CN105574409B - Injected-code extraction method and device - Google Patents

Info

Publication number: CN105574409B
Authority: CN (China)
Application number: CN201510918017.XA
Other versions: CN105574409A
Other languages: Chinese (zh)
Inventor: 王伟波
Current assignee: Qax Technology Group Inc; Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Legal status: Active (granted)
Prior art keywords: code, API function, program, suspect program, suspect
Events: application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd; priority to CN201510918017.XA; publication of CN105574409A; application granted; publication of CN105574409B

Classifications

    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements; G06F21/55 Detecting local intrusion or implementing counter-measures; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F2221/033 Test or assess software (under G06F2221/03 Indexing scheme relating to G06F21/50; G06F2221/00 Indexing scheme relating to security arrangements)

Abstract

The invention discloses an injected-code extraction method, including: running a suspect program; while the suspect program runs, detecting by means of a PIN tool whether a process of the suspect program injects code (possibly a malicious program) into other processes (in particular white processes); and, if injected code is detected, extracting the injected code by means of the PIN tool. The invention effectively solves the technical problem that, in the prior art, code injected into a white process is difficult to extract, and achieves the technical effect of quickly extracting code injected into a white process. This facilitates analysis of the injected code, identification of whether it is malicious code, and timely countermeasures, thereby ensuring computer security. The invention also discloses an injected-code extraction device.

Description

Injected-code extraction method and device
Technical field
The present invention relates to the field of computer technology, and in particular to an injected-code extraction method and device.
Background technology
As computer applications become increasingly popular, malicious programs including viruses and Trojans also grow rapidly. A Trojan program is a type of malicious program that runs on the user's computer and then steals the user's files, privacy, account information and the like; some even allow a hacker to remotely control the user's computer. Compared with traditional viruses, whose purpose is simply to damage computer equipment, Trojans are more oriented toward obtaining profit, and their harmful behaviour of stealing computer users' information usually causes the user huge losses, so Trojans are even more harmful. Malicious programs can invade a user's computer through many transmission routes, such as portable removable media (flash disks, CDs and so on), and with the wide application of computer network technology the Internet has increasingly become one of the main routes by which malicious programs spread: a hacker or malicious-program distributor disguises a malicious program file such as a Trojan as a file of another type and lures the user into clicking and downloading it; once the malicious program has been downloaded to the user's computer and run successfully, the hacker or distributor can use it to damage the user's computer, steal the user's personal information and commit other wrongdoing.
Exploiting vulnerabilities in the operating system and application software is one of the main means by which malicious programs are successfully implanted and run on a user's computer. A vulnerability is a defect in the logical design of operating-system or application software, or an error introduced when it was written. Hackers can often use these defects or errors to implant malicious programs such as Trojans and thereby invade, control or even destroy the user's computer hardware and software, or steal the user's important data and information.
Antivirus software can effectively prevent and remove malicious programs. However, to evade removal by antivirus software, malicious programs usually inject malicious code into a white process (a process recorded in a whitelist, which antivirus software will not remove) so as to attack the computer from inside the white process. Code injected into a white process is generally difficult to extract and therefore difficult to analyse, which poses a serious threat to computer security.
Invention content
In view of the above problems, the present invention is proposed in order to provide an injected-code extraction method and device that overcome, or at least partly solve, the above problems.
One aspect of the present invention provides an injected-code extraction method, including:
running a suspect program;
while the suspect program runs, detecting, by means of the application programming interface execution recording tool PIN, whether a process of the suspect program injects code into other processes;
if it is detected that the process of the suspect program injects code into other processes, extracting, by means of PIN, the code that the process of the suspect program injects into the other processes.
Preferably, detecting, while the suspect program runs, whether the process of the suspect program injects code into other processes includes:
while the suspect program runs, inserting PIN monitor code at the head and tail of each application programming interface (API) function that the suspect program calls, where, when executed, the monitor code monitors each API function the suspect program calls and stores relevant information about each such API function in PIN's log file;
extracting from PIN's log file the relevant information about each API function the suspect program calls;
judging, based on the relevant information about each API function the suspect program calls, whether the API functions called by the suspect program include a preset API function, where the preset API function is one used to inject code and/or data into other processes;
if the API functions called by the suspect program include the preset API function, determining that the process of the suspect program injects code into other processes.
Preferably, extracting by means of PIN the code that the process of the suspect program injects into other processes includes:
extracting the relevant information about the preset API function from PIN's log file;
extracting, from the relevant information about the preset API function, the code that the process of the suspect program injects into other processes.
Preferably, after extracting by means of PIN the code that the process of the suspect program injects into other processes, the method further includes:
outputting the code that the process of the suspect program injects into other processes.
Preferably, after extracting by means of PIN the code that the process of the suspect program injects into other processes, the method further includes:
judging, by means of PIN, whether the code that the process of the suspect program injects into other processes is malicious code;
if the code that the process of the suspect program injects into other processes is malicious code, determining that the suspect program is a malicious program.
Preferably, judging by means of PIN whether the code that the process of the suspect program injects into other processes is malicious code includes:
running the code that the process of the suspect program injects into other processes;
obtaining, by means of PIN, relevant information about the sequence of API functions that the injected code calls while it runs;
judging, based on the relevant information about the API function sequence, whether the API function sequence is legal;
if the API function sequence is illegal, determining that the injected code is malicious code.
Preferably, obtaining by means of PIN the relevant information about the sequence of API functions that the injected code calls while it runs includes:
while the code injected by the process of the suspect program into other processes runs, inserting PIN monitor code at the head and tail of each API function in the injected code, where, when executed, the monitor code monitors each API function the injected code calls and stores relevant information about each such API function in PIN's log file;
extracting from PIN's log file the relevant information about each API function the injected code calls;
determining, based on the relevant information about each API function the injected code calls, the relevant information about the API function sequence the injected code calls.
Preferably, the relevant information about the sequence of API functions the injected code calls includes:
the name of each API function the injected code calls while it runs, and
the order in which the injected code calls each API function while it runs.
Preferably, judging, based on the relevant information about the API function sequence, whether the API function sequence is legal includes:
judging, based on the relevant information about the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, where the malicious API function sequence library records the API function sequences that all malicious code may call when executed;
if the API function sequence is recorded in the malicious API function sequence library, determining that the API function sequence is illegal;
if the API function sequence is not recorded in the malicious API function sequence library, determining that the API function sequence is legal.
Preferably, after determining that the suspect program is a malicious program, the method further includes:
obtaining, by means of PIN, the instruction code in the suspect program that calls each API function in the suspect program;
outputting the instruction code in the suspect program that calls each API function in the suspect program.
Preferably, obtaining the instruction code in the suspect program that calls each API function in the suspect program includes:
extracting, from PIN's log file, the memory address of the instruction code in the suspect program that calls each API function in the suspect program;
extracting from memory, based on the memory address, the instruction code in the suspect program that calls each API function in the suspect program.
Preferably, after determining that the suspect program is a malicious program, the method further includes:
deleting the suspect program; or
repairing the damage caused by the suspect program; or
isolating the suspect program; or
classifying the suspect program as a sample.
Another aspect of the present invention provides an injected-code extraction device, including:
a running module, for running a suspect program;
a detection module, for detecting, while the suspect program runs and by means of the application programming interface execution recording tool PIN, whether a process of the suspect program injects code into other processes;
an extraction module, for extracting, by means of PIN, the code that the process of the suspect program injects into other processes if it is detected that the process of the suspect program injects code into other processes.
Preferably, the detection module includes:
an insertion submodule, for inserting, while the suspect program runs, PIN monitor code at the head and tail of each application programming interface (API) function that the suspect program calls, where, when executed, the monitor code monitors each API function the suspect program calls and stores relevant information about each such API function in PIN's log file;
a first extraction submodule, for extracting from PIN's log file the relevant information about each API function the suspect program calls;
a first judgment submodule, for judging, based on the relevant information about each API function the suspect program calls, whether the API functions called by the suspect program include a preset API function, where the preset API function is one used to inject code and/or data into other processes;
a first determination submodule, for determining that the process of the suspect program injects code into other processes if the API functions called by the suspect program include the preset API function.
Preferably, the extraction module includes:
a second extraction submodule, for extracting the relevant information about the preset API function from PIN's log file;
a third extraction submodule, for extracting, from the relevant information about the preset API function, the code that the process of the suspect program injects into other processes.
Preferably, the injected-code extraction device further includes:
an output module, for outputting the code that the process of the suspect program injects into other processes after that code has been extracted by means of PIN.
Preferably, the injected-code extraction device further includes:
a judgment module, for judging, by means of PIN and after the code that the process of the suspect program injects into other processes has been extracted by means of PIN, whether that code is malicious code;
a determining module, for determining that the suspect program is a malicious program if the code that the process of the suspect program injects into other processes is malicious code.
Preferably, the judgment module includes:
a running submodule, for running the code that the process of the suspect program injects into other processes;
an acquisition submodule, for obtaining, by means of PIN, relevant information about the sequence of API functions the injected code calls while it runs;
a second judgment submodule, for judging, based on the relevant information about the API function sequence, whether the API function sequence is legal;
a second determination submodule, for determining that the injected code is malicious code if the API function sequence is illegal.
Preferably, the acquisition submodule is specifically used for: inserting, while the code injected by the process of the suspect program into other processes runs, PIN monitor code at the head and tail of each API function in the injected code, where, when executed, the monitor code monitors each API function the injected code calls and stores relevant information about each such API function in PIN's log file; extracting from PIN's log file the relevant information about each API function the injected code calls; and determining, based on the relevant information about each API function the injected code calls, the relevant information about the API function sequence the injected code calls.
Preferably, the relevant information about the sequence of API functions the injected code calls includes:
the name of each API function the injected code calls while it runs, and
the order in which the injected code calls each API function while it runs.
Preferably, the second judgment submodule is specifically used for: judging, based on the relevant information about the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, where the malicious API function sequence library records the API function sequences that all malicious code may call when executed; determining that the API function sequence is illegal if it is recorded in the malicious API function sequence library; and determining that the API function sequence is legal if it is not recorded in the malicious API function sequence library.
Preferably, the injected-code extraction device further includes:
an acquisition module, for obtaining, by means of PIN and after the suspect program has been determined to be a malicious program, the instruction code in the suspect program that calls each API function in the suspect program;
an output module, for outputting the instruction code in the suspect program that calls each API function in the suspect program.
Preferably, the acquisition module includes:
a fourth extraction submodule, for extracting from PIN's log file, after the suspect program has been determined to be a malicious program, the memory address of the instruction code in the suspect program that calls each API function in the suspect program;
a fifth extraction submodule, for extracting from memory, based on the memory address, the instruction code in the suspect program that calls each API function in the suspect program.
Preferably, the injected-code extraction device further includes:
a deletion module, for deleting the suspect program after it has been determined to be a malicious program; or
a repair module, for repairing the damage caused by the suspect program after it has been determined to be a malicious program; or
an isolation module, for isolating the suspect program after it has been determined to be a malicious program; or
a classification module, for classifying the suspect program as a sample after it has been determined to be a malicious program.
One or more of the technical solutions provided in the embodiments of the present application have at least the following technical effects or advantages:
The injected-code extraction method and device of the present invention run a suspect program; while the suspect program runs, detect by means of the PIN tool whether a process of the suspect program injects code (possibly malicious code) into other processes (in particular white processes); and, if the process of the suspect program is detected injecting code into other processes, extract by means of the PIN tool the code that the process of the suspect program injected into the other processes. The invention effectively solves the technical problem that, in the prior art, code injected into a white process is difficult to extract, and achieves the technical effect of quickly extracting code injected into a white process. This facilitates analysis of the injected code, identification of whether it is malicious code, and timely countermeasures, thereby ensuring computer security. Moreover, in the present invention, the PIN tool can extract injected code from a large batch of suspect programs at the same time and output a large batch of log files; analysing these log files is conducive to quickly discovering unknown viruses.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be made clearer, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of an injected-code extraction method according to an embodiment of the present invention;
Fig. 2 shows a structural diagram of an injected-code extraction device according to an embodiment of the present invention.
Specific embodiments
An embodiment of the present invention provides an injected-code extraction method and device, to solve the technical problem that, in the prior art, code injected into a white process is difficult to extract.
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present invention will be understood more thoroughly and the scope of the disclosure will be conveyed fully to those skilled in the art.
It is first noted that the term "and/or" herein merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
As shown in Fig. 1, the present embodiment provides an injected-code extraction method, including:
Step S101: run a suspect program.
The term "suspect program" used herein refers to any program, without specific reference, and mainly serves to distinguish it from the term "malicious program" that appears below.
Step S102: while the suspect program runs, detect by means of PIN (Pin API Record Tool, an API execution recording tool) whether a process of the suspect program injects code into other processes (in particular white processes).
In the prior art, to evade removal by antivirus software, a malicious program usually injects malicious code into a white process (a process recorded in a whitelist, which antivirus software will not remove) so as to attack the computer from inside the white process. In the present embodiment, the PIN tool is used to extract code injected into other processes.
PIN is a binary instrumentation framework that supports the x86 and x64 architectures, is generally used for dynamic program analysis, and supports multiple platforms (such as Windows, Linux and OS X). PIN was originally applied in the field of computer-architecture analysis; the present embodiment applies it in the field of computer security, using PIN to extract code injected into other processes.
In a specific implementation, while the suspect program runs, the PIN monitor code can be inserted at the head and tail of each API (Application Program Interface) function the suspect program calls. The specific monitor code is exemplified below:
When the monitor code executes, it monitors each API function the suspect program calls and stores relevant information about each such API function (for example: function name, parameters, return value, return address, etc.) in PIN's log file. The relevant information about each API function the suspect program calls can then be extracted from PIN's log file, and, based on it, one judges whether the API functions called by the suspect program include a preset API function; if they do, it is determined that the process of the suspect program injects code into other processes. The preset API function is one used to inject code and/or data into other processes, for example the "WriteProcessMemory" function.
Step S103: if it is detected that the process of the suspect program injects code into other processes, extract by means of PIN the code that the process of the suspect program injects into the other processes.
As an optional embodiment, step S103 specifically includes:
extracting from PIN's log file the relevant information about the preset API function (for example the "WriteProcessMemory" function), and then extracting, from the relevant information about the preset API function, the code that the process of the suspect program injects into other processes.
In a specific implementation, the injected code is passed as a parameter of the "WriteProcessMemory" function and thereby injected into the other process, and by the time the PIN monitor code described above has run, the relevant information about the "WriteProcessMemory" function (including the parameters of "WriteProcessMemory") has already been extracted and stored in PIN's log file. The relevant information about the "WriteProcessMemory" function can therefore be extracted from PIN's log file, and from that relevant information the code that the process of the suspect program injects into the other process is extracted.
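The detection step S102 and the extraction step S103 can be exercised offline against a PIN-style journal; the following C++ is an added example, not the patent's or the PIN tool's own code. It assumes a constructed journal line layout (API name, return address, then semicolon-separated arguments, with the WriteProcessMemory buffer logged as hex) and the WriteProcessMemory argument order, both stated in the comments.

```cpp
#include <cstdint>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// One journal record: API name, return address of the call site, arguments.
struct ApiRecord {
    std::string name;
    uint64_t return_address = 0;
    std::vector<std::string> args;
};

// One buffer that WriteProcessMemory wrote into another process.
struct InjectedChunk {
    std::string target_handle;   // hProcess argument, as logged
    uint64_t base_address = 0;   // lpBaseAddress argument
    std::vector<uint8_t> bytes;  // decoded lpBuffer contents
};

// Assumed journal line layout: "<name>|<return address, hex>|<arg1>;<arg2>;..."
// Returns false on a malformed line so that a corrupt entry is skipped.
bool parse_record(const std::string& line, ApiRecord& out) {
    std::istringstream in(line);
    std::string name, addr, args;
    if (!std::getline(in, name, '|') || !std::getline(in, addr, '|')) return false;
    std::getline(in, args);  // the argument list may legitimately be empty
    char* end = nullptr;
    uint64_t ra = std::strtoull(addr.c_str(), &end, 16);
    if (addr.empty() || *end != '\0') return false;
    out.name = name;
    out.return_address = ra;
    out.args.clear();
    std::istringstream arg_list(args);
    for (std::string a; std::getline(arg_list, a, ';');) out.args.push_back(a);
    return true;
}

// Parse the whole journal, dropping blank and malformed lines.
std::vector<ApiRecord> parse_journal(const std::string& text) {
    std::vector<ApiRecord> records;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        ApiRecord r;
        if (!line.empty() && parse_record(line, r)) records.push_back(r);
    }
    return records;
}

// Decode "9090cc" into bytes; rejects odd length or non-hex characters.
bool decode_hex(const std::string& hex, std::vector<uint8_t>& out) {
    out.clear();
    if (hex.size() % 2 != 0) return false;
    for (size_t i = 0; i < hex.size(); i += 2) {
        std::string pair = hex.substr(i, 2);
        char* end = nullptr;
        unsigned long v = std::strtoul(pair.c_str(), &end, 16);
        if (end != pair.c_str() + 2) return false;
        out.push_back(static_cast<uint8_t>(v));
    }
    return true;
}

// Step S102: the suspect program injected into another process if any logged
// call is the preset injection API the patent names (extend the list as needed).
bool detect_injection(const std::vector<ApiRecord>& records) {
    for (const auto& r : records)
        if (r.name == "WriteProcessMemory") return true;
    return false;
}

// Step S103: the injected code travels as the lpBuffer argument, so each
// WriteProcessMemory record yields one chunk. Assumed argument order:
// hProcess;lpBaseAddress;lpBuffer(hex);nSize;lpNumberOfBytesWritten.
std::vector<InjectedChunk> extract_injected_code(const std::vector<ApiRecord>& records) {
    std::vector<InjectedChunk> chunks;
    for (const auto& r : records) {
        if (r.name != "WriteProcessMemory" || r.args.size() < 4) continue;
        InjectedChunk c;
        c.target_handle = r.args[0];
        c.base_address = std::strtoull(r.args[1].c_str(), nullptr, 16);
        if (!decode_hex(r.args[2], c.bytes)) continue;  // unusable buffer, skip
        size_t declared = std::strtoul(r.args[3].c_str(), nullptr, 10);
        if (declared < c.bytes.size()) c.bytes.resize(declared);  // nSize bounds the write
        chunks.push_back(c);
    }
    return chunks;
}

// Constructed sample journal (not captured from a real program); the third
// line is deliberately malformed to exercise the parser's rejection path.
const char* const kSampleJournal =
    "OpenProcess|0x401020|0x1fffff;0;1234\n"
    "WriteProcessMemory|0x40106a|0x5c;0x7ff0000;9090cc;3;0\n"
    "bad line without fields\n"
    "WriteProcessMemory|0x4010a1|0x5c;0x7ff0003;c3;1;0\n"
    "CloseHandle|0x4010c0|0x5c\n";
```

Running `extract_injected_code(parse_journal(kSampleJournal))` on the sample yields two chunks at 0x7ff0000 (3 bytes) and 0x7ff0003 (1 byte), which is the material a technician would then read or analyse.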
As an optional embodiment, after the code that the process of the suspect program injects into other processes has been extracted, the injected-code extraction method further includes:
outputting the code that the process of the suspect program injects into other processes.
In a specific implementation, an interactive interface can be shown on a display screen to obtain a preset operation from the technician (for example pressing a preset button, entering a preset instruction, etc.); when the preset operation is received, the code that the process of the suspect program injects into other processes is output through the display screen. This makes it convenient for the technician to read and analyse the injected code and, when the injected code is determined to be malicious code, to quickly find countermeasures so as to ensure computer security.
As an optional embodiment, after extracting by means of PIN the code that the process of the suspect program injects into other processes, the injected-code extraction method further includes:
judging by means of PIN whether the code that the process of the suspect program injects into other processes is malicious code;
if the code that the process of the suspect program injects into other processes is malicious code, determining that the suspect program is a malicious program.
In a specific implementation, the code that the process of the suspect program injects into other processes can be run, and the PIN tool obtains relevant information about the sequence of API functions the injected code calls while it runs; based on that relevant information one judges whether the API function sequence is legal, and if it is illegal the injected code is determined to be malicious code. The relevant information about the API function sequence called by the suspect code includes the name of each API function the suspect code calls and the order in which each API function is called. The API function sequence called by the suspect code may be the sequence formed by all of the API functions the suspect code calls, or the sequence formed by some of them. Different API function sequences may implement different functions; for example, the API function sequence "OpenProcess->WriteProcessMemory" is used for "cross-process injection", and the API function sequence "SuspendThread->SetThreadContext->ResumeThread..." is used for "switching the execution flow to malicious code...".
In a specific implementation, while the injected code runs, the PIN monitor code described above can be inserted at the head and tail of each API function in the injected code. When the monitor code executes, it monitors each API function the injected code calls and stores relevant information about each such API function (for example the API function name) in PIN's log file. The relevant information about each API function the injected code calls can then be extracted from PIN's log file, and from it the relevant information about the API function sequence the injected code calls is determined. That relevant information includes the name of each API function the injected code calls while it runs and the order in which the injected code calls each API function while it runs.
In a specific implementation, based on the relevant information about the API function sequence, one can judge whether the API function sequence is recorded in a malicious API function sequence library, where the malicious API function sequence library records the API function sequences that all malicious code may call when executed; if the API function sequence is recorded in the malicious API function sequence library, it is determined to be illegal, and if it is not recorded there, it is determined to be legal.
In a specific implementation, the malicious API function sequence library is maintained and updated by professional technicians. It stores all currently known malicious API function sequences, which usually exist in malicious code and are used to damage the computer. The malicious API function sequences recorded in the library fall mainly into the following classes:
(1) it is used to carry out the api function sequence that malice is distorted to registration table;Such as:“RegOpenKeyEx-> RegSetKeyValue…”。
(2) it is used to access the api function sequence of malicious link, or, the api function sequence for downloading rogue program;Example Such as:“URLDownloadToFileA->CreateFile (%temp%/xxx.exe ...)->Winexec (%temp%/ xxx.exe)…”。
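The legality check described above, as an added example that is not part of the patent and not code from any PIN tool: a C++ routine that rebuilds the ordered API function sequence from constructed PIN-style log lines and matches it against a library built from the sequences the text names. The log format (`tid=`/`api=` fields, one call per line) and the use of ordered, non-contiguous subsequence matching are assumptions.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One entry of the malicious API function sequence library: the behaviour it
// implements and the ordered API names that implement it.
struct MaliciousSequence {
    std::string behaviour;
    std::vector<std::string> apis;
};

// Library built from the sequences the patent text names. The real library is
// maintained by analysts; this constructed one only serves the example.
const std::vector<MaliciousSequence>& maliciousLibrary() {
    static const std::vector<MaliciousSequence> lib = {
        {"cross-process injection", {"OpenProcess", "WriteProcessMemory"}},
        {"execution-flow hijack", {"SuspendThread", "SetThreadContext", "ResumeThread"}},
        {"registry tampering", {"RegOpenKeyEx", "RegSetKeyValue"}},
        {"download and run program", {"URLDownloadToFileA", "CreateFile", "WinExec"}},
    };
    return lib;
}

// Rebuild the ordered API function sequence from the PIN log. Assumed
// (constructed) log format: one call per line, "tid=<n> api=<Name>", with
// line order equal to call order, which is exactly the "name + order"
// relevant information the text describes.
std::vector<std::string> apiSequenceFromLog(const std::string& log) {
    std::vector<std::string> seq;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        std::size_t pos = line.find("api=");
        if (pos == std::string::npos) continue;       // not a call record
        std::string name = line.substr(pos + 4);
        while (!name.empty() && (name.back() == ' ' || name.back() == '\r'))
            name.pop_back();                            // trim trailing space/CR
        seq.push_back(name);
    }
    return seq;
}

// True when every API of 'pattern' occurs in 'seq' in the given order; other
// calls may sit in between. The patent does not say whether a library sequence
// must appear contiguously, so ordered-subsequence matching is an assumption:
// injected code routinely interleaves unrelated calls between the telling ones.
bool containsInOrder(const std::vector<std::string>& seq,
                     const std::vector<std::string>& pattern) {
    std::size_t next = 0;
    for (const std::string& api : seq)
        if (next < pattern.size() && api == pattern[next]) ++next;
    return next == pattern.size();
}

// The legality check: every library behaviour whose sequence occurs in the log.
// An empty result means the sequence is "legal" in the patent's terms.
std::vector<std::string> matchMaliciousSequences(const std::string& log) {
    std::vector<std::string> hits;
    const std::vector<std::string> seq = apiSequenceFromLog(log);
    for (const MaliciousSequence& entry : maliciousLibrary())
        if (containsInOrder(seq, entry.apis)) hits.push_back(entry.behaviour);
    return hits;
}

// Constructed sample logs standing in for PIN output; not captured from real code.
const char* const kDownloaderLog =
    "tid=1 api=GetTempPathA\n"
    "tid=1 api=URLDownloadToFileA\n"
    "tid=1 api=CreateFile\n"
    "tid=1 api=WriteFile\n"
    "tid=1 api=CloseHandle\n"
    "tid=1 api=WinExec\n";

const char* const kInjectorLog =
    "tid=1 api=OpenProcess\n"
    "tid=1 api=GetLastError\n"
    "tid=1 api=WriteProcessMemory\n"
    "tid=1 api=SuspendThread\n"
    "tid=1 api=SetThreadContext\n"
    "tid=1 api=ResumeThread\n";

const char* const kBenignLog =
    "tid=1 api=CreateFile\n"
    "tid=1 api=ReadFile\n"
    "tid=1 api=CloseHandle\n";

int main() {
    for (const char* log : {kDownloaderLog, kInjectorLog, kBenignLog}) {
        std::vector<std::string> hits = matchMaliciousSequences(log);
        std::cout << (hits.empty() ? "legal" : "illegal");
        for (const std::string& h : hits) std::cout << " [" << h << "]";
        std::cout << '\n';
    }
    return 0;
}
```

The injector sample matches two library entries at once because the library sequences are checked independently; a production matcher would also record which log lines produced each hit so an analyst can jump to them.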
As an optional embodiment, after the suspect program is determined to be a malicious program, the injected code extraction method further includes:
obtaining, by PIN, the instruction code in the suspect program that is used to call each API function in the suspect program, and outputting that instruction code.
In a specific implementation, when the suspect program carrying the PIN monitor code is run, the PIN tool can store in its own log file the memory address of the instruction code in the suspect program that is used to call each API function in the suspect program. The memory address of that instruction code can therefore be extracted from the PIN log file, and based on the memory address the instruction code used to call each API function in the suspect program can be extracted or dumped from memory.
In a specific implementation, an interactive interface can be provided on a display screen, showing the identifiers of all API functions called by the suspect program. A selection operation by a technician can be obtained through the interactive interface (the selection operation selects one or several of all the API functions called by the suspect program). Based on the selection operation, the memory address of the instruction code in the suspect program used to call the API function(s) the technician selected is extracted from the PIN log file, the instruction code used to call the selected API function(s) is then extracted or dumped from memory according to that memory address, and the instruction code is displayed on the screen. This makes it convenient for technicians to read and analyse the instruction code used to call each API function in the malicious code.
As an optional embodiment, after the suspect program is determined to be a malicious program, the injected code extraction method further includes: deleting the suspect program, or deleting and isolating the suspect program.
As an optional embodiment, after the suspect program is determined to be a malicious program, the injected code extraction method further includes: repairing the damage caused by the suspect program, and/or classifying the suspect program as a sample.
In a specific implementation, repairing the damage caused by the suspect program includes restoring information in the registry that was tampered with, restoring maliciously deleted system files, and so on.
In a specific implementation, the suspect program can be classified as a sample according to multiple rules, for example by the type of damage (such as tampering with the registry or downloading a malicious program), or by whether, judging from the APIs and their parameters, it contains an anti-virtual-machine (or anti-debugger) flow, and so on.
This embodiment effectively solves the technical problem in the prior art that code injected into a white process is difficult to extract, and achieves the technical effect of quickly extracting code injected into a white process. This facilitates analysing the injected code, identifying whether it is malicious code, and taking corresponding measures in time, thereby ensuring computer security.
Moreover, in this embodiment, based on the PIN tool, the code injected by a large batch of suspect programs can be extracted simultaneously and a large batch of log files exported; analysing these log files helps to discover unknown viruses quickly.
Based on the injected code extraction method above, this embodiment also provides an injected code extraction device, as shown in Fig. 2, including:
a running module 201, for running a suspect program;
a detection module 202, for detecting, by the application programming interface execution recording tool PIN, whether the process of the suspect program injects code into other processes while the suspect program runs;
an extraction module 203, for extracting, by PIN, the code that the process of the suspect program injected into other processes if it is detected that the process of the suspect program injects code into other processes.
As an optional embodiment, the detection module 202 includes:
an insertion submodule, for inserting the PIN monitor code at the head and tail of each application programming interface (API) function called by the suspect program while the suspect program runs, where, when the monitor code executes, it monitors each API function called by the suspect program and stores the relevant information of each such API function in the PIN log file;
a first extraction submodule, for extracting from the PIN log file the relevant information of each API function called by the suspect program;
a first judging submodule, for judging, based on the relevant information of each API function called by the suspect program, whether a preset API function is among the API functions called by the suspect program, where the preset API function is one used to inject code and/or data into other processes;
a first determination submodule, for determining that the process of the suspect program injects code into other processes if the preset API function is among the API functions called by the suspect program.
As an optional embodiment, the extraction module 203 includes:
a second extraction submodule, for extracting the relevant information of the preset API function from the PIN log file;
a third extraction submodule, for extracting, from the relevant information of the preset API function, the code that the process of the suspect program injected into other processes.
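The detection and extraction modules just described, as an added example that is not the patent's or PIN's own code: a C++ routine over constructed log lines that flags a call to a preset injection API and recovers the injected bytes from that call's logged arguments. The log format, the choice of WriteProcessMemory as the preset API, and logging its buffer argument as hex are assumptions; the argument names are those of the Windows WriteProcessMemory signature.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One API call record reconstructed from the PIN log: the API name plus the
// arguments the monitor code logged at the head of the function.
struct ApiCall {
    std::string api;
    std::map<std::string, std::string> args;
};

// Assumed (constructed) line format written by the monitor code:
//   api=<Name> <arg>=<value> <arg>=<value> ...
// Buffer arguments are logged as hex so the injected bytes survive in the log.
ApiCall parseCallLine(const std::string& line) {
    ApiCall call;
    std::istringstream in(line);
    std::string token;
    while (in >> token) {
        std::size_t eq = token.find('=');
        if (eq == std::string::npos) continue;
        std::string key = token.substr(0, eq);
        std::string value = token.substr(eq + 1);
        if (key == "api") call.api = value;
        else call.args[key] = value;
    }
    return call;
}

std::vector<ApiCall> parseLog(const std::string& log) {
    std::vector<ApiCall> calls;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line))
        if (line.find("api=") != std::string::npos) calls.push_back(parseCallLine(line));
    return calls;
}

// The "preset API function": one used to write code and/or data into another
// process. Which APIs count as preset is an assumption of this example and
// would be a configurable list in a real tool.
bool isPresetInjectionApi(const std::string& api) {
    static const std::set<std::string> preset = {"WriteProcessMemory"};
    return preset.count(api) != 0;
}

// Decode a hex-encoded buffer argument back into raw bytes.
std::vector<std::uint8_t> hexToBytes(const std::string& hex) {
    std::vector<std::uint8_t> out;
    for (std::size_t i = 0; i + 1 < hex.size(); i += 2)
        out.push_back(static_cast<std::uint8_t>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    return out;
}

// What the extraction module recovers for each detected injection.
struct Injection {
    std::string api;                  // preset API that performed the write
    std::string targetHandle;         // handle of the target process, as logged
    std::uint64_t baseAddress = 0;    // where in the target the code was written
    std::vector<std::uint8_t> code;   // the injected bytes themselves
};

// Detection module: does any preset injection API appear among the logged calls?
bool detectsInjection(const std::string& log) {
    for (const ApiCall& call : parseLog(log))
        if (isPresetInjectionApi(call.api)) return true;
    return false;
}

// Extraction module: pull the injected code out of the preset API's logged arguments.
std::vector<Injection> extractInjections(const std::string& log) {
    std::vector<Injection> found;
    for (const ApiCall& call : parseLog(log)) {
        if (!isPresetInjectionApi(call.api)) continue;
        Injection inj;
        inj.api = call.api;
        auto h = call.args.find("hProcess");
        auto base = call.args.find("lpBaseAddress");
        auto buf = call.args.find("lpBuffer");
        if (h != call.args.end()) inj.targetHandle = h->second;
        if (base != call.args.end()) inj.baseAddress = std::stoull(base->second, nullptr, 16);
        if (buf != call.args.end()) inj.code = hexToBytes(buf->second);
        found.push_back(inj);
    }
    return found;
}

// Constructed sample logs, not real PIN output. The suspect log writes three
// harmless bytes (nop, nop, ret) into another process.
const char* const kSuspectLog =
    "api=OpenProcess dwProcessId=1234\n"
    "api=WriteProcessMemory hProcess=0x1a4 lpBaseAddress=0x00400000 lpBuffer=9090c3 nSize=3\n"
    "api=CloseHandle hObject=0x1a4\n";

const char* const kCleanLog =
    "api=CreateFile lpFileName=C:\\data\\in.txt\n"
    "api=ReadFile hFile=0x9c nNumberOfBytesToRead=512\n"
    "api=CloseHandle hObject=0x9c\n";
```

The recovered `code` bytes and `baseAddress` are what the output module would write out for analysis; a real monitor code must log the buffer before the call returns, because the injector may free it immediately afterwards.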
As an optional embodiment, the injected code extraction device further includes:
an output module, for outputting the code that the process of the suspect program injected into other processes after that code has been extracted by PIN.
As an optional embodiment, the injected code extraction device further includes:
a judgment module, for judging, by PIN, whether the code that the process of the suspect program injected into other processes is malicious code, after that code has been extracted by PIN;
a determining module, for determining the suspect program to be a malicious program if the code that the process of the suspect program injected into other processes is malicious code.
As an optional embodiment, the judgment module includes:
a running submodule, for running the code that the process of the suspect program injected into other processes;
an acquisition submodule, for obtaining, by PIN, the relevant information of the API function sequence called by the injected code while the injected code runs;
a second judging submodule, for judging, based on the relevant information of the API function sequence, whether the API function sequence is legal;
a second determination submodule, for determining the injected code to be malicious code if the API function sequence is illegal.
As an optional embodiment, the acquisition submodule is specifically used for:
inserting the PIN monitor code at the head and tail of each API function in the injected code while the code injected by the process of the suspect program runs, where, when the monitor code executes, it monitors each API function called by the injected code and stores the relevant information of each such API function in the PIN log file; extracting the relevant information of each API function called by the injected code from the PIN log file; and determining, based on the relevant information of each API function called by the injected code, the relevant information of the API function sequence called by the injected code.
As an optional embodiment, the relevant information of the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code runs, and
the order in which the API functions called by the injected code are called while the injected code runs.
As an optional embodiment, the second judging submodule is specifically used for:
judging, based on the relevant information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, where the malicious API function sequence library records the API function sequences that all malicious codes may call when executed; determining that the API function sequence is illegal if it is recorded in the malicious API function sequence library; and determining that the API function sequence is legal if it is not recorded there.
As an optional embodiment, the injected code extraction device further includes:
an acquisition module, for obtaining, by PIN, the instruction code in the suspect program used to call each API function in the suspect program, after the suspect program has been determined to be a malicious program;
an output module, for outputting the instruction code in the suspect program used to call each API function in the suspect program.
As an optional embodiment, the acquisition module includes:
a fourth extraction submodule, for extracting from the PIN log file, after the suspect program has been determined to be a malicious program, the memory address of the instruction code in the suspect program used to call each API function in the suspect program;
a fifth extraction submodule, for extracting from memory, based on the memory address, the instruction code in the suspect program used to call each API function in the suspect program.
As an optional embodiment, the injected code extraction device further includes:
a removal module, for deleting the suspect program after it has been determined to be a malicious program; or
a repair module, for repairing the damage caused by the suspect program after it has been determined to be a malicious program; or
an isolation module, for isolating the suspect program after it has been determined to be a malicious program; or
a classification module, for classifying the suspect program as a sample after it has been determined to be a malicious program.
Since the injected code extraction device introduced in this embodiment is the device used to implement the injected code extraction method of the embodiments of the present application, those skilled in the art can understand the specific implementation and the various variants of the injected code extraction device of this embodiment from the injected code extraction method described in the embodiments of the present application; how the device realizes the method is therefore not discussed in detail here. Any device used by those skilled in the art to implement the injected code extraction method of the embodiments of the present application falls within the scope that the present application intends to protect.
The technical solutions in the embodiments of the present application described above have at least the following technical effects or advantages:
The injected code extraction method and device according to the present invention can run a suspect program and, while the suspect program runs, use the PIN tool to detect whether the process of the suspect program injects code (which may be malicious code) into other processes (in particular white processes); if it is detected that the process of the suspect program injects code into other processes, the PIN tool is used to extract the code that the process of the suspect program injected into those processes. The present invention effectively solves the technical problem in the prior art that code injected into a white process is difficult to extract, and achieves the technical effect of quickly extracting code injected into a white process. This facilitates analysing the injected code, identifying whether it is malicious code, and taking corresponding measures in time, thereby ensuring computer security. Moreover, in the present invention, based on the PIN tool, the code injected by a large batch of suspect programs can be extracted simultaneously and a large batch of log files exported; analysing these log files helps to discover unknown viruses quickly.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description of a specific language above is given to disclose the best mode of the present invention.
Numerous specific details are set forth in the description provided here. It should be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to help understand one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the present invention. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the specific embodiments are hereby expressly incorporated into those specific embodiments, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments herein include certain features that are included in other embodiments but not other features, combinations of the features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an injected code extraction device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention discloses A1, an injected code extraction method, characterized in that it includes:
running a suspect program;
during running of the suspect program, detecting, by an application programming interface execution recording tool PIN, whether the process of the suspect program injects code into other processes;
if it is detected that the process of the suspect program injects code into other processes, extracting, by the PIN, the code that the process of the suspect program injected into the other processes.
A2. The injected code extraction method according to A1, characterized in that detecting, during running of the suspect program, whether the process of the suspect program injects code into other processes includes:
during running of the suspect program, inserting the monitor code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, where, when the monitor code executes, the monitor code monitors each API function called by the suspect program and stores the relevant information of each API function called by the suspect program in the log file of the PIN;
extracting the relevant information of each API function called by the suspect program from the log file of the PIN;
judging, based on the relevant information of each API function called by the suspect program, whether a preset API function is among the API functions called by the suspect program, where the preset API function is used to inject code and/or data into the other processes;
if the preset API function is among the API functions called by the suspect program, determining that the process of the suspect program injects code into the other processes.
A3. The injected code extraction method according to A2, characterized in that extracting, by the PIN, the code that the process of the suspect program injected into the other processes includes:
extracting the relevant information of the preset API function from the log file of the PIN;
extracting, from the relevant information of the preset API function, the code that the process of the suspect program injected into the other processes.
A4. The injected code extraction method according to A1, characterized in that, after extracting by the PIN the code that the process of the suspect program injected into the other processes, the method further includes:
outputting the code that the process of the suspect program injected into the other processes.
A5. The injected code extraction method according to A1, characterized in that, after extracting by the PIN the code that the process of the suspect program injected into the other processes, the method further includes:
judging, by the PIN, whether the code that the process of the suspect program injected into the other processes is malicious code;
if the code that the process of the suspect program injected into the other processes is the malicious code, determining the suspect program to be a malicious program.
A6. The injected code extraction method according to A5, characterized in that judging, by the PIN, whether the code that the process of the suspect program injected into the other processes is malicious code includes:
running the code that the process of the suspect program injected into the other processes;
obtaining, by the PIN, the relevant information of the API function sequence called by the injected code while the injected code runs;
judging, based on the relevant information of the API function sequence, whether the API function sequence is legal;
if the API function sequence is illegal, determining the injected code to be malicious code.
A7. The injected code extraction method according to A6, characterized in that obtaining, by the PIN, the relevant information of the API function sequence called by the injected code while the injected code runs includes:
while the code that the process of the suspect program injected into the other processes runs, inserting the monitor code of the PIN at the head and tail of each API function in the injected code, where, when the monitor code executes, the monitor code monitors each API function called by the injected code and stores the relevant information of each API function called by the injected code in the log file of the PIN;
extracting the relevant information of each API function called by the injected code from the log file of the PIN;
determining, based on the relevant information of each API function called by the injected code, the relevant information of the API function sequence called by the injected code.
A8. The injected code extraction method according to A6, characterized in that the relevant information of the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code runs, and
the order in which the API functions called by the injected code are called while the injected code runs.
A9. The injected code extraction method according to A6, characterized in that judging, based on the relevant information of the API function sequence, whether the API function sequence is legal includes:
judging, based on the relevant information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, where the malicious API function sequence library records the API function sequences that all malicious codes may call when executed;
if the API function sequence is recorded in the malicious API function sequence library, determining that the API function sequence is illegal;
if the API function sequence is not recorded in the malicious API function sequence library, determining that the API function sequence is legal.
A10. The injected code extraction method according to any one of A5 to A9, characterized in that, after determining the suspect program to be a malicious program, the method further includes:
obtaining, by the PIN, the instruction code in the suspect program used to call each API function in the suspect program;
outputting the instruction code in the suspect program used to call each API function in the suspect program.
A11. The injected code extraction method according to claim A10, characterized in that obtaining the instruction code in the suspect program used to call each API function in the suspect program includes:
extracting, from the log file of the PIN, the memory address of the instruction code in the suspect program used to call each API function in the suspect program;
extracting from memory, based on the memory address, the instruction code in the suspect program used to call each API function in the suspect program.
A12. The injected code extraction method according to any one of A5 to A9, characterized in that, after determining the suspect program to be a malicious program, the method further includes:
deleting the suspect program; or
repairing the damage caused by the suspect program; or
isolating the suspect program; or
classifying the suspect program as a sample.
B13. An injected code extraction device, characterized in that it includes:
a running module, for running a suspect program;
a detection module, for detecting, during running of the suspect program and by an application programming interface execution recording tool PIN, whether the process of the suspect program injects code into other processes;
an extraction module, for extracting, by the PIN, the code that the process of the suspect program injected into the other processes if it is detected that the process of the suspect program injects code into other processes.
B14. The injected code extraction device according to B13, characterized in that the detection module includes:
an insertion submodule, for inserting, during running of the suspect program, the monitor code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, where, when the monitor code executes, the monitor code monitors each API function called by the suspect program and stores the relevant information of each API function called by the suspect program in the log file of the PIN;
a first extraction submodule, for extracting the relevant information of each API function called by the suspect program from the log file of the PIN;
a first judging submodule, for judging, based on the relevant information of each API function called by the suspect program, whether a preset API function is among the API functions called by the suspect program, where the preset API function is used to inject code and/or data into the other processes;
a first determination submodule, for determining that the process of the suspect program injects code into the other processes if the preset API function is among the API functions called by the suspect program.
B15. The injected code extraction device according to B14, characterized in that the extraction module includes:
a second extraction submodule, for extracting the relevant information of the preset API function from the log file of the PIN;
a third extraction submodule, for extracting, from the relevant information of the preset API function, the code that the process of the suspect program injected into the other processes.
B16. The injected code extraction device according to B13, characterized in that the injected code extraction device further includes:
an output module, for outputting the code that the process of the suspect program injected into the other processes after that code has been extracted by the PIN.
B17. The injected code extraction device according to B13, characterized in that the injected code extraction device further includes:
a judgment module, for judging, by the PIN, whether the code that the process of the suspect program injected into the other processes is malicious code, after that code has been extracted by the PIN;
a determining module, for determining the suspect program to be a malicious program if the code that the process of the suspect program injected into the other processes is the malicious code.
B18. The injected code extraction device according to B17, characterized in that the judgment module includes:
a running submodule, for running the code that the process of the suspect program injected into the other processes;
an acquisition submodule, for obtaining, by the PIN, the relevant information of the API function sequence called by the injected code while the injected code runs;
a second judging submodule, for judging, based on the relevant information of the API function sequence, whether the API function sequence is legal;
a second determination submodule, for determining the injected code to be malicious code if the API function sequence is illegal.
B19. The injected code extraction device according to B18, characterized in that the acquisition submodule is specifically used for:
inserting, while the code that the process of the suspect program injected into the other processes runs, the monitor code of the PIN at the head and tail of each API function in the injected code, where, when the monitor code executes, the monitor code monitors each API function called by the injected code and stores the relevant information of each API function called by the injected code in the log file of the PIN; extracting the relevant information of each API function called by the injected code from the log file of the PIN; and determining, based on the relevant information of each API function called by the injected code, the relevant information of the API function sequence called by the injected code.
B20. The injected code extraction device according to B18, characterized in that the relevant information of the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code runs, and
the order in which the API functions called by the injected code are called while the injected code runs.
B21. The injected code extraction device according to claim B18, characterized in that the second judging submodule is specifically used for:
judging, based on the relevant information of the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, where the malicious API function sequence library records the API function sequences that all malicious codes may call when executed; determining that the API function sequence is illegal if it is recorded in the malicious API function sequence library; and determining that the API function sequence is legal if it is not recorded in the malicious API function sequence library.
B22. The injected code extraction device according to any one of B17 to B21, characterized in that the injected code extraction device further includes:
an acquisition module, for obtaining, by the PIN, the instruction code in the suspect program used to call each API function in the suspect program, after the suspect program has been determined to be a malicious program;
an output module, for outputting the instruction code in the suspect program used to call each API function in the suspect program.
B23. The injected code extraction device according to B22, characterized in that the acquisition module includes:
a fourth extraction submodule, for extracting from the log file of the PIN, after the suspect program has been determined to be a malicious program, the memory address of the instruction code in the suspect program used to call each API function in the suspect program;
5th extracting sub-module is used for for being based on the memory address from being extracted in memory in the suspect program Call the instruction code of each api function in the suspect program.
B24, the injecting codes extraction element as described in B17~B21 is any, which is characterized in that the injecting codes carry Device is taken, further includes:
Removing module, for it is described the suspect program is determined as rogue program after, to the suspect program carry out It deletes;Or
Repair module, for it is described the suspect program is determined as rogue program after, the suspect program is caused Destruction repaired;Or
Isolation module, for it is described the suspect program is determined as rogue program after, to the suspect program carry out Isolation;Or
Classifying module, for it is described the suspect program is determined as rogue program after, to the suspect program carry out Sample is sorted out.

Claims (22)

1. An injected-code extraction method, characterized by including:
running a suspect program;
during the running of the suspect program, detecting, by an application programming interface execution recording tool PIN, whether the process of the suspect program injects code into other processes;
if it is detected that the process of the suspect program injects code into other processes, extracting, by the PIN, the code that the process of the suspect program injects into other processes;
wherein the step of detecting, during the running of the suspect program and by the application programming interface execution recording tool PIN, whether the process of the suspect program injects code into other processes includes: during the running of the suspect program, inserting the monitor code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein, when the monitor code executes, it monitors each API function called by the suspect program and stores the relevant information on each API function called by the suspect program in the journal file of the PIN; extracting from the journal file of the PIN the relevant information on each API function called by the suspect program; judging, based on the relevant information on each API function called by the suspect program, whether a preset API function is present among the API functions called by the suspect program, wherein the preset API function is used to inject code and/or data into other processes; and if the preset API function is present among the API functions called by the suspect program, determining that the process of the suspect program injects code into other processes.
2. The injected-code extraction method as described in claim 1, characterized in that the step of extracting, by the PIN, the code that the process of the suspect program injects into other processes includes:
extracting the relevant information on the preset API function from the journal file of the PIN;
extracting, from the relevant information on the preset API function, the code that the process of the suspect program injects into other processes.
3. The injected-code extraction method as described in claim 1, characterized in that, after the step of extracting, by the PIN, the code that the process of the suspect program injects into other processes, the method further includes:
outputting the code that the process of the suspect program injects into other processes.
4. The injected-code extraction method as described in claim 1, characterized in that, after the step of extracting, by the PIN, the code that the process of the suspect program injects into other processes, the method further includes:
judging, by the PIN, whether the code that the process of the suspect program injects into other processes is malicious code;
if the code that the process of the suspect program injects into other processes is the malicious code, determining the suspect program to be a malicious program.
5. The injected-code extraction method as described in claim 4, characterized in that the step of judging, by the PIN, whether the code that the process of the suspect program injects into other processes is malicious code includes:
running the code that the process of the suspect program injects into other processes;
obtaining, by the PIN, relevant information on the API function sequence called by the injected code while the injected code runs;
judging, based on the relevant information on the API function sequence, whether the API function sequence is legal;
if the API function sequence is illegal, determining the injected code to be malicious code.
6. The injected-code extraction method as described in claim 5, characterized in that the step of obtaining, by the PIN, relevant information on the API function sequence called by the injected code while the injected code runs includes:
while the code that the process of the suspect program injects into other processes runs, inserting the monitor code of the PIN at the head and tail of each API function in the injected code, wherein, when the monitor code executes, it monitors each API function called by the injected code and stores the relevant information on each API function called by the injected code in the journal file of the PIN;
extracting from the journal file of the PIN the relevant information on each API function called by the injected code;
determining, based on the relevant information on each API function called by the injected code, the relevant information on the API function sequence called by the injected code.
7. The injected-code extraction method as described in claim 5, characterized in that the relevant information on the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code runs, and
the calling order of each API function called by the injected code while the injected code runs.
8. The injected-code extraction method as described in claim 5, characterized in that the step of judging, based on the relevant information on the API function sequence, whether the API function sequence is legal includes:
judging, based on the relevant information on the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that all malicious code may call when executed;
if the API function sequence is recorded in the malicious API function sequence library, determining that the API function sequence is illegal;
if the API function sequence is not recorded in the malicious API function sequence library, determining that the API function sequence is legal.
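Claims 1, 2 and 5 to 8 together describe the analysis performed over the PIN journal file: look for a preset injection API among the logged calls, recover the written buffer from that API's logged arguments, and check the API sequence recorded while the extracted code ran against a malicious API function sequence library. The C++ program below is an added example, not code from the patent or its applicants. Everything it relies on is an assumption made for the example: the journal line format `<call order> <API name> <key=value ...>`, the preset API names (WriteProcessMemory and NtWriteVirtualMemory, real Windows APIs that the page itself does not name), the `buf` argument carrying the written bytes as hex, and the library entries.

```cpp
#include <algorithm>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One journal record.  Constructed format: the monitor code at the head of each API
// function is assumed to write "<call order> <API name> <key=value ...>".
struct ApiRecord {
    int seq;
    std::string api;
    std::map<std::string, std::string> args;
};

// Parse journal text into records sorted by call order (lines may be logged out of order).
static std::vector<ApiRecord> parseJournal(const std::string& journal) {
    std::vector<ApiRecord> recs;
    std::istringstream lines(journal);
    std::string line;
    while (std::getline(lines, line)) {
        std::istringstream fields(line);
        ApiRecord r;
        if (!(fields >> r.seq >> r.api)) continue;  // skip blank or malformed lines
        std::string kv;
        while (fields >> kv) {
            size_t eq = kv.find('=');
            if (eq != std::string::npos) r.args[kv.substr(0, eq)] = kv.substr(eq + 1);
        }
        recs.push_back(r);
    }
    std::sort(recs.begin(), recs.end(),
              [](const ApiRecord& a, const ApiRecord& b) { return a.seq < b.seq; });
    return recs;
}

// Preset API functions (claim 1): calls that write code and/or data into another process.
// The page does not name them; these real Win32/NT names are an assumption of the example.
static const std::set<std::string> kPresetInjectionApis = {"WriteProcessMemory",
                                                           "NtWriteVirtualMemory"};

// Claim 1: the suspect process injects into another process if any preset API was called.
static bool detectsInjection(const std::vector<ApiRecord>& recs) {
    for (const ApiRecord& r : recs)
        if (kPresetInjectionApis.count(r.api)) return true;
    return false;
}

static std::vector<unsigned char> hexToBytes(const std::string& hex) {
    std::vector<unsigned char> out;
    for (size_t i = 0; i + 1 < hex.size(); i += 2)
        out.push_back(static_cast<unsigned char>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    return out;
}

// Claim 2: recover the injected code from the preset API's relevant information.  Assumed:
// the written buffer was logged as hex in "buf"; successive writes are concatenated in order.
static std::vector<unsigned char> extractInjectedCode(const std::vector<ApiRecord>& recs) {
    std::vector<unsigned char> code;
    for (const ApiRecord& r : recs) {
        auto it = r.args.find("buf");
        if (!kPresetInjectionApis.count(r.api) || it == r.args.end()) continue;
        std::vector<unsigned char> chunk = hexToBytes(it->second);
        code.insert(code.end(), chunk.begin(), chunk.end());
    }
    return code;
}

// Claims 5-7: the API function sequence is the list of API names in calling order, taken
// from a journal written while the extracted code itself ran.
static std::vector<std::string> apiSequence(const std::vector<ApiRecord>& recs) {
    std::vector<std::string> seq;
    for (const ApiRecord& r : recs) seq.push_back(r.api);
    return seq;
}

// Claim 8: malicious API function sequence library (constructed entries).  A sequence
// recorded in the library is illegal; any other sequence is legal.
static const std::set<std::vector<std::string>> kMaliciousSequenceLibrary = {
    {"LoadLibraryA", "GetProcAddress", "URLDownloadToFileA", "WinExec"},
    {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}};

static bool sequenceIsIllegal(const std::vector<std::string>& seq) {
    return kMaliciousSequenceLibrary.count(seq) > 0;
}

// Constructed journal of the suspect program.  The written bytes are a harmless
// "mov rbp,rsp; xor eax,eax; ret" stand-in, not real injected code.
static const char* kSuspectJournal =
    "1 OpenProcess dwProcessId=4242\n"
    "3 WriteProcessMemory hProcess=0x1c lpBaseAddress=0x7ff6c0001000 nSize=0x6 buf=4889e531c0c3\n"
    "2 VirtualAllocEx hProcess=0x1c dwSize=0x1000\n"
    "4 CloseHandle hObject=0x1c\n";

// Constructed journal written while the extracted code ran (claim 5).
static const char* kInjectedCodeJournal =
    "1 LoadLibraryA lpLibFileName=urlmon.dll\n"
    "2 GetProcAddress lpProcName=URLDownloadToFileA\n"
    "3 URLDownloadToFileA szURL=http://example.invalid/x\n"
    "4 WinExec lpCmdLine=x.exe\n";
```

Running `parseJournal(kSuspectJournal)` through `detectsInjection` and `extractInjectedCode` yields a positive detection and the six written bytes; `apiSequence(parseJournal(kInjectedCodeJournal))` is found in the library and therefore judged illegal. The exact-match lookup implements claim 8 as written; in practice a library of this kind is usually also matched as a subsequence of a longer trace, since injected code rarely calls exactly the catalogued APIs and nothing else.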
9. The injected-code extraction method as described in any one of claims 4 to 8, characterized in that, after the step of determining the suspect program to be a malicious program, the method further includes:
obtaining, by the PIN, the instruction code in the suspect program that is used to call each API function in the suspect program;
outputting the instruction code in the suspect program that is used to call each API function in the suspect program.
10. The injected-code extraction method as described in claim 9, characterized in that the step of obtaining the instruction code in the suspect program that is used to call each API function in the suspect program includes:
extracting, from the journal file of the PIN, the memory address of the instruction code in the suspect program that is used to call each API function in the suspect program;
extracting from memory, based on the memory address, the instruction code in the suspect program that is used to call each API function in the suspect program.
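Claim 10 first takes the memory address of each logged API call site from the journal and then reads the instruction bytes at that address from the suspect process's memory. The C++ below is an added example, not the patent's code. It starts from already-parsed (API name, call-site address) records, uses a constructed byte snapshot in place of live process memory, decodes the length of the x86/x64 `call` encodings that compilers emit for imported functions (`E8 rel32`, `FF 15 disp32` and the `FF /2` register form) so that exactly one instruction is read per site, and returns the bytes per API for the output step of claim 9. The addresses, bytes and API names are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// A call-site record as the first step of claim 10 yields it from the journal: the API
// name and the memory address of the instruction in the suspect program that called it.
struct CallSite {
    std::string api;
    uint64_t addr;
};

// Constructed snapshot of the suspect process's code region (base address plus bytes),
// standing in for the live process memory the PIN tool would read.
struct MemoryImage {
    uint64_t base;
    std::vector<uint8_t> bytes;
    bool read(uint64_t addr, size_t n, std::vector<uint8_t>& out) const {
        if (addr < base || addr + n > base + bytes.size()) return false;
        out.assign(bytes.begin() + (addr - base), bytes.begin() + (addr - base) + n);
        return true;
    }
};

// Length of the x86/x64 call instruction starting at p, or 0 if it is not a call form
// handled here.  E8 rel32 is 5 bytes; FF /2 with mod=00 rm=101 (call [disp32] or
// call [rip+disp32], the usual import-table call) is 6 bytes; FF /2 with mod=11
// (call register) is 2 bytes.
static size_t callInstructionLength(const uint8_t* p, size_t avail) {
    if (avail >= 1 && p[0] == 0xE8) return 5;
    if (avail >= 2 && p[0] == 0xFF) {
        uint8_t mod = p[1] >> 6, reg = (p[1] >> 3) & 7, rm = p[1] & 7;
        if (reg == 2) {
            if (mod == 3) return 2;
            if (mod == 0 && rm == 5) return 6;
        }
    }
    return 0;
}

// Second step of claim 10: read the instruction code at each logged address from memory.
// Sites outside the captured image or with an unrecognised opcode are skipped.
static std::map<std::string, std::vector<uint8_t>> extractCallInstructions(
    const std::vector<CallSite>& sites, const MemoryImage& mem) {
    std::map<std::string, std::vector<uint8_t>> out;
    for (const CallSite& s : sites) {
        std::vector<uint8_t> head, insn;
        if (!mem.read(s.addr, 2, head)) continue;
        size_t len = callInstructionLength(head.data(), head.size());
        if (len == 0 || !mem.read(s.addr, len, insn)) continue;
        out[s.api] = insn;
    }
    return out;
}

// Hex rendering for the output step of claim 9.
static std::string hexDump(const std::vector<uint8_t>& b) {
    static const char* digits = "0123456789abcdef";
    std::string s;
    for (uint8_t x : b) { s += digits[x >> 4]; s += digits[x & 15]; s += ' '; }
    return s;
}

// Constructed code region at 0x401000:
//   401000  FF 15 F8 0F 00 00   call [rip+0xff8]   (import thunk, assumed OpenProcess)
//   401006  E8 10 00 00 00      call +0x10         (assumed WriteProcessMemory wrapper)
//   40100B  C3                  ret
static const MemoryImage kImage{0x401000,
    {0xFF, 0x15, 0xF8, 0x0F, 0x00, 0x00, 0xE8, 0x10, 0x00, 0x00, 0x00, 0xC3}};

// Constructed journal-derived call sites; the third lies outside the captured region.
static const std::vector<CallSite> kSites = {
    {"OpenProcess", 0x401000}, {"WriteProcessMemory", 0x401006}, {"CloseHandle", 0x402000}};

int main() {
    for (const auto& kv : extractCallInstructions(kSites, kImage))
        std::printf("%-20s %s\n", kv.first.c_str(), hexDump(kv.second).c_str());
    return 0;
}
```

Reading only as many bytes as the decoded call instruction occupies is what keeps the extracted "instruction code" meaningful; reading a fixed window would mix the call with whatever follows it. A call site whose address is not in the snapshot, or whose opcode is not a recognised call form, is left out rather than guessed.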
11. The injected-code extraction method as described in any one of claims 4 to 8, characterized in that, after the step of determining the suspect program to be a malicious program, the method further includes:
deleting the suspect program; or
repairing the damage caused by the suspect program; or
isolating the suspect program; or
performing sample classification on the suspect program.
12. An injected-code extraction device, characterized by including:
a run module, configured to run a suspect program;
a detection module, configured to detect, during the running of the suspect program and by an application programming interface execution recording tool PIN, whether the process of the suspect program injects code into other processes;
an extraction module, configured to extract, by the PIN, the code that the process of the suspect program injects into other processes if it is detected that the process of the suspect program injects code into other processes;
wherein the detection module includes:
an insertion submodule, configured to insert, during the running of the suspect program, the monitor code of the PIN at the head and tail of each application programming interface (API) function called by the suspect program, wherein, when the monitor code executes, it monitors each API function called by the suspect program and stores the relevant information on each API function called by the suspect program in the journal file of the PIN;
a first extraction submodule, configured to extract from the journal file of the PIN the relevant information on each API function called by the suspect program;
a first judgment submodule, configured to judge, based on the relevant information on each API function called by the suspect program, whether a preset API function is present among the API functions called by the suspect program, wherein the preset API function is used to inject code and/or data into other processes;
a first determination submodule, configured to determine that the process of the suspect program injects code into other processes if the preset API function is present among the API functions called by the suspect program.
13. The injected-code extraction device as described in claim 12, characterized in that the extraction module includes:
a second extraction submodule, configured to extract the relevant information on the preset API function from the journal file of the PIN;
a third extraction submodule, configured to extract, from the relevant information on the preset API function, the code that the process of the suspect program injects into other processes.
14. The injected-code extraction device as described in claim 12, characterized in that the injected-code extraction device further includes:
an output module, configured to output the code that the process of the suspect program injects into other processes after the code that the process of the suspect program injects into other processes has been extracted by the PIN.
15. The injected-code extraction device as described in claim 13, characterized in that the injected-code extraction device further includes:
a judgment module, configured to, after the code that the process of the suspect program injects into other processes has been extracted by the PIN, judge by the PIN whether the code that the process of the suspect program injects into other processes is malicious code;
a determining module, configured to determine the suspect program to be a malicious program if the code that the process of the suspect program injects into other processes is the malicious code.
16. The injected-code extraction device as described in claim 15, characterized in that the judgment module includes:
a run submodule, configured to run the code that the process of the suspect program injects into other processes;
an acquisition submodule, configured to obtain, by the PIN, relevant information on the API function sequence called by the injected code while the injected code runs;
a second judgment submodule, configured to judge, based on the relevant information on the API function sequence, whether the API function sequence is legal;
a second determination submodule, configured to determine the injected code to be malicious code if the API function sequence is illegal.
17. The injected-code extraction device as described in claim 16, characterized in that the acquisition submodule is specifically configured to:
while the code that the process of the suspect program injects into other processes runs, insert the monitor code of the PIN at the head and tail of each API function in the injected code, wherein, when the monitor code executes, it monitors each API function called by the injected code and stores the relevant information on each API function called by the injected code in the journal file of the PIN; extract from the journal file of the PIN the relevant information on each API function called by the injected code; and determine, based on the relevant information on each API function called by the injected code, the relevant information on the API function sequence called by the injected code.
18. The injected-code extraction device as described in claim 16, characterized in that the relevant information on the API function sequence called by the injected code includes:
the name of each API function called by the injected code while the injected code runs, and
the calling order of each API function called by the injected code while the injected code runs.
19. The injected-code extraction device as described in claim 16, characterized in that the second judgment submodule is specifically configured to:
judge, based on the relevant information on the API function sequence, whether the API function sequence is recorded in a malicious API function sequence library, wherein the malicious API function sequence library records the API function sequences that all malicious code may call when executed; if the API function sequence is recorded in the malicious API function sequence library, determine that the API function sequence is illegal; and if the API function sequence is not recorded in the malicious API function sequence library, determine that the API function sequence is legal.
20. The injected-code extraction device as described in any one of claims 15 to 19, characterized in that the injected-code extraction device further includes:
an acquisition module, configured to obtain, by the PIN, after the suspect program has been determined to be a malicious program, the instruction code in the suspect program that is used to call each API function in the suspect program;
an output module, configured to output the instruction code in the suspect program that is used to call each API function in the suspect program.
21. The injected-code extraction device as described in claim 20, characterized in that the acquisition module includes:
a fourth extraction submodule, configured to extract from the journal file of the PIN, after the suspect program has been determined to be a malicious program, the memory address of the instruction code in the suspect program that is used to call each API function in the suspect program;
a fifth extraction submodule, configured to extract from memory, based on the memory address, the instruction code in the suspect program that is used to call each API function in the suspect program.
22. The injected-code extraction device as described in any one of claims 15 to 19, characterized in that the injected-code extraction device further includes:
a removal module, configured to delete the suspect program after the suspect program has been determined to be a malicious program; or
a repair module, configured to repair the damage caused by the suspect program after the suspect program has been determined to be a malicious program; or
an isolation module, configured to isolate the suspect program after the suspect program has been determined to be a malicious program; or
a classification module, configured to perform sample classification on the suspect program after the suspect program has been determined to be a malicious program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510918017.XA CN105574409B (en) 2015-12-10 2015-12-10 A kind of injecting codes extracting method and device


Publications (2)

Publication Number Publication Date
CN105574409A CN105574409A (en) 2016-05-11
CN105574409B true CN105574409B (en) 2018-09-04

Family

ID=55884528


Country Status (1)

Country Link
CN (1) CN105574409B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106709325B (en) * 2016-11-11 2020-09-25 腾讯科技(深圳)有限公司 Method and device for monitoring program
CN116108440B (en) * 2023-04-12 2024-01-26 北京网藤科技有限公司 Processing method, device, equipment and medium for injecting industrial control key software

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104268471A (en) * 2014-09-10 2015-01-07 珠海市君天电子科技有限公司 Method and device for detecting return-oriented programming attack
CN104715195A (en) * 2015-03-12 2015-06-17 广东电网有限责任公司信息中心 Malicious code detecting system and method based on dynamic instrumentation
CN104834859A (en) * 2015-04-24 2015-08-12 南京邮电大学 Method for dynamically detecting malicious behavior in Android App (Application)
CN104866765A (en) * 2015-06-03 2015-08-26 康绯 Behavior characteristic similarity-based malicious code homology analysis method
CN105138903A (en) * 2015-08-14 2015-12-09 电子科技大学 ROP attack detection method based on RET instructions and JMP instructions




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Co-patentee after: QAX Technology Group Inc.

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Co-patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder