CN105678168A - Method and apparatus for detecting Shellcode based on stack frame abnormity - Google Patents


Info

Publication number: CN105678168A
Authority: CN (China)
Prior art keywords: stack frame, stack, address, return address, ebp
Legal status: Pending
Application number: CN201511020089.9A
Other languages: Chinese (zh)
Inventor: 孙建坡
Current assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority application: CN201511020089.9A
Publication: CN105678168A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention relates to the field of computers, and in particular to a method and an apparatus for detecting shellcode based on stack frame abnormality. The method comprises: for each designated API function, generating a corresponding stack frame chain; and examining each stack frame of each chain in turn to select all abnormal stack frames, where examining one stack frame comprises detecting whether an element indicator of that frame meets a preset condition and, if it does not, determining that the frame is abnormal. The element indicator is one or a combination of the stack frame length, the stack frame EBP address and the stack frame return address. Examining only the stack frame chains that correspond to designated API functions avoids blind detection of all functions and reduces system performance overhead, and selecting abnormal stack frames by their element indicators increases detection performance and reduces the false alarm rate.

Description

Shellcode detection method and apparatus based on stack frame abnormality
Technical field
The present invention relates to the field of computers, and in particular to a shellcode detection method and apparatus based on stack frame abnormality.
Background technology
In existing computer software, the openness and interactivity of systems and defects in the software itself leave computers and service systems exposed to attacks by malicious code and to exploitation of vulnerabilities, in particular when a system vulnerability triggers the execution of foreign code (shellcode). Shellcode is the core of overflow exploits and worm viruses; an attacker can use shellcode to download remotely or load further modules and thereby take control of the computer at will.
Shellcode is attack code that an attacker injects into a target process; its main functions are disabling DEP (Data Execution Prevention), code relocation, obtaining system API (Application Programming Interface) addresses, loading and downloading. Shellcode normally resides on the stack or the heap, and its system calls all rely on the stack to pass parameters and return from calls. Because DEP makes ordinary data memory non-executable, return-to-libc and ROP attack techniques emerged: by constructing parameters and return addresses on the stack they make the program's execution flow jump directly into the function address space of a dynamic link library, but this construction produces abnormal stack frame return addresses.
In the prior art, shellcode detection methods are as follows:
1) Signature-based shellcode detection uses heuristic knowledge such as the fact that shellcode needs to resolve the address of kernel32.dll, scans for SEH addresses, or detects system calls; it is mainly based on specific strings or specific structures of the shellcode, and is performed before the shellcode is loaded.
Signature-based detection can therefore detect known shellcode in a program's external input or in network data, but cannot detect unusual shellcode.
2) Integrity-based shellcode detection is also performed before the shellcode is loaded. It traverses the EBP chain step by step by backtracking, checking the integrity of EBP to detect whether the stack is abnormal. Further, since execution of shellcode makes the program counter deviate from its normal trace and enter a forbidden code region, a table of legal PC jumps can be built that restricts the locations from which user functions may call system functions, making effective shellcode detectable.
Integrity-based detection, however, has difficulty guaranteeing the integrity of the stack chain: if shellcode is present, the forbidden code region is entered during detection, but the anomaly can only be detected after that point; the extra cost and the cost of real-time detection are both relatively high, and dynamic jumps easily produce false alarms.
3) Behaviour-based shellcode detection runs while the shellcode executes. It uses preset rules to judge abnormal behaviour, then intercepts and analyses the abnormal system API calls, because an executing shellcode is likely to call system APIs in a way that differs from normal program modules. For example, BLADE identifies user actions and specific dialog boxes, relating user intent to files, and thereby detects the download behaviour of shellcode; BrowserGuard detects the download behaviour of shellcode from the user's browsing behaviour.
Behaviour-based detection depends on the preset rules for judging anomalies; these rules must be accurate, and false alarms can therefore occur.
Summary of the invention
Embodiments of the present invention provide a shellcode detection method and apparatus based on stack frame abnormality that detect shellcode effectively with small performance overhead and a false alarm rate close to zero.
The specific technical solution provided by the embodiments is as follows:
A shellcode detection method based on stack frame abnormality: for each specified API function, a corresponding stack frame chain is generated, and each stack frame in each chain is examined in turn to filter out all abnormal stack frames, where examining one stack frame comprises:
detecting whether the element index of the stack frame meets a preset condition and, if it does not, determining that the stack frame is abnormal; the element index comprises any one or any combination of the stack frame length, the stack frame EBP address and the stack frame return address.
In the embodiments, therefore, a stack frame chain is generated for each specified API function, each stack frame in each chain is examined in turn, and a frame whose element index (any one or combination of stack frame length, stack frame EBP address and stack frame return address) fails the preset condition is determined to be abnormal. Because only the chains corresponding to the specified API functions are examined, blind detection of all functions is avoided and system performance overhead is reduced; and because abnormal frames are filtered directly by their element index, detection performance improves and the false alarm rate falls.
Preferably, the API functions include at least one or any combination of: LoadLibrary, CreateProcessInternalW, CreateFile, GetProcAddress, WinExec, ShellExecute.
Preferably, generating the stack frame chain for a specified API function specifically comprises:
determining all functions involved in the process of calling that API function, together with the call relationships and the call order among them; and
generating a stack frame for each function according to its execution, then associating all generated stack frames in call order according to those call relationships to form the stack frame chain.
Preferably, the element index of the stack frame not meeting the preset condition comprises one or any combination of the following:
the stack frame length is greater than a default threshold;
the stack frame EBP address is wrong, where the stack frame EBP address denotes the position of the previous stack frame, i.e. the frame of the caller of this stack frame;
the stack frame return address is wrong, where the stack frame return address denotes the position in the code area of the next instruction to be executed after the function call corresponding to this stack frame ends.
Preferably, a wrong stack frame EBP address comprises any one or any combination of the following:
the stack frame EBP address is not within the memory of the current stack;
the stack frame EBP address does not increase in the default order;
the stack frame EBP address is unreadable.
Preferably, a wrong stack frame return address comprises any one or any combination of the following:
the stack frame return address is unreadable;
the stack frame return address is not in a valid code area;
the instruction preceding the stack frame return address is not a CALL instruction;
the CALL instruction preceding the stack frame return address does not point to a complete function;
the memory pointed to by the stack frame return address is writable;
the stack frame return address is not executable.
Preferably, when the element index of the stack frame is determined not to meet the preset condition, the following operations are further performed:
if the stack frame length of the stack frame is determined to be greater than the default threshold, at least report that the stack frame is abnormal, and exit detection directly;
if the stack frame EBP address of the stack frame is determined to be wrong, at least report that the stack frame is abnormal, reconstruct the stack frame chain on the basis of the previous normal stack frame and the next stack frame of this frame that has a normal return address, and after reconstruction select that next normal stack frame and continue with the next round of detection;
if the stack frame return address of the stack frame is determined to be wrong, at least report that the stack frame is abnormal, and select the next stack frame and continue with the next round of detection.
In this way there is no need to build a legal API sequence carrying stack frame information, nor to analyse function names, which reduces performance cost; and when a stack frame is abnormal the chain is reconstructed, which solves the problem of a missing or destroyed stack frame EBP address.
Preferably, for any stack frame chain, after that chain has been screened, the method further comprises:
generating and displaying a corresponding triple for the chain, the triple characterising the abnormal or normal state of each stack frame in the chain.
Preferably, the method further comprises:
locating the shellcode for each abnormal stack frame filtered out, where locating the shellcode for any one abnormal stack frame specifically comprises:
determining the function corresponding to that abnormal stack frame, locating the position in the code area of the instruction that calls that function, and taking that position as the located shellcode position.
Thus the position of the shellcode is determined from all the abnormal stack frames filtered out. No shellcode signature database needs to be built: unknown shellcode can be detected from the abnormal state of stack frames, which effectively improves detection performance.
A shellcode detection apparatus based on stack frame abnormality, comprising:
a generating unit, for generating a corresponding stack frame chain for each specified API function;
a detection unit, for examining each stack frame in each stack frame chain in turn and filtering out all abnormal stack frames, where, when examining one stack frame, it is specifically configured to:
detect whether the element index of the stack frame meets a preset condition and, if it does not, determine that the stack frame is abnormal; the element index comprises any one or any combination of the stack frame length, the stack frame EBP address and the stack frame return address.
As with the method, examining only the chains corresponding to the specified API functions avoids blind detection of all functions and reduces system performance overhead, and filtering abnormal frames directly by their element index improves detection performance and reduces the false alarm rate.
Preferably, the API functions include at least one or any combination of: LoadLibrary, CreateProcessInternalW, CreateFile, GetProcAddress, WinExec, ShellExecute.
Preferably, when generating the stack frame chain for a specified API function, the generating unit is specifically configured to:
determine all functions involved in the process of calling that API function, together with the call relationships and the call order among them; and
generate a stack frame for each function according to its execution, then associate all generated stack frames in call order according to those call relationships to form the stack frame chain.
Preferably, the element index of the stack frame not meeting the preset condition comprises one or any combination of the following:
the stack frame length is greater than a default threshold;
the stack frame EBP address is wrong, where the stack frame EBP address denotes the position of the previous stack frame, i.e. the frame of the caller of this stack frame;
the stack frame return address is wrong, where the stack frame return address denotes the position in the code area of the next instruction to be executed after the function call corresponding to this stack frame ends.
Preferably, a wrong stack frame EBP address comprises any one or any combination of the following:
the stack frame EBP address is not within the memory of the current stack;
the stack frame EBP address does not increase in the default order;
the stack frame EBP address is unreadable.
Preferably, a wrong stack frame return address comprises any one or any combination of the following:
the stack frame return address is unreadable;
the stack frame return address is not in a valid code area;
the instruction preceding the stack frame return address is not a CALL instruction;
the CALL instruction preceding the stack frame return address does not point to a complete function;
the memory pointed to by the stack frame return address is writable;
the stack frame return address is not executable.
Preferably, when the element index of the stack frame is determined not to meet the preset condition, the detection unit is further configured to:
if the stack frame length of the stack frame is determined to be greater than the default threshold, at least report that the stack frame is abnormal, and exit detection directly;
if the stack frame EBP address of the stack frame is determined to be wrong, at least report that the stack frame is abnormal, reconstruct the stack frame chain on the basis of the previous normal stack frame and the next stack frame of this frame that has a normal return address, and after reconstruction select that next normal stack frame and continue with the next round of detection;
if the stack frame return address of the stack frame is determined to be wrong, at least report that the stack frame is abnormal, and select the next stack frame and continue with the next round of detection.
In this way there is no need to build a legal API sequence carrying stack frame information, nor to analyse function names, which reduces performance cost; and when a stack frame is abnormal the chain is reconstructed, which solves the problem of a missing or destroyed stack frame EBP address.
Preferably, for any stack frame chain, after that chain has been screened, the apparatus further comprises:
a display unit, for generating and displaying a corresponding triple for the chain, the triple characterising the abnormal or normal state of each stack frame in the chain.
Preferably, the apparatus further comprises:
a positioning unit, for locating the shellcode for each abnormal stack frame filtered out, where, when locating the shellcode for any one abnormal stack frame, it is specifically configured to:
determine the function corresponding to that abnormal stack frame, locate the position in the code area of the instruction that calls that function, and take that position as the located shellcode position.
Thus the position of the shellcode is determined from all the abnormal stack frames filtered out. No shellcode signature database needs to be built: unknown shellcode can be detected from the abnormal state of stack frames, which effectively improves detection performance.
Description of the drawings
Fig. 1 is an overview flow chart of the shellcode detection method based on stack frame abnormality in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the different stack frame anomaly situations in an embodiment of the present invention;
Fig. 3 is a detailed flow chart of the method for examining one stack frame for abnormality in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the shellcode detection apparatus based on stack frame abnormality in an embodiment of the present invention.
Detailed description of the invention
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
To detect shellcode effectively while reducing performance cost and the false alarm rate, the embodiments generate a corresponding stack frame chain for each specified API function, examine each stack frame in each chain in turn, and, according to the abnormal behaviour of the stack frame as seen in any one or combination of the stack frame length, the stack frame EBP (Extended Base Pointer register) address and the stack frame return address, filter out all abnormal stack frames and thereby detect the shellcode.
Referring to Fig. 1, the specific flow of the shellcode detection method based on stack frame abnormality in the embodiment is as follows:
Step 100: generate a corresponding stack frame chain for each specified API function.
In practice, shellcode performs its various operations during execution by calling system API functions, including disabling DEP, self-decryption, code relocation, obtaining system API addresses, downloading executable programs and loading programs, and so attacks the system. The API functions concerned include at least one or any combination of: ZwSetInformationProcess, LoadLibrary, CreateProcessInternalW, CreateFile, GetProcAddress, URLDownloadToFile, WinExec, ShellExecute, InternetReadFile, GetCommandLineA, CreateRemoteThread, etc.
Thus detection can target these sensitive API functions rather than all functions, which reduces system performance overhead: only the abnormal state of the stack frames produced while the specified API functions are called needs to be analysed, so shellcode is detected according to the definition of stack frame abnormality, and the vulnerable code can be located.
When step 100 is performed, generating the stack frame chain for a specified API function specifically comprises:
First, determine all functions involved in the process of calling that API function, together with the call relationships and the call order among them.
Then, generate a stack frame for each function according to its execution, and associate all generated stack frames in call order according to those call relationships to form the stack frame chain.
In practice, when a function is called the system automatically allocates a stack frame for it; each call of each function has its own independent stack frame, which stores the information needed during the call, including the function's parameters, its local variables, the function return address and the stack frame EBP address.
Generating the stack frame of each function according to its execution specifically means: when a function is called, its parameters and local variables are pushed onto the stack, and the return address is pushed, i.e. the address in the code area of the instruction following the one that called the current function, so that execution can continue when the current function call ends and returns. The EBP register points to the bottom (high address) of the current stack frame; the saved stack frame EBP address points to the bottom of the previous stack frame, that of the caller of the current frame; the ESP (Extended Stack Pointer) register points to the top of the stack (the position of the next item to be pushed, i.e. the low address); and the current function's stack frame is held between ESP and EBP.
Step 110: examine each stack frame in each stack frame chain in turn and filter out all abnormal stack frames, where examining one stack frame comprises: detecting whether the element index of the stack frame meets a preset condition and, if it does not, determining that the stack frame is abnormal; the element index comprises any one or any combination of the stack frame length, the stack frame EBP address and the stack frame return address.
When step 110 is performed, every stack frame in every chain is examined and all abnormal frames in each chain are filtered out. Examining one stack frame is described in detail below: whether the element index of the stack frame meets the preset condition is detected, and if it does not, the stack frame is determined to be abnormal.
The element index of the stack frame failing the preset condition comprises one or any combination of the following: the stack frame length is greater than the default threshold, the stack frame EBP address is wrong, or the stack frame return address is wrong. That is, stack frame anomalies are divided into stack frame length anomalies, stack frame EBP address errors and stack frame return address errors.
Table 1 lists the specific conditions that trigger a stack frame anomaly.
Table 1
Based on Table 1, the three kinds of anomaly are briefly introduced below:
1) LONG_LENGTH: the stack frame length is greater than the default threshold. The length of each stack frame follows certain rules; if a frame's length violates these rules, i.e. is greater than the default threshold, the stack frame length is abnormal.
2) Stack frame EBP address error, which comprises any one or any combination of the following:
OUT_ATACK: the stack frame EBP address is not within the memory of the current stack.
NO_INCREASE: the stack frame EBP address does not increase in the default order. The current EBP register denotes the base address of the stack frame, and the stack frame EBP address denotes the position of the previous stack frame that called it. Functions are called from high to low addresses, so when backtracking by stack frame EBP the EBP addresses should run from low to high; otherwise the next stack frame cannot be traced through the stack frame EBP.
NO_REAN: the stack frame EBP address is unreadable.
3) Stack frame return address error, which comprises any one or any combination of the following:
NO_READ: the stack frame return address is unreadable.
NOT_IN_LOADED_MODULES: the stack frame return address is not in a valid code area, i.e. not in a loaded module. The stack frame return address denotes the position in the code area of the next instruction to execute after the function call corresponding to the frame ends, so it must lie in a valid code area; otherwise execution cannot jump to the next instruction and continue, and the return address is wrong.
NO_COMPLETE_CALL_BEFORE: the CALL instruction preceding the stack frame return address does not point to a complete function.
CAN_BE_WRITTEN: the memory pointed to by the stack frame return address is writable. The return address points to the code address of the next instruction to execute after the call ends; normally the memory it points to is not writable, and if it is writable the return address is wrong.
NO_CALL_BEFORE: the instruction preceding the stack frame return address is not a CALL instruction. A stack frame is established by a CALL instruction, so the instruction preceding the return address must be a CALL; otherwise the return address is wrong.
NO_EXECUTE: the stack frame return address is not executable.
Further, when the element indicators of the stack frame are determined not to meet the preset conditions, the following operations are performed; they can be divided into three cases:
First case: if the stack frame length of the stack frame is determined to be greater than the preset threshold, at least report the stack frame as abnormal and exit the detection directly.
In practice a discriminant function for the stack frame length can be defined, for example IsFrameLengthNormal(), which returns true for NORMAL and false for LONG_LENGTH. If it returns false, the stack frame is judged abnormal and the detection exits; if it returns true, the stack frame EBP detection and the stack frame return address detection proceed.
Second case: if the stack frame EBP address of the stack frame is determined to be in error, at least report the stack frame as abnormal, reconstruct the stack frame chain based on the previous normal stack frame of this frame and the next frame with a normal return address, and after the reconstruction is complete select that next normal frame and continue with the next round of detection.
In practice a discriminant function for the stack frame EBP address can be defined, for example IsEbpNormal(), which returns true for NORMAL and false for OUT_ATACK, NO_INCREASE or NO_REAN (the three EBP error conditions: outside the stack, not increasing, unreadable).
If it returns true, the stack frame return address detection proceeds; if it returns false, the following steps are performed:
First, determine the previous normal stack frame of this stack frame, and output that previous normal stack frame together with this stack frame as abnormal.
Then, starting from that previous normal stack frame, search for the next stack frame with a normal return address.
For example, let the stack frame EBP address of the previous normal stack frame be LastEBP. Add 0x0c to LastEBP, which skips that normal frame's saved base pointer, its return address and its first DWORD, and start scanning in units of a single byte: at each byte position read one DWORD and call the return address discriminant function to judge whether that DWORD holds a normal stack frame return address. If not, keep reading; if so, stop the search and judge whether the DWORD immediately before it is a normal stack frame EBP address. If it is not, continue searching for a normal return address and again test whether a normal stack frame EBP address precedes it, until the next normal stack frame is found or the preset search volume is exceeded.
Finally, reconstruct the stack frame chain based on the previous normal stack frame and the next frame with a normal return address, and after the reconstruction is complete select that next normal frame and continue with the next round of detection.
Third case: if the stack frame return address of the stack frame is determined to be in error, at least report the stack frame as abnormal, and select the next stack frame of this frame to continue with the next round of detection.
In practice a discriminant function for the stack frame return address can be defined, for example IsRetAddrNormal(), which returns true for NORMAL and false for any of NO_REAN, NOT_IN_LOADED_MODULES, NO_COMPLETE_CALL_BEFORE, CAN_BE_WRITTEN, NO_CALL_BEFORE and NO_EXECUTE. If it returns false, determine the previous normal stack frame of this stack frame, output that previous normal stack frame together with this stack frame as abnormal, and select the next stack frame to continue the detection; if it returns true, output this stack frame as normal and likewise select the next stack frame to continue the detection.
Further, for any stack frame chain, after that chain has been screened, a corresponding triple is generated for it and displayed; the triple characterises the abnormal or normal state of each stack frame in the chain.
For example, the triple generated for a stack frame chain is <NormalSF, {AbnormalSF}r, NormalSF>, where NormalSF denotes a normal stack frame, AbnormalSF an abnormal stack frame and r a run of consecutive abnormal stack frames. Thus, if an API function was called normally the output is empty; otherwise one or more triples are output. The abnormal stack frame closest to the source of the call best reflects the point at which the program's EIP (the register holding the address of the next instruction the CPU executes) jumped from the normal code section into the shellcode, and its information can be used to locate the module and function in which the vulnerability occurred and the position of the shellcode in memory.
For example, in practice stack anomalies can be summarised into the six situations shown in Fig. 2, which cover the normal and abnormal states of the stack frame EBP address and the stack frame return address of each frame when the stack frame length is normal; there NEBP denotes a stack frame EBP address error, NRET a stack frame return address error, EBP a normal stack frame EBP address and RET a normal stack frame return address.
Each of these situations can be represented by a triple.
Further, shellcode location positioning is carried out separately for each screened abnormal stack frame; for any one screened abnormal stack frame this specifically includes:
Determining the function that the abnormal stack frame corresponds to, locating the code-area position of the instruction that called that function, and taking that code-area position as the located shellcode position.
Specifically, when the program runs and the EIP jumps from normal module code into shellcode, the stack frame becomes abnormal. Therefore, for any screened abnormal stack frame, the next normal stack frame in the reverse direction carries the module information of the jump: the code area of the instruction that called the abnormal frame is the place where the vulnerability occurred. By traversing all modules the program has loaded (the dynamic-link library modules the functions belong to), obtaining each module's name, memory layout, length and export function table, and matching the stack frame return address against them, the name of the module in which the vulnerability occurred, the function name and the offset relative to the function's start address can be located. This information helps to locate 0-day vulnerabilities quickly and prepares for analysing the vulnerability and patching it in time.
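The localisation step described above, as an added example that is not part of the patent: a return address is matched against a loaded-module list with export tables to obtain module name, function name and offset from the function's start, and a screened chain is read to report the shellcode position and the call site of the jump. The module names and ranges, the export names and addresses, the constructed chain, and the rule that the first abnormal frame's return address (when it lies in no module) is the shellcode position are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed module list with export tables; every name and address here is invented. */
struct exp_entry { const char *name; uint32_t addr; };
struct module { const char *name; uint32_t lo, hi; const struct exp_entry *exp; int nexp; };
static const struct exp_entry app_exp[] = {
    { "main", 0x00401000u }, { "HandleInput", 0x00401200u }, { "ParseRecord", 0x00401500u } };
static const struct exp_entry k32_exp[] = { { "WinExec", 0x7C801000u }, { "CreateProcessW", 0x7C801200u } };
static const struct module g_mods[] = {
    { "app.exe",      0x00401000u, 0x00410000u, app_exp, 3 },
    { "kernel32.dll", 0x7C800000u, 0x7C900000u, k32_exp, 2 },
};

struct symbol { const char *module, *function; uint32_t offset; };

/* Map an address to module, nearest preceding export and offset from that export.
 * Returns 0 when the address lies in no loaded module, i.e. code running from stack or heap. */
static int symbolize(uint32_t a, struct symbol *s) {
    for (size_t i = 0; i < sizeof g_mods / sizeof g_mods[0]; i++) {
        const struct module *m = &g_mods[i];
        if (a < m->lo || a >= m->hi) continue;
        const struct exp_entry *best = NULL;
        for (int j = 0; j < m->nexp; j++)
            if (m->exp[j].addr <= a && (!best || m->exp[j].addr > best->addr)) best = &m->exp[j];
        s->module = m->name;
        s->function = best ? best->name : "(no export)";
        s->offset = best ? a - best->addr : a - m->lo;
        return 1;
    }
    return 0;
}

/* A screened chain, ordered from the API function's frame toward the thread start. */
struct frame { uint32_t ret; int abnormal; };
struct finding { uint32_t shellcode; struct symbol vuln; int ok; };

/* Shellcode position: the return address of the first abnormal frame, provided it lies outside
 * every module (assumption). Vulnerability position: the return address of the next normal frame
 * in the reverse direction, symbolised to module + function + offset. */
static struct finding locate(const struct frame *chain, int n) {
    struct finding f; struct symbol tmp;
    memset(&f, 0, sizeof f);
    for (int i = 0; i < n; i++) {
        if (!chain[i].abnormal) continue;
        if (!symbolize(chain[i].ret, &tmp)) f.shellcode = chain[i].ret;
        for (int j = i + 1; j < n; j++)
            if (!chain[j].abnormal && symbolize(chain[j].ret, &f.vuln)) { f.ok = 1; break; }
        return f;
    }
    return f;
}

static struct finding g_result;
static struct symbol g_sym;

/* Constructed chain: WinExec returning into the stack, one smashed frame, then intact frames. */
int demo(void) {
    static const struct frame chain[] = {
        { 0x0012F0C0u, 1 }, { 0x41414141u, 1 }, { 0x0040158Au, 0 }, { 0x00401234u, 0 }, { 0x7C80123Au, 0 } };
    g_result = locate(chain, 5);
    return g_result.ok;
}

int main(void) {
    if (demo())
        printf("shellcode at %08x; EIP left normal code from %s!%s+0x%x\n", (unsigned)g_result.shellcode,
               g_result.vuln.module, g_result.vuln.function, (unsigned)g_result.vuln.offset);
    return 0;
}
```

The offset is measured from the nearest preceding export because, as the text notes, only the export table is available without symbols; a return address between two exports is attributed to the lower one, which is the usual approximation and the reason the reported function name should be confirmed against a disassembly.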
A concrete application scenario is used below to describe the above embodiment further. As shown in Fig. 3, in the embodiment of the present invention the execution process when detecting one stack frame is as follows:
Step 300: detect this stack frame, i.e. any one stack frame in the stack frame chain generated for the specified API function.
Step 301: judge whether the stack frame length is less than the preset threshold; if so, perform step 302, otherwise perform step 309.
Step 302: judge whether the stack frame EBP address is normal; if so, perform step 306, otherwise perform step 303.
Step 303: output the previous normal stack frame of this stack frame and this stack frame as abnormal.
That is, when the stack frame EBP address is in error, this stack frame is determined to be abnormal, and the previous normal stack frame of this abnormal frame must be determined for the reconstruction in the subsequent step 304.
Step 304: based on the previous normal stack frame, search for the next frame with a normal return address after this abnormal frame, and reconstruct the stack frame chain from the previous normal stack frame and that next frame; if the reconstruction succeeds, perform step 305, otherwise perform step 309.
That is, when the stack frame EBP address is in error the stack frame chain is reconstructed, but reconstruction does not always succeed: if no next frame with a normal return address can be found, the chain cannot be reconstructed.
Step 305: output the next frame with a normal return address.
Step 306: judge whether the stack frame return address is normal; if so, perform step 308, otherwise perform step 307.
Step 307: output the previous stack frame (normal) and this stack frame (abnormal).
That is, when the stack frame return address is in error, this stack frame is determined to be abnormal; the previous normal stack frame of this abnormal frame is determined, and both the previous normal frame and this frame, judged abnormal, are output.
Step 308: select the next stack frame.
Step 309: exit the detection.
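The three cases of the previous section and steps 300 to 309 above, as an added example that is not part of the patent: a C stack walker that applies the length, EBP and return address discriminants to a constructed little-endian 32-bit stack image and, on an EBP error, performs the byte-wise reconstruction scan from LastEBP + 0x0c. The stack range, the two module ranges, the list of addresses that follow a CALL, the length threshold and search volume, the treatment of a saved EBP of 0 as the end of the chain, the little-endian host, and the stack contents (a WinExec frame returning into shellcode on the stack, one smashed frame, then intact application frames) are all assumptions; the page-protection tests and NO_COMPLETE_CALL_BEFORE are approximated by the module table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed 32-bit process image; every address, range and threshold is an assumption. */
#define STACK_BASE  0x0012F000u
#define STACK_BYTES 0x200u
#define FRAME_MAX   0x1000u   /* assumed "default threshold" for the stack frame length */
#define SEARCH_MAX  0x100u    /* assumed "default search volume" for chain reconstruction */
#define MAX_FRAMES  8
static uint8_t g_stack[STACK_BYTES];          /* little-endian host assumed for memcpy below */
struct module { const char *name; uint32_t lo, hi; int writable, executable; };
static const struct module g_mods[] = { { "app.exe", 0x00401000u, 0x00410000u, 0, 1 },
                                        { "kernel32.dll", 0x7C800000u, 0x7C900000u, 0, 1 } };
/* Stands in for disassembling backwards: addresses that directly follow a CALL. */
static const uint32_t g_after_call[] = { 0x00401234u, 0x0040158Au, 0x7C80123Au };
enum ebp_status { EBP_NORMAL, EBP_OUT_OF_STACK, EBP_NO_INCREASE };
enum ret_status { RET_NORMAL, RET_NOT_IN_LOADED_MODULES, RET_CAN_BE_WRITTEN, RET_NO_EXECUTE, RET_NO_CALL_BEFORE };
struct frame { uint32_t ebp, ret; enum ebp_status es; enum ret_status rs; int abnormal; };
static struct frame g_frames[MAX_FRAMES];
static int in_stack(uint32_t a) { return a >= STACK_BASE && a < STACK_BASE + STACK_BYTES; }
static int read_dword(uint32_t a, uint32_t *out) {       /* any alignment, bounds-checked */
    if (!in_stack(a) || !in_stack(a + 3)) return 0;
    memcpy(out, g_stack + (a - STACK_BASE), 4);
    return 1;
}
static void put_dword(uint32_t a, uint32_t v) { memcpy(g_stack + (a - STACK_BASE), &v, 4); }
static const struct module *find_module(uint32_t a) {
    for (size_t i = 0; i < sizeof g_mods / sizeof g_mods[0]; i++)
        if (a >= g_mods[i].lo && a < g_mods[i].hi) return &g_mods[i];
    return NULL;
}
static int after_call(uint32_t a) {
    for (size_t i = 0; i < sizeof g_after_call / sizeof g_after_call[0]; i++)
        if (g_after_call[i] == a) return 1;
    return 0;
}
/* IsEbpNormal: saved EBP inside the stack (hence readable here) and above the frame holding it. */
static enum ebp_status ebp_check(uint32_t frame, uint32_t saved_ebp) {
    if (!in_stack(saved_ebp)) return EBP_OUT_OF_STACK;
    if (saved_ebp <= frame) return EBP_NO_INCREASE;
    return EBP_NORMAL;
}
/* IsRetAddrNormal: inside a loaded, non-writable, executable module and directly after a CALL.
 * NO_COMPLETE_CALL_BEFORE needs a disassembler and is omitted. */
static enum ret_status ret_check(uint32_t ret) {
    const struct module *m = find_module(ret);
    if (!m) return RET_NOT_IN_LOADED_MODULES;
    if (m->writable) return RET_CAN_BE_WRITTEN;
    if (!m->executable) return RET_NO_EXECUTE;
    return after_call(ret) ? RET_NORMAL : RET_NO_CALL_BEFORE;
}
/* Reconstruction: from LastEBP + 0x0c (past the last normal frame's saved EBP, return address and
 * first DWORD) scan byte by byte for a normal return address preceded by a normal saved EBP. */
static uint32_t reconstruct(uint32_t last_ebp) {
    uint32_t start = last_ebp + 0x0c, d, e;
    for (uint32_t a = start; a < start + SEARCH_MAX && read_dword(a, &d); a++)
        if (ret_check(d) == RET_NORMAL && read_dword(a - 4, &e) && ebp_check(a - 4, e) == EBP_NORMAL)
            return a - 4;
    return 0;                                    /* search volume exhausted: reconstruction failed */
}
/* Walk the chain as in steps 300-309: length, then EBP, then return address. A saved EBP of 0
 * marks the end of the chain (assumption). Returns the number of frames examined. */
static int walk_chain(uint32_t ebp) {
    int n = 0;
    uint32_t last_ok = ebp, saved;               /* last_ok: base of the last frame whose EBP was normal */
    while (ebp && n < MAX_FRAMES) {
        struct frame *f = &g_frames[n++];
        memset(f, 0, sizeof *f);
        f->ebp = ebp;
        if (!read_dword(ebp, &saved) || !read_dword(ebp + 4, &f->ret)) { f->abnormal = 1; break; }
        if (in_stack(saved) && saved > ebp && saved - ebp > FRAME_MAX) { f->abnormal = 1; break; } /* first case */
        if (saved != 0 && (f->es = ebp_check(ebp, saved)) != EBP_NORMAL) {   /* second case */
            f->abnormal = 1;
            ebp = reconstruct(last_ok);          /* 0 => reconstruction failed and the walk exits */
            continue;
        }
        f->rs = ret_check(f->ret);               /* third case: flag the frame and move on */
        f->abnormal = (f->rs != RET_NORMAL);
        last_ok = ebp;
        ebp = saved;
    }
    return n;
}
/* Constructed stack: API frame returning into stack shellcode, a smashed frame, intact frames above. */
static void build_stack(void) {
    static const uint8_t sc[] = { 0xfc,0xe8,0x82,0,0,0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30 };
    memset(g_stack, 0, sizeof g_stack);
    put_dword(0x0012F010u, 0x0012F040u); put_dword(0x0012F014u, 0x0012F0C0u); /* API frame, ret -> stack */
    put_dword(0x0012F040u, 0x41414141u); put_dword(0x0012F044u, 0x41414141u); /* smashed frame */
    memcpy(g_stack + (0x0012F0C0u - STACK_BASE), sc, sizeof sc);             /* shellcode bytes */
    put_dword(0x0012F100u, 0x0012F140u); put_dword(0x0012F104u, 0x0040158Au); /* intact app frames */
    put_dword(0x0012F140u, 0x0012F180u); put_dword(0x0012F144u, 0x00401234u);
    put_dword(0x0012F180u, 0u);          put_dword(0x0012F184u, 0x7C80123Au); /* end of chain */
}
/* Build the image and walk from the API function's frame; results are left in g_frames. */
int analyze(void) { build_stack(); return walk_chain(0x0012F010u); }
int main(void) {                                 /* stand-alone run: print the screened chain */
    for (int i = 0, n = analyze(); i < n; i++)
        printf("frame %d ebp=%08x ret=%08x es=%d rs=%d %s\n", i, (unsigned)g_frames[i].ebp,
               (unsigned)g_frames[i].ret, (int)g_frames[i].es, (int)g_frames[i].rs, g_frames[i].abnormal ? "ABNORMAL" : "normal");
    return 0;
}
```

On the constructed image the walk flags the API frame (return address on the stack, NOT_IN_LOADED_MODULES), flags the smashed frame (saved EBP 0x41414141, OUT_OF_STACK), recovers the intact frame at 0x0012F100 by scanning upward from 0x0012F01C, and then reports the remaining frames as normal. The length check is only applied when the saved EBP lies inside the stack, so that a garbage EBP reaches the EBP discriminant and triggers reconstruction rather than an early exit; a real implementation would additionally query page protections for the read, write and execute tests that the module table approximates here.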
Based on the above embodiment, and as shown in Fig. 4, the shellcode detection device based on stack anomalies in the embodiment of the present invention specifically includes:
A generating unit 40, for generating a corresponding stack frame chain for each specified API function;
A detection unit 41, for detecting in turn each stack frame in each stack frame chain and screening out all abnormal stack frames, where, when detecting one stack frame, it is specifically used for:
Detecting whether the element indicators of the stack frame meet the preset conditions, and determining that the stack frame is abnormal when they do not; the element indicators include one or any combination of the stack frame length, the stack frame EBP address and the stack frame return address.
Preferably, the API functions include at least the following functions: Loadlibrary, CreatePorcessInternetW, CreatFile, GetProcAddress, WinExec, ShellExecute.
Preferably, when generating the corresponding stack frame chain for a specified API function, the generating unit 40 is specifically used for:
Determining all functions involved in the process of calling the API function, together with the call relationships and call order among them;
Generating a corresponding stack frame for each function according to its execution, and linking all generated stack frames according to those call relationships and call order to form the corresponding stack frame chain.
Preferably, the element indicators of the stack frame not meeting the preset conditions specifically includes one or any combination of the following:
The stack frame length is greater than the preset threshold;
The stack frame EBP address is in error; here the stack frame EBP address represents the position of the upper stack frame that called this stack frame;
The stack frame return address is in error; here the stack frame return address represents the code-area position of the next instruction to execute after the function call corresponding to this stack frame ends.
Preferably, the stack frame EBP address error specifically includes any one or any combination of the following:
The stack frame EBP address is not within the current stack's memory;
The stack frame EBP address does not increase in the expected order;
The stack frame EBP address is unreadable.
Preferably, the stack frame return address error specifically includes any one or any combination of the following:
The stack frame return address is unreadable;
The stack frame return address is not in a valid code area;
The instruction immediately before the stack frame return address is not a CALL instruction;
The CALL instruction immediately before the stack frame return address does not target a complete function;
The memory that the stack frame return address points to is writable;
The memory that the stack frame return address points to is not executable.
Preferably, when the element indicators of the stack frame are determined not to meet the preset conditions, the detection unit 41 is further used for performing the following operations:
If the stack frame length of the stack frame is determined to be greater than the preset threshold, at least report the stack frame as abnormal and exit the detection directly;
If the stack frame EBP address of the stack frame is determined to be in error, at least report the stack frame as abnormal, reconstruct the stack frame chain based on the previous normal stack frame of this frame and the next frame with a normal return address, and after the reconstruction is complete select that next normal frame and continue with the next round of detection;
If the stack frame return address of the stack frame is determined to be in error, at least report the stack frame as abnormal, and select the next stack frame of this frame to continue with the next round of detection.
Preferably, for any stack frame chain, after that chain has been screened, the device further includes:
A display unit 42, for generating a corresponding triple for that stack frame chain and displaying it; the triple characterises the abnormal or normal state of each stack frame in the chain.
Preferably, the device further includes:
A positioning unit 43, for carrying out shellcode location positioning separately for each screened abnormal stack frame, where, for any one screened abnormal stack frame, it is specifically used for:
Determining the function that the abnormal stack frame corresponds to, locating the code-area position of the instruction that called that function, and taking that code-area position as the located shellcode position.
In summary, in the embodiment of the present invention a corresponding stack frame chain is generated for each specified API function, each stack frame in each chain is detected in turn and all abnormal stack frames are screened out, where detecting one stack frame includes detecting whether its element indicators meet the preset conditions and determining the frame to be abnormal when they do not; the element indicators include one or any combination of the stack frame length, the stack frame EBP address and the stack frame return address. In this way only the stack frame chains corresponding to the specified API functions are detected, blind detection of all functions is avoided, and the system performance overhead is reduced; moreover, abnormal stack frames are screened out directly from the frame's element indicators, which improves detection performance and reduces the false alarm rate.
All screened abnormal stack frames are then used to locate the position of the shellcode. No shellcode signature database has to be built: unknown shellcode can be detected from the stack frame anomalies alone, which effectively improves detection performance. There is also no need to build a list of legitimate API sequences with stack frame information or to analyse function names, which reduces the performance cost; and when a stack frame is abnormal the chain is reconstructed, which solves the problem of a missing or destroyed stack frame EBP address.
Those skilled in the art will appreciate that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and variations to the embodiments of the invention without departing from the spirit and scope of the embodiments of the invention. If these changes and variations fall within the scope of the claims of the invention and their equivalent technologies, the invention is intended to include them as well.

Claims (18)

1. A shellcode detection method based on stack anomalies, characterised in that a corresponding stack frame chain is generated for each specified application programming interface (API) function, each stack frame in each stack frame chain is detected in turn, and all abnormal stack frames are screened out, wherein detecting one stack frame comprises:
detecting whether the element indicators of the stack frame meet preset conditions, and determining that the stack frame is abnormal when they do not; wherein the element indicators comprise one or any combination of the stack frame length, the stack frame extended base pointer register (EBP) address and the stack frame return address.
2. The method of claim 1, characterised in that the API functions comprise at least one or any combination of the following functions: Loadlibrary, CreatePorcessInternetW, CreatFile, GetProcAddress, WinExec, ShellExecute.
3. The method of claim 1, characterised in that generating the corresponding stack frame chain for a specified API function specifically comprises:
determining all functions involved in the process of calling the API function, and the call relationships and call order among those functions;
generating a corresponding stack frame for each function according to its execution, and linking all generated stack frames according to the call relationships and call order to form the corresponding stack frame chain.
4. The method of claim 1, characterised in that the element indicators of the stack frame not meeting the preset conditions specifically comprises one or any combination of the following:
the stack frame length is greater than a preset threshold;
the stack frame EBP address is in error, wherein the stack frame EBP address represents the position of the upper stack frame that called the stack frame;
the stack frame return address is in error, wherein the stack frame return address represents the code-area position of the next instruction to execute after the function call corresponding to the stack frame ends.
5. The method of claim 4, characterised in that the stack frame EBP address error specifically comprises any one or any combination of the following:
the stack frame EBP address is not within the current stack's memory;
the stack frame EBP address does not increase in the expected order;
the stack frame EBP address is unreadable.
6. The method of claim 4, characterised in that the stack frame return address error specifically comprises any one or any combination of the following:
the stack frame return address is unreadable;
the stack frame return address is not in a valid code area;
the instruction immediately before the stack frame return address is not a CALL instruction;
the CALL instruction immediately before the stack frame return address does not target a complete function;
the memory that the stack frame return address points to is writable;
the memory that the stack frame return address points to is not executable.
7. The method of any one of claims 4 to 6, characterised in that, when the element indicators of the stack frame are determined not to meet the preset conditions, the following operations are further performed:
if the stack frame length of the stack frame is determined to be greater than the preset threshold, at least reporting the stack frame as abnormal and exiting the detection directly;
if the stack frame EBP address of the stack frame is determined to be in error, at least reporting the stack frame as abnormal, reconstructing the stack frame chain based on the previous normal stack frame of the stack frame and the next frame with a normal return address, and after the reconstruction is complete selecting that next normal frame to continue with the next round of detection;
if the stack frame return address of the stack frame is determined to be in error, at least reporting the stack frame as abnormal, and selecting the next stack frame of the stack frame to continue with the next round of detection.
8. The method of any one of claims 1 to 7, characterised in that, for any stack frame chain, after that stack frame chain has been screened, the method further comprises:
generating a corresponding triple for that stack frame chain and displaying it; the triple characterises the abnormal or normal state of each stack frame in that stack frame chain.
9. The method of any one of claims 1 to 7, characterised in that it further comprises:
carrying out shellcode location positioning separately for each screened abnormal stack frame, wherein, for any one screened abnormal stack frame, this specifically comprises:
determining the function that the abnormal stack frame corresponds to, locating the code-area position of the instruction that called that function, and taking that code-area position as the located shellcode position.
10. A shellcode detection device based on stack anomalies, characterised in that it comprises:
a generating unit, for generating a corresponding stack frame chain for each specified application programming interface (API) function;
a detection unit, for detecting in turn each stack frame in each stack frame chain and screening out all abnormal stack frames, wherein, when detecting one stack frame, it is specifically used for:
detecting whether the element indicators of the stack frame meet preset conditions, and determining that the stack frame is abnormal when they do not; wherein the element indicators comprise one or any combination of the stack frame length, the stack frame extended base pointer register (EBP) address and the stack frame return address.
11. The device of claim 10, characterised in that the API functions comprise at least one or any combination of the following functions: Loadlibrary, CreatePorcessInternetW, CreatFile, GetProcAddress, WinExec, ShellExecute.
12. The device of claim 10, characterised in that, when generating the corresponding stack frame chain for a specified API function, the generating unit is specifically used for:
determining all functions involved in the process of calling the API function, and the call relationships and call order among those functions;
generating a corresponding stack frame for each function according to its execution, and linking all generated stack frames according to the call relationships and call order to form the corresponding stack frame chain.
13. The device of claim 10, characterised in that the element indicators of the stack frame not meeting the preset conditions specifically comprises one or any combination of the following:
the stack frame length is greater than a preset threshold;
the stack frame EBP address is in error, wherein the stack frame EBP address represents the position of the upper stack frame that called the stack frame;
the stack frame return address is in error, wherein the stack frame return address represents the code-area position of the next instruction to execute after the function call corresponding to the stack frame ends.
14. The device of claim 13, characterised in that the stack frame EBP address error specifically comprises any one or any combination of the following:
the stack frame EBP address is not within the current stack's memory;
the stack frame EBP address does not increase in the expected order;
the stack frame EBP address is unreadable.
15. The device of claim 13, characterised in that the stack frame return address error specifically comprises any one or any combination of the following:
the stack frame return address is unreadable;
the stack frame return address is not in a valid code area;
the instruction immediately before the stack frame return address is not a CALL instruction;
the CALL instruction immediately before the stack frame return address does not target a complete function;
the memory that the stack frame return address points to is writable;
the memory that the stack frame return address points to is not executable.
16. The device of any one of claims 13 to 15, characterised in that, when the element indicators of the stack frame are determined not to meet the preset conditions, the detection unit is further used for performing the following operations:
if the stack frame length of the stack frame is determined to be greater than the preset threshold, at least reporting the stack frame as abnormal and exiting the detection directly;
if the stack frame EBP address of the stack frame is determined to be in error, at least reporting the stack frame as abnormal, reconstructing the stack frame chain based on the previous normal stack frame of the stack frame and the next frame with a normal return address, and after the reconstruction is complete selecting that next normal frame to continue with the next round of detection;
if the stack frame return address of the stack frame is determined to be in error, at least reporting the stack frame as abnormal, and selecting the next stack frame of the stack frame to continue with the next round of detection.
17. The device of any one of claims 10 to 16, characterised in that, for any stack frame chain, after that stack frame chain has been screened, it further comprises:
a display unit, for generating a corresponding triple for that stack frame chain and displaying it; the triple characterises the abnormal or normal state of each stack frame in that stack frame chain.
18. The device of any one of claims 10 to 16, characterised in that it further comprises:
a positioning unit, for carrying out shellcode location positioning separately for each screened abnormal stack frame, wherein, for any one screened abnormal stack frame, it is specifically used for:
determining the function that the abnormal stack frame corresponds to, locating the code-area position of the instruction that called that function, and taking that code-area position as the located shellcode position.
Application CN201511020089.9A, filed 2015-12-29 (priority date 2015-12-29): Method and apparatus for detecting Shellcode based on stack frame abnormity; legal status pending.
Publication CN105678168A, published 2016-06-15.

Patent Citations (3)

CN1818822A (priority 2005-02-07, published 2006-08-16), 福建东方微点信息安全有限责任公司: Buffer field overflow attack detection (cited by examiner)
CN101211309A (priority 2006-12-29, published 2008-07-02), ZTE Corporation (中兴通讯股份有限公司): Method for tracking and locating process exceptions in embedded systems (cited by examiner)
CN101539883A (priority 2009-05-05, published 2009-09-23), Beijing HollySys System Engineering Co., Ltd. (北京和利时系统工程有限公司): Error tracking method of embedded system and device thereof (cited by examiner)

Non-Patent Citations (1)

Liang Yu et al., "S-Tracker: a shellcode detection method based on stack anomalies" (S-Tracker:基于栈异常的shellcode检测方法), Journal of Huazhong University of Science and Technology (Natural Science Edition) (华中科技大学学报(自然科学版)) (cited by examiner)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106203076A (en) * 2016-06-24 2016-12-07 武汉绿色网络信息服务有限责任公司 Method for judging malicious files by using EBP
CN106203076B (en) * 2016-06-24 2020-03-17 武汉绿色网络信息服务有限责任公司 Method for judging malicious files by using EBP
CN106802785A (en) * 2016-12-13 2017-06-06 北京华为数字技术有限公司 Stack analysis method and device
CN106802785B (en) * 2016-12-13 2019-07-09 北京华为数字技术有限公司 Stack analysis method and device
CN108664250A (en) * 2018-03-27 2018-10-16 北京奇艺世纪科技有限公司 Code processing method and device
CN108664250B (en) * 2018-03-27 2022-02-01 北京奇艺世纪科技有限公司 Code processing method and device
CN109711172A (en) * 2018-06-26 2019-05-03 360企业安全技术(珠海)有限公司 Data prevention method and device
CN109829307A (en) * 2018-06-26 2019-05-31 360企业安全技术(珠海)有限公司 Process behavior recognition method and device
CN112395600A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 False alarm removing method, device and equipment for malicious behaviors
CN112395617A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Method and device for protecting docker escape vulnerability, storage medium and computer equipment
CN112395600B (en) * 2019-08-15 2023-08-01 奇安信安全技术(珠海)有限公司 False alarm removal method, device and equipment for malicious behaviors
CN111177727A (en) * 2019-09-23 2020-05-19 腾讯科技(深圳)有限公司 Vulnerability detection method and device

Similar Documents

Publication Publication Date Title
CN105678168A (en) Method and apparatus for detecting Shellcode based on stack frame abnormity
US8117660B2 (en) Secure control flows by monitoring control transfers
CN105630463B (en) Method and device for detecting JAR package conflicts
US20050108562A1 (en) Technique for detecting executable malicious code using a combination of static and dynamic analyses
CN109271789B (en) Malicious process detection method and device, electronic equipment and storage medium
CN109101815B (en) Malicious software detection method and related equipment
CN111832026B (en) Vulnerability utilization positioning method, system, device and medium
CN109388946B (en) Malicious process detection method and device, electronic equipment and storage medium
CN112527674B (en) AI framework security evaluation method, device, equipment and storage medium
Liao et al. Smartdagger: a bytecode-based static analysis approach for detecting cross-contract vulnerability
KR20180010053A (en) Extraction system and method of risk code for vulnerability analysis
WO2023035751A1 (en) Intelligent obfuscation for mobile terminal applications
CN113312618A (en) Program vulnerability detection method and device, electronic equipment and medium
US11868465B2 (en) Binary image stack cookie protection
CN105765531A (en) Generic unpacking of program binaries
CN110414218B (en) Kernel detection method and device, electronic equipment and storage medium
CN112632547A (en) Data processing method and related device
CN114328168A (en) Anomaly detection method and device, computer equipment and storage medium
KR100876637B1 (en) Apparatus and method for detecting software attacks on Linux
CN113805861B (en) Code generation method based on machine learning, code editing system and storage medium
CN106709359A (en) Detection method of Android application vulnerabilities
KR101306656B1 (en) Apparatus and method for providing dynamic analysis information of malignant code
KR20190060355A (en) Model verification method through model change analysis and model verification apparatus using the same
CN114356441B (en) Plug-in preloading method and device, electronic equipment and storage medium
CN107895115A (en) Method and device for preventing stack overflow and terminal equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160615