Content of the invention
To solve the above problems, the invention provides a malicious code analysis method and system for the Linux platform that avoids the security risk introduced by the traditional approach of modifying the system call table, avoids the large performance loss that approach imposes on the system, provides more accurate and genuinely useful monitoring information, increases the volume of data communicated and the ease of use, flexibility and efficiency of the system, and better satisfies users' requirements for malicious code analysis.
To achieve the above object, the invention provides a malicious code analysis method for the Linux platform, the method comprising:
Step 1, setting the critical file information to be monitored and displaying it in interface form, where the critical file information includes: filename, file owning user, user group and file access permissions;
Step 2, loading and executing the malicious code to be analysed and, at the same time, setting the process to be monitored according to the process information shown in the interface;
Step 3, passing the critical file information and the monitored process information to the monitoring module in kernel space, where the monitoring module synchronously generates a critical file list and a monitored process information list from the critical file information and the monitored process information;
Step 4, the monitoring module monitoring in real time the monitored process's accesses to critical files and, according to the access permissions of the critical file and of the monitored process, refusing or allowing the monitored process's operation on the critical file;
Step 5, the monitoring module recording the monitored process's operations on critical files and saving the monitored process's operation information on critical files in a log queue;
Step 6, passing the log information in the log queue to the log processing routine of the user module and displaying the log information in interface form.
Further, step 2 includes:
Step 21, entering in turn the numerically named directories of the /proc file system and performing a read() operation on the status file in each directory to obtain process information, which includes: executable name, process number, parent process number, effective user EUID, effective group EGID and core image;
Step 22, storing the process information in a struct process_info structure and linking it into a linked list;
Step 23, obtaining the process information from the linked list in turn and showing it to the user in interface form;
Step 24, the user designating the malicious code process as the monitored process according to the process information shown.
Further, step 4 includes:
Step 41, the monitoring module intercepting the system call passed down from the VFS layer by modifying the VFS function jump table to point to a custom interception function, thereby obtaining the file object on which the upper-layer system call is to operate;
Step 42, the filter_process_hash() function obtaining the process number and parent process number of the process to which this system call belongs; using the process number as the key, it is compared in turn against the monitored process information list, and if a match is found the current process is a monitored process; if no match is found, the parent process number is used as the key and compared in turn against the monitored process information list, and if a match is found the current process is a monitored process and step 43 is executed; if neither matches, nothing is done and execution continues to the lower-layer concrete file system processing function;
the filter_file_hash() function intercepting the file object to be operated on, obtaining the critical file's filename and owning user UID from the file object and, using the filename and owning user UID together as the key, comparing in turn against the critical file list; if both match, the current file is a monitored critical file and step 43 is executed; otherwise nothing is done and execution continues to the lower-layer concrete file system processing function;
Step 43, performing a permission comparison between the monitored process and the critical file and, according to the comparison result, refusing or allowing the monitored process's operation on the critical file.
Further, step 6 includes:
Step 61, obtaining log information from the log queue and writing the obtained log information into the shared memory created by the monitoring module;
Step 62, asynchronously notifying the log processing routine, which reads the log information, processes it, stores it in a log buffer area and displays the log information in the log buffer area to the user in interface form.
Where, in step 6:
the log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process, together with the filename, file owning user UID and user group GID of the critical file operated on, and the operation command.
To achieve the above object, the invention also provides a malicious code analysis and processing system for the Linux platform, the system comprising:
a preprocessing module, which sets the critical file information and access permissions to be monitored and displays them in interface form, where the critical file information includes: filename, file owning user UID, user group GID and file access permissions;
a malicious code loading module, which loads and executes the malicious code to be analysed and, at the same time, sets the process to be monitored according to the content shown in the interface;
a synchronous generation module, which passes the critical file information and the monitored process information to the kernel-space monitoring module, where the monitoring module synchronously generates a critical file list and a monitored process information list from the critical file information and the monitored process information;
a monitoring processing module, in which the monitoring module monitors in real time the monitored process's accesses to critical files and, according to the access permissions of the critical file and of the monitored process, refuses or allows the monitored process's operation on the critical file;
a record saving module, in which the monitoring module records the monitored process's operations on critical files and saves the monitored process's operation information on critical files in a log queue;
a transmission display module, which passes the log information in the log queue to the log processing routine of the user module and displays the log information in interface form.
Further, the malicious code loading module includes:
an operation processing module, which enters in turn the numerically named directories of the /proc file system and performs a read() operation on the status file in each directory to obtain process information, which includes: executable name, process number, parent process number, effective user EUID, effective group EGID and core image;
a link processing module, which stores the process information in a struct process_info structure and links it into a linked list;
an obtain-and-display module, which obtains the process information from the linked list in turn and shows it to the user in interface form;
a designation processing module, by which the user designates the malicious code process as the monitored process according to the process information shown.
Further, the monitoring processing module includes:
an interception processing module, in which the monitoring module intercepts the system call passed down from the VFS layer by modifying the VFS function jump table to point to a custom interception function, thereby obtaining the file object on which the upper-layer system call is to operate;
a comparison processing module, in which the filter_process_hash() function obtains the process number and parent process number of the process to which this system call belongs; using the process number as the key, it is compared in turn against the monitored process information list, and if a match is found the current process is a monitored process; if no match is found, the parent process number is used as the key and compared in turn against the monitored process information list, and if a match is found the current process is a monitored process and the execution module is entered; if neither matches, nothing is done and execution continues to the lower-layer concrete file system processing function;
the filter_file_hash() function intercepts the file object to be operated on, obtains the critical file's filename and owning user UID from the file object and, using the filename and owning user UID together as the key, compares in turn against the critical file list; if both match, the current file is a monitored critical file and the execution module is entered; otherwise nothing is done and execution continues to the lower-layer concrete file system processing function;
an execution module, which performs a permission comparison between the monitored process and the critical file and, according to the comparison result, refuses or allows the monitored process's operation on the critical file.
Further, the transmission display module includes:
a write processing module, which obtains log information from the log queue and writes the obtained log information into the shared memory created by the monitoring module;
an asynchronous processing module, which asynchronously notifies the log processing routine; the log processing routine reads the log information, processes it, stores it in a log buffer area and displays the log information in the log buffer area to the user in interface form.
Where, in the transmission display module:
the log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process, together with the filename, file owning user UID and user group GID of the critical file operated on, and the operation command.
The beneficial effects of the invention are:
(1) Dynamic loading is achieved with LKM technology, and the point at which system calls are intercepted lies between the VFS layer and the concrete file system, so more information related to the file operation can be obtained and more accurate and useful monitoring information is provided.
(2) System call interception does not require modifying the system call table, so the security risk introduced by the traditional approach of modifying the system call table is avoided.
(3) By requesting a block of shared memory in the kernel, the log information obtained by the monitoring module is passed to user space. Using the shared memory mechanism both raises the communication speed between the kernel module and the user process and increases the volume of data communicated.
(4) The critical files and the process to be monitored are chosen by the user, which greatly improves the ease of use, flexibility and efficiency of the system and better meets users' requirements for malicious code analysis.
(5) Only the malicious code process and a number of important critical files are selected for monitoring, which avoids a large performance loss for the system and improves the running speed of the analysis system.
The invention is described below in conjunction with the drawings and specific embodiments, which are not to be taken as limiting the invention.
Specific embodiment
Fig. 1 is a flow diagram of the malicious code analysis method for the Linux platform according to the invention. As shown in Fig. 1, the method includes:
Step 1, setting the critical file information to be monitored and displaying it in interface form, where the critical file information includes: filename, file owning user UID, user group GID and file access permissions;
Step 2, loading and executing the malicious code to be analysed and, at the same time, setting the process to be monitored according to the content shown in the interface;
Step 3, passing the critical file information and the monitored process information to the kernel-space monitoring module, where the monitoring module synchronously generates a critical file list and a monitored process information list from the critical file information and the monitored process information;
Step 4, the monitoring module monitoring in real time the monitored process's accesses to critical files and, according to the access permissions of the critical file and of the monitored process, refusing or allowing the monitored process's operation on the critical file;
Step 5, the monitoring module recording the monitored process's operations on critical files and saving the monitored process's operation information on critical files in a log queue;
Step 6, passing the log information in the log queue to the log processing routine of the user module and displaying the log information in interface form.
Further, step 2 includes:
Step 21, entering in turn the numerically named directories of the /proc file system and performing a read() operation on the status file in each directory to obtain process information, which includes: executable name, process number, parent process number, effective user EUID, effective group EGID and core image;
Step 22, storing the process information in a struct process_info structure and linking it into a linked list;
Step 23, obtaining the process information from the linked list in turn and showing it to the user in interface form;
Step 24, the user designating the malicious code process as the monitored process according to the process information shown.
Further, step 4 includes:
Step 41, the monitoring module intercepting the system call passed down from the VFS layer by modifying the VFS function jump table to point to a custom interception function, thereby obtaining the file object on which the upper-layer system call is to operate;
Step 42, the filter_process_hash() function obtaining the process number and parent process number of the process to which this system call belongs; using the process number as the key, it is compared in turn against the monitored process information list, and if a match is found the current process is a monitored process; if no match is found, the parent process number is used as the key and compared in turn against the monitored process information list, and if a match is found the current process is a monitored process and step 43 is executed; if neither matches, the function returns, that is, this system call is not processed any further and execution continues to the lower-layer concrete file system processing function;
the filter_file_hash() function intercepting the file object to be operated on, obtaining the critical file's filename and owning user UID from the file object and, using the filename and owning user UID together as the key, comparing in turn against the critical file list; if both match, the current file is a monitored critical file and step 43 is executed; otherwise the function returns, that is, if the comparison fails, the file to be operated on is not a critical file set by the user, so this system call is not processed any further and execution continues to the lower-layer concrete file system processing function;
Step 43, performing a permission comparison between the monitored process and the critical file and, according to the comparison result, refusing or allowing the monitored process's operation on the critical file.
Further, step 6 includes:
Step 61, obtaining log information from the log queue and writing the obtained log information into the shared memory created by the monitoring module;
Step 62, asynchronously notifying the log processing routine, which reads the log information, processes it, stores it in a log buffer area and displays the log information in the log buffer area to the user in interface form.
Where, in step 6:
the log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process, together with the filename, file owning user UID and user group GID of the critical file operated on, and the operation command.
Fig. 2 is a schematic diagram of the malicious code analysis system for the Linux platform according to the invention. As shown in Fig. 2, the system includes:
a preprocessing module 100, which sets the critical file information to be monitored and displays it in interface form, where the critical file information includes: filename, file owning user UID, user group GID and file access permissions;
a malicious code loading module 200, which loads and executes the malicious code to be analysed and, at the same time, sets the process to be monitored according to the content shown in the interface;
a synchronous generation module 300, which passes the critical file information and the monitored process information to the kernel-space monitoring module, where the monitoring module synchronously generates a critical file list and a monitored process information list from the critical file information and the monitored process information;
a monitoring processing module 400, in which the monitoring module monitors in real time the monitored process's accesses to critical files and, according to the access permissions of the critical file and of the monitored process, refuses or allows the monitored process's operation on the critical file;
a record saving module 500, in which the monitoring module records the monitored process's operations on critical files and saves the monitored process's operation information on critical files in a log queue;
a transmission display module 600, which passes the log information in the log queue to the log processing routine of the user module and displays the log information in interface form.
Further, the malicious code loading module 200 includes:
an operation processing module, which enters in turn the numerically named directories of the /proc file system and performs a read() operation on the status file in each directory to obtain process information, which includes: executable name, process number, parent process number, effective user EUID, effective group EGID and core image;
a link processing module, which stores the process information in a struct process_info structure and links it into a linked list;
an obtain-and-display module, which obtains the process information from the linked list in turn and shows it to the user in interface form;
a designation processing module, by which the user designates the malicious code process as the monitored process according to the process information shown.
Further, the monitoring processing module 400 includes:
an interception processing module, in which the monitoring module intercepts the system call passed down from the VFS layer by modifying the VFS function jump table to point to a custom interception function, thereby obtaining the file object on which the upper-layer system call is to operate;
a comparison processing module, in which the filter_process_hash() function obtains the process number and parent process number of the process to which this system call belongs; using the process number as the key, it is compared in turn against the monitored process information list, and if a match is found the current process is a monitored process; if no match is found, the parent process number is used as the key and compared in turn against the monitored process information list, and if a match is found the current process is a monitored process and the execution module is entered; if neither matches, the function returns, that is, this system call is not processed any further and execution continues to the lower-layer concrete file system processing function;
the filter_file_hash() function intercepts the file object to be operated on, obtains the critical file's filename and owning user UID from the file object and, using the filename and owning user UID together as the key, compares in turn against the critical file list; if both match, the current file is a monitored critical file and the execution module is entered; otherwise the function returns, that is, if the comparison fails, the file to be operated on is not a critical file set by the user, so this system call is not processed any further and execution continues to the lower-layer concrete file system processing function;
an execution module, which performs a permission comparison between the monitored process and the critical file and, according to the comparison result, refuses or allows the monitored process's operation on the critical file.
Further, the transmission display module 600 includes:
a write processing module, which obtains log information from the log queue and writes the obtained log information into the shared memory created by the monitoring module;
an asynchronous processing module, which asynchronously notifies the log processing routine; the log processing routine reads the log information, processes it, stores it in a log buffer area and displays the log information in the log buffer area to the user in interface form.
Where, in the transmission display module 600:
the log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process, together with the filename, file owning user UID and user group GID of the critical file operated on, and the operation command.
Fig. 3 is an architecture diagram of the malicious code analysis system for the Linux platform according to one embodiment of the invention. One embodiment of the malicious code analysis method for the Linux platform according to the invention is described with reference to Fig. 3. The malicious code analysis method of this embodiment includes:
Step 1, the user setting the critical file information through the user module;
Step 2, the submit-and-execute code routine of the user module loading and executing the malicious code to be analysed and, at the same time, the user setting the process to be monitored through the user module;
Step 3, the proc communication routine of the communication module passing the critical file information and monitored process information set by the user module to the monitoring module;
Step 4, the monitoring module monitoring in real time the process's accesses to critical files and, according to the effective user EUID and effective group EGID of the process accessing the critical file, the owning user UID and user group GID of the critical file, and the access permission settings for the critical file's owning user and user group, refusing or allowing the monitored process's operation on the critical file;
Step 5, the monitoring module recording the monitored process's access operations on critical files and recording the monitored process information, the critical file information and the operation information in the log through write_log_info();
Step 6, the log information obtained by the monitoring module being passed to the user module through the mmap communication routine of the communication module.
Further, step 1 includes:
A1. The user provides the critical file information to be monitored, including attributes such as the filename filename, file owning user UID, user group GID and file access permissions, and sets different access permissions for the different users in the system;
A2. The user adds and deletes critical file information through the two interface functions add_keyfile() and del_keyfile() provided by the user module;
A3. The critical file setting routine of the user module shows the critical file information to the user in interface form through the show_keyfile() function.
Further, step 2 includes:
B1. The submit-and-execute code routine of the user module calls the load_execute() function to load and execute the malicious code to be analysed from the specified path; at the same time, the process information setting routine of the user module calls the get_process_info() function, which enters in turn the numerically named directories of the /proc file system;
B2. After entering each process directory, the process information setting routine performs a read() operation on the status file to obtain process information such as the executable name name, process number pid, parent process number ppid, effective user EUID, effective user group EGID and memory map mmaps;
B3. The information of each process is stored in a struct process_info structure and linked into the linked list processes_info;
B4. The process information setting routine calls the read_process_info() function to obtain the information of each process in turn from processes_info and shows it to the user in interface form through show_process_info();
B5. The user adds and deletes process information through the two interface functions add_process_info() and del_process_info() provided by the user module;
B6. According to the process information shown by the user module, the user designates the malicious code process as the monitored process.
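As an added illustration of steps B1 to B4 (not code from the patent), the following Python enumerates the numerically named /proc directories, parses each status file into a process_info-style record and links the records into a list. The field set of ProcessInfo, the parse_status() helper and the constructed two-process tree used for offline runs are assumptions; the memory map is read from the maps file when it exists.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample /proc/[pid]/status content (not captured from a real system).
SAMPLE_STATUS = (
    "Name:\tsuspicious\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "PPid:\t1\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)


@dataclass
class ProcessInfo:
    """User-space counterpart of the patent's struct process_info (field set assumed)."""
    name: str
    pid: int
    ppid: int
    euid: int
    egid: int
    maps: Optional[str] = None   # contents of /proc/[pid]/maps when readable


def parse_status(text: str) -> ProcessInfo:
    """Parse the 'Key:\\tvalue' lines of a status file. The Uid and Gid lines
    carry real, effective, saved and filesystem ids; the effective id is field 2."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip().split()
    return ProcessInfo(
        name=" ".join(fields["Name"]),
        pid=int(fields["Pid"][0]),
        ppid=int(fields["PPid"][0]),
        euid=int(fields["Uid"][1]),
        egid=int(fields["Gid"][1]),
    )


def get_process_info(proc_root: str = "/proc") -> List[ProcessInfo]:
    """Enter each numerically named directory under proc_root, read its status
    file (and maps file when present) and link the results into a list."""
    processes_info: List[ProcessInfo] = []
    numeric = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for entry in numeric:
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                info = parse_status(fh.read())
        except (OSError, KeyError, ValueError):
            continue  # process exited between listdir() and read(), or unreadable
        maps_path = os.path.join(proc_root, entry, "maps")
        if os.path.exists(maps_path):
            try:
                with open(maps_path) as fh:
                    info.maps = fh.read()
            except OSError:
                pass  # maps is often unreadable for other users' processes
        processes_info.append(info)
    return processes_info


def build_constructed_proc(root: str) -> None:
    """Write a constructed two-process fake proc tree for offline runs."""
    os.makedirs(os.path.join(root, "4242"))
    with open(os.path.join(root, "4242", "status"), "w") as fh:
        fh.write(SAMPLE_STATUS)
    child = SAMPLE_STATUS.replace("Pid:\t4242", "Pid:\t4243").replace("PPid:\t1", "PPid:\t4242")
    os.makedirs(os.path.join(root, "4243"))
    with open(os.path.join(root, "4243", "status"), "w") as fh:
        fh.write(child)
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries are skipped


def demo() -> List[ProcessInfo]:
    """Enumerate the constructed tree and return the list that would be shown to the user."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_proc(root)
        return get_process_info(root)


if __name__ == "__main__":
    for p in demo():
        print(f"{p.name:<12} pid={p.pid} ppid={p.ppid} euid={p.euid} egid={p.egid}")
```

Calling get_process_info() with the default "/proc" argument lists the live system instead of the constructed tree.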
Further, step 3 includes:
C1. The user module passes the critical file information and monitored process information to the monitoring module through the send_config_info() interface function of the communication module;
C2. The critical file control routine of the monitoring module calls proc_mkdir() and create_proc_entry() to create the directory key_file and the file config_file under it in the /proc file system;
C3. The process information control routine of the monitoring module calls proc_mkdir() and create_proc_entry() to create the directory process_info and the file config_process under it in the /proc file system;
C4. The proc communication routine of the communication module writes the critical file configuration information and process configuration information passed by send_config_info() into the files the monitoring module created in /proc through create_proc_entry();
C5. The critical file control routine of the monitoring module obtains, through the system calls sys_open() and sys_read(), the critical file setting command written by the user module and its file information from the /proc file system;
C6. The critical file control routine calls the create_file_list() function to synchronously generate the critical file list and uses the update_file_list() function to update the critical file list;
C7. The process information control routine of the monitoring module obtains, through the system calls sys_open() and sys_read(), the process setting command written by the user module and its process information from the /proc file system;
C8. The process information control routine calls the create_process_list() function to synchronously generate the process information list and uses the update_process_list() function to update the process information list.
Further, step 4 includes:
D1. The system call interception and filtering routine of the monitoring module modifies the f_op object pointer in the file structure of the file opened by the process so that it no longer points to the inode's file operation methods but jumps instead to the my_operation(struct file *fp, void *buf, filldir_t filldir) function of the system call interception and filtering routine;
D2. The file object the process wants to operate on is obtained through the my_operation() function, and the owning user UID and filename filename of this file are obtained by printing fp->f_uid and fp->f_dentry->d_name.name;
D3. The filter_process_list(current->pid, ppid) function obtains the process number pid and parent process number ppid of the process to which this system call belongs; first, with pid as the key, it compares against the process information list, and if matching process information exists in the list the current process is a monitored process; if no match is found, it compares against the process information list with ppid as the key, and if a match is found this process is a child process created by the monitored process the user set up initially and also needs to be monitored; if no match is found, the function returns;
D4. The filter_file_list(UID, filename) function, with the owning user UID and filename filename of the current file object obtained above as the key, compares against the critical file list; if a critical file matching both exists in the critical file list, the current file is a critical file set by the user; otherwise the function returns;
D5. The cmp_authority() function performs a permission comparison between the process's effective user EUID and effective group EGID and the critical file's owning user UID and user group GID and, according to the access permissions set for the critical file's owning user and user group, determines whether the operation is refused or allowed.
Further, step 5 includes:
E1. If the monitored malicious code process has permission to access the critical file, its access is allowed, and the process information, critical file information and access operation information are recorded in the log queue struct log_queue through the write_log_info() function;
E2. If the monitored malicious code process does not have permission to access the critical file, its access is refused, and the process information, critical file information and operation information are likewise recorded in the log queue struct log_queue through the write_log_info() function;
E3. The information recorded by the write_log_info() function includes the monitored process's executable name name, process number pid, parent process number ppid, effective user EUID and effective group EGID, the filename filename, owning user UID and user group GID of the critical file operated on, and the executed command, such as file I/O operations (read, write), changing the file pointer (lseek), opening, closing or creating a file (open, close, create), and so on;
E4. The monitoring module calls get_share_memory() to obtain a block of shared memory in the kernel, then passes the attributes of this shared memory, namely its start address sharememory_addr and length sharememory_size, to the user module through the proc file system;
E5. The user module obtains the start address and length of the shared memory by reading the proc file system and maps the shared memory block into its address space by calling mmap();
E6. The monitoring module writes the log into this shared memory, and the user module reads the log information from the shared memory block with the read() function.
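The decision path of steps D3 to D5 and the log record of E1 to E3, modelled in user space as an added example (not the patent's kernel code). The function names follow the patent; the encoding of the configured access permissions as permitted-operation sets for the file's owner, its group and everyone else, the data class layouts and the constructed processes and critical file are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessInfo:
    name: str
    pid: int
    ppid: int
    euid: int
    egid: int


@dataclass(frozen=True)
class KeyFile:
    """A user-configured critical file. The three permitted-operation sets are an
    assumed encoding of the patent's per-user access permissions (step A1)."""
    filename: str
    uid: int
    gid: int
    owner_ops: FrozenSet[str]
    group_ops: FrozenSet[str]
    other_ops: FrozenSet[str]


@dataclass(frozen=True)
class LogEntry:
    """Fields recorded by write_log_info() according to step E3."""
    name: str
    pid: int
    ppid: int
    euid: int
    egid: int
    filename: str
    uid: int
    gid: int
    command: str
    allowed: bool


class Monitor:
    def __init__(self, processes: List[ProcessInfo], key_files: List[KeyFile]):
        self.process_list: Dict[int, ProcessInfo] = {p.pid: p for p in processes}
        self.file_list: Dict[Tuple[str, int], KeyFile] = {(f.filename, f.uid): f for f in key_files}
        self.log_queue: Deque[LogEntry] = deque()   # struct log_queue

    def filter_process_list(self, pid: int, ppid: int) -> bool:
        """Step D3: match on pid first, then on ppid so that children spawned by
        the monitored process are monitored as well."""
        return pid in self.process_list or ppid in self.process_list

    def filter_file_list(self, uid: int, filename: str) -> Optional[KeyFile]:
        """Step D4: both the owning UID and the filename must match."""
        return self.file_list.get((filename, uid))

    def cmp_authority(self, proc: ProcessInfo, kf: KeyFile, command: str) -> bool:
        """Step D5: choose the owner, group or other permission set by comparing the
        process EUID/EGID with the file UID/GID, then check the requested command."""
        if proc.euid == kf.uid:
            permitted = kf.owner_ops
        elif proc.egid == kf.gid:
            permitted = kf.group_ops
        else:
            permitted = kf.other_ops
        return command in permitted

    def write_log_info(self, proc: ProcessInfo, kf: KeyFile, command: str, allowed: bool) -> None:
        """Steps E1/E2: both allowed and refused accesses are queued."""
        self.log_queue.append(LogEntry(proc.name, proc.pid, proc.ppid, proc.euid, proc.egid,
                                       kf.filename, kf.uid, kf.gid, command, allowed))

    def my_operation(self, current: ProcessInfo, file_uid: int, filename: str, command: str) -> str:
        """Interception entry point. 'pass' means the call is handed to the lower-layer
        file system untouched; otherwise the decision is 'allow' or 'deny'."""
        if not self.filter_process_list(current.pid, current.ppid):
            return "pass"
        kf = self.filter_file_list(file_uid, filename)
        if kf is None:
            return "pass"
        allowed = self.cmp_authority(current, kf, command)
        self.write_log_info(current, kf, command, allowed)
        return "allow" if allowed else "deny"


def demo() -> Tuple[List[str], List[LogEntry]]:
    # Constructed configuration: one monitored process, one of its children,
    # an unrelated process and one critical file owned by root.
    malware = ProcessInfo("suspicious", 4242, 1, 1000, 1000)
    child = ProcessInfo("sh", 4243, 4242, 1000, 1000)
    editor = ProcessInfo("vi", 999, 1, 1000, 1000)
    passwd = KeyFile("/etc/passwd", 0, 0,
                     owner_ops=frozenset({"open", "read", "write", "close"}),
                     group_ops=frozenset({"open", "read", "close"}),
                     other_ops=frozenset({"open", "read", "close"}))
    mon = Monitor([malware], [passwd])
    results = [
        mon.my_operation(malware, 0, "/etc/passwd", "read"),     # allow
        mon.my_operation(malware, 0, "/etc/passwd", "write"),    # deny, logged
        mon.my_operation(child, 0, "/etc/passwd", "write"),      # child matched via ppid
        mon.my_operation(editor, 0, "/etc/passwd", "write"),     # not monitored: pass
        mon.my_operation(malware, 1000, "/home/u/notes", "write"),  # not a critical file
    ]
    return results, list(mon.log_queue)


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(entry)
```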
Further, step 6 includes:
F1. The communication module calls get_log_info() to obtain log information from the log queue struct log_queue of the monitoring module;
F2. The mmap communication routine writes the obtained log information, through send_log_info(), into the shared memory the monitoring module created through get_share_memory();
F3. The mmap communication routine asynchronously notifies the log processing routine of the user module to read the log information;
F4. The log processing routine calls read_log() to read the log information from the shared memory created by the monitoring module and, after processing it, calls write_log() to store it in the log buffer area;
F5. The log processing routine calls get_log() to extract the log from the log buffer area and displays the log information in interface form through show_log().
Further, in step 6:
G1. The log information supplied to the user for analysis includes the monitored process's executable name name, process number pid, parent process number ppid, effective user EUID and user group EGID, the filename filename, owning user UID and user group GID of the critical file accessed, and the operation command (commands such as read, write, create and close);
G2. The user analyses the malicious code according to the monitored process's operation records on critical files.
Of course, the invention may also have various other embodiments. Without departing from the spirit and essence of the invention, those skilled in the art can make various corresponding changes and modifications according to the invention, and all such corresponding changes and modifications fall within the scope of protection of the appended claims of the invention.