CN105574409B - A kind of injecting codes extracting method and device - Google Patents
Publication number: CN105574409B (application number CN201510918017.XA)
Authority: CN (China)
Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The invention discloses an injected-code extraction method, comprising: running a suspect program; while the suspect program runs, using the PIN tool to detect whether the process of the suspect program injects code (possibly a malicious program) into other processes, especially white processes; and, if injection is detected, extracting the injected code by means of the PIN tool. The invention effectively solves the technical problem in the prior art that code injected into a white process is difficult to extract, and achieves the technical effect of quickly extracting code injected into a white process. This makes it easier to analyse the injected code, identify whether it is malicious code, and take corresponding measures in time, thereby ensuring computer security. The invention also discloses an injected-code extraction device.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an injected-code extraction method and device.
Background technology
With the increasing popularity of computer applications, the number of malicious programs, including viruses and Trojans, is also growing rapidly. A Trojan program is a malicious program that runs on a user's computer in order to steal the user's files, privacy, account details and other information; some even allow a hacker to remotely control the user's computer. Compared with traditional viruses, whose purpose is simply to damage computer equipment, Trojans are more often written for profit, and their stealing of computer users' information usually causes the user heavy losses, so Trojans are also more harmful. Malicious programs can reach a user's computer through many transmission routes, such as portable removable media (flash drives, CDs and so on), and with the wide use of computer network technology the internet has increasingly become one of the main paths by which malicious programs spread: a hacker or malware distributor disguises a Trojan or other malicious program file as a file of another type and lures the user into clicking and downloading it. Once the malicious program has been downloaded to the user's computer and run successfully, the hacker or distributor can use it to damage the user's computer, steal the user's personal information and commit other illegal acts.
Attacks that exploit vulnerabilities in the operating system and application software are one of the main means by which malicious programs are successfully implanted and run on a user's computer. A vulnerability is a defect in the logical design of operating system or application software, or an error made when writing it. Hackers can often exploit these defects or errors to implant Trojans and other malicious programs, intrude into, control or even destroy the user's software and hardware systems, or steal the user's important information and data.
Antivirus software can effectively prevent and remove malicious programs. However, to evade detection and removal by antivirus software, malicious programs usually inject their malicious code into a white process (a process recorded in a whitelist, which antivirus software does not remove) and attack the computer from inside the white process. Code injected into a white process is generally difficult to extract and therefore difficult to analyse, which poses a serious threat to computer security.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an injected-code extraction method and device that overcome, or at least partly solve, the above problems.
One aspect of the present invention provides an injected-code extraction method, comprising:
running a suspect program;
while the suspect program is running, detecting, by means of the API execution recording tool PIN, whether the process of the suspect program injects code into other processes;
if it is detected that the process of the suspect program injects code into other processes, extracting, by means of the PIN, the code that the process of the suspect program injects into the other processes.
Preferably, said detecting, while the suspect program is running, whether the process of the suspect program injects code into other processes comprises:
while the suspect program is running, inserting the monitor code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein, when executed, the monitor code monitors each API function called by the suspect program and stores the relevant information of each such API function in the log file of the PIN;
extracting the relevant information of each API function called by the suspect program from the log file of the PIN;
judging, on the basis of the relevant information of each API function called by the suspect program, whether the API functions called by the suspect program include a preset API function, wherein the preset API function is one used to inject code and/or data into other processes;
if the API functions called by the suspect program include the preset API function, determining that the process of the suspect program injects code into other processes.
Preferably, said extracting, by means of the PIN, the code that the process of the suspect program injects into other processes comprises:
extracting the relevant information of the preset API function from the log file of the PIN;
extracting, from the relevant information of the preset API function, the code that the process of the suspect program injects into other processes.
Preferably, after said extracting, by means of the PIN, the code that the process of the suspect program injects into other processes, the method further comprises:
outputting the code that the process of the suspect program injects into other processes.
Preferably, after said extracting, by means of the PIN, the code that the process of the suspect program injects into other processes, the method further comprises:
judging, by means of the PIN, whether the code that the process of the suspect program injects into other processes is malicious code;
if the code that the process of the suspect program injects into other processes is malicious code, determining that the suspect program is a malicious program.
Preferably, said judging, by means of the PIN, whether the code that the process of the suspect program injects into other processes is malicious code comprises:
running the code that the process of the suspect program injects into other processes;
obtaining, by means of the PIN, the relevant information of the sequence of API functions called by the injected code while it runs;
judging, on the basis of the relevant information of the API function sequence, whether the API function sequence is legal;
if the API function sequence is illegal, determining that the injected code is malicious code.
Preferably, said obtaining, by means of the PIN, the relevant information of the sequence of API functions called by the injected code while it runs comprises:
while the code injected by the process of the suspect program into other processes is running, inserting the monitor code of the PIN at the head and tail of each API function in the injected code, wherein, when executed, the monitor code monitors each API function called by the injected code and stores the relevant information of each such API function in the log file of the PIN;
extracting the relevant information of each API function called by the injected code from the log file of the PIN;
determining, on the basis of the relevant information of each API function called by the injected code, the relevant information of the API function sequence called by the injected code.
Preferably, the relevant information of the API function sequence called by the injected code comprises:
the name of each API function called by the injected code while it runs, and
the order in which the API functions called by the injected code are called while it runs.
Preferably, said judging, on the basis of the relevant information of the API function sequence, whether the API function sequence is legal comprises:
judging, on the basis of the relevant information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that any malicious code may call when executed;
if the API function sequence is recorded in the malicious API function sequence library, determining that the API function sequence is illegal;
if the API function sequence is not recorded in the malicious API function sequence library, determining that the API function sequence is legal.
Preferably, after said determining that the suspect program is a malicious program, the method further comprises:
obtaining, by means of the PIN, the instruction code in the suspect program that calls each API function called by the suspect program;
outputting the instruction code in the suspect program that calls each API function called by the suspect program.
Preferably, said obtaining the instruction code in the suspect program that calls each API function called by the suspect program comprises:
extracting, from the log file of the PIN, the memory address of the instruction code in the suspect program that calls each API function;
extracting from memory, on the basis of the memory address, the instruction code in the suspect program that calls each API function.
Preferably, after said determining that the suspect program is a malicious program, the method further comprises:
deleting the suspect program; or
repairing the damage caused by the suspect program; or
isolating the suspect program; or
classifying the suspect program as a sample.
Another aspect of the present invention provides an injected-code extraction device, comprising:
a running module, for running a suspect program;
a detection module, for detecting, while the suspect program is running and by means of the API execution recording tool PIN, whether the process of the suspect program injects code into other processes;
an extraction module, for extracting, by means of the PIN, the code that the process of the suspect program injects into other processes if it is detected that the process of the suspect program injects code into other processes.
Preferably, the detection module comprises:
an insertion submodule, for inserting, while the suspect program is running, the monitor code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein, when executed, the monitor code monitors each API function called by the suspect program and stores the relevant information of each such API function in the log file of the PIN;
a first extraction submodule, for extracting the relevant information of each API function called by the suspect program from the log file of the PIN;
a first judging submodule, for judging, on the basis of the relevant information of each API function called by the suspect program, whether the API functions called by the suspect program include a preset API function, wherein the preset API function is one used to inject code and/or data into other processes;
a first determination submodule, for determining that the process of the suspect program injects code into other processes if the API functions called by the suspect program include the preset API function.
Preferably, the extraction module comprises:
a second extraction submodule, for extracting the relevant information of the preset API function from the log file of the PIN;
a third extraction submodule, for extracting, from the relevant information of the preset API function, the code that the process of the suspect program injects into other processes.
Preferably, the injected-code extraction device further comprises:
an output module, for outputting the code that the process of the suspect program injects into other processes after that code has been extracted by means of the PIN.
Preferably, the injected-code extraction device further comprises:
a judging module, for judging, by means of the PIN, whether the code that the process of the suspect program injects into other processes is malicious code, after that code has been extracted by means of the PIN;
a determination module, for determining that the suspect program is a malicious program if the code that the process of the suspect program injects into other processes is malicious code.
Preferably, the judging module comprises:
a running submodule, for running the code that the process of the suspect program injects into other processes;
an acquisition submodule, for obtaining, by means of the PIN, the relevant information of the sequence of API functions called by the injected code while it runs;
a second judging submodule, for judging, on the basis of the relevant information of the API function sequence, whether the API function sequence is legal;
a second determination submodule, for determining that the injected code is malicious code if the API function sequence is illegal.
Preferably, the acquisition submodule is specifically used for: inserting, while the code injected by the process of the suspect program into other processes is running, the monitor code of the PIN at the head and tail of each API function in the injected code, wherein, when executed, the monitor code monitors each API function called by the injected code and stores the relevant information of each such API function in the log file of the PIN; extracting the relevant information of each API function called by the injected code from the log file of the PIN; and determining, on the basis of the relevant information of each API function called by the injected code, the relevant information of the API function sequence called by the injected code.
Preferably, the relevant information of the API function sequence called by the injected code comprises:
the name of each API function called by the injected code while it runs, and
the order in which the API functions called by the injected code are called while it runs.
Preferably, the second judging submodule is specifically used for: judging, on the basis of the relevant information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that any malicious code may call when executed; if the API function sequence is recorded in the malicious API function sequence library, determining that the API function sequence is illegal; and if the API function sequence is not recorded in the malicious API function sequence library, determining that the API function sequence is legal.
Preferably, the injected-code extraction device further comprises:
an acquisition module, for obtaining, by means of the PIN and after the suspect program has been determined to be a malicious program, the instruction code in the suspect program that calls each API function called by the suspect program;
an output module, for outputting the instruction code in the suspect program that calls each API function called by the suspect program.
Preferably, the acquisition module comprises:
a fourth extraction submodule, for extracting, from the log file of the PIN and after the suspect program has been determined to be a malicious program, the memory address of the instruction code in the suspect program that calls each API function;
a fifth extraction submodule, for extracting from memory, on the basis of the memory address, the instruction code in the suspect program that calls each API function.
Preferably, the injected-code extraction device further comprises:
a deletion module, for deleting the suspect program after it has been determined to be a malicious program; or
a repair module, for repairing the damage caused by the suspect program after it has been determined to be a malicious program; or
an isolation module, for isolating the suspect program after it has been determined to be a malicious program; or
a classification module, for classifying the suspect program as a sample after it has been determined to be a malicious program.
One or more of the technical solutions provided in the embodiments of the present application have at least the following technical effects or advantages:
The injected-code extraction method and device according to the present invention can run a suspect program, use the PIN tool while the suspect program runs to detect whether the process of the suspect program injects code (possibly malicious code) into other processes, especially white processes, and, if such injection is detected, use the PIN tool to extract the code that the process of the suspect program injects into other processes. The present invention effectively solves the technical problem in the prior art that code injected into a white process is difficult to extract, and achieves the technical effect of quickly extracting code injected into a white process. This makes it easier to analyse the injected code, identify whether it is malicious code, and take corresponding measures in time, thereby ensuring computer security. Moreover, in the present invention, the PIN tool can extract the injected code of a large batch of suspect programs at the same time and output a large batch of log files; analysing these log files helps to discover unknown viruses quickly.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be better understood and implemented in accordance with the contents of the specification, and that the above and other objects, features and advantages of the present invention can be made clearer and easier to understand, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 shows a flow chart of an injected-code extraction method according to an embodiment of the invention;
Fig. 2 shows a structural diagram of an injected-code extraction device according to an embodiment of the invention.
Specific embodiments
An embodiment of the present invention provides an injected-code extraction method and device, in order to solve the technical problem in the prior art that code injected into a white process is difficult to extract.
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set out here. On the contrary, these embodiments are provided so that the present invention can be understood more thoroughly and the scope of the disclosure can be conveyed completely to those skilled in the art.
First, the term "and/or" used herein only describes an association between associated objects and indicates that three kinds of relationship may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
As shown in Fig. 1, the present embodiment provides an injected-code extraction method, comprising:
Step S101: running a suspect program.
The term "suspect program" used herein refers to any program, without reference to any particular one; it is mainly used to distinguish the program from the "malicious program" referred to below.
Step S102: while the suspect program is running, detecting, by means of PIN (Pin API Record Tool, an API execution recording tool), whether the process of the suspect program injects code into other processes, especially white processes.
In the prior art, in order to evade detection and removal by antivirus software, malicious programs usually inject their malicious code into a white process (a process recorded in a whitelist, which antivirus software does not remove) and attack the computer from inside the white process. For this reason, the present embodiment uses the PIN tool to extract the code injected into other processes.
The PIN tool is a binary instrumentation framework that supports the x86 and x64 architectures and multiple platforms (such as Windows, Linux and OS X) and is generally used for dynamic program analysis. The PIN tool was originally intended for the field of computer architecture analysis; the present embodiment applies it to the field of computer security, using it to extract code injected into other processes.
In a specific implementation, while the suspect program is running, the monitor code of the PIN can be inserted at the head and tail of each API (Application Program Interface) function called by the suspect program. An example of the monitor code is given below:
When the monitor code is executed, it monitors each API function called by the suspect program and stores the relevant information of each such API function (such as the function name, parameters, return value and return address) in the log file of the PIN. The relevant information of each API function called by the suspect program can therefore be extracted from the log file of the PIN, and on the basis of that information it can be judged whether the API functions called by the suspect program include a preset API function; if they do, it is determined that the process of the suspect program injects code into other processes. The preset API function is one used to inject code and/or data into other processes, for example the "WriteProcessMemory" function.
Step S103: if it is detected that the process of the suspect program injects code into other processes, extracting, by means of the PIN, the code that the process of the suspect program injects into other processes.
As an optional embodiment, step S103 specifically comprises:
extracting the relevant information of the preset API function (such as the "WriteProcessMemory" function) from the log file of the PIN, and then extracting, from the relevant information of the preset API function, the code that the process of the suspect program injects into other processes.
In a specific implementation, the injected code is passed into the other process as a parameter of the "WriteProcessMemory" function, and when the above monitor code of the PIN runs, the relevant information of the "WriteProcessMemory" function (including its parameters) is extracted and stored in the log file of the PIN. The relevant information of the "WriteProcessMemory" function can therefore be extracted from the log file of the PIN, and from that information the code that the process of the suspect program injects into other processes can be extracted.
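As an added illustration of steps S102 and S103 (example code written for this page, not the patent's own PIN tool or log format): it parses a constructed API record log of the kind the monitor code would produce, detects the preset API function "WriteProcessMemory", and recovers the injected bytes from its recorded parameters. The record layout, the field names and the sample log are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Assumed record layout (the patent does not fix one). One line per monitored API call:
#   <return address> <function>(<name>=<value>, ...) = <return value> [buf=<hex of lpBuffer>]
RECORD = re.compile(
    r"^(?P<ret_addr>0x[0-9a-fA-F]+)\s+(?P<func>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>\S+)"
    r"(?:\s+buf=(?P<buf>[0-9a-fA-F]*))?$"
)

# The preset API functions used to inject code and/or data into other processes.
# WriteProcessMemory is the example the patent names; the set is easy to extend.
PRESET_API_FUNCTIONS = {"WriteProcessMemory"}


@dataclass
class ApiRecord:
    func: str
    args: dict
    ret: str
    ret_addr: int
    buf: bytes = b""


def parse_pin_log(text: str) -> list:
    """Extract the relevant information of every monitored API call from the log text."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # not an API record (blank line, banner, ...)
        args = {}
        for pair in m.group("args").split(","):
            if "=" in pair:
                key, value = pair.split("=", 1)
                args[key.strip()] = value.strip()
        buf = bytes.fromhex(m.group("buf")) if m.group("buf") else b""
        records.append(ApiRecord(m.group("func"), args, m.group("ret"),
                                 int(m.group("ret_addr"), 16), buf))
    return records


def detect_injection(records) -> list:
    """Step S102: the suspect process injects into another process if a preset API function was called."""
    return [r for r in records if r.func in PRESET_API_FUNCTIONS]


def extract_injected_code(records) -> list:
    """Step S103: for each WriteProcessMemory record, return (target address, bytes written).

    The injected code is the lpBuffer parameter; nSize bounds how much of it was written.
    """
    extracted = []
    for r in detect_injection(records):
        size = int(r.args.get("nSize", "0"), 0)
        target = int(r.args["lpBaseAddress"], 16)
        extracted.append((target, r.buf[:size]))
    return extracted


# Constructed sample log: a suspect process opening another process, allocating memory
# in it and writing 8 bytes there. All values are made up for this example.
SAMPLE_LOG = """\
0x00401a2f OpenProcess(dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=1234) = 0x1a4
0x00401a4b VirtualAllocEx(hProcess=0x1a4, lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) = 0x7ff60000
0x00401a63 WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x7ff60000, lpBuffer=0x2d0000, nSize=8, lpNumberOfBytesWritten=0x19ff2c) = 1 buf=4d5a900003000000
0x00401a71 CloseHandle(hObject=0x1a4) = 1
"""

if __name__ == "__main__":
    recs = parse_pin_log(SAMPLE_LOG)
    for target, code in extract_injected_code(recs):
        print(f"injected {len(code)} bytes at {target:#x}: {code.hex()}")
```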
As an optional embodiment, after the code that the process of the suspect program injects into other processes has been extracted, the injected-code extraction method further comprises:
outputting the code that the process of the suspect program injects into other processes.
In a specific implementation, an interactive interface can be shown on a display screen to obtain a preset operation from a technician (such as pressing a preset button or entering a preset instruction); when the preset operation is received, the code that the process of the suspect program injects into other processes is output on the display screen. This makes it convenient for the technician to read and analyse the injected code, and when the injected code is determined to be malicious code, countermeasures can be found quickly, thereby ensuring computer security.
As an optional embodiment, after the code that the process of the suspect program injects into other processes has been extracted by means of the PIN, the injected-code extraction method further comprises:
judging, by means of the PIN, whether the code that the process of the suspect program injects into other processes is malicious code;
if the code that the process of the suspect program injects into other processes is malicious code, determining that the suspect program is a malicious program.
In a specific implementation, the code that the process of the suspect program injects into other processes can be run, and the PIN tool used to obtain the relevant information of the sequence of API functions called by the injected code while it runs; it is then judged, on the basis of that relevant information, whether the API function sequence is legal, and if it is illegal the injected code is determined to be malicious code. The relevant information of the API function sequence called by the suspect code includes the name of each API function called by the suspect code and the order in which those API functions are called. The API function sequence called by the suspect code may be the sequence formed by all the API functions the suspect code calls, or the sequence formed by some of them. Different API function sequences may implement different functions; for example, the API function sequence "OpenProcess->WriteProcessMemory" is used for "cross-process injection", and the API function sequence "SuspendThread->SetThreadContext->ResumeThread..." is used for "malicious code switching the execution flow...".
In a specific implementation, while the injected code is running, the PIN monitor code described above can be inserted at the head and tail of each API function in the injected code. When the monitor code executes, it monitors each API function called by the injected code and stores the related information of each API function called by the injected code (for example, the API function's name) in the log file of PIN. The related information of each API function called by the injected code can therefore be extracted from the log file of PIN, and from the related information of each API function the related information of the API function sequence called by the injected code can be determined. The related information of the API function sequence called by the injected code includes the name of each API function called by the injected code while it runs, and the order in which each API function is called while the injected code runs.
In a specific implementation, based on the related information of the API function sequence, it can be judged whether the API function sequence is recorded in a malicious API function sequence library, which records the API function sequences that all known malicious code may call when executed. If the API function sequence is recorded in the malicious API function sequence library, the API function sequence is determined to be illegal; if it is not recorded there, the API function sequence is determined to be legal.
In a specific implementation, the malicious API function sequence library is maintained and updated by professional technicians and stores all currently known malicious API function sequences; these sequences usually occur in malicious code and are used to damage the computer. The malicious API function sequences recorded in the library fall mainly into the following classes:
(1) API function sequences used to maliciously tamper with the registry, for example "RegOpenKeyEx->RegSetKeyValue...".
(2) API function sequences used to access malicious links, or to download malicious programs, for example "URLDownloadToFileA->CreateFile(%temp%/xxx.exe...)->WinExec(%temp%/xxx.exe)...".
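The judgement step described above (recover the ordered API function sequence from the monitor code's log, then check it against the malicious API function sequence library) can be worked through in plain C++. The following block is an added example and is not code from the patent; it assumes a log line format of "<call order> <API name>" for what the monitor code writes, treats the library as ordered-subsequence patterns (the patent does not fix a matching rule, and it says a sequence may cover only part of the calls), and uses a constructed library holding the sequence classes named in the text.

```cpp
// Added example: match an API call sequence recovered from a PIN-style log
// against a malicious API function sequence library. Log format, library
// contents and the ordered-subsequence matching rule are assumptions.
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One record written by the (assumed) monitor code: call order and API name.
struct ApiCall {
    unsigned long order;
    std::string name;
};

// One entry of the malicious API function sequence library.
struct MaliciousSequence {
    std::string label;
    std::vector<std::string> apis;
};

// Parse log lines of the constructed form "<order> <api name>" and return the
// API names sorted by call order, i.e. the sequencing information the text describes.
std::vector<std::string> apiSequenceFromLog(const std::string& log) {
    std::vector<ApiCall> calls;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        ApiCall c;
        if (fields >> c.order >> c.name) calls.push_back(c);  // malformed lines are skipped
    }
    std::sort(calls.begin(), calls.end(),
              [](const ApiCall& a, const ApiCall& b) { return a.order < b.order; });
    std::vector<std::string> seq;
    for (const ApiCall& c : calls) seq.push_back(c.name);
    return seq;
}

// True if every API of 'pattern' occurs in 'observed' in the same relative
// order; the pattern may be only a part of everything the code called.
bool containsOrdered(const std::vector<std::string>& observed,
                     const std::vector<std::string>& pattern) {
    std::size_t i = 0;
    for (const std::string& api : observed) {
        if (i < pattern.size() && api == pattern[i]) ++i;
    }
    return i == pattern.size();
}

// Constructed library holding the sequence classes the text names.
std::vector<MaliciousSequence> sampleLibrary() {
    return {
        {"cross-process injection", {"OpenProcess", "WriteProcessMemory"}},
        {"execution-flow switch", {"SuspendThread", "SetThreadContext", "ResumeThread"}},
        {"registry tampering", {"RegOpenKeyEx", "RegSetKeyValue"}},
        {"download and execute", {"URLDownloadToFileA", "CreateFile", "WinExec"}},
    };
}

// Labels of every library sequence that is found in the observed sequence.
std::vector<std::string> matchLibrary(const std::vector<std::string>& observed,
                                      const std::vector<MaliciousSequence>& lib) {
    std::vector<std::string> hits;
    for (const MaliciousSequence& m : lib)
        if (containsOrdered(observed, m.apis)) hits.push_back(m.label);
    return hits;
}

// The judgement: a sequence is illegal when it is recorded in the library.
bool isLegalSequence(const std::string& log) {
    return matchLibrary(apiSequenceFromLog(log), sampleLibrary()).empty();
}

// Constructed sample log; lines are deliberately out of order to show that the
// order field, not the position in the file, determines the sequence.
const char* kInjectorLog =
    "3 OpenProcess\n"
    "1 GetCurrentProcessId\n"
    "2 VirtualAllocEx\n"
    "5 CreateRemoteThread\n"
    "4 WriteProcessMemory\n";

// Same API names in a different order: not recorded in the library.
const char* kReorderedLog =
    "1 GetCurrentProcessId\n"
    "2 WriteProcessMemory\n"
    "3 OpenProcess\n";

int main() {
    for (const std::string& hit : matchLibrary(apiSequenceFromLog(kInjectorLog), sampleLibrary()))
        std::cout << "matched malicious sequence: " << hit << '\n';
    std::cout << "reordered log legal: " << (isLegalSequence(kReorderedLog) ? "yes" : "no") << '\n';
    return 0;
}
```

Sorting by the logged order field rather than by file position matters when several threads of the injected code write to the same log; the reordered sample shows why the library is keyed on call order and not only on which API names appear.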
As an optional embodiment, after the suspect program has been determined to be a malicious program, the injection code extraction method further includes:
obtaining, through PIN, the instruction code in the suspect program that calls each API function in the suspect program, and outputting the instruction code in the suspect program that calls each API function in the suspect program.
In a specific implementation, when the suspect program carrying the PIN monitor code runs, the PIN tool stores in its own log file the memory address of the instruction code in the suspect program that calls each API function in the suspect program. The memory address of the instruction code that calls each API function can therefore be extracted from the log file of PIN, and based on that memory address the instruction code in the suspect program that calls each API function is extracted or dumped from memory.
In a specific implementation, an interactive interface can be provided through the display screen, showing the identifiers of all API functions called by the suspect program. A selection operation by the technician is obtained through the interactive interface (the selection operation selects one or several of all the APIs called by the suspect program); based on the selection operation, the one or more API functions chosen by the technician are determined, the memory addresses of the instruction code in the suspect program that calls the chosen API functions are extracted from the log file of PIN, the instruction code in the suspect program that calls the chosen API functions is extracted or dumped from memory according to those memory addresses, and these instruction codes are shown on the display screen. This makes it convenient for technicians to read and analyze the instruction code that calls each API function in the malicious code.
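The dump step in the two paragraphs above (read the logged call-site addresses, keep only the API functions the technician selected, and copy the instruction bytes at those addresses out of memory) is shown below as an added example; it is not code from the patent. It assumes a log line format of "<API name> 0x<hex address>", stands in for live process memory with a constructed image of mapped regions, and reports an empty dump for the failure modes a real dump hits: an address outside any mapped region, or a window that would run past the end of its region.

```cpp
// Added example: dump the instruction bytes at logged API call sites from a
// constructed memory image. Log format and image contents are assumptions.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// One (assumed) log record: API name and address of the instruction that calls it.
struct CallSite {
    std::string api;
    std::uint64_t address;
};

// One mapped region of the constructed process image.
struct Region {
    std::uint64_t base;
    std::vector<std::uint8_t> bytes;
};

// Result of one dump: which API, where, and the bytes as lowercase hex.
struct DumpResult {
    std::string api;
    std::uint64_t address;
    std::string hex;
};

// Parse log lines of the constructed form "<api name> 0x<hex address>".
std::vector<CallSite> parseCallSites(const std::string& log) {
    std::vector<CallSite> sites;
    std::istringstream in(log);
    std::string api, addr;
    while (in >> api >> addr) {
        try {
            sites.push_back({api, std::stoull(addr, nullptr, 16)});
        } catch (const std::exception&) {
            // malformed address field: the record is skipped
        }
    }
    return sites;
}

// Copy 'count' bytes at 'address' out of the image. Returns an empty vector
// when the address is unmapped or the window runs past the region's end.
std::vector<std::uint8_t> dumpBytes(const std::vector<Region>& image,
                                    std::uint64_t address, std::size_t count) {
    for (const Region& r : image) {
        if (address < r.base || address >= r.base + r.bytes.size()) continue;
        std::size_t off = static_cast<std::size_t>(address - r.base);
        if (off + count > r.bytes.size()) return {};
        return std::vector<std::uint8_t>(r.bytes.begin() + off, r.bytes.begin() + off + count);
    }
    return {};
}

std::string toHex(const std::vector<std::uint8_t>& b) {
    static const char* digits = "0123456789abcdef";
    std::string s;
    for (std::uint8_t x : b) { s += digits[x >> 4]; s += digits[x & 0xF]; }
    return s;
}

// Dump the call sites of the API functions the technician selected, in log order.
std::vector<DumpResult> dumpSelected(const std::string& log, const std::vector<Region>& image,
                                     const std::set<std::string>& selected, std::size_t count) {
    std::vector<DumpResult> out;
    for (const CallSite& cs : parseCallSites(log)) {
        if (!selected.count(cs.api)) continue;  // not chosen in the selection operation
        out.push_back({cs.api, cs.address, toHex(dumpBytes(image, cs.address, count))});
    }
    return out;
}

// Constructed image: one 16-byte region; the byte values are sample data only.
std::vector<Region> sampleImage() {
    return {{0x401000, {0x55, 0x8B, 0xEC, 0xE8, 0x00, 0x10, 0x00, 0x00,
                        0x90, 0x90, 0xFF, 0x15, 0x20, 0x30, 0x40, 0x00}}};
}

// Constructed log; the last address lies outside the mapped region.
const char* kCallSiteLog =
    "OpenProcess 0x401000\n"
    "CreateRemoteThread 0x401003\n"
    "WriteProcessMemory 0x40100a\n"
    "Sleep 0x500000\n";

int main() {
    for (const DumpResult& d : dumpSelected(kCallSiteLog, sampleImage(),
                                            {"CreateRemoteThread", "Sleep"}, 5))
        std::cout << d.api << " @0x" << std::hex << d.address << ": "
                  << (d.hex.empty() ? "<unmapped or truncated>" : d.hex) << '\n';
    return 0;
}
```

Reporting an explicit empty dump for an unmapped address is deliberate: a log written by the monitor code can refer to memory the injected code has since freed or never mapped in the dumping process, and silently dumping neighbouring bytes would mislead the reader of the display.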
As an optional embodiment, after the suspect program has been determined to be a malicious program, the injection code extraction method further includes: deleting the suspect program, or deleting and isolating the suspect program.
As an optional embodiment, after the suspect program has been determined to be a malicious program, the injection code extraction method further includes: repairing the damage caused by the suspect program, and/or classifying the suspect program as a sample.
In a specific implementation, repairing the damage caused by the suspect program includes restoring tampered information in the registry, restoring maliciously deleted system files, and so on.
In a specific implementation, the suspect program can be classified as a sample according to a number of rules, for example by the type of damage (such as tampering with the registry or downloading a malicious program), or by whether an anti-virtual-machine (or anti-debugger) flow is present, as judged from the APIs and their parameters.
This embodiment effectively solves the technical problem in the prior art that code injected into a white (whitelisted) process is difficult to extract, and achieves the technical effect of quickly extracting the code injected into a white process. This facilitates analysis of the injected code, identification of whether it is malicious code, and timely countermeasures, thereby ensuring computer security.
Moreover, in this embodiment, the PIN tool can extract the injected code of a large batch of suspect programs at the same time and output a large batch of log files; analyzing these log files helps to discover unknown viruses quickly.
Based on the injection code extraction method described above, this embodiment further provides an injection code extraction device, as shown in Fig. 2, comprising:
a running module 201, for running a suspect program;
a detection module 202, for detecting, during the running of the suspect program and through the API execution recording tool PIN, whether the process of the suspect program injects code into another process;
an extraction module 203, for extracting, through PIN, the code that the process of the suspect program injected into the other process if it is detected that the process of the suspect program injects code into another process.
As an optional embodiment, the detection module 202 includes:
an insertion submodule, for inserting, during the running of the suspect program, the monitor code of PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein when the monitor code executes it monitors each API function called by the suspect program and stores the related information of each API function called by the suspect program in the log file of PIN;
a first extracting submodule, for extracting the related information of each API function called by the suspect program from the log file of PIN;
a first judging submodule, for judging, based on the related information of each API function called by the suspect program, whether the API functions called by the suspect program include a preset API function, wherein the preset API function is used to inject code and/or data into another process;
a first determining submodule, for determining that the process of the suspect program injects code into another process if the API functions called by the suspect program include the preset API function.
As an optional embodiment, the extraction module 203 includes:
a second extracting submodule, for extracting the related information of the preset API function from the log file of PIN;
a third extracting submodule, for extracting, from the related information of the preset API function, the code that the process of the suspect program injected into the other process.
As an optional embodiment, the injection code extraction device further includes:
an output module, for outputting the code that the process of the suspect program injected into the other process after that code has been extracted through PIN.
As an optional embodiment, the injection code extraction device further includes:
a judgment module, for judging, through PIN, whether the code that the process of the suspect program injected into the other process is malicious code after that code has been extracted through PIN;
a determining module, for determining the suspect program to be a malicious program if the code that the process of the suspect program injected into the other process is malicious code.
As an optional embodiment, the judgment module includes:
a running submodule, for running the code that the process of the suspect program injected into the other process;
an acquisition submodule, for obtaining, through PIN, the related information of the API function sequence called by the injected code while the injected code runs;
a second judging submodule, for judging, based on the related information of the API function sequence, whether the API function sequence is legal;
a second determining submodule, for determining the injected code to be malicious code if the API function sequence is illegal.
As an optional embodiment, the acquisition submodule is specifically used for:
while the code that the process of the suspect program injected into the other process is running, inserting the monitor code of PIN at the head and tail of each API function in the injected code, wherein when the monitor code executes it monitors each API function called by the injected code and stores the related information of each API function called by the injected code in the log file of PIN; extracting the related information of each API function called by the injected code from the log file of PIN; and determining, based on the related information of each API function called by the injected code, the related information of the API function sequence called by the injected code.
As an optional embodiment, the related information of the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code runs, and
the order in which each API function is called by the injected code while the injected code runs.
As an optional embodiment, the second judging submodule is specifically used for:
judging, based on the related information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that all known malicious code may call when executed; if the API function sequence is recorded in the malicious API function sequence library, determining that the API function sequence is illegal; if the API function sequence is not recorded in the malicious API function sequence library, determining that the API function sequence is legal.
As an optional embodiment, the injection code extraction device further includes:
an acquisition module, for obtaining, through PIN, the instruction code in the suspect program that calls each API function in the suspect program after the suspect program has been determined to be a malicious program;
an output module, for outputting the instruction code in the suspect program that calls each API function in the suspect program.
As an optional embodiment, the acquisition module includes:
a fourth extracting submodule, for extracting, from the log file of PIN, the memory address of the instruction code in the suspect program that calls each API function in the suspect program after the suspect program has been determined to be a malicious program;
a fifth extracting submodule, for extracting from memory, based on the memory address, the instruction code in the suspect program that calls each API function in the suspect program.
As an optional embodiment, the injection code extraction device further includes:
a removing module, for deleting the suspect program after the suspect program has been determined to be a malicious program; or
a repair module, for repairing the damage caused by the suspect program after the suspect program has been determined to be a malicious program; or
an isolation module, for isolating the suspect program after the suspect program has been determined to be a malicious program; or
a classifying module, for classifying the suspect program as a sample after the suspect program has been determined to be a malicious program.
Since the injection code extraction device introduced in this embodiment is the device used to implement the injection code extraction method in the embodiments of the present application, those skilled in the art can understand the specific implementation and the various variations of the injection code extraction device of this embodiment from the injection code extraction method described in the embodiments of the present application, so how the device implements the method in the embodiments of the present application is not discussed in detail here. Any device used by those skilled in the art to implement the injection code extraction method in the embodiments of the present application falls within the scope that the present application intends to protect.
The technical solutions in the above embodiments of the present application have at least the following technical effects or advantages:
The injection code extraction method and device according to the present invention can run a suspect program, detect through the PIN tool, while the suspect program is running, whether the process of the suspect program injects code (which may be malicious code) into another process (in particular a white process), and, if it is detected that the process of the suspect program injects code into another process, extract through the PIN tool the code that the process of the suspect program injected into the other process. The present invention effectively solves the technical problem in the prior art that code injected into a white process is difficult to extract, and achieves the technical effect of quickly extracting the code injected into a white process. This facilitates analysis of the injected code, identification of whether it is malicious code, and timely countermeasures, thereby ensuring computer security. Moreover, in the present invention, the PIN tool can extract the injected code of a large batch of suspect programs at the same time and output a large batch of log files; analyzing these log files helps to discover unknown viruses quickly.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. The structure required to construct such systems is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is given to disclose the preferred embodiment of the invention.
In the specification provided here, numerous specific details are set forth. It should be understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid in understanding one or more of the various inventive aspects, in the description of exemplary embodiments above the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, any combination may be used to combine all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an injection code extraction device according to an embodiment of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and computer program product) for performing some or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, an injection code extraction method, characterized by comprising:
running a suspect program;
during the running of the suspect program, detecting, through the API execution recording tool PIN, whether the process of the suspect program injects code into another process;
if it is detected that the process of the suspect program injects code into another process, extracting, through the PIN, the code that the process of the suspect program injected into the other process.
A2. The injection code extraction method according to A1, characterized in that detecting, during the running of the suspect program, whether the process of the suspect program injects code into another process comprises:
during the running of the suspect program, inserting the monitor code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein when the monitor code executes it monitors each API function called by the suspect program and stores the related information of each API function called by the suspect program in the log file of the PIN;
extracting the related information of each API function called by the suspect program from the log file of the PIN;
judging, based on the related information of each API function called by the suspect program, whether the API functions called by the suspect program include a preset API function, wherein the preset API function is used to inject code and/or data into another process;
if the API functions called by the suspect program include the preset API function, determining that the process of the suspect program injects code into another process.
A3. The injection code extraction method according to A2, characterized in that extracting, through the PIN, the code that the process of the suspect program injected into the other process comprises:
extracting the related information of the preset API function from the log file of the PIN;
extracting, from the related information of the preset API function, the code that the process of the suspect program injected into the other process.
A4. The injection code extraction method according to A1, characterized in that, after extracting through the PIN the code that the process of the suspect program injected into the other process, the method further comprises:
outputting the code that the process of the suspect program injected into the other process.
A5. The injection code extraction method according to A1, characterized in that, after extracting through the PIN the code that the process of the suspect program injected into the other process, the method further comprises:
judging, through the PIN, whether the code that the process of the suspect program injected into the other process is malicious code;
if the code that the process of the suspect program injected into the other process is malicious code, determining the suspect program to be a malicious program.
A6. The injection code extraction method according to A5, characterized in that judging, through the PIN, whether the code that the process of the suspect program injected into the other process is malicious code comprises:
running the code that the process of the suspect program injected into the other process;
obtaining, through the PIN, the related information of the API function sequence called by the injected code while the injected code runs;
judging, based on the related information of the API function sequence, whether the API function sequence is legal;
if the API function sequence is illegal, determining the injected code to be malicious code.
A7. The injection code extraction method according to A6, characterized in that obtaining, through the PIN, the related information of the API function sequence called by the injected code while the injected code runs comprises:
while the code that the process of the suspect program injected into the other process is running, inserting the monitor code of the PIN at the head and tail of each API function in the injected code, wherein when the monitor code executes it monitors each API function called by the injected code and stores the related information of each API function called by the injected code in the log file of the PIN;
extracting the related information of each API function called by the injected code from the log file of the PIN;
determining, based on the related information of each API function called by the injected code, the related information of the API function sequence called by the injected code.
A8. The injection code extraction method according to A6, characterized in that the related information of the API function sequence called by the injected code comprises:
the name of each API function called by the injected code while the injected code runs, and
the order in which each API function is called by the injected code while the injected code runs.
A9. The injection code extraction method according to A6, characterized in that judging, based on the related information of the API function sequence, whether the API function sequence is legal comprises:
judging, based on the related information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that all known malicious code may call when executed;
if the API function sequence is recorded in the malicious API function sequence library, determining that the API function sequence is illegal;
if the API function sequence is not recorded in the malicious API function sequence library, determining that the API function sequence is legal.
A10. The injection code extraction method according to any one of A5 to A9, characterized in that, after determining the suspect program to be a malicious program, the method further comprises:
obtaining, through the PIN, the instruction code in the suspect program that calls each API function in the suspect program;
outputting the instruction code in the suspect program that calls each API function in the suspect program.
A11. The injection code extraction method according to A10, characterized in that obtaining the instruction code in the suspect program that calls each API function in the suspect program comprises:
extracting, from the log file of the PIN, the memory address of the instruction code in the suspect program that calls each API function in the suspect program;
extracting from memory, based on the memory address, the instruction code in the suspect program that calls each API function in the suspect program.
A12. The injection code extraction method according to any one of A5 to A9, characterized in that, after determining the suspect program to be a malicious program, the method further comprises:
deleting the suspect program; or
repairing the damage caused by the suspect program; or
isolating the suspect program; or
classifying the suspect program as a sample.
B13. An injection code extraction device, characterized by comprising:
a running module, for running a suspect program;
a detection module, for detecting, during the running of the suspect program and through the API execution recording tool PIN, whether the process of the suspect program injects code into another process;
an extraction module, for extracting, through the PIN, the code that the process of the suspect program injected into the other process if it is detected that the process of the suspect program injects code into another process.
B14. The injection code extraction device according to B13, characterized in that the detection module comprises:
an insertion submodule, for inserting, during the running of the suspect program, the monitor code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein when the monitor code executes it monitors each API function called by the suspect program and stores the related information of each API function called by the suspect program in the log file of the PIN;
a first extracting submodule, for extracting the related information of each API function called by the suspect program from the log file of the PIN;
a first judging submodule, for judging, based on the related information of each API function called by the suspect program, whether the API functions called by the suspect program include a preset API function, wherein the preset API function is used to inject code and/or data into the other process;
a first determining submodule, for determining that the process of the suspect program injects code into another process if the API functions called by the suspect program include the preset API function.
B15. The injection code extraction device according to B14, characterized in that the extraction module comprises:
a second extracting submodule, for extracting the related information of the preset API function from the log file of the PIN;
a third extracting submodule, for extracting, from the related information of the preset API function, the code that the process of the suspect program injected into the other process.
B16. The injection code extraction device according to B13, characterized in that the injection code extraction device further comprises:
an output module, for outputting the code that the process of the suspect program injected into the other process after that code has been extracted through the PIN.
B17. The injection code extraction device according to B13, characterized in that the injection code extraction device further comprises:
a judgment module, for judging, through the PIN, whether the code that the process of the suspect program injected into the other process is malicious code after that code has been extracted through the PIN;
a determining module, for determining the suspect program to be a malicious program if the code that the process of the suspect program injected into the other process is malicious code.
B18. The injected code extraction device as described in B17, characterized in that the judgment module includes:
A running submodule, for running the code that the process of the suspect program injected into other processes;
An acquisition submodule, for obtaining, by the PIN, the related information of the API function sequence called by the injected code while the injected code is running;
A second judging submodule, for judging, based on the related information of the API function sequence, whether the API function sequence is legal;
A second determination submodule, for determining the injected code to be malicious code if the API function sequence is illegal.
B19. The injected code extraction device as described in B18, characterized in that the acquisition submodule is specifically used for:
while the code that the process of the suspect program injected into other processes is running, inserting the monitoring code of the PIN at the head and tail of each API function in the injected code, wherein, when the monitoring code is executed, the monitoring code monitors each API function called by the injected code and stores the related information of each API function called by the injected code in the log file of the PIN; extracting the related information of each API function called by the injected code from the log file of the PIN; and determining, based on the related information of each API function called by the injected code, the related information of the API function sequence called by the injected code.
B20. The injected code extraction device as described in B18, characterized in that the related information of the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code is running, and
the calling order of each API function called by the injected code while the injected code is running.
B21. The injected code extraction device as described in B18, characterized in that the second judging submodule is specifically used for:
judging, based on the related information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that all malicious code may call when executed; determining that the API function sequence is illegal if the API function sequence is recorded in the malicious API function sequence library; and determining that the API function sequence is legal if the API function sequence is not recorded in the malicious API function sequence library.
B22. The injected code extraction device as described in any one of B17 to B21, characterized in that the injected code extraction device further includes:
An acquisition module, for obtaining, by the PIN, the instruction code in the suspect program that calls each API function in the suspect program, after the suspect program has been determined to be a malicious program;
An output module, for outputting the instruction code in the suspect program that calls each API function in the suspect program.
B23. The injected code extraction device as described in B22, characterized in that the acquisition module includes:
A fourth extracting submodule, for extracting, from the log file of the PIN, the memory address of the instruction code in the suspect program that calls each API function in the suspect program, after the suspect program has been determined to be a malicious program;
A fifth extracting submodule, for extracting from memory, based on the memory address, the instruction code in the suspect program that calls each API function in the suspect program.
B24. The injected code extraction device as described in any one of B17 to B21, characterized in that the injected code extraction device further includes:
A deletion module, for deleting the suspect program after the suspect program has been determined to be a malicious program; or
A repair module, for repairing the damage caused by the suspect program after the suspect program has been determined to be a malicious program; or
An isolation module, for isolating the suspect program after the suspect program has been determined to be a malicious program; or
A classifying module, for performing sample classification on the suspect program after the suspect program has been determined to be a malicious program.
Claims (22)
1. An injected code extraction method, characterized in that it includes:
running a suspect program;
during the running of the suspect program, detecting, by an application programming interface execution recorder PIN, whether the process of the suspect program has injected code into other processes;
if it is detected that the process of the suspect program has injected code into other processes, extracting, by the PIN, the code that the process of the suspect program injected into other processes;
wherein said detecting, by the application programming interface execution recorder PIN during the running of the suspect program, whether the process of the suspect program has injected code into other processes includes: during the running of the suspect program, inserting the monitoring code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein, when the monitoring code is executed, the monitoring code monitors each API function called by the suspect program and stores the related information of each API function called by the suspect program in the log file of the PIN; extracting the related information of each API function called by the suspect program from the log file of the PIN; judging, based on the related information of each API function called by the suspect program, whether the API functions called by the suspect program include a preset API function, wherein the preset API function is used for injecting code and/or data into other processes; and if the API functions called by the suspect program include the preset API function, determining that the process of the suspect program has injected code into other processes.
2. The injected code extraction method as claimed in claim 1, characterized in that said extracting, by the PIN, the code that the process of the suspect program injected into other processes includes:
extracting the related information of the preset API function from the log file of the PIN;
extracting, from the related information of the preset API function, the code that the process of the suspect program injected into other processes.
3. The injected code extraction method as claimed in claim 1, characterized in that, after said extracting, by the PIN, the code that the process of the suspect program injected into other processes, the method further includes:
outputting the code that the process of the suspect program injected into other processes.
4. The injected code extraction method as claimed in claim 1, characterized in that, after said extracting, by the PIN, the code that the process of the suspect program injected into other processes, the method further includes:
judging, by the PIN, whether the code that the process of the suspect program injected into other processes is malicious code;
if the code that the process of the suspect program injected into other processes is the malicious code, determining the suspect program to be a malicious program.
5. The injected code extraction method as claimed in claim 4, characterized in that said judging, by the PIN, whether the code that the process of the suspect program injected into other processes is malicious code includes:
running the code that the process of the suspect program injected into other processes;
obtaining, by the PIN, the related information of the API function sequence called by the injected code while the injected code is running;
judging, based on the related information of the API function sequence, whether the API function sequence is legal;
if the API function sequence is illegal, determining the injected code to be malicious code.
6. The injected code extraction method as claimed in claim 5, characterized in that said obtaining, by the PIN, the related information of the API function sequence called by the injected code while the injected code is running includes:
while the code that the process of the suspect program injected into other processes is running, inserting the monitoring code of the PIN at the head and tail of each API function in the injected code, wherein, when the monitoring code is executed, the monitoring code monitors each API function called by the injected code and stores the related information of each API function called by the injected code in the log file of the PIN;
extracting the related information of each API function called by the injected code from the log file of the PIN;
determining, based on the related information of each API function called by the injected code, the related information of the API function sequence called by the injected code.
7. The injected code extraction method as claimed in claim 5, characterized in that the related information of the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code is running, and
the calling order of each API function called by the injected code while the injected code is running.
8. The injected code extraction method as claimed in claim 5, characterized in that said judging, based on the related information of the API function sequence, whether the API function sequence is legal includes:
judging, based on the related information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that all malicious code may call when executed;
if the API function sequence is recorded in the malicious API function sequence library, determining that the API function sequence is illegal;
if the API function sequence is not recorded in the malicious API function sequence library, determining that the API function sequence is legal.
9. The injected code extraction method as claimed in any one of claims 4 to 8, characterized in that, after said determining the suspect program to be a malicious program, the method further includes:
obtaining, by the PIN, the instruction code in the suspect program that calls each API function in the suspect program;
outputting the instruction code in the suspect program that calls each API function in the suspect program.
10. The injected code extraction method as claimed in claim 9, characterized in that said obtaining the instruction code in the suspect program that calls each API function in the suspect program includes:
extracting, from the log file of the PIN, the memory address of the instruction code in the suspect program that calls each API function in the suspect program;
extracting from memory, based on the memory address, the instruction code in the suspect program that calls each API function in the suspect program.
11. The injected code extraction method as claimed in any one of claims 4 to 8, characterized in that, after said determining the suspect program to be a malicious program, the method further includes:
deleting the suspect program; or
repairing the damage caused by the suspect program; or
isolating the suspect program; or
performing sample classification on the suspect program.
12. An injected code extraction device, characterized in that it includes:
A running module, for running a suspect program;
A detection module, for detecting, by an application programming interface execution recorder PIN during the running of the suspect program, whether the process of the suspect program has injected code into other processes;
An extraction module, for extracting, by the PIN, the code that the process of the suspect program injected into other processes if it is detected that the process of the suspect program has injected code into other processes;
wherein the detection module includes:
An inserting submodule, for inserting, during the running of the suspect program, the monitoring code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein, when the monitoring code is executed, the monitoring code monitors each API function called by the suspect program and stores the related information of each API function called by the suspect program in the log file of the PIN;
A first extracting submodule, for extracting the related information of each API function called by the suspect program from the log file of the PIN;
A first judging submodule, for judging, based on the related information of each API function called by the suspect program, whether the API functions called by the suspect program include a preset API function, wherein the preset API function is used for injecting code and/or data into other processes;
A first determination submodule, for determining that the process of the suspect program has injected code into other processes if the API functions called by the suspect program include the preset API function.
13. The injected code extraction device as claimed in claim 12, characterized in that the extraction module includes:
A second extracting submodule, for extracting the related information of the preset API function from the log file of the PIN;
A third extracting submodule, for extracting, from the related information of the preset API function, the code that the process of the suspect program injected into other processes.
14. The injected code extraction device as claimed in claim 12, characterized in that the injected code extraction device further includes:
An output module, for outputting the code that the process of the suspect program injected into other processes, after that code has been extracted by the PIN.
15. The injected code extraction device as claimed in claim 13, characterized in that the injected code extraction device further includes:
A judgment module, for judging, by the PIN, whether the code that the process of the suspect program injected into other processes is malicious code, after that code has been extracted by the PIN;
A determining module, for determining the suspect program to be a malicious program if the code that the process of the suspect program injected into other processes is the malicious code.
16. The injected code extraction device as claimed in claim 15, characterized in that the judgment module includes:
A running submodule, for running the code that the process of the suspect program injected into other processes;
An acquisition submodule, for obtaining, by the PIN, the related information of the API function sequence called by the injected code while the injected code is running;
A second judging submodule, for judging, based on the related information of the API function sequence, whether the API function sequence is legal;
A second determination submodule, for determining the injected code to be malicious code if the API function sequence is illegal.
17. The injected code extraction device as claimed in claim 16, characterized in that the acquisition submodule is specifically used for:
while the code that the process of the suspect program injected into other processes is running, inserting the monitoring code of the PIN at the head and tail of each API function in the injected code, wherein, when the monitoring code is executed, the monitoring code monitors each API function called by the injected code and stores the related information of each API function called by the injected code in the log file of the PIN; extracting the related information of each API function called by the injected code from the log file of the PIN; and determining, based on the related information of each API function called by the injected code, the related information of the API function sequence called by the injected code.
18. The injected code extraction device as claimed in claim 16, characterized in that the related information of the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code is running, and
the calling order of each API function called by the injected code while the injected code is running.
19. The injected code extraction device as claimed in claim 16, characterized in that the second judging submodule is specifically used for:
judging, based on the related information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that all malicious code may call when executed; determining that the API function sequence is illegal if the API function sequence is recorded in the malicious API function sequence library; and determining that the API function sequence is legal if the API function sequence is not recorded in the malicious API function sequence library.
20. The injected code extraction device as claimed in any one of claims 15 to 19, characterized in that the injected code extraction device further includes:
An acquisition module, for obtaining, by the PIN, the instruction code in the suspect program that calls each API function in the suspect program, after the suspect program has been determined to be a malicious program;
An output module, for outputting the instruction code in the suspect program that calls each API function in the suspect program.
21. The injected code extraction device as claimed in claim 20, characterized in that the acquisition module includes:
A fourth extracting submodule, for extracting, from the log file of the PIN, the memory address of the instruction code in the suspect program that calls each API function in the suspect program, after the suspect program has been determined to be a malicious program;
A fifth extracting submodule, for extracting from memory, based on the memory address, the instruction code in the suspect program that calls each API function in the suspect program.
22. The injected code extraction device as claimed in any one of claims 15 to 19, characterized in that the injected code extraction device further includes:
A deletion module, for deleting the suspect program after the suspect program has been determined to be a malicious program; or
A repair module, for repairing the damage caused by the suspect program after the suspect program has been determined to be a malicious program; or
An isolation module, for isolating the suspect program after the suspect program has been determined to be a malicious program; or
A classifying module, for performing sample classification on the suspect program after the suspect program has been determined to be a malicious program.
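As an added example (not code or data from the patent), the following Python analyzer applies the claim 1 detection step, the claim 2 extraction step and the claim 5 to 8 API-sequence check to a constructed recorder log. The log line format, the names in INJECTION_APIS, the entries of the malicious sequence library and both sample logs are assumptions made here; the sequence check goes slightly beyond claim 8 by also flagging a library sequence that appears contiguously inside a longer observed sequence.

```python
"""Analyzer for a constructed API-execution recorder log, modelled on the
detection (claim 1), extraction (claim 2) and sequence check (claims 5-8).
Added example; the patent names no APIs, formats or library entries."""
from dataclasses import dataclass
import re

# Assumption: the preset API functions that write code/data into another
# process are these names (constructed for the demonstration).
INJECTION_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}

# Assumption: a malicious API function sequence library as in claim 8,
# populated with constructed entries.
MALICIOUS_SEQUENCES = {
    ("LoadLibraryA", "GetProcAddress", "URLDownloadToFileA", "WinExec"),
    ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"),
}

# Assumed log format: "<order> <api_name> key=value ...", one call per line.
LOG_LINE = re.compile(r"^(\d+)\s+(\w+)(.*)$")

# Constructed log of the suspect process under the recorder (not a capture).
SUSPECT_LOG = """\
# suspect process, one line per monitored API call
1 OpenProcess target_pid=4242 access=0x1fffff
2 VirtualAllocEx target_pid=4242 size=0x1000 protect=0x40
3 WriteProcessMemory target_pid=4242 addr=0x7ff60000 buf=90909090c3
4 CreateRemoteThread target_pid=4242 start=0x7ff60000
"""

# Constructed log of the extracted injected code when run under the recorder.
INJECTED_LOG = """\
1 LoadLibraryA name=urlmon.dll
2 GetProcAddress name=URLDownloadToFileA
3 URLDownloadToFileA url=hxxp://example.invalid/p
4 WinExec cmd=p.exe
"""


@dataclass
class ApiRecord:
    """Related information of one monitored call: order, name, arguments."""
    order: int
    name: str
    args: dict


def parse_log(text):
    """Turn recorder log lines into ApiRecord objects sorted by call order."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:  # blank lines and '#' comments do not match
            continue
        args = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        records.append(ApiRecord(int(m.group(1)), m.group(2), args))
    return sorted(records, key=lambda r: r.order)


def detect_injection(records):
    """Claim 1: injection is detected when a preset API function was called."""
    return [r for r in records if r.name in INJECTION_APIS]


def extract_injected_code(records):
    """Claim 2: recover the injected bytes from the preset API's logged buffer."""
    return [(r.args.get("target_pid"), bytes.fromhex(r.args["buf"]))
            for r in detect_injection(records) if "buf" in r.args]


def api_sequence(records):
    """Claim 7: the names of the called API functions in calling order."""
    return tuple(r.name for r in records)


def is_sequence_malicious(seq):
    """Claim 8, generalized: illegal if a library sequence occurs contiguously
    anywhere in the observed sequence, not only as an exact match."""
    for bad in MALICIOUS_SEQUENCES:
        n = len(bad)
        if any(tuple(seq[i:i + n]) == bad for i in range(len(seq) - n + 1)):
            return True
    return False


def analyze(suspect_log, injected_log):
    """Claims 1 to 5 end to end: detect, extract, check the run log, decide."""
    chunks = extract_injected_code(parse_log(suspect_log))
    if not chunks:
        return {"injected": False, "verdict": "no injection observed"}
    seq = api_sequence(parse_log(injected_log))
    verdict = "malicious" if is_sequence_malicious(seq) else "legal sequence"
    return {"injected": True, "code": chunks, "sequence": seq, "verdict": verdict}
```

Running `analyze(SUSPECT_LOG, INJECTED_LOG)` returns the extracted bytes for target process 4242 together with the verdict "malicious", since the injected code's sequence is recorded in the constructed library.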
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510918017.XA CN105574409B (en) | 2015-12-10 | 2015-12-10 | A kind of injecting codes extracting method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510918017.XA CN105574409B (en) | 2015-12-10 | 2015-12-10 | A kind of injecting codes extracting method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105574409A CN105574409A (en) | 2016-05-11 |
CN105574409B true CN105574409B (en) | 2018-09-04 |
Family ID: 55884528
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510918017.XA Active CN105574409B (en) | 2015-12-10 | 2015-12-10 | A kind of injecting codes extracting method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105574409B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106709325B (en) * | 2016-11-11 | 2020-09-25 | 腾讯科技(深圳)有限公司 | Method and device for monitoring program |
CN116108440B (en) * | 2023-04-12 | 2024-01-26 | 北京网藤科技有限公司 | Processing method, device, equipment and medium for injecting industrial control key software |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104268471A (en) * | 2014-09-10 | 2015-01-07 | 珠海市君天电子科技有限公司 | Method and device for detecting return-oriented programming attack |
CN104715195A (en) * | 2015-03-12 | 2015-06-17 | 广东电网有限责任公司信息中心 | Malicious code detecting system and method based on dynamic instrumentation |
CN104834859A (en) * | 2015-04-24 | 2015-08-12 | 南京邮电大学 | Method for dynamically detecting malicious behavior in Android App (Application) |
CN104866765A (en) * | 2015-06-03 | 2015-08-26 | 康绯 | Behavior characteristic similarity-based malicious code homology analysis method |
CN105138903A (en) * | 2015-08-14 | 2015-12-09 | 电子科技大学 | ROP attack detection method based on RET instructions and JMP instructions |
Also Published As
Publication number | Publication date |
---|---|
CN105574409A (en) | 2016-05-11 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CP01 | Change in the name or title of a patent holder | Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park); Co-patentee after: QAX Technology Group Inc.; Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park); Co-patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.; Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. |