CN106557701A - Kernel vulnerability detection method and device based on virtual machine - Google Patents


Info

Publication number: CN106557701A
Application number: CN201611070377.XA
Authority: CN (China)
Prior art keywords: detection, file, sample, communication agent, virtual machine
Legal status: Granted (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN106557701B (en)
Inventor: 李琦
Current assignee: Beijing Hongxiang Technical Service Co Ltd (assignee list may be inaccurate)
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201611070377.XA; publication of CN106557701A; application granted; publication of CN106557701B
Legal status: Active; anticipated expiration not listed

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract

The invention discloses a virtual-machine-based kernel vulnerability detection method and device. The method includes: starting a communication agent process, which listens on a designated port and waits to receive a detection package and a sample file; starting the scheduling control process contained in the detection package, which obtains the sample file's storage path, identifies the sample file type, and creates a target detection configuration file for the sample file from a general detection configuration file; starting an auxiliary detection process, which uses the target detection configuration file to control the switches of the individual detection function points; and starting a core detection process, which performs the vulnerability detection, generates a log file from the detection result, and stores the log file under the log directory. The invention isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample, so that even if the suspicious sample really does exploit a vulnerability, the server side is not damaged; this gives a safe and efficient kernel vulnerability detection mechanism.

Description

Kernel vulnerability detection method and device based on virtual machine
Technical field
The present invention relates to the field of computer security technology, and in particular to a virtual-machine-based kernel vulnerability detection method and device.
Background technology
Network malicious behavior refers to the hardware, software and data of a network system being attacked, destroyed, altered or leaked by malicious code, so that the system can no longer run continuously, reliably and normally and network services are interrupted. With the spread of informatization and the appearance of many new network applications, the behaviors exhibited by network malicious code keep multiplying; the most common network malicious behaviors at present are web page Trojan implanting, account theft, port scanning, vulnerability scanning, ARP (Address Resolution Protocol) spoofing, IP (Internet Protocol) hijacking, DDoS (Distributed Denial of Service) attacks, flooding, Trojan attacks and the like.
A vulnerability is a defect in the concrete implementation of hardware, software or a protocol, or in a system security policy, that allows an attacker to access or damage the system without authorization. Since the kernel is the core of the operating system, detecting kernel vulnerabilities is the top priority of security protection work. In the prior art, a hacker who has intruded into a system often obtains the highest privilege of the system by means of privilege escalation and thereby gains control of the operating system. Simply put, privilege escalation means elevating a low-privilege, restricted user to the highest privilege in the system (such as administrator rights). Access control is the cornerstone of system security and of all security software; once this threshold is broken, every defensive measure becomes invalid. Therefore, how to detect kernel vulnerabilities effectively and prevent hackers from attacking the system by means of privilege escalation has become an urgent problem in the prior art.
The content of the invention
In view of the above problems, the present invention is proposed in order to provide a virtual-machine-based kernel vulnerability detection method and device that overcome the above problems or at least partially solve them.
According to one aspect of the invention, a virtual-machine-based kernel vulnerability detection method is provided. The method runs in a virtual machine sandbox isolation environment and includes:
starting a communication agent process, which listens on a designated port, waits to receive a detection package and a sample file transmitted by a host outside the virtual machine, and stores the detection package and the sample file under a detection directory and a temporary directory respectively;
starting the scheduling control process contained in the detection package, which obtains the sample file's storage path, identifies the sample file type, and selects the detection mode and the individual detection function points according to the configuration options in a general detection configuration file, so as to create a target detection configuration file for the sample file;
starting an auxiliary detection process, which uses the target detection configuration file to control the switches of the individual detection function points;
starting a core detection process, which receives the sample file's relevant information and the switch information of each detection function point sent by the auxiliary detection process, performs the vulnerability detection, generates a log file from the detection result, and stores the log file under the log directory.
According to another aspect of the invention, a virtual-machine-based kernel vulnerability detection device is provided. The device runs in a virtual machine sandbox isolation environment and includes:
a communication agent module, adapted to start a communication agent process and make it listen on a designated port, wait to receive the detection package and sample file transmitted by the host outside the virtual machine, and store the detection package and the sample file under the detection directory and the temporary directory respectively;
a scheduling control module, adapted to start the scheduling control process contained in the detection package and make it obtain the sample file's storage path, identify the sample file type, select the detection mode and the individual detection function points according to the configuration options in the general detection configuration file, and create the target detection configuration file for the sample file;
an auxiliary detection module, adapted to start an auxiliary detection process and make it use the target detection configuration file to control the switches of the individual detection function points;
a core detection module, adapted to start a core detection process and make it receive the sample file's relevant information and the switch information of each detection function point sent by the auxiliary detection process, perform the vulnerability detection, generate a log file from the detection result, and store the log file under the log directory.
The virtual-machine-based kernel vulnerability detection method and device provided by the present invention run in a virtual machine sandbox isolation environment: the communication agent process handles data exchange and file transfer with the host outside the virtual machine, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The invention isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample, so that even if the suspicious sample really does exploit a vulnerability, the server side is not damaged; this gives a safe and efficient kernel vulnerability detection mechanism.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be understood more clearly and practiced according to the content of the description, and that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a flow chart of a virtual-machine-based kernel vulnerability detection method according to an embodiment of the invention;
Fig. 2 is a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention;
Fig. 3 is a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention;
Fig. 4 is a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention;
Fig. 5 is a flow chart of a virtual-machine-based kernel vulnerability detection process protection method according to an embodiment of the invention;
Fig. 6 is a flow chart of a virtual-machine-based kernel vulnerability detection file protection method according to an embodiment of the invention;
Fig. 7 is a functional block diagram of a virtual-machine-based kernel vulnerability detection device according to an embodiment of the invention;
Fig. 8 is a functional block diagram of a virtual-machine-based kernel vulnerability detection device according to another embodiment of the invention;
Fig. 9 is a functional block diagram of virtual-machine-based kernel vulnerability detection process protection according to an embodiment of the invention;
Fig. 10 is a functional block diagram of virtual-machine-based kernel vulnerability detection file protection according to an embodiment of the invention.
Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to an embodiment of the invention. The method runs in a virtual machine sandbox isolation environment on the server side and performs dynamic kernel vulnerability exploitation detection for a specified sample file. As shown in Fig. 1, the method includes the following steps:
Step S101: start the communication agent process. The communication agent process listens on a designated port, waits to receive the detection package and sample file transmitted by the host outside the virtual machine, and stores the detection package and the sample file under the detection directory and the temporary directory respectively.
The communication agent process is responsible for data exchange and file transfer with the host outside the virtual machine. When the operating system of the server-side virtual machine boots, the communication agent process starts automatically with it. It listens on the designated port and waits to receive the detection package and sample file transmitted by the corresponding process on the host outside the virtual machine. The communication agent process decompresses the detection package and stores the extracted files under the detection directory; it stores the sample file under the temporary directory. It then starts the scheduling control process contained in the detection package.
Step S102: start the scheduling control process contained in the detection package. The scheduling control process obtains the sample file's storage path, identifies the sample file type, and selects the detection mode and the individual detection function points according to the configuration options in the general detection configuration file, so as to create the target detection configuration file for the sample file.
After the scheduling control process starts, it obtains the sample file's storage path and identifies the sample file type. It then reads the general detection configuration file associated with it, selects the detection mode and the individual detection function points according to the sample file type, initializes its own functions, and creates the target detection configuration file for the sample file. It then starts the auxiliary detection process and passes the sample file's storage path (which may be a URL) to the auxiliary detection process as a parameter.
Step S103: start the auxiliary detection process. The auxiliary detection process uses the target detection configuration file to control the switches of the individual detection function points.
After the auxiliary detection process starts, it initializes itself according to the target detection configuration file, loads the driver of the core detection process, and uses the target detection configuration file to control the switches of the individual detection function points.
Step S104: start the core detection process. The core detection process receives the sample file's relevant information and the switch information of each detection function point sent by the auxiliary detection process, performs the vulnerability detection, generates a log file from the detection result, and stores the log file under the log directory.
After the auxiliary detection process loads the driver of the core detection process, the core detection process starts. It receives the sample file's relevant information and the switch information of each detection function point sent by the auxiliary detection process and performs its initialization. It then detects the sample file according to the sample file's relevant information and the switch information of each detection function point, generates a log file from the detection result, and stores the log file under the log directory.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment: the communication agent process handles data exchange and file transfer with the host outside the virtual machine, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample, so that even if the suspicious sample really does exploit a vulnerability, the server side is not damaged; this gives a safe and efficient kernel vulnerability detection mechanism.
Fig. 2 shows a flow chart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the invention. This method describes the overall scheme of virtual-machine-based kernel vulnerability detection; specifically, it runs in a virtual machine sandbox isolation environment on the server side and performs dynamic kernel vulnerability exploitation detection for a specified sample file. As shown in Fig. 2, the method includes the following steps:
Step S201: when the operating system of the server-side virtual machine boots, the communication agent process starts automatically.
The communication agent process is responsible for data exchange and file transfer with the host outside the virtual machine. When the operating system of the server-side virtual machine boots, the communication agent process starts automatically with it.
Step S202: the communication agent process listens on the designated port and waits for data.
The server-side virtual machine provides a designated port for access by the host outside the virtual machine; once started, the communication agent process listens on that port and waits for the data sent over by the host outside the virtual machine.
Step S203: the communication agent process receives the detection package and sample file transmitted by the host outside the virtual machine and stores them under the detection directory and the temporary directory respectively.
After the communication agent process has received, through the designated port, the detection package and sample file transmitted by the host outside the virtual machine, it decompresses the detection package and stores the extracted files under the detection directory, which may be a randomly generated directory; it stores the sample file under the temporary directory.
Step S204: the communication agent process starts the scheduling control process.
The communication agent process sends a start command that starts the scheduling control process.
Step S205: the communication agent process creates a message communication thread and establishes a communication connection with the scheduling control process.
After the scheduling control process has started, the communication agent process creates a message communication thread and, optionally, establishes a communication connection with the scheduling control process via RPC (Remote Procedure Call Protocol). Here RPC refers to the mechanism of the XMLRPCLIB library; XML-RPC is a remote procedure call mechanism that uses HTTP as the transport protocol and transmits commands and data as XML text. Through this connection, message packets subsequently received from the scheduling control process can be forwarded to the host outside the virtual machine in real time.
Step S206: the scheduling control process initializes its own functions.
After the scheduling control process starts, it obtains the sample file's storage path and identifies the sample file type. It then reads the general detection configuration file associated with it, selects the detection mode and the individual detection function points according to the sample file type, and initializes its own functions. In addition, the scheduling control process selects a timeout restriction condition according to the configuration options in the general detection configuration file; the timeout restriction condition specifically limits how long the core detection process may spend on detection. Configuring a timeout restriction condition prevents the subsequent detection of a given sample file from taking too long and improves detection efficiency.
Step S207: the scheduling control process creates a screen capture thread and/or a mouse simulation click thread.
Optionally, the scheduling control process creates a screen capture thread and/or a mouse simulation click thread. The screen capture thread takes screenshots of the screen of the server on which the virtual machine is located; the captured screen images can be sent to the host outside the virtual machine through the communication agent process. The mouse simulation click thread simulates mouse clicks at random screen coordinates and simulates mouse clicks on specific controls.
Step S208: the scheduling control process creates the target detection configuration file for the sample file, starts the auxiliary detection process, and passes the sample file's storage path to the auxiliary detection process as a parameter.
The scheduling control process reads the general detection configuration file, selects and configures the configuration options in it, and thereby obtains the target detection configuration file for the sample file. Different types of sample file have different detection modes and different configured detection function points, so the scheduling control process can create a customized target detection configuration file for each type of sample file. It then starts the auxiliary detection process and passes the sample file's storage path to it as a command line parameter.
Step S209: the screen capture thread captures a screen image at predetermined time intervals and sends the captured image to the communication agent process in real time.
Step S210: the mouse simulation click thread simulates mouse clicks at random screen coordinates and on specific controls.
Step S211: the auxiliary detection process initializes itself according to the target detection configuration file and uses the target detection configuration file to control the switches of the individual detection function points.
The auxiliary detection process initializes its own functions by parsing the command line parameters and the target detection configuration file. Specifically, it parses out basic information such as the sample file's storage path, the detection mode, the individual detection function points and some other detection function configuration options, calculates the MD5 of the sample file, and controls the switches of the individual detection function points. The calculated MD5 of the sample file allows the sample data produced during subsequent detection to be associated with the task data; one sample file may correspond to multiple detection tasks. The MD5 can also be used to associate the sample data with Trojan information, VT and first-kill engine results, and to classify and display the uniformly stored URL, Trojan and APT-class samples.
Step S212: the auxiliary detection process loads the driver of the core detection process, which starts the core detection process.
Step S213: the auxiliary detection process sends the sample file's relevant information and the switch information of each detection function point by means of IO control codes.
The auxiliary detection process sends the sample file's relevant information and the switch information of each detection function point to the core detection process by means of IO control codes, so as to turn on the monitoring of kernel-layer vulnerability exploitation behavior.
Step S214: the auxiliary detection process starts the sample process and makes the sample process run the sample file.
Step S215: the core detection process performs its initialization.
When the driver of the core detection process is loaded, it initializes the related data structure objects and variables the driver needs; these data structure objects and variables are closely associated with the individual function detection points.
Step S216: the core detection process creates a log recording thread.
To record the detection process conveniently, a log recording thread is created to record the logs produced during detection.
Step S217: the core detection process receives the sample file's relevant information and the switch information of each detection function point that the auxiliary detection process sends by means of IO control codes.
The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the sample file's relevant information and the switch information of each detection function point. According to the switch information of each detection function point, it turns on monitoring of the corresponding detection function point.
Step S218: the core detection process performs vulnerability detection.
The vulnerabilities detectable by the core detection process include URLs related to malicious web pages and the related vulnerabilities, viruses, Trojans and attacked sample objects. The sample objects also include: 0Day, NDay, 0Day in its exposure period, information on Trojan-implanting sites, important websites, follow-up of Trojan-implanting sites, and so on. Here a 0Day is a vulnerability that has been discovered (possibly without being disclosed) and for which the vendor has no patch yet. Such vulnerabilities are exploited maliciously as soon as they are discovered; for example, a 0Day can be used to edit the registry, download files and run files. The sample object may take the form of a file, an executable program and the like; the invention is not limited in this regard.
Step S219: the log recording thread generates a log file from the detection result and stores the log file under the log directory.
A subsequent identification engine can read the log file. Inside the identification engine (static and dynamic), the various required log information is extracted, the detection result is analyzed and screened, and basic rule judgements are made; the back end has up to several hundred rules. In short, analysis means combining the static and dynamic log data and using rules and correlation analysis to identify the sample's risk level (black, white or grey). Screening mainly filters out the samples that have been hit according to detection behavior characteristics, together with samples showing some highly suspicious behavior characteristics, and distributes them according to the needs of different groups.
Step S220: during the above detection process, judge in real time whether the timeout restriction condition is met; if so, end the detection process, package the detection result into a data packet and send it to the communication agent process, so that the communication agent process sends the packet to the host outside the virtual machine.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual machine sandbox isolation environment: the communication agent process handles data exchange and file transfer with the host outside the virtual machine, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample, so that even if the suspicious sample really does exploit a vulnerability, the server side is not damaged; this gives a safe and efficient kernel vulnerability detection mechanism. In this method the scheduling control process selects a timeout restriction condition according to the configuration options in the general detection configuration file; configuring the timeout restriction condition prevents the subsequent detection of a given sample file from taking too long and improves detection efficiency. The scheduling control process creates a screen capture thread and/or a mouse simulation click thread, so that the image presented on the server screen can be transmitted to the host outside the virtual machine, where the user can view the progress and details of the detection process; the visualization effect is good.
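The IO-control-code exchange between the auxiliary detection process (user layer) and the core detection driver in steps S213 and S217 is the one place where untrusted-length data crosses into the kernel, so the driver-side parser should validate the buffer before trusting a field. The following is an added example, not the patent's code: a portable C model of that message with the user-layer encoder and the driver-side checks. The control-code number, the field layout, the function-point numbering and the `REQ_MAGIC` value are assumptions; only the `CTL_CODE` bit layout matches the Windows macro.

```c
/* Added example (not from the patent): the request the auxiliary detection
 * process sends to the core detection driver by IO control code, modelled in
 * plain C so it runs without the Windows DDK. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE as laid out in the Windows DDK, reproduced so the example is
 * self-contained: device type, access and method packed into one 32-bit code. */
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define CTL_CODE(dev, func, method, access) \
    ((uint32_t)(((dev) << 16) | ((access) << 14) | ((func) << 2) | (method)))

/* Assumed control code carrying the "kernel exploitation monitoring" flag the
 * driver looks for in Step S305; 0x800 is the first vendor-defined function. */
#define IOCTL_KERNEL_EXPLOIT_MONITOR \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Assumed detection function points, one switch bit each (Steps S211/S303). */
enum func_point {
    FP_MASTER      = 1u << 0,  /* kernel-layer behaviour monitoring master switch */
    FP_SSDT_HOOK   = 1u << 1,  /* hook the SSDT entries chosen for this sample */
    FP_HAL_TABLE   = 1u << 2,  /* compare HalDispatchTable against the saved baseline */
    FP_PROC_CREATE = 1u << 3   /* track newly created processes */
};

#define REQ_MAGIC   0x4B564D44u  /* assumed marker, "KVMD" */
#define REQ_VERSION 1u

/* Wire layout: fixed header first, then sample information, so a short buffer
 * is rejected before any field is read. */
struct detect_request {
    uint32_t magic;
    uint32_t version;
    uint32_t ioctl_code;       /* must equal IOCTL_KERNEL_EXPLOIT_MONITOR */
    uint32_t switches;         /* bitmask of enum func_point */
    uint32_t timeout_seconds;  /* timeout restriction condition from the config (S206) */
    char     sample_md5[33];   /* hex MD5 computed by the auxiliary process (S211) */
    char     sample_path[260]; /* storage path passed on the command line (S208) */
};

enum parse_status { PARSE_OK = 0, PARSE_SHORT, PARSE_BAD_MAGIC, PARSE_BAD_CODE,
                    PARSE_BAD_STRING, PARSE_MASTER_OFF };

/* User-layer side: build the request the auxiliary detection process sends.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t encode_request(uint8_t *buf, size_t cap, const char *path,
                      const char *md5, uint32_t switches, uint32_t timeout)
{
    struct detect_request r;
    memset(&r, 0, sizeof r);
    r.magic = REQ_MAGIC;
    r.version = REQ_VERSION;
    r.ioctl_code = IOCTL_KERNEL_EXPLOIT_MONITOR;
    r.switches = switches;
    r.timeout_seconds = timeout;
    strncpy(r.sample_md5, md5, sizeof r.sample_md5 - 1);   /* keeps the final NUL */
    strncpy(r.sample_path, path, sizeof r.sample_path - 1);
    if (cap < sizeof r) return 0;
    memcpy(buf, &r, sizeof r);
    return sizeof r;
}

/* Driver side: the checks a dispatch routine should run on the input buffer
 * before trusting a single field. On success the validated request is copied
 * to *out (which may be NULL when only the verdict is wanted). */
enum parse_status driver_parse_request(const uint8_t *buf, size_t len,
                                       struct detect_request *out)
{
    struct detect_request r;
    if (len < sizeof r) return PARSE_SHORT;          /* never read past the buffer */
    memcpy(&r, buf, sizeof r);
    if (r.magic != REQ_MAGIC || r.version != REQ_VERSION) return PARSE_BAD_MAGIC;
    if (r.ioctl_code != IOCTL_KERNEL_EXPLOIT_MONITOR) return PARSE_BAD_CODE;
    /* both strings must be NUL-terminated inside their own field */
    if (r.sample_md5[sizeof r.sample_md5 - 1] != '\0' ||
        r.sample_path[sizeof r.sample_path - 1] != '\0') return PARSE_BAD_STRING;
    if (!(r.switches & FP_MASTER)) return PARSE_MASTER_OFF; /* nothing to monitor */
    if (out) *out = r;
    return PARSE_OK;
}

int main(void)
{
    uint8_t buf[sizeof(struct detect_request)];
    struct detect_request r;
    /* constructed sample values, not from the patent */
    size_t n = encode_request(buf, sizeof buf, "C:\\temp\\sample.exe",
                              "d41d8cd98f00b204e9800998ecf8427e",
                              FP_MASTER | FP_SSDT_HOOK | FP_HAL_TABLE, 120);
    printf("encoded %zu bytes, code 0x%x\n", n, IOCTL_KERNEL_EXPLOIT_MONITOR);
    printf("full buffer   -> %d\n", driver_parse_request(buf, n, &r));
    printf("truncated     -> %d\n", driver_parse_request(buf, n - 1, NULL));
    return 0;
}
```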
Fig. 3 shows a flowchart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the present invention. This embodiment mainly describes in detail the working process of the above core detection process and the specifics of how it performs vulnerability detection. It should be understood, however, that the method of this embodiment is only one way of realizing vulnerability detection and can be realized without relying on the environment described in the previous embodiment. The method of this embodiment runs in a virtual-machine sandbox isolation environment; as shown in Fig. 3, it comprises the following steps:
Step S301: load the driver.
When the driver of the core detection process is loaded, the related data structure objects and variables the driver needs are initialized. The process ID of at least one system process is recorded, and at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable), such as the pointer value of HalQuerySystemInformation, is recorded.
Step S302: receive the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process.
In this embodiment the user-layer process refers to the auxiliary detection process described in the above embodiment. The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the relevant information of the sample file and the switch information of each detection function point.
Step S303: turn on the kernel-layer behaviour monitoring master switch according to the switch information of each detection function point.
Step S304: when the system creates a new process, add the new process to the process creation record list.
When the system starts the sample process to run the sample file, the sample process is identified as a newly created process and is added to the process creation record list.
Step S305: detect each kernel-layer operation behaviour of the new process.
This embodiment detects each kernel-layer operation behaviour of the new process by hooking. Specifically, after the core detection process receives an IO control code sent by the auxiliary detection process, it parses the code, recognises the "kernel exploitation monitoring" flag, and then selects the corresponding dispatch handler routine according to the data in the incoming buffer. According to the relevant information of the sample file and the switch information of each detection function point, it hooks, in the SSDT (System Service Descriptor Table), the specified API of each function detection point together with NtQueryIntervalProfile.
By means of these hooks a custom function is executed before the system calls a specified API or NtQueryIntervalProfile, which realises the detection of each kernel-layer operation behaviour.
Step S306: generate a log file according to the detection result and store the log file under the log directory.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual-machine sandbox isolation environment. According to the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process, it turns on the kernel-layer behaviour monitoring master switch, monitors the new processes created by the system, and detects each kernel-layer operation behaviour of the new process. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample: even if the suspicious sample really does exploit a vulnerability, it cannot damage the server side, which gives a safe and efficient kernel vulnerability detection mechanism.
Fig. 4 shows a flowchart of a virtual-machine-based kernel vulnerability detection method according to another embodiment of the present invention. This embodiment further elaborates the working process of the core detection process on the basis of the method shown in Fig. 3. As shown in Fig. 4, the method comprises the following steps:
Step S401: load the driver.
When the driver of the core detection process is loaded, the related data structure objects and variables the driver needs are initialized. The process ID of at least one system process is recorded, and at least one key function pointer value stored in the HAL dispatch table (HalDispatchTable), such as the pointer value of HalQuerySystemInformation, is recorded.
Step S402: create a log recording thread.
To make it convenient to record the detection process, a log recording thread is created to record the logs produced during detection.
Step S403: receive, via IO control codes, the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process.
In this embodiment the user-layer process refers to the auxiliary detection process described in the above embodiment. The core detection process receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the relevant information of the sample file and the switch information of each detection function point.
Specifically, the core detection process recognises the "kernel exploitation monitoring" flag by parsing the IO control code, then selects the corresponding dispatch handler routine according to the data in the incoming buffer.
Step S404: according to the relevant information of the sample file and the switch information of each detection function point, hook in the SSDT the specified API of each function detection point and NtQueryIntervalProfile.
This embodiment detects each kernel-layer operation behaviour of the new process by hooking. According to the relevant information of the sample file and the switch information of each detection function point, it hooks in the SSDT the specified API of each function detection point and NtQueryIntervalProfile. The hooked APIs are specifically the key NTAPI functions for memory, privilege, registry, process/thread and file operations. In addition, a process creation notification routine is set, so that when the system creates a new process the routine is entered and performs the associated operations.
Step S405: turn on the kernel-layer behaviour monitoring master switch according to the switch information of each detection function point.
Step S406: when the system creates a new process, add the new process to the process creation record list.
When the system creates a new process, the process creation notification routine is entered first; in this routine the attribute values of the newly created process are recorded, for example Privileges, UserSID and OwnerSID. The new process is then added to the process creation record list.
Step S407: detect each kernel-layer operation behaviour of the new process.
When the new process calls NtQueryIntervalProfile, it is first checked whether the new process is recorded in the process creation record list; if not, it is added to the list. Likewise, when the new process calls one of the aforementioned specified APIs, it is checked whether the new process is in the process creation record list and added if it is not.
Once it is ensured that the new process has been added to the process creation record list, hooking is used to detect each kernel-layer operation behaviour of the new process. This specifically includes the following embodiments:
(1) HalDispatchTable detection
Using the hook, before NtQueryIntervalProfile is called, at least one key function pointer value stored in HalDispatchTable is obtained and compared with the at least one key function pointer value of HalDispatchTable recorded during driver loading. If any compared pointer value differs, a privilege escalation behaviour of the new process is detected.
(2) Token replacement detection
Using the hook, before the corresponding specified API is called, the EPROCESS structure address of the at least one system process is obtained from the process ID recorded during driver loading, and the EPROCESS structure address of the new process is obtained as well. The pointer value of the Token field in the EPROCESS structure of the new process is compared with the pointer value of the Token field in the EPROCESS structure of the at least one system process; if it equals the Token pointer value of one of the system processes, a privilege escalation behaviour of the new process is detected.
Here the specified APIs can be: process creation (NtCreateUserProcess); memory creation and read/write in other processes (NtAllocateVirtualMemory/NtProtectVirtualMemory/NtReadVirtualMemory/NtWriteVirtualMemory); opening other processes/threads (NtOpenThread/NtOpenProcess/NtSetContextThread); registry read/write; file read/write; and so on.
(3) Token attribute value detection
Using the hook, before the corresponding specified API is called, the attribute values of the new process are obtained and compared with the attribute values of the new process recorded in the process creation notification routine. If they differ, a privilege escalation behaviour of the new process is detected.
In the concrete comparison, the Privileges, TokenUser and/or TokenOwner of the new process obtained now are compared with the Privileges, TokenUser and/or TokenOwner of the new process recorded in the process creation notification routine; if any one of these comparisons differs, a privilege escalation behaviour of the new process is detected.
Here the specified APIs are the functions related to the Token.
(4) Token attribute value null detection
Using the hook, before the corresponding specified API is called, it is queried whether the ACL of the Token field in the EPROCESS structure of the new process has been set to null; if so, a privilege escalation behaviour of the new process is detected.
(5) Kernel ROP (Return Oriented Programming, a new attack based on code reuse technology) detection
Currently common kernel ROP is used to disable SMEP (Supervisor Mode Execution Protection) or to modify the CR4 register. This method uses the hook to check, before the CR4 register is operated on in the call stack, whether the call stack is one that is allowed to call the CR4 register-modifying instruction, or to detect whether the call stack invokes an instruction that disables SMEP; if so, a privilege escalation behaviour of the new process is detected.
(6) Bitmap exploitation detection
The behaviour of using a Bitmap to convert a constrained kernel address write operation into an arbitrary kernel address read/write operation is detected; if this behaviour exists, a privilege escalation behaviour of the new process is detected.
Step S408: generate a log file according to the detection result and store the log file under the log directory.
Instrumentation logs are generated in a preset format and inserted into the log buffer list. The log recording thread continuously checks whether a new log has been inserted into the log buffer list; if so, the new log is appended to the log file at the path specified in the configuration option, and the node of that log in the log buffer list is released.
In this scheme the detection logs are generated as instrumentation records and cached. Each log produced by detection is held temporarily in the log buffer list. The log recording thread polls the log buffer list and processes each log node in turn in FIFO (first in, first out) order, appending the log content to the log file; after detection finishes, the log file is obtained and managed by the external scheduler module process.
The instrumentation data of this scheme includes environment and file basic information, detection function point trigger data, and so on. Environment and file basic information is output in the form of a running log, and detection function point trigger data is output in the form of a behaviour log. The environment and file basic information includes: the MD5 of the sample process file, the sample file path, the names and file versions of the main system modules, and so on. For HalDispatchTable detection, the detection function point trigger data includes: process ID, thread ID, the name of the tampered function, the pointer value after tampering, the hooked API at the time of detection (NtQueryIntervalProfile), and so on. For Token replacement detection, the detection function point trigger data includes: process ID, thread ID, Token address, the name of the hit system process, the hooked API at the time of detection, and so on. For Token attribute value detection, the detection function point trigger data includes: process ID, thread ID, the Privileges mask description sequence, UserSID, OwnerSID, the hooked API at the time of detection, and so on. The detection function point trigger data of the other detection methods is similar and is not described further here.
The virtual-machine-based kernel vulnerability detection method provided by this embodiment runs in a virtual-machine sandbox isolation environment. According to the relevant information of the sample file and the switch information of each detection function point sent by the user-layer process, it turns on the kernel-layer behaviour monitoring master switch, monitors the new processes created by the system, and detects each kernel-layer operation behaviour of the new process. The method isolates kernel vulnerability detection from the outside and provides a closed detection environment for the suspicious sample: even if the suspicious sample really does exploit a vulnerability, it cannot damage the server side, which gives a safe and efficient kernel vulnerability detection mechanism. The method sets a hook function for the API corresponding to each detection function point provided by the user-layer process; performing the detection operation before the API is called can find problems such as privilege escalation and exploitation in a timely and effective manner, improving the efficiency of kernel vulnerability detection.
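As an added illustration, not code from the patent, the following C program models in user mode the checks that steps S401, S406 and S407 (embodiments (1) to (4) of Fig. 4, and the corresponding steps of Fig. 3) perform from the hooks: a load-time baseline of HalDispatchTable pointers and system process IDs, a creation-time snapshot of the new process's token attributes, and the comparisons run before NtQueryIntervalProfile or a specified API proceeds. The TOKEN and EPROCESS layouts, addresses, PIDs and SIDs are simplified stand-ins constructed for the example, not the real Windows structures.

```c
#include <stddef.h>
#include <stdint.h>

#define HAL_SLOTS  4   /* HalDispatchTable entries we baseline (constructed count) */
#define MAX_SYSTEM 4   /* system processes whose PIDs are recorded at driver load */

/* Simplified stand-ins for the real TOKEN and EPROCESS layouts (not the real ones). */
typedef struct {
    uint64_t privileges;   /* Privileges mask */
    uint32_t user_sid;     /* TokenUser, reduced to one number */
    uint32_t owner_sid;    /* TokenOwner, reduced to one number */
    void    *acl;          /* NULL models a token whose ACL has been nulled */
} model_token_t;

typedef struct {
    uint32_t       pid;
    model_token_t *token;  /* the Token field of EPROCESS */
} model_eprocess_t;

typedef enum {
    VERDICT_OK = 0,
    VERDICT_HAL_TAMPERED,        /* embodiment (1) */
    VERDICT_TOKEN_REPLACED,      /* embodiment (2) */
    VERDICT_TOKEN_ATTR_CHANGED,  /* embodiment (3) */
    VERDICT_TOKEN_ACL_NULL       /* embodiment (4) */
} verdict_t;

/* Baseline recorded when the driver loads (step S401). */
typedef struct {
    uintptr_t hal_table[HAL_SLOTS];
    uint32_t  system_pids[MAX_SYSTEM];
    int       n_system;
} baseline_t;

static void record_baseline(baseline_t *b, const uintptr_t *hal_now,
                            const uint32_t *system_pids, int n_system) {
    for (int i = 0; i < HAL_SLOTS; i++) b->hal_table[i] = hal_now[i];
    b->n_system = n_system > MAX_SYSTEM ? MAX_SYSTEM : n_system;
    for (int i = 0; i < b->n_system; i++) b->system_pids[i] = system_pids[i];
}

/* (1) Run from the NtQueryIntervalProfile hook: live table vs. load-time baseline. */
verdict_t check_hal_dispatch_table(const baseline_t *b, const uintptr_t *hal_now) {
    for (int i = 0; i < HAL_SLOTS; i++)
        if (hal_now[i] != b->hal_table[i]) return VERDICT_HAL_TAMPERED;
    return VERDICT_OK;
}

static const model_eprocess_t *find_process(const model_eprocess_t *procs, int n,
                                            uint32_t pid) {
    for (int i = 0; i < n; i++) if (procs[i].pid == pid) return &procs[i];
    return NULL;
}

/* (2) Run from the hooks of the specified APIs: a new process whose Token pointer
 * equals a recorded system process's Token pointer has had its token replaced. */
verdict_t check_token_replaced(const baseline_t *b, const model_eprocess_t *procs,
                               int n, const model_eprocess_t *newp) {
    for (int i = 0; i < b->n_system; i++) {
        const model_eprocess_t *sys = find_process(procs, n, b->system_pids[i]);
        if (sys && sys != newp && sys->token == newp->token) return VERDICT_TOKEN_REPLACED;
    }
    return VERDICT_OK;
}

/* (3) and (4): live token attributes vs. the snapshot taken by the process creation
 * notification routine (step S406), plus a nulled ACL. */
verdict_t check_token_attributes(const model_token_t *snapshot, const model_eprocess_t *newp) {
    const model_token_t *t = newp->token;
    if (t->acl == NULL) return VERDICT_TOKEN_ACL_NULL;
    if (t->privileges != snapshot->privileges || t->user_sid != snapshot->user_sid ||
        t->owner_sid != snapshot->owner_sid) return VERDICT_TOKEN_ATTR_CHANGED;
    return VERDICT_OK;
}

/* Constructed scenarios: 0 clean, 1 HAL entry changed, 2 token pointer replaced,
 * 3 privileges changed, 4 ACL nulled. Every address, PID and SID here is made up. */
verdict_t run_constructed_case(int which) {
    static int dummy_acl;
    uintptr_t hal[HAL_SLOTS] = { 0x1000, 0x1010, 0x1020, 0x1030 };
    model_token_t sys_tok = { 0xFFFFull, 18, 18, &dummy_acl };      /* SYSTEM-like token */
    model_token_t new_tok = { 0x0001ull, 1001, 1001, &dummy_acl };  /* low-privilege token */
    model_eprocess_t procs[2] = { { 4, &sys_tok }, { 1234, &new_tok } };
    uint32_t sys_pids[1] = { 4 };
    baseline_t base;

    record_baseline(&base, hal, sys_pids, 1);   /* step S401 */
    model_token_t snapshot = new_tok;           /* step S406 on sample process creation */
    switch (which) {                            /* what the sample may have altered */
    case 1: hal[2] = 0xDEAD; break;
    case 2: procs[1].token = &sys_tok; break;
    case 3: new_tok.privileges = 0xFFFFull; break;
    case 4: new_tok.acl = NULL; break;
    default: break;
    }
    verdict_t v = check_hal_dispatch_table(&base, hal);
    if (v == VERDICT_OK) v = check_token_replaced(&base, procs, 2, &procs[1]);
    if (v == VERDICT_OK) v = check_token_attributes(&snapshot, &procs[1]);
    return v;
}
```

Each verdict maps to one of the trigger records described under step S408 (tampered function name and new pointer value for (1), the hit system process for (2), the changed Privileges/UserSID/OwnerSID for (3)).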
Fig. 5 shows a flowchart of a virtual-machine-based kernel vulnerability detection process protection method according to an embodiment of the present invention. The method provided by this embodiment is mainly used to protect the address space of the detection processes running in the virtual-machine sandbox isolation environment, preventing a malicious sample process that has escaped the sandbox from accessing, releasing or leaking it, and thus avoiding theft of confidential information. As shown in Fig. 5, the method comprises the following steps:
Step S501: obtain the relevant information of each detection sub-process and write the relevant information of each detection sub-process into the process filter list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant field in the target detection configuration file, parses it to obtain the process names of one or more detection sub-processes, obtains the process ID of each detection sub-process from its process name, and sends the process ID of each detection sub-process to the core detection process via IO control codes.
The core detection process receives the process IDs of the detection sub-processes sent by the auxiliary detection process (the user-layer process) via IO control codes. Specifically, after receiving an IO control code marked "process ID filtering", the core detection process reads the process IDs from the input buffer and obtains the relevant information of each detection sub-process from its process ID. In this method the relevant information can specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection sub-process, the core detection process writes it into the process filter list.
Step S502: using the hook, before the specified API is called, obtain the relevant information of the current context process and the relevant information of the operation target process.
This method hooks the specified APIs concerned with process, thread and memory address space operations; after a specified API is hooked, steps S502 to S504 are realised in the custom function. In step S502 the EPROCESS structure address of the current context process and the EPROCESS structure address of the operation target process are obtained.
Step S503: judge whether the relevant information of the operation target process is recorded in the process filter list and the relevant information of the current context process is not recorded in the process filter list; if so, execute step S504; if not, execute step S505.
Optionally, it is judged whether the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not recorded in the process filter list.
Step S504: abort the call to the specified API.
If the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not, some other process is attempting to access a detection sub-process and must be blocked: for example, an access-denied status code is returned and the call to the specified API is aborted.
Step S505: continue to call the specified API and return the return value of the specified API to the caller.
If the EPROCESS structure address of the operation target process is not recorded in the process filter list, or the EPROCESS structure address of the current context process is recorded in the process filter list, the specified API continues to be called and its return value is returned to the caller.
According to the virtual-machine-based kernel vulnerability detection process protection method provided by this embodiment, the relevant information of each detection sub-process is written into the process filter list; before a specified API is called, the hook obtains the relevant information of the current context process and of the operation target process, matches both against the process filter list, and decides whether to abort the call to the specified API. With this method the address space of the detection processes running in the virtual-machine sandbox isolation environment can be protected against access by a malicious sample process that has escaped the sandbox, theft of confidential information is avoided, and the safety of kernel vulnerability detection in the virtual-machine sandbox isolation environment is improved.
Fig. 6 shows a flowchart of a virtual-machine-based kernel vulnerability detection file protection method according to an embodiment of the present invention. The method provided by this embodiment is mainly used to protect the detection files produced during the detection process, such as log files, from being accessed, tampered with, encrypted or damaged by a malicious sample process that has escaped the sandbox, avoiding the detection failure or abnormal results this would cause and maintaining the stability and performance of the sandbox system. As shown in Fig. 6, the method comprises the following steps:
Step S601: obtain the relevant information of each detection sub-process and write the relevant information of each detection sub-process into the process filter list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant field in the target detection configuration file, parses it to obtain the process names of one or more detection sub-processes, obtains the process ID of each detection sub-process from its process name, and sends the process ID of each detection sub-process to the core detection process via IO control codes.
The core detection process receives the process IDs of the detection sub-processes sent by the auxiliary detection process (the user-layer process) via IO control codes. Specifically, after receiving an IO control code marked "process ID filtering", the core detection process reads the process IDs from the input buffer and obtains the relevant information of each detection sub-process from its process ID. In this method the relevant information can specifically be the EPROCESS structure address. After obtaining the EPROCESS structure address of each detection sub-process, the core detection process writes it into the process filter list.
Step S602: obtain the storage path information of the detection files and write the storage path information of the detection files into the private directory list.
After the auxiliary detection process loads the driver of the core detection process, it reads the relevant field in the target detection configuration file, parses it to obtain the storage paths of one or more detection files, and sends the storage path of each detection file to the core detection process via IO control codes.
The core detection process receives the storage path of each detection file sent by the auxiliary detection process (the user-layer process) via IO control codes. Specifically, after receiving an IO control code marked "private directory", the core detection process obtains the storage path of the detection file transmitted this time from the input buffer, constructs a string from that storage path as the storage path information of the detection file, and writes the storage path information of the detection file into the private directory list.
Step S603: when a file access operation occurs, judge whether the storage path information of the file access object is recorded in the private directory list.
In this embodiment the protection of detection files is realised mainly in the bodies of the IRP dispatch functions. For example, in the bodies of the dispatch functions for READ, WRITE, CREATE, SET_INFORMATION, DIRECTORY_CONTROL and similar requests, it is judged whether the storage path information of the file access object is recorded in the private directory list; if so, step S604 is executed; if not, step S606 is executed.
Step S604: judge whether the relevant information of the current context process is recorded in the process filter list.
If the storage path information of the file access object is recorded in the private directory list, it is further judged whether the relevant information of the current context process is recorded in the process filter list; specifically, whether the EPROCESS structure address of the current context process is recorded in the process filter list. If so, step S606 is executed; if not, step S605 is executed.
Step S605: if the relevant information of the current context process is not recorded in the process filter list, refuse the file access operation.
If the storage path information of the file access object is recorded in the private directory list and the relevant information of the current context process is not recorded in the process filter list, some other process is attempting to access a detection file; the IRP is not dispatched further down and the file access operation is refused.
Step S606: if the storage path information of the file access object is not recorded in the private directory list, or the relevant information of the current context process is recorded in the process filter list, continue to respond to the file access operation.
If the storage path information of the file access object is not recorded in the private directory list, the object being accessed is not a detection file that needs protection, so the IRP continues to be dispatched downwards and the file access operation is served. If the storage path information of the file access object is recorded in the private directory list and the relevant information of the current context process is recorded in the process filter list, a detection sub-process is accessing a detection file, so the IRP likewise continues to be dispatched downwards and the file access operation is served.
According to the virtual-machine-based kernel vulnerability detection file protection method provided by this embodiment, the relevant information of each detection sub-process is written into the process filter list and the storage path information of the detection files is written into the private directory list; when a file access operation occurs, the storage path information of the file access object and the relevant information of the current context process are matched against the private directory list and the process filter list respectively to decide whether to refuse the file access operation. With this method the detection files produced in the virtual-machine sandbox isolation environment can be protected from being accessed, tampered with, encrypted or damaged by a malicious sample process that has escaped the sandbox, the detection failure or abnormal results this would cause are avoided, and the stability and performance of the sandbox system are maintained.
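As an added illustration, not the patent's own code, the following C program models in user mode the decisions of steps S503 to S505 (process protection, Fig. 5) and S603 to S606 (file protection, Fig. 6), which share the process filter list of steps S501/S601. The EPROCESS addresses and directory paths are constructed, and matching a recorded storage path as a case-insensitive directory prefix is this example's assumption; the text only says the path information is looked up in the private directory list.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_FILTER   8
#define MAX_PRIVATE  8
#define MAX_PATH_LEN 260

typedef uint64_t eprocess_addr_t;  /* EPROCESS structure address, the "relevant information" */

/* Process filter list (steps S501/S601): EPROCESS addresses of the detection sub-processes. */
typedef struct { eprocess_addr_t entries[MAX_FILTER]; int n; } process_filter_list_t;

/* Private directory list (step S602): storage path strings of the detection files. */
typedef struct { char dirs[MAX_PRIVATE][MAX_PATH_LEN]; int n; } private_dir_list_t;

typedef enum { ACTION_ALLOW = 0, ACTION_DENY } action_t;

bool filter_list_add(process_filter_list_t *l, eprocess_addr_t e) {
    if (l->n >= MAX_FILTER) return false;
    l->entries[l->n++] = e;
    return true;
}

bool filter_list_contains(const process_filter_list_t *l, eprocess_addr_t e) {
    for (int i = 0; i < l->n; i++) if (l->entries[i] == e) return true;
    return false;
}

bool private_dir_add(private_dir_list_t *l, const char *dir) {
    if (l->n >= MAX_PRIVATE || strlen(dir) >= MAX_PATH_LEN) return false;
    strcpy(l->dirs[l->n++], dir);
    return true;
}

/* Case-insensitive prefix test (Windows paths are case-insensitive). Treating the
 * recorded path as a directory prefix is an assumption of this example. */
static bool path_has_prefix_ci(const char *path, const char *prefix) {
    for (; *prefix; path++, prefix++)
        if (*path == '\0' || tolower((unsigned char)*path) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

bool private_dir_contains(const private_dir_list_t *l, const char *path) {
    for (int i = 0; i < l->n; i++) if (path_has_prefix_ci(path, l->dirs[i])) return true;
    return false;
}

/* Steps S503-S505, run from the hooks of the process/thread/memory APIs. */
action_t decide_process_access(const process_filter_list_t *fl,
                               eprocess_addr_t caller, eprocess_addr_t target) {
    if (filter_list_contains(fl, target) && !filter_list_contains(fl, caller))
        return ACTION_DENY;      /* S504: a foreign process is touching a detector */
    return ACTION_ALLOW;         /* S505: pass the call through */
}

/* Steps S603-S606, run from the IRP dispatch routines (READ, WRITE, CREATE, ...). */
action_t decide_file_access(const private_dir_list_t *pl, const process_filter_list_t *fl,
                            eprocess_addr_t caller, const char *object_path) {
    if (!private_dir_contains(pl, object_path)) return ACTION_ALLOW;  /* S606: not a detection file */
    if (filter_list_contains(fl, caller)) return ACTION_ALLOW;        /* S606: a detection sub-process */
    return ACTION_DENY;                    /* S605: do not pass the IRP down, refuse access */
}

/* Constructed cases: 0-2 process protection, 3-5 file protection. Every address
 * and path here is made up for illustration. */
action_t protection_case(int which) {
    const eprocess_addr_t detector_a = 0xFFFF800000001000ull;  /* detection sub-process */
    const eprocess_addr_t detector_b = 0xFFFF800000002000ull;  /* another detection sub-process */
    const eprocess_addr_t sample     = 0xFFFF800000009000ull;  /* sample process */
    const eprocess_addr_t bystander  = 0xFFFF800000003000ull;  /* unrelated process */
    process_filter_list_t fl;
    private_dir_list_t pl;
    memset(&fl, 0, sizeof fl);
    memset(&pl, 0, sizeof pl);
    filter_list_add(&fl, detector_a);
    filter_list_add(&fl, detector_b);
    private_dir_add(&pl, "C:\\Detect\\Log\\");

    switch (which) {
    case 0: return decide_process_access(&fl, sample, detector_a);      /* DENY  */
    case 1: return decide_process_access(&fl, detector_a, detector_b);  /* ALLOW */
    case 2: return decide_process_access(&fl, sample, bystander);       /* ALLOW */
    case 3: return decide_file_access(&pl, &fl, sample, "c:\\detect\\log\\run.log");     /* DENY  */
    case 4: return decide_file_access(&pl, &fl, detector_a, "C:\\Detect\\Log\\run.log"); /* ALLOW */
    default: return decide_file_access(&pl, &fl, sample, "C:\\Temp\\sample.bin");        /* ALLOW */
    }
}
```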
Fig. 7 shows the functional block of the kernel Hole Detection device based on virtual machine according to an embodiment of the invention Figure.This device is run specifically under server end virtual machine sandbox isolation environment, is carried out for the sample file for specifying Dynamic kernel vulnerability exploit detection.As shown in fig. 7, the device includes:Communication agent module 701, scheduling management and control module 702, Auxiliary detection module 703, core detection module 704.
Communication agent module 701, is suitable to start communication agent process, makes communication agent process monitor designated port, waits And detection bag and the sample file that virtual machine external host is transmitted is received, detection bag is respectively stored into into detection mesh with sample file Under record and temp directory.Communication agent process is responsible for carrying out the process of data interaction, file transmission with virtual machine external host. When service end VME operating system is started shooting, the self-starting therewith of communication agent process.Communication agent process monitors designated port, Wait and receive the detection bag and sample file of the associated process transmission of virtual machine external host.Communication agent process is to detection bag Decompression operations are carried out, under the file storage that decompression is obtained to detection catalogue;In addition, sample file is stored by communication agent process To under temp directory.Subsequently, communication agent thread starts the scheduling management and control process in detection bag.
Scheduling management and control module 702, is suitable to start the scheduling management and control process in detection bag, makes scheduling management and control process obtain sample File store path, recognize sample file type, according to it is general detection configuration file in config option select detection pattern and Each detection function point, to create the target detection configuration file for the sample file.After scheduling management and control process initiation, Scheduling management and control process obtains sample file store path, recognizes sample file type.Then, dispatch management and control process and read itself pass The general detection configuration file of connection, according to sample file type selecting detection pattern and each detection function point, initializes itself each Function, creates the target detection configuration file for sample file.Subsequently, management and control process initiation auxiliary detection procedure is dispatched, and The store path (can be URL) of sample file is passed to into auxiliary detection procedure by way of parameter.
Auxiliary detection module 703, is suitable to start auxiliary detection procedure, makes auxiliary detection procedure using target detection configuration text The switch of each detection function point of part control.After auxiliary detection procedure starts, auxiliary detection procedure is configured according to target detection File is initialized, and loads the driver of core detection procedure, controls each detection function using target detection configuration file The switch of point.
Core detection module 704, is suitable to start core detection procedure, makes core detection procedure receive auxiliary detection procedure and sends out The switching information of the relevant information of the sample file for sending and each detection function point, performs Hole Detection, is given birth to according to testing result Into journal file, journal file is stored under Log Directory.The driving journey of core detection procedure is loaded in auxiliary detection procedure After sequence, core detection procedure starts.Core detection procedure receive auxiliary detection procedure send sample file relevant information with And the switching information of each detection function point, perform initialization operation.Then, relevant information and each detection according to sample file The switching information of function point performs the detection of sample file, generates journal file according to testing result, journal file storage is arrived Under Log Directory.
The communication agent module 701 is further adapted to make the communication agent process create a message communication thread and establish a communication connection with the scheduling control process. After the scheduling control process has started, the communication agent process creates the message communication thread and, optionally, establishes the connection to the scheduling control process over RPC. Over this connection, message packets subsequently received from the scheduling control process are forwarded in real time to the host outside the virtual machine.
The scheduling control module 702 is further adapted to make the scheduling control process create a screen capture thread that captures a screen image at predetermined intervals, and to send each captured image in real time to the communication agent process over the connection established between the scheduling control process and the communication agent process.
The communication agent module 701 is further adapted to make the communication agent process send the captured screen images to the host outside the virtual machine.
The scheduling control module 702 is further adapted to make the scheduling control process create a mouse simulation click thread, which simulates mouse clicks at random screen coordinates and on specific controls.
The scheduling control module 702 is further adapted to make the scheduling control process select a timeout restriction according to the configuration options in the general detection configuration file; while the sample file is being detected, it checks whether the timeout restriction has been met and, if so, ends the detection process, packages the detection result into a data packet and sends it to the communication agent process, which sends the packet on to the host outside the virtual machine.
The core detection module 704 is further adapted to make the core detection process receive, via IO control codes sent by the auxiliary detection process, the related information of the sample file and the switch information of each detection function point.
The virtual-machine-based kernel vulnerability detection device provided by this embodiment runs in a virtual machine sandbox isolation environment. The communication agent process handles data exchange and file transfer with the host outside the virtual machine, and the scheduling control process and the auxiliary detection process assist the core detection process in detecting the sample file. The device isolates kernel vulnerability detection from the outside and gives a suspicious sample a closed detection environment, so that even a sample that really does exploit a vulnerability cannot damage the server side; this provides a safe and efficient kernel vulnerability detection mechanism. The scheduling control process selects a timeout restriction from the configuration options in the general detection configuration file, which prevents the detection of a single sample file from running for too long and improves detection efficiency. The screen capture thread and/or mouse simulation click thread created by the scheduling control process allow the image shown on the server's screen to be passed to the host outside the virtual machine, where a user can follow the progress and details of the detection process with good visualization.
Fig. 8 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection device according to another embodiment of the present invention. The device runs in a virtual machine sandbox isolation environment and, as shown in Fig. 8, comprises a loading module 801, a receiving module 802, a starting module 803, an adding module 804, a detection module 805 and a log storage module 806.
The loading module 801 is adapted to load the driver. While loading the driver, the loading module 801 initializes the data structure objects and variables the driver needs, records the process ID of at least one system process, and records at least one key function pointer value stored in the HAL routine address table (HalDispatchTable), for example the function pointer value of HalQuerySystemInformation.
The receiving module 802 is adapted to receive the related information of the sample file and the switch information of each detection function point sent by the user-layer process. In this embodiment the user-layer process is the auxiliary detection process described in the embodiments above. The receiving module 802 receives the various IO control codes sent by the auxiliary detection process and parses them to obtain the related information of the sample file and the switch information of each detection function point. Specifically, it parses the IO control code to identify the "kernel usage monitoring" marker and then, according to the data in the incoming buffer, selects the corresponding dispatch routine.
The starting module 803 is adapted to turn on the kernel-layer behavior monitoring master switch according to the switch information of each detection function point.
The adding module 804 is adapted to add a new process to the process creation record list when the system creates it.
The detection module 805 is adapted to detect each kernel-layer operation behavior of the new process.
The log storage module 806 is adapted to generate a log file from the detection result and store it in the log directory.
Further, the device also comprises a hook configuration module 807, adapted to hook in the SSDT, according to the related information of the sample file and the switch information of each detection function point, the specified API of each function detection point together with NtQueryIntervalProfile. The device detects each kernel-layer operation behavior of the new process by means of these hooks: based on the related information of the sample file and the switch information of each detection function point, it hooks in the SSDT the specified API of each function detection point and NtQueryIntervalProfile. The hooked APIs are specifically the key NTAPIs for memory, privilege, registry, process/thread and file operations.
Further, the device also comprises a routine setup module 808, adapted to set up a process creation notification routine that records the attribute values of each newly created process. When the system creates a new process, the routine setup module 808 records its attribute values in the process creation notification routine, for example Privileges, UserSID and OwnerSID.
The detection module 805 is further adapted to use the hook to obtain, before NtQueryIntervalProfile is called, the at least one key function pointer value currently stored in the HAL routine address table, and to compare it with the at least one key function pointer value recorded from the HAL routine address table when the driver was loaded; if the comparison is inconsistent, it detects that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to use the hook to obtain, before the corresponding specified API is called, the EPROCESS structure address of the at least one system process (from the process IDs recorded when the driver was loaded) and the EPROCESS structure address of the new process, and to compare the pointer value in the Token field of the new process's EPROCESS structure with the pointer value in the Token field of each system process's EPROCESS structure; if the Token pointer of the new process matches that of one of the system processes, it detects that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to use the hook to obtain, before the corresponding specified API is called, the attribute values of the new process and to compare them with the attribute values of the new process recorded in the process creation notification routine; if the comparison is inconsistent, it detects that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to compare the Privileges, TokenUser and/or TokenOwner of the new process obtained above with the Privileges, UserSID and/or OwnerSID of the new process recorded in the process creation notification routine.
The detection module 805 is further adapted to use the hook to query, before the corresponding specified API is called, whether the ACL in the Token field of the new process's EPROCESS structure has been set to null; if so, it detects that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to use the hook to check, before the call stack operates on the CR4 register, whether the call stack is one that is allowed to execute CR4-modifying instructions, or to detect whether the call stack executes an instruction that disables SMEP; if so, it detects that the new process exhibits privilege escalation behavior.
The detection module 805 is further adapted to detect whether there is behavior that turns a conditional kernel address write into an arbitrary kernel address read/write; if so, it detects that the new process exhibits privilege escalation behavior.
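The pre-API checks of detection module 805 described above (HAL table snapshot comparison, Token pointer comparison against system processes, creation-time attribute comparison, null ACL), as an added user-mode C simulation that is not the patent's driver code. EPROCESS, Token and HalDispatchTable are modelled as plain structs with constructed values; the "System" process with PID 4, the SIDs and the privilege masks are constructed stand-ins.

```c
/* Added example (not the patent's code): user-mode simulation of the
 * privilege-escalation checks made by detection module 805 before a hooked
 * API runs. All values are constructed; no Windows kernel API is involved. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define HAL_ENTRIES 4  /* HalDispatchTable slots snapshotted (assumption) */

/* Minimal model of the EPROCESS fields the checks read. */
typedef struct {
    uint32_t  pid;
    uintptr_t token;        /* Token field: pointer to the access token */
    int       acl_is_null;  /* 1 if the token's ACL has been set to null */
    uint64_t  privileges;   /* Privileges recorded by the creation notify routine */
    uint32_t  user_sid;     /* constructed stand-in for UserSID */
    uint32_t  owner_sid;    /* constructed stand-in for OwnerSID */
} eprocess_t;

/* What the loading module records when the driver is loaded. */
typedef struct {
    uintptr_t         hal_snapshot[HAL_ENTRIES];
    const eprocess_t *system_procs;  /* EPROCESS of the recorded system processes */
    size_t            n_system_procs;
} load_state_t;

/* Before NtQueryIntervalProfile: a HalDispatchTable slot differs from the
 * value recorded at load time, so the table has been overwritten. */
int hal_table_tampered(const load_state_t *ls, const uintptr_t *hal_now)
{
    for (size_t i = 0; i < HAL_ENTRIES; i++)
        if (ls->hal_snapshot[i] != hal_now[i]) return 1;
    return 0;
}

/* The new process's Token pointer equals a system process's Token pointer. */
int token_stolen(const load_state_t *ls, const eprocess_t *np)
{
    for (size_t i = 0; i < ls->n_system_procs; i++)
        if (ls->system_procs[i].token == np->token) return 1;
    return 0;
}

/* Attributes recorded at creation no longer match the live process. */
int attributes_changed(const eprocess_t *recorded, const eprocess_t *live)
{
    return recorded->privileges != live->privileges ||
           recorded->user_sid   != live->user_sid   ||
           recorded->owner_sid  != live->owner_sid;
}

/* Flags returned by the combined check; 0 means no escalation detected. */
enum { ESC_HAL = 1, ESC_TOKEN = 2, ESC_ATTR = 4, ESC_ACL = 8 };

int check_privilege_escalation(const load_state_t *ls, const uintptr_t *hal_now,
                               const eprocess_t *recorded, const eprocess_t *live)
{
    int flags = 0;
    if (hal_table_tampered(ls, hal_now))    flags |= ESC_HAL;
    if (token_stolen(ls, live))             flags |= ESC_TOKEN;
    if (attributes_changed(recorded, live)) flags |= ESC_ATTR;
    if (live->acl_is_null)                  flags |= ESC_ACL;  /* ACL nulled */
    return flags;
}

/* Constructed fixtures: a "System" process (PID 4) and the load-time state. */
static const eprocess_t   k_system = { 4, 0xC0001000u, 0, 0xFFu, 18, 18 };
static const load_state_t k_load   = { { 0x1000, 0x1010, 0x1020, 0x1030 }, &k_system, 1 };

/* Scenario: the sample swapped its token for System's and patched slot 2. */
int demo_stolen_token_and_patched_hal(void)
{
    uintptr_t hal_now[HAL_ENTRIES] = { 0x1000, 0x1010, 0xDEAD, 0x1030 };
    eprocess_t recorded = { 1234, 0xC0009000u, 0, 0x20u, 1001, 1001 };
    eprocess_t live = recorded;
    live.token = k_system.token;
    return check_privilege_escalation(&k_load, hal_now, &recorded, &live); /* 3 */
}

/* Scenario: the sample nulled its token's ACL and added a privilege in place. */
int demo_nulled_acl_and_added_privilege(void)
{
    eprocess_t recorded = { 1235, 0xC000A000u, 0, 0x20u, 1001, 1001 };
    eprocess_t live = recorded;
    live.acl_is_null = 1;
    live.privileges |= 0x80u;
    return check_privilege_escalation(&k_load, k_load.hal_snapshot, &recorded, &live); /* 12 */
}

/* Scenario: nothing changed since the process was created. */
int demo_clean_process(void)
{
    eprocess_t recorded = { 1236, 0xC000B000u, 0, 0x20u, 1001, 1001 };
    return check_privilege_escalation(&k_load, k_load.hal_snapshot, &recorded, &recorded); /* 0 */
}

int main(void)
{
    printf("stolen token + patched HAL -> 0x%x\n", demo_stolen_token_and_patched_hal());
    printf("nulled ACL + added priv    -> 0x%x\n", demo_nulled_acl_and_added_privilege());
    printf("clean process              -> 0x%x\n", demo_clean_process());
    return 0;
}
```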
The virtual-machine-based kernel vulnerability detection device provided by this embodiment runs in a virtual machine sandbox isolation environment. According to the related information of the sample file and the switch information of each detection function point sent by the user-layer process, it turns on the kernel-layer behavior monitoring master switch, monitors the new processes created by the system and detects each kernel-layer operation behavior of those new processes. The device isolates kernel vulnerability detection from the outside and gives a suspicious sample a closed detection environment, so that even a sample that really does exploit a vulnerability cannot damage the server side; this provides a safe and efficient kernel vulnerability detection mechanism. The device hooks the API corresponding to each detection function point supplied by the user-layer process and performs the detection operation before the API is called, so that privilege escalation, exploitation and similar problems are found promptly and effectively, improving the efficiency of kernel vulnerability detection.
Fig. 9 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection process protection device according to an embodiment of the present invention. The device provided by this embodiment is mainly used to protect the address space of the detection processes running in the virtual machine sandbox isolation environment, preventing a malicious sample process that has escaped the sandbox from accessing, releasing or leaking it, so that confidential information is not stolen. As shown in Fig. 9, the device comprises a writing module 901, a hook processing module 902, a judging module 903 and a terminating module 904, and optionally also a receiving module 905 and a calling module 906.
The receiving module 905 is adapted to receive the process IDs of the detection subprocesses sent by the user-layer process.
After the auxiliary detection process has loaded the driver of the core detection process, it reads the relevant fields of the target detection configuration file, parses out the process names of one or more detection subprocesses, obtains the process ID of each detection subprocess from its process name, and sends the process IDs to the core detection process via IO control codes.
The receiving module 905 inside the core detection process receives the process IDs of the detection subprocesses sent by the auxiliary detection process (the user-layer process) via IO control codes. Specifically, on receiving an IO control code marked "process ID filtering", the receiving module 905 takes the process ID transmitted in that call from the input buffer.
The writing module 901 is adapted to obtain the related information of each detection subprocess and write it into the process filter list.
The writing module 901 obtains the related information of a detection subprocess from its process ID; the related information may specifically be the EPROCESS structure address. Having obtained the EPROCESS structure address of each detection subprocess, the writing module 901 writes it into the process filter list.
The hook processing module 902 is adapted to use the hook to obtain, before the specified API is called, the related information of the current context process and of the operation target process.
The hook processing module 902 hooks the specified APIs that operate on processes, threads and memory address spaces; once an API is hooked, the functions of the judging module 903 and the terminating module 904 are implemented in the custom hook function. The hook processing module 902 first obtains the EPROCESS structure address of the current context process and that of the operation target process.
The judging module 903 is adapted to judge whether the related information of the operation target process is recorded in the process filter list while the related information of the current context process is not recorded in it. Specifically, the judging module 903 judges whether the EPROCESS structure address of the operation target process is recorded in the process filter list and the EPROCESS structure address of the current context process is not.
The terminating module 904 is adapted to terminate the call to the specified API if the judging module 903 finds that the related information of the operation target process is recorded in the process filter list and the related information of the current context process is not.
The calling module 906 is adapted, if the judging module 903 finds that the related information of the operation target process is not recorded in the process filter list, or that the related information of the current context process is recorded in it, to continue the call to the specified API and return its return value to the caller.
According to the virtual-machine-based kernel vulnerability detection process protection device provided by this embodiment, the related information of each detection subprocess is written into a process filter list; before a specified API is called, the hook obtains the related information of the current context process and of the operation target process and matches both against the process filter list to decide whether to terminate the call. The device thereby protects the address space of the detection processes running in the virtual machine sandbox isolation environment against access by a malicious sample process that has escaped the sandbox, prevents confidential information from being stolen, and improves the security of kernel vulnerability detection in the sandbox.
Fig. 10 shows a functional block diagram of a virtual-machine-based kernel vulnerability detection file protection device according to an embodiment of the present invention. The device provided by this embodiment is mainly used to protect the detection files produced during detection, such as log files, against access, tampering, encryption or damage by a malicious sample process that has escaped the sandbox, so as to avoid detection failures or abnormal results and to maintain the stability and performance of the sandbox system. As shown in Fig. 10, the device comprises a first writing module 1001, a second writing module 1002, a first judging module 1003, a second judging module 1004 and a refusal module 1005, and optionally also a receiving module 1006 and a response module 1007.
The receiving module 1006 is adapted to receive the store paths of the detection files sent by the user-layer process.
After the auxiliary detection process has loaded the driver of the core detection process, it reads the relevant fields of the target detection configuration file, parses out the process names of one or more detection subprocesses and the store paths of one or more detection files, obtains the process ID of each detection subprocess from its process name, and sends the process IDs and the store paths of the detection files to the core detection process via IO control codes.
The receiving module 1006 inside the core detection process receives the process IDs of the detection subprocesses and the store paths of the detection files sent by the auxiliary detection process (the user-layer process) via IO control codes. Specifically, on receiving an IO control code marked "process ID filtering", the core detection process takes the process ID transmitted in that call from the input buffer; on receiving an IO control code marked "private directory", it takes the store path of the detection file transmitted in that call from the input buffer.
The first writing module 1001 is adapted to obtain the related information of each detection subprocess and write it into the process filter list.
The first writing module 1001 obtains the related information of a detection subprocess from its process ID; in this method the related information may specifically be the EPROCESS structure address. Having obtained the EPROCESS structure address of each detection subprocess, the first writing module 1001 writes it into the process filter list.
The second writing module 1002 is adapted to obtain the store path information of the detection files and write it into the private directory list.
The second writing module 1002 constructs a string from the store path of each detection file as its store path information and writes that store path information into the private directory list.
The first judging module 1003 is adapted to judge, when a file access operation occurs, whether the store path information of the file access object is recorded in the private directory list.
In this embodiment the protection of detection files is implemented mainly in the bodies of the IRP dispatch functions. For example, the check of whether the store path information of the file access object is recorded in the private directory list is implemented in the custom dispatch function bodies for READ, WRITE, CREATE, SET_INFORMATION and DIRECTORY_CONTROL.
The second judging module 1004 is adapted, if the first judging module 1003 finds that the store path information of the file access object is recorded in the private directory list, to judge whether the related information of the current context process is recorded in the process filter list.
If the store path information of the file access object is recorded in the private directory list, the second judging module 1004 further judges whether the related information of the current context process is recorded in the process filter list; specifically, it judges whether the EPROCESS structure address of the current context process is recorded in the process filter list.
The refusal module 1005 is adapted to refuse the file access operation if the second judging module 1004 finds that the related information of the current context process is not recorded in the process filter list.
If the store path information of the file access object is recorded in the private directory list and the related information of the current context process is not recorded in the process filter list, some other process is trying to access a detection file; the IRP is not dispatched further down and the file access operation is refused.
The response module 1007 is adapted to continue responding to the file access operation if the first judging module 1003 finds that the store path information of the file access object is not recorded in the private directory list, or the second judging module 1004 finds that the related information of the current context process is recorded in the process filter list.
If the store path information of the file access object is not recorded in the private directory list, the file being accessed is not a detection file that needs protection, so the IRP continues to be dispatched downward and the file access operation is served. If the store path information of the file access object is recorded in the private directory list and the related information of the current context process is recorded in the process filter list, a detection subprocess is accessing a detection file, so the IRP likewise continues to be dispatched downward and the file access operation is served.
According to the virtual-machine-based kernel vulnerability detection file protection device provided by this embodiment, the related information of each detection subprocess is written into a process filter list and the store path information of the detection files is written into a private directory list; when a file access operation occurs, the store path information of the file access object and the related information of the current context process are matched against the private directory list and the process filter list respectively to decide whether to refuse the file access operation. The device thereby protects the detection files produced in the virtual machine sandbox isolation environment against access, tampering, encryption or damage by a malicious sample process that has escaped the sandbox, avoids detection failures or abnormal results caused thereby, and maintains the stability and performance of the sandbox system.
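The two access decisions of the Fig. 9 and Fig. 10 devices, as an added user-mode C simulation that is not the patent's driver code: terminate a process/thread/memory API call whose operation target is a detection subprocess but whose caller is not one, and refuse a file IRP whose path lies under a private directory unless the requester is a detection subprocess. The EPROCESS addresses and the store path are constructed values, and matching a path against the private directory list is assumed to be a case-insensitive prefix match on directory boundaries, which the page does not specify.

```c
/* Added example (not the patent's code): user-mode simulation of the access
 * decisions of the process-protection device (Fig. 9) and the file-protection
 * device (Fig. 10). EPROCESS addresses are plain integers and all values are
 * constructed; nothing here touches a real kernel. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ENTRIES 16

/* Process filter list: EPROCESS addresses of the detection subprocesses. */
typedef struct { uintptr_t eprocess[MAX_ENTRIES]; size_t n; } filter_list_t;

/* Private directory list: store paths of the detection files. */
typedef struct { const char *path[MAX_ENTRIES]; size_t n; } private_dir_list_t;

int filter_list_contains(const filter_list_t *fl, uintptr_t eprocess)
{
    for (size_t i = 0; i < fl->n; i++)
        if (fl->eprocess[i] == eprocess) return 1;
    return 0;
}

/* Assumption: a file is "recorded" when its path is a listed store path or
 * lies below one. Windows paths compare case-insensitively, so the prefix
 * test ignores case and requires '\' (or end of string) after the prefix. */
static int under_directory(const char *dir, const char *path)
{
    size_t i;
    for (i = 0; dir[i] != '\0'; i++)
        if (path[i] == '\0' ||
            tolower((unsigned char)dir[i]) != tolower((unsigned char)path[i]))
            return 0;
    return path[i] == '\0' || path[i] == '\\';
}

int private_dir_contains(const private_dir_list_t *pl, const char *path)
{
    for (size_t i = 0; i < pl->n; i++)
        if (under_directory(pl->path[i], path)) return 1;
    return 0;
}

/* Fig. 9: in the hook on process/thread/memory APIs, terminate the call when
 * the target is a detection subprocess but the caller is not one. */
int should_terminate_api_call(const filter_list_t *fl, uintptr_t caller, uintptr_t target)
{
    return filter_list_contains(fl, target) && !filter_list_contains(fl, caller);
}

/* Fig. 10: in the READ/WRITE/CREATE/... IRP dispatch, refuse the request when
 * the file is under a private directory and the requester is not a detection
 * subprocess; otherwise the IRP is passed down. */
int should_refuse_file_access(const filter_list_t *fl, const private_dir_list_t *pl,
                              uintptr_t caller, const char *path)
{
    return private_dir_contains(pl, path) && !filter_list_contains(fl, caller);
}

/* Constructed EPROCESS addresses and store path. */
#define EP_DETECT_A ((uintptr_t)0xC0001000u)
#define EP_DETECT_B ((uintptr_t)0xC0002000u)
#define EP_SAMPLE   ((uintptr_t)0xC0009000u)
#define LOG_DIR     "C:\\Sandbox\\Detect\\Log"

static void build_lists(filter_list_t *fl, private_dir_list_t *pl)
{
    fl->eprocess[0] = EP_DETECT_A; fl->eprocess[1] = EP_DETECT_B; fl->n = 2;
    pl->path[0] = LOG_DIR; pl->n = 1;
}

/* Bit 1 = file access refused, bit 0 = API call terminated. */
int demo_escaped_sample(void)        /* sample reads a log and pokes detector A: 3 */
{
    filter_list_t fl; private_dir_list_t pl; build_lists(&fl, &pl);
    int refused = should_refuse_file_access(&fl, &pl, EP_SAMPLE, LOG_DIR "\\result.log");
    int killed  = should_terminate_api_call(&fl, EP_SAMPLE, EP_DETECT_A);
    return (refused << 1) | killed;
}

int demo_detector_itself(void)       /* detector B writes its log, inspects A: 0 */
{
    filter_list_t fl; private_dir_list_t pl; build_lists(&fl, &pl);
    int refused = should_refuse_file_access(&fl, &pl, EP_DETECT_B, "c:\\sandbox\\detect\\log\\b.log");
    int killed  = should_terminate_api_call(&fl, EP_DETECT_B, EP_DETECT_A);
    return (refused << 1) | killed;
}

int demo_unprotected_paths(void)     /* temp dir and a sibling "LogArchive" dir: 0 */
{
    filter_list_t fl; private_dir_list_t pl; build_lists(&fl, &pl);
    return should_refuse_file_access(&fl, &pl, EP_SAMPLE, "C:\\Sandbox\\Temp\\sample.exe") |
           should_refuse_file_access(&fl, &pl, EP_SAMPLE, LOG_DIR "Archive\\x.log");
}
```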
The present invention can be applied to many fields, including network security, terminal security, cloud security, application security, security management and security services. Products include high-, mid- and low-end next-generation firewalls, intrusion prevention systems, DDoS defense systems, virtualized integrated service gateways, sandboxes and big data security analysis systems, together with corresponding solutions for traditional and unknown threats.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of specific languages is given to disclose the best mode of the invention.
Many details are set out in the description given here. It should be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, to simplify the disclosure and aid understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of the embodiments may be adaptively changed and arranged in one or more devices different from those of the embodiments. The modules, units or components of the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to fall within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The embodiments of the components of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the virtual-machine-based kernel vulnerability detection device according to the embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example a computer program or computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals; such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses: A1. A virtual-machine-based kernel vulnerability detection method, the method running in a virtual machine sandbox isolation environment and comprising:
starting a communication agent process, which listens on a designated port, waits for and receives the detection package and the sample file transmitted by the host outside the virtual machine, and stores the detection package and the sample file in a detection directory and a temporary directory respectively;
starting the scheduling control process contained in the detection package, which obtains the store path of the sample file, identifies the sample file type, selects the detection mode and each detection function point according to the configuration options in the general detection configuration file, and creates a target detection configuration file for the sample file;
starting an auxiliary detection process, which uses the target detection configuration file to control the switch of each detection function point;
starting a core detection process, which receives the related information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, performs vulnerability detection, generates a log file from the detection result, and stores the log file in the log directory.
A2. The method according to A1, wherein after the scheduling control process in the detection package is started, the method further comprises: the communication agent process creating a message communication thread and establishing a communication connection with the scheduling control process.
A3. The method according to A2, further comprising:
the scheduling control process creating a screen capture thread that captures a screen image at predetermined intervals;
sending the captured screen image in real time to the communication agent process over the communication connection established between the scheduling control process and the communication agent process;
the communication agent process sending the captured screen image to the host outside the virtual machine.
A4. The method according to A1, further comprising:
the scheduling control process creating a mouse simulation click thread that simulates mouse clicks at random screen coordinates and on specific controls.
A5. The method according to A1, further comprising: the scheduling control process selecting a timeout restriction according to the configuration options in the general detection configuration file;
during the detection of the sample file, judging whether the timeout restriction is met and, if so, ending the detection process, packaging the detection result into a data packet and sending it to the communication agent process, so that the communication agent process sends the data packet to the host outside the virtual machine.
A6. The method according to A1, wherein the core detection process receiving the related information of the sample file and the switch information of each detection function point sent by the auxiliary detection process specifically comprises: the core detection process receiving the related information of the sample file and the switch information of each detection function point that the auxiliary detection process sends by way of IO control codes.
The invention also discloses: B7. A virtual-machine-based kernel vulnerability detection device, the device running in a virtual machine sandbox isolation environment and comprising:
a communication agent module, adapted to start a communication agent process and make it listen on a designated port, wait for and receive the detection package and the sample file transmitted by the host outside the virtual machine, and store the detection package and the sample file in a detection directory and a temporary directory respectively;
a scheduling control module, adapted to start the scheduling control process contained in the detection package and make it obtain the store path of the sample file, identify the sample file type, select the detection mode and each detection function point according to the configuration options in the general detection configuration file, and create a target detection configuration file for the sample file;
an auxiliary detection module, adapted to start an auxiliary detection process and make it use the target detection configuration file to control the switch of each detection function point;
a core detection module, adapted to start a core detection process and make it receive the related information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, perform vulnerability detection, generate a log file from the detection result, and store the log file in the log directory.
B8. The device according to B7, wherein the communication agent module is further adapted to make the communication agent process create a message communication thread and establish a communication connection with the scheduling control process.
B9. The device according to B8, wherein the scheduling control module is further adapted to make the scheduling control process create a screen capture thread that captures a screen image at predetermined intervals, and send the captured screen image in real time to the communication agent process over the communication connection established between the scheduling control process and the communication agent process;
and the communication agent module is further adapted to make the communication agent process send the captured screen image to the host outside the virtual machine.
B10. The device according to B7, wherein the scheduling control module is further adapted to make the scheduling control process create a mouse simulation click thread that simulates mouse clicks at random screen coordinates and on specific controls.
B11. The device according to B7, wherein the scheduling control module is further adapted to make the scheduling control process select a timeout restriction according to the configuration options in the general detection configuration file and, during the detection of the sample file, judge whether the timeout restriction is met; if so, it ends the detection process, packages the detection result into a data packet and sends it to the communication agent process, so that the communication agent process sends the data packet to the host outside the virtual machine.
B12, the device according to B7, the core detection module are further adapted for:Connect the core detection procedure Receive the relevant information of the sample file that the auxiliary detection procedure is sent by way of IO control codes and respectively detect function point Switching information.

Claims (10)

1. A kernel vulnerability detection method based on a virtual machine, the method running in a virtual machine sandbox isolation environment, the method comprising:
starting a communication agent process, the communication agent process listening on a designated port, waiting for and receiving the detection package and the sample file transmitted by the host outside the virtual machine, and storing the detection package and the sample file under the detection directory and the temp directory respectively;
starting the scheduling and control process in the detection package, the scheduling and control process obtaining the sample file storage path, recognising the sample file type, selecting the detection mode and each detection function point according to the config options in the general detection configuration file, and creating the target detection configuration file for the sample file;
starting an auxiliary detection process, the auxiliary detection process controlling the switch of each detection function point using the target detection configuration file;
starting a core detection process, the core detection process receiving the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, performing vulnerability detection, generating a log file according to the detection result, and storing the log file under the log directory.
2. The method according to claim 1, wherein after the scheduling and control process in the detection package is started, the method further comprises: the communication agent process creating a message communication thread and establishing a communication connection with the scheduling and control process.
3. The method according to claim 2, the method further comprising:
the scheduling and control process creating a screen capture thread that captures a screen image at predetermined time intervals;
using the communication connection established between the scheduling and control process and the communication agent process, sending the captured screen image to the communication agent process in real time;
the communication agent process sending the captured screen image to the host outside the virtual machine.
4. The method according to claim 1, the method further comprising:
the scheduling and control process creating a mouse simulation click thread that simulates mouse click operations at random screen coordinates and simulates mouse click operations on particular controls.
5. The method according to claim 1, the method further comprising: the scheduling and control process selecting a timeout restriction condition according to a config option in the general detection configuration file;
during the detection process on the sample file, judging whether the timeout restriction condition is met; if so, ending the detection process, packaging the detection result as a packet and sending it to the communication agent process, so that the communication agent process sends the packet to the host outside the virtual machine.
6. The method according to claim 1, wherein the core detection process receiving the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process is specifically: the core detection process receiving the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process by way of IO control codes.
7. A kernel vulnerability detection device based on a virtual machine, the device running in a virtual machine sandbox isolation environment, the device comprising:
a communication agent module, adapted to start a communication agent process, make the communication agent process listen on a designated port, wait for and receive the detection package and the sample file transmitted by the host outside the virtual machine, and store the detection package and the sample file under the detection directory and the temp directory respectively;
a scheduling and control module, adapted to start the scheduling and control process in the detection package, make the scheduling and control process obtain the sample file storage path, recognise the sample file type, select the detection mode and each detection function point according to the config options in the general detection configuration file, and create the target detection configuration file for the sample file;
an auxiliary detection module, adapted to start an auxiliary detection process and make the auxiliary detection process control the switch of each detection function point using the target detection configuration file;
a core detection module, adapted to start a core detection process, make the core detection process receive the relevant information of the sample file and the switch information of each detection function point sent by the auxiliary detection process, perform vulnerability detection, generate a log file according to the detection result, and store the log file under the log directory.
8. The device according to claim 7, the communication agent module further adapted to: make the communication agent process create a message communication thread and establish a communication connection with the scheduling and control process.
9. The device according to claim 8, the scheduling and control module further adapted to: make the scheduling and control process create a screen capture thread that captures a screen image at predetermined time intervals, and send the captured screen image to the communication agent process in real time over the communication connection established between the scheduling and control process and the communication agent process;
the communication agent module further adapted to: make the communication agent process send the captured screen image to the host outside the virtual machine.
10. The device according to claim 7, the scheduling and control module further adapted to: make the scheduling and control process create a mouse simulation click thread that simulates mouse click operations at random screen coordinates and simulates mouse click operations on particular controls.
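As an added illustration, not code from the patent or its assignee, the following Python sketch simulates the scheduling step of claim 1 (recognise the sample type, select the detection mode and function-point switches from the general configuration, emit the per-sample target configuration) together with the timeout rule and result packet of claim 5. The general configuration contents, the magic-byte table, the field names and the length-prefixed packet framing are all assumptions of mine; the patent specifies none of them.

```python
import json

# Constructed "general detection configuration": sample type -> detection mode,
# detection function points to switch on, and timeout limit. All names assumed.
GENERAL_CONFIG = {
    "pdf": {"mode": "document", "function_points": ["font_parser", "js_engine"], "timeout_s": 120},
    "pe": {"mode": "executable", "function_points": ["ioctl_monitor", "token_monitor"], "timeout_s": 300},
    "*": {"mode": "generic", "function_points": ["ioctl_monitor"], "timeout_s": 60},
}

# Magic-byte table used to recognise the sample file type (constructed, not exhaustive).
MAGIC = [(b"%PDF-", "pdf"), (b"MZ", "pe"), (b"PK\x03\x04", "office_zip")]


def identify_sample_type(data: bytes) -> str:
    """Return the sample type from its leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def build_target_config(sample_path: str, data: bytes, general=GENERAL_CONFIG) -> dict:
    """Scheduling step: choose mode and function points for this sample and emit
    the per-sample target detection configuration. Types missing from the general
    configuration fall back to the '*' entry. Every known function point gets an
    explicit True/False switch, so the auxiliary process never has to guess."""
    kind = identify_sample_type(data)
    entry = general.get(kind, general["*"])
    all_points = sorted({p for e in general.values() for p in e["function_points"]})
    return {
        "sample_path": sample_path,
        "sample_type": kind,
        "mode": entry["mode"],
        "switches": {p: p in entry["function_points"] for p in all_points},
        "timeout_s": entry["timeout_s"],
    }


def timeout_hit(started_at: float, now: float, timeout_s: int) -> bool:
    """Timeout restriction: True once the detection has run for timeout_s or longer."""
    return now - started_at >= timeout_s


def package_result(target_cfg: dict, findings: list, timed_out: bool) -> bytes:
    """Wrap the detection result as a length-prefixed JSON packet for the agent."""
    body = json.dumps({"sample": target_cfg["sample_path"], "type": target_cfg["sample_type"],
                       "timed_out": timed_out, "findings": findings}, sort_keys=True).encode()
    return len(body).to_bytes(4, "big") + body


def unpack_result(packet: bytes) -> dict:
    """Host-side counterpart: validate the length prefix before parsing the JSON."""
    if len(packet) < 4:
        raise ValueError("packet shorter than its length prefix")
    n = int.from_bytes(packet[:4], "big")
    if len(packet) != 4 + n:
        raise ValueError("truncated or oversized result packet")
    return json.loads(packet[4:])


if __name__ == "__main__":
    cfg = build_target_config(r"C:\temp\sample.pdf", b"%PDF-1.7 constructed bytes")
    print(json.dumps(cfg, indent=1))
    print(unpack_result(package_result(cfg, [], timeout_hit(0.0, 130.0, cfg["timeout_s"]))))
```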

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611070377.XA CN106557701B (en) 2016-11-28 2016-11-28 Kernel leak detection method and device based on virtual machine

Publications (2)

Publication Number Publication Date
CN106557701A true CN106557701A (en) 2017-04-05
CN106557701B CN106557701B (en) 2019-09-06

Family

ID=58445625

Country Status (1)

Country Link
CN (1) CN106557701B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103810222A (en) * 2012-11-15 2014-05-21 北京金山安全软件有限公司 Sample file processing method and device
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN106130966A (en) * 2016-06-20 2016-11-16 北京奇虎科技有限公司 A kind of bug excavation detection method, server, device and system
CN106155880A (en) * 2015-03-27 2016-11-23 中国科学院信息工程研究所 A kind of automated procedures based on strategy analyze system and method

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107742080A (en) * 2017-09-30 2018-02-27 北京奇虎科技有限公司 For the bug excavation method and device of virtualized environment
CN107506641A (en) * 2017-09-30 2017-12-22 北京奇虎科技有限公司 Sandbox management method and device, computing device, storage medium
CN111124396A (en) * 2018-11-01 2020-05-08 北京国双科技有限公司 Website data processing method and device
CN111124396B (en) * 2018-11-01 2023-04-07 北京国双科技有限公司 Website data processing method and device
CN111343132A (en) * 2018-12-19 2020-06-26 华为技术有限公司 File transmission detection method and device and storage medium
CN111343132B (en) * 2018-12-19 2022-03-01 华为技术有限公司 File transmission detection method and device and storage medium
CN109753791A (en) * 2018-12-29 2019-05-14 北京奇虎科技有限公司 Malware detection methods and device
CN109753791B (en) * 2018-12-29 2024-07-26 北京奇虎科技有限公司 Malicious program detection method and device
CN110096440A (en) * 2019-04-26 2019-08-06 厦门网宿有限公司 A kind of log processing method and device
CN110096440B (en) * 2019-04-26 2023-04-18 厦门网宿有限公司 Log processing method and device
CN112446027A (en) * 2019-08-27 2021-03-05 中移(苏州)软件技术有限公司 Configuration checking method and device, electronic equipment and computer storage medium
CN112446027B (en) * 2019-08-27 2023-04-14 中移(苏州)软件技术有限公司 Configuration checking method and device, electronic equipment and computer storage medium
CN112241309A (en) * 2020-10-21 2021-01-19 海光信息技术股份有限公司 Data security method and device, CPU, chip and computer equipment
CN112241309B (en) * 2020-10-21 2022-04-01 海光信息技术股份有限公司 Data security method and device, CPU, chip and computer equipment
CN112632529A (en) * 2020-12-23 2021-04-09 北京鸿腾智能科技有限公司 Vulnerability identification method, device, storage medium and device
CN112532658A (en) * 2021-02-08 2021-03-19 腾讯科技(深圳)有限公司 Cloud network escape event scanning method and device and computer readable storage medium
CN113206850B (en) * 2021-04-30 2022-09-16 北京恒安嘉新安全技术有限公司 Malicious sample message information acquisition method, device, equipment and storage medium
CN113206850A (en) * 2021-04-30 2021-08-03 北京恒安嘉新安全技术有限公司 Malicious sample message information acquisition method, device, equipment and storage medium
CN114785542A (en) * 2022-03-10 2022-07-22 安芯网盾(北京)科技有限公司 Trojan horse detection method and system, electronic equipment and storage medium
CN116305091A (en) * 2023-03-31 2023-06-23 华能信息技术有限公司 Anti-escape detection method
CN116560858A (en) * 2023-07-07 2023-08-08 北京蔚领时代科技有限公司 VR cloud server container isolation method and system

Also Published As

Publication number Publication date
CN106557701B (en) 2019-09-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211210

Address after: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, high tech Zone, Binhai New Area, Tianjin

Patentee after: 3600 Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230711

Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: Beijing Hongxiang Technical Service Co.,Ltd.

Address before: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, high tech Zone, Binhai New Area, Tianjin

Patentee before: 3600 Technology Group Co.,Ltd.