CN103544090B - virtual machine process monitoring method and device - Google Patents


Info

Publication number: CN103544090B
Application number: CN201310485094.1A
Authority: CN (China)
Prior art keywords: virtual machine, type, data structure, data block, process information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN103544090A
Inventors: 李博, 李楠, 崔磊, 李建欣, 邰振赢
Current assignee: Beihang University
Original assignee: Beihang University
Events: application filed by Beihang University; priority to CN201310485094.1A; publication of CN103544090A; application granted; publication of CN103544090B


Abstract

The invention provides a virtual machine process monitoring method and device. The method comprises: obtaining the operating system type of a virtual machine; determining, according to the operating system type, the kernel data structure offset array corresponding to that operating system type, where the kernel data structure offset array comprises the process linked-list data structure of the virtual machine corresponding to the operating system type and the offset of the process information of each process within the structure corresponding to that process; determining, according to the process linked-list data structure, the virtual address of the structure corresponding to each process in the virtual machine corresponding to the operating system type; and determining the process information of each process in that virtual machine according to the virtual address of the structure corresponding to each process and the offset of the process information within that structure. This solves the problem in the prior art that multiple virtual machines installed with different operating systems on one host are difficult to monitor simultaneously, which reduces monitoring efficiency.

Description

Virtual machine process monitoring method and device
Technical field
The present invention relates to the field of computer technology, and in particular to a virtual machine process monitoring method and device.
Background technology
In the prior art, the processes of the virtual machines on a host are monitored by installing a monitoring program in the virtual machine monitor on the host.
However, because different types of operating systems have different semantics, the monitoring program in the virtual machine monitor can only interpret the semantics of one operating system, and therefore can only obtain the processes of multiple virtual machines installed with the same operating system. Multiple virtual machines installed with different operating systems on one host are difficult to monitor simultaneously, which reduces monitoring efficiency.
Summary of the invention
The invention provides a virtual machine process monitoring method and device, to solve the problem in the prior art that multiple virtual machines installed with different operating systems on one host are difficult to monitor simultaneously, which reduces monitoring efficiency.
A first aspect of the present invention provides a virtual machine process monitoring method, comprising:
obtaining the operating system type of a virtual machine;
according to the operating system type, querying a preset kernel data structure offset set and determining the kernel data structure offset array corresponding to the operating system type, where the kernel data structure offset array comprises: the process linked-list data structure of the virtual machine corresponding to the operating system type, and the offset of the process information of each process within the structure corresponding to that process in the virtual machine corresponding to the operating system type;
determining, according to the process linked-list data structure, the virtual address of the structure corresponding to each process in the virtual machine corresponding to the operating system type;
obtaining the process information of each process in the virtual machine corresponding to the operating system type according to the virtual address of the structure corresponding to each process and the offset of the process information within that structure.
Another aspect of the present invention provides a virtual machine process monitoring device, comprising:
an acquisition module, for obtaining the operating system type of a virtual machine;
a determination module, for querying, according to the operating system type, a preset kernel data structure offset set and determining the kernel data structure offset array corresponding to the operating system type, where the kernel data structure offset array comprises: the process linked-list data structure of the virtual machine corresponding to the operating system type, and the offset of the process information of each process within the structure corresponding to that process in the virtual machine corresponding to the operating system type;
the determination module is further for determining, according to the process linked-list data structure, the virtual address of the structure corresponding to each process in the virtual machine corresponding to the operating system type;
the acquisition module is further for obtaining the process information of each process in the virtual machine corresponding to the operating system type according to the virtual address of the structure corresponding to each process and the offset of the process information within that structure.
The present invention obtains the operating system type of the virtual machine, determines the kernel data structure offset array corresponding to that operating system type, and obtains the process information of each process in the virtual machine according to the offset array, so that multiple virtual machines installed with different operating systems on one host can be monitored simultaneously, improving monitoring efficiency.
Accompanying drawing explanation
Fig. 1 is a flow chart of an embodiment of the virtual machine process monitoring method provided by the invention;
Fig. 2 is a flow chart of another embodiment of the virtual machine process monitoring method provided by the invention;
Fig. 3 is a schematic workflow diagram of saving, in the structure corresponding to the process to be terminated, a termination instruction for that process;
Fig. 4 is a flow chart of another embodiment of the virtual machine process monitoring method provided by the invention;
Fig. 5 is a schematic structural diagram of an embodiment of the virtual machine process monitoring device provided by the invention.
Embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of an embodiment of the virtual machine process monitoring method provided by the invention; as shown in Fig. 1, the method comprises:
101, obtaining the operating system type of the virtual machine.
The executing agent of the present invention is a virtual machine process monitoring device, which may be located in the virtual machine monitor (Virtual Machine Monitor) on the host, for example in the KVM (Kernel-based Virtual Machine) or Xen virtual machine monitor. The virtual machine monitor may sit between the virtual machine operating system and the host.
For a virtual machine that is already running on this host, or that has just migrated to this host from another host, the monitoring device can obtain the base value of the interrupt descriptor table (Interrupt Descriptor Table, IDT) register. For a virtual machine being started on this host, since start-up takes a certain amount of time, the monitoring device reads the limit value of the IDT register each time the CR3 control register is switched; a limit value of 0xff indicates that initialization of the IDT register is complete, and the monitoring device can then obtain the base value of the IDT register. After obtaining the IDT register base value of the virtual machine, the monitoring device can determine the operating system type of the virtual machine from that base value.
The monitoring device can create a virtual machine image with the operating system installed, start the virtual machine with the -monitor stdio option of the qemu-system-x86_64 command, and execute the info registers command at the console on standard input/output to obtain the base value of the IDT register.
102, according to the operating system type, querying a preset kernel data structure offset set and determining the kernel data structure offset array corresponding to the operating system type, where the kernel data structure offset array comprises: the process linked-list data structure of the virtual machine corresponding to the operating system type, and the offset of the process information of each process within the structure corresponding to that process.
Before the monitoring device queries the preset kernel data structure offset set according to the operating system type and determines the corresponding offset array, it also needs to create the kernel data structure offset set, which comprises the operating system type of each virtual machine supported by the host and the kernel data structure offset array corresponding to each such operating system type.
When the operating system type of the virtual machine is Windows XP, Windows 7 or a similar operating system, the process by which the monitoring device creates the kernel data structure offset array in the kernel data structure offset set may specifically be as follows: the monitoring device takes the base value of the IDT register as the first element of the kernel data structure offset array corresponding to the operating system type; it can also use the dt command in WinDbg to obtain the offsets of the process identifier (UniqueProcessID), process name (ImageFileName), process linked-list data structure (ActiveProcessLinks) and DirectoryTableBase in the EPROCESS structure, the offset of ApcState in the KTHREAD structure and the offset of Process in the ApcState structure, and takes the offsets of UniqueProcessID, ImageFileName, ActiveProcessLinks and DirectoryTableBase in the EPROCESS structure, the offset of ApcState in the KTHREAD structure and the offset of Process in the ApcState structure, in a fixed order, as the elements of the kernel data structure offset array corresponding to the operating system type. The KTHREAD structure is located in the CurrentProcess of the PrcbData variable of the Windows kernel data structure processor control region (KPCR) structure. UniqueProcessID, ImageFileName, ActiveProcessLinks, DirectoryTableBase, ApcState and Process are parameters that the process information of a virtual machine supporting Windows XP, Windows 7 or a similar operating system can comprise.
Correspondingly, when the monitoring device determines from the IDT register base value that the operating system type of the virtual machine is Windows XP, Windows 7 or a similar operating system, it can query the preset kernel data structure offset set using the IDT register base value and determine the kernel data structure offset array corresponding to the operating system type.
When the operating system type of the virtual machine is Debian, Ubuntu, Fedora, CentOS or another operating system supported by a Linux virtual machine, the process by which the monitoring device creates the kernel data structure offset array in the kernel data structure offset set may specifically be as follows: the monitoring device executes the instruction x/2x IDTR.base+0x400 to obtain the 0x80 interrupt descriptor, i.e. the system call table entry address, and takes the system call table entry address as the first element of the kernel data structure offset array corresponding to the operating system type; a kernel module tool is installed inside the virtual machine and used to obtain the offsets of the process identifier (pid), process name (comm), memory structure (mm_struct), process linked-list data structure (tasks) and pending signals (pending_signal) in the task_struct structure, and the offsets of the page directory address (pgd) and code start address (start_code) in the mm_struct structure; the offsets of pid, comm, mm_struct, tasks and pending_signal in the task_struct structure and the offsets of pgd and start_code in the mm_struct structure are then taken, in a fixed order, as the elements of the kernel data structure offset array corresponding to the operating system type. pid, comm, mm_struct, tasks, pending_signal, pgd and start_code are parameters that the process information of a virtual machine supporting Debian, Ubuntu, Fedora, CentOS or a similar operating system can comprise.
Correspondingly, when the monitoring device determines from the IDT register base value that the operating system type of the virtual machine is Debian, Ubuntu, Fedora, CentOS or another operating system supported by a Linux virtual machine, it can execute the instruction x/2x IDTR.base+0x400 to obtain the 0x80 interrupt descriptor, i.e. the system call table entry address, query the preset kernel data structure offset set using the system call table entry address, and determine the kernel data structure offset array corresponding to the operating system type.
103, determining, according to the process linked-list data structure, the virtual address of the structure corresponding to each process in the virtual machine corresponding to the operating system type.
Before step 103, the method may further comprise: obtaining the virtual address of the structure corresponding to the process currently running in the virtual machine corresponding to the operating system type. Correspondingly, step 103 may specifically be: querying the process linked-list data structure starting from the virtual address of the structure corresponding to the running process, and determining the virtual addresses of the structures corresponding to the other processes in the virtual machine corresponding to the operating system type.
Specifically, when a process switch occurs inside the virtual machine, the state of the virtual machine is stored in the virtual machine control structure (Virtual Machine Control Structure, VMCS) maintained by the virtual machine monitor, so the monitoring device can obtain from the VMCS maintained by the virtual machine monitor the virtual address of the structure corresponding to the process that was running inside the virtual machine before the process switch.
104, obtaining the process information of each process in the virtual machine corresponding to the operating system type according to the virtual address of the structure corresponding to each process and the offset of the process information within that structure.
Further, after step 104, the method may also comprise: creating a data structure corresponding to the virtual machine of the operating system type, the data structure comprising: the operating system type, the kernel data structure offset array corresponding to the operating system type, and the process linked-list data structure of the virtual machine corresponding to the operating system type.
For example, the monitoring device can create a data structure vm_info corresponding to the virtual machine. If the operating system type of the virtual machine is Windows XP, Windows 7 or the like, the monitoring device also needs to write the kernel-mode value of the FS register into the fs_base variable of the vm_info structure. In addition, the vm_info structure may contain a pointer to the next vm_info structure.
Further, the process of determining the process information of each process in step 104 may specifically be as follows: the monitoring device first determines the process information of the running process from the virtual address of the structure corresponding to the running process and the offset of the process information within that structure; it then queries the process linked-list data structure from the virtual address of the structure corresponding to the running process to obtain the virtual address of the structure corresponding to the next process, and obtains the process information of the next process in the same way as for the running process.
For example, for a Linux virtual machine supporting Debian, Ubuntu, Fedora, CentOS or a similar operating system, the specific steps by which the monitoring device obtains the process information may be: when the Linux virtual machine attempts to modify the CR3 control register, execution control is handed over to the virtual machine monitor; the monitoring device obtains the value of the ESP register and ANDs it with 0xFFFFE000 to obtain the virtual address of the task_struct structure corresponding to the process currently running in the Linux virtual machine; combining the virtual address of the task_struct structure with the kernel data structure offset array in the vm_info structure corresponding to the virtual machine, it reads the process information of the running process, such as pid, comm and pending_signal; taking the running process as the starting process, it reads the process linked-list data structure in the task_struct structure to obtain the process information of the next process, and continues in this way until the next process points back to the running process, thereby obtaining the process information of all processes inside the virtual machine.
As another example, for a Windows virtual machine supporting Windows XP, Windows 7 or a similar operating system, the specific steps by which the monitoring device obtains the process information may be: when the Windows virtual machine attempts to modify the CR3 control register, execution control is handed over to the monitoring device, which obtains the address of the Windows kernel data structure KPCR from the fs_base in the vm_info structure; it obtains the KTHREAD structure address from CurrentProcess in the PrcbData variable (of type KPRCB) of the KPCR structure, and the EPROCESS structure of the running process from the Process pointer in the ApcState variable (of type KAPC_STATE) of the KTHREAD structure. Combining the EPROCESS structure with the kernel data structure offset array in the vm_info structure corresponding to the virtual machine, it reads process information such as the process identifier and process name; taking the running process as the starting process, it reads the ActiveProcessLinks process linked-list data structure in the EPROCESS structure to obtain the information of the next process, and continues in this way until the next process points back to the current process, thereby obtaining the process information of all processes inside the virtual machine.
In this embodiment, the operating system type of the virtual machine is obtained, the kernel data structure offset array corresponding to that operating system type is determined, and the process information of each process in the virtual machine is obtained according to the offset array, so that multiple virtual machines installed with different operating systems on one host can be monitored simultaneously, improving monitoring efficiency.
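Steps 101 to 104, with the Linux and Windows walks described above, as an added example that is not part of the patent: a single list walk driven by a per-OS offset array, run over two constructed guest memory images. The field offsets, IDT base values, pids and names are constructed for the example; the patent populates the real tables with WinDbg dt or an in-guest kernel module, and the pointer adjustment when following the list is the part the description leaves implicit.

```python
"""Offset-driven process-list walk over a guest memory image (added example)."""
import struct

PTR = struct.Struct("<I")  # 32-bit little-endian integers/pointers (x86 guest)

# Kernel data structure offset arrays, one per guest OS type.  The offsets are
# CONSTRUCTED for the toy images built below; a real table is populated with
# WinDbg `dt` or an in-guest kernel module, as the description explains.
OFFSET_SETS = {
    "linux":   {"pid": 0x10, "name": 0x20, "name_len": 16, "links": 0x40},
    "windows": {"pid": 0x84, "name": 0x16C, "name_len": 15, "links": 0x88},
}

# CONSTRUCTED IDT-base -> OS-type table (real values come from `info registers`).
IDT_BASE_TO_OS = {0xC0700000: "linux", 0x80B95400: "windows"}


class GuestMemory:
    """Flat byte image standing in for guest virtual memory.  It is identity-
    mapped here; a VMM would translate each read through the guest page tables."""

    def __init__(self, size):
        self.mem = bytearray(size)

    def read(self, addr, n):
        # Refuse pointers that leave the mapped image instead of faulting later.
        if addr < 0 or addr + n > len(self.mem):
            raise ValueError(f"guest address 0x{addr:x} outside mapped memory")
        return bytes(self.mem[addr:addr + n])

    def read_u32(self, addr):
        return PTR.unpack(self.read(addr, 4))[0]

    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data

    def write_u32(self, addr, val):
        self.write(addr, PTR.pack(val))


def detect_os_type(idt_base):
    """Step 101: map the guest's IDT register base value to an OS type."""
    try:
        return IDT_BASE_TO_OS[idt_base]
    except KeyError:
        raise LookupError(f"unknown guest: IDT base 0x{idt_base:x}") from None


def walk_process_list(mem, offsets, running_struct, max_procs=4096):
    """Steps 103-104: from the structure of the running process, follow the
    process linked list until it returns to the start, reading the pid and
    name of every process through the offset array."""
    links = offsets["links"]
    procs, addr = [], running_struct
    for _ in range(max_procs):
        pid = mem.read_u32(addr + offsets["pid"])
        raw = mem.read(addr + offsets["name"], offsets["name_len"])
        procs.append((addr, pid, raw.split(b"\0", 1)[0].decode("ascii", "replace")))
        # tasks.next / ActiveProcessLinks.Flink point at the *links field* of the
        # next structure, so subtract the field offset to get its base address.
        nxt = mem.read_u32(addr + links) - links
        if nxt == running_struct:
            return procs
        addr = nxt
    raise RuntimeError("process list did not close within bound: corrupted?")


def build_guest(os_type, entries, base=0x1000, stride=0x200):
    """CONSTRUCTED guest image: lay out `entries` [(pid, name), ...] as a
    circular doubly linked list using the field layout of `os_type`."""
    off = OFFSET_SETS[os_type]
    mem = GuestMemory(base + stride * (len(entries) + 1))
    addrs = [base + i * stride for i in range(len(entries))]
    for i, (a, (pid, name)) in enumerate(zip(addrs, entries)):
        mem.write_u32(a + off["pid"], pid)
        mem.write(a + off["name"], name.encode()[:off["name_len"]].ljust(off["name_len"], b"\0"))
        nxt, prv = addrs[(i + 1) % len(addrs)], addrs[i - 1]
        mem.write_u32(a + off["links"], nxt + off["links"])      # next / Flink
        mem.write_u32(a + off["links"] + 4, prv + off["links"])  # prev / Blink
    return mem, addrs


def monitor_guest(idt_base, mem, running_struct):
    """Whole pipeline for one guest: OS type -> offset array -> process list."""
    os_type = detect_os_type(idt_base)
    return os_type, walk_process_list(mem, OFFSET_SETS[os_type], running_struct)


if __name__ == "__main__":
    lin_mem, lin_addrs = build_guest("linux", [(1, "init"), (212, "sshd"), (980, "nginx")])
    win_mem, win_addrs = build_guest("windows", [(4, "System"), (512, "lsass.exe"), (1300, "explorer.exe")])
    # The running process handed over by the VMM is not necessarily the list head.
    for idt, mem, cur in ((0xC0700000, lin_mem, lin_addrs[1]), (0x80B95400, win_mem, win_addrs[2])):
        os_type, procs = monitor_guest(idt, mem, cur)
        print(os_type, [(pid, name) for _, pid, name in procs])
```

The bounded loop and the range check on every read matter in practice: a guest whose list pointers have been tampered with must make the monitor fail closed rather than read arbitrary host memory or spin forever.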
Fig. 2 is a flow chart of another embodiment of the virtual machine process monitoring method provided by the invention. As shown in Fig. 2, on the basis of the embodiment shown in Fig. 1, the process information of each process in the virtual machine corresponding to the operating system type may comprise the process identifier of each process. To ensure that the monitoring device can terminate the processes in the virtual machine that need to be terminated, after step 104 the method may also comprise:
105, obtaining the process identifier of the process to be terminated.
The process to be terminated can be set in advance by the user according to the security of each process in the virtual machine corresponding to the operating system type.
106, terminating the process to be terminated according to its process identifier.
Specifically, step 106 may be: obtaining, according to the process identifier of the process to be terminated, the virtual address of the structure corresponding to that process; and, according to that virtual address, saving in the structure corresponding to the process to be terminated a termination instruction for that process, so that the virtual machine corresponding to the operating system type executes the termination instruction.
For example, for a Linux virtual machine supporting Debian, Ubuntu, Fedora, CentOS or a similar operating system, the workflow by which the monitoring device saves, according to the virtual address of the structure corresponding to the process to be terminated, a termination instruction in that structure is shown in Fig. 3 and may specifically be: (1) add the option -monitor pty > monitorFile 2>&1 when starting the virtual machine, redirecting the QEMU Monitor console to the file monitorFile; (2) write the termination command kill X (X is the process identifier of the process to be terminated) to monitorFile; after QMP (QEMU Monitor Protocol) parses the termination command, send the command via ioctl to the process control module in the virtual machine monitor; (3) after receiving the command, the process control module finds the vm_info structure of the virtual machine according to the uuid of the virtual machine, and, via the process linked-list data structure in the vm_info structure, finds the proc_identity structure corresponding to the process to be terminated, which holds the virtual address of that process's task_struct structure; (4) combining the pending_signal offset in the kernel data structure offset array with the virtual address of the task_struct structure, at the virtual machine monitor layer set the SIGKILL signal with value 0x100 in pending_signal, set the flags in the thread structure to 1UL<<2, and set the preempt_count in the thread structure to 0x0. The virtual machine then terminates the process to be terminated when it finds the SIGKILL signal carried in the pending_signal of the task_struct structure, the flags in the thread structure equal to 1UL<<2, and the preempt_count in the thread structure equal to 0x0.
In this embodiment, the operating system type of the virtual machine is obtained, the kernel data structure offset array corresponding to that operating system type is determined, the process information of each process in the virtual machine is obtained according to the offset array, and the process to be terminated is terminated, so that multiple virtual machines installed with different operating systems on one host can be monitored simultaneously, improving monitoring efficiency.
Fig. 4 is a flow chart of another embodiment of the virtual machine process monitoring method provided by the invention. As shown in Fig. 4, on the basis of the embodiment shown in Fig. 1, in order to ensure that the monitoring device can stop a process's operation on a target data block when that operation exceeds the access rights of the target data block, after step 104 the method may also comprise:
107, obtaining the block number of the target data block of the process running in the virtual machine corresponding to the operating system type.
The storage of the virtual machine comprises at least one block group, each block group comprises at least one data block, and each data block consists of at least one sector. While the virtual machine is running, the monitoring device can monitor and intercept the I/O operations in the virtual machine in real time, and obtain the block number of the target data block of the running process.
108, when the target data block is in a preset protected data block set, judging whether the running process is a suspicious process.
A suspicious process is a process in the virtual machine that has, or may have, a security problem; suspicious processes can be set in advance by the virtual machine monitor or the user after the process information of all processes in the virtual machine has been obtained.
109, when the running process is a suspicious process, judging whether the running process's operation on the target data block exceeds the access rights of the target data block.
The access rights of each data block in the virtual machine can be set in advance by the virtual machine monitor or the user. For example, when the access rights of the target data block are set to read-only by the virtual machine monitor, a write operation by the running process on the target data block exceeds the access rights of the target data block. As another example, when the access rights of the target data block are set by the virtual machine monitor so that no operation is permitted, a read or write operation by the running process on the target data block exceeds the access rights of the target data block.
110, when the running process's operation on the target data block exceeds the access rights of the target data block, stopping the running process's operation on the target data block.
Here, the way the monitoring device stops the running process's operation on the target data block is similar to the way the process to be terminated is terminated in Embodiment 2, and is not repeated.
Further, before step 107, the method may also comprise: creating a configuration file corresponding to the virtual machine, the configuration file comprising the protected files and the access rights of the protected files; determining the data blocks corresponding to the protected files in the virtual machine corresponding to the operating system type; defining those data blocks as protected data blocks; defining the access rights of a protected file as the access rights of the protected data blocks corresponding to that file; and saving the protected data blocks and their access rights in the protected data block set.
The configuration file is a specific set of files configured by the user. In the configuration file, the access rights of a specific file are either read-only or neither readable nor writable. The former allows a suspicious process only to read the specific file; the latter does not allow a suspicious process to perform any operation on it. The detailed process by which the monitoring device creates the configuration file corresponding to a virtual machine may be: set up a directory for every virtual machine image file on the host for which the monitoring device is enabled; in each directory, create a configuration file for the user's sensitive files, into which the user writes the files that need to be protected. In addition, before the virtual machine is started, if the user's sensitive files have changed, the monitoring device can also modify the configuration file to specify the set of files to protect when the virtual machine is started this time.
Further, the detailed process by which the monitoring device determines the data blocks corresponding to the protected files in the virtual machine corresponding to the operating system type may be: (1) mount the virtual machine image file on the host and obtain the inode number corresponding to the filename of each file in the virtual machine image file. (2) When starting the virtual machine, analyse the relevant information of the file system of the virtual machine image file, including the block size, inode size, number of block groups, etc. (3) Compute the address of the inode corresponding to each file by the formulas in Table 1, where bg_num is the block group containing the inode, inode_offset is the position of the inode within the inode table, and inode_addr is the block number of the inode in the virtual machine image file, i.e. the address of the structure corresponding to the inode. (4) After obtaining the inode structure of the file, bytes 41 to 100 record the data blocks occupied by the file corresponding to this inode. If the file system of the virtual machine image file is EXT2 or EXT3, bytes 41 to 88 of the inode structure are 12 direct block pointers, every four bytes holding the number of a data block storing file data; bytes 89 to 92 are the "single indirect block pointer", i.e. these four bytes hold a block number, and every four bytes in the block with that number hold the number of a data block storing file data; by analogy, bytes 93 to 96 are the "double indirect block pointer" and bytes 97 to 100 the "triple indirect block pointer". If the file system of the virtual machine image file is EXT4, the extent structure in the inode structure must be analysed to obtain all block numbers occupied by the file.
Table 1 inode address computation formulas
bg_num = (inode - 1) / inodes_per_group
inode_offset = (inode - 1) % inodes_per_group
inode_addr = gdt[bg_num](bytes 9~12) * block_size + inode_offset * inode_size
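The block derivation of steps (1) to (4) and Table 1, followed by the read-only / no-access check from the configuration file, as an added example (not code from the patent) run against a constructed ext2-style image; the layout constants, the image contents, and the function names are assumptions made for the demo, and file names are taken as already resolved to inode numbers.

```python
"""Added example, not code from the patent.

Applies the Table 1 formulas to a constructed ext2-style image, reads bytes
41..100 of the inode (the 15 block pointers), expands direct and single
indirect pointers into the data block set of a protected file, and applies
the read-only / no-access right from the configuration file to an operation.
Layout constants and the image are constructed; double and triple indirect
pointers are reported rather than followed.
"""
import struct

BLOCK_SIZE = 1024       # constructed: 1 KiB blocks
INODE_SIZE = 128        # constructed: classic ext2 inode size
INODES_PER_GROUP = 8    # constructed: tiny, so the demo image stays small
GDT_BLOCK = 2           # constructed: block holding the group descriptor table
GD_SIZE = 32            # size of one ext2 group descriptor
READ_ONLY, NO_ACCESS = "read-only", "no-access"   # the two rights the config file allows


def table1(inode_no, inode_table_block):
    """Table 1: block group, offset within the inode table, byte address of the inode."""
    bg_num = (inode_no - 1) // INODES_PER_GROUP
    inode_offset = (inode_no - 1) % INODES_PER_GROUP
    inode_addr = inode_table_block * BLOCK_SIZE + inode_offset * INODE_SIZE
    return bg_num, inode_offset, inode_addr


def group_inode_table(img, bg_num):
    """gdt[bg_num] bytes 9~12 (1-based): block number of that group's inode table."""
    off = GDT_BLOCK * BLOCK_SIZE + bg_num * GD_SIZE + 8
    return struct.unpack_from("<I", img, off)[0]


def file_blocks(img, inode_no):
    """Return (data_blocks, unresolved_pointers) for the file owned by inode_no."""
    bg_num = (inode_no - 1) // INODES_PER_GROUP
    _, _, addr = table1(inode_no, group_inode_table(img, bg_num))
    ptrs = struct.unpack_from("<15I", img, addr + 40)      # bytes 41..100 of the inode
    blocks = [b for b in ptrs[:12] if b]                  # 12 direct block pointers
    if ptrs[12]:                                          # single indirect block pointer
        fmt = "<%dI" % (BLOCK_SIZE // 4)
        entries = struct.unpack_from(fmt, img, ptrs[12] * BLOCK_SIZE)
        blocks.extend(b for b in entries if b)
    unresolved = [p for p in ptrs[13:] if p]              # double / triple indirect
    return blocks, unresolved


def build_protected_set(img, config):
    """config maps inode number -> access right (file names were already resolved
    to inode numbers by mounting the image, as the text describes)."""
    protected = {}
    for inode_no, access in config.items():
        blocks, unresolved = file_blocks(img, inode_no)
        if unresolved:
            raise ValueError("inode %d uses multi-level indirection" % inode_no)
        for b in blocks:
            protected[b] = access
    return protected


def exceeds_rights(protected, block, op, suspicious):
    """True when a suspicious process's op ('read' or 'write') on block must be stopped.
    Non-protected blocks and non-suspicious processes are never stopped."""
    if block not in protected or not suspicious:
        return False
    return protected[block] == NO_ACCESS or op == "write"


def make_demo_image():
    """Constructed image: group 1's inode table is in block 6; inode 12 owns direct
    blocks 20..31 and, through indirect block 40, data blocks 41 and 42."""
    img = bytearray(64 * BLOCK_SIZE)
    struct.pack_into("<I", img, GDT_BLOCK * BLOCK_SIZE + 0 * GD_SIZE + 8, 5)   # group 0
    struct.pack_into("<I", img, GDT_BLOCK * BLOCK_SIZE + 1 * GD_SIZE + 8, 6)   # group 1
    _, _, addr = table1(12, 6)
    struct.pack_into("<15I", img, addr + 40, *(list(range(20, 32)) + [40, 0, 0]))
    struct.pack_into("<2I", img, 40 * BLOCK_SIZE, 41, 42)
    return img


if __name__ == "__main__":
    image = make_demo_image()
    prot = build_protected_set(image, {12: READ_ONLY})
    print(sorted(prot))                                   # blocks 20..31, 41, 42
    print(exceeds_rights(prot, 41, "write", True))        # True: read-only file
```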
In addition, the virtual machine process monitoring device can also create a log file when the virtual machine is created and started, and a run-time log file, to record the running status of the virtual machine.
In the present embodiment, the OS Type of the virtual machine is obtained, the kernel data structure offset array corresponding to the OS Type is determined according to the OS Type of the virtual machine, the process information of each process in the virtual machine is obtained according to the kernel data structure offset array, the block number of the data block to be operated on by the running process in the virtual machine is obtained, and when the running process's operation on the data block to be operated on exceeds the access rights of that data block, the running process's operation on it is terminated; thus multiple virtual machines with different operating systems on the host can be monitored simultaneously, improving monitoring efficiency.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by program instructions controlling the relevant hardware. The program can be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disk, optical disk and other media that can store program code.
Fig. 5 is a schematic structural diagram of an embodiment of a virtual machine process monitoring device provided by the invention; as shown in Fig. 5, it comprises:
an acquisition module 51 for obtaining the OS Type of a virtual machine;
a determination module 52 for querying a preset kernel data structure offset set according to the OS Type and determining the kernel data structure offset array corresponding to the OS Type, the kernel data structure offset array comprising: the process linked list data structure of the virtual machine corresponding to the OS Type, and the offset of the process information of each process within the structure corresponding to each process in the virtual machine corresponding to the OS Type;
the determination module 52 is also used to determine, according to the process linked list data structure, the virtual address of the structure corresponding to each process in the virtual machine corresponding to the OS Type;
the acquisition module 51 is also used to obtain the process information of each process in the virtual machine corresponding to the OS Type according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process.
Further, the virtual machine process monitoring device can also comprise a creation module. The creation module is used to create the kernel data structure offset set before the acquisition module 51 obtains the OS Type of the virtual machine; the kernel data structure offset set comprises the OS Type of each virtual machine supported by the host and the kernel data structure offset array corresponding to the OS Type of each virtual machine.
Further, the acquisition module 51 is also used to obtain the virtual address of the structure corresponding to the running process in the virtual machine corresponding to the OS Type, before the determination module 52 determines, according to the process linked list data structure, the virtual address of the structure corresponding to each process in that virtual machine.
Correspondingly, when the determination module 52 determines, according to the process linked list data structure of the virtual machine, the virtual address of the structure corresponding to each process in the virtual machine corresponding to the OS Type, the determination module 52 is specifically used to query the process linked list data structure according to the virtual address of the structure corresponding to the running process, and to determine the virtual addresses of the structures corresponding to the other processes in that virtual machine besides the running process.
Still further, the creation module is also used to create the data structure corresponding to the virtual machine corresponding to the OS Type, after the acquisition module 51 has obtained the process information of each process in that virtual machine according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process; the data structure comprises: the OS Type of the virtual machine, the kernel data structure offset array corresponding to the OS Type, and the process linked list data structure of the virtual machine corresponding to the OS Type.
In the present embodiment, the OS Type of the virtual machine is obtained, the kernel data structure offset array corresponding to the OS Type is determined according to the OS Type of the virtual machine, and the process information of each process in the virtual machine is obtained according to the kernel data structure offset array; thus multiple virtual machines with different operating systems on the host can be monitored simultaneously, improving monitoring efficiency.
On the basis of the above embodiment, the process information of each process of the virtual machine corresponding to the OS Type can comprise the process identification number of each process. To ensure that the virtual machine process monitoring device can terminate a process in the virtual machine that needs to be terminated, the virtual machine process monitoring device can also comprise a termination module;
the acquisition module 51 is also used to obtain the process identification number of the process to be terminated, after it has obtained the process information of each process in the virtual machine according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process;
the termination module is used to terminate the process to be terminated according to the process identification number of the process to be terminated.
Here, the termination module can specifically be used to obtain, according to the process identification number of the process to be terminated, the virtual address of the structure corresponding to the process to be terminated, and, according to that virtual address, to store in the structure corresponding to the process to be terminated a termination process instruction that terminates the process to be terminated, so that the virtual machine corresponding to the OS Type executes the termination process instruction.
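The offset-array-driven list walk of the determination and acquisition modules, the per-VM record of the creation module, and the termination module's write into the target process structure, as an added example (not code from the patent). Guest memory is modelled as a bytearray indexed directly by "virtual address", the two OS layouts, all offsets, the termination flag byte and the function names are constructed assumptions; a real monitor would translate guest addresses through the hypervisor.

```python
"""Added example, not code from the patent.

Walks a guest's process linked list from the host using a per-OS-type offset
array, builds the per-VM record, and marks one process for termination by
writing into its structure. Guest memory is a bytearray indexed directly by
"virtual address" (constructed). Both OS layouts and all offsets are
constructed to show why the offset array must be selected by OS type.
"""
import struct

STRUCT_SIZE = 64   # constructed: every process structure fits in 64 bytes

# Constructed kernel data structure offset arrays keyed by OS type. "next" is
# the link to the next process; "link_to_link" says whether that pointer
# targets the link field itself (list_head style) or the structure start.
OFFSET_SET = {
    "os-A": {"next": 0, "link_to_link": True, "pid": 16, "name": 24, "name_len": 16, "kill": 40},
    "os-B": {"next": 8, "link_to_link": False, "pid": 0, "name": 32, "name_len": 16, "kill": 48},
}


def read_process(mem, off, base):
    """Process information of one process, (pid, name), read via the offset array."""
    pid = struct.unpack_from("<I", mem, base + off["pid"])[0]
    raw = bytes(mem[base + off["name"]: base + off["name"] + off["name_len"]])
    return pid, raw.split(b"\0", 1)[0].decode()


def walk_process_list(mem, os_type, running_addr):
    """Start at the running process's structure and follow links until the list
    closes on it. Returns {pid: (struct_addr, name)}. A list that loops elsewhere
    or points outside guest memory is rejected instead of being followed."""
    off = OFFSET_SET[os_type]
    procs, seen, addr = {}, set(), running_addr
    while addr not in seen:
        seen.add(addr)
        pid, name = read_process(mem, off, addr)
        procs[pid] = (addr, name)
        nxt = struct.unpack_from("<Q", mem, addr + off["next"])[0]
        if off["link_to_link"]:
            nxt -= off["next"]          # pointer hits the link field; recover structure start
        if nxt + STRUCT_SIZE > len(mem):
            raise ValueError("link 0x%x leaves guest memory" % nxt)
        addr = nxt
    if addr != running_addr:
        raise ValueError("process list does not close on the running process")
    return procs


def create_vm_record(os_type, running_addr):
    """The per-VM data structure the creation module keeps: OS type, its offset
    array, and the list address the walk starts from."""
    return {"os_type": os_type, "offsets": OFFSET_SET[os_type], "list_head": running_addr}


def mark_for_termination(mem, vm, procs, pid):
    """Store a termination instruction (constructed here as a flag byte) in the
    structure of the process with this pid; False if the pid is unknown."""
    if pid not in procs:
        return False
    addr, _ = procs[pid]
    mem[addr + vm["offsets"]["kill"]] = 1
    return True


def build_guest(os_type, entries, base=0x1000):
    """Constructed guest memory holding a circular process list laid out per os_type."""
    off = OFFSET_SET[os_type]
    mem = bytearray(base + STRUCT_SIZE * len(entries))
    for i, (pid, name) in enumerate(entries):
        here = base + i * STRUCT_SIZE
        nxt = base + ((i + 1) % len(entries)) * STRUCT_SIZE
        struct.pack_into("<I", mem, here + off["pid"], pid)
        mem[here + off["name"]: here + off["name"] + len(name)] = name.encode()
        link = nxt + (off["next"] if off["link_to_link"] else 0)
        struct.pack_into("<Q", mem, here + off["next"], link)
    return mem


if __name__ == "__main__":
    guest = build_guest("os-A", [(1, "init"), (2, "kthreadd"), (42, "sshd")])
    vm = create_vm_record("os-A", 0x1080)           # running process is sshd
    found = walk_process_list(guest, vm["os_type"], vm["list_head"])
    print(found)
    print(mark_for_termination(guest, vm, found, 42))   # True
```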
On the basis of the above embodiment, to ensure that the virtual machine process monitoring device can terminate a process when the process's operation on the data block to be operated on exceeds the access rights of that data block, the virtual machine process monitoring device can also comprise a judgement module;
the acquisition module 51 is also used to obtain the block number of the data block to be operated on by the running process in the virtual machine corresponding to the OS Type, after it has obtained the process information of each process in that virtual machine according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process;
the judgement module is used to judge whether the running process is a suspicious process when the data block to be operated on exists in the preset protected data block set,
and, when the running process is a suspicious process, to judge whether the running process's operation on the data block to be operated on exceeds the access rights of the data block to be operated on;
the termination module is used to terminate the running process's operation on the data block to be operated on when that operation exceeds the access rights of the data block to be operated on.
Here, before the acquisition module 51 obtains the block number of the data block to be operated on by the running process in the virtual machine corresponding to the OS Type, the creation module also needs to create the configuration file corresponding to the virtual machine; the configuration file comprises the protected files and the access rights of the protected files. The determination module 52 is also used to determine the data blocks corresponding to the protected files in the virtual machine corresponding to the OS Type, to define those data blocks as protected data blocks, to define the access rights of each protected file as the access rights of the protected data blocks corresponding to that file, and to save the protected data blocks and their access rights in the protected data block set.
In the present embodiment, the OS Type of the virtual machine is obtained, the kernel data structure offset array corresponding to the OS Type is determined according to the OS Type of the virtual machine, the process information of each process in the virtual machine is obtained according to the kernel data structure offset array, the block number of the data block to be operated on by the running process in the virtual machine is obtained, and when the running process's operation on the data block to be operated on exceeds the access rights of that data block, the running process's operation on it is terminated; thus multiple virtual machines with different operating systems on the host can be monitored simultaneously, improving monitoring efficiency.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the scope of the technical solutions of the various embodiments of the present invention.

Claims (9)

1. A virtual machine process monitoring method, characterized in that it comprises:
obtaining the OS Type of a virtual machine;
querying a preset kernel data structure offset set according to the OS Type to determine the kernel data structure offset array corresponding to the OS Type, the kernel data structure offset array comprising: the process linked list data structure of the virtual machine corresponding to the OS Type, and the offset of the process information of each process within the structure corresponding to each process in the virtual machine corresponding to the OS Type;
determining, according to the process linked list data structure, the virtual address of the structure corresponding to each process in the virtual machine corresponding to the OS Type;
obtaining the process information of each process in the virtual machine corresponding to the OS Type according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process;
wherein, after obtaining the process information of each process in the virtual machine corresponding to the OS Type according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process, the method further comprises:
obtaining the block number of the data block to be operated on by a running process in the virtual machine corresponding to the OS Type;
when the data block to be operated on exists in a preset protected data block set, judging whether the running process is a suspicious process;
when the running process is a suspicious process, judging whether the running process's operation on the data block to be operated on exceeds the access rights of the data block to be operated on;
when the running process's operation on the data block to be operated on exceeds the access rights of the data block to be operated on, terminating the running process's operation on the data block to be operated on.
2. The method according to claim 1, characterized in that, before obtaining the OS Type of the virtual machine, it further comprises:
creating the kernel data structure offset set, the kernel data structure offset set comprising the OS Type of each virtual machine supported by the host and the kernel data structure offset array corresponding to the OS Type of each virtual machine.
3. The method according to claim 2, characterized in that, before determining according to the process linked list data structure the virtual address of the structure corresponding to each process in the virtual machine corresponding to the OS Type, it further comprises:
obtaining the virtual address of the structure corresponding to the running process in the virtual machine corresponding to the OS Type;
and determining according to the process linked list data structure the virtual address of the structure corresponding to each process in the virtual machine corresponding to the OS Type comprises:
querying the process linked list data structure according to the virtual address of the structure corresponding to the running process, and determining the virtual addresses of the structures corresponding to the other processes in the virtual machine corresponding to the OS Type besides the running process.
4. The method according to any one of claims 1-3, characterized in that, after obtaining the process information of each process in the virtual machine corresponding to the OS Type according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process, it further comprises:
creating the data structure corresponding to the virtual machine corresponding to the OS Type, the data structure comprising: the OS Type, the kernel data structure offset array corresponding to the OS Type, and the process linked list data structure of the virtual machine corresponding to the OS Type.
5. The method according to any one of claims 1-3, characterized in that the process information of each process in the virtual machine corresponding to the OS Type comprises the process identification number of each process;
and after obtaining the process information of each process in the virtual machine corresponding to the OS Type according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process, it further comprises:
obtaining the process identification number of the process to be terminated;
terminating the process to be terminated according to the process identification number of the process to be terminated.
6. The method according to claim 5, characterized in that terminating the process to be terminated according to the process identification number of the process to be terminated comprises:
obtaining, according to the process identification number of the process to be terminated, the virtual address of the structure corresponding to the process to be terminated;
storing, according to the virtual address of the structure corresponding to the process to be terminated, a termination process instruction that terminates the process to be terminated in the structure corresponding to the process to be terminated, so that the virtual machine corresponding to the OS Type executes the termination process instruction.
7. The method according to claim 1, characterized in that, before obtaining the block number of the data block to be operated on by the running process in the virtual machine corresponding to the OS Type, it further comprises:
creating the configuration file corresponding to the virtual machine, the configuration file comprising the protected files and the access rights of the protected files;
determining the data blocks corresponding to the protected files in the virtual machine corresponding to the OS Type;
defining the data blocks corresponding to the protected files in the virtual machine corresponding to the OS Type as protected data blocks;
defining the access rights of the protected files as the access rights of the protected data blocks corresponding to the protected files;
saving the protected data blocks and the access rights of the protected data blocks in the protected data block set.
8. A virtual machine process monitoring device, characterized in that it comprises:
an acquisition module for obtaining the OS Type of a virtual machine;
a determination module for querying a preset kernel data structure offset set according to the OS Type and determining the kernel data structure offset array corresponding to the OS Type, the kernel data structure offset array comprising: the process linked list data structure of the virtual machine corresponding to the OS Type, and the offset of the process information of each process within the structure corresponding to each process in the virtual machine corresponding to the OS Type;
the determination module is also used to determine, according to the process linked list data structure, the virtual address of the structure corresponding to each process in the virtual machine corresponding to the OS Type;
the acquisition module is also used to obtain the process information of each process in the virtual machine corresponding to the OS Type according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process;
the acquisition module is also used to obtain the block number of the data block to be operated on by a running process in the virtual machine corresponding to the OS Type, after it has obtained the process information of each process in that virtual machine according to the virtual address of the structure corresponding to each process and the offset of the process information of each process within the structure corresponding to each process;
a judgement module for judging whether the running process is a suspicious process when the data block to be operated on exists in a preset protected data block set,
and, when the running process is a suspicious process, judging whether the running process's operation on the data block to be operated on exceeds the access rights of the data block to be operated on;
a termination module for terminating the running process's operation on the data block to be operated on when that operation exceeds the access rights of the data block to be operated on.
9. The device according to claim 8, characterized in that it further comprises a creation module;
the creation module is used to create the kernel data structure offset set before the acquisition module obtains the OS Type of the virtual machine, the kernel data structure offset set comprising the OS Type of each virtual machine supported by the host and the kernel data structure offset array corresponding to the OS Type of each virtual machine.
CN201310485094.1A 2013-10-16 2013-10-16 virtual machine process monitoring method and device Active CN103544090B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310485094.1A CN103544090B (en) 2013-10-16 2013-10-16 virtual machine process monitoring method and device

Publications (2)

Publication Number Publication Date
CN103544090A CN103544090A (en) 2014-01-29
CN103544090B true CN103544090B (en) 2016-04-06

Family

ID=49967563

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310485094.1A Active CN103544090B (en) 2013-10-16 2013-10-16 virtual machine process monitoring method and device

Country Status (1)

Country Link
CN (1) CN103544090B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103995863B (en) * 2014-05-19 2018-06-19 华为技术有限公司 A kind of method and device of data de-duplication
CN105138388B (en) * 2014-06-09 2019-07-23 腾讯科技(深圳)有限公司 Virtual machine monitoring method and device
CN105590054A (en) * 2014-11-11 2016-05-18 航天恒星科技有限公司 Virtual machine process monitoring method, device and system
CN105989008B (en) * 2015-01-27 2020-06-23 炬芯(珠海)科技有限公司 Method and equipment for writing data into mirror image file
CN105550575B (en) * 2015-12-03 2018-10-02 北京神州绿盟信息安全科技股份有限公司 A kind of acquisition methods and device of not derived function address and data structural deflection
CN106168883A (en) * 2016-05-05 2016-11-30 诸葛晴凤 A kind of efficient data tissue and access method
CN107463425B (en) * 2016-06-03 2021-03-05 阿里巴巴集团控股有限公司 Method and device for acquiring running state of Java virtual machine
CN106548066A (en) * 2016-11-01 2017-03-29 广东浪潮大数据研究有限公司 A kind of method and device of protection virtual machine
CN106789407A (en) * 2016-12-05 2017-05-31 国云科技股份有限公司 A kind of method that cloud platform checks virtual machine connection status
CN114281338A (en) * 2021-11-25 2022-04-05 中国科学院信息工程研究所 Method and device for acquiring data structure offset in Linux kernel

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101211309A (en) * 2006-12-29 2008-07-02 中兴通讯股份有限公司 Embedded system progress abnormal tracking position-finding method
CN101782954A (en) * 2009-01-20 2010-07-21 联想(北京)有限公司 Computer and abnormal progress detection method
CN101923507A (en) * 2010-07-30 2010-12-22 华中科技大学 Universal virtual machine monitoring system based on driving

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9148470B2 (en) * 2011-05-26 2015-09-29 Candi Control, Inc. Targeting delivery data

Also Published As

Publication number Publication date
CN103544090A (en) 2014-01-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant