CN102831339B - Method, device and browser for protecting webpage against malicious attack - Google Patents


Info

Publication number
CN102831339B
Authority
CN
China
Prior art keywords
protection attribute
page protection
memory address
authority
perform authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201210252213.4A
Other languages
Chinese (zh)
Other versions
CN102831339A (en)
Inventor
宋申雷
刘起
张聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date


Abstract

The application provides a method, a device and a browser for protecting a webpage against a malicious attack, aiming to solve the problem of an attacker carrying out a Trojan horse attack on the webpage by bypassing DEP (Data Execution Prevention) with the ROP (Return Oriented Programming) technique. In the application, when a process calls an API (Application Programming Interface) that changes the memory page protection attribute, the memory page protection attribute of the memory address that the malicious code intends to modify is checked in advance; the original and the modified memory page protection attributes of the memory address are distinguished through a rule, and a malicious modification, once found, is blocked or warned about, so that the memory address of a data page cannot be modified to executable permission and the malicious code cannot be illegally executed.

Description

Method, device and browser for protecting a webpage against malicious attack
Technical field
The application relates to browser technology, and in particular to a method, a device and a browser for protecting a webpage against malicious attack.
Background technology
Web Trojan (webpage Trojan horse) attacks are currently one of the most popular network attacks. Current web Trojans make heavy use of browser buffer-overflow vulnerabilities: the overflow vulnerability is used to alter and control the program's execution flow, and finally to make the system download and run the Trojan. The process of a web Trojan attack is generally as follows: the attacker manipulates the browser's heap memory through JavaScript, writes the malicious code (shellcode) to browser heap memory addresses, changes the program's execution flow through the buffer-overflow vulnerability, and thereby gets the shellcode in the browser heap executed.
As browser-based malicious attacks have become more and more common, browsers have strengthened their security functions, an important one of which is DEP (Data Execution Prevention). In an overflow attack the shellcode is stored in heap memory, but both the heap and the stack are data pages of the process address space, and data is not meant to be executed as code. Data in data pages therefore generally should not be executed, and DEP forbids applications and services from executing code instructions in data-page memory that lacks execute permission.
On the other hand, attackers have in turn begun to use, on a large scale, techniques that bypass or defeat DEP to carry out web Trojan attacks. At present attackers mainly use return-oriented programming (ROP) for such attacks. In ROP the attacker does not write shellcode into the address space of the vulnerable program; instead, the attacker reuses dynamic link libraries or executable code already present in memory to perform arbitrary operations, and thereby finally bypasses DEP.
Therefore, the technical problem that currently needs to be addressed is how to protect against malicious attacks that use ROP, so as to improve the security of web browsing.
Summary of the invention
This application provides a method, a device and a browser for protecting a webpage against malicious attack, to solve the problem of attackers using ROP to bypass DEP and carry out web Trojan attacks.
To solve the above problem, this application discloses a method for protecting a webpage against malicious attack, comprising:
When a process calls an application programming interface that changes the page protection attribute, detecting the page protection attribute of the memory address to be modified, the detection comprising:
Obtaining the original page protection attribute of the memory address, and checking whether the original page protection attribute is set to execute permission;
Obtaining the modified page protection attribute of the memory address, and checking whether the modified page protection attribute sets execute permission;
When the original page protection attribute of the memory address has no execute permission and the modified page protection attribute has execute permission, warning about and blocking the act of modifying the page protection attribute of the memory address.
Preferably, the page protection attribute of the memory address to be modified is detected by monitoring the VirtualProtect function, where the role of the VirtualProtect function is to change the page protection attribute.
Preferably, obtaining the original page protection attribute of the memory address comprises: obtaining the lpAddress parameter of the VirtualProtect function, the lpAddress parameter representing the start address of the memory to be modified; and obtaining, through a query function, the original page protection attribute corresponding to that start address.
Preferably, obtaining the modified page protection attribute of the memory address comprises: obtaining the flNewProtect parameter of the VirtualProtect function, the flNewProtect parameter representing the modified page protection attribute.
Preferably, the page protection attribute comprises the following 8 kinds: no-access permission, read-only permission, read-write permission, execute permission, execute-read permission, execute-read-write permission, write-copy permission, and execute-write-copy permission.
Preferably, the original page protection attribute of the memory address having no execute permission comprises: the original page protection attribute being no-access permission, read-only permission, read-write permission or write-copy permission; and the modified page protection attribute having execute permission comprises: the modified page protection attribute being execute permission, execute-read permission, execute-read-write permission or execute-write-copy permission.
Preferably, the memory address to be modified is the memory address where the malicious code resides.
The present invention also provides a device for protecting a webpage against malicious attack, comprising:
A detection module, for detecting, when a process calls an application programming interface that changes the page protection attribute, the page protection attribute of the memory address to be modified, the detection module comprising:
A first acquiring unit, for obtaining the original page protection attribute of the memory address;
A first checking unit, for checking whether the original page protection attribute is set to execute permission;
A second acquiring unit, for obtaining the modified page protection attribute of the memory address;
A second checking unit, for checking whether the modified page protection attribute sets execute permission;
A protection unit, for warning about and blocking the act of modifying the page protection attribute of the memory address when the original page protection attribute of the memory address has no execute permission and the modified page protection attribute has execute permission.
Preferably, the detection module detects the page protection attribute of the memory address to be modified by monitoring the VirtualProtect function, where the role of the VirtualProtect function is to change the page protection attribute.
Preferably, the first acquiring unit comprises:
A parameter acquiring subunit, for obtaining the lpAddress parameter of the VirtualProtect function, the lpAddress parameter representing the start address of the memory to be modified;
A query subunit, for obtaining, through a query function, the original page protection attribute corresponding to that start address.
Preferably, the second acquiring unit obtains the flNewProtect parameter of the VirtualProtect function, the flNewProtect parameter representing the modified page protection attribute.
Preferably, the page protection attribute comprises the following 8 kinds: no-access permission, read-only permission, read-write permission, execute permission, execute-read permission, execute-read-write permission, write-copy permission, and execute-write-copy permission.
Preferably, the original page protection attribute of the memory address having no execute permission comprises: the original page protection attribute being no-access permission, read-only permission, read-write permission or write-copy permission; and the modified page protection attribute having execute permission comprises: the modified page protection attribute being execute permission, execute-read permission, execute-read-write permission or execute-write-copy permission.
Preferably, the memory address to be modified is the memory address where the malicious code resides.
The present invention also provides a browser comprising the device for protecting a webpage against malicious attack described above.
Compared with the prior art, the application has the following advantage:
When a process calls an API (Application Programming Interface) that changes the page protection attribute, the application checks in advance the page protection attribute of the memory address that the malicious code intends to modify, distinguishes by rule between the original and the modified page protection attribute of that memory address, and, once a malicious modification is found, blocks it and issues a warning. This prevents the memory address of a data page from being modified to executable permission and malicious code from being illegally executed.
Description of the drawings
Fig. 1 is a flow chart of a method for protecting a webpage against malicious attack described in an embodiment of the application;
Fig. 2 is a flow chart of a method for protecting a webpage against malicious attack described in another embodiment of the application;
Fig. 3 is a structural diagram of a device for protecting a webpage against malicious attack described in an embodiment of the application.
Detailed description of the embodiments
To make the above objects, features and advantages of the application more apparent, the application is described in further detail below with reference to the drawings and specific embodiments.
To solve the problem of attackers using ROP (return-oriented programming) to bypass DEP and carry out web Trojan attacks, the application first analyzes the process of a malicious attack that uses ROP, as follows.
As described in the prior art, DEP cannot fully protect system security; new attack modes keep emerging, and an attacker can use ROP to modify the page protection attribute of the memory address where the shellcode resides, so that code in the data memory page can be executed, thereby bypassing the browser's DEP security function.
A popular ROP attack pattern is listed below:
1. The attack code first builds the ROP instruction chain and the shellcode in the heap memory of the IE browser;
2. After the browser's overflow vulnerability is triggered, execution enters the ROP instruction chain;
3. The ROP instruction chain enters a springboard instruction in the msvcrt.dll module and calls the VirtualProtect function to modify the memory protection attribute of the shellcode address to readable, writable and executable;
where the msvcrt.dll module is a dynamic link library loaded in the IE browser process.
The springboard instruction in the msvcrt.dll module is as follows:
xchg eax, esp  // exchange the values of register eax and register esp
ret            // return instruction
4. The browser's DEP protection is bypassed, and the shellcode at the memory address whose protection attribute has been modified to readable, writable and executable is executed successfully, completing the malicious attack.
The function of the shellcode is to download and run malware.
It can be seen from the above attack pattern that ROP is a brand-new attack pattern built on code reuse: the attacker uses the existing dynamic link libraries (such as the msvcrt.dll module) or executable files of the vulnerable process, extracts usable instruction fragments, most of which end with a ret (return) instruction, and uses the ret instruction to chain the execution flow of these fragments together.
Based on the above analysis, the application proposes a protection method: mainly by monitoring the VirtualProtect function and, according to certain rules, monitoring the behavior of maliciously modifying the page protection attribute, it can effectively protect against web Trojan attacks that modify memory attributes through ROP.
The implementation flow of the method described in the application is described in detail below through embodiments.
Referring to Fig. 1, it shows a flow chart of a method for protecting a webpage against malicious attack described in an embodiment of the application.
Step 101, when a process calls an API (application programming interface) that changes the page protection attribute, detect the page protection attribute of the memory address to be modified;
That is, calls to the API that changes memory attributes are monitored, mainly by monitoring the VirtualProtect function to detect the page protection attribute of the memory address to be modified. The VirtualProtect function is an operating system function whose role is to change the page protection attribute of the calling process. The memory address to be modified mainly refers to the memory address where the shellcode resides.
The detection comprises the following steps 102 to 104:
Step 102, obtain the original page protection attribute of the memory address, and check whether the original page protection attribute is set to execute permission;
Step 103, obtain the modified page protection attribute of the memory address, and check whether the modified page protection attribute is set to execute permission;
Step 104, when the original page protection attribute of the memory address has no execute permission and the modified page protection attribute has execute permission, warn about and block the act of modifying the page protection attribute of the memory address.
It can be seen from the above steps that, during detection, if the page protection attribute of a memory address is modified from having no execute permission to having execute permission, this indicates that what is stored at that memory address is malicious code.
Based on the above, in another embodiment provided by the application, the VirtualProtect function specifically has the following parameters:
1) the hProcess parameter represents the handle of the process whose memory is to be modified;
2) the lpAddress parameter represents the start address of the memory to be modified;
3) the dwSize parameter represents the number of bytes of memory to be modified;
4) the flNewProtect parameter represents the modified page protection attribute;
5) the lpflOldProtect parameter represents the address where the page protection attribute before modification is stored.
Meanwhile, there are the following 8 page protection attributes:
1) PAGE_NOACCESS, no-access permission: attempting to read the page, write the page, or execute code in the page causes an access violation;
2) PAGE_READONLY, read-only permission: attempting to write the page or execute code in the page causes an access violation;
3) PAGE_READWRITE, read-write permission: attempting to execute code in the page causes an access violation;
4) PAGE_EXECUTE, execute permission: attempting to read the page or write the page causes an access violation;
5) PAGE_EXECUTE_READ, execute-read permission: attempting to write the page causes an access violation;
6) PAGE_EXECUTE_READWRITE, execute-read-write permission: no operation on the page causes an access violation;
7) PAGE_WRITECOPY, write-copy permission: attempting to execute code in the page causes an access violation;
8) PAGE_EXECUTE_WRITECOPY, execute-write-copy permission: no operation on the page causes an access violation.
In the embodiment of the application, monitoring mainly targets the lpAddress and flNewProtect parameters of the VirtualProtect function: the page protection attribute of the memory start address given by the lpAddress parameter and the page protection attribute given by the flNewProtect parameter are checked in advance to determine whether there is a malicious act of modifying the page protection attribute to executable permission, so that a data page is protected from having malicious code executed in it through an ROP attack.
Therefore, in the embodiment of Fig. 1 above:
1) In step 102, obtaining the original page protection attribute of the memory address specifically comprises:
Sub-step 1, obtain the lpAddress parameter of the VirtualProtect function, the lpAddress parameter representing the start address of the memory to be modified;
Sub-step 2, obtain, through a query function, the original page protection attribute corresponding to that start address.
2) In step 103, obtaining the modified page protection attribute of the memory address specifically comprises:
Obtaining the flNewProtect parameter of the VirtualProtect function, the flNewProtect parameter representing the modified page protection attribute.
Another embodiment is described in detail below with reference to Fig. 2.
Referring to Fig. 2, it shows a flow chart of a method for protecting a webpage against malicious attack described in another embodiment of the application.
Step 201, hook the VirtualProtectEx function with HOOK technology, so that the parameters of the VirtualProtectEx function are passed into the parameter check of the HOOK function MineVirtualProtectEx;
In programming under the Windows system, the passing of messages runs throughout. HOOK is very closely related to messages; its Chinese meaning is "hook". A HOOK is a link in message processing, used to monitor message transmission in the system and to process certain specific messages before they reach their final message handler.
The role of the HOOK function MineVirtualProtectEx is to check the parameters of the VirtualProtectEx function; in the embodiment of the application it mainly checks the lpAddress and flNewProtect parameters of the VirtualProtectEx function.
Because the detection is completed inside the HOOK function, a malicious act of modifying the page protection attribute to executable permission can be discovered from the parameters of VirtualProtectEx before the VirtualProtectEx function actually executes.
Step 202, obtain the lpAddress parameter of the VirtualProtectEx function; lpAddress is a concrete memory address (the start address of the memory to be modified), and the protection attribute of the memory page at that address can be queried with the VirtualQuery function; this protection attribute is the original page protection attribute of the memory address represented by the lpAddress parameter;
The VirtualQuery function is a query function provided by Microsoft and is well known to those skilled in the art, so it is not described in detail here.
Step 203, check whether the memory page at the lpAddress parameter of the VirtualProtectEx function has execute permission;
Step 204, obtain the flNewProtect parameter of the VirtualProtectEx function;
Step 205, check whether the flNewProtect parameter of the VirtualProtectEx function is set to execute permission;
Step 206, if the memory page at the lpAddress parameter has no execute permission and at the same time the flNewProtect parameter is set to execute permission, warn about and block the act of modifying the memory protection attribute;
Here, the memory page at the lpAddress parameter having no execute permission, that is, the original page protection attribute of the memory address having no execute permission, specifically means: the original page protection attribute is no-access permission, read-only permission, read-write permission or write-copy permission. In short, any attribute that does not include execute permission can be described as having no execute permission.
The flNewProtect parameter being set to execute permission, that is, the modified page protection attribute having execute permission, specifically means: the modified page protection attribute is execute permission, execute-read permission, execute-read-write permission or execute-write-copy permission. In short, any attribute that includes execute permission can be described as having execute permission.
Step 207, if none of the above malicious behavior is found, return and execute the real VirtualProtectEx function.
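The decision logic of steps 201 to 207, together with the classification of the eight page protection attributes above, as an added C example that is not the patent's own code: the Win32 PAGE_* constants are defined locally with their documented values so the example builds without windows.h, sample_query is a constructed stand-in for the VirtualQuery lookup rather than a real hook, and the masking of the PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE modifier bits is an addition the patent does not discuss.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The eight page-protection constants the patent enumerates, with their
 * documented Win32 values, defined here so the example builds without
 * <windows.h>. */
#define PAGE_NOACCESS          0x01u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u

/* Modifier bits Win32 may OR onto a base protection. They say nothing about
 * executability, so the check masks them off instead of failing to match. */
#define PAGE_GUARD             0x100u
#define PAGE_NOCACHE           0x200u
#define PAGE_WRITECOMBINE      0x400u
#define PAGE_MODIFIER_MASK     (PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE)

typedef uint32_t DWORD;
typedef enum { DECISION_ALLOW = 0, DECISION_BLOCK = 1 } decision_t;

/* Steps 203 and 205: a protection value "has execute permission" exactly when
 * its base protection is one of the four PAGE_EXECUTE* values. */
bool prot_is_executable(DWORD prot)
{
    switch (prot & ~PAGE_MODIFIER_MASK) {
    case PAGE_EXECUTE:
    case PAGE_EXECUTE_READ:
    case PAGE_EXECUTE_READWRITE:
    case PAGE_EXECUTE_WRITECOPY:
        return true;
    default:
        return false;
    }
}

/* Step 206 rule: the change is flagged only when a page without execute
 * permission is being made executable. A change between two executable
 * protections, or one that removes execute, is outside the rule. */
bool protect_change_is_suspicious(DWORD old_prot, DWORD new_prot)
{
    return !prot_is_executable(old_prot) && prot_is_executable(new_prot);
}

/* Hypothetical stand-in for the VirtualQuery lookup of step 202: returns the
 * current protection of the page containing addr. */
typedef DWORD (*query_prot_fn)(uintptr_t addr);

/* Model of the hook the patent calls MineVirtualProtectEx: it runs before the
 * real VirtualProtectEx and decides whether the call may proceed (step 207). */
decision_t mine_virtual_protect_ex(uintptr_t lpAddress, DWORD flNewProtect,
                                   query_prot_fn query)
{
    DWORD old_prot = query(lpAddress);                       /* step 202 */
    if (protect_change_is_suspicious(old_prot, flNewProtect)) {
        fprintf(stderr, "warning: blocked protection change at %#lx: %#x -> %#x\n",
                (unsigned long)lpAddress, old_prot, flNewProtect);
        return DECISION_BLOCK;                               /* step 206 */
    }
    return DECISION_ALLOW;                                   /* step 207 */
}

/* Constructed sample address space standing in for VirtualQuery: a data
 * (heap) region and a loaded-module code region. Not real addresses. */
DWORD sample_query(uintptr_t addr)
{
    if (addr >= 0x02000000u && addr < 0x02100000u) return PAGE_READWRITE;    /* heap */
    if (addr >= 0x77c10000u && addr < 0x77c20000u) return PAGE_EXECUTE_READ; /* code */
    return PAGE_NOACCESS;
}

int main(void)
{
    /* Data page asked to become RWX: the rule blocks it. */
    decision_t d1 = mine_virtual_protect_ex(0x02000100u, PAGE_EXECUTE_READWRITE, sample_query);
    /* Code page that is already executable: outside the rule, allowed through. */
    decision_t d2 = mine_virtual_protect_ex(0x77c10100u, PAGE_EXECUTE_READWRITE, sample_query);
    /* Data page made read-only: no execute permission added, allowed through. */
    decision_t d3 = mine_virtual_protect_ex(0x02000100u, PAGE_READONLY, sample_query);
    printf("heap->RWX: %s, code->RWX: %s, heap->RO: %s\n",
           d1 == DECISION_BLOCK ? "block" : "allow",
           d2 == DECISION_BLOCK ? "block" : "allow",
           d3 == DECISION_BLOCK ? "block" : "allow");
    return 0;
}
```

The second case shows the limit of the rule as the patent states it: a change that only adds write permission to an already executable page is not flagged.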
In summary, when a process calls an API that changes the page protection attribute, the embodiment of the application checks in advance the page protection attribute of the memory address that the malicious code intends to modify, distinguishes by rule between the original and the modified page protection attribute of that memory address, and, once a malicious modification is found, blocks it and issues a warning. This prevents the memory address of a data page from being modified to executable permission and malicious code from being illegally executed.
The above embodiments are described using web Trojan attacks that use ROP as an example, but they can also be applied in specific applications to viruses or malware attacks that use ROP in other ways; the implementation principle is similar to that of the above embodiments and is not repeated here.
It should be noted that the foregoing method embodiments are, for simplicity of description, all expressed as a series of combined actions; however, those skilled in the art should know that the application is not limited by the described sequence of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the application.
Based on the description of the above method embodiments, the present invention also provides a corresponding device embodiment, described below with reference to Fig. 3.
Referring to Fig. 3, it shows a structural diagram of a device for protecting a webpage against malicious attack described in an embodiment of the application.
The device for protecting a webpage against malicious attack may comprise the following modules:
A detection module 10, for detecting, when a process calls an application programming interface that changes the page protection attribute, the page protection attribute of the memory address to be modified, the detection module comprising:
A first acquiring unit 101, for obtaining the original page protection attribute of the memory address;
A first checking unit 102, for checking whether the original page protection attribute is set to execute permission;
A second acquiring unit 103, for obtaining the modified page protection attribute of the memory address;
A second checking unit 104, for checking whether the modified page protection attribute sets execute permission;
A protection unit 105, for warning about and blocking the act of modifying the page protection attribute of the memory address when the original page protection attribute of the memory address has no execute permission and the modified page protection attribute has execute permission.
Further, the detection module detects the page protection attribute of the memory address to be modified by monitoring the VirtualProtect function, where the role of the VirtualProtect function is to change the page protection attribute.
Based on the VirtualProtect function, the first acquiring unit 101 may specifically comprise:
A parameter acquiring subunit, for obtaining the lpAddress parameter of the VirtualProtect function, the lpAddress parameter representing the start address of the memory to be modified;
A query subunit, for obtaining, through a query function, the original page protection attribute corresponding to that start address.
Based on the VirtualProtect function, the second acquiring unit 102 may obtain the flNewProtect parameter of the VirtualProtect function, the flNewProtect parameter representing the modified page protection attribute.
In another embodiment of the application, the page protection attribute may comprise the following 8 kinds:
No-access permission, read-only permission, read-write permission, execute permission, execute-read permission, execute-read-write permission, write-copy permission, and execute-write-copy permission.
Based on the above 8 page protection attributes:
The original page protection attribute of the memory address having no execute permission comprises: the original page protection attribute being no-access permission, read-only permission, read-write permission or write-copy permission;
The modified page protection attribute having execute permission comprises: the modified page protection attribute being execute permission, execute-read permission, execute-read-write permission or execute-write-copy permission.
Here, the memory address to be modified may be the memory address where the malicious code resides.
Since the device embodiment is basically similar to the method embodiments, its description is relatively brief; for the relevant parts, see the description of the method embodiments shown in Fig. 1 and Fig. 2.
Based on the above device embodiment for protecting a webpage against malicious attack, the embodiment of the application also provides a browser comprising this device. When a process calls an API (Application Programming Interface) that changes the page protection attribute, the browser checks in advance the page protection attribute of the memory address that the malicious code intends to modify, distinguishes by rule between the original and the modified page protection attribute of that memory address, and, once a malicious modification is found, blocks it and issues a warning. This prevents the memory address of a data page from being modified to executable permission and malicious code from being illegally executed.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the identical or similar parts the embodiments may be referred to one another.
Those skilled in the art will readily envisage that any combination of the above embodiments is feasible, so any combination of the above embodiments is an embodiment of the application; for reasons of space, this specification does not detail them one by one here.
In this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise" and "comprising" cover not only the listed elements but also other elements not expressly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
The embodiments of the application may be implemented on any device (or devices) that supports graphics processing, internet content capture and rendering. These devices include but are not limited to personal computers, cluster servers, mobile phones, workstations, embedded systems, game consoles, televisions, set-top boxes, or any other computing device that supports computer graphics and content display. These devices may include, but are not limited to, one or more processors for executing and storing instructions, and memory. These devices may comprise software, firmware and hardware. The software may comprise one or more application programs and an operating system. The hardware may include, but is not limited to, a processor, memory and a display.
Those skilled in the art should understand that the embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The application is described with reference to flow charts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which instruction means implements the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions also can be loaded in computing machine or other programmable data processing device, make on computing machine or other programmable devices, to perform sequence of operations step to produce computer implemented process, thus the instruction performed on computing machine or other programmable devices is provided for the step realizing the function of specifying in process flow diagram flow process or multiple flow process and/or block scheme square frame or multiple square frame.
Although described the preferred embodiment of the application, those skilled in the art once obtain the basic creative concept of cicada, then can make other change and amendment to these embodiments.So claims are intended to be interpreted as comprising preferred embodiment and falling into all changes and the amendment of the application's scope.
Above to a kind of method, device and browser protected for the malicious attack of webpage that the application provides, be described in detail, apply specific case herein to set forth the principle of the application and embodiment, the explanation of above embodiment is just for helping method and the core concept thereof of understanding the application; Meanwhile, for one of ordinary skill in the art, according to the thought of the application, all will change in specific embodiments and applications, in sum, this description should not be construed as the restriction to the application.

Claims (13)

1. A method for protecting a webpage against a malicious attack, characterized in that it comprises:
when a process calls an application programming interface that changes page protection attributes, performing pre-detection on the page protection attribute of the memory address that malicious code intends to modify, wherein the pre-detection comprises: detecting the page protection attribute of the memory address that the malicious code intends to modify and the page protection attribute of the start address of the memory to be modified, wherein the memory address to be modified is the memory address at which the malicious code resides;
the detection comprises: obtaining the original page protection attribute of the memory address, and checking whether the original page protection attribute is set to execute authority;
obtaining the modified page protection attribute of the memory address, and checking whether the modified page protection attribute sets execute authority;
when the original page protection attribute of the memory address does not have execute authority and the modified page protection attribute has execute authority, warning about and blocking the act of modifying the page protection attribute of the memory address.
2. The method according to claim 1, characterized in that:
the page protection attribute of the memory address to be modified is detected by monitoring the VirtualProtect function, wherein the function of the VirtualProtect function is to change page protection attributes.
3. The method according to claim 2, characterized in that obtaining the original page protection attribute of the memory address comprises:
obtaining the lpAddress parameter of the VirtualProtect function, where the lpAddress parameter represents the start address of the memory address to be modified;
obtaining, by a query function, the original page protection attribute corresponding to the start address.
4. The method according to claim 2, characterized in that obtaining the modified page protection attribute of the memory address comprises:
obtaining the flNewProtect parameter of the VirtualProtect function, where the flNewProtect parameter represents the modified page protection attribute.
5. The method according to claim 1, characterized in that the page protection attribute comprises the following 8 kinds:
no-access authority, read-only authority, read-write authority, execute authority, execute-read authority, execute-read-write authority, write-copy authority, and execute-write-copy authority.
6. The method according to claim 5, characterized in that
the original page protection attribute of the memory address not having execute authority comprises: the original page protection attribute is no-access authority, read-only authority, read-write authority, or write-copy authority;
the modified page protection attribute having execute authority comprises: the modified page protection attribute is execute authority, execute-read authority, execute-read-write authority, or execute-write-copy authority.
7. A device for protecting a webpage against a malicious attack, characterized in that it comprises:
a detection module, for performing, when a process calls an application programming interface that changes page protection attributes, pre-detection on the page protection attribute of the memory address that malicious code intends to modify, wherein the pre-detection comprises: detecting the page protection attribute of the memory address that the malicious code intends to modify and the page protection attribute of the start address of the memory to be modified, wherein the memory address to be modified is the memory address at which the malicious code resides;
the detection module comprises:
a first acquiring unit, for obtaining the original page protection attribute of the memory address;
a first inspection unit, for checking whether the original page protection attribute is set to execute authority;
a second acquiring unit, for obtaining the modified page protection attribute of the memory address;
a second inspection unit, for checking whether the modified page protection attribute sets execute authority;
a protective unit, for warning about and blocking the act of modifying the page protection attribute of the memory address when the original page protection attribute of the memory address does not have execute authority and the modified page protection attribute has execute authority.
8. The device according to claim 7, characterized in that:
the detection module detects the page protection attribute of the memory address to be modified by monitoring the VirtualProtect function, wherein the function of the VirtualProtect function is to change page protection attributes.
9. The device according to claim 8, characterized in that the first acquiring unit comprises:
a parameter acquiring subunit, for obtaining the lpAddress parameter of the VirtualProtect function, where the lpAddress parameter represents the start address of the memory address to be modified;
a query subunit, for obtaining, by a query function, the original page protection attribute corresponding to the start address.
10. The device according to claim 8, characterized in that:
the second acquiring unit obtains the flNewProtect parameter of the VirtualProtect function, where the flNewProtect parameter represents the modified page protection attribute.
11. The device according to claim 7, characterized in that the page protection attribute comprises the following 8 kinds:
no-access authority, read-only authority, read-write authority, execute authority, execute-read authority, execute-read-write authority, write-copy authority, and execute-write-copy authority.
12. The device according to claim 11, characterized in that
the original page protection attribute of the memory address not having execute authority comprises: the original page protection attribute is no-access authority, read-only authority, read-write authority, or write-copy authority;
the modified page protection attribute having execute authority comprises: the modified page protection attribute is execute authority, execute-read authority, execute-read-write authority, or execute-write-copy authority.
13. A browser, characterized in that it comprises the device for protecting a webpage against a malicious attack according to any one of claims 7 to 12.
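The rule of claims 1, 5 and 6, applied to the VirtualProtect parameters named in claims 2 to 4, as an added C example that is not part of the patent. It assumes the standard Windows PAGE_* constants (defined inline so it builds without windows.h) and replaces the region query of claim 3 with a constructed region table in place of a real VirtualQuery call.

```c
#include <stdbool.h>
#include <stdint.h>

/* The eight base page protection values of the Windows API, matching the eight kinds
 * listed in claim 5 (assumed here so the example builds without <windows.h>). */
#ifndef PAGE_NOACCESS
#define PAGE_NOACCESS          0x01  /* no access */
#define PAGE_READONLY          0x02  /* read-only */
#define PAGE_READWRITE         0x04  /* read/write */
#define PAGE_WRITECOPY         0x08  /* write-copy (copy-on-write) */
#define PAGE_EXECUTE           0x10  /* execute */
#define PAGE_EXECUTE_READ      0x20  /* execute/read */
#define PAGE_EXECUTE_READWRITE 0x40  /* execute/read/write */
#define PAGE_EXECUTE_WRITECOPY 0x80  /* execute/write-copy */
#endif

enum verdict { VERDICT_ALLOW = 0, VERDICT_BLOCK = 1 };

/* Claim 6: the attribute "has execute authority" when its base value is one of the
 * four PAGE_EXECUTE* kinds. Only the low byte is the base protection; higher bits
 * (PAGE_GUARD, PAGE_NOCACHE, PAGE_WRITECOMBINE) are modifiers and are masked off. */
static bool has_execute(uint32_t prot) {
    switch (prot & 0xFFu) {
    case PAGE_EXECUTE:
    case PAGE_EXECUTE_READ:
    case PAGE_EXECUTE_READWRITE:
    case PAGE_EXECUTE_WRITECOPY:
        return true;
    default:
        return false;
    }
}

/* The rule of claim 1: a change from an original attribute without execute authority
 * to a requested attribute with execute authority is warned about and blocked. */
static enum verdict check_protect_change(uint32_t original, uint32_t requested) {
    return (!has_execute(original) && has_execute(requested)) ? VERDICT_BLOCK : VERDICT_ALLOW;
}

/* Constructed stand-in for the query function of claim 3: a fixed region table with
 * sample addresses instead of a real VirtualQuery call. */
struct region { uintptr_t base; uint32_t size; uint32_t protect; };
static const struct region sample_regions[] = {
    { 0x00400000u, 0x1000, PAGE_EXECUTE_READ },  /* code section */
    { 0x00401000u, 0x4000, PAGE_READWRITE },     /* data / heap */
};

static uint32_t query_original_protect(uintptr_t addr) {
    for (unsigned i = 0; i < sizeof sample_regions / sizeof sample_regions[0]; i++)
        if (addr >= sample_regions[i].base && addr - sample_regions[i].base < sample_regions[i].size)
            return sample_regions[i].protect;
    return PAGE_NOACCESS;  /* unmapped address: no access, hence no execute authority */
}

/* What a hook on VirtualProtect (claims 2 to 4) decides from its lpAddress and
 * flNewProtect parameters before the real call is allowed to proceed. */
static enum verdict hooked_virtual_protect(uintptr_t lp_address, uint32_t fl_new_protect) {
    return check_protect_change(query_original_protect(lp_address), fl_new_protect);
}
```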

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210252213.4A CN102831339B (en) 2012-07-19 2012-07-19 Method, device and browser for protecting webpage against malicious attack

Publications (2)

Publication Number Publication Date
CN102831339A CN102831339A (en) 2012-12-19
CN102831339B true CN102831339B (en) 2015-05-27

Family

ID=47334472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210252213.4A Expired - Fee Related CN102831339B (en) 2012-07-19 2012-07-19 Method, device and browser for protecting webpage against malicious attack

Country Status (1)

Country Link
CN (1) CN102831339B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11784993B2 (en) 2020-12-16 2023-10-10 Cisco Technology, Inc. Cross site request forgery (CSRF) protection for web browsers

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104268471B (en) * 2014-09-10 2017-04-26 珠海市君天电子科技有限公司 Method and device for detecting return-oriented programming attack
CN105701397B (en) * 2014-11-24 2019-01-01 中国移动通信集团公司 A kind of application control method and device
SG10201504066QA (en) * 2015-05-25 2016-12-29 Huawei Internat Pte Ltd Method and system for defense against return oriented programming (rop) based attacks
CN105205400B (en) * 2015-08-28 2018-10-16 北京金山安全软件有限公司 Module loading method and device and electronic equipment
US20170060783A1 (en) * 2015-09-01 2017-03-02 Mediatek Inc. Apparatus for performing secure memory allocation control in an electronic device, and associated method
CN106682512B (en) * 2016-11-25 2020-07-28 腾讯科技(深圳)有限公司 Method, device and system for preventing program from being modified
CN107220542A (en) * 2017-05-31 2017-09-29 郑州云海信息技术有限公司 A kind of Windows system process means of defences based on forced symmetric centralization
CN111191227B (en) * 2019-07-22 2023-12-12 腾讯科技(深圳)有限公司 Method and device for preventing malicious code from executing
CN113646763B (en) * 2019-08-15 2024-02-02 奇安信安全技术(珠海)有限公司 shellcode detection method and device
CN114741694B (en) * 2022-03-07 2023-03-10 安芯网盾(北京)科技有限公司 Method, device and equipment for detecting execution of shellcode and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101414341A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Software self-protection method
CN101520754A (en) * 2009-03-24 2009-09-02 中兴通讯股份有限公司 Method and device for positioning function and/or task violating memory access
CN101706852A (en) * 2009-11-17 2010-05-12 珠海金山软件股份有限公司 Online game password protecting device and method thereof
US7996904B1 (en) * 2007-12-19 2011-08-09 Symantec Corporation Automated unpacking of executables packed by multiple layers of arbitrary packers

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150527

Termination date: 20190719