CN104021063A - Modular computer forensic system and method based on hardware virtualization - Google Patents


Info

Publication number: CN104021063A
Authority: CN (China)
Prior art keywords: module, evidence, event, hardware, control center
Legal status: Granted
Application number: CN201410202898.0A
Other languages: Chinese (zh)
Other versions: CN104021063B (en)
Inventors: 伏晓, 程盈心, 骆斌, 杨瑞, 阮豪
Current assignee: Nanjing University
Original assignee: Nanjing University
Legal events: application filed by Nanjing University; priority to CN201410202898.0A; publication of CN104021063A; application granted; publication of CN104021063B; current status: expired (fee related)


Abstract

The invention discloses a modular computer forensic system and method based on hardware virtualization. The system comprises an initialization driver, a system control center, a system support module set and a forensic function module set. Using hardware virtualization, the initialization driver sets up a lightweight virtual machine while the operating system is running; the system control center supports the hardware virtual platform and manages all sub-modules; and the system support module set provides the basic functions on which the forensic module set relies. The interfaces of the forensic function module set are standardized so that modules can be reused and extended, which lets forensic tools concentrate on their core function and cuts a large amount of repetitive work. No code of the target operating system needs to be modified, performance loss is low and memory use is small, which yields a safe and trustworthy real-time forensic base platform and makes it convenient to build a variety of virtualization-based forensic tools.

Description

Modular computer forensic system and method based on hardware virtualization
Technical field
The present invention relates to a method in the field of computer forensics, in particular to a modular real-time computer forensic system and method based on hardware virtualization.
Background technology
The object of computer forensics is to offer the traces a criminal leaves on a computer to a court as valid evidence, in order to combat computer and network crime. One of the difficulties is how to obtain intrusion evidence at the earliest possible moment, and to find the criminal program or the criminal, when a computer intrusion occurs. Current forensic methods mainly follow an acquire-then-analyze pattern: a memory image is acquired first, and the intrusion event is then reconstructed from the image in an attempt to obtain evidence. One defect of this approach is that memory acquisition needs a great deal of time and space, and to guarantee the consistency of the memory image the target machine must be stopped, so the long downtime affects the normal operation of important machines. The analysis stage must process a complete memory image, which is also very complex. In addition, because memory is volatile, there is no guarantee that the image contains intrusion evidence at all, and the time consumed by acquiring and analyzing the image often makes image-based evidence acquisition difficult to carry out. For these reasons, most intrusion behavior occurring in the kernel cannot currently be reconstructed.
Hardware virtualization technology was first proposed for IBM System/370. Its properties guarantee consistency of the running environment, that is, software behaves the same under a hardware virtual machine as when running directly on the machine; they guarantee that the VMM has complete control over the virtual machine's resources, including memory, registers, I/O, interrupts and instruction execution; and they guarantee efficiency, that is, ordinary instructions are not interfered with by the VMM and run at full speed. On the x86 architecture the technologies supporting hardware virtualization are currently Intel VT-x (2005) from Intel and AMD-V (2006) from AMD, both of which are widely used in all kinds of PCs and servers. Most commercial virtualization software supports this technology, for example Linux KVM, Microsoft Hyper-V, Xen and VMware.
Lightweight virtual machine technology uses the facilities provided by hardware virtualization so that a complete virtual platform can be implemented with a small amount of code. Because the code size of a lightweight virtual machine is small, integrity checking can be performed more quickly and completely, which guarantees the security of the virtual machine monitor. At the 2006 IEEE S&P conference, S. T. King proposed a method of dynamically deploying a lightweight virtual machine beneath a running operating system, proving that a lightweight virtual machine has the flexibility to be deployed at run time and is transparent to the target system.
Summary of the invention
In view of the deficiencies of the prior art, the present invention aims to provide a modular real-time computer forensic system and method based on hardware virtualization. It implements a lightweight virtual machine monitor so that forensic tools can directly make use of the convenience and flexibility brought by hardware virtualization technology, and provides tools that perform fast analysis and obtain real-time evidence at the moment an intrusion event occurs. The method can be deployed on a platform that supports hardware virtualization technology and built while the operating system is running, without stopping or restarting the target operating system and without modifying any operating system kernel code, so it is highly transparent. The method uses hardware virtual machine technology together with signal processing functions, reception of external control commands, control of guest virtual machine memory and digital evidence acquisition functions; it can ignore irrelevant virtual machine management logic and reuse existing forensic module functions to acquire important real-time evidence.
The technical scheme of the present invention is as follows: a modular computer forensic system based on hardware virtualization comprises an initialization driver, a System Control Center, a system support module set and a forensic function module set. The forensic system makes it convenient to implement each forensic tool: every forensic tool is a module of the forensic function module set, managed uniformly by the System Control Center, and the infrastructure functions of the forensic system can be extended by adding system support modules or modifying existing ones.
The initialization driver deploys and unloads the forensic platform within the running operating system, and hands control to the System Control Center once the initialization procedure is complete;
The System Control Center provides the support of the hardware virtualization platform, controls the initialization and unloading procedures, and pre-processes the target operating system events intercepted by the hardware virtualization platform before offering them to the forensic function module set;
The system support module set implements the basic functions of the system on top of the System Control Center. It includes a signaling module that provides inter-core signal communication for SMP systems, an external control module, a memory virtualization module that monitors the memory behavior of the target operating system, and a virtual machine introspection module that obtains important evidence from the operating system in real time;
The forensic function module set is made up of several forensic modules which track the system state and collect evidence; with the support of the forensic platform, each module implements initialization, unloading and external control, and provides an event response interface for the events it needs to monitor.
Further, in the system support module set and the forensic function module set each module must implement, fully or partly, 4 groups of interfaces: the initialization interface, the event response interface, the control interface and the unloading interface. The 4 groups of interfaces are managed uniformly by the System Control Center, as follows:
(1) The System Control Center manages the initialization interface of each module and controls the order of initialization: when the initialization driver starts, the System Control Center is initialized first, then the system support module set, and finally the forensic function modules; initialization is kept single-threaded;
(2) The System Control Center manages the control interface of each module; the control interfaces are registered with the external control module and accept its control;
(3) The System Control Center manages the event response interface of each module; the event response interfaces are registered in the event handling function for each target operating system event;
(4) The System Control Center manages the unloading interface of each module and controls the order of unloading: during unloading, the forensic function modules are unloaded first, then the system support module set, and finally the System Control Center returns CPU control to the target operating system.
The present invention also provides a modular computer forensic method based on hardware virtualization, with the following concrete steps:
Step 1, startup phase: the initialization driver requests memory from the target operating system, turns on virtual machine mode in the CPU, configures the hardware-specific virtual machine control data structures, and copies the registers and running state of the current operating system into the virtual machine configuration; the original CPU control is taken over by the System Control Center;
Step 2, operation phase: the hardware platform that supports hardware virtualization automatically intercepts the hardware events produced in the virtual machine according to the configuration of the System Control Center, and the control flow traps into the virtual machine monitor. After the event has been pre-processed by the System Control Center, it is dispatched to the correspondingly registered forensic function modules for processing, and control finally returns to the guest virtual machine;
For hardware events, the concrete pre-processing steps of the System Control Center are as follows:
Each module in the system configures the hardware virtualization data structures through the System Control Center, which ensures that only the events the forensic platform cares about trigger a trap of the virtual machine;
(1) When the control flow of the target operating system traps into the virtual machine monitor, the System Control Center first maps the hardware event to a logical event;
(2) The System Control Center then determines whether the logical event from step (1) is a virtual machine exception or error event. If so, it forcibly shuts down the faulting function and, if the function cannot be recovered after shutdown, reports the error information over the serial port; if not, it proceeds to step (3);
(3) The System Control Center delivers the logical event to the event response interface of the correspondingly registered forensic function modules for processing;
For external control events, the concrete pre-processing steps of the System Control Center are as follows: the System Control Center delivers the external control event to the external control module, which decrypts the control information in the event; if it matches the defined format, it is forwarded to the control interface of the correspondingly registered forensic function modules for processing; if it does not match the defined format, it is discarded and produces no behavior;
The processing by a forensic function module consists specifically of: calling the memory virtualization module interface to monitor the memory behavior of the target operating system, calling the signaling module to propagate control information to other CPUs, using the virtual machine introspection module to obtain important evidence from the operating system in real time, or calling the interfaces provided by other forensic modules to obtain the corresponding functions;
Step 3, unloading phase: the initialization driver reports the unloading to the System Control Center; the System Control Center first unloads the forensic function modules, then the system support module set, and then returns CPU control to the target operating system; finally the initialization driver gives back the memory allocated in step 1, which completes the unloading.
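An added illustration (not the patent's code) of the interface management in points (1) to (4) above and of the event pre-processing in step 2: a small C control center that initializes modules in the required order, maps VM-exit reasons to the logical events the patent names, keeps virtual machine error events to itself and dispatches the rest to the registered modules. The event and module names and the two demo modules are constructed for the example.

```c
#include <stdio.h>
#include <stdbool.h>
typedef enum { HW_CR_ACCESS, HW_CPUID, HW_EPT_VIOLATION, HW_VM_ERROR } hw_event_t;       /* VM-exit reasons */
typedef enum { EV_CONTEXT_SWITCH, EV_EXTERNAL_CONTROL, EV_PAGE_CHANGE } logic_event_t;  /* logical events */
typedef enum { KIND_SUPPORT = 0, KIND_FORENSIC = 1 } module_kind_t;

typedef struct module {
    const char   *name;
    module_kind_t kind;
    int  (*init)(struct module *);                                    /* initialization interface */
    void (*on_event)(struct module *, logic_event_t, unsigned long);  /* event response interface */
    int  (*control)(struct module *, const char *);                   /* control interface */
    void (*unload)(struct module *);                                  /* unloading interface */
    unsigned      subscribed;   /* bitmask of logical events this module registered for */
    int           state;        /* demo modules record +n on init and -n on unload */
} module_t;

#define MAX_MODULES 8
static module_t *modules[MAX_MODULES];
static int nmodules, errors_reported;

int cc_register(module_t *m) {
    if (nmodules >= MAX_MODULES) return -1;
    modules[nmodules++] = m;
    return 0;
}

/* (1) Support modules are initialised before forensic modules, strictly one at a time. */
int cc_init_all(void) {
    for (int pass = KIND_SUPPORT; pass <= KIND_FORENSIC; pass++)
        for (int i = 0; i < nmodules; i++)
            if (modules[i]->kind == pass && modules[i]->init && modules[i]->init(modules[i]) != 0)
                return -1;
    return 0;
}

/* (4) Unloading runs in reverse: forensic modules first, then the support modules. */
void cc_unload_all(void) {
    for (int pass = KIND_FORENSIC; pass >= KIND_SUPPORT; pass--)
        for (int i = nmodules - 1; i >= 0; i--)
            if (modules[i]->kind == pass && modules[i]->unload)
                modules[i]->unload(modules[i]);
}

/* Pre-processing step (1): hardware event -> logical event. `qual` carries the exit
 * qualification: the CR number for control-register exits, access bits for EPT violations. */
bool cc_map_event(hw_event_t hw, unsigned long qual, logic_event_t *out) {
    switch (hw) {
    case HW_CR_ACCESS:     if (qual != 3) return false;   *out = EV_CONTEXT_SWITCH;   return true;
    case HW_CPUID:                                        *out = EV_EXTERNAL_CONTROL; return true;
    case HW_EPT_VIOLATION: if (!(qual & 2)) return false; *out = EV_PAGE_CHANGE;      return true;
    default:               return false;
    }
}

/* Pre-processing steps (2)-(3): VM error events stay in the control center (counted here; the
 * platform reports them over the serial port), everything else goes to the subscribed modules.
 * Returns the number of handlers run, or -1 for an error event. */
int cc_dispatch(hw_event_t hw, unsigned long qual) {
    logic_event_t ev; int n = 0;
    if (hw == HW_VM_ERROR) { errors_reported++; return -1; }
    if (!cc_map_event(hw, qual, &ev)) return 0;
    for (int i = 0; i < nmodules; i++)
        if ((modules[i]->subscribed & (1u << ev)) && modules[i]->on_event) {
            modules[i]->on_event(modules[i], ev, qual);
            n++;
        }
    return n;
}

/* --- two constructed modules: a support module and a process-tracking forensic module --- */
static int seq, context_switches;
static int  m_init(module_t *m)   { m->state =  ++seq; return 0; }
static void m_unload(module_t *m) { m->state = -(++seq); }
static void tracker_on_event(module_t *m, logic_event_t ev, unsigned long qual) {
    (void)m; (void)qual;
    if (ev == EV_CONTEXT_SWITCH) context_switches++;   /* a real module would snapshot the new process */
}
static module_t sig_mod = { "signal",  KIND_SUPPORT,  m_init, NULL,             NULL, m_unload, 0, 0 };
static module_t tracker = { "tracker", KIND_FORENSIC, m_init, tracker_on_event, NULL, m_unload,
                            1u << EV_CONTEXT_SWITCH, 0 };

/* One platform life cycle. Returns the context switches the tracker saw, or a negative code. */
int demo(void) {
    nmodules = seq = context_switches = errors_reported = 0;
    cc_register(&tracker);                    /* registered before the support module on purpose */
    cc_register(&sig_mod);
    if (cc_init_all() != 0) return -1;
    if (sig_mod.state != 1 || tracker.state != 2) return -2;    /* init order violated */
    cc_dispatch(HW_CR_ACCESS, 3);             /* CR3 write   -> context switch, delivered */
    cc_dispatch(HW_CR_ACCESS, 0);             /* CR0 access  -> no logical event */
    cc_dispatch(HW_CPUID, 0);                 /* external control: no subscriber */
    cc_dispatch(HW_VM_ERROR, 0);              /* handled by the control center itself */
    cc_unload_all();
    if (tracker.state != -3 || sig_mod.state != -4) return -3;  /* unload order violated */
    return context_switches;
}
int main(void) { printf("context switches seen: %d\n", demo()); return 0; }
```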
Further, the concrete steps of the startup phase in step 1 are as follows:
(1) The initialization driver requests memory from the operating system; the allocation exists for the whole life cycle of the forensic platform and is not given back while allocated;
(2) The System Control Center initializes the memory management system, records all memory allocations, builds the page table structure of the virtual host, and sets up the mapping from host linear addresses to physical addresses;
(3) The System Control Center first calls the initialization interface of each module in the system support module set to initialize it, then calls the initialization interface of each module in the forensic function module set to initialize it;
(4) The initialization driver checks and records the hardware platform's support for hardware virtualization through the CPU, turns on virtual machine mode, configures the hardware-specific virtual machine control data structures, and copies the state of the running operating system into the virtual machine;
(5) The original CPU control is taken over by the System Control Center, which sets the instruction pointer register, segment registers, flags register and descriptor tables of the virtual host in the virtual machine control data structure and then resumes the operation of the target operating system;
(6) Determine whether all CPUs have been virtualized; if so, proceed to step (7); otherwise return to step (4) and continue with the next CPU;
(7) When all CPUs have been virtualized, the startup phase ends.
Further, the mapping of hardware events to logical events is specifically: a CR3 write within the control-register read/write event is mapped to a program context switch event, the CPUID instruction execution event is mapped to an external control event, and a write permission violation within the memory permission event is mapped to a page change event.
Further, the signaling module propagates control information to other CPUs in the following concrete steps:
(1) The signaling module interface is called to send a signal to the other CPUs;
(2) The signaling module records the current signal value and sends an interrupt to the other CPUs;
(3) After receiving the interrupt, the other CPUs read the signal value, perform the corresponding processing and return success;
(4) The signaling module collects the results of the interrupts in step (3) and returns them to the caller of step (1).
Further, the memory virtualization module interface monitors the memory behavior of the target operating system in 3 different operating modes, each corresponding to a different control model, specifically:
Mode 1: closed mode, memory virtualization is not used;
Mode 2: single mode, all cores share one set of second-level page tables, and the virtualization module uniformly controls memory read, write and execute permissions and the translation from guest physical addresses to actual physical addresses;
Mode 3: fine-grained mode, each CPU uses an independent second-level page table, and the virtualization module controls the read, write and execute permissions and the guest-physical-to-physical translation of each CPU core separately;
The memory virtualization page table structure maps guest physical memory to actual physical memory; the complete physical memory layout is obtained by parsing PCI registers. At run time, if the memory virtualization module raises an exception because of a configuration error, the operating mode automatically switches to mode 1;
The operating mode is switched as follows:
(1) The memory virtualization module is called to set the memory operating mode;
(2) The memory virtualization module calls the signaling module to send a memory-mode-change signal to all CPUs;
(3) When a CPU receives the signal, the memory virtualization module checks the operating mode value set for the current CPU and then updates the second-level address translation page table of the current CPU;
(4) When all CPUs have successfully updated their page tables, the mode switch returns success;
The translation from guest physical addresses to actual physical addresses and the memory read/write/execute permissions are controlled in the following concrete steps:
(1) The memory virtualization module is called to set the memory read/write/execute permission of the target address or to modify the physical address mapping of the target address; in operating mode 3 the target CPU must also be specified;
(2) The corresponding page table structure is modified: for a permission change, the read, write or execute permission of the page table entry corresponding to the target address is modified; for a mapping change, the physical address reference in the page table entry corresponding to the target address is modified;
(3) The signaling module is called to send the target CPU a signal to flush the TLB and the page table structure cache;
(4) After the caches in step (3) have been successfully flushed, success is returned.
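As an added example, not from the patent, the following C program models the signaling module and the three memory virtualization modes described above: N+1 second-level tables for N CPUs, a mode switch acknowledged by every CPU, permission or mapping edits that flush only the affected CPUs, and the automatic fall-back to closed mode on a configuration error. The table format, CPU count and error codes are constructed, and IPI delivery is replaced by a direct call.

```c
#include <stdio.h>
#include <stdint.h>

#define NCPU 4
#define NGFN 16                                   /* constructed: a guest-physical space of 16 frames */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum mem_mode    { MODE_CLOSED = 1, MODE_SINGLE = 2, MODE_FINE = 3 };
enum signal_kind { SIG_NONE, SIG_MODE_CHANGE, SIG_TLB_FLUSH };

/* One second-level (guest-physical to host-physical) table with per-frame permissions. */
typedef struct { uint32_t hfn[NGFN]; uint8_t perm[NGFN]; } slat_t;

static slat_t tables[NCPU + 1];             /* tables[0]: shared table; tables[1 + c]: table of CPU c */
static enum mem_mode mode = MODE_CLOSED;    /* mode requested by the control side */
static enum mem_mode cpu_mode[NCPU];        /* mode each CPU has actually applied */
static int tlb_flushes[NCPU];

/* --- signaling module: record the signal value, notify every target CPU, collect the results --- */
static enum signal_kind pending_sig;

static int cpu_handle_signal(int cpu) {     /* the interrupt handler running on `cpu` */
    switch (pending_sig) {
    case SIG_MODE_CHANGE: cpu_mode[cpu] = mode; return 0;   /* re-read the mode, switch to its table */
    case SIG_TLB_FLUSH:   tlb_flushes[cpu]++;   return 0;   /* drop cached second-level translations */
    default:              return -1;
    }
}
int signal_send(unsigned cpu_mask, enum signal_kind sig) {
    int failed = 0;
    pending_sig = sig;
    for (int c = 0; c < NCPU; c++)          /* a loop stands in for IPI delivery to each CPU */
        if (cpu_mask & (1u << c)) failed |= cpu_handle_signal(c);
    return failed;                          /* aggregated result handed back to the caller */
}

/* --- memory virtualization module --- */
void memvirt_init(void) {
    for (int t = 0; t <= NCPU; t++)
        for (int g = 0; g < NGFN; g++) { tables[t].hfn[g] = 0x100 + g; tables[t].perm[g] = PERM_R | PERM_W | PERM_X; }
    mode = MODE_CLOSED;
    for (int c = 0; c < NCPU; c++) { cpu_mode[c] = MODE_CLOSED; tlb_flushes[c] = 0; }
}

/* Mode switch: set the mode, then every CPU must acknowledge the change before it counts as applied. */
int memvirt_set_mode(enum mem_mode m) {
    mode = m;
    return signal_send((1u << NCPU) - 1, SIG_MODE_CHANGE);
}

/* Pick the table to edit and the CPUs that must flush; NULL when the mode allows no edit. */
static slat_t *select_table(int target_cpu, unsigned *mask) {
    switch (mode) {
    case MODE_SINGLE: *mask = (1u << NCPU) - 1; return &tables[0];
    case MODE_FINE:
        if (target_cpu < 0 || target_cpu >= NCPU) return NULL;   /* fine mode requires a target CPU */
        *mask = 1u << target_cpu; return &tables[1 + target_cpu];
    default: return NULL;                                        /* closed mode controls nothing */
    }
}

/* Change the access permission of guest frame gfn (target_cpu is consulted in fine mode only). */
int memvirt_set_perm(unsigned gfn, uint8_t perm, int target_cpu) {
    unsigned mask;
    if (gfn >= NGFN) { memvirt_set_mode(MODE_CLOSED); return -1; }  /* config error: fall back to closed mode */
    slat_t *t = select_table(target_cpu, &mask);
    if (!t) return -2;
    t->perm[gfn] = perm;                       /* (2) edit the page-table entry */
    return signal_send(mask, SIG_TLB_FLUSH);   /* (3)-(4) flush the CPUs that may have cached it */
}

/* Redirect guest frame gfn to host frame hfn, with the same selection and flush rules. */
int memvirt_remap(unsigned gfn, uint32_t hfn, int target_cpu) {
    unsigned mask;
    if (gfn >= NGFN) { memvirt_set_mode(MODE_CLOSED); return -1; }
    slat_t *t = select_table(target_cpu, &mask);
    if (!t) return -2;
    t->hfn[gfn] = hfn;
    return signal_send(mask, SIG_TLB_FLUSH);
}

int main(void) {
    memvirt_init();
    memvirt_set_mode(MODE_FINE);
    memvirt_set_perm(5, PERM_R, 2);    /* frame 5 becomes read-only, but only as seen by CPU 2 */
    printf("CPU 2 perm=%u, CPU 0 perm=%u, TLB flushes on CPU 2: %d\n",
           tables[3].perm[5], tables[1].perm[5], tlb_flushes[2]);
    return 0;
}
```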
Further, the important evidence that the virtual machine introspection module obtains from the operating system in real time includes the running state of the current operating system and the behavior of the currently running process at the time an event occurs; specifically, the details of the task state segment the hardware is currently running, the code currently executing, the current stack structure and the details of the current process. The module also assists the forensic module set in obtaining copies of operating system data structures in real time as evidence.
Further, the virtual machine introspection module assists the forensic module set in obtaining evidence from the operating system in real time, comprising static content and dynamic data structures of the operating system. The assistance provided by the module comprises translation of operating system virtual addresses and assembly of data structures that span pages; the logic for obtaining a target data structure is implemented by the corresponding forensic function module, with the following concrete steps:
(1) The address of the root static data structure is obtained from a static symbol in the operating system kernel; the address comes from an exported symbol table or from a driver compiled with the compiler of the target operating system;
(2) The virtual machine introspection module accesses the static data structure directly from within the virtual machine monitor. If it is the target data structure, its copy is returned to the calling forensic module; if not, the forensic module selects the next data structure pointed to by this static data structure and hands it to the introspection module for processing;
(3) The introspection module hands the operating system virtual address to the software MMU for translation. Using this virtual address and the corresponding CR3 value, the software MMU walks the page table structure of the guest operating system and obtains the physical address from the corresponding PTE;
(4) From the physical address of step (3) and the size of the data structure described in the symbol table, the object assembler determines whether the data structure crosses a page boundary. If it does, the object assembler automatically calculates the operating system virtual address of the next page and returns to step (3); if not, the object assembler reads the physical memory content directly, assembles the memory content obtained so far into a copy of the data structure, and proceeds to step (5);
(5) If the copy of the data structure obtained in step (4) is not the final data structure, return to step (3) and continue to resolve the next data structure required by the forensic module; if it is the final data structure, return it to the forensic module.
The beneficial effects of the present invention are:
(1) The method uses virtualization technology to overcome the after-the-fact defect of current forensic methods: instead of reconstructing evidence from a memory image after the event, it directly monitors and intercepts the events of the hardware configuration in the target machine and hands them to the forensic modules for analysis, obtaining truly real-time evidence, preventing to the greatest extent the later loss or tampering of evidence, and ensuring the credibility of the evidence obtained.
(2) By directly obtaining evidence in the form of data structures, the present invention greatly reduces the amount of data acquired, so that forensic tools can obtain evidence repeatedly within a short time of the intrusion event; and because the target operating system is stopped while the platform is in host mode, the consistency of the evidence is ensured.
(3) The method also overcomes the inflexibility of virtualization technology itself: instead of building a virtual platform in advance, it obtains the highest privilege by instantly building a lightweight virtual machine based on hardware virtualization technology, and moves the operating system into the virtual machine to monitor it. Using a modular design for forensic tools reduces a large amount of duplicated development work; each module encapsulates its internal data and exposes only its interfaces, which greatly simplifies improving the method and allows modules to be reused.
(4) The virtual machine introspection module of the present invention can obtain the dynamic and static data structures of the operating system from within the virtual machine monitor without modifying the running state of the target operating system. Because the operating system source code is not modified, no extra hardware devices are virtualized and the memory virtualization module is used, the transparency of the platform to the target operating system and the self-consistency of the hardware and software environments are guaranteed, and thereby the credibility and accuracy of the evidence collected.
Brief description of the drawings
Fig. 1 is a schematic diagram of the forensic platform life cycle;
Fig. 2 is a schematic diagram of the forensic platform structure;
Fig. 3 is a schematic diagram of the modular structure;
Fig. 4 is a schematic diagram of the virtual memory layout of the forensic platform;
Fig. 5 is a flow chart of the introspection module.
Embodiment
Below in conjunction with accompanying drawing, the present invention is described further.
The detailed operation workflow of this method as Figure 1-Figure 5.
Shown in Fig. 1 is three life cycles of this method, the unloading phase of comprising, operation phase and unloading phase.Initialization drives for the operating system in operation and disposes and unloading evidence obtaining platform.
The present embodiment has adopted Intel VT technology, when startup, drives by initialization the interior Nuclear Authorization that obtains operating system, and the operation that invoke memory partition function is virtual machine distributes sufficient space, and configuration VMCS structure arranges whole virtual machine.Then current operation system running status is copied in Guest-State Area, and in Host-State Area, configure the event handling function of evidence obtaining platform, each descriptor table, storehouse and register.Finally, control center circulates control in the initialization procedure of each module.Like this, after VMLAUNCH instruction start time, whole platform has completed deployment, CPU can be automatically in the original operating system of virtual machine pattern relaying reforwarding row.When virtual machine operation, if there is Event triggered VM exit, CPU can produce VMexits and enter root mode operation.Now, state when operating system is triggered the event of remaining on, the event handling function of evidence obtaining platform will be called, and each system module can respond corresponding event and in destination OS, collect important evidence.Handle after corresponding event, the operation that evidence obtaining platform invoke VMRESUME recovers destination OS, whole process is transparent to operating system, i.e. operating system itself do not know to move this fact in virtual machine.
In the time that platform unloads, first virtual machine monitor notifies each module to unload.After basic uninstall process completes, monitor will dynamically generate assembly instruction in internal memory, and for closing recovery operation system after virtual machine function, the homing behavior of analog function, turns back to normal operating condition.Successfully close after virtual machine, initialization drives will complete common driving Uninstaller, discharge all internal memories that distributed, and finally complete the uninstall process in operating system.
By above step, this evidence obtaining platform can, on the hardware platform of support hardware Intel Virtualization Technology, obtain high-level authority in the time that destination OS moves, and monitors and collects evidence in being implanted into virtual machine under the condition of the operation of terminating operation system not.
The system architecture schematic diagram for operation phase evidence obtaining platform shown in Fig. 2.Wherein initialization driving, in this stage only for taking operating system memory, prevents from, after the internal memory for configuring virtual machine is given back, causing system crash for other purposes.Wherein, System Control Center provides the control of the support of the most basic hardware virtualization platform, initialization procedure control and uninstall process, and the event handling on basis, the each event handling in hardware virtualization platform is become logic event by the present embodiment, offer again each module, as the CR3 register that writes of reading and writing in control register event is registered and becomes program context handover event, cpuid instruction execution event is registered the external control event that becomes, and the internal memory rights violation event of writing in internal memory permission event is registered into page change event etc.System support module group has realized the basic function of system based on System Control Center, comprise internal memory virtualization, external control, virtual machine introspection and provide the communication function of the signal between multinuclear for smp system.System support module group can continue to increase extra module provides abundanter function.System Control Center and system support module group provide support for evidence obtaining functional module group, simplify the realization of evidence obtaining functional module, be included as it cross-platform support is provided, and the module that makes to collect evidence is paid close attention to the exploitation of Core Feature.
Shown in Fig. 3 is modular structure design diagram.All modules only externally expose 4 group interfaces: initialization interface offers initialization procedure, like this in the time that initialization drives deployment evidence obtaining platform, can call this interface and carry out the initialization of inside modules, comprise the relevant setting of hardware virtualization platform, Memory Allocation, module data structure initialization and module status initialization, evidence obtaining platform itself is without knowing its interior details; Unloading interface provides support for this module of safety unloading, and can call this interface automatic closing function in the time that module or system make a mistake; Evidence obtaining module can be the event registration event handling function monitoring, in the time that critical event occurs, module can produce response to destination OS, tracker state and collection important evidence; Evidence obtaining module is accepted keeper by external control interface and is controlled, and comprises pattern switching, in detail setting and functional switch etc.
Shown in Fig. 4 is the layout situation of this method memory headroom and the embodiment of each system support module.This method will record all memory headrooms that distribute in operating system at initial phase; in the time entering the operation phase; internal memory virtualization module will be opened single-mode; and the region of memory of evidence obtaining platform is hidden destination OS; make associated internal memory only accessed in host pattern ability by hardware protection; prevent that crucial internal memory from being distorted by rogue program, ensured security and the transparency of platform, then ensure the confidence level of the evidence obtaining.
The present embodiment uses Intel's EPT technology to implement the memory virtualization module, which gives the forensic platform and the forensic function module set control over virtual machine memory permissions and second-level address translation. On a processor with N CPUs, the memory virtualization module allocates N+1 second-level page tables during the initialization phase, so that three different operating modes are available in the operation phase:
Closed mode disables memory virtualization entirely and provides no translation from guest physical addresses to actual physical addresses;
Single mode provides one global page table; a change to this page table applies to all CPUs, and the update is delivered to all CPUs through the signaling module, so that after the TLB caches are refreshed the change takes effect on the other CPUs as well;
Fine-grained mode provides an independent page table for each CPU, so the forensic platform can modify the address translation and memory permissions of the virtual machine on one CPU without affecting the remaining cores; the target CPU receives a signal to refresh its TLB cache and apply the update. When an error occurs, the memory virtualization module automatically switches to closed mode.
The virtual machine introspection module consists of an object assembler and a software MMU. By traversing the operating system kernel page tables, the forensic platform keeps, in the high address range, a memory mapping structure identical to that of the target operating system, and introspects the target operating system using introspection logic compiled by the operating system's driver compiler, in order to obtain evidence for computer forensics. So that forensic modules can access memory directly by physical address, the virtual machine introspection module maps physical memory into the low range of host virtual addresses during the initialization phase; the trustworthy physical address ranges are obtained by querying the PCI registers.
The signaling module marks signals in a signal map and notifies the other CPUs through inter-processor interrupts (IPIs) that a signal has arrived; after being notified, each CPU checks the signal map of its own core, completes the associated task and returns success.
The virtual machine introspection module obtains a key data structure of the target operating system by the steps shown in Fig. 5:
Step 1: Using custom logic, obtain the virtual address of an arbitrary data structure in the operating system and the CR3 register value of its corresponding process.
Step 2: The object assembler obtains the size and internal layout of the target data structure from the symbol table or the data structure definition.
Step 3: The object assembler asks the software MMU to translate the virtual address into a physical address using CR3.
Step 4: The software MMU obtains the top-level page table address of the page table structure from the CR3 value, finds the physical address corresponding to the virtual address by a multi-level lookup, and returns it to the object assembler.
Step 5: The object assembler accesses the physical address mapping region of memory and copies the data structure contents to the destination address.
Step 6: The object assembler determines from the physical address and the data structure size whether the data structure crosses a page boundary.
Step 7: If it crosses a page, the object assembler requests from the software MMU the physical address of the next page's virtual address under the same CR3 value, and returns to Step 5.
Step 8: When the object assembler finishes assembling, the destination address supplied by the forensic module contains a complete copy of the target data structure.
Although the present invention has been disclosed above with preferred embodiments, they are not intended to limit the present invention. Persons of ordinary skill in the technical field of the present invention may make various modifications and variations without departing from the spirit and scope of the present invention. Therefore, the protection scope of the present invention is defined by the appended claims.

Claims (9)

1. A modular computer forensic system based on hardware virtualization, characterized in that it comprises an initialization driver, a System Control Center, a system support module set and a forensic function module set; the forensic system facilitates the implementation of each forensic tool, each forensic tool being a module of the forensic function module set under the unified management of the System Control Center, wherein the infrastructure support functions of the forensic system can be extended by adding system support modules or modifying existing ones;
the initialization driver deploys and unloads the forensic platform in a running operating system and hands control to the System Control Center after the initialization procedure completes;
the System Control Center provides support for the hardware virtualization platform, controls the initialization and unloading procedures, preprocesses the target operating system events intercepted by the hardware virtualization platform and delivers them to the forensic function module set;
the system support module set implements the basic functions of the system on top of the System Control Center and includes a signaling module providing inter-core signal communication for SMP systems, an external control module, a memory virtualization module monitoring the memory behaviour of the target operating system, and a virtual machine introspection module obtaining important evidence from the operating system in real time;
the forensic function module set consists of several forensic modules which, supported by the forensic platform, track system state and collect evidence, implement initialization, unloading and external control, and provide an event response interface for the events they need to monitor.
2. The modular computer forensic system based on hardware virtualization according to claim 1, characterized in that each module in the system support module set and the forensic function module set implements, fully or partly, four groups of interfaces, namely an initialization interface, an event response interface, a control interface and an unloading interface; the four groups of interfaces are managed uniformly by the System Control Center, specifically as follows:
(1) the System Control Center manages the initialization interface of each module and controls the initialization order of the modules: during initialization, the System Control Center is initialized first, then the system support module set, and finally the forensic function modules, keeping initialization single-threaded;
(2) the System Control Center manages the control interface of each module; the control interfaces are registered in the external control module and accept its control;
(3) the System Control Center manages the event response interface of each module; the event response interfaces are registered in the event-handling functions for each target operating system event;
(4) the System Control Center manages the unloading interface of each module and controls the unloading order: during unloading, the forensic function modules are unloaded first, then the system support module set, and finally the System Control Center returns CPU control to the target operating system.
3. A forensic method for the modular computer forensic system based on hardware virtualization according to claim 1 or 2, characterized in that the specific steps are as follows:
Step 1, loading phase: the initialization driver requests memory from the target operating system, enables virtual machine mode CPU by CPU, configures the hardware-related virtual machine control data structure and copies each register and the running state of the current operating system into the virtual machine configuration; control of the CPU is then taken over by the System Control Center;
Step 2, operation phase: the hardware platform supporting hardware virtualization automatically intercepts hardware events generated in the virtual machine according to the configuration of the System Control Center, and control flow is trapped into the virtual machine monitor; after preprocessing by the System Control Center, the event is dispatched to the correspondingly registered forensic function modules for processing, and control finally returns to the guest virtual machine;
For hardware events, the specific preprocessing steps of the System Control Center are as follows:
each module in the system configures the hardware virtualization data structures through the System Control Center, ensuring that only events the forensic platform cares about trap into the virtual machine monitor;
(1) when the control flow of the target operating system is trapped into the virtual machine monitor, the System Control Center first registers the hardware event as a logic event;
(2) the System Control Center determines whether the logic event from step (1) is a virtual machine exception or error event; if so, it forcibly closes the function that caused the error and, if the closed function cannot be recovered, reports the error information to the serial port; if not, it proceeds to step (3);
(3) the System Control Center dispatches the logic event to the event response interface of the correspondingly registered forensic function module for processing;
External control events, after being registered from hardware events, are preprocessed as follows: the System Control Center dispatches the external control event to the external control module, which decrypts the control information in the event; if it conforms to the defined format, it is forwarded to the control interface of the correspondingly registered forensic function module for processing; if it does not conform, it is discarded and produces no behaviour;
The processing by the forensic function module specifically consists of: calling the memory virtualization module interface to monitor the memory behaviour of the target operating system, calling the signaling module to propagate control information to other CPUs, using the virtual machine introspection module to obtain important evidence from the operating system in real time, or calling interfaces provided by other forensic modules to obtain the corresponding functions;
Step 3, unloading phase: the initialization driver notifies the System Control Center to unload; the System Control Center first unloads the forensic function modules, then the system support module set, and then returns CPU control to the target operating system; finally the initialization driver returns the memory allocated in Step 1, and unloading is complete.
4. The modular computer forensic method based on hardware virtualization according to claim 3, characterized in that the specific steps of the loading phase in Step 1 are as follows:
(1) the initialization driver requests memory from the operating system; the allocated memory persists for the entire life cycle of the forensic platform and is not returned;
(2) the System Control Center initializes the memory management system, records all memory allocations, builds the page table structure of the virtual host and establishes the mapping from host linear addresses to physical addresses;
(3) the System Control Center first calls the initialization interface of each module in the system support module set to initialize them, then calls the initialization interface of each module in the forensic function module set to initialize them;
(4) the initialization driver checks, CPU by CPU, the hardware platform's support for hardware virtualization and saves the result, enables virtual machine mode, configures the hardware-related virtual machine control data structure and copies the state of the running operating system into the virtual machine;
(5) control of the CPU is taken over by the System Control Center, which sets the virtual host's instruction pointer register, segment registers, flags register and descriptor tables in the virtual machine control data structure, and then resumes the operation of the target operating system;
(6) determine whether all CPUs have been virtualized; if so, proceed to step (7); otherwise return to step (4) and virtualize the next CPU;
(7) when all CPUs have been virtualized, the loading phase ends.
5. The modular computer forensic method based on hardware virtualization according to claim 3, characterized in that registering hardware events as logic events specifically consists of: a write to the CR3 register among control register read/write events is registered as a process context switch event, a CPUID instruction execution event is registered as an external control event, and a memory write permission violation among memory permission events is registered as a page modification event.
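The hardware-to-logic event mapping of claim 5 and the System Control Center preprocessing steps of claim 3, written out in C as an added illustration (this is not the patent's code). The exit reasons, module table, `register_event`/`scc_handle_exit` names and the two demo modules are constructed for the example; hardware events the claim does not name are dropped as `EV_UNKNOWN`, which is an assumption, and the external control decryption path is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Hardware events the platform is configured to trap (a constructed subset). */
enum hw_event { HW_CR_ACCESS, HW_CPUID, HW_EPT_VIOLATION, HW_VMX_FAILURE };

/* Logic events as registered by the System Control Center (claim 5). Hardware events
 * the claim does not name are mapped to EV_UNKNOWN and dropped (an assumption here). */
enum logic_event { EV_CONTEXT_SWITCH, EV_EXTERNAL_CONTROL, EV_PAGE_MODIFY,
                   EV_VM_ERROR, EV_UNKNOWN, EV_COUNT };

struct hw_exit {
    enum hw_event reason;
    int cr_number;         /* HW_CR_ACCESS: which control register */
    int is_write;          /* HW_CR_ACCESS / HW_EPT_VIOLATION: write access? */
    int faulting_module;   /* HW_VMX_FAILURE: index of the module whose configuration failed */
};

/* Claim 5: hardware event -> logic event. */
enum logic_event register_event(const struct hw_exit *e)
{
    switch (e->reason) {
    case HW_CR_ACCESS:     return (e->cr_number == 3 && e->is_write) ? EV_CONTEXT_SWITCH : EV_UNKNOWN;
    case HW_CPUID:         return EV_EXTERNAL_CONTROL;
    case HW_EPT_VIOLATION: return e->is_write ? EV_PAGE_MODIFY : EV_UNKNOWN;
    case HW_VMX_FAILURE:   return EV_VM_ERROR;
    }
    return EV_UNKNOWN;
}

typedef int (*event_fn)(enum logic_event ev, const struct hw_exit *e);

struct forensic_module {
    const char *name;
    event_fn    on_event;      /* event response interface */
    int       (*unload)(void); /* unloading interface: 0 = closed cleanly */
    int         active;
};

#define MAX_MODULES 4
static struct forensic_module modules[MAX_MODULES];
static int nmodules;
static int registered[EV_COUNT][MAX_MODULES];   /* which module wants which logic event */

/* Register a forensic module and the logic events it wants; returns its index. */
int scc_register_module(const struct forensic_module *m, const enum logic_event *events, int n)
{
    if (nmodules == MAX_MODULES) return -1;
    modules[nmodules] = *m;
    modules[nmodules].active = 1;
    for (int i = 0; i < n; i++) registered[events[i]][nmodules] = 1;
    return nmodules++;
}

enum dispatch_result { DISPATCH_OK, DISPATCH_IGNORED, DISPATCH_MODULE_CLOSED, DISPATCH_SERIAL_REPORT };

/* System Control Center preprocessing (claim 3, steps 1-3) for one trapped exit. */
enum dispatch_result scc_handle_exit(const struct hw_exit *e)
{
    enum logic_event ev = register_event(e);                         /* step (1) */
    if (ev == EV_VM_ERROR) {                                         /* step (2) */
        int idx = e->faulting_module;
        if (idx >= 0 && idx < nmodules) {
            modules[idx].active = 0;                                 /* forcibly close it */
            if (modules[idx].unload && modules[idx].unload() == 0) return DISPATCH_MODULE_CLOSED;
            fprintf(stderr, "serial: module %s could not be closed\n", modules[idx].name);
        } else {
            fprintf(stderr, "serial: error from unknown module %d\n", idx);
        }
        return DISPATCH_SERIAL_REPORT;                               /* unrecoverable: report */
    }
    if (ev == EV_UNKNOWN) return DISPATCH_IGNORED;
    int handled = 0;                                                 /* step (3) */
    for (int i = 0; i < nmodules; i++)
        if (modules[i].active && registered[ev][i]) { modules[i].on_event(ev, e); handled++; }
    return handled ? DISPATCH_OK : DISPATCH_IGNORED;
}

/* Two constructed forensic modules: a process tracker and a page monitor. */
int demo_context_switches, demo_page_writes;
static int track_process(enum logic_event ev, const struct hw_exit *e)
{ (void)e; if (ev == EV_CONTEXT_SWITCH) demo_context_switches++; return 0; }
static int watch_pages(enum logic_event ev, const struct hw_exit *e)
{ (void)e; if (ev == EV_PAGE_MODIFY) demo_page_writes++; return 0; }
static int unload_ok(void)    { return 0; }
static int unload_stuck(void) { return -1; }   /* simulates a module that cannot be recovered */

/* Reset the centre and register the two demo modules (indexes 0 and 1). */
void demo_reset(void)
{
    memset(modules, 0, sizeof modules); memset(registered, 0, sizeof registered);
    nmodules = 0; demo_context_switches = demo_page_writes = 0;
    enum logic_event ctx[] = { EV_CONTEXT_SWITCH }, pg[] = { EV_PAGE_MODIFY };
    scc_register_module(&(struct forensic_module){ "proc-tracker", track_process, unload_ok, 0 }, ctx, 1);
    scc_register_module(&(struct forensic_module){ "page-monitor", watch_pages, unload_stuck, 0 }, pg, 1);
}
```

A closed module stops receiving events, so a CR3 write after the tracker's error exit is ignored rather than delivered to half-torn-down code.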
6. The modular computer forensic method based on hardware virtualization according to claim 3, characterized in that the signaling module propagates control information to other CPUs by the following steps:
(1) the signaling module interface is called to send a signal to the other CPUs;
(2) the signaling module records the current signal value and sends an interrupt to the other CPUs;
(3) after receiving the interrupt, each other CPU reads the signal value, performs the corresponding processing and returns success;
(4) the signaling module collects the results of the interrupts in step (3) and returns to the caller of step (1).
7. The modular computer forensic method based on hardware virtualization according to claim 3, characterized in that the memory virtualization module interface monitoring the memory behaviour of the target operating system provides three different operating modes, corresponding to different control models, specifically:
Mode 1: closed mode, memory virtualization is not used;
Mode 2: single operating mode, all cores share one set of second-level page tables, and the virtualization module uniformly controls memory read, write and execute permissions and the translation from guest physical addresses to actual physical addresses;
Mode 3: fine-grained operating mode, each CPU uses an independent second-level page table, and the virtualization module controls the read, write and execute permissions and the translation from guest physical addresses to actual physical addresses of each CPU core separately;
wherein the memory virtualization page table structure maps guest physical memory to actual physical memory, and the complete physical memory layout is obtained by parsing the PCI registers; at run time, if the memory virtualization module raises an exception because of a configuration error, the operating mode automatically switches to Mode 1;
the operating mode switching steps are as follows:
(1) the memory virtualization module is called to set the memory operating mode;
(2) the memory virtualization module calls the signaling module to send a memory-mode-modification signal to all CPUs;
(3) when a CPU receives the signal, the memory virtualization module checks the operating mode value set for the current CPU and then updates the two-level address translation page table of the current CPU;
(4) when all CPUs have successfully updated their page tables, the mode switch returns success;
the specific steps for controlling the translation from guest physical addresses to actual physical addresses and the memory read, write and execute permissions are as follows:
(1) the memory virtualization module is called to specify the memory read, write and execute permissions of a target address or to modify the physical address mapping of the target address; in operating mode 3 the target CPU must also be specified;
(2) the corresponding page table structure is modified: for a permission modification, the read, write or execute permission of the page table entry corresponding to the target address is modified; for a mapping modification, the physical address reference of the page table entry corresponding to the target address is modified;
(3) the signaling module is called to send a TLB and page-structure cache flush to the target CPU;
(4) after the caches in step (3) have been successfully flushed, success is returned.
8. The modular computer forensic method based on hardware virtualization according to claim 3, characterized in that the important evidence obtained in real time from the operating system by the virtual machine introspection module comprises: the running state of the current operating system recorded when an event occurs, and the behaviour of the currently running process; specifically, the details of the task state segment currently running on the hardware, the currently executing code, the current stack structure and the details of the current process; and it assists the forensic module set in obtaining copies of data structures in the operating system in real time as evidence.
9. The modular computer forensic method based on hardware virtualization according to claim 8, characterized in that the evidence the virtual machine introspection module assists the forensic module set in obtaining from the operating system in real time comprises static content and dynamic data structures in the operating system; the assistance given to the forensic module set comprises the translation of operating system virtual addresses and the assembly of data structures that cross pages; the logic for obtaining a target data structure is completed by the corresponding forensic function module, with the following specific steps:
(1) the address of the root static data structure is obtained from a static symbol in the operating system kernel; the source of the address is the exported symbol table or the driver compiler of the target operating system;
(2) the virtual machine introspection module accesses the static data structure directly from within the virtual machine monitor; if it is the target data structure, its copy is returned to the calling forensic module; if not, the forensic module selects the next data structure pointed to by this static data structure and hands it to the introspection module for processing;
(3) the introspection module passes the operating system virtual address to the software MMU, which, using this virtual address and the corresponding CR3 value, walks the guest operating system's page table structure and obtains the physical address from the corresponding PTE;
(4) from the physical address of step (3) and the size of the data structure described in the symbol table, the object assembler determines whether the data structure crosses a page boundary; if it does, the object assembler automatically computes the operating system virtual address of the next page and returns to step (3); if it does not, the object assembler reads the physical memory content directly, assembles the memory content obtained so far into a copy of the data structure, and proceeds to step (5);
(5) if the copy of the data structure obtained in step (4) is not the final data structure, return to step (3) and continue resolving the next data structure required by the forensic module; if it is the final data structure, return it to the forensic module.
CN201410202898.0A 2014-05-14 2014-05-14 Modular computer forensic system and method based on hardware virtualization Expired - Fee Related CN104021063B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410202898.0A CN104021063B (en) 2014-05-14 2014-05-14 Modular computer forensic system and method based on hardware virtualization

Publications (2)

Publication Number Publication Date
CN104021063A true CN104021063A (en) 2014-09-03
CN104021063B CN104021063B (en) 2015-03-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150311

Termination date: 20210514
