CN106228067A - Malicious code dynamic testing method and device - Google Patents

Info

Publication number: CN106228067A
Authority: CN (China)
Prior art keywords: event, file, performs, perform, execution
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN201610555960.3A
Other languages: Chinese (zh)
Inventors: 傅涛, 薛敏, 孙文静, 俞正兵
Current and original assignee: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Abstract

Embodiments of the present invention provide a malicious code dynamic detection method and device, relating to the field of computer security technology and used to solve problems such as the slow speed and low efficiency of existing malicious code detection. The main technical scheme of the present invention is: when a file execution event is detected in the real environment, judge whether the file execution event is suspicious according to a preset alarm library, the preset alarm library storing characteristic information of the execution of various suspicious files; if suspicious, intercept execution of the file execution event in the real environment and copy the file execution event into a virtual environment for execution, the virtual environment storing the files and directories of the real environment; and judge whether the file execution event is malicious code according to the execution result of the file execution event in the virtual environment and a preset malicious execution result library. The present invention is used for detecting malicious code.

Description

Malicious code dynamic testing method and device
Technical field
Embodiments of the present invention relate to the field of computer security technology, and in particular to a malicious code dynamic detection method and device.
Background technology
With the increasing popularity of computer applications, the number of malicious programs, including viruses and Trojan horses, is also growing rapidly. A malicious program generally refers to a piece of program written with attack intent and used to steal information such as user files, private data and account details. Malicious programs can invade a user's computer through many transmission routes, most commonly portable removable media such as flash drives and CDs; and with the wide application of computer networking technology, the Internet is increasingly becoming one of the main paths by which malicious programs spread. Hackers or malicious program distributors disguise malicious program files such as Trojan horses as other types of files and lure users into clicking and downloading them; once a malicious program has been downloaded to the user's computer and successfully run, the hacker or distributor can use it to carry out malicious acts such as damaging the user's computer and stealing the user's personal information.
Exploiting vulnerabilities in the operating system and application software is one of the main means by which malicious programs are successfully implanted and run on a user's computer. A vulnerability refers to a defect in the logical design of operating system software or application software, or an error produced when it was written. These defects or errors are often exploited by hackers to implant malicious programs such as Trojan horses, to infringe upon, control or even destroy the software and hardware systems of the user's computer, or to steal the user's confidential information and data.
At present, existing research focuses mostly on intrusion detection and very little on intrusion early warning, and systems that achieve early warning on the basis of security situation awareness are very few. Moreover, intrusion detection performs feature analysis manually, instruction by instruction, on suspicious code in order to detect whether it is malicious code, which has the technical problems of slow speed and low efficiency.
Summary of the invention
Embodiments of the present invention provide a malicious code dynamic detection method and device, in order to solve problems such as the slow speed and low efficiency of malicious code detection in the prior art.
To address the problems of the prior art, an embodiment of the present invention provides a malicious code dynamic detection method, including:
when a file execution event is detected in the real environment, judging whether the file execution event is suspicious according to a preset alarm library, the preset alarm library storing characteristic information of the execution of various suspicious files;
if suspicious, intercepting execution of the file execution event in the real environment, and copying the file execution event into a virtual environment for execution, the virtual environment storing the files and directories of the real environment;
judging whether the file execution event is malicious code according to the execution result of the file execution event in the virtual environment and a preset malicious execution result library, the preset malicious execution result library storing the execution results of various malicious codes.
Specifically, judging whether the file execution event is malicious code according to the execution result of the file execution event in the virtual environment and the preset malicious execution result library includes:
judging whether a registry access operation exists during execution of the file execution event in the virtual environment;
if not, recording the registry access operations of the file execution event in the virtual environment;
if so, judging whether the registry access operation of the file execution event belongs to the malicious registry operations in the preset malicious execution result library;
if the registry access operation of the file execution event belongs to the malicious registry operations, determining that the file execution event is malicious code.
Specifically, judging whether the file execution event is malicious code according to the execution result of the file execution event in the virtual environment and the preset malicious execution result library includes:
judging whether the process operations of the file execution event in the virtual environment belong to the malicious process operations in the preset malicious execution result library;
if the process operations of the file execution event belong to the malicious process operations in the preset malicious execution result library, determining that the file execution event is malicious code.
Specifically, judging whether the file execution event is malicious code according to the execution result of the file execution event in the virtual environment and the preset malicious execution result library includes:
judging whether the network operations of the file execution event in the virtual environment belong to the malicious network operations in the preset malicious execution result library;
judging whether the service operations of the file execution event in the virtual environment belong to the malicious service operations in the preset malicious execution result library;
if the network operations of the file execution event belong to the malicious network operations in the preset malicious execution result library, or the service operations of the file execution event belong to the malicious service operations in the preset malicious execution result library, determining that the file execution event is malicious code.
Further, after judging whether the file execution event is malicious code according to the execution result of the file execution event in the virtual environment and the preset malicious execution result library, the method also includes:
if the file execution event is not malicious code, restoring execution of the file execution event in the real environment.
An embodiment of the present invention provides a malicious code dynamic detection device, including:
a judging unit, configured to, when a file execution event is detected in the real environment, judge whether the file execution event is suspicious according to a preset alarm library, the preset alarm library storing characteristic information of the execution of various suspicious files;
an execution unit, configured to, if the file execution event is suspicious, intercept execution of the file execution event in the real environment and copy the file execution event into a virtual environment for execution, the virtual environment storing the files and directories of the real environment;
the judging unit being further configured to judge whether the file execution event is malicious code according to the execution result of the file execution event in the virtual environment and a preset malicious execution result library, the preset malicious execution result library storing the execution results of various malicious codes.
Specifically, the judging unit includes:
a judging module, configured to judge whether a registry access operation exists during execution of the file execution event in the virtual environment;
a recording module, configured to, if no registry access operation exists, record the registry access operations of the file execution event in the virtual environment;
the judging module being further configured to, if a registry access operation exists, judge whether the registry access operation of the file execution event belongs to the malicious registry operations in the preset malicious execution result library;
a determination module, configured to, if the registry access operation of the file execution event belongs to the malicious registry operations, determine that the file execution event is malicious code.
The judging module is further configured to judge whether the process operations of the file execution event in the virtual environment belong to the malicious process operations in the preset malicious execution result library;
the determination module is further configured to, if the process operations of the file execution event belong to the malicious process operations in the preset malicious execution result library, determine that the file execution event is malicious code.
The judging module is further configured to judge whether the network operations of the file execution event in the virtual environment belong to the malicious network operations in the preset malicious execution result library;
the judging module is further configured to judge whether the service operations of the file execution event in the virtual environment belong to the malicious service operations in the preset malicious execution result library;
the determination module is further configured to, if the network operations of the file execution event belong to the malicious network operations in the preset malicious execution result library, or the service operations of the file execution event belong to the malicious service operations in the preset malicious execution result library, determine that the file execution event is malicious code.
Further, the device also includes:
a restoring unit, configured to, if the file execution event is not malicious code, restore execution of the file execution event in the real environment.
In the malicious code dynamic detection method and device provided by embodiments of the present invention, when a file execution event is detected in the real environment, whether the file execution event is suspicious is judged according to the preset alarm library; if suspicious, execution of the file execution event in the real environment is intercepted and the file execution event is copied into the virtual environment for execution; afterwards, whether the file execution event is malicious code is judged according to its execution result in the virtual environment and the preset malicious execution result library. Unlike traditional malicious code detection, the embodiments of the present invention do not collect detection data from every network link. Instead they use virtual execution technology to design a specific virtual environment, direct suspicious file execution events into that virtual environment, which is isolated from the real environment, for execution, and identify and detect malicious code by recording, analyzing and comparing the changes in the state characteristics of five key modules of the host, namely files, registry, processes, services and network, before and after the network application is executed in the virtual environment. The embodiments of the present invention thereby greatly reduce the probability that a host in the real environment is intruded upon or that its information is leaked.
Accompanying drawing explanation
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art may also obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of a malicious code dynamic detection method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another malicious code dynamic detection method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a malicious code dynamic detection device provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of another malicious code dynamic detection device provided by an embodiment of the present invention.
Detailed description of the invention
In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the present invention.
An embodiment of the present invention provides a malicious code dynamic detection method; as shown in Fig. 1, the method includes:
101. When a file execution event is detected in the real environment, judge whether the file execution event is suspicious according to the preset alarm library.
The preset alarm library stores characteristic information of the execution of various suspicious files. When the file probe in the real environment detects a file execution event, it first judges whether the file execution event is suspicious based on the characteristic information of the execution of various suspicious files in the preset alarm library.
102. If suspicious, intercept execution of the file execution event in the real environment and copy the file execution event into the virtual environment for execution.
The virtual environment stores the files and directories of the real environment. If the event is a suspicious file execution event, the file is intercepted and the file execution event is copied into the virtual environment, where it is then executed under controlled conditions. If it is not a suspicious file execution event, that is, it does not hit the preset alarm library, the file is allowed to execute in the real environment, and the change characteristics of the file system after the execution operation are recorded at the same time as a basis for in-depth analysis.
In an embodiment of the present invention, after a suspicious file execution event has been directed into the virtual environment, the execution of the file is monitored to judge whether the file is, or carries, a malicious program. If so, alarm information is output and added to the alarm library; if not, the interception is cancelled and execution of the file execution event in the real environment is restored.
103. Judge whether the file execution event is malicious code according to its execution result in the virtual environment and the preset malicious execution result library.
The preset malicious execution result library stores the execution results of various malicious codes. It should be noted that, since the various operations of malicious code are ultimately all completed by calling kernel-level API functions, intercepting and controlling the file management APIs in Windows by means of API hooking is sufficient to obtain information about the operations of malicious code on files. These intercepted API functions are called whenever a program reads, writes or creates a file: if a program is to create a file, it calls the ZwCreateFile function; similarly, when reading the content of a file it calls the ZwReadFile function, and when writing a file it calls the ZwWriteFile function. Once an intercepted API function is found to have been called, the system uses redirection technology to redirect the files and directories of the real environment into the virtual environment; that is, the files and directories modified by the program in the virtual environment are copies of the originals, which guarantees the safety of the file system in the real environment.
An embodiment of the present invention provides another malicious code dynamic detection method; as shown in Fig. 2, the method includes:
201. When a file execution event is detected in the real environment, judge whether the file execution event is suspicious according to the preset alarm library.
The preset alarm library stores characteristic information of the execution of various suspicious files.
202. If suspicious, intercept execution of the file execution event in the real environment and copy the file execution event into the virtual environment for execution.
The virtual environment stores the files and directories of the real environment. Step 202 includes: judging whether a registry access operation exists during execution of the file execution event in the virtual environment; if not, recording the registry access operations of the file execution event in the virtual environment; if so, judging whether the registry access operation of the file execution event belongs to the malicious registry operations in the preset malicious execution result library; and if the registry access operation of the file execution event belongs to the malicious registry operations, determining that the file execution event is malicious code.
It should be noted that the registry is the database that records all application program information and driver information, and it is the core of the operating system. System startup, the running of application programs and the loading of hardware drivers are all controlled by the registry, so whether a file execution event is malicious code can be determined from its registry access operations. In an embodiment of the present invention, it is first necessary to judge whether a registry access operation exists during execution of the file execution event in the virtual environment. If there is no registry access operation, an operation record should be written in real time to provide a basis for subsequent analysis. If there is, it should then be judged whether the registry access operation belongs to the malicious registry operations in the preset malicious execution result library, that is, whether registry information is maliciously modified, deleted or created while the copy of the file executes, with particular attention to the registry entries that affect system startup. If it belongs to the malicious registry operations, the file execution event is determined to be malicious code; if it does not, the operation record is output to provide material for any manual review that may be carried out later.
Windows provides a set of management APIs for the registry, and malicious programs generally obtain system information and modify, add or delete entries or key values through the registry access API functions provided by the system. Any program that wants to open, create or delete a registry entry, or set its value, must do so through the kernel-level functions RegOpenKey, RegCreateKey, RegDeleteKey and RegSetValue. Therefore, when a program performs a registry modification operation, it should first be checked whether the registry entry exists in the virtual environment; if it does, the entry is opened directly in the virtual environment and returned. Otherwise it is checked whether the entry exists in the real environment, and if it exists in the real system, the redirection technology of the virtual environment is used to redirect the entry from the real system into the virtual environment before the operation is executed.
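The redirection described for the intercepted file APIs (ZwCreateFile, ZwReadFile, ZwWriteFile) in step 103 and for the registry APIs (RegOpenKey, RegCreateKey, RegDeleteKey, RegSetValue) above follows the same lookup order: virtual environment first, then the real system, copying the real object into the virtual environment before the program may touch it. The following is an added illustration, not code from the patent or its assignee; it models both environments as plain dictionaries and performs no actual Windows hooking, and the method names are assumed stand-ins for the hooked API functions.

```python
"""Added example, not the patent's code: a copy-on-access model of the virtual
environment's redirection for files and registry entries. Both environments
are plain dicts; no Windows hooking is performed."""


class VirtualEnvironment:
    """Holds copies of real files and registry entries made on first access, so
    the program under test only ever modifies copies, never the real objects."""

    def __init__(self, real_files, real_registry):
        self._real_files = real_files          # real environment, never written
        self._real_registry = real_registry
        self.files = {}                        # path -> bytes (copies)
        self.registry = {}                     # key -> {name: value} or None (deleted)
        self.log = []                          # operation record for later analysis

    # -- file management APIs (stand-ins for the hooked Zw* functions) ---------
    def _redirect_file(self, path):
        """Copy the real file into the virtual environment on first access."""
        if path not in self.files and path in self._real_files:
            self.files[path] = self._real_files[path]
            self.log.append(("redirect_file", path))

    def zw_create_file(self, path, data=b""):
        self._redirect_file(path)
        self.files.setdefault(path, data)      # creating an existing file keeps the copy
        self.log.append(("ZwCreateFile", path))
        return path

    def zw_read_file(self, path):
        self._redirect_file(path)
        self.log.append(("ZwReadFile", path))
        if path not in self.files:
            raise FileNotFoundError(path)
        return self.files[path]

    def zw_write_file(self, path, data):
        self._redirect_file(path)
        self.files[path] = data                # the write lands on the copy only
        self.log.append(("ZwWriteFile", path))

    # -- registry management APIs (stand-ins for the hooked Reg* functions) ----
    def _redirect_key(self, key):
        """Lookup order from the description: virtual environment first, then the
        real system; a real entry is copied in before use. Returns True when the
        key is available in the virtual environment afterwards."""
        if key in self.registry:
            return self.registry[key] is not None
        if key in self._real_registry:
            self.registry[key] = dict(self._real_registry[key])
            self.log.append(("redirect_key", key))
            return True
        return False

    def reg_open_key(self, key):
        self.log.append(("RegOpenKey", key))
        return self._redirect_key(key)

    def reg_create_key(self, key):
        self.log.append(("RegCreateKey", key))
        if not self._redirect_key(key):
            self.registry[key] = {}

    def reg_set_value(self, key, name, value):
        if not self._redirect_key(key):
            self.registry[key] = {}
        self.registry[key][name] = value       # modifies the copy, not the real key
        self.log.append(("RegSetValue", key, name))

    def reg_delete_key(self, key):
        self.log.append(("RegDeleteKey", key))
        self._redirect_key(key)
        self.registry[key] = None              # the copy is marked deleted


def run_sample():
    """Constructed real environment plus a scripted sequence of intercepted calls.
    Returns (real_files, real_registry, venv) so the two sides can be compared."""
    run_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    real_files = {"C:\\Windows\\hosts": b"127.0.0.1 localhost\n"}
    real_registry = {run_key: {"Updater": "C:\\Program Files\\Updater\\u.exe"}}
    venv = VirtualEnvironment(real_files, real_registry)

    venv.zw_write_file("C:\\Windows\\hosts", b"127.0.0.1 localhost\n# modified copy\n")
    venv.reg_set_value(run_key, "Loader", "C:\\Users\\Public\\sample.scr")
    venv.reg_create_key("HKCU\\Software\\ConstructedVendor")
    venv.reg_delete_key("HKLM\\SYSTEM\\CurrentControlSet\\Services\\ConstructedSvc")
    return real_files, real_registry, venv
```

The operation log collected by the model is the "operation record" the description keeps for later analysis, and the difference between `real_registry` and `venv.registry` is the state change compared in step 203.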
In an embodiment of the present invention, step 202 includes: judging whether the process operations of the file execution event in the virtual environment belong to the malicious process operations in the preset malicious execution result library; if they do, determining that the file execution event is malicious code. In the virtual environment, the process operations of the file execution event are monitored mainly in four aspects: injection operations, where monitoring mainly covers suspicious operations such as writing to process memory and creating remote threads; module loading, where monitoring mainly covers module loading and driver loading from non-system directories; memory attribute modification, where monitoring mainly covers memory attributes being changed to executable; and kernel object creation, where some malicious code can be identified through the kernel objects it creates. The malicious process operations in the preset malicious execution result library serve the same role as its malicious registry operations: they store the characteristics of the various effects that malicious code may have on processes when it executes.
In an embodiment of the present invention, step 202 also includes: judging whether the network operations of the file execution event in the virtual environment belong to the malicious network operations in the preset malicious execution result library; judging whether the service operations of the file execution event in the virtual environment belong to the malicious service operations in the preset malicious execution result library; and if the network operations of the file execution event belong to the malicious network operations in the preset malicious execution result library, or the service operations of the file execution event belong to the malicious service operations in the preset malicious execution result library, determining that the file execution event is malicious code.
Malicious code often uses the system services of Windows to achieve self-starting and to obtain higher privileges. Since a network application that creates a new service has a higher probability of malicious behaviour, the monitoring of service processes is particularly important. The design of the service strategy mainly includes two aspects: recording information about the services a program creates, and tracking service execution. While services in the virtual environment are being tracked, as soon as an illegal operation is found the network application is prevented from creating the new service in the real environment, which ensures that detection and analysis of the program to be detected are completed while it runs "normally", without causing any damage to the local real environment.
Attackers often use watering-hole attacks while users browse web pages, luring a user into visiting a web link into which malicious code has been inserted, or into opening a specific e-mail attachment. The web link or attachment usually presents hot news or other content the person is interested in; once the user visits the link or opens the attachment, the subsequent vulnerability exploitation process is triggered. For this type of situation, the embodiments of the present invention use a network probe to capture the network data traffic in real time and analyze the captured network packets in real time against the existing feature library. When suspicious network traffic is found, virtual execution technology is used to redirect the network connection program into the virtual environment for execution, and the alarm information is finally stored in the feature library.
203. Judge whether the file execution event is malicious code according to its execution result in the virtual environment and the preset malicious execution result library.
204. If the file execution event is not malicious code, restore execution of the file execution event in the real environment.
In the malicious code dynamic detection method provided by this embodiment of the present invention, when a file execution event is detected in the real environment, whether the file execution event is suspicious is judged according to the preset alarm library; if suspicious, execution of the file execution event in the real environment is intercepted and the file execution event is copied into the virtual environment for execution; finally, whether the file execution event is malicious code is judged according to its execution result in the virtual environment and the preset malicious execution result library. Unlike traditional malicious code detection, the embodiment of the present invention does not collect detection data from every network link. Instead it uses virtual execution technology to design a specific virtual environment, directs suspicious file execution events into that virtual environment, which is isolated from the real environment, for execution, and identifies and detects malicious code by recording, analyzing and comparing the changes in the state characteristics of five key modules of the host, namely files, registry, processes, services and network, before and after the network application is executed in the virtual environment. The embodiment of the present invention thereby greatly reduces the probability that a host in the real environment is intruded upon or that its information is leaked.
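Steps 201 to 204 (and steps 101 to 103 of Fig. 1) form one decision flow: alarm-library match, interception and copy into the virtual environment, comparison of the observed registry, process, network and service operations with the malicious execution result library, and either a malicious verdict or restoration in the real environment. The block below is an added model of that flow, not code from the patent or its assignee; the library contents, file paths and the 203.0.113.0/24 endpoint are constructed sample values, and the `run_in_virtual_env` callable stands in for the isolated virtual environment.

```python
"""Added example, not the patent's code: a pure-Python model of the decision flow
of steps 201-204, with constructed libraries and constructed events."""
from dataclasses import dataclass, field

# Preset alarm library: characteristic information of suspicious file execution.
# Values are constructed for this example.
ALARM_LIBRARY = {
    "path_prefixes": ("c:\\users\\public\\", "c:\\windows\\temp\\"),
    "extensions": (".scr", ".pif"),
}

# Preset malicious execution result library, one set per key module named in the
# description. Registry entries are (operation, key prefix); network entries are
# (operation, endpoint). All values are constructed; 203.0.113.0/24 is a
# documentation address range.
MALICIOUS_RESULTS = {
    "registry": {
        ("set", "hklm\\software\\microsoft\\windows\\currentversion\\run"),
        ("delete", "hklm\\system\\currentcontrolset\\services"),
    },
    "process": {"write_process_memory", "create_remote_thread",
                "load_module_outside_system_dir", "set_memory_executable"},
    "network": {("connect", "203.0.113.5:8080")},
    "service": {"create_service"},
}


@dataclass
class FileExecutionEvent:
    path: str


@dataclass
class VirtualExecutionResult:
    """Operations recorded while the copied event ran in the virtual environment."""
    registry_ops: list = field(default_factory=list)  # (operation, key)
    process_ops: list = field(default_factory=list)   # operation
    network_ops: list = field(default_factory=list)   # (operation, endpoint)
    service_ops: list = field(default_factory=list)   # operation


def is_suspicious(event):
    """Step 201: match the file execution event against the preset alarm library."""
    path = event.path.lower()
    return (path.startswith(ALARM_LIBRARY["path_prefixes"])
            or path.endswith(ALARM_LIBRARY["extensions"]))


def registry_op_is_malicious(op, key):
    """A registry operation hits the library when the operation matches and the
    key lies under a listed prefix (startup-affecting entries in this sample)."""
    key = key.lower()
    return any(op == m_op and key.startswith(m_key)
               for m_op, m_key in MALICIOUS_RESULTS["registry"])


def judge(result):
    """Step 203: compare the virtual execution result with the malicious
    execution result library. Returns (is_malicious, reasons, record)."""
    reasons, record = [], []
    if not result.registry_ops:
        record.append("no registry access")   # kept as an operation record
    else:
        reasons += [f"registry:{op}:{key}" for op, key in result.registry_ops
                    if registry_op_is_malicious(op, key)]
    reasons += [f"process:{op}" for op in result.process_ops
                if op in MALICIOUS_RESULTS["process"]]
    reasons += [f"network:{op}:{ep}" for op, ep in result.network_ops
                if (op, ep) in MALICIOUS_RESULTS["network"]]
    reasons += [f"service:{op}" for op in result.service_ops
                if op in MALICIOUS_RESULTS["service"]]
    return bool(reasons), reasons, record


def detect(event, run_in_virtual_env):
    """Steps 201-204. run_in_virtual_env(event) stands in for the isolated
    virtual environment and returns a VirtualExecutionResult for the copy."""
    if not is_suspicious(event):
        return "executed_in_real_environment"      # alarm library not hit
    result = run_in_virtual_env(event)             # step 202: intercept and copy
    malicious, reasons, _ = judge(result)          # step 203
    if malicious:
        return "malicious_code:" + ",".join(reasons)
    return "restored_in_real_environment"          # step 204


def demo():
    """Three constructed events run through the flow; returns path -> verdict."""
    run_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\x"
    observed = {
        "c:\\users\\public\\invoice.scr": VirtualExecutionResult(
            registry_ops=[("set", run_key)], process_ops=["create_remote_thread"]),
        "c:\\windows\\temp\\setup.exe": VirtualExecutionResult(
            registry_ops=[("open", "HKCU\\Software\\Vendor")],
            network_ops=[("connect", "203.0.113.9:443")]),
    }
    sandbox = lambda ev: observed[ev.path.lower()]
    paths = ["C:\\Program Files\\Editor\\editor.exe",
             "C:\\Users\\Public\\invoice.scr",
             "C:\\Windows\\Temp\\setup.exe"]
    return {p: detect(FileExecutionEvent(p), sandbox) for p in paths}
```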
Further, as implementing of method described in Fig. 1, embodiments provide a kind of malicious code dynamic Detection device, as it is shown on figure 3, described device includes: judging unit 31, performance element 32.
Judging unit 31, for when detecting that in true environment file performs event, judging according to preset alarm storehouse It is the most suspicious that described file performs event, stores the characteristic information having various apocrypha to perform in described preset alarm storehouse;
Performance element 32, if it is suspicious to perform event for described file, then intercepts described file and performs event at described true ring Execution in border, and copy to virtual environment performs by described file execution event, in described virtual environment, storage has true File in environment, catalogue;
Described judging unit 31, is additionally operable to perform event execution result in described virtual environment and preset according to described file Malice performs results repository and judges that described file performs whether event is malicious code, and described preset malice performs to store in results repository There is the execution result of various malicious code.
It should be noted that each function list involved by a kind of malicious code device for dynamically detecting of embodiment of the present invention offer Other of unit describe accordingly, the corresponding description being referred in Fig. 1, do not repeat them here.The embodiment of the present invention can be passed through Hardware processor (hardware processor) realizes related function module.
Further, as an implementation of the method described in Fig. 2, an embodiment of the present invention provides another malicious code dynamic detection device. As shown in Fig. 4, the device includes a judging unit 41 and an execution unit 42.
The judging unit 41 is configured to, when a file execution event is detected in the real environment, judge according to a preset alarm library whether the file execution event is suspicious; the preset alarm library stores characteristic information of the execution of various suspicious files.
The execution unit 42 is configured to, if the file execution event is suspicious, intercept the execution of the file execution event in the real environment and copy the file execution event into a virtual environment for execution; the virtual environment stores the files and directories of the real environment.
The judging unit 41 is further configured to judge, according to the execution result of the file execution event in the virtual environment and a preset malicious execution results repository, whether the file execution event is malicious code; the preset malicious execution results repository stores the execution results of various malicious codes.
In the embodiment of the present invention, the judging unit 41 includes:
a judging module 411, configured to judge whether a registry access operation exists during the execution of the file execution event in the virtual environment;
a recording module 412, configured to, if no registry access operation exists, record the registry access operations of the file execution event in the virtual environment;
the judging module 411 is further configured to, if a registry access operation exists, judge whether the registry access operation of the file execution event belongs to the malicious registry operations in the preset malicious execution results repository;
a determining module 413, configured to, if the registry access operation of the file execution event belongs to the malicious registry operations, determine the file execution event to be malicious code.
The judging module 411 is further configured to judge whether the process operation of the file execution event in the virtual environment belongs to the malicious process operations in the preset malicious execution results repository;
the determining module 413 is further configured to, if the process operation of the file execution event belongs to the malicious process operations in the preset malicious execution results repository, determine the file execution event to be malicious code.
The judging module 411 is further configured to judge whether the network operation of the file execution event in the virtual environment belongs to the malicious network operations in the preset malicious execution results repository;
the judging module 411 is further configured to judge whether the service operation of the file execution event in the virtual environment belongs to the malicious service operations in the preset malicious execution results repository;
the determining module 413 is further configured to, if the network operation of the file execution event belongs to the malicious network operations in the preset malicious execution results repository, or the service operation of the file execution event belongs to the malicious service operations in the preset malicious execution results repository, determine the file execution event to be malicious code.
Further, the device also includes:
a recovery unit 43, configured to, if the file execution event is not malicious code, restore the execution of the file execution event in the real environment.
It should be noted that for the other corresponding descriptions of the functional units involved in the other malicious code dynamic detection device provided by the embodiment of the present invention, reference may be made to the corresponding description of Fig. 2, which is not repeated here. The embodiment of the present invention may implement the related function modules by means of a hardware processor.
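The following is an added example, not code from the patent or its applicant, that models the two-stage pipeline of the device described above in Python: a file execution event seen in the real environment is screened against the preset alarm library; if suspicious, it is treated as intercepted and replayed only in the virtual environment, the state of the five host modules (file, registry, process, service, network) is compared before and after the replay, and the resulting changes are matched against the preset malicious execution results repository, including the registry branch that records rather than judges when no registry access was observed, and the recovery step that restores non-malicious events to the real environment. The alarm library is keyed by a content digest here, which is an assumption about what "characteristic information" means; the sample bytes, registry key, command line, service name and network address are all constructed for the example, and the before/after snapshots are passed in as arguments in place of a real sandbox VM.

```python
"""
Model of the patent's two-stage detection pipeline (added example; names,
sample data and the digest-based alarm library are constructed assumptions).
"""
from dataclasses import dataclass, field
import hashlib
from typing import Dict, List, Set

CATEGORIES = ("file", "registry", "process", "service", "network")
HostState = Dict[str, Set[str]]          # category -> observed items


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Preset alarm library: characteristic information of suspicious files.
# This example uses content digests; the sample bytes are a constructed stand-in.
SUSPICIOUS_SAMPLE = b"MZ constructed sample used only for this example"
ALARM_LIBRARY: Set[str] = {sha256(SUSPICIOUS_SAMPLE)}

# Preset malicious execution results repository: one set per compared category.
# Entries are constructed; 198.51.100.0/24 is an RFC 5737 documentation range.
MALICIOUS_RESULTS: Dict[str, Set[str]] = {
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    "process":  {"vssadmin delete shadows /all /quiet"},
    "service":  {"create:remote-admin-svc"},
    "network":  {"198.51.100.7:4444"},
}

# Events whose replay showed no registry access are recorded here instead of
# being judged on registry behaviour (the recording module's branch).
REGISTRY_RECORDS: Dict[str, Set[str]] = {}


@dataclass
class FileExecEvent:
    path: str
    content: bytes


@dataclass
class Verdict:
    malicious: bool
    action: str                      # "allow", "block" or "restore"
    reasons: List[str] = field(default_factory=list)


def is_suspicious(event: FileExecEvent) -> bool:
    """Stage 1: screen the real-environment event against the alarm library."""
    return sha256(event.content) in ALARM_LIBRARY


def diff_state(before: HostState, after: HostState) -> HostState:
    """State-change features: items present after the replay but not before."""
    return {c: after.get(c, set()) - before.get(c, set()) for c in CATEGORIES}


def judge(event: FileExecEvent, changes: HostState) -> Verdict:
    """Stage 2 decision: compare recorded changes with the malicious repository."""
    reasons: List[str] = []
    # Registry branch: no registry access observed -> record it (here as an
    # empty set); otherwise compare the keys touched with the malicious ones.
    if not changes["registry"]:
        REGISTRY_RECORDS[event.path] = set()
    else:
        hits = changes["registry"] & MALICIOUS_RESULTS["registry"]
        if hits:
            reasons.append("registry: " + ", ".join(sorted(hits)))
    # Process, service and network operations are each compared with their set.
    for category in ("process", "service", "network"):
        hits = changes[category] & MALICIOUS_RESULTS[category]
        if hits:
            reasons.append(f"{category}: " + ", ".join(sorted(hits)))
    if reasons:
        return Verdict(True, "block", reasons)
    # Not malicious: the recovery unit restores execution in the real environment.
    return Verdict(False, "restore", ["no match in malicious execution results repository"])


def detect(event: FileExecEvent, before: HostState, after: HostState) -> Verdict:
    """Full pipeline; `before`/`after` stand in for the virtual environment's
    snapshots around the replayed execution of the intercepted event."""
    if not is_suspicious(event):
        return Verdict(False, "allow", ["not in preset alarm library"])
    return judge(event, diff_state(before, after))


if __name__ == "__main__":
    baseline: HostState = {c: set() for c in CATEGORIES}
    baseline["process"] = {"explorer.exe"}
    after_run: HostState = {c: set(v) for c, v in baseline.items()}
    after_run["file"].add(r"C:\Users\Public\updater.exe")
    after_run["registry"].add(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater")
    after_run["network"].add("198.51.100.7:4444")
    print(detect(FileExecEvent(r"C:\Users\Public\setup.exe", SUSPICIOUS_SAMPLE), baseline, after_run))
```

The snapshot difference is deliberately one-directional (items that appeared after execution), which is enough to surface new persistence keys, spawned processes, created services and outbound connections; a deployment that also wants deletions (for example removed shadow copies) would diff in both directions. Matching is by exact set intersection, so the repository entries must be normalised the same way as the recorded operations.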
The malicious code dynamic detection device provided by the embodiment of the present invention operates as follows: when a file execution event is detected in the real environment, it judges according to a preset alarm library whether the file execution event is suspicious; if it is suspicious, it intercepts the execution of the file execution event in the real environment and copies the file execution event into a virtual environment for execution; finally, according to the execution result of the file execution event in the virtual environment and a preset malicious execution results repository, it judges whether the file execution event is malicious code. Unlike traditional malicious code detection, the embodiment of the present invention does not collect detection data from each network link. Instead, it uses virtual execution technology to design a specific virtual environment, directs the execution of suspicious file execution events into a virtual environment isolated from the real environment, and identifies malicious code by recording, analysing and comparing the state-change features of five key modules of the host (files, registry, processes, services and network) before and after the network application is executed in the virtual environment. The embodiment of the present invention thereby greatly reduces the possibility that the host in the real environment is intruded upon or that information is leaked.
The malicious code dynamic detection device includes a processor and a memory. The judging unit, execution unit, recovery unit and so on described above are all stored in the memory as program units, and the processor executes these program units stored in the memory to realise the corresponding functions.
The processor includes one or more cores, which fetch the corresponding program units from the memory. By adjusting the core parameters, the problems of slow speed and low efficiency in malicious code detection in the prior art are solved.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The present invention also provides a computer program product which, when executed on a data processing device, is adapted to execute program code initialised with the following method steps: when a file execution event is detected in the real environment, judging according to a preset alarm library whether the file execution event is suspicious, the preset alarm library storing characteristic information of the execution of various suspicious files; if it is suspicious, intercepting the execution of the file execution event in the real environment and copying the file execution event into a virtual environment for execution, the virtual environment storing the files and directories of the real environment; judging, according to the execution result of the file execution event in the virtual environment and a preset malicious execution results repository, whether the file execution event is malicious code, the preset malicious execution results repository storing the execution results of various malicious codes.
Those skilled in the art should appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
The above are only embodiments of the present application and are not intended to limit the present application. To those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall be included within the scope of the claims of the present application.

Claims (10)

1. A malicious code dynamic detection method, characterised in that it includes:
when a file execution event is detected in a real environment, judging according to a preset alarm library whether the file execution event is suspicious, the preset alarm library storing characteristic information of the execution of various suspicious files;
if it is suspicious, intercepting the execution of the file execution event in the real environment and copying the file execution event into a virtual environment for execution, the virtual environment storing the files and directories of the real environment;
judging, according to the execution result of the file execution event in the virtual environment and a preset malicious execution results repository, whether the file execution event is malicious code, the preset malicious execution results repository storing the execution results of various malicious codes.
2. The method according to claim 1, characterised in that judging, according to the execution result of the file execution event in the virtual environment and the preset malicious execution results repository, whether the file execution event is malicious code includes:
judging whether a registry access operation exists during the execution of the file execution event in the virtual environment;
if not, recording the registry access operations of the file execution event in the virtual environment;
if so, judging whether the registry access operation of the file execution event belongs to the malicious registry operations in the preset malicious execution results repository;
if the registry access operation of the file execution event belongs to the malicious registry operations, determining the file execution event to be malicious code.
3. The method according to claim 1, characterised in that judging, according to the execution result of the file execution event in the virtual environment and the preset malicious execution results repository, whether the file execution event is malicious code includes:
judging whether the process operation of the file execution event in the virtual environment belongs to the malicious process operations in the preset malicious execution results repository;
if the process operation of the file execution event belongs to the malicious process operations in the preset malicious execution results repository, determining the file execution event to be malicious code.
4. The method according to claim 1, characterised in that judging, according to the execution result of the file execution event in the virtual environment and the preset malicious execution results repository, whether the file execution event is malicious code includes:
judging whether the network operation of the file execution event in the virtual environment belongs to the malicious network operations in the preset malicious execution results repository;
judging whether the service operation of the file execution event in the virtual environment belongs to the malicious service operations in the preset malicious execution results repository;
if the network operation of the file execution event belongs to the malicious network operations in the preset malicious execution results repository, or the service operation of the file execution event belongs to the malicious service operations in the preset malicious execution results repository, determining the file execution event to be malicious code.
5. The method according to any one of claims 1 to 4, characterised in that after judging, according to the execution result of the file execution event in the virtual environment and the preset malicious execution results repository, whether the file execution event is malicious code, the method further includes:
if the file execution event is not malicious code, restoring the execution of the file execution event in the real environment.
6. A malicious code dynamic detection device, characterised in that it includes:
a judging unit, configured to, when a file execution event is detected in a real environment, judge according to a preset alarm library whether the file execution event is suspicious, the preset alarm library storing characteristic information of the execution of various suspicious files;
an execution unit, configured to, if the file execution event is suspicious, intercept the execution of the file execution event in the real environment and copy the file execution event into a virtual environment for execution, the virtual environment storing the files and directories of the real environment;
the judging unit is further configured to judge, according to the execution result of the file execution event in the virtual environment and a preset malicious execution results repository, whether the file execution event is malicious code, the preset malicious execution results repository storing the execution results of various malicious codes.
7. The device according to claim 6, characterised in that the judging unit includes:
a judging module, configured to judge whether a registry access operation exists during the execution of the file execution event in the virtual environment;
a recording module, configured to, if no registry access operation exists, record the registry access operations of the file execution event in the virtual environment;
the judging module is further configured to, if a registry access operation exists, judge whether the registry access operation of the file execution event belongs to the malicious registry operations in the preset malicious execution results repository;
a determining module, configured to, if the registry access operation of the file execution event belongs to the malicious registry operations, determine the file execution event to be malicious code.
8. The device according to claim 7, characterised in that:
the judging module is further configured to judge whether the process operation of the file execution event in the virtual environment belongs to the malicious process operations in the preset malicious execution results repository;
the determining module is further configured to, if the process operation of the file execution event belongs to the malicious process operations in the preset malicious execution results repository, determine the file execution event to be malicious code.
9. The device according to claim 7, characterised in that:
the judging module is further configured to judge whether the network operation of the file execution event in the virtual environment belongs to the malicious network operations in the preset malicious execution results repository;
the judging module is further configured to judge whether the service operation of the file execution event in the virtual environment belongs to the malicious service operations in the preset malicious execution results repository;
the determining module is further configured to, if the network operation of the file execution event belongs to the malicious network operations in the preset malicious execution results repository, or the service operation of the file execution event belongs to the malicious service operations in the preset malicious execution results repository, determine the file execution event to be malicious code.
10. The device according to any one of claims 6 to 9, characterised in that the device further includes:
a recovery unit, configured to, if the file execution event is not malicious code, restore the execution of the file execution event in the real environment.
CN201610555960.3A 2016-07-15 2016-07-15 Malicious code dynamic testing method and device Pending CN106228067A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610555960.3A CN106228067A (en) 2016-07-15 2016-07-15 Malicious code dynamic testing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610555960.3A CN106228067A (en) 2016-07-15 2016-07-15 Malicious code dynamic testing method and device

Publications (1)

Publication Number Publication Date
CN106228067A true CN106228067A (en) 2016-12-14

Family

ID=57519893

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610555960.3A Pending CN106228067A (en) 2016-07-15 2016-07-15 Malicious code dynamic testing method and device

Country Status (1)

Country Link
CN (1) CN106228067A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593249A (en) * 2008-05-30 2009-12-02 成都市华为赛门铁克科技有限公司 A kind of apocrypha analytical approach and system
CN101727348A (en) * 2008-10-10 2010-06-09 成都市华为赛门铁克科技有限公司 Method and device for analyzing suspicious codes
CN103281301A (en) * 2013-04-28 2013-09-04 上海海事大学 System and method for judging cloud safety malicious program

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790287A (en) * 2017-03-03 2017-05-31 努比亚技术有限公司 A kind of Malware hold-up interception method and device
CN107103243B (en) * 2017-05-11 2020-05-05 北京安赛创想科技有限公司 Vulnerability detection method and device
CN107103243A (en) * 2017-05-11 2017-08-29 北京安赛创想科技有限公司 The detection method and device of leak
CN107590382A (en) * 2017-09-29 2018-01-16 杭州安恒信息技术有限公司 A kind of malware detection analysis method and device based on virtual machine Dynamic Execution
CN109711169A (en) * 2018-05-04 2019-05-03 360企业安全技术(珠海)有限公司 Means of defence and device, system, storage medium, the electronic device of system file
CN110866248A (en) * 2018-11-28 2020-03-06 北京安天网络安全技术有限公司 Lesovirus identification method and device, electronic equipment and storage medium
CN110866248B (en) * 2018-11-28 2022-06-10 北京安天网络安全技术有限公司 Lesovirus identification method and device, electronic equipment and storage medium
CN111859381A (en) * 2019-04-29 2020-10-30 深信服科技股份有限公司 File detection method, device, equipment and medium
CN110489211A (en) * 2019-08-16 2019-11-22 杭州安恒信息技术股份有限公司 Back method and device based on filter Driver on FSD frame
CN113704760A (en) * 2021-08-31 2021-11-26 深信服科技股份有限公司 Page detection method and related device
CN113704760B (en) * 2021-08-31 2024-05-24 深信服科技股份有限公司 Page detection method and related device
CN114357450A (en) * 2022-01-07 2022-04-15 北京猎鹰安全科技有限公司 Malicious code detection method and device and storage medium
CN117240629A (en) * 2023-11-15 2023-12-15 北京兆维电子(集团)有限责任公司 Prediction method and prediction system based on network security intrusion
CN117240629B (en) * 2023-11-15 2024-02-06 北京兆维电子(集团)有限责任公司 Prediction method and prediction system based on network security intrusion

Similar Documents

Publication Publication Date Title
CN106228067A (en) Malicious code dynamic testing method and device
US11882134B2 (en) Stateful rule generation for behavior based threat detection
CN110647744B (en) Method, device, medium and system for evidence collection analysis in file system
US8479276B1 (en) Malware detection using risk analysis based on file system and network activity
CN104766011B (en) The sandbox detection alarm method and system of Intrusion Detection based on host feature
US11451581B2 (en) Systems and methods for malware detection and mitigation
US10853488B2 (en) System and method for a security filewall system for protection of an information handling system
US9652597B2 (en) Systems and methods for detecting information leakage by an organizational insider
US11102245B2 (en) Deception using screen capture
CN106682495A (en) Safety protection method and safety protection device
CN105956468B (en) A kind of Android malicious application detection method and system based on file access dynamic monitoring
Damopoulos et al. Exposing mobile malware from the inside (or what is your mobile app really doing?)
CN110119619A (en) The system and method for creating anti-virus record
KR102648653B1 (en) Mail security-based zero-day URL attack defense service providing device and method of operation
Hutchinson et al. Are we really protected? An investigation into the play protect service
Bae et al. A collaborative approach on host and network level android malware detection
Kadir et al. Understanding android financial malware attacks: Taxonomy, characterization, and challenges
CN116340943A (en) Application program protection method, device, equipment, storage medium and program product
Kaur et al. Cybersecurity threats in Fintech
US9967263B2 (en) File security management apparatus and management method for system protection
Kara Cyber-espionage malware attacks detection and analysis: A case study
Casino et al. Analysis and correlation of visual evidence in campaigns of malicious office documents
Prajapati et al. Analysis of keyloggers in cybersecurity
Mohata et al. Mobile malware detection techniques
Verma et al. Preserving dates and timestamps for incident handling in android smartphones

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161214