CN101599113A - Driver-based malware defence method and device - Google Patents

Driver-based malware defence method and device

Info

Publication number: CN101599113A
Application number: CNA200910086686XA
Authority: CN (China)
Language: Chinese (zh)
Inventor: 郭强
Assignee (current and original): Beijing Dongfang Micropoint Information Technology Co Ltd
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Abstract

The present invention discloses a driver-based malware defence method and device. The method comprises: according to the import table information of a driver, replacing the function address information associated with the system functions to be monitored with the address information of a security-software monitoring function; and using the security-software monitoring function to monitor the execution actions of the driver and issue an alarm when an abnormal action is performed. The device comprises: a replacement processing module, which replaces, according to the import table information of the driver, the function address information associated with the system functions to be monitored with the address information of the security-software monitoring function; and a monitor processing module, which uses the security-software monitoring function installed by the replacement processing module to monitor the execution actions of the driver and issue an alarm when an abnormal action is performed. The invention defends effectively against driver-based malware, operates automatically, is safe and reliable, is difficult for the malware to undo, and does not degrade system performance.

Description

Driver-based malware defence method and device
Technical field
The present invention relates to a driver-based malware defence method and device, and belongs to the field of computer security technology.
Background art
With the wide use of computers, the number and variety of computer viruses has grown rapidly, and with the development of networks in particular their spread and harm have become more serious, causing trouble and loss for computer users. In existing anti-virus protection, as security software has progressively adopted behaviour-based malware detection, malware has progressively moved from user-mode applications to kernel-mode drivers. These malicious programs are loaded into the kernel of the Windows operating system as drivers, and from there destroy or steal user data.
In the prior art, security software takes two main monitoring measures against such drivers. The first is to monitor driver loading and ask the user whether to allow the load when a driver is loaded. The second is to hook the entry code of the system functions to be monitored so that the security software's monitoring code runs first: in execution order the monitoring code runs before the monitored system function and performs a logical check to decide whether the call is legitimate. The first measure, once a malicious driver has been allowed to load, shifts the entire responsibility for the resulting system damage onto the user, and is not automatic. The second measure has several drawbacks. First, because the hook must modify the entry code of the monitored system function so that it jumps into the security software's checking logic, the hook is easy to discover and therefore easy to undo; existing driver-based malware already reads the original kernel file from disk, restores the entry code of the hooked function, lets the function run its original logic, and so evades the security software's monitoring. Second, the hooked system function may also be called frequently by the system itself or by normal kernel modules, and every such call runs the security software's decision logic once, which has a large impact on system performance. In addition, if several products that hook the monitored system functions in this way are installed on the same computer, they can conflict, so that part of the security software stops working or, because the hook's decision logic is not rigorous, the system crashes.
Summary of the invention
The object of the invention is to address the above defects of the prior art by providing a driver-based malware defence method and device that defend effectively against driver-based malware, operate automatically, are safe and reliable, are difficult for the malware to undo, and do not affect system performance.
To achieve the above object, the invention provides a driver-based malware defence method comprising:
replacing, according to the import table information of a driver, the function address information associated with the system functions to be monitored with the address information of a security-software monitoring function; and
using the security-software monitoring function to monitor the execution actions of the driver, and issuing an alarm when an abnormal action is performed.
To achieve the above object, the invention further provides a driver-based malware defence device comprising:
a replacement processing module, which replaces, according to the import table information of a driver, the function address information associated with the system functions to be monitored with the address information of a security-software monitoring function; and
a monitor processing module, which uses the security-software monitoring function installed by the replacement processing module to monitor the execution actions of the driver, and issues an alarm when an abnormal action is performed.
At a point in time before the driver executes, after the system functions to be monitored have been replaced by the security-software monitoring function, that monitoring function can be used to observe whether the driver performs illegal operations; when an executed action is judged to have abnormal behavioural features, an alarm is issued, so that attacks by driver-based malware are defended against effectively. The whole process is completed by the system without any manual control, so the user need not make any judgement for the attack to be prevented; the method is automatic. The invention exploits the fact that a driver must call system functions in order to perform its function, and performs the replacement at a specific point in time; the defence is therefore safe and reliable and difficult for the malware to undo. In addition, the function address information associated with the system functions to be monitored is replaced only once, after which the subsequent logical judgement can be completed without intercepting the system functions themselves repeatedly, so system performance is not affected.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
Fig. 1 is a flowchart of the first embodiment of the driver-based malware defence method of the present invention;
Fig. 2 is a flowchart of the second embodiment of the driver-based malware defence method of the present invention;
Fig. 3 is a flowchart of the third embodiment of the driver-based malware defence method of the present invention;
Fig. 4 is a structural diagram of the first embodiment of the driver-based malware defence device of the present invention;
Fig. 5 is a structural diagram of the second embodiment of the driver-based malware defence device of the present invention;
Fig. 6 is a structural diagram of the third embodiment of the driver-based malware defence device of the present invention.
Detailed description of the embodiments
Fig. 1 is a flowchart of the first embodiment of the driver-based malware defence method of the present invention. As shown in Fig. 1, the method of this embodiment comprises:
Step 101: according to the import table information of the driver, replace the function address information associated with the system functions to be monitored with the address information of the security-software monitoring function.
When a driver is loaded there is a point in time at which the driver has been loaded into the system kernel and its import table information has been parsed and obtained, and the next step is for the driver to call the system functions it needs in order to perform its function. Installing the security-software monitoring function at this point allows the system functions the driver needs to call to be replaced by the monitoring function before the driver executes. The replacement consists of replacing the function address information associated with the system functions to be monitored with the address information of the security-software monitoring function. The monitoring function contains the decision logic, and is subsequently used to judge whether the driver performs abnormal operations.
From basic operating-system knowledge, driver-based malware must call system functions at run time in order to achieve its purpose, and a driver has only two ways of obtaining the system functions it needs: static acquisition and dynamic acquisition. With static acquisition, the driver's source calls the system function directly, and when the driver is compiled the compiler automatically records the system functions it needs in the import table of the driver file. With dynamic acquisition, when the running driver needs a system function it passes the function's name as the input parameter to a function of the MmGetSystemRoutineAddress kind, and the call returns the entry address of the required system function.
For these two ways of obtaining system functions, the present embodiment correspondingly replaces the system functions to be monitored with the security-software monitoring function in two ways. For static acquisition, once the driver has been loaded into the kernel but before the driver module's entry function is called, the driver module's memory is searched and the system functions the driver imports are parsed out of its import table information; for each system function that needs monitoring, its address information is replaced with the address information of the security-software monitoring function, so that when the driver module subsequently calls that system function it actually calls the monitoring function that was put in its place. For dynamic acquisition, every Windows operating system obtains a system function's entry address by calling MmGetSystemRoutineAddress with the function's name, and a driver can reach MmGetSystemRoutineAddress itself only by static acquisition; therefore the function address information for MmGetSystemRoutineAddress in the driver's import table information is replaced with the address information of the security-software monitoring function. When the driver module subsequently calls MmGetSystemRoutineAddress it actually calls the monitoring function, which receives the name of the requested system function and checks whether it is one of the system functions to be monitored; if so, the entry address of the monitoring function is returned to the driver, so that every subsequent call to that monitored system function goes to the monitoring function. (A practitioner should note the limit of this assumption: a driver that locates exports by parsing the kernel image's export directory itself uses neither path, and that case is not addressed here.)
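The static path of step 101, shown as an added example that is not code from the patent or its assignee. The driver image's import table is modelled as an array of (name, address) slots, which is what the loader-filled import address table is; the "system functions", the loader, the driver and the watch list are constructed user-mode stand-ins so the load sequence can run anywhere. Only the slots on the watch list are swapped, and the monitoring functions forward to the saved original, so the driver's result is unchanged while its calls are seen:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): import-table replacement before
 * DriverEntry. Everything below is a constructed user-mode stand-in. */

typedef int (*sysfn_t)(int);

/* constructed stand-ins for ntoskrnl.exe exports a driver might import */
static int sys_PsCreateSystemThread(int a) { return a * 10 + 1; }
static int sys_IoCallDriver(int a)         { return a * 10 + 2; }
static int sys_ExAllocatePool(int a)       { return a * 10 + 3; }

struct export_entry { const char *name; sysfn_t addr; };
static const struct export_entry ntoskrnl_exports[] = {
    { "PsCreateSystemThread", sys_PsCreateSystemThread },
    { "IoCallDriver",         sys_IoCallDriver },
    { "ExAllocatePool",       sys_ExAllocatePool },
};
#define N_EXPORTS (sizeof ntoskrnl_exports / sizeof ntoskrnl_exports[0])

/* the loader's name binding, as the PE loader does for each import slot */
static sysfn_t loader_lookup(const char *name) {
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (strcmp(ntoskrnl_exports[i].name, name) == 0)
            return ntoskrnl_exports[i].addr;
    return NULL;
}

struct import_slot { const char *name; sysfn_t addr; };   /* one IAT entry */

/* ---- security software ---- */
static int calls_seen_PsCreateSystemThread, calls_seen_IoCallDriver;
static sysfn_t orig_PsCreateSystemThread, orig_IoCallDriver;

/* monitoring functions: record the call (the behaviour rules of step 102
 * would run here) and forward to the saved real system function */
static int mon_PsCreateSystemThread(int a) {
    calls_seen_PsCreateSystemThread++;
    return orig_PsCreateSystemThread(a);
}
static int mon_IoCallDriver(int a) {
    calls_seen_IoCallDriver++;
    return orig_IoCallDriver(a);
}

struct watch_entry { const char *name; sysfn_t monitor; sysfn_t *saved_original; };
static const struct watch_entry watch_list[] = {
    { "PsCreateSystemThread", mon_PsCreateSystemThread, &orig_PsCreateSystemThread },
    { "IoCallDriver",         mon_IoCallDriver,         &orig_IoCallDriver },
};
#define N_WATCH (sizeof watch_list / sizeof watch_list[0])

/* step 101, static case: walk the loaded driver's import table once and
 * swap the address of every watched system function for its monitoring
 * function. Unwatched imports (ExAllocatePool here) are left alone, and
 * the system functions themselves are never patched, so other callers
 * pay nothing. Returns the number of slots replaced. */
static int replace_watched_imports(struct import_slot *table, size_t n) {
    int replaced = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t w = 0; w < N_WATCH; w++)
            if (strcmp(table[i].name, watch_list[w].name) == 0
                && table[i].addr != watch_list[w].monitor) {
                *watch_list[w].saved_original = table[i].addr;  /* keep real entry */
                table[i].addr = watch_list[w].monitor;
                replaced++;
            }
    return replaced;
}

/* ---- the driver and its load sequence ---- */
#define N_IMPORTS 3
struct driver_image { struct import_slot imports[N_IMPORTS]; };

/* driver body: it reaches kernel services only through its import slots */
static int driver_entry(struct driver_image *d) {
    int sum = 0;
    for (int i = 0; i < N_IMPORTS; i++)
        sum += d->imports[i].addr(i + 1);
    return sum;
}

static int last_replaced;   /* how many slots the last load patched */

/* load sequence: the loader binds the names; with monitoring on, the
 * security software's load callback patches the table before DriverEntry
 * runs. The driver's result is unchanged because the monitors forward. */
static int load_and_run(int with_monitoring) {
    struct driver_image d = {{
        { "PsCreateSystemThread", NULL },
        { "IoCallDriver",         NULL },
        { "ExAllocatePool",       NULL },
    }};
    for (int i = 0; i < N_IMPORTS; i++)
        d.imports[i].addr = loader_lookup(d.imports[i].name);
    last_replaced = with_monitoring ? replace_watched_imports(d.imports, N_IMPORTS) : 0;
    return driver_entry(&d);
}

int main(void) {
    int plain = load_and_run(0), plain_replaced = last_replaced;
    int monitored = load_and_run(1), monitored_replaced = last_replaced;
    printf("plain: result %d, slots replaced %d\n", plain, plain_replaced);
    printf("monitored: result %d, slots replaced %d, calls seen %d/%d\n",
           monitored, monitored_replaced,
           calls_seen_PsCreateSystemThread, calls_seen_IoCallDriver);
    return 0;
}
```

The two properties the patent claims over inline hooking are visible here: the replacement touches only the loading driver's own table, so the real kernel functions keep their original entry code, and an unwatched import costs nothing extra.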
Step 102: using the security-software monitoring function, monitor the execution actions of the driver, and issue an alarm when an abnormal action is performed.
After step 101, whether the driver obtains system functions dynamically or statically, the security-software monitoring function can be used to monitor the driver's execution actions, that is, to apply a decision process based on behavioural features. Monitoring of a driver's execution actions is illustrated by the following four examples. In practice, whether an executed action is logically normal can be judged against a behaviour knowledge base, and is not limited to the cases below.
Example one: the judgement rule for process injection via a call to the KeInsertQueueApc system function.
The KeInsertQueueApc function has four parameters, the first of which is a pointer to a _KAPC structure. The _KAPC structure is found in Microsoft's public DDK documentation:
    typedef struct _KAPC {
        CSHORT Type;
        CSHORT Size;
        ULONG Spare0;
        struct _KTHREAD *Thread;
        LIST_ENTRY ApcListEntry;
        PKKERNEL_ROUTINE KernelRoutine;
        PKRUNDOWN_ROUTINE RundownRoutine;
        PKNORMAL_ROUTINE NormalRoutine;
        PVOID NormalContext;
        //
        // N.B. The following two members MUST be together.
        //
        PVOID SystemArgument1;
        PVOID SystemArgument2;
        CCHAR ApcStateIndex;
        KPROCESSOR_MODE ApcMode;
        BOOLEAN Inserted;
    } KAPC, *PKAPC, *RESTRICTED_POINTER PRKAPC;
An ApcMode of 1 (UserMode) indicates an abnormal call, namely a driver queuing an APC that will run in user mode inside a process; such a call can be alerted on and refused directly.
Example two: the judgement rule for a direct disk write via a call to IoCallDriver.
IoCallDriver is documented in Microsoft's public DDK and takes two parameters: a pointer to the target device object and a pointer to the request packet (IRP). If the device the target device object pointer refers to is a disk device or a partition device, the data the request packet pointer refers to is analysed; if the request is a write request, the call is illegal, since it may write directly to the disk, and can be alerted on and refused.
Example three: the judgement rule for a call to MmUnmapViewOfSection that releases a process's mapped memory and causes the process to exit.
MmUnmapViewOfSection can release the mapped memory at a specified address in a process's address space, causing the process to exit. A driver should not call this function directly, so when a driver is found to call it directly to release a process's mapped memory, an alarm can be raised immediately.
Example four: recording that an unknown driver calls PsCreateSystemThread to create a system thread, and raising an alarm according to the actions of that system thread.
When an unknown driver calls PsCreateSystemThread, the information about the newly created system thread can be associated with the unknown driver; if other logic later judges that the system thread performs a dangerous action, the associated driver can be named together with the thread when the alarm is raised.
From the above description, at a point in time before the driver executes, after the system functions to be monitored have been replaced by the security-software monitoring function, the present embodiment can use that monitoring function to observe whether the driver performs illegal operations; when an executed action is judged to have abnormal behavioural features, an alarm is issued, so that attacks by driver-based malware are defended against effectively. The whole process is completed by the system without any manual control, so the user need not make any judgement for the attack to be prevented; the method is automatic. The embodiment exploits the fact that a driver must call system functions in order to perform its function, and performs the replacement at a specific point in time; the defence is therefore safe and reliable and difficult to undo. In addition, the embodiment replaces only once the function address information associated with the system functions to be monitored, and only for drivers that the program identifies as unknown or possibly unsafe; the subsequent logical judgement then proceeds on its own, and the monitored system functions are not monitored when called by other drivers, so system performance is not affected.
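The four judgement rules of examples one to four, as an added example that is not code from the patent. Only the fields each rule reads are modelled, in minimal constructed versions of the kernel structures; the field names and constant values follow the public Windows DDK headers (KPROCESSOR_MODE UserMode = 1, FILE_DEVICE_DISK = 7, FILE_DEVICE_KEYBOARD = 11, IRP_MJ_WRITE = 4). The thread registry used for example four is an assumption about how the association between an unknown driver and its system threads could be kept; the patent does not specify it:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): the behaviour rules of step 102
 * over minimal constructed kernel structures. Constants from the DDK. */

enum { KernelMode = 0, UserMode = 1 };                  /* KPROCESSOR_MODE */
enum { FILE_DEVICE_DISK = 0x07, FILE_DEVICE_KEYBOARD = 0x0b };
enum { IRP_MJ_READ = 0x03, IRP_MJ_WRITE = 0x04 };

struct KAPC              { int8_t ApcMode; };           /* only the field read here */
struct DEVICE_OBJECT     { uint32_t DeviceType; };
struct IO_STACK_LOCATION { uint8_t MajorFunction; };
struct IRP               { struct IO_STACK_LOCATION *CurrentStackLocation; };

enum verdict { ALLOW = 0, ALERT_REFUSE = 1, RECORD = 2 };

/* Example one: ApcMode == UserMode means the driver is queuing an APC that
 * will execute inside a user process, the usual kernel-to-user injection. */
static enum verdict judge_KeInsertQueueApc(const struct KAPC *apc) {
    return apc->ApcMode == UserMode ? ALERT_REFUSE : ALLOW;
}

/* Example two: a write IRP sent straight to a disk or partition device
 * bypasses the file system and writes raw sectors. */
static enum verdict judge_IoCallDriver(const struct DEVICE_OBJECT *dev,
                                       const struct IRP *irp) {
    if (dev->DeviceType == FILE_DEVICE_DISK
        && irp->CurrentStackLocation->MajorFunction == IRP_MJ_WRITE)
        return ALERT_REFUSE;
    return ALLOW;
}

/* Example three: releasing a mapping at a chosen address in a process
 * terminates that process; no driver should do this directly. */
static enum verdict judge_MmUnmapViewOfSection(void) {
    return ALERT_REFUSE;
}

/* Example four: thread creation by an unknown driver is recorded, not
 * refused, so a later dangerous action by the thread can be attributed.
 * The registry is an assumption; the patent does not say how it is kept. */
#define MAX_THREADS 16
static struct { uint32_t thread_id; const char *driver; } thread_registry[MAX_THREADS];
static size_t n_threads;

static enum verdict judge_PsCreateSystemThread(uint32_t new_thread_id,
                                               const char *unknown_driver) {
    if (n_threads < MAX_THREADS) {
        thread_registry[n_threads].thread_id = new_thread_id;
        thread_registry[n_threads].driver = unknown_driver;
        n_threads++;
    }
    return RECORD;
}

/* called by whatever logic later flags thread `tid`: returns the driver to
 * name in the alarm, or NULL if no unknown driver created that thread */
static const char *driver_for_thread(uint32_t tid) {
    for (size_t i = 0; i < n_threads; i++)
        if (thread_registry[i].thread_id == tid) return thread_registry[i].driver;
    return NULL;
}

/* constructed sample inputs */
static const struct KAPC sample_user_apc   = { UserMode };
static const struct KAPC sample_kernel_apc = { KernelMode };
static struct IO_STACK_LOCATION sample_write_sl = { IRP_MJ_WRITE };
static struct IO_STACK_LOCATION sample_read_sl  = { IRP_MJ_READ };
static const struct IRP sample_write_irp = { &sample_write_sl };
static const struct IRP sample_read_irp  = { &sample_read_sl };
static const struct DEVICE_OBJECT sample_disk_dev     = { FILE_DEVICE_DISK };
static const struct DEVICE_OBJECT sample_keyboard_dev = { FILE_DEVICE_KEYBOARD };

int main(void) {
    printf("user-mode APC: %d, kernel-mode APC: %d\n",
           judge_KeInsertQueueApc(&sample_user_apc),
           judge_KeInsertQueueApc(&sample_kernel_apc));
    printf("write to disk: %d, read from disk: %d, write to keyboard: %d\n",
           judge_IoCallDriver(&sample_disk_dev, &sample_write_irp),
           judge_IoCallDriver(&sample_disk_dev, &sample_read_irp),
           judge_IoCallDriver(&sample_keyboard_dev, &sample_write_irp));
    printf("direct MmUnmapViewOfSection: %d\n", judge_MmUnmapViewOfSection());
    judge_PsCreateSystemThread(4242, "unknown.sys");
    printf("thread 4242 was created by %s\n", driver_for_thread(4242));
    return 0;
}
```

A real implementation would read the same fields from the live structures passed to the monitoring function; the verdict values here (1 = alert and refuse, 2 = record only) stand in for the patent's "alarm and refuse" and "record and associate" outcomes.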
Fig. 2 is a flowchart of the second embodiment of the driver-based malware defence method of the present invention. As shown in Fig. 2, this embodiment describes in detail how an attack by a malicious program is defended against when the driver calls system functions by static acquisition. Specifically, the method of this embodiment may comprise:
Step 201: according to the system function entry address information in the import table information, obtain the imported function corresponding to that entry address information, judge whether the imported function is a system function to be monitored, and if it is, replace the address information of the imported function with the address information of the security-software monitoring function.
When the driver is loaded there is a point in time at which the driver has been loaded into the system kernel, its import table information has been parsed and obtained, and the function-name information in the import table has been replaced by system function entry addresses (the loader has bound the imports). The next step would be for the driver to call the system functions it needs in order to perform its function.
By searching the driver module's memory, this embodiment finds the imported functions corresponding to those system function entry addresses, that is, the system functions the driver needs to call. In a specific implementation the import module in the import table information may be ntoskrnl.exe, and the imported functions are obtained through that import module. Each imported function is then checked to see whether it is a system function to be monitored; if it is, its address information is replaced with the address information of the security-software monitoring function, so that when the driver module subsequently calls that system function it actually calls the monitoring function put in its place.
Note that the import table information may contain several import modules, while the system functions to be monitored are imported from ntoskrnl.exe; several imported functions are therefore obtained through the ntoskrnl.exe import module, and each is checked in turn to see whether it is a system function to be monitored.
In addition, before replacing, according to the driver's import table information, the function address information associated with the system functions to be monitored with the address information of the security-software monitoring function, this embodiment may further comprise:
registering a module-load callback function for the security-software monitoring function.
The replacement then consists specifically of using the module-load callback function to replace the function address information associated with the system functions to be monitored with the address information of the security-software monitoring function.
The system provides a callback mechanism: when a driver module is loaded, if a callback function has been registered the system calls the registered module-load callback with the information of the module currently being loaded as its parameter (on Windows, PsSetLoadImageNotifyRoutine registers such a callback, and it is invoked for driver images as well as user-mode images). The security software can register a module-load callback of this kind and perform, inside it, the replacement of the system functions to be monitored in the driver module's import table.
Step 202: call the security-software monitoring function according to its address information.
When the driver executes and again needs to call a system function to be monitored, it now calls the security-software monitoring function, so the driver's subsequent execution actions are effectively monitored.
Step 203: using the security-software monitoring function, monitor the execution actions of the driver, and issue an alarm when an abnormal action is performed.
At a point in time before a driver that obtains system functions statically executes, after the system functions to be monitored have been replaced by the security-software monitoring function, this embodiment can use that monitoring function to observe whether the driver performs illegal operations; when an executed action is judged to have abnormal behavioural features, an alarm is issued, so that attacks by driver-based malware are defended against effectively. The method of this embodiment is automatic, safe and reliable, difficult to undo, and does not affect system performance.
Fig. 3 is a flowchart of the third embodiment of the driver-based malware defence method of the present invention. As shown in Fig. 3, this embodiment describes in detail how an attack by a malicious program is defended against when the driver calls system functions by dynamic acquisition. Specifically, the method of this embodiment may comprise:
Step 301: judge whether the import table information contains the function used to obtain system function entry addresses, and if it does, replace the address information of that function with the address information of the security-software monitoring function.
For dynamic acquisition of system functions, every Windows operating system obtains the entry address of a system function by calling MmGetSystemRoutineAddress with the name of the required system function, and a driver can obtain MmGetSystemRoutineAddress itself only by static acquisition, that is, the function name MmGetSystemRoutineAddress is written into the driver when the driver is written. Therefore, when the driver's import table information is obtained, a search can determine whether the function MmGetSystemRoutineAddress is present; if it is, this embodiment replaces its address information with the address information of the security-software monitoring function. When the driver later calls MmGetSystemRoutineAddress to obtain the entry address of a system function, it actually calls the monitoring function.
Step 302: call the security-software monitoring function according to its address information; judge whether the system function entry address obtained by the monitoring function corresponds to a system function to be monitored, and if so, return the entry address of the security-software monitoring function to the driver, so that the driver calls the monitoring function through that entry address.
When the driver calls through the replaced address information, it reaches the monitoring function corresponding to that address. The monitoring function judges, from the system function entry address it obtains, whether the requested system function is one to be monitored; this is implemented by having the monitoring function filter on the function name. If it is, the entry address of the monitoring function is returned to the driver, so that when the driver subsequently calls the monitored system function it calls the monitoring function through that entry address. If it is not, the entry address of the real system function is returned to the driver.
Step 303: using the security-software monitoring function, monitor the execution actions of the driver, and issue an alarm when an abnormal action is performed.
In addition, before replacing, according to the driver's import table information, the address information of the function used to obtain system function entry addresses with the address information of the security-software monitoring function, this embodiment may further comprise:
registering a module-load callback function for the security-software monitoring function.
The replacement then consists specifically of using the module-load callback function to replace the function address information associated with the system functions to be monitored with the address information of the security-software monitoring function.
The system provides a callback mechanism: when a driver module is loaded, if a callback function has been registered the system calls the registered module-load callback with the information of the module currently being loaded as its parameter. The security software can register such a module-load callback and perform, inside it, the replacement of the import-table function associated with the system functions to be monitored in the driver module.
At a point in time before a driver that obtains system functions dynamically executes, after the address information of the function used to obtain system function entry addresses has been replaced by the address information of the security-software monitoring function, this embodiment can use the monitoring function to judge whether the entry address to be returned is that of a system function to be monitored and, if it is, return the entry address of the monitoring function to the driver instead. The monitoring function can then observe whether the driver performs illegal operations; when an executed action is judged to have abnormal behavioural features, an alarm is issued, so that attacks by driver-based malware are defended against effectively. The method of this embodiment is automatic, safe and reliable, difficult to undo, and does not affect system performance.
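The dynamic path of steps 301 and 302 (and the same mechanism as described under the first embodiment), shown as an added example that is not code from the patent. The driver imports only MmGetSystemRoutineAddress statically and resolves everything else by name at run time, so replacing that single import puts every name lookup through the security software's filter; the resolver, the two system functions and the driver are constructed user-mode stand-ins, and the watched function is handled with the rule of example three (alert and refuse):

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): filtering dynamic lookups by
 * replacing the driver's one static import. All stand-ins are constructed. */

typedef int (*sysfn_t)(int);
typedef sysfn_t (*resolver_t)(const char *name);

/* constructed stand-ins for two kernel exports */
static int sys_MmUnmapViewOfSection(int a) { return a + 100; }
static int sys_ExFreePool(int a)           { return a + 200; }

/* stand-in for the kernel's real MmGetSystemRoutineAddress */
static sysfn_t real_MmGetSystemRoutineAddress(const char *name) {
    if (strcmp(name, "MmUnmapViewOfSection") == 0) return sys_MmUnmapViewOfSection;
    if (strcmp(name, "ExFreePool") == 0)           return sys_ExFreePool;
    return NULL;                                   /* unknown export */
}

/* ---- security software ---- */
static int alerts;          /* alarms raised so far */
static int lookups_seen;    /* name lookups that passed through the filter */

/* monitoring function handed out instead of the watched system function.
 * Per example three, a driver has no business calling MmUnmapViewOfSection
 * directly, so the call is alerted and refused without forwarding. */
static int mon_MmUnmapViewOfSection(int a) {
    (void)a;
    alerts++;
    return -1;              /* refused; the real function is never reached */
}

/* step 302: the filter now sitting in the driver's MmGetSystemRoutineAddress
 * import slot. A watched name yields the monitoring function's entry
 * address; any other name yields the real address unchanged. */
static sysfn_t mon_MmGetSystemRoutineAddress(const char *name) {
    sysfn_t real = real_MmGetSystemRoutineAddress(name);
    lookups_seen++;
    if (real != NULL && strcmp(name, "MmUnmapViewOfSection") == 0)
        return mon_MmUnmapViewOfSection;
    return real;
}

/* ---- the driver ---- */
struct driver_image { resolver_t MmGetSystemRoutineAddress; };  /* its one static import */

/* driver body: obtains the functions it wants by name, then calls them */
static int driver_entry(struct driver_image *d) {
    sysfn_t unmap = d->MmGetSystemRoutineAddress("MmUnmapViewOfSection");
    sysfn_t free_pool = d->MmGetSystemRoutineAddress("ExFreePool");
    if (unmap == NULL || free_pool == NULL) return -1;
    return unmap(1) + free_pool(1);
}

/* step 301: the single static import is swapped before DriverEntry runs */
static int load_and_run(int with_monitoring) {
    struct driver_image d = { real_MmGetSystemRoutineAddress };
    if (with_monitoring)
        d.MmGetSystemRoutineAddress = mon_MmGetSystemRoutineAddress;
    return driver_entry(&d);
}

int main(void) {
    int plain = load_and_run(0);
    int monitored = load_and_run(1);
    printf("plain: %d, monitored: %d, lookups filtered: %d, alerts: %d\n",
           plain, monitored, lookups_seen, alerts);
    return 0;
}
```

The unwatched lookup (ExFreePool) returns the real address, so the driver's later calls to it run at full speed with no monitoring function in the path; only the watched name is redirected.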
Fig. 4 is the structural representation of driven malware defence device first embodiment of the present invention, and as shown in Figure 4, the device of present embodiment comprises: replacement processing module 1 and monitor processing module 2.Wherein, replacement processing module 1 is used for the importing table information according to driver, and the function address information relevant with the system function of required monitoring is replaced with the address information that fail-safe software is monitored function; The fail-safe software that monitor processing module 2 is used to use after replacement processing module 1 is replaced is monitored function, monitors the execution action of described driver, and sends warning message when carrying out remarkable action.
When driver loads, can have a time point, at this moment between on the point, driver has been loaded in the system kernel, by resolving the importing table information that also gets access to this driver, next step is exactly the required system function of call driver, thereby realizes driving function.Point is installed fail-safe software monitoring function at this moment, can before driver is carried out the required system function that calls of driver be replaced with fail-safe software monitoring function.This replacement process promptly can be the address information that the function address information relevant with the system function of required monitoring is replaced with fail-safe software monitoring function.This fail-safe software monitoring function has logic judging function, can judge according to this fail-safe software monitoring function whether driver has carried out abnormal operation follow-up.
According to the ABC of operating system as can be known, driven malware will be realized its function, must be at its run time call system function.Have only two kinds and driver calls the mode of required system function, a kind of is the mode that static state is obtained the required system function that calls; Another kind is a mode of dynamically obtaining the required system function that calls.Mode for static state is obtained when writing this driver, needs direct calling system function, and when this driver of compiling, the information of the system function that compiler can call needs automatically is kept in the importing table that drives file.And for the mode of dynamically obtaining, in the driver operational process, when needing the calling system function, this system function name can be referred to as the input parameter of this class function of MmGetSystemRoutineAddress, by calling this class function of MmGetSystemRoutineAddress, the entry address that obtains the required system function that calls.
Corresponding to the two ways in which a driver obtains system functions, this embodiment can replace the system functions to be monitored with the security-software monitoring function in two ways. For the static way: after the driver has been loaded into the kernel and before the entry function of the driver module is called, the function name information in the import table has already been replaced by the loader with the entry addresses of the system functions. At this point the replacement processing module 1 searches the memory of the driver module, parses from its import table information the system functions the driver imports and, for each system function that needs to be monitored, replaces its address information with the address information of the security-software monitoring function, so that when the driver module later calls that system function it is actually the monitoring function that is called. For the dynamic way: Windows obtains the entry address of a system function by calling MmGetSystemRoutineAddress with the name of the required function, and a driver can itself only reach MmGetSystemRoutineAddress in the static way, that is, through its import table. The replacement processing module 1 therefore replaces the function address information of MmGetSystemRoutineAddress in the driver's import table with the address information of the security-software monitoring function. When the driver module subsequently calls MmGetSystemRoutineAddress it actually calls the monitoring function, which obtains the name of the
system function being requested, judges whether it is one of the system functions to be monitored and, if so, feeds back the entry address of the monitoring function to the driver, so that every later call to that system function is likewise a call to the security-software monitoring function.
Whether the driver obtains system functions dynamically or statically, the monitor processing module 2 uses the security-software monitoring function to monitor the execution actions of the driver, that is, it performs a decision process based on behaviour features. The monitoring of the driver's execution actions can be illustrated by the four examples given in the method embodiments. In practice, whether an execution action is logically normal is judged against a behaviour knowledge base and is not limited to those situations.
As described above, the replacement processing module of this embodiment replaces the system functions to be monitored with the security-software monitoring function at a point in time before the driver executes; the monitor processing module can then use the monitoring function to monitor whether the driver performs illegal operations, and issues an alarm message when an execution action is judged to have abnormal behaviour features, thereby effectively defending against attacks by driver-type malware. This embodiment is carried out by the system itself without any manual intervention, so the user need not make any judgement for the attack to be effectively prevented, which makes it intelligent. It makes full use of the fact that a driver must call system functions to realise its function and performs the replacement at a specific point in time, so the defence is reliable and hard to undo. In addition, the function address information related to the system functions to be monitored needs to be replaced only once for all subsequent logic decisions to take place, without calling system functions repeatedly, so system performance is not affected.
Fig. 5 is a schematic structural diagram of the second embodiment of the driver-type malware defence device of the present invention. As shown in Fig. 5, the device of this embodiment comprises a replacement processing module 1 and a monitor processing module 2. The replacement processing module 1 replaces, according to the import table information of a driver, the function address information related to the system functions to be monitored with the address information of the security-software monitoring function; the monitor processing module 2 uses the security-software monitoring function installed by the replacement processing module 1 to monitor the execution actions of the driver, and issues an alarm message when an abnormal action is performed.
Further, to defend effectively against malware when the driver calls system functions in the static way, the replacement processing module 1 of the device of this embodiment may comprise a first acquiring unit 11, a first judging unit 12 and a first replacing processing unit 13. The first acquiring unit 11 obtains, according to the system function entry address information in the import table information, the import functions corresponding to that entry address information; the first judging unit 12 judges whether an import function obtained by the first acquiring unit 11 is a system function to be monitored; the first replacing processing unit 13 replaces, when the first judging unit 12 judges that the import function is a system function to be monitored, the address information of the import function with the address information of the security-software monitoring function.
Specifically, when a driver is loaded there is a point in time at which the driver has already been loaded into the system kernel, its import table information has been parsed and obtained, and the function name information in the import table has been replaced by system function entry address information; the next step is for the driver to call the system functions it needs in order to realise its functionality.
In this embodiment the first acquiring unit 11 can search the memory of the driver module to find the import functions corresponding to the system function entry address information, that is, the system functions the driver needs to call. In a specific implementation the import module in the import table information can be ntoskrnl.exe, and the import functions can be obtained from that import module. The first judging unit 12 then judges whether an import function is a system function that needs monitoring; if it is, the first replacing processing unit 13 replaces the address information of that system function with the address information of the security-software monitoring function, so that when the driver module later calls that system function it is actually the monitoring function that is called.
It should be noted that the import table information may contain several import modules, and that the system functions to be monitored are imported from ntoskrnl.exe; therefore several import functions can be obtained from the ntoskrnl.exe import module, and each of them is judged in turn as to whether it is a system function to be monitored.
When the driver executes and needs to call a system function to be monitored, it calls the security-software monitoring function instead, so that the subsequent execution actions of the driver are effectively monitored.
The monitor processing module 2 uses the security-software monitoring function to monitor the execution actions of the driver, and issues an alarm message when an abnormal action is performed.
In the device of this embodiment, at a point in time before a driver that obtains system functions in the static way executes, the system functions to be monitored are replaced with the security-software monitoring function; the monitor processing module can then use the monitoring function to monitor whether the driver performs illegal operations, and issues an alarm message when an execution action is judged to have abnormal behaviour features, thereby effectively defending against attacks by driver-type malware. The device of this embodiment is intelligent, its defence is reliable and hard to undo, and it does not affect system performance.
Fig. 6 is a schematic structural diagram of the third embodiment of the driver-type malware defence device of the present invention. As shown in Fig. 6, the device of this embodiment comprises a replacement processing module 1 and a monitor processing module 2. The replacement processing module 1 replaces, according to the import table information of a driver, the function address information related to the system functions to be monitored with the address information of the security-software monitoring function; the monitor processing module 2 uses the security-software monitoring function installed by the replacement processing module 1 to monitor the execution actions of the driver, and issues an alarm message when an abnormal action is performed.
Further, to defend effectively against malware when the driver calls system functions in the dynamic way, the replacement processing module 1 of the device of this embodiment may comprise a second judging unit 14 and a second replacing processing unit 15. The second judging unit 14 judges whether the import table information contains the function used to obtain system function entry addresses; the second replacing processing unit 15 replaces, when the second judging unit 14 judges that the import table information contains such a function, the address information of that function with the address information of the security-software monitoring function.
Further, the device of this embodiment may also comprise a call processing unit 3, which calls the security-software monitoring function according to its address information, judges whether the system function entry address obtained by the monitoring function corresponds to a system function to be monitored and, if so, feeds back the entry address of the monitoring function to the driver, so that subsequent calls reach the monitoring function through that entry address and the monitor processing module can perform its monitoring.
Specifically, the second judging unit 14 judges whether the import table information contains the function used to obtain system function entry addresses, and when it does, the second replacing processing unit 15 replaces the address information of that function with the address information of the security-software monitoring function.
In the dynamic way of obtaining system functions, all Windows operating systems obtain the entry address of a system function by calling MmGetSystemRoutineAddress with the name of the required function, and a driver can only call MmGetSystemRoutineAddress in the static way, that is, the call is written into the driver when the driver is authored and the function therefore appears in its import table. Consequently, once the import table information of the driver has been obtained, a search determines whether the function MmGetSystemRoutineAddress is present; when it is, the second replacing processing unit 15 replaces the address information of MmGetSystemRoutineAddress with the address information of the security-software monitoring function. When the driver later calls MmGetSystemRoutineAddress to obtain the entry address of a system function, it is actually the monitoring function that is called.
The call processing unit 3 calls the security-software monitoring function corresponding to the replaced address information. The monitoring function judges whether the system function being requested is a system function to be monitored; this is implemented by filtering on the function name inside the monitoring function. If it is, the entry address of the monitoring function is fed back to the driver, so that the driver's subsequent calls to that monitored system function reach the monitoring function through that entry address. If it is not, the entry address of the real system function is returned to the driver.
The monitor processing module 2 uses the security-software monitoring function to monitor the execution actions of the driver, and issues an alarm message when an abnormal action is performed.
In this embodiment, at a point in time before a driver that obtains system functions in the dynamic way executes, the address information of the function used to obtain system function entry addresses is replaced with the address information of the security-software monitoring function; the monitoring function can then judge whether the entry address to be fed back to the driver is that of a system function to be monitored and, if so, feed back its own entry address instead, so that the monitoring function can be used to monitor whether the driver performs illegal operations, and an alarm message is issued when an execution action is judged to have abnormal behaviour features, thereby effectively defending against attacks by driver-type malware. The device of this embodiment is intelligent, its defence is reliable and hard to undo, and it does not affect system performance.
It should be noted that the second and third embodiments of the driver-type malware defence device of the present invention can also be combined in one system, so that the device can effectively defend both against malicious attacks by drivers that obtain system functions in the static way and against malicious attacks by drivers that obtain them in the dynamic way.
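As an added example, not code from the patent or from the assignee, the following portable C model shows the combination just described, covering both the static route of the second embodiment (Fig. 5) and the dynamic route of the third embodiment (Fig. 6): a replacement module that walks a driver's import table once, swapping the system functions to be monitored for security-software stubs and the name-based resolver for a filtering hook, and a monitoring function that applies a behaviour rule and raises an alarm. Everything is simulated in user mode so it runs anywhere. The kernel "exports" SimCreateFile, SimTerminateProcess and SimAllocatePool, the resolver SimGetSystemRoutineAddress standing in for MmGetSystemRoutineAddress, the driver evil.sys, the process name security_software.exe and the single behaviour rule are all constructed for this example and are not taken from the page.

```c
#include <stdio.h>
#include <string.h>

/* One prototype for all simulated system routines, so one stub shape fits them all. */
typedef int (*sysfn_t)(const char *caller, const char *arg);
typedef sysfn_t (*resolver_t)(const char *name);
typedef void (*generic_fn)(void);                       /* what an IAT slot holds */

/* Simulated kernel exports (stand-ins for ntoskrnl.exe routines). */
static int sys_create_file(const char *c, const char *a)       { (void)c; (void)a; return 0; }
static int sys_terminate_process(const char *c, const char *a) { (void)c; (void)a; return 0; }
static int sys_allocate_pool(const char *c, const char *a)     { (void)c; (void)a; return 0; }
static const struct { const char *name; sysfn_t fn; } g_exports[] = {
    { "SimCreateFile", sys_create_file }, { "SimTerminateProcess", sys_terminate_process },
    { "SimAllocatePool", sys_allocate_pool } };
/* Stand-in for MmGetSystemRoutineAddress: routine name in, entry address out. */
static sysfn_t sim_get_system_routine_address(const char *name) {
    for (size_t i = 0; i < sizeof g_exports / sizeof g_exports[0]; i++)
        if (strcmp(g_exports[i].name, name) == 0) return g_exports[i].fn;
    return NULL;
}

/* Security software: alarm state, assumed behaviour rule, monitoring function. */
static int g_alerts; static char g_last_alert[128];
static int is_abnormal(const char *routine, const char *arg) {  /* rule: killing the security software */
    return strcmp(routine, "SimTerminateProcess") == 0 && strcmp(arg, "security_software.exe") == 0;
}
static int monitor(const char *routine, sysfn_t real, const char *caller, const char *arg) {
    if (!is_abnormal(routine, arg)) return real(caller, arg);   /* normal: pass through */
    g_alerts++;                                                  /* abnormal: alarm and block */
    snprintf(g_last_alert, sizeof g_last_alert, "%s: %s(%s) blocked", caller, routine, arg);
    return -1;
}
/* One stub per monitored routine, so the monitor knows which routine it stands in for. */
#define MONITOR_STUB(ident, rname, real) \
    static int ident(const char *c, const char *a) { return monitor(rname, real, c, a); }
MONITOR_STUB(mon_create_file, "SimCreateFile", sys_create_file)
MONITOR_STUB(mon_terminate_process, "SimTerminateProcess", sys_terminate_process)
static const struct { const char *name; sysfn_t stub; } g_monitored[] = {
    { "SimCreateFile", mon_create_file }, { "SimTerminateProcess", mon_terminate_process } };
/* Judging unit: the stub for a routine that is to be monitored, else NULL. */
static sysfn_t monitor_stub_for(const char *name) {
    for (size_t i = 0; i < sizeof g_monitored / sizeof g_monitored[0]; i++)
        if (strcmp(g_monitored[i].name, name) == 0) return g_monitored[i].stub;
    return NULL;
}
/* Resolver hook (dynamic route): filter by name, feed back the stub's entry address
 * for a monitored routine and the real entry address for anything else. */
static sysfn_t hooked_get_system_routine_address(const char *name) {
    sysfn_t stub = monitor_stub_for(name);
    return stub ? stub : sim_get_system_routine_address(name);
}

/* Simulated driver image: name table written by the compiler, IAT filled by the loader. */
#define IAT_SLOTS 3
struct driver_image { const char *name; const char *import_names[IAT_SLOTS]; generic_fn iat[IAT_SLOTS]; };
/* Loader step: names become entry addresses before the driver's entry function runs. */
static void resolve_imports(struct driver_image *drv) {
    for (int i = 0; i < IAT_SLOTS; i++)
        drv->iat[i] = strcmp(drv->import_names[i], "SimGetSystemRoutineAddress") == 0
                    ? (generic_fn)sim_get_system_routine_address
                    : (generic_fn)sim_get_system_routine_address(drv->import_names[i]);
}
/* Replacement processing module: walk the IAT once, swap monitored routines for their
 * stubs and the resolver for its hook. Returns slots changed; a second pass returns 0. */
static int replace_imports(struct driver_image *drv) {
    int changed = 0;
    for (int i = 0; i < IAT_SLOTS; i++) {
        const char *n = drv->import_names[i];
        generic_fn target = strcmp(n, "SimGetSystemRoutineAddress") == 0
                          ? (generic_fn)hooked_get_system_routine_address
                          : (generic_fn)monitor_stub_for(n);
        if (target && drv->iat[i] != target) { drv->iat[i] = target; changed++; }
    }
    return changed;
}
/* Constructed sample driver: unmonitored and monitored routines reached through the IAT,
 * and a third routine resolved by name at run time. */
static int sim_driver_entry(struct driver_image *drv) {
    ((sysfn_t)drv->iat[0])(drv->name, "256");                               /* static, unmonitored */
    ((sysfn_t)drv->iat[2])(drv->name, "C:\\Windows\\evil.dat");             /* static, monitored */
    sysfn_t terminate = ((resolver_t)drv->iat[1])("SimTerminateProcess");   /* dynamic */
    return terminate(drv->name, "security_software.exe");
}
/* Whole scenario; returns the number of alarms raised during the driver's run. */
static int simulate(int install_hooks) {
    struct driver_image d = { "evil.sys",
        { "SimAllocatePool", "SimGetSystemRoutineAddress", "SimCreateFile" }, { 0 } };
    g_alerts = 0; g_last_alert[0] = '\0';
    resolve_imports(&d);                    /* loader */
    if (install_hooks) replace_imports(&d); /* replacement processing module */
    sim_driver_entry(&d);                   /* driver runs, monitored or not */
    return g_alerts;
}

int main(void) {
    printf("without replacement: %d alarm(s)\n", simulate(0));
    printf("with replacement: %d alarm(s), %s\n", simulate(1), g_last_alert);
}
```

Two points the patent text leaves implicit are visible here. First, a single monitoring function cannot simply be fed back for every monitored name: when it is later called it must know which system function it replaced and match that function's prototype, so the model generates one stub per monitored routine (a kernel implementation needs the same, with each stub matching the real routine's exact prototype and calling convention). Second, replace_imports compares before writing and reports zero changes on a second pass, which is what makes the one-time replacement at load time cheap and lets a later integrity pass distinguish "already hooked" from "restored by the malware". The model also shows the limit noted earlier: the driver's SimAllocatePool call is never seen, and a driver that found SimTerminateProcess without either the import table or the resolver would not be seen at all.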
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may still be modified or its features replaced by equivalents, and that such modifications or equivalent replacements do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the present invention.

Claims (11)

1. A driver-type malware defence method, characterised by comprising:
replacing, according to import table information of a driver, function address information related to a system function to be monitored with address information of a security-software monitoring function;
using said security-software monitoring function to monitor execution actions of said driver, and issuing an alarm message when an abnormal action is performed.
2. The driver-type malware defence method according to claim 1, characterised in that said replacing, according to import table information of a driver, function address information related to a system function to be monitored with address information of a security-software monitoring function comprises:
obtaining, according to system function entry address information in said import table information, an import function corresponding to said system function entry address information, judging whether said import function is a system function to be monitored, and, when said import function is a system function to be monitored, replacing address information of said import function with address information of said security-software monitoring function.
3. The driver-type malware defence method according to claim 2, characterised in that, before said using said security-software monitoring function to monitor execution actions of said driver, the method further comprises:
calling said security-software monitoring function according to address information of said security-software monitoring function.
4. The driver-type malware defence method according to claim 1, characterised in that said replacing, according to import table information of a driver, function address information related to a system function to be monitored with address information of a security-software monitoring function comprises:
judging whether said import table information contains a function used to obtain system function entry addresses, and, when it does, replacing address information of said function used to obtain system function entry addresses with address information of said security-software monitoring function.
5. The driver-type malware defence method according to claim 4, characterised in that, before said using said security-software monitoring function to monitor execution actions of said driver, the method further comprises:
calling said security-software monitoring function according to address information of said security-software monitoring function, judging whether a system function entry address obtained by said security-software monitoring function corresponds to a system function to be monitored, and, if so, feeding back an entry address of said security-software monitoring function to said driver, for said driver to call said security-software monitoring function according to the entry address of said security-software monitoring function.
6. The driver-type malware defence method according to any one of claims 1 to 5, characterised in that, before said replacing, according to import table information of a driver, function address information related to a system function to be monitored with address information of a security-software monitoring function, the method further comprises:
registering a module-load callback function for said security-software monitoring function.
7. The driver-type malware defence method according to claim 6, characterised in that said replacing function address information related to a system function to be monitored with address information of a security-software monitoring function comprises:
using said module-load callback function to replace function address information related to the system function to be monitored with address information of the security-software monitoring function.
8. A driver-type malware defence device, characterised by comprising:
a replacement processing module, for replacing, according to import table information of a driver, function address information related to a system function to be monitored with address information of a security-software monitoring function;
a monitor processing module, for using the security-software monitoring function installed by said replacement processing module to monitor execution actions of said driver, and issuing an alarm message when an abnormal action is performed.
9. The driver-type malware defence device according to claim 8, characterised in that said replacement processing module comprises:
a first acquiring unit, for obtaining, according to system function entry address information in said import table information, an import function corresponding to said system function entry address information;
a first judging unit, for judging whether the import function obtained by said first acquiring unit is a system function to be monitored;
a first replacing processing unit, for replacing, when said first judging unit judges that said import function is a system function to be monitored, address information of said import function with address information of said security-software monitoring function.
10. The driver-type malware defence device according to claim 8, characterised in that said replacement processing module comprises:
a second judging unit, for judging whether said import table information contains a function used to obtain system function entry addresses;
a second replacing processing unit, for replacing, when said second judging unit judges that said import table information contains a function used to obtain system function entry addresses, address information of said function used to obtain system function entry addresses with address information of said security-software monitoring function.
11. The driver-type malware defence device according to claim 10, characterised by further comprising:
a call processing unit, for calling said security-software monitoring function according to address information of said security-software monitoring function, judging whether a system function entry address obtained by said security-software monitoring function corresponds to a system function to be monitored, and, if so, feeding back an entry address of said security-software monitoring function to said driver, for said monitor processing module to call said security-software monitoring function according to the entry address of said security-software monitoring function.
CNA200910086686XA 2009-06-17 2009-06-17 Driven malware defence method and device Pending CN101599113A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA200910086686XA CN101599113A (en) 2009-06-17 2009-06-17 Driven malware defence method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA200910086686XA CN101599113A (en) 2009-06-17 2009-06-17 Driven malware defence method and device

Publications (1)

Publication Number Publication Date
CN101599113A true CN101599113A (en) 2009-12-09

Family

ID=41420556

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA200910086686XA Pending CN101599113A (en) 2009-06-17 2009-06-17 Driven malware defence method and device

Country Status (1)

Country Link
CN (1) CN101599113A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012071989A1 (en) * 2010-11-29 2012-06-07 北京奇虎科技有限公司 Method and system for program identification based on machine learning
CN103839006A (en) * 2010-11-29 2014-06-04 北京奇虎科技有限公司 Program identification method and device based on machine learning
CN103853979A (en) * 2010-12-31 2014-06-11 北京奇虎科技有限公司 Program identification method and device based on machine learning
CN105786524A (en) * 2016-03-23 2016-07-20 福建正孚软件有限公司 Software hook setting method and device
CN105787356A (en) * 2016-03-28 2016-07-20 北京金山安全软件有限公司 Driver repairing method and device
CN105893838A (en) * 2016-05-11 2016-08-24 北京鼎源科技有限公司 Reinforcement method for key driving program of Android operating system
CN106203189A (en) * 2016-07-04 2016-12-07 北京金山安全软件有限公司 Equipment data acquisition method and device and terminal equipment
CN108416233A (en) * 2018-01-19 2018-08-17 阿里巴巴集团控股有限公司 Obtain the method and device of input character

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103839006B (en) * 2010-11-29 2017-07-28 北京奇虎科技有限公司 Procedure identification method and device based on machine learning
CN103839006A (en) * 2010-11-29 2014-06-04 北京奇虎科技有限公司 Program identification method and device based on machine learning
US9349006B2 (en) 2010-11-29 2016-05-24 Beijing Qihoo Technology Company Limited Method and device for program identification based on machine learning
WO2012071989A1 (en) * 2010-11-29 2012-06-07 北京奇虎科技有限公司 Method and system for program identification based on machine learning
CN103853979A (en) * 2010-12-31 2014-06-11 北京奇虎科技有限公司 Program identification method and device based on machine learning
CN105786524A (en) * 2016-03-23 2016-07-20 福建正孚软件有限公司 Software hook setting method and device
CN105786524B (en) * 2016-03-23 2019-03-12 福建正孚软件有限公司 Software hooks setting method and device
CN105787356A (en) * 2016-03-28 2016-07-20 北京金山安全软件有限公司 Driver repairing method and device
CN105893838A (en) * 2016-05-11 2016-08-24 北京鼎源科技有限公司 Reinforcement method for key driving program of Android operating system
CN106203189A (en) * 2016-07-04 2016-12-07 北京金山安全软件有限公司 Equipment data acquisition method and device and terminal equipment
CN108416233A (en) * 2018-01-19 2018-08-17 阿里巴巴集团控股有限公司 Obtain the method and device of input character
WO2019141112A1 (en) * 2018-01-19 2019-07-25 阿里巴巴集团控股有限公司 Method and apparatus for acquiring input character
CN108416233B (en) * 2018-01-19 2020-03-06 阿里巴巴集团控股有限公司 Method and device for acquiring input characters
TWI693534B (en) * 2018-01-19 2020-05-11 香港商阿里巴巴集團服務有限公司 Method and device for obtaining input characters

Similar Documents

Publication Publication Date Title
CN106991324B (en) Malicious code tracking and identifying method based on memory protection type monitoring
US8627478B2 (en) Method and apparatus for inspecting non-portable executable files
CN101599113A (en) Driven malware defence method and device
EP3039608B1 (en) Hardware and software execution profiling
KR102307534B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
RU2645268C2 (en) Complex classification for detecting malware
EP3654218B1 (en) Method for detecting malicious code and deferring countermeasures
US7665139B1 (en) Method and apparatus to detect and prevent malicious changes to tokens
US8645923B1 (en) Enforcing expected control flow in program execution
US10733296B2 (en) Software security
AU2006235058B2 (en) System and method for foreign code detection
CN105580022A (en) Systems and methods for using a reputation indicator to facilitate malware scanning
US9542557B2 (en) Snoop-based kernel integrity monitoring apparatus and method thereof
WO2018017498A1 (en) Inferential exploit attempt detection
GB2510701A (en) Detecting malware code injection by determining whether return address on stack thread points to suspicious memory area
CN109784054B (en) Behavior stack information acquisition method and device
US20230376591A1 (en) Method and apparatus for processing security events in container virtualization environment
CN112395593A (en) Instruction execution sequence monitoring method and device, storage medium and computer equipment
EP4160455A1 (en) Behavior analysis based on finite-state machine for malware detection
CN102819703A (en) Method and equipment used for preventing webpage attack
US20220138311A1 (en) Systems and methods for detecting and mitigating code injection attacks
WO2019136428A1 (en) Systems and methods for detecting and mitigating code injection attacks
CN109558730B (en) Safety protection method and device for browser
CN105631317A (en) System calling method and apparatus
EP3394786B1 (en) Software security

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20091209