An injection attack detection method and device
Technical field
The present application relates to the field of APP security technology, and more particularly to an injection attack detection method and device.
Background
With the rapid development of the mobile Internet industry, mobile applications (Application, abbreviated APP) have grown explosively, especially the widely used Android applications. However, because the Android system itself is open source, Android applications, like personal computers (PC), have become a main target of attack. Android applications are subject to attacks by viruses, injection, Trojans, rogue software and phishing software, which seriously affects client security and reduces both the user experience and the income of application developers.
Among these, an injection attack mainly refers to an attack by an injection tool. The specific attack pattern is as follows: the injection tool injects its own executable file into the process it wants to attack. After the executable file has been injected into that process, it is subsequently run, and as a result of running it operates on the data related to the process. For example, for a financial industry application, the injection tool injects an executable file into the process of the application and modifies data used during the application's business operation, such as the account, the amount of money, and so on.
Therefore, how to find out whether a process is attacked by an injection tool is extremely important.
Summary of the invention
The purpose of the embodiments of the present application is to provide an injection attack detection method and device, so as to detect whether a target process is attacked by an injection tool.
In a first aspect, an embodiment of the present application provides an injection attack detection method, including:
determining the feature values of the executable files under a target process;
if, among the feature values of the executable files under the target process, there is a feature value that matches a preset value, determining that the target process is attacked by an injection tool; wherein the preset value is the feature value of a predetermined injection tool.
Optionally, the target process is a process in a Linux system, and determining the feature values of the executable files under the target process specifically includes:
determining, according to the process ID of the target process, the maps file in the proc file system that matches the process ID;
determining, according to the maps file, the feature values of the executable files under the target process.
Optionally, the feature value of an executable file includes at least one of the following:
the name of the executable file;
the hash value of the executable file.
Optionally, when the feature value of the executable file is the hash value of the executable file, determining the feature values of the executable files under the target process according to the maps file specifically includes:
determining the unique identifier of the executable file recorded in the maps file;
determining the executable file according to the unique identifier;
using the hash value of the executable file as the feature value of the executable file.
Optionally, after it is determined that the target process is attacked by an injection tool, the method further includes:
determining the executable file under the target process whose feature value matches the preset value to be an illegal executable file injected into the target process by the injection tool.
Optionally, after the illegal executable file is determined, the method further includes:
deleting the illegal executable file.
Optionally, after it is determined that the target process is attacked by an injection tool, the method further includes:
terminating the target process; and/or
outputting a prompt message that the target process is attacked by an injection tool.
In a second aspect, an embodiment of the present application further provides an injection attack detection device, including:
a feature value determining module, configured to determine the feature values of the executable files under a target process;
an injection attack determining module, configured to determine that the target process is attacked by an injection tool if, among the feature values of the executable files under the target process, there is a feature value that matches a preset value; wherein the preset value is the feature value of a predetermined injection tool.
Optionally, the target process is a process in a Linux system, and the feature value determining module specifically includes a first determining submodule and a second determining submodule;
the first determining submodule is configured to determine, according to the process ID of the target process, the maps file in the proc file system that matches the process ID;
the second determining submodule is configured to determine, according to the maps file, the feature values of the executable files under the target process.
Optionally, the device further includes:
an injection attack processing module, configured to, after it is determined that the target process is attacked by an injection tool, terminate the target process; and/or output a prompt message that the target process is attacked by an injection tool.
In at least one of the above technical solutions adopted by the embodiments of the present application, the feature value of a predetermined injection tool is used as the preset value and compared with the feature values of the executable files under the target process. Therefore, when the feature value of an executable file under the target process matches the preset value, an executable file of an injection tool exists under the target process, which means the target process is under injection attack; otherwise, the target process is not under injection attack. The following beneficial effects can thus be obtained: it is possible to detect whether the target process is under injection attack, which lays a foundation for taking defensive measures in time to prevent the target process from being attacked by an injection tool, and improves the user's experience of using the application.
Brief description of the drawings
The drawings described herein are provided for a further understanding of the present application and constitute a part of the present application. The exemplary embodiments of the present application and their description are used to explain the application and do not constitute an improper limitation of the application. In the drawings:
Fig. 1 is a flow chart of an injection attack detection method provided by Embodiment 1 of the present application;
Fig. 2 is a flow chart of an injection attack detection method provided by Embodiment 2 of the present application;
Fig. 3 is a flow chart of an injection attack detection method provided by Embodiment 3 of the present application;
Fig. 4 is a schematic structural diagram of an injection attack detection device provided by Embodiment 4 of the present application;
Fig. 5 is a schematic structural diagram of an injection attack detection device provided by Embodiment 5 of the present application;
Fig. 6 is a schematic structural diagram of an injection attack detection device provided by Embodiment 6 of the present application.
Detailed description
To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions of the present application are described clearly and completely below in conjunction with specific embodiments of the application and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the scope of protection of the present application.
To solve the problems in the prior art, the embodiments of the present invention propose an injection attack detection method and device for detecting injection attacks. This lays a foundation for taking defensive measures in time and preventing an injection tool from operating on the in-memory data of an application while it runs, and improves the user's experience of using the application.
An injection attack detection method provided by the embodiments of the present invention is described first.
It should first be noted that the method provided by the embodiments of the present application may be executed by an electronic device on which the Android system is installed, for example a mobile phone or a tablet computer. The executing device does not limit the present application; for ease of description, the embodiments of the present application are explained using a mobile phone with the Android system installed as the example.
The functional software that implements the injection attack detection method provided by the embodiments of the present application may be security software, a functional module within security software, and so on. The functional software does not limit the present application either.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the drawings.
Embodiment 1
Refer to Fig. 1, which is a flow chart of an injection attack detection method provided by Embodiment 1 of the present invention. The target process corresponding to the target application to be protected and the injection process corresponding to the injection tool are two separate processes, so the injection process cannot directly operate on the related data in the target process. Therefore, to operate on the related data in the target process, the injection tool injects illegal executable files into the target process and operates on the related data indirectly by running these illegal executable files. However, the feature value of an illegal executable file differs from the feature values of the target process's own executable files. In view of this, as shown in Fig. 1, the injection attack detection method provided by Embodiment 1 of the present application may include:
S101: determining the feature values of the executable files under the target process;
S102: if, among the feature values of the executable files under the target process, there is a feature value that matches a preset value, determining that the target process is attacked by an injection tool; wherein the preset value is the feature value of a predetermined injection tool.
Step S101 is described in detail below.
A process is one run of an application program on a certain data set in a computer, and is the basic unit by which the system allocates and schedules resources. When an application is started, the operating system creates a new process to execute the application. An executable file is a file that can be loaded and executed by the operating system.
Generally, an application takes the form of a process while it runs, and the executable files of the application are mapped into the process through virtual addresses. For example, when a process is created, a virtual address space is created first, then the header of the process's executable file is read, and a mapping relationship is established between the virtual addresses in the virtual address space and the executable file.
Taking a target process in a Linux system as an example, a specific implementation of step S101 is described below; that is, the target process is a process in a Linux system.
The maps file in the proc file system under Linux stores a list consisting of the memory regions into which each executable file and library file of the process is mapped, together with their access permissions. Therefore, step S101 may specifically include:
Step 1: according to the process ID of the target process, determining the maps file in the proc file system that matches the process ID;
The Android system is an operating system based on the Linux kernel. In a Linux system, each process has a process ID (PID or pid); the process ID is a positive number used to uniquely identify a process in the system.
Step 2: according to the maps file, determining the feature values of the executable files under the target process.
Those skilled in the art will appreciate that the /proc directory in a Linux system is a file system, namely the proc file system. Unlike other common file systems, the proc file system is a pseudo file system (that is, a virtual file system). What it stores is a series of special files reflecting the current running state of the kernel, and through these files a user can view information about the system hardware and the processes currently running.
Because of this particularity, the files in the proc file system are often called virtual files and have some unique characteristics. For example, although viewing some of these files with a viewing command