Specific embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be thoroughly understood and so that its scope is fully conveyed to those skilled in the art.
Fig. 1 shows a flow chart of the virtual-machine-based kernel vulnerability detection method according to an embodiment of the invention. The method runs in a server-side virtual machine sandbox isolation environment and performs dynamic detection of kernel vulnerability exploitation for a specified sample file. As shown in Fig. 1, the method comprises the following steps:
Step S101: start the communication agent process. The communication agent process listens on a designated port, waits for and receives the detection package and the sample file transmitted by the host outside the virtual machine, and stores the detection package and the sample file under the detection directory and the temporary directory respectively.
The communication agent process is responsible for data interaction and file transfer with the host outside the virtual machine. When the server-side virtual machine operating system boots, the communication agent process starts automatically with it. It listens on the designated port, waits for and receives the detection package and sample file sent by the associated process on the external host. The communication agent process decompresses the detection package and stores the extracted files under the detection directory; it also stores the sample file under the temporary directory. Subsequently, the communication agent process starts the scheduling control process contained in the detection package.
Step S102: start the scheduling control process contained in the detection package. The scheduling control process obtains the storage path of the sample file, identifies the sample file type, selects a detection mode and the individual detection function points according to the configuration options in the general detection configuration file, and creates a target detection configuration file for the sample file.
After the scheduling control process starts, it obtains the storage path of the sample file and identifies the file type. It then reads the general detection configuration file associated with it, selects the detection mode and detection function points according to the sample file type, initializes its own functions, and creates the target detection configuration file for the sample file. Subsequently, the scheduling control process starts the auxiliary detection process and passes the storage path of the sample file (which may be a URL) to the auxiliary detection process as a parameter.
Step S103: start the auxiliary detection process. The auxiliary detection process uses the target detection configuration file to control the switch of each detection function point.
After the auxiliary detection process starts, it initializes itself according to the target detection configuration file, loads the driver of the core detection process, and uses the target detection configuration file to control the switch of each detection function point.
Step S104: start the core detection process. The core detection process receives the sample file information and the switch information of each detection function point sent by the auxiliary detection process, performs vulnerability detection, generates a log file from the detection results, and stores the log file under the log directory.
After the auxiliary detection process loads the driver of the core detection process, the core detection process starts. It receives the sample file information and the switch information of each detection function point sent by the auxiliary detection process and performs initialization. It then detects the sample file according to that information, generates a log file from the detection results, and stores the log file under the log directory.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment. Data interaction and file transfer with the host outside the virtual machine are handled by the communication agent process, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample: even if the suspicious sample does exploit a vulnerability, it cannot damage the server side as long as the sandbox boundary holds. This provides a safe and efficient kernel vulnerability detection mechanism.
Fig. 2 shows a flow chart of the virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This method describes the overall scheme of virtual-machine-based kernel vulnerability detection; it runs in a server-side virtual machine sandbox isolation environment and performs dynamic detection of kernel vulnerability exploitation for a specified sample file. As shown in Fig. 2, the method comprises the following steps:
Step S201: when the server-side virtual machine operating system boots, the communication agent process starts automatically.
The communication agent process is responsible for data interaction and file transfer with the host outside the virtual machine. When the server-side virtual machine operating system boots, the communication agent process starts with it.
Step S202: the communication agent process listens on the designated port and waits for data.
The server-side virtual machine exposes the designated port for access by the external host. Once started, the communication agent process listens on that port and waits for the data sent by the host outside the virtual machine.
Step S203: the communication agent process receives the detection package and the sample file transmitted by the external host and stores the detection package and the sample file under the detection directory and the temporary directory respectively.
After receiving the detection package and sample file transmitted by the external host over the designated port, the communication agent process decompresses the detection package and stores the extracted files under the detection directory, which may be a randomly generated directory; it also stores the sample file under the temporary directory.
Step S204: the communication agent process starts the scheduling control process.
The communication agent process issues a start command that launches the scheduling control process.
Step S205: the communication agent process creates a message communication thread and establishes a communication connection with the scheduling control process.
After the scheduling control process starts, the communication agent process creates a message communication thread and, optionally, establishes a communication connection with the scheduling control process through RPC (Remote Procedure Call). Here the RPC mechanism is that of the xmlrpclib library: XML-RPC is a remote procedure call mechanism that uses HTTP as its transport protocol and transmits commands and data as XML text. Through this connection, message packets subsequently received from the scheduling control process can be forwarded in real time to the host outside the virtual machine.
Step S206: the scheduling control process initializes its own functions.
After the scheduling control process starts, it obtains the storage path of the sample file and identifies the file type. It then reads its associated general detection configuration file, selects the detection mode and the detection function points according to the sample file type, and initializes its functions. In addition, the scheduling control process selects a timeout limit according to the configuration options in the general detection configuration file; the timeout limit bounds the time the core detection process may spend on detection. Configuring a timeout limit prevents the subsequent detection of a given sample file from taking too long and improves detection efficiency.
Step S207: the scheduling control process creates a screenshot thread and/or a simulated mouse-click thread.
Optionally, the scheduling control process creates a screenshot thread and/or a simulated mouse-click thread. The screenshot thread captures the screen of the server on which the virtual machine runs; the captured screen images can be sent to the external host through the communication agent process. The simulated mouse-click thread simulates mouse clicks at random screen coordinates and on specific controls.
Step S208: the scheduling control process creates the target detection configuration file for the sample file, starts the auxiliary detection process, and passes the storage path of the sample file to the auxiliary detection process as a parameter.
The scheduling control process reads the general detection configuration file, selects and configures the options in it, and obtains the target detection configuration file for the sample file. Different types of sample file require different detection modes and detection function points, so the scheduling control process can create a customized target detection configuration file for each sample file type. It then starts the auxiliary detection process and passes the storage path of the sample file to it as a command-line parameter.
Step S209: the screenshot thread captures the screen image at predetermined intervals and sends the captured screen images to the communication agent process in real time.
Step S210: the simulated mouse-click thread simulates mouse clicks at random screen coordinates and on specific controls.
Step S211: the auxiliary detection process initializes itself according to the target detection configuration file and uses the target detection configuration file to control the switch of each detection function point.
The auxiliary detection process initializes its functions by parsing the command-line parameters and the target detection configuration file. Specifically, it obtains the sample file storage path, the detection mode, the detection function points and other basic information such as the detection function configuration options, computes the MD5 of the sample file, and controls the switch of each detection function point. The computed MD5 of the sample file associates the sample data produced during subsequent detection with the task data; one sample file may correspond to multiple detection tasks. The MD5 can also associate the sample data with Trojan information, VT and the initial scan engine, and the uniformly stored URL, Trojan and APT-class samples can be classified and displayed by MD5. Note that MD5 serves here only as a correlation identifier; it is not collision resistant, so two deliberately crafted samples can share the same MD5.
Step S212: the auxiliary detection process loads the driver of the core detection process, which starts the core detection process.
Step S213: the auxiliary detection process sends the sample file information and the switch information of each detection function point by means of IO control codes.
The auxiliary detection process sends the sample file information and the switch information of each detection function point to the core detection process through IO control codes, which turns on the monitoring of kernel-layer vulnerability exploitation behaviour.
Step S214: the auxiliary detection process starts the sample process, which runs the sample file.
Step S215: the core detection process performs initialization.
When the driver of the core detection process is loaded, it initializes the data structure objects and variables the driver needs; these objects and variables are closely associated with the individual function detection points.
Step S216: the core detection process creates a log recording thread.
To record the detection process conveniently, a log recording thread is created to record the logs produced during detection.
Step S217: the core detection process receives the sample file information and the switch information of each detection function point sent by the auxiliary detection process via IO control codes.
The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the sample file information and the switch information of each detection function point. For each detection function point whose switch is on, it enables monitoring of that function point.
Step S218: the core detection process performs vulnerability detection.
The vulnerabilities the core detection process can detect include the URLs of malicious web pages and the related vulnerabilities, viruses, Trojans and attacked sample objects. Sample objects also include 0Day, NDay, 0Day in the exposure period, drive-by download (web Trojan) site information, important websites, follow-up of drive-by download sites, and so on. A 0Day is a vulnerability that has been discovered (possibly without public disclosure) for which the vendor has not yet released a patch. Such vulnerabilities are exploited maliciously as soon as they are found; for example, a 0Day can be used to edit the registry, download files or run files. The sample object may take the form of a file, an executable program, and so on; the invention is not limited in this regard.
Step S219: the log recording thread generates a log file from the detection results and stores the log file under the log directory.
A subsequent identification engine can read the log file. Inside the identification engine (static and dynamic), the required log information is extracted, the detection results are analysed and screened, and basic rule judgements are made; the number of back-end rules can reach several hundred. In short, analysis combines the static and dynamic log data and applies rules and correlation analysis to classify the hazard level of the sample (black, white or grey). Screening mainly filters out the samples that hit the detection behaviour features and the samples with highly suspicious behaviour features, and distributes them to the data consumers according to the needs of different groups.
Step S220: during the above detection process, check in real time whether the timeout limit has been reached; if so, terminate the detection process, package the detection results into a data packet and send it to the communication agent process, which forwards the packet to the host outside the virtual machine.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment. Data interaction and file transfer with the host outside the virtual machine are handled by the communication agent process, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample: even if the suspicious sample does exploit a vulnerability, it cannot damage the server side as long as the sandbox boundary holds. This provides a safe and efficient kernel vulnerability detection mechanism. In this method, the scheduling control process selects a timeout limit according to the configuration options in the general detection configuration file; the timeout prevents the subsequent detection of a given sample file from taking too long and improves detection efficiency. The scheduling control process also creates a screenshot thread and/or a simulated mouse-click thread, so that the image shown on the server screen can be passed to the external host, whose user can follow the progress and details of the detection process; this gives good visualization.
Fig. 3 shows a flow chart of the virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This embodiment mainly describes in detail the workflow of the core detection process described above and the specifics of how the core detection process performs vulnerability detection. It should be recognized, however, that the method of this embodiment is an independent scheme for realizing vulnerability detection and can be implemented without relying on the environment described in the previous embodiments. The method of this embodiment runs in a virtual machine sandbox isolation environment and, as shown in Fig. 3, comprises the following steps:
Step S301: load the driver.
When the driver of the core detection process is loaded, it initializes the data structure objects and variables the driver needs. It records the process ID of at least one system process and records at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable), for example the pointer value of HalQuerySystemInformation.
Step S302: receive the sample file information and the switch information of each detection function point sent by the user-layer process.
In this embodiment, the user-layer process refers to the auxiliary detection process described in the above embodiments. The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the sample file information and the switch information of each detection function point.
Step S303: turn on the kernel-layer behaviour monitoring master switch according to the switch information of each detection function point.
Step S304: when the system creates a new process, add the new process to the process creation record list.
When the system starts the sample process to run the sample file, the sample process is identified as a newly created process and is added to the process creation record list.
Step S305: detect each kernel-layer operation behaviour of the new process.
This embodiment detects the kernel-layer operation behaviours of the new process by hooking. Specifically, after the core detection process receives the IO control code sent by the auxiliary detection process, it parses it, recognizes the "kernel exploitation monitoring" flag, and selects the corresponding dispatch handler routine according to the data in the incoming buffer. According to the sample file information and the switch information of each detection function point, it hooks, in the SSDT (System Service Descriptor Table), the API specified for each function detection point and NtQueryIntervalProfile.
With these hooks in place, a custom function is executed before the system calls the specified API or NtQueryIntervalProfile, which realizes the detection of each kernel-layer operation behaviour. (On 64-bit Windows, Kernel Patch Protection treats modification of the SSDT as a kernel patch and bug-checks the system, so SSDT hooking of this kind is practical on 32-bit guests or must be replaced by another interception mechanism.)
Step S306: generate a log file from the detection results and store the log file under the log directory.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment. According to the sample file information and the switch information of each detection function point sent by the user-layer process, it turns on the kernel-layer behaviour monitoring master switch, monitors the new processes created by the system, and detects each kernel-layer operation behaviour of a new process. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample: even if the suspicious sample does exploit a vulnerability, it cannot damage the server side as long as the sandbox boundary holds. This provides a safe and efficient kernel vulnerability detection mechanism.
Fig. 4 shows a flow chart of the virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This embodiment further elaborates the workflow of the core detection process on the basis of the method shown in Fig. 3. As shown in Fig. 4, the method comprises the following steps:
Step S401: load the driver.
When the driver of the core detection process is loaded, it initializes the data structure objects and variables the driver needs. It records the process ID of at least one system process and records at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable), for example the pointer value of HalQuerySystemInformation.
Step S402: create a log recording thread.
To record the detection process conveniently, a log recording thread is created to record the logs produced during detection.
Step S403: receive, via IO control codes, the sample file information and the switch information of each detection function point sent by the user-layer process.
In this embodiment, the user-layer process refers to the auxiliary detection process described in the above embodiments. The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the sample file information and the switch information of each detection function point.
Specifically, the core detection process recognizes the "kernel exploitation monitoring" flag by parsing the IO control code, and then selects the corresponding dispatch handler routine according to the data in the incoming buffer.
Step S404: according to the sample file information and the switch information of each detection function point, hook in the SSDT the API specified for each function detection point and NtQueryIntervalProfile.
This embodiment detects the kernel-layer operation behaviours of the new process by hooking. According to the sample file information and the switch information of each detection function point, it hooks in the SSDT the API specified for each function detection point and NtQueryIntervalProfile. The hooked APIs are specifically the key NTAPIs for memory, privilege, registry, process/thread and file operations. In addition, a process creation notification routine is set, so that whenever the system creates a new process, the process creation notification routine is entered and performs the associated operations.
Step S405: turn on the kernel-layer behaviour monitoring master switch according to the switch information of each detection function point.
Step S406: when the system creates a new process, add the new process to the process creation record list.
When the system creates a new process, the process creation notification routine is entered first; this routine records the attribute values of the newly created process, for example Privileges, UserSID and OwnerSID. The new process is then added to the process creation record list.
Step S407: detect each kernel-layer operation behaviour of the new process.
When the new process calls NtQueryIntervalProfile, first check whether it is recorded in the process creation record list and, if not, add it; likewise, when the new process calls one of the specified APIs, check whether it is in the process creation record list and, if not, add it.
With the new process guaranteed to be in the process creation record list, its kernel-layer operation behaviours are detected by hooking, specifically through the following embodiments:
(1) HalDispatchTable detection
By hooking, before NtQueryIntervalProfile is called, obtain at least one key function pointer value stored in HalDispatchTable and compare it with the corresponding key function pointer value recorded from HalDispatchTable when the driver was loaded; if any of the compared pointer values differs, the new process is detected as exhibiting privilege escalation behaviour. NtQueryIntervalProfile is the chosen trigger because it calls through the HalQuerySystemInformation entry of HalDispatchTable, which is why kernel exploits commonly overwrite that entry with the address of their payload and then invoke NtQueryIntervalProfile to run it.
(2) Token replacement detection
By hooking, before the corresponding specified API is called, obtain the EPROCESS structure address of at least one system process from the process ID recorded when the driver was loaded, and obtain the EPROCESS structure address of the new process; then compare the pointer value of the Token field in the new process's EPROCESS structure with the pointer value of the Token field in the EPROCESS structure of each system process. If the Token pointer of the new process equals the Token pointer of one of the system processes, the new process is detected as exhibiting privilege escalation behaviour.
Here, the specified APIs may be: process creation (NtCreateUserProcess); creating and reading or writing the memory of other processes (NtAllocateVirtualMemory/NtProtectVirtualMemory/NtReadVirtualMemory/NtWriteVirtualMemory); opening other processes or threads (NtOpenThread/NtOpenProcess/NtSetContextThread); registry reads and writes; file reads and writes; and so on.
(3) Token attribute value detection
By hooking, before the corresponding specified API is called, obtain the attribute values of the new process and compare them with the attribute values of the new process recorded in the process creation notification routine; if they differ, the new process is detected as exhibiting privilege escalation behaviour.
Concretely, the Privileges, TokenUser and/or TokenOwner of the new process obtained at this point are compared with the Privileges, TokenUser and/or TokenOwner of the new process recorded in the process creation notification routine; if any one of these comparisons differs, the new process is detected as exhibiting privilege escalation behaviour.
Here, the specified APIs are the functions related to the Token.
(4) Token attribute null detection
By hooking, before the corresponding specified API is called, query whether the ACL of the Token field in the new process's EPROCESS structure has been set to null; if so, the new process is detected as exhibiting privilege escalation behaviour.
(5) Kernel ROP (Return Oriented Programming, a newer attack based on code reuse) detection
Kernel ROP is currently commonly used to disable SMEP (Supervisor Mode Execution Prevention) or otherwise modify the CR4 register. This method uses hooking: before the CR4 register is operated on, check whether the call stack is one that is permitted to execute CR4-modifying instructions, or detect whether the call stack invokes an instruction that disables SMEP; if so, the new process is detected as exhibiting privilege escalation behaviour.
(6) Bitmap exploitation detection
Detect the behaviour of using a Bitmap (a GDI bitmap object) to convert a limited kernel address write into an arbitrary kernel address read/write primitive; if such behaviour exists, the new process is detected as exhibiting privilege escalation behaviour.
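The following is an added example, not code from the patent or its driver: a user-mode C model of the driver-load snapshot of step S401, the process creation record of step S406, and the pre-call checks of embodiments (1) to (3) under step S407. Every structure and value in it is a constructed stand-in (the eprocess_t and proc_record_t layouts, the detector_* function names, the HalDispatchTable and token values, the process IDs) chosen to make the comparisons visible; it does not touch a real kernel. The run_scenario function runs a clean sample and then a sample that has overwritten the HalQuerySystemInformation slot and copied the System token, as a token-stealing kernel exploit would:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PROCS 16
#define HAL_SLOTS 4   /* number of HalDispatchTable entries snapshotted */

enum { DET_HAL_TAMPERED = 1, DET_TOKEN_SWAPPED = 2, DET_TOKEN_ATTRS_CHANGED = 4 };

/* Modelled EPROCESS: only the fields the checks read (hypothetical layout). */
typedef struct {
    uint32_t  pid;
    uintptr_t token;       /* stand-in for the EPROCESS Token pointer value */
    uint64_t  privileges;  /* stand-in for the token Privileges mask */
    uint32_t  user_sid;    /* stand-in for TokenUser */
    uint32_t  owner_sid;   /* stand-in for TokenOwner */
} eprocess_t;

/* Entry of the process creation record list (what the notify routine saved). */
typedef struct { uint32_t pid; uint64_t privileges; uint32_t user_sid, owner_sid; } proc_record_t;

typedef struct {
    uintptr_t     hal_snapshot[HAL_SLOTS];  /* S401: pointers recorded at load */
    uint32_t      sys_pids[MAX_PROCS];      /* S401: recorded system process IDs */
    int           nsys;
    proc_record_t records[MAX_PROCS];       /* S406: process creation record list */
    int           nrec;
} detector_t;

/* S401: snapshot HalDispatchTable and remember the system process IDs. */
void detector_load(detector_t *d, const uintptr_t *hal_table, const uint32_t *sys_pids, int nsys)
{
    for (int i = 0; i < HAL_SLOTS; i++) d->hal_snapshot[i] = hal_table[i];
    d->nsys = nsys > MAX_PROCS ? MAX_PROCS : nsys;
    for (int i = 0; i < d->nsys; i++) d->sys_pids[i] = sys_pids[i];
    d->nrec = 0;
}

static proc_record_t *find_record(detector_t *d, uint32_t pid)
{
    for (int i = 0; i < d->nrec; i++) if (d->records[i].pid == pid) return &d->records[i];
    return NULL;
}

/* S406: process creation notification routine records the token attributes. */
void detector_on_process_create(detector_t *d, const eprocess_t *p)
{
    if (find_record(d, p->pid) || d->nrec >= MAX_PROCS) return;
    proc_record_t *r = &d->records[d->nrec++];
    r->pid = p->pid; r->privileges = p->privileges;
    r->user_sid = p->user_sid; r->owner_sid = p->owner_sid;
}

static const eprocess_t *find_process(const eprocess_t *procs, int n, uint32_t pid)
{
    for (int i = 0; i < n; i++) if (procs[i].pid == pid) return &procs[i];
    return NULL;
}

/* S407 pre-call hook body: run checks (1) to (3) for the calling process against
 * the live HalDispatchTable and process list. Returns a bitmask of DET_* values. */
int detector_check(detector_t *d, const uintptr_t *hal_now,
                   const eprocess_t *procs, int nprocs, const eprocess_t *caller)
{
    int det = 0;
    if (!find_record(d, caller->pid)) detector_on_process_create(d, caller); /* S407 */
    /* (1) live HalDispatchTable entries versus the load-time snapshot */
    for (int i = 0; i < HAL_SLOTS; i++)
        if (hal_now[i] != d->hal_snapshot[i]) { det |= DET_HAL_TAMPERED; break; }
    /* (2) caller's Token pointer equal to that of a recorded system process */
    for (int i = 0; i < d->nsys; i++) {
        const eprocess_t *sp = find_process(procs, nprocs, d->sys_pids[i]);
        if (sp && sp->pid != caller->pid && sp->token == caller->token) { det |= DET_TOKEN_SWAPPED; break; }
    }
    /* (3) token attributes now versus those recorded at process creation */
    const proc_record_t *r = find_record(d, caller->pid);
    if (r && (r->privileges != caller->privileges || r->user_sid != caller->user_sid ||
              r->owner_sid != caller->owner_sid))
        det |= DET_TOKEN_ATTRS_CHANGED;
    return det;
}

/* Constructed scenario: pid 4 stands in for System, pid 1234 for the sample
 * process. With exploited != 0 the sample has overwritten the
 * HalQuerySystemInformation slot and copied System's token. Returns the bitmask. */
int run_scenario(int exploited)
{
    uintptr_t hal[HAL_SLOTS] = { 0x80401000u, 0x80401100u, 0x80401200u, 0x80401300u };
    uint32_t sys_pids[1] = { 4 };
    eprocess_t procs[2] = { { 4, 0x8a010000u, 0xffffffffu, 18, 18 },
                            { 1234, 0x8a020000u, 0x00000800u, 1001, 1001 } };
    detector_t d;
    detector_load(&d, hal, sys_pids, 1);
    detector_on_process_create(&d, &procs[1]);
    if (exploited) {
        hal[1] = 0x00401000u;               /* now points at a user-mode payload */
        procs[1].token = procs[0].token;
        procs[1].privileges = procs[0].privileges;
        procs[1].user_sid = procs[0].user_sid;
        procs[1].owner_sid = procs[0].owner_sid;
    }
    return detector_check(&d, hal, procs, 2, &procs[1]);
}

int main(void)
{
    printf("clean sample: detections=%d\nexploited sample: detections=%d\n",
           run_scenario(0), run_scenario(1));
    return 0;
}
```

The checks return a bitmask so that one hook invocation can report several independent findings, which the driver described above would carry into the behaviour log of step S408. Embodiments (4) to (6) are not modelled here: the Token ACL, CR4 and Bitmap checks need access to real kernel objects and control registers.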
Step S408: generate a log file from the detection results and store the log file under the log directory.
Detection points are logged in a preset format, and each log record is inserted into the log buffer list. The log recording thread continuously checks whether a new log record has been inserted into the log buffer list; if so, it appends the new record to the log file at the path specified in the configuration options and releases the node of that record in the log buffer list.
In this scheme, detection logs are produced in a cached manner: the detected logs are held temporarily in the log buffer list, and the log recording thread polls the list and processes each log node in turn in FIFO (first in, first out) order, appending the log content to the log file. After the detection finishes, the external scheduling module obtains and processes the log file.
The logged data of this scheme includes environment and file basic information, detection function point trigger data, and so on. Environment and file basic information is output as a running log; detection function point trigger data is output as a behaviour log. Environment and file basic information includes: the MD5 of the sample process file, the sample file path, and the names and file versions of the major system modules. For HalDispatchTable detection, the trigger data includes: process ID, thread ID, the name of the tampered function, the pointer value after tampering, and the hooked API at which the detection occurred (NtQueryIntervalProfile). For Token replacement detection, the trigger data includes: process ID, thread ID, the Token address, the name of the system process that was hit, and the hooked API at which the detection occurred. For Token attribute value detection, the trigger data includes: process ID, thread ID, the Privileges mask description sequence, UserSID, OwnerSID, and the hooked API at which the detection occurred. The trigger data of the other detection methods is similar and is not described further here.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment. According to the sample file information and the switch information of each detection function point sent by the user-layer process, it turns on the kernel-layer behaviour monitoring master switch, monitors the new processes created by the system, and detects each kernel-layer operation behaviour of a new process. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample: even if the suspicious sample does exploit a vulnerability, it cannot damage the server side as long as the sandbox boundary holds. This provides a safe and efficient kernel vulnerability detection mechanism. The method installs hook functions, by hooking, on the API corresponding to each detection function point provided by the user-layer process and performs the detection operation before the API is called, so that problems such as privilege escalation and exploitation can be found in a timely and effective manner, improving the efficiency of kernel vulnerability detection.
Fig. 5 shows a flow chart of the virtual-machine-based kernel vulnerability detection process protection method according to an embodiment of the invention. The method provided by this embodiment is mainly used to protect the address space of the detection processes running in the virtual machine sandbox isolation environment, preventing a malicious sample process that has escaped the sandbox from accessing, releasing or leaking it, so that confidential information is not stolen. As shown in Fig. 5, the method comprises the following steps:
Step S501: obtain the relevant information of each detection subprocess and write it into the process filter list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant fields of the target detection configuration file, parses out the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process ID of each detection subprocess to the core detection process through IO control codes.
The core detection process receives the process IDs of the detection subprocesses sent by the auxiliary detection process (the user-layer process) through IO control codes. Specifically, after receiving the IO control code marked "process ID filtering", the core detection process obtains the process ID transmitted this time from the input buffer and obtains the relevant information of the detection subprocess from that process ID. In this method the relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, the core detection process writes it into the process filter list.
Step S502: using hook technology, before the specified API is called, obtain the relevant information of the current context process and the relevant information of the operation target process.
This method hooks the specified APIs concerning process, thread and memory address space operations; after the specified API is hooked, steps S502 to S504 are implemented in the custom function. In step S502 the EPROCESS structure address of the current context process and the EPROCESS structure address of the operation target process are obtained.
Step S503: judge whether the relevant information of the operation target process is recorded in the process filter list and the relevant information of the current context process is not recorded in the process filter list; if so, execute step S504; if not, execute step S505.
Optionally, this is judged on the EPROCESS structure addresses: whether the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not.
Step S504: terminate the call to the specified API.
If the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not, some other process is attempting to access a detection subprocess and must be stopped: for example, an access-denied status code is returned and the call to the specified API is terminated.
Step S505: continue calling the specified API and return its return value to the caller.
If the EPROCESS structure address of the operation target process is not recorded in the process filter list, or the EPROCESS structure address of the current context process is recorded in the process filter list, the specified API is called as usual and its return value is returned to the caller.
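Steps S501 through S505 modelled in user-mode C, as an added example that is not the patent's own code. EPROCESS structure addresses are represented as plain 64-bit integers, the status names and the function names are assumptions, and every address used is a constructed sample:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not code from the patent): a user-mode model of the process
 * filter list and of the decision taken in the hook in steps S502-S505.
 * EPROCESS structure addresses are modelled as uint64_t values; every address
 * below is a constructed sample, not a real kernel pointer. */

#define FILTER_LIST_MAX 64

typedef uint64_t eprocess_addr_t;

/* Result of the hook; the names are assumptions mirroring the page's
 * "access denied status code" and "continue calling the specified API". */
typedef enum { HOOK_ALLOW = 0, HOOK_ACCESS_DENIED = 1 } hook_status_t;

typedef struct {
    eprocess_addr_t eprocess[FILTER_LIST_MAX]; /* detection subprocesses (step S501) */
    size_t count;
} process_filter_list_t;

/* Step S501: record a detection subprocess in the filter list (idempotent). */
bool filter_list_add(process_filter_list_t *list, eprocess_addr_t eprocess)
{
    for (size_t i = 0; i < list->count; i++)
        if (list->eprocess[i] == eprocess) return true;   /* already recorded */
    if (list->count >= FILTER_LIST_MAX) return false;
    list->eprocess[list->count++] = eprocess;
    return true;
}

bool filter_list_contains(const process_filter_list_t *list, eprocess_addr_t eprocess)
{
    for (size_t i = 0; i < list->count; i++)
        if (list->eprocess[i] == eprocess) return true;
    return false;
}

/* Steps S503-S505, evaluated before the hooked API runs. `caller` is the
 * current context process, `target` the operation target process. The call is
 * refused only when the target is a protected detection subprocess and the
 * caller is not one itself, so the detectors can still reach each other. */
hook_status_t hook_decide(const process_filter_list_t *list,
                          eprocess_addr_t caller, eprocess_addr_t target)
{
    bool target_protected = filter_list_contains(list, target);
    bool caller_trusted   = filter_list_contains(list, caller);
    if (target_protected && !caller_trusted)
        return HOOK_ACCESS_DENIED;  /* step S504: terminate the call */
    return HOOK_ALLOW;              /* step S505: let the API proceed */
}

static const char *describe(hook_status_t s)
{
    return s == HOOK_ACCESS_DENIED ? "denied" : "allowed";
}

int main(void)
{
    /* Constructed sample EPROCESS addresses. */
    const eprocess_addr_t detector_a = 0xffff8000aaaa0000ULL;
    const eprocess_addr_t detector_b = 0xffff8000bbbb0000ULL;
    const eprocess_addr_t sample     = 0xffff8000cccc0000ULL;
    const eprocess_addr_t unrelated  = 0xffff8000dddd0000ULL;

    process_filter_list_t list = { .count = 0 };
    filter_list_add(&list, detector_a);
    filter_list_add(&list, detector_b);

    printf("sample -> detector_a    : %s\n", describe(hook_decide(&list, sample, detector_a)));
    printf("detector_a -> detector_b: %s\n", describe(hook_decide(&list, detector_a, detector_b)));
    printf("sample -> unrelated     : %s\n", describe(hook_decide(&list, sample, unrelated)));
    return 0;
}
```

The decision is deliberately asymmetric: membership of the target in the list is what marks it as protected, and membership of the caller is what exempts it, so an escaped sample touching a detector is refused while detectors continue to cooperate and while accesses to unrelated processes are untouched.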
According to the virtual-machine-based kernel vulnerability detection process protection method provided by this embodiment, the relevant information of each detection subprocess is written into the process filter list; before the specified API is called, the hook obtains the relevant information of the current context process and of the operation target process, matches both against the process filter list, and thereby determines whether to terminate the call to the specified API. With this method the address space of the detection processes running in the virtual machine sandbox isolation environment is protected from access by a malicious sample process that has escaped the sandbox, confidential information is not stolen, and the security of kernel vulnerability detection in the virtual machine sandbox isolation environment is improved.
Fig. 6 shows a flow chart of the virtual-machine-based kernel vulnerability detection file protection method according to an embodiment of the invention. The method provided by this embodiment is mainly used to protect the detection files produced during the detection process, such as log files, from being accessed, tampered with, encrypted or destroyed by a malicious sample process that has escaped the sandbox, avoiding the detection failure or abnormal results that would otherwise follow and maintaining the stability and performance of the sandbox system. As shown in Fig. 6, the method comprises the following steps:
Step S601: obtain the relevant information of each detection subprocess and write it into the process filter list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant fields of the target detection configuration file, parses out the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process ID of each detection subprocess to the core detection process through IO control codes.
The core detection process receives the process IDs of the detection subprocesses sent by the auxiliary detection process (the user-layer process) through IO control codes. Specifically, after receiving the IO control code marked "process ID filtering", the core detection process obtains the process ID transmitted this time from the input buffer and obtains the relevant information of the detection subprocess from that process ID. In this method the relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, the core detection process writes it into the process filter list.
Step S602: obtain the storage path information of the detection files and write it into the private directory list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant fields of the target detection configuration file, parses out the storage paths of one or more detection files, and sends the storage path of each detection file to the core detection process through IO control codes.
The core detection process receives the storage path of each detection file sent by the auxiliary detection process (the user-layer process) through IO control codes. Specifically, after receiving the IO control code marked "private directory", the core detection process obtains the storage path of the detection file transmitted this time from the input buffer, constructs a string from that storage path as the storage path information of the detection file, and writes the storage path information into the private directory list.
Step S603: when a file access operation occurs, judge whether the storage path information of the file access object is recorded in the private directory list.
In this embodiment the protection of the detection files is implemented mainly in the function bodies of the IRP dispatch functions. For example, in the custom function bodies of the dispatch functions for READ, WRITE, CREATE, SET_INFORMATION, DIRECTORY_CONTROL and so on, it is judged whether the storage path information of the file access object is recorded in the private directory list; if so, step S604 is executed; if not, step S606.
Step S604: judge whether the relevant information of the current context process is recorded in the process filter list.
If the storage path information of the file access object is recorded in the private directory list, it is further judged whether the relevant information of the current context process is recorded in the process filter list; specifically, whether the EPROCESS structure address of the current context process is recorded in the process filter list. If so, execute step S606; if not, execute step S605.
Step S605: if the relevant information of the current context process is not recorded in the process filter list, refuse the file access operation.
If the storage path information of the file access object is recorded in the private directory list and the relevant information of the current context process is not recorded in the process filter list, some other process is attempting to access a detection file; the IRP is then not dispatched further down, and the file access operation is refused.
Step S606: if the storage path information of the file access object is not recorded in the private directory list, or the relevant information of the current context process is recorded in the process filter list, continue to respond to the file access operation.
If the storage path information of the file access object is not recorded in the private directory list, what is being accessed is not a detection file that needs protection, so the IRP continues to be dispatched downward and the file access operation is served. If the storage path information of the file access object is recorded in the private directory list and the relevant information of the current context process is recorded in the process filter list, a detection subprocess is accessing a detection file, so the IRP likewise continues to be dispatched downward and the file access operation is served.
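Steps S602 through S606 modelled in user-mode C, as an added example that is not the patent's own code. The private directory list holds NT-style paths, matching is case-insensitive and stops at a directory boundary (so a sibling whose name merely shares a prefix is not captured), and the dispatch decision combines the path check with the process filter list. EPROCESS addresses are again plain integers, all paths and addresses are constructed samples, and the function and enum names are assumptions:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the patent): a user-mode model of steps
 * S602-S606. EPROCESS addresses are modelled as uint64_t sample values and
 * the IRP dispatch routine is reduced to a single decision function. */

#define PRIVATE_DIR_MAX 16
#define PATH_MAX_LEN    260
#define FILTER_MAX      16

typedef uint64_t eprocess_addr_t;

typedef struct {
    char path[PRIVATE_DIR_MAX][PATH_MAX_LEN];  /* storage path information (S602) */
    size_t count;
} private_dir_list_t;

typedef struct {
    eprocess_addr_t eprocess[FILTER_MAX];       /* detection subprocesses (S601) */
    size_t count;
} process_filter_list_t;

typedef enum { IRP_PASS_DOWN = 0, IRP_DENY = 1 } irp_decision_t;

/* Step S602: record a detection file path or directory. A trailing backslash
 * is stripped so that the prefix comparison below is uniform. */
bool private_dir_add(private_dir_list_t *list, const char *path)
{
    size_t len = strlen(path);
    if (list->count >= PRIVATE_DIR_MAX || len == 0 || len >= PATH_MAX_LEN) return false;
    while (len > 1 && path[len - 1] == '\\') len--;
    memcpy(list->path[list->count], path, len);
    list->path[list->count][len] = '\0';
    list->count++;
    return true;
}

/* Windows paths are case-insensitive: compare ASCII case-insensitively. */
static bool ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Step S603: is the access object exactly a recorded path, or inside a
 * recorded directory? "\dir\log.txt" matches "\dir"; "\director\x" does not. */
bool private_dir_matches(const private_dir_list_t *list, const char *object_path)
{
    size_t olen = strlen(object_path);
    for (size_t i = 0; i < list->count; i++) {
        size_t plen = strlen(list->path[i]);
        if (olen < plen || !ieq_n(object_path, list->path[i], plen)) continue;
        if (olen == plen || object_path[plen] == '\\') return true;
    }
    return false;
}

bool filter_list_contains(const process_filter_list_t *list, eprocess_addr_t e)
{
    for (size_t i = 0; i < list->count; i++)
        if (list->eprocess[i] == e) return true;
    return false;
}

/* Steps S603-S606 as the single decision taken in the dispatch routine. */
irp_decision_t dispatch_decide(const private_dir_list_t *dirs,
                               const process_filter_list_t *filter,
                               eprocess_addr_t current_process,
                               const char *object_path)
{
    if (!private_dir_matches(dirs, object_path))
        return IRP_PASS_DOWN;   /* S606: not a protected detection file */
    if (filter_list_contains(filter, current_process))
        return IRP_PASS_DOWN;   /* S606: a detection subprocess itself */
    return IRP_DENY;            /* S605: foreign process, refuse the access */
}

int main(void)
{
    private_dir_list_t dirs = { .count = 0 };
    process_filter_list_t filter = { .count = 0 };
    /* Constructed sample configuration. */
    private_dir_add(&dirs, "\\??\\C:\\detect\\logs\\");
    filter.eprocess[filter.count++] = 0xffff8000aaaa0000ULL;   /* a detection subprocess */

    const char *target = "\\??\\C:\\Detect\\Logs\\behavior.log";
    printf("detector  -> %s : %s\n", target,
           dispatch_decide(&dirs, &filter, 0xffff8000aaaa0000ULL, target) == IRP_DENY ? "deny" : "pass");
    printf("sample    -> %s : %s\n", target,
           dispatch_decide(&dirs, &filter, 0xffff8000cccc0000ULL, target) == IRP_DENY ? "deny" : "pass");
    return 0;
}
```

The boundary check in `private_dir_matches` is the part most easily forgotten: a bare prefix comparison would also capture `\??\C:\detect\logs2\...`, and a case-sensitive one would let `\??\C:\DETECT\LOGS\...` through.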
According to the virtual-machine-based kernel vulnerability detection file protection method provided by this embodiment, the relevant information of each detection subprocess is written into the process filter list and the storage path information of the detection files is written into the private directory list; when a file access operation occurs, the storage path information of the file access object and the relevant information of the current context process are matched against the private directory list and the process filter list respectively, and it is thereby determined whether to refuse the file access operation. With this method the detection files produced in the virtual machine sandbox isolation environment are protected from being accessed, tampered with, encrypted or destroyed by a malicious sample process that has escaped the sandbox, the resulting detection failures or abnormal results are avoided, and the stability and performance of the sandbox system are maintained.
Fig. 7 shows a functional block diagram of the virtual-machine-based kernel vulnerability detection device according to an embodiment of the invention. The device runs in the server-side virtual machine sandbox isolation environment and performs dynamic kernel vulnerability exploitation detection on a specified sample file. As shown in Fig. 7, the device includes: a communication agent module 701, a scheduling management and control module 702, an auxiliary detection module 703 and a core detection module 704.
The communication agent module 701 is adapted to start the communication agent process, make it listen on a designated port, wait for and receive the detection package and sample file transmitted by the host outside the virtual machine, and store the detection package and the sample file under the detection directory and the temporary directory respectively. The communication agent process is responsible for data interaction and file transmission with the host outside the virtual machine. When the server-side virtual machine operating system boots, the communication agent process starts with it. The communication agent process listens on the designated port and waits for and receives the detection package and sample file transmitted by the associated process on the host outside the virtual machine. It decompresses the detection package and stores the decompressed files under the detection directory; it also stores the sample file under the temporary directory. The communication agent thread then starts the scheduling management and control process contained in the detection package.
The scheduling management and control module 702 is adapted to start the scheduling management and control process contained in the detection package and make it obtain the sample file storage path, identify the sample file type, and select the detection mode and each detection function point according to the configuration options in the general detection configuration file, so as to create the target detection configuration file for the sample file. After the scheduling management and control process starts, it obtains the sample file storage path and identifies the sample file type. It then reads the general detection configuration file associated with it, selects the detection mode and each detection function point according to the sample file type, initializes its own functions, and creates the target detection configuration file for the sample file. Subsequently, the scheduling management and control process starts the auxiliary detection process and passes the storage path of the sample file (which may be a URL) to the auxiliary detection process as a parameter.
The auxiliary detection module 703 is adapted to start the auxiliary detection process and make it control the switch of each detection function point using the target detection configuration file. After the auxiliary detection process starts, it initializes itself according to the target detection configuration file, loads the driver of the core detection process, and controls the switch of each detection function point using the target detection configuration file.
The core detection module 704 is adapted to start the core detection process and make it receive the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, perform vulnerability detection, generate a log file according to the detection result, and store the log file under the log directory. After the auxiliary detection process loads the driver of the core detection process, the core detection process starts. It receives the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process and performs the initialization operation. It then performs the detection of the sample file according to that information, generates a log file according to the detection result, and stores the log file under the log directory.
The communication agent module 701 is further adapted to make the communication agent process create a message communication thread and establish a communication connection with the scheduling management and control process. After the scheduling management and control process starts, the communication agent process creates the message communication thread and, optionally, establishes the communication connection with the scheduling management and control process via RPC. Over this connection, message packets subsequently received from the scheduling management and control process can be forwarded in real time to the host outside the virtual machine.
The scheduling management and control module 702 is further adapted to make the scheduling management and control process create a screen capture thread that captures a screen image at predetermined time intervals and sends the captured screen images in real time to the communication agent process over the communication connection established between the scheduling management and control process and the communication agent process.
The communication agent module 701 is further adapted to make the communication agent process send the captured screen images to the host outside the virtual machine.
The scheduling management and control module 702 is further adapted to make the scheduling management and control process create a mouse simulation click thread that simulates mouse click operations at random screen coordinates and on specific controls.
The scheduling management and control module 702 is further adapted to make the scheduling management and control process select a timeout restriction condition according to the configuration options in the general detection configuration file; during the detection of the sample file it judges whether the timeout restriction condition is met and, if so, ends the detection process, packages the detection result into a data packet and sends it to the communication agent process, which sends the data packet on to the host outside the virtual machine.
The core detection module 704 is further adapted to make the core detection process receive the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process by way of IO control codes.
The virtual-machine-based kernel vulnerability detection device provided by this embodiment runs in the virtual machine sandbox isolation environment; the communication agent process carries out the data interaction and file transmission with the host outside the virtual machine, and the scheduling management and control process and the auxiliary detection process assist the core detection process in detecting the sample file. The device isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample, so that even if the suspicious sample does contain a vulnerability it cannot harm the server side, giving a safe and efficient kernel vulnerability detection mechanism. In this device the scheduling management and control process selects a timeout restriction condition according to the configuration options in the general detection configuration file; configuring the timeout restriction condition prevents the detection of a given sample file from taking too long and improves detection efficiency. The screen capture thread and/or mouse simulation click thread created by the scheduling management and control process allow the image presented on the server screen to be passed to the host outside the virtual machine, so that the user of that host can view the progress and specifics of the detection process with good visualization.
Fig. 8 shows a functional block diagram of the virtual-machine-based kernel vulnerability detection device according to another embodiment of the invention. The device runs in the virtual machine sandbox isolation environment; as shown in Fig. 8, it includes: a loading module 801, a receiving module 802, a starting module 803, an adding module 804, a detection module 805 and a log storage module 806.
The loading module 801 is adapted to load the driver. When loading the driver, the loading module 801 initializes the related data structure objects and variables the driver needs, records the process ID of at least one system process, and records at least one key function pointer value stored in the HAL routine address table (HalDispatchTable), for example the HalQuerySystemInformation function pointer value.
The receiving module 802 is adapted to receive the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process. In this embodiment the user-layer process refers to the auxiliary detection process described in the above embodiments. The receiving module 802 receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the relevant information of the sample file and the switch information of each detection function point. Specifically, it parses the IO control code to identify the "kernel exploitation monitoring" marker and then, according to the data in the incoming buffer, selects the corresponding dispatch processing routine.
The starting module 803 is adapted to turn on the kernel-layer behavior monitoring master switch according to the switch information of each detection function point.
The adding module 804 is adapted to add a new process to the process creation record list when the system creates it.
The detection module 805 is adapted to detect each kernel-layer operation behavior of the new process.
The log storage module 806 is adapted to generate a log file according to the detection result and store the log file under the log directory.
Further, the device also includes a hook configuration module 807, adapted to hook, according to the relevant information of the sample file and the switch information of each detection function point, the specified API in the SSDT for each function detection point together with NtQueryIntervalProfile. The device detects each kernel-layer operation behavior of the new process through hook technology: according to the relevant information of the sample file and the switch information of each detection function point, it hooks the specified API in the SSDT for each function detection point and NtQueryIntervalProfile. The hooked APIs are specifically the key NTAPIs for operations on memory, privileges, the registry, processes and threads, and files.
Further, the device also includes a routine setup module 808, adapted to set a process creation notification routine in which the property values of the newly created process are recorded. When the system creates a new process, the routine setup module 808 records in the process creation notification routine the property values of the new process, for example the Privileges, UserSID and OwnerSID property values.
The above detection module 805 is further adapted to: using hook technology, before NtQueryIntervalProfile is called, obtain the at least one key function pointer value stored in the HAL routine address table; compare it with the at least one key function pointer value of the HAL routine address table recorded during driver loading; and, if the comparison of the at least one key function pointer value is inconsistent, detect that the new process has privilege escalation behavior.
The above detection module 805 is further adapted to: using hook technology, before the corresponding specified API is called, obtain the EPROCESS structure address of the at least one system process from the process ID of the at least one system process recorded during driver loading, and at the same time obtain the EPROCESS structure address of the new process; compare the pointer value of the Token field in the EPROCESS structure of the new process with the pointer value of the Token field in the EPROCESS structure of the at least one system process; and, if the pointer value of the Token field of the new process is consistent with the pointer value of the Token field of one of the system processes, detect that the new process has privilege escalation behavior.
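The two comparisons just described, HalDispatchTable integrity against the snapshot taken at driver load and Token pointer identity against the recorded system processes, modelled in user-mode C as an added example that is not the patent's own code. The HAL table and EPROCESS are reduced to small structs holding only the fields the text names, the function names are assumptions, and all addresses are constructed samples:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not code from the patent): a user-mode model of the
 * HalDispatchTable comparison and of the Token pointer comparison done by
 * detection module 805. Structures and addresses are constructed samples. */

#define HAL_SLOTS 4
#define SYSTEM_PROCS_MAX 4

/* Model of the HAL routine address table; slot 0 stands for the
 * HalQuerySystemInformation pointer the page names as an example. */
typedef struct { uint64_t fn[HAL_SLOTS]; } hal_dispatch_table_t;

/* Minimal model of EPROCESS: only the Token field pointer is needed here. */
typedef struct { uint64_t token; } eprocess_t;

typedef struct {
    hal_dispatch_table_t hal_at_load;            /* snapshot from loading module 801 */
    uint64_t system_tokens[SYSTEM_PROCS_MAX];    /* Token pointers of recorded system processes */
    size_t system_count;
} baseline_t;

/* Driver load: record the key function pointers and the system processes' tokens. */
void baseline_record(baseline_t *b, const hal_dispatch_table_t *hal,
                     const eprocess_t *system_procs, size_t n)
{
    b->hal_at_load = *hal;
    b->system_count = n > SYSTEM_PROCS_MAX ? SYSTEM_PROCS_MAX : n;
    for (size_t i = 0; i < b->system_count; i++)
        b->system_tokens[i] = system_procs[i].token;
}

/* Run in the NtQueryIntervalProfile hook: index of the first slot whose live
 * value differs from the load-time snapshot, or -1 if the table is intact. */
int hal_table_tampered_slot(const baseline_t *b, const hal_dispatch_table_t *live)
{
    for (int i = 0; i < HAL_SLOTS; i++)
        if (live->fn[i] != b->hal_at_load.fn[i]) return i;
    return -1;
}

/* Run before the specified API: a new process whose Token pointer is the very
 * same pointer as a system process's Token has had its token replaced. */
bool token_replaced(const baseline_t *b, const eprocess_t *new_proc)
{
    for (size_t i = 0; i < b->system_count; i++)
        if (new_proc->token == b->system_tokens[i]) return true;
    return false;
}

int main(void)
{
    /* Constructed sample values. */
    hal_dispatch_table_t hal = {{ 0xfffff80000010000ULL, 0xfffff80000010100ULL,
                                  0xfffff80000010200ULL, 0xfffff80000010300ULL }};
    eprocess_t system_proc = { 0xffff9a0000001000ULL };
    baseline_t base;
    baseline_record(&base, &hal, &system_proc, 1);

    hal_dispatch_table_t live = hal;
    live.fn[0] = 0x0000000000401000ULL;          /* slot 0 no longer matches */
    printf("tampered slot: %d\n", hal_table_tampered_slot(&base, &live));

    eprocess_t new_proc = { 0xffff9a0000001000ULL }; /* same Token pointer as the system process */
    printf("token replaced: %s\n", token_replaced(&base, &new_proc) ? "yes" : "no");
    return 0;
}
```

Both checks compare raw pointer values rather than contents: the HAL check flags any slot that differs from the snapshot, and the Token check fires only on pointer identity with a recorded system process, which is exactly the condition the text sets.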
The above detection module 805 is further adapted to: using hook technology, before the corresponding specified API is called, obtain the property values of the new process; compare the obtained property values of the new process with the property values of the new process recorded in the process creation notification routine; and, if the comparison is inconsistent, detect that the new process has privilege escalation behavior.
The above detection module 805 is further adapted to compare the obtained Privileges, TokenUser and/or TokenOwner of the new process with the Privileges, UserSID and/or OwnerSID of the new process recorded in the process creation notification routine.
The above detection module 805 is further adapted to: using hook technology, before the corresponding specified API is called, query whether the ACL in the Token field of the EPROCESS structure of the new process is set to null; if so, detect that the new process has privilege escalation behavior.
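The property-value comparison of routine setup module 808 and detection module 805, together with the null-ACL check, modelled in user-mode C as an added example that is not the patent's own code. The token is reduced to the fields the page names (Privileges mask, UserSID, OwnerSID, and an ACL presence flag standing in for the null check), SIDs are held as "S-1-..." strings, the function and enum names are assumptions, and all values are constructed:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the patent): a user-mode model of the
 * creation-time property snapshot and the hook-time comparison, plus the
 * null-ACL check, from detection module 805. All values are constructed. */

#define SID_LEN     64
#define TRACKED_MAX 32

typedef struct {
    uint64_t privileges;        /* Privileges mask */
    char user_sid[SID_LEN];     /* TokenUser / UserSID */
    char owner_sid[SID_LEN];    /* TokenOwner / OwnerSID */
    bool acl_present;           /* false models the ACL field being null */
} token_t;

typedef struct { uint32_t pid; token_t at_creation; bool used; } creation_record_t;
typedef struct { creation_record_t rec[TRACKED_MAX]; } creation_log_t;

typedef enum {
    PROP_UNCHANGED          = 0,
    PROP_PRIVILEGES_CHANGED = 1 << 0,
    PROP_USER_SID_CHANGED   = 1 << 1,
    PROP_OWNER_SID_CHANGED  = 1 << 2,
    PROP_ACL_NULLED         = 1 << 3,
    PROP_UNTRACKED          = 1 << 4    /* no creation record for this pid */
} prop_change_t;

/* Process creation notification routine: snapshot the new process's token values. */
bool creation_record(creation_log_t *log, uint32_t pid, const token_t *tok)
{
    for (size_t i = 0; i < TRACKED_MAX; i++) {
        if (!log->rec[i].used) {
            log->rec[i].used = true;
            log->rec[i].pid = pid;
            log->rec[i].at_creation = *tok;
            return true;
        }
    }
    return false;
}

/* Hook-time check: compare the live token with the creation snapshot and
 * report every field that differs as a bitmask. Any non-zero result means the
 * process now carries authority it was not created with. */
int token_properties_changed(const creation_log_t *log, uint32_t pid, const token_t *live)
{
    const creation_record_t *r = NULL;
    for (size_t i = 0; i < TRACKED_MAX; i++)
        if (log->rec[i].used && log->rec[i].pid == pid) { r = &log->rec[i]; break; }
    if (!r) return PROP_UNTRACKED;

    int flags = PROP_UNCHANGED;
    if (live->privileges != r->at_creation.privileges) flags |= PROP_PRIVILEGES_CHANGED;
    if (strncmp(live->user_sid, r->at_creation.user_sid, SID_LEN) != 0) flags |= PROP_USER_SID_CHANGED;
    if (strncmp(live->owner_sid, r->at_creation.owner_sid, SID_LEN) != 0) flags |= PROP_OWNER_SID_CHANGED;
    if (!live->acl_present) flags |= PROP_ACL_NULLED;   /* the separate null-ACL check */
    return flags;
}

int main(void)
{
    creation_log_t creation_log;
    memset(&creation_log, 0, sizeof creation_log);

    /* Constructed values: a normal user token recorded at process creation. */
    token_t at_creation = { 0x0000000000800000ULL, "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1001", true };
    creation_record(&creation_log, 4242, &at_creation);

    /* Later, in the hook: the same process now carries a different user SID,
     * a wider privilege mask and a nulled ACL. */
    token_t live = at_creation;
    live.privileges = 0xFFFFFFFFFFFFFFFFULL;
    strcpy(live.user_sid, "S-1-5-18");   /* well-known SID of the LocalSystem account */
    live.acl_present = false;

    int flags = token_properties_changed(&creation_log, 4242, &live);
    printf("privileges=%d user_sid=%d owner_sid=%d acl_nulled=%d\n",
           !!(flags & PROP_PRIVILEGES_CHANGED), !!(flags & PROP_USER_SID_CHANGED),
           !!(flags & PROP_OWNER_SID_CHANGED), !!(flags & PROP_ACL_NULLED));
    return 0;
}
```

Returning a bitmask rather than a single yes/no keeps the per-field result available for the behavior log, which is where the page says the Privileges mask, UserSID and OwnerSID are recorded at detection time.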
The above detection module 805 is further adapted to: using hook technology, before the CR4 register is operated on in a call stack, check whether that call stack is one permitted to invoke CR4 register modifying instructions, or detect whether the call stack invokes an instruction that disables SMEP; if so, detect that the new process has privilege escalation behavior.
The above detection module 805 is further adapted to detect whether there is behavior that converts a conditional kernel address write operation into an arbitrary kernel address read/write operation; if so, detect that the new process has privilege escalation behavior.
The virtual-machine-based kernel vulnerability detection device provided by this embodiment runs in the virtual machine sandbox isolation environment. According to the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process, it turns on the kernel-layer behavior monitoring master switch, monitors the new processes created by the system, and detects each kernel-layer operation behavior of the new process. The device isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample, so that even if the suspicious sample does contain a vulnerability it cannot harm the server side, giving a safe and efficient kernel vulnerability detection mechanism. Using hook technology, the device installs a hook function on the API corresponding to each detection function point provided by the user-layer process; performing the detection operation before the API is called discovers problems such as privilege escalation and exploitation in a timely and effective way, improving the efficiency of kernel vulnerability detection.
Fig. 9 shows a functional block diagram of the virtual-machine-based kernel vulnerability detection process protection device according to an embodiment of the invention. The device provided by this embodiment is mainly used to protect the address space of the detection processes running in the virtual machine sandbox isolation environment, preventing a malicious sample process that has escaped the sandbox from accessing, releasing or leaking it, so that confidential information is not stolen. As shown in Fig. 9, the device includes: a writing module 901, a hook processing module 902, a judging module 903 and a terminating module 904. Optionally, it also includes a receiving module 905 and a calling module 906.
The receiving module 905 is adapted to receive the process ID of each detection subprocess sent by the user-layer process.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant fields of the target detection configuration file, parses out the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process ID of each detection subprocess to the core detection process through IO control codes.
The receiving module 905 inside the core detection process receives the process IDs of the detection subprocesses sent by the auxiliary detection process (the user-layer process) through IO control codes. Specifically, after receiving the IO control code marked "process ID filtering", the receiving module 905 obtains the process ID transmitted this time from the input buffer.
The writing module 901 is adapted to obtain the relevant information of each detection subprocess and write it into the process filter list.
The writing module 901 obtains the relevant information of the detection subprocess from its process ID; the relevant information may specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection subprocess, the writing module 901 writes it into the process filter list.
The hook processing module 902 is adapted to use hook technology to obtain, before the specified API is called, the relevant information of the current context process and the relevant information of the operation target process.
The hook processing module 902 hooks the specified APIs concerning process, thread and memory address space operations; after the specified API is hooked, the functions of the judging module 903 and the terminating module 904 are implemented in the custom function. The hook processing module 902 first obtains the EPROCESS structure address of the current context process and the EPROCESS structure address of the operation target process.
Judge module 903, is suitable to judge whether the relevant information of the operation target process is recorded in process filtration
It is in list and described when whether the relevant information of front upper and lower background text process is not recorded in the process filter list.Specifically
Ground, judge module 903 judge to operate whether the EPROCESS structures address of target process is recorded in process filter list, and work as
Whether the EPROCESS structures address of front upper and lower background text process is not recorded in process filter list.
The terminate module 904 is suitable to terminate the call to the specified API if the judge module 903 judges that the relevant information of the operation target process is recorded in the process filter list and the relevant information of the current context process is not recorded in the process filter list.
The calling module 906 is suitable to continue the call to the specified API and return the return value of the specified API to the caller if the judge module 903 judges that the relevant information of the operation target process is not recorded in the process filter list, or that the relevant information of the current context process is recorded in the process filter list.
According to the virtual-machine-based kernel vulnerability detection process protection device provided by this embodiment, the relevant information of each detection subprocess is written into the process filter list; before a specified API is called, a hook is used to obtain the relevant information of the current context process and of the operation target process, and the two are matched against the process filter list to decide whether the call to the specified API is terminated. With this device, the address space of the detection processes running in the virtual machine sandbox isolation environment can be protected against access by a malicious sample process that has escaped the sandbox, preventing confidential information from being stolen and raising the safety of kernel vulnerability detection in the virtual machine sandbox isolation environment.
Fig. 10 shows a functional block diagram of the virtual-machine-based kernel vulnerability detection file protection device according to an embodiment of the invention. The device provided by this embodiment is mainly used to protect the detection files produced during the detection process, such as log files, from being accessed, tampered with, encrypted or destroyed by a malicious sample process that has escaped the sandbox, thereby avoiding detection failures or abnormal results caused in this way and maintaining the stability and performance of the sandbox system. As shown in Fig. 10, the device includes a first writing module 1001, a second writing module 1002, a first judge module 1003, a second judge module 1004 and a refusal module 1005; optionally, the device further includes a receiver module 1006 and a response module 1007.
The receiver module 1006 is suitable to receive the store path of the detection file sent by a user-layer process.
After the auxiliary detection process has loaded the driver of the core detection process, it reads the relevant fields of the target detection configuration file, parses them to obtain the process name of each detection subprocess and the store path of each detection file, obtains the process ID of each detection subprocess from its process name, and sends the process ID of each detection subprocess and the store path of each detection file to the core detection process by means of IO control codes.
The receiver module 1006 inside the core detection process receives the process ID of each detection subprocess and the store path of each detection file sent by the auxiliary detection process (the user-layer process) by means of IO control codes. Specifically, after receiving the IO control code labelled "process ID filter", the core detection process obtains the process ID transmitted in this call from the input buffer; after receiving the IO control code labelled "private directory", the core detection process obtains the store path of the detection file transmitted in this call from the input buffer.
The first writing module 1001 is suitable to obtain the relevant information of each detection subprocess and to write the relevant information of each detection subprocess into the process filter list.
The first writing module 1001 obtains the relevant information of a detection subprocess according to its process ID. In this method, the relevant information may specifically be the address of the EPROCESS structure. After the first writing module 1001 has obtained the EPROCESS structure address of each detection subprocess, it writes the EPROCESS structure address of each detection subprocess into the process filter list.
The second writing module 1002 is suitable to obtain the store path information of the detection file and to write the store path information of the detection file into the private directory list.
The second writing module 1002 constructs a string from the store path of the detection file as the store path information of the detection file, and writes the store path information of the detection file into the private directory list.
The first judge module 1003 is suitable to judge, when a file access operation occurs, whether the store path information of the file access object is recorded in the private directory list.
In this embodiment, the protection of the detection files is implemented mainly in the bodies of the IRP dispatch functions. For example, in the custom function bodies of the READ, WRITE, CREATE, SET_INFORMATION, DIRECTORY_CONTROL and other dispatch functions, it is judged whether the store path information of the file access object is recorded in the private directory list.
The second judge module 1004 is suitable to judge, if the first judge module 1003 judges that the store path information of the file access object is recorded in the private directory list, whether the relevant information of the current context process is recorded in the process filter list.
If the store path information of the file access object is judged to be recorded in the private directory list, the second judge module 1004 further judges whether the relevant information of the current context process is recorded in the process filter list; specifically, it judges whether the EPROCESS structure address of the current context process is recorded in the process filter list.
The refusal module 1005 is suitable to refuse the file access operation if the second judge module 1004 judges that the relevant information of the current context process is not recorded in the process filter list.
If the store path information of the file access object is recorded in the private directory list and the relevant information of the current context process is not recorded in the process filter list, this shows that some other process is attempting to access the detection file; the IRP is then not dispatched further down the stack and the file access operation is refused.
The response module 1007 is suitable to continue responding to the file access operation if the first judge module 1003 judges that the store path information of the file access object is not recorded in the private directory list, or if the second judge module 1004 judges that the relevant information of the current context process is recorded in the process filter list.
If the store path information of the file access object is not recorded in the private directory list, this shows that the object being accessed is not a detection file requiring protection; the IRP continues to be dispatched downwards and the file access operation is responded to. If the store path information of the file access object is recorded in the private directory list and the relevant information of the current context process is recorded in the process filter list, this shows that a detection subprocess is attempting to access the detection file; the IRP continues to be dispatched downwards and the file access operation is responded to.
According to the virtual-machine-based kernel vulnerability detection file protection device provided by this embodiment, the relevant information of each detection subprocess is written into the process filter list and the store path information of the detection files is written into the private directory list; when a file access operation occurs, the store path information of the file access object and the relevant information of the current context process are matched against the private directory list and the process filter list respectively to decide whether the file access operation is refused. With this device, the detection files produced in the virtual machine sandbox isolation environment can be protected from being accessed, tampered with, encrypted or destroyed by a malicious sample process that has escaped the sandbox, avoiding detection failures or abnormal results caused in this way and maintaining the stability and performance of the sandbox system.
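The two decision rules described above, that of the process protection device (judge module 903 and terminate module 904) and that of the file protection device (judge modules 1003 and 1004 and refusal module 1005), carried out in user-space C as an added example; this is not the patent's own code. EPROCESS structure addresses are modelled as plain integers, and matching a store path against the private directory list is assumed here to be a case-insensitive prefix comparison, which the specification does not spell out.

```c
/* Added example, not the patent's code: a user-space model of the two filter
 * rules. EPROCESS addresses are plain uintptr_t values; a real driver would
 * obtain them from the kernel for the current and the target process. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ENTRIES 16

/* Process filter list: EPROCESS addresses of the detection subprocesses. */
typedef struct {
    uintptr_t eprocess[MAX_ENTRIES];
    size_t count;
} ProcessFilterList;

/* Private directory list: store paths of the detection files to protect. */
typedef struct {
    const char *path[MAX_ENTRIES];
    size_t count;
} PrivateDirList;

bool pfl_add(ProcessFilterList *l, uintptr_t ep) {
    if (l->count >= MAX_ENTRIES) return false;
    l->eprocess[l->count++] = ep;
    return true;
}

bool pfl_contains(const ProcessFilterList *l, uintptr_t ep) {
    for (size_t i = 0; i < l->count; i++)
        if (l->eprocess[i] == ep) return true;
    return false;
}

/* Assumption: Windows paths are case-insensitive, so the store path recorded
 * in the list is compared as a case-insensitive prefix of the accessed path. */
static bool path_has_prefix(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0') return false;
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return false;
    }
    return true;
}

bool pdl_matches(const PrivateDirList *l, const char *path) {
    for (size_t i = 0; i < l->count; i++)
        if (path_has_prefix(path, l->path[i])) return true;
    return false;
}

/* Rule of modules 903/904 (hooked process, thread and memory APIs): terminate
 * the call only when the operation target is a detection subprocess and the
 * current context process is not one. Every other case falls through to the
 * original API (module 906). */
bool should_terminate_api_call(const ProcessFilterList *pfl,
                               uintptr_t current_ep, uintptr_t target_ep) {
    return pfl_contains(pfl, target_ep) && !pfl_contains(pfl, current_ep);
}

/* Rule of modules 1003/1004/1005 (IRP dispatch for READ, WRITE, CREATE, ...):
 * refuse the access only when the object lies under a private directory and
 * the current context process is not a detection subprocess. Every other case
 * lets the IRP continue downwards (module 1007). */
bool should_deny_file_access(const ProcessFilterList *pfl,
                             const PrivateDirList *pdl,
                             const char *path, uintptr_t current_ep) {
    return pdl_matches(pdl, path) && !pfl_contains(pfl, current_ep);
}
```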
The present invention may be applied in multiple fields such as network security, terminal security, cloud security, application security, security management and security services. Products include high-, mid- and low-end next-generation firewalls, intrusion prevention systems, DDoS attack defence systems, virtualized integrated service gateways, sandboxes, big-data security analysis systems and the like, as well as the corresponding solutions directed at traditional threats and unknown threats.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. As described above, the structure required to construct such a system is obvious. Additionally, the present invention is not directed at any particular programming language. It is to be understood that various programming languages may be used to implement the content of the invention described herein, and that the description of a specific language above is given to disclose the preferred embodiment of the invention.
In the description provided herein, a large number of specific details are set forth. It is to be appreciated, however, that the embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it will be appreciated that, in order to simplify the disclosure and help the understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the method of the disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Thus the claims following the specific embodiments are hereby expressly incorporated into those specific embodiments, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Additionally, it will be appreciated by those skilled in the art that although some embodiments described herein include some features included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The embodiments of the various components of the present invention may be realized in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to realize some or all of the functions of some or all of the components of the virtual-machine-based kernel vulnerability detection device according to embodiments of the present invention. The present invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs realizing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe rather than limit the present invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between brackets shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be realized by means of hardware comprising several different elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The invention discloses: A1, a virtual-machine-based kernel vulnerability detection method, the method running in a virtual machine sandbox isolation environment and comprising:
starting a communication agent process, the communication agent process listening on a designated port, waiting for and receiving the detection package and sample file transmitted by the host outside the virtual machine, and storing the detection package and the sample file under the detection directory and a temporary directory respectively;
starting the scheduling management and control process in the detection package, the scheduling management and control process obtaining the store path of the sample file, identifying the sample file type, selecting the detection mode and each detection function point according to the configuration options in the general detection configuration file, and creating the target detection configuration file for the sample file;
starting an auxiliary detection process, the auxiliary detection process controlling the switch of each detection function point using the target detection configuration file;
starting a core detection process, the core detection process receiving the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, performing vulnerability detection, generating a log file according to the detection results, and storing the log file under the log directory.
A2, the method according to A1, wherein after the scheduling management and control process in the detection package is started, the method further comprises: the communication agent process creating a message communication thread and establishing a communication connection with the scheduling management and control process.
A3, the method according to A2, wherein the method further comprises:
the scheduling management and control process creating a screen capture thread, which captures a screen image at predetermined time intervals;
using the communication connection established between the scheduling management and control process and the communication agent process, sending the captured screen image to the communication agent process in real time;
the communication agent process sending the captured screen image to the host outside the virtual machine.
A4, the method according to A1, wherein the method further comprises: the scheduling management and control process creating a mouse emulation click thread, which performs simulated mouse click operations at random screen coordinates and simulated mouse click operations directed at particular controls.
A5, the method according to A1, wherein the method further comprises: the scheduling management and control process selecting a timeout restriction condition according to the configuration options in the general detection configuration file;
during the detection process performed on the sample file, judging whether the timeout restriction condition is met and, if so, ending the detection process, packaging the detection results as a data packet and sending it to the communication agent process, so that the communication agent process sends the data packet to the host outside the virtual machine.
A6, the method according to A1, wherein the core detection process receiving the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process is specifically: the core detection process receiving the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process by means of IO control codes.
The invention also discloses: B7, a virtual-machine-based kernel vulnerability detection device, the device running in a virtual machine sandbox isolation environment and comprising:
a communication agent module, suitable to start a communication agent process, make the communication agent process listen on a designated port, wait for and receive the detection package and sample file transmitted by the host outside the virtual machine, and store the detection package and the sample file under the detection directory and a temporary directory respectively;
a scheduling management and control module, suitable to start the scheduling management and control process in the detection package, make the scheduling management and control process obtain the store path of the sample file, identify the sample file type, select the detection mode and each detection function point according to the configuration options in the general detection configuration file, and create the target detection configuration file for the sample file;
an auxiliary detection module, suitable to start an auxiliary detection process and make the auxiliary detection process control the switch of each detection function point using the target detection configuration file;
a core detection module, suitable to start a core detection process, make the core detection process receive the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, perform vulnerability detection, generate a log file according to the detection results, and store the log file under the log directory.
B8, the device according to B7, wherein the communication agent module is further suitable to: make the communication agent process create a message communication thread and establish a communication connection with the scheduling management and control process.
B9, the device according to B8, wherein the scheduling management and control module is further suitable to: make the scheduling management and control process create a screen capture thread, which captures a screen image at predetermined time intervals, and send the captured screen image to the communication agent process in real time using the communication connection established between the scheduling management and control process and the communication agent process;
the communication agent module is further suitable to: make the communication agent process send the captured screen image to the host outside the virtual machine.
B10, the device according to B7, wherein the scheduling management and control module is further suitable to: make the scheduling management and control process create a mouse emulation click thread, which performs simulated mouse click operations at random screen coordinates and simulated mouse click operations directed at particular controls.
B11, the device according to B7, wherein the scheduling management and control module is further suitable to: make the scheduling management and control process select a timeout restriction condition according to the configuration options in the general detection configuration file, judge during the detection process performed on the sample file whether the timeout restriction condition is met and, if so, end the detection process, package the detection results as a data packet and send it to the communication agent process, so that the communication agent process sends the data packet to the host outside the virtual machine.
B12, the device according to B7, wherein the core detection module is further suitable to: make the core detection process receive the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process by means of IO control codes.