CN101587521B - method and device for acquiring remote computer information - Google Patents
- Publication number: CN101587521B (application CN200910086688A)
- Authority: CN (China)
- Prior art keywords: function call, call stack, stack, last layer, file operation
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification: Computer And Data Communications; Debugging And Monitoring
Abstract
Embodiments of the invention provide a method and device for acquiring remote computer information. The method includes: when a file operation is monitored, classifying it as a normal file operation or an abnormal file operation; if the normal or abnormal file operation belongs to the system process, judging whether the start address of the thread corresponding to the operation lies in the module of the system process that handles remote file access; and if the start address does lie in that module, acquiring the remote computer information corresponding to the operation from the parameters of the function call stack of the normal or abnormal file operation. Embodiments of the invention can obtain the information of the remote computer behind a remote file operation, raise an accurate alarm the moment a virus intrudes, locate the virus, and so quickly intercept the virus and manage and maintain the virus source.
Description
Technical field
Embodiments of the invention relate to computer technology, and in particular to a method and device for acquiring remote computer information.
Background technology
Some computer viruses are malicious code that attacks remote computers by exploiting operating system vulnerabilities or user accounts with empty or weak passwords; such viruses infect and propagate rapidly within a local area network (LAN) and are difficult to remove completely.
Existing software firewalls can raise an alarm when the local computer sends a network connection request or when a remote computer launches an attack, and a software firewall can obtain remote computer information from the request packets the remote computer sends. A software firewall cannot, however, distinguish whether a request initiated by a remote computer is a normal access or a network attack, so it readily produces false alarms and can even prevent computers in the LAN from communicating normally.
When a remote computer generates a malicious program or modifies a user program on the local computer, existing antivirus software on the local computer can detect the virus and raise an alarm based on behavioural characteristics or virus signatures. This approach removes the virus after identifying it, but cannot learn which remote computer transmitted the virus, so it is very difficult to effectively contain the spread of the virus within the LAN.
Summary of the invention
Embodiments of the invention provide a method and device for acquiring remote computer information, so that after a file operation is monitored it can be distinguished as a normal or an abnormal file operation and the remote computer information can be obtained from the parameters of the function call stack of the file operation. This makes it possible to raise an accurate alarm and locate the virus source the moment a virus intrudes, and so to quickly intercept the virus and maintain the remote computer that launched the attack.
In one aspect, embodiments of the invention provide a method for acquiring remote computer information, the method comprising:
when a file operation is monitored, classifying the file operation as a normal file operation or an abnormal file operation;
if the normal or abnormal file operation belongs to the system process, judging whether the start address of the thread corresponding to the operation lies in the module of the system process that handles remote file access;
if the start address lies in the module that handles remote file access, then:
A. obtaining the stack frame and return address of the current function call stack;
B. if the return address of the current function call stack lies in the module that handles remote file access, obtaining at least one call parameter of the current function call stack from its stack frame;
C. if the at least one call parameter of the current function call stack is a valid data structure pointer, judging whether it matches the data structure type transmitted by remote access;
D. if the at least one call parameter of the current function call stack matches the data structure type, obtaining the remote computer information corresponding to the abnormal file operation from a fixed offset in the memory block the call parameter points to.
In another aspect, embodiments of the invention also provide a device for acquiring remote computer information, the device comprising:
a parsing module, for classifying a monitored file operation as a normal file operation or an abnormal file operation;
a judging module, for judging, if the normal or abnormal file operation belongs to the system process, whether the start address of the thread corresponding to the operation lies in the module of the system process that handles remote file access;
a first obtaining submodule, for obtaining the stack frame and return address of the current function call stack or of the previous-layer (caller's) function call stack;
a first judging submodule, for judging whether the return address of the current or previous-layer function call stack lies in the module that handles remote file access;
a second obtaining submodule, for obtaining, if the return address of the current or previous-layer function call stack lies in the module that handles remote file access, at least one call parameter of that function call stack from its stack frame;
a second judging submodule, for judging whether the at least one call parameter of the current or previous-layer function call stack is a data structure pointer and whether it is valid;
a third judging submodule, for judging, if the at least one call parameter of the current or previous-layer function call stack is a valid data structure pointer, whether it matches the data structure type transmitted by remote access;
a processing submodule, for obtaining, if the at least one call parameter of the current or previous-layer function call stack matches the data structure type transmitted by remote access, the remote computer information corresponding to the operation from a fixed offset in the memory block the call parameter points to;
a control submodule, for controlling the first obtaining submodule to obtain the stack frame and return address of the previous-layer function call stack if the at least one call parameter of the current or previous-layer function call stack is invalid, is not a data structure pointer, or does not match the data structure type.
With the method and device for acquiring remote computer information provided by embodiments of the invention, a monitored file operation is distinguished as normal or abnormal, and the source of the operation is obtained from the call parameters of the function call stack corresponding to the operation. This makes it possible to raise an accurate alarm the moment a virus intrudes and to locate the remote computer behind an abnormal remote file access, so that the virus source is located at the first moment of intrusion, the virus can be intercepted quickly, and the remote computer that launched the attack can be maintained.
Description of drawings
Fig. 1 is a flow chart of a first embodiment of the method for acquiring remote computer information provided by an embodiment of the invention;
Fig. 2 is a flow chart of a second embodiment of the method for acquiring remote computer information provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of the function call stack in memory during a function call according to the invention;
Fig. 4 is a structural diagram of a first embodiment of the device for acquiring remote computer information provided by an embodiment of the invention;
Fig. 5 is a structural diagram of a second embodiment of the device for acquiring remote computer information provided by an embodiment of the invention.
Embodiment
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of the first embodiment of the method for acquiring remote computer information provided by an embodiment of the invention. As shown in Fig. 1, the method comprises the following.
The Windows system handles local and remote file access through file system drivers (FSDs). A remote FSD is divided into a client-side FSD and a server-side FSD: the client-side FSD first receives an I/O request from an application, converts the request into a network file system protocol command, and sends it over the network to the server-side FSD. The server-side FSD listens for network commands, receives the network file system protocol command, and carries it out by issuing I/O requests to the local FSD.
While the I/O requests of the local FSD are being handled, a file system filter driver can monitor in real time whether a file operation occurs, and can further distinguish whether the file operation is a normal or an abnormal file operation. Abnormal file operations may be, for example, generating a new executable file, modifying the content of an executable file, or renaming an executable file; these operations can be distinguished by the behavioural characteristics of viruses.
Because the FSD that handles remote file access on the Windows system is mainly implemented by the srv.sys module, the system starts a system thread in the system process when a remote file access occurs, and the start address of that system thread lies in the srv.sys module. This can therefore be used to judge whether the source of a given file operation is a remote computer.
First, it is judged whether the normal or abnormal file operation belongs to the system process, which can be done from the identifier (ID) of the process performing the file operation. If the file operation occurs in the system process, it is further judged whether the start address of the current thread of the file operation lies in the srv.sys module loaded in the system process; if so, the source of the operation is a remote computer.
If the start address of the current thread corresponding to the normal or abnormal file operation lies in the srv.sys module loaded in the system process, the source of the file operation is a remote computer. Because the remote FSD is in the middle of processing when a remote file operation occurs, the remote computer information is passed as a member of a parameter through each layer of processing function, so the remote computer information can be obtained by analysing the parameters of the function call stack; this information is the Internet Protocol (IP) address or the computer name of the remote computer. For an abnormal file operation, after the corresponding remote computer information has been obtained, an alarm can be raised directly, or the LAN administrator can be notified to manage or maintain the remote computer behind the abnormal file operation. This avoids false alarms on normal file operations and locates the virus source accurately at the first moment a virus intrusion is discovered.
For a normal file operation, after the remote computer information has been obtained, if the normal file operation is later found to carry some risk or to cause other problems, appropriate handling can be applied to the remote computer corresponding to that operation.
In this embodiment, after a file operation is monitored it is distinguished as normal or abnormal, and if the operator is a remote computer, the source of the operation is obtained from the function call parameters corresponding to the file operation. This achieves accurate and timely alarms on abnormal remote file access and locates the remote computer behind the abnormal operation, so that the virus source is located at the first moment of intrusion, the virus can be intercepted quickly, and the source of the virus can be maintained quickly.
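The classification and attribution steps of the first embodiment (is the operation abnormal, does it run in the system process, did its thread start inside srv.sys, and what to do with the result) can be written out as a small decision pipeline. The following C program is an added, user-mode simulation written for this page; it is not the patent's code and not a kernel filter driver. The operation kinds, the extension list used to recognise an "executable file", the System process ID of 4, and every address and path are constructed assumptions, not values taken from the patent.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Kinds of file operation a filter driver might report; constructed for this
 * example, a real filter sees IRP major functions instead. */
typedef enum { OP_CREATE, OP_WRITE, OP_RENAME, OP_READ, OP_DELETE } op_kind_t;

typedef struct {
    op_kind_t   kind;
    const char *path;          /* target file                          */
    const char *new_path;      /* rename destination, NULL otherwise   */
    uint32_t    process_id;    /* process issuing the I/O              */
    uintptr_t   thread_start;  /* start address of the issuing thread  */
} file_op_t;

typedef struct { uintptr_t base; size_t size; } module_range_t;
typedef enum { CLASS_NORMAL, CLASS_ABNORMAL } op_class_t;
typedef enum { ACT_IGNORE, ACT_RECORD, ACT_ALARM } action_t;

/* Assumption: an "executable file" is recognised by its extension alone. */
static bool is_executable_path(const char *p) {
    static const char *const exts[] = { ".exe", ".dll", ".sys", ".scr" };
    const char *dot = p ? strrchr(p, '.') : NULL;
    if (dot == NULL) return false;
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++) {
        const char *a = dot, *b = exts[i];
        while (*a && *b && tolower((unsigned char)*a) == *b) { a++; b++; }
        if (*a == '\0' && *b == '\0') return true;
    }
    return false;
}

/* Step 202: the three behaviours the page names are the abnormal ones. */
op_class_t classify_op(const file_op_t *op) {
    switch (op->kind) {
    case OP_CREATE:                       /* generating a new executable   */
    case OP_WRITE:                        /* modifying executable content  */
        return is_executable_path(op->path) ? CLASS_ABNORMAL : CLASS_NORMAL;
    case OP_RENAME:                       /* renaming an executable        */
        return (is_executable_path(op->path) || is_executable_path(op->new_path))
               ? CLASS_ABNORMAL : CLASS_NORMAL;
    default:
        return CLASS_NORMAL;
    }
}

/* Steps 203 and 206: the operation is attributed to a remote computer only
 * when it runs in the System process AND its thread started inside srv.sys. */
bool is_remote_origin(const file_op_t *op, uint32_t system_pid,
                      const module_range_t *srv) {
    return op->process_id == system_pid &&
           op->thread_start >= srv->base &&
           op->thread_start <  srv->base + srv->size;
}

/* Step 218: record normal remote operations, alarm on abnormal ones. */
action_t decide_action(const file_op_t *op, uint32_t system_pid,
                       const module_range_t *srv) {
    if (!is_remote_origin(op, system_pid, srv)) return ACT_IGNORE;
    return classify_op(op) == CLASS_ABNORMAL ? ACT_ALARM : ACT_RECORD;
}

/* Constructed sample: a pretend srv.sys range and four monitored operations.
 * SYSTEM_PID and the addresses are assumptions, not values from the page. */
#define SYSTEM_PID 4u
static const module_range_t g_srv = { 0x80400000u, 0x40000u };
static const file_op_t g_samples[] = {
    /* SMB server thread creates an .exe: abnormal, remote -> alarm */
    { OP_CREATE, "C:\\Users\\Public\\update.exe", NULL, SYSTEM_PID, 0x80401000u },
    /* SMB server thread writes a document: normal, remote -> record */
    { OP_WRITE,  "C:\\Share\\report.docx", NULL, SYSTEM_PID, 0x80401000u },
    /* local process writes an .exe: not remote -> outside this method */
    { OP_WRITE,  "C:\\Tools\\build.exe", NULL, 1234u, 0x00401000u },
    /* System thread outside srv.sys renames to .exe: not remote -> ignore */
    { OP_RENAME, "C:\\Temp\\x.tmp", "C:\\Temp\\x.exe", SYSTEM_PID, 0x80900000u },
};

action_t decide_sample(size_t i) {
    return decide_action(&g_samples[i], SYSTEM_PID, &g_srv);
}
```

Note that the last two samples are still abnormal by the step 202 rule; the method only declines to attribute them to a remote computer, which is exactly the false-alarm distinction the page draws between a local write and one arriving through the SMB server.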
Fig. 2 is a flow chart of the second embodiment of the method for acquiring remote computer information provided by an embodiment of the invention. As shown in Fig. 2, the method comprises:
Step 201: monitor file operations;
Step 202: classify the file operation as a normal file operation or an abnormal file operation;
Step 203: judge whether the current process corresponding to the normal or abnormal file operation belongs to the system process; if so, go to step 204, otherwise the procedure ends;
Step 204: judge whether the start address and size of the module of the system process that handles remote file access have already been obtained; if so, go to step 206, otherwise go to step 205;
Step 205: obtain the start address and size of the module that handles remote file access;
Step 206: judge whether the thread start address corresponding to the normal or abnormal file operation lies in the module of the system process that handles remote file access; if so, go to step 208, otherwise the procedure ends;
Step 207: obtain the stack frame and return address of the current function call stack;
Step 208: judge whether the return address lies in the module that handles remote file access; if so, go to step 210, otherwise go to step 209;
Step 209: read the stack, obtain the stack frame and return address of the previous-layer function call stack, and go to step 208;
Step 210: obtain a call parameter of the current function call stack from the stack frame;
Step 211: judge whether the call parameter is valid; if so, go to step 214, otherwise go to step 212;
Step 212: judge whether the preset number of call parameters has been reached; if so, go to step 209, otherwise go to step 213;
Step 213: obtain the next call parameter and go to step 210;
Step 214: judge whether the data stored at two fixed offsets of the memory block the call parameter points to are equal; if so, go to step 215, otherwise go to step 212;
Step 215: judge whether the data stored at the fixed offset is a pointer of the corresponding data type to the same valid memory; if so, go to step 216, otherwise go to step 212;
Step 216: judge whether the first double word stored in that valid memory is the SMB packet identifier; if so, go to step 217, otherwise go to step 212;
Step 217: obtain the remote computer information from the fixed offset of the memory block the call parameter points to;
Step 218: if the operation is a normal file operation, record the normal file operation and the corresponding remote computer information; if it is an abnormal file operation, generate an alarm signal.
First, the module that handles remote file access must be obtained, that is, the start address and size of the srv.sys module currently loaded by the system; from these the end address of the srv.sys module can be derived, and it can then be judged whether the thread start address corresponding to the monitored normal or abnormal file operation lies in the srv.sys module. If the operation occurs in the system process and the start address of the thread lies in the srv.sys module, the source of the normal or abnormal file operation is a remote computer. According to the C language calling convention, all parameters are pushed onto the stack, then the return address is pushed before the function is called, and the current stack frame is pushed at the entry of the called function; see Fig. 3, which is a schematic diagram of the function call stack in memory during a function call according to the invention. The stack frame and return address of the current function call stack can thus be obtained, and from them the call relationships and the call parameters of each layer of function call; the call parameters of each layer can be judged in turn, and in each layer the first three call parameters are usually chosen for judgement. According to the calling rules of the remote FSD, when a chosen call parameter in some layer is a data structure pointer, it is first judged whether the call parameter is valid, that is, whether the memory it points to can be read. If the call parameter is valid, it is further judged whether it matches the data structure type transmitted by remote access. The judging method is: first judge whether the data stored at two offsets of the memory block the call parameter points to are equal; if they are equal, continue to judge whether the data stored at the fixed offset is a pointer of the corresponding data type to the same valid memory; if so, judge whether the first double word stored in that valid memory is the Server Message Block (SMB) packet identifier. If it is, the call parameter is the data structure that stores the remote computer information, and the remote computer information is stored at a fixed offset in the memory block it points to. The offsets within the memory block differ between operating systems, but for each operating system they are fixed. The memory at the corresponding offset stores the remote computer information of the file operation, which may be the IP address, the computer name, or other related information; the computer name is saved as a string of at most 16 bytes. Once a call parameter meeting the above conditions is found, the remote computer information can be returned.
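The stack walk of steps 207 to 217 above, together with the frame layout of Fig. 3 and the parameter checks (readable pointer, two equal offsets, pointer to the same valid memory, SMB identifier in the first double word), is shown below as an added C simulation written for this page. It is not the patent's code and does not run in the kernel: the frame chain is modelled as a struct instead of raw stack words, the kernel address-validity check is replaced by a lookup over three sample buffers, and the srv.sys load address, the structure offsets, the computer name and the IP address are all constructed assumptions. The only value taken from outside the page is the SMB identifier itself, which the example takes to be the bytes 0xFF 'S' 'M' 'B' that open an SMB1 header.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Layout assumptions for this simulation only: NOT the real srv.sys load
 * address and NOT the real offsets inside its request structure. */
#define SRV_BASE   0x80400000u  /* pretend load address of srv.sys            */
#define SRV_SIZE   0x00040000u  /* pretend image size of srv.sys              */
#define OFF_HDR_A  0x08         /* two fixed offsets that must both hold      */
#define OFF_HDR_B  0x18         /* the same pointer to the SMB packet         */
#define OFF_NAME   0x20         /* remote computer name, at most 16 bytes     */
#define OFF_IP     0x30         /* remote IPv4 address, 4 bytes               */
#define CTX_SIZE   0x40         /* bytes that must be readable behind a pointer */
#define ARGS_PER_FRAME 3        /* the page examines the first three arguments */

typedef struct { uintptr_t base; size_t size; } module_range_t;

/* One x86 frame as it sits at EBP (Fig. 3): caller's saved EBP, the return
 * address pushed by the call, then the arguments pushed before the call. */
typedef struct frame {
    const struct frame *caller;              /* saved EBP -> previous layer */
    uintptr_t           return_addr;
    uintptr_t           args[ARGS_PER_FRAME];
} frame_t;

typedef struct {
    char    computer_name[17];
    uint8_t ip[4];
} remote_info_t;

/* Constructed sample memory: a fake SMB packet, a context block that will
 * match, and a decoy whose two pointers agree but lead to non-SMB bytes. */
static uint8_t g_packet[CTX_SIZE] = { 0xFF, 'S', 'M', 'B' };
static uint8_t g_ctx[CTX_SIZE];
static uint8_t g_decoy[CTX_SIZE];

/* Stand-in for a kernel address-validity check: only the sample buffers count. */
static bool is_readable(uintptr_t addr, size_t n) {
    const uint8_t *bufs[] = { g_packet, g_ctx, g_decoy };
    for (int i = 0; i < 3; i++) {
        uintptr_t lo = (uintptr_t)bufs[i];
        if (addr >= lo && addr + n <= lo + CTX_SIZE) return true;
    }
    return false;
}

static bool in_module(uintptr_t addr, const module_range_t *m) {
    return addr >= m->base && addr < m->base + m->size;
}

/* Steps 211, 214, 215 and 216 of Fig. 2 applied to one call parameter. */
static bool param_matches(uintptr_t arg, remote_info_t *out) {
    if (!is_readable(arg, CTX_SIZE)) return false;       /* 211: pointer readable?  */
    const uint8_t *ctx = (const uint8_t *)arg;
    uintptr_t a, b;
    memcpy(&a, ctx + OFF_HDR_A, sizeof a);
    memcpy(&b, ctx + OFF_HDR_B, sizeof b);
    if (a != b) return false;                             /* 214: two offsets equal? */
    if (!is_readable(a, 4)) return false;                 /* 215: same valid memory? */
    if (memcmp((const void *)a, "\xFFSMB", 4) != 0)       /* 216: SMB identifier     */
        return false;
    memcpy(out->computer_name, ctx + OFF_NAME, 16);       /* 217: read the info      */
    out->computer_name[16] = '\0';
    memcpy(out->ip, ctx + OFF_IP, 4);
    return true;
}

/* Steps 207-213: walk outward frame by frame, examining arguments only in
 * frames whose return address lies inside srv.sys, until the chain ends. */
static bool find_remote_info(const frame_t *ebp, const module_range_t *srv,
                             remote_info_t *out) {
    for (const frame_t *f = ebp; f != NULL; f = f->caller) {
        if (!in_module(f->return_addr, srv)) continue;   /* 208 -> 209 */
        for (int i = 0; i < ARGS_PER_FRAME; i++)         /* 210 -> 213 */
            if (param_matches(f->args[i], out)) return true;
    }
    return false;
}

/* Builds a two-layer stack and runs the walk; with_srv_frame=false moves the
 * outer return address out of srv.sys, so no information may be returned. */
bool run_demo(bool with_srv_frame, remote_info_t *out) {
    static const uint8_t ip[4] = { 192, 0, 2, 10 };      /* TEST-NET-1 address */
    uintptr_t pkt = (uintptr_t)g_packet, self = (uintptr_t)g_decoy;
    memset(g_ctx, 0, sizeof g_ctx);
    memcpy(g_ctx + OFF_HDR_A, &pkt, sizeof pkt);
    memcpy(g_ctx + OFF_HDR_B, &pkt, sizeof pkt);
    memcpy(g_ctx + OFF_NAME, "WS-SAMPLE-01", 13);
    memcpy(g_ctx + OFF_IP, ip, 4);
    memset(g_decoy, 0, sizeof g_decoy);
    memcpy(g_decoy + OFF_HDR_A, &self, sizeof self);
    memcpy(g_decoy + OFF_HDR_B, &self, sizeof self);
    module_range_t srv = { SRV_BASE, SRV_SIZE };
    /* outer layer: a function in srv.sys; args = bogus pointer, decoy, real */
    frame_t srv_frame = { NULL, SRV_BASE + 0x1234,
                          { 0x1, (uintptr_t)g_decoy, (uintptr_t)g_ctx } };
    if (!with_srv_frame) srv_frame.return_addr = 0x80200000u;
    /* inner layer: local FSD code outside srv.sys, skipped by step 208 */
    frame_t local_frame = { &srv_frame, 0x80100000u, { 0, 0, 0 } };
    memset(out, 0, sizeof *out);
    return find_remote_info(&local_frame, &srv, out);
}
```

Three properties of the page's procedure are visible in the run: the inner frame is skipped because its return address is not in srv.sys, the first two arguments of the srv.sys frame are rejected at step 211 (unreadable pointer) and step 216 (no SMB identifier), and only the third argument yields the name and address. In a real driver the readability test would be a proper address check, the walk would be bounded by the thread's stack limits, and the offsets would have to be chosen per operating system version, as the page itself notes.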
For an abnormal file operation, after the corresponding remote computer information has been obtained, an alarm can be raised directly, or the LAN administrator can be notified to manage or maintain the remote computer behind the abnormal file operation. This avoids false alarms on normal file operations and locates the virus source accurately at the first moment a virus intrusion is discovered.
For a normal file operation, after the remote computer information has been obtained, the normal file operation and its corresponding remote computer information can also be recorded, so that if the operation is later found to carry some risk or to cause other problems, appropriate handling can be applied to the remote computer corresponding to that operation.
In this embodiment, after a file operation is monitored it is classified as normal or abnormal, and if the operator is a remote computer, the remote computer information is obtained from the function call parameters corresponding to the file operation. This achieves accurate alarms on abnormal remote file access and locates the remote computer behind the abnormal operation, so that the virus can be intercepted quickly and the virus source managed; by recording normal file operations, the corresponding operation source can be maintained or managed if a normal file operation is later found to carry some risk.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk, or an optical disc.
Fig. 4 is a structural diagram of the first embodiment of the device for acquiring remote computer information provided by an embodiment of the invention. As shown in Fig. 4, the device comprises a parsing module 1, a judging module 2 and a processing module 3. The parsing module 1 classifies a monitored file operation as a normal file operation or an abnormal file operation; the judging module 2 judges, if the normal or abnormal file operation belongs to the system process, whether the thread start address corresponding to the operation lies in the module of the system process that handles remote file access; and the processing module 3 obtains, if the thread start address lies in the module that handles remote file access, the remote computer information corresponding to the operation from the parameters of the function call stack of the normal or abnormal file operation.
Because the FSD that handles remote file access on the Windows system is mainly implemented by the srv.sys module, the module of the system process that handles remote file access is the srv.sys module. When a remote file access occurs, the system starts a system thread in the system process, and the start address of that system thread lies in the srv.sys module. This can therefore be used to judge whether the source of a given file operation is a remote computer.
While the I/O requests of the local FSD are being handled, a file system filter driver can monitor file operations in real time, and the parsing module 1 can parse these file operations into normal or abnormal file operations; abnormal file operations may be, for example, generating a new executable file, modifying the content of an executable file, or renaming an executable file. The judging module 2 first judges whether the file operation belongs to the system process, which can be done from the identifier (ID) of the current process. If the operation occurs in the system process, the judging module 2 further judges whether the start address of the current thread corresponding to the operation lies in the srv.sys module loaded in the system process; if so, the source of the operation is a remote computer.
If the start address of the current thread corresponding to the operation lies in the srv.sys module loaded in the system process, the source of the operation is a remote computer. Because the remote FSD is in the middle of processing when a remote file operation occurs, the remote computer information is passed as a member of a parameter through each layer of processing function, so the processing module 3 can obtain the remote computer information by analysing the parameters of the function call stack; this information is the Internet Protocol (IP) address or the computer name of the remote computer.
After the remote computer information has been obtained, if the file operation is an abnormal file operation, an alarm can be raised directly and the LAN administrator notified to maintain the source of the abnormal file operation.
This embodiment locates the source of a file operation and can obtain the information of the remote computer performing a remote file operation, so that an accurate alarm can be raised and the remote computer located, and the virus can be intercepted quickly and the virus source removed at the first moment of intrusion.
Fig. 5 is a structural diagram of the second embodiment of the device for acquiring remote computer information provided by an embodiment of the invention. As shown in Fig. 5, the device comprises a parsing module 1, a judging module 2 and a processing module 3, and may further comprise an acquisition module 4, a recording module 5 and an alarm module 6. The acquisition module 4 obtains the start address and size of the module of the system process that handles remote file access; the recording module 5 records a normal file operation and its corresponding remote computer information if the file operation is a normal file operation; and the alarm module 6 generates an alarm signal if the file operation is an abnormal file operation. Further, the judging module 2 may comprise a first judging module 21 and a second judging module 22: the first judging module 21 judges whether the normal or abnormal file operation belongs to the system process, and the second judging module 22 judges whether the start address of the thread corresponding to the operation lies in the module of the system process that handles remote file access. The processing module 3 may further comprise a first obtaining submodule 31, a first judging submodule 32, a second obtaining submodule 33, a second judging submodule 34, a third judging submodule 35 and a processing submodule 36. The first obtaining submodule 31 obtains the stack frame and return address of the current or previous-layer function call stack; the first judging submodule 32 judges whether the return address of the current or previous-layer function call stack lies in the module that handles remote file access; the second obtaining submodule 33 obtains, if that return address lies in the module that handles remote file access, at least one call parameter of the current or previous-layer function call stack from its stack frame; the second judging submodule 34 judges whether the at least one call parameter of the current or previous-layer function call stack is a data structure pointer and whether it is valid; the third judging submodule 35 judges, if the at least one call parameter is a valid data structure pointer, whether it matches the data structure type transmitted by remote access; the processing submodule 36 obtains, if the at least one call parameter matches the data structure type transmitted by remote access, the remote computer information from the offset of the memory block the call parameter points to; and a control submodule 37 controls the first obtaining submodule 31 to obtain the stack frame and return address of the previous-layer function call stack if the at least one call parameter of the current or previous-layer function call stack is invalid, is not a data structure pointer, or does not match the data structure type.
At first, can obtain the start address and the capacity information of srv.sys module by acquisition module 4, and then the end address that draws the srv.sys module, when parsing module 1 parses the file operation that monitors when being normal file operation or abnormal document operation, first judge module 21 judges whether this operation belongs to system process, and whether the start address that 22 of second judge modules are judged the thread that this document operation is corresponding according to the start address and the end address of srv.sys module is in the srv.sys module.If this document operation occurs in the system process and the start address of thread is positioned at the srv.sys module, then the operate source of this document operation is a remote computer.According to the rule of calling of C language, after all parameters are stacked, before function call, can be stacked with calling the return address, at the function entrance place that is called, can current stack frame is stacked, referring to Fig. 
3. The first acquisition submodule 31 obtains the stack frame and return address of the current function call stack, and the first judging submodule 32 judges whether the return address lies in the srv.sys module. If it does, the second acquisition submodule 33 obtains the call parameters of the current function call stack from the stack frame; for each layer, the first three call parameters can be chosen for judgement. According to the calling convention of the remote FSD, at some layer the second judging submodule 34 finds that a call parameter of that layer is a data structure pointer and is valid; the third judging submodule 35 then judges further whether this call parameter meets the type of data structure that remote access transmits. The judgement proceeds as follows: first judge whether the data stored at two constant offset positions of the memory block pointed to by the call parameter are equal; the constant offset positions differ between operating systems, but are fixed for each operating system. If the data stored at the two constant offset positions are equal, continue by judging whether the data stored at the constant offset positions point to the same valid memory of the data type; if so, judge further whether the first double word stored in that valid memory is the package identification of the remote procedure call protocol (Server Message Block, hereinafter SMB). If a call parameter meets all of the above conditions, it is the data structure that stores the remote computer information: the constant offset position stores the remote computer information of the file operation, which may be IP address information, a computer name or other relevant information, and the processing submodule 36 obtains the operation source information from the memory block offset of the data structure pointed to by the call parameter.

If none of the call parameters of the current function call stack meets the above conditions, the control submodule 37 directs the first acquisition submodule 31 to obtain the stack frame and return address of the last (upper) layer of the function call stack, and the call parameters of that layer are subjected to the same judgement. In this way the call parameters of every layer can be judged in turn, three per layer or more as required, until a call parameter meeting the above conditions is found.

After the remote computer information has been obtained, if the file operation is a normal file operation, the logging module 5 can record the normal file operation together with the corresponding remote computer information, so that if the normal file operation is later found to carry some risk, the operation source corresponding to it can be maintained or managed. For an abnormal file operation, the alarm module 6 can produce an alerting signal to notify the user to maintain or manage the remote computer corresponding to the abnormal file operation.
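The stack-walking heuristic described above (steps a to d and the a' to d' loop of the claims), written out as an added example in C; it is not code from the patent or from any product. The session layout and its field offsets, the module address range, the arena used as the memory validity check and the sample call stack are all constructed for this example; a real driver would take the module range from the loaded-module list and the validity check from the kernel memory manager. The example goes slightly beyond the text's single walk by also running the search over a stack whose only in-module layer carries a decoy parameter, so that the negative case is shown too.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SMB_MAGIC 0x424D53FFu      /* first DWORD of an SMB header, "\xFFSMB", little-endian */
#define PARAMS_PER_LAYER 3         /* the description judges the first three parameters per layer */
#define MODULE_BASE 0x80000000u    /* constructed range standing in for srv.sys */
#define MODULE_SIZE 0x00100000u

/* Request block whose first DWORD carries the SMB package identification. */
typedef struct { uint32_t magic; uint8_t body[12]; } smb_request_t;

/* Hypothetical layout of the structure the heuristic hunts for: two fields at constant offsets
   that must be equal and point to the same valid request block, plus the remote computer
   information at a further constant offset. Constructed for the example, not a real OS layout. */
typedef struct {
    uint32_t             flags;
    const smb_request_t *req_a;        /* constant offset 1 */
    const smb_request_t *req_b;        /* constant offset 2, must equal req_a */
    char                 remote_ip[16];
} session_t;

/* One layer of the function call stack: return address plus call parameters. */
typedef struct { uintptr_t return_address; uintptr_t params[PARAMS_PER_LAYER]; } stack_frame_t;

/* Everything a parameter may legitimately point at. A driver would ask the memory manager
   whether an address is valid; here "valid" means inside this arena. */
typedef struct {
    smb_request_t request;
    session_t     session;   /* the genuine structure */
    session_t     decoy;     /* same shape, but its two pointer fields differ */
} arena_t;

static int in_module(uintptr_t addr) {
    return addr >= MODULE_BASE && addr < MODULE_BASE + MODULE_SIZE;
}

static int valid_memory(const arena_t *arena, uintptr_t p, size_t len) {
    uintptr_t lo = (uintptr_t)arena, hi = lo + sizeof *arena;
    return p != 0 && p >= lo && p < hi && len <= hi - p;
}

/* Steps c and d: is the parameter a valid pointer to the structure type remote access transmits? */
static int matches_remote_access_type(const arena_t *arena, uintptr_t p) {
    if (!valid_memory(arena, p, sizeof(session_t))) return 0;
    const session_t *s = (const session_t *)p;
    if (s->req_a != s->req_b) return 0;                                  /* data at the two offsets equal */
    if (!valid_memory(arena, (uintptr_t)s->req_a, sizeof(smb_request_t))) return 0; /* pointing to valid memory */
    return s->req_a->magic == SMB_MAGIC;                                 /* whose first DWORD is the SMB id */
}

/* Steps a/b and the a'..d' loop: walk from the current layer to the upper layers until a parameter
   passes the check, then copy out the remote IP at its constant offset. Returns 1 on success. */
int locate_remote_computer(const arena_t *arena, const stack_frame_t *frames, size_t depth,
                           char *ip_out, size_t ip_len) {
    for (size_t layer = 0; layer < depth; layer++) {
        if (!in_module(frames[layer].return_address)) continue;  /* not a srv.sys frame: go up a layer */
        for (int i = 0; i < PARAMS_PER_LAYER; i++) {
            uintptr_t p = frames[layer].params[i];
            if (!matches_remote_access_type(arena, p)) continue;
            strncpy(ip_out, ((const session_t *)p)->remote_ip, ip_len - 1);
            ip_out[ip_len - 1] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Constructed sample: one SMB request, a genuine session referencing it, a decoy, and a three-layer
   call stack in which only the outermost in-module layer holds the real pointer. */
static arena_t g_arena;
static stack_frame_t g_frames[3];

static void build_sample(void) {
    g_arena.request.magic = SMB_MAGIC;
    g_arena.session.req_a = g_arena.session.req_b = &g_arena.request;
    strcpy(g_arena.session.remote_ip, "192.0.2.10");        /* constructed, documentation range */
    g_arena.decoy.req_a = &g_arena.request;                 /* req_b stays NULL: the fields differ */
    g_frames[0].return_address = 0x90001000u;               /* file system layer, outside the module */
    g_frames[0].params[0] = (uintptr_t)&g_arena.session;    /* ignored: this layer is not srv.sys */
    g_frames[1].return_address = MODULE_BASE + 0x1234u;
    g_frames[1].params[0] = 0x1234u;                        /* not valid memory */
    g_frames[1].params[1] = (uintptr_t)&g_arena.decoy;      /* valid pointer, wrong structure */
    g_frames[2].return_address = MODULE_BASE + 0x5678u;
    g_frames[2].params[1] = (uintptr_t)&g_arena.session;    /* the match */
}

/* Walk the full three-layer stack; returns the recovered IP or NULL. */
const char *demo_remote_ip(void) {
    static char ip[16];
    build_sample();
    return locate_remote_computer(&g_arena, g_frames, 3, ip, sizeof ip) ? ip : NULL;
}

/* Walk a stack made of the decoy layer only; nothing should be found. */
int demo_decoy_only(void) {
    char ip[16];
    build_sample();
    return locate_remote_computer(&g_arena, &g_frames[1], 1, ip, sizeof ip);
}

int main(void) {
    const char *ip = demo_remote_ip();
    printf("remote computer: %s\n", ip ? ip : "(not found)");
    printf("decoy-only stack: %s\n", demo_decoy_only() ? "found" : "not found");
    return 0;
}
```

The order of the three checks matters for robustness: validity of the outer pointer is established before any field is read, and validity of the inner pointer before the magic is read, so a stray integer parameter that happens to look like an address can never cause the walker itself to touch bad memory.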
The present embodiment locates the source of a file operation: it obtains the information of the remote computer performing the remote file operation, so it can accurately raise an alarm and locate the virus source at the very first moment of a virus intrusion, and thereby intercept the virus quickly and manage and maintain the virus source.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (12)
1. A method of obtaining remote computer information, characterized in that it comprises:
When a file operation is monitored, classifying the file operation as a normal file operation or an abnormal file operation;
If the normal file operation or the abnormal file operation belongs to a system process, judging whether the start address of the thread corresponding to the normal file operation or the abnormal file operation is located in the module of the system process that processes remote file access;
If the start address is located in the module that processes remote file access, then:
a. obtaining the stack frame and return address of the current function call stack;
b. if the return address of the current function call stack is in the module that processes remote file access, obtaining at least one call parameter of the current function call stack according to the stack frame of the current function call stack;
c. if the at least one call parameter of the current function call stack is a valid data structure pointer, judging whether the at least one call parameter of the current function call stack meets the type of data structure that remote access transmits;
d. if the at least one call parameter of the current function call stack meets the type of data structure, obtaining the remote computer information corresponding to the abnormal file operation according to the constant offset position of the memory block pointed to by the at least one call parameter of the current function call stack.
2. The method of obtaining remote computer information according to claim 1, characterized in that it further comprises:
If the file operation is a normal file operation, recording the normal file operation and the corresponding remote computer information; if the file operation is an abnormal file operation, producing an alerting signal.
3. The method of obtaining remote computer information according to claim 1 or 2, characterized in that classifying the file operation as a normal file operation or an abnormal file operation comprises:
Classifying the file operation as a normal file operation or an abnormal file operation according to the behavioural characteristics of the file operation; or
Classifying the file operation as a normal file operation or an abnormal file operation according to the file feature code corresponding to the file operation.
4. The method of obtaining remote computer information according to claim 1, characterized in that, before judging whether the start address of the thread corresponding to the normal file operation or the abnormal file operation is located in the module of the system process that processes remote file access, the method further comprises:
Obtaining the start address and size information of the module in the system process that processes remote file access.
5. The method of obtaining remote computer information according to claim 1, characterized in that judging whether the at least one call parameter of the current function call stack meets the type of data structure that remote access transmits comprises:
Judging whether the data stored at two constant offset positions of the memory block pointed to by the at least one call parameter of the current function call stack are equal;
If they are equal, judging whether the data stored at the constant offset positions point to the same valid memory of the data type;
If so, judging whether the first double word stored in the valid memory is the remote procedure call protocol package identification.
6. The method of obtaining remote computer information according to claim 1, characterized in that:
If the at least one call parameter of the current function call stack is invalid, or the at least one call parameter of the current function call stack is not a data structure pointer, or the at least one call parameter does not meet the type of data structure, the following is carried out:
a'. obtaining the stack frame and return address of the last (upper) layer of the function call stack;
b'. if the return address of the last layer of the function call stack is in the module that processes remote file access, obtaining at least one call parameter of the last layer of the function call stack according to the stack frame of the last layer of the function call stack;
c'. if the at least one call parameter of the last layer of the function call stack is a valid data structure pointer, judging whether the at least one call parameter of the last layer of the function call stack meets the type of data structure that remote access transmits; if the at least one call parameter of the last layer of the function call stack is invalid or is not a data structure pointer, returning to a';
d'. if the at least one call parameter of the last layer of the function call stack meets the type of data structure, obtaining the remote computer information corresponding to the abnormal file operation according to the constant offset position of the memory block pointed to by the at least one call parameter of the last layer of the function call stack; if the at least one call parameter of the last layer of the function call stack does not meet the type of data structure, returning to a'.
7. The method of obtaining remote computer information according to claim 6, characterized in that judging whether the at least one call parameter of the last layer of the function call stack meets the type of data structure that remote access transmits comprises:
Judging whether the data stored at two constant offset positions of the memory block pointed to by the at least one call parameter of the last layer of the function call stack are equal;
If they are equal, judging whether the data stored at the constant offset positions point to the same valid memory of the data type;
If so, judging whether the first double word stored in the valid memory is the remote procedure call protocol package identification.
8. A device for obtaining remote computer information, characterized in that it comprises:
A parsing module, used to classify a file operation as a normal file operation or an abnormal file operation when the file operation is monitored;
A judging module, used to judge, if the normal file operation or the abnormal file operation belongs to a system process, whether the start address of the thread corresponding to the normal file operation or the abnormal file operation is located in the module of the system process that processes remote file access;
A first acquisition submodule, used to obtain the stack frame and return address of the current function call stack or of the last layer of the function call stack;
A first judging submodule, used to judge whether the return address of the current function call stack or of the last layer of the function call stack is in the module that processes remote file access;
A second acquisition submodule, used to obtain, if the return address of the current function call stack or of the last layer of the function call stack is in the module that processes remote file access, at least one call parameter of the current function call stack or of the last layer of the function call stack according to the stack frame of the current function call stack or of the last layer of the function call stack;
A second judging submodule, used to judge whether the at least one call parameter of the current function call stack or of the last layer of the function call stack is a data structure pointer and whether it is valid;
A third judging submodule, used to judge, if the at least one call parameter of the current function call stack or of the last layer of the function call stack is a valid data structure pointer, whether the at least one call parameter of the current function call stack or of the last layer of the function call stack meets the type of data structure that remote access transmits;
A processing submodule, used to obtain, if the at least one call parameter of the current function call stack or of the last layer of the function call stack meets the type of data structure that remote access transmits, the remote computer information corresponding to the operation according to the constant offset position of the memory block pointed to by the at least one call parameter of the current function call stack or of the last layer of the function call stack;
A control submodule, used to direct the first acquisition submodule to obtain the stack frame and return address of the last layer of the function call stack if the at least one call parameter of the current function call stack or of the last layer of the function call stack is invalid, or is not a data structure pointer, or does not meet the type of data structure.
9. The device for obtaining remote computer information according to claim 8, characterized in that it further comprises:
A logging module, used to record the normal file operation and the corresponding remote computer information if the file operation is a normal file operation.
10. The device for obtaining remote computer information according to claim 8, characterized in that it further comprises:
An alarm module, used to produce an alerting signal if the file operation is an abnormal file operation.
11. The device for obtaining remote computer information according to claim 8 or 9, characterized in that the judging module comprises:
A first judging module, used to judge whether the normal file operation or the abnormal file operation belongs to a system process;
A second judging module, used to judge whether the start address of the thread corresponding to the normal file operation or the abnormal file operation is located in the module of the system process that processes remote file access.
12. The device for obtaining remote computer information according to claim 8 or 9, characterized in that it further comprises:
An acquisition module, used to obtain the start address and size information of the module in the system process that processes remote file access.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100866889A CN101587521B (en) | 2009-06-17 | 2009-06-17 | method and device for acquiring remote computer information |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101587521A CN101587521A (en) | 2009-11-25 |
CN101587521B true CN101587521B (en) | 2011-12-28 |
Family
ID=41371765
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009100866889A Expired - Fee Related CN101587521B (en) | 2009-06-17 | 2009-06-17 | method and device for acquiring remote computer information |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101587521B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101714931B (en) | 2009-11-26 | 2012-09-19 | 成都市华为赛门铁克科技有限公司 | Early warning method, device and system of unknown malicious code |
US10027693B2 (en) | 2009-11-26 | 2018-07-17 | Huawei Digital Technologies (Cheng Du) Co., Limited | Method, device and system for alerting against unknown malicious codes within a network environment |
CN102591696A (en) * | 2011-01-14 | 2012-07-18 | 中国科学院软件研究所 | Method and system for extracting behavioral data of mobile phone software |
CN102932329B (en) * | 2012-09-26 | 2016-03-30 | 北京奇虎科技有限公司 | A kind of method, device and client device that the behavior of program is tackled |
CN103888447B (en) * | 2014-03-03 | 2017-05-24 | 珠海市君天电子科技有限公司 | Method and device for checking and killing viruses |
US10073809B2 (en) * | 2015-04-27 | 2018-09-11 | Intel Corporation | Technologies for scalable remotely accessible memory segments |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5754762A (en) * | 1997-01-13 | 1998-05-19 | Kuo; Chih-Cheng | Secure multiple application IC card using interrupt instruction issued by operating system or application program to control operation flag that determines the operational mode of bi-modal CPU |
CN101114252A (en) * | 2006-07-25 | 2008-01-30 | 中兴通讯股份有限公司 | Protection method in the time of aberrant management thread |
CN101211309A (en) * | 2006-12-29 | 2008-07-02 | 中兴通讯股份有限公司 | Embedded system progress abnormal tracking position-finding method |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102663274A (en) * | 2012-02-07 | 2012-09-12 | 奇智软件(北京)有限公司 | Method and system for detecting remote computer-invading behavior |
WO2013117148A1 (en) * | 2012-02-07 | 2013-08-15 | 北京奇虎科技有限公司 | Method and system for detecting behaviour of remotely intruding into computer |
CN102663274B (en) * | 2012-02-07 | 2015-12-02 | 北京奇虎科技有限公司 | A kind of method and system detecting the behavior of long-range invasion computing machine |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
TR01 | Transfer of patent right | Effective date of registration: 20180504. Address after: 100097 Jin Yuan, A 5E, business center, 2 East Road, Haidian District, Beijing. Patentee after: Weidian Baihui (Beijing) Information Security Technology Co.,Ltd. Address before: 100097 room 1608, office building, B District, Jin Yuan times shopping centre, 2 East Road, Haidian District, Beijing. Patentee before: Beijing Dongfang Micropoint Information Technology Co.,Ltd. |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20111228 |