CN106709325B - Method and device for monitoring program - Google Patents

Info

Publication number: CN106709325B
Authority: CN (China)
Prior art keywords: function, injection, module, dll, program
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201611043652.9A
Other languages: Chinese (zh)
Other versions: CN106709325A (en)
Inventors: 向琦, 董文辉, 王有富, 林智鑫
Current assignee: Tencent Technology Shenzhen Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201611043652.9A; publication of CN106709325A; application granted; publication of CN106709325B; legal status Active; anticipated expiration.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a method and a device for monitoring a program, and belongs to the technical field of computers. The method comprises: loading a monitored program; while the monitored program runs, instrumenting each application programming interface (API) function that it calls; acquiring the function name of the API function; judging, from the function name, whether the API function satisfies preset judgment logic; if so, judging that dynamic link library (DLL) injection has occurred in the monitored program; detecting the injection type of the DLL injection according to preset detection logic; and acquiring the injection information. The invention can effectively determine whether a DLL module has been injected into the monitored program and by which injection mode, and it only needs to output the information of the API functions that match the judgment logic, without processing or outputting the other API functions, which markedly improves monitoring efficiency.

Description

Method and device for monitoring program
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for monitoring a program.
Background
In the prior art, for performance reasons, the active defense module on a device only checks whether a program's executable file (for example an .exe file) can be trusted, not the DLL (Dynamic Link Library) files that the program loads. DLL injection means placing a DLL in the address space of a process so that it becomes part of that process.
Some malicious programs exploit this property of active defense: using DLL injection they package a Trojan DLL together with a trusted ("white") program, so that when the white program runs the Trojan DLL is loaded with it, and the white program thereby carries the Trojan past active defense.
Existing approaches extract the DLL injection code of a suspicious program with an instrumentation tool, but they presuppose that the injection code is already available; in most cases the monitored process is simply a normal process, and this kind of detection does not work. Instrumentation is a method of inserting probes (also called detectors) into a program while preserving the original logic of the program under test; executing the probes emits characteristic data about the program's operation, and analysing that data yields the program's control-flow and data-flow information and further dynamic information such as logic coverage, which serves the testing purpose.
In addition, in the prior art every API executed by a suspicious program is instrumented and monitored; a program calls a great many APIs and instrumentation tools have limited throughput, so this approach is inefficient and of little practical use. An API (Application Programming Interface) is a predefined function.
Disclosure of Invention
The invention provides a method and a device for monitoring a program, which actively monitor whether DLL injection occurs in the program and judge whether the injection is malicious, without the injection code having to be obtained in advance.
According to an aspect of the present invention, there is provided a method of monitoring a program, including:
determining a monitored program;
loading a monitored program;
while the monitored program runs, instrumenting each application programming interface (API) function called by the monitored program;
acquiring the function name of the API function;
judging, from the function name of the API function, whether the API function satisfies preset judgment logic;
if so, judging that dynamic link library (DLL) injection has occurred in the monitored program;
detecting the injection type of the DLL injection according to preset detection logic;
acquiring the injection information of the DLL module injected into the monitored program; the injection information comprises the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic.
According to another aspect of the present invention, there is provided an apparatus for monitoring a program, comprising:
the determining module is used for determining the monitored program;
the loading module is used for loading the monitored program;
the instrumentation module is used for instrumenting each application programming interface API function called by the monitored program when the monitored program runs;
the function name acquisition module is used for acquiring the function name of the API function;
the injection judging module is used for judging whether the API function meets preset judging logic or not according to the function name of the API function; if yes, judging that the monitored program has dynamic link library DLL injection;
the injection type acquisition module is used for detecting the injection type of the DLL injection according to preset detection logic;
the injection information acquisition module is used for acquiring injection information injected into a DLL module of the monitored program; the injection information includes parameters, function names, module names, and stack information of API functions that satisfy preset judgment logic.
According to the method and device for monitoring a program, the program to be monitored is determined; the monitored program is loaded; while it runs, each application programming interface (API) function it calls is instrumented; the function name of the API function is acquired; whether the API function satisfies preset judgment logic is judged from its function name; if so, dynamic link library (DLL) injection is judged to have occurred in the monitored program; the injection type of the DLL injection is detected according to preset detection logic; and the injection information of the DLL module injected into the monitored program is acquired, this information comprising the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic. The invention can effectively determine whether a DLL module has been injected into the monitored program, when it was injected and by which injection mode, and thereby extracts the injection code and judges the injection type. Because of the preset judgment logic, only the information of the API functions in the DLL module that match the logic needs to be output; other API functions are neither processed nor output, which markedly improves monitoring efficiency. Furthermore, the instrumentation tool can monitor a large batch of programs automatically at the same time, extract the injected code and output a large batch of log files, reducing manual intervention and improving efficiency.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions and advantages of the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a block diagram of a hardware configuration of a computer terminal of a method of monitoring a program according to an embodiment of the present invention;
fig. 2 is a flowchart of a method of monitoring a program according to embodiment 1 of the present invention;
fig. 3 is a flowchart of step S208 according to embodiment 1 of the present invention;
FIG. 4 is still another flowchart of the method according to embodiment 1 of the present invention;
fig. 5 is a flowchart of step S209 according to embodiment 1 of the present invention;
fig. 6 is still another flowchart of step S209 according to embodiment 1 of the present invention;
fig. 7 is a block diagram of an apparatus for monitoring a program according to embodiment 2 of the present invention;
fig. 8 is a block diagram of a structure of a computer terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
In accordance with an embodiment of the present invention, there is provided an embodiment of a method of monitoring a program, it being noted that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
The method provided by embodiment 1 of the present application can be executed on a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as the example, fig. 1 is a hardware block diagram of a computer terminal for the method of monitoring a program according to an embodiment of the present invention. As shown in fig. 1, the computer terminal 100 may include one or more processors 102 (only one is shown; the processors 102 may include, without limitation, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission device 106 for communication. Those skilled in the art will understand that the structure shown in fig. 1 is only an illustration and does not limit the structure of the electronic device; for example, the computer terminal 100 may include more or fewer components than shown in fig. 1, or have a different configuration from that shown in fig. 1.
The memory 104 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the method of monitoring a program in the embodiment of the present invention; the processor 102 executes the software programs and modules stored in the memory 104 to perform the various functional applications and data processing, that is, to implement the method of monitoring a program described above. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples the memory 104 may further include memory located remotely from the processor 102 and connected to the computer terminal 100 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 100. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
Under the above operating environment, the present application provides a method of monitoring a program as shown in fig. 2. The method can be applied to a computer terminal and can also be applied to intelligent terminal equipment, the intelligent terminal equipment is executed by a processor in the intelligent terminal equipment, and the intelligent terminal equipment can be an intelligent mobile phone, a tablet personal computer and the like. The intelligent terminal device is provided with at least one application program, and the embodiment of the invention does not limit the types of the application programs, and can be a system application program or a software application program.
FIG. 2 is a flow diagram of a method of monitoring a program according to an embodiment of the invention. As shown in fig. 2, an alternative of the method of monitoring the program includes the following steps:
in step S201, a monitored program is determined.
The monitored program in the present application may be an EXE (executable file) or a DLL (dynamic link library); in general it may be any program.
On the Windows operating system the monitored program is a PE file, that is, a Portable Executable file; the familiar EXE, DLL, OCX, SYS and COM files are PE files, a PE file being a program file on the Microsoft Windows operating system (which may be executed indirectly, as a DLL is).
Step S202, the monitored program is loaded.
Loading the monitored program in the present application means loading it through a binary dynamic instrumentation tool.
Binary instrumentation decodes the target program directly, without needing its source code, and performs the instrumentation at the corresponding positions. Binary instrumentation performed before the program runs is called static instrumentation; instrumentation performed while the program runs is called dynamic instrumentation.
Binary dynamic instrumentation means instrumenting and filtering the instructions or other features of the program according to preset rules during its execution.
Step S203, while the monitored program runs, instrumenting each application programming interface (API) function that the monitored program calls.
An API (Application Programming Interface) is a predefined function intended to give applications and developers access to a set of routines based on particular software or hardware, without having to access the source code or understand the details of its internal workings. In the Windows operating system the API functions are contained in the dynamic link library (DLL) files under the Windows system directory.
Instrumentation is a method of inserting probes (also called detectors, monitoring code or instrumentation code) into a program while preserving the original logic of the program under test; executing the probes emits characteristic data about the program's operation, and analysing that data yields the program's control-flow and data-flow information and further dynamic information such as logic coverage, which serves the testing purpose.
In the prior art, in order to control a target process by hooking other processes, a prepared function DLL (dynamic link library) is often injected into the target process; this evades all kinds of monitoring software, which then cannot detect it.
As an alternative embodiment, the present application monitors each API function called by the monitored program through a PIN API record tool.
PIN is a binary dynamic instrumentation tool in wide use at home and abroad; it was developed and published by Intel, works by JIT (Just-In-Time) compilation, and monitors a target process by inserting probes into the program. Its programming interface is C/C++, it supports several platforms (Windows, Linux and others), and it offers multiple instrumentation granularities, from function instrumentation at the coarse end down to instruction instrumentation at the fine end. The present application uses this tool to detect DLL injection behaviour in the monitored program.
As an alternative embodiment, instrumenting each API function called by the monitored program while it runs comprises: inserting instrumentation code at the head and the tail of each application programming interface (API) function of the monitored program through an instrumentation tool, that is, at the entry and the return of each API function the monitored program calls.
Because a program calls a large number of APIs, instrumenting every instruction of every API function is inefficient. The present application inserts instrumentation code only at the head and tail of each API function of the monitored program, that is, it performs function instrumentation rather than instruction instrumentation, which greatly improves monitoring efficiency.
Taking the PIN instrumentation tool as an example, the present application performs function-level instrumentation (RTN_InsertCall) on the program. [The instrumentation code listing appears in the original as an image and is not transcribed here.]
Step S204, acquiring the function name of the API function.
When an API function of the monitored program is dynamically instrumented, the output value of the instrumentation code is obtained, and that value is the function name of the API function. Note, however, that the output values of the instrumentation code are used only for the logic judgment in the subsequent monitoring; only when the preset judgment is satisfied are they output and the relevant API instrumented further, which greatly improves the efficiency of monitoring the program.
And S205, judging whether the API function meets preset judgment logic according to the function name of the API function.
If so, go to step S206; otherwise, it is judged that no DLL injection has occurred in the monitored program.
Specifically, the preset judgment logic may be as follows:
after data is detected being written into the memory of the monitored program, a CreateRemoteThread function and a LoadLibrary function are called;
or, after data is detected being written into the memory of the monitored program, a CreateRemoteThreadEx function and a LoadLibrary function are called;
or, a LoadLibrary function is detected being called from the APC queue, with a soft interrupt occurring before the LoadLibrary call.
A program meeting any of these conditions may be judged to have undergone DLL injection.
It should be noted that these are only three exemplary judgment logics; the judgment logic of the present application is not limited to them.
Step S206, judging that the monitored program generates dynamic link library DLL injection.
And step S207, detecting the injection type of the DLL injection according to preset detection logic.
As an alternative embodiment, step S207 of the present application comprises:
extracting the function name of the API function that satisfies the preset judgment logic;
if it is detected that a CreateRemoteThread function and a LoadLibrary function are called after data is written into the memory of the monitored program, or that a CreateRemoteThreadEx function and a LoadLibrary function are called after data is written into the memory of the monitored program, judging that the injection type of the DLL injection is remote thread injection;
and if it is detected that a LoadLibrary function is called from the APC queue and a soft interrupt occurs before the LoadLibrary function executes, judging that the injection type of the DLL injection is asynchronous procedure call (APC) injection.
Specifically, if a LoadLibrary function is detected in the call sequence of the API functions and a soft interrupt occurs before the LoadLibrary function executes, the injection type of the DLL injection is determined to be APC injection.
The inventors obtained the judgment logic for whether DLL injection has occurred, and for its injection type, through analysis and study of remote thread injection and APC (Asynchronous Procedure Call) injection.
Remote thread injection writes data into the memory of the target process and then calls two functions, a CreateRemoteThread function (or CreateRemoteThreadEx function) and a LoadLibrary function, to complete the DLL injection. Therefore, if the API function call sequence meets this condition, DLL injection can be determined, and the injection mode is remote thread injection.
APC injection uses the mechanism by which the functions registered in a thread's APC queue are executed when the thread wakes; it usually inserts the LoadLibrary function into the APC queue of a thread. In the call sequence, therefore, the LoadLibrary function executes, and before it the thread performs a soft interrupt, such as a call to the SleepEx function or the WaitForSingleObjectEx function. A call sequence that satisfies this condition may be determined to be DLL injection, and the injection mode is APC injection.
An existing patent extracts injection code with an instrumentation tool, but it presupposes that the injection code is available; in most cases the monitored process is simply a normal process, and that detection mode does not work. The present method judges injection without the malicious code being available, and so applies more widely. In addition, the method first obtains the call sequence of the API functions from the output values of the instrumentation code, and then judges whether the call sequence of the API functions satisfies the preset judgment logic; if so, it judges that DLL injection has occurred and further judges the injection type.
It should be noted that, the current detection logic is classified according to two injection modes, i.e., remote thread injection and APC injection, and is only an exemplary mode, and the present invention is not limited to the above two detection logics, and the detection logic of the present invention can be added for more types of injection modes, so as to perfect detection of DLL injection.
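As an added illustration that is not part of the patent, the following C++ runs the judgment logic of steps S205 to S207 over a constructed API call trace of the kind that entry probes on each API function would record, and returns only the calls that satisfied the logic, which is what step S208 goes on to log. It assumes that "data written into the monitored program's memory" shows up as a WriteProcessMemory or NtWriteVirtualMemory call and that a LoadLibrary routine queued with QueueUserAPC is visible as that call's argument; it also treats the alertable waits WaitForMultipleObjectsEx and SignalObjectAndWait as soft interrupts alongside the SleepEx and WaitForSingleObjectEx named above, which goes beyond the two examples on the page. The three traces, the ApiCall and Report types and the sample DLL path are constructed for the example.

```cpp
// Added example, not the patent's code: steps S205-S207 applied to a
// constructed API call trace. Names marked "assumption" are not from the page.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// One record per API function entry, as the entry probe of step S203 would emit.
struct ApiCall {
    std::string name;  // function name obtained in step S204
    std::string arg;   // constructed: one argument worth keeping, e.g. the APC
                       // routine handed to QueueUserAPC, or the module path
};

enum class Injection { None, RemoteThread, Apc };

// What step S208 would log: the injection type and only those calls that
// satisfied the judgment logic; every other call is filtered out.
struct Report {
    Injection type = Injection::None;
    std::vector<std::size_t> matched;  // indices into the trace
};

// Assumption: "data written into the monitored program's memory" is observed
// as one of these calls.
static bool isMemoryWrite(const std::string& n) {
    return n == "WriteProcessMemory" || n == "NtWriteVirtualMemory";
}
static bool isRemoteThreadCreate(const std::string& n) {
    return n == "CreateRemoteThread" || n == "CreateRemoteThreadEx";
}
static bool isLoadLibrary(const std::string& n) {
    return n.rfind("LoadLibrary", 0) == 0;  // LoadLibraryA/W/ExA/ExW
}
// The "soft interrupt" before a queued LoadLibrary runs: an alertable wait,
// which is when Windows delivers user-mode APCs to the thread. The page names
// SleepEx and WaitForSingleObjectEx; the other two are added here.
static bool isAlertableWait(const std::string& n) {
    return n == "SleepEx" || n == "WaitForSingleObjectEx" ||
           n == "WaitForMultipleObjectsEx" || n == "SignalObjectAndWait";
}

// Steps S205-S207: one pass over the trace, remembering which preconditions
// have been met, and classify at the first LoadLibrary that completes a rule.
Report classify(const std::vector<ApiCall>& trace) {
    Report r;
    std::vector<std::size_t> remote, apc;  // evidence collected for each rule
    bool wrote = false, thread = false, queued = false, waited = false;
    for (std::size_t i = 0; i < trace.size(); ++i) {
        const std::string& n = trace[i].name;
        if (!wrote && isMemoryWrite(n)) {
            wrote = true; remote.push_back(i);
        } else if (wrote && !thread && isRemoteThreadCreate(n)) {
            thread = true; remote.push_back(i);
        } else if (!queued && n == "QueueUserAPC" && isLoadLibrary(trace[i].arg)) {
            queued = true; apc.push_back(i);
        } else if (queued && !waited && isAlertableWait(n)) {
            waited = true; apc.push_back(i);
        } else if (isLoadLibrary(n)) {
            if (thread) { r.type = Injection::RemoteThread; r.matched = remote; }
            else if (queued && waited) { r.type = Injection::Apc; r.matched = apc; }
            if (r.type != Injection::None) { r.matched.push_back(i); return r; }
        }
    }
    return r;  // no rule satisfied: nothing is logged for this trace
}

const char* injectionName(Injection t) {
    switch (t) {
        case Injection::RemoteThread: return "remote thread injection";
        case Injection::Apc:          return "APC injection";
        default:                      return "no DLL injection";
    }
}

// Constructed traces (not captured from real processes).
std::vector<ApiCall> remoteThreadTrace() {
    return {{"OpenProcess", ""}, {"VirtualAllocEx", ""}, {"WriteProcessMemory", ""},
            {"CreateRemoteThread", ""}, {"LoadLibraryA", "C:\\sample\\injected.dll"}};
}
std::vector<ApiCall> apcTrace() {
    return {{"OpenThread", ""}, {"QueueUserAPC", "LoadLibraryA"},
            {"SleepEx", ""}, {"LoadLibraryA", "C:\\sample\\injected.dll"}};
}
std::vector<ApiCall> benignTrace() {
    // A program loading a library on its own: LoadLibrary without either precondition.
    return {{"GetModuleHandleA", ""}, {"LoadLibraryW", "comctl32.dll"}, {"Sleep", ""}};
}

static void print(const char* label, const std::vector<ApiCall>& trace) {
    Report r = classify(trace);
    std::cout << label << ": " << injectionName(r.type);
    for (std::size_t i : r.matched) std::cout << " [" << trace[i].name << "]";
    std::cout << '\n';
}

int main() {
    print("remote-thread sample", remoteThreadTrace());
    print("APC sample", apcTrace());
    print("benign sample", benignTrace());
    return 0;
}
```

The benign trace is the case that matters in practice: LoadLibrary on its own is ordinary program behaviour, and the rule only fires when the preceding memory write and remote thread, or the queued APC and alertable wait, are present in that order.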
Step S208, acquiring injection information of the DLL module injected into the monitored program; the injection information includes parameters, function names, module names, and stack information of API functions that satisfy preset judgment logic.
As an alternative embodiment, as shown in fig. 3, step S208 includes:
Step S301, extracting the information of the output API functions: obtaining the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic.
And step S302, positioning an injection point of the DLL module injected into the monitored program.
Locating the injection point refers to locating the LoadLibrary function.
And step S303, acquiring the information of the injection point according to the parameters, the function name, the module name and the stack information of the API function.
Specifically, the information of the injection point may include: parameters of the LoadLibrary function, memory address, return value, stack information, and module address of the module in which the LoadLibrary function is located.
After the injection point information of the DLL module injected into the monitored program and the context information of the injection point are obtained, they can be saved in a log file. In the present application only the relevant information (parameters, names, modules, stacks and so on) of the API functions that satisfy the preset judgment logic is saved in the log file; the information of API functions unrelated to DLL injection is filtered out automatically and not output, which improves monitoring efficiency and saves system storage space.
[The program for acquiring the injection code of the DLL module injected into the monitored program appears in the original as an image and is not transcribed here.]
as an alternative embodiment, as shown in fig. 4, after step S208, the method further includes:
step S209, tracking and executing the DLL module injected into the monitored program, extracting an API function sequence executed by the DLL module, and determining whether the DLL module injected into the monitored program is a malicious process according to the API function sequence.
As an alternative embodiment, as shown in fig. 5, step S209 includes:
step S501, the DLL module injected into the monitored program is tracked and executed.
Step S502, extracting the function name of the API function in the DLL module and the calling sequence of the API function.
Step S502 includes extracting the name, parameters, and calling order of the injected DLL code calling API function.
After detecting that the monitored program is injected by the DLL, monitoring codes (instrumentation codes) are inserted into the head and the tail of each API function in the DLL module when the injected DLL module is executed, and when the monitoring codes are executed, the monitoring codes can record each API function and save information such as parameters of the functions in a log file.
When screening whether the injection DLL module is malicious or not, extracting an API function sequence called by the injection DLL module from the log file, wherein the API function sequence comprises the following steps: and when the monitoring program is operated, injecting DLL codes to call the name, the parameters and the sequence of the API function.
It should be noted that in step S502, the calling sequence of the API function is a calling sequence composed of all API functions in the DLL module; or the calling sequence of the API function is a calling sequence formed by partial API functions in the DLL module.
Different call sequences of API functions may serve different purposes: for example, "MoveFile->ShellExecute" copies and executes a file, and "SuspendThread->SetThreadContext->ResumeThread…" is used by malicious code to switch the execution path.
The call sequence of the API functions is searched for in a preset malicious sequence library; if it is found, the DLL module is judged to be a malicious process, and if not, the DLL module is judged not to be a malicious process.
Step S503, searching whether a preset malicious sequence library has a call sequence of the API function. If so, step S504 is executed, and if not, step S505 is executed.
Step S504, the DLL module is judged to be a malicious process.
Step S505, determining that the DLL module is not a malicious process.
Whether the call sequence of the API functions has a record in the preset malicious sequence library is judged; if so, the API function sequence is judged illegal, and if not, legal.
The preset malicious sequence library records the API function sequences that malicious code may call when executed.
The preset malicious sequence library may be, for example, the tiber system inside Tencent, maintained and updated by professional staff; all currently known malicious API function sequences, that is, sequences used to damage a computer, are stored in this malicious API function sequence library. The malicious API function sequences recorded in the library fall mainly into the following categories:
(1) API function sequences that modify the registry,
such as "RegOpenKeyEx -> RegSetKeyValue ...".
(2) API function sequences that connect to a malicious address or download a malicious program,
such as:
"URLDownloadToFileA -> CreateFile(%temp%\xxx.exe, ...) -> WinExec(%temp%\xxx.exe) ...".
Through step S209, the API function calling sequence of the injected DLL is monitored, so that the injected code is analysed, any malicious behaviour is identified, and the security of the computer is ensured.
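The library lookup described above, worked through as an added example (written for this page; it is not the patent's code, and the format of the Tiber system is not public). The trace format, the reading of "->" as "called at some point later", the A/W suffix normalisation and the argument bindings are assumptions of this example, and every trace is constructed:

```python
"""Screen an injected DLL's API call sequence against a malicious sequence
library (example code written for this page; not the patent's implementation).

A trace is the ordered list of API calls the injected DLL made, taken from the
instrumentation log. A library pattern is an ordered list of steps; "A -> B"
is read as "B is called at some point after A", so other calls may intervene.
A step may constrain an argument with a predicate, or bind it to a variable
("$path") that later steps must reproduce; that is what ties the file written
by CreateFile to the file started by WinExec."""
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class ApiCall:
    name: str
    args: tuple = ()


@dataclass
class Step:
    name: str
    # argument index -> matcher: a "$var" binding, a literal, a predicate
    # taking the value, or a list of those that must all hold
    args: dict = field(default_factory=dict)


def canonical(name: str) -> str:
    """Compare API names case-insensitively and without the ANSI/Unicode A/W
    suffix, so CreateFileA and CreateFileW both satisfy a "CreateFile" step
    (an assumption of this example; a log may already store canonical names)."""
    n = name.strip()
    if len(n) > 1 and n[-1] in "AW" and n[-2].islower():
        n = n[:-1]
    return n.lower()


def _match_step(step: Step, call: ApiCall, env: dict) -> Optional[dict]:
    """Return the binding environment extended by this call if it satisfies
    `step`, or None if it does not."""
    if canonical(call.name) != canonical(step.name):
        return None
    env = dict(env)
    for idx, matcher in step.args.items():
        if idx >= len(call.args):
            return None
        value = call.args[idx]
        for m in (matcher if isinstance(matcher, list) else [matcher]):
            if isinstance(m, str) and m.startswith("$"):
                if env.setdefault(m, value) != value:
                    return None          # variable already bound to another value
            elif callable(m):
                if not m(value):
                    return None
            elif m != value:
                return None
    return env


def matches(trace: list, pattern: list, start: int = 0,
            env: Optional[dict] = None) -> bool:
    """Ordered, gapped match of `pattern` against `trace`, backtracking over
    the choice of call for each step so that variable bindings are respected."""
    if not pattern:
        return True
    env = {} if env is None else env
    for i in range(start, len(trace)):
        new_env = _match_step(pattern[0], trace[i], env)
        if new_env is not None and matches(trace, pattern[1:], i + 1, new_env):
            return True
    return False


def in_temp(path: Any) -> bool:
    return isinstance(path, str) and path.lower().startswith("%temp%\\")


# The page's example sequences as library entries (argument positions follow
# the Win32 prototypes: URLDownloadToFile's 3rd argument is the file name,
# CreateFile's and WinExec's 1st, MoveFile's 2nd, ShellExecute's 3rd).
LIBRARY = {
    "registry modification": [Step("RegOpenKeyEx"), Step("RegSetKeyValue")],
    "download and execute": [Step("URLDownloadToFile", {2: ["$path", in_temp]}),
                             Step("CreateFile", {0: "$path"}),
                             Step("WinExec", {0: "$path"})],
    "move and execute": [Step("MoveFile", {1: "$dst"}), Step("ShellExecute", {2: "$dst"})],
    "thread hijacking": [Step("SuspendThread", {0: "$thread"}),
                         Step("SetThreadContext", {0: "$thread"}),
                         Step("ResumeThread", {0: "$thread"})],
}


def screen(trace: list, library: dict = LIBRARY) -> list:
    """Library categories the trace matches; an empty list means 'not found',
    which the method then treats as not malicious."""
    return [name for name, pattern in library.items() if matches(trace, pattern)]


# Constructed traces standing in for log-file extracts (not real samples).
DOWNLOAD_TRACE = [
    ApiCall("GetTickCount"),
    ApiCall("URLDownloadToFileA", (0, "http://example.invalid/p.bin", r"%temp%\upd.exe", 0, 0)),
    ApiCall("CreateFileA", (r"%temp%\upd.exe", 0x80000000, 0, 0, 3, 0x80, 0)),
    ApiCall("ReadFile", (0x1c, 0x400000, 4096, 0, 0)),
    ApiCall("WinExec", (r"%temp%\upd.exe", 0)),
]
# Same calls, but the file executed is not the file downloaded: no match.
UNRELATED_EXEC_TRACE = DOWNLOAD_TRACE[:-1] + [ApiCall("WinExec", ("notepad.exe", 1))]
HIJACK_TRACE = [ApiCall("OpenThread", (0x1f03ff, 0, 4242)), ApiCall("SuspendThread", (0x2c,)),
                ApiCall("VirtualAllocEx", (0x1a, 0, 4096, 0x3000, 0x40)),
                ApiCall("SetThreadContext", (0x2c, 0x7ff00000)), ApiCall("ResumeThread", (0x2c,))]
# Reads the registry without writing it: RegOpenKeyEx alone is not a hit.
BENIGN_TRACE = [ApiCall("RegOpenKeyExW", (0x80000001, r"Software\Acme", 0, 0x20019, 0)),
                ApiCall("RegQueryValueExW", (0x30, "Path", 0, 0, 0, 0)), ApiCall("RegCloseKey", (0x30,))]

if __name__ == "__main__":
    for label, t in [("download", DOWNLOAD_TRACE), ("unrelated", UNRELATED_EXEC_TRACE),
                     ("hijack", HIJACK_TRACE), ("benign", BENIGN_TRACE)]:
        print(f"{label:10s} {screen(t) or 'not found in library'}")
```

Matching a bare name sequence such as RegOpenKeyEx -> RegSetKeyValue is deliberately loose; the argument bindings are what keep the download-and-execute rule from firing on a DLL that downloads one file and runs another, as the UNRELATED_EXEC_TRACE case shows. A trace absent from the library is reported as not found, which the method treats as legal, so coverage depends entirely on how current the library is.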
As an alternative embodiment, as shown in fig. 6, after step S501 the method further includes:
S506: acquiring the address space of the DLL module and the address space of the monitored program.
S507: judging, from the address space of the DLL module and the address space of the monitored program, whether the DLL module is an injected DLL module.
Through steps S506 and S507, whether the DLL module is an injected DLL module can be further verified by means of the address spaces.
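One way to carry out steps S506 and S507 with concrete address ranges, as an added example (not the patent's implementation; the description does not say how the two address spaces are compared). It assumes the instrumentation tool records a baseline module map of the monitored program after start-up and, for each later LoadLibrary, the stack and the new module's range; the module names, addresses and stacks are constructed:

```python
"""Verify by address space that a module seen in the monitored program was
injected rather than loaded by the program itself (example code for this page,
not the patent's implementation).

Assumptions made here, since the patent does not detail them: the tool records
a baseline module map (image base and size of the main image and of every
module the loader resolved from its import table) once the monitored program
has started, and for every later LoadLibrary it records the stack (return
addresses, innermost first) and the loaded module's range. Because ASLR rebases
images on every load, the baseline must come from the same process instance
that is later examined."""
import bisect
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    @property
    def end(self) -> int:
        return self.base + self.size


class AddressSpace:
    """Non-overlapping module image ranges with O(log n) address lookup."""

    def __init__(self, modules: Iterable[ModuleRange]):
        self.modules = sorted(modules, key=lambda m: m.base)
        for a, b in zip(self.modules, self.modules[1:]):
            if a.end > b.base:
                raise ValueError(f"overlapping images: {a.name} / {b.name}")
        self._bases = [m.base for m in self.modules]

    def module_at(self, address: int) -> Optional[ModuleRange]:
        """Module whose image contains `address`, or None for unbacked memory."""
        i = bisect.bisect_right(self._bases, address) - 1
        if i >= 0 and self.modules[i].base <= address < self.modules[i].end:
            return self.modules[i]
        return None

    def contains(self, module: ModuleRange) -> bool:
        """True if `module` occupies exactly one of this map's ranges."""
        owner = self.module_at(module.base)
        return owner is not None and (owner.base, owner.end) == (module.base, module.end)


# Loader and thread-start plumbing that sits on every LoadLibrary stack
# (assumed list; extend it for the platform being monitored).
SYSTEM_MODULES = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}


def classify_module(baseline: AddressSpace, runtime: AddressSpace,
                    module: ModuleRange, load_stack: List[int]) -> str:
    """'imported': part of the baseline map, i.e. loaded through the import table;
    'dynamic':  loaded later, but requested by code in a baseline module;
    'injected': loaded later by code that is not part of the program: an unbacked
                stub, a foreign module, or no program frame at all (a remote
                thread started directly on LoadLibrary, or an APC dispatched by
                ntdll, leaves only system frames on the stack)."""
    if baseline.contains(module):
        return "imported"
    for ra in load_stack:
        frame = runtime.module_at(ra)
        if frame is None:
            return "injected"
        if frame.name.lower() in SYSTEM_MODULES:
            continue
        return "dynamic" if baseline.contains(frame) else "injected"
    return "injected"


# Constructed module maps and stacks (32-bit-style addresses; not a real dump).
APP = ModuleRange("app.exe", 0x00400000, 0x00080000)
NTDLL = ModuleRange("ntdll.dll", 0x77000000, 0x001A0000)
KERNEL32 = ModuleRange("kernel32.dll", 0x76A00000, 0x000F0000)
KERNELBASE = ModuleRange("kernelbase.dll", 0x75E00000, 0x00200000)
USER32 = ModuleRange("user32.dll", 0x76500000, 0x00190000)
PLUGIN = ModuleRange("plugin.dll", 0x6C000000, 0x00040000)      # loaded by app.exe itself
INJECTED = ModuleRange("injected.dll", 0x10000000, 0x00020000)  # appeared later

BASELINE = AddressSpace([APP, NTDLL, KERNEL32, KERNELBASE, USER32])
RUNTIME = AddressSpace([APP, NTDLL, KERNEL32, KERNELBASE, USER32, PLUGIN, INJECTED])

REMOTE_THREAD_STACK = [KERNEL32.base + 0x1234, NTDLL.base + 0x5678]  # thread start only
APC_STACK = [NTDLL.base + 0x0F00]                                    # APC dispatcher only
PLUGIN_LOAD_STACK = [APP.base + 0x1234]                              # app.exe called LoadLibrary
SHELLCODE_STACK = [0x00A50000]                                       # return into unbacked memory

if __name__ == "__main__":
    for mod, stack in [(USER32, []), (PLUGIN, PLUGIN_LOAD_STACK), (INJECTED, REMOTE_THREAD_STACK),
                       (INJECTED, APC_STACK), (INJECTED, SHELLCODE_STACK)]:
        print(f"{mod.name:13s} {classify_module(BASELINE, RUNTIME, mod, stack)}")
```

Comparing only the module's own range against the baseline would also flag a plug-in the program loads itself; the stack walk is what separates that case from a module that only thread-start or APC-dispatcher frames asked for. The walk treats a frame in a non-baseline, non-system module as injected, so a legitimately loaded plug-in that in turn loads another DLL needs the baseline to be extended with modules already classified as dynamic.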
According to the method for monitoring a program, each application programming interface (API) function of the monitored program is instrumented with an instrumentation tool; the monitored program is run; whether a monitored API function satisfies the preset judgment logic is judged; if so, it is judged that dynamic link library (DLL) injection has occurred in the monitored program; the information of the API function satisfying the preset judgment logic is output; the injection type of the DLL injection is detected according to preset detection logic; and the injection information of the DLL module injected into the monitored program is acquired from the output API function information. The invention can thus effectively determine whether a DLL module has been injected into the monitored program, when the injection occurred and by which injection method, so that the injected code is extracted and the injection type is identified. Because the preset judgment logic is applied, only the information of the API functions in the DLL module that match the judgment logic needs to be output, and other API functions are neither processed nor output, which markedly improves monitoring efficiency. In addition, the instrumentation tool can automatically monitor a large batch of programs at the same time, extract the injected code and output a large batch of log files, which reduces manual intervention and improves efficiency.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to an embodiment of the invention, an apparatus for implementing the above method for monitoring a program is also provided. Fig. 7 is a schematic diagram of an apparatus for monitoring a program according to a first embodiment of the present invention; as shown in fig. 7, the apparatus includes:
a determining module 701, configured to determine the monitored program;
a loading module 702, configured to load the monitored program;
an instrumentation module 703, configured to instrument each API function called by the monitored program while the monitored program is running;
a function name obtaining module 704, configured to obtain the function name of the API function;
an injection judgment module 705, configured to judge, from the function name of the API function, whether the API function satisfies the preset judgment logic, and if so, to judge that dynamic link library (DLL) injection has occurred in the monitored program;
an injection type obtaining module 706, configured to detect the injection type of the DLL injection according to preset detection logic;
an injection information obtaining module 707, configured to obtain the injection information of the DLL module injected into the monitored program, the injection information including the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic.
As an alternative embodiment, the apparatus further comprises a malicious injection determining module 708, configured to track the execution of the DLL module injected into the monitored program, extract the API function sequence executed by the DLL module, and judge from that API function sequence whether the injected DLL module is a malicious process.
As an alternative embodiment, the instrumentation module 703 further includes a function instrumentation unit 7031 for inserting instrumentation code at the entry and exit of each API function of the monitored program.
The preset judgment logic is: after data is detected being written into the memory of the monitored program, a CreateRemoteThread function and a LoadLibrary function, or a CreateRemoteThreadEx function and a LoadLibrary function, are called;
or the preset judgment logic is: a LoadLibrary function is detected in the API function call sequence, and a soft interrupt occurs before the LoadLibrary call.
As an alternative embodiment, the injection type obtaining module 706 includes:
a first function extracting unit 7061, configured to extract the function name of the API function that satisfies the preset judgment logic;
a first type determining unit 7062, configured to judge that the injection type of the DLL injection is remote thread injection if a CreateRemoteThread function and a LoadLibrary function, or a CreateRemoteThreadEx function and a LoadLibrary function, are called after data is detected being written into the memory of the monitored program;
a second type determining unit 7063, configured to judge that the injection type of the DLL injection is asynchronous procedure call (APC) injection if a LoadLibrary function is detected being called from the APC queue and a soft interrupt occurs before the LoadLibrary function executes.
As an alternative embodiment, the injection information obtaining module 707 includes:
a function information acquiring module 7071, configured to acquire the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic;
an injection point locating module 7072, configured to locate the injection point of the DLL module injected into the monitored program;
an injection point information acquiring module 7073, configured to acquire the information of the injection point from the parameters, function name, module name and stack information of the API function.
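The preset judgment logic and the two type determinations above, applied to an instrumentation log as an added example (written for this page; not the patent's code, which fixes neither a log format nor how the injector's calls are correlated with the target's). It assumes the tool logs the injector's memory write and CreateRemoteThread(Ex) against the monitored program alongside the program's own API calls, resolves the remote thread's start address to a symbol, records the new thread id, and emits an "apc" record when an APC is delivered to a thread. That record stands for the patent's "soft interrupt": on Windows a user-mode APC queued with QueueUserAPC runs when the target thread next enters an alertable wait such as SleepEx(..., TRUE). All records are constructed:

```python
"""Apply the preset judgment logic to an instrumentation log and report each
DLL injection with its type and injection information (example code for this
page; not the patent's implementation).

The patent fixes no log format, so one is assumed here. Each record is a dict:
  tid     thread of the monitored program the event occurred on (None for an
          injector's calls against the monitored program that the tool observed)
  kind    "api"   an instrumented API call,
          "write" data written into the monitored program's memory,
          "apc"   an APC delivered to the thread, i.e. the patent's "soft
                  interrupt" before LoadLibrary
  api, params, module, stack   function name, named parameters, calling module
          and return addresses of an "api" record; for CreateRemoteThread(Ex)
          the tool is assumed to have resolved lpStartAddress to a symbol and
          recorded the new thread's id in lpThreadId."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOADLIBRARY = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
REMOTE_THREAD = {"createremotethread", "createremotethreadex"}


@dataclass
class Finding:
    injection_type: str            # "remote thread injection" or "APC injection"
    dll: str                       # lpLibFileName of the LoadLibrary call: the injection point
    evidence: List[dict] = field(default_factory=list)  # the records that met the logic


def is_loadlibrary(rec: dict) -> bool:
    return rec["kind"] == "api" and rec["api"].lower() in LOADLIBRARY


def starts_thread_on_loadlibrary(rec: dict) -> bool:
    """CreateRemoteThread(Ex) whose start routine resolves to LoadLibrary."""
    if rec["kind"] != "api" or rec["api"].lower() not in REMOTE_THREAD:
        return False
    symbol = str(rec["params"].get("lpStartAddress", ""))
    return symbol.split("!")[-1].lower() in LOADLIBRARY


def judge(log: List[dict]) -> List[Finding]:
    """Walk the log once and emit a Finding for each LoadLibrary that satisfies
    the preset judgment logic. Every other API call is dropped, which is the
    efficiency point the description makes."""
    findings: List[Finding] = []
    write_seen: Optional[dict] = None       # most recent write into the program
    pending: Dict[int, list] = {}           # new thread id -> [write, CreateRemoteThread]
    last_on_thread: Dict[Optional[int], dict] = {}
    for rec in log:
        if rec["kind"] == "write":
            write_seen = rec
        elif starts_thread_on_loadlibrary(rec) and write_seen is not None:
            pending[rec["params"].get("lpThreadId")] = [write_seen, rec]
        elif is_loadlibrary(rec):
            dll = str(rec["params"].get("lpLibFileName", ""))
            prev = last_on_thread.get(rec["tid"])
            if rec["tid"] in pending:
                findings.append(Finding("remote thread injection", dll, pending.pop(rec["tid"]) + [rec]))
            elif prev is not None and prev["kind"] == "apc":
                findings.append(Finding("APC injection", dll, [prev, rec]))
        last_on_thread[rec["tid"]] = rec
    return findings


def injection_info(finding: Finding) -> List[dict]:
    """Parameters, function name, module name and stack of each record that
    satisfied the judgment logic: the injection information to be output."""
    return [{"api": r.get("api", r["kind"]), "params": r["params"],
             "module": r["module"], "stack": r["stack"]} for r in finding.evidence]


# Constructed log (not a real capture). Thread 1 is the program's UI thread,
# thread 3 sleeps alertably, thread 9 is created by the remote injector.
LOG = [
    {"tid": 1, "kind": "api", "api": "GetMessageW", "params": {}, "module": "app.exe", "stack": [0x00401000]},
    {"tid": None, "kind": "write", "params": {"address": 0x00A50000, "size": 24}, "module": "<injector>", "stack": []},
    {"tid": None, "kind": "api", "api": "CreateRemoteThread",
     "params": {"lpStartAddress": "kernel32!LoadLibraryA", "lpParameter": 0x00A50000, "lpThreadId": 9},
     "module": "<injector>", "stack": []},
    {"tid": 9, "kind": "api", "api": "LoadLibraryA", "params": {"lpLibFileName": r"C:\Users\Public\inj.dll"},
     "module": "kernel32.dll", "stack": [0x76A01234, 0x77005678]},
    # the program's own dynamic load: no APC before it and no matching remote thread
    {"tid": 1, "kind": "api", "api": "LoadLibraryW", "params": {"lpLibFileName": "comctl32.dll"},
     "module": "app.exe", "stack": [0x00401234]},
    {"tid": 3, "kind": "api", "api": "SleepEx", "params": {"dwMilliseconds": 1000, "bAlertable": True},
     "module": "app.exe", "stack": [0x00402000]},
    {"tid": 3, "kind": "apc", "params": {"routine": "kernel32!LoadLibraryW"}, "module": "ntdll.dll", "stack": [0x77001000]},
    {"tid": 3, "kind": "api", "api": "LoadLibraryW", "params": {"lpLibFileName": r"C:\Users\Public\apc.dll"},
     "module": "kernel32.dll", "stack": [0x77001000]},
]

if __name__ == "__main__":
    for f in judge(LOG):
        print(f.injection_type, "->", f.dll)
        for info in injection_info(f):
            print("   ", info["api"], info["module"], info["params"])
```

Only records that take part in a finding are kept, which is the efficiency point made in the description. Tying the LoadLibrary to its CreateRemoteThread(Ex) by the new thread id rather than by order matters when several threads load libraries concurrently; the program's own LoadLibraryW on thread 1 is not reported because it has neither a preceding APC on that thread nor a matching remote thread.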
As an alternative embodiment, the malicious injection determination module 708 includes:
a tracking unit 7081, configured to track execution of a DLL module injected into the monitored program;
an extracting unit 7082, configured to extract a function name of an API function in the DLL module and a call sequence of the API function;
a malicious injection determining unit 7083, configured to search a preset malicious sequence library for a call sequence of the API function, and if found, determine that the DLL module is a malicious process; if not, judging that the DLL module is not a malicious process.
As an alternative embodiment, the malicious injection determination module 708 further includes:
an address space obtaining unit 7084, configured to obtain an address space of the DLL module and an address space of the monitored program;
and the address space judging unit 7085 is configured to judge whether the DLL module is an injection DLL module according to the address space of the DLL module and the address space of the monitored program.
According to the apparatus for monitoring a program of the present invention, the monitored program is determined and loaded; each application programming interface (API) function called by the monitored program is instrumented while the monitored program runs; the function name of the API function is acquired; whether the API function satisfies the preset judgment logic is judged from its function name; if so, it is judged that dynamic link library (DLL) injection has occurred in the monitored program; the injection type of the DLL injection is detected according to preset detection logic; and the injection information of the DLL module injected into the monitored program is acquired, the injection information including the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic. The invention can thus effectively determine whether a DLL module has been injected into the monitored program, when the injection occurred and by which injection method, so that the injected code is extracted and the injection type is identified. Because the preset judgment logic is applied, only the information of the API functions in the DLL module that match the judgment logic needs to be output, and other API functions are neither processed nor output, which markedly improves monitoring efficiency. In addition, the instrumentation tool can automatically monitor a large batch of programs at the same time, extract the injected code and output a large batch of log files, which reduces manual intervention and improves efficiency.
Example 3
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store the program code for executing the method of monitoring a program according to the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
First, a monitored program is determined.
Second, the monitored program is loaded.
Third, while the monitored program runs, each API function called by the monitored program is instrumented.
Fourth, the function name of the API function is acquired.
Fifth, whether the API function satisfies the preset judgment logic is judged from the function name of the API function.
Sixth, if so, it is judged that dynamic link library (DLL) injection has occurred in the monitored program.
Seventh, the injection type of the DLL injection is detected according to preset detection logic.
Eighth, the injection information of the DLL module injected into the monitored program is acquired; the injection information includes the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic.
Optionally, the specific examples in this embodiment may refer to the examples described in embodiment 1 and embodiment 2, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
Example 4
The embodiment of the invention also provides a computer terminal, which may be any computer terminal device in a group of computer terminals. Because the method is constrained by the platforms the instrumentation tool supports, it is mainly applied on a PC (personal computer) or a server.
Optionally, fig. 8 is a block diagram of the structure of a computer terminal according to an embodiment of the present invention. As shown in fig. 8, the computer terminal A may include one or more processors 161 (only one is shown) and a memory 163.
The memory 163 may be used to store software programs and modules, such as the program instructions/modules corresponding to the method and apparatus for monitoring a program in the embodiments of the present invention; the processor 161 executes various functional applications and data processing, that is, implements the method for monitoring a program, by running the software programs and modules stored in the memory 163. The memory 163 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 163 may further include memory located remotely from the processor 161 and connected to the computer terminal A via a network.
In particular, the memory 163 stores information on preset action conditions and preset authorized users, as well as application programs.
The processor 161 may invoke the information and application programs stored in the memory 163 via a transmission means to perform the following steps:
First, a monitored program is determined.
Second, the monitored program is loaded.
Third, while the monitored program runs, each API function called by the monitored program is instrumented.
Fourth, the function name of the API function is acquired.
Fifth, whether the API function satisfies the preset judgment logic is judged from the function name of the API function.
Sixth, if so, it is judged that dynamic link library (DLL) injection has occurred in the monitored program.
Seventh, the injection type of the DLL injection is detected according to preset detection logic.
Eighth, the injection information of the DLL module injected into the monitored program is acquired; the injection information includes the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic.
Optionally, the specific examples in this embodiment may refer to the examples described in embodiment 1 and embodiment 2, and this embodiment is not described herein again.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (12)

1. A method of monitoring a program, comprising:
determining a monitored program;
running the monitored program;
when the monitored program runs, instrumenting each application programming interface (API) function of the monitored program;
acquiring a function name of the API function;
judging, according to the function name of the API function, whether the API function satisfies a preset judgment logic step;
if so, judging that dynamic link library (DLL) injection has occurred in the monitored program;
detecting the injection type of the DLL injection according to a preset detection logic step;
acquiring injection information of a DLL module injected into the monitored program, the injection information comprising parameters, function names, module names and stack information of API functions satisfying the preset judgment logic step;
wherein the preset judgment logic step is:
calling a CreateRemoteThread function and a LoadLibrary function after detecting that data is written into the memory of the monitored program;
or, calling a CreateRemoteThreadEx function and a LoadLibrary function after detecting that data is written into the memory of the monitored program;
or, detecting that a LoadLibrary function is called in the APC queue and that a soft interrupt occurs before the LoadLibrary function call.
2. The method of monitoring a program according to claim 1, further comprising, after acquiring the injection information of the DLL module injected into the monitored program:
tracking the execution of the DLL module injected into the monitored program, extracting the API function sequence executed in the DLL module, and judging, according to the API function sequence, whether the DLL module injected into the monitored program is a malicious process.
3. The method of monitoring a program according to claim 1, wherein detecting the injection type of the DLL injection according to the preset detection logic step comprises:
extracting the function name of the API function that satisfies the preset judgment logic step;
if it is detected that a CreateRemoteThread function and a LoadLibrary function, or a CreateRemoteThreadEx function and a LoadLibrary function, are called after data is written into the memory of the monitored program, judging that the injection type of the DLL injection is remote thread injection;
and if it is detected that a LoadLibrary function is called in the APC queue and a soft interrupt occurs before the LoadLibrary function executes, judging that the injection type of the DLL injection is asynchronous procedure call (APC) injection.
4. The method of monitoring a program according to claim 1, wherein acquiring the injection information of the DLL module injected into the monitored program comprises:
acquiring the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic step;
locating the injection point of the DLL module injected into the monitored program;
and acquiring the information of the injection point according to the parameters, function name, module name and stack information of the API function.
5. The method of monitoring a program according to claim 2, wherein tracking the execution of the DLL module injected into the monitored program, extracting the API function sequence executed by the DLL module, and judging according to the API function sequence whether the DLL module injected into the monitored program is a malicious process comprises:
tracking the execution of the DLL module injected into the monitored program;
extracting the function name of the API function in the DLL module and the calling sequence of the API function;
and searching a preset malicious sequence library for the calling sequence of the API function, and if it is found, judging that the DLL module is a malicious process, and if not, judging that the DLL module is not a malicious process.
6. The method of monitoring a program according to claim 5, wherein tracking the execution of the DLL module injected into the monitored program further comprises:
acquiring the address space of the DLL module and the address space of the monitored program;
and judging, according to the address space of the DLL module and the address space of the monitored program, whether the DLL module is an injected DLL module.
7. An apparatus for monitoring a program, comprising:
a determining module, configured to determine a monitored program;
a running module, configured to run the monitored program;
an instrumentation module, configured to instrument each application programming interface (API) function of the monitored program when the monitored program runs;
a function name acquisition module, configured to acquire a function name of the API function;
an injection judging module, configured to judge, according to the function name of the API function, whether the API function satisfies a preset judgment logic step, and if so, to judge that dynamic link library (DLL) injection has occurred in the monitored program;
an injection type acquisition module, configured to detect the injection type of the DLL injection according to a preset detection logic step;
an injection information acquisition module, configured to acquire injection information of a DLL module injected into the monitored program, the injection information comprising parameters, function names, module names and stack information of API functions satisfying the preset judgment logic step;
wherein the preset judgment logic step is:
calling a CreateRemoteThread function and a LoadLibrary function after detecting that data is written into the memory of the monitored program;
or, calling a CreateRemoteThreadEx function and a LoadLibrary function after detecting that data is written into the memory of the monitored program;
or, detecting that a LoadLibrary function is called in the APC queue and that a soft interrupt occurs before the LoadLibrary function call.
8. The apparatus for monitoring a program according to claim 7, further comprising a malicious injection judging module, configured to track the execution of the DLL module injected into the monitored program, extract the API function sequence executed by the DLL module, and judge, according to the API function sequence, whether the DLL module injected into the monitored program is a malicious process.
9. The apparatus for monitoring a program according to claim 7, wherein the injection type acquisition module comprises:
a first function extraction unit, configured to extract the function name of the API function that satisfies the preset judgment logic step;
a first type judging unit, configured to judge that the injection type of the DLL injection is remote thread injection if a CreateRemoteThread function and a LoadLibrary function, or a CreateRemoteThreadEx function and a LoadLibrary function, are called after data is detected being written into the memory of the monitored program;
and a second type judging unit, configured to judge that the injection type of the DLL injection is asynchronous procedure call (APC) injection if a LoadLibrary function is called in the APC queue and a soft interrupt occurs before the LoadLibrary function executes.
10. The apparatus for monitoring a program according to claim 7, wherein the injection information acquisition module comprises:
a function information acquisition module, configured to acquire the parameters, function names, module names and stack information of the API functions that satisfy the preset judgment logic step;
an injection point positioning module, configured to locate the injection point of the DLL module injected into the monitored program;
and an injection point information acquisition module, configured to acquire the information of the injection point according to the parameters, function name, module name and stack information of the API function.
11. The apparatus for monitoring a program according to claim 8, wherein the malicious injection judging module comprises:
a tracking unit, configured to track the execution of the DLL module injected into the monitored program;
an extraction unit, configured to extract the function name of the API function in the DLL module and the calling sequence of the API function;
and a malicious injection judging unit, configured to search a preset malicious sequence library for the calling sequence of the API function, and if it is found, to judge that the DLL module is a malicious process, and if not, to judge that the DLL module is not a malicious process.
12. The apparatus for monitoring a program according to claim 11, wherein the malicious injection judging module further comprises:
an address space acquisition unit, configured to acquire the address space of the DLL module and the address space of the monitored program;
and an address space judging unit, configured to judge, according to the address space of the DLL module and the address space of the monitored program, whether the DLL module is an injected DLL module.
CN201611043652.9A 2016-11-11 2016-11-11 Method and device for monitoring program Active CN106709325B (en)

Publications (2)

Publication Number Publication Date
CN106709325A (en) 2017-05-24
CN106709325B (en) 2020-09-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant