CN104102878B - Malicious code analysis method and system under Linux platform - Google Patents

Info

Publication number: CN104102878B
Application number: CN201310123502.9A
Authority: CN (China)
Other versions: CN104102878A
Other languages: Chinese (zh)
Prior art keywords: file, information, monitored, module, malicious code
Legal status: Active
Inventors: 何振学, 田昕晖, 孙毓忠
Original assignee: Institute of Computing Technology of CAS
Current assignee: Beijing Zhongke Flux Technology Co ltd
Application filed by Institute of Computing Technology of CAS

Classifications

    • G  Physics
    • G06  Computing; calculating or counting
    • G06F  Electric digital data processing
    • G06F21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55  Detecting local intrusion or implementing counter-measures
    • G06F21/56  Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562  Static detection
    • G06F21/563  Static detection by source code analysis

Abstract

The invention provides a malicious code analysis method and system under a Linux platform. In the method and system, dynamic loading is realised with the LKM (Loadable Kernel Module) technique, and the point at which system calls are intercepted is placed between the VFS (Virtual File System) layer and the concrete file system, so that more information related to file operations is obtained and more accurate and useful monitoring information is provided. System calls are intercepted without modifying the system call table, so the potential security hazards of the traditional method of modifying the system call table are avoided; a shared memory mechanism is adopted to increase both the communication speed between the kernel module and the user process and the data volume transmitted; the key files and processes to be monitored are selected by the user, which improves the usability, flexibility and efficiency of the system and meets the user's demands for malicious code analysis well; and only the selected malicious code processes and a number of important key files are monitored, which avoids a large performance loss of the system and improves the running speed of the analysis system.

Description

Malicious code analysis method and system under a Linux platform
Technical field
The present invention relates to the field of malicious code analysis under the Linux platform, and more particularly to a malicious code analysis method and system under the Linux platform.
Background technology
While the Internet brings convenience and efficiency to people's lives, security threat events are rising year by year. The large number of viruses and Trojans on the network cause serious harm to people's property, to the safety of social production and to national information security. Among these harms, the losses and damage caused by executable malicious code are especially prominent. The prevalence of malicious code has awakened people's security awareness and prompted research into malicious code from every angle. As malicious code keeps evolving and takes ever more varied and changeable forms, the traditional detection methods based on debugging malicious code in a debugger and the traditional sample analysis techniques are no longer adequate for analysing novel malicious code. It follows that developing a targeted and highly efficient malicious code analysis platform is extremely urgent.
Malicious code analysis is the basis of malicious code emergency response and computer forensics; analysing the behaviour and function of malicious code provides useful information for loss assessment and system recovery. The idea behind malicious code analysis based on system call behaviour monitoring is this: no matter where the attacker comes from or which kind of behaviour is used, the intrusion, control or destruction carried out against the target system is ultimately executed by means of the target system's system calls. One of the design philosophies of Linux and Unix systems is that "everything is a file", so the various malicious operations that malicious code performs on the target system can ultimately be attributed to file operations. The system calls made while malicious code executes, and the files they finally operate on, are directly linked to the attack behaviour and function of the malicious code. Therefore, by intercepting the system calls made by the malicious code and monitoring the operations of the malicious code process on files, the purpose of malicious code analysis can be achieved.
In existing Linux-based malicious code analysis methods, the system call interception technique traditionally obtains the address of the interrupt handler from the interrupt vector table and then searches the memory of the interrupt service routine for a characteristic instruction to obtain the address of the system call table; alternatively, it obtains the address of the system call table by reading /dev/kmem, System.map or kallsyms. The entry address of the system call service routine to be intercepted is then saved from the system call table, and the original entry address is replaced with the address of a custom handling function so that the call jumps to the monitoring program. Malicious code analysis methods based on the traditional system call interception technique have the following problems:
(1) In kernel versions after Linux 2.6, for security reasons, the system call table is no longer exported as a symbol and has to be obtained by searching for the characteristic instruction. The premise of that method is that application requests enter the kernel through the INT 0x80 instruction; for the SYSENTER or SYSCALL instructions the method fails.
(2) Implementing system call interception by obtaining the address of the system call table through reading the /dev/kmem device file carries a potential security hazard.
(3) The system call interception used by traditional malicious code analysis methods takes place at the system call layer, above the VFS layer, so more specific information related to the malicious code cannot be obtained.
(4) Modifying the system call table can cause a potential security hazard, and in a multithreaded environment its robustness is poor.
Summary of the invention
To solve the above problems, the invention provides a malicious code analysis method and system under the Linux platform, which avoids the potential security hazard brought by the traditional method of modifying the system call table, avoids a large performance loss of the system, provides more accurate and useful monitoring information, improves the data volume of communication and the usability, flexibility and efficiency of the system, and better meets the user's requirements for malicious code analysis.
To achieve the above object, the invention provides a malicious code analysis method under the Linux platform, the method comprising:
Step 1: set the key file information to be monitored and display it in interface form, where the key file information includes: file name, file owner user, user group and file access permissions;
Step 2: load and execute the malicious code to be analysed, and at the same time set the processes to be monitored according to the process information shown on the interface;
Step 3: pass the key file information and the monitored process information to the monitoring module in kernel space; the monitoring module generates a key file list and a monitored process information list synchronously from the key file information and the monitored process information;
Step 4: the monitoring module monitors in real time the access of the monitored processes to the key files and, according to the access permissions of the key files and of the monitored processes, refuses or allows the operation of the monitored process on the key file;
Step 5: the monitoring module records the operations of the monitored processes on the key files and saves the operation information of the monitored processes on the key files in a log queue;
Step 6: the log information in the log queue is passed to the log processing routine of the user module and displayed in interface form.
Further, step 2 includes:
Step 21: enter in turn the numerically named directories of the /proc file system, perform a read() operation on the status file in each directory and obtain the process information, which includes: executable name, process number, parent process number, effective user EUID, effective group EGID and core image;
Step 22: store the process information in a struct process_info structure and link it into a linked list;
Step 23: obtain the process information from the linked list in turn and show it to the user in interface form;
Step 24: the user designates the malicious code process as the monitored process according to the process information shown.
Further, step 4 includes:
Step 41: the monitoring module intercepts the system call passed down from the VFS layer; by modifying the VFS function jump table to point to a custom intercept function, it obtains the file object that the upper-layer system call is to operate on;
Step 42: the filter_process_hash() function obtains the process number and parent process number of the process to which this system call belongs, and with the process number as the key compares it in turn against the monitored process information list; if the comparison succeeds, the current process is a monitored process. If the comparison fails, the parent process number is used as the key and compared in turn against the monitored process information list; if that comparison succeeds, the current process is a monitored process and step 43 is executed; if it fails, nothing is done and execution continues with the processing function of the lower-layer concrete file system;
The filter_file_hash() function intercepts the file object to be operated on, obtains from the file object the file name of the key file and the file owner user UID, and with the file name and file owner user UID as keys compares them in turn against the key file list; if both comparisons succeed, the current file is a monitored key file and step 43 is executed; otherwise nothing is done and execution continues with the processing function of the lower-layer concrete file system;
Step 43: compare the permissions of the monitored process and the key file, and according to the comparison result refuse or allow the operation of the monitored process on the key file.
Further, step 6 includes:
Step 61: obtain log information from the log queue and write the obtained log information into the shared memory created by the monitoring module;
Step 62: asynchronously notify the log processing routine; the log processing routine reads the log information, processes it, stores it in a log buffer area, and shows the log information in the log buffer area to the user in interface form.
Wherein, in step 6:
The log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process; the file name, file owner user UID and user group GID of the key file operated on; and the operation command.
To achieve the above object, the invention also provides a malicious code analysis processing system under the Linux platform, the system comprising:
a pre-processing module, which sets the key file information and access permissions to be monitored and displays them in interface form, where the key file information includes: file name, file owner user UID, user group GID and file access permissions;
a malicious code loading module, which loads and executes the malicious code to be analysed and at the same time sets the processes to be monitored according to the content shown on the interface;
a synchronous generation module, which passes the key file information and the monitored process information to the monitoring module in kernel space; the monitoring module generates the key file list and the monitored process information list synchronously from the key file information and the monitored process information;
a monitoring processing module, in which the monitoring module monitors in real time the access of the monitored processes to the key files and, according to the access permissions of the key files and of the monitored processes, refuses or allows the operation of the monitored process on the key file;
a record saving module, in which the monitoring module records the operations of the monitored processes on the key files and saves the operation information of the monitored processes on the key files in the log queue;
a transmission display module, which passes the log information in the log queue to the log processing routine of the user module and displays the log information in interface form.
Further, the malicious code loading module includes:
an operation processing module, which enters in turn the numerically named directories of the /proc file system, performs a read() operation on the status file in each directory and obtains the process information, which includes: executable name, process number, parent process number, effective user EUID, effective group EGID and core image;
a link processing module, which stores the process information in a struct process_info structure and links it into a linked list;
an obtain-and-display module, which obtains the process information from the linked list in turn and shows it to the user in interface form;
a designation processing module, in which the user designates the malicious code process as the monitored process according to the process information shown.
Further, the monitoring processing module includes:
an intercept processing module, in which the monitoring module intercepts the system call passed down from the VFS layer; by modifying the VFS function jump table to point to a custom intercept function, it obtains the file object that the upper-layer system call is to operate on;
a compare processing module, in which the filter_process_hash() function obtains the process number and parent process number of the process to which this system call belongs, and with the process number as the key compares it in turn against the monitored process information list; if the comparison succeeds, the current process is a monitored process. If the comparison fails, the parent process number is used as the key and compared in turn against the monitored process information list; if that comparison succeeds, the current process is a monitored process and the performing module is entered; if it fails, nothing is done and execution continues with the processing function of the lower-layer concrete file system;
the filter_file_hash() function intercepts the file object to be operated on, obtains from the file object the file name of the key file and the file owner user UID, and with the file name and file owner user UID as keys compares them in turn against the key file list; if both comparisons succeed, the current file is a monitored key file and the performing module is entered; otherwise nothing is done and execution continues with the processing function of the lower-layer concrete file system;
a performing module, which compares the permissions of the monitored process and the key file and, according to the comparison result, refuses or allows the operation of the monitored process on the key file.
Further, the transmission display module includes:
a write processing module, which obtains log information from the log queue and writes the obtained log information into the shared memory created by the monitoring module;
an asynchronous processing module, which asynchronously notifies the log processing routine; the log processing routine reads the log information, processes it, stores it in a log buffer area, and shows the log information in the log buffer area to the user in interface form.
Wherein, in the transmission display module:
the log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process; the file name, file owner user UID and user group GID of the key file operated on; and the operation command.
The beneficial effects of the invention are:
(1) Dynamic loading is achieved with the LKM technique, and the system call interception point lies between the VFS layer and the concrete file system, so more information related to file operations can be obtained and more accurate and useful monitoring information can be provided.
(2) System call interception does not require modifying the system call table, so the potential security hazard of the traditional method of modifying the system call table is avoided.
(3) A block of shared memory is requested in the kernel, and the log information obtained by the monitoring module is passed to user space through it. The shared memory mechanism both raises the communication speed between the kernel module and the user process and increases the data volume of the communication.
(4) The key files and processes to be monitored are selected by the user, which greatly improves the usability, flexibility and efficiency of the system and better meets the user's requirements for malicious code analysis.
(5) Only the malicious code processes and a number of important key files are chosen for monitoring, which avoids a large performance loss of the system and improves the running speed of the analysis system.
The invention is described below in conjunction with the drawings and specific embodiments, which do not limit the invention.
Brief description of the drawings
Fig. 1 is the flow diagram of the malicious code analysis method under the Linux platform of the invention;
Fig. 2 is the schematic diagram of the malicious code analysis system under the Linux platform of the invention;
Fig. 3 is the architecture diagram of the malicious code analysis system under the Linux platform of one embodiment of the invention.
Specific embodiments
Fig. 1 is the flow diagram of the malicious code analysis method under the Linux platform of the invention. As shown in Fig. 1, the method includes:
Step 1: set the key file information to be monitored and display it in interface form, where the key file information includes: file name, file owner user UID, user group GID and file access permissions;
Step 2: load and execute the malicious code to be analysed, and at the same time set the processes to be monitored according to the content shown on the interface;
Step 3: pass the key file information and the monitored process information to the monitoring module in kernel space; the monitoring module generates a key file list and a monitored process information list synchronously from the key file information and the monitored process information;
Step 4: the monitoring module monitors in real time the access of the monitored processes to the key files and, according to the access permissions of the key files and of the monitored processes, refuses or allows the operation of the monitored process on the key file;
Step 5: the monitoring module records the operations of the monitored processes on the key files and saves the operation information of the monitored processes on the key files in a log queue;
Step 6: the log information in the log queue is passed to the log processing routine of the user module and displayed in interface form.
Further, step 2 includes:
Step 21: enter in turn the numerically named directories of the /proc file system, perform a read() operation on the status file in each directory and obtain the process information, which includes: executable name, process number, parent process number, effective user EUID, effective group EGID and core image;
Step 22: store the process information in a struct process_info structure and link it into a linked list;
Step 23: obtain the process information from the linked list in turn and show it to the user in interface form;
Step 24: the user designates the malicious code process as the monitored process according to the process information shown.
Further, step 4 includes:
Step 41: the monitoring module intercepts the system call passed down from the VFS layer; by modifying the VFS function jump table to point to a custom intercept function, it obtains the file object that the upper-layer system call is to operate on;
Step 42: the filter_process_hash() function obtains the process number and parent process number of the process to which this system call belongs, and with the process number as the key compares it in turn against the monitored process information list; if the comparison succeeds, the current process is a monitored process. If the comparison fails, the parent process number is used as the key and compared in turn against the monitored process information list; if that comparison succeeds, the current process is a monitored process and step 43 is executed; if it fails, the function returns, that is, nothing is done with this system call and it continues on to the processing function of the lower-layer concrete file system;
The filter_file_hash() function intercepts the file object to be operated on, obtains from the file object the file name of the key file and the file owner user UID, and with the file name and file owner user UID as keys compares them in turn against the key file list; if both comparisons succeed, the current file is a monitored key file and step 43 is executed; otherwise the function returns, that is, if the comparison fails, the file to be operated on is not a key file set by the user, so nothing is done with this system call and it continues on to the processing function of the lower-layer concrete file system;
Step 43: compare the permissions of the monitored process and the key file, and according to the comparison result refuse or allow the operation of the monitored process on the key file.
Further, step 6 includes:
Step 61: obtain log information from the log queue and write the obtained log information into the shared memory created by the monitoring module;
Step 62: asynchronously notify the log processing routine; the log processing routine reads the log information, processes it, stores it in a log buffer area, and shows the log information in the log buffer area to the user in interface form.
Wherein, in step 6:
The log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process; the file name, file owner user UID and user group GID of the key file operated on; and the operation command.
Fig. 2 is the schematic diagram of the malicious code analysis system under the Linux platform of the invention. As shown in Fig. 2, the system includes:
a pre-processing module 100, which sets the key file information to be monitored and displays it in interface form, where the key file information includes: file name, file owner user UID, user group GID and file access permissions;
a malicious code loading module 200, which loads and executes the malicious code to be analysed and at the same time sets the processes to be monitored according to the content shown on the interface;
a synchronous generation module 300, which passes the key file information and the monitored process information to the monitoring module in kernel space; the monitoring module generates the key file list and the monitored process information list synchronously from the key file information and the monitored process information;
a monitoring processing module 400, in which the monitoring module monitors in real time the access of the monitored processes to the key files and, according to the access permissions of the key files and of the monitored processes, refuses or allows the operation of the monitored process on the key file;
a record saving module 500, in which the monitoring module records the operations of the monitored processes on the key files and saves the operation information of the monitored processes on the key files in the log queue;
a transmission display module 600, which passes the log information in the log queue to the log processing routine of the user module and displays the log information in interface form.
Further, the malicious code loading module 200 includes:
an operation processing module, which enters in turn the numerically named directories of the /proc file system, performs a read() operation on the status file in each directory and obtains the process information, which includes: executable name, process number, parent process number, effective user EUID, effective group EGID and core image;
a link processing module, which stores the process information in a struct process_info structure and links it into a linked list;
an obtain-and-display module, which obtains the process information from the linked list in turn and shows it to the user in interface form;
a designation processing module, in which the user designates the malicious code process as the monitored process according to the process information shown.
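The following C program is an added example and not code from the patent: it carries out steps 21 and 22 (the operation processing and link processing modules above, and the same steps in the method of Fig. 1) in user space, parsing the Name, Pid, PPid, Uid and Gid lines of /proc/<pid>/status into a struct process_info and linking the entries into a list. The layout of struct process_info is an assumption, the core image field is omitted, and the sample status text is constructed.

```c
/* Added example, not the patent's code: steps 21/22 in user space. The
 * process_info layout is an assumption; "core image" is left out. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct process_info {
    char exe_name[64];             /* Name:  line of /proc/<pid>/status */
    int pid;                       /* Pid:   */
    int ppid;                      /* PPid:  */
    int euid;                      /* 2nd field of Uid: (real, effective, saved, fs) */
    int egid;                      /* 2nd field of Gid: */
    struct process_info *next;     /* step 22: linked-list link */
};

/* Parse the text of one status file line by line. Returns 0 on success and
 * -1 when any of the five required fields is missing, so a half-read entry
 * (e.g. a process that exited mid-read) is never trusted. */
int parse_status(const char *text, struct process_info *out)
{
    unsigned seen = 0;
    char line[256];
    const char *p = text;
    int a, b;
    memset(out, 0, sizeof *out);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += nl ? full + 1 : full;
        /* the blank in each format skips the tab after the colon */
        if (sscanf(line, "Name: %63[^\n]", out->exe_name) == 1) seen |= 1;
        else if (sscanf(line, "Pid: %d", &out->pid) == 1)        seen |= 2;
        else if (sscanf(line, "PPid: %d", &out->ppid) == 1)      seen |= 4;
        else if (sscanf(line, "Uid: %d %d", &a, &b) == 2)        { out->euid = b; seen |= 8; }
        else if (sscanf(line, "Gid: %d %d", &a, &b) == 2)        { out->egid = b; seen |= 16; }
    }
    return seen == 31 ? 0 : -1;
}

/* Step 21 for one live process: read /proc/<pid>/status and parse it. */
int read_process(int pid, struct process_info *out)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status(buf, out);
}

/* Steps 21/22 over every numeric /proc directory; returns the list head. */
struct process_info *scan_proc(void)
{
    struct process_info *head = NULL;
    struct dirent *e;
    DIR *d = opendir("/proc");
    if (!d) return NULL;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        struct process_info *n = malloc(sizeof *n);
        if (!n) break;
        if (read_process(atoi(e->d_name), n) != 0) { free(n); continue; }
        n->next = head;
        head = n;
    }
    closedir(d);
    return head;
}

/* Constructed sample in the real /proc/<pid>/status layout (tab separated);
 * the State and Tgid lines are there to show that unrelated lines are skipped. */
static const char sample_status[] =
    "Name:\tsample.bin\n" "State:\tS (sleeping)\n" "Tgid:\t4242\n"
    "Pid:\t4242\n" "PPid:\t4100\n"
    "Uid:\t1000\t1000\t1000\t1000\n" "Gid:\t1000\t1001\t1001\t1001\n";
static struct process_info sample;

int sample_parse(void)   { return parse_status(sample_status, &sample); }
int sample_pid(void)     { sample_parse(); return sample.pid; }
int sample_ppid(void)    { sample_parse(); return sample.ppid; }
int sample_euid(void)    { sample_parse(); return sample.euid; }
int sample_egid(void)    { sample_parse(); return sample.egid; }
int sample_name_ok(void) { sample_parse(); return strcmp(sample.exe_name, "sample.bin") == 0; }
/* Constructed entry with no PPid line: parse_status must reject it. */
int sample_missing(void) { struct process_info t; return parse_status("Name:\tx\nPid:\t1\nUid:\t0\t0\nGid:\t0\t0\n", &t); }

int main(void)
{
    sample_parse();
    printf("%s pid=%d ppid=%d euid=%d egid=%d\n",
           sample.exe_name, sample.pid, sample.ppid, sample.euid, sample.egid);
    int count = 0;
    for (struct process_info *p = scan_proc(), *q; p; p = q) { q = p->next; free(p); count++; }
    printf("%d live processes read from /proc\n", count);
    return 0;
}
```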
Further, the monitoring processing module 400 includes:
an intercept processing module, in which the monitoring module intercepts the system call passed down from the VFS layer; by modifying the VFS function jump table to point to a custom intercept function, it obtains the file object that the upper-layer system call is to operate on;
a compare processing module, in which the filter_process_hash() function obtains the process number and parent process number of the process to which this system call belongs, and with the process number as the key compares it in turn against the monitored process information list; if the comparison succeeds, the current process is a monitored process. If the comparison fails, the parent process number is used as the key and compared in turn against the monitored process information list; if that comparison succeeds, the current process is a monitored process and the performing module is entered; if it fails, the function returns, that is, nothing is done with this system call and it continues on to the processing function of the lower-layer concrete file system;
the filter_file_hash() function intercepts the file object to be operated on, obtains from the file object the file name of the key file and the file owner user UID, and with the file name and file owner user UID as keys compares them in turn against the key file list; if both comparisons succeed, the current file is a monitored key file and the performing module is entered; otherwise the function returns, that is, if the comparison fails, the file to be operated on is not a key file set by the user, so nothing is done with this system call and it continues on to the processing function of the lower-layer concrete file system;
a performing module, which compares the permissions of the monitored process and the key file and, according to the comparison result, refuses or allows the operation of the monitored process on the key file.
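The following C program is an added example and not the patent's code: it models in user space the decision path of the compare and performing modules above (steps 41 to 43 of the method). The VFS jump-table hook, the hash tables behind filter_process_hash() and filter_file_hash() and the kernel log queue are replaced by plain arrays, the owner/group/other rule used for the permission comparison is an assumption, and the configuration and process records are constructed.

```c
/* Added example, not the patent's code: user-space model of steps 41-43.
 * Arrays stand in for the kernel hash tables and log queue; the
 * owner/group/other rule for the permission comparison is an assumption. */
#include <stdio.h>
#include <string.h>

#define OP_READ  0x1u
#define OP_WRITE 0x2u
#define MAX_ENTRIES 16

struct process_info {             /* from /proc/<pid>/status, step 21 */
    char exe_name[64];
    int pid, ppid, euid, egid;
};
struct key_file {                 /* set by the user, step 1 */
    char filename[128];
    int uid, gid;                 /* file owner user UID and user group GID */
    unsigned owner_ops, group_ops, other_ops;   /* allowed operation masks */
};
struct log_info {                 /* one record of the log queue, step 5 */
    struct process_info proc;
    struct key_file file;
    unsigned op;
    int allowed;
};

static struct process_info monitored[MAX_ENTRIES]; static int n_monitored;
static struct key_file key_files[MAX_ENTRIES];     static int n_key_files;
static struct log_info log_queue[MAX_ENTRIES];     static int n_logs;

/* filter_process_hash(): the PID is looked up first, then the PPID, so
 * children spawned by the monitored malicious process are covered as well. */
static int filter_process_hash(const struct process_info *cur)
{
    for (int i = 0; i < n_monitored; i++)
        if (monitored[i].pid == cur->pid) return 1;
    for (int i = 0; i < n_monitored; i++)
        if (monitored[i].pid == cur->ppid) return 1;
    return 0;
}

/* filter_file_hash(): both the file name and the owner UID must match. */
static const struct key_file *filter_file_hash(const char *name, int uid)
{
    for (int i = 0; i < n_key_files; i++)
        if (strcmp(key_files[i].filename, name) == 0 && key_files[i].uid == uid)
            return &key_files[i];
    return NULL;
}

/* Step 43: choose the mask by comparing the process EUID/EGID with the file
 * UID/GID, then check the requested operation. 1 = allow, 0 = refuse. */
static int check_permission(const struct process_info *p, const struct key_file *f, unsigned op)
{
    unsigned allowed = f->other_ops;
    if (p->euid == f->uid)      allowed = f->owner_ops;
    else if (p->egid == f->gid) allowed = f->group_ops;
    return (allowed & op) == op;
}

/* write_log_info(): append one record; a full queue drops the record. */
static void write_log_info(const struct process_info *p, const struct key_file *f, unsigned op, int ok)
{
    if (n_logs >= MAX_ENTRIES) return;
    log_queue[n_logs] = (struct log_info){ *p, *f, op, ok };
    n_logs++;
}

/* The custom intercept function reached from the VFS jump table. Returns 1
 * when the call may continue into the concrete file system, 0 when refused.
 * Unmonitored processes and non-key files pass through untouched and unlogged. */
int intercept(const struct process_info *cur, const char *name, int file_uid, unsigned op)
{
    if (!filter_process_hash(cur)) return 1;
    const struct key_file *f = filter_file_hash(name, file_uid);
    if (!f) return 1;
    int ok = check_permission(cur, f, op);
    write_log_info(cur, f, op, ok);
    return ok;
}

int log_count(void) { return n_logs; }

/* Constructed configuration: process 4242 is monitored; /etc/passwd (owner
 * root, group root) may be read by everyone but written only by its owner. */
static void setup_demo(void)
{
    n_monitored = n_key_files = n_logs = 0;
    monitored[n_monitored++] = (struct process_info){"sample.bin", 4242, 4100, 1000, 1000};
    key_files[n_key_files++] = (struct key_file){"/etc/passwd", 0, 0, OP_READ | OP_WRITE, OP_READ, OP_READ};
}
int demo_monitored_read(void)   /* monitored PID reads: allowed and logged */
{
    setup_demo();
    struct process_info p = {"sample.bin", 4242, 4100, 1000, 1000};
    return intercept(&p, "/etc/passwd", 0, OP_READ);
}
int demo_child_write(void)      /* child (PPID 4242) writes: refused and logged */
{
    setup_demo();
    struct process_info child = {"sh", 4300, 4242, 1000, 1000};
    return intercept(&child, "/etc/passwd", 0, OP_WRITE);
}
int demo_unrelated_write(void)  /* unmonitored process: passed through, not logged */
{
    setup_demo();
    struct process_info other = {"bash", 777, 1, 1000, 1000};
    return intercept(&other, "/etc/passwd", 0, OP_WRITE);
}

int main(void)
{
    printf("monitored read : %d (logged=%d)\n", demo_monitored_read(), log_count());
    printf("child write    : %d (logged=%d)\n", demo_child_write(), log_count());
    printf("unrelated write: %d (logged=%d)\n", demo_unrelated_write(), log_count());
    return 0;
}
```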
Further, the transmission display module 600 includes:
a write processing module, which obtains log information from the log queue and writes the obtained log information into the shared memory created by the monitoring module;
an asynchronous processing module, which asynchronously notifies the log processing routine; the log processing routine reads the log information, processes it, stores it in a log buffer area, and shows the log information in the log buffer area to the user in interface form.
Wherein, in the transmission display module 600:
the log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process; the file name, file owner user UID and user group GID of the key file operated on; and the operation command.
Fig. 3 is the architecture diagram of the malicious code analysis system under the Linux platform according to one embodiment of the invention. One embodiment of the malicious code analysis method under the Linux platform of the invention is described with reference to Fig. 3. The malicious code analysis method of this embodiment includes:
Step 1: the user sets the critical file information through the user module;
Step 2: the submit-and-execute code routine of the user module loads and executes the malicious code to be analyzed, and at the same time the user specifies, through the user module, the processes to be monitored;
Step 3: the critical file information and monitored process information set by the user module are transmitted to the monitoring module through the proc communication routine of the communication module;
Step 4: the monitoring module monitors in real time the processes' accesses to critical files and, according to the effective user EUID and effective group EGID of the accessing process, the owner UID and group GID of the critical file, and the access rights set for the critical file's owner and group, refuses or allows the monitored process's operation on the critical file;
Step 5: the monitoring module records the monitored process's access operations on critical files, and writes the monitored process information, critical file information and operation information to the log through write_log_info();
Step 6: the log information obtained by the monitoring module is passed to the user module through the mmap communication routine of the communication module.
Further, step 1 includes:
A1. The user provides the critical file information to be monitored, including attributes such as the file name filename, the file's owner UID and group GID, and the file access rights, and sets different access rights for the different users in the system;
A2. The user adds and deletes critical file information through the two interface functions add_keyfile() and del_keyfile() provided by the user module;
A3. The critical file setting routine of the user module displays the critical file information to the user in the form of an interface through the show_keyfile() function.
Further, step 2 includes:
B1. The submit-and-execute code routine of the user module calls the load_execute() function to load from a specified path and execute the malicious code to be analyzed; at the same time, the process information setting routine of the user module calls the get_process_info() function, which enters in turn each numerically named directory of the /proc file system;
B2. After entering each process directory, the process information setting routine performs a read() operation on the status file to obtain process information such as the executable name, process number pid, parent process number ppid, effective user EUID, effective group EGID and memory map mmaps;
B3. The information of each process is stored in a struct process_info structure and linked into the list processes_info;
B4. The process information setting routine calls the read_process_info() function to obtain the information of each process in turn from processes_info, and displays it to the user in interface form through show_process_info();
B5. The user adds and deletes process information through the two interface functions add_process_info() and del_process_info() provided by the user module;
B6. Based on the process information displayed by the user module, the user designates the malicious code process as the monitored process.
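Steps B1 and B2 above, as an added example that is not the patent's code: a C parser for the Name, Pid, PPid, Uid and Gid lines of /proc/<pid>/status, run over a constructed status text so that it needs no live /proc. The struct layout and every function name other than process_info are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Fields step B2 collects from /proc/<pid>/status (cf. the patent's struct process_info). */
struct process_info { char name[32]; pid_t pid, ppid; uid_t euid; gid_t egid; };

/* Step B1: a /proc entry is a process directory when its name is all digits. */
int is_pid_dir(const char *name)
{
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (*name < '0' || *name > '9') return 0;
    return 1;
}

/* Step B2: parse the "Key:\tvalue" lines of a status file. The Uid: and Gid:
 * lines carry real, effective, saved and filesystem ids; the effective id is
 * the second column. Returns 0 when all five fields were found, else -1. */
int parse_status(const char *text, struct process_info *out)
{
    enum { NAME = 1, PID = 2, PPID = 4, UID = 8, GID = 16, ALL = 31 };
    int found = 0, pid, ppid;
    unsigned real, eff;
    memset(out, 0, sizeof *out);
    for (const char *line = text; *line; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[128];
        if (len >= sizeof buf) len = sizeof buf - 1;   /* clamp; status lines are short */
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "Name:\t%31[^\n]", out->name) == 1)         found |= NAME;
        else if (sscanf(buf, "Pid:\t%d", &pid) == 1)              { out->pid = pid;   found |= PID; }
        else if (sscanf(buf, "PPid:\t%d", &ppid) == 1)            { out->ppid = ppid; found |= PPID; }
        else if (sscanf(buf, "Uid:\t%u\t%u", &real, &eff) == 2)   { out->euid = eff;  found |= UID; }
        else if (sscanf(buf, "Gid:\t%u\t%u", &real, &eff) == 2)   { out->egid = eff;  found |= GID; }
        if (!end) break;
        line = end + 1;
    }
    return found == ALL ? 0 : -1;
}

/* Constructed sample (not a capture), shaped like a real status file with most
 * fields omitted. The effective ids differ from the real ones on purpose. */
static const char SAMPLE_STATUS[] =
    "Name:\tsample\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t1234\n"
    "Pid:\t1234\n"
    "PPid:\t1\n"
    "Uid:\t1000\t1001\t1000\t1000\n"
    "Gid:\t1000\t1002\t1000\t1000\n"
    "VmPeak:\t    4096 kB\n";

/* Constructed sample with the PPid: line missing, to show the incomplete case. */
static const char INCOMPLETE_STATUS[] =
    "Name:\tx\nPid:\t7\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n";

/* Parsed copy of the sample, filled by parse_sample() so callers can inspect it. */
static struct process_info parsed;
int parse_sample(void)     { return parse_status(SAMPLE_STATUS, &parsed); }
int parse_incomplete(void) { struct process_info p; return parse_status(INCOMPLETE_STATUS, &p); }
```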
Further, step 3 includes:
C1. The user module transmits the critical file information and monitored process information to the monitoring module through the send_config_info() interface function of the communication module;
C2. The critical file control routine of the monitoring module calls proc_mkdir() and create_proc_entry() to create the directory key_file, and the file config_file under it, in the /proc file system;
C3. The process information control routine of the monitoring module calls proc_mkdir() and create_proc_entry() to create the directory process_info, and the file config_process under it, in the /proc file system;
C4. The proc communication routine of the communication module writes the critical file configuration information and process configuration information, through send_config_info(), into the files that the monitoring module created under /proc with create_proc_entry();
C5. The critical file control routine of the monitoring module obtains the critical file setting command written by the user module, together with its file information, from the /proc file system through the system calls sys_open() and sys_read();
C6. The critical file control routine calls the create_file_list() function to generate the critical file list synchronously, and updates the critical file list with the update_file_list() function;
C7. The process information control routine of the monitoring module obtains the process setting command written by the user module, together with its process information, from the /proc file system through the system calls sys_open() and sys_read();
C8. The process information control routine calls the create_process_list() function to generate the process information list synchronously, and updates the process information list with the update_process_list() function.
Further, step 4 includes:
D1. The system call interception and filtering routine of the monitoring module modifies the f_op object pointer in the file structure of the file opened by the process, so that it no longer points to the inode's file operation methods but instead jumps to the routine's function my_operation(struct file *fp, void *buf, filldir_t filldir);
D2. The my_operation() function obtains the file object of the file the process wants to operate on, and reads fp->f_uid and fp->f_dentry->d_name.name to obtain the owner UID and file name filename of that file;
D3. The filter_process_list(current->pid, ppid) function obtains the process number pid and parent process number ppid of the process that issued the system call. It first searches the process information list with the process number pid as the key; if a matching entry exists, the current process is a monitored process. If not, it searches the process information list with the parent process number ppid as the key; if that matches, the process is a child created by the monitored process the user set up and must be monitored as well. If neither matches, the function returns;
D4. The filter_file_list(UID, filename) function searches the critical file list using the owner UID and file name filename of the current file object as the key; if the critical file list contains an entry matching both, the current file is a critical file set by the user; otherwise the function returns;
D5. The cmp_authority() function compares the effective user EUID and effective group EGID of the process with the owner UID and group GID of the critical file and, according to the access rights set for the critical file's owner and group, decides whether the operation is refused or allowed.
Further, step 5 includes:
E1. If the monitored malicious code process has the right to access the critical file, its access is allowed, and the process information, critical file information and access operation information are recorded in the log queue struct log_queue through the write_log_info() function;
E2. If the monitored malicious code process does not have the right to access the critical file, its access is refused, and the process information, critical file information and operation information are likewise recorded in the log queue struct log_queue through the write_log_info() function;
E3. The information recorded by the write_log_info() function includes the executable name, process number pid, parent process number ppid, effective user EUID and effective group EGID of the monitored process; the file name filename, owner UID and group GID of the critical file operated on; and the command executed, such as file I/O operations (read, write), moving the file pointer (lseek), or opening, closing and creating files (open, close, create);
E4. The monitoring module calls get_share_memory() to obtain a block of shared memory in the kernel, then passes the attributes of this shared memory, namely its start address sharememory_addr and length sharememory_size, to the user module through the proc file system;
E5. The user module reads the start address and length of the shared memory from the proc file system and maps the shared memory block by calling mmap();
E6. The monitoring module writes the log into this shared memory, and the user module reads the log information from the shared memory block with the read() function.
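Steps D3 to D5 and E1 to E3 above, modelled in user space as an added example (not the patent's code): the pid-then-ppid process match, the UID-plus-filename file match, the permission comparison and the log record, with a constructed configuration standing in for what the user module sends down in step C1. The function names follow the description, but their signatures, the rwx encoding of the access rights and the ring-buffer log queue are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_LOG  16
#define OP_READ  4   /* requested operation, expressed as rwx permission bits */
#define OP_WRITE 2
#define N(a) ((int)(sizeof (a) / sizeof (a)[0]))

/* Monitored process (cf. the patent's struct process_info). */
struct process_info { char name[32]; pid_t pid, ppid; uid_t euid; gid_t egid; };
/* Critical file from step A1: owner, group, and an rwx mode holding the access rights. */
struct key_file { char filename[64]; uid_t uid; gid_t gid; unsigned mode; };
/* One record with the fields listed in step E3. */
struct log_entry { char name[32]; pid_t pid, ppid; uid_t euid; gid_t egid;
                   char filename[64]; uid_t uid; gid_t gid; unsigned op; int allowed; };
/* Ring buffer standing in for the patent's struct log_queue. */
static struct { struct log_entry e[MAX_LOG]; int head, tail; } log_q;

/* Constructed sample configuration (not real data): what the user module
 * would have sent down through /proc in step C1. */
static const struct process_info processes_info[] = { { "sample", 1234, 1, 1000, 1000 } };
static const struct key_file key_files[] = {
    { "/etc/passwd",        0,    0,    0644 },   /* rw-r--r-- */
    { "/home/alice/secret", 1000, 1000, 0600 },   /* rw------- */
};

/* Step D3: match on pid first, then on ppid so that children spawned by the
 * monitored process are caught too. Returns the matched entry or NULL. */
const struct process_info *filter_process_list(pid_t pid, pid_t ppid)
{
    for (int i = 0; i < N(processes_info); i++)
        if (processes_info[i].pid == pid) return &processes_info[i];
    for (int i = 0; i < N(processes_info); i++)
        if (processes_info[i].pid == ppid) return &processes_info[i];
    return NULL;
}

/* Step D4: owner UID and file name must both match. */
const struct key_file *filter_file_list(uid_t uid, const char *filename)
{
    for (int i = 0; i < N(key_files); i++)
        if (key_files[i].uid == uid && strcmp(key_files[i].filename, filename) == 0)
            return &key_files[i];
    return NULL;
}

/* Step D5: pick the owner, group or other triplet of the critical file's mode
 * and require every bit of the requested operation to be set in it. */
int cmp_authority(uid_t euid, gid_t egid, const struct key_file *f, unsigned op)
{
    unsigned bits = (euid == f->uid) ? (f->mode >> 6) & 7
                  : (egid == f->gid) ? (f->mode >> 3) & 7 : f->mode & 7;
    return (bits & op) == op;
}

/* Steps E1-E3: record the access whether allowed or refused.
 * Returns -1 when the queue is full so the caller knows the record was lost. */
int write_log_info(const char *name, pid_t pid, pid_t ppid, uid_t euid, gid_t egid,
                   const struct key_file *f, unsigned op, int allowed)
{
    int next = (log_q.tail + 1) % MAX_LOG;
    if (next == log_q.head) return -1;
    struct log_entry *e = &log_q.e[log_q.tail];
    snprintf(e->name, sizeof e->name, "%s", name);
    snprintf(e->filename, sizeof e->filename, "%s", f->filename);
    e->pid = pid; e->ppid = ppid; e->euid = euid; e->egid = egid;
    e->uid = f->uid; e->gid = f->gid; e->op = op; e->allowed = allowed;
    log_q.tail = next;
    return 0;
}

/* Decision point of the interception routine (the patent's my_operation()),
 * taking plain values instead of a struct file. Returns 1 = allow, 0 = refuse,
 * -1 = not a monitored process or not a critical file (pass through). */
int my_operation(pid_t pid, pid_t ppid, uid_t euid, gid_t egid,
                 uid_t file_uid, const char *filename, unsigned op)
{
    const struct process_info *p = filter_process_list(pid, ppid);
    if (!p) return -1;
    const struct key_file *f = filter_file_list(file_uid, filename);
    if (!f) return -1;
    int allowed = cmp_authority(euid, egid, f, op);
    write_log_info(p->name, pid, ppid, euid, egid, f, op, allowed);
    return allowed;
}

/* Records waiting for the user module to fetch (steps F1-F2). */
int log_count(void) { return (log_q.tail - log_q.head + MAX_LOG) % MAX_LOG; }
```

Note that a file owned by a different user whose name matches is not treated as the critical file, and that a process not in the list (nor a child of one) falls through untouched, both as steps D3 and D4 describe.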
Further, step 6 includes:
F1. The communication module calls get_log_info() to obtain log information from the monitoring module's log queue struct log_queue;
F2. The mmap communication routine writes the obtained log information, through send_log_info(), into the shared memory that the monitoring module created with get_share_memory();
F3. The mmap communication routine asynchronously notifies the log processing routine of the user module to read the log information;
F4. The log processing routine calls read_log() to read the log information from the shared memory created by the monitoring module, processes it, and then calls write_log() to store it in the log buffer;
F5. The log processing routine calls get_log() to extract the log from the log buffer and displays the log information in the form of an interface through show_log().
Further, in step 6:
G1. The log information supplied to the user for analysis includes the executable name, process number pid, parent process number ppid, effective user EUID and effective group EGID of the monitored process; the file name filename, owner UID and group GID of the critical file accessed; and the operation command (such as read, write, create or close);
G2. The user analyzes the malicious code according to the monitored process's operation records on critical files.
Of course, the invention may also have various other embodiments. Without departing from the spirit and essence of the invention, those skilled in the art can make various corresponding changes and variations according to the invention, but all such changes and variations fall within the scope of protection of the appended claims.

Claims (8)

1. A malicious code analysis method under the Linux platform, characterized in that it includes:
Step 1: setting the critical file information to be monitored and displaying it in interface form, wherein the critical file information includes the file name, the file's owner UID and group GID, and the file access rights;
Step 2: loading and executing the malicious code to be analyzed, and at the same time setting the processes to be monitored according to the processes shown on the interface;
Step 3: passing the critical file information and monitored process information to a monitoring module in kernel space, the monitoring module synchronously generating a critical file list and a monitored process information list from the critical file information and the monitored process information;
Step 4: the monitoring module monitoring in real time the monitored process's accesses to critical files and, according to the access rights of the critical file and of the monitored process, refusing or allowing the monitored process's operation on the critical file;
Step 5: the monitoring module recording the monitored process's operations on critical files, and saving the monitored process's operation information on critical files in a log queue;
Step 6: passing the log information in the log queue to a log processing routine of a user module, and displaying the log information in interface form;
wherein step 6 includes:
Step 61: obtaining log information from the log queue, and writing the obtained log information into shared memory created by the monitoring module;
Step 62: asynchronously notifying the log processing routine; the log processing routine reading the log information, processing it, storing it in a log buffer, and displaying the log information in the log buffer to the user in interface form.
2. The malicious code analysis method under the Linux platform as claimed in claim 1, characterized in that step 2 includes:
Step 21: entering in turn each numerically named directory of the /proc file system, performing a read() operation on the status file in each directory, and obtaining process information, the process information including the executable name, process number, parent process number, effective user EUID, effective group EGID and memory map;
Step 22: storing the process information in a struct process_info structure and linking it into a linked list;
Step 23: obtaining the process information from the linked list in turn and displaying it to the user in interface form;
Step 24: the user designating the malicious code process as the monitored process according to the displayed process information.
3. The malicious code analysis method under the Linux platform as claimed in claim 1, characterized in that step 4 includes:
Step 41: the monitoring module intercepting the system call passed down from the VFS layer by modifying the VFS function jump table to point to a self-defined interception function, and obtaining the file object to be operated on by the upper-layer system call;
Step 42: the filter_process_hash() function obtaining the process number and parent process number of the process that issued the system call, and searching the monitored process information list in turn with the process number as the key; if a match is found, the current process is a monitored process; if no match is found, searching the monitored process information list in turn with the parent process number as the key; if a match is found, the current process is a monitored process and step 43 is executed; if no match is found, performing no processing and continuing to execute the underlying file system's concrete handling function; the filter_file_hash() function intercepting the file object to be operated on, obtaining from it the file name and owner UID of the critical file, and searching the critical file list in turn with the file name and owner UID as the key; if both match, the current file is a monitored critical file and step 43 is executed; otherwise performing no processing and continuing to execute the underlying file system's concrete handling function;
Step 43: comparing the permissions of the monitored process and the critical file and, according to the result, refusing or allowing the monitored process's operation on the critical file.
4. The malicious code analysis method under the Linux platform as claimed in claim 1, characterized in that in step 6:
the log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process; the file name, owner UID and group GID of the critical file operated on; and the operation command.
5. A malicious code analysis system under the Linux platform, characterized in that it includes:
a preprocessing module, which sets the critical file information to be monitored and displays it in interface form, wherein the critical file information includes the file name, the file's owner UID and group GID, and the file access rights;
a malicious code loading module, which loads and executes the malicious code to be analyzed and at the same time sets the processes to be monitored according to the processes shown on the interface;
a synchronous generation module, which passes the critical file information and monitored process information to the monitoring module in kernel space, the monitoring module synchronously generating a critical file list and a monitored process information list from the critical file information and the monitored process information;
a monitoring processing module, in which the monitoring module monitors in real time the monitored process's accesses to critical files and, according to the access rights of the critical file and of the monitored process, refuses or allows the monitored process's operation on the critical file;
a record saving module, in which the monitoring module records the monitored process's operations on critical files and saves the monitored process's operation information on critical files in a log queue;
a transmission and display module, which passes the log information in the log queue to the log processing routine of the user module and displays the log information in interface form;
wherein the transmission and display module includes:
a write processing module, which obtains log information from the log queue and writes the obtained log information into the shared memory created by the monitoring module;
an asynchronous processing module, which asynchronously notifies the log processing routine; the log processing routine reads the log information, processes it, stores it in the log buffer, and displays the log information in the log buffer to the user in interface form.
6. The malicious code analysis system under the Linux platform as claimed in claim 5, characterized in that the malicious code loading module includes:
an operation processing module, which enters in turn each numerically named directory of the /proc file system, performs a read() operation on the status file in each directory, and obtains process information, the process information including the executable name, process number, parent process number, effective user EUID, effective group EGID and memory map;
a link processing module, which stores the process information in a struct process_info structure and links it into a linked list;
an obtain-and-display module, which obtains the process information from the linked list in turn and displays it to the user in interface form;
a designation processing module, in which the user designates the malicious code process as the monitored process according to the displayed process information.
7. The malicious code analysis system under the Linux platform as claimed in claim 5, characterized in that the monitoring processing module includes:
an interception processing module, in which the monitoring module intercepts the system call passed down from the VFS layer by modifying the VFS function jump table to point to a self-defined interception function, and obtains the file object to be operated on by the upper-layer system call;
a comparison processing module, in which the filter_process_hash() function obtains the process number and parent process number of the process that issued the system call and searches the monitored process information list in turn with the process number as the key; if a match is found, the current process is a monitored process; if no match is found, it searches the monitored process information list in turn with the parent process number as the key; if a match is found, the current process is a monitored process and control enters the execution module; if no match is found, no processing is performed and execution continues into the underlying file system's concrete handling function; the filter_file_hash() function intercepts the file object to be operated on, obtains from it the file name and owner UID of the critical file, and searches the critical file list in turn with the file name and owner UID as the key; if both match, the current file is a monitored critical file and control enters the execution module; otherwise no processing is performed and execution continues into the underlying file system's concrete handling function;
an execution module, which compares the permissions of the monitored process and the critical file and, according to the result, refuses or allows the monitored process's operation on the critical file.
8. The malicious code analysis system under the Linux platform as claimed in claim 5, characterized in that in the transmission and display module:
the log information includes the executable name, process number, parent process number, effective user EUID and effective group EGID of the monitored process; the file name, owner UID and group GID of the critical file operated on; and the operation command.
CN201310123502.9A 2013-04-10 2013-04-10 Malicious code analysis method and system under Linux platform Active CN104102878B (en)

Publications (2)

Publication Number Publication Date
CN104102878A CN104102878A (en) 2014-10-15
CN104102878B true CN104102878B (en) 2017-02-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240320

Address after: Room 711C, Floor 7, Building A, Yard 19, Ronghua Middle Road, Daxing District, Beijing Economic-Technological Development Area, 100176

Patentee after: Beijing Zhongke Flux Technology Co.,Ltd.

Country or region after: China

Address before: 100190 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing, Haidian District

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

Country or region before: China

TR01 Transfer of patent right