CN102622543A - Method and device for dynamically detecting malicious webpage scripts - Google Patents

Info

Publication number
CN102622543A
Authority
CN
China
Prior art keywords
function
script
shellcode
risk
detected
Legal status
Granted
Application number
CN2012100247819A
Other languages
Chinese (zh)
Other versions
CN102622543B (en)
Inventor
黄正
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201210024781.9A
Publication of CN102622543A
Application granted
Publication of CN102622543B
Legal status: Active

Abstract

The invention provides a method and device for dynamically detecting malicious webpage scripts. The method includes: S1, parsing the webpage script to be detected and, if during parsing binary data generated in memory by a function is acquired through a function hook placed in advance on a preset function used for writing shellcode, executing step S2; and S2, subjecting the binary data to disassembly detection and, if self-locating code is detected during disassembly, confirming that shellcode has been detected. By loading the webpage script for dynamic analysis and detecting during that dynamic analysis, the method has improved reliability and detection rate compared with static analysis. The shellcode can be detected before the script vulnerability is triggered, so the method avoids crashing the browser process, unlike approaches that externally monitor the browser process.

Description

Method and apparatus for dynamically detecting malicious webpage scripts
[technical field]
The present invention relates to the field of computer security technology, and in particular to a method and apparatus for dynamically detecting malicious webpage scripts.
[background technology]
With the continuous development of computer technology, computer networks have become the main tool by which people obtain information, and the demand for computer security technology has risen accordingly. Computer viruses, Trojan horses, spyware and malicious code have been the main security threats faced by computer networks in recent years; among these, shellcode is malicious code that exploits a particular vulnerability and is generally sent to the server side as data in order to cause an overflow.
Existing methods for detecting shellcode in page scripts mainly include the following two:
One: static analysis of webpage features. A malicious-webpage feature table is maintained in advance and the page script to be detected is matched against it; if it matches, the page script is confirmed to contain shellcode. This method, however, fails easily against malicious scripts that use encoding techniques, so its reliability is low.
Two: externally monitoring the browser process for abnormal process startup, loaded modules and memory usage. With this approach, however, the shellcode has usually already executed by the time it is detected, and the browser process may have crashed.
[summary of the invention]
The present invention provides a method and apparatus for dynamically detecting malicious webpage scripts, so as to improve the reliability of shellcode identification and to solve the defect of the existing identification process that causes the browser process to crash.
The specific technical scheme is as follows:
A method for dynamically detecting malicious webpage scripts, the method comprising:
S1: parsing the page script to be detected; if, during parsing, binary data generated in memory by a corresponding function is obtained through a function hook placed in advance on a preset function used for writing shellcode, executing step S2;
S2: performing disassembly detection on the binary data; if self-locating code is detected during disassembly, confirming that shellcode has been detected.
According to a preferred embodiment of the present invention, before step S1 the method further comprises:
S0: creating a new browser (IE) control process and placing function hooks on the preset functions used for writing shellcode.
According to a preferred embodiment of the present invention, the functions used for writing shellcode comprise at least one of: the u function, the unescape function or the string.fromcharcode function of JavaScript-type scripts, and the unescape function, the string.fromcharcode function or the chrw function of VBScript-type scripts.
According to a preferred embodiment of the present invention, after step S1 and before step S2 the method further comprises:
S3: matching the beginning of the obtained binary data against a blacklist set in advance; if it matches, confirming that shellcode has been detected and ending the parsing of the page script to be detected; otherwise, executing step S2;
wherein the blacklist comprises nop instruction heads.
According to a preferred embodiment of the present invention, the self-locating code comprises at least one of: call instruction code, pop instruction code, FSTENV instruction code and SEH instruction code.
According to a preferred embodiment of the present invention, if shellcode is confirmed to be detected in step S2, the parsing of the page script to be detected is ended; otherwise, the method returns to step S1 to continue parsing the page script to be detected.
According to a preferred embodiment of the present invention, if no self-locating code is detected during disassembly in step S2, step S3 is further executed:
S3: performing statistics of high-risk bytecodes on the obtained binary data; if the counted number of high-risk bytecodes exceeds a preset high-risk bytecode count threshold, confirming that shellcode has been detected and ending the parsing of the page script to be detected; otherwise, returning to step S1 to continue parsing the page script to be detected.
According to a preferred embodiment of the present invention, the high-risk bytecodes comprise at least one of: invisible characters and addresses commonly used in heap spraying.
A method for dynamically detecting malicious webpage scripts, the method comprising:
A1: parsing the page script to be detected; if, during parsing, binary data generated in memory by a corresponding function is obtained through a function hook placed in advance on a preset function used for writing shellcode, executing step A2;
A2: performing statistics of high-risk bytecodes on the binary data; if the counted number of high-risk bytecodes exceeds a preset high-risk bytecode count threshold, confirming that shellcode has been detected.
According to a preferred embodiment of the present invention, before step A1 the method further comprises:
A0: creating a new browser (IE) control process and placing function hooks on the preset functions used for writing shellcode.
According to a preferred embodiment of the present invention, the functions used for writing shellcode comprise at least one of: the u function (used for escaping), the unescape function (used for string decoding) or the string.fromcharcode function (which returns the string represented by ASCII values) of JavaScript-type scripts, and the unescape function, the string.fromcharcode function or the chrw function of VBScript-type scripts.
According to a preferred embodiment of the present invention, after step A1 and before step A2 the method further comprises:
A3: matching the beginning of the obtained binary data against a blacklist set in advance; if it matches, confirming that shellcode has been detected and ending the parsing of the page script to be detected; otherwise, executing step A2;
wherein the blacklist comprises nop instruction heads.
According to a preferred embodiment of the present invention, if shellcode is confirmed to be detected in step A2, the parsing of the page script to be detected is ended; otherwise, the method returns to step A1 to continue parsing the page script to be detected.
According to a preferred embodiment of the present invention, the high-risk bytecodes comprise at least one of: invisible characters and addresses commonly used in heap spraying.
An apparatus for dynamically detecting malicious webpage scripts, the apparatus comprising:
a script parsing unit, configured to parse the page script to be detected and, if binary data generated in memory by a corresponding function is obtained during parsing through a function hook placed in advance on a preset function used for writing shellcode, to trigger the disassembly detection unit;
the disassembly detection unit, configured, once triggered, to perform disassembly detection on the binary data and, if self-locating code is detected during disassembly, to confirm that shellcode has been detected.
According to a preferred embodiment of the present invention, the apparatus further comprises:
a preparation unit, configured to create a new browser (IE) control process and to place function hooks on the preset functions used for writing shellcode.
According to a preferred embodiment of the present invention, the functions used for writing shellcode comprise at least one of: the u function, the unescape function or the string.fromcharcode function of JavaScript-type scripts, and the unescape function, the string.fromcharcode function or the chrw function of VBScript-type scripts.
According to a preferred embodiment of the present invention, the apparatus further comprises a blacklist matching unit;
the script parsing unit triggers the disassembly detection unit by triggering the blacklist matching unit;
the blacklist matching unit is configured, once triggered, to match the beginning of the binary data against a blacklist set in advance; if it matches, to confirm that shellcode has been detected and trigger the script parsing unit to end parsing the page script to be detected; otherwise, to trigger the disassembly detection unit; wherein the blacklist comprises nop instruction heads.
According to a preferred embodiment of the present invention, the self-locating code comprises at least one of: call instruction code, pop instruction code, FSTENV instruction code and SEH instruction code.
According to a preferred embodiment of the present invention, if the disassembly detection unit confirms that shellcode has been detected, it triggers the script parsing unit to end parsing the page script to be detected; otherwise, it triggers the script parsing unit to continue parsing the page script to be detected.
According to a preferred embodiment of the present invention, the apparatus further comprises a high-risk bytecode statistics unit;
if the disassembly detection unit does not detect self-locating code during disassembly, it triggers the high-risk bytecode statistics unit;
the high-risk bytecode statistics unit is configured, once triggered, to perform statistics of high-risk bytecodes on the binary data; if the counted number of high-risk bytecodes exceeds the preset high-risk bytecode count threshold, to confirm that shellcode has been detected and trigger the script parsing unit to end parsing the page script to be detected; otherwise, to trigger the script parsing unit to continue parsing the page script to be detected.
According to a preferred embodiment of the present invention, the high-risk bytecodes comprise at least one of: invisible characters and addresses commonly used in heap spraying.
An apparatus for dynamically detecting malicious webpage scripts, the apparatus comprising:
a script parsing unit, configured to parse the page script to be detected and, if binary data generated in memory by a corresponding function is obtained during parsing through a function hook placed in advance on a preset function used for writing shellcode, to trigger the high-risk bytecode statistics unit;
the high-risk bytecode statistics unit, configured, once triggered, to perform statistics of high-risk bytecodes on the binary data and, if the counted number of high-risk bytecodes exceeds a preset high-risk bytecode count threshold, to confirm that shellcode has been detected.
According to a preferred embodiment of the present invention, the apparatus further comprises:
a preparation unit, configured to create a new browser (IE) control process and to place function hooks on the preset functions used for writing shellcode.
According to a preferred embodiment of the present invention, the functions used for writing shellcode comprise at least one of: the u function (used for escaping), the unescape function (used for string decoding) or the string.fromcharcode function (which returns the string represented by ASCII values) of JavaScript-type scripts, and the unescape function, the string.fromcharcode function or the chrw function of VBScript-type scripts.
According to a preferred embodiment of the present invention, the apparatus further comprises a blacklist matching unit;
the script parsing unit triggers the high-risk bytecode statistics unit by triggering the blacklist matching unit;
the blacklist matching unit is configured, once triggered, to match the beginning of the binary data against a blacklist set in advance; if it matches, to confirm that shellcode has been detected and trigger the script parsing unit to end parsing the page script to be detected; otherwise, to trigger the high-risk bytecode statistics unit; wherein the blacklist comprises nop instruction heads.
According to a preferred embodiment of the present invention, if the high-risk bytecode statistics unit confirms that shellcode has been detected, it triggers the script parsing unit to end parsing the page script to be detected; otherwise, it triggers the script parsing unit to continue parsing the page script to be detected.
According to a preferred embodiment of the present invention, the high-risk bytecodes comprise at least one of: invisible characters and addresses commonly used in heap spraying.
It can be seen from the above technical scheme that the present invention adopts a dynamic parsing approach: the webpage script is loaded and parsed dynamically, and detection is performed during the dynamic parsing, so that, compared with static analysis, shellcode can be detected even in malicious scripts that use encoding techniques, which improves reliability and detection rate. In addition, shellcode can be detected before the script vulnerability is triggered, which, compared with externally monitoring the browser process, avoids crashing the browser process.
[description of drawings]
Fig. 1 is a flow chart of the method provided by embodiment one of the present invention;
Fig. 2 is a flow chart of another method provided by embodiment two of the present invention;
Fig. 3 is a structural diagram of the apparatus provided by embodiment three of the present invention;
Fig. 4 is a structural diagram of another apparatus provided by embodiment four of the present invention;
Fig. 5 is a schematic structural diagram of yet another apparatus provided by embodiment five of the present invention.
[detailed description of the embodiments]
In order to make the objects, technical schemes and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
Embodiment one
Fig. 1 is a flow chart of the method provided by embodiment one of the present invention. As shown in Fig. 1, the method may comprise the following steps:
Step 101: place function hooks in advance on the preset functions used for writing shellcode.
Shellcode is usually written into a page script through a series of script functions, so that controlled malicious data is generated in memory to carry out the attack; that is, the functions used for writing shellcode generate binary data of a specified format in memory. The preset functions used for writing shellcode may include, but are not limited to, at least one of: for JavaScript-type scripts, the u function used for escaping, the unescape function used for decoding strings, or the string.fromcharcode function used to return the string represented by ASCII values; and for VBScript-type scripts, the unescape function, the string.fromcharcode function, or the chrw function used to return the character associated with a specified character code.
This step is a preparation step: a new browser (IE) control process is created and function hooks are placed on the above functions, so that the binary data these functions generate in memory can be obtained while the page script to be detected is parsed.
Step 102: parse the page script to be detected; if, during parsing, the binary data produced in memory by a corresponding function is obtained through the placed function hook, execute step 103.
Once a function used for writing shellcode is reached during parsing, the binary data that function produces in memory can be obtained through the hook placed on it, and that binary data is processed in the following steps; otherwise parsing continues.
Step 103: match the obtained binary data against a blacklist set in advance; if it matches, shellcode is detected; otherwise execute step 104.
To protect the integrity of the shellcode, a short head of nop (no-operation) instructions is usually added at the front of the shellcode; therefore nop instruction heads are set as the blacklist in advance. In this step the beginning of the obtained binary data is matched against the preset blacklist; if it matches, the beginning of the binary data is a nop instruction head, the page script is considered malicious, and shellcode is identified.
The nop instruction heads include, but are not limited to: 9090, 5858, 0c0c, 0d0d, etc.
If the blacklist is not matched in this step, shellcode must be identified further through the following steps. Note that this step is not a necessary step of the present invention: it allows shellcode to be detected quickly and improves detection efficiency, but step 104 may also be executed directly after step 102.
Step 104: perform disassembly detection on the binary data; if self-locating code is detected during disassembly, shellcode is detected; otherwise return to step 102 to continue parsing the script to be detected.
In this step the binary data is disassembled byte by byte and checked for the presence of self-locating code. In general the shellcode in a malicious webpage script is encrypted, and its dynamic decryption must go through a self-locating process; so-called self-locating code is the code by which the shellcode obtains its own position in memory, and includes but is not limited to: procedure call (call) instruction code, pop instruction code, floating-point environment store (FSTENV) instruction code, structured exception handling (SEH) instruction code, etc.
If self-locating code is detected after disassembling the binary data in memory, the page script contains shellcode; the detection method of this step has a high detection accuracy.
In addition, if no self-locating code is detected during disassembly in step 104, a statistics step for high-risk bytecodes may further be carried out; this case is described in embodiment two.
Embodiment two
Fig. 2 is a flow chart of another method provided by embodiment two of the present invention. As shown in Fig. 2, the method may comprise the following steps:
Step 201 is the same as step 101 in embodiment one.
Step 202 is the same as step 102 in embodiment one.
Step 203 is the same as step 103 in embodiment one.
Likewise, step 203 is an optional step in this embodiment.
Step 204 is the same as step 104 in embodiment one, except that if no self-locating code is detected during disassembly, step 205 is executed.
Step 205: perform statistics of high-risk bytecodes on the binary data obtained in step 202; if the number of high-risk bytecodes exceeds the preset high-risk bytecode count threshold, shellcode is detected; otherwise return to step 202 to continue parsing the page script to be detected, until parsing ends.
High-risk bytecodes are features extracted from a large number of shellcode samples. Through analysis of many shellcode samples, a series of character ranges that only shellcode uses has been identified. One part of these ranges consists of invisible characters, where an invisible character is any character in the Unicode character table that is neither a visible character on the keyboard nor a Chinese character. The other part consists of addresses commonly used in heap spraying, summarized from experience, including but not limited to: 0c0c0c0c, 0d0d0d0d0d, 90909090, 14141414, etc.
The preset high-risk bytecode count threshold can be set from empirical values; for example, if invisible characters are used as the high-risk bytecodes, the threshold may be set to 5, and if heap-spray addresses are used, the threshold may be set to 1.
This step can be regarded as a further supplement to disassembly detection, further improving the shellcode detection rate.
In addition, besides the approach above, shellcode may also be detected mainly by counting high-risk bytecodes, with blacklist matching and/or disassembly detection as further processing. The flow in which both blacklist matching and disassembly detection serve as further processing for the high-risk bytecode count can be seen in Fig. 2. If only blacklist matching serves as further processing for the high-risk bytecode count, then in the flow of Fig. 2, when the blacklist is not matched in step 203, step 205 is executed directly and step 204 is no longer executed. If only disassembly detection serves as further processing for the high-risk bytecode count, then in the flow of Fig. 2, step 204 is executed directly after step 202 and step 203 is not executed.
In the flows shown in embodiments one and two, once shellcode is detected, parsing stops, and the detection result may further be reported.
A concrete example follows. First, function hooks are placed on the u function, the unescape function and the string.fromcharcode function of JavaScript-type scripts. Suppose the page script to be detected is the following:
<html><body><script language="javascript">
var nbcode='%u7468%u7074%u2f3a%u772f%u782e%u7274%u6263%u632e%u6d6f%u393a%u6d2f%u2f6d%u787a%u2e32%u7865%u0065';
[The remainder of the script, a long chain of calls to a helper J(n) that returns String.fromCharCode(n^8), concatenated and passed to eval, is omitted.]
</script></body></html>
While this page script is being parsed, the binary data that string.fromcharcode generates in memory can be obtained through the function hook already installed; suppose this binary data is:
90909090eb548b753c8b74357803f5568b762003f533c94941ad33db360fbe142838f27408c1cb0d03da40ebef3bdf75e75e……
First, the obtained binary data is matched against the pre-configured blacklist, i.e. it is checked whether the binary data begins with a nop instruction head. 9090 is found, which is a nop instruction head, so shellcode can be confirmed directly.
If the blacklist matching step is not performed and disassembly detection is carried out directly, then the self-locating code corresponding to eb54 is detected during disassembly, and shellcode can be confirmed.
If no self-locating code is detected during disassembly detection, the number of high-risk bytecodes is counted. If more than 5 invisible characters are counted in this binary data, with the preset high-risk bytecode threshold assumed to be 5, shellcode is likewise detected.
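The pipeline walked through above, as an added Node.js model (not the patent's own code): it hooks String.fromCharCode and unescape in place of the patent's in-process IE hooks, converts each decoded string to its UTF-16LE memory layout, and applies the three stages (blacklist, self-locating code, high-risk bytecode count). Assumed: the byte-pattern scan stands in for a real disassembler, the heap spray addresses are taken in 4-byte form, and "invisible character" is read as a control code unit.

```javascript
// Added example, not the patent's code: a Node.js model of the three-stage pipeline above.
// Hooks are a plain monkey-patch and the "disassembly" stage is a byte-pattern scan (assumptions).
const NOP_HEADS = ["9090", "5858", "0c0c", "0d0d"];                      // blacklist from the text
const HEAP_SPRAY_ADDRS = ["0c0c0c0c", "0d0d0d0d", "90909090", "14141414"]; // 4-byte forms (assumption)
const INVISIBLE_THRESHOLD = 5; // invisible-character threshold given in the text
const SPRAY_THRESHOLD = 1;     // heap-spray-address threshold given in the text

// A decoded JS string sits in memory as UTF-16LE code units; those bytes are what a vulnerable
// control would execute, so the byte-level stages run over that layout.
function stringToMemoryBytes(s) {
  const out = new Uint8Array(s.length * 2);
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    out[2 * i] = cu & 0xff;
    out[2 * i + 1] = cu >>> 8;
  }
  return out;
}
const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const hexToBytes = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Stage 1: does the data begin with a known nop head?
function blacklistMatch(bytes) {
  return NOP_HEADS.includes(toHex(bytes.subarray(0, 2)));
}

// Stage 2: self-locating (GetPC) code. Patterns: E8 00 00 00 00 then POP r32 (call $+5 / pop);
// EB xx jumping forward onto an E8 with negative rel32 (jmp / call / pop); D9 74 24 F4 (fnstenv [esp-0xC]).
function findSelfLocatingCode(bytes) {
  const n = bytes.length;
  for (let i = 0; i < n; i++) {
    const b = bytes[i];
    if (b === 0xe8 && i + 5 < n && bytes[i + 1] === 0 && bytes[i + 2] === 0 && bytes[i + 3] === 0 &&
        bytes[i + 4] === 0 && bytes[i + 5] >= 0x58 && bytes[i + 5] <= 0x5f) {
      return { kind: "call/pop", offset: i };
    }
    if (b === 0xeb && i + 1 < n) {
      const disp = bytes[i + 1];
      const target = i + 2 + (disp < 0x80 ? disp : disp - 0x100);
      if (target > i && target + 4 < n && bytes[target] === 0xe8 && (bytes[target + 4] & 0x80)) {
        return { kind: "jmp/call/pop", offset: i };
      }
    }
    if (b === 0xd9 && i + 3 < n && bytes[i + 1] === 0x74 && bytes[i + 2] === 0x24 && bytes[i + 3] === 0xf4) {
      return { kind: "fnstenv", offset: i };
    }
  }
  return null;
}

// Stage 3: high-risk bytecodes. Invisible characters are counted per code unit (C0/C1 controls other
// than tab, LF, CR; assumption); heap spray addresses per non-overlapping 4-byte match in memory.
function countHighRisk(s, bytes) {
  let invisible = 0;
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    if ((cu < 0x20 && cu !== 0x09 && cu !== 0x0a && cu !== 0x0d) || (cu >= 0x7f && cu <= 0x9f)) invisible++;
  }
  let spray = 0;
  for (const pat of HEAP_SPRAY_ADDRS.map(hexToBytes)) {
    for (let i = 0; i + pat.length <= bytes.length;) {
      if (pat.every((v, k) => bytes[i + k] === v)) { spray++; i += pat.length; } else { i++; }
    }
  }
  return { invisible, spray };
}

// The order the text describes: blacklist, then disassembly, then high-risk statistics.
function analyzeDecodedString(s) {
  const bytes = stringToMemoryBytes(s);
  if (blacklistMatch(bytes)) return { verdict: "shellcode", stage: "blacklist", detail: toHex(bytes.subarray(0, 2)) };
  const sl = findSelfLocatingCode(bytes);
  if (sl) return { verdict: "shellcode", stage: "disassembly", detail: sl.kind };
  const risk = countHighRisk(s, bytes);
  if (risk.invisible > INVISIBLE_THRESHOLD || risk.spray > SPRAY_THRESHOLD) {
    return { verdict: "shellcode", stage: "high-risk", detail: risk };
  }
  return { verdict: "clean", stage: "none", detail: risk };
}

// Stage 0: hook the decoding functions so every result is analyzed the moment it is produced,
// before any vulnerable code could consume it. Returns a function that removes the hooks.
function installHooks(onDecoded) {
  const origFromCharCode = String.fromCharCode, origUnescape = globalThis.unescape;
  String.fromCharCode = function (...codes) { const s = origFromCharCode.apply(String, codes); onDecoded(s); return s; };
  globalThis.unescape = function (str) { const s = origUnescape(str); onDecoded(s); return s; };
  return () => { String.fromCharCode = origFromCharCode; globalThis.unescape = origUnescape; };
}

// Constructed inputs (not from the page): a nop-headed jmp/call/pop stub, the same stub without the
// nop head delivered through %u escapes, a heap spray block, and plain text.
function demo() {
  const results = [];
  const restore = installHooks((s) => results.push(analyzeDecodedString(s)));
  String.fromCharCode(0x9090, 0x05eb, 0x415e, 0x4141, 0xe841, 0xfff6, 0xffff); // 90 90 eb 05 5e 41 41 41 41 e8 f6 ff ff ff
  unescape("%u05eb%u415e%u4141%ue841%ufff6%uffff");                           // eb 05 5e 41 41 41 41 e8 f6 ff ff ff
  String.fromCharCode(0x4141, 0x4141, 0x0c0c, 0x0c0c, 0x0c0c, 0x0c0c);         // 41 41 41 41 0c 0c 0c 0c 0c 0c 0c 0c
  unescape("Hello%2C%20world");                                                // ordinary text
  restore();
  return results; // stages: blacklist, disassembly, high-risk, none
}
```

The page's example script builds its string one character per J() call, so a hook that only looks at individual results must also analyze the concatenated value; the patent obtains the finished buffer from memory, which this model does not reproduce.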
The above describes the method provided by the present invention; the device provided by the present invention is described in detail below through Embodiment Three and Embodiment Four.
Embodiment Three
Fig. 3 is a structural diagram of the device provided by Embodiment Three of the invention. As shown in Fig. 3, the device can comprise a script parsing unit 301 and a disassembly detection unit 302.
The script parsing unit 301 parses the page script to be detected; if, during parsing, it obtains through the function hook installed in advance on the preset function used to write shellcode the binary data that the function produced in memory, it triggers the disassembly detection unit 302.
Once triggered, the disassembly detection unit 302 performs disassembly detection on the binary data; if self-locating code is detected during disassembly, shellcode is confirmed to have been detected.
Since a preparation operation needs to be carried out before the page script is parsed, the device can also comprise a preparation unit 303, which creates a new IE control process and installs the function hook on the preset function used to write shellcode.
The functions used to write shellcode comprise at least one of: the u function, unescape function or string.fromcharcode function of javascript-type scripts, and the unescape function, string.fromcharcode function or chrw function of vbscript-type scripts.
The script parsing unit 301 thus uses the installed function hook to obtain the binary data that these functions produce in memory for the page script.
The self-locating code involved in the disassembly performed by the disassembly detection unit 302 can include but is not limited to: call instruction code, pop instruction code, FSTENV instruction code and SEH instruction code; these are all code by which shellcode obtains its own position in memory.
As a preferred embodiment, the device can also comprise a blacklist matching unit 304.
The script parsing unit 301 triggers the disassembly detection unit 302 by way of triggering the blacklist matching unit 304.
Once triggered, the blacklist matching unit 304 matches the beginning of the binary data against the pre-configured blacklist; if there is a match, shellcode is confirmed and the script parsing unit 301 is triggered to end the parsing of the page script to be detected; otherwise, the disassembly detection unit 302 is triggered. The blacklist comprises nop instruction heads, which can include but are not limited to 9090, 5858, 0c0c, 0d0d, etc.
In one embodiment, if the disassembly detection unit 302 confirms shellcode, it triggers the script parsing unit 301 to end the parsing of the page script to be detected; otherwise, it triggers the script parsing unit 301 to continue parsing the page script to be detected.
In another embodiment, when no self-locating code is detected after disassembly, whether shellcode is present can be further detected by counting high-risk bytecodes; the structure of this embodiment is described in Embodiment Four.
Embodiment Four
Fig. 4 is another structural diagram of the device provided by Embodiment Four of the invention. It differs from Fig. 3 in that the device further comprises a high-risk code statistics unit 305.
If the disassembly detection unit 302 does not detect self-locating code during disassembly, it triggers the high-risk code statistics unit 305.
Once triggered, the high-risk code statistics unit 305 counts high-risk bytecodes in the binary data; if the number of high-risk bytecodes counted exceeds the preset high-risk bytecode threshold, shellcode is confirmed and the script parsing unit 301 is triggered to end the parsing of the page script to be detected; otherwise, the script parsing unit 301 is triggered to continue parsing the page script to be detected.
Likewise, high-risk bytecodes are features extracted from a large number of shellcode samples; analysis of a large number of shellcode samples has established that high-risk bytecodes comprise at least one of invisible characters and commonly used heap spray addresses. Commonly used heap spray addresses include but are not limited to 0c0c0c0c, 0d0d0d0d0d, 90909090, 14141414, etc.
The preset high-risk bytecode threshold can be set from experience; for example, if the high-risk bytecode is invisible characters, the threshold can be set to 5; if the high-risk bytecode is commonly used heap spray addresses, the threshold can be set to 1.
In addition, there is a further embodiment, described below through Embodiment Five.
Embodiment Five
Fig. 5 is another schematic structural diagram of the device provided by Embodiment Five of the invention. As shown in Fig. 5, the device can comprise a script parsing unit 501 and a high-risk code statistics unit 502.
The script parsing unit 501 parses the page script to be detected; if, during parsing, it obtains through the function hook installed in advance on the preset function used to write shellcode the binary data that the function produced in memory, it triggers the high-risk code statistics unit 502.
Once triggered, the high-risk code statistics unit 502 counts high-risk bytecodes in the binary data; if the number of high-risk bytecodes counted exceeds the preset high-risk bytecode threshold, shellcode is confirmed to have been detected.
Since a preparation operation needs to be carried out before the page script is parsed, the device also comprises:
a preparation unit 503, which creates a new browser IE control process and installs the function hook on the preset function used to write shellcode.
The functions used to write shellcode comprise at least one of: the u function, unescape function or string.fromcharcode function of javascript-type scripts, and the unescape function, string.fromcharcode function or chrw function of vbscript-type scripts.
The script parsing unit 501 thus uses the installed function hook to obtain the binary data that these functions produce in memory for the page script.
As a preferred embodiment, the device can also comprise a blacklist matching unit 504.
The script parsing unit 501 triggers the high-risk code statistics unit 502 by way of triggering the blacklist matching unit 504.
Once triggered, the blacklist matching unit 504 matches the beginning of the binary data against the pre-configured blacklist; if there is a match, shellcode is confirmed and the script parsing unit 501 is triggered to end the parsing of the page script to be detected; otherwise, the high-risk code statistics unit 502 is triggered. The blacklist comprises nop instruction heads, which can include but are not limited to 9090, 5858, 0c0c, 0d0d, etc.
If the high-risk code statistics unit 502 confirms shellcode, it triggers the script parsing unit 501 to end the parsing of the page script to be detected; otherwise, it triggers the script parsing unit 501 to continue parsing the page script to be detected.
The high-risk bytecodes comprise at least one of invisible characters and commonly used heap spray addresses.
From the above description it can be seen that the method and device provided by the invention have the following advantages:
1) The invention adopts dynamic parsing: the page script is loaded and parsed dynamically, and detection is realized during that dynamic parsing. Compared with static analysis, shellcode can be detected even in malicious scripts that use encoding techniques, which improves reliability and detection rate.
2) The invention detects shellcode during dynamic parsing, before the script vulnerability is triggered; compared with monitoring the browser process from the outside, this avoids crashing the browser process.
3) The invention is applicable to the server side as well as the client side, is not limited to a particular browser version, and is applicable to the running environments of various browser versions.
The above are merely preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the invention shall be included within the scope of protection of the invention.

Claims (28)

1. the method for a detection of dynamic malicious web pages script is characterized in that, said method comprises:
S1, page script to be detected is resolved, if in resolving, get access to the binary data that respective function produces at internal memory through in advance the function hook that the function of shellcode hangs being write in preset being used for, execution in step S2 then;
S2, said binary data is carried out dis-assembling detect,, then confirm to detect shellcode if in the dis-assembling process, detect self-align code.
2. method according to claim 1 is characterized in that, before said step S1, also comprises:
S0, a newly-built browser IE control process, and the function extension function hook that is used to write shellcode to presetting.
3. method according to claim 1 and 2; It is characterized in that; The said function that is used to write shellcode comprises: javascript type script be used for escape u function, be used for the unescape function of character string decoding or be used to return the string.fromcharcode function of the character string of ASCII value representation, the unescape function of vbscript type script, string.fromcharcode function or be used for returns chrw function at least a of the character that is associated with the designated character code.
4. method according to claim 1 is characterized in that, after said step S1 and carry out before the said step S2, also comprises:
S3, the beginning of the binary data that gets access to and the blacklist that is provided with are in advance mated,, finish parsing said page script to be detected if on the coupling, then confirm to detect shellcode; Otherwise, carry out said step S2;
Wherein said blacklist comprises, and: nop instructs head.
5. method according to claim 1; It is characterized in that said self-align code comprises: invocation of procedure call instruction code, the pop instruction code of popping, floating-point check protection environment FSTENV instruction code and high strength add at least a in the colored SEH instruction code.
6. method according to claim 1; It is characterized in that; If in said step S2, confirm to detect shellcode, then finish parsing to said page script to be detected, otherwise go to said step S1 said page script to be detected is proceeded to resolve.
7. method according to claim 1 is characterized in that, if in said step S2, in the dis-assembling process, do not detect self-align code, then continues execution in step S3:
S3, the said binary data that gets access to carried out the statistics of high-risk bytecode; If the quantity of the high-risk bytecode that counts on surpasses preset high-risk bytecode amount threshold; Then confirm to detect shellcode, finish parsing said page script to be detected; Otherwise, go to said step S1 said page script to be detected proceeded to resolve.
8. method according to claim 7 is characterized in that, said high-risk bytecode comprises: invisible character and heap spray at least a in the address commonly used.
9. the method for a detection of dynamic malicious web pages script is characterized in that, said method comprises:
A1, page script to be detected is resolved, if in resolving, get access to the binary data that respective function produces at internal memory through in advance the function hook that the function of shellcode hangs being write in preset being used for, execution in step A2 then;
A2, said binary data is carried out the statistics of high-risk bytecode,, then confirm to detect shellcode if the quantity of the high-risk bytecode that counts on surpasses preset high-risk bytecode amount threshold.
10. method according to claim 9 is characterized in that, before said steps A 1, also comprises:
A0, a newly-built browser IE control process, and the function extension function hook that is used to write shellcode to presetting.
11. according to claim 9 or 10 described methods; It is characterized in that; The said function that is used to write shellcode comprises: javascript type script be used for escape u function, be used for the unescape function of character string decoding or be used to return the string.fromcharcode function of the character string of ASCII value representation, the unescape function of vbscript type script, string.fromcharcode function or be used for returns chrw function at least a of the character that is associated with the designated character code.
12. method according to claim 9 is characterized in that, after said steps A 1 and carry out before the said steps A 2, also comprises:
A3, the beginning of the binary data that gets access to and the blacklist that is provided with are in advance mated,, finish parsing said page script to be detected if on the coupling, then confirm to detect shellcode; Otherwise, carry out said steps A 2;
Wherein said blacklist comprises, and: nop instructs head.
13. method according to claim 9 is characterized in that, in said steps A 2, if confirm to detect shellcode, finishes the parsing to said page script to be detected; Otherwise, go to 1 pair of said page script to be detected of said steps A and proceed to resolve.
14. method according to claim 9 is characterized in that, said high-risk bytecode comprises: invisible character and heap spray at least a in the address commonly used.
15. A device for dynamically detecting malicious webpage scripts, characterized in that the device comprises:
a script parsing unit, used to parse the page script to be detected and, if during parsing binary data produced in memory by a function is obtained through a function hook installed in advance on the preset function used to write shellcode, to trigger a disassembly detection unit;
the disassembly detection unit, used, once triggered, to perform disassembly detection on the binary data and, if self-locating code is detected during disassembly, to confirm that shellcode has been detected.
16. The device according to claim 15, characterized in that the device further comprises:
a preparation unit, used to create a new browser IE control process and to install the function hook on the preset function used to write shellcode.
17. The device according to claim 15 or 16, characterized in that the function used to write shellcode comprises at least one of: for javascript-type scripts, the u function used for escaping, the unescape function used to decode strings, or the string.fromcharcode function used to return the string represented by ASCII values; and for vbscript-type scripts, the unescape function, the string.fromcharcode function, or the chrw function used to return the character associated with a specified character code.
18. The device according to claim 15, characterized in that the device further comprises a blacklist matching unit;
the script parsing unit triggers the disassembly detection unit by triggering the blacklist matching unit;
the blacklist matching unit is used, once triggered, to match the beginning of the binary data against a pre-configured blacklist; if there is a match, to confirm that shellcode has been detected and trigger the script parsing unit to end the parsing of the page script to be detected; otherwise, to trigger the disassembly detection unit; wherein the blacklist comprises nop instruction heads.
19. The device according to claim 15, characterized in that the self-locating code comprises at least one of: the procedure-call CALL instruction code, the POP instruction code, the FSTENV (store floating-point environment) instruction code, and the SEH (structured exception handling) instruction code.
20. The device according to claim 15, characterized in that, if the disassembly detection unit confirms that shellcode has been detected, it triggers the script parsing unit to end the parsing of the page script to be detected; otherwise, it triggers the script parsing unit to continue parsing the page script to be detected.
21. The device according to claim 15, characterized in that the device further comprises a high-risk code statistics unit;
if the disassembly detection unit detects no self-locating code during disassembly, it triggers the high-risk code statistics unit;
the high-risk code statistics unit is used, once triggered, to count high-risk bytecodes in the binary data; if the number of high-risk bytecodes counted exceeds a preset high-risk bytecode threshold, to confirm that shellcode has been detected and trigger the script parsing unit to end the parsing of the page script to be detected; otherwise, to trigger the script parsing unit to continue parsing the page script to be detected.
22. The device according to claim 21, characterized in that the high-risk bytecodes comprise at least one of invisible characters and commonly used heap spray addresses.
23. A device for dynamically detecting malicious webpage scripts, characterized in that the device comprises:
a script parsing unit, used to parse the page script to be detected and, if during parsing binary data produced in memory by a function is obtained through a function hook installed in advance on the preset function used to write shellcode, to trigger a high-risk code statistics unit;
the high-risk code statistics unit, used, once triggered, to count high-risk bytecodes in the binary data and, if the number of high-risk bytecodes counted exceeds a preset high-risk bytecode threshold, to confirm that shellcode has been detected.
24. The device according to claim 23, characterized in that the device further comprises:
a preparation unit, used to create a new browser IE control process and to install the function hook on the preset function used to write shellcode.
25. The device according to claim 23 or 24, characterized in that the function used to write shellcode comprises at least one of: for javascript-type scripts, the u function used for escaping, the unescape function used to decode strings, or the string.fromcharcode function used to return the string represented by ASCII values; and for vbscript-type scripts, the unescape function, the string.fromcharcode function, or the chrw function used to return the character associated with a specified character code.
26. The device according to claim 23, characterized in that the device further comprises a blacklist matching unit;
the script parsing unit triggers the high-risk code statistics unit by triggering the blacklist matching unit;
the blacklist matching unit is used, once triggered, to match the beginning of the binary data against a pre-configured blacklist; if there is a match, to confirm that shellcode has been detected and trigger the script parsing unit to end the parsing of the page script to be detected; otherwise, to trigger the high-risk code statistics unit; wherein the blacklist comprises nop instruction heads.
27. The device according to claim 23, characterized in that, if the high-risk code statistics unit confirms that shellcode has been detected, it triggers the script parsing unit to end the parsing of the page script to be detected; otherwise, it triggers the script parsing unit to continue parsing the page script to be detected.
28. The device according to claim 23, characterized in that the high-risk bytecodes comprise at least one of invisible characters and commonly used heap spray addresses.
Application CN201210024781.9A, priority date 2012-02-06, filing date 2012-02-06: A kind of method and apparatus of dynamic detection malicious web pages script. Status: Active. Granted as CN102622543B (en).
Publications (2)

Publication Number Publication Date
CN102622543A (en) 2012-08-01
CN102622543B (en) 2016-08-03