CN115859274B - Method and system for monitoring event log behavior of Windows process emptying system - Google Patents

Publication number: CN115859274B
Application number: CN202211599879.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN115859274A
Inventors: 姜向前, 代鹏, 鲍春杰
Assignee: Anxin Wangdun Beijing Technology Co ltd
Legal status: Active
Prior art keywords: event log, remote procedure call, Windows, procedure call, log

Abstract

Embodiments of the invention disclose a method and a system for monitoring the behavior of a Windows process that clears the system event log. The method comprises the following steps: locating the dynamic link library module that implements the Windows event log service and searching it for the signature of a remote procedure call (RPC) server interface structure matching the byte-code features of a specific RPC interface; finding the address of the event log clearing function that takes wide-character parameters; hooking that function to obtain the name of the log file to be cleared and the information of the calling process; and reporting the log file name and process information to an upper-layer policy control engine, which judges whether the behavior is malicious. The system comprises a process injection module, an RPC server interface search module, a search module for the wide-character event log clearing function, a hooking module and an upper-layer policy control engine module. The invention can accurately capture the behavior of a process clearing the system event log, and intercept or allow that behavior.

Description

Method and system for monitoring event log behavior of Windows process emptying system
Technical Field
The invention relates to the technical field of anti-virus detection, in particular to a method and a system for monitoring event log behavior of a Windows process emptying system.
Background
To avoid their intrusion being discovered, malicious programs conceal themselves in various ways, such as hiding their real IP address, clearing system logs, deleting uploaded tools, hiding backdoor files and erasing the traces left during the intrusion. The various malicious intrusions on a computer are difficult to clean up manually one by one. Windows malware can actively clear the system event log to remove traces of its activity, so monitoring processes that clear the log has real practical value.
Disclosure of Invention
Therefore, an object of the embodiments of the present invention is to provide a method and a system for monitoring the behavior of a Windows process clearing the system event log, which can accurately capture the behavior of a process clearing the system event log and intercept or allow that behavior in a simple and efficient manner.
In a first aspect, an embodiment of the present invention provides a method for monitoring the behavior of a Windows process clearing the system event log, the method including:
injecting a functional dynamic link library into the process that hosts the Windows event log service;
locating the dynamic link library (DLL) module corresponding to the Windows event log service, and searching the code sections of that module for the signature of a remote procedure call server interface (RPC_SERVER_INTERFACE) structure that matches the byte-code features of the specific Remote Procedure Call (RPC) interface;
looking up the address of the wide-character event log clearing function ElfrClearELFW in the dispatch function table (DispatchTable member) of the RPC_SERVER_INTERFACE structure;
hooking ElfrClearELFW to obtain the name of the log file to be cleared and the information of the calling process;
reporting the log file name and the process information to an upper-layer policy control engine, which judges whether the behavior is malicious;
executing an allow or intercept policy according to the judgment result.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where locating the dynamic link library DLL module corresponding to the Windows event log service includes:
for Windows XP or Windows 2003 systems, locating the event log dynamic link library eventlog.dll in the system process services.exe;
for Windows Vista, Windows, Windows 8, Windows 8.1, Windows 10 or Windows 11 systems, locating the Windows event log service dynamic link library wevtsvc.dll in the service container process svchost.exe.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the members of the RPC_SERVER_INTERFACE structure are as follows:
the structure length, unsigned int Length, is 0x44 on a 32-bit system and 0x60 on a 64-bit system;
the interface identifier, RPC_SYNTAX_IDENTIFIER InterfaceId, has the syntax GUID (SyntaxGUID) 82273FDC-E32A-18C3-3F78-827929DC23EA and the syntax version (SyntaxVersion) 0.0;
the transfer syntax, RPC_SYNTAX_IDENTIFIER TransferSyntax, has the syntax GUID 8A885D04-1CEB-11C9-9FE8-08002B104860 and the syntax version 2.0;
the dispatch function table pointer, PRPC_DISPATCH_TABLE DispatchTable, points to the table of interface function addresses provided by the RPC service, whose first entry is the address of the wide-character event log clearing function ElfrClearELFW; the pointer itself is an arbitrary non-zero value;
the protocol sequence endpoint count, unsigned int RpcProtseqEndpointCount, has the value 0;
the protocol sequence endpoint array pointer, PRPC_PROTSEQ_ENDPOINT RpcProtseqEndpoint, has the value 0;
the default manager entry point vector, RPC_MGR_EPV __RPC_FAR *DefaultManagerEpv, has the value 0;
the interpreter information structure pointer, void const __RPC_FAR *InterpreterInfo, is an arbitrary non-zero value;
the flags field, unsigned int Flags, has the value 4 on a 32-bit system and 6 on a 64-bit system.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, wherein the code sections of the dynamic link library DLL module include the code section .text and the read-only data section .rdata.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where hooking the wide-character event log clearing function ElfrClearELFW to obtain the name of the log file to be cleared and the process information includes:
the first input parameter of ElfrClearELFW points to the handle of the log to be cleared;
the log handle is a pointer to the service handle context structure IELF_HANDLE, whose Name member contains the name of the log file;
when the Hook function is triggered, it reads the Name member of the log handle to obtain the name of the log file to be cleared;
in the Hook function, the API I_RpcBindingIsClientLocal (which queries whether the RPC binding belongs to a local client) or RpcServerInqCallAttributes (which queries the call attributes of the RPC server) is called to determine whether the call is a local RPC; if it is, the process ID (PID) of the RPC client is further queried to obtain the process information.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where reporting the log file name and the process information to the upper-layer policy control engine and judging whether the behavior is malicious includes:
reporting the name of the log file and the process information to the upper-layer policy control engine;
the upper-layer policy control engine judges whether the behavior is malicious through a control policy, where the control policy comprises a black-and-white list library and a malicious feature library.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation manner of the first aspect, where executing the allow or intercept policy according to the judgment result includes:
if the process's clearing of the system event log is malicious, the Hook function returns the failure status STATUS_UNSUCCESSFUL, blocks and intercepts the log clearing, and raises an alarm to the user;
if the behavior is not malicious, the original wide-character event log clearing function ElfrClearELFW is called so that execution continues.
In a second aspect, an embodiment of the present invention further provides a system for monitoring the behavior of a Windows process clearing the system event log, where the system includes:
a process injection module, configured to inject the functional dynamic link library into the process that hosts the Windows event log service;
an RPC server interface search module, configured to locate the dynamic link library DLL module corresponding to the Windows event log service and search its code sections for the signature of an RPC_SERVER_INTERFACE structure that matches the byte-code features of the specific RPC interface;
an event log clearing function search module, configured to look up the address of the wide-character event log clearing function ElfrClearELFW in the DispatchTable member of the RPC_SERVER_INTERFACE structure;
a hooking module, configured to hook ElfrClearELFW to obtain the name of the log file to be cleared and the process information;
an upper-layer policy control engine module, configured to report the log file name and the process information to the upper-layer policy control engine, judge whether the behavior is malicious, and execute the allow or intercept policy according to the judgment result.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation manner of the second aspect, where the hooking module includes:
a log file reading unit, configured to read the Name member of the log handle when the Hook function is triggered, so as to obtain the name of the log file to be cleared;
a process information reading unit, configured to call, in the Hook function, the API I_RpcBindingIsClientLocal (which queries whether the RPC binding belongs to a local client) or RpcServerInqCallAttributes (which queries the call attributes of the RPC server) to determine whether the call is a local RPC and, if it is, to further query the process ID (PID) of the RPC client to obtain the process information.
With reference to the second aspect, an embodiment of the present invention provides a second possible implementation manner of the second aspect, where the upper-layer policy control engine module includes:
a reporting unit, configured to report the name of the log file and the process information to the upper-layer policy control engine;
a judging unit, configured to have the upper-layer policy control engine judge whether the behavior is malicious through a control policy, where the control policy comprises a black-and-white list library and a malicious feature library;
an interception unit, configured to have the Hook function return the failure status STATUS_UNSUCCESSFUL if the process's clearing of the system event log is malicious, blocking and intercepting the log clearing;
an alarm unit, configured to raise an alarm to the user if the process's clearing of the system event log is malicious;
a release unit, configured to call the original wide-character event log clearing function ElfrClearELFW so that execution continues if the process's clearing of the system event log is not malicious.
The embodiments of the invention have the following beneficial effects:
a Windows program clears a log by calling the API ClearEventLog. Internally, ClearEventLog invokes an RPC interface provided by the Windows Event Log Service, and the RPC interface functions ultimately reached are the event log clearing function ElfrClearELFW, which takes wide-character parameters, and the event log clearing function ElfrClearELFA, which takes narrow-character parameters. Because ElfrClearELFA ultimately calls ElfrClearELFW, the invention hooks ElfrClearELFW and thereby monitors all operations that clear the system log.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of the method for monitoring the behavior of a Windows process clearing the system event log according to the present invention;
FIG. 2 is an overall diagram of the method for monitoring the behavior of a Windows process clearing the system event log according to the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein can be arranged and designed in a wide variety of different configurations.
Referring to FIGS. 1 and 2, a first embodiment of the present invention provides a method for monitoring the behavior of a Windows process clearing the system event log, which includes:
injecting a functional dynamic link library into the process that hosts the Windows event log service;
locating the dynamic link library (DLL) module corresponding to the Windows event log service, and searching the code sections of that module for the signature of a remote procedure call server interface (RPC_SERVER_INTERFACE) structure that matches the byte-code features of the specific Remote Procedure Call (RPC) interface.
Specifically, the code sections of the dynamic link library DLL module include the code section .text and the read-only data section .rdata.
Specifically, locating the dynamic link library DLL module corresponding to the Windows event log service includes: for Windows XP or Windows 2003 systems, locating the event log dynamic link library eventlog.dll in the system process services.exe; for Windows Vista, Windows, Windows 8, Windows 8.1, Windows 10 or Windows 11 systems, locating the Windows event log service dynamic link library wevtsvc.dll in the service container process svchost.exe.
The address of the wide-character event log clearing function ElfrClearELFW is looked up in the dispatch function table (DispatchTable member) of the RPC_SERVER_INTERFACE structure.
Specifically, the members of the RPC_SERVER_INTERFACE structure are as follows:
the structure length, unsigned int Length, is 0x44 on a 32-bit system and 0x60 on a 64-bit system;
the interface identifier, RPC_SYNTAX_IDENTIFIER InterfaceId, has the syntax GUID (SyntaxGUID) 82273FDC-E32A-18C3-3F78-827929DC23EA and the syntax version (SyntaxVersion) 0.0;
the transfer syntax, RPC_SYNTAX_IDENTIFIER TransferSyntax, has the syntax GUID 8A885D04-1CEB-11C9-9FE8-08002B104860 and the syntax version 2.0;
the dispatch function table pointer, PRPC_DISPATCH_TABLE DispatchTable, points to the table of interface function addresses provided by the RPC service, whose first entry is the address of the wide-character event log clearing function ElfrClearELFW; the pointer itself is an arbitrary non-zero value;
the protocol sequence endpoint count, unsigned int RpcProtseqEndpointCount, has the value 0;
the protocol sequence endpoint array pointer, PRPC_PROTSEQ_ENDPOINT RpcProtseqEndpoint, has the value 0;
the default manager entry point vector, RPC_MGR_EPV __RPC_FAR *DefaultManagerEpv, has the value 0;
the interpreter information structure pointer, void const __RPC_FAR *InterpreterInfo, is an arbitrary non-zero value;
the flags field, unsigned int Flags, has the value 4 on a 32-bit system and 6 on a 64-bit system.
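The signature search described in the preceding steps, as an added example (portable C written for this page, not code from the patent): it walks a raw byte image for an RPC_SERVER_INTERFACE whose fields all carry the values listed above, for both the 32-bit (0x44) and 64-bit (0x60) layouts, and returns the DispatchTable pointer. The image, the decoy structure and every pointer value are constructed; a real implementation would scan the .text and .rdata sections of the loaded wevtsvc.dll or eventlog.dll instead.

```c
/* Added example, not from the patent: find the EVENTLOG RPC_SERVER_INTERFACE in a raw
 * byte image by the field-by-field signature above and read back its DispatchTable
 * pointer (first entry: ElfrClearELFW). Layouts are hand-laid-out to run off-Windows. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Windows GUID byte order: Data1/Data2/Data3 little-endian, Data4 as written. */
static const uint8_t EVENTLOG_IF_GUID[16] = {   /* 82273FDC-E32A-18C3-3F78-827929DC23EA */
    0xDC,0x3F,0x27,0x82, 0x2A,0xE3, 0xC3,0x18, 0x3F,0x78,0x82,0x79,0x29,0xDC,0x23,0xEA };
static const uint8_t NDR_TS_GUID[16] = {        /* 8A885D04-1CEB-11C9-9FE8-08002B104860 */
    0x04,0x5D,0x88,0x8A, 0xEB,0x1C, 0xC9,0x11, 0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60 };

typedef struct { size_t offset; int is64; uint64_t dispatch_table; } rpc_if_match;

/* Little-endian readers/writers so the scan does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rdptr(const uint8_t *p, int is64) { uint64_t v = rd32(p); return is64 ? v | (uint64_t)rd32(p + 4) << 32 : v; }
static void wrle(uint8_t *p, uint64_t v, int w) { for (int i = 0; i < w; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* RPC_SYNTAX_IDENTIFIER = GUID followed by RPC_VERSION {u16 MajorVersion, u16 MinorVersion}. */
static int syntax_is(const uint8_t *p, const uint8_t g[16], uint16_t maj, uint16_t min) {
    return memcmp(p, g, 16) == 0 && rd16(p + 16) == maj && rd16(p + 18) == min;
}

/* Field offsets for the two pointer widths: x86 packs to 0x44 bytes, x64 pads to 0x60. */
typedef struct { uint32_t length, flags; size_t dispatch, ep_count, ep, epv, interp, flags_off; } layout;
static layout layout_for(int is64) {
    layout l32 = { 0x44, 4, 0x2C, 0x30, 0x34, 0x38, 0x3C, 0x40 };
    layout l64 = { 0x60, 6, 0x30, 0x38, 0x40, 0x48, 0x50, 0x58 };
    return is64 ? l64 : l32;
}

/* Signature test at one candidate position; every field the description fixes must agree. */
static int match_at(const uint8_t *p, size_t avail, int is64, rpc_if_match *out) {
    layout L = layout_for(is64);
    if (avail < L.length || rd32(p) != L.length) return 0;       /* Length */
    if (!syntax_is(p + 0x04, EVENTLOG_IF_GUID, 0, 0)) return 0;  /* InterfaceId, version 0.0 */
    if (!syntax_is(p + 0x18, NDR_TS_GUID, 2, 0)) return 0;       /* TransferSyntax, version 2.0 */
    uint64_t dispatch = rdptr(p + L.dispatch, is64);
    if (dispatch == 0) return 0;                                  /* DispatchTable: any non-zero */
    if (rd32(p + L.ep_count) != 0) return 0;                      /* RpcProtseqEndpointCount == 0 */
    if (rdptr(p + L.ep, is64) != 0) return 0;                     /* RpcProtseqEndpoint == 0 */
    if (rdptr(p + L.epv, is64) != 0) return 0;                    /* DefaultManagerEpv == 0 */
    if (rdptr(p + L.interp, is64) == 0) return 0;                 /* InterpreterInfo: any non-zero */
    if (rd32(p + L.flags_off) != L.flags) return 0;               /* Flags: 4 (x86) / 6 (x64) */
    out->is64 = is64; out->dispatch_table = dispatch;
    return 1;
}

/* Walk the image at 4-byte alignment, trying the x64 layout first; 1 on the first hit. */
int find_eventlog_interface(const uint8_t *img, size_t n, rpc_if_match *out) {
    for (size_t off = 0; off + 0x44 <= n; off += 4)
        for (int is64 = 1; is64 >= 0; is64--)
            if (match_at(img + off, n - off, is64, out)) { out->offset = off; return 1; }
    return 0;
}

/* Write one structure instance (used only to build the constructed sample image). */
static void emit_interface(uint8_t *p, int is64, uint64_t dispatch, uint32_t ep_count) {
    layout L = layout_for(is64);
    int ps = is64 ? 8 : 4;
    memset(p, 0, L.length);
    wrle(p, L.length, 4);
    memcpy(p + 0x04, EVENTLOG_IF_GUID, 16);          /* InterfaceId version 0.0 left as zeros */
    memcpy(p + 0x18, NDR_TS_GUID, 16);
    wrle(p + 0x28, 2, 2);                            /* TransferSyntax MajorVersion = 2 */
    wrle(p + L.dispatch, dispatch, ps);
    wrle(p + L.ep_count, ep_count, 4);
    wrle(p + L.interp, 0x140001000ULL, ps);          /* constructed non-zero pointer */
    wrle(p + L.flags_off, L.flags, 4);
}

/* Constructed sample: noise, a decoy whose RpcProtseqEndpointCount is 1 (must be
 * rejected), then the genuine structure. Returns the genuine structure's offset. */
size_t build_sample_image(uint8_t *buf, size_t n, int is64) {
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)(i * 37 + 11);
    emit_interface(buf + 0x20, is64, 0x14000A000ULL, 1);
    emit_interface(buf + 0xA0, is64, 0x14000B000ULL, 0);
    return 0xA0;
}

/* 1 if the scan over a fresh sample image lands on the genuine structure, not the decoy. */
int self_check(int is64) {
    uint8_t img[0x200];
    rpc_if_match m;
    size_t planted = build_sample_image(img, sizeof img, is64);
    uint64_t want = is64 ? 0x14000B000ULL : 0x4000B000ULL;  /* x86 keeps only the low 32 bits */
    return find_eventlog_interface(img, sizeof img, &m) && m.offset == planted
        && m.is64 == is64 && m.dispatch_table == want;
}

int main(void) {
    printf("x64 scan %s, x86 scan %s\n", self_check(1) ? "ok" : "FAILED", self_check(0) ? "ok" : "FAILED");
    return 0;
}
```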
ElfrClearELFW is hooked to obtain the name of the log file to be cleared and the process information.
Specifically, hooking the wide-character event log clearing function ElfrClearELFW to obtain the log file name and the process information includes:
the first input parameter of ElfrClearELFW points to the handle of the log to be cleared;
the log handle is a pointer to the service handle context structure IELF_HANDLE, whose Name member contains the name of the log file;
when the Hook function is triggered, it reads the Name member of the log handle to obtain the name of the log file to be cleared;
in the Hook function, the API I_RpcBindingIsClientLocal (which queries whether the RPC binding belongs to a local client) or RpcServerInqCallAttributes (which queries the call attributes of the RPC server) is called to determine whether the call is a local RPC; if it is, the process ID (PID) of the RPC client is further queried to obtain the process information.
The log file name and the process information are reported to an upper-layer policy control engine, which judges whether the behavior is malicious.
Specifically, reporting the log file name and the process information to the upper-layer policy control engine and judging whether the behavior is malicious includes: reporting the name of the log file and the process information to the upper-layer policy control engine; the upper-layer policy control engine judges whether the behavior is malicious through a control policy, where the control policy comprises a black-and-white list library and a malicious feature library.
An allow or intercept policy is executed according to the judgment result.
Specifically, executing the allow or intercept policy according to the judgment result includes:
if the process's clearing of the system event log is malicious, the Hook function returns the failure status STATUS_UNSUCCESSFUL, blocks and intercepts the log clearing, and raises an alarm to the user; if the behavior is not malicious, the original wide-character event log clearing function ElfrClearELFW is called so that execution continues.
A second embodiment of the present invention provides a system for monitoring the behavior of a Windows process clearing the system event log, including:
a process injection module, configured to inject the functional dynamic link library into the process that hosts the Windows event log service;
an RPC server interface search module, configured to locate the dynamic link library DLL module corresponding to the Windows event log service and search its code sections for the signature of an RPC_SERVER_INTERFACE structure that matches the byte-code features of the specific RPC interface;
an event log clearing function search module, configured to look up the address of the wide-character event log clearing function ElfrClearELFW in the DispatchTable member of the RPC_SERVER_INTERFACE structure;
a hooking module, configured to hook ElfrClearELFW to obtain the name of the log file to be cleared and the process information.
Specifically, the hooking module includes:
a log file reading unit, configured to read the Name member of the log handle when the Hook function is triggered, so as to obtain the name of the log file to be cleared; and a process information reading unit, configured to call, in the Hook function, the API I_RpcBindingIsClientLocal (which queries whether the RPC binding belongs to a local client) or RpcServerInqCallAttributes (which queries the call attributes of the RPC server) to determine whether the call is a local RPC and, if it is, to further query the process ID (PID) of the RPC client to obtain the process information.
The system further includes an upper-layer policy control engine module, configured to report the log file name and the process information to the upper-layer policy control engine, judge whether the behavior is malicious, and execute the allow or intercept policy according to the judgment result.
Specifically, the upper-layer policy control engine module includes: a reporting unit, configured to report the name of the log file and the process information to the upper-layer policy control engine; a judging unit, configured to have the upper-layer policy control engine judge whether the behavior is malicious through a control policy, where the control policy comprises a black-and-white list library and a malicious feature library; an interception unit, configured to have the Hook function return the failure status STATUS_UNSUCCESSFUL if the process's clearing of the system event log is malicious, blocking and intercepting the log clearing; an alarm unit, configured to raise an alarm to the user if the process's clearing of the system event log is malicious; and a release unit, configured to call the original wide-character event log clearing function ElfrClearELFW so that execution continues if the process's clearing of the system event log is not malicious.
The embodiments of the invention are intended to protect a method and a system for monitoring the behavior of a Windows process clearing the system event log, and have the following effects:
the invention hooks the wide-character event log clearing function ElfrClearELFW and thereby monitors the operations that clear the system log. The method and system can accurately capture the behavior of a process clearing the system event log and intercept or allow that behavior, and are simple and efficient.
The computer program product of the method and apparatus for monitoring the event log behavior of the Windows process emptying system provided in the embodiments of the present invention includes a computer readable storage medium storing program codes, and the instructions included in the program codes may be used to execute the method in the foregoing method embodiment, and specific implementation may refer to the method embodiment and will not be repeated herein.
Specifically, the storage medium can be a general storage medium, such as a removable disk or a hard disk. When the computer program on the storage medium is executed, the method for monitoring the behavior of a Windows process clearing the system event log can be carried out, so that the behavior of a process clearing the system event log can be accurately captured and then intercepted or allowed.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention, and are not intended to limit the scope of the present invention, but it should be understood by those skilled in the art that the present invention is not limited thereto, and that the present invention is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (2)

1. A method for monitoring the behavior of a Windows process emptying system event log, comprising:
injecting the function dynamic link library into a process corresponding to the Windows event log service;
finding a dynamic link library module corresponding to Windows event log service, and searching a code segment section of the dynamic link library module for a feature code of a remote procedure call server interface structure body conforming to the byte code feature of a specific remote procedure call interface;
searching an address of a clearing event log function accepting the wide character parameter in a dispatch function table member of the remote procedure call server interface structure;
hooking operation is carried out on the emptying event log function which receives the wide character parameters, so that log file names and process information to be emptied are obtained;
reporting the name of the log file and the process information to an upper layer strategy control engine, and judging whether the log file is malicious or not;
executing a release or interception strategy according to the judgment result;
the hooking operation of the emptying event log function receiving the wide character parameters, and obtaining the name and the process information of the log file to be emptied comprises the following steps:
the first input parameter of the emptying event log function accepting the wide character parameter points to a log handle to be emptied;
triggering a hooking function, and reading name members of the log handle to obtain the name of the log file to be emptied;
calling an application programming interface for inquiring whether the remote procedure call binding is a local client or inquiring the call attribute of a remote procedure server in the hook function, judging whether the remote procedure call is a local remote procedure call, and further calling a process index if the remote procedure call is the local remote procedure call to obtain process information;
finding the dynamic link library module corresponding to the Windows event log service comprises:
for Windows XP or Windows 2003 systems, finding the event log dynamic link library in the system process;
for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 or Windows 11 systems, finding the Windows event log service dynamic link library in the service container process;
the parameters of the remote procedure call server interface structure include:
the length of the structure, which is 0x44 on a 32-bit system and 0x60 on a 64-bit system;
the interface identifier, whose syntax global unique identifier has the value 2273FDC-E32A-18C3-3F78-827929DC23EA and whose syntax version is 0.0;
the transfer syntax, whose syntax global unique identifier has the value 8A885D04-1CEB-11C9-9FE8-08002B104860 and whose syntax version is 2.0;
the dispatch function table pointer, where the dispatch function table holds the table of interface function addresses provided by the RPC service, the first entry of that table is the address of the clear event log function that accepts wide character parameters, and the pointer may take any non-zero value;
the number of remote procedure call protocol sequence endpoints, which is 0;
the remote procedure call protocol sequence endpoint array pointer, whose value is 0;
the default manager entry point vector, whose value is 0;
the interpreter information structure pointer, which may take any non-zero value;
the flags (identification) value, which is 4 on a 32-bit system and 6 on a 64-bit system;
the code sections of the dynamic link library module space comprise the text section and the read-only data section;
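As an added illustration of the signature search described in the claim (this is not code from the patent or its applicant), the C program below lays out the remote procedure call server interface structure for both pointer widths, applies the field rules listed above to every 4-byte-aligned offset of a buffer, and follows the dispatch table pointer to entry 0. The buffer is constructed inside the program to stand in for the read-only data section of the event log service module; the load address and the function address placed in it are made-up values, and pointers inside the sample are resolved as offsets from that assumed load address, as a scanner working on a memory dump would do. The page prints the first field of the interface identifier as 2273FDC; the program uses the full 32-bit value 0x82273FDC, which is the value the MS-EVEN eventlog interface is published with, and the transfer syntax identifier exactly as listed.

```c
/* Added example: locate the RPC server interface structure of the event log
 * service by the byte signature in the claim and resolve dispatch-table
 * entry 0 (the clear event log function). Not the patent's code; the image
 * below is constructed, with made-up addresses. Assumes a little-endian host. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } guid_t;   /* 16 bytes, no padding */

/* Interface identifier of the eventlog interface (MS-EVEN), syntax version 0.0.
 * The page prints the first field as 2273FDC; the full 32-bit value is 0x82273FDC. */
static const guid_t EVENTLOG_IF = { 0x82273FDC, 0xE32A, 0x18C3, {0x3F,0x78,0x82,0x79,0x29,0xDC,0x23,0xEA} };
/* NDR transfer syntax 8A885D04-1CEB-11C9-9FE8-08002B104860, syntax version 2.0. */
static const guid_t NDR_SYNTAX  = { 0x8A885D04, 0x1CEB, 0x11C9, {0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60} };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static uint64_t rdptr(const uint8_t *p, int bits) { return bits == 64 ? rd64(p) : rd32(p); }
static void w32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void w64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Field offsets of RPC_SERVER_INTERFACE for each pointer width. Length and
 * Flags are the values the claim gives: 0x44/4 on 32-bit, 0x60/6 on 64-bit. */
typedef struct { uint32_t len; size_t ptr, dispatch, count, endpoint, epv, interp, flags_off; uint32_t flags; } layout_t;
static layout_t layout_for(int bits) {
    if (bits == 64) return (layout_t){ 0x60, 8, 48, 56, 64, 72, 80, 88, 6 };
    return              (layout_t){ 0x44, 4, 44, 48, 52, 56, 60, 64, 4 };
}

/* RPC_SYNTAX_IDENTIFIER: 16-byte GUID followed by u16 major, u16 minor version. */
static int syntax_matches(const uint8_t *p, const guid_t *g, uint16_t major, uint16_t minor) {
    return memcmp(p, g, 16) == 0 && rd32(p + 16) == (((uint32_t)minor << 16) | major);
}

/* The field rules of the claim applied at one candidate offset. */
static int is_eventlog_server_interface(const uint8_t *p, int bits) {
    layout_t L = layout_for(bits);
    return rd32(p) == L.len
        && syntax_matches(p + 4,  &EVENTLOG_IF, 0, 0)
        && syntax_matches(p + 24, &NDR_SYNTAX,  2, 0)
        && rdptr(p + L.dispatch, bits) != 0          /* DispatchTable: any non-zero */
        && rd32(p + L.count) == 0                     /* RpcProtseqEndpointCount */
        && rdptr(p + L.endpoint, bits) == 0           /* RpcProtseqEndpoint */
        && rdptr(p + L.epv, bits) == 0                /* DefaultManagerEpv */
        && rdptr(p + L.interp, bits) != 0             /* InterpreterInfo: any non-zero */
        && rd32(p + L.flags_off) == L.flags;
}

/* Scan an image (a copy of the module's read-only/code sections loaded at
 * `base`) and return the address in dispatch-table entry 0, or 0 if no
 * structure matches. Pointers are resolved as offsets from `base`. */
uint64_t find_clear_eventlog_fn(const uint8_t *img, size_t len, uint64_t base, int bits) {
    layout_t L = layout_for(bits);
    for (size_t off = 0; off + L.len <= len; off += 4) {      /* 4-byte aligned candidates */
        if (!is_eventlog_server_interface(img + off, bits)) continue;
        uint64_t dt = rdptr(img + off + L.dispatch, bits);   /* -> RPC_DISPATCH_TABLE */
        if (dt < base || dt - base + 2 * L.ptr > len) return 0;
        const uint8_t *tbl = img + (dt - base);
        if (rd32(tbl) == 0) return 0;                         /* DispatchTableCount */
        uint64_t fns = rdptr(tbl + L.ptr, bits);              /* RPC_DISPATCH_FUNCTION *DispatchTable */
        if (fns < base || fns - base + L.ptr > len) return 0;
        return rdptr(img + (fns - base), bits);               /* entry 0 = the clear function */
    }
    return 0;
}

#define SAMPLE_BASE  0x7FF600000000ULL   /* constructed module load address */
#define SAMPLE_CLEAR 0x7FF600012340ULL   /* constructed address of the clear function */

/* Build a constructed 64-bit image: filler, the interface structure at 0x40,
 * the dispatch table at 0xC0 and its function table at 0xE0. */
size_t build_sample_image(uint8_t *img, size_t cap) {
    const size_t need = 0x100;
    if (cap < need) return 0;
    memset(img, 0xCC, need);
    uint8_t *s = img + 0x40;
    w32(s + 0, 0x60);                                        /* Length */
    memcpy(s + 4,  &EVENTLOG_IF, 16); w32(s + 20, 0);        /* InterfaceId, version 0.0 */
    memcpy(s + 24, &NDR_SYNTAX,  16); w32(s + 40, 2);        /* TransferSyntax, version 2.0 */
    w32(s + 44, 0);                                          /* padding */
    w64(s + 48, SAMPLE_BASE + 0xC0);                         /* DispatchTable */
    w32(s + 56, 0); w32(s + 60, 0);                          /* RpcProtseqEndpointCount, padding */
    w64(s + 64, 0); w64(s + 72, 0);                          /* RpcProtseqEndpoint, DefaultManagerEpv */
    w64(s + 80, SAMPLE_BASE + 0x200);                        /* InterpreterInfo: any non-zero */
    w32(s + 88, 6); w32(s + 92, 0);                          /* Flags, padding */
    uint8_t *t = img + 0xC0;
    w32(t, 1); w32(t + 4, 0); w64(t + 8, SAMPLE_BASE + 0xE0); w64(t + 16, 0);
    w64(img + 0xE0, SAMPLE_CLEAR);                           /* entry 0 */
    return need;
}

/* Self-test helper: scan the sample, optionally with the Flags field corrupted. */
uint64_t sample_lookup(int bits, int corrupt_flags) {
    uint8_t img[0x100];
    size_t n = build_sample_image(img, sizeof img);
    if (corrupt_flags) img[0x40 + 88] = 4;                   /* 32-bit flag value on a 64-bit struct */
    return find_clear_eventlog_fn(img, n, SAMPLE_BASE, bits);
}

int main(void) {
    printf("clear event log function at 0x%llX\n", (unsigned long long)sample_lookup(64, 0));
    return sample_lookup(64, 0) == SAMPLE_CLEAR ? 0 : 1;
}
```

On a live system the scanner would be fed a copy of the module's text and read-only data sections together with the module base address; the matching and pointer-following logic is unchanged. Checking every field rather than only the two identifiers matters because the interface identifier also appears in client-side stubs and in string form elsewhere, and only the full structure carries a usable dispatch table pointer.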
reporting the log file name and the process information to the upper layer policy control engine and judging whether the clearing behavior is malicious comprises:
reporting the log file name and the process information to the upper layer policy control engine;
the upper layer policy control engine judging, by means of a control policy, whether the behavior is malicious, wherein the control policy comprises a black-and-white list library and a malicious feature library;
executing the release or interception policy according to the judgment result comprises:
if the process's clearing of the system event log is malicious, the hook function returns a failure status, the log clearing is blocked and intercepted, and an alarm is raised to the user;
if the process's clearing of the system event log is not malicious, the original clear event log function that accepts wide character parameters is called and execution continues.
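The hook-side steps of the claim (reading the name member of the handle, telling local from remote callers, reporting to the policy control engine, and the release-or-intercept decision) as an added example in C; this is not the patent's own code. The Windows RPC runtime is not available offline, so the log handle, the local-client flag and the caller's process identifier and image path are constructed inputs; the original clear function is a stand-in that simply reports success; the allow list, deny list and the two "malicious feature" rules are constructed policy content; and using ERROR_ACCESS_DENIED as the failure status the hook returns is an assumption, since the claim only says the hook returns an unsuccessful status.

```c
/* Added example: the hook's decision path from the claim, with the Windows RPC
 * runtime replaced by constructed inputs. Not the patent's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <wchar.h>

#define RPC_S_OK            0  /* status of a released (passed-through) call */
#define ERROR_ACCESS_DENIED 5  /* assumed: the failure status the hook returns to block */

/* Constructed stand-in for the service's internal log handle; the hook only
 * reads its name member, as the claim describes. */
typedef struct { const wchar_t *name; } log_handle_t;

/* Caller facts that, on Windows, the hook would obtain from the RPC runtime:
 * whether the binding is a local client and, for local callers, the PID and
 * the image path looked up from it. pid/image_path are unused when is_local is 0. */
typedef struct { int is_local; uint32_t pid; const char *image_path; } call_ctx_t;

/* What gets reported to the policy control engine. */
typedef struct { char log_name[64]; int is_local; uint32_t pid; char image[260]; } report_t;

typedef enum { VERDICT_PASS = 0, VERDICT_BLOCK = 1 } verdict_t;

/* Constructed policy content (lower-case paths); a real engine would load its
 * black-and-white list library and malicious feature library instead. */
static const char *ALLOW_LIST[] = { "c:\\program files\\example-backup\\agent.exe" };
static const char *DENY_LIST[]  = { "c:\\users\\public\\cleaner.exe" };

static int ieq(const char *a, const char *b) {            /* case-insensitive equality */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
static int in_list(const char *s, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++) if (ieq(s, list[i])) return 1;
    return 0;
}

/* Hook steps: read the handle's name member; if the call is a local RPC,
 * attach the caller's process information (remote callers have no PID). */
void build_report(const log_handle_t *h, const call_ctx_t *c, report_t *r) {
    memset(r, 0, sizeof *r);
    for (size_t i = 0; h->name[i] && i + 1 < sizeof r->log_name; i++)
        r->log_name[i] = (char)h->name[i];               /* log names here are ASCII */
    r->is_local = c->is_local;
    if (c->is_local) {
        r->pid = c->pid;
        strncpy(r->image, c->image_path ? c->image_path : "", sizeof r->image - 1);
        for (char *p = r->image; *p; p++) *p = (char)tolower((unsigned char)*p);
    }
}

/* The upper layer policy control engine: the allow list passes, the deny list
 * and the malicious feature rules block, anything else is released but reported. */
verdict_t policy_decide(const report_t *r) {
    if (r->is_local && in_list(r->image, ALLOW_LIST, 1)) return VERDICT_PASS;
    if (r->is_local && in_list(r->image, DENY_LIST, 1))  return VERDICT_BLOCK;
    /* feature 1 (constructed): the Security log cleared by a caller whose process
     * cannot be identified, i.e. a non-local RPC client */
    if (ieq(r->log_name, "Security") && !r->is_local) return VERDICT_BLOCK;
    /* feature 2 (constructed): any log cleared by an image running from a
     * user-writable temp directory */
    if (r->is_local && strstr(r->image, "\\appdata\\local\\temp\\")) return VERDICT_BLOCK;
    return VERDICT_PASS;
}

/* The hook body: report, ask the engine, then intercept or release. */
int hooked_clear_event_log(const log_handle_t *h, const call_ctx_t *c,
                           int (*original)(const log_handle_t *), report_t *out) {
    build_report(h, c, out);
    if (policy_decide(out) == VERDICT_BLOCK) {
        fprintf(stderr, "ALERT: blocked clearing of '%s' by pid %u (%s)\n",
                out->log_name, (unsigned)out->pid, out->is_local ? out->image : "<remote caller>");
        return ERROR_ACCESS_DENIED;                      /* interception: the log is not cleared */
    }
    return original(h);                                  /* release: continue with the original function */
}

/* Stand-in for the original clear event log function. */
static int original_clear(const log_handle_t *h) { (void)h; return RPC_S_OK; }

/* Constructed scenarios; returns the status the hook would hand back to RPC. */
int run_scenario(int which) {
    static const wchar_t *SEC = L"Security", *APP = L"Application";
    log_handle_t h; call_ctx_t c; report_t r;
    switch (which) {
    case 0:  h.name = SEC; c = (call_ctx_t){1, 4242, "C:\\Program Files\\Example-Backup\\agent.exe"}; break;
    case 1:  h.name = APP; c = (call_ctx_t){1, 5150, "C:\\Users\\Public\\cleaner.exe"}; break;
    case 2:  h.name = SEC; c = (call_ctx_t){0, 0, NULL}; break;
    case 3:  h.name = APP; c = (call_ctx_t){1, 7777, "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe"}; break;
    default: h.name = APP; c = (call_ctx_t){1, 8888, "C:\\Program Files\\Some-Vendor\\monitor.exe"}; break;
    }
    return hooked_clear_event_log(&h, &c, original_clear, &r);
}

int main(void) {
    for (int i = 0; i < 5; i++) printf("scenario %d -> status %d\n", i, run_scenario(i));
    return 0;
}
```

The order of the checks mirrors the claim: process information is only attached when the RPC runtime reports a local client, so the engine has to be written to reach a verdict without a PID as well, which is why the first feature rule keys on the log name and the absence of caller identity rather than on an image path.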
2. A system for monitoring the behavior of a Windows process emptying the system event log, comprising:
a process injection module, used for injecting the functional dynamic link library into the process corresponding to the Windows event log service;
a remote procedure call server interface search module, used for finding the dynamic link library module corresponding to the Windows event log service and searching the code sections of that module for the feature code (byte signature) of a remote procedure call server interface structure that matches the byte pattern of a specific remote procedure call interface;
a clear event log function search module, used for searching the dispatch function table member of the remote procedure call server interface structure for the address of the clear event log function that accepts wide character parameters;
a hooking module, used for hooking the clear event log function that accepts wide character parameters to obtain the name of the log file to be cleared and the process information;
an upper layer policy control engine module, used for reporting the log file name and the process information to the upper layer policy control engine, judging whether the clearing behavior is malicious, and executing a release or interception policy according to the judgment result;
in the hooking operation of the hooking module, the first input parameter of the clear event log function that accepts wide character parameters points to the handle of the log to be cleared;
the hooking module comprises:
a log file reading unit, used for triggering the hook function and reading the name member of the log handle to obtain the name of the log file to be cleared;
a process information reading unit, used for calling, in the hook function, the application programming interface that inquires whether the remote procedure call binding belongs to a local client, or the one that inquires the call attributes of the remote procedure call server, so as to judge whether the call is a local remote procedure call, and, if it is a local remote procedure call, further querying the process index (process identifier) of the calling process to obtain the process information;
the upper layer policy control engine module comprises:
a reporting unit, used for reporting the log file name and the process information to the upper layer policy control engine;
a judging unit, used by the upper layer policy control engine to judge, by means of a control policy, whether the behavior is malicious, wherein the control policy comprises a black-and-white list library and a malicious feature library;
an intercepting unit, used for blocking and intercepting the log clearing when the process's clearing of the system event log is malicious, in which case the hook function returns a failure status;
an alarm unit, used for raising an alarm to the user when the process's clearing of the system event log is malicious;
a release unit, used for calling the original clear event log function that accepts wide character parameters and continuing execution when the process's clearing of the system event log is not malicious;
finding the dynamic link library module corresponding to the Windows event log service comprises:
for Windows XP or Windows 2003 systems, finding the event log dynamic link library in the system process;
for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 or Windows 11 systems, finding the Windows event log service dynamic link library in the service container process;
the parameters of the remote procedure call server interface structure include:
the length of the structure, which is 0x44 on a 32-bit system and 0x60 on a 64-bit system;
the interface identifier, whose syntax global unique identifier has the value 2273FDC-E32A-18C3-3F78-827929DC23EA and whose syntax version is 0.0;
the transfer syntax, whose syntax global unique identifier has the value 8A885D04-1CEB-11C9-9FE8-08002B104860 and whose syntax version is 2.0;
the dispatch function table pointer, where the dispatch function table holds the table of interface function addresses provided by the RPC service, the first entry of that table is the address of the clear event log function that accepts wide character parameters, and the pointer may take any non-zero value;
the number of remote procedure call protocol sequence endpoints, which is 0;
the remote procedure call protocol sequence endpoint array pointer, whose value is 0;
the default manager entry point vector, whose value is 0;
the interpreter information structure pointer, which may take any non-zero value;
the flags (identification) value, which is 4 on a 32-bit system and 6 on a 64-bit system;
the code sections of the dynamic link library module space comprise the text section and the read-only data section.
CN202211599879.7A 2022-12-12 2022-12-12 Method and system for monitoring event log behavior of Windows process emptying system Active CN115859274B (en)

Publications (2)

Publication Number Publication Date
CN115859274A CN115859274A (en) 2023-03-28
CN115859274B true CN115859274B (en) 2023-11-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant