how ransomware causes damage.
Fig. 2 is a schematic diagram of the operating principle of the antivirus software.
FIG. 3 is a schematic diagram illustrating the operation of antivirus software to detect encrypted files.
Fig. 4 is a flowchart of a program security detection method according to an embodiment of the present application.
Fig. 5 is another flowchart of a program security detection method provided in an embodiment of the present application.
Fig. 6 is a flowchart illustrating a step of setting a specific abnormal instruction identifier in the method for detecting program security according to an embodiment of the present application.
Fig. 7 is a schematic diagram of a configuration structure of an abnormal instruction identifier in the method for detecting program security according to the embodiment of the present application.
Fig. 8 is a block diagram of a program security detection apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
FIG. 1 is a schematic diagram showing how ransomware causes damage.
As shown in FIG. 1, the ransomware 110 reads the user data 112 stored on the disk 113 and encrypts it using the encryption instruction 111. The user generally cannot decrypt the encrypted user data 112, so it can only be used normally again after the private key able to decrypt it has been obtained and the data has been decrypted.
It should be noted that the "virus" in ransomware 110 refers generally to malicious code itself: a program written with the intent of compromising information security, which typically lies hidden in the attacked user's computer system in order to destroy or steal information. Ransomware 110 spreads mainly by e-mail and by "web page Trojan hanging" (drive-by download). Trojan hanging is a distribution channel for a Trojan: the Trojan is the malicious software (here, the ransomware), and Trojan hanging is one of the ways that software gets onto the attacked user's computer. In web page Trojan hanging, a Trojan program is uploaded to a website and a Trojan generator is used to produce a web page Trojan, so that the Trojan program is downloaded and run automatically when the page is opened.
The key behaviours of ransomware 110 while it runs and spreads are as follows: first, ransomware 110 traverses all user data 112 on the disk 113; it then formats and encrypts the user data 112 by calling an encryption algorithm library, encrypting the files with a public key cryptographic algorithm. Some ransomware uses RSA (for example WannaCry) and some uses elliptic curve cryptography (for example CTB Locker).
The specific working principle is as follows. The author of ransomware 110, i.e. the extortionist, first generates a private key A and a public key A on his own computer using an RSA or elliptic curve algorithm. The ransomware 110 then randomly generates a private key B and a public key B on the attacked user's disk 113. Next, each item of user data 112 on the attacked user's disk 113 is encrypted with public key B, and the private key B generated on the attacked user's machine is encrypted with public key A. Finally, private key B, public key A and the original user data 112 are deleted from the attacked user's disk 113.
As a result, data encrypted under public key B can only be decrypted with private key B, but private key B is itself encrypted under public key A, so recovering it requires private key A, which only the author of ransomware 110 holds. Moreover, when the author performs this decryption with private key A, what is handed over is only a randomly generated key, private key A', rather than the author's original private key A, so each piece of encrypted user data 112 has a different private key A' that only the author of ransomware 110 can provide.
Ransomware 110 therefore renders the user's important files unreadable and destroys key data, and the user must pay a large sum to the ransomware author for the file decryption key in order to recover the data. Research on techniques for detecting and removing ransomware 110 is thus very necessary.
In the prior art, antivirus software usually detects and removes virus programs by real-time monitoring; see FIG. 2, which is a schematic diagram of the working principle of antivirus software.
As shown in the figure, existing antivirus software 21 monitors program execution in real time. When the antivirus software 21 starts, it registers file read/write hook code with the operating system 115. Because the application program 20, the ransomware 110, the user data 112 and so on are all stored on the disk 113 as files, the virus can be defended against as long as file read/write operations are monitored and the file contents are analysed. The main flow is as follows:
Step 1: the program loader 22 starts an application program 20 and reads its file from the disk 113. The antivirus software 21 has registered a file read/write hook on this path in advance: it starts when the electronic device boots and registers the hook with the operating system 115 at the same time.
Step 2: having obtained information about the file to be read through the hook, the antivirus software 21 reads the file of the application program 20 from the disk 113 but does not load or execute it.
Step 3: the disk-file virus analysis module of the antivirus software 21 scans all data of the application program 20, analyses it and extracts features, and compares the extracted features with the virus data held in the virus library. If they match, the application program 20 is judged to be suspected ransomware 110 and the user is notified. If they do not match, it is a miss: the antivirus software 21 exits, the application program 20 is judged to be a normal executable file, and the program loader 22 goes on to fetch all data of the application program 20 from the disk 113 and execute it.
A hook is in fact a program segment that processes messages and is attached to the system through system calls. Whenever a particular message is sent, the hook captures it before it reaches the destination window, i.e. the hook function takes control. The hook function may then process (modify) the message, pass it on unprocessed, or forcibly terminate its delivery.
It can be seen that, when monitoring in real time the application program 20 to be read or other data stored on the disk 113, the antivirus software 21 must first analyse and check all data of the application program 20 before reaching a final judgement, and while it is deciding whether the application program 20 may execute normally no other read operations can proceed in parallel. This slows the start-up of legitimate user programs and degrades the user experience.
On the other hand, for application programs 20 (or ransomware 110) protected by an encrypting packer, virus features cannot be analysed effectively merely by scanning all data of the application program 20, because the program has been encrypted and compressed and its program features have been destroyed. See FIG. 3, which is a schematic diagram of the working principle of antivirus software detecting an encrypted file.
As shown in the figure, the antivirus software 21 must first load all data of the encrypted application program 201 (i.e. the encrypted form of the original application program 20, stored as a disk file) into a secure container (not shown) through the program loader 22, and unpack the data of the encrypted application program 201 using a loader (shell) 23 to obtain the original application program 20. Only then can the original application program 20 be scanned and analysed, its features extracted, and a decision made as to whether those features indicate ransomware 110.
It can be seen that, for an application program 20 (or ransomware 110) that has been encrypted and packed, the antivirus software 21 additionally needs the loader (shell) 23 and a secure container to unpack and decrypt the encrypted file, so the overhead on system resources is greater, virus detection takes longer, and the user experience is worse.
In order to improve the efficiency of virus detection, an embodiment of the present application provides a method for detecting program security, and specifically, please refer to fig. 4, where fig. 4 is a flowchart of the method for detecting program security provided in the embodiment of the present application.
As shown in fig. 4, the method for detecting program security provided in the embodiment of the present application may include the following steps:
In step S10, an abnormal encryption instruction of the program to be detected is acquired, the abnormal encryption instruction being an encryption instruction whose safety has not been confirmed.
The abnormal encryption instruction marks the program to be detected as a program that must not be executed yet: the program may be ransomware, and its safety has to be confirmed by examining it.
Because ransomware does its damage by encrypting data with encryption instructions, it is the programs that contain encryption instructions that need to be examined.
In step S11, an abnormal program segment is obtained according to the abnormal encryption instruction, where the abnormal program segment includes the abnormal encryption instruction, and the number of instructions of the abnormal program segment is less than the total number of instructions of the program to be detected.
After the abnormal encryption instruction has been obtained, the abnormal program segment is taken from the program based on that instruction; the choice of segment is determined by the location of the abnormal encryption instruction. In some embodiments an abnormal program segment may be set to contain 4096 bytes, centred on the location of the acquired abnormal encryption instruction, so that the number of bytes taken before the instruction's position plus the number taken after it totals 4096 bytes. This determines an abnormal program segment that contains the abnormal encryption instruction.
Of course, in other embodiments a segment with more bytes, such as 8192 bytes, or with fewer bytes may be formed. It is readily understood that the larger the abnormal program segment, the longer the detection takes.
In step S12, performing abnormal encrypted program detection on the abnormal program segment, determining the security of the abnormal program segment, and obtaining the security of the program to be detected.
After the abnormal program segment has been obtained, abnormal encryption program detection is performed on it. If the segment is found to be abnormal, the program to be detected is an abnormal program, i.e. a virus program; otherwise it is a normal program. The safety of the program to be detected is obtained in this way.
In some embodiments, the security of the abnormal program segment may be determined by extracting program features from the segment and deciding on the basis of those features.
The program features indicate the type of program anomaly and are used to decide whether the abnormal program segment belongs to a ransomware program. The extracted features are specific in the sense that, across a wide range of matching, they uniquely identify a malicious code (ransomware) program.
Specifically, a program feature may be the presence of an instruction that calls an encryption function, or of instructions that traverse all user data, i.e. read/write instructions.
In some embodiments, antivirus software may be used to extract the program features of the abnormal program segment and determine its security from those features.
The antivirus software contains a virus library holding a large number of feature instructions of known malicious programs, so the antivirus software can compare the extracted program features one by one against the virus library to determine whether the abnormal program segment contains any of the feature instructions stored there.
In another specific embodiment, when the antivirus software cannot determine the security of the abnormal program segment from the program features, user confirmation is initiated and the user's confirmation result is received to obtain the security of the abnormal program segment.
Because the virus library of the antivirus software contains only the feature instructions of known viruses, while viruses evolve and are updated very quickly and the virus library is updated much more slowly, a comparison against the library may fail to identify a virus program. In that case the security detection program can report an error to the user based on the abnormal encryption instruction of the program to be detected, and the user decides whether the program may be executed.
Specifically, the error may be reported by popping up a dialog box reminding the user to check.
This mode of detection judges program safety by the double check of antivirus software plus manual inspection, and improves the reliability of program security detection.
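As an added example, not code from the patent or from Haiguang, the following Go program implements steps S11 and S12 as described above: it cuts a 4096-byte window centred on the offset of the flagged encryption instruction, clipping the window at the start and end of the program so the flagged instruction is always inside it, and compares only that window against a virus library. The library, the 0x90 filler, the patterns (constructed stand-ins for the feature instructions a real library holds) and all identifiers are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
)

// SegmentSize is the 4096-byte abnormal program segment the text gives as one
// embodiment; 8192 or a smaller value are the alternatives it mentions.
const SegmentSize = 4096

// Segment is the byte range [Start, End) of the program that will be scanned.
type Segment struct {
	Start, End int
	Data       []byte
}

// ExtractSegment implements step S11: it returns a window of size bytes centred
// on offset, the position of the flagged encryption instruction. The window is
// clipped to the program bounds, so an instruction near the start or end still
// yields a segment containing it; a program no larger than size is returned whole.
func ExtractSegment(program []byte, offset, size int) (Segment, error) {
	if offset < 0 || offset >= len(program) {
		return Segment{}, fmt.Errorf("offset %d outside program of %d bytes", offset, len(program))
	}
	if size <= 0 {
		return Segment{}, fmt.Errorf("invalid segment size %d", size)
	}
	start := offset - size/2
	end := start + size
	if start < 0 { // instruction near the start: slide the window right
		start = 0
		end = size
	}
	if end > len(program) { // instruction near the end: slide the window left
		end = len(program)
		start = end - size
		if start < 0 {
			start = 0
		}
	}
	return Segment{Start: start, End: end, Data: program[start:end]}, nil
}

// Signature is one known-malicious feature of the kind the text names (a call
// to an encryption routine, a traversal of all user files). The patterns are
// constructed stand-ins for the byte sequences a real virus library holds.
type Signature struct {
	Name    string
	Pattern []byte
}

// VirusLibrary is a constructed library with one signature per feature type.
var VirusLibrary = []Signature{
	{Name: "calls encryption routine", Pattern: []byte("CALL encrypt_buffer")},
	{Name: "traverses all user files", Pattern: []byte("CALL walk_all_files")},
}

// Verdict is the outcome of step S12 for one segment.
type Verdict struct {
	Segment Segment
	Matched []string // names of the signatures found in the segment
}

// Malicious reports whether any library feature matched.
func (v Verdict) Malicious() bool { return len(v.Matched) > 0 }

// ScanSegment implements step S12: compare the segment, not the whole program,
// against the library. No match is the case the text hands to user confirmation.
func ScanSegment(seg Segment, lib []Signature) Verdict {
	v := Verdict{Segment: seg}
	for _, s := range lib {
		if bytes.Contains(seg.Data, s.Pattern) {
			v.Matched = append(v.Matched, s.Name)
		}
	}
	return v
}

// DetectProgram runs S11 and then S12 for one flagged instruction offset.
func DetectProgram(program []byte, flaggedOffset int, lib []Signature) (Verdict, error) {
	seg, err := ExtractSegment(program, flaggedOffset, SegmentSize)
	if err != nil {
		return Verdict{}, err
	}
	return ScanSegment(seg, lib), nil
}

// BuildSampleProgram constructs a filler image of total bytes and copies each
// pattern to its offset; it stands in for a real program file.
func BuildSampleProgram(total int, placements map[int][]byte) []byte {
	prog := bytes.Repeat([]byte{0x90}, total)
	for off, p := range placements {
		copy(prog[off:], p)
	}
	return prog
}

func main() {
	// Flagged encryption call at byte 15000, with the file traversal 100 bytes
	// before it; both fall inside the 4096-byte window around byte 15000.
	prog := BuildSampleProgram(20000, map[int][]byte{
		15000: VirusLibrary[0].Pattern,
		14900: VirusLibrary[1].Pattern,
	})
	v, err := DetectProgram(prog, 15000, VirusLibrary)
	if err != nil {
		panic(err)
	}
	fmt.Printf("scanned [%d,%d) of %d bytes: malicious=%v matched=%v\n",
		v.Segment.Start, v.Segment.End, len(prog), v.Malicious(), v.Matched)
}
```

Running the file prints the scanned range and the verdict. Two points the steps above leave implicit: a program no larger than the window is scanned whole, so the segment is only smaller than the program when the program is larger than 4096 bytes; and a feature lying outside the window is never examined, which is where a miss can occur and why the text provides the fallback to user confirmation when nothing matches.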
It can be seen that, with the program security detection method provided in the embodiments of the application, the abnormal program segment used for security detection contains fewer instructions than the complete program to be detected; because the segment contains the abnormal encryption instruction that decides whether the program is abnormal, detecting the segment alone suffices to determine the security of the corresponding program. The workload of abnormal program detection is thus reduced, the time it takes is shortened, the efficiency of detecting virus files is improved, and the user experience is improved accordingly.
In a specific embodiment, in order to implement detection on the program to be detected while ensuring user experience, an abnormal encryption instruction may be obtained during execution of the program to be detected. Referring to fig. 5, fig. 5 is another flowchart of a program security detection method according to an embodiment of the present disclosure.
As shown in the figure, the program security detection method provided in the embodiment of the present application may include the following steps:
in step S20, the current instruction to be detected of the program to be detected is analyzed, and each instruction of the program to be detected is provided with a specific abnormal instruction identifier.
As the program to be detected executes, each of its instructions to be detected is analysed in turn, yielding the instruction to be detected at the current moment, i.e. the current instruction to be detected.
It should be noted that, in order to obtain the abnormal encryption instruction, each instruction to be detected is provided with a specific abnormal instruction identifier.
It is readily understood that the specific abnormal instruction identifier set for the current instruction to be detected indicates whether that instruction is an abnormal, unsafe instruction, that is, an instruction of a ransomware program.
So that the processor can recognise, while executing the current instruction to be detected, whether it is an abnormal instruction, in some embodiments (still referring to FIG. 5) the specific abnormal instruction identifier may be set in the program to be detected in advance. The specific steps may include:
in step S01, the program to be detected is loaded.
It is readily understood that, as described above for the prior art, loading the program to be detected is done by the operating system (the program loader 22 on the operating system 115 shown in FIG. 2 loads the program).
Of course, a program to be detected that has been encrypted and packed is loaded in the same manner.
In step S02, the CPU context of the program to be detected is initialized, and the specific abnormal instruction identifier is set in the specific abnormal instruction identifier field of the CPU context.
After the program to be detected has been loaded, its CPU context is initialized. In addition to the operations that initialization of an ordinary program's CPU context requires, the specific abnormal instruction identifier is set in the specific abnormal instruction identifier field of the CPU context.
Specifically, the specific abnormal instruction identifier can be set by the operating system when the program currently being loaded is initialized, so that the processor can later decide promptly, while executing the current instruction to be detected, whether it is an abnormal instruction, thereby quickly stopping ransomware from running and protecting the safety of program data.
Of course, so that normal programs run faster and time is not wasted on unnecessary program detection, in one embodiment, when the specific abnormal instruction identifier is set in the specific abnormal instruction identifier field of the CPU context in step S02, different specific abnormal instruction identifiers may be set for different programs to be detected.
Specifically, please refer to fig. 6, fig. 6 is a flowchart illustrating a step of setting a specific abnormal instruction identifier according to the method for detecting program security of the present application.
As shown in the figure, in the program security detection method provided in the embodiment of the present application, the step of setting the specific abnormal instruction identifier may specifically include:
in step S020, it is determined whether the digital signature of the program to be detected is acquired, if so, step S021 is executed, and if not, step S022 is executed.
First it is determined whether a digital signature of the program to be detected is obtained. If so, it is further judged whether the digital signature passes verification; that is, a program to be detected that carries a digital signature proceeds to step S021 so that its safety can be judged further.
If no digital signature of the program to be detected is obtained, i.e. the program has not been signed, it is treated as a suspect program (since abnormal programs such as virus programs carry no digital signature, it must be examined further). The operating system cannot determine the program's safety at this point, so for safety step S022 is executed: the specific abnormal instruction identifier in the specific abnormal instruction identifier field of the CPU context is set to the abnormal identifier, so that each instruction is judged further later.
In step S021, it is determined whether the digital signature passes verification, if yes, step S023 is executed, and if no, step S022 is executed.
When a digital signature of the program to be detected is obtained, the signature is verified. If verification passes, the program to be detected is a verified, normally running program, and step S023 may be executed: the specific abnormal instruction identifier in the specific abnormal instruction identifier field of the CPU context is set to the non-abnormal identifier, and the processor may run the program directly without further security detection. If verification fails, the safety of the program to be detected cannot be confirmed, so step S022 is executed instead: the specific abnormal instruction identifier in the specific abnormal instruction identifier field of the CPU context is set to the abnormal identifier, so that further judgement is made during subsequent instruction execution.
In step S022, the specific exceptional instruction flag is set as an exception flag in a specific exceptional instruction flag field of the CPU context.
In step S023, setting the specific abnormal instruction flag as a non-abnormal flag in a specific abnormal instruction flag field of the CPU context.
It can be seen that, by obtaining and verifying the digital signature of the program to be detected during CPU context initialization, a program whose digital signature is obtained and passes verification has the specific abnormal instruction identifier field of its CPU context set directly to the non-abnormal identifier.
In some embodiments, setting the specific abnormal instruction identifier to the abnormal identifier in the specific abnormal instruction identifier field of the CPU context is performed by the operating system kernel.
Specifically, please refer to fig. 7, fig. 7 is a schematic diagram illustrating a configuration structure of an abnormal instruction identifier in the method for detecting program security according to the embodiment of the present application.
As shown in fig. 7, the abnormal instruction identifier may be carried in an SIT (specific instruction trace) field 30 added to the CPU context maintained by the operating system kernel, namely a new field carved out of the reserved field (RAZ, read-as-zero) shown in the figure. The SIT field 30 identifies the specific abnormal instruction identifier type of the current instruction to be detected: when the SIT corresponding to the current instruction is 1, the instruction is treated as an abnormal instruction when the CPU executes it; when the SIT is 0, the instruction is a non-abnormal instruction and is judged as such directly when the CPU executes it.
Because the loader runs within the operating system, and the SIT field 30 is readable and writable only by the operating system kernel, ransomware running as an ordinary program has no permission to touch it. Setting the specific abnormal instruction identifier of the CPU context inside the kernel therefore prevents ransomware from maliciously clearing the field, which improves both the security of the specific abnormal instruction identifier field and the accuracy of program security detection.
When the current instruction to be detected of the program to be detected has been analysed and the instruction obtained from the analysis carries the specific abnormal instruction identifier, refer again to fig. 5.
Specifically, the step S21 of acquiring the abnormal encryption instruction of the program to be detected may specifically include:
in step S210, it is determined whether the current instruction to be detected is an encrypted instruction, if so, step S211 is executed, and if not, step S212 is executed.
Since an abnormal encryption instruction must first of all be an encryption instruction, whether the current instruction to be detected is an encryption instruction is judged first; if so, further judgment is needed, otherwise the current instruction can be executed directly.
In step S211, it is determined whether the specific abnormal instruction identifier of the current instruction to be detected is an abnormal identifier, if so, step S213 is executed, and if not, step S212 is executed.
When the current instruction to be detected is judged to be an encryption instruction, whether it is an abnormal instruction is determined from its specific abnormal instruction identifier: if so, an abnormal encryption instruction is obtained; otherwise the instruction, although an encryption instruction, is not an abnormal one and is executed.
And when the specific abnormal instruction identifier is set in the specific abnormal instruction identifier field of the CPU context and is determined to be an abnormal identifier, obtaining the abnormal encryption instruction.
In step S212, the current instruction to be detected is executed.
In step S213, the abnormal encryption instruction is obtained.
When the current instruction to be detected is an encrypted instruction and the specific abnormal instruction identifier of the current instruction to be detected is an abnormal identifier, obtaining the abnormal encrypted instruction; and when the current instruction to be detected is a non-encrypted instruction or the specific abnormal instruction identifier of the current instruction to be detected is a non-abnormal identifier, executing the current instruction to be detected.
Therefore, program security detection does not affect normal programs or programs already verified as safe, and the efficiency of program security detection is improved.
Of course, please refer to fig. 5 again, in another embodiment, in order not to affect the execution of other programs, after the abnormal encryption instruction is obtained, the method for detecting program security provided in the embodiment of the present application may further include:
in step S22, the program to be detected including the abnormal encryption instruction is stopped from being executed.
Due to the insecurity of the exception-encrypted instruction, execution of the program to be detected including the exception-encrypted instruction needs to be stopped.
In step S23, the program to be detected to which the abnormal encryption instruction belongs is moved out of a program run queue.
It should be noted that, in the program security detection method provided by the present application, in the execution process, when the abnormal encryption instruction of the program to be detected is obtained, the current program to be detected is immediately moved out of the program running queue, and the processor continues to execute each instruction included in the next program to be detected.
Therefore, the security detection can be carried out on the program segment to be detected containing the abnormal encryption instruction, the execution of the next program cannot be hindered, and the program detection and whole program operation efficiency is further improved.
In step S24, an abnormal program segment is obtained according to the abnormal encryption instruction, where the abnormal program segment includes the abnormal encryption instruction, and the number of instructions of the abnormal program segment is less than the total number of instructions of the program to be detected.
For details of step S24, please refer to the description of step S11 shown in fig. 4, which is not repeated herein.
In step S25, performing abnormal encrypted program detection on the abnormal program segment, determining the security of the abnormal program segment, and obtaining the security of the program to be detected.
For details of step S25, please refer to the description of step S12 shown in fig. 4, which is not repeated herein.
Of course, two cases follow from the security of the program to be detected, and different processing is performed according to the result: when the abnormal program segment is determined to be safe, step S26 is performed; otherwise step S27 is performed. Please continue to refer to fig. 5.
As shown in fig. 5, the method for detecting program security provided in the embodiment of the present application may further include:
when the safety of the abnormal program segment is determined to be safe:
in step S26, the specific abnormal instruction identifier of the program to be detected to which the abnormal program segment belongs is adjusted to be a non-abnormal identifier, and the program to be detected to which the abnormal program segment belongs is returned to the program running queue.
As described above, after the abnormal encryption instruction is obtained the program to be detected is moved out of the program running queue so as not to hinder other programs. When the abnormal program segment containing the abnormal encryption instruction is determined to be safe, the program must be returned to the program running queue so that it can continue; before that, its specific abnormal instruction identifier also has to be adjusted.
Specifically, when the program to be detected is determined to be a safe program, in order to ensure the subsequent normal execution of the program to be detected, the specific abnormal instruction identifier of the program to be detected needs to be adjusted to be a non-abnormal identifier, and meanwhile, the program to be detected needs to be returned to the program running queue, so that the program to be detected can be continuously executed from the abnormal encryption instruction, and the normal and rapid execution of the program to be detected is ensured.
When the abnormal program segment is determined to be unsafe:
in step S27, the program to be detected to which the abnormal program segment belongs is deleted.
When the abnormal program segment is determined to be unsafe, the program to be detected is deleted directly, so that it cannot damage the user's files.
The deletion may be performed automatically by the antivirus software once its feature comparison matches, or by the user through the antivirus software after the match is reported.
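The instruction-level flow of steps S210 to S27 above, as an added simulation written for this page (not code from the patent or from Haiguang): a constructed toy instruction set in which OpEncrypt stands for the encryption instruction, a window of instructions around the trapped one as the abnormal program segment, and a feature match that treats encryption combined with traversal of the user's data as the ransomware feature named later in the description. It also covers the fallback the description gives for features the antivirus library does not know, via a user-confirmation hook. The opcodes, the window size, the verdict rules and the Confirm hook are all assumptions of this example; the page does not specify them. Detection runs inline here, whereas the page moves the program off the run queue so that the next program can execute while the segment is scanned.

```go
package main

import "fmt"

// Constructed toy instruction set. OpEncrypt is the page's "encryption
// instruction"; OpWalkUser is the traversal of all user data that the page
// names, together with cryptographic calls, as a ransomware feature.
type Opcode string

const (
	OpMov       Opcode = "mov"
	OpEncrypt   Opcode = "encrypt"
	OpWalkUser  Opcode = "walk_user"
	OpWriteFile Opcode = "write_file"
)

// Process is a program to be detected with its CPU context: the program
// counter and the specific abnormal instruction identifier (SIT, true = abnormal).
type Process struct {
	Name string
	Code []Opcode
	PC   int
	SIT  bool
}

type Verdict int

// VerdictUnknown: no feature match, the case where the page asks the user.
const VerdictSafe, VerdictUnsafe, VerdictUnknown Verdict = 0, 1, 2

// AbnormalSegment is the page's abnormal program segment: `window` instructions
// on either side of the trapped one (the window size is this example's assumption).
func AbnormalSegment(code []Opcode, pc, window int) []Opcode {
	lo, hi := pc-window, pc+window+1
	if lo < 0 {
		lo = 0
	}
	if hi > len(code) {
		hi = len(code)
	}
	return code[lo:hi]
}

// DetectSegment stands in for the antivirus feature match; its rules are
// assumptions: encryption plus a user-data walk is the ransomware feature,
// encryption with no file output is benign, anything else is unknown.
func DetectSegment(seg []Opcode) Verdict {
	seen := map[Opcode]bool{}
	for _, op := range seg {
		seen[op] = true
	}
	switch {
	case seen[OpEncrypt] && seen[OpWalkUser]:
		return VerdictUnsafe
	case seen[OpEncrypt] && !seen[OpWriteFile]:
		return VerdictSafe
	}
	return VerdictUnknown
}

// Scheduler owns the program run queue; Confirm is the user-confirmation hook.
type Scheduler struct {
	Queue         []*Process
	Done, Deleted []string
	Window        int
	Confirm       func(name string, seg []Opcode) bool
}

// Run executes the queued programs, applying S210/S211 to every instruction
// and S22..S27 on a hit, and returns the event trace.
func (s *Scheduler) Run() []string {
	var trace []string
	for len(s.Queue) > 0 {
		p := s.Queue[0]
		s.Queue = s.Queue[1:] // the running program leaves the queue head
		for p.PC < len(p.Code) && !(p.Code[p.PC] == OpEncrypt && p.SIT) {
			trace = append(trace, p.Name+":"+string(p.Code[p.PC])) // S212
			p.PC++
		}
		if p.PC == len(p.Code) {
			s.Done = append(s.Done, p.Name)
			continue
		}
		// S213: abnormal encryption instruction; the program stays off the
		// queue (S22/S23) while its segment is extracted and scanned (S24/S25).
		seg := AbnormalSegment(p.Code, p.PC, s.Window)
		v := DetectSegment(seg)
		if v == VerdictUnknown && s.Confirm != nil && s.Confirm(p.Name, seg) {
			v = VerdictSafe
		}
		if v == VerdictSafe { // S26: clear SIT, requeue, resume at the trapped instruction
			p.SIT = false
			s.Queue = append(s.Queue, p)
			trace = append(trace, p.Name+":cleared")
			continue
		}
		s.Deleted = append(s.Deleted, p.Name) // S27; an unconfirmed unknown is deleted too
		trace = append(trace, p.Name+":deleted")
	}
	return trace
}

// NewSampleScheduler queues four constructed programs: three unsigned (SIT
// set) and one whose signature verified at load (SIT clear), never trapped.
func NewSampleScheduler() *Scheduler {
	return &Scheduler{Window: 2,
		Confirm: func(name string, _ []Opcode) bool { return name == "updater" },
		Queue: []*Process{
			{Name: "backup", SIT: true, Code: []Opcode{OpMov, OpEncrypt, OpMov}},
			{Name: "locker", SIT: true, Code: []Opcode{OpWalkUser, OpEncrypt, OpWriteFile}},
			{Name: "signed", SIT: false, Code: []Opcode{OpWalkUser, OpEncrypt, OpWriteFile}},
			{Name: "updater", SIT: true, Code: []Opcode{OpEncrypt, OpWriteFile}},
		}}
}

func main() {
	s := NewSampleScheduler()
	fmt.Println(s.Run(), "deleted:", s.Deleted)
}
```

In the sample run "backup" traps at its encryption instruction, is scanned, cleared and resumed from that same instruction; "locker" traps and is deleted because its segment both walks user data and encrypts; "signed" runs the very same instruction sequence untouched because its identifier was cleared at load, which is the page's trade-off (a verified signature removes the program from per-instruction checking entirely); "updater" produces no library match and survives only because the confirmation hook answers yes.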
Therefore, the program security detection method provided by the embodiment of the application can improve the efficiency of security detection of the abnormal program and improve the user experience without affecting the operation of the normal program.
In order to solve the foregoing problem, an embodiment of the present application further provides a program security detection apparatus, which may be regarded as a functional module that is required to be configured to implement the program security detection method provided in the embodiment of the present application. The device content described below may be referred to in correspondence with the method content described above.
As an alternative implementation, fig. 8 shows an alternative structural block diagram of the program security detection apparatus provided in the embodiment of the present application.
As shown in fig. 8, the program security detection means may include:
an abnormal encryption instruction obtaining module 700, adapted to obtain an abnormal encryption instruction of a program to be detected, where the abnormal encryption instruction is an encryption instruction that is not confirmed by security;
the abnormal encryption instruction indicates that the program to be detected may be ransomware and that its security needs to be detected and confirmed. This is because ransomware destroys user data by encrypting it with encryption instructions, so a program containing an encryption instruction has to be examined.
An abnormal program segment obtaining module 701, adapted to obtain an abnormal program segment according to the abnormal encryption instruction, where the abnormal program segment includes the abnormal encryption instruction, and the instruction number of the abnormal program segment is smaller than the total instruction amount of the program to be detected;
the security determining module 702 is adapted to perform abnormal encryption program detection on the abnormal program segment, determine the security of the abnormal program segment, and obtain the security of the program to be detected.
After the abnormal program segment is obtained, abnormal encryption program detection is carried out on the abnormal program segment, and if the detection result is the abnormal program segment, the program to be detected is an abnormal program, namely a virus program; otherwise, the program is a normal program, so that the safety of the program to be detected can be obtained.
It can be seen that, in the program security detection apparatus provided in the embodiment of the present application, the abnormal encrypted instruction obtaining module 700 obtains the abnormal encrypted instruction, then the abnormal program segment obtaining module 701 obtains the abnormal program segment containing the abnormal encrypted instruction, and finally the security determining module 702 detects the security of the abnormal program segment, so as to implement the detection of the program security.
Therefore, the program security detection device provided by the embodiment of the application is used for detecting security, the number of instructions contained in the abnormal program segment is less than the total number of instructions contained in the complete program to be detected, and because the abnormal program segment contains the abnormal encryption instruction which can determine whether the program to be detected is the abnormal program, the security of the program to be detected corresponding to the program segment can be detected only by detecting the abnormal program segment, so that the workload of detecting the abnormal program can be reduced, the time required by detecting the abnormal program is shortened, the virus file detection efficiency is improved, and the user experience is improved.
In one embodiment, to implement detection on a program to be detected while ensuring user experience, an abnormal encryption instruction may be obtained during execution of the program to be detected, so that before the abnormal encryption instruction obtaining module 700 executes, in one embodiment, please continue to refer to fig. 8, the program security detecting apparatus further includes:
the analysis running module 602 is adapted to analyze a current instruction to be detected of the program to be detected, and each instruction of the program to be detected is provided with a specific abnormal instruction identifier;
with the execution of the program to be detected, each instruction to be detected of the program to be detected is continuously analyzed, so that the instruction to be detected at the current moment, namely the current instruction to be detected, is obtained.
It should be noted that, in order to obtain the abnormal encryption instruction, each instruction to be detected is provided with a specific abnormal instruction identifier.
It is easily understood that the specific abnormal instruction identifier carried by the current instruction to be detected indicates whether that instruction is an abnormal, unsafe instruction, that is, an instruction of a ransomware program.
In one embodiment, in order to enable the processor to identify whether the current instruction to be detected is an abnormal instruction when executing the current instruction to be detected, please continue referring to fig. 8, the program security detecting apparatus further includes:
a program loading module 600 adapted to load the program to be detected;
the initialization module 601 is adapted to initialize the CPU context of the program to be detected, and set the specific abnormal instruction identifier in the specific abnormal instruction identifier field of the CPU context.
In an embodiment, after the program loading module 600 finishes loading the program to be detected, in order to implement the normal program running more quickly and reduce the unnecessary waste of the program detection time, in an embodiment, when setting the specific abnormal instruction identifier in the specific abnormal instruction identifier field of the CPU context in the initialization module 601, different specific abnormal instruction identifiers may be set based on the difference of the program to be detected. The specific initialization module 601 includes:
when the digital signature of the program to be detected is acquired and the signature passes, setting the specific abnormal instruction identifier as a non-abnormal identifier in a specific abnormal instruction identifier field of the context of the CPU;
and when the digital signature of the program to be detected is not acquired or the signature verification fails, setting the specific abnormal instruction identifier as an abnormal identifier in a specific abnormal instruction identifier field of the context of the CPU.
From the description of the program security detection method it can be seen that the instructions of ransomware are encryption instructions, while a digital signature is itself produced by a private-key operation over the program. A program to be detected that carries a digital signature has therefore undergone such a private-key operation, and verifying the signature is the corresponding public-key operation; the presence of a signature alone does not clear the program, it only makes it a candidate for verification.
At this time, the digital signature of the program to be detected is checked, and when the check passes, it indicates that the program to be detected is a normally-operable program verified by a user, the initialization module 601 may set the specific abnormal instruction identifier in the specific abnormal instruction identifier field of the CPU context as a non-abnormal identifier, and the processor may directly operate the program to be detected, without further detecting the program security, thereby reducing the time for detecting the normal program and improving the efficiency of detecting the program security.
When no digital signature of the program to be detected is obtained, that is, the program is unsigned, it is treated as an ordinary program to be detected whose security the operating system cannot determine. For safety, the initialization module 601 may set the specific abnormal instruction identifier to the abnormal identifier in the specific abnormal instruction identifier field of the CPU context, so that the determination is made later on each instruction.
When the digital signature of the program to be detected is obtained, it is verified. If verification passes, the program to be detected is a verified, normally runnable program; the initialization module 601 sets the specific abnormal instruction identifier in the specific abnormal instruction identifier field of the CPU context to the non-abnormal identifier, and the processor may run the program directly without further security detection. If verification fails, the security of the program cannot be established, so the initialization module 601 sets the identifier to the abnormal identifier and the judgment is made later during instruction execution.
In some embodiments, the initialization module 601 is adapted to:
setting the specific abnormal instruction identification in a specific abnormal instruction identification field of the CPU context by utilizing an operating system kernel.
Specifically, the abnormal instruction identifier may be an SIT (specific instruction trap) field 30 added to the CPU context maintained by the operating system kernel, which controls the execution of the current instruction to be detected: when SIT is 1, an instruction exception is raised when the CPU executes the current instruction; when SIT is 0, the CPU executes the instruction without raising the exception.
When the current analysis of the instruction to be detected of the program to be detected is completed and the current instruction to be detected obtained after the analysis is provided with a specific abnormal instruction identifier, the abnormal encryption instruction obtaining module 700 is suitable for obtaining the abnormal encryption instruction of the program to be detected, and includes:
when the current instruction to be detected is an encrypted instruction and the specific abnormal instruction identifier of the current instruction to be detected is an abnormal identifier, the abnormal encrypted instruction obtaining module obtains the abnormal encrypted instruction (that is, the abnormal encrypted instruction obtaining module 700 in fig. 8 is shown by a downward connecting line).
When the abnormal encryption instruction obtaining module 700 does not obtain the abnormal encryption instruction, the current instruction to be detected is executed by returning to the execution module 801, that is, the connection line to the left in fig. 8 at the position of the abnormal encryption instruction obtaining module 700 is shown.
According to the abnormal encrypted instruction obtained by the abnormal encrypted instruction obtaining module 700, the security determining module 702 is adapted to:
and extracting the program characteristics of the abnormal program segment, and determining the safety of the abnormal program segment according to the program characteristics.
The program features indicate the type of abnormality and are used to determine whether the abnormal program segment belongs to a ransomware program. They may be critical operational instructions that ransomware executes at run time, such as instructions that invoke cryptographic functions or instructions that traverse all of the user's data.
According to extracted program features, in some embodiments, the security determination module 702 is further adapted to:
and extracting the program characteristics of the abnormal program segment by using anti-virus software, and determining the safety of the abnormal program segment according to the program characteristics.
When program features are not present in the virus library of the antivirus software, the security determination module 702 is further adapted to:
and starting user confirmation, and receiving a user confirmation result to obtain the safety of the abnormal program section.
In order to facilitate the control and execution of the program security detection method, the program security detection apparatus further includes:
an execution module 801, adapted to stop executing the program to be detected including the abnormal encryption instruction, that is, as shown by a right connecting line at the execution module 801 in fig. 8;
the execution queue adjusting module 802 is adapted to move the to-be-detected program to which the abnormal encryption instruction belongs out of a program running queue.
The execution queue adjusting module 802 is further adapted to, when it is determined that the security of the abnormal program segment is safe, adjust a specific abnormal instruction identifier of the program to be detected to which the abnormal program segment belongs to be a non-abnormal identifier, and return the program to be detected to which the abnormal program segment belongs to the program running queue.
When the program is detected to be unsafe, the program security detection apparatus further comprises:
a program deleting module 803, (shown by the downward connecting line at the security determining module 702 of fig. 8) is adapted to delete the program to be detected to which the abnormal program segment belongs when the abnormal program segment is determined to be non-secure.
When the abnormal program is detected to be safe (indicated by the rightward connecting line at the security determining module 702 in fig. 8), or when the abnormal encrypted instruction obtaining module determines that the current instruction to be detected is a non-encrypted instruction or that its specific abnormal instruction identifier is the non-abnormal identifier, the execution module 801 is further adapted to execute the current instruction to be detected, as indicated by the leftward connecting line at the execution queue adjusting module 802 in fig. 8.
It can be seen that, while the security determining module 702 performs security detection on the to-be-detected program segment including the abnormal encryption instruction, the analysis running module 602 is not hindered from executing the next program, so that the efficiency of program detection and overall program running is further improved.
Therefore, unnecessary detection time for the normal program can be saved, the running of the normal program is not influenced, and the efficiency of program safety detection can be further improved.
The embodiment of the application also provides an integrated circuit which is suitable for realizing the program safety detection method provided by the embodiment of the application.
An embodiment of the present application further provides an electronic device, which may include the integrated circuit provided in the embodiment of the present application.
Although the embodiments of the present application are disclosed above, the present application is not limited thereto. Various changes and modifications may be effected therein by one of ordinary skill in the pertinent art without departing from the scope or spirit of the present disclosure, and it is intended that the scope of the present disclosure be defined by the appended claims.

Claims (27)

1. A method for detecting program security, comprising:
acquiring an abnormal encryption instruction of a program to be detected, wherein the abnormal encryption instruction is an encryption instruction which is not confirmed in safety;
acquiring an abnormal program segment according to the abnormal encryption instruction, wherein the abnormal program segment comprises the abnormal encryption instruction, and the instruction number of the abnormal program segment is smaller than the total instruction amount of the program to be detected;
and carrying out abnormal encryption program detection on the abnormal program segment, determining the safety of the abnormal program segment, and obtaining the safety of the program to be detected.
2. The program security detection method of claim 1, further comprising, before the step of obtaining the abnormal encryption instruction of the program to be detected:
analyzing a current instruction to be detected of the program to be detected, wherein each instruction of the program to be detected is provided with a specific abnormal instruction identifier;
the step of obtaining the abnormal encryption instruction of the program to be detected comprises the following steps:
and when the current instruction to be detected is an encrypted instruction and the specific abnormal instruction identifier of the current instruction to be detected is an abnormal identifier, obtaining the abnormal encrypted instruction.
3. The program security detection method of claim 2, wherein the setting of the specific abnormal instruction flag comprises:
loading the program to be detected;
initializing the CPU context of the program to be detected, and setting the specific abnormal instruction identification in the specific abnormal instruction identification field of the CPU context.
4. The program security detection method of claim 3, wherein the step of setting the specific abnormal instruction identification in a specific abnormal instruction identification field of the CPU context comprises:
when the digital signature of the program to be detected is acquired and the signature passes, setting the specific abnormal instruction identifier as a non-abnormal identifier in a specific abnormal instruction identifier field of the context of the CPU;
and when the digital signature of the program to be detected is not acquired or the signature verification fails, setting the specific abnormal instruction identifier as an abnormal identifier in a specific abnormal instruction identifier field of the context of the CPU.
5. The program security detection method of claim 3, wherein the step of setting the specific abnormal instruction identification in a specific abnormal instruction identification field of the CPU context comprises:
setting the specific abnormal instruction identification in a specific abnormal instruction identification field of the CPU context by utilizing an operating system kernel.
6. The program security detection method of any one of claims 1 to 5, wherein the abnormal encrypted program detection is performed on the abnormal program segment, and the step of determining the security of the abnormal program segment includes:
and extracting the program characteristics of the abnormal program segment, and determining the safety of the abnormal program segment according to the program characteristics.
7. The program security detection method of claim 6, wherein the step of extracting the program feature of the abnormal program segment and determining the security of the abnormal program segment according to the program feature comprises:
and extracting the program characteristics of the abnormal program segment by using anti-virus software, and determining the safety of the abnormal program segment according to the program characteristics.
8. The program security detection method of claim 7, further comprising:
and when the security of the abnormal program section cannot be determined by the antivirus software according to the program characteristics, starting user confirmation, receiving a user confirmation result, and obtaining the security of the abnormal program section.
9. The program security detection method of any one of claims 1 to 5, further comprising, after the step of obtaining the abnormal encryption instruction of the program to be detected:
and stopping executing the program to be detected comprising the abnormal encryption instruction.
10. The program security detection method of any one of claims 1 to 5, further comprising, after the step of obtaining the abnormal encryption instruction of the program to be detected:
and moving the program to be detected to which the abnormal encryption instruction belongs out of a program running queue.
11. The program security detection method of claim 10, further comprising:
when the safety of the abnormal program segment is determined to be safe, the specific abnormal instruction identifier of the program to be detected, to which the abnormal program segment belongs, is adjusted to be a non-abnormal identifier, and the program to be detected, to which the abnormal program segment belongs, is returned to the program running queue.
12. The program security detection method of any one of claims 1 to 5, further comprising:
and when the abnormal program segment is determined to be unsafe, deleting the program to be detected to which the abnormal program segment belongs.
13. The program security detection method of any one of claims 2-5, further comprising:
and when the current instruction to be detected is a non-encrypted instruction or the specific abnormal instruction identifier of the current instruction to be detected is a non-abnormal identifier, executing the current instruction to be detected.
14. A program security detection apparatus, comprising:
the abnormal encryption instruction acquisition module is suitable for acquiring an abnormal encryption instruction of a program to be detected, wherein the abnormal encryption instruction is an encryption instruction which is not confirmed in safety;
an abnormal program segment obtaining module, adapted to obtain an abnormal program segment according to the abnormal encryption instruction, where the abnormal program segment includes the abnormal encryption instruction, and the instruction number of the abnormal program segment is smaller than the total instruction amount of the program to be detected;
and the safety determination module is suitable for carrying out abnormal encryption program detection on the abnormal program segment, determining the safety of the abnormal program segment and obtaining the safety of the program to be detected.
15. The program security detection apparatus of claim 14, further comprising:
the analysis operation module is suitable for analyzing the current to-be-detected instruction of the to-be-detected program, and each instruction of the to-be-detected program is provided with a specific abnormal instruction identifier;
the abnormal encryption instruction acquisition module is suitable for acquiring the abnormal encryption instruction of the program to be detected, and comprises the following steps:
and when the current instruction to be detected is an encrypted instruction and the specific abnormal instruction identifier of the current instruction to be detected is an abnormal identifier, the abnormal encrypted instruction acquisition module acquires the abnormal encrypted instruction.
16. The program security detection apparatus of claim 15, further comprising:
the program loading module is suitable for loading the program to be detected;
and the initialization module is suitable for initializing the CPU context of the program to be detected, and setting the specific abnormal instruction identification in the specific abnormal instruction identification field of the CPU context.
17. The program security detection apparatus of claim 16, wherein the initialization module adapted to set the specific abnormal instruction identification in a specific abnormal instruction identification field of the CPU context comprises:
when the digital signature of the program to be detected is acquired and the signature passes, setting the specific abnormal instruction identifier as a non-abnormal identifier in a specific abnormal instruction identifier field of the context of the CPU;
and when the digital signature of the program to be detected is not acquired or the signature verification fails, setting the specific abnormal instruction identifier as an abnormal identifier in a specific abnormal instruction identifier field of the context of the CPU.
18. The program security detection apparatus of claim 16, wherein the initialization module adapted to set the specific abnormal instruction identification in a specific abnormal instruction identification field of the CPU context comprises:
setting the specific abnormal instruction identification in a specific abnormal instruction identification field of the CPU context by utilizing an operating system kernel.
19. The program security detection apparatus of any of claims 14-18, wherein the security determination module is further adapted to:
and extracting the program characteristics of the abnormal program segment, and determining the safety of the abnormal program segment according to the program characteristics.
20. The program security detection apparatus of claim 19, wherein the security determination module is further adapted to:
and extracting the program characteristics of the abnormal program segment by using anti-virus software, and determining the safety of the abnormal program segment according to the program characteristics.
21. The program security detection apparatus of claim 20, wherein the security determination module is further adapted to:
and when the security of the abnormal program segment cannot be determined by the antivirus software according to the program characteristics, starting user confirmation, receiving a user confirmation result, and obtaining the security of the abnormal program segment.
22. The program security detection apparatus of any one of claims 14-18, further comprising:
the execution module is suitable for stopping executing the program to be detected comprising the abnormal encryption instruction;
and the execution queue adjusting module is suitable for moving the program to be detected to which the abnormal encryption instruction belongs out of a program running queue.
23. The program security detection apparatus of claim 22, wherein the execution queue adjusting module is further adapted to, when the security of the abnormal program segment is determined to be safe, adjust the specific abnormal instruction identifier of the program to be detected to which the abnormal program segment belongs to a non-abnormal identifier, and return the program to be detected to which the abnormal program segment belongs to the program running queue.
24. The program security detection apparatus of any one of claims 14-18, further comprising:
and the program deleting module is suitable for deleting the program to be detected to which the abnormal program segment belongs when the abnormal program segment is determined to be unsafe.
25. The program security detection apparatus according to claim 22, wherein the execution module is further adapted to execute the current instruction to be detected when the abnormal encrypted instruction obtaining module determines that the current instruction to be detected is an unencrypted instruction or the specific abnormal instruction identifier of the current instruction to be detected is a non-abnormal identifier.
26. An integrated circuit configured to implement the program security detection method of any one of claims 1 to 13.
27. An electronic device comprising the integrated circuit of claim 26.
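A toy model of the flow the claims above describe (initialisation of the abnormal identifier from a signature check, stopping and dequeuing on an abnormal encryption instruction, extracting a segment smaller than the whole program, scanning it by program characteristics, optional user confirmation, and re-queuing or deleting), written as an added illustration. It is not code from the patent or from Haiguang. Everything concrete in it is an assumption: an HMAC over the instruction encoding stands in for the digital signature of claim 17 (a real deployment would use an asymmetric signature), a fixed-radius window of neighbouring instructions stands in for the abnormal program segment, adjacent-opcode pairs matched against a constructed feature list stand in for the antivirus engine of claims 19 and 20, and a callback stands in for the user confirmation of claim 21.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional

# Constructed demo key; stand-in for the publisher's signing key (assumption:
# the real scheme would use an asymmetric digital signature, not an HMAC).
SIGNING_KEY = b"constructed-demo-signing-key"
SEGMENT_RADIUS = 2  # assumption: neighbours on each side that form the segment


class Verdict(Enum):
    SAFE = "safe"
    UNSAFE = "unsafe"
    UNKNOWN = "unknown"


@dataclass
class Instruction:
    opcode: str
    encrypted: bool = False  # "encrypted instruction" in the claims' sense


@dataclass
class Program:
    name: str
    instructions: List[Instruction]
    signature: Optional[bytes] = None


@dataclass
class CpuContext:
    abnormal: bool  # the "specific abnormal instruction identifier" field (claim 16)
    pc: int = 0


def encode(program: Program) -> bytes:
    return "\n".join(f"{i.opcode}:{int(i.encrypted)}" for i in program.instructions).encode()


def sign(program: Program) -> bytes:
    return hmac.new(SIGNING_KEY, encode(program), hashlib.sha256).digest()


def initialize_context(program: Program) -> CpuContext:
    """Claim 17: the identifier is non-abnormal only if a signature is present and verifies."""
    ok = program.signature is not None and hmac.compare_digest(program.signature, sign(program))
    return CpuContext(abnormal=not ok)


def extract_segment(program: Program, index: int) -> List[Instruction]:
    """Claim 1: the segment contains the abnormal instruction and has strictly
    fewer instructions than the whole program (a one-instruction program cannot
    satisfy that, so it is returned whole)."""
    total = len(program.instructions)
    lo, hi = max(0, index - SEGMENT_RADIUS), min(total, index + SEGMENT_RADIUS + 1)
    while hi - lo >= total and hi - lo > 1:  # shrink if the window covers everything
        if hi - 1 > index:
            hi -= 1
        else:
            lo += 1
    return program.instructions[lo:hi]


# Constructed feature lists standing in for the antivirus engine (claims 19, 20).
KNOWN_BAD = {("DEC", "ERASE_DISK")}
KNOWN_GOOD = {("DEC", "STORE")}


def feature_scanner(segment: List[Instruction]) -> Verdict:
    """Extract program characteristics (here: adjacent opcode pairs) and judge them."""
    pairs = {(a.opcode, b.opcode) for a, b in zip(segment, segment[1:])}
    if pairs & KNOWN_BAD:
        return Verdict.UNSAFE
    if pairs & KNOWN_GOOD:
        return Verdict.SAFE
    return Verdict.UNKNOWN


@dataclass
class Result:
    status: str                 # "completed" or "deleted"
    executed: List[str]
    scanned: bool = False
    run_queue: List[str] = field(default_factory=list)


def run_program(program: Program,
                scanner: Callable[[List[Instruction]], Verdict] = feature_scanner,
                confirm: Optional[Callable[[List[Instruction]], Verdict]] = None) -> Result:
    ctx = initialize_context(program)
    run_queue = [program.name]
    executed: List[str] = []
    scanned = False
    for pc, ins in enumerate(program.instructions):
        ctx.pc = pc
        if not ins.encrypted or not ctx.abnormal:
            executed.append(ins.opcode)              # claim 13: plain execution
            continue
        run_queue.remove(program.name)               # claims 9, 10: stop and dequeue
        verdict = scanner(extract_segment(program, pc))
        scanned = True
        if verdict is Verdict.UNKNOWN and confirm is not None:
            verdict = confirm(extract_segment(program, pc))   # claim 21
        if verdict is not Verdict.SAFE:              # unknown with no confirmer fails closed (assumption)
            return Result("deleted", executed, scanned, run_queue)   # claim 12
        ctx.abnormal = False                         # claim 11: clear identifier, re-queue
        run_queue.append(program.name)
        executed.append(ins.opcode)
    return Result("completed", executed, scanned, run_queue)


def make_program(name: str, spec: List[tuple], signed: bool) -> Program:
    """Build a constructed sample program from (opcode, encrypted) pairs."""
    p = Program(name, [Instruction(op, enc) for op, enc in spec])
    if signed:
        p.signature = sign(p)
    return p
```

Note that a validly signed program never reaches the scanner, which is exactly the trust decision claim 17 makes: the signature check, not the content scan, is what exempts a program, so the strength of the scheme rests on the signing key staying out of the hands of whoever produces the encrypted instructions.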

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111603144.2A CN114297647B (en) 2021-12-24 2021-12-24 Program security detection method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111603144.2A CN114297647B (en) 2021-12-24 2021-12-24 Program security detection method and related device

Publications (2)

Publication Number Publication Date
CN114297647A true CN114297647A (en) 2022-04-08
CN114297647B CN114297647B (en) 2022-10-04

Family

ID=80970017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111603144.2A Active CN114297647B (en) 2021-12-24 2021-12-24 Program security detection method and related device

Country Status (1)

Country Link
CN (1) CN114297647B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5778211A (en) * 1996-02-15 1998-07-07 Sun Microsystems, Inc. Emulating a delayed exception on a digital computer having a corresponding precise exception mechanism
US20030093685A1 (en) * 2001-11-15 2003-05-15 Tobin John P.E. Method and system for obfuscation of computer program execution flow to increase computer program security
CN107741907A (en) * 2017-09-30 2018-02-27 北京梆梆安全科技有限公司 With reference to bottom instruction and the simulator detection method and device of system information
CN110879889A (en) * 2019-11-27 2020-03-13 武汉虹旭信息技术有限责任公司 Method and system for detecting malicious software of Windows platform
CN112181841A (en) * 2020-10-10 2021-01-05 有半岛(北京)信息科技有限公司 Detected anomaly detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN114297647B (en) 2022-10-04

Similar Documents

Publication Publication Date Title
AU2020203503B2 (en) Automated runtime detection of malware
KR102296754B1 (en) secure storage device
US10893068B1 (en) Ransomware file modification prevention technique
US10291634B2 (en) System and method for determining summary events of an attack
US11797677B2 (en) Cloud based just in time memory analysis for malware detection
US8195953B1 (en) Computer program with built-in malware protection
EP2420949B1 (en) Information processing system, information processing method, information processing program, computer readable medium and computer data signal
US7631356B2 (en) System and method for foreign code detection
US7607122B2 (en) Post build process to record stack and call tree information
EP3270318B1 (en) Dynamic security module terminal device and method for operating same
AU2021319159B2 (en) Advanced ransomware detection
EP2492833A1 (en) Method and apparatus for detecting malicious software
US10902122B2 (en) Just in time memory analysis for malware detection
Alzahrani et al. Ransomware in windows and android platforms
KR20180060819A (en) Apparatus and method for blocking attack of ransom ware
US10880316B2 (en) Method and system for determining initial execution of an attack
CN114297647B (en) Program security detection method and related device
CN111125793B (en) Trusted verification method and system for object memory in access control
CN112597449B (en) Software encryption method, device, equipment and storage medium
KR101825699B1 (en) Method for improving security in program using CNG(cryptography API next generation) and apparatus for using the same
KR20190020999A (en) Apparatus and method for malware
CN117668822A (en) Application program starting control method and device and electronic equipment
KR20220098952A (en) Apparatus and Method for Decoding Data by Ransomware
CN117454370A (en) Software decryption method, software encryption method, electronic device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant