CN115688106A - Method and device for detecting Java agent non-file-injection memory horse - Google Patents
Method and device for detecting Java agent non-file-injection memory horse Download PDFInfo
- Publication number
- CN115688106A CN115688106A CN202211436170.5A CN202211436170A CN115688106A CN 115688106 A CN115688106 A CN 115688106A CN 202211436170 A CN202211436170 A CN 202211436170A CN 115688106 A CN115688106 A CN 115688106A
- Authority
- CN
- China
- Prior art keywords
- file
- memory
- proc
- read
- self
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 239000003795 chemical substances by application Substances 0.000 title claims abstract description 32
- 238000000034 method Methods 0.000 title claims abstract description 30
- 238000002347 injection Methods 0.000 title claims abstract description 27
- 239000007924 injection Substances 0.000 title claims abstract description 27
- 230000006870 function Effects 0.000 claims description 21
- 238000001514 detection method Methods 0.000 claims description 19
- 238000004458 analytical method Methods 0.000 claims description 4
- 239000004579 marble Substances 0.000 claims 2
- 238000012544 monitoring process Methods 0.000 abstract description 5
- 230000006399 behavior Effects 0.000 description 10
- 238000010586 diagram Methods 0.000 description 9
- 238000004590 computer program Methods 0.000 description 7
- 238000005516 engineering process Methods 0.000 description 6
- 241000239226 Scorpiones Species 0.000 description 4
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 241000283086 Equidae Species 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 239000000243 solution Substances 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000011897 real-time detection Methods 0.000 description 1
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a method and a device for detecting a Java agent non-file injection memory horse, which comprise the following steps: analyzing a/proc/self/maps file in the JAVA system to obtain a loading range of libjvm.so; detecting the/proc/self/mem file in the JAVA system in real time; judging whether the writing range of the read-write operation of the proc/self/mem file in the memory is the loading range of libjvm.so; if yes, judging the read-write operation as a malicious memory operation, and intercepting; if not, the read-write operation is judged to be normal memory operation. Malicious shellcode writing is detected by monitoring the memory operation of/proc/self/mem of the Java web container program, and malicious injection memory horse is found and intercepted in time, so that the safety and the stability are improved.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for detecting a Java agent non-file-injection memory horse.
Background
Java Agent is a technology introduced in JDK1.5 that can modify bytecode without affecting normal compilation, i.e. dynamically modify loaded or unloaded classes, including attributes and methods of the classes. Some malicious Webshell attack behaviors can modify the classes such as http servlet and the like by using the technology without falling to the ground of a file, so as to achieve the behavior of injecting the memory horse. The technology only carries out class modification and residence in a memory, and files are not stored on a disk in a ground mode, so that the technology is difficult to discover by conventional security software.
Disclosure of Invention
The invention aims to provide a method and a device for detecting a Java agent non-file injection memory horse.
In order to solve the above technical problem, a first aspect of the embodiments of the present invention provides a method for detecting a Java agent non-file-injection memory horse, including the following steps:
the method comprises the steps of analyzing a/proc/self/maps file in a JAVA system to obtain a loading range of libjvm.so;
detecting the/proc/self/mem file in the JAVA system in real time;
judging whether the writing range of the read-write operation of the/proc/self/mem file in the memory is the loading range of the libjvm.so;
if so, judging the read-write operation as a malicious memory operation, and intercepting;
if not, the read-write operation is judged to be normal memory operation.
Further, the detecting the/proc/self/mem file in the JAVA system in real time includes:
HOOK hooking is carried out on the read-write file function of the/proc/self/mem file;
and detecting the read-write operation of the memory of the/proc/self/mem file in real time in the HOOK function.
Further, after determining that the read-write operation is a malicious memory operation and intercepting the malicious memory operation, the method further includes:
and sending alarm information to the JAVA system, wherein the alarm information comprises the file name related to the read-write operation and the write-in range in the memory.
Further, the loading range of libjvm.so includes: so, base address and size of said libjvm.
Accordingly, a second aspect of the embodiments of the present invention provides a device for detecting a Java agent non-file-injection memory horse, including:
the analysis module is used for analyzing/proc/self/maps files in the JAVA system to obtain the loading range of libjvm.so;
the detection module is used for detecting the/proc/self/mem file in the JAVA system in real time;
the judging module is used for judging whether the writing range of the read-write operation of the/proc/self/mem file in the memory is the loading range of libjvm.so;
the control module is used for judging that the read-write operation is malicious memory operation when the write-in range of the read-write operation of the/proc/self/mem file in the memory is the loading range of the libjvm.so, intercepting and sending alarm information;
the control module is further configured to determine that the read-write operation is a normal memory operation when a write-in range of the read-write operation of the/proc/self/mem file in the memory is outside the load range of the libjvm.
