CN101393591B - Method and system for discovering unknown USB virus - Google Patents

Info

Publication number
CN101393591B
CN101393591B
Authority
CN
China
Prior art keywords
file
operating system
dynamic link
link library
virus
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008102249422A
Other languages
Chinese (zh)
Other versions
CN101393591A (en)
Inventor
崔翔
云晓春
殷丽华
王树鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Computing Technology of CAS
Original Assignee
Institute of Computing Technology of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Computing Technology of CAS
Priority to CN2008102249422A
Publication of CN101393591A
Application granted
Publication of CN101393591B
Legal status: Expired - Fee Related

Abstract

The invention relates to a method and a system for discovering unknown USB viruses. The method comprises the following steps: 1) build a dynamic link library (DLL) file such that, when the DLL is executed to query the type of a drive and the queried drive does not exist, it replies that the drive type is removable, and when the DLL is executed to copy a file and the destination path of the copy does not exist, it copies the file to a specified path instead; 2) inject the DLL into the processes running in the operating system, so that a USB virus performs its drive-type queries and its copies of virus files through the DLL. The method and system can discover an unknown USB virus and obtain a sample of it without false positives.

Description

Method and system for discovering unknown USB viruses
Technical field
The present invention relates to the field of computer security, and in particular to a method and system for discovering unknown USB viruses.
Background technology
Computers are now deeply embedded in daily life and have become a tool people use constantly, and most personal computers today have USB ports. Common removable storage devices such as USB flash drives, portable hard disks, digital cameras, digital video cameras, MP3 players and smartphones connect to computers over USB, which gives computer viruses an opportunity to spread to other computers through any device with a USB interface.
In recent years USB viruses have been rampant. Several of the more serious viruses that have spread on the Internet, such as "Panda burning incense", "USB flash disk saboteur" and "USB flash disk parasite", infect computers mainly through USB devices; USB devices have become one of the most important vectors of virus propagation.
Spreading a virus through USB devices has two advantages for the attacker. First, it does not depend on exploiting an operating-system vulnerability: a USB virus abuses not a bug but the AutoPlay feature that the operating system provides for ease of use, so once written the virus code rarely needs updating and is easy to write. Second, it does not depend on a computer network: a USB virus can spread between computers that are not connected to any network, and also between an intranet and the outside, which creates a serious risk of leaking classified intranet data.
USB viruses differ from other viruses only in how they spread, not in what they do, and their potential harm can be greater. A USB virus can also build a botnet, launch distributed denial-of-service (DDoS) attacks, send spam and steal sensitive information; for stealing sensitive information from physically isolated private networks and from hosts that are not connected to the Internet, USB viruses are more dangerous still.
The propagation steps of current mainstream USB viruses are shown in Fig. 1.
Step S101: initialise the drive to be infected to drive A.
Step S102: call the system's GetDriveType function to obtain the type of the drive to be infected, and judge whether it is a removable drive; if so, go to step S103, otherwise go to step S104.
For a removable drive GetDriveType returns DRIVE_REMOVABLE; for a fixed disk it returns DRIVE_FIXED; for a CD-ROM drive it returns DRIVE_CDROM. This is how the USB virus finds the removable drives among the drives of the computer.
Step S103: call the system's CopyFile function, or CreateFile followed by WriteFile, to copy the virus's executable file to the drive to be infected.
Specifically, the virus copies its executable Y.exe to the drive to be infected with CopyFile, or with CreateFile followed by WriteFile. At the same time it creates the file autorun.inf on that drive with CreateFile and writes the commands needed for automatic execution into autorun.inf with WriteFile. A typical autorun.inf reads as follows:
[autorun]
action=open
shellexecute=y.exe
Step S104: take the next drive as the drive to be infected.
Step S105: judge whether the drive to be infected is less than or equal to Z; if so, go to step S102, otherwise go to step S106.
Step S106: sleep for a period of time, then go to step S101.
By this method a USB virus finds removable disks and infects them.
Although USB viruses are numerous and harmful, the means of defending against them are still far from perfect. Three countermeasures against USB viruses are in use today.
The first is same-name immunization. A folder named autorun.inf is created in advance on a USB disk that is not yet infected; when a USB virus later tries to create an autorun.inf file, the creation fails because a folder of the same name already exists, since the Windows operating system guarantees that a file and a folder with the same name cannot coexist in the same directory.
The second is signature-based scanning. File signatures are extracted from known USB viruses and periodically pushed to the anti-virus software installed on the user's host, which uses them to detect and remove the viruses with those known signatures; the update frequency is typically set by the user.
The third is disabling AutoPlay. The Windows system is configured to disable all or part of its AutoPlay function, so that even when an infected USB device is plugged into the system, Windows does not automatically execute the virus program on the USB disk.
The first method immunises a USB disk so that a virus cannot write its autorun.inf file, and even if the virus does succeed in writing its executable to the disk, it cannot auto-run on other computers; but this method cannot protect non-immunised USB disks plugged in by third parties, cannot stop a virus already present on such a disk from running, and, worse, a USB virus can first delete the file or folder named autorun.inf on the target disk and then copy its own autorun.inf there, defeating the immunisation. The second method suffers from a serious lag in updating the virus database, so that even known viruses are hard to defend against effectively. The third method cannot stop a virus already on the operating system from infecting newly inserted USB disks. In addition, none of these three prior-art methods can discover an unknown USB virus or obtain a sample of it.
Summary of the invention
To solve the above problems, the present invention proposes a method and system for discovering unknown USB viruses, which can discover an unknown USB virus and obtain a sample of it without false positives.
The invention discloses a method for discovering unknown USB viruses, comprising:
Step 1: create a dynamic link library (DLL) file. When the DLL file is executed to query the type of a drive, judge whether the queried drive exists; if so, return the type of the queried drive; otherwise reply that the type of the queried drive is removable. When the DLL file is executed to copy a file, judge whether the destination path of the copy exists; if so, copy the file to that destination path; otherwise copy the file to a specified path.
Step 2: inject the DLL file into the processes running in the operating system, so that the USB virus performs its drive-type queries and virus-file copies through the DLL file.
In step 1, when the DLL file is executed to query the type of a drive and the queried drive does not exist, replying that the type of the queried drive is removable further comprises:
Step 21: call the function of the operating system for obtaining the drive type, to obtain the type of the queried drive.
The operating system is Windows, and the function for obtaining the drive type in step 21 is GetDriveType.
In step 1, when the DLL file is executed to copy a file and the destination path of the copy does not exist, copying the file to a specified path further comprises:
Step 41: judge whether the destination path of the copy does not exist; if so, redirect the destination path to the specified path and go to step 42; otherwise go to step 42 directly.
Step 42: call the function of the operating system for copying files, to copy the file to the destination path.
The operating system is Windows, and the function for copying files in step 42 is CopyFile.
Step 1 also comprises: when the DLL file is executed to create a file, if the destination path of the file to be created does not exist, create the file under the specified path.
Step 2 also comprises: injecting the DLL file into the processes running in the operating system so that the USB virus also performs its file creation through the DLL file.
In step 1, when the DLL file is executed to create a file and the destination path of the file does not exist, creating the file under the specified path further comprises:
Step 71: judge whether the destination path of the file to be created does not exist; if so, redirect the destination path to the specified path and go to step 72; otherwise go to step 72 directly.
Step 72: call the function of the operating system for creating files, to create the file under the destination path.
The operating system is Windows, and the function for creating files in step 72 is CreateFile or NtCreateFile.
Step 2 further comprises:
Step 91: create a process state table to record, for each process running in the operating system, whether it has loaded the DLL file;
Step 92: enumerate the processes running in the operating system and update the process state table;
Step 93: load the DLL file into the processes that, according to the process state table, have not loaded it.
Each entry of the process state table corresponds to a process running in the operating system and contains the process identifier of that process and its hook state.
The hook state is either hooked or not hooked: hooked means the process corresponding to the entry has loaded the DLL file, not hooked means it has not.
The process identifier comprises the process ID, the process handle and the full path of the process.
Updating the process state table in step 92 further comprises:
Step 121: for each enumerated process that has no corresponding entry in the process state table, create a corresponding entry for it in the table and initialise the hook state of that entry to not hooked;
Step 122: delete from the process state table every entry that corresponds to none of the enumerated processes.
Step 93 further comprises:
Step 131: load the DLL file into the processes whose entries in the process state table have hook state not hooked, and after loading change the hook state of those entries to hooked.
The invention also discloses a system for discovering unknown USB viruses, comprising:
a dynamic link library module, used to create a DLL file such that, when the DLL file is executed to query the type of a drive, it judges whether the queried drive exists and, if so, returns the type of the queried drive, otherwise replies that the type of the queried drive is removable; and, when the DLL file is executed to copy a file, it judges whether the destination path of the copy exists and, if so, copies the file to that destination path, otherwise copies the file to a specified path;
a file injection module, used to inject the DLL file into the processes running in the operating system, so that the USB virus performs its drive-type queries and virus-file copies through the DLL file.
When the DLL file is executed to query the type of a drive, the dynamic link library module is further used to call the function of the operating system for obtaining the drive type, to obtain the type of the queried drive.
The operating system is Windows, and the function for obtaining the drive type is GetDriveType.
When the DLL file is executed to copy a file, the dynamic link library module is further used to judge whether the destination path of the copy does not exist; if so, it redirects the destination path to the specified path and calls the function of the operating system for copying files to copy the file to that destination path; otherwise it calls the function for copying files directly to copy the file to the destination path.
The operating system is Windows, and the function for copying files is CopyFile.
The dynamic link library module is also used, when the DLL file is executed to create a file, to create the file under the specified path if the destination path of the file does not exist;
the file injection module is also used to inject the DLL file into the processes running in the operating system so that the USB virus performs its file creation through the DLL file.
When the DLL file is executed to create a file, the dynamic link library module is further used to judge whether the destination path of the file to be created does not exist; if so, it redirects the destination path to the specified path and calls the function of the operating system for creating files to create the file under that destination path; otherwise it calls the function for creating files directly to create the file under the destination path.
The operating system is Windows, and the function for creating files is CreateFile or NtCreateFile.
The file injection module is further used to create a process state table recording, for each process running in the operating system, whether it has loaded the DLL file; to enumerate the processes running in the operating system and update the process state table; and to load the DLL file into the processes that, according to the process state table, have not loaded it.
Each entry of the process state table corresponds to a process running in the operating system and contains the process identifier of that process and its hook state.
The hook state is either hooked or not hooked: hooked means the process corresponding to the entry has loaded the DLL file, not hooked means it has not.
The process identifier comprises the process ID, the process handle and the full path of the process.
When updating the process state table, the file injection module is further used, for each enumerated process that has no corresponding entry in the table, to create a corresponding entry for it and initialise the hook state of that entry to not hooked, and to delete from the table every entry that corresponds to none of the enumerated processes.
When loading the DLL file into the processes that have not loaded it, the file injection module is further used to load the DLL file into the processes whose entries have hook state not hooked, and after loading to change the hook state of those entries to hooked.
The advantageous effect of the present invention is that, by hooking system functions, it presents a virtual USB device and induces the USB virus to infect this virtual device, thereby obtaining a sample of the USB virus. Because the invention does not depend on file signatures, needs no hardware support and needs no frequent updates, it can discover unknown USB viruses, so obtaining USB virus samples with the present invention is cheap and efficient. And because writing a file to a drive that does not exist is behaviour caused by malicious code (probing drive letters with GetDriveType is something benign software such as file managers does as well; it is the subsequent write to the nonexistent drive that the invention treats as the indicator), identifying viruses by this characteristic avoids false positives for non-viral software.
Description of drawings
Fig. 1 is the workflow of a USB virus;
Fig. 2 is the flowchart of the method of the present invention for discovering unknown USB viruses;
Fig. 3 is the flowchart of the function NewGetDriveType in the DLL file of the present invention;
Fig. 4 is the flowchart of the function NewCopyFile in the DLL file of the present invention;
Fig. 5 is the flowchart of the function NewCreateFile in the DLL file of the present invention;
Fig. 6 is the flowchart of injecting the DLL file into processes in the present invention;
Fig. 7 is the architecture of the system of the present invention for discovering unknown USB viruses.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
Based on the propagation principle of USB viruses, the overall idea of the present invention is to hook system functions so as to present a virtual USB disk, and to induce the USB virus to infect this virtual disk. Copying a file to a USB disk that does not actually exist is an abnormal operation, so when this abnormal operation is detected the copy can be redirected into a designated directory, and a sample of the USB virus is thereby obtained.
The method of the present invention is shown in Fig. 2.
Step S201: create a dynamic link library (DLL) file.
When the DLL file is executed to query the type of a drive and the queried drive does not exist, it replies that the type of the drive is removable; when the DLL file is executed to copy a file and the destination path of the copy does not exist, it copies the file to a specified path.
Step S202: inject the DLL file into the processes running in the operating system, so that the USB virus performs its drive-type queries and virus-file copies through the DLL file.
The embodiment is implemented on 32-bit Windows (Win32).
Before creating the DLL file, download and install the open-source Detours library, which is used to hook system functions.
The DLL file contains three functions, NewGetDriveType, NewCopyFile and NewCreateFile, corresponding to the API functions GetDriveType, CopyFile and CreateFile respectively. Once the DLL file is loaded into a process, these three API functions are hooked in that process.
Hooking here means altering the execution flow of the corresponding operating-system function: Detours overwrites the first instructions of the target function with a jump to the replacement function and provides a trampoline through which the replacement can still call the original.
The three functions of the DLL are implemented as follows.
The flowchart of the function NewGetDriveType is shown in Fig. 3.
Step S301: NewGetDriveType reads the drive parameter and calls the API function GetDriveType with that drive as its argument.
Step S302: judge whether the drive corresponding to the parameter exists; if it does, go to step S303, otherwise go to step S304.
Step S303: return the return value of the API function GetDriveType as the return value of NewGetDriveType.
Step S304: NewGetDriveType returns DRIVE_REMOVABLE, telling the caller that the drive corresponding to the parameter is removable.
With this hook in place, when the virus calls GetDriveType("X:\") for some drive X, what actually executes is NewGetDriveType, so although drive X does not exist the virus believes X is a removable disk and is induced to infect it.
A specific implementation of NewGetDriveType is as follows (pseudo-code; Real_GetDriveType is the Detours trampoline to the original API).
UINT WINAPI NewGetDriveType(LPCTSTR lpRootPathName)
{
    UINT type = Real_GetDriveType(lpRootPathName);   /* call the original API */
    if (type == DRIVE_NO_ROOT_DIR)                   /* the drive does not exist */
        return DRIVE_REMOVABLE;                      /* claim it is a removable disk */
    return type;                                     /* otherwise report the true type */
}
The flowchart of the function NewCopyFile is shown in Fig. 4.
Step S401: judge whether the destination path of the copy exists; if it does not, go to step S402, otherwise go to step S403.
Step S402: redirect the destination path to the specified path.
Step S403: call the API function CopyFile to copy the file to the destination path.
Once a process has found a drive whose type is removable, it next calls CopyFile to copy its own executable to that drive. In the present invention the process actually calls NewCopyFile, which rewrites the destination path X:\Y.exe (where Y.exe is the destination file name and X the drive) to a specified path, for example C:\Windows\MalwareSamples\<full path of the process>\Y.exe, so the virus is copied under that specified path. Thus when the virus tries to copy its own executable to the root of a USB disk, the executable is instead copied into the particular directory designated for collecting virus samples, and a sample of the unknown USB virus is collected. The specified directory must exist before the redirected call, since CopyFile does not create missing parent directories.
A specific implementation of NewCopyFile is as follows (pseudo-code; Real_CopyFile is the Detours trampoline to the original API).
BOOL WINAPI NewCopyFile(LPCTSTR lpExistingFileName, LPCTSTR lpNewFileName, BOOL bFailIfExists)
{
    if (the drive of lpNewFileName does not exist)            /* destination is the virtual USB disk */
        lpNewFileName = the specified path for the same file name;
    return Real_CopyFile(lpExistingFileName, lpNewFileName, bFailIfExists);
}
The flowchart of the function NewCreateFile is shown in Fig. 5.
Step S501: judge whether the destination path of the file to be created exists; if it does not, go to step S502, otherwise go to step S503.
Step S502: redirect the destination path to the specified path.
Step S503: call the API function CreateFile to create the file under the destination path.
This hook captures what CopyFile does not: a virus that writes its executable with CreateFile followed by WriteFile, and the autorun.inf it creates on the virtual disk, both end up under the specified path.
A specific implementation of NewCreateFile is as follows (pseudo-code; Real_CreateFile is the Detours trampoline to the original API, and all parameters other than the file name are passed through unchanged).
HANDLE WINAPI NewCreateFile(LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
                            LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition,
                            DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
    if (the drive of lpFileName does not exist)               /* destination is the virtual USB disk */
        lpFileName = the specified path for the same file name;
    return Real_CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                           dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
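The three hooks and the scan loop they are meant to trap, as an added example that is not code from the patent: a portable C simulation in which the original Win32 APIs are replaced by mocks over a constructed drive table (only C: and D: exist), so the program builds and runs on any platform. The hook bodies follow the decision rules of Figs. 3 to 5 and the mock caller follows steps S101 to S105 of Fig. 1. The Real_* mock names, the sample directory C:\Windows\MalwareSamples and the per-process subdirectory tag svchost.exe are assumptions.

```c
/* Added example (not the patent's code): portable simulation of the honeypot hooks
 * NewGetDriveType / NewCopyFile / NewCreateFile and of the Fig. 1 scan loop.
 * Real_* are mocks of the original APIs over a constructed drive table. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Documented GetDriveType return values. */
enum { DRIVE_UNKNOWN = 0, DRIVE_NO_ROOT_DIR = 1, DRIVE_REMOVABLE = 2,
       DRIVE_FIXED = 3, DRIVE_REMOTE = 4, DRIVE_CDROM = 5, DRIVE_RAMDISK = 6 };

#define SAMPLE_DIR "C:\\Windows\\MalwareSamples\\"  /* assumed collection directory */
#define PROC_TAG   "svchost.exe"                     /* assumed stand-in for the hooked process's path */
#define MAX_LOG    64

/* Constructed drive table of the honeypot host: only C: (fixed) and D: (CD-ROM) exist. */
static unsigned mock_drive_type(char letter) {
    switch (letter) {
    case 'C': return DRIVE_FIXED;
    case 'D': return DRIVE_CDROM;
    default:  return DRIVE_NO_ROOT_DIR;   /* no such drive */
    }
}

/* Mocks of the original APIs (what the Detours trampolines would reach). */
static unsigned Real_GetDriveType(const char *root) { return mock_drive_type(root[0]); }

static char g_log[MAX_LOG][260];   /* every path the mock CopyFile/CreateFile wrote */
static int  g_nlog = 0;

static bool Real_CopyFile(const char *src, const char *dst, bool fail_if_exists) {
    (void)src; (void)fail_if_exists;
    if (mock_drive_type(dst[0]) == DRIVE_NO_ROOT_DIR) return false;  /* real API fails too */
    if (g_nlog < MAX_LOG) snprintf(g_log[g_nlog++], 260, "%s", dst);
    return true;
}
static bool Real_CreateFile(const char *path) { return Real_CopyFile("", path, false); }

/* Hook 1: a query about a drive that does not exist is answered "removable". */
unsigned NewGetDriveType(const char *root) {
    unsigned t = Real_GetDriveType(root);
    return t == DRIVE_NO_ROOT_DIR ? DRIVE_REMOVABLE : t;
}

/* Shared rule of hooks 2 and 3: a destination on a nonexistent drive is rewritten to
 * SAMPLE_DIR\<process tag>\<basename>. Returns true when a redirect happened. */
bool redirect_if_missing(const char *dst, char *out, size_t n) {
    if (strlen(dst) >= 2 && dst[1] == ':' && mock_drive_type(dst[0]) == DRIVE_NO_ROOT_DIR) {
        const char *base = strrchr(dst, '\\');
        base = base ? base + 1 : dst + 2;
        snprintf(out, n, "%s%s\\%s", SAMPLE_DIR, PROC_TAG, base);
        return true;
    }
    snprintf(out, n, "%s", dst);
    return false;
}

bool NewCopyFile(const char *src, const char *dst, bool fail_if_exists) {
    char target[260];
    redirect_if_missing(dst, target, sizeof target);
    return Real_CopyFile(src, target, fail_if_exists);
}

bool NewCreateFile(const char *path) {
    char target[260];
    redirect_if_missing(path, target, sizeof target);
    return Real_CreateFile(target);
}

/* Mock caller following steps S101-S105: for A..Z ask the drive type and, for every drive
 * reported removable, copy y.exe and create autorun.inf there. With hooked=true the calls
 * go through the hooks. Returns how many drives the caller believed to be removable. */
int run_scan_loop(bool hooked) {
    int removable = 0;
    g_nlog = 0;
    for (char d = 'A'; d <= 'Z'; d++) {
        char root[4] = { d, ':', '\\', 0 }, exe[16], inf[16];
        snprintf(exe, sizeof exe, "%c:\\y.exe", d);
        snprintf(inf, sizeof inf, "%c:\\autorun.inf", d);
        unsigned t = hooked ? NewGetDriveType(root) : Real_GetDriveType(root);
        if (t != DRIVE_REMOVABLE) continue;
        removable++;
        if (hooked) { NewCopyFile("self.exe", exe, false);  NewCreateFile(inf);  }
        else        { Real_CopyFile("self.exe", exe, false); Real_CreateFile(inf); }
    }
    return removable;
}

int         captured_count(void) { return g_nlog; }
const char *captured_path(int i) { return g_log[i]; }

int main(void) {
    int plain = run_scan_loop(false);
    printf("without hooks: %d drives looked removable, %d files captured\n", plain, captured_count());
    int trapped = run_scan_loop(true);
    printf("with hooks: %d drives looked removable, %d files captured, first: %s\n",
           trapped, captured_count(), captured_path(0));
    return 0;
}
```

Every one of the 24 nonexistent letters redirects to the same two file names, so the mock records 48 writes of two paths; a deployment would name samples by hash or by source path to avoid overwriting, and it must create the sample directory before the redirected call, because neither CopyFile nor CreateFile creates missing parent directories.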
The DLL file also contains a DllMain function. Using DetourRestoreAfterWith, DetourTransactionBegin, DetourUpdateThread, DetourAttach and DetourTransactionCommit from the Detours library, it begins hooking the system functions when the DLL is loaded by a process (DLL_PROCESS_ATTACH), and using DetourTransactionBegin, DetourUpdateThread, DetourDetach and DetourTransactionCommit it removes the hooks when the DLL is unloaded by the process (DLL_PROCESS_DETACH).
The method of injecting the DLL file into processes is shown in Fig. 6.
Step S601: raise privileges to Debug level, so that the program has the right to enumerate all processes in the system and hook system functions.
Privileges are raised by opening the access token of the current process with OpenProcessToken, looking up the LUID of SeDebugPrivilege with LookupPrivilegeValue, and enabling that privilege with AdjustTokenPrivileges; all three API functions are in the Advapi32 library of Windows. AdjustTokenPrivileges reports success even when the privilege could not be enabled, so GetLastError must be checked for ERROR_NOT_ALL_ASSIGNED.
Step S602: create a process state table with one entry for each process running in the system. Each entry has four fields: process ID, process handle, full process path and hook state. The hook state is either hooked or not hooked: hooked means the process corresponding to the entry has loaded the DLL file, not hooked means it has not.
Step S603: enumerate all processes running in the system and update the process state table.
Enumeration uses the API functions CreateToolhelp32Snapshot, Process32First and Process32Next, declared in Tlhelp32.h and implemented in the Kernel32 library. The embodiment targets Windows 2000 and later (Windows XP/2003/Vista/2008) and does not support Windows 95/98/Me. Enumerating the processes yields the identifier of each process, which is made up of the process ID, the process handle and the full process path.
For each process identifier obtained, look it up in the process state table; if it is not there, create an entry for the process, fill in the process ID, process handle and full path, and initialise the hook state to not hooked; if it is already there, do nothing. Then delete every entry in the table that matches none of the enumerated processes.
Step S604: read from the process state table an entry whose hook state is not hooked; call OpenProcess with the entry's process ID to open the process; call VirtualAllocEx to allocate memory in the virtual address space of the target process of a size equal to the length of the DLL file's path (including the terminating null, as a wide-character string since LoadLibraryW is used); call WriteProcessMemory to write the DLL path into the target process; call GetProcAddress to obtain the address of the API function LoadLibraryW; call CreateRemoteThread to create a remote thread in the target process whose start address is LoadLibraryW and whose parameter is the address of the DLL path just written, so that the DLL file is loaded and executed in the target process; then change the entry's hook state to hooked. Repeat this until every entry in the process state table has hook state hooked. Note that the LoadLibraryW address is looked up in the injector's own kernel32 and assumed to be the same in the target, which holds only for processes of the same bitness; a 32-bit injector cannot inject a 64-bit process this way.
Step S605: call the system function Sleep to sleep for a period of time, then go to step S603.
In this way new processes are found periodically and the DLL file is injected into them, hooking the system functions GetDriveType, CopyFile and CreateFile in each new process and giving them the new behaviour, while expired entries are deleted regularly to prevent memory leaks and wasted resources. Thus, when some process in the system is a USB virus process, its query of the type of a nonexistent drive yields a false return value saying the drive is removable; the process then tries to copy its own executable to that nonexistent drive, and the copy actually lands in the directory designated by the present invention, so a sample of the unknown USB virus is obtained and the unknown USB virus is discovered.
In the above embodiment, CreateFile can also be replaced with NtCreateFile.
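The process-state-table bookkeeping of steps S602 to S605, as an added example that is not the patent's code: a portable C program in which a constructed snapshot stands in for CreateToolhelp32Snapshot/Process32First/Process32Next and a caller-supplied function stands in for the OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread sequence. It shows that a new process is added as not hooked, an exited process is dropped so the table cannot grow without bound, a failed injection is retried in the next round rather than being marked hooked, and a live process is injected at most once. The type names, the mock process list and the rule that PID 4 cannot be opened are assumptions.

```c
/* Added example (not the patent's code): process state table of steps S602-S605 with a
 * constructed process snapshot and a pluggable injector in place of the Win32 calls. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_PROCS 64

typedef struct {
    unsigned pid;
    void    *handle;      /* stand-in for the HANDLE that OpenProcess would return */
    char     path[260];   /* full image path */
    bool     hooked;      /* true once the DLL has been loaded into this process */
} ProcEntry;

typedef struct { ProcEntry e[MAX_PROCS]; int n; } ProcTable;

/* One row of a constructed process snapshot (what Process32Next would yield). */
typedef struct { unsigned pid; const char *path; } SnapProc;

static int find_pid(const ProcTable *t, unsigned pid) {
    for (int i = 0; i < t->n; i++) if (t->e[i].pid == pid) return i;
    return -1;
}
static bool in_snapshot(const SnapProc *snap, int nsnap, unsigned pid) {
    for (int i = 0; i < nsnap; i++) if (snap[i].pid == pid) return true;
    return false;
}

/* Step S603: reconcile the table with the current snapshot. New processes get an entry
 * initialised to not hooked; entries whose process is gone are deleted (compacted in
 * place). Returns the number of entries added. */
int table_update(ProcTable *t, const SnapProc *snap, int nsnap) {
    int added = 0;
    for (int i = 0; i < nsnap; i++) {
        if (find_pid(t, snap[i].pid) >= 0 || t->n >= MAX_PROCS) continue;
        ProcEntry *e = &t->e[t->n++];
        e->pid = snap[i].pid;
        e->handle = NULL;
        e->hooked = false;
        snprintf(e->path, sizeof e->path, "%s", snap[i].path);
        added++;
    }
    int w = 0;
    for (int r = 0; r < t->n; r++)
        if (in_snapshot(snap, nsnap, t->e[r].pid)) t->e[w++] = t->e[r];
    t->n = w;
    return added;
}

/* Step S604: inject into every not-hooked entry and mark it hooked on success. An entry
 * whose injection fails stays not hooked and is retried in the next round. Returns the
 * number of successful injections in this round. */
int table_inject(ProcTable *t, bool (*inject)(unsigned pid, const char *path)) {
    int done = 0;
    for (int i = 0; i < t->n; i++) {
        if (t->e[i].hooked) continue;
        if (inject(t->e[i].pid, t->e[i].path)) { t->e[i].hooked = true; done++; }
    }
    return done;
}

/* Mock injector: assumes PID 4 (System) cannot be opened, as OpenProcess refuses it in
 * practice; every other process "succeeds". */
bool mock_inject(unsigned pid, const char *path) {
    (void)path;
    return pid != 4;
}

int main(void) {
    ProcTable t;
    memset(&t, 0, sizeof t);
    /* Constructed snapshots: notepad exits and y.exe appears between round 1 and round 2. */
    SnapProc round1[] = { {4, "System"}, {100, "C:\\Windows\\explorer.exe"},
                          {200, "C:\\Windows\\notepad.exe"} };
    SnapProc round2[] = { {4, "System"}, {100, "C:\\Windows\\explorer.exe"},
                          {300, "E:\\y.exe"} };
    int added = table_update(&t, round1, 3);
    int injected = table_inject(&t, mock_inject);
    printf("round 1: added %d, injected %d, table size %d\n", added, injected, t.n);
    added = table_update(&t, round2, 3);
    injected = table_inject(&t, mock_inject);
    printf("round 2: added %d, injected %d, table size %d\n", added, injected, t.n);
    printf("round 3: injected %d\n", table_inject(&t, mock_inject));
    return 0;
}
```

The rounds correspond to the S603, S604, S605 loop: round 1 adds three entries and injects two (PID 4 fails), round 2 adds y.exe, drops notepad so the table stays at three entries, and injects only the newcomer, and round 3 injects nothing because every injectable process is already hooked.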
The system architecture of the present invention is shown in Figure 7. The system of the present invention comprises:
Dynamic link library module 701, used to create the DLL file; when the DLL file is executed to query the type of a drive and the queried drive does not exist, it replies that the type of the queried drive is removable; when the DLL file is executed to copy a file and the destination path of the copy does not exist, it copies the file under a specified path; when the DLL file is executed to create a file and the destination path of the file to be created does not exist, it creates the file under the specified path.
The created DLL file is used to hook operating system functions. In the embodiment the operating system is a Windows operating system.
When the DLL file is executed to query the type of a drive, dynamic link library module 701 is further used to call the GetDriveType function of the operating system to obtain the type of the queried drive; to judge whether the queried drive exists; if it exists, to reply with the obtained type of the queried drive; otherwise, to reply that the type of the queried drive is removable.
When the DLL file is executed to copy a file, dynamic link library module 701 is further used to judge whether the destination path of the copy does not exist; if so, to redirect the destination path to the specified path and call the CopyFile function of the operating system to copy the file under the destination path; otherwise, to call the CopyFile function of the operating system directly to copy the file under the destination path.
When the DLL file is executed to create a file, dynamic link library module 701 is further used to judge whether the destination path of the file to be created does not exist; if so, to redirect the destination path to the specified path and call the CreateFile or NtCreateFile function of the operating system to create the file under the destination path; otherwise, to call the CreateFile or NtCreateFile function of the operating system directly to create the file under the destination path.
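The decision logic of the hooked GetDriveType and CopyFile described for module 701, as an added example that is not the patent's own code: a constructed drive table (only C: and D: exist) stands in for the real system and the sample directory `C:\usb_samples\` is an assumed "specified path", so the logic runs without Windows; hook installation and the real copy are not modelled.

```c
/* Added example (not the patent's own code): the decision logic of the
 * hooked GetDriveType and CopyFile, with a constructed drive table standing
 * in for the real system. Hook installation and the real copy are omitted. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return values with the same numeric values as in winbase.h. */
#define DRIVE_NO_ROOT_DIR 1
#define DRIVE_REMOVABLE   2
#define DRIVE_FIXED       3

/* Constructed system state: only C: and D: exist, both fixed disks. */
static const char EXISTING_DRIVES[] = "CD";
/* Constructed sample directory (the "specified path" of the patent). */
static const char SAMPLE_DIR[] = "C:\\usb_samples\\";
/* Path of the most recent redirected copy, for the operator to collect. */
static char last_sample[260];

/* Stand-in for the original (un-hooked) GetDriveType. The model only looks
 * at the drive letter; the real API expects a root path such as "E:\". */
static unsigned real_GetDriveType(const char *root)
{
    if (root == NULL || !isalpha((unsigned char)root[0]) || root[1] != ':')
        return DRIVE_NO_ROOT_DIR;
    return strchr(EXISTING_DRIVES, toupper((unsigned char)root[0]))
               ? DRIVE_FIXED : DRIVE_NO_ROOT_DIR;
}

/* Hooked GetDriveType (claim 2): obtain the real type first; a drive that
 * does not exist is reported as removable, so a process scanning for flash
 * disks is handed a decoy. Existing drives are reported unchanged. */
unsigned hooked_GetDriveType(const char *root)
{
    unsigned type = real_GetDriveType(root);
    return type == DRIVE_NO_ROOT_DIR ? DRIVE_REMOVABLE : type;
}

/* Hooked CopyFile (claim 4): when the destination drive does not exist,
 * rewrite the destination into SAMPLE_DIR, keeping the file name, and
 * record it. The caller then performs the real copy with `out` (step 42).
 * Returns 1 when the copy was redirected, 0 when the path was left alone. */
int hooked_CopyFile(const char *src, const char *dst, char *out, size_t n)
{
    (void)src;                               /* source is copied unchanged */
    if (real_GetDriveType(dst) != DRIVE_NO_ROOT_DIR) {
        snprintf(out, n, "%s", dst);         /* destination exists: no change */
        return 0;
    }
    const char *name = strrchr(dst, '\\');   /* keep only the file name */
    name = name ? name + 1 : dst;
    snprintf(out, n, "%s%s", SAMPLE_DIR, name);   /* step 41: redirect */
    snprintf(last_sample, sizeof last_sample, "%s", out);
    return 1;
}

/* Path of the last captured sample, or "" if nothing was captured yet. */
const char *last_captured_sample(void) { return last_sample; }

int main(void)
{
    char out[260];
    printf("E:\\ reported as %u (2 = removable)\n", hooked_GetDriveType("E:\\"));
    if (hooked_CopyFile("C:\\tmp\\a.exe", "E:\\a.exe", out, sizeof out))
        printf("copy redirected to %s\n", out);
    return 0;
}
```

In a real hook the same check must be applied to CreateFile (or NtCreateFile) as well, since a worm that opens the destination for writing instead of calling CopyFile would otherwise bypass the redirect.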
File injection module 702, used to inject the DLL file into processes running in the operating system, so that the USB virus performs its drive type query, its copying of virus files and its file creation through the DLL file.
File injection module 702 is further used to create a process status table for recording whether each process running in the operating system has loaded the DLL file; to enumerate the processes running in the operating system and update the process status table; and to load the DLL file into the processes that, according to the process status table, have not loaded it.
Each entry in the process status table corresponds to a process running in the operating system; an entry comprises the process identifier of the corresponding process and the hook state of the corresponding process. The hook state is either hooked or not hooked: hooked means that the process corresponding to the entry has loaded the DLL file, not hooked means that it has not.
The process identifier comprises the process ID, the process handle and the full path of the process.
When updating the process status table, file injection module 702 is further used, for each enumerated process that has no corresponding entry in the process status table, to create a corresponding entry for the process in the table, with the hook state of the created entry initialized to not hooked; and to delete from the process status table the entries that do not correspond to any of the enumerated processes.
When loading the DLL file into the processes that have not loaded it, file injection module 702 is further used to load the DLL file into the process corresponding to each entry whose hook state in the process status table is not hooked, and after loading to change the hook state of that entry to hooked.
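The process status table bookkeeping of module 702 (create, update, load into pending processes), as an added example that is not the patent's own code: the table is a fixed array, the injection step is a callback, and `demo_inject` is a constructed stand-in that refuses PID 4 (a process that cannot be opened), so the reconciliation and state transitions can be exercised without Windows.

```c
/* Added example (not the patent's own code): the process status table of
 * module 702 kept in a fixed array. Injection is a callback; demo_inject
 * is a constructed stand-in that refuses PID 4 (a process it cannot open). */
#include <string.h>

#define MAX_ENTRIES 64
enum hook_state { NOT_HOOKED = 0, HOOKED = 1 };

struct entry {
    unsigned long pid;       /* process ID */
    void *handle;            /* process handle (left NULL in this model) */
    char path[260];          /* full path of the process image */
    enum hook_state state;   /* whether the DLL has been loaded into it */
};

struct status_table { struct entry e[MAX_ENTRIES]; int n; };

static int find_entry(const struct status_table *t, unsigned long pid)
{
    for (int i = 0; i < t->n; i++)
        if (t->e[i].pid == pid) return i;
    return -1;
}

/* Update step: reconcile the table with an enumeration of running processes.
 * PIDs without an entry are added as NOT_HOOKED; entries whose PID was not
 * enumerated are deleted so the table cannot grow without bound.
 * Returns the number of entries added. */
int update_table(struct status_table *t, const unsigned long *pids, int npids)
{
    int added = 0;
    for (int i = 0; i < t->n; ) {            /* drop entries of exited processes */
        int alive = 0;
        for (int j = 0; j < npids && !alive; j++)
            alive = (pids[j] == t->e[i].pid);
        if (alive) { i++; continue; }
        t->e[i] = t->e[--t->n];              /* swap-remove, then re-check slot i */
    }
    for (int j = 0; j < npids; j++) {        /* add newcomers as NOT_HOOKED */
        if (find_entry(t, pids[j]) >= 0 || t->n == MAX_ENTRIES) continue;
        struct entry *e = &t->e[t->n++];
        memset(e, 0, sizeof *e);
        e->pid = pids[j];
        e->state = NOT_HOOKED;
        added++;
    }
    return added;
}

/* Load step: inject into every NOT_HOOKED process; on success the entry
 * becomes HOOKED so the DLL is never loaded twice into one process. A
 * failed injection stays NOT_HOOKED and is retried on the next pass.
 * Returns the number of processes hooked in this pass. */
int hook_pending(struct status_table *t, int (*inject)(unsigned long pid))
{
    int done = 0;
    for (int i = 0; i < t->n; i++) {
        if (t->e[i].state == HOOKED) continue;
        if (inject(t->e[i].pid)) { t->e[i].state = HOOKED; done++; }
    }
    return done;
}

int hooked_count(const struct status_table *t)
{
    int c = 0;
    for (int i = 0; i < t->n; i++) c += (t->e[i].state == HOOKED);
    return c;
}

/* Constructed stand-in for the real injector; PID 4 models a process that
 * OpenProcess would refuse, so its entry stays pending across passes. */
int demo_inject(unsigned long pid) { return pid != 4; }
```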
Those skilled in the art can also make various modifications to the above content without departing from the spirit and scope of the present invention as defined by the claims. Therefore the scope of the present invention is not limited to the above description, but is determined by the scope of the claims.

Claims (26)

1. A method for discovering an unknown USB virus, characterized in that it comprises:
Step 1: creating a dynamic link library file; when the dynamic link library file is executed to query the type of a drive, judging whether the queried drive exists, and if so, returning the type of the queried drive, otherwise replying that the type of the queried drive is removable; when the dynamic link library file is executed to copy a file, judging whether the destination path of the copy exists, and if so, copying the file to the destination path, otherwise copying the file to a specified path;
Step 2: injecting the dynamic link library file into a process running in the operating system, so that the USB virus performs its drive type query and its copying of virus files through the dynamic link library file.
2. The method for discovering an unknown USB virus as claimed in claim 1, characterized in that,
in step 1, when the dynamic link library file is executed to query the type of a drive and the queried drive does not exist, replying that the type of the queried drive is removable further comprises:
Step 21: calling the function of the operating system used to obtain the drive type, to obtain the type of the queried drive.
3. The method for discovering an unknown USB virus as claimed in claim 2, characterized in that
the operating system is a Windows operating system, and
the function of the operating system used to obtain the drive type in step 21 is the GetDriveType function.
4. The method for discovering an unknown USB virus as claimed in claim 1, characterized in that,
in step 1, when the dynamic link library file is executed to copy a file and the destination path of the copy does not exist, copying the file to a specified path further is:
Step 41: judging whether the destination path of the copy does not exist; if so, redirecting the destination path to the specified path and executing step 42; otherwise, executing step 42;
Step 42: calling the function of the operating system used to copy files, to copy the file to the destination path.
5. The method for discovering an unknown USB virus as claimed in claim 4, characterized in that
the operating system is a Windows operating system, and
the function of the operating system used to copy files in step 42 is the CopyFile function.
6. The method for discovering an unknown USB virus as claimed in claim 1, characterized in that
step 1 further comprises: when the dynamic link library file is executed to create a file, if the destination path of the file to be created does not exist, creating the file under a specified path;
step 2 further comprises: injecting the dynamic link library file into a process running in the operating system, so that the USB virus performs its file creation through the dynamic link library file.
7. the method for discovery unknown USB virus as claimed in claim 6 is characterized in that,
When the described dynamic link library file of execution is created file, do not exist in the described step 1, then under specified path further be described document creation if create the destination path of file:
Step 71 judges whether the destination path of described establishment file does not exist, if then described destination path being redirected is described specified path, and execution in step 72, otherwise, execution in step 72;
Step 72 is called the function that is used to create file in the described operating system, creates file under described destination path.
8. the method for discovery unknown USB virus as claimed in claim 7 is characterized in that,
Described operating system is Windows operating system,
The function that is used to create file in the described step 72 in the operating system is CreateFile function or NtCreateFile function.
9. as the method for arbitrary described discovery unknown USB virus in the claim 1 to 8, it is characterized in that,
Described step 2 further is:
Step 91 is created a process status table, whether has loaded described dynamic link library file in order to write down each process of moving in the described operating system;
Step 92 is enumerated the process of moving in the operating system, and upgrades described process status table;
Step 93 does not load in described process status table and loads described dynamic link library file in the process of described dynamic link library file.
10. the method for discovery unknown USB virus as claimed in claim 9 is characterized in that,
The process of moving in the corresponding described operating system of each list item in the described process status table, described list item comprises the process identification (PID) of corresponding process and the state that articulates of corresponding process;
The described state that articulates comprises and articulates and do not articulate that the described corresponding process of the described list item of expression that articulated has loaded described dynamic link library file, and the described corresponding process of the described list item of expression that do not articulate does not load described dynamic link library file.
11. the method for discovery unknown USB virus as claimed in claim 10 is characterized in that,
Described process identification (PID) comprises process ID, process handle and process complete trails.
12. the method for discovery unknown USB virus as claimed in claim 10 is characterized in that,
Upgrading described process status table in the described step 92 further is:
Step 121 for the process of enumerating that does not have corresponding list item in described process status table, is the corresponding list item of described process creation in described process status table, the state that articulates in the described list item is initialized as do not articulate;
Step 122 will be deleted with the not corresponding list item of all processes of enumerating in the described process status table.
13. the method for discovery unknown USB virus as claimed in claim 10 is characterized in that,
Described step 93 further is:
Step 131, the state that articulates in described process status table be for loading described dynamic link library file in the process of the list item correspondence that do not articulate, after the loading state that articulates of described list item changed to articulate.
14. A system for discovering an unknown USB virus, characterized in that it comprises:
a dynamic link library module, used to create a dynamic link library file; when the dynamic link library file is executed to query the type of a drive, judging whether the queried drive exists, and if so, returning the type of the queried drive, otherwise replying that the type of the queried drive is removable; when the dynamic link library file is executed to copy a file, judging whether the destination path of the copy exists, and if so, copying the file to the destination path, otherwise copying the file to a specified path;
a file injection module, used to inject the dynamic link library file into a process running in the operating system, so that the USB virus performs its drive type query and its copying of virus files through the dynamic link library file.
15. The system for discovering an unknown USB virus as claimed in claim 14, characterized in that
the dynamic link library module is further used, when the dynamic link library file is executed to query the type of a drive, to call the function of the operating system used to obtain the drive type, to obtain the type of the queried drive.
16. The system for discovering an unknown USB virus as claimed in claim 15, characterized in that
the operating system is a Windows operating system, and
the function of the operating system used to obtain the drive type is the GetDriveType function.
17. The system for discovering an unknown USB virus as claimed in claim 14, characterized in that
the dynamic link library module is further used, when the dynamic link library file is executed to copy a file, to judge whether the destination path of the copy does not exist; if so, to redirect the destination path to the specified path and call the function of the operating system used to copy files to copy the file to the destination path; otherwise, to call the function of the operating system used to copy files directly to copy the file to the destination path.
18. The system for discovering an unknown USB virus as claimed in claim 17, characterized in that
the operating system is a Windows operating system, and
the function of the operating system used to copy files is the CopyFile function.
19. The system for discovering an unknown USB virus as claimed in claim 14, characterized in that
the dynamic link library module is also used, when the dynamic link library file is executed to create a file, if the destination path of the file to be created does not exist, to create the file under a specified path;
the file injection module is also used to inject the dynamic link library file into a process running in the operating system, so that the USB virus performs its file creation through the dynamic link library file.
20. The system for discovering an unknown USB virus as claimed in claim 19, characterized in that
the dynamic link library module is further used, when the dynamic link library file is executed to create a file, to judge whether the destination path of the file to be created does not exist; if so, to redirect the destination path to the specified path and call the function of the operating system used to create files to create the file under the destination path; otherwise, to call the function of the operating system used to create files directly to create the file under the destination path.
21. The system for discovering an unknown USB virus as claimed in claim 20, characterized in that
the operating system is a Windows operating system, and
the function of the operating system used to create files is the CreateFile function or the NtCreateFile function.
22. The system for discovering an unknown USB virus as claimed in any one of claims 14 to 21, characterized in that
the file injection module is further used to create a process status table for recording whether each process running in the operating system has loaded the dynamic link library file; to enumerate the processes running in the operating system and update the process status table; and to load the dynamic link library file into the processes that, according to the process status table, have not loaded the dynamic link library file.
23. The system for discovering an unknown USB virus as claimed in claim 22, characterized in that
each entry in the process status table corresponds to a process running in the operating system, and the entry comprises the process identifier of the corresponding process and the hook state of the corresponding process;
the hook state is either hooked or not hooked, where hooked indicates that the process corresponding to the entry has loaded the dynamic link library file, and not hooked indicates that the process corresponding to the entry has not loaded the dynamic link library file.
24. The system for discovering an unknown USB virus as claimed in claim 23, characterized in that
the process identifier comprises the process ID, the process handle and the full path of the process.
25. The system for discovering an unknown USB virus as claimed in claim 23, characterized in that
the file injection module is further used, when updating the process status table, for each enumerated process that has no corresponding entry in the process status table, to create a corresponding entry for the process in the process status table, with the hook state of the entry initialized to not hooked; and to delete from the process status table the entries that do not correspond to any of the enumerated processes.
26. The system for discovering an unknown USB virus as claimed in claim 23, characterized in that
the file injection module is further used, when loading the dynamic link library file into the processes that have not loaded it, to load the dynamic link library file into the process corresponding to each entry whose hook state in the process status table is not hooked, and after loading, to change the hook state of the entry to hooked.
CN2008102249422A 2008-10-27 2008-10-27 Method and system for discovering unknown USB virus Expired - Fee Related CN101393591B (en)


Publications (2)

Publication Number Publication Date
CN101393591A CN101393591A (en) 2009-03-25
CN101393591B true CN101393591B (en) 2010-10-27





Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101027

Termination date: 20201027