CN103116724A - Method and device for detecting dangerous behavior of program sample - Google Patents

Info

Publication number: CN103116724A
Authority: CN (China)
Prior art keywords: sample, application programming, stored, programming interfaces, suspicious actions
Legal status: Granted (active)
Application number: CN2013100818699A
Other languages: Chinese (zh)
Other versions: CN103116724B (en)
Inventor: 邢超
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310081869.9A; publication of CN103116724A; application granted and published as CN103116724B

Classification: Debugging And Monitoring (AREA)

Abstract

The invention relates to the technical field of network communication and discloses a method, and a corresponding device, for detecting dangerous behavior of a program sample. The method comprises: detecting whether the program sample performs a first suspicious action of looking up an attack point; on the premise that the first suspicious action is detected, monitoring whether the program sample performs a second suspicious action of comparing an object; when the second suspicious action is detected, determining whether the object compared by the program sample matches the content of a pre-stored blacklist; and, when the compared object matches the blacklist content, determining that the behavior of the program sample is dangerous. This solves the prior-art problem that judging solely from the binary file easily produces false positives and false negatives, and achieves the beneficial effect of identifying dangerous behavior accurately and reliably.

Description

Method and device for detecting dangerous behavior of a program sample
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and device for detecting dangerous behavior of a program sample.
Background art
At present, hackers often carry out dangerous behavior by means of Trojans or game plug-ins (cheats). For example, a Trojan will search the system for antivirus software and forcibly close it; a game plug-in will inject itself into the game process and modify the game's settings.
To detect such dangerous behavior, Kingsoft Co. released Kingsoft pinkeye. Kingsoft pinkeye performs automated analysis on a program sample and determines the sample's dangerous behavior from the analysis result. Its automated analysis mainly analyzes the binary file of the program sample, checking whether the binary file contains strings that include the names of commonly attacked objects (for example, antivirus processes such as 360tray.exe, ksafetray.exe and mpsvc.exe, and/or game processes such as dnf.exe); if such strings exist, the behavior of the program sample is considered dangerous.
The principle behind this approach is that, in general, a program sample first looks up the object it intends to attack before launching the attack; therefore, if the name of an attacked object appears in the sample's binary file, the sample will probably look up that object and attack it.
However, this approach has many drawbacks. First, the name of an attacked object sometimes appears in the binary file of a program sample that does not in fact intend to attack that object but includes it for some benign purpose; in this case the approach readily produces false positives. Second, if the program sample allocates memory on the stack rather than on the heap, the string containing the attacked object's name does not appear in the sample's binary file at all, so the above method cannot be used when the sample allocates memory on the stack.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method, and a corresponding device, for detecting dangerous behavior of a program sample that overcomes, or at least partly solves, the above problems.
According to one aspect of the present invention, a method for detecting dangerous behavior of a program sample is provided, comprising: detecting whether the program sample performs a first suspicious action of looking up an attack point, and, on the premise that the first suspicious action is detected, monitoring whether the program sample performs a second suspicious action of comparing an object; when the second suspicious action is detected, determining whether the object compared by the program sample when performing the second suspicious action matches the content of a pre-stored blacklist, the blacklist storing names of attacked objects; and, when the object compared by the program sample matches the blacklist content, determining that the behavior of the program sample is dangerous.
Optionally, after the step of determining that the behavior of the program sample is dangerous, the method further comprises: storing the name of the program sample together with the name of the compared object in a preset dangerous-behavior log file.
Optionally, the method further comprises: obtaining the program sample in advance by running multiple virtual machines in parallel.
Optionally, the first suspicious action is enumerating system processes, and detecting whether the program sample performs the first suspicious action of looking up an attack point further comprises: monitoring a first application programming interface and a second application programming interface of the program sample respectively, to determine whether the program sample enumerates system processes, wherein the first application programming interface enumerates system processes by returning handle values, and the second application programming interface closes the enumerated system processes by closing handle values.
Optionally, monitoring the first and second application programming interfaces of the program sample respectively to determine whether the program sample enumerates system processes further comprises: when the first application programming interface returns a handle value, storing the returned handle value in a linked list and incrementing a variable whose preset initial value is zero; and when it is determined that the handle value to be closed by the second application programming interface is stored in the linked list, deleting that handle value from the linked list and decrementing the variable. Monitoring, on the premise that the first suspicious action is detected, whether the program sample performs the second suspicious action of comparing an object further comprises: determining whether the value of the variable is greater than a preset variable threshold; when the result is yes, monitoring whether the program sample performs the second suspicious action of comparing an object; when the result is no, not monitoring whether the program sample performs the second suspicious action.
Optionally, monitoring whether the program sample performs the second suspicious action further comprises: monitoring each function in the program sample that performs an object-comparison function, to determine whether the program sample performs an object-comparison operation.
Optionally, the attacked objects pre-stored in the blacklist comprise antivirus software processes and/or game processes.
Optionally, when the second suspicious action is detected, the following steps are further performed: determining whether the object compared by the program sample matches the content of a pre-stored whitelist, the whitelist storing names of non-attacked objects; and, when the object compared by the program sample does not match the whitelist content, determining that the behavior of the program sample is suspicious.
According to another aspect of the present invention, a device for detecting dangerous behavior of a program sample is provided, comprising: a first monitoring module, adapted to detect whether the program sample performs a first suspicious action of looking up an attack point; a second monitoring module, adapted to monitor, on the premise that the first monitoring module has detected the first suspicious action, whether the program sample performs a second suspicious action of comparing an object; and a match comparison module, adapted to determine, when the second monitoring module detects that the program sample performs the second suspicious action, whether the object compared by the program sample when performing the second suspicious action matches the content of a pre-stored blacklist, and, when the compared object matches the blacklist content, to determine that the behavior of the program sample is dangerous; wherein the blacklist stores names of attacked objects.
Optionally, the device further comprises a logging module, adapted to store the name of the program sample together with the name of the compared object in a preset dangerous-behavior log file when the match comparison module determines that the behavior of the program sample is dangerous.
Optionally, the device further comprises a program sample acquisition module, adapted to obtain the program sample in advance by running multiple virtual machines in parallel.
Optionally, the first monitoring module is further adapted to monitor a first application programming interface and a second application programming interface of the program sample respectively, to determine whether the program sample enumerates system processes, wherein the first application programming interface enumerates system processes by returning handle values, and the second application programming interface closes the enumerated system processes by closing handle values.
Optionally, the first monitoring module further comprises: a first hook module, adapted to store the handle value returned by the first application programming interface in a linked list and increment a variable whose preset initial value is zero whenever the first application programming interface returns a handle value; and a second hook module, adapted to delete the handle value from the linked list and decrement the variable when it determines that the handle value to be closed by the second application programming interface is stored in the linked list. The second monitoring module is further adapted to determine whether the value of the variable is greater than a preset variable threshold, to monitor whether the program sample performs the second suspicious action of comparing an object when the result is yes, and not to monitor it when the result is no.
Optionally, the second monitoring module is further adapted to monitor each function in the program sample that performs an object-comparison function, to determine whether the program sample performs an object-comparison operation.
Optionally, the attacked objects pre-stored in the blacklist comprise antivirus software processes and/or game processes.
Optionally, the match comparison module, when the second monitoring module detects that the program sample performs the second suspicious action, is further adapted to determine whether the object compared by the program sample matches the content of a pre-stored whitelist, the whitelist storing names of non-attacked objects, and to determine that the behavior of the program sample is suspicious when the compared object does not match the whitelist content.
The method and device for detecting dangerous behavior of a program sample provided by the invention are designed around the behavioral characteristics a program sample shows when it carries out dangerous behavior. In general, those characteristics are: first, looking up an attack point (for example, enumerating system processes); then performing an object-comparison operation (for example, a string comparison) to determine whether the potential attack points (for example, the enumerated system processes) include the name of the object to be attacked, and possibly launching an attack once that object is found to exist. Based on these characteristics, the method and device monitor, on the premise that the monitored program sample has looked up an attack point, whether the sample performs an object-comparison operation; then, when the sample is observed performing an object comparison, they further determine whether the compared object matches the content of a pre-stored blacklist, thereby identifying the sample's dangerous behavior. Because the scheme only classifies behavior as dangerous when the sample has performed both the first and the second suspicious action, it solves the false-positive and false-negative problems of judging solely from the binary file in the prior art, and achieves the beneficial effect of identifying dangerous behavior accurately and reliably.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, identical reference symbols denote identical parts. In the drawings:
Fig. 1 shows a flowchart of the method for detecting dangerous behavior of a program sample provided according to an embodiment of the present invention; and
Fig. 2 shows a structural diagram of the device for detecting dangerous behavior of a program sample provided according to an embodiment of the present invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
An embodiment of the present invention provides a method and device for detecting dangerous behavior of a program sample, in order to solve the prior-art problem that judging dangerous behavior solely from the binary file easily produces false positives and false negatives.
Because the method and device provided by the embodiment detect dangerous behavior mainly from the behavioral characteristics a program sample shows when carrying it out, and to make the invention easier to understand, those behavioral characteristics are introduced first, before the technical solution itself:
The inventor's research found that a program sample with attack characteristics (for example, a Trojan or a game plug-in) needs to perform two kinds of suspicious action in sequence when carrying out dangerous behavior. First, it needs to determine the potential attacked object: for a Trojan this may be an antivirus process such as 360tray.exe, ksafetray.exe or mpsvc.exe, and for a game plug-in it may be a game process such as dnf.exe. To attack the attacked object, the program sample must first find that potential object before carrying out the dangerous behavior. When looking up the attacked object, the program sample usually first enumerates the processes in the current system and then reacts according to the enumeration result. The sample generally enumerates system processes by directly calling the application programming interface (API) named toolhelp32 provided by the operating system, through which every process running in the current system can be enumerated one by one. After enumerating the system processes, the sample usually compares the enumerated processes one by one using a string run-time library function, that is, a string comparison function (for example the stricmp function), to determine whether an enumerated system process matches the name of the attacked object. If a process matching the name of the attacked object is found among the enumerated processes, the sample carries out the corresponding dangerous behavior according to the characteristics of that process. For example, if the process is an antivirus process, the sample usually proceeds as follows: if it finds that the antivirus process has some easily exploited vulnerability, it forcibly closes the antivirus process; if it finds no such vulnerability, and forcibly closing the process would be noticed by the antivirus software and reported to the user, the sample performs no operation and exits directly. If the process is a game process, the sample may locate the game process by a further injection action in order to carry out illegal operations on it.
From the above description it can be seen that, before carrying out dangerous behavior, a program sample first needs to look up the attack point by a first suspicious action (such as enumerating system processes) and then determine the attacked object by a second suspicious action (such as a string comparison operation). The present invention therefore detects the dangerous behavior of a program sample based on these behavioral characteristics.
In addition, the embodiment of the present invention can be applied to a honeypot system, the honeypot being used mainly to detect program samples. The program samples can be obtained in advance by running multiple virtual machines in parallel, where each physical machine can run several Windows XP virtual machines, which improves the efficiency of sample collection. After the program samples have been collected, the virtual machines are shut down, and when samples need to be collected again the virtual machines are simply started again.
Fig. 1 shows the method flow diagram of the locator(-ter) sample hazardous act that the embodiment of the present invention provides.As shown in Figure 1, the method starts from step S110, and in step S110, whether the trace routine sample has first suspicious actions of searching the point of attack.
Wherein, search that the first suspicious actions of the point of attack normally realize by the mode of enumerating system process, by enumerating system process, just can learn currently moved which system process, and therefrom determine the point of attack.
The below is that the details that realizes of step S110 is introduced in the behavior of enumerating system process in detail as example take the first suspicious actions: respectively the first application programming interfaces (for example CreateToolhelp32Snapshot interface) and second application programming interfaces (for example CloseHandle interface) of program sample are monitored, whether enumerate system process with the determine procedures sample.Wherein, the first application programming interfaces CreateToolhelp32Snapshot is used for enumerating system process by the mode of returning to handle value (handle value), that is to say, when the program sample calls the first application programming interfaces CreateToolhelp32Snapshot, these first application programming interfaces can return to some handle values, according to these handle values, just can determine in current system, which process operation has, thereby these processes are enumerated in an enumerated list.The second application programming interfaces CloseHandle is used for closing by the mode of closing the handle value system process of enumerating.that is to say, after enumerating the corresponding handle value of system process by the first application programming interfaces when the program sample, if the program sample further calls the second application programming interfaces, the second application programming interfaces can be closed the handle value of program sample appointment, thereby close the system process of enumerating, here the said system process of enumerating of closing, do not refer to veritably this system process be closed, and refer to this system process is deleted from above-mentioned enumerated list, at this moment this system process may still operate in system, just do not enumerated in enumerated list by the program sample.
The below introduces the specific implementation process that above-mentioned the first application programming interfaces to the program sample and the second application programming interfaces are monitored in detail.For example, can realize by the combination of dynamic link library and hook technology above-mentioned observation process: at first, create a dynamic link library ATPuser DLL, this dynamic link library is injected in each program sample, when the program sample comprises the process that in current system, all are moving, namely this dynamic link library is injected in the system process of each startup in current system.Wherein, can be by various technology realizations well known to those skilled in the art with the mode of dynamic link library injected system process, the present invention does not do restriction to concrete injection mode.The purpose that dynamic link library is injected into system process is mainly in order to realize the use of hook technology.Therefore, next, the assigned address in each process arranges hook (HOOK), to realize the monitoring to the running status of assigned address.for the purpose that realizes the first application programming interfaces and second application programming interfaces of program sample are monitored, assigned address above-mentioned can comprise the first application programming interfaces and second application programming interfaces of program sample, by the first application programming interfaces and the second application programming interfaces are arranged respectively hook, can be when the program sample runs to the first application programming interfaces and the second application programming interfaces, at first carry out the logic function in hook function corresponding to this interface, thereby realize purpose that the first application programming interfaces and the second application programming interfaces are monitored.
The below introduces in detail by hook technology again and realizes details to what the first application programming interfaces and the second application programming interfaces were monitored.The logic function of the hook function that the first above-mentioned application programming interfaces are corresponding is: when the program sample runs to the first application programming interfaces, the handle value that this hook function is used for the first application programming interfaces are returned is stored in a self-defining chained list, is that the value of zero variable count increases progressively (for example increasing progressively one) simultaneously with default initial value.The logic function of the hook function that the second above-mentioned application programming interfaces are corresponding is: when the program sample runs to the second application programming interfaces, determine whether the handle value that the second application programming interfaces will be closed has been stored in above-mentioned chained list, if judgment result is that be, delete this handle value that will close from this chained list, and the value of above-mentioned variable count is successively decreased (for example successively decreasing one).In the process of aforesaid operations chained list, in order to ensure the accuracy of the content in chained list, also can come content in synchronous chained list by synchronous operation.
The logic function of the hook function by the first application programming interfaces and the second application programming interfaces can be found out, when the program sample runs to the first application programming interfaces and enumerate system process by the first application programming interfaces, the value of variable count will be started from scratch and be increased progressively; And when the program sample runs to the second application programming interfaces and close by the second application programming interfaces the system process of enumerating, the value of variable count will begin again to successively decrease.This shows, when the program sample operates between the first application programming interfaces and the second application programming interfaces, the representation program sample is current is enumerating system process, and the value of this variations per hour count should be more than or equal to default variable threshold (for example variable threshold is).
This shows, in aforesaid way, in the situation of value more than or equal to variable threshold of variable count, can enumerate system process by the determine procedures sample; And in the situation of value less than variable threshold of variable count, can not enumerate system process by the determine procedures sample.
The first suspicious actions can be also other suspicious actions, as long as can realize searching the purpose of the point of attack.Therefore, except the mode of introducing above, those skilled in the art can also take other modes to come the trace routine sample whether to have to search the first suspicious actions of the point of attack flexibly in step S110, for example, whether the trace routine sample has the suspicious actions of searching one by one current working procedure or file.
The present invention continues to monitor in step S110, under the program sample of monitoring has been enumerated the prerequisite of system process (be the value of variable count more than or equal to variable threshold time), continue execution in step S120, in step S120, whether the monitoring facilities sample carries out object the second suspicious actions relatively, when monitoring the program sample and carry out relatively the second suspicious actions of object, the object that the determine procedures sample is compared whether with pre-stored blacklist in content matching.
Particularly, the object that the program sample compared is such as being character string, file name etc.When the program sample compared to as if during character string, when whether the monitoring facilities sample carries out the second suspicious actions of object comparison, can monitor the function that each in the program sample is used for execution character string comparing function, with the whether execution character string suspicious operation relatively of determine procedures sample.The common function that is used for execution character string comparing function includes but not limited to minor function: _ strcmpi, _ stricmp, _ wcsicmp, _ mbsicmp, _ stricmp_l, _ wcsicmp_l, _ mbsicmp_l, StrCmp, strcmp, wcscmp, _ mbscmp, _ strnicmp, _ wcsnicmp, _ mbsnicmp, _ strnicmp_l, _ wcsnicmp_l, _ mbsnicmp_l, strncmp, wcsncmp, _ mbsncmp and _ mbsncmp_l.
For the function of above-mentioned execution character string comparing function is monitored, can realize with reference to the hook technology in step S110.for example, after can in step S110, dynamic link library ATPuser DLL being injected into each program sample, when the assigned address of each program sample arranges hook, except the first application programming interfaces and the second application programming interfaces to the program sample arrange respectively hook, each the function setup hook for execution character string comparing function that also further each program sample is comprised, that is to say, the assigned address of mentioning in step S110 further comprises each residing position of function for execution character string comparing function that the program sample comprises.Wherein, for each logic function that is used for the set hook function of the function of execution character string comparing function is: when the program sample runs to the function that this is used for execution character string comparing function, its hook function determine procedures sample has been carried out the character string comparison operation, and the character string that function compared of further determining this execution character string comparing function whether with pre-stored blacklist in content matching.Wherein, pre-stored in blacklist have by the title of object of attack, this by object of attack such as being common antivirus software (as 360tray.exe, ksafetray.exe, mpsvc.exe etc.) and/or game process (as dnf.exe etc.).
When it is determined that the string compared by the program sample matches content in the pre-stored blacklist, step S130 is executed; in step S130 the behavior of the program sample is determined to be a dangerous behavior.
The reasoning is as follows: if the string compared by the program sample matches content in the pre-stored blacklist, for example the sample compares the string 360tray.exe through a string-comparison function, it can be determined that the sample is searching for the 360tray.exe process, and it is therefore likely to carry out a dangerous behavior such as forcibly terminating this antivirus software; the behavior of the program sample can thus be determined to be dangerous.
Optionally, step S140 may follow step S130. In step S140, the name of the program sample and the string it compared are stored, associated with each other, in a preset dangerous-behavior log file.
Specifically, step S140 can be implemented as follows: after the behavior of the program sample is determined to be dangerous, a predetermined event is triggered, and when the event occurs its associated information is transmitted by a preset thread. The information associated with the event includes the name of the program sample and the string the sample compared. The underlying driver then receives this information and records it in the preset dangerous-behavior log file, for example the action.log file, which is dedicated to recording the various behaviors of the system.
In addition, in embodiments of the present invention, after the behavior of the program sample is determined to be dangerous, a prompt box can be shown to the user. The prompt box can display the name of the program sample and/or the name of the string it searched for that matched the blacklist content.
Furthermore, to better distinguish between types of dangerous behavior, the blacklist can be subdivided into blacklists of different types; for example, the names of antivirus software are stored in an antivirus-type blacklist and the names of game processes in a game-process-type blacklist. Correspondingly, when the behavior of the program sample is determined to be dangerous in steps S130 and S140, the type of the dangerous behavior is further determined according to the compared string and the type of the blacklist it matched. For example, if the string compared by the sample matches the antivirus-type blacklist, the behavior is determined to be a dangerous behavior directed at antivirus software; if it matches the game-process-type blacklist, the behavior is determined to be a dangerous behavior directed at a game process.
The above embodiments mainly exploit the behavioral characteristic that a program sample, before carrying out a dangerous behavior, first identifies its attack target through operations such as enumerating system processes and comparing strings. Step S110 above detects the sample's enumeration of system processes, and step S120 detects the string comparison operations it performs. Because string comparison is common in program samples and may appear in many places, monitoring string comparison alone to determine dangerous behavior is prone to false positives. In the present embodiment, therefore, whether the sample performs a string comparison is monitored only on the premise that the sample has enumerated system processes, which avoids false positives where the sample compares strings for a non-malicious purpose. Specifically, in the present embodiment only string comparison operations performed between the first application programming interface and the second application programming interface are monitored. The first and second application programming interfaces represent the interfaces related to the sample's enumeration of system processes; their names and number are therefore not limited to the CreateToolhelp32Snapshot and CloseHandle interfaces described in this embodiment. In other systems, other interfaces may also implement enumeration of system processes, so those skilled in the art can flexibly choose other interfaces to monitor, as long as the purpose of monitoring the process-enumeration behavior is achieved.
Because the embodiment of the present invention does not simply search the binary file of the program sample for the names of attack targets, its accuracy in detecting dangerous behavior is better. Moreover, even if the program sample allocates memory on the "stack" rather than on the "heap", the method of the embodiment still applies.
In addition, to detect the dangerous behavior of a program sample more completely, embodiments of the present invention can further set up a whitelist in which the names of non-attack objects are pre-stored. Non-attack objects are predetermined safe objects, for example those processes among the antivirus software processes and game processes of the above blacklist that have been further determined not to be under attack. Correspondingly, in embodiments of the present invention, when a string comparison by the program sample is observed, the following steps are further performed: determine whether the string compared by the sample matches content in the pre-stored whitelist; when it does not match, determine that the behavior of the program sample is a suspicious behavior. The specific way of determining whether the compared string matches the whitelist can follow the method of step S120 and is not repeated here. After the behavior of the program sample is determined to be suspicious, a prompt box can be shown to the user indicating that the sample compared a string not present in the whitelist, and the user decides whether to close the program sample.
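The following is an added example, not code from the patent or from its assignee: a stand-alone C simulation of the per-sample state that the hook DLL described above would maintain. It covers the string-comparison hook with its typed blacklist, the rule that comparisons are examined only while a process enumeration is in progress, the whitelist fallback, the log record, and the handle list and counter with threshold that the first monitoring module of the device embodiment below uses to decide whether enumeration is in progress. The hook callbacks are ordinary functions fed with constructed events so the example runs without Windows; the names monitor_t, on_snapshot_created, on_handle_closed and on_string_compare, the whitelist entries and the handle values are assumptions for illustration, while the blacklist names (360tray.exe, ksafetray.exe, mpsvc.exe, dnf.exe) are the ones the description gives.

```c
/* Added example (not the patent's own code): a simulation of the monitor
 * state a hook DLL would keep for one program sample. The functions stand in
 * for hook callbacks and are driven by constructed events. monitor_t,
 * on_snapshot_created, on_handle_closed, on_string_compare, the whitelist and
 * the handle values are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HANDLES 64
#define LOG_LEN     256

typedef enum { VERDICT_NONE = 0, VERDICT_SUSPICIOUS, VERDICT_DANGEROUS } verdict_t;
typedef enum { TARGET_NONE = 0, TARGET_ANTIVIRUS, TARGET_GAME } target_type_t;

/* Typed blacklist: names of attack targets, split by type as the description suggests. */
typedef struct { const char *name; target_type_t type; } blacklist_entry_t;
static const blacklist_entry_t BLACKLIST[] = {
    { "360tray.exe",   TARGET_ANTIVIRUS },
    { "ksafetray.exe", TARGET_ANTIVIRUS },
    { "mpsvc.exe",     TARGET_ANTIVIRUS },
    { "dnf.exe",       TARGET_GAME },
};
/* Constructed whitelist of processes a sample may legitimately look for (assumption). */
static const char *WHITELIST[] = { "explorer.exe", "svchost.exe" };

typedef struct {
    const char   *sample_name;
    unsigned long handles[MAX_HANDLES]; /* open snapshot handles; stands in for the linked list */
    int           open_count;           /* the counter; preset initial value zero */
    int           threshold;            /* compares are examined only while open_count > threshold */
    target_type_t last_type;            /* type of the last matched blacklist entry */
    char          last_log[LOG_LEN];    /* the record that would be written to action.log */
} monitor_t;

/* Case-insensitive equality, the behaviour of _stricmp-style comparisons. */
static int ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

void monitor_init(monitor_t *m, const char *sample_name, int threshold) {
    memset(m, 0, sizeof *m);
    m->sample_name = sample_name;
    m->threshold = threshold;
}

/* Hook on the first API (e.g. CreateToolhelp32Snapshot): store the returned handle, increment. */
void on_snapshot_created(monitor_t *m, unsigned long handle) {
    if (m->open_count < MAX_HANDLES) m->handles[m->open_count++] = handle;
}

/* Hook on the second API (e.g. CloseHandle): only a handle recorded by the first hook
 * is removed and decrements the counter. Returns 1 if it was found, 0 otherwise. */
int on_handle_closed(monitor_t *m, unsigned long handle) {
    for (int i = 0; i < m->open_count; i++) {
        if (m->handles[i] == handle) {
            m->handles[i] = m->handles[--m->open_count]; /* unordered removal */
            return 1;
        }
    }
    return 0;
}

/* Hook on a string-comparison function (strcmp, _stricmp, ...): classify the string
 * the sample compared. Blacklist first, then whitelist, else suspicious. */
verdict_t on_string_compare(monitor_t *m, const char *compared) {
    if (m->open_count <= m->threshold) return VERDICT_NONE; /* no enumeration in progress */
    for (size_t i = 0; i < sizeof BLACKLIST / sizeof BLACKLIST[0]; i++) {
        if (ci_equal(compared, BLACKLIST[i].name)) {
            m->last_type = BLACKLIST[i].type;
            snprintf(m->last_log, LOG_LEN, "%s compared %s (%s target)", m->sample_name,
                     compared, BLACKLIST[i].type == TARGET_ANTIVIRUS ? "antivirus" : "game");
            return VERDICT_DANGEROUS;
        }
    }
    for (size_t i = 0; i < sizeof WHITELIST / sizeof WHITELIST[0]; i++)
        if (ci_equal(compared, WHITELIST[i])) return VERDICT_NONE;
    return VERDICT_SUSPICIOUS; /* not in any list: the description prompts the user here */
}

int main(void) {
    monitor_t m;
    monitor_init(&m, "sample.exe", 0);
    on_snapshot_created(&m, 0x1c);                      /* constructed handle value */
    verdict_t v = on_string_compare(&m, "360tray.exe");
    printf("verdict=%d log=\"%s\"\n", v, m.last_log);
    on_handle_closed(&m, 0x1c);
    return 0;
}
```

The gate uses the strict comparison `open_count > threshold`, as the device description states for the second monitoring module; claim 5 words the same test as greater than or equal. With the threshold at zero, a comparison is examined only while at least one snapshot handle recorded by the first hook is still open, which is what the embodiment means by monitoring only between the first and second application programming interfaces.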
An embodiment of the present invention also provides a device 200 for detecting dangerous behavior of a program sample. As shown in Figure 2, the device comprises a first monitoring module 210, a second monitoring module 220 and a match comparison module 230. The first monitoring module 210 monitors whether the program sample has a first suspicious behavior of searching for an attack point. The second monitoring module 220, on the premise that the first monitoring module 210 has detected the first suspicious behavior, monitors whether the program sample performs a second suspicious behavior of object comparison. When the second monitoring module 220 detects that the program sample performs the second suspicious behavior, the match comparison module 230 determines whether the object compared by the sample during the second suspicious behavior matches content in the pre-stored blacklist and, when it does, determines that the behavior of the program sample is a dangerous behavior; the blacklist stores the names of attack targets (for example antivirus software processes and/or game processes).
Optionally, the device further comprises a logging module 240 adapted to store the name of the program sample and the compared object (for example a string), associated with each other, in a preset dangerous-behavior log file when the match comparison module 230 determines that the behavior of the sample is dangerous. Optionally, the device also comprises a program sample acquisition module adapted to obtain program samples in advance by running multiple virtual machines in parallel.
The first monitoring module 210 is further adapted to monitor the first and second application programming interfaces of the program sample respectively, to determine whether the sample enumerates system processes; the first application programming interface enumerates system processes by returning a handle value, and the second application programming interface closes the enumerated system processes by closing the handle value. The first monitoring module 210 further comprises: a first hook module adapted, when the first application programming interface returns a handle value, to store the returned handle value in a linked list and to increment a variable whose preset initial value is zero; and a second hook module adapted, when it determines that the handle value to be closed by the second application programming interface is stored in the linked list, to delete the handle value from the linked list and to decrement the variable. The second monitoring module is further adapted to determine whether the value of the variable is greater than a preset variable threshold: when the result is yes, it monitors whether the program sample performs the second suspicious behavior of object comparison; when the result is no, it does not monitor whether the program sample performs the second suspicious behavior of object comparison.
Optionally, the second monitoring module 220 is further adapted to monitor each function in the program sample that performs an object comparison, to determine whether the sample performs a string comparison operation.
Optionally, when the second monitoring module detects that the program sample performs the second suspicious behavior, the match comparison module 230 is further adapted to determine whether the object compared by the sample matches content in a pre-stored whitelist, in which the names of non-attack objects are pre-stored, and, when the compared object does not match content in the whitelist, to determine that the behavior of the program sample is a suspicious behavior.
The specific implementation details of the first monitoring module 210, the second monitoring module 220 and the match comparison module 230 can be found in the description of the corresponding steps of the method embodiment and are not repeated here.
The method and device for detecting dangerous behavior of a program sample provided by the present invention are designed around the behavioral characteristics a program sample exhibits when carrying out a dangerous behavior. In general these characteristics are: first, the sample searches for an attack point, for example by enumerating system processes; then it performs an object comparison, for example a string comparison, to determine whether the name of the intended attack target exists among the enumerated system processes, and it may launch the attack once it determines that the target exists. Accordingly, the method and device provided by the present invention monitor whether the sample performs a string comparison only on the premise that the monitored sample has enumerated system processes; then, when a string comparison is observed, they further determine whether the compared string matches content in the pre-stored blacklist, thereby identifying the dangerous behavior of the sample. Because the scheme of the present invention identifies a dangerous behavior only when the sample has both enumerated processes and compared a string that matches the blacklist, it solves the problem in the prior art that judging solely from the binary file easily produces false positives and false negatives, and achieves the beneficial effect of identifying dangerous behavior accurately and reliably.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the description above of a specific language is given to disclose the best mode of the invention.
In the specification provided herein, a large number of specific details are described. It will be understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and to aid understanding of one or more of the various inventive aspects, in the description of exemplary embodiments above the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. The claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules of the equipment in an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device according to embodiments of the invention. The invention may also be implemented as an equipment or device program (for example a computer program and a computer program product) for carrying out part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.

Claims (16)

1. A method for detecting dangerous behavior of a program sample, comprising:
detecting whether the program sample has a first suspicious behavior of searching for an attack point, and, on the premise that the first suspicious behavior is detected, monitoring whether the program sample performs a second suspicious behavior of object comparison;
when the second suspicious behavior is detected, determining whether the object compared by the program sample while performing the second suspicious behavior matches content in a pre-stored blacklist, the blacklist pre-storing the names of attack targets;
when the object compared by the program sample matches content in the pre-stored blacklist, determining that the behavior of the program sample is a dangerous behavior.
2. The method of claim 1, further comprising, after the step of determining that the behavior of the program sample is a dangerous behavior:
storing the name of the program sample and the name of the compared object, associated with each other, in a preset dangerous-behavior log file.
3. The method of claim 1 or 2, further comprising: obtaining the program sample in advance by running multiple virtual machines in parallel.
4. The method of any of claims 1-3, wherein the first suspicious behavior is the behavior of enumerating system processes, and the step of detecting whether the program sample has the first suspicious behavior of searching for an attack point further comprises:
monitoring a first application programming interface and a second application programming interface of the program sample respectively, to determine whether the program sample enumerates system processes, wherein the first application programming interface enumerates system processes by returning a handle value, and the second application programming interface closes the enumerated system processes by closing the handle value.
5. The method of claim 4, wherein the step of monitoring the first and second application programming interfaces of the program sample respectively to determine whether the program sample enumerates system processes further comprises:
when the first application programming interface returns a handle value, storing the returned handle value in a linked list, and incrementing a variable whose preset initial value is zero;
when it is determined that the handle value to be closed by the second application programming interface is stored in the linked list, deleting the handle value from the linked list, and decrementing the variable;
and the step of monitoring, on the premise that the first suspicious behavior is detected, whether the program sample performs the second suspicious behavior of object comparison further comprises: determining whether the value of the variable is greater than or equal to a preset variable threshold; when the result is yes, monitoring whether the program sample performs the second suspicious behavior of object comparison; when the result is no, not monitoring whether the program sample performs the second suspicious behavior of object comparison.
6. The method of any of claims 1-5, wherein the step of monitoring whether the program sample performs the second suspicious behavior of object comparison further comprises:
monitoring each function in the program sample that performs an object comparison, to determine whether the program sample performs an object comparison operation.
7. The method of any of claims 1-6, wherein the attack targets pre-stored in the blacklist comprise: preset antivirus software processes and/or game processes.
8. The method of claim 1, wherein, when the second suspicious behavior is detected, the following steps are further performed:
determining whether the object compared by the program sample matches content in a pre-stored whitelist, the whitelist pre-storing the names of non-attack objects;
when the object compared by the program sample does not match content in the pre-stored whitelist, determining that the behavior of the program sample is a suspicious behavior.
9. A device for detecting dangerous behavior of a program sample, comprising:
a first monitoring module adapted to detect whether the program sample has a first suspicious behavior of searching for an attack point;
a second monitoring module adapted, on the premise that the first monitoring module detects the first suspicious behavior, to monitor whether the program sample performs a second suspicious behavior of object comparison;
a match comparison module adapted, when the second monitoring module detects that the program sample performs the second suspicious behavior, to determine whether the object compared by the program sample while performing the second suspicious behavior matches content in a pre-stored blacklist, and, when the object compared by the program sample matches content in the pre-stored blacklist, to determine that the behavior of the program sample is a dangerous behavior; wherein the blacklist pre-stores the names of attack targets.
10. The device of claim 9, further comprising:
a logging module adapted, when the match comparison module determines that the behavior of the program sample is a dangerous behavior, to store the name of the program sample and the name of the compared object, associated with each other, in a preset dangerous-behavior log file.
11. The device of claim 9 or 10, further comprising:
a program sample acquisition module adapted to obtain the program sample in advance by running multiple virtual machines in parallel.
12. The device of any of claims 9-11, wherein the first monitoring module is further adapted to monitor a first application programming interface and a second application programming interface of the program sample respectively, to determine whether the program sample enumerates system processes, wherein the first application programming interface enumerates system processes by returning a handle value, and the second application programming interface closes the enumerated system processes by closing the handle value.
13. The device of claim 12, wherein the first monitoring module further comprises:
a first hook module adapted, when the first application programming interface returns a handle value, to store the returned handle value in a linked list and to increment a variable whose preset initial value is zero;
a second hook module adapted, when it determines that the handle value to be closed by the second application programming interface is stored in the linked list, to delete the handle value from the linked list and to decrement the variable;
and the second monitoring module is further adapted to determine whether the value of the variable is greater than or equal to a preset variable threshold; when the result is yes, to monitor whether the program sample performs the second suspicious behavior of object comparison; when the result is no, not to monitor whether the program sample performs the second suspicious behavior of object comparison.
14. The device of any of claims 9-13, wherein the second monitoring module is further adapted to monitor each function in the program sample that performs an object comparison, to determine whether the program sample performs an object comparison operation.
15. The device of any of claims 9-14, wherein the attack targets pre-stored in the blacklist comprise: antivirus software processes and/or game processes.
16. The device of claim 9, wherein the match comparison module is further adapted, when the second monitoring module detects that the program sample performs the second suspicious behavior, to:
determine whether the object compared by the program sample matches content in a pre-stored whitelist, the whitelist pre-storing the names of non-attack objects;
when the object compared by the program sample does not match content in the pre-stored whitelist, determine that the behavior of the program sample is a suspicious behavior.
CN201310081869.9A 2013-03-14 2013-03-14 Method and device for detecting dangerous behavior of program sample Active CN103116724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310081869.9A CN103116724B (en) 2013-03-14 2013-03-14 Method and device for detecting dangerous behavior of program sample

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310081869.9A CN103116724B (en) 2013-03-14 2013-03-14 Method and device for detecting dangerous behavior of program sample

Publications (2)

Publication Number Publication Date
CN103116724A true CN103116724A (en) 2013-05-22
CN103116724B CN103116724B (en) 2015-08-12

Family

ID=48415097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310081869.9A Active CN103116724B (en) 2013-03-14 2013-03-14 Method and device for detecting dangerous behavior of program sample

Country Status (1)

Country Link
CN (1) CN103116724B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109522714A (en) * 2018-09-05 2019-03-26 航天信息股份有限公司 A kind of method and system that target software is protected based on plug-in securing software
CN109939443A (en) * 2019-03-27 2019-06-28 努比亚技术有限公司 Prevent the method, apparatus, terminal and computer readable storage medium of game cheat
CN111095250A (en) * 2017-05-30 2020-05-01 赛姆普蒂夫技术公司 Real-time detection and protection against malware and steganography in kernel mode

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101034974A (en) * 2007-03-29 2007-09-12 北京启明星辰信息技术有限公司 Associative attack analysis and detection method and device based on the time sequence and event sequence
CN102156834A (en) * 2011-04-18 2011-08-17 北京思创银联科技股份有限公司 Method for realizing program killing prevention
US20120159628A1 (en) * 2010-12-15 2012-06-21 Institute For Information Industry Malware detection apparatus, malware detection method and computer program product thereof

Also Published As

Publication number Publication date
CN103116724B (en) 2015-08-12

Similar Documents

Publication Publication Date Title
Lindorfer et al. Lines of malicious code: Insights into the malicious software industry
US8763128B2 (en) Apparatus and method for detecting malicious files
CN107292169B (en) Threat tracing method and device for malicious software
CN106709325B (en) Method and device for monitoring program
CN107688743B (en) Malicious program detection and analysis method and system
CN102932329A (en) Method and device for intercepting behaviors of program, and client equipment
CN102314561A (en) Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
CN102916937B (en) A kind of method, device and client device tackling web page attacks
CN103077353A (en) Method and device for actively defending rogue program
CN103810428B (en) Method and device for detecting macro virus
CN105897807A (en) Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics
CN103559447B (en) A kind of detection method, checkout gear and detection system based on Virus Sample feature
CN112380542B (en) Internet of things firmware vulnerability mining method and system based on error scene generation
CN103473501A (en) Malware tracking method based on cloud safety
CN103279707A (en) Method, device and system for actively defending against malicious programs
CN104331663A (en) Detection method of web shell and web server
CN102882875A (en) Active defense method and device
CN104462985A (en) Detecting method and device of bat loopholes
CN103116724A (en) Method and device for detecting dangerous behavior of program sample
US10275596B1 (en) Activating malicious actions within electronic documents
CN105205398A (en) Shell checking method based on dynamic behaviors of APK (android package) packing software
CN108229168B (en) Heuristic detection method, system and storage medium for nested files
CN112632538A (en) Android malicious software detection method and system based on mixed features
CN102857519A (en) Active defensive system
CN102945343A (en) Method and device for enumerating system process

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.