Further, the detection module includes:
a HOOK function executing unit, which is used for HOOK to the read-write file function of the/proc/self/mem file;
and the detection execution unit is used for detecting the read-write operation of the memory of the/proc/self/mem file in the HOOK function in real time.
Further, the apparatus for detecting that the Java agent does not have the file to be injected into the memory horse further includes: an alarm module;
the warning module is used for sending warning information to the JAVA system, and the warning information comprises file names related to the read-write operation and a write-in range in the memory.
So, the loading range of libjvm includes: so, base address and size of said libjvm.
Accordingly, a third aspect of an embodiment of the present invention provides an electronic device, including: at least one processor; and a memory coupled to the at least one processor; the storage stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the method for detecting the Java agent no-file-injection memory horse.
Accordingly, a fourth aspect of the embodiments of the present invention provides a computer-readable storage medium, on which computer instructions are stored, and when the computer instructions are executed by a processor, the method for detecting Java agent non-file injection into a memory horse is implemented.
The technical scheme of the embodiment of the invention has the following beneficial technical effects:
malicious shellcode writing is detected by monitoring the memory operation of/proc/self/mem of the Java web container program, the behavior of maliciously injecting a memory horse is found in time and intercepted, and the safety and the stability of the system are improved.
Drawings
FIG. 1 is a flowchart of a method for detecting a Java agent non-file-injected memory horse according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating a method for detecting a Java agent non-file-injection memory horse according to an embodiment of the present invention;
FIG. 3 is a block diagram of a module of a detection apparatus for Java agent no-file injection into a memory horse according to an embodiment of the present invention;
fig. 4 is a block diagram of a determining module according to an embodiment of the present invention.
Reference numerals:
1. the device comprises an analysis module 2, a detection module 21, a HOOK function execution unit 22, a detection execution unit 3, a judgment module 4, a control module 5 and an alarm module.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the accompanying drawings in combination with the embodiments. It is to be understood that these descriptions are only illustrative and are not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
Java Agent is a technology introduced in JDK1.5 that can modify bytecode without affecting normal compilation, i.e. dynamically modify loaded or unloaded classes, including attributes and methods of the classes. Some malicious webshells, such as ice scorpions, provide the AgentNoFile memory horse injection function in order to hide themselves, and the attack behavior of the webshells can modify http servlet and other classes by using the following technology without landing a file, so as to achieve the behavior of memory horse injection. The attack method comprises the following steps:
1. analyzing/proc/self/maps to obtain a loading base address and a loading path of libjvm.so as to analyze an ELF head of libjvm.so as to obtain offsets of java _ io _ RandomessFile _ length and JNI _ GetCreatedJava VMs, and obtaining the addresses of functions of java _ io _ RandomessFile _ length and JNI _ GetCreatedJava VMs in the memory through the base address and the offsets.
2. The shellcode is written and the JNI _ GetCreatedJavaVMs are called to obtain the pointer of the JVM IEnV object.
3. And backing up a java _ io _ RandomAccess File _ length function body through reading/proc/self/mem.
4. And writing the shellcode in the step 2 into a java _ io _ Rando Maccessfile _ length address through writing/proc/self/mem.
5. Calling Java _ io _ random access file _ length at the Java layer to obtain a long return value, namely a pointer of the JVMTIEnv object.
6. And recovering the java _ io _ RandomAccess File _ length code.
7. JPLISAgents are constructed using pointers to JVMTEIEnv objects.
8. With the JPLISAgent object, a java, lang, instruction, and then class modification and HOOK can be performed through the instruction, redefineConslass, and memory horse residence is realized.
Malicious Webshells such as ice scorpions can modify and reside in the memory through the steps, files are not stored in a magnetic disk in a landing manner, and conventional security software is difficult to find and intercept, so that the system has large potential safety hazards.
In order to solve the above problems, a system is detected and defended in real time for behaviors of injecting memory horses into malicious webshells such as ice scorpions, and referring to fig. 1 and fig. 2, a first aspect of an embodiment of the present invention provides a method for detecting a Java agent file-free injected memory horse, including the following steps:
and S100, analyzing the/proc/self/maps file in the JAVA system to obtain the loading range of libjvm.
So, the loading range of libjvm includes: so base address and size. Analyzing/proc/self/maps to obtain a loading base address and a loading path of libjvm.so as to analyze an ELF head of libjvm.so as to obtain offsets of java _ io _ RandomessFile _ length and JNI _ GetCreatedJavaVMs, and obtaining addresses of functions of java _ io _ RandomessFile _ length and JNI _ GetCreatedJavaVMs in the memory through the base address and the offsets.
S200, detecting the/proc/self/mem file in the JAVA system in real time.
S300, judging whether the writing range of the read-write operation of the/proc/self/mem file in the memory is the loading range of libjvm.
S400, if the writing range of the read-write operation of the/proc/self/mem file in the memory is the loading range of libjvm.
And S500, if the writing range of the read-write operation of the/proc/self/mem file in the memory is beyond the loading range of libjvm.
According to the technical scheme, malicious shellcode writing is detected by monitoring the memory operation of/proc/self/mem of the Java web container program, malicious shellcode writing is found in time, malicious Webshell ice scorpions and the like are written in through/proc/self/mem, behaviors of memory horses are injected and intercepted, and the safety and the stability of the system are improved.
Specifically, in step S300, the real-time detection of the/proc/self/mem file in the JAVA system further includes the following steps:
s310, HOOK is carried out on the read-write file function of the/proc/self/mem file.
S320, detecting the read-write operation of the memory of the/proc/self/mem file in HOOK in real time.
Further, after the step S500 of determining that the read-write operation is a malicious memory operation and intercepting the malicious memory operation, the method further includes:
s600, sending alarm information to the JAVA system, wherein the alarm information comprises file names related to read-write operation and a write-in range in a memory.
Accordingly, referring to fig. 3, a second aspect of the present invention provides a device for detecting a Java agent no-file-injection memory horse, including:
the analysis module 1 is used for analyzing/proc/self/maps files in the JAVA system to obtain a loading range of libjvm.so;
the detection module 2 is used for detecting the/proc/self/mem file in the JAVA system in real time;
the judging module 3 is used for judging whether the writing range of the read-write operation of the/proc/self/mem file in the memory is the loading range of libjvm.so;
the control module 4 is used for judging that the read-write operation is malicious memory operation when the write-in range of the read-write operation of the/proc/self/mem file in the memory is the loading range of libjvm.so, intercepting and sending warning information;
the control module 4 is further configured to determine that the read-write operation is a normal memory operation when the write-in range of the read-write operation of the/proc/self/mem file in the memory is outside the load range of libjvm.
Further, referring to fig. 4, the detecting module 2 further includes:
a HOOK execution unit 21 for HOOK of read-write file function of/proc/self/mem file;
and the detection execution unit 22 is used for detecting the read-write operation of the memory of the/proc/self/mem file in the HOOK in real time.
In addition, the detection device for Java agent to inject no file into the memory horse further comprises: and an alarm module 5. The alarm module 5 is configured to send alarm information to the JAVA system, where the alarm information includes a file name related to the read-write operation and a write-in range in the memory.
So, the loading range of libjvm includes: so, base address and size.
The detection device for the Java agent non-file injection memory horse detects malicious shellcode writing by monitoring the memory operation of/proc/self/mem of a Java web container program, finds out the behavior of maliciously injecting the memory horse in time and intercepts the behavior, and improves the safety and stability of the system.
Accordingly, a third aspect of embodiments of the present invention provides an electronic device, comprising: at least one processor; and a memory coupled to the at least one processor; the storage stores instructions which can be executed by at least one processor, and the instructions are executed by the at least one processor, so that the at least one processor executes the method for detecting the Java agent non-file-injection-into-memory horse.
Accordingly, a fourth aspect of the embodiments of the present invention provides a computer-readable storage medium, on which computer instructions are stored, and when the computer instructions are executed by a processor, the method for detecting Java agent non-file-injection memory horse is implemented.
The embodiment of the invention aims to protect a detection method for Java agent non-file injection memory horse, which comprises the following steps: the method comprises the steps of analyzing a/proc/self/maps file in a JAVA system to obtain a loading range of libjvm.so; detecting the/proc/self/mem file in the JAVA system in real time; judging whether the writing range of the read-write operation of the proc/self/mem file in the memory is the loading range of libjvm.so; if so, judging the read-write operation as a malicious memory operation, and intercepting; if not, the read-write operation is judged to be normal memory operation. The technical scheme has the following effects:
by monitoring the memory operation of the/proc/self/mem of the Java web container program, malicious shellcode writing is found, the behavior of maliciously injecting a memory horse is found in time and intercepted, and the safety and the stability of the system are improved.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
Claims (10)
1. A detection method for Java agent non-file injection memory horse is characterized by comprising the following steps:
the method comprises the steps of analyzing a/proc/self/maps file in a JAVA system to obtain a loading range of libjvm.so;
detecting the/proc/self/mem file in the JAVA system in real time;
judging whether the writing range of the read-write operation of the/proc/self/mem file in the memory is the loading range of the libjvm.so;
if so, judging the read-write operation as a malicious memory operation, and intercepting;
if not, the read-write operation is judged to be normal memory operation.
2. The method for detecting Java agent non-file-injection memory horse according to claim 1, wherein the detecting/proc/self/mem file in the Java system in real time comprises:
HOOK is carried out on the read-write file function of the/proc/self/mem file;
and detecting the read-write operation of the memory of the/proc/self/mem file in real time in the HOOK function.
3. The method for detecting a Java agent non-file injection memory horse according to claim 1, wherein after determining that the read-write operation is a malicious memory operation and intercepting the operation, the method further comprises:
and sending alarm information to the JAVA system, wherein the alarm information comprises the file name related to the read-write operation and the write-in range in the memory.
4. The method for Java agent non-file injection into Marble horse detection according to any of claims 1-3,
so, the loading range of the libjvm includes: so, base address and size of said libjvm.
5. A detection device for Java agent to inject a memory horse without a file is characterized by comprising:
the analysis module (1) is used for analyzing/proc/self/maps files in the JAVA system to obtain the loading range of libjvm.so;
a detection module (2) for detecting the/proc/self/mem file in the JAVA system in real time;
a judging module (3) for judging whether the write-in range of the read-write operation of the/proc/self/mem file in the memory is the load range of libjvm.so;
the control module (4) is used for judging that the read-write operation is malicious memory operation when the write-in range of the read-write operation of the/proc/self/mem file in the memory is the loading range of the libjvm.so, intercepting and sending alarm information;
the control module (4) is further configured to determine that the read-write operation is a normal memory operation when a write-in range of the read-write operation of the/proc/self/mem file in the memory is outside the load range of the libjvm.
6. The apparatus for detecting Java agent no-file-injection memory horse according to claim 5, wherein the detection module (2) comprises:
a HOOK function execution unit (21) for HOOK of the read-write file function of the/proc/self/mem file;
and the detection execution unit (22) is used for detecting the read-write operation of the memory of the/proc/self/mem file in real time in the HOOK function.
7. The apparatus for detecting Java agent non-file-injection memory horse according to claim 5, further comprising: an alarm module (5);
the alarm module (5) is used for sending alarm information to the JAVA system, wherein the alarm information comprises file names related to the read-write operation and a write-in range in the memory.
8. The apparatus for Java agent non-file injection into Marble horse detection according to any of claims 5-7,
so, the loading range of the libjvm includes: so, base address and size of said libjvm.
9. An electronic device, comprising: at least one processor; and a memory coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the method for Java agent no file injection into memory horse claimed in any of claims 1-4.
10. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the Java agent no file injection memory horse detection method as claimed in any of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211436170.5A CN115688106A (en) | 2022-11-16 | 2022-11-16 | Method and device for detecting Java agent non-file-injection memory horse |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211436170.5A CN115688106A (en) | 2022-11-16 | 2022-11-16 | Method and device for detecting Java agent non-file-injection memory horse |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115688106A true CN115688106A (en) | 2023-02-03 |
Family
ID=85053851
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211436170.5A Pending CN115688106A (en) | 2022-11-16 | 2022-11-16 | Method and device for detecting Java agent non-file-injection memory horse |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115688106A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116318941A (en) * | 2023-03-09 | 2023-06-23 | 安芯网盾(北京)科技有限公司 | Method and device for detecting injected TomcatUpgrade memory horse |
| CN117792805A (en) * | 2024-02-28 | 2024-03-29 | 北京长亭科技有限公司 | Network security detection method and device based on memory horse simulation |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112069499A (en) * | 2020-09-15 | 2020-12-11 | 北京微步在线科技有限公司 | Detection method, detection device, storage medium and electronic equipment |
| CN113312624A (en) * | 2021-06-21 | 2021-08-27 | 厦门服云信息科技有限公司 | Java Web application memory Trojan detection method, terminal device and storage medium |
| CN114065196A (en) * | 2021-09-30 | 2022-02-18 | 奇安信科技集团股份有限公司 | Java memory horse detection method and device, electronic equipment and storage medium |
| CN114065204A (en) * | 2021-11-29 | 2022-02-18 | 中国工商银行股份有限公司 | File-free Trojan horse searching and killing method and device |
| US20220253528A1 (en) * | 2021-02-09 | 2022-08-11 | National Central University | System and method of fileless malware detection and non-transitory computer readable medium |
-
2022
- 2022-11-16 CN CN202211436170.5A patent/CN115688106A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112069499A (en) * | 2020-09-15 | 2020-12-11 | 北京微步在线科技有限公司 | Detection method, detection device, storage medium and electronic equipment |
| US20220253528A1 (en) * | 2021-02-09 | 2022-08-11 | National Central University | System and method of fileless malware detection and non-transitory computer readable medium |
| CN113312624A (en) * | 2021-06-21 | 2021-08-27 | 厦门服云信息科技有限公司 | Java Web application memory Trojan detection method, terminal device and storage medium |
| CN114065196A (en) * | 2021-09-30 | 2022-02-18 | 奇安信科技集团股份有限公司 | Java memory horse detection method and device, electronic equipment and storage medium |
| CN114065204A (en) * | 2021-11-29 | 2022-02-18 | 中国工商银行股份有限公司 | File-free Trojan horse searching and killing method and device |
Non-Patent Citations (3)
| Title |
|---|
| 姚纪卫 等: ""基于内存保护技术的二进制内存破坏型漏洞攻击防护方法研究"" * |
| 张金莉 等: ""面向JAVA的高对抗内存型Webshell检测技术"" * |
| 黑客技术: ""Linux下无文件Java agent探究"" * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116318941A (en) * | 2023-03-09 | 2023-06-23 | 安芯网盾(北京)科技有限公司 | Method and device for detecting injected TomcatUpgrade memory horse |
| CN116318941B (en) * | 2023-03-09 | 2023-10-10 | 安芯网盾(北京)科技有限公司 | Method and device for detecting injected TomcatUpgrade memory horse |
| CN117792805A (en) * | 2024-02-28 | 2024-03-29 | 北京长亭科技有限公司 | Network security detection method and device based on memory horse simulation |
| CN117792805B (en) * | 2024-02-28 | 2024-05-24 | 北京长亭科技有限公司 | Network security detection method and device based on memory horse simulation |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN115688106A (en) | Method and device for detecting Java agent non-file-injection memory horse | |
| US7631356B2 (en) | System and method for foreign code detection | |
| US9223964B2 (en) | Detecting JAVA sandbox escaping attacks based on JAVA bytecode instrumentation and JAVA method hooking | |
| US6698016B1 (en) | Method for injecting code into another process | |
| US7797702B1 (en) | Preventing execution of remotely injected threads | |
| CN113569246B (en) | Vulnerability detection method, vulnerability detection device, computer equipment and storage medium | |
| US11675905B2 (en) | System and method for validating in-memory integrity of executable files to identify malicious activity | |
| JPWO2005024630A1 (en) | Method and program for preventing illegal code | |
| JP2009129451A (en) | Apparatus and method for detecting dynamic link library inserted by malicious code | |
| CN103632088A (en) | Method and device for detecting Trojan horses | |
| KR101064164B1 (en) | Kernel integrity inspection and the recovery method on linux kernel based smart platform | |
| CN108898012B (en) | Method and apparatus for detecting illegal program | |
| CN111259386A (en) | Kernel security detection method, device, equipment and storage medium | |
| CN109933986B (en) | Malicious code detection method and device | |
| US11151247B2 (en) | System and method for detecting malware injected into memory of a computing device | |
| CN112214267A (en) | Android shelling acceleration method and device, storage medium and computer equipment | |
| CN111428240B (en) | Method and device for detecting illegal access of memory of software | |
| CN111931191A (en) | Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform | |
| CN114936368A (en) | Java memory Trojan detection method, terminal device and storage medium | |
| JP4898823B2 (en) | Application information alteration monitoring device and method | |
| US8607348B1 (en) | Process boundary isolation using constrained processes | |
| CN116775147B (en) | Executable file processing method, device, equipment and storage medium | |
| US20240020140A1 (en) | Computer system enabled with runtime software module tracking | |
| CN112347499B (en) | Program self-protection method | |
| CN110610086B (en) | Illegal code identification method, system, device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20230203 |