CN103632088A - 一种木马检测方法及装置 - Google Patents

一种木马检测方法及装置 Download PDF

Info

Publication number
CN103632088A
CN103632088A CN201210310462.4A CN201210310462A CN103632088A CN 103632088 A CN103632088 A CN 103632088A CN 201210310462 A CN201210310462 A CN 201210310462A CN 103632088 A CN103632088 A CN 103632088A
Authority
CN
China
Prior art keywords
described process
memory block
type
plot
base address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201210310462.4A
Other languages
English (en)
Chinese (zh)
Inventor
聂万泉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201210310462.4A priority Critical patent/CN103632088A/zh
Priority to TW101146915A priority patent/TWI554907B/zh
Priority to US13/973,229 priority patent/US9152788B2/en
Priority to EP13759086.5A priority patent/EP2891104B1/en
Priority to JP2015525646A priority patent/JP5882542B2/ja
Priority to EP18190007.7A priority patent/EP3422238B1/en
Priority to PCT/US2013/056562 priority patent/WO2014035857A1/en
Publication of CN103632088A publication Critical patent/CN103632088A/zh
Priority to US14/842,648 priority patent/US9516056B2/en
Priority to JP2016018519A priority patent/JP6165900B2/ja
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)
CN201210310462.4A 2012-08-28 2012-08-28 一种木马检测方法及装置 Pending CN103632088A (zh)

Priority Applications (9)

Application Number Priority Date Filing Date Title
CN201210310462.4A CN103632088A (zh) 2012-08-28 2012-08-28 一种木马检测方法及装置
TW101146915A TWI554907B (zh) 2012-08-28 2012-12-12 Trojan horse detection method and device
US13/973,229 US9152788B2 (en) 2012-08-28 2013-08-22 Detecting a malware process
EP13759086.5A EP2891104B1 (en) 2012-08-28 2013-08-26 Detecting a malware process
JP2015525646A JP5882542B2 (ja) 2012-08-28 2013-08-26 マルウェアプロセスの検出
EP18190007.7A EP3422238B1 (en) 2012-08-28 2013-08-26 Detecting a malware process
PCT/US2013/056562 WO2014035857A1 (en) 2012-08-28 2013-08-26 Detecting a malware process
US14/842,648 US9516056B2 (en) 2012-08-28 2015-09-01 Detecting a malware process
JP2016018519A JP6165900B2 (ja) 2012-08-28 2016-02-03 マルウェアプロセスの検出

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210310462.4A CN103632088A (zh) 2012-08-28 2012-08-28 一种木马检测方法及装置

Publications (1)

Publication Number Publication Date
CN103632088A true CN103632088A (zh) 2014-03-12

Family

ID=50189431

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210310462.4A Pending CN103632088A (zh) 2012-08-28 2012-08-28 一种木马检测方法及装置

Country Status (6)

Country Link
US (2) US9152788B2 (https=)
EP (2) EP2891104B1 (https=)
JP (2) JP5882542B2 (https=)
CN (1) CN103632088A (https=)
TW (1) TWI554907B (https=)
WO (1) WO2014035857A1 (https=)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105608377A (zh) * 2015-12-24 2016-05-25 国家电网公司 一种信息系统进程安全管理系统及管理方法
CN106415577A (zh) * 2014-03-31 2017-02-15 赛门铁克公司 用于识别可疑事件来源的系统和方法
CN114969737A (zh) * 2022-05-26 2022-08-30 深信服科技股份有限公司 一种病毒处理的方法、装置、电子设备及介质
WO2022193630A1 (zh) * 2021-03-15 2022-09-22 清华大学 敏感数据的读取方法、装置、电子设备及存储介质
CN115766279A (zh) * 2022-12-06 2023-03-07 北京天融信网络安全技术有限公司 网络攻击取证方法、装置、电子设备及可读取存储介质

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10223530B2 (en) 2013-11-13 2019-03-05 Proofpoint, Inc. System and method of protecting client computers
CN106295328B (zh) 2015-05-20 2019-06-18 阿里巴巴集团控股有限公司 文件检测方法、装置及系统
WO2016186902A1 (en) * 2015-05-20 2016-11-24 Alibaba Group Holding Limited Detecting malicious files
US10083296B2 (en) * 2015-06-27 2018-09-25 Mcafee, Llc Detection of malicious thread suspension
US10049214B2 (en) * 2016-09-13 2018-08-14 Symantec Corporation Systems and methods for detecting malicious processes on computing devices
CN110414230B (zh) * 2019-06-21 2022-04-08 腾讯科技(深圳)有限公司 病毒查杀方法、装置、计算机设备和存储介质
CN111552962B (zh) * 2020-03-25 2024-03-01 三六零数字安全科技集团有限公司 一种基于Windows操作系统的U盘PE格式文件病毒的拦截方法
US11874920B2 (en) * 2020-12-30 2024-01-16 Acronis International Gmbh Systems and methods for preventing injections of malicious processes in software
CN113641997B (zh) * 2021-07-19 2025-03-14 卡奥斯工业智能研究院(青岛)有限公司 工业主机的安全防护方法、装置、系统及存储介质

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7493498B1 (en) * 2002-03-27 2009-02-17 Advanced Micro Devices, Inc. Input/output permission bitmaps for compartmentalized security
CN101826139A (zh) * 2009-12-30 2010-09-08 厦门市美亚柏科信息股份有限公司 一种非可执行文件挂马检测方法及其装置

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5812848A (en) * 1995-08-23 1998-09-22 Symantec Corporation Subclassing system for computer that operates with portable-executable (PE) modules
EP1684151A1 (en) * 2005-01-20 2006-07-26 Grant Rothwell William Computer protection against malware affection
EP1860588A1 (en) * 2005-02-25 2007-11-28 Matsushita Electric Industrial Co., Ltd. Processor
US7673345B2 (en) 2005-03-31 2010-03-02 Intel Corporation Providing extended memory protection
KR100843701B1 (ko) * 2006-11-07 2008-07-04 소프트캠프(주) 콜 스택에 기록된 정보를 이용한 에이피아이 확인방법
US7917725B2 (en) * 2007-09-11 2011-03-29 QNX Software Systems GmbH & Co., KG Processing system implementing variable page size memory organization using a multiple page per entry translation lookaside buffer
US8578483B2 (en) * 2008-07-31 2013-11-05 Carnegie Mellon University Systems and methods for preventing unauthorized modification of an operating system
HUE038328T2 (hu) * 2009-07-29 2018-10-29 Reversinglabs Corp Hordozható futtatható fájlok javítása
US8572740B2 (en) 2009-10-01 2013-10-29 Kaspersky Lab, Zao Method and system for detection of previously unknown malware
TW201137660A (en) * 2009-12-23 2011-11-01 Ibm Method and system for protecting an operating system against unauthorized modification
US8468602B2 (en) 2010-03-08 2013-06-18 Raytheon Company System and method for host-level malware detection
US20120036569A1 (en) * 2010-04-05 2012-02-09 Andrew Cottrell Securing portable executable modules
KR101122650B1 (ko) * 2010-04-28 2012-03-09 한국전자통신연구원 정상 프로세스에 위장 삽입된 악성코드 탐지 장치, 시스템 및 방법
US9245114B2 (en) * 2010-08-26 2016-01-26 Verisign, Inc. Method and system for automatic detection and analysis of malware
TW201220186A (en) * 2010-11-04 2012-05-16 Inventec Corp Data protection method for damaged memory cells
US8955132B2 (en) 2011-04-14 2015-02-10 F-Secure Corporation Emulation for malware detection
RU2487405C1 (ru) * 2011-11-24 2013-07-10 Закрытое акционерное общество "Лаборатория Касперского" Система и способ для исправления антивирусных записей
WO2014142986A1 (en) * 2013-03-15 2014-09-18 Mcafee, Inc. Server-assisted anti-malware client
EP2784716A1 (en) * 2013-03-25 2014-10-01 British Telecommunications public limited company Suspicious program detection

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7493498B1 (en) * 2002-03-27 2009-02-17 Advanced Micro Devices, Inc. Input/output permission bitmaps for compartmentalized security
CN101826139A (zh) * 2009-12-30 2010-09-08 厦门市美亚柏科信息股份有限公司 一种非可执行文件挂马检测方法及其装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李青: "内网管理系统中移动存储介质管理软件的设计", 《中国优秀硕士论文全文数据库》, no. 3, 15 March 2012 (2012-03-15), pages 33 - 39 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106415577A (zh) * 2014-03-31 2017-02-15 赛门铁克公司 用于识别可疑事件来源的系统和方法
CN106415577B (zh) * 2014-03-31 2020-06-16 Ca公司 用于识别可疑事件来源的系统和方法
CN105608377A (zh) * 2015-12-24 2016-05-25 国家电网公司 一种信息系统进程安全管理系统及管理方法
WO2022193630A1 (zh) * 2021-03-15 2022-09-22 清华大学 敏感数据的读取方法、装置、电子设备及存储介质
US12399842B2 (en) 2021-03-15 2025-08-26 Tsinghua University Sensitive data reading method and apparatus, electronic device, and storage medium
CN114969737A (zh) * 2022-05-26 2022-08-30 深信服科技股份有限公司 一种病毒处理的方法、装置、电子设备及介质
CN115766279A (zh) * 2022-12-06 2023-03-07 北京天融信网络安全技术有限公司 网络攻击取证方法、装置、电子设备及可读取存储介质

Also Published As

Publication number Publication date
JP5882542B2 (ja) 2016-03-09
EP3422238B1 (en) 2020-03-11
JP2015523668A (ja) 2015-08-13
US20140068774A1 (en) 2014-03-06
TWI554907B (zh) 2016-10-21
WO2014035857A1 (en) 2014-03-06
US9516056B2 (en) 2016-12-06
EP2891104B1 (en) 2018-10-10
EP2891104A1 (en) 2015-07-08
US9152788B2 (en) 2015-10-06
JP6165900B2 (ja) 2017-07-19
US20160087998A1 (en) 2016-03-24
EP3422238A1 (en) 2019-01-02
TW201409272A (zh) 2014-03-01
JP2016105310A (ja) 2016-06-09

Similar Documents

Publication Publication Date Title
CN103632088A (zh) 一种木马检测方法及装置
CN104820801B (zh) 一种保护指定应用程序的方法及装置
CN102663288B (zh) 病毒查杀方法及装置
CN103150506B (zh) 一种恶意程序检测的方法和装置
KR20110128248A (ko) 데이터 저장 장치에 대한 원격 서버로부터의 안전한 스캔을 위한 방법 및 장치
WO2017023773A1 (en) Systems and methods of protecting data from injected malware
US20220035918A1 (en) System and Method for Validating In-Memory Integrity of Executable Files to Identify Malicious Activity
CN101902481B (zh) 一种网页木马实时监测方法及其装置
JP2010182019A (ja) 異常検知装置およびプログラム
CN114065196A (zh) Java内存马检测方法、装置、电子设备与存储介质
CN112099904A (zh) 一种虚拟机的嵌套页表管理方法、装置、处理器芯片及服务器
CN108229162B (zh) 一种云平台虚拟机完整性校验的实现方法
CN115795432B (zh) 一种适用于只读文件系统的程序完整性验证系统及方法
US20190018958A1 (en) System and method for detecting malware injected into memory of a computing device
WO2016197827A1 (zh) 一种恶意捆绑软件的处理方法和装置
KR102149711B1 (ko) 위장 프로세스를 이용한 랜섬웨어 행위 탐지 및 방지 장치, 이를 위한 방법 및 이 방법을 수행하는 프로그램이 기록된 컴퓨터 판독 가능한 기록매체
CN115688106A (zh) 一种Java agent无文件注入内存马的检测方法及装置
CN103116724A (zh) 探测程序样本危险行为的方法及装置
CN104516752B (zh) 一种信息处理方法及电子设备
CN103366115B (zh) 安全性检测方法和装置
KR20190079002A (ko) 이동식 저장 장치 및 그의 보안 방법
CN113407935A (zh) 一种文件检测方法、装置、存储介质及服务器
CN116484364B (zh) 一种基于Linux内核的隐藏端口检测方法及装置
CN116418593A (zh) 一种动态可信度量方法、电子设备及存储介质
CN105631317B (zh) 一种系统调用方法及装置

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20140312