Method for fast sandbox recovery based on a file system filter driver
Technical field
The invention relates to the field of malicious file detection, and in particular to a method for fast sandbox recovery based on a file system filter driver.
Background technology
In recent years, as network security problems have become increasingly prominent, sandbox technology has been applied more and more widely to malicious file detection. A suspicious file is submitted to a sandbox and executed there under dynamic simulation. This not only prevents unknown malicious behaviour from damaging the real system, it also allows the behaviour of the suspicious file to be captured and analysed, which provides a new approach to detecting malicious files.
Current sandbox applications for malicious file detection consist mainly of a task scheduler and a virtual machine. The task scheduler receives detection tasks, imports the suspicious file into the operating system of the virtual machine through a specific transport, and obtains the behavioural information of the suspicious file from the virtual machine for analysis. Normally the operating system inside the virtual machine runs a corresponding program that communicates with the scheduler, so that programs in the virtual machine execute in the manner specified by the task scheduler. The virtual machine system also contains a task execution module and a behaviour monitoring module (behaviour monitoring is generally done by injecting a DLL into the process space of the suspicious file and hooking operating system API functions to obtain the API calls made by the suspicious file and their parameters). The behaviour monitoring module finally sends the behavioural information of the suspicious file to the external task scheduler. The task scheduler filters this behavioural information further, captures and analyses the malicious behaviour in it, and finally decides whether the suspicious file under test is malicious.
To guarantee the integrity and robustness of the sandbox system, the sandbox environment must be restored after each suspicious file has finished its dynamic simulation run, so that the execution trace of the next suspicious file is not affected by the results of the previous run. Current sandbox dynamic-simulation detection systems generally rely on the virtual machine's own image-restore (snapshot revert) technology: the system ships with a virtual machine image in the powered-on state, and before a suspicious file is submitted to the sandbox the operating system in the virtual machine is first reverted to that image, so that every suspicious file runs in a clean and robust environment. Reverting the operating system image involves a large amount of I/O, and the revert procedure also involves shutting down and restarting the operating system in the virtual machine, which produces considerable time overhead. As a result, the per-sample detection time of current sandbox systems is long and their detection capacity is low.
Summary of the invention
The main purpose of the present invention is to overcome the deficiencies of the prior art by providing a malicious file detection method that saves the large I/O overhead produced by reverting the operating system image in the virtual machine and thereby significantly increases detection efficiency. To solve the above technical problem, the solution of the present invention is:
A method for fast sandbox recovery based on a file system filter driver is provided, for detecting suspicious files submitted by an external task scheduler by means of a sandbox virtual machine. The method specifically comprises the following steps:
Step A: The operating system in the sandbox virtual machine and the external task scheduler program agree on a network communication mode and establish a submission interface for suspicious-file detection tasks. The external task scheduler program is the program that controls recovery of the sandbox virtual machine, submits suspicious files and analyses their behavioural information.
Step B: In the operating system of the sandbox virtual machine, register a monitor driver that redirects the file operations and registry operations of a specified process ID and all of its child processes.
The monitor driver is a program written on the Windows file system filter driver framework (SFilter or MiniFilter) that implements file redirection and registry redirection; that is, the monitor driver is a Windows driver based on the operating system's file system filter driver mechanism.
Step C: After the operating system of the sandbox virtual machine receives a suspicious-file detection task, it executes (or opens) the suspicious file in the suspended state, injects the monitor program to capture the behavioural information of the suspicious file, and passes the process ID into the monitor driver for file and registry redirection. The monitor program (behaviour monitoring module) is injected into the process space of the program (via a DLL) and obtains, by hooking, the operating system API functions called by the suspicious file and their parameters.
Step D: After the suspicious file has finished executing, the virtual machine operating system returns the captured behavioural information to the external task scheduler, rapidly restores the sandbox environment, and prepares to receive the detection task for the next suspicious file.
In the present invention, the monitor driver redirects the file operations of the specified process (tree) in the following way:
The monitor driver is inserted into the message chain of the Windows I/O manager in the sandbox virtual machine, intercepts all I/O request packets (IRP and FastIO) of the specified process (tree) concerning file creation, reading, writing and similar operations, and thereby redirects the file data produced by the specified process (tree).
In the present invention, the monitor driver redirects the registry operations of the specified process (tree) using either the framework's callback mechanism or API hooking, specifically as follows:
When the monitor driver is initialised, a file in HIVE format is first created and then mounted into the registry. The monitor driver is then registered in the operating system environment of the sandbox virtual machine; after initialisation completes, a randomly generated redirect file directory is created and a random redirect registry path is initialised.
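The redirection logic of Step B and the two paragraphs above, as an added example in portable C that is not part of the patent's implementation: it keeps the tracked process tree (the suspicious file's process and every descendant), generates the random redirect directory and registry path at initialisation, and rewrites file and registry paths for tracked processes only, passing everything else through. The driver-side hooks it stands in for (the IRP_MJ_CREATE pre-operation callback of a minifilter, the process-creation notify routine, the registry callback) are named in the comments; the naming scheme `C:\rd_xxxxxxxx\` and `HKLM\rk_xxxxxxxx\`, the xorshift generator and the PID values are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64
#define MAX_PATH_LEN 260

/* Processes whose I/O the monitor driver redirects: the suspicious file's own
 * process plus every descendant created while it runs (Step 7). */
typedef struct {
    unsigned pids[MAX_TRACKED];
    int count;
} process_tree_t;

typedef struct {
    process_tree_t tree;
    char file_root[MAX_PATH_LEN]; /* assumed form: C:\rd_<random>\ */
    char reg_root[MAX_PATH_LEN];  /* assumed form: HKLM\rk_<random>\ */
} monitor_t;

static bool tree_contains(const process_tree_t *t, unsigned pid)
{
    for (int i = 0; i < t->count; i++)
        if (t->pids[i] == pid)
            return true;
    return false;
}

/* Process-creation notification. A real driver receives this through
 * PsSetCreateProcessNotifyRoutineEx; here it is called directly. Children of a
 * tracked process join the tree, so a dropper that spawns cmd.exe or a second
 * stage is still redirected. Returns false for untracked parents. */
static bool tree_on_process_create(process_tree_t *t, unsigned parent, unsigned child)
{
    if (!tree_contains(t, parent) || t->count >= MAX_TRACKED)
        return false;
    t->pids[t->count++] = child;
    return true;
}

/* xorshift32 stands in for the driver's random name generation; it is seeded so
 * the example is reproducible. A real driver would use a proper entropy source. */
static unsigned next_rand(unsigned *s)
{
    unsigned x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Step 4: initialise the driver for one task with freshly randomised redirect
 * locations, so a sample cannot fingerprint the sandbox by a fixed path. */
static void monitor_init(monitor_t *m, unsigned root_pid, unsigned seed)
{
    memset(m, 0, sizeof *m);
    m->tree.pids[m->tree.count++] = root_pid;
    unsigned a = next_rand(&seed), b = next_rand(&seed);
    snprintf(m->file_root, sizeof m->file_root, "C:\\rd_%08x\\", a);
    snprintf(m->reg_root, sizeof m->reg_root, "HKLM\\rk_%08x\\", b);
}

/* File redirection. A minifilter does this in its IRP_MJ_CREATE pre-operation
 * callback: it rewrites FileObject->FileName and completes the request with
 * STATUS_REPARSE so the I/O manager reopens the new path. Here
 * "C:\Users\x\a.txt" becomes "<file_root>C\Users\x\a.txt". Returns true when
 * the path was rewritten; out always holds the path to use. */
static bool redirect_file_path(const monitor_t *m, unsigned pid, const char *path,
                               char *out, size_t out_len)
{
    bool under_root = strncmp(path, m->file_root, strlen(m->file_root)) == 0;
    bool has_drive = strlen(path) >= 3 && path[1] == ':' && path[2] == '\\';

    /* Untracked process, already-redirected path or non-drive path: pass through. */
    if (!tree_contains(&m->tree, pid) || under_root || !has_drive) {
        snprintf(out, out_len, "%s", path);
        return false;
    }
    int n = snprintf(out, out_len, "%s%c\\%s", m->file_root, path[0], path + 3);
    return n > 0 && (size_t)n < out_len;
}

/* Registry redirection: the same rewrite applied to key paths. A real driver
 * does it from the registry callback registered with CmRegisterCallbackEx. */
static bool redirect_registry_path(const monitor_t *m, unsigned pid, const char *key,
                                   char *out, size_t out_len)
{
    if (!tree_contains(&m->tree, pid) ||
        strncmp(key, m->reg_root, strlen(m->reg_root)) == 0) {
        snprintf(out, out_len, "%s", key);
        return false;
    }
    int n = snprintf(out, out_len, "%s%s", m->reg_root, key);
    return n > 0 && (size_t)n < out_len;
}

int main(void)
{
    monitor_t m;
    char buf[MAX_PATH_LEN];
    monitor_init(&m, 1000, 0x1234u);
    tree_on_process_create(&m.tree, 1000, 1004); /* the sample spawned a child */
    redirect_file_path(&m, 1004, "C:\\Users\\x\\a.txt", buf, sizeof buf);
    printf("file -> %s\n", buf);
    redirect_registry_path(&m, 1004, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                           buf, sizeof buf);
    printf("key  -> %s\n", buf);
    return 0;
}
```

The pass-through for paths already under the redirect root matters in practice: the sandbox's own user-mode components open the redirect directory to collect dropped files, and a second rewrite would nest the tree indefinitely.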
In the present invention, step C specifically comprises the following processes:
Process C1: The operating system in the sandbox virtual machine receives the suspicious file to be detected from the task scheduler;
Process C2: The operating system in the sandbox virtual machine executes (or opens) the suspicious file in the suspended state and passes the process ID corresponding to the suspicious file into the monitor driver registered in step B; the monitor driver is used to redirect the file and registry operations of the process (tree) corresponding to the suspicious file;
Process C3: The monitor program is injected into the process space of the suspicious file, ready to monitor its behavioural information;
Process C4: The suspended process of the suspicious file is resumed, which starts the detection task of the suspicious file; the monitor program continuously captures the behavioural information of the suspicious file, which comprises the operating system API functions it calls and their parameters.
In the present invention, step D specifically comprises the following processes:
Process D1: After the suspicious file has finished executing, or after the time for which a non-PE file has been open exceeds the preset detection time, monitoring of the suspicious file is terminated;
Process D2: The operating system of the sandbox virtual machine returns to the external task scheduler the behavioural information of the suspicious file captured by the monitor program; the external task scheduler filters the received behavioural information further, captures and analyses the malicious behaviour in it, and finally judges whether the detected suspicious file is malicious;
Process D3: The contents of the redirect directory and the redirect registry path are cleared, restoring the sandbox virtual machine to its original state after image revert.
The core idea of the present invention is: the behaviour of the suspicious file under test is filtered through the file system filter driver message mechanism of the operating system, and redirection is then used to divert the file and registry information created, modified or deleted while the suspicious file executes (or is opened) to the paths specified during initialisation of the monitor driver, these paths including but not limited to a file path and a registry path. This avoids substantial changes to the sandbox environment; after detection of the suspicious file completes, only the paths specified during monitor driver initialisation need to be cleaned up to restore the sandbox environment quickly, which further improves the detection efficiency of the sandbox.
Compared with the prior art, the beneficial effects of the invention are as follows:
Compared with sandbox detection systems based on virtual machine image revert technology, the present invention does not need the virtual machine's operating system image revert to recover the sandbox environment. This saves the system overhead of a large amount of I/O and also avoids the shutdown and restart of the operating system that an image revert entails, which improves the efficiency of sandbox environment recovery, greatly reduces the time needed to detect a single suspicious file and thereby significantly increases the detection efficiency of the sandbox for suspicious files.
Description of the drawings
Fig. 1 is a flow chart of sandbox detection and environment restoration according to the present invention.
Detailed description
It should first be noted that the present invention relates to the field of malicious file detection and is an application branch of computer technology in the field of information security technology. The implementation of the present invention may involve a number of software function modules. The applicant considers that, after reading the application documents carefully and accurately understanding the implementation principle and purpose of the invention, and in combination with existing known technology, a person skilled in the art can fully implement the present invention using the software programming skills they possess. Everything mentioned in the present application belongs to this category, and the applicant will not enumerate it.
The present invention is described in further detail below with reference to the accompanying drawing and an embodiment:
A method for fast sandbox recovery based on a file system filter driver uses a sandbox virtual machine to detect suspicious files submitted by an external task scheduler. The processing flow of the method is shown in Fig. 1 and specifically comprises the following steps:
Step 1: The operating system in the sandbox virtual machine is in the powered-on state, ready to receive suspicious files for detection.
After the sandbox system starts, an image revert may be performed on all of the sandbox's virtual machines to ensure that the operating system in each virtual machine (for example Windows XP) is clean and unpolluted, which guarantees the correctness of the checks on suspicious files. Once the sandbox has started, the operating system in the virtual machine remains powered on and ready to receive suspicious files for detection.
Step 2: The sandbox receives a suspicious file and starts the detection process.
The sandbox receives the suspicious file sent by the external task scheduler program; the file-receiving interface of the external scheduler can be implemented with any agreed network communication mode (for example TCP socket communication). Once the suspicious file has been received, the malicious file detection process starts.
Step 3: Determine whether the monitor driver has been registered.
The activation information of the driver with the given name (here the name of the monitor driver) is obtained from the operating system; if the monitor driver is not registered, no such information can be obtained, and the monitor driver must first be registered.
Step 4: Register the monitor driver.
Register the monitor driver in the operating system environment of the sandbox virtual machine, initialise it, create the redirect file directory and initialise the redirect registry path. To prevent sandbox evasion, both the file directory and the registry path are randomly generated, so that a sample cannot recognise the sandbox by looking for a fixed redirect location.
Step 5: Execute (or open) the suspicious file in the suspended state.
With the monitor driver registered, execute (or open) the suspicious file in the suspended state and obtain the corresponding process ID.
Step 6: Inject the monitor program.
The monitor program is generally a DLL injected into the process space of the program; it obtains behavioural information such as the operating system API functions called by the suspicious file and their parameters by hooking. The monitor program (a dynamic link library) is injected into the process space of the suspicious file by creating a remote thread, ready to monitor the behavioural information of the suspicious file.
Step 7: Pass the process ID of the suspicious file to the monitor driver.
The process ID obtained in step 5 when the suspicious file was executed (or opened) is passed into the monitor driver, which monitors and redirects the file and registry operations of this process and all of its child processes.
Step 8: Resume the process hosting the suspicious file.
Resume execution of the process hosting the suspicious file.
Step 9: Redirect file operations to the specified path and registry operations to the specified registry location.
Once the monitor driver has obtained the process ID of the suspicious file and the IDs of its child processes, it filters their behaviour through the file system filter driver message mechanism of the operating system and, by redirection, diverts the file creations, modifications and deletions that occur while the suspicious file's process and all of its child processes run to the redirect file directory created in step 4, and diverts the registry insertions, modifications and deletions to the registry path created in step 4.
Furthermore, if the suspicious file's process queries the content of other files or of the registry, the query result must merge the original file content with the redirected content for that file, or the original value of the registry entry with its redirected value, because the process itself may already have updated the file or registry value being queried, and that update was redirected to the specified file directory or registry location. This merging guarantees the accuracy of the query result.
Step 10: Monitor and record the behavioural information of the suspicious file.
The monitor program obtains behavioural information such as the operating system API functions called by the suspicious file and their parameters by hooking, and saves it in a format recognisable by the external task scheduler (or returns the captured behavioural information to the external task scheduler in real time over the agreed network communication channel).
Step 11: The suspicious file finishes executing or times out.
When the dynamic simulation run of the suspicious file ends, or when the time for which a non-PE file (for example an Office Word document) has been open reaches the maximum simulation time per suspicious file preset by the sandbox system, the sandbox actively terminates the simulation run of the suspicious file and thereby ends its detection.
Step 12: Return the behavioural information of the suspicious file.
The captured behavioural information is returned to the external task scheduler over the agreed network communication channel, and the external task scheduler judges from it whether the suspicious file is malicious.
Step 13: Delete the redirect information and rapidly restore the sandbox environment.
To guarantee the integrity and robustness of the sandbox system, the sandbox environment must be restored after each suspicious file has finished its dynamic simulation run, so that the run of the next suspicious file is not affected by the results of the previous one. In the method of the present invention, apart from the redirect file directory and redirect registry path specified in step 4, the simulation run of the suspicious file changes no other file or registry information in the virtual machine operating system. It is therefore sufficient simply to empty the contents of the redirect directory and the redirect registry path to restore the virtual machine rapidly to its original state after image revert. This saves the large time overhead of the I/O needed for an image revert and of shutting down and restarting the virtual machine, and significantly increases sandbox detection efficiency.
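Step 9's query merging and Step 13's recovery, as an added example that is not part of the patent: an in-memory two-layer model in C, with a read-only base image and the redirect layer written by the tracked process tree. Deleting a base entry records a tombstone in the redirect layer so the merged view hides the entry without touching the base, and recovery is nothing more than emptying the redirect layer. The entry names and contents (`hosts`, `config.ini`, `dropper.exe`) are constructed sample data; the same model applies to registry keys and values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32
#define NAME_LEN 64
#define DATA_LEN 128

/* One file (or registry value) in a layer. A tombstone in the redirect layer
 * records that the sample deleted a base entry, without touching the base. */
typedef struct {
    char name[NAME_LEN];
    char data[DATA_LEN];
    bool tombstone;
} entry_t;

typedef struct {
    entry_t items[MAX_ENTRIES];
    int count;
} layer_t;

static entry_t *layer_find(layer_t *l, const char *name)
{
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->items[i].name, name) == 0)
            return &l->items[i];
    return NULL;
}

static entry_t *layer_put(layer_t *l, const char *name, const char *data, bool tombstone)
{
    entry_t *e = layer_find(l, name);
    if (!e) {
        if (l->count >= MAX_ENTRIES)
            return NULL;
        e = &l->items[l->count++];
        snprintf(e->name, NAME_LEN, "%s", name);
    }
    snprintf(e->data, DATA_LEN, "%s", data ? data : "");
    e->tombstone = tombstone;
    return e;
}

/* Create or modify by a tracked process: lands in the redirect layer only. */
static bool overlay_write(layer_t *redir, const char *name, const char *data)
{
    return layer_put(redir, name, data, false) != NULL;
}

/* Delete by a tracked process: drop an entry the sample created itself, or
 * tombstone a base entry so later queries no longer see it. */
static bool overlay_delete(layer_t *base, layer_t *redir, const char *name)
{
    entry_t *r = layer_find(redir, name);
    bool in_base = layer_find(base, name) != NULL;
    if (r && r->tombstone)
        return false;                    /* already deleted by the sample */
    if (r && !in_base) {                 /* existed only in the redirect layer */
        *r = redir->items[--redir->count];
        return true;
    }
    if (!in_base)
        return false;                    /* never existed */
    return layer_put(redir, name, NULL, true) != NULL;
}

/* Query (the Step 9 merge): the redirect layer wins, a tombstone hides the
 * base entry, otherwise the base content is returned. NULL means not found. */
static const char *overlay_read(layer_t *base, layer_t *redir, const char *name)
{
    entry_t *r = layer_find(redir, name);
    if (r)
        return r->tombstone ? NULL : r->data;
    entry_t *b = layer_find(base, name);
    return b ? b->data : NULL;
}

/* Directory or key enumeration: base entries that are not tombstoned, plus
 * entries that exist only in the redirect layer. Returns the count. */
static int overlay_list(layer_t *base, layer_t *redir, const char *names[], int max)
{
    int n = 0;
    for (int i = 0; i < base->count && n < max; i++) {
        entry_t *r = layer_find(redir, base->items[i].name);
        if (!r || !r->tombstone)
            names[n++] = base->items[i].name;
    }
    for (int i = 0; i < redir->count && n < max; i++)
        if (!redir->items[i].tombstone && !layer_find(base, redir->items[i].name))
            names[n++] = redir->items[i].name;
    return n;
}

/* Step 13 recovery: empty the redirect layer (in the real system, delete the
 * random directory and unload the redirect hive). The base was never modified. */
static void overlay_reset(layer_t *redir)
{
    memset(redir, 0, sizeof *redir);
}

int main(void)
{
    layer_t base = {0}, redir = {0};  /* constructed base image, empty overlay */
    layer_put(&base, "hosts", "127.0.0.1 localhost", false);
    layer_put(&base, "config.ini", "debug=0", false);
    overlay_write(&redir, "dropper.exe", "MZ...");
    overlay_write(&redir, "config.ini", "debug=1");
    overlay_delete(&base, &redir, "hosts");
    printf("config.ini while the sample runs: %s\n", overlay_read(&base, &redir, "config.ini"));
    overlay_reset(&redir);
    printf("config.ini after recovery: %s\n", overlay_read(&base, &redir, "config.ini"));
    return 0;
}
```

Note the boundary of what this recovers: only changes made by the tracked process tree through the filtered file and registry paths land in the redirect layer. A sample that injects into an untracked process, or that alters state the filter does not see (for example a service it started that is still running), is not undone by emptying the redirect directory, so the image revert performed at sandbox start-up in Step 1 remains the backstop.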
At this point the detection task for one suspicious file is finished and the sandbox environment has been restored.
Finally, it should be noted that what is listed above is only a preferred embodiment of the present invention and is not intended to limit the invention; all variations that a person of ordinary skill in the art can directly derive or infer from the disclosed content should be included within the scope of protection of the present invention.