CN106778276B - Method and system for detecting malicious codes of entity-free files - Google Patents


Info

Publication number: CN106778276B
Application number: CN201611248606.2A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN106778276A
Inventors: 高喜宝, 闫博远, 李柏松
Assignee: Beijing Antiy Network Technology Co Ltd
Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a system for detecting entity-free file malicious code, comprising the following steps: traversing the processes and modules running in the system; obtaining the path and file name corresponding to each process and module and forming one record per item; and judging, from the path and file name in each record, whether a corresponding file exists on the system disk; if so, discarding the record, otherwise blocking the related process or module from running and performing deep detection. The technical scheme of the invention can detect and block entity-free file malicious code.

Description

Method and system for detecting malicious codes of entity-free files
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for detecting entity-free file malicious code.
Background
Traditional malicious code detection software traverses every file on the computer disk, extracts feature codes (signatures) for comparison, and matches those features against memory.
More and more APT (advanced persistent threat) attacks use entity-free files: after such malicious code compromises a host, the malicious code itself, or malicious code derived from it, is injected into system memory, and no entity file is created or remains on disk, so traditional endpoint security products detect entity-free file attacks only weakly. Entity-free file malicious code may also write itself into the registry, or delete its local file after running, which leaves existing malicious code detection tools without anything to scan.
Disclosure of Invention
To address these technical problems, the invention judges whether entity-free file malicious code is present based on the correspondence between processes and modules on the one hand and files on the other, and so solves the problem that traditional signature-based detection cannot effectively identify entity-free file malicious code.
The invention is realized by the following method. A method of detecting entity-free file malicious code comprises:
traversing the processes and modules running in the system;
obtaining the path and file name corresponding to each process and module and forming one record per item;
and judging, from the path and file name in each record, whether a corresponding file exists on the system disk; if so, discarding the record, otherwise blocking the related process or module from running and performing deep detection.
Further, obtaining the paths and file names corresponding to all processes and modules and forming records one by one specifically includes: obtaining the path and file name corresponding to each process and module and recording them in memory in the form of a list.
Further, judging whether a corresponding file exists on the system disk according to the path and file name in a record further includes: matching each path and file name record against a white list, and discarding every record that matches the white list.
Further, the white list is specifically a white list generated from the paths and file names of system files.
In the above method, performing deep detection specifically includes: analysing the related process or module to judge whether it contains malicious code; if so, extracting its features and adding them to the feature library, and if not, extracting its path and file name and adding them to the white list.
The invention can be realized by the following system. A system for detecting entity-free file malicious code comprises:
a process and module traversing module, used to traverse the processes and modules running in the system;
a path and file name acquisition module, used to obtain the path and file name corresponding to each process and module and to form one record per item;
and a malicious code judging module, used to judge, from the path and file name in each record, whether a corresponding file exists on the system disk, to discard the record if the file exists, and to block the related process or module from running and perform deep detection if it does not.
Further, the path and file name acquisition module is specifically configured to obtain the path and file name corresponding to each process and module and record them in memory in the form of a list.
Further, the system also includes a white list matching module, used to match each path and file name record against the white list and to discard every record that matches the white list.
Further, the white list is specifically a white list generated from the paths and file names of system files.
In the above system, performing deep detection specifically includes: analysing the related process or module to judge whether it contains malicious code; if so, extracting its features and adding them to the feature library, and if not, extracting its path and file name and adding them to the white list.
In summary, the invention monitors the processes and modules running in the system, obtains the path and file name corresponding to each, and determines whether the corresponding file exists on the system disk. If it does, the preliminary determination is that no entity-free file malicious code is present; if it does not, the process or module is considered highly suspicious and deep detection can follow to determine whether malicious code is present.
Beneficial effects: unlike traditional memory-based detection, the method does not depend on matching memory features, but identifies malicious code from the correspondence between processes and modules and their files. The method and system can be applied in antivirus products and thereby solve the problem that traditional signature-based detection cannot effectively detect malicious code that has no entity file.
Drawings
To illustrate the technical solution of the invention more clearly, the drawings used in the embodiments are briefly described below. The drawings describe only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of embodiment 1 of the method for detecting entity-free file malicious code according to the invention;
Fig. 2 is a flowchart of embodiment 2 of the method for detecting entity-free file malicious code according to the invention;
Fig. 3 is a block diagram of an embodiment of the system for detecting entity-free file malicious code according to the invention.
Detailed Description
To make the technical solutions in the embodiments better understood, and the above objects, features and advantages clearer, the technical solutions of the invention are described in detail below with reference to the accompanying drawings.
The invention first provides embodiment 1 of a method for detecting entity-free file malicious code, as shown in Fig. 1, comprising:
S101: traversing the processes and modules running in the system.
Here a module is a DLL (dynamic link library) file; DLL files are placed in the system, and the corresponding DLL is loaded when a program that uses it is executed.
S102: obtaining the path and file name corresponding to each process and module and forming one record per item.
Specifically: obtaining the path and file name corresponding to each process and module and recording them in memory in the form of a list.
S103: judging, from the path and file name in each record, whether a corresponding file exists on the system disk; if so, discarding the record, otherwise blocking the related process or module from running and performing deep detection.
When no file corresponding to the path and file name in a record is found on the system disk, the related process or module is judged highly suspicious; an antivirus product is invoked, or an analyst performs further analysis, to finally decide whether the process or module contains entity-free malicious code. If it does, its features are extracted and added to the feature library; if it does not, its path and file name are extracted and added to the white list.
The invention also provides embodiment 2 of a method for detecting entity-free file malicious code, as shown in Fig. 2, comprising:
S201: traversing the processes and modules running in the system.
S202: obtaining the path and file name corresponding to each process and module and forming one record per item.
Specifically: obtaining the path and file name corresponding to each process and module and recording them in memory in the form of a list.
S203: matching each path and file name record against a white list, and discarding every record that matches the white list.
The white list may be, but is not limited to, a white list generated from the paths and file names of system files, whose purpose is to filter out system processes and modules; it may also contain processes and modules that the user regards as safe and adds as needed.
S204: judging, from the path and file name in each remaining record, whether a corresponding file exists on the system disk; if so, discarding the record, otherwise blocking the related process or module from running and performing deep detection.
Deep detection specifically includes: analysing the related process or module to judge whether it contains malicious code; if so, extracting its features and adding them to the feature library, and if not, extracting its path and file name and adding them to the white list.
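As an added example (not the patent's own code), the S201 to S204 pipeline in Python: a white list built from system file paths, the on-disk existence check, the deep-detection feedback into the feature library or white list, and a /proc-based collector for Linux hosts. The Record class, the path normalization, the "feature" being a (kind, path) pair, and the sample records in demo() are all assumptions of this example.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One entry of the in-memory list from S202: a running process or a loaded module."""
    pid: int
    kind: str   # "process" or "module"
    path: str   # directory plus file name, as reported by the operating system

def normalize(path: str) -> str:
    """Canonical form used only for white list comparison; existence checks use the raw path."""
    p = path.strip()
    if p.startswith("\\\\?\\"):            # Windows extended-length prefix
        p = p[4:]
    return p.replace("\\", "/").lower()

def build_whitelist(system_files) -> set:
    """S203 white list, generated from the paths and file names of known system files."""
    return {normalize(p) for p in system_files}

def triage(records, whitelist) -> list:
    """S203 + S204: drop white-listed records, then drop records whose file exists on disk.
    What remains is the 'highly suspicious' set: code running with no backing file."""
    suspicious = []
    for r in records:
        if normalize(r.path) in whitelist:
            continue                        # S203: record matches the white list, discard
        if os.path.isfile(r.path):
            continue                        # S204: backing file found on disk, discard
        suspicious.append(r)
    return suspicious

def deep_detection(record, is_malicious, feature_library, whitelist) -> str:
    """Feedback step after S204. `is_malicious` stands in for the antivirus or analyst verdict;
    the 'feature' stored in the library is just (kind, normalized path) here (an assumption)."""
    if is_malicious(record):
        feature_library.add((record.kind, normalize(record.path)))
        return "malicious"
    whitelist.add(normalize(record.path))
    return "whitelisted"

def collect_linux_records() -> list:
    """S201/S202 on Linux via /proc: each process's exe link plus its file-backed mappings.
    A process whose binary was deleted after launch reports its exe as '/path (deleted)',
    which is exactly what then fails the S204 existence check."""
    records = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            records.add(Record(int(pid), "process", os.readlink(f"/proc/{pid}/exe")))
            with open(f"/proc/{pid}/maps") as maps:
                for line in maps:
                    parts = line.rstrip("\n").split(maxsplit=5)
                    if len(parts) == 6 and parts[5].startswith("/"):
                        records.add(Record(int(pid), "module", parts[5]))
        except OSError:
            continue                        # process exited or permission denied
    return sorted(records, key=lambda r: (r.pid, r.kind, r.path))

def demo():
    """Constructed scenario (not real telemetry): one process with a real file on disk,
    one white-listed system DLL that is absent on this host, one module with no backing file."""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "svc.exe")
        open(real, "w").close()
        wl = build_whitelist([r"C:\Windows\System32\ntdll.dll"])
        records = [
            Record(100, "process", real),
            Record(100, "module", r"C:\Windows\System32\ntdll.dll"),
            Record(200, "module", os.path.join(tmp, "injected_stage2.dll")),
        ]
        hits = triage(records, wl)          # only pid 200 survives both filters
        lib = set()
        verdict = deep_detection(hits[0], lambda r: "injected" in r.path, lib, wl)
        # An analyst later clears a different unbacked module: it goes to the white list instead.
        cleared = Record(300, "module", os.path.join(tmp, "vendor_helper.dll"))
        deep_detection(cleared, lambda r: False, lib, wl)
        return [h.pid for h in hits], verdict, len(lib), len(wl), triage([cleared], wl)
```

On a live Linux host, `triage(collect_linux_records(), build_whitelist(...))` applies the same filters to real processes; the " (deleted)" exe links it surfaces correspond to the "delete the local file after running" case in the background section.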
The invention further provides an embodiment of a system for detecting entity-free file malicious code, as shown in Fig. 3, comprising:
a process and module traversing module 301, configured to traverse the processes and modules running in the system;
a path and file name acquisition module 302, configured to obtain the path and file name corresponding to each process and module and to form one record per item;
and a malicious code judging module 303, configured to judge, from the path and file name in each record, whether a corresponding file exists on the system disk, to discard the record if the file exists, and to block the related process or module from running and perform deep detection if it does not.
Preferably, the path and file name acquisition module is specifically configured to obtain the path and file name corresponding to each process and module and record them in memory in the form of a list.
Preferably, the system also includes a white list matching module, used to match each path and file name record against the white list and to discard every record that matches the white list.
More preferably, the white list is a white list generated from the paths and file names of system files.
In the above system embodiment, performing deep detection specifically includes: analysing the related process or module to judge whether it contains malicious code; if so, extracting its features and adding them to the feature library, and if not, extracting its path and file name and adding them to the white list.
The embodiments in this specification are described progressively: the same or similar parts of the embodiments refer to each other, and each embodiment focuses on its differences from the others. In particular, since the system embodiment is substantially similar to the method embodiment, its description is brief, and for the relevant points reference may be made to the corresponding part of the method embodiment.
As described above, the embodiments provide a method and a system for detecting entity-free file malicious code, which first obtain the processes and modules running in the system, obtain the path and file name corresponding to each, determine from the path and file name in the record whether a corresponding file exists on the system disk, suspect entity-free malicious code if no corresponding file exists, and perform deep analysis and confirmation. The embodiments of the invention solve the problem that traditional detection methods cannot detect entity-free file malicious code, and can effectively identify and block it.
The above examples are intended to illustrate, not to limit, the technical solutions of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention should be covered by its claims.

Claims (10)

1. A method of detecting entity-free file malicious code, comprising:
traversing the processes and modules running in the system;
obtaining the path and file name corresponding to each process and module and forming one record per item;
and judging, from the path and file name in each record, whether a corresponding file exists on the system disk; if so, discarding the record, otherwise blocking the related process or module from running and performing deep detection.
2. The method according to claim 1, wherein obtaining the paths and file names corresponding to all processes and modules and forming records one by one specifically includes: obtaining the path and file name corresponding to each process and module and recording them in memory in the form of a list.
3. The method according to claim 1, further comprising, before judging whether a corresponding file exists on the system disk according to the path and file name in a record: matching each path and file name record against a white list, and discarding every record that matches the white list.
4. The method according to claim 3, wherein the white list is specifically a white list generated from the paths and file names of system files.
5. The method according to any one of claims 1 to 4, wherein the deep detection is performed by: analysing the related process or module to judge whether it contains malicious code; if so, extracting its features and adding them to the feature library, and if not, extracting its path and file name and adding them to the white list.
6. A system for detecting entity-free file malicious code, comprising:
a process and module traversing module, used to traverse the processes and modules running in the system;
a path and file name acquisition module, used to obtain the path and file name corresponding to each process and module and to form one record per item;
and a malicious code judging module, used to judge, from the path and file name in each record, whether a corresponding file exists on the system disk, to discard the record if the file exists, and to block the related process or module from running and perform deep detection if it does not.
7. The system according to claim 6, wherein the path and file name acquisition module is specifically configured to obtain the path and file name corresponding to each process and module and record them in memory in the form of a list.
8. The system according to claim 6, further comprising a white list matching module, used to match each path and file name record against the white list and to discard every record that matches the white list.
9. The system according to claim 8, wherein the white list is specifically a white list generated from the paths and file names of system files.
10. The system according to any one of claims 6 to 9, wherein the deep detection is performed by: analysing the related process or module to judge whether it contains malicious code; if so, extracting its features and adding them to the feature library, and if not, extracting its path and file name and adding them to the white list.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611248606.2A CN106778276B (en) 2016-12-29 2016-12-29 Method and system for detecting malicious codes of entity-free files
Publications (2)

Publication Number Publication Date
CN106778276A CN106778276A (en) 2017-05-31
CN106778276B true CN106778276B (en) 2020-06-19

Family

ID=58929318
Country Status (1)

Country Link
CN (1) CN106778276B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109918907B (en) * 2019-01-30 2021-05-25 国家计算机网络与信息安全管理中心 Method, controller and medium for obtaining evidence of malicious codes in process memory of Linux platform
CN111797392B (en) * 2019-04-09 2023-08-08 国家计算机网络与信息安全管理中心 Method, device and storage medium for controlling infinite analysis of derivative files

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101984692A (en) * 2010-11-15 2011-03-09 中兴通讯股份有限公司 Method and device for preventing malicious software from transmitting data
CN102542201A (en) * 2011-12-26 2012-07-04 北京奇虎科技有限公司 Detection method and system for malicious codes in web pages
CN102855274A (en) * 2012-07-17 2013-01-02 北京奇虎科技有限公司 Method and device for detecting suspicious progresses

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
CN101604361A (en) * 2008-06-11 2009-12-16 北京奇虎科技有限公司 Malware detection method and device
US8239940B2 (en) * 2008-12-25 2012-08-07 Trusteer Ltd. Functional patching/hooking detection and prevention
CN101650768A (en) * 2009-07-10 2010-02-17 深圳市永达电子股份有限公司 Security guarantee method and system for Windows terminals based on auto white list
US20120311710A1 (en) * 2011-06-03 2012-12-06 Voodoosoft Holdings, Llc Computer program, method, and system for preventing execution of viruses and malware
CN102930207B (en) * 2012-04-27 2015-11-04 北京金山安全软件有限公司 API log monitoring method and device
Non-Patent Citations (2)

Title
"Analysis report of a malicious sample with no entity file"; Antiy CERT; Baidu Wenku, https://wenku.baidu.com/view/2efac1563186bceb19e8bbba.html; 2015-05-08; pages 1-6 *
"Analysis of several incidents using PowerShell to spread malicious code"; Antiy CERT; published online: https://www.antiy.com/response/Analysis_of_several_events_that_use_PowerShell_to_transmit_malware.html; 2016-03-18; pages 1-8 *

Also Published As

Publication number Publication date
CN106778276A (en) 2017-05-31

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant