CN117454368A - Malicious software detection method, device, equipment and medium - Google Patents

Info

Publication number: CN117454368A
Authority: CN (China)
Prior art keywords: detected, software, load, virtual memory, target virtual
Legal status: Pending
Application number: CN202311056424.5A
Other languages: Chinese (zh)
Inventor: 张江伟
Current Assignee: Zhongdian Cloud Computing Technology Co ltd
Original Assignee: Zhongdian Cloud Computing Technology Co ltd
Application filed by Zhongdian Cloud Computing Technology Co ltd
Priority to CN202311056424.5A
Publication of CN117454368A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure relates to the technical field of security, and in particular to a method, a device, equipment and a medium for detecting malicious software. The method monitors the access rights corresponding to a target virtual memory of software to be detected, where the target virtual memory is used for storing a load to be detected corresponding to the software to be detected; when the access rights are determined to have changed, it acquires the load to be detected of the software to be detected from the target virtual memory; and it detects the load to be detected through a preset detection engine to obtain a target detection result, which indicates whether the software to be detected is malicious software. This avoids the situation in the prior art where, while software to be detected is being examined, the malware hides its effective load (payload) so that the features corresponding to the payload cannot be obtained and the software cannot be effectively detected; the accuracy of malware detection is thereby improved.

Description

Malicious software detection method, device, equipment and medium
Technical Field
The disclosure relates to the field of security technologies, and in particular, to a method, a device, equipment and a medium for detecting malicious software.
Background
Malware refers to software that lies between a virus and regular software. It can interfere with a user's computer: for example, windows keep popping up while the user browses the internet, or a web page turns into a garbled, strange picture when the user opens it, and normal use is affected. Detecting malware is therefore important.
In the prior art, malware is generally detected by means such as antivirus software, behaviour detection and static detection. However, existing malware can use a shell-adding (packing) technique to hide its effective load, so that the features corresponding to the payload cannot be obtained; the code is released dynamically only while the malware runs, so the malware evades security checks, and its detection is inaccurate.
Disclosure of Invention
Based on the foregoing, it is necessary to provide a method, an apparatus, a device and a medium for detecting malware. When the access rights of the memory storing the load to be detected of the software to be detected change, the load to be detected is obtained directly from the target virtual memory and is detected through a preset detection engine, so that whether the software to be detected is malware is determined. This avoids the problem in the prior art that malware hides its effective load by a shell-adding (packing) technique while the software is being examined, so that the features corresponding to the payload cannot be obtained and the software cannot be effectively detected; the accuracy of malware detection is thereby improved.
In a first aspect of embodiments of the present disclosure, a method for detecting malware is provided, the method including:
monitoring the access right corresponding to the target virtual memory of the software to be detected; the target virtual memory is used for storing a load to be detected corresponding to the software to be detected;
when the access authority is determined to be changed, acquiring the load to be detected of the software to be detected from the target virtual memory;
detecting the load to be detected through a preset detection engine to obtain a target detection result;
the target detection result is used for indicating whether the software to be detected is malicious software or not.
In one embodiment, when the access right is determined to be changed, obtaining the load to be detected of the software to be detected from the target virtual memory includes:
when the access authority is determined to be changed, acquiring address information corresponding to the target virtual memory;
and acquiring a load to be detected corresponding to the software to be detected from the target virtual memory according to the address information.
In one embodiment, the address information includes: the starting address, the ending address and the memory space length of the target virtual memory;
and acquiring the load to be detected corresponding to the software to be detected from the target virtual memory according to the address information comprises the following steps:
determining the position of the target virtual memory in a kernel space according to the starting address, the ending address and the memory space length;
and after the position of the target virtual memory is determined, acquiring a load to be detected corresponding to the software to be detected from the target virtual memory.
In one embodiment, the detecting the load to be detected by the preset detection engine to obtain a target detection result includes:
according to the load to be detected, corresponding characteristics to be detected of the software to be detected are obtained;
and detecting the feature to be detected through the preset detection engine, and determining whether the feature to be detected is a malicious software feature or not so as to obtain the target detection result.
In one embodiment, monitoring the access right corresponding to the target virtual memory of the software to be detected includes:
and monitoring the access right corresponding to the target virtual memory of the software to be detected by monitoring the target process corresponding to the software to be detected.
In one embodiment, the changing of the access rights includes: the access rights are changed from write and execute access rights to write access rights.
In one embodiment, the method further comprises:
and when the software to be detected is determined to be malicious software according to the target detection result, preventing the software to be detected from running.
In a second aspect of embodiments of the present disclosure, there is provided a malware detection apparatus, the apparatus comprising:
the access right monitoring module is used for monitoring the access right corresponding to the target virtual memory of the software to be detected; the target virtual memory is used for storing a load to be detected corresponding to the software to be detected;
the load to be detected obtaining module is used for obtaining the load to be detected of the software to be detected from the target virtual memory when the access authority is determined to be changed;
the target detection result obtaining module is used for detecting the load to be detected through a preset detection engine to obtain a target detection result;
the target detection result is used for indicating whether the software to be detected is malicious software or not.
In a third aspect of the disclosed embodiments, there is provided an electronic device, including:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of the first aspects.
A fourth aspect of embodiments of the present disclosure provides a computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the method according to any of the first aspects.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
the disclosure provides a method, a device, equipment and a medium for detecting malicious software, which monitor the access rights corresponding to a target virtual memory of software to be detected, the target virtual memory being used for storing a load to be detected corresponding to the software to be detected; when the access rights are determined to have changed, acquire the load to be detected from the target virtual memory; and detect the load to be detected through a preset detection engine to obtain a target detection result, which indicates whether the software to be detected is malicious software. In this process, when the access rights of the memory storing the load to be detected change, the load can be obtained directly from the target virtual memory and detected through the preset detection engine, so that whether the software to be detected is malicious software is determined. The problem in the prior art that the effective load is hidden by a shell-adding (packing) technique during detection, so that the features corresponding to the payload cannot be obtained and the software cannot be effectively detected, is thereby avoided, and the accuracy of malware detection is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flow chart of a method for detecting malware according to an embodiment of the present disclosure;
Fig. 2 is a flow chart of another malware detection method provided by an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of a malware detection device according to an embodiment of the present disclosure;
Fig. 4 is an internal structural diagram of an electronic device provided in an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, where appropriate, such that embodiments of the disclosure may be practiced in sequences other than those illustrated and described herein, and that the objects identified by "first," "second," etc. are generally of the same type and are not limited to the number of objects, e.g., the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/", generally means that the associated object is an "or" relationship.
Malware refers to software that lies between a virus and regular software. It can interfere with a user's computer: for example, windows keep popping up while the user browses the internet, or a web page turns into a garbled, strange picture when the user opens it, and normal use is affected. Detecting malware is therefore important.
Malware is generally detected by means such as antivirus software, behaviour detection and static detection. However, existing malware uses a shell-adding (packing) technique to hide its effective load, so that the features corresponding to the payload cannot be obtained; the code is released dynamically only while the malware runs, so the malware evades security checks, and its detection is inaccurate.
Based on the above problems, the present disclosure provides a method, an apparatus, a device and a medium for detecting malicious software, which monitor the access rights corresponding to a target virtual memory of software to be detected, the target virtual memory being used for storing a load to be detected corresponding to the software to be detected; when the access rights are determined to have changed, acquire the load to be detected from the target virtual memory; and detect the load to be detected through a preset detection engine to obtain a target detection result, which indicates whether the software to be detected is malicious software. In this process, when the access rights of the memory storing the load to be detected change, the load can be obtained directly from the target virtual memory and detected through the preset detection engine, so that whether the software to be detected is malicious software is determined. The problem in the prior art that the effective load is hidden by a shell-adding (packing) technique during detection, so that the features corresponding to the payload cannot be obtained and the software cannot be effectively detected, is thereby avoided, and the accuracy of malware detection is improved.
In one embodiment, as shown in fig. 1, fig. 1 is a flow chart of a method for detecting malware according to an embodiment of the present disclosure, and specifically includes the following steps:
s11: and monitoring the access right corresponding to the target virtual memory of the software to be detected.
The access right refers to the access right of the software to be detected to the target virtual memory. The target virtual memory is used for storing the load to be detected corresponding to the software to be detected, that is, its payload, which is the relevant code of the software to be detected. It is noted that the target virtual memory is a virtual memory area of the terminal device, allocated in kernel space and used for storing the software to be detected.
Specifically, for the software to be detected, the access right corresponding to its target virtual memory is monitored, wherein the target virtual memory is used for storing the load to be detected corresponding to the software to be detected.
Alternatively, on the basis of the above embodiments, in some embodiments of the present disclosure, since the running of the software to be detected is implemented by calling a process, based on this, an implementation for S11 may be:
step A: and monitoring the access right corresponding to the target virtual memory of the software to be detected by monitoring the target process corresponding to the software to be detected.
Specifically, for the software to be detected, the monitoring of the access right corresponding to the target virtual memory of the software to be detected is realized by monitoring and running the target process corresponding to the software to be detected.
Optionally, on the basis of the foregoing embodiments, in some embodiments of the present disclosure, extended Berkeley Packet Filter (eBPF) technology is used to monitor a preset hook function in kernel space, such as security_file_mprotect(), so as to monitor the target process corresponding to the software to be detected, thereby monitoring the access right of the target virtual memory corresponding to the load to be detected of the software to be detected and obtaining the relevant parameters of that access right.
Optionally, the target process corresponding to the software to be detected may instead be monitored through a preset driver, so as to monitor the access right corresponding to the target virtual memory corresponding to the load to be detected of the software to be detected; this is not limited thereto, the disclosure is not particularly limited in this respect, and those skilled in the art can set this according to the actual situation.
In this way, in the method for detecting malicious software provided in this embodiment, in the above process, by monitoring the target process corresponding to the software to be detected, the access right corresponding to the target virtual memory of the software to be detected is monitored, so that the resources of the terminal device are saved.
S12: and when the access authority is determined to be changed, acquiring a load to be detected of the software to be detected from the target virtual memory.
The changing of the access right includes: the access rights are changed from write and execute access rights to write access rights.
Specifically, when it is determined that the access right of the target virtual memory for storing the load to be detected of the software to be detected is changed, that is, when the access right is changed from the write and execute access right to the write access right, the load to be detected of the software to be detected is obtained from the target virtual memory.
Optionally, based on the foregoing embodiment, in some embodiments of the present disclosure, when it is determined that the access right changes, an implementation manner of obtaining, from the target virtual memory, a load to be detected of the software to be detected may be:
step B1: and when the access authority is determined to be changed, acquiring address information corresponding to the target virtual memory.
The target virtual memory is allocated from the kernel space of the terminal device and is used for storing the load to be detected corresponding to the software to be detected. On this basis, the position of the target virtual memory in the kernel space is determined by acquiring its address information, which includes: the starting address, the ending address and the memory space length of the target virtual memory.
Specifically, when it is determined that the access right of the target virtual memory for storing the load to be detected of the software to be detected is changed, that is, when the access right is changed from the write and execute access right to the write access right, address information corresponding to the target virtual memory is obtained.
Optionally, based on the foregoing embodiments, in some embodiments of the present disclosure, a preset hook function in kernel space, such as security_file_mprotect(), may be monitored through extended Berkeley Packet Filter (eBPF) technology so as to obtain the address information corresponding to the target virtual memory; this is not limited thereto, the disclosure is not particularly limited in this respect, and it may be set by a person skilled in the art according to the actual situation.
Step B2: and acquiring a load to be detected corresponding to the software to be detected from the target virtual memory according to the address information.
Specifically, after the address information corresponding to the target virtual memory is obtained, the load to be detected corresponding to the software to be detected is obtained from the target virtual memory according to the address information.
Alternatively, based on the above embodiments, in some embodiments of the disclosure, an implementation of step B2 may be:
step B21: and determining the position of the target virtual memory in the kernel space according to the starting address, the ending address and the memory space length.
Step B22: after the position of the target virtual memory is determined, the load to be detected corresponding to the software to be detected is obtained from the target virtual memory.
Specifically, according to a start address, an end address and a memory space length corresponding to the target virtual memory, determining the position of the target virtual memory in the kernel space, and after determining the position of the target virtual memory in the kernel space, acquiring a load to be detected corresponding to the software to be detected from the target virtual memory.
It should be noted that, after determining the position of the target virtual memory in the kernel space, the load to be detected corresponding to the software to be detected is obtained from the target virtual memory, and the load to be detected is copied to the user space, so that the load to be detected in the user space is detected through a preset detection engine, and a target detection result is obtained.
S13: and detecting the load to be detected through a preset detection engine to obtain a target detection result.
The target detection result is used for indicating whether the software to be detected is malicious software or not. The malicious software refers to software between viruses and regular software, and can cause certain interference to a user's computer, and the malicious software can be installed and run on the user's computer or other terminals without explicitly prompting the user or being licensed by the user, so that legal rights and interests of the user are infringed.
The preset detection engine is used for detecting whether the software to be detected is malware, and may be, for example, a virus checking and killing engine, a sandbox analysis engine and a shellcode detection engine, but is not limited thereto, and the disclosure is not particularly limited thereto, and a person skilled in the art can set the detection engine according to actual situations.
Specifically, after the load to be detected corresponding to the software to be detected is obtained, the load to be detected is detected through a preset detection engine, a target detection result is obtained, and whether the software to be detected is malicious software or not is determined according to the target detection result.
Alternatively, based on the above embodiments, in some embodiments of the disclosure, one implementation of S13 may be:
step C1: obtaining the feature to be detected corresponding to the software to be detected according to the load to be detected.
The feature to be detected is the feature required for determining whether the software to be detected is malicious software. It may be, for example, a feature code (signature) of the software to be detected, but is not limited thereto; the disclosure is not particularly limited in this respect, and a person skilled in the art may set the feature according to the actual situation.
The specific manner of obtaining the feature to be detected from the load to be detected may refer to the prior art and is not described here.
Specifically, after the load to be detected corresponding to the software to be detected is obtained from the target virtual memory, the feature to be detected corresponding to the software to be detected is obtained according to the load to be detected.
Step C2: detecting the feature to be detected through a preset detection engine, and determining whether the feature to be detected is a malicious software feature or not so as to obtain a target detection result.
Specifically, after the corresponding feature to be detected corresponding to the software to be detected is obtained, the feature to be detected is detected through a preset detection engine, and whether the feature to be detected is a malicious software feature or not is detected, so that a target detection result is obtained.
Optionally, in some embodiments of the present disclosure, detecting the feature to be detected may consist of comparing it with known malicious features: when a match is found, the feature to be detected is determined to be a malicious feature, that is, the software to be detected is malicious; otherwise it is determined not to be a malicious feature, that is, the software to be detected is not malicious.
In this way, the method for detecting malicious software provided by this embodiment monitors the access rights corresponding to a target virtual memory of software to be detected, the target virtual memory being used for storing a load to be detected corresponding to the software to be detected; when the access rights are determined to have changed, acquires the load to be detected from the target virtual memory; and detects the load to be detected through a preset detection engine to obtain a target detection result, which indicates whether the software to be detected is malicious software. In this process, when the access rights of the memory storing the load to be detected change, the load can be obtained directly from the target virtual memory and detected through the preset detection engine, so that whether the software to be detected is malicious software is determined. The problem in the prior art that the effective load is hidden by a shell-adding (packing) technique during detection, so that the features corresponding to the payload cannot be obtained and the software cannot be effectively detected, is thereby avoided, and the accuracy of malware detection is improved.
Optionally, fig. 2 is a flow chart of another malware detection method provided by an embodiment of the present disclosure, a further optimization of fig. 1. When the software to be detected is determined to be malware according to the target detection result, in order to ensure that the user can use the terminal device normally and to avoid interference caused by the malware to the user, the method further includes, as shown in fig. 2:
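The following is an added example, not code from the patent or its assignee: a user-space simulation of steps S11 to S13 and S21 above. Real event capture (the eBPF hook on security_file_mprotect() mentioned earlier) is replaced by a constructed list of mprotect events, and the target address space is a constructed dictionary of byte images. The trigger condition goes beyond the page's single case (write+execute to write): it fires on any transition that toggles the execute bit on a region that is writable on at least one side, so the common RW-to-RX unpacking pattern is also caught. The signature database, process ids, addresses and byte contents are all constructed for the example.

```python
# Added example (not from the patent): simulation of the permission-change-
# triggered payload scan. Kernel hooking is stubbed by constructed events.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROT_READ, PROT_WRITE, PROT_EXEC = 0x1, 0x2, 0x4  # Linux mprotect(2) protection bits


@dataclass(frozen=True)
class MprotectEvent:
    """One access-right change observed on a process's target virtual memory (S11)."""
    pid: int
    start: int      # starting address (address information, step B1)
    end: int        # ending address
    length: int     # memory space length; must equal end - start
    old_prot: int
    new_prot: int


def access_right_changed(ev: MprotectEvent) -> bool:
    """Trigger condition (S12). The patent's case is write+execute -> write; this
    generalizes to any change of PROT_EXEC on a region writable on either side."""
    exec_toggled = (ev.old_prot & PROT_EXEC) != (ev.new_prot & PROT_EXEC)
    writable = (ev.old_prot | ev.new_prot) & PROT_WRITE
    return bool(exec_toggled and writable)


def read_region(memory: Dict[int, Tuple[int, bytes]], ev: MprotectEvent) -> Optional[bytes]:
    """Step B2: locate the region from start, end and length and copy it out.
    `memory` maps pid -> (base address, image bytes); a constructed stand-in for
    reading the target's address space. Inconsistent address info is rejected."""
    if ev.length <= 0 or ev.end - ev.start != ev.length or ev.pid not in memory:
        return None
    base, image = memory[ev.pid]
    off = ev.start - base
    if off < 0 or off + ev.length > len(image):
        return None                      # region lies outside the known image
    return bytes(image[off:off + ev.length])


def extract_features(payload: bytes) -> Dict[str, object]:
    """Step C1: derive features (hash and raw bytes) from the dumped payload."""
    return {"sha256": hashlib.sha256(payload).hexdigest(),
            "size": len(payload), "bytes": payload}


SIGNATURES = {  # constructed signature database for the toy detection engine
    "hashes": set(),
    "patterns": [b"CONSTRUCTED-MALICIOUS-MARKER"],
}


def detect(features: Dict[str, object], signatures=SIGNATURES) -> bool:
    """Step C2: compare features with known malicious features; True means malware."""
    if features["sha256"] in signatures["hashes"]:
        return True
    return any(p in features["bytes"] for p in signatures["patterns"])


def process_events(events: List[MprotectEvent], memory) -> Dict[int, str]:
    """Run the pipeline; returns pid -> 'malware', 'clean' or 'unreadable'."""
    verdicts: Dict[int, str] = {}
    for ev in events:
        if not access_right_changed(ev):
            continue                     # no trigger, region is not scanned
        payload = read_region(memory, ev)
        if payload is None:
            verdicts[ev.pid] = "unreadable"
            continue
        verdicts[ev.pid] = "malware" if detect(extract_features(payload)) else "clean"
    return verdicts


def pids_to_block(verdicts: Dict[int, str]) -> List[int]:
    """S21: processes whose payload matched are to be prevented from running."""
    return sorted(pid for pid, v in verdicts.items() if v == "malware")


# Constructed sample input: three processes, one of which carries the marker.
MEMORY = {
    1001: (0x7F0000000000, b"\x90" * 16 + b"CONSTRUCTED-MALICIOUS-MARKER" + b"\xc3" * 4),
    1002: (0x7F1000000000, b"harmless JIT buffer contents" + b"\x00" * 8),
    1003: (0x7F2000000000, b"never scanned"),
}
EVENTS = [
    MprotectEvent(1001, 0x7F0000000000, 0x7F0000000030, 0x30, PROT_WRITE | PROT_EXEC, PROT_WRITE),
    MprotectEvent(1002, 0x7F1000000000, 0x7F1000000024, 0x24, PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC),
    MprotectEvent(1003, 0x7F2000000000, 0x7F200000000D, 0x0D, PROT_READ, PROT_READ | PROT_WRITE),
]

if __name__ == "__main__":
    result = process_events(EVENTS, MEMORY)
    print(result, pids_to_block(result))
```

Only process 1001 is reported as malware and process 1003 is never scanned, because its change (read to read+write) does not touch the execute bit. The length check in read_region matters: an event whose ending address and memory space length disagree is treated as unreadable rather than dumping the wrong range.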
s21: and when the software to be detected is determined to be malicious software according to the target detection result, preventing the software to be detected from running.
Specifically, when the software to be detected is determined to be malicious according to the target detection result, the kernel space is prevented from running the software to be detected.
Optionally, on the basis of the foregoing embodiments, in some embodiments of the present disclosure, when it is determined that the software to be detected is malware according to the target detection result, the software to be detected may be isolated.
In this way, in the method for detecting the malicious software provided by the embodiment, when the software to be detected is determined to be the malicious software, the operation of the software to be detected is prevented, so that the normal use of the terminal equipment by a user is ensured, the interference of the malicious software to the user is avoided, and the user experience is improved.
An embodiment of the present disclosure also provides a malware detection apparatus for executing any of the malware detection methods provided by the above embodiments, with the corresponding beneficial effects of those methods.
Fig. 3 is a schematic structural diagram of a malware detection apparatus according to an embodiment of the present disclosure. The apparatus includes an access right monitoring module 11, a load-to-be-detected obtaining module 12 and a target detection result obtaining module 13.
The access right monitoring module 11 is configured to monitor the access right corresponding to the target virtual memory of the software to be detected; the target virtual memory is used to store the load to be detected corresponding to the software to be detected;
the load-to-be-detected obtaining module 12 is configured to obtain the load to be detected of the software to be detected from the target virtual memory when it is determined that the access right has changed;
the target detection result obtaining module 13 is configured to detect the load to be detected through a preset detection engine to obtain a target detection result;
the target detection result indicates whether the software to be detected is malware.
In the above embodiment, the load-to-be-detected obtaining module 12 is specifically configured to obtain address information corresponding to the target virtual memory when it is determined that the access right has changed;
and to obtain the load to be detected corresponding to the software to be detected from the target virtual memory according to the address information.
In the above embodiment, the address information includes the start address, the end address and the memory space length of the target virtual memory; the load-to-be-detected obtaining module 12 is further specifically configured to determine the location of the target virtual memory in kernel space according to the start address, the end address and the memory space length;
and, after the location of the target virtual memory is determined, to obtain the load to be detected corresponding to the software to be detected from the target virtual memory.
In the above embodiment, the target detection result obtaining module 13 is specifically configured to obtain, from the load to be detected, the feature to be detected corresponding to the software to be detected;
and to detect the feature to be detected through the preset detection engine and determine whether the feature to be detected is a malware feature, so as to obtain the target detection result.
In the above embodiment, the access right monitoring module 11 is specifically configured to monitor the access right corresponding to the target virtual memory of the software to be detected by monitoring the target process corresponding to the software to be detected.
In the above embodiment, the change of the access right includes: the access right changes from write-and-execute access to write-only access.
In the above embodiment, the apparatus further includes a processing module configured to prevent the software to be detected from running when the software to be detected is determined to be malware according to the target detection result.
In summary, the access right monitoring module 11 monitors the access right corresponding to the target virtual memory of the software to be detected, where the target virtual memory stores the load to be detected corresponding to the software to be detected; the load-to-be-detected obtaining module 12 obtains the load to be detected from the target virtual memory when the access right is determined to have changed; and the target detection result obtaining module 13 detects the load to be detected through a preset detection engine to obtain a target detection result indicating whether the software to be detected is malware. In this process, as soon as the access right of the memory storing the load to be detected changes, the load can be read directly from the target virtual memory and detected by the preset detection engine to decide whether the software is malware. This avoids the problem in the prior art that a packing technique hides the effective payload during detection, so that the features corresponding to the payload cannot be obtained and the software cannot be detected effectively, and thereby improves the accuracy of malware detection.
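As an added illustration (not code from the patent or from the applicant), the following Python script approximates the pipeline of modules 11 to 13 and the blocking step S21 in user space on Linux: two snapshots of a process's memory map in /proc/<pid>/maps format are compared, a region whose permissions changed from write-and-execute to write-only (claim 6) is located by its start address, end address and length, its bytes are read from a stand-in for /proc/<pid>/mem, file-format and string features are extracted, and a constructed signature list stands in for the "preset detection engine". The two snapshots, the memory image, the signature names and every function name are constructed for this example. Two practitioner caveats: reading another process's memory through /proc/<pid>/mem needs ptrace-level access (the patent does this work in kernel space instead), and the more common unpacker pattern is the reverse transition (a writable staging buffer that is then made executable), so a production monitor would usually treat that direction as a trigger too; the example follows the claim as written and keeps the trigger predicate in one function so the policy can be changed in one place.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\b")


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str

    @property
    def length(self) -> int:
        # The address information of claim 3: start, end and length.
        return self.end - self.start


def parse_maps(text: str) -> Dict[int, Region]:
    """Parse a maps snapshot into {start_address: Region}."""
    regions: Dict[int, Region] = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            regions[start] = Region(start, end, m.group(3))
    return regions


def permission_changes(before: Dict[int, Region],
                       after: Dict[int, Region]) -> List[Tuple[Region, Region]]:
    """Regions present in both snapshots whose permission bits differ (module 11)."""
    return [(before[s], r) for s, r in after.items()
            if s in before and before[s].perms != r.perms]


def is_trigger(old: Region, new: Region) -> bool:
    """The transition named in claim 6: write-and-execute -> write-only."""
    had_wx = "w" in old.perms and "x" in old.perms
    now_w_only = "w" in new.perms and "x" not in new.perms
    return had_wx and now_w_only


def read_region(memory: Dict[int, bytes], region: Region) -> bytes:
    """Constructed stand-in for a /proc/<pid>/mem read of the located region (module 12)."""
    return memory.get(region.start, b"")[: region.length]


def extract_features(payload: bytes) -> Dict[str, object]:
    """Features handed to the engine: file-format magic plus printable strings."""
    if payload.startswith(b"MZ"):
        fmt = "PE"
    elif payload.startswith(b"\x7fELF"):
        fmt = "ELF"
    else:
        fmt = "unknown"
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", payload)]
    return {"format": fmt, "strings": strings}


# Constructed stand-in for the "preset detection engine": string signatures.
SIGNATURES: Dict[str, List[str]] = {
    "demo.dropper": ["cmd.exe /c", "CurrentVersion\\Run"],
    "demo.downloader": ["URLDownloadToFileA"],
}


def scan(features: Dict[str, object]) -> Dict[str, object]:
    """Module 13: match the extracted strings against the signature list."""
    strings = features["strings"]
    hits = [name for name, needles in SIGNATURES.items()
            if any(n in s for n in needles for s in strings)]
    return {"malicious": bool(hits), "signatures": hits, "format": features["format"]}


def detect(maps_before: str, maps_after: str,
           memory: Dict[int, bytes]) -> Optional[Dict[str, object]]:
    """Whole pipeline; returns None when no triggering permission change occurred."""
    for old, new in permission_changes(parse_maps(maps_before), parse_maps(maps_after)):
        if not is_trigger(old, new):
            continue
        result = scan(extract_features(read_region(memory, new)))
        result["region"] = (hex(new.start), hex(new.end), new.length)
        # Step S21: block the process when the engine says malware, otherwise allow.
        result["action"] = "block" if result["malicious"] else "allow"
        return result
    return None


# Constructed sample: the unpacker's staging region goes from rwx to rw- once
# the decoded payload has been written into it.
MAPS_BEFORE = """\
00400000-00401000 r-xp 00000000 08:01 1234 /tmp/packed.exe
7f0000000000-7f0000010000 rwxp 00000000 00:00 0
"""
MAPS_AFTER = MAPS_BEFORE.replace("rwxp", "rw-p")
MEMORY = {
    0x7F0000000000: b"MZ\x90\x00" + b"\x00" * 60
    + b"cmd.exe /c start %TEMP%\\svc.exe\x00URLDownloadToFileA\x00",
}

if __name__ == "__main__":
    print(detect(MAPS_BEFORE, MAPS_AFTER, MEMORY))
```

On a live system the two snapshots would come from re-reading /proc/<pid>/maps (or, as the patent prefers, from a kernel hook on the protection-change path), and `read_region` would seek to `region.start` in /proc/<pid>/mem; everything else stays the same. Scanning only on the permission transition, rather than on every write, is what lets the engine see the decoded payload instead of the packer's stub.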
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 4, the electronic device includes a processor 410, a memory 420, an input device 430 and an output device 440. The number of processors 410 in the device may be one or more; one processor 410 is taken as an example in fig. 4. The processor 410, memory 420, input device 430 and output device 440 may be connected by a bus or by other means; a bus connection is taken as an example in fig. 4.
The memory 420 is a computer-readable storage medium and may be used to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the methods in the embodiments of the present invention. The processor 410 executes the software programs, instructions and modules stored in the memory 420 to perform the functional applications of the device and the malware detection, i.e. to implement the methods provided by the embodiments of the present invention.
The memory 420 may mainly include a program storage area and a data storage area. The program storage area may store an operating system and at least one application program required for a function; the data storage area may store data created during use of the terminal, and so on. In addition, the memory 420 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples, the memory 420 may further include memory located remotely from the processor 410 and connected to the device via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 430 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the electronic device; it may include a keyboard, a mouse and the like. The output device 440 may include a display device such as a display screen.
An embodiment of the present disclosure also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, implement the method provided by the embodiments of the present invention, the method comprising:
monitoring the access right corresponding to the target virtual memory of the software to be detected; the target virtual memory is used to store the load to be detected corresponding to the software to be detected;
when the access right is determined to have changed, obtaining the load to be detected of the software to be detected from the target virtual memory;
detecting the load to be detected through a preset detection engine to obtain a target detection result;
the target detection result indicating whether the software to be detected is malware.
Of course, the storage medium containing computer-executable instructions provided in the embodiments of the present invention is not limited to the method operations described above and may also perform related operations of the method provided in any embodiment of the present invention.
From the above description of embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, etc., and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present invention.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A malware detection method, comprising:
monitoring the access right corresponding to the target virtual memory of the software to be detected; the target virtual memory is used to store the load to be detected corresponding to the software to be detected;
when the access right is determined to have changed, obtaining the load to be detected of the software to be detected from the target virtual memory;
detecting the load to be detected through a preset detection engine to obtain a target detection result;
the target detection result indicating whether the software to be detected is malware.
2. The method according to claim 1, wherein obtaining the load to be detected of the software to be detected from the target virtual memory when the access right is determined to have changed comprises:
when the access right is determined to have changed, obtaining address information corresponding to the target virtual memory;
and obtaining the load to be detected corresponding to the software to be detected from the target virtual memory according to the address information.
3. The method according to claim 2, wherein the address information comprises the start address, the end address and the memory space length of the target virtual memory;
and obtaining the load to be detected corresponding to the software to be detected from the target virtual memory according to the address information comprises:
determining the location of the target virtual memory in kernel space according to the start address, the end address and the memory space length;
and, after the location of the target virtual memory is determined, obtaining the load to be detected corresponding to the software to be detected from the target virtual memory.
4. The method according to claim 1, wherein detecting the load to be detected through the preset detection engine to obtain the target detection result comprises:
obtaining, from the load to be detected, the feature to be detected corresponding to the software to be detected;
and detecting the feature to be detected through the preset detection engine and determining whether the feature to be detected is a malware feature, so as to obtain the target detection result.
5. The method according to claim 1, wherein monitoring the access right corresponding to the target virtual memory of the software to be detected comprises:
monitoring the access right corresponding to the target virtual memory of the software to be detected by monitoring the target process corresponding to the software to be detected.
6. The method according to claim 1, wherein the change of the access right comprises: the access right changing from write-and-execute access to write-only access.
7. The method according to claim 1, further comprising:
when the software to be detected is determined to be malware according to the target detection result, preventing the software to be detected from running.
8. A malware detection apparatus, comprising:
an access right monitoring module configured to monitor the access right corresponding to the target virtual memory of the software to be detected; the target virtual memory is used to store the load to be detected corresponding to the software to be detected;
a load-to-be-detected obtaining module configured to obtain the load to be detected of the software to be detected from the target virtual memory when the access right is determined to have changed;
a target detection result obtaining module configured to detect the load to be detected through a preset detection engine to obtain a target detection result;
the target detection result indicating whether the software to be detected is malware.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the steps of the malware detection method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the malware detection method of any one of claims 1 to 7.
CN202311056424.5A 2023-08-18 2023-08-18 Malicious software detection method, device, equipment and medium Pending CN117454368A (en)

Publications (1)

Publication Number Publication Date
CN117454368A 2024-01-26

Family

ID=89593579

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination