CN103294956B - Method and device for performing behavior processing on a Windows platform - Google Patents

Method and device for performing behavior processing on a Windows platform

Info

Publication number
CN103294956B
Authority
CN (China)
Prior art keywords
operating system; vmm; virtual machine; native operating; behavior
Legal status
Active
Application number
CN201310255011.XA
Other languages
Chinese (zh)
Other versions
CN103294956A
Inventors
潘剑锋
李宜檑
Current Assignee
Beijing Hongxiang Technical Service Co Ltd
Original Assignees
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd

Events
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310255011.XA
Publication of CN103294956A
Priority to PCT/CN2014/080579 (published as WO2014206268A1)
Application granted
Publication of CN103294956B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention discloses a method and device for performing behavior processing on a Windows platform. The method is applied to a CPU that supports hardware virtualization and includes: starting the native operating system, performing a hardware virtualization operation on the native operating system, and generating a virtual machine monitor (VMM); placing the native operating system into a guest machine to run, so that the privilege level of the operating system is lower than that of the VMM; and placing the native operating system in a supervised state, using the VMM to monitor the behavior triggered by the at least one CPU, and performing corresponding processing according to the trigger result. Using this method can improve the security of a computer system.

Description

Method and device for performing behavior processing on a Windows platform
Technical field
The present invention relates to the Internet field, and in particular to a method and device for performing behavior processing on a Windows platform.
Background technology
At present, more and more malicious programs (such as computer viruses, backdoor programs, Trojans, spyware and adware) attack users' computers. To protect users' computers from malicious programs, many third-party companies have launched active defense software. Active defense is a real-time protection technology that independently analyzes and judges programs based on their behavior: rather than using signatures as the basis for judging a malicious program, it starts from the most basic definition and uses the behavior of the program directly as the basis for judging whether it is malicious. Active defense software first intercepts the behavior of the malicious program and then performs corresponding processing. Interception of program behavior is the important first step of active defense, and the way many malicious programs resist active defense is also by interfering with or bypassing behavior interception.
At present, on Microsoft's Windows platform, behavior interception, apart from using Microsoft's standard interfaces, mostly requires third-party software to modify (patch) the system kernel. On Microsoft's 32-bit Windows platform, third-party software can modify the operating system by patching it and obtain the operating system kernel code and critical data, so that suspicious programs executing on the operating system can be effectively intercepted.
However, Microsoft introduced into its 64-bit Windows operating systems a kernel protection mechanism that prohibits modification (Patch Guard), which forbids any unauthorized third-party software from patching the operating system kernel code and critical data. Microsoft's purpose in designing Patch Guard is to ensure that the Windows kernel is not attacked by malicious code; the result, however, is also that third-party software cannot monitor the behavior of Windows, so this feature makes protecting the security of Windows computers more difficult.
In the prior art, because Microsoft prohibits third-party software from patching its 64-bit Windows kernel, third-party companies cannot provide complete active defense products on 64-bit Windows platforms, which brings a great potential security risk to users' computer systems.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a device for performing behavior processing on a Windows platform, and a corresponding method for performing behavior processing on a Windows platform, which overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for performing behavior processing on a Windows platform is provided, applied to a CPU that supports hardware virtualization, including:
starting the native operating system, performing a hardware virtualization operation on the native operating system, and generating a virtual machine monitor (VMM);
placing the native operating system into a guest machine to run, so that the privilege level of the operating system is lower than that of the VMM;
placing the native operating system in a supervised state, using the VMM to monitor the behavior triggered by the at least one CPU, and performing corresponding processing according to the trigger result.
Optionally, the VMM is generated by the following steps:
a driver is used to send, to the at least one CPU, an instruction for implementing the VMM;
the at least one CPU performs a hardware virtualization operation on itself according to the instruction, generating the VMM.
Optionally, placing the native operating system in a supervised state includes:
switching the current state of the native operating system from the host state to the guest state, so that the at least one CPU is placed in a supervised state.
Optionally, the method further includes: setting VMM mode for the native operating system.
Optionally, switching the current state of the native operating system from the host state to the guest state includes:
setting the native operating system to run in the non-root virtualization (VMX non-root) mode and, correspondingly,
setting the VMM to run in the root virtualization (VMX root) mode.
Optionally, performing corresponding processing according to the trigger result includes:
when the trigger result is that the behavior triggered by the CPU is an unsafe behavior, using the VMM to intercept that unsafe behavior.
Optionally, after the VMM intercepts the unsafe behavior, the method includes:
looking up the unsafe behavior and its corresponding handling mode in a pre-stored processing list, where the processing list stores at least one unsafe event and the handling mode for that unsafe event;
processing the intercepted unsafe behavior according to the lookup result.
Optionally, processing the intercepted unsafe behavior according to the lookup result includes:
when the unsafe behavior is a read, write or modification operation, using the VMM to return a behavior value determined by the user, where the behavior value differs from the actual value that the read, write or modification operation would obtain.
Optionally, the unsafe behavior includes at least one of the following:
read/write behavior on special registers, malicious read/write behavior on control registers, and malicious behavior that changes control flow.
Optionally, the Windows platform includes 64-bit Windows platforms.
According to another aspect of the present invention, a device for performing behavior processing on a Windows platform is provided, applied to a CPU that supports hardware virtualization, including:
a virtualization module, configured to start the native operating system, perform a hardware virtualization operation on the native operating system, and generate a virtual machine monitor (VMM);
a privilege setting module, configured to place the native operating system into a guest machine to run, so that the privilege level of the operating system is lower than that of the VMM;
a processing module, configured to place the native operating system in a supervised state, use the VMM to monitor the behavior triggered by the at least one CPU, and perform corresponding processing according to the trigger result.
Optionally, the virtualization module is further configured to:
use a driver to send, to the at least one CPU, an instruction for implementing the VMM;
where the at least one CPU performs a hardware virtualization operation on itself according to the instruction, generating the VMM.
Optionally, the processing module is further configured to:
switch the current state of the native operating system from the host state to the guest state, so that the at least one CPU is placed in a supervised state.
Optionally, the processing module is further configured to: set VMM mode for the native operating system.
Optionally, the processing module is further configured to:
set the native operating system to run in the non-root virtualization (VMX non-root) mode and, correspondingly,
set the VMM to run in the root virtualization (VMX root) mode.
Optionally, the processing module is further configured to: when the trigger result is that the behavior triggered by the CPU is an unsafe behavior, use the VMM to intercept that unsafe behavior.
Optionally, the device further includes:
a lookup module, configured to look up the unsafe behavior and its corresponding handling mode in a pre-stored processing list, where the processing list stores at least one unsafe event and the handling mode for that unsafe event;
the processing module is further configured to process the intercepted unsafe behavior according to the lookup result.
Optionally, the processing module is further configured to:
when the unsafe behavior is a read, write or modification operation, use the VMM to return a behavior value determined by the user, where the behavior value differs from the actual value that the read, write or modification operation would obtain.
Optionally, the unsafe behavior includes at least one of the following:
read/write behavior on special registers, malicious read/write behavior on control registers, and malicious behavior that changes control flow.
Optionally, the Windows platform includes 64-bit Windows platforms.
In the embodiments of the present invention, the native operating system is started, the system performs a hardware virtualization operation and generates a VMM, the VMM, whose privilege level is higher than that of the native operating system, monitors at least one CPU, and corresponding processing is performed according to the trigger result. It can be seen that the generated VMM makes it possible to monitor the behavior of Windows. Those skilled in the art can execute third-party software in the VMM, thereby achieving the effect of third-party software patching the Windows platform (in particular 64-bit or even higher-order platforms whose kernel cannot be modified), so that complete active defense products can be provided on 64-bit Windows platforms, the existing potential security risk to users' computer systems is resolved, and security is improved.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the contents of the description, and in order that the above and other objects, features and advantages of the present invention can become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference numerals denote the same components. In the drawings:
Fig. 1 shows a flowchart of a method for performing behavior processing on a Windows platform according to an embodiment of the present invention;
Fig. 2 shows a schematic structural diagram of a device for performing behavior processing on a Windows platform according to an embodiment of the present invention; and
Fig. 3 shows a schematic system architecture diagram for performing behavior processing on a Windows platform according to an embodiment of the present invention.
Detailed description of the invention
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems can also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described herein, and the description given above of a specific language is intended to disclose the best mode of the present invention.
The present invention can be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, and so on.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules can include routines, programs, object programs, components, logic, data structures and so on, which perform specific tasks or implement specific abstract data types. The computer system/server can be implemented in a distributed cloud computing environment, where tasks are performed by remote processing devices connected through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media that include storage devices.
After the Patch Guard mechanism was introduced on 64-bit Windows platforms, any unauthorized third-party software was prohibited from patching the operating system kernel code and critical data. The consequence, however, is that third-party software on the Windows platform cannot effectively monitor operations on the Windows platform, which brings a great potential security risk to users' computer systems.
To solve this technical problem, the embodiments of the present invention adopt a unique technical solution whose main idea is to use the hardware virtualization extension support of the CPU (Central Processing Unit; for example, from Intel or AMD) in order to achieve complete behavior processing on 64-bit or even higher-order Windows platforms. Here, hardware virtualization refers to achieving full virtualization through the support of hardware (mainly the host processor). For example, with the support of Intel VT technology, the execution environments of the guest OS and the VMM are completely isolated from each other, and the guest OS has its own registers and can run directly at the highest level. The solution provided by the embodiments of the present invention can break through the restriction imposed by operating systems such as Microsoft's, and with this method a complete and effective active defense software system can be provided on 64-bit or even higher-order systems.
The main reason for adopting the above idea is that virtualization technology is now widely used, and hardware virtualization can provide an independent operating platform on which the interception and processing of unsafe behavior can be implemented. The specific principle of virtualization technology is as follows:
Virtualization technology allows a physical machine (such as a server, a PC (personal computer), a tablet computer, etc.) to be partitioned or shared so that the underlying hardware of the machine appears as one or more independently operating virtual machines. A virtual machine monitor can run on the computer and present an abstraction of one or more virtual machines to other software. Each virtual machine can serve as a self-contained platform running its own operating system (OS) and/or application software. Software executed in a virtual machine is called guest software. Guest software can expect to behave as if it were running on a dedicated computer rather than on a VM (Virtual Machine); in this situation the VMM and the guest OS share the underlying processor resources. That is, guest software can expect to control various events and to access the hardware resources of the computer (such as the physical machine). The hardware resources of the physical machine can include one or more processors, resources resident on the processors (such as control registers, caches and others), memory (and structures residing in memory, such as descriptor tables), and other resources residing in the physical machine (such as input/output (I/O) devices).
An embodiment of the present invention provides a method for performing behavior processing on a Windows platform, applied to a CPU that supports hardware virtualization. Fig. 1 shows a flowchart of the method for performing behavior processing on a Windows platform according to an embodiment of the present invention, which includes:
Step S102: start the native operating system; this system performs a hardware virtualization operation and generates a VMM (Virtual Machine Monitor);
Here, the native system includes the operating system and the CPU, and also includes application-layer software and so on.
It should be noted that the native operating system runs on the CPUs it manages, and manages and monitors all of the CPUs. At this point, if the native operating system is to be supervised, its privilege level needs to be modified; see step S104 for details.
Step S104: place the native operating system into a guest machine to run, so that the privilege level of the native operating system is lower than that of the generated VMM.
Specifically, the privilege of a driver can be used to perform this step. Since the driver and the native operating system have the same highest privilege, the highest privilege of the driver can be used to make the CPU operate in a mode that supports the virtualization extensions; the native operating system is then in the mode of a managed state, and its privilege level can be lower than that of the VMM. At this point, the CPU can be switched to the guest state of the non-root state, and the Windows execution environment is restored; the switch from the root state to the non-root state takes effect when the environment is restored.
Step S106: place this system in a supervised state, use the generated VMM to monitor the behavior triggered by at least one CPU, and perform corresponding processing according to the trigger result.
Since the native operating system is in the mode of a managed state, it is equivalent to running in a guest machine; the VMM is still on the local machine and can monitor the behavior triggered by the CPU, and then performs the subsequent operation processing.
It is worth explaining here that the step of performing corresponding processing according to the trigger result specifically includes: first judging the nature of the behavior triggered by the CPU, that is, whether the triggered behavior is safe behavior, and then performing different, differentiated processing for safe behavior and unsafe behavior. This embodiment focuses on the processing of unsafe behavior: to ensure that the terminal and the software running on it are not harmed by the unsafe behavior, the VMM can be used to intercept the unsafe behavior, and the intercepted behavior is then processed according to the pre-stored behavior handling mode.
In the embodiments of the present invention, the native operating system is started, the system performs a hardware virtualization operation and generates a VMM, the VMM, whose privilege level is higher than that of the native operating system, monitors at least one CPU, and corresponding processing is performed according to the trigger result. It can be seen that the generated VMM makes it possible to monitor the behavior of Windows. Third-party software can be executed in the VMM, thereby achieving the effect of third-party software patching the Windows platform (in particular 64-bit or even higher-order platforms whose kernel cannot be modified), so that complete active defense products can be provided on 64-bit Windows platforms, the existing potential security risk to users' computer systems is resolved, and security is improved.
Considering that different computer systems differ in function, performance, capability, hardware or software configuration, the means of implementing the behavior processing method on different Windows platforms also differ. Take the x86 processor as an example. The x86 processor has 4 privilege levels, Ring0 to Ring3; only when running at Ring0 to Ring2 can the processor access privileged resources or execute privileged instructions, and when running at Ring0 the processor can access all privileged modes. Operating systems on the x86 platform generally use only the two levels Ring0 and Ring3: the operating system is at Ring0 and user processes run at Ring3. To satisfy the first sufficient condition above, resource control, the VMM itself has to run at Ring0; at the same time, to prevent the guest OS from controlling system resources, the guest OS has to lower its own run level and run at Ring1 or Ring3 (Ring2 is not used).
This is only an illustration and places no restriction on the behavior processing method itself that the embodiments of the present invention provide on different Windows platforms.
When step S102 is executed, a driver can be used to send an instruction for implementing the VMM to at least one CPU; in order to implement the VMM, the instruction carries the corresponding code. After the at least one CPU receives the instruction, it parses it and obtains the specific code. Each CPU then executes the code, performing the hardware virtualization operation on itself and generating the VMM.
To achieve the purpose mentioned in step S106 of placing at least one CPU in a supervised state, the embodiment of the present invention preferably switches the current state of the CPU from the host state to the guest state, placing the at least one CPU in a supervised state. With the CPU in the supervised state, the native operating system is further set to VMM mode. At this point, with reference to the privilege levels mentioned in step S104, the privilege of the VMM can be higher than that of the native operating system, so the VMM can be used to monitor the at least one CPU.
There can be multiple ways of switching the current state of the CPU; VMX non-root is only intended as an example. For instance, for Intel CPU types, at least one CPU can be set to run in non-root virtualization (VMX non-root) mode and, correspondingly, the VMM set to run in root virtualization (VMX root) mode. The CPU and the VMM are placed in different modes, and the mode of the VMM is of a higher class than the mode of the CPU. For other CPU types, the corresponding mode of that CPU can also be selected, so that the VMM is set to run in a virtualization mode; for example, for AMD there is the corresponding AMD-V (Virtualization) mode on the x86 platform.
There are multiple possible trigger results: for example, the behavior triggered by the CPU being an unsafe behavior is one result, the behavior triggered by the CPU being some particular process or behavior is another, the behavior triggered by the CPU being a safe behavior is yet another, and so on. Each trigger result is different, and the corresponding processing is also different. For example, if the trigger result shows that the behavior triggered by the CPU is a safe behavior, that safe behavior can simply be passed through. As another example, when the trigger result shows that the behavior triggered by the CPU is an unsafe behavior, the VMM can be used to intercept that unsafe behavior.
After the VMM intercepts the unsafe behavior, the intercepted unsafe behavior needs to be processed. The embodiment of the present invention provides a pre-stored processing list, which stores at least one unsafe event and the handling mode for that unsafe event. Any unsafe event may have one handling mode or several handling modes; in addition, several unsafe events may have the same handling mode. That is, the correspondence between unsafe events and their handling modes may be one-to-one, one-to-many or many-to-one. After the unsafe behavior and its corresponding handling mode are found in the pre-stored processing list, the intercepted unsafe behavior is processed according to the lookup result.
Now take the case where the unsafe behavior is a read, write or modification operation as an example: a malicious program attempts to read, write or modify stored data, and at this point the local machine can use the VMM to return a behavior value determined by the user, where the behavior value differs from the actual value that the read, write or modification operation would obtain. Since the behavior value returned by the VMM is not the actual value, what the malicious program reads, or prepares to write or modify, is a false value. The malicious program's subsequent attack is directed at the false value and has no effect on the actual value, thereby improving the security and stability of the computer system.
The unsafe behavior mentioned above can be any behavior that produces adverse consequences for the computer system (including the combination of operating system, computer software and computer hardware). The embodiments of the present invention enumerate it as, for example, read/write behavior on special registers, malicious read/write behavior on control registers, malicious behavior that changes control flow, and so on.
The various unsafe behaviors are now described specifically. The various unsafe events (collectively referred to as sensitive behaviors) include but are not limited to:
1. Read/write behavior on the special registers (MSRs, model-specific registers) of each mode. For example, if the VMM has modified an MSR protected by PatchGuard, such as LSTAR, the operating system's access to that register needs to be intercepted so as to keep it consistent and prevent a blue screen. PatchGuard is a new security layer added in Windows Vista; it can effectively prevent kernel-mode drivers from changing or replacing any content of the Windows kernel, so that third-party software can no longer add any "patch" to the Windows Vista kernel.
2. Read/write behavior on the various control registers. This can capture the behavior of some malicious kernel modules: many of the ways of modifying system kernel code first clear the WP (write-protect) guard bit of the CR0 register.
3. Behavior controlled through the guest page tables: by intercepting page faults set on a page, the control flow during execution of guest code is changed and controlled.
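The following C program is an added illustration of the VMM-side handling described in the list above and in the earlier processing-list paragraph; it is not code from the patent or from its assignee. It simulates in user space what the patent says the VMM does at a VM exit: the sensitive event (an MSR read or write, a CR0 write, an execution fault on a guest code page) is looked up in a pre-stored processing list, a shadowed MSR read returns the value the guest expects rather than the value actually installed, a write that would clear CR0.WP is refused, and an execution fault is only recorded. The event and action names, the `process_list` contents, the `guest_state` structure and all sample values are assumptions made for this example; only the LSTAR MSR address and the CR0.WP bit position are real architectural constants. No virtualization instructions are executed, so the program runs on any host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed event kinds and handling modes (assumed names, not the patent's). */
enum event_kind { EV_MSR_READ, EV_MSR_WRITE, EV_CR0_WRITE, EV_CODE_PAGE_EXEC };
enum action     { ACT_PASS, ACT_SHADOW, ACT_BLOCK, ACT_LOG };

#define MSR_LSTAR 0xC0000082ULL   /* IA32_LSTAR: 64-bit syscall entry MSR */
#define CR0_WP    (1ULL << 16)    /* CR0.WP: supervisor write-protect bit */

struct sensitive_event { enum event_kind kind; uint64_t id; enum action act; };

/* Pre-stored processing list (constructed). Two MSR events share one handling
 * mode, which is the many-to-one relation the text allows. */
static const struct sensitive_event process_list[] = {
    { EV_MSR_READ,       MSR_LSTAR, ACT_SHADOW },
    { EV_MSR_WRITE,      MSR_LSTAR, ACT_SHADOW },
    { EV_CR0_WRITE,      0,         ACT_BLOCK  },
    { EV_CODE_PAGE_EXEC, 0,         ACT_LOG    },
};

struct guest_state {
    uint64_t lstar_real;    /* value the VMM actually installed in the MSR */
    uint64_t lstar_shadow;  /* value the guest OS (and PatchGuard) expects */
    uint64_t cr0;           /* guest-visible CR0 */
    unsigned logged;        /* events that were only recorded */
};

struct exit_result { enum action act; uint64_t value; };

/* Look an event up; an event absent from the list is passed through unchanged. */
enum action lookup_action(enum event_kind kind, uint64_t id)
{
    size_t n = sizeof process_list / sizeof process_list[0];
    for (size_t i = 0; i < n; i++)
        if (process_list[i].kind == kind && process_list[i].id == id)
            return process_list[i].act;
    return ACT_PASS;
}

/* RDMSR exit: a shadowed MSR returns the expected value, not the installed one,
 * so the guest's consistency checks keep passing. */
struct exit_result handle_msr_read(struct guest_state *g, uint64_t msr)
{
    struct exit_result r = { lookup_action(EV_MSR_READ, msr), 0 };
    if (msr == MSR_LSTAR)
        r.value = (r.act == ACT_SHADOW) ? g->lstar_shadow : g->lstar_real;
    return r;
}

/* WRMSR exit: a shadowed MSR write updates only the shadow copy; the installed
 * value is untouched, so the guest's write has no effect on the real entry. */
struct exit_result handle_msr_write(struct guest_state *g, uint64_t msr, uint64_t v)
{
    struct exit_result r = { lookup_action(EV_MSR_WRITE, msr), v };
    if (msr == MSR_LSTAR) {
        if (r.act == ACT_SHADOW) g->lstar_shadow = v;
        else                     g->lstar_real = v;
    }
    return r;
}

/* MOV-to-CR0 exit: clearing WP is the sensitive case; other changes pass. */
struct exit_result handle_cr0_write(struct guest_state *g, uint64_t new_cr0)
{
    struct exit_result r = { ACT_PASS, new_cr0 };
    bool clears_wp = (g->cr0 & CR0_WP) && !(new_cr0 & CR0_WP);
    if (clears_wp && lookup_action(EV_CR0_WRITE, 0) == ACT_BLOCK) {
        r.act = ACT_BLOCK;
        r.value = g->cr0;          /* guest CR0 is left as it was */
        return r;
    }
    g->cr0 = new_cr0;
    return r;
}

/* Execution fault on a guest code page: recorded, execution continues. */
struct exit_result handle_code_page_exec(struct guest_state *g, uint64_t gva)
{
    struct exit_result r = { lookup_action(EV_CODE_PAGE_EXEC, 0), gva };
    if (r.act == ACT_LOG) g->logged++;
    return r;
}

/* Runs the constructed scenario end to end; returns how many expected
 * outcomes held (5 when every handler behaves as described above). */
int run_scenario(void)
{
    /* VMM installed 0x2000 as the real entry; the guest expects 0x1000. */
    struct guest_state g = { 0x2000, 0x1000, CR0_WP, 0 };
    int ok = 0;
    ok += handle_msr_read(&g, MSR_LSTAR).value == 0x1000;
    ok += handle_msr_write(&g, MSR_LSTAR, 0x3000).act == ACT_SHADOW
          && g.lstar_real == 0x2000 && g.lstar_shadow == 0x3000;
    ok += handle_cr0_write(&g, g.cr0 & ~CR0_WP).act == ACT_BLOCK && (g.cr0 & CR0_WP);
    ok += handle_cr0_write(&g, g.cr0 | 1).act == ACT_PASS && (g.cr0 & 1);
    ok += handle_code_page_exec(&g, 0x7FF0).act == ACT_LOG && g.logged == 1;
    return ok;
}

int main(void)
{
    printf("%d of 5 expected outcomes held\n", run_scenario());
    return 0;
}
```

The design point worth noticing is that the processing list decides the handling mode, while the handler decides whether the event is actually the unsafe case: a CR0 write that keeps WP set is passed through even though CR0 writes are listed, which is what keeps the supervised system running normally for the large majority of exits.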
The above method is applicable to Windows platforms, and especially to 64-bit or even higher-order Windows platforms; the specific reasons are given above and are not repeated here. Since CPUs of the x86 and x86-64 architectures do not satisfy the definition of an efficient VMM in the Popek and Goldberg theorem, Intel and AMD have each designed a set of hardware virtualization extension support for their own CPUs, namely Intel-VT and AMD-V, so as to improve the processor and accelerate virtualization. It should be noted that this case only takes the Windows system as an example; the method can also be applied to other systems such as Unix systems, and the application process can refer to that for the Windows system.
Further, the above method can provide an interface for upper-layer drivers, so that, by means of virtualization on the basis of a 64-bit Windows platform, the operating system is placed in the state of a guest machine (guest software) and the operating system is completely monitored. In both the user-mode part and the kernel-mode part, a complete set of operation call libraries for the related events can be provided to the caller; using this call library, the corresponding callback results can be returned to the requester. This call library is what is called an interface, also referred to as a function; specifically it is the general term for the functional interfaces or services that a system provides externally. Because the privilege level of the operating system is lowered, this method can be applied in technical fields such as active defense and Trojan attack and defense: it can not only use Microsoft's standardized callback interfaces to protect file, registry, process and thread objects, but can also provide protection against window message attacks, attacks using inter-process communication mechanisms such as RPC (Remote Procedure Call), and so on, and can further implement functions such as keyboard protection that exist on many 32-bit Windows platforms.
Further, the embodiments of the present invention can complete the interception of behaviors and events that previously could not be achieved on 64-bit or even higher-order Windows systems, and can significantly strengthen active defense software or other security software that needs behavior and event interception capability on 64-bit or even higher-order Windows systems, so that a complete and effective active defense software system can be provided on 64-bit or even higher-order systems.
In summary, the embodiments of the present invention provide a new operating mode in which the VMM is in an unrestricted operating mode while the guest operating system at ring 0 and the guest application software at ring 3 all operate in a restricted operating mode, so that the sensitive behaviors and events of the guest operating system or guest application software can all be perceived and intercepted by the VMM. Using the method provided by the embodiments of the present invention, behaviors and events that traditional approaches (such as inline hooks, Inline HOOK) cannot intercept or can intercept only with difficulty can be intercepted; for example, system service calls (which is not permitted on x64 systems) and page exception modes can be intercepted. Moreover, the supervised guest operating system and guest applications cannot perceive or interfere with the supervision, so active defense software that coexists with PatchGuard, or other security software that needs behavior and event interception capability on 64-bit Windows systems, can be greatly enhanced.
The method now provided the embodiment of the present invention with specific embodiment is described in detail.
Embodiment one
In the present embodiment, the CPU is extended by means of hardware virtualization; the whole operating system to be monitored is placed in a lower-privilege guest state, while the monitor runs in a higher-privilege environment.
After the driver loads, an instruction containing code is sent to each CPU; each CPU switches its state from the current host state to the guest state, so that it is placed in the monitored state.
When a certain CPU triggers a concerned event (such as a sensitive behavior or instruction) or operation, for example a read, write or modification operation, the triggered event can be returned to the virtual machine monitor (located outside the host), and at this time the user can change its behavior. For example, after the user monitors an operation that reads a register, its behavior can be monitored and a behavior value confirmed by the user is returned (for example, the content read from memory, i.e. the value of the register read or written); this behavior value is different from the value actually read, so that monitoring and takeover of the operating system is achieved. At this point the user can modify the data, and a scan by the system cannot obtain the real result.
In practice, part of the code can be placed in the guest operating system and cooperate with the VMM part of the code. The VMM can either process some interception results by itself, or transfer control flow to the cooperating part in the guest, which actually processes the interception result and then, as needed, resumes execution of the guest code at the correct location.
Based on the same inventive concept, the embodiment of the present invention also provides a device for behavior processing on a Windows platform, applied to a CPU supporting hardware virtualization. Fig. 2 shows a structural diagram of a device for behavior processing on a Windows platform according to an embodiment of the invention. The device shown in Fig. 2 is capable of implementing the method for behavior processing on a Windows platform provided by any of the above preferred embodiments or a combination thereof. Referring to Fig. 2, the device at least includes:
A virtualization module 210, configured to start the native operating system and have the native operating system perform a hardware virtualization operation to generate a VMM;
A permission setting module 220, coupled to the virtualization module 210, configured to place the native operating system in a guest to run, so that the privilege of the operating system is lower than the privilege of the VMM;
A processing module 230, coupled to the permission setting module 220, configured to place the native operating system in the monitored state, use the VMM to monitor the behavior triggered by at least one CPU, and carry out corresponding processing according to the triggering result.
In a preferred embodiment, the virtualization module 210 is further configured to:
Use a driver to send an instruction for implementing the VMM to the at least one CPU, the instruction carrying the corresponding code;
wherein the at least one CPU itself performs the hardware virtualization operation according to the code and generates the VMM.
In a preferred embodiment, the processing module 230 is further configured to:
Switch the current state of the native operating system from the host state to the guest state, placing the at least one CPU in the monitored state.
In a preferred embodiment, the processing module 230 is further configured to:
Set the VMM mode for the native operating system.
In a preferred embodiment, the processing module 230 is further configured to:
Set the at least one CPU to run in the non-root virtualization mode (VMX non-root), and correspondingly,
Set the VMM to run in the root virtualization mode (VMX root).
In a preferred embodiment, the processing module 230 is further configured to:
When the triggering result is that the behavior triggered by the CPU is an unsafe behavior, use the VMM to intercept the unsafe behavior.
In a preferred embodiment, referring to Fig. 2, the device may also include:
A lookup module 240, coupled to the processing module 230, configured to look up the unsafe behavior and its corresponding processing mode in a pre-stored processing list, wherein the processing list stores at least one unsafe event and the processing mode for that unsafe event;
At this time, the processing module 230 is further configured to process the intercepted unsafe behavior according to the lookup result.
In a preferred embodiment, the processing module 230 is further configured to:
When the unsafe behavior is a read, write or modification operation, use the VMM to return a behavior value determined by the user, wherein the behavior value is different from the actual value obtained from the read, write or modification operation.
In a preferred embodiment, the unsafe behaviors include at least one of the following:
read or write behavior on special registers, malicious read or write behavior on control registers, and malicious behavior that changes the control flow.
In a preferred embodiment, the Windows platform includes a 64-bit Windows platform.
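As an added example (not the patent's own code), the following C model shows how the processing of Embodiment one and the lookup module 240 fit together: a VM exit carrying a triggered behavior is looked up in a pre-stored processing list and is either passed through, blocked, or answered with a user-determined behavior value that differs from the actual value. The event kinds, register numbers, list contents and result structure are all constructed stand-ins for what a real VMM would read from the VMCS.

```c
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <stddef.h>

/* Kinds of guest behaviour that cause a VM exit to the VMM (constructed). */
typedef enum { EV_MSR_READ, EV_MSR_WRITE, EV_CR_WRITE, EV_CONTROL_FLOW } event_kind;

/* Processing modes stored in the pre-stored processing list (constructed). */
typedef enum { MODE_PASS, MODE_BLOCK, MODE_SUBSTITUTE } proc_mode;

/* One entry of the lookup module's processing list: unsafe event -> mode. */
typedef struct {
    event_kind kind;
    uint32_t   target;      /* register number; constructed sample values */
    proc_mode  mode;
    uint64_t   substitute;  /* user-determined value for MODE_SUBSTITUTE */
} list_entry;

/* Constructed sample list. A real deployment would fill it from policy. */
static const list_entry process_list[] = {
    { EV_MSR_READ,     0x1000, MODE_SUBSTITUTE, 0xDEADBEEFULL }, /* hide real content */
    { EV_MSR_WRITE,    0x1000, MODE_BLOCK,      0 },             /* discard the write */
    { EV_CR_WRITE,     0,      MODE_BLOCK,      0 },             /* CR0 write */
    { EV_CONTROL_FLOW, 0,      MODE_BLOCK,      0 },             /* e.g. hooked IDT entry */
};
#define LIST_LEN (sizeof process_list / sizeof process_list[0])

/* What the CPU hands to the VMM on exit (a stand-in for VMCS fields). */
typedef struct { event_kind kind; uint32_t target; uint64_t actual; } vm_exit;

/* What the VMM hands back before resuming the guest. */
typedef struct {
    proc_mode mode;
    uint64_t  value;         /* value the guest observes */
    int       skip_insn;     /* 1: advance RIP past the intercepted instruction */
} exit_result;

/* Lookup module: find the entry for this event, or NULL if it is not listed. */
static const list_entry *lookup(const vm_exit *e) {
    for (size_t i = 0; i < LIST_LEN; i++)
        if (process_list[i].kind == e->kind && process_list[i].target == e->target)
            return &process_list[i];
    return NULL;
}

/* Processing module: decide the handling for one triggered behaviour. */
exit_result handle_vm_exit(const vm_exit *e) {
    const list_entry *le = lookup(e);
    exit_result r = { MODE_PASS, e->actual, 0 };   /* not listed: let it proceed */
    if (le == NULL)
        return r;
    r.mode = le->mode;
    switch (le->mode) {
    case MODE_SUBSTITUTE:        /* behaviour value differs from the real value */
        r.value = le->substitute;
        r.skip_insn = 1;         /* VMM completed the instruction on the guest's behalf */
        break;
    case MODE_BLOCK:             /* operation never reaches the hardware */
        r.value = 0;
        r.skip_insn = 1;
        break;
    case MODE_PASS:
        break;
    }
    return r;
}

/* Scalar helpers so callers can query one decision at a time. */
proc_mode decided_mode(event_kind k, uint32_t target, uint64_t actual) {
    vm_exit e = { k, target, actual };
    return handle_vm_exit(&e).mode;
}
uint64_t observed_value(event_kind k, uint32_t target, uint64_t actual) {
    vm_exit e = { k, target, actual };
    return handle_vm_exit(&e).value;
}

int main(void) {
    static const char *names[] = { "PASS", "BLOCK", "SUBSTITUTE" };
    vm_exit sample[] = {
        { EV_MSR_READ, 0x1000, 0x1234 },     /* listed: guest sees 0xDEADBEEF */
        { EV_MSR_READ, 0x2000, 0x5678 },     /* not listed: guest sees 0x5678 */
        { EV_CR_WRITE, 0,      0x80050033 }  /* listed: the write is blocked */
    };
    for (size_t i = 0; i < 3; i++) {
        exit_result r = handle_vm_exit(&sample[i]);
        printf("event %d target %#x -> %s, value %#" PRIx64 "\n",
               (int)sample[i].kind, sample[i].target, names[r.mode], r.value);
    }
    return 0;
}
```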
Based on the same inventive concept, the embodiment of the present invention also provides a system for behavior processing on a Windows platform. Fig. 3 shows a schematic architecture of a system for behavior processing on a Windows platform according to an embodiment of the invention. In Fig. 3, multiple guest machines in the system can be converted into Virtual Guests by the virtualization operation; the Virtual Host (which may also be termed the virtual machine monitor, VMM) can monitor the various behaviors triggered in the Virtual Guests and then carry out corresponding processing.
The system provided by the embodiment of the present invention can support the method and related device for behavior processing on a Windows platform provided by any of the above embodiments or a combination thereof.
The method and device provided by the embodiments of the present invention can achieve the following beneficial effects:
In the embodiments of the present invention, the native operating system is started, the system performs a hardware virtualization operation and generates a VMM, and the VMM, whose privilege is higher than that of the native operating system, monitors at least one CPU and carries out corresponding processing according to the triggering result. It can thus be seen that the generated VMM can be used to monitor the behavior of Windows; those skilled in the art can run third-party software in the VMM, thereby using third-party software to patch the Windows platform (in particular 64-bit or higher platforms whose kernel cannot be modified), so that a complete active-defense product can be provided on 64-bit Windows platforms, resolving existing security risks for the user's system and improving security. In practice, the present invention can be applied to numerous security products (for example, the System First Aid Kit, the Trojan cloud scanning engine and the host defense system of "360 Safeguard").
Many specific details are set out in the description provided herein. It should be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all the features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all the features disclosed in this specification (including the accompanying claims, abstract and drawings) and all the processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include some but not other features included in other embodiments, combinations of the features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention can be implemented in hardware, in software modules running on one or more processing modules, or in a combination thereof. Those skilled in the art will understand that a microprocessor module or a digital signal processing module (DSP) can be used in practice to implement some or all of the functions of some or all of the components of a device according to embodiments of the invention. The invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third, etc. does not indicate any order. These words can be interpreted as names.

Claims (20)

1. A behavior processing method on a Windows platform, applied to a CPU supporting hardware virtualization, comprising:
starting a native operating system, and having the native operating system perform a hardware virtualization operation to generate a virtual machine monitor (VMM);
placing the native operating system in a guest to run, so that the privilege of the native operating system is lower than the privilege of the VMM;
placing the native operating system in a monitored state, using the VMM to monitor the behavior triggered by at least one CPU, and carrying out corresponding processing according to the triggering result;
in the user-mode part and the kernel-mode part, providing a caller with a complete set of operation call libraries for the relevant events, and using the operation call libraries to return the corresponding callback results to the caller.
2. The method according to claim 1, wherein the VMM is generated by the following steps:
using a driver to send an instruction for implementing the VMM to the at least one CPU;
wherein the at least one CPU itself performs the hardware virtualization operation according to the instruction and generates the VMM.
3. The method according to claim 1 or 2, wherein placing the native operating system in the monitored state comprises:
switching the current state of the native operating system from the host state to the guest state, and placing the at least one CPU in the monitored state.
4. The method according to claim 3, further comprising: setting the VMM mode for the native operating system.
5. The method according to claim 3, wherein switching the current state of the native operating system from the host state to the guest state comprises:
setting the native operating system to run in the non-root virtualization mode (VMX non-root), and correspondingly,
setting the VMM to run in the root virtualization mode (VMX root).
6. The method according to claim 1, wherein carrying out corresponding processing according to the triggering result comprises:
when the triggering result is that the behavior triggered by the at least one CPU is an unsafe behavior, using the VMM to intercept the unsafe behavior.
7. The method according to claim 6, wherein after using the VMM to intercept the unsafe behavior, the method comprises:
looking up the unsafe behavior and its corresponding processing mode in a pre-stored processing list, wherein the processing list stores at least one unsafe event and the processing mode for that unsafe event;
processing the intercepted unsafe behavior according to the lookup result.
8. The method according to claim 7, wherein processing the intercepted unsafe behavior according to the lookup result comprises:
when the unsafe behavior is a read, write or modification operation, using the VMM to return a behavior value determined by the user, wherein the behavior value is different from the actual value obtained by the read, write or modification operation.
9. The method according to any one of claims 6 to 8, wherein the unsafe behavior includes at least one of the following:
read or write behavior on special registers, malicious read or write behavior on control registers, and malicious behavior that changes the control flow.
10. The method according to claim 1, wherein the Windows platform includes a 64-bit Windows platform.
11. A behavior processing device on a Windows platform, applied to a CPU supporting hardware virtualization, comprising:
a virtualization module, configured to start a native operating system and have the native operating system perform a hardware virtualization operation to generate a virtual machine monitor (VMM);
a permission setting module, configured to place the native operating system in a guest to run, so that the privilege of the native operating system is lower than the privilege of the VMM;
a processing module, configured to place the native operating system in a monitored state, use the VMM to monitor the behavior triggered by at least one CPU, and carry out corresponding processing according to the triggering result;
an operation call library, configured to provide a caller, in the user-mode part and the kernel-mode part, with a complete set of relevant events, and to return the corresponding callback results to the caller.
12. The device according to claim 11, wherein the virtualization module is further configured to:
use a driver to send an instruction for implementing the VMM to the at least one CPU;
wherein the at least one CPU itself performs the hardware virtualization operation according to the instruction and generates the VMM.
13. The device according to claim 11 or 12, wherein the processing module is further configured to:
switch the current state of the native operating system from the host state to the guest state, and place the at least one CPU in the monitored state.
14. The device according to claim 13, wherein the processing module is further configured to: set the VMM mode for the native operating system.
15. The device according to claim 13, wherein the processing module is further configured to:
set the native operating system to run in the non-root virtualization mode (VMX non-root), and correspondingly,
set the VMM to run in the root virtualization mode (VMX root).
16. The device according to claim 11, wherein the processing module is further configured to: when the triggering result is that the behavior triggered by the at least one CPU is an unsafe behavior, use the VMM to intercept the unsafe behavior.
17. The device according to claim 16, further comprising:
a lookup module, configured to look up the unsafe behavior and its corresponding processing mode in a pre-stored processing list, wherein the processing list stores at least one unsafe event and the processing mode for that unsafe event;
the processing module being further configured to process the intercepted unsafe behavior according to the lookup result.
18. The device according to claim 17, wherein the processing module is further configured to:
when the unsafe behavior is a read, write or modification operation, use the VMM to return a behavior value determined by the user, wherein the behavior value is different from the actual value obtained by the read, write or modification operation.
19. The device according to any one of claims 16 to 18, wherein the unsafe behavior includes at least one of the following:
read or write behavior on special registers, malicious read or write behavior on control registers, and malicious behavior that changes the control flow.
20. The device according to claim 11, wherein the Windows platform includes a 64-bit Windows platform.
CN201310255011.XA 2013-06-25 2013-06-25 Behavior processing method and device on a Windows platform Active CN103294956B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310255011.XA CN103294956B (en) 2013-06-25 2013-06-25 Behavior processing method and device on a Windows platform
PCT/CN2014/080579 WO2014206268A1 (en) 2013-06-25 2014-06-24 Action processing method and device on windows platform

Publications (2)

Publication Number Publication Date
CN103294956A CN103294956A (en) 2013-09-11
CN103294956B true CN103294956B (en) 2016-08-24

Family

ID=49095798

Country Status (2)

Country Link
CN (1) CN103294956B (en)
WO (1) WO2014206268A1 (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220725
Address after: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin
Patentee after: 3600 Technology Group Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Qizhi software (Beijing) Co.,Ltd.
TR01 Transfer of patent right
Effective date of registration: 20230713
Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015
Patentee after: Beijing Hongxiang Technical Service Co.,Ltd.
Address before: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin
Patentee before: 3600 Technology Group Co.,Ltd.