CN106650463A - System and method for preventing window system service description table from being tampered - Google Patents

System and method for preventing window system service description table from being tampered

Info

Publication number: CN106650463A
Authority: CN (China)
Prior art keywords: cpu, drive module, module, internal memory, virtualization
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201611169593.XA
Other languages: Chinese (zh)
Inventor: 邢希双
Current Assignee: Zhengzhou Yunhai Information Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhengzhou Yunhai Information Technology Co Ltd
Priority date: 2016-12-16 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2016-12-16
Publication date: 2017-05-10
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201611169593.XA
Publication of CN106650463A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a system and a method for preventing the Windows system service description table from being tampered with. The system comprises a CPU virtualization driver module, a communication driver module and a main service process module. With this system and method, a Rootkit backdoor program that hides itself and causes damage by tampering with the system service description table is rendered completely ineffective, the various programs in the Windows operating system run safely, the security and integrity of the system service description table are fully guaranteed, hacker programs that cause damage by tampering with the system service description table are likewise rendered completely ineffective, and the security and stability of the Windows operating system are effectively improved.

Description

System and method for preventing the Windows system service description table from being tampered with
Technical field
The present invention relates to the fields of computer hardware virtualization and operating system security, and in particular to a system and method, built on the hardware virtualization (abbreviated HEV) support technology of AMD CPUs, for preventing the Windows system service description table of a Windows system from being tampered with.
Background technology
In the prior art, with the development of new technologies such as cloud computing and big data, the security requirements placed on cloud servers and PC terminals are rising. The operating system is the core of cloud servers and PC terminals; once the operating system is controlled and exploited by a hacker or an illegal user, the consequences are hard to imagine. The SSDT is a critical component of the Windows operating system and is the unified entry point of all application-layer APIs, so the security of the SSDT is especially important. In practice, hackers commonly write their own Rootkit backdoor programs that tamper with the SSDT in order to hide themselves and disrupt the normal behaviour of the system. In current statistics on hacker attacks, tampering with the SSDT accounts for the majority. How to effectively guarantee the security and integrity of the SSDT has therefore become a technical problem in urgent need of a solution. Operating system vendors have recognised this problem: current 64-bit Windows operating systems already include the PatchGuard mechanism, which checks at runtime whether the SSDT has been tampered with and, if it has, immediately reports an error and crashes the machine. The PatchGuard mechanism of the Windows operating system has major limitations: 1. 32-bit Windows operating systems do not have this mechanism, and 32-bit operating systems currently still have a large number of users; 2. this after-the-fact check is leaky, because by the time the check runs the Rootkit backdoor program may already have done what it set out to do; 3. crashing the machine is a consequence users cannot accept, especially on critical business servers; 4. an advanced hacker can switch the Windows operating system into debugging mode from within the Rootkit program, and PatchGuard does not take effect in debugging mode. Therefore, to prevent the SSDT of the Windows operating system from being tampered with, taking measures at the hardware virtualization level is the once-and-for-all approach, and a method for preventing tampering with the Windows system service description table, based on the hardware virtualization (abbreviated HEV) support technology of AMD CPUs (known as Pacifica technology), has arisen to meet this need.
The content of the invention
The purpose of the present invention is to address the deficiencies of the prior art by providing a system and method for preventing the Windows system service description table from being tampered with, which renders completely ineffective any Rootkit backdoor program that hides itself and causes damage by changing the system service description table, lets the various programs in the Windows operating system run safely, fully guarantees the security and integrity of the system service description table, thereby renders completely ineffective any hacker program that causes damage by changing the system service description table, and effectively improves the security and stability of the Windows operating system.
This solution is achieved through the following technical measures: a system for preventing the system service description table under the Windows operating system from being tampered with, characterised in that it includes the following modules:
The CPU virtualization driver module allocates the memory needed for the hardware virtualization data structures, sets the flag bit in the CPU register (EFER), fills in the virtual machine control block to indicate interception of memory operations, obtains the memory address range of the system service description table (SSDT) from the communication driver module, and lets the current operating system run on the virtual CPU as a virtual machine; it intercepts memory instructions that write to the address range of the system service description table and makes the memory write fail. The hardware virtualization data structures include the highest-privilege entry area (abbreviated HSA region) and the virtual machine control block (abbreviated VMCB control block).
The communication driver module obtains the starting memory address and the memory address range of the system service description table of the current operating system, saves the address, and then starts listening for request messages from the CPU virtualization driver module and the main service process module. After the communication driver module has started listening for request messages from the CPU virtualization driver module and the main service process module, it waits for the request messages sent by the CPU virtualization module, which include the request for the system service description table address and intercept log messages, and at the same time waits for the fetch-intercept-log request sent by the main service process module. If the CPU virtualization module sends an intercept log message, the message is buffered in the log linked list.
The main service process module installs the CPU virtualization driver module and the communication driver module, unloads the two modules and itself, and communicates with the communication driver module to obtain the intercept log of attempts to tamper with the system service description table. It installs the CPU virtualization driver module first and then the communication driver module; when unloading, it unloads the CPU virtualization driver module first and then the communication driver module.
A method for preventing the system service description table under the Windows operating system from being tampered with, characterised in that it comprises the following steps:
1) When the main service process module initializes, it loads the communication driver module and the CPU virtualization driver module;
2) After the communication driver module runs, it obtains the starting memory address and the memory address range of the system service description table of the current operating system and saves the address; it then starts listening for request messages from the CPU virtualization driver module and the main service process module;
3) After the CPU virtualization driver module runs, it performs the following in sequence: allocating the memory needed for the hardware virtualization data structures, setting the flag bit of the CPU register, filling in the virtual machine control block to indicate interception of memory operations, obtaining the memory address range of the system service description table from the communication driver module, and letting the current operating system run on the virtual CPU as a virtual machine;
4) After the CPU virtualization driver module intercepts each instruction, if it is a memory write instruction and the target being written is the address range of the SSDT, it makes the memory write fail;
5) The communication driver module obtains the intercept log message sent by the CPU virtualization module and buffers the message in the log linked list;
6) The communication driver module receives the fetch-intercept-log request sent by the main service process module, takes the message out of the log linked list, and returns it to the main service process module.
The CPU virtualization driver module is implemented as a kernel driver, is installed by the main service process, and runs automatically with the operating system; the code of the CPU virtualization driver module runs the CPU in ROOT mode and has the highest privilege.
The communication driver module is implemented as a kernel driver, is installed by the main service process, and runs automatically with the operating system; the CPU runs the operating system's communication driver code in non-ROOT mode, and the privilege of the communication driver module is lower than that of the CPU virtualization driver module and identical to that of other operating system kernel code.
The beneficial effect of this solution can be seen from the description above: by using the hardware virtualization technology supported by AMD CPUs together with Windows operating system kernel driver technology, the present invention places the operating system on a transparent virtualization layer without the user noticing, and monitors all write operations to the SSDT, so that the security and integrity of the SSDT in the Windows operating system can be thoroughly guaranteed. When the main service process starts, it first installs the two kernel modules, the communication driver module first and then the CPU virtualization driver module, and once they are installed the system automatically enters the SSDT-protected state. When the main service process exits, it automatically unloads the two kernel modules, taking the operating system's SSDT out of protection. The user needs to make no other intervention. The communication driver module forms a channel from the main service process to the operating system kernel driver and on to the hardware virtualization driver, so that the user can see the interception events of the CPU virtualization module in a timely manner. It can be seen from this that, compared with the prior art, the present invention has prominent substantive features and represents significant progress, and the beneficial effect of implementing it is also obvious.
Description of the drawings
Fig. 1 is a structural diagram of the system of the present invention.
Fig. 2 is the workflow diagram of the main service process module.
Fig. 3 is the start-up flow chart of the communication driver module.
Fig. 4 is the message-processing flow chart of the communication driver module.
Fig. 5 is the initialization flow chart of the CPU virtualization module.
Fig. 6 is the instruction-interception processing flow chart of the CPU virtualization module.
Specific embodiment
In order to clearly illustrate the technical features of this solution, the solution is explained below through a specific embodiment with reference to the accompanying drawings.
As can be seen from the drawings, the system of this solution for preventing the system service description table under the Windows operating system from being tampered with is characterised in that it includes the following modules:
The CPU virtualization driver module allocates the memory needed for the hardware virtualization data structures, sets the flag bit in the CPU register (EFER), fills in the virtual machine control block to indicate interception of memory operations, obtains the memory address range of the system service description table (SSDT) from the communication driver module, and lets the current operating system run on the virtual CPU as a virtual machine; it intercepts memory instructions that write to the address range of the system service description table and makes the memory write fail. The hardware virtualization data structures include the highest-privilege entry area (abbreviated HSA region) and the virtual machine control block (abbreviated VMCB control block).
The communication driver module obtains the starting memory address and the memory address range of the system service description table of the current operating system, saves the address, and then starts listening for request messages from the CPU virtualization driver module and the main service process module. After the communication driver module has started listening for request messages from the CPU virtualization driver module and the main service process module, it waits for the request messages sent by the CPU virtualization module, which include the request for the system service description table address and intercept log messages, and at the same time waits for the fetch-intercept-log request sent by the main service process module. If the CPU virtualization module sends an intercept log message, the message is buffered in the log linked list.
The main service process module installs the CPU virtualization driver module and the communication driver module, unloads the two modules and itself, and communicates with the communication driver module to obtain the intercept log of attempts to tamper with the system service description table. It installs the CPU virtualization driver module first and then the communication driver module; when unloading, it unloads the CPU virtualization driver module first and then the communication driver module.
A method, based on the above system, for preventing the system service description table under the Windows operating system from being tampered with, characterised in that it comprises the following steps:
1) When the main service process module initializes, it loads the communication driver module and the CPU virtualization driver module;
2) After the communication driver module runs, it obtains the starting memory address and the memory address range of the system service description table of the current operating system and saves the address; it then starts listening for request messages from the CPU virtualization driver module and the main service process module. The communication driver module is implemented as a kernel driver, is installed by the main service process, and runs automatically with the operating system; the CPU runs the operating system's communication driver code in non-ROOT mode, and the privilege of the communication driver module is lower than that of the CPU virtualization driver module and identical to that of other operating system kernel code.
3) After the CPU virtualization driver module runs, it performs the following in sequence: allocating the memory needed for the hardware virtualization data structures, setting the flag bit of the CPU register, filling in the virtual machine control block to indicate interception of memory operations, obtaining the memory address range of the system service description table from the communication driver module, and letting the current operating system run on the virtual CPU as a virtual machine. The CPU virtualization driver module is implemented as a kernel driver, is installed by the main service process, and runs automatically with the operating system; the code of the CPU virtualization driver module runs the CPU in ROOT mode and has the highest privilege.
4) After the CPU virtualization driver module intercepts each instruction, if it is a memory write instruction and the target being written is the address range of the SSDT, it makes the memory write fail;
5) The communication driver module obtains the intercept log message sent by the CPU virtualization module and buffers the message in the log linked list;
6) The communication driver module receives the fetch-intercept-log request sent by the main service process module, takes the message out of the log linked list, and returns it to the main service process module.
The present invention is not limited to the specific embodiment described above; changes, modifications, additions or substitutions made by a person of ordinary skill in the art within the essential scope of the present invention shall also fall within the protection scope of the present invention.
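The whole of steps 4 to 6 above reduces to one decision taken on every intercepted memory write (does it land in the SSDT range? if so, drop it and record it) and a linked list of intercept records that the communication driver holds until the main service process fetches them. The C program below is an added example written for this page, not code from the patent or its applicant: it models that decision and that list in user mode, with a byte array standing in for guest memory and offsets into it standing in for addresses. The names (ssdt_range, in_ssdt, intercept_write, log_push, log_pop), the table location 0x100..0x1FF and the sample writes are this example's own assumptions; the VMCB set-up and the ROOT-mode handler that actually sees each instruction are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the patent's code: a user-mode model of the
 * write-interception rule (method step 4) and of the intercept-log
 * linked list shared by the communication driver and the main service
 * process (steps 5 and 6). A byte array stands in for guest memory and
 * offsets into it stand in for addresses. All names are the example's own. */

/* Address range of the SSDT, as the CPU virtualization driver receives it
 * from the communication driver. base + size is assumed not to overflow. */
typedef struct {
    uint64_t base;
    uint64_t size;
} ssdt_range;

/* One intercept record in the communication driver's log linked list. */
typedef struct log_entry {
    uint64_t addr;            /* target of the blocked write */
    uint64_t value;           /* value the write tried to store */
    size_t   len;             /* width of the write in bytes */
    struct log_entry *next;
} log_entry;

typedef struct {
    log_entry *head;
    log_entry *tail;
    size_t count;
} log_list;

/* Does the write [addr, addr+len) overlap the SSDT range? A write that only
 * straddles the start or the end of the table still corrupts it, so an
 * interval overlap test is used rather than checking the first byte alone. */
static int in_ssdt(const ssdt_range *r, uint64_t addr, size_t len)
{
    if (len == 0 || r->size == 0)
        return 0;
    if (addr > UINT64_MAX - len)          /* address wraps around: refuse */
        return 1;
    uint64_t write_end = addr + len;      /* exclusive */
    uint64_t range_end = r->base + r->size;
    return addr < range_end && r->base < write_end;
}

/* Communication driver side (step 5): append a record to the log list. */
static void log_push(log_list *l, uint64_t addr, uint64_t value, size_t len)
{
    log_entry *e = malloc(sizeof *e);
    if (e == NULL)
        return;                           /* out of memory: record dropped */
    e->addr = addr;
    e->value = value;
    e->len = len;
    e->next = NULL;
    if (l->tail != NULL)
        l->tail->next = e;
    else
        l->head = e;
    l->tail = e;
    l->count++;
}

/* Communication driver side (step 6): hand the oldest record to the main
 * service process. Returns 1 and fills *out if a record was present. */
static int log_pop(log_list *l, log_entry *out)
{
    log_entry *e = l->head;
    if (e == NULL)
        return 0;
    *out = *e;
    out->next = NULL;
    l->head = e->next;
    if (l->head == NULL)
        l->tail = NULL;
    l->count--;
    free(e);
    return 1;
}

/* CPU virtualization driver side (step 4): decide the fate of one intercepted
 * memory write. A write into the SSDT range is made to fail and logged; any
 * other write is carried out on the modelled guest memory.
 * Returns 1 if blocked, 0 if performed, -1 if outside the modelled memory. */
static int intercept_write(const ssdt_range *r, log_list *l,
                           uint8_t *guest_mem, size_t guest_size,
                           uint64_t addr, uint64_t value, size_t len)
{
    if (in_ssdt(r, addr, len)) {
        log_push(l, addr, value, len);
        return 1;                         /* SSDT left untouched */
    }
    if (len > sizeof value || addr > guest_size || len > guest_size - addr)
        return -1;
    memcpy(guest_mem + addr, &value, len);
    return 0;
}

int main(void)
{
    uint8_t mem[4096] = {0};              /* constructed guest memory */
    ssdt_range ssdt = { 0x100, 0x100 };   /* assumed table location */
    log_list log = { NULL, NULL, 0 };
    log_entry e;

    intercept_write(&ssdt, &log, mem, sizeof mem, 0x180, 0x4141, 8); /* into SSDT */
    intercept_write(&ssdt, &log, mem, sizeof mem, 0x400, 0x42, 8);   /* elsewhere */
    while (log_pop(&log, &e))
        printf("blocked %zu-byte write at 0x%llx\n", e.len, (unsigned long long)e.addr);
    return 0;
}
```

Two points the model makes concrete: the blocked write is dropped rather than triggering a crash, which is the patent's stated difference from PatchGuard, and the range test is an interval overlap rather than a check of the starting address only, so a multi-byte write that begins just before the table and spills into its first entry is still caught.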

Claims (6)

1. A system for preventing the system service description table under the Windows operating system from being tampered with, characterised in that it includes the following modules:
a CPU virtualization driver module, which allocates the memory needed for the hardware virtualization data structures, sets the flag bit of the CPU register, fills in the virtual machine control block to indicate interception of memory operations, obtains the memory address range of the system service description table from the communication driver module, and lets the current operating system run on the virtual CPU as a virtual machine; it intercepts memory instructions that write to the address range of the system service description table and makes the memory write fail;
a communication driver module, which obtains the starting memory address and the memory address range of the system service description table of the current operating system, saves the address, and then starts listening for request messages from the CPU virtualization driver module and the main service process module;
a main service process module, which installs the CPU virtualization driver module and the communication driver module, unloads the two modules and itself, and communicates with the communication driver module to obtain the intercept log of attempts to tamper with the system service description table.
2. The system for preventing the system service description table under the Windows operating system from being tampered with according to claim 1, characterised in that the hardware virtualization data structures include the highest-privilege entry area and the virtual machine control block.
3. The system for preventing the system service description table under the Windows operating system from being tampered with according to claim 1 or 2, characterised in that, after the communication driver module has started listening for request messages from the CPU virtualization driver module and the main service process module, it waits for the request messages sent by the CPU virtualization module, which include the request for the system service description table address and intercept log messages, and at the same time waits for the fetch-intercept-log request sent by the main service process module; if the CPU virtualization module sends an intercept log message, the message is buffered in the log linked list.
4. A method for preventing the system service description table under the Windows operating system from being tampered with, characterised in that it comprises the following steps:
1) When the main service process module initializes, it loads the communication driver module and the CPU virtualization driver module;
2) After the communication driver module runs, it obtains the starting memory address and the memory address range of the system service description table of the current operating system and saves the address; it then starts listening for request messages from the CPU virtualization driver module and the main service process module;
3) After the CPU virtualization driver module runs, it performs the following in sequence: allocating the memory needed for the hardware virtualization data structures, setting the flag bit of the CPU register, filling in the virtual machine control block to indicate interception of memory operations, obtaining the memory address range of the system service description table from the communication driver module, and letting the current operating system run on the virtual CPU as a virtual machine;
4) After the CPU virtualization driver module intercepts each instruction, if it is a memory write instruction and the target being written is the address range of the SSDT, it makes the memory write fail;
5) The communication driver module obtains the intercept log message sent by the CPU virtualization module and buffers the message in the log linked list;
6) The communication driver module receives the fetch-intercept-log request sent by the main service process module, takes the message out of the log linked list, and returns it to the main service process module.
5. The method for preventing the system service description table under the Windows operating system from being tampered with according to claim 4, characterised in that the CPU virtualization driver module is implemented as a kernel driver, is installed by the main service process, and runs automatically with the operating system; the code of the CPU virtualization driver module runs the CPU in ROOT mode and has the highest privilege.
6. The method for preventing the system service description table under the Windows operating system from being tampered with according to claim 5, characterised in that the communication driver module is implemented as a kernel driver, is installed by the main service process, and runs automatically with the operating system; the privilege of the communication driver module is lower than that of the CPU virtualization driver module and identical to that of other operating system kernel code.
Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201611169593.XA | CN106650463A (en) | 2016-12-16 | 2016-12-16 | System and method for preventing window system service description table from being tampered

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201611169593.XA | CN106650463A (en) | 2016-12-16 | 2016-12-16 | System and method for preventing window system service description table from being tampered

Publications (1)

Publication Number | Publication Date
CN106650463A | 2017-05-10

Family

ID=58822097

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN201611169593.XA | Pending | CN106650463A (en) | 2016-12-16 | 2016-12-16 | System and method for preventing window system service description table from being tampered

Country Status (1)

Country | Link
CN (1) | CN106650463A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN109189558A * | 2018-09-04 | 2019-01-11 | 郑州云海信息技术有限公司 | A kind of method and device for secure virtual machine protection

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102129531A * | 2011-03-22 | 2011-07-20 | 北京工业大学 | Xen-based active defense method
CN102339243A * | 2010-07-28 | 2012-02-01 | 昆达电脑科技(昆山)有限公司 | Memory access control method
US20130318612A1 * | 2010-08-30 | 2013-11-28 | International Business Machines Corporation | Rootkit monitoring agent built into an operating system kernel
CN104899512A * | 2015-05-26 | 2015-09-09 | 浪潮电子信息产业股份有限公司 | Windows system service descriptor table tamper-proofing apparatus and method


Legal Events

Date | Code | Title
2017-05-10 | PB01 | Publication
| SE01 | Entry into force of request for substantive examination
| RJ01 | Rejection of invention patent application after publication