CN102609651A - Method for detecting malicious software in computer equipment - Google Patents

Method for detecting malicious software in computer equipment Download PDF

Info

Publication number: CN102609651A
Authority: CN (China)
Prior art keywords: page, malware, equipment, scanning, carry
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN2012100257399A
Other languages: Chinese (zh)
Inventor: 周亚芹
Current assignee: SUZHOU INDUSTRIAL PARK FLYCOOL ELECTRONIC TECHNOLOGY CO LTD
Original assignee: SUZHOU INDUSTRIAL PARK FLYCOOL ELECTRONIC TECHNOLOGY CO LTD
Application filed by: SUZHOU INDUSTRIAL PARK FLYCOOL ELECTRONIC TECHNOLOGY CO LTD
Priority date: 2012-02-07
Filing date: 2012-02-07
Publication date: 2012-07-25

Abstract

Disclosed is a method for scanning the memory of a computing device for viruses. Only the memory pages marked as executable are scanned, and a scan is triggered either by an API call that changes a writable page into an executable one, or by a notification from the kernel that an executable page has been modified. Because this makes the previous file-system scanning redundant, the method is highly efficient: it saves power and the device runs faster. Further, the device is made safer, because the method can detect viruses that other methods cannot, and it can be applied at the point of execution.

Description

Malware detection in a computing device
Technical field
The present invention relates to a method of operating a computing device, and more particularly to an improved method for scanning a computing device for malware.
Background
In the context of the present invention, the term "computing device" includes, but is not limited to, desktop and laptop computers, personal digital assistants (PDAs), mobile phones, smartphones, digital cameras and digital music players. It also includes many other industrial and domestic electronic devices that combine their functions with those of one or more of the above categories of device.
It is now widely recognized that malicious programs (malware) pose a significant risk to computing devices, especially when a computing device is connected to other devices over a network. All instances of such malware are commonly referred to as viruses. Security experts, however, distinguish between many different types of malware. A recent internet article identified and described 11 different types, including: viruses, worms, wabbits, Trojan horses, backdoors, spyware, exploits, rootkits, key loggers, dialers and browser hijackers.
Malware can gain access to a computing device in different ways. Many infections occur because the user is tricked into installing software that carries the infection. This path onto the device can be monitored relatively easily through certificates, authentication, verification of installation packages and other code items (for example, macros). However, users are not always careful about the warnings given at installation time regarding untrusted software. Furthermore, malware is not limited to installable executable programs and can propagate by other means, for example email and email attachments.
For this reason, computing devices are increasingly equipped with anti-virus software. Traditionally, this software works by hooking into the file system of the host operating system and scanning a file when it is loaded or read from disk. During this scan it searches for unique byte sequences that serve as signatures or fingerprints identifying malware. Most personal computer users recognize that, for this method to be effective, they need to keep the virus definition files for such software up to date.
Because on-the-fly scanning is fallible (for example, it cannot detect latent malware infections on removable media), most types of anti-virus software also run periodically in a deeper batch mode, during which the complete contents of the whole software system are analysed in search of the fingerprints mentioned above.
However, anti-virus software that only scans the file system cannot catch all malware. It is known that routes other than the file system exist by which a device can become infected. Security vulnerabilities that malware can exploit to get its code to run on a computing device are, as a rule, found in the operating system controlling the device or in commonly used software packages.
A network article listed several such exploits, including buffer overflows, integer overflows, memory errors, format string attacks, race conditions, cross-site scripting, cross-site request forgery and SQL injection. Malware that gains access to a device through many of these routes may reside entirely in memory and cannot be detected by scanning the file system. An example of such malware is a worm, which propagates from the memory of one machine to the memory of another by exploiting a weakness found in the communication stack.
For this reason, anti-virus software usually checks the contents of volatile memory (RAM) as well as the contents of the file system, searching for the signatures of various types of memory-resident malware.
It should be noted that all computing devices are potentially subject to malware attack, not only desktop or laptop computers. Security vulnerabilities have been found on other computing devices, including battery-powered mobile devices. In particular, for mobile computing devices such as smartphones, which are kept powered on or in standby for long periods and usually use non-volatile flash memory, memory-based malware such as worms is clearly more dangerous than on mains-powered machines that use volatile dynamic RAM and can rely on regular power-off to clear memory-resident malware.
Current anti-virus software relies heavily on scanning the file system. The problems with the existing methods for this purpose are:
They can detect well-hidden or polymorphic viruses only when a batch scan is run;
If a virus is never written to disk at all (for example a pure network virus), it cannot be detected;
They add overhead to every file access (even for non-executable files, when these contain embedded executables);
Effective implementation usually requires the scanner to be co-located with the file system driver at operating-system level, which itself opens a security weakness: if a virus attacks the scanner, it can gain unrestricted access to the whole file system;
In particular, a deep scan can result in many scans of executable programs or other files even when they are never invoked, which slows the device down and is very inefficient in terms of power saving. On battery-powered devices any unnecessary use of power is harmful to the device's functional capability, and even on mains-powered devices it is undesirable, because wasted energy contributes to global warming and ecological degradation.
As stated, because it is recognized that scanning the file system cannot detect memory malware, current anti-virus software usually also scans the device memory. However, existing methods of scanning memory also have disadvantages:
Memory scans triggered when the anti-virus software first loads, or at fixed time intervals, may allow malware to execute while a particular part of memory is being scanned;
Triggering memory scans on changes to memory contents requires aggressive scanning of all such changes, which causes severe performance degradation;
The entire device memory needs to be scanned, which is a significant burden when a computing device has several gigabytes of memory, and this aggravates the above problems;
In systems implementing demand paging (where part of the virtual memory is kept on disk), the scanner also needs to know which parts of memory actually reside in the swap file, to avoid degrading performance further;
Memory scanning is especially burdensome for battery-powered devices, because schemes that scan memory continuously can cause a large rise in power consumption. In addition, as noted above in connection with disk operations, any unnecessary use of power harms the functional capability of battery-powered devices, and even on mains-powered devices it is undesirable, because wasted energy contributes to global warming and ecological degradation.
Summary of the invention
Within the same detailed method of scanning for retained malware signatures or fingerprints, the invention discloses how a computing device can be arranged to implement a system for detecting and resisting malicious code infection that is both more effective and more robust than existing anti-virus scanning solutions. According to a first aspect of the invention, there is provided a method of operating a computing device, wherein the device protects itself against executing malware by:
a. keeping programs separate from the non-executable memory of the device;
b. only allowing code that comes from executable memory to be executed;
c. using a first software entity that scans only the executable memory on the device for malware.
According to a second aspect of the invention, there is provided a computing device arranged to operate according to the method of the first aspect.
According to a third aspect of the invention, there is provided an operating system for causing a computing device to operate according to the method of the first aspect.
Description of drawings
Embodiments of the present invention will now be described, by way of further example, with reference to the accompanying drawings, in which:
Fig. 1 shows a flow diagram of a virus scanning method according to the present invention;
Fig. 2 shows a flow diagram of a virus scanning method in which memory pages are marked executable when they are read-only;
Fig. 3 shows a flow diagram of a virus scanning method according to the present invention in which modified memory pages are scanned.
Detailed description
The understanding behind the present invention is that executable code stored on disk is, in itself, harmless. Even when such code is loaded into memory, it still does no harm. Only when the code is executed does it have an opportunity to do harm. Therefore, if a way can be found to identify the code that is about to be executed, then scanning the entire contents of memory, scanning file system reads and writes, and deep scanning of the whole file system in search of malware can all be dispensed with. Identifying the code that will be executed makes the scanning process more efficient.
The basis of embodiments of the present invention is: for the computing device, the use of a central processing unit (CPU) that can distinguish between those parts of memory that contain executable code and those parts that contain only data; and, for the anti-virus software on the computing device, a mechanism by which it is notified when the contents of a part of memory containing code change.
Suitable processors include those conforming to version 6 of the ARM architecture (ARMv6) designed by ARM plc of Cambridge, UK, and those conforming to the Intel IA-32 architecture designed by Intel Corporation of Santa Clara, California, USA. Like many other processors incorporating memory management functions, these CPUs divide memory into pages for the purpose of access control. The ARM architecture achieves this by providing an XN bit for each page of memory, where XN stands for Execute Never, and Intel implements the marking of memory pages by setting an execute-disable bit.
The applicant notes that although Intel's disclosure provides an execute-disable bit to stop malware executing code in a data page, its clear aim is to prevent attacks in which malware exploits, for example, stack and buffer overflows. Unlike the present disclosure, there is no suggestion in Intel's disclosure of using this mechanism to improve the efficiency of virus scanning operations or to mitigate the power consumption inherent in virus scanning.
Fig. 1 shows an embodiment of the present invention in which the operating system of the computing device supports such non-executable memory pages. In this embodiment, all memory is by default marked non-executable until it needs to run code, that is, until it is explicitly marked as executable. It can be seen that once this marking is implemented, the immediate effect is that the search space to be scanned for viruses is greatly reduced, since only those memory pages marked executable need be scanned for native-code viruses. Memory pages still marked non-executable can be ignored, because the code they contain cannot run and cause malicious harm.
A further embodiment of the present invention provides a mechanism for notifying the anti-virus software, directly or through the operating system, when the content of one of the executable pages of memory changes; this makes it possible to rescan memory only when necessary, thus minimizing the need for complete memory scans.
There are a number of ways to implement this notification mechanism. Two suggested (but not exclusive) methods are as follows:
1. Interactive: this method is illustrated in Fig. 2 and makes use of the fact that many processors, including the ARM and Intel architectures mentioned above, can additionally mark memory pages as write-protected, or read-only. An application programming interface (API) is provided to client applications on the computing device, which a client application must call in order to allocate the memory regions it needs to run on the device. In this embodiment, whenever a memory region has been allocated, the non-executable bit of the memory pages concerned is toggled off at the same time as the write-protect bit is toggled on. All pages of memory in use are therefore in either a writable or an executable state: a page cannot be both writable and executable at once, so the device will not allow writes to an executable page. A client application that may contain malicious code can therefore write to the pages it wants, because they have been switched to "writable". However, when the client application requests that any page be switched from writable to executable, the page is immediately marked read-only and added to the list of pages to be scanned. The client API call returns only after the anti-virus software has successfully completed its scan. If the scan result is clean, the page is then marked executable and read-only, so that the client code in the page concerned can run on the device but no new code can be written to it, since the page is marked read-only. If, however, the scan detects any suspicious code, the state change fails and the page reverts to being marked writable and non-executable. Optionally, the entire contents of the memory page can then be cleared.
For most existing software on most computing devices, the program loader is the only entity that needs to be modified to use the above API. Any attempt to bypass the program loader will inevitably fail, because such an attempt would try to execute code from a non-executable page.
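The interactive mechanism of Fig. 2, together with the Fig. 1 observation that only executable pages need scanning, as an added illustration in C that is not code from the patent or its applicant: a toy page table in which writable and executable are mutually exclusive, a loader API (the names `alloc_writable` and `request_executable` are hypothetical) that freezes a page read-only, scans it for a signature and only then grants execute permission, and a sweep routine that skips non-executable pages entirely. The 4-byte signature, the sample payloads and the 64-byte page size are constructed for the example; a real implementation would drive the processor's XN/execute-disable bit through the operating system's memory manager rather than a struct in user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy page-table model (constructed for this example, not the patent's code).
 * Each page carries a permission word; WRITE and EXEC are never both set. */
#define PAGE_SIZE 64
#define NPAGES    4

enum perm { PERM_READ = 1, PERM_WRITE = 2, PERM_EXEC = 4 };

struct page {
    uint8_t  data[PAGE_SIZE];
    unsigned perm;
};

static struct page pages[NPAGES];
static int last_scan_infected;

/* Constructed 4-byte "signature" standing in for a real malware fingerprint. */
static const uint8_t MALWARE_SIG[] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Constructed sample payloads: a benign byte run and one carrying the signature. */
const uint8_t SAMPLE_CLEAN[] = { 0x90, 0x90, 0xC3 };
const uint8_t SAMPLE_BAD[]   = { 0x90, 0xDE, 0xAD, 0xBE, 0xEF };

/* Byte-string search for the signature; returns 1 if the page is "infected". */
static int scan_page(const struct page *p) {
    for (size_t i = 0; i + sizeof MALWARE_SIG <= PAGE_SIZE; i++)
        if (memcmp(p->data + i, MALWARE_SIG, sizeof MALWARE_SIG) == 0)
            return 1;
    return 0;
}

/* Loader API step 1: the client receives a writable, non-executable page (XN set). */
int alloc_writable(int idx) {
    if (idx < 0 || idx >= NPAGES) return -1;
    memset(pages[idx].data, 0, PAGE_SIZE);
    pages[idx].perm = PERM_READ | PERM_WRITE;
    return 0;
}

/* Simulated store: a write to a page without WRITE faults (returns -1). */
int write_page(int idx, size_t off, const uint8_t *src, size_t n) {
    if (idx < 0 || idx >= NPAGES || off + n > PAGE_SIZE) return -1;
    if (!(pages[idx].perm & PERM_WRITE)) return -1;   /* executable pages are read-only */
    memcpy(pages[idx].data + off, src, n);
    return 0;
}

/* Loader API step 2: the client asks for the page to become executable. The page
 * is frozen read-only, scanned, and only on a clean result granted EXEC. On
 * detection the contents are wiped and the page reverts to writable + XN. */
int request_executable(int idx) {
    if (idx < 0 || idx >= NPAGES) return -1;
    pages[idx].perm = PERM_READ;                /* read-only while the scan runs */
    if (scan_page(&pages[idx])) {
        memset(pages[idx].data, 0, PAGE_SIZE);  /* the optional clear described in the text */
        pages[idx].perm = PERM_READ | PERM_WRITE;
        return -1;
    }
    pages[idx].perm = PERM_READ | PERM_EXEC;
    return 0;
}

/* Simulated instruction fetch: only pages with EXEC may run. */
int try_execute(int idx) {
    if (idx < 0 || idx >= NPAGES) return -1;
    return (pages[idx].perm & PERM_EXEC) ? 0 : -1;
}

/* Fig. 1 style sweep: visits only executable pages and skips XN pages entirely.
 * Returns the number of pages actually scanned; see last_scan_infected_count(). */
int scan_executable_pages(void) {
    int scanned = 0;
    last_scan_infected = 0;
    for (int i = 0; i < NPAGES; i++) {
        if (!(pages[i].perm & PERM_EXEC)) continue;
        scanned++;
        last_scan_infected += scan_page(&pages[i]);
    }
    return scanned;
}

int last_scan_infected_count(void) { return last_scan_infected; }

int main(void) {
    alloc_writable(0);
    write_page(0, 0, SAMPLE_CLEAN, sizeof SAMPLE_CLEAN);
    alloc_writable(1);
    write_page(1, 0, SAMPLE_BAD, sizeof SAMPLE_BAD);
    printf("page 0 -> executable: %d\n", request_executable(0));      /* 0: granted */
    printf("page 1 -> executable: %d\n", request_executable(1));      /* -1: refused, wiped */
    printf("write to page 0 now: %d\n", write_page(0, 0, SAMPLE_CLEAN, 1)); /* -1: read-only */
    printf("sweep scanned %d page(s), %d infected\n",
           scan_executable_pages(), last_scan_infected_count());      /* 1, 0 */
    return 0;
}
```

The point to notice is that `request_executable` is the only place where EXEC is ever granted, and it grants it only from the read-only state after a scan: a loader that bypasses the call is left holding a page that faults on fetch, which is exactly the failure mode the text relies on. The sweep demonstrates the Fig. 1 saving: with four pages allocated, only the one page that was admitted as executable is ever examined.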
2. Responsive: this requires no change to the API at all, and writes to executable pages are allowed. However, whenever an executable page is modified, the operating system kernel notifies the virus scanner, which then proceeds to scan the page. If malicious code is found, the scanner instructs the kernel to mark the page non-executable (and optionally to clear the page contents). For better responsiveness, the scan can be performed asynchronously as long as there is no risk of suspicious code being executed; if any thread attempts to execute code in the page before the scan has completed successfully, the operating system kernel can suspend that thread.
The responsive mode can be implemented by installing a special exception handler in the memory manager that triggers an interrupt on any attempt to modify the contents of an executable page; the suggested mechanism is known to those skilled in the art, as it is similar to a page fault. Other methods of notification are also feasible, however, and the present invention is not limited to the mechanism proposed.
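The responsive mode, and the queueing and thread-gating behaviour of claims 5 to 8, as an added illustration in C that is not code from the patent or its applicant: a simulated memory manager whose "exception handler" (`notify_scanner`, a hypothetical name) lets the write proceed but marks the page dirty and queues it, a scanner that drains the queue asynchronously, and an instruction-fetch check that parks a thread on a dirty page and terminates it on a quarantined one. The signature, the sample payloads, the page size and the function names are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the responsive mode (constructed for this example, not the patent's code). */
#define PAGE_SIZE 64
#define NPAGES    4

enum page_state { PAGE_CLEAN, PAGE_DIRTY, PAGE_QUARANTINED };
enum exec_result { EXEC_OK = 0, EXEC_SUSPENDED = 1, EXEC_KILLED = 2, EXEC_FAULT = -1 };

struct rpage {
    uint8_t         data[PAGE_SIZE];
    int             executable;  /* XN bit clear */
    enum page_state state;       /* DIRTY = written since the last successful scan */
};

static struct rpage pages[NPAGES];

/* FIFO of pages awaiting a scan (claim 5). A page is queued at most once while dirty,
 * so a queue of NPAGES entries can never overflow. */
static int queue[NPAGES];
static int q_head, q_tail;

static const uint8_t MALWARE_SIG[] = { 0xDE, 0xAD, 0xBE, 0xEF };   /* constructed */
const uint8_t SAMPLE_CLEAN[] = { 0x01, 0x02, 0x03 };                /* constructed */
const uint8_t SAMPLE_BAD[]   = { 0x01, 0xDE, 0xAD, 0xBE, 0xEF };    /* constructed */

/* Byte-string search for the signature; returns 1 if the page is "infected". */
static int scan_page(const struct rpage *p) {
    for (size_t i = 0; i + sizeof MALWARE_SIG <= PAGE_SIZE; i++)
        if (memcmp(p->data + i, MALWARE_SIG, sizeof MALWARE_SIG) == 0) return 1;
    return 0;
}

/* Start state: every page is executable and was already scanned clean. */
void reset_pages(void) {
    memset(pages, 0, sizeof pages);
    for (int i = 0; i < NPAGES; i++) { pages[i].executable = 1; pages[i].state = PAGE_CLEAN; }
    q_head = q_tail = 0;
}

/* The "exception handler": invoked by the memory manager on a write to an executable
 * page. The write is allowed, but the page is marked dirty and handed to the scanner. */
static void notify_scanner(int idx) {
    if (pages[idx].state == PAGE_DIRTY) return;      /* already queued */
    pages[idx].state = PAGE_DIRTY;
    queue[q_tail++ % NPAGES] = idx;
}

int write_exec_page(int idx, size_t off, const uint8_t *src, size_t n) {
    if (idx < 0 || idx >= NPAGES || off + n > PAGE_SIZE) return -1;
    memcpy(pages[idx].data + off, src, n);
    if (pages[idx].executable) notify_scanner(idx);   /* data pages need no scan */
    return 0;
}

/* Instruction fetch: clean -> run; dirty -> park the thread until the scan finishes
 * (claim 6); quarantined -> terminate the thread (claim 7). */
int try_execute(int idx) {
    if (idx < 0 || idx >= NPAGES) return EXEC_FAULT;
    if (pages[idx].state == PAGE_QUARANTINED) return EXEC_KILLED;
    if (!pages[idx].executable) return EXEC_FAULT;
    return pages[idx].state == PAGE_DIRTY ? EXEC_SUSPENDED : EXEC_OK;
}

/* Scanner thread: drain the queue. Returns the number of pages scanned. */
int scanner_run(void) {
    int scanned = 0;
    while (q_head != q_tail) {
        int idx = queue[q_head++ % NPAGES];
        scanned++;
        if (scan_page(&pages[idx])) {
            pages[idx].state = PAGE_QUARANTINED;
            pages[idx].executable = 0;                 /* set XN */
            memset(pages[idx].data, 0, PAGE_SIZE);     /* optional clear (claim 8) */
        } else {
            pages[idx].state = PAGE_CLEAN;
        }
    }
    return scanned;
}

int main(void) {
    reset_pages();
    write_exec_page(0, 0, SAMPLE_CLEAN, sizeof SAMPLE_CLEAN);
    write_exec_page(1, 0, SAMPLE_BAD, sizeof SAMPLE_BAD);
    printf("exec page 0 before scan: %d\n", try_execute(0));   /* 1: suspended */
    printf("scanner processed %d page(s)\n", scanner_run());   /* 2 */
    printf("exec page 0 after scan: %d\n", try_execute(0));    /* 0: ok */
    printf("exec page 1 after scan: %d\n", try_execute(1));    /* 2: killed */
    return 0;
}
```

Two details matter for the performance claim in the text. A second write to a page that is already dirty does not queue it again, so a burst of writes costs one scan, not one per write; and a page that was quarantined is left with XN set, so further writes to it are treated as data writes and do not wake the scanner until a loader re-admits the page.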
The above embodiments are provided for illustrative purposes only and are not intended to limit the present invention to the specific embodiments. The present invention can be implemented in many ways, and on many different operating systems and computing devices, without departing from the scope of the invention disclosed herein.
It can be seen from the above description that applying the invention yields a number of beneficial effects:
File scanning becomes almost unnecessary (redundant).
All code that can be executed is scanned, and that code can be shown to be free of malware; it does not need to be rescanned unless its memory page is written to.
This eliminates the security risks and inefficiencies introduced by file-system virus scanning hooks.
Only memory marked executable needs to be scanned.
The virus scanner need not be aware of any variations in binary file formats, or of any compression algorithm applied to them.
Self-modifying viral code is automatically subject to the same rescanning requirement.
The memory scanning API does not expose a file-system plug-in with the same security risks or overheads.
The memory scanning API can be implemented efficiently because RAM pages are visible to many processes, because it is called relatively infrequently (executable code is loaded far less often than the disk is otherwise accessed), and because it works across memory boundaries. The consequence of misusing the API is simply denial of service (the code is refused loading) rather than unrestricted file-system access. Only executable code needs to be exposed to memory scanning, rather than every file ever loaded. Besides the gains in effectiveness and reliability, the additional efficiency gain from the power saving of the present invention extends, for battery-operated devices, the use obtained from a battery pack or a single charge, while the power saving on all computing devices translates directly into less wasted energy, less global warming and less environmental pollution.
Although the invention has been described with reference to specific embodiments, it will be appreciated that various modifications can be made while still remaining within the scope of the invention as defined in the appended claims.

Claims (10)

1. the method for an operational computations equipment, wherein, said equipment protects in carrying out Malware in the following manner:
A. with executable program can not separate by execute store from the said equipment; And
B, but only allow to carry out any code that comes from execute store; And
C. use first software entity, but said first software entity can only scan the execute store on the said equipment with regard to Malware.
2. method according to claim 1, wherein, the storer on the said computing equipment comprises being set to can carry out the page that maybe can not carry out.
3. method according to claim 1 and 2, wherein, but the reformed notice of content of the execute store of said first software responses on said equipment, but and scan the said execute store on the said equipment with regard to Malware.
4. method according to claim 3 wherein, be changed but said notice is the single page of execute store, and wherein said first software entity responds through only the page that has changed being scanned.
5. method according to claim 4 wherein, is maintained in the formation to the untreated notice or the request of the page to be scanned, can be processed up to them.
6. according to each described method in the claim 3 to 5; Wherein, But but the software application of seeking to carry out from the code of reformed execute store is prevented from carrying out the code from reformed execute store, up to regard to Malware the said storer that is changed being scanned.
7. method according to claim 6 wherein, detects the reformed Malware of carrying out in the page and makes that the software application seek to carry out its content is ended.
8. according to claim 6 or 7 described methods, wherein, detect the reformed Malware of carrying out in the page and make and to remove being detected as the storer that comprises said Malware.
9. method according to claim 2; Wherein, said computing equipment is set to: but write store can not be performed, but and execute store can not be written into; And wherein, make second software entity can the page marks in the said storer can be carried out for writing maybe.
10. method according to claim 9; Wherein, But said second software entity of seeking to carry out from the code of one or more write store pages of software application request can be carried out the said page; And said second software entity is also failed to carry out this request, up to said first software entity with said page marks be read-only and with regard to Malware scanning the said page.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012100257399A CN102609651A (en) 2012-02-07 2012-02-07 Method for detecting malicious software in computer equipment

Publications (1)

Publication Number Publication Date
CN102609651A true CN102609651A (en) 2012-07-25

Family

ID=46527012

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012100257399A Pending CN102609651A (en) 2012-02-07 2012-02-07 Method for detecting malicious software in computer equipment

Country Status (1)

Country Link
CN (1) CN102609651A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108369624A (en) * 2015-12-24 2018-08-03 Intel Corporation Techniques for detecting malware with minimal performance degradation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1304089A (en) * 2000-01-11 2001-07-18 MiTAC International Corp. Tracking detection method for file infected by computer virus
CN1306251A (en) * 2000-01-14 2001-08-01 MiTAC International Corp. Virus detection method for IDE hard disk device in DMA transmission mode
CN101341491A (en) * 2005-12-20 2009-01-07 Symbian Software Ltd. Malicious software detection in a computing device

Similar Documents

Publication Publication Date Title
CN101341491A (en) Malicious software detection in a computing device
KR101928908B1 (en) Systems and Methods for Using a Reputation Indicator to Facilitate Malware Scanning
US7401361B2 (en) System and method for reducing virus scan time
JP6895666B2 (en) Binary and memory diversity cross-reference of system and method related applications
Gu et al. Process implanting: A new active introspection framework for virtualization
CN101414339B (en) Method for protecting proceeding internal memory and ensuring drive program loading safety
JP5326062B1 (en) Non-executable file inspection apparatus and method
US9135435B2 (en) Binary translator driven program state relocation
CN105103158A (en) Profiling code execution
US10623438B2 (en) Detecting execution of modified executable code
Paik et al. Poster: Self-defensible storage devices based on flash memory against ransomware
IL266459D0 (en) System and method for detecting and for alerting of exploits in computerized systems
CN102609651A (en) Method for detecting malicious software in computer equipment
CN103679024B (en) Virus treating method and device
US20210049292A1 (en) Hypervisor-Based Interception of Memory and Register Accesses
Chen et al. Combating the OS-Level Malware in Mobile Devices by Leveraging Isolation and Steganography
US10885184B1 (en) Rearranging executables in memory to prevent rop attacks
Lee et al. Energy-efficient run-time detection of malware-infected executables and dynamic libraries on mobile devices
US20220027471A1 (en) Advanced ransomware detection
Nazarov PassSSD: A Ransomware proof SSD Using Fine Grained I/O Whitelisting
Patil et al. Computer virus and antivirus software a brief review
CN104657664A (en) Virus processing method and equipment
Parsa et al. An Approach to Rootkit Detection Based on Virtual Machine Introspection
RU91206U1 (en) HARDWARE ANTI-VIRUS
Ruan The Engine: Safeguarding Itself before Safeguarding Others

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120725