CN104537306A - Method and device for recognizing virus file - Google Patents


Info

Publication number: CN104537306A
Authority: CN (China)
Prior art keywords: deciphering, data, virus, script, script file
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201510016091.2A
Other languages: Chinese (zh)
Inventor: 郭明强
Current assignee: Baidu Online Network Technology Beijing Co Ltd; Beijing Baidu Netcom Science and Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by: Beijing Baidu Netcom Science and Technology Co Ltd
Priority date: 2015-01-13 (the priority date is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2015-01-13
Publication date: 2015-04-22

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition

Abstract

The invention discloses a method and device for recognizing a virus file. The method includes the following steps: when a script host program executes an encrypted script file, a system function is called to carry out self-decryption and the decrypted data are obtained; a script virus engine is then called to scan the data and judge whether they are a virus, and if so, a virus alert is raised for the script file. With this method and device, an encrypted virus file can be effectively recognized during its self-decryption, which improves virus recognition efficiency and blocks the virus threat.

Description

Method and device for recognizing a virus file
Technical field
The present invention relates to the field of scanning and identifying virus files, and specifically to a method and a device for recognizing a virus file.
Background technology
With the rapid development of computer networks, virus files are spreading and mutating at an ever faster pace. Among them, VB viruses (Visual Basic) are viruses written in VBScript (VB script). Their scripting capability is very powerful: they exploit the open characteristics of the Windows system and, by calling ready-made Windows objects and components, can directly manipulate the file system, the registry and so on. Furthermore, VBScript viruses use a wide variety of encryption methods, and an encrypted virus usually cannot be judged from its form. Frequently attempting tentative decryption causes an excessive amount of computation over the unformatted data files in the computer, while one-to-one recognition methods such as hashing are inefficient.
Therefore, the recognition efficiency for currently encrypted VBScript viruses is low and a security threat exists, so a method and device that can effectively identify such virus files is urgently needed.
Summary of the invention
To solve the problem that the recognition efficiency for currently encrypted VBScript viruses is low and a security threat exists, embodiments of the present invention provide a method and a device for recognizing a virus file.
In one aspect, an embodiment of the present invention provides a method for recognizing a virus file, the method comprising:
when a script host program executes an encrypted script file, performing self-decryption by calling a system function, and obtaining the decrypted data;
invoking a script virus engine to scan the data and determine whether they are a virus, and if so, raising a virus alert for the script file.
Correspondingly, an embodiment of the present invention further provides a device for recognizing a virus file, the device comprising:
a call-decryption module, for performing self-decryption by calling a system function when a script host program executes an encrypted script file, and obtaining the decrypted data;
a virus judgement module, for invoking a script virus engine to scan the data and determine whether they are a virus, and if so, raising a virus alert for the script file.
Implementing the various embodiments of the present invention has the following beneficial effect: an encrypted virus file can be effectively identified during its decryption process, which improves virus recognition efficiency and blocks the virus threat.
Brief description of the drawings
Fig. 1 is a flowchart of the method for recognizing a virus file according to an embodiment of the present invention;
Fig. 2 is a flowchart of one embodiment of the method for recognizing a virus file of the present invention;
Fig. 3 is an architecture diagram of the device for recognizing a virus file according to an embodiment of the present invention;
Fig. 4 is a block diagram of the call-decryption module 100 shown in Fig. 3.
Embodiment
The various aspects of the present invention are described in detail below with reference to the drawings and specific embodiments. Well-known modules and units, and the connections, links, communications or operations between them, are not shown or not described in detail. Furthermore, the described features, architectures or functions may be combined in any way in one or more embodiments. Those skilled in the art will appreciate that the following embodiments serve only to illustrate, not to limit, the scope of the invention. It will also be readily understood that the modules, units or processing described herein and shown in the drawings may be combined and designed in a variety of different configurations.
Fig. 1 is a flowchart of the method for recognizing a virus file according to an embodiment of the present invention. Referring to Fig. 1, the method comprises:
S1: when the script host program executes an encrypted script file, self-decryption is carried out by calling a system function, and the decrypted data are obtained. The script host program is the object that the script file depends on at runtime; calling a system function means calling the documented and undocumented interfaces of the Microsoft Windows operating system; self-decryption means that the Windows operating system itself executes the decryption function and decrypts the encrypted data. Obtaining the decrypted data comprises: after the self-decryption, acquiring and extracting the decrypted data by API hook technology. API hook technology modifies the original API execution flow so that execution enters the hooker's target code and runs a non-original API flow; an API is an application programming interface provided by the Windows operating system. By modifying the original API execution flow, the self-decryption step catches the moment just after the operating system has decrypted, and so obtains the data after the operating system's decryption. The self-decryption process comprises: for the decrypted script file, judging whether its "decryption performed" flag is set; if not, executing the code that was modified and overwritten in the API and returning to the original program, which continues with the API code below the modified hook memory address; if so, obtaining the decrypted data. Through this flag judgement, the presence of the flag indicates that the data have been decrypted, while its absence indicates that no decryption took place; the number of scans therefore differs, the former case being more efficient, so that the data are handled more selectively and data-processing efficiency improves. Obtaining the decrypted data further comprises: obtaining the decrypted data and transcoding the characters in the data (for example, converting the character string from Unicode encoding to ASCII encoding); the transcoded data have relatively fewer candidates to match, which makes virus scanning more convenient.
S2: the script virus engine is invoked to scan the data and determine whether they are a virus. If so, a virus alert is raised for the script file being executed by the script parser; if not, the code that was modified and overwritten in the API is executed and control returns to the original program, which continues with the API code below the modified hook memory address.
By adopting the method of the present invention, an encrypted virus file can be effectively identified during its decryption process, which improves virus recognition efficiency and blocks the virus threat.
Fig. 2 is a flowchart of one embodiment of the method for recognizing a virus file of the present invention. Referring to Fig. 2, the method comprises:
S10: when the script host program (wscript.exe or cscript.exe on the Microsoft Windows operating system) runs, the internal calls "VbsExecute" and "Var::Pvargetvarval" in the vbscript.dll loaded after every process start are modified by API hook technology. An internal call means an API that the Windows operating system does not export or document. The modification is similar to the API hook technique described above: the jmp instruction of the x86 CPU instruction set can be used to overwrite some bytes of the original program, forcing a jump into the target code; after the target code completes, the overwritten code is executed and control jumps back to the original program code. As a result, step S30 is performed when the "VbsExecute" code executes, and step S20 is performed when the "Var::Pvargetvarval" code executes. vbscript.dll is the dynamic library that the Windows operating system provides for parsing and executing VBS scripts.
S20: after the modified "Var::Pvargetvarval" is called, it is first judged whether the "executed" flag has been set, i.e. S21: judge whether the flag value is empty. If the flag is not set, S50 is performed and execution returns to the original program; if it is set, S22 is performed to obtain the returned data structure, followed by S23: locate the address of the decrypted characters in the data structure, obtain the character length, convert the character string from Unicode encoding to ASCII encoding, output it, and perform S40.
S30: when the encrypted script file executes its self-decryption, it enters the API hook process and thus the modified "VbsExecute" process; step S31 sets an "executed" flag, and step S32 then returns to executing the original "VbsExecute" code.
S40: the script virus engine is invoked to scan the output data. S41: determine whether it is a virus; if so, perform S42 and report the script file as a virus; if not, perform S50.
S50: return to the original "Var::Pvargetvarval" code and continue execution.
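The flow of steps S10 to S50, together with the transcoding of S23, as an added model in C that is not the patent's or Microsoft's code: the two internal calls are plain functions reached through pointers, so swapping the pointers stands in for the jmp patch, a byte-wise XOR of a constructed script stands in for the self-decryption, and the signature list and script contents are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the two-hook flow (S10-S50), not the patent's or
 * Microsoft's code. "VbsExecute" and "Var::Pvargetvarval" are plain C
 * functions reached through pointers; swapping the pointers models the inline
 * jmp patch. UTF-16LE arrays stand in for the BSTR of the returned structure. */

typedef struct { const uint16_t *chars; size_t len; } VarString;

static int  g_exec_flag = 0;       /* flag set by the VbsExecute hook (S31) */
static int  g_scan_count = 0;      /* engine invocations (S40) */
static int  g_alert_count = 0;     /* virus reports (S42) */
static char g_last_scanned[256];   /* ASCII copy of the last data scanned */
static uint16_t g_decrypted[256];  /* the variable holding the decrypted script */

/* Constructed signatures for a toy script virus engine: 1 = virus, 0 = clean. */
static const char *SIGNATURES[] = { "Scripting.FileSystemObject", "WScript.ScriptFullName" };
int script_virus_engine(const char *ascii) {
    for (size_t i = 0; i < sizeof SIGNATURES / sizeof *SIGNATURES; i++)
        if (strstr(ascii, SIGNATURES[i])) return 1;
    return 0;
}

/* Transcoding step (S23): UTF-16LE to ASCII; non-ASCII code units become '?'. */
size_t utf16_to_ascii(const VarString *v, char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < v->len && n + 1 < cap; i++)
        out[n++] = v->chars[i] < 0x80 ? (char)v->chars[i] : '?';
    out[n] = '\0';
    return n;
}

/* --- the two "system functions" in their original form --- */
static VarString orig_pvar_get_var_val(void) {   /* returns the variable's string value */
    VarString v = { g_decrypted, 0 };
    while (v.len < 256 && g_decrypted[v.len]) v.len++;
    return v;
}
static VarString (*p_pvar_get_var_val)(void) = orig_pvar_get_var_val;

/* The encrypted script self-decrypts (constructed: byte-wise XOR with a key),
 * stores the plaintext in a variable and reads it back through PvarGetVarVal
 * before running it; "running" is modelled as returning the script length. */
static int orig_vbs_execute(const uint8_t *enc, size_t len, uint8_t key) {
    if (len >= 256) return -1;
    for (size_t i = 0; i < len; i++) g_decrypted[i] = (uint16_t)(enc[i] ^ key);
    g_decrypted[len] = 0;
    return (int)p_pvar_get_var_val().len;
}
static int (*p_vbs_execute)(const uint8_t *, size_t, uint8_t) = orig_vbs_execute;

/* --- the hooks (S30 and S20) --- */
static int hooked_vbs_execute(const uint8_t *enc, size_t len, uint8_t key) {
    g_exec_flag = 1;                              /* S31: decryption is under way */
    int r = orig_vbs_execute(enc, len, key);      /* S32: back into the original code */
    g_exec_flag = 0;                              /* modelling choice: clear on return */
    return r;
}
static VarString hooked_pvar_get_var_val(void) {
    VarString v = orig_pvar_get_var_val();        /* S22: the returned data structure */
    if (!g_exec_flag) return v;                   /* S21: flag empty, take S50 only */
    utf16_to_ascii(&v, g_last_scanned, sizeof g_last_scanned);   /* S23 */
    g_scan_count++;                               /* S40: hand the data to the engine */
    if (script_virus_engine(g_last_scanned)) g_alert_count++;    /* S41/S42 */
    return v;                                     /* S50: original path resumes */
}

void install_hooks(void)   { p_vbs_execute = hooked_vbs_execute; p_pvar_get_var_val = hooked_pvar_get_var_val; }
void uninstall_hooks(void) { p_vbs_execute = orig_vbs_execute;   p_pvar_get_var_val = orig_pvar_get_var_val; }

/* The host runs an encrypted script through whatever VbsExecute currently points at. */
int host_run_encrypted(const char *plain, uint8_t key) {
    uint8_t enc[256]; size_t n = strlen(plain);
    if (n >= 256) return -1;
    for (size_t i = 0; i < n; i++) enc[i] = (uint8_t)plain[i] ^ key;   /* constructed "encryption" */
    return p_vbs_execute(enc, n, key);
}
int scan_count(void)           { return g_scan_count; }
int alert_count(void)          { return g_alert_count; }
const char *last_scanned(void) { return g_last_scanned; }
```

Without the hooks the decrypted text is never observed; with them, every value read back during a VbsExecute call is transcoded and scanned, while reads outside such a call pass straight through.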
Fig. 3 is an architecture diagram of the device 1 for recognizing a virus file according to an embodiment of the present invention. Referring to Fig. 3, the device 1 comprises:
a call-decryption module 100, for performing self-decryption by calling a system function when the script host program executes an encrypted script file, and obtaining the decrypted data. The script host program is the object that the script file depends on at runtime; calling a system function means calling the documented and undocumented interfaces of the Microsoft Windows operating system; self-decryption means that the Windows operating system itself executes the decryption function and decrypts the encrypted data;
a virus judgement module 200, for invoking a script virus engine to scan the data and determine whether they are a virus; if so, a virus alert is raised for the script file; if not, the code that was modified and overwritten in the API is executed and control returns to the original program, which continues with the API code below the modified hook memory address.
By adopting the device of the present invention, an encrypted virus file can be effectively identified during its decryption process, which improves virus recognition efficiency and blocks the virus threat.
Fig. 4 is a block diagram of the call-decryption module 100 shown in Fig. 3. Referring to Fig. 4, the call-decryption module 100 comprises:
a decryption unit 110, for performing self-decryption through the called system function: by modifying the original API execution flow it catches the moment just after the operating system has decrypted and obtains the data after the operating system's decryption;
an extraction unit 120, for acquiring and extracting the decrypted data by API hook technology, which modifies the original API execution flow so that execution enters the hooker's target code and runs a non-original API flow.
It should be noted that the call-decryption module may further comprise:
a decryption-flag unit, for judging, for the decrypted script file, whether its "decryption performed" flag is set; if not, the code that was modified and overwritten in the API is executed and control returns to the original program, which continues with the API code below the modified hook memory address; if so, the decrypted data are obtained. Through this flag judgement, the presence of the flag indicates that the data have been decrypted, while its absence indicates that no decryption took place; the number of scans therefore differs, the former case being more efficient, so that the data are handled more selectively and data-processing efficiency improves;
a transcoding unit, for obtaining the decrypted data and transcoding the characters in the data (for example, converting the characters from Unicode encoding to ASCII encoding). The transcoded data have relatively fewer candidates to match, which makes virus scanning more convenient.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software in combination with a hardware platform, or entirely in hardware. On this understanding, the part of the technical solution of the present invention that contributes over the background art can be embodied, in whole or in part, in the form of a software product stored on a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a smartphone, a network device, etc.) to perform the method described in some or all of the embodiments of the present invention.
The terms and wording used in the specification of the present invention are for illustration only and are not intended to be limiting. Those skilled in the art will appreciate that various changes can be made to the details of the above embodiments without departing from the basic principles of the disclosed embodiments. Therefore, the scope of the present invention is determined solely by the claims, in which, unless otherwise stated, all terms are to be understood in their broadest reasonable meaning.

Claims (10)

1. A method for recognizing a virus file, characterized in that the method comprises:
when a script host program executes an encrypted script file, performing self-decryption by calling a system function, and obtaining the decrypted data;
invoking a script virus engine to scan the data and determine whether they are a virus, and if so, raising a virus alert for the script file.
2. The method of claim 1, characterized in that obtaining the decrypted data comprises:
after the self-decryption, acquiring and extracting the decrypted data by API hook technology.
3. The method of claim 1, characterized in that the self-decryption process comprises:
for the decrypted script file, judging whether its decryption-performed flag is set; if not, returning to the original program for execution; if so, obtaining the decrypted data.
4. The method of claim 3, characterized in that obtaining the decrypted data comprises:
obtaining the decrypted data and transcoding the characters in the data.
5. The method of claim 4, characterized in that transcoding the characters in the data comprises:
converting the characters from Unicode encoding to ASCII encoding.
6. A device for recognizing a virus file, characterized in that the device comprises:
a call-decryption module, for performing self-decryption by calling a system function when a script host program executes an encrypted script file, and obtaining the decrypted data;
a virus judgement module, for invoking a script virus engine to scan the data and determine whether they are a virus, and if so, raising a virus alert for the script file.
7. The device of claim 6, characterized in that the call-decryption module comprises:
a decryption unit, for performing self-decryption through the called system function;
an extraction unit, for acquiring and extracting the decrypted data by hook technology.
8. The device of claim 7, characterized in that the call-decryption module further comprises:
a decryption-flag unit, for judging, for the decrypted script file, whether its decryption-performed flag is set; if not, returning to the original program for execution; if so, obtaining the decrypted data.
9. The device of claim 8, characterized in that the call-decryption module further comprises:
a transcoding unit, for obtaining the decrypted data and transcoding the characters in the data.
10. The device of claim 9, characterized in that transcoding the characters comprises:
converting the characters from Unicode encoding to ASCII encoding.
Priority Applications (1)

Application Number: CN201510016091.2A | Priority Date: 2015-01-13 | Filing Date: 2015-01-13 | Title: Method and device for recognizing virus file

Publications (1)

Publication Number: CN104537306A (en) | Publication Date: 2015-04-22

Family

ID=52852828

Country Status (1)

Country: CN (1) | Link: CN104537306A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108229112A (en) * | 2016-12-22 | 2018-06-29 | 阿里巴巴集团控股有限公司 | A kind of operation method and device for protecting application program, application program
CN108229112B (en) * | 2016-12-22 | 2022-06-03 | 阿里巴巴集团控股有限公司 | Protection application program, and running method and device of application program
CN114036517A (en) * | 2021-11-02 | 2022-02-11 | 安天科技集团股份有限公司 | Virus identification method and device, electronic equipment and storage medium
KR102549124B1 (en) * | 2022-12-15 | 2023-06-29 | 시큐레터 주식회사 | Methods and apparatus for detecting and decoding obfuscated vbscript

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20020073330A1 (en) * | 2000-07-14 | 2002-06-13 | Computer Associates Think, Inc. | Detection of polymorphic script language viruses by data driven lexical analysis
CN1983295A (en) * | 2005-12-12 | 2007-06-20 | 北京瑞星国际软件有限公司 | Method and device for recognizing virus
CN101667230A (en) * | 2008-09-02 | 2010-03-10 | 北京瑞星国际软件有限公司 | Method and device for monitoring script execution
CN103258163A (en) * | 2013-05-15 | 2013-08-21 | 腾讯科技(深圳)有限公司 | Script virus identifying method, script virus identifying device and script virus identifying system
CN104252596A (en) * | 2013-06-28 | 2014-12-31 | 贝壳网际(北京)安全技术有限公司 | Script virus monitoring method and device


Legal Events

Code | Title
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 2015-04-22