CN104751057A - Method and device used for enhancing safety of computer system - Google Patents

Method and device used for enhancing safety of computer system

Info

Publication number: CN104751057A
Authority: CN (China)
Prior art keywords: path, virtualized environment, file object, data structure, bottom data
Legal status: Granted (Google's assumption, not a legal conclusion)
Application number: CN201510111889.5A
Other languages: Chinese (zh)
Other versions: CN104751057B (en)
Inventors: 易鸿斌, 姜辉, 杨猛, 陈唐晖
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd (assignee listing may be inaccurate)
Original assignee: Anyi Hengtong Beijing Technology Co Ltd
Application filed by Anyi Hengtong Beijing Technology Co Ltd
Priority to CN201510111889.5A
Publication of CN104751057A
Application granted; publication of CN104751057B
Legal status: Active

Landscapes

  • Stored Programmes (AREA)

Abstract

The invention provides a method and device for enhancing the security of a computer system. The method comprises the following steps: for a file object associated with a program running in a virtualized environment, the underlying (bottom-layer) data structure of the file object is obtained; and a non-virtualized-environment path is used in that underlying data structure to indicate the path associated with the file object. Because a program running in the virtualized environment can then no longer determine from its process path or from a file path whether it is running in a virtualized environment, the method and device effectively prevent malware from hiding its malicious behaviour, on perceiving that it runs in a virtualized environment, in order to evade detection by security software. Compared with the prior art, the method solves the problem thoroughly, has little effect on system stability and efficiency, and enhances the security of the computer system.

Description

Method and device for enhancing computer system security
Technical field
The present invention relates to the field of security, and in particular to a method and device for enhancing computer system security.
Background technology
In the prior art, a sandbox is one part of the dynamic protection technology of security software. A sandbox provides an isolated, virtualized operating platform in which a program can run normally without affecting any other part of the computer system. A program running in a sandbox can, however, query its own process path or the paths of the files it has created, and by checking whether those paths contain the sandbox's virtualized-environment path prefix it can perceive that it is running in a virtualized environment. For an unknown program, a user can first try running it in the virtualized environment to determine whether it is safe, and run it in the real system environment only after confirming that it is. Some malware uses the method above to perceive that it is running in a virtualized environment, hides its malicious behaviour while it runs there, and so escapes detection by the security software. To overcome this, the prior art intercepts, as far as possible, every operation that obtains a process path or a file path, so as to block the program's perception of its running environment. This approach needs too many interception points, so it cannot guarantee complete and thorough coverage, and it may also affect the stability and efficiency of the system. How to prevent a program from perceiving its virtual running environment more effectively is therefore a problem that needs to be solved.
Summary of the invention
The object of the present invention is to provide a method and device for enhancing computer system security.
According to one aspect of the present invention, a method for enhancing computer system security is provided, the method comprising the following steps:
- for a file object associated with a program running in a virtualized environment, obtaining the underlying data structure of the file object;
- in the underlying data structure of the file object, using a non-virtualized-environment path, the non-virtualized-environment path being used to indicate the path associated with the file object.
According to another aspect of the present invention, a device for enhancing computer system security is provided, the device comprising:
- a device for obtaining, for a file object associated with a program running in a virtualized environment, the underlying data structure of the file object;
- a device for using a non-virtualized-environment path in the underlying data structure of the file object, the non-virtualized-environment path being used to indicate the path associated with the file object.
The invention makes it impossible for a program running in a virtualized environment to determine, from its process path or from a file path, whether it is running in a virtualized environment. It therefore effectively prevents malware from hiding its malicious behaviour, on perceiving that it runs in a virtualized environment, in order to escape detection by security software. Compared with the prior art, the method of the invention solves the problem above thoroughly and has little effect on system stability and efficiency, thereby enhancing the security of the computer system.
Accompanying drawing explanation
Other features, objects and advantages of the present invention will become more apparent by reading the following detailed description of non-limiting embodiments, made with reference to the following drawings:
Fig. 1 shows a flow chart of the method for enhancing computer system security according to an embodiment of one aspect of the invention;
Fig. 2 shows a schematic diagram of the device for enhancing computer system security according to an embodiment of another aspect of the invention.
In the drawings, the same or similar reference numerals denote the same or similar components.
Embodiment
Before the exemplary embodiments are discussed in more detail, it should be mentioned that some exemplary embodiments are described as processes or methods depicted as flow charts. Although a flow chart describes the operations as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously, and the order of the operations can be rearranged. A process may be terminated when its operations are completed, but it may also have additional steps not included in the drawings. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, and so on.
In this context, a "computer device", also referred to as a "computer", means an intelligent electronic device that can execute predetermined processing such as numerical calculation and/or logical calculation by running preset programs or instructions. It may comprise a processor and a memory, with the processor executing instructions pre-stored in the memory to carry out the predetermined processing; the predetermined processing may also be carried out by hardware such as an ASIC, FPGA or DSP, or by a combination of the two. Computer devices include, but are not limited to, servers, personal computers, notebook computers, tablet computers, smartphones, and so on.
The computer devices include user equipment and network equipment. User equipment includes, but is not limited to, computers, smartphones, PDAs, and so on; network equipment includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing, a super virtual computer composed of a group of loosely coupled computers. A computer device may implement the present invention running alone, or by accessing a network and interacting with other computer devices in the network. The network in which the computer device is located includes, but is not limited to, the Internet, wide area networks, metropolitan area networks, local area networks, VPNs, and so on.
It should be noted that the user equipment, network equipment and networks above are only examples; other existing or future computer devices or networks, if applicable to the present invention, should also be included within its scope and are incorporated herein by reference.
The methods discussed below (some of which are illustrated by flow charts) may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments that perform the necessary tasks may be stored in a machine-readable or computer-readable medium (such as a storage medium), and one or more processors may perform the necessary tasks.
The specific structural and functional details disclosed herein are merely representative and serve to describe exemplary embodiments of the present invention. The present invention may, however, be embodied in many alternative forms and should not be construed as limited to the embodiments set forth herein.
It should be understood that although the terms "first", "second" and so on may be used herein to describe units, these units should not be limited by these terms. These terms are used only to distinguish one unit from another. For example, without departing from the scope of the exemplary embodiments, a first unit could be termed a second unit, and similarly a second unit could be termed a first unit. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
It should be understood that when a unit is referred to as being "connected" or "coupled" to another unit, it may be directly connected or coupled to the other unit, or intervening units may be present. In contrast, when a unit is referred to as being "directly connected" or "directly coupled" to another unit, there are no intervening units. Other words used to describe the relationship between units should be interpreted in a like fashion (for example "between" versus "directly between", "adjacent" versus "directly adjacent", and so on).
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the exemplary embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should be further understood that the terms "comprises" and/or "comprising" specify the presence of the stated features, integers, steps, operations, units and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, units, components and/or combinations thereof.
It should also be mentioned that in some alternative implementations the functions/actions noted may occur in an order different from that indicated in the drawings. For example, two figures shown in succession may in fact be executed substantially concurrently, or may sometimes be executed in the reverse order, depending on the functions/actions involved.
Below in conjunction with accompanying drawing, the present invention is described in further detail.
In current computer systems, to determine whether an unknown program is safe, the user can first try running it in a virtualized environment and run it in the actual computer system environment only after confirming that it is safe. Normally a program running in a virtualized environment should have no effect on other parts of the computer system. In the prior art, the files that a program running in a virtualized environment creates or modifies are placed inside the virtualized environment, so their file paths contain the virtualized-environment path prefix. Likewise, when the program's image file is itself placed in the virtualized environment, the program's process path also contains the virtualized-environment path prefix.
For example, on a Windows system, sandbox technology can be used to provide the virtualized environment. In the prior art, the files created or modified by a program running in a sandbox are placed in the sandbox environment and carry the path of that sandbox environment. Likewise, when the program's image file is itself placed in the sandbox environment, the program's process path also contains the path of the sandbox environment. On Windows, a program obtains a file path or process path through a user-mode handle. That user-mode handle corresponds to a file object in the kernel-mode Object Manager, and the file object has a corresponding underlying data structure in the file system. When the NTFS file system is used, for example, the underlying data structure of the file object is the CCB (Context Control Block); in the kernel, the file object's FsContext2 field points to this per-open context kept by the file system driver. Normally, for a program running in a sandbox, the CCB structures of the file objects associated with that program use the path of the sandbox environment, that is, the virtualized-environment path. Therefore, in the prior art, the program can obtain this virtualized-environment path by operating on its user-mode handle, and so perceive that it is running in a virtualized environment. As described above, a program's perception of its virtual running environment may cause a security problem. The present invention solves this problem and thereby enhances computer system security.
Those skilled in the art should also understand that the description of the virtualized environment given here is only an exemplary description provided to help the reader understand the principle of the invention and does not limit the scope of application of the invention in any way. Likewise, although the Windows operating system, a sandbox, the CCB structure and so on are used below to describe the embodiments, this is only for ease of the reader's understanding and does not limit the invention in any way. The scope of the invention is defined by the claims, not by the description above.
Fig. 1 shows a flow chart of the method for enhancing computer system security according to an embodiment of one aspect of the invention.
The method of the invention is implemented by a computer device. Computer devices include, but are not limited to, servers, personal computers, notebook computers, tablet computers, smartphones, and so on.
According to one embodiment of the invention, the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is the CCB data structure. For ease of understanding, unless otherwise stated, the computer system below is based on the Windows operating system using the NTFS (New Technology File System) file system, with sandbox technology providing the virtualized environment on that Windows system. Those skilled in the art will understand that the principle of the invention also applies to a Windows operating system using the FAT (File Allocation Table) file system, or to computer systems based on other similar operating systems.
First, in step S11, for a file object associated with a program running in the virtualized environment, the underlying data structure of the file object is obtained.
Here, a file object means the representation, in the operating system, of a file associated with the running program. The underlying data structure of a file object means the data structure that the file system keeps for that file object, such as the CCB structure mentioned above.
A file object associated with a program means a file object involved in the running of that program. For example, for a program running on the Windows operating system, its associated file objects can include the kernel-mode file objects that correspond to the program's user-mode file handles, where these user-mode file handles may be any file handle supported by the Windows operating system, such as a handle to a file the program uses or a handle to a named pipe the program uses. In particular, a file object associated with the program can be the file object associated with the program's image file; the process object of the program takes the path in the underlying data structure of that file object as the process path of the program's process.
Specifically, in step S11, for a file object associated with a program running in the virtualized environment, the underlying data structure of the file object can be obtained by, for example, interacting with the operating system or interacting with the file system.
Then, in step S12, a non-virtualized-environment path is used in the underlying data structure of the file object to indicate the path associated with the file object. As described above, a virtualized-environment path means a path related to the virtualized environment, for example the sandbox environment, such as the sandbox path. Correspondingly, a non-virtualized-environment path means a path of the real environment of the computer system. For ease of description and understanding, in the following a path whose name contains "sandbox" is taken as a virtualized-environment path, and a path whose name does not contain "sandbox" is taken as a non-virtualized-environment path.
Specifically, in step S12, the non-virtualized-environment path is placed in the underlying data structure of the file object, to indicate the path associated with the file object, by interacting with the operating system or by directly manipulating the data at the corresponding memory address. As a result, when the program obtains, through its user-mode handle, the path held in the underlying data structure of the file object, the path it gets back is the non-virtualized-environment path. Note that when the file is physically stored in the virtualized environment, for example in the sandbox, its actual file path is the sandbox path; the non-virtualized-environment path used in step S12 is therefore different from the actual file path of the file.
In a preferred embodiment, in step S12, the non-virtualized-environment path is used in the underlying data structure of the file object according to a mapping relationship between virtualized-environment paths and non-virtualized-environment paths, the non-virtualized-environment path being used to indicate the path associated with the file object. For example, when the file is physically stored in the virtualized environment, for example in the sandbox, its actual file path contains the virtualized-environment path, such as the sandbox path c:\sandbox. Assuming that the sandbox path c:\sandbox is mapped to the non-virtualized-environment path c:\, then according to this mapping the non-virtualized-environment path c:\ can be used, in the CCB structure of the file object corresponding to the file, to indicate the path of the file.
In one embodiment, the mapping relationship between virtualized-environment paths and non-virtualized-environment paths can be configured. Continuing the example, the sandbox path c:\sandbox can be configured, according to actual needs, to map to the non-virtualized-environment path c:\. The mapping relationship can also be adjusted according to actual needs, for example by changing c:\sandbox to map to the non-virtualized-environment path d:\ instead.
In one embodiment, in step S11, for a file object associated with a program running in the virtualized environment, the underlying data structure of the file object is created. For example, a program P1 running in the sandbox creates a file F1; F1 is placed in the sandbox environment and is actually stored under the directory c:\sandbox. For the file object FO1 corresponding to file F1, the underlying data structure of FO1, for example the CCB structure of the NTFS file system, can be created by calling a driver library function provided by the Windows operating system. Then, in step S12, a non-virtualized-environment path is used in the newly created underlying data structure of the file object to indicate the path associated with the file object. Specifically, the operating system's driver library function can be modified so that it uses the non-virtualized-environment path in the underlying data structure of the created file object and no longer uses the virtualized-environment path. Continuing the example, in the CCB structure of file object FO1 the non-virtualized-environment path c:\ is used to indicate the path associated with FO1, that is, the path of file F1. Alternatively, when the virtualized-environment path c:\sandbox is mapped to the non-virtualized-environment path d:\, the non-virtualized-environment path d:\ can be used in the CCB structure of FO1 to indicate the path of file F1.
In another embodiment, in step S11, for a file object associated with a program running in the virtualized environment, the existing underlying data structure of the file object is obtained. For example, a program P1 running in the sandbox creates a file F1; F1 is located in the sandbox environment and is actually stored under the directory c:\sandbox. Correspondingly, the operating system creates a file object FO1 for file F1 and creates the underlying data structure, a CCB structure, for FO1, and this CCB structure contains the sandbox environment path c:\sandbox, which is a virtualized-environment path. The CCB structure of FO1 can be obtained, for example, by interacting with the operating system. Alternatively, the operating system's driver library function can be modified to send a message when it creates a CCB structure, and once the message announcing the creation of this CCB structure is received, the CCB structure can be obtained on the basis of that message. Then, in step S12, the virtualized-environment path in the underlying data structure of the file object can be modified into a non-virtualized-environment path, the non-virtualized-environment path being used to indicate the path associated with the file object. Continuing the example, by directly operating on the contents of the corresponding memory address, the virtualized-environment path c:\sandbox in the CCB structure of file object FO1 can be modified into the non-virtualized-environment path c:\, to indicate the path of the file F1 that corresponds to FO1. Alternatively, when the virtualized-environment path c:\sandbox is mapped to the non-virtualized-environment path d:\, the virtualized-environment path c:\sandbox in the CCB structure of FO1 can be modified into the non-virtualized-environment path d:\.
Those skilled in the art will understand that the description here of modifying a virtual path into a non-virtual path is exemplary and non-limiting; there are various other implementations that do not depart from the spirit or scope of the invention, and they are incorporated herein by reference.
In one embodiment, the file object associated with the program running in the virtualized environment is the file object associated with the program's image file, and the process object of the program takes the non-virtualized-environment path in the underlying data structure of that file object as the process path of the program's process. Here, the process object of a program means the representation of the running program's process in the operating system of the computer system. For example, suppose the program's image file is P1.exe and it is stored in the sandbox environment directory c:\sandbox, that is, the actual path of the image file P1.exe is the virtual-environment path c:\sandbox. Suppose c:\sandbox is mapped to the non-virtualized-environment path d:\. According to the method described above, the non-virtualized-environment path d:\ can be used in the underlying data structure, the CCB structure, of the file object FO1 associated with the image file P1.exe. The process object of the program then takes the non-virtualized-environment path d:\ in the CCB structure of the file object FO1 corresponding to the image file P1.exe as the process path of the program's process. That is, the program will believe that its process path is the non-virtualized-environment path d:\, and so cannot perceive that it is running in a virtualized environment.
In one embodiment, the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is the CCB data structure.
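The mapping rule that steps S11 and S12 describe (and that the obtaining device 21, the path-using device 22 and the configuration device 23 of the device embodiment mirror), as an added example that is not the patent's or the assignee's code. It models in user mode, in Python, what the patent does inside the NTFS CCB: the path a sandboxed program reads back through its handle is rewritten according to a configurable and adjustable mapping such as c:\sandbox to c:\ or d:\, while the actual storage path of the file is left untouched, and the program's own "does my path contain sandbox" check is run before and after. The names PathMapper, FileObject, detects_sandbox and demo, and the sample paths, are this example's own assumptions. It goes slightly beyond the page's two-entry mapping: matching is case-insensitive and on path-component boundaries, so c:\sandbox does not rewrite c:\sandboxed, and when several mappings match the longest configured prefix wins.

```python
"""User-mode model of the sandbox-path to real-path mapping that the patent
applies inside the file object's underlying structure (the NTFS CCB).

Added example, not the patent's or the assignee's code; all names are the
example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import ntpath  # Windows path rules (case-insensitive, backslashes) on any host


def normcase(path: str) -> str:
    """Lower-case, normalise separators and drop trailing backslashes, as
    Windows does when it compares two paths for equality."""
    return ntpath.normcase(path).rstrip("\\")


def is_prefix_on_boundary(prefix: str, path: str) -> bool:
    """True if prefix names path itself or an ancestor directory of path.
    Component-boundary check: c:\\sandbox must not match c:\\sandboxed\\x.txt."""
    prefix, path = normcase(prefix), normcase(path)
    return path == prefix or path.startswith(prefix + "\\")


@dataclass
class PathMapper:
    """Configurable mapping from virtualized-environment path prefixes to the
    non-virtualized paths shown to the program (the configuration device 23)."""
    mappings: Dict[str, str] = field(default_factory=dict)

    def configure(self, virtual_prefix: str, real_prefix: str) -> None:
        """Add or adjust one mapping, e.g. c:\\sandbox -> c:\\ (later -> d:\\)."""
        self.mappings[normcase(virtual_prefix)] = real_prefix

    def present(self, actual_path: str) -> str:
        """Non-virtualized path for actual_path. The longest matching prefix
        wins; a path outside every mapping is returned unchanged."""
        best: Optional[str] = None
        for virtual_prefix in self.mappings:
            if is_prefix_on_boundary(virtual_prefix, actual_path):
                if best is None or len(virtual_prefix) > len(best):
                    best = virtual_prefix
        if best is None:
            return actual_path
        remainder = actual_path[len(best):]  # tail keeps its original casing
        real_prefix = self.mappings[best]
        if remainder.strip("\\") == "":
            return real_prefix
        return real_prefix.rstrip("\\") + remainder


@dataclass
class FileObject:
    """Kernel-side file object plus the path field of its underlying structure.
    actual_path is where the file really lives (inside the sandbox directory);
    ccb_path is what name queries through the user-mode handle return. In the
    prior art the two are equal, which is what lets a program spot the sandbox."""
    actual_path: str
    ccb_path: str = ""

    def __post_init__(self) -> None:
        if not self.ccb_path:
            self.ccb_path = self.actual_path

    def apply_non_virtualized_path(self, mapper: PathMapper) -> None:
        """Step S12: use the non-virtualized path in the underlying structure.
        The file stays where it is; only the name it reports changes."""
        self.ccb_path = mapper.present(self.actual_path)

    def query_file_name(self) -> str:
        """What a name query through the user-mode handle returns."""
        return self.ccb_path


def process_image_path(image_file_object: FileObject) -> str:
    """The process object takes its process path from the image file object."""
    return image_file_object.query_file_name()


def detects_sandbox(path: str) -> bool:
    """The evasion check the page describes: does the process path or the
    path of a created file contain the sandbox path?"""
    return "sandbox" in path.lower()


def demo() -> dict:
    """Walk through the page's example: P1 creates F1 under c:\\sandbox."""
    mapper = PathMapper()
    mapper.configure("c:\\sandbox", "c:\\")
    f1 = FileObject("C:\\Sandbox\\Users\\me\\F1.txt")  # constructed sample path
    detected_before = detects_sandbox(f1.query_file_name())
    f1.apply_non_virtualized_path(mapper)
    detected_after = detects_sandbox(f1.query_file_name())
    # Adjust the mapping to d:\ and apply it to the image file of P1.
    mapper.configure("c:\\sandbox", "d:\\")
    image = FileObject("C:\\Sandbox\\P1.exe")  # constructed sample path
    image.apply_non_virtualized_path(mapper)
    return {
        "f1_actual": f1.actual_path,
        "f1_seen": f1.query_file_name(),
        "detected_before": detected_before,
        "detected_after": detected_after,
        "process_path": process_image_path(image),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The kernel-side rewrite of the CCB itself is not shown: the layout of the NTFS CCB is undocumented and the patent gives no field offsets, so the example stops at the rule a driver would apply to the path string it finds there. The boundary check matters in practice: a rewrite that matched on a raw string prefix would turn c:\sandboxed\x.txt into c:\ed\x.txt, a path that does not exist and that itself betrays tampering.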
Fig. 2 shows a schematic diagram of the device for enhancing computer system security according to an embodiment of another aspect of the invention.
The method of the invention is implemented by a computer device. Computer devices include, but are not limited to, servers, personal computers, notebook computers, tablet computers, smartphones, and so on.
According to one embodiment of the invention, the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the underlying data structure is the CCB data structure. For ease of understanding, unless otherwise stated, the computer system below is based on the Windows operating system using the NTFS (New Technology File System) file system, with sandbox technology providing the virtualized environment on that Windows system. Those skilled in the art will understand that the principle of the invention also applies to a Windows operating system using the FAT (File Allocation Table) file system, or to computer systems based on other similar operating systems.
As shown in Fig. 2, the device for enhancing computer system security comprises a device 21 for obtaining, for a file object associated with a program running in the virtualized environment, the underlying data structure of the file object, hereinafter referred to as the obtaining device 21; and a device 22 for using a non-virtualized-environment path in the underlying data structure of the file object, hereinafter referred to as the path-using device 22, the non-virtualized-environment path being used to indicate the path associated with the file object.
First, acquisition device 21, for the file object be associated with the program run in virtualized environment, obtains the bottom data structure of described file object.
Herein, file object means the file expression in an operating system that is associated with the program run.The bottom data structure of file object means the bottom data structure of this file object in file system, CCB structure such as mentioned above.
The file object be associated with program refer to this program run involved by file object.Such as, for the program run in Windows operating system, its file object be associated can comprise the file object of the kernel state corresponding to User space file handle of this program, wherein, the file handle supported of any Windows operating system such as the file handle that can be correlated with for the file handle relevant to the file that this program uses, the named pipes that uses with this program of the User space file handle of this program.Especially, the file object that this program is associated can for the file object be associated with the image file of this program.The process object of this program is using the process path of the path in the bottom data structure of described file object as described program process.
Particularly, acquisition device 21, can such as by mutual with operating system or by the bottom data structure with mode obtains this file object such as file system is mutual for the file object be associated with the program run in virtualized environment.
Then, non-virtualized environment path operative installations 22 uses non-virtualized environment path in the bottom data structure of described file object, for indicating the path be associated with described file object.As described above, virtualized environment path means and virtualized environment, the path that such as sandbox environment is relevant, such as sandbox path.Correspondingly, non-virtualized environment path means the true environment path of this computer system.For ease of describing and understanding, hereinafter, the path of " sandbox " will be comprised using pathname as virtualized environment path, and the path not comprising " sandbox " in pathname is as non-virtualized environment path.
Particularly, non-virtualized environment path operative installations 22 is by mutual with operating system, or the mode such as data in direct control correspondence memory address, non-virtualized environment path is used, for indicating the path be associated with described file object in the bottom data structure of described file object.As described above, when obtaining path included in the bottom data structure of file object by operation User space handle, accessed path will be non-virtualized environment path.It should be noted, when file physical store is in virtualized environment, such as, in sandbox time, its actual file path is sandbox path.Therefore, the non-virtualized environment path that uses of non-virtualized environment path operative installations 22 is different from the actual file path of this file.
In a preferred embodiment, non-virtualized environment path operative installations 22 can according to the mapping relations between virtualized environment path and non-virtualized environment path, in the bottom data structure of described file object, use non-virtualized environment path, described non-virtualized environment path is used to indicate the path be associated with described file object.Such as, when file physical store is in virtualized environment, such as, in sandbox time, its actual file path should comprise this virtualized environment path, such as sandbox path c: sandbox.Assuming that this sandbox path c: sandbox be mapped to non-virtualized environment path c:, then non-virtualized environment path operative installations 22 can according to these mapping relations, in the CCB structure of file object corresponding to this file, use non-virtualized environment path c: to indicate the path of this file.
In one embodiment, the device for enhancing computer system security further comprises a device for configuring the mapping relationship between virtualized environment paths and non-virtualized environment paths, hereinafter referred to as the configuration device 23 (not shown). The configuration device 23 can configure the mapping relationship between virtualized environment paths and non-virtualized environment paths. For example, continuing the example above, the configuration device 23 can, according to actual needs, configure the sandbox path c:\sandbox to be mapped to the non-virtualized environment path c:. In addition, the configuration device 23 can also adjust the mapping relationship between virtualized environment paths and non-virtualized environment paths according to actual needs, for example by adjusting c:\sandbox to be mapped to the non-virtualized environment path d: instead.
In one embodiment, the acquisition device 21, for the file object associated with the program running in the virtualized environment, creates the bottom data structure of the file object. For example, a program P1 running in the sandbox creates a file F1, which is placed in the sandbox environment and is actually stored under the directory c:\sandbox. For the file object FO1 corresponding to this file F1, the acquisition device 21 can create the bottom data structure of the file object FO1, for example the CCB structure of the NTFS file system, by calling a driver library function provided by the Windows operating system. Then, the non-virtualized environment path using device 22 uses a non-virtualized environment path in the bottom data structure of the created file object, the non-virtualized environment path being used to indicate the path associated with the file object. Specifically, the non-virtualized environment path using device 22 can, for example, use the non-virtualized environment path in the bottom data structure of the created file object by modifying the driver library function of the operating system, so that the virtualized environment path is no longer used. Continuing the example, for the CCB structure of the file object FO1, the non-virtualized environment path using device 22 will use the non-virtualized environment path c: to indicate the path associated with the file object FO1, that is, the path of the file F1. Alternatively, when the virtualized environment path c:\sandbox is mapped to the non-virtualized environment path d:, the non-virtualized environment path using device 22 can use the non-virtualized environment path d: in the CCB structure of the file object FO1 to indicate the path of the file F1.
In another embodiment, the acquisition device 21, for the file object associated with the program running in the virtualized environment, obtains the existing bottom data structure of the file object. For example, a program P1 running in the sandbox creates a file F1, which is located in the sandbox environment and is actually stored under the directory c:\sandbox. Correspondingly, the operating system creates the file object FO1 for this file F1 and creates the bottom data structure, i.e. a CCB structure, for the file object FO1, where this CCB structure contains the sandbox environment path c:\sandbox, which is a virtualized environment path. The acquisition device 21 can obtain the CCB structure of the file object FO1, for example, by interacting with the operating system. Alternatively, the acquisition device 21 can modify the driver library function of the operating system so that it sends a message when the CCB structure is created, and after receiving the message about the creation of the CCB structure, obtain the CCB structure based on that message. Then, the non-virtualized environment path using device 22 can modify the virtualized environment path in the bottom data structure of the file object into a non-virtualized environment path, the non-virtualized environment path being used to indicate the path associated with the file object. Continuing the example, the non-virtualized environment path using device 22 can, by directly operating on the content of the corresponding memory address, modify the virtualized environment path c:\sandbox in the CCB structure of the file object FO1 into the non-virtualized environment path c:, to indicate the path of the file F1 corresponding to the file object FO1. Alternatively, when the virtualized environment path c:\sandbox is mapped to the non-virtualized environment path d:, the non-virtualized environment path using device 22 can modify the virtualized environment path c:\sandbox in the CCB structure of the file object FO1 into the non-virtualized environment path d:.
Those skilled in the art will understand that the description herein of modifying a virtual path into a non-virtualized path is merely exemplary and non-limiting; various other implementations exist without departing from the spirit or scope of the present invention, and are incorporated herein by reference.
In one embodiment, the file object associated with the program running in the virtualized environment is the file object associated with the image file of the program. The process object of the program uses the non-virtualized environment path in the bottom data structure of the file object as the process path of the program's process. Here, the process object of a program refers to the representation, in the operating system of the computer system, of the process of the running program. For example, suppose the image file of the program is P1.exe, stored in the sandbox environment directory c:\sandbox; that is, the actual path of the image file P1.exe is the virtual environment path c:\sandbox. Assume that c:\sandbox is mapped to the non-virtualized environment path d:. According to the method described above, the non-virtualized environment path using device 22 can use the non-virtualized environment path d: in the bottom data structure, i.e. the CCB structure, of the file object FO1 associated with the image file P1.exe. Then the process object of this program will take the non-virtualized environment path d: in the CCB structure of the file object FO1 corresponding to the image file P1.exe as the process path of the program's process. That is, the program will consider its process path to be the non-virtualized environment path d:, and thus cannot perceive that it is itself running in the virtualized environment.
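As an added illustration (not code from the patent) of the path mapping applied by the non-virtualized environment path using device 22, configured and adjusted by the configuration device 23, and of the in-place modification of an existing structure in the second embodiment, the following user-mode C model rewrites a virtualized path such as c:\sandbox\P1.exe into the non-virtualized path a program (or its process object) would read back. The rule table, the in-memory path field and all sample paths are constructed stand-ins, not the NTFS CCB layout or a real driver library function; it also handles the cases the text leaves implicit, namely case-insensitive matching, the component boundary (c:\sandboxed is not inside c:\sandbox) and nested prefixes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the patent's code: a rule table for the mapping
 * relationship between virtualized and non-virtualized path prefixes. */
#define MAX_RULES 8
#define MAX_PATH_LEN 260

typedef struct {
    char virt_prefix[MAX_PATH_LEN]; /* virtualized prefix, e.g. "c:\\sandbox" */
    char real_prefix[MAX_PATH_LEN]; /* prefix presented instead, e.g. "c:" or "d:" */
} path_rule_t;

typedef struct {
    path_rule_t rules[MAX_RULES];
    int count;
} path_map_t;

/* Windows paths compare case-insensitively; compare the first n characters. */
static bool prefix_ieq(const char *path, const char *prefix, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return false;
    return true;
}

/* Configure or adjust a rule (the role of configuration device 23): a rule for
 * the same virtualized prefix is replaced, otherwise a new one is appended. */
bool path_map_set(path_map_t *m, const char *virt_prefix, const char *real_prefix) {
    char v[MAX_PATH_LEN];
    size_t n = strlen(virt_prefix);
    if (n == 0 || n >= MAX_PATH_LEN || strlen(real_prefix) >= MAX_PATH_LEN) return false;
    memcpy(v, virt_prefix, n + 1);
    while (n > 1 && v[n - 1] == '\\') v[--n] = '\0'; /* "c:\sandbox\" == "c:\sandbox" */
    int idx = 0;
    while (idx < m->count && !(strlen(m->rules[idx].virt_prefix) == n &&
                               prefix_ieq(m->rules[idx].virt_prefix, v, n))) idx++;
    if (idx == m->count) {
        if (m->count == MAX_RULES) return false;
        m->count++;
    }
    strcpy(m->rules[idx].virt_prefix, v);
    strcpy(m->rules[idx].real_prefix, real_prefix);
    return true;
}

/* Rewrite `in` into `out`. A rule applies only if its virtualized prefix matches
 * on a path-component boundary, so "c:\sandboxed\x" is not inside "c:\sandbox";
 * the longest matching prefix wins. Returns true when a rule was applied. */
bool path_map_apply(const path_map_t *m, const char *in, char *out, size_t out_len) {
    const path_rule_t *best = NULL;
    size_t best_len = 0;
    for (int i = 0; i < m->count; i++) {
        size_t n = strlen(m->rules[i].virt_prefix);
        if (!prefix_ieq(in, m->rules[i].virt_prefix, n)) continue;
        if (in[n] != '\0' && in[n] != '\\') continue; /* component boundary */
        if (n > best_len) { best = &m->rules[i]; best_len = n; }
    }
    if (best == NULL) { snprintf(out, out_len, "%s", in); return false; }
    const char *rest = in + best_len;
    if (*rest == '\0') rest = "\\"; /* an exact match stays a rooted directory */
    snprintf(out, out_len, "%s%s", best->real_prefix, rest);
    return true;
}

/* Second embodiment: the path already stored in the structure is overwritten in
 * place, so a program reading it back sees only the non-virtualized path. */
bool rewrite_path_in_place(const path_map_t *m, char path[MAX_PATH_LEN]) {
    char tmp[MAX_PATH_LEN];
    if (!path_map_apply(m, path, tmp, sizeof tmp)) return false;
    strcpy(path, tmp);
    return true;
}
```

The process path of the embodiment above is simply the result of path_map_apply on the image file's path, so a program whose image sits under c:\sandbox is presented with d:\P1.exe once the mapping has been adjusted to d:.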
In one embodiment, the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the bottom data structure is a CCB data structure.
It should be noted that the present invention can be implemented in software and/or a combination of software and hardware; for example, each device of the present invention can be implemented using an application-specific integrated circuit (ASIC) or any other similar hardware device. In one embodiment, the software program of the present invention can be executed by a processor to realize the steps or functions described above. Similarly, the software program of the present invention (including the relevant data structures) can be stored in a computer-readable recording medium, for example RAM memory, a magnetic or optical drive, a floppy disk, or similar devices. In addition, some steps or functions of the present invention can be implemented in hardware, for example as circuits that cooperate with the processor to perform the respective steps or functions.
It is obvious to those skilled in the art that the present invention is not limited to the details of the above exemplary embodiments, and that the present invention can be realized in other specific forms without departing from its spirit or essential characteristics. Therefore, from whatever point of view, the embodiments should be regarded as exemplary and non-limiting; the scope of the present invention is defined by the appended claims rather than by the above description, and all changes falling within the meaning and range of equivalency of the claims are therefore intended to be included in the present invention. No reference sign in the claims should be construed as limiting the claim concerned. In addition, the word "comprising" obviously does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices recited in a system claim can also be realized by one unit or device through software or hardware. Words such as first and second are used to denote names and do not denote any specific order.
Although exemplary embodiments have been particularly shown and described above, those skilled in the art will appreciate that changes may be made in form and detail without departing from the spirit and scope of the appended claims. The protection sought here is set forth in the appended claims.

Claims (14)

1. A method for enhancing computer system security, wherein the method comprises:
-for a file object associated with a program running in a virtualized environment, obtaining the bottom data structure of the file object;
-using a non-virtualized environment path in the bottom data structure of the file object, the non-virtualized environment path being used to indicate the path associated with the file object.
2. The method according to claim 1, wherein the step of obtaining, for the file object associated with the program running in the virtualized environment, the bottom data structure of the file object comprises:
-for the file object associated with the program running in the virtualized environment, creating the bottom data structure of the file object;
wherein the step of using a non-virtualized environment path in the bottom data structure of the file object comprises:
-using a non-virtualized environment path in the bottom data structure of the created file object, the non-virtualized environment path being used to indicate the path associated with the file object.
3. The method according to claim 1, wherein the step of obtaining, for the file object associated with the program running in the virtualized environment, the bottom data structure of the file object comprises:
-for the file object associated with the program running in the virtualized environment, obtaining the existing bottom data structure of the file object;
wherein the step of using a non-virtualized environment path in the bottom data structure of the file object comprises:
-modifying the virtualized environment path in the bottom data structure of the file object into a non-virtualized environment path, the non-virtualized environment path being used to indicate the path associated with the file object.
4. The method according to any one of claims 1 to 3, wherein the step of using a non-virtualized environment path in the bottom data structure of the file object comprises:
-using a non-virtualized environment path in the bottom data structure of the file object according to a mapping relationship between virtualized environment paths and non-virtualized environment paths, the non-virtualized environment path being used to indicate the path associated with the file object.
5. The method according to claim 4, further comprising:
-configuring the mapping relationship between virtualized environment paths and non-virtualized environment paths.
6. The method according to any one of claims 1 to 5, wherein the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the bottom data structure is a CCB data structure.
7. The method according to any one of claims 1 to 6, wherein the file object associated with the program running in the virtualized environment is the file object associated with the image file of the program, and the process object of the program uses the non-virtualized environment path in the bottom data structure of the file object as the process path of the program's process.
8. A device for enhancing computer system security, wherein the device comprises:
-a device for obtaining, for a file object associated with a program running in a virtualized environment, the bottom data structure of the file object;
-a device for using a non-virtualized environment path in the bottom data structure of the file object, the non-virtualized environment path being used to indicate the path associated with the file object.
9. The device according to claim 8, wherein the device for obtaining, for the file object associated with the program running in the virtualized environment, the bottom data structure of the file object is configured to:
-for the file object associated with the program running in the virtualized environment, create the bottom data structure of the file object;
wherein the device for using a non-virtualized environment path in the bottom data structure of the file object is configured to:
-use a non-virtualized environment path in the bottom data structure of the created file object, the non-virtualized environment path being used to indicate the path associated with the file object.
10. The device according to claim 8, wherein the device for obtaining, for the file object associated with the program running in the virtualized environment, the bottom data structure of the file object is configured to:
-for the file object associated with the program running in the virtualized environment, obtain the existing bottom data structure of the file object;
wherein the device for using a non-virtualized environment path in the bottom data structure of the file object is configured to:
-modify the virtualized environment path in the bottom data structure of the file object into a non-virtualized environment path, the non-virtualized environment path being used to indicate the path associated with the file object.
11. The device according to any one of claims 8 to 10, wherein the device for using a non-virtualized environment path in the bottom data structure of the file object is configured to:
-use a non-virtualized environment path in the bottom data structure of the file object according to a mapping relationship between virtualized environment paths and non-virtualized environment paths, the non-virtualized environment path being used to indicate the path associated with the file object.
12. The device according to claim 11, further comprising:
-a device for configuring the mapping relationship between virtualized environment paths and non-virtualized environment paths.
13. The device according to any one of claims 8 to 12, wherein the computer system is based on the Windows operating system, the virtualized environment is a sandbox environment, and the bottom data structure is a CCB data structure.
14. The device according to any one of claims 8 to 13, wherein the file object associated with the program running in the virtualized environment is the file object associated with the image file of the program, and the process object of the program uses the non-virtualized environment path in the bottom data structure of the file object as the process path of the program's process.
CN201510111889.5A 2015-03-13 2015-03-13 Method and device for enhancing security of computer system Active CN104751057B (en)

Publications (2)

Publication Number Publication Date
CN104751057A true CN104751057A (en) 2015-07-01
CN104751057B CN104751057B (en) 2018-08-24

Family

ID=53590729

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488414A (en) * 2015-09-25 2016-04-13 深圳市安之天信息技术有限公司 Method and system for preventing malicious codes from detecting virtual environments
CN105718793A (en) * 2015-09-25 2016-06-29 哈尔滨安天科技股份有限公司 Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification
CN106709352A (en) * 2015-11-12 2017-05-24 阿里巴巴集团控股有限公司 Sample processing method, apparatus and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080307414A1 (en) * 2007-06-05 2008-12-11 International Business Machines Corporation Creating a virtual machine image with a software deployment system
CN101373502A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Automatic analysis system of virus behavior based on Win32 platform
CN101593259A (en) * 2009-06-29 2009-12-02 北京航空航天大学 software integrity verification method and system
CN102609649A (en) * 2012-02-06 2012-07-25 北京百度网讯科技有限公司 Method and device for collecting malicious software automatically
CN103020525A (en) * 2012-12-20 2013-04-03 北京奇虎科技有限公司 Anti-detecting method and device of virtual machine system
US20140317745A1 (en) * 2013-04-19 2014-10-23 Lastline, Inc. Methods and systems for malware detection based on environment-dependent behavior

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
彭晓曦 et al.: "Research on the Application of the Windows Installable File System", 《微计算机信息》 (Microcomputer Information) *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190814

Address after: 100085 Beijing, Haidian District, No. ten on the ground floor, No. 10 Baidu building, layer 2

Patentee after: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd.

Address before: 100091 C, block, building No. 4, Zhongguancun Software Park, No. 8, West flourishing West Road, Beijing, China 1-03

Patentee before: Anyi Hengtong (Beijing) Technology Co., Ltd.