CN104102878B - Malicious code analysis method and system under Linux platform - Google Patents

Info

Publication number: CN104102878B
Application number: CN201310123502.9A
Authority: CN (China)
Prior art keywords: file, information, monitored, module, user
Legal status: Active (application granted)
Other languages: Chinese (zh)
Other versions: CN104102878A
Inventors: 何振学, 田昕晖, 孙毓忠
Current assignee: Beijing Zhongke Flux Technology Co., Ltd.
Original assignee: Institute of Computing Technology of CAS
Application filed by: Institute of Computing Technology of CAS
Priority to: CN201310123502.9A
Publications: CN104102878A (application), CN104102878B (granted patent)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The present invention provides a malicious code analysis method and system for the Linux platform. LKM technology is used so that the analysis module can be loaded dynamically; system calls are intercepted between the VFS layer and the concrete file system, where more information related to the file operation is available, which yields more accurate and useful monitoring information. The interception does not modify the system call table, which avoids the security risks of the traditional approach of modifying that table. A shared memory mechanism raises both the communication speed between the kernel module and the user process and the volume of data that can be transferred. The user selects the key files and processes to be monitored, which improves the usability, flexibility and efficiency of the system and better meets the user's requirements for malicious code analysis. Only the malicious code process and a number of important key files are monitored, which avoids a large performance loss and speeds up the analysis system.

Description

A malicious code analysis method and system under a Linux platform

Technical field

The invention relates to the field of malicious code analysis on the Linux platform, and in particular to a malicious code analysis method and system for the Linux platform.

Background art

While the Internet has brought convenience and efficiency to people's lives, security incidents have risen year by year. The large number of viruses and Trojans on the network seriously harms people's property, the safety of industrial production and national information security. Among these hazards, the losses and harm caused by executable malicious code are especially prominent. The prevalence of malicious code has raised security awareness and prompted its study from many angles. As malicious code has kept developing, new variants have appeared endlessly and unpredictably, and traditional debugger-based detection and sample analysis techniques have long been unable to keep up with the analysis of new malicious code. Developing a targeted and efficient malicious code analysis platform is therefore urgent.

Malicious code analysis is the basis of malicious code incident response and computer forensics; analysing the behaviour and functions of malicious code yields useful information for loss assessment and system recovery. Analysis based on monitoring system call behaviour rests on the observation that, wherever an attacker comes from and whatever actions are taken, the intrusion into, control of or damage to the target system must ultimately be carried out through the system calls of the target system. One of the design philosophies of Linux and UNIX is that "everything is a file", so the malicious operations performed by malicious code on the target system can ultimately be reduced to operations on files. The system calls invoked while malicious code executes, and the files they ultimately operate on, are directly related to the attack behaviour and function of the malicious code. Intercepting the system calls invoked by the malicious code and monitoring the operations of the malicious code process on files therefore achieves the purpose of malicious code analysis.

In existing Linux-based malicious code analysis methods, the system call interception technique traditionally uses the interrupt vector table to obtain the address of the interrupt handler and then searches the handler's memory for a characteristic instruction sequence to obtain the address of the system call table; alternatively, the address of the system call table is obtained by reading /dev/kmem, System.map or kallsyms. The entry address of each system call service routine to be intercepted is saved, and the original entry in the system call table is then overwritten with the address of a custom handler so that the call jumps to the monitoring program. Malicious code analysis methods based on this traditional interception technique have the following problems:

(1) In kernels from Linux 2.6 onward, for security reasons the system call table is no longer exported as a symbol and has to be located by searching for characteristic instructions. This method presupposes that application requests enter the kernel through the INT 0x80 instruction; for the SYSENTER or SYSCALL instructions it fails.

(2) Intercepting system calls by obtaining the address of the system call table from the /dev/kmem device file carries potential security risks.

(3) In traditional malicious code analysis methods the interception takes place at the system call layer, above the VFS layer, so more detailed information related to the malicious code cannot be obtained.

(4) Modifying the system call table creates security risks and is not robust in a multi-threaded environment.

Summary of the invention

To solve the above problems, the present invention provides a malicious code analysis method and system for the Linux platform that avoids the security risks of the traditional method of modifying the system call table, avoids a large performance loss of the system, provides more accurate and useful monitoring information, increases the volume of data that can be transferred between kernel and user space, and improves the usability, flexibility and efficiency of the system, so as to better meet users' requirements for malicious code analysis.

To achieve the above objective, the present invention provides a malicious code analysis method for the Linux platform, the method comprising:

Step 1: set the key file information to be monitored and display it in an interface, the key file information including the file name, the user and user group the file belongs to, and the file access permissions;

Step 2: load and execute the malicious code to be analysed, and set the process to be monitored according to the process information displayed in the interface;

Step 3: pass the key file information and the monitored process information to the monitoring module in kernel space, which synchronously generates a key file list and a monitored process information list from them;

Step 4: the monitoring module monitors the monitored process's accesses to the key files in real time and, according to the access permissions of the key file and of the monitored process, denies or allows the operation of the monitored process on the key file;

Step 5: the monitoring module records the operations of the monitored process on the key files and saves the operation information to a log queue;

Step 6: pass the log information in the log queue to the log processing routine of the user module and display it in an interface.

Further, step 2 comprises:

Step 21: enter in turn each numerically named directory of the /proc file system and perform a read() operation on the status file in each, obtaining process information comprising the executable file name, process number, parent process number, effective user EUID, effective group EGID and memory image;

Step 22: store the process information in a struct process_info structure and link it into a linked list;

Step 23: fetch the process information from the linked list in turn and display it to the user in an interface;

Step 24: the user designates the malicious code process as the monitored process according to the displayed process information.

Further, step 4 comprises:

Step 41: the monitoring module intercepts the system call passed down from the VFS layer by modifying the VFS function jump table to point at a custom interception function, and thereby obtains the file object that the upper-layer system call is about to operate on;

Step 42: the filter_process_hash() function obtains the process number and parent process number of the process issuing the system call and compares the process number in turn against the entries of the monitored process information list; if a match is found, the current process is a monitored process. If no match is found, the parent process number is used as the key and compared in turn against the list; if a match is found, the current process is a monitored process and step 43 is performed; otherwise nothing is done and execution continues into the lower-layer concrete file system handler;

The filter_file_hash() function intercepts the file object about to be operated on, obtains from it the file name and the owner UID of the file, and compares both in turn against the key file list; if both match, the current file is a monitored key file and step 43 is performed; otherwise nothing is done and execution continues into the lower-layer concrete file system handler;

Step 43: compare the permissions of the monitored process and the key file, and deny or allow the operation of the monitored process on the key file according to the result.

Further, step 6 comprises:

Step 61: fetch the log information from the log queue and write it into the shared memory created by the monitoring module;

Step 62: asynchronously notify the log processing routine, which reads the log information, processes it, stores it in a log buffer and displays the contents of the log buffer to the user in an interface.

Wherein, in step 6:

The log information comprises the executable file name, process number, parent process number, effective user EUID and effective group EGID of the monitored process, together with the file name, owner UID and group GID of the key file operated on, and the operation command.

To achieve the above objective, the present invention also provides a malicious code analysis and processing system for the Linux platform, the system comprising:

a preprocessing module, which sets the key file information and access permissions to be monitored and displays them in an interface, the key file information including the file name, the owner UID and group GID of the file, and the file access permissions;

a malicious code loading module, which loads and executes the malicious code to be analysed and sets the process to be monitored according to the content displayed in the interface;

a synchronous generation module, which passes the key file information and monitored process information to the monitoring module in kernel space, the monitoring module synchronously generating a key file list and a monitored process information list from them;

a monitoring processing module, in which the monitoring module monitors the monitored process's accesses to the key files in real time and, according to the access permissions of the key file and of the monitored process, denies or allows the operation of the monitored process on the key file;

a record saving module, in which the monitoring module records the operations of the monitored process on the key files and saves the operation information to a log queue;

a transfer and display module, which passes the log information in the log queue to the log processing routine of the user module and displays it in an interface.

Further, the malicious code loading module comprises:

an operation processing module, which enters in turn each numerically named directory of the /proc file system and performs a read() operation on the status file in each, obtaining process information comprising the executable file name, process number, parent process number, effective user EUID, effective group EGID and memory image;

a link processing module, which stores the process information in a struct process_info structure and links it into a linked list;

an acquisition and display module, which fetches the process information from the linked list in turn and displays it to the user in an interface;

a designation processing module, in which the user designates the malicious code process as the monitored process according to the displayed process information.

Further, the monitoring processing module comprises:

an interception processing module, in which the monitoring module intercepts the system call passed down from the VFS layer by modifying the VFS function jump table to point at a custom interception function, and thereby obtains the file object that the upper-layer system call is about to operate on;

a comparison processing module, in which the filter_process_hash() function obtains the process number and parent process number of the process issuing the system call and compares the process number in turn against the entries of the monitored process information list; if a match is found, the current process is a monitored process. If no match is found, the parent process number is used as the key and compared in turn against the list; if a match is found, the current process is a monitored process and the execution module is entered; otherwise nothing is done and execution continues into the lower-layer concrete file system handler;

The filter_file_hash() function intercepts the file object about to be operated on, obtains from it the file name and the owner UID of the file, and compares both in turn against the key file list; if both match, the current file is a monitored key file and the execution module is entered; otherwise nothing is done and execution continues into the lower-layer concrete file system handler;

an execution module, which compares the permissions of the monitored process and the key file, and denies or allows the operation of the monitored process on the key file according to the result.

Further, the transfer and display module comprises:

a write processing module, which fetches the log information from the log queue and writes it into the shared memory created by the monitoring module;

an asynchronous processing module, which asynchronously notifies the log processing routine; the log processing routine reads the log information, processes it, stores it in a log buffer and displays the contents of the log buffer to the user in an interface.

Wherein, in the transfer and display module:

The log information comprises the executable file name, process number, parent process number, effective user EUID and effective group EGID of the monitored process, together with the file name, owner UID and group GID of the key file operated on, and the operation command.

The beneficial effects of the present invention are:

(1) LKM technology allows dynamic loading, and system calls are intercepted between the VFS layer and the concrete file system, where more information related to the file operation is available, so more accurate and useful monitoring information can be provided.

(2) System call interception does not require modifying the system call table, which avoids the security risks of the traditional method of modifying that table.

(3) A block of shared memory is allocated in the kernel and used to pass the log information obtained by the monitoring module to user space. The shared memory mechanism both raises the communication speed between the kernel module and the user process and increases the volume of data that can be transferred.

(4) The key files and processes to be monitored are selected by the user, which greatly improves the usability, flexibility and efficiency of the system and better meets the user's requirements for malicious code analysis.

(5) Only the malicious code process and a number of important key files are monitored, which avoids a large performance loss and speeds up the analysis system.

The present invention is described in detail below with reference to the accompanying drawings and specific embodiments, which are not to be taken as limiting the invention.

Description of drawings

Fig. 1 is a flowchart of the malicious code analysis method for the Linux platform of the present invention;

Fig. 2 is a schematic diagram of the malicious code analysis system for the Linux platform of the present invention;

Fig. 3 is an architecture diagram of the malicious code analysis system for the Linux platform according to an embodiment of the present invention.

Detailed description

Fig. 1 is a flowchart of the malicious code analysis method for the Linux platform of the present invention. As shown in Fig. 1, the method comprises:

Step 1: set the key file information to be monitored and display it in an interface, the key file information including the file name, the owner UID and group GID of the file, and the file access permissions;

Step 2: load and execute the malicious code to be analysed, and set the process to be monitored according to the content displayed in the interface;

Step 3: pass the key file information and the monitored process information to the monitoring module in kernel space, which synchronously generates a key file list and a monitored process information list from them;

Step 4: the monitoring module monitors the monitored process's accesses to the key files in real time and, according to the access permissions of the key file and of the monitored process, denies or allows the operation of the monitored process on the key file;

Step 5: the monitoring module records the operations of the monitored process on the key files and saves the operation information to a log queue;

Step 6: pass the log information in the log queue to the log processing routine of the user module and display it in an interface.

Further, step 2 comprises:

Step 21: enter in turn each numerically named directory of the /proc file system and perform a read() operation on the status file in each, obtaining process information comprising the executable file name, process number, parent process number, effective user EUID, effective group EGID and memory image;

Step 22: store the process information in a struct process_info structure and link it into a linked list;

Step 23: fetch the process information from the linked list in turn and display it to the user in an interface;

Step 24: the user designates the malicious code process as the monitored process according to the displayed process information.
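Steps 21 to 24 as an added example (not the patent's code): a user-space C program that parses the fields the patent names out of /proc/<pid>/status text and chains them into a linked list of struct process_info. The status texts are constructed sample input embedded in the program; the field names, the list helpers and the treatment of kernel threads that have no VmSize line are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One node of the process list of steps 21-22. The field set follows the
 * patent; the field names and layout are this example's own choice. */
struct process_info {
    char name[64];     /* executable file name (Name: line) */
    int pid;           /* process number (Pid:) */
    int ppid;          /* parent process number (PPid:) */
    int euid;          /* effective UID: second column of Uid: */
    int egid;          /* effective GID: second column of Gid: */
    long vm_size_kb;   /* memory image size (VmSize:), 0 for kernel threads */
    struct process_info *next;
};

/* Constructed sample contents of two /proc/<pid>/status files (a subset of the
 * lines a real kernel emits); a real tool reads every numeric /proc directory. */
const char *const SAMPLE_STATUS_A =
    "Name:\tsample_bin\n"
    "Tgid:\t4321\n"
    "Pid:\t4321\n"
    "PPid:\t1200\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "VmSize:\t   18432 kB\n";

const char *const SAMPLE_STATUS_B =                /* kernel thread: no VmSize */
    "Name:\tkworker/0:1\n"
    "Pid:\t17\n"
    "PPid:\t2\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n";

/* Step 21: parse one status file. Returns 0 when Name, Pid, PPid, Uid and Gid
 * were all found, -1 otherwise (VmSize is optional). */
int parse_status(const char *text, struct process_info *pi)
{
    unsigned seen = 0;
    char line[256];
    memset(pi, 0, sizeof(*pi));
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof(line)) len = sizeof(line) - 1;   /* truncate long lines */
        memcpy(line, text, len);
        line[len] = '\0';
        /* Literal prefixes keep "Pid:" from matching "PPid:"/"Tgid:"; "%*d" skips
         * the real UID/GID column so the second (effective) column is stored. */
        if (sscanf(line, "Name: %63[^\n]", pi->name) == 1)        seen |= 1u;
        else if (sscanf(line, "Pid: %d", &pi->pid) == 1)          seen |= 2u;
        else if (sscanf(line, "PPid: %d", &pi->ppid) == 1)        seen |= 4u;
        else if (sscanf(line, "Uid: %*d %d", &pi->euid) == 1)     seen |= 8u;
        else if (sscanf(line, "Gid: %*d %d", &pi->egid) == 1)     seen |= 16u;
        else sscanf(line, "VmSize: %ld kB", &pi->vm_size_kb);
        if (!nl) break;
        text = nl + 1;
    }
    return seen == 31u ? 0 : -1;
}

/* Step 22: copy a parsed entry into a new node linked at the head. */
struct process_info *list_push(struct process_info *head, const struct process_info *src)
{
    struct process_info *node = malloc(sizeof(*node));
    if (!node) return head;                         /* out of memory: keep old list */
    *node = *src;
    node->next = head;
    return node;
}

/* Build the list from status texts; entries that fail to parse are skipped,
 * since a process may exit between listing /proc and reading its status. */
struct process_info *build_list(const char *const *texts, size_t n)
{
    struct process_info *head = NULL, tmp;
    for (size_t i = 0; i < n; i++)
        if (parse_status(texts[i], &tmp) == 0)
            head = list_push(head, &tmp);
    return head;
}

/* Step 24 support: find the entry the user selected by process number. */
const struct process_info *list_find(const struct process_info *head, int pid)
{
    while (head && head->pid != pid) head = head->next;
    return head;
}

void list_free(struct process_info *head)
{
    for (struct process_info *next; head; head = next) { next = head->next; free(head); }
}

int main(void)
{
    const char *const texts[] = { SAMPLE_STATUS_A, SAMPLE_STATUS_B };
    struct process_info *list = build_list(texts, 2);
    for (const struct process_info *p = list; p; p = p->next)       /* step 23 */
        printf("%-14s pid=%d ppid=%d euid=%d egid=%d vm=%ld kB\n", p->name, p->pid, p->ppid, p->euid, p->egid, p->vm_size_kb);
    list_free(list);
    return 0;
}
```

Against a live system the same parser runs over the bytes returned by read() on each /proc/<pid>/status file, as step 21 describes.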

Further, step 4 comprises:

Step 41: the monitoring module intercepts the system call passed down from the VFS layer by modifying the VFS function jump table to point at a custom interception function, and thereby obtains the file object that the upper-layer system call is about to operate on;

Step 42: the filter_process_hash() function obtains the process number and parent process number of the process issuing the system call and compares the process number in turn against the entries of the monitored process information list; if a match is found, the current process is a monitored process. If no match is found, the parent process number is used as the key and compared in turn against the list; if a match is found, the current process is a monitored process and step 43 is performed; if not, the function returns, that is, the system call is not processed in any way and continues on to the lower-layer concrete file system handler;

The filter_file_hash() function intercepts the file object about to be operated on, obtains from it the file name and the owner UID of the file, and compares both in turn against the key file list; if both match, the current file is a monitored key file and step 43 is performed; otherwise the function returns, that is, if no match is found the file about to be operated on is not a key file set by the user, so the system call is not processed in any way and continues on to the lower-layer concrete file system handler;

Step 43: compare the permissions of the monitored process and the key file, and deny or allow the operation of the monitored process on the key file according to the result.
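The decision logic of steps 42 and 43, together with the step 5 log record, modelled in user space as an added example (this is not the patent's code). The hook placement itself is not shown; the bit mask of operations, the verdict enum and every name other than the two filter functions are this example's assumptions, and lookups are sequential, as the patent describes.

```c
#include <stdio.h>
#include <string.h>

/* Operation classes the hook distinguishes. The patent only speaks of "the
 * operation"; the bit mask is this example's own representation. */
enum file_op { OP_READ = 1, OP_WRITE = 2, OP_UNLINK = 4 };

/* PASS_THROUGH: not a monitored process or not a key file, so the call goes
 * on to the concrete file system untouched. ALLOW/DENY: step 43 verdicts. */
enum verdict { PASS_THROUGH, ALLOW, DENY };

struct key_file {
    const char *name;   /* file name; matched together with ...          */
    int uid;            /* ... the owner UID (step 42: both must match)  */
    int gid;            /* group GID, carried into the log record        */
    unsigned allowed;   /* operations the monitored process may perform  */
};

struct monitor_ctx {
    const struct key_file *files; size_t nfiles;   /* key file list       */
    const int *pids;              size_t npids;    /* monitored pid list  */
};

/* Constructed configuration: one monitored process and two key files. */
static const struct key_file DEMO_FILES[] = {
    { "/etc/passwd", 0, 0, OP_READ },                 /* readable, never writable */
    { "/home/analyst/notes.txt", 1000, 1000, OP_READ | OP_WRITE },
};
static const int DEMO_PIDS[] = { 4321 };
const struct monitor_ctx DEMO_CTX = { DEMO_FILES, 2, DEMO_PIDS, 1 };

/* Counterpart of filter_process_hash(): a process is monitored if its pid is
 * listed or, failing that, if its parent's pid is, so children spawned by
 * the sample are caught as well. Returns 1 when monitored. */
int filter_process(const struct monitor_ctx *ctx, int pid, int ppid)
{
    for (size_t i = 0; i < ctx->npids; i++)
        if (ctx->pids[i] == pid) return 1;
    for (size_t i = 0; i < ctx->npids; i++)
        if (ctx->pids[i] == ppid) return 1;
    return 0;
}

/* Counterpart of filter_file_hash(): name and owner UID must both match. */
const struct key_file *filter_file(const struct monitor_ctx *ctx, const char *name, int uid)
{
    for (size_t i = 0; i < ctx->nfiles; i++)
        if (ctx->files[i].uid == uid && strcmp(ctx->files[i].name, name) == 0)
            return &ctx->files[i];
    return NULL;
}

/* What the interception function decides between the VFS layer and the
 * concrete file system (steps 42-43). */
enum verdict hook_decide(const struct monitor_ctx *ctx, int pid, int ppid,
                         const char *fname, int fuid, enum file_op op)
{
    if (!filter_process(ctx, pid, ppid))
        return PASS_THROUGH;
    const struct key_file *kf = filter_file(ctx, fname, fuid);
    if (!kf)
        return PASS_THROUGH;
    return (kf->allowed & op) ? ALLOW : DENY;          /* step 43: permission comparison */
}

/* Step 5 log record with the fields the patent lists. Returns the length
 * written, or -1 when out is too small (the record is then not emitted). */
int format_log(char *out, size_t outsz, const char *exe, int pid, int ppid,
               int euid, int egid, const struct key_file *kf, enum file_op op, enum verdict v)
{
    static const char *const opname[] = { "?", "read", "write", "?", "unlink" };
    int n = snprintf(out, outsz,
                     "%s pid=%d ppid=%d euid=%d egid=%d file=%s uid=%d gid=%d op=%s %s",
                     exe, pid, ppid, euid, egid, kf->name, kf->uid, kf->gid,
                     (unsigned)op < 5 ? opname[op] : "?", v == DENY ? "DENIED" : "ALLOWED");
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    char line[256];
    enum verdict v = hook_decide(&DEMO_CTX, 4321, 1200, "/etc/passwd", 0, OP_WRITE);
    if (v != PASS_THROUGH &&
        format_log(line, sizeof line, "sample_bin", 4321, 1200, 1000, 1000,
                   filter_file(&DEMO_CTX, "/etc/passwd", 0), OP_WRITE, v) > 0)
        puts(line);
    return 0;
}
```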

进一步的,所述步骤6包括:Further, said step 6 includes:

步骤61,从所述日志队列中获取日志信息,并将获取的日志信息写入到所述监控模块创建的共享内存中;Step 61, obtaining log information from the log queue, and writing the obtained log information into the shared memory created by the monitoring module;

步骤62,异步通知所述日志处理例程,所述日志处理例程读取日志信息,经过处理之后,将其存放在日志缓冲区,并以界面的形式将所述日志缓冲区中的日志信息展示给用户。Step 62, asynchronously notify the log processing routine, the log processing routine reads the log information, stores it in the log buffer after processing, and stores the log information in the log buffer in the form of an interface displayed to the user.

其中,所述步骤6中:Wherein, in the step 6:

所述日志信息包括被监控进程的可执行文件名,进程号,父进程号,有效用户EUID,有效组EGID,以及操作的关键文件的文件名,文件所属用户UID,用户组GID,和操作命令。The log information includes the executable file name of the monitored process, the process number, the parent process number, the effective user EUID, the effective group EGID, and the file name of the key file of the operation, the user UID to which the file belongs, the user group GID, and the operation command .

Fig. 2 is a schematic diagram of the malicious code analysis system under the Linux platform according to the present invention. As shown in Fig. 2, the system includes:

A preprocessing module 100, which sets the key file information that needs to be monitored and displays it in the form of an interface, where the key file information includes: file name, owner UID, group GID, and file access permissions;

A malicious code loading module 200, which loads and executes the malicious code to be analyzed and, at the same time, sets the processes to be monitored according to the content shown on the interface;

A synchronous generation module 300, which passes the key file information and the monitored process information to the monitoring module in kernel space; the monitoring module synchronously generates a key file list and a monitored process information list from the key file information and the monitored process information;

A monitoring processing module 400, in which the monitoring module monitors the monitored processes' access to key files in real time and denies or allows a monitored process's operation on a key file according to the access permissions of the key file and the monitored process;

A record saving module 500, in which the monitoring module records the monitored processes' operations on key files and saves the operation information in a log queue;

A transfer and display module 600, which passes the log information in the log queue to the log processing routine of the user module and displays the log information in the form of an interface.

Further, the malicious code loading module 200 includes:

An operation processing module, which enters the numerically named directories of the /proc file system in turn and performs a read() operation on the status file in each directory to obtain process information, the process information including: executable file name, process ID, parent process ID, effective user EUID, effective group EGID, and memory map;

A link processing module, which stores the process information in a struct process_info and links it into a linked list;

An acquisition and display module, which obtains the process information from the linked list in turn and displays it to the user through an interface;

A designation processing module, in which the user designates the malicious code process as the monitored process according to the displayed process information.

Further, the monitoring processing module 400 includes:

An interception processing module, in which the monitoring module intercepts the system call passed down from the VFS layer by modifying the VFS function jump table to point to a custom interception function, thereby obtaining the file object that the upper-layer system call intends to operate on;

A comparison processing module, in which the filter_process_hash() function obtains the process ID and parent process ID of the process issuing the system call and, using the process ID as the key, compares it in turn against the monitored process information list. If the comparison succeeds, the current process is a monitored process; if it fails, the parent process ID is used as the key and compared in turn against the monitored process information list. If that comparison succeeds, the current process is a monitored process and the execution module is entered; if it fails, the module returns, that is, the system call is not processed in any way and continues on to the lower-level concrete file system handler;

The filter_file_hash() function intercepts the file object about to be operated on, obtains the key file's file name and owner UID from the file object and, using the file name and owner UID as keys, compares them in turn against the key file list. If both match, the current file is a monitored key file and the execution module is entered; otherwise the function returns, that is, if the comparison fails, the file to be operated on is not a key file set by the user, the system call is not processed in any way, and it continues on to the lower-level concrete file system handler;

An execution module, which compares the permissions of the monitored process with those of the key file and denies or allows the monitored process's operation on the key file according to the result.

Further, the transfer and display module 600 includes:

A write processing module, which obtains log information from the log queue and writes it into the shared memory created by the monitoring module;

An asynchronous processing module, which asynchronously notifies the log processing routine; the log processing routine reads the log information, processes it, stores it in a log buffer, and displays the log information in the log buffer to the user in the form of an interface.

Wherein, in the transfer and display module 600:

The log information includes the executable file name, process ID, parent process ID, effective user EUID and effective group EGID of the monitored process, together with the file name, owner UID and group GID of the key file operated on, and the operation command.

Fig. 3 is an architecture diagram of a malicious code analysis system under the Linux platform according to an embodiment of the present invention. An embodiment of the malicious code analysis method under the Linux platform of the present invention is described with reference to Fig. 3. The malicious code handling method under the Linux platform of this embodiment includes:

Step 1: the user sets the key file information through the user module;

Step 2: the submit-and-execute routine of the user module loads and executes the malicious code to be analyzed, and at the same time the user sets the processes to be monitored through the user module;

Step 3: the proc communication routine of the communication module passes the key file information and monitored process information set by the user module to the monitoring module;

Step 4: the monitoring module monitors processes' access to key files in real time and, based on the effective user EUID and effective group EGID of the accessing process, the owner UID and group GID of the key file, and the access permissions set for the key file's owner and group, denies or allows the monitored process's operation on the key file;

Step 5: the monitoring module records the monitored process's access operations on key files and writes the monitored process information, key file information and operation information to the log via write_log_info();

Step 6: the log information obtained by the monitoring module is passed to the user module through the mmap communication routine of the communication module.

Further, step 1 includes:

A1. The user provides the key file information to be monitored, including attributes such as the file name filename, the owner UID, the group GID and the file access permissions, and sets different access permissions for different users of the system;

A2. The user adds and deletes key file information through the two interface functions add_keyfile() and del_keyfile() provided by the user module;

A3. The key file setting routine of the user module displays the key file information to the user through an interface via the show_keyfile() function.

Further, step 2 includes:

B1. The submit-and-execute routine of the user module calls the load_execute() function to load and execute the malicious code to be analyzed from the specified path; at the same time, the process information setting routine of the user module calls the get_process_info() function to enter the numerically named directories of the /proc file system in turn;

B2. After entering each process directory, the process information setting routine performs a read() operation on the status file to obtain process information such as the executable file name name, process ID pid, parent process ID ppid, effective user EUID, effective group EGID and memory map mmaps;

B3. The information of each process is stored in a struct process_info and linked into the linked list processes_info;

B4. The process information setting routine calls the read_process_info() function to obtain each process's information from processes_info in turn and displays it to the user through an interface via show_process_info();

B5. The user adds and deletes process information through the two interface functions add_process_info() and del_process_info() provided by the user module;

B6. The user designates the malicious code process as the monitored process according to the process information displayed by the user module.
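Steps B1 to B3 amount to a small parser over /proc/<pid>/status. The following user-space C program is an added example, not the patent's code: it parses the fields the patent collects (name, pid, ppid, effective UID and GID) into a struct process_info and links it into a processes_info list. The struct layout, the function names, the embedded status text (constructed, so the program runs offline) and the choice of the second Uid/Gid column as the effective ids are this example's assumptions; read_status_file() additionally reads a live entry when /proc is available.

```c
/* Added example (not the patent's code): build the struct process_info list
 * of steps B1-B3 from /proc/<pid>/status text. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct process_info {
    char name[64];          /* executable name, from "Name:" */
    int pid, ppid;          /* from "Pid:" and "PPid:" */
    unsigned euid, egid;    /* effective ids: second column of "Uid:"/"Gid:" */
    struct process_info *next;
};

/* Constructed /proc/<pid>/status excerpt for the offline run (assumed values). */
static const char SAMPLE_STATUS[] =
    "Name:\tevil_sample\n"
    "Umask:\t0022\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t1\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1001\t1001\t1001\n";

/* Parse the "Key:\tvalue" lines of a status body. Uid/Gid carry the real,
 * effective, saved and filesystem ids; the monitor keys on the effective pair,
 * so the second column is kept. Returns 0 when Name, Pid and PPid were found. */
int parse_status(const char *text, struct process_info *pi)
{
    unsigned a, b;
    int v;
    memset(pi, 0, sizeof *pi);
    pi->pid = pi->ppid = -1;
    while (text && *text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (sscanf(line, "Uid:\t%u\t%u", &a, &b) == 2)      pi->euid = b;
        else if (sscanf(line, "Gid:\t%u\t%u", &a, &b) == 2) pi->egid = b;
        else if (sscanf(line, "Pid:\t%d", &v) == 1)         pi->pid = v;
        else if (sscanf(line, "PPid:\t%d", &v) == 1)        pi->ppid = v;
        else sscanf(line, "Name:\t%63[^\n]", pi->name);    /* no-op on other keys */
        text = nl ? nl + 1 : NULL;
    }
    return (pi->name[0] && pi->pid >= 0 && pi->ppid >= 0) ? 0 : -1;
}

/* Step B2 on a live process: read /proc/<pid>/status and parse it. */
int read_status_file(int pid, struct process_info *pi)
{
    char path[64], buf[4096];
    FILE *f;
    size_t n;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    if (!(f = fopen(path, "r"))) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status(buf, pi);
}

/* Step B3: copy a parsed entry onto the head of the processes_info list. */
int add_process_info(struct process_info **head, const struct process_info *src)
{
    struct process_info *n = malloc(sizeof *n);
    if (!n) return -1;
    *n = *src;
    n->next = *head;
    *head = n;
    return 0;
}

void free_process_list(struct process_info *head)
{
    while (head) { struct process_info *n = head->next; free(head); head = n; }
}

int main(void)
{
    struct process_info pi, *processes_info = NULL;
    if (parse_status(SAMPLE_STATUS, &pi) == 0) add_process_info(&processes_info, &pi);
    if (read_status_file(1, &pi) == 0) add_process_info(&processes_info, &pi); /* live entry if /proc exists */
    for (struct process_info *p = processes_info; p; p = p->next)
        printf("%-16s pid=%d ppid=%d euid=%u egid=%u\n", p->name, p->pid, p->ppid, p->euid, p->egid);
    free_process_list(processes_info);
    return 0;
}
```

Keying on the effective rather than the real ids matters for the later permission comparison: a set-uid sample presents its effective ids to the file system, and those are what step 4 compares against the key file's owner and group.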

Further, step 3 includes:

C1. The user module sends the key file information and monitored process information to the monitoring module through the send_config_info() interface function of the communication module;

C2. The key file control routine of the monitoring module calls proc_mkdir() and create_proc_entry() to create the directory key_file and the file config_file under it in the /proc file system;

C3. The process information control routine of the monitoring module calls proc_mkdir() and create_proc_entry() to create the directory process_info and the file config_process under it in the /proc file system;

C4. The proc communication routine of the communication module writes the key file configuration and process configuration, via send_config_info(), into the files the monitoring module created under /proc with create_proc_entry();

C5. The key file control routine of the monitoring module obtains, through the system calls sys_open() and sys_read(), the key file setting commands and file information written by the user module to the /proc file system;

C6. The key file control routine calls the create_file_list() function to synchronously generate the key file list and uses the update_file_list() function to update it;

C7. The process information control routine of the monitoring module obtains, through the system calls sys_open() and sys_read(), the process setting commands and process information written by the user module to the /proc file system;

C8. The process information control routine calls the create_process_list() function to synchronously generate the process information list and uses the update_process_list() function to update it.

Further, step 4 includes:

D1. The system call interception and filtering routine of the monitoring module modifies the f_op pointer in the file structure of the file opened by the process so that it no longer points to the inode's file operations but jumps to the routine's my_operation(struct file *fp, void *buf, filldir_t filldir) function;

D2. The my_operation() function obtains the file object of the file the process intends to operate on and, by printing fp->f_uid and fp->f_dentry->d_name.name, obtains the file's owner UID and file name filename;

D3. The filter_process_list(current->pid, ppid) function obtains the process ID pid and parent process ID ppid of the process issuing the system call. First the pid is used as the key for comparison against the process information list; if a matching entry exists, the current process is a monitored process. If that comparison fails, the ppid is used as the key; if this comparison succeeds, the process is a child created by the process the user originally set as monitored and must be monitored too. If the comparison fails, the function returns;

D4. The filter_file_list(UID, filename) function uses the owner UID and file name filename of the file object just obtained as keys for comparison against the key file list; if a key file matching both exists, the current file is a key file set by the user; otherwise the function returns;

D5. The cmp_authority() function compares the permissions of the process's effective user EUID and effective group EGID against the key file's owner UID and group GID and, according to the access permissions set for the key file's owner and group, decides whether to deny or allow the operation.
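Steps D3 to D5 (and steps 41 to 43 of the method above) form one decision path: is the caller monitored, is the target a key file, and do the caller's effective ids satisfy the file's owner/group permission settings. The following C program is an added example, not the patent's code, that runs that path in user space over constructed lists. The arrays, the op enumeration, the mapping of operations to rwx bits, the three-way PASS/ALLOW/DENY verdict and the absence of a root bypass are this example's assumptions; the patent names only the functions and the ids being compared.

```c
/* Added example (not the patent's code): the decision path of steps D3-D5
 * as plain user-space functions over constructed lists. */
#include <stddef.h>
#include <string.h>

enum op { OP_READ, OP_WRITE, OP_LSEEK, OP_OPEN, OP_CLOSE, OP_CREATE, OP_EXEC };
/* PASS: not a monitored process or not a key file, the call falls through untouched. */
enum verdict { V_PASS = 0, V_ALLOW = 1, V_DENY = 2 };

struct proc_entry { int pid; unsigned euid, egid; };
struct key_file   { const char *filename; unsigned uid, gid; unsigned mode; };

/* Constructed monitored process list (step B6) and key file list (step A1). */
static const struct proc_entry monitored[] = { { 4242, 1000, 1000 } };
static const struct key_file key_files[] = {
    { "passwd",     0,    0,    0644 },
    { "secret.key", 1000, 1000, 0600 },
    { "run.sh",     1000, 1000, 0750 },
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Step D3: the process itself or its parent must be on the monitored list,
 * so children spawned by the sample are covered as well. */
int filter_process_list(int pid, int ppid)
{
    for (size_t i = 0; i < COUNT(monitored); i++)
        if (monitored[i].pid == pid) return 1;
    for (size_t i = 0; i < COUNT(monitored); i++)
        if (monitored[i].pid == ppid) return 1;
    return 0;
}

/* Step D4: both the owner UID and the file name must match an entry. */
const struct key_file *filter_file_list(unsigned uid, const char *filename)
{
    for (size_t i = 0; i < COUNT(key_files); i++)
        if (key_files[i].uid == uid && strcmp(key_files[i].filename, filename) == 0)
            return &key_files[i];
    return NULL;
}

/* Assumed mapping of intercepted operations to the rwx bit they require;
 * lseek and close act on an already open descriptor and need none. */
static unsigned needed_bits(enum op op)
{
    switch (op) {
    case OP_READ: case OP_OPEN:    return 04;
    case OP_WRITE: case OP_CREATE: return 02;
    case OP_EXEC:                  return 01;
    default:                       return 0;
    }
}

/* Step D5: select the owner, group or other triplet of the key file's mode
 * from the caller's effective ids. Unlike the kernel's DAC check, this policy
 * gives root no bypass (an assumption of this example, not a patent claim). */
int cmp_authority(unsigned euid, unsigned egid, const struct key_file *kf, enum op op)
{
    unsigned need = needed_bits(op), have;
    if (euid == kf->uid)      have = (kf->mode >> 6) & 07;
    else if (egid == kf->gid) have = (kf->mode >> 3) & 07;
    else                      have = kf->mode & 07;
    return (have & need) == need;
}

/* The whole path my_operation() would run on one intercepted call. */
enum verdict decide(int pid, int ppid, unsigned euid, unsigned egid,
                    unsigned file_uid, const char *filename, enum op op)
{
    const struct key_file *kf;
    if (!filter_process_list(pid, ppid)) return V_PASS;
    if (!(kf = filter_file_list(file_uid, filename))) return V_PASS;
    return cmp_authority(euid, egid, kf, op) ? V_ALLOW : V_DENY;
}
```

The third verdict is the part worth noticing: a non-monitored process or a non-key file is not "allowed", it is left alone, exactly as the text says the system call is "not processed in any way". Keeping that case distinct from ALLOW is what lets the monitor log only decisions it actually made.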

Further, step 5 includes:

E1. If the monitored malicious code process has permission to access the key file, its access is allowed, and the process information, key file information and access operation information are recorded in the log queue struct log_queue through the write_log_info() function;

E2. If the monitored malicious code process does not have permission to access the key file, its access is denied, and the process information, key file information and operation information are likewise recorded in the log queue struct log_queue through the write_log_info() function;

E3. The information recorded by the write_log_info() function includes the monitored process's executable file name name, process ID pid, parent process ID ppid, effective user EUID and effective group EGID, the operated key file's file name filename, owner UID and group GID, and the executed command, such as file I/O operations (read, write), moving the file pointer (lseek), opening/closing/creating files (open, close, create), and so on;

E4. The monitoring module calls get_share_memory() to obtain a block of shared memory in the kernel and passes its attributes, namely the start address sharememory_addr and the length sharememory_size, to the user module through the proc file system;

E5. The user module obtains the start address and length of the shared memory by reading the proc file system and maps the block into its address space by calling mmap();

E6. The monitoring module writes the log into the shared memory, and the user module reads the log information from it with the read() function.

Further, step 6 includes:

F1. The communication module calls get_log_info() to obtain log information from the monitoring module's log queue struct log_queue;

F2. The mmap communication routine writes the obtained log information, via send_log_info(), into the shared memory the monitoring module created with get_share_memory();

F3. The mmap communication routine asynchronously notifies the log processing routine of the user module to read the log information;

F4. The log processing routine calls read_log() to read the log information from the shared memory created by the monitoring module and, after processing it, calls write_log() to store it in the log buffer;

F5. The log processing routine calls get_log() to extract the log from the log buffer and displays the log information in the form of an interface through show_log().
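Steps E1 to E3 describe what write_log_info() records and steps F1 to F5 how it is drained and shown. The following C program is an added example, not the patent's code: a fixed-capacity struct log_queue with a write_log_info()/get_log_info() pair and a one-line renderer of the kind show_log() would use. The record layout, the capacity, the drop-on-full policy and the text format are this example's assumptions; the kernel/user shared-memory hand-off of steps E4 to E6 and F2 to F3 is not modelled here.

```c
/* Added example (not the patent's code): the log queue of steps E1-E3 and
 * F1, with the display line of step F5. */
#include <stdio.h>
#include <string.h>

#define LOG_CAP 64   /* assumed capacity */

struct log_record {
    char name[32];  int pid, ppid;  unsigned euid, egid;   /* monitored process */
    char filename[64];  unsigned uid, gid;                 /* key file */
    char op[8];  int allowed;                              /* operation and verdict */
};

/* Ring buffer. head/tail are free-running unsigned counters, so tail - head
 * is the number of queued records and the counters wrap without harm. */
struct log_queue {
    struct log_record rec[LOG_CAP];
    unsigned head, tail, dropped;
};

void log_queue_init(struct log_queue *q) { memset(q, 0, sizeof *q); }
unsigned log_queue_len(const struct log_queue *q) { return q->tail - q->head; }

/* Steps E1/E2: every decision is queued, allowed or denied. A full queue drops
 * the record and counts the drop instead of blocking the intercepted call. */
int write_log_info(struct log_queue *q, const char *name, int pid, int ppid,
                   unsigned euid, unsigned egid, const char *filename,
                   unsigned uid, unsigned gid, const char *op, int allowed)
{
    struct log_record *r;
    if (log_queue_len(q) == LOG_CAP) { q->dropped++; return -1; }
    r = &q->rec[q->tail % LOG_CAP];
    snprintf(r->name, sizeof r->name, "%s", name);
    snprintf(r->filename, sizeof r->filename, "%s", filename);
    snprintf(r->op, sizeof r->op, "%s", op);
    r->pid = pid;  r->ppid = ppid;  r->euid = euid;  r->egid = egid;
    r->uid = uid;  r->gid = gid;  r->allowed = allowed;
    q->tail++;
    return 0;
}

/* Step F1: dequeue the oldest record. Returns 1 on success, 0 when empty. */
int get_log_info(struct log_queue *q, struct log_record *out)
{
    if (log_queue_len(q) == 0) return 0;
    *out = q->rec[q->head % LOG_CAP];
    q->head++;
    return 1;
}

/* Step F5: one display line carrying the fields listed in step G1. */
int format_log_line(const struct log_record *r, char *buf, size_t n)
{
    return snprintf(buf, n,
                    "%s proc=%s pid=%d ppid=%d euid=%u egid=%u file=%s uid=%u gid=%u op=%s",
                    r->allowed ? "ALLOW" : "DENY", r->name, r->pid, r->ppid,
                    r->euid, r->egid, r->filename, r->uid, r->gid, r->op);
}

int main(void)
{
    struct log_queue q;
    struct log_record r;
    char line[256];
    log_queue_init(&q);
    /* constructed records for the offline run */
    write_log_info(&q, "evil_sample", 4242, 1, 1000, 1000, "passwd", 0, 0, "read", 1);
    write_log_info(&q, "evil_sample", 4242, 1, 1000, 1000, "passwd", 0, 0, "write", 0);
    while (get_log_info(&q, &r)) {
        format_log_line(&r, line, sizeof line);
        puts(line);
    }
    printf("dropped=%u\n", q.dropped);
    return 0;
}
```

Recording denied operations alongside allowed ones (steps E1 and E2) is what makes the log useful for analysis: the attempts a sample makes against files it cannot touch are often the clearest indicator of its intent. The dropped counter is the practitioner's check that the queue was sized adequately for a noisy sample.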

Further, in step 6:

G1. The log information provided to the user for analysis includes the monitored process's executable file name name, process ID pid, parent process ID ppid, effective user EUID and group EGID, the accessed key file's name filename, owner UID and group GID, and the operation command (read/write/create/close and the like);

G2. The user analyzes the malicious code based on the record of the monitored process's operations on key files.

Of course, the present invention may have many other embodiments. Without departing from the spirit and essence of the present invention, those skilled in the art can make various corresponding changes and modifications according to the present invention, and all such changes and modifications shall fall within the protection scope of the appended claims of the present invention.

Claims (8)

1. a kind of malicious code analysis method under Linux platform is it is characterised in that include:
Step 1, setting needs the critical file information of monitoring, and it is shown with interface form, wherein said critical file letter Breath includes:Filename, file owning user UID, user's group GID, file access authority;
Step 2, loads and executes the malicious code needing analysis, simultaneously according to the curriculum offering of showing interface need to be monitored into Journey;
Step 3, described critical file information and monitored progress information is passed to the monitoring module of kernel spacing, described monitoring Module synchronously generates critical file list and monitoring process letter according to described critical file information and described monitored progress information Breath list;
Step 4, the monitored access to critical file for the process described in described monitoring module monitor in real time, and according to described crucial literary composition Part and the access rights of monitored process, refusal or the permission operation to critical file for the described monitored process;
Step 5, the monitored operation to critical file for the process described in described monitoring module record, and by monitored process to key The operation information of file is saved in journal queue;
Step 6, the log information in described journal queue is passed to the log processing routine of line module, and the shape with interface Described log information is shown by formula;
Wherein said step 6 includes:
Step 61, obtains log information from described journal queue, and the log information of acquisition is written to described monitoring module In the shared drive creating;
Step 62, log processing routine described in asynchronous notifications, described log processing routine reads log information, through processing it Afterwards, it is deposited into log buffer area, and in the form of interface, the log information in described log buffer area is showed user.
2. the malicious code analysis method under Linux platform as claimed in claim 1 is it is characterised in that described step 2 is wrapped Include:
Step 21, sequentially enter/proc file system with the catalogue of numerical designation, respectively status file in described catalogue is held Row read () operates, and obtains progress information, and this progress information includes:EXENAME, process number, parent process number, effective Family EUID, effectively group EGID and core image;
Step 22, described progress information is left in struct process_info structure, and is linked in chained list;
Step 23, obtains described progress information from described chained list successively, and shows user with interface manner;
Step 24, it is monitored process that described user specifies malicious code process according to the progress information shown.
3. the malicious code analysis method under Linux platform as claimed in claim 1 is it is characterised in that described step 4 is wrapped Include:
Step 41, described monitoring module is intercepted and captured the system transmitted from VFS layer and is called, and is referred to by changing VFS function jump table To self-defining intercepting and capturing function, obtain upper system and call file object to be operated;
Step 42, filter_process_hash () function obtains process number and the parent process number that this system calls affiliated process, With described process number as keyword, comparing successively in described monitoring process information list, if compared successfully, illustrating Current process is monitored process;If comparing unsuccessful, using parent process number as keyword, in described monitoring process information row Comparing successively in table, if compared successfully, illustrating that current process is monitored process, execution step 43, if compared not Success, is left intact, and continues executing with the concrete file system of lower floor and processes function;Filter_file_hash () function is intercepted and captured The file object that will be operated, obtains filename and the file owning user UID of critical file by file object, and with institute Stating filename and file owning user UID is keyword, compares successively, if both in described critical file list Compare successfully, then explanation current file is monitored critical file, execution step 43 otherwise, is left intact, continues to hold The concrete file system of row lower floor processes function;
Step 43, carries out authority comparison to described monitored process and described critical file, and according to comparison result refusal or permits Permitted the operation to critical file for the described monitored process.
4. the malicious code analysis method under Linux platform as claimed in claim 1 is it is characterised in that in described step 6:
Described log information includes the EXENAME of monitored process, process number, parent process number, validated user EUID, has Effect group EGID, and the critical file filename of operation, file owning user UID, user's group GID, and operational order.
5. the malicious code analysis system under a kind of Linux platform is it is characterised in that include:
Pretreatment module, setting needs the critical file information of monitoring, and it is shown with interface form, wherein said crucial literary composition Part information includes:Filename, file owning user UID, user's group GID, file access authority;
Malicious code load-on module, loads and executes the malicious code needing analysis, the curriculum offering according to showing interface simultaneously Need monitored process;
Synchronous generation module, by described critical file information and described monitoring process information transmission to kernel spacing monitoring mould Block, described monitoring module generates critical file list and prison according to described critical file information and described monitoring process synchronizing information Control progress information list;
Monitor processing module, the monitored access to critical file for the process described in described monitoring module monitor in real time, and according to institute State critical file and the access rights of described monitored process, refusal or the permission behaviour to critical file for the described monitored process Make;
Record preserving module, the monitored operation to critical file for the process described in described monitoring module record, and by be monitored into Journey is saved in journal queue to the operation information of critical file;
Transmission display module, the log information in described journal queue is passed to the log processing routine of line module, and with Described log information is shown by the form at interface;
Wherein said transmission display module includes:
Write processing module, obtains log information from described journal queue, and the log information of acquisition is written to described prison In the shared drive of control module creation;
Asynchronous process module, log processing routine described in asynchronous notifications, described log processing routine reads log information, through place After reason, it is deposited into log buffer area, and in the form of interface, the log information in described log buffer area is showed User.
6. the malicious code analysis system under Linux platform as claimed in claim 5 is it is characterised in that described malicious code Load-on module includes:
Operation processing module, sequentially enter/proc file system with the catalogue of numerical designation, respectively to status in described catalogue File execution read () operation, obtains progress information, and this progress information includes:EXENAME, process number, parent process number, Validated user EUID, effectively group EGID and core image;
Link processing module, described progress information is left in struct process_info structure, and is linked to chain In table;
Obtain display module, obtain described progress information from described chained list successively, and user is showed with interface manner;
Designated treatment module, it is monitored process that described user specifies malicious code process according to the progress information shown.
7. the malicious code analysis system under Linux platform as claimed in claim 5 is it is characterised in that described monitoring is processed Module includes:
Intercept and capture processing module, described monitoring module is intercepted and captured the system transmitted from VFS layer and called, jumped by changing VFS function Turn table and point to self-defining intercepting and capturing function, obtain upper system and call file object to be operated;
Compare processing module, filter_process_hash () function obtains process number and the father that this system calls affiliated process Process number, with described process number as keyword, compares, successively if compared in described monitoring process information list Work(, then explanation current process is monitored process;If comparing unsuccessful, using parent process number as keyword, in described monitoring Compare successively in progress information list, if comparing successfully, illustrating that current process is monitored process, entering execution mould Block, if comparing unsuccessful, is left intact, and continues executing with the concrete file system of lower floor and processes function;filter_file_ The file object that the intercepting and capturing of hash () function will be operated, obtains filename and the file of critical file information by file object Owning user UID, and with described filename and file owning user UID as keyword, in described critical file list successively Comparing, if both compared successfully, illustrating that current file is monitored critical file, enter performing module, no Then, it is left intact, continue executing with the concrete file system of lower floor and process function;
Performing module, carries out authority comparison to described monitored process and described critical file, and according to comparison result refusal or Allow the operation to critical file for the described monitored process.
8. The malicious code analysis system under the Linux platform as claimed in claim 5, characterised in that, in the transmission and display module:
the log information includes the executable name of the monitored process, its process number, parent process number, effective user EUID and effective group EGID, together with the filename, file owner UID and user group GID of the critical file operated on, and the operation command.
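The comparison and execution steps of claim 7, and the log record of claim 8, as an added user-space illustration in C (this is not the patent's kernel module; the monitored-process and critical-file lists, the PIDs and paths, and the authority rule that root or the file's owner may proceed are all assumptions of the example):

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* One intercepted VFS operation, carrying the fields claim 8 puts in the log. */
typedef struct {
    const char *exe; pid_t pid, ppid; uid_t euid; gid_t egid;  /* monitored-process side */
    const char *file; uid_t uid; gid_t gid; const char *op;    /* critical-file side */
} fs_event_t;

/* Constructed sample lists: hypothetical PIDs and paths, not taken from the patent. */
static const pid_t monitored_pids[] = { 4242, 4300 };
static const struct { const char *name; uid_t owner; } critical_files[] = {
    { "/etc/passwd", 0 }, { "/etc/shadow", 0 }
};
static char last_log[256];  /* the record the transmission/display module would ship */

/* Compare step 1 (the role of filter_process_hash): try the PID, then the parent PID. */
static int is_monitored_process(pid_t pid, pid_t ppid) {
    size_t n = sizeof monitored_pids / sizeof monitored_pids[0];
    for (size_t i = 0; i < n; i++) if (monitored_pids[i] == pid) return 1;
    for (size_t i = 0; i < n; i++) if (monitored_pids[i] == ppid) return 1;
    return 0;
}

/* Compare step 2 (the role of filter_file_hash): filename AND owner UID must both match. */
static int is_critical_file(const char *name, uid_t owner) {
    size_t n = sizeof critical_files / sizeof critical_files[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(critical_files[i].name, name) == 0 && critical_files[i].owner == owner) return 1;
    return 0;
}

/* Execution step. Returns -1 when the event is not filtered at all (it would be handed
 * to the lower-layer file system untouched), 1 to allow, 0 to refuse. The authority
 * rule itself (root or the file's owner may proceed) is an assumption of this example. */
int decide(const fs_event_t *ev) {
    if (!is_monitored_process(ev->pid, ev->ppid) || !is_critical_file(ev->file, ev->uid))
        return -1;
    int allow = (ev->euid == 0 || ev->euid == ev->uid);
    snprintf(last_log, sizeof last_log,
             "exe=%s pid=%d ppid=%d euid=%u egid=%u file=%s uid=%u gid=%u op=%s result=%s",
             ev->exe, (int)ev->pid, (int)ev->ppid, (unsigned)ev->euid, (unsigned)ev->egid,
             ev->file, (unsigned)ev->uid, (unsigned)ev->gid, ev->op, allow ? "allow" : "deny");
    return allow;
}

const char *last_log_line(void) { return last_log; }
```

A child of a monitored process is caught through the parent-PID pass, and a file whose name matches but whose owner does not is deliberately not treated as critical, exactly as claim 7 requires both keys to match.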
CN201310123502.9A 2013-04-10 2013-04-10 Malicious code analysis method and system under Linux platform Active CN104102878B (en)

Publications (2)

Publication Number Publication Date
CN104102878A (en) 2014-10-15
CN104102878B (en) 2017-02-08

Family

ID=51671021

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240320

Address after: Room 711C, Floor 7, Building A, Yard 19, Ronghua Middle Road, Daxing District, Beijing Economic-Technological Development Area, 100176

Patentee after: Beijing Zhongke Flux Technology Co.,Ltd.

Country or region after: China

Address before: 100190 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing, Haidian District

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

Country or region before: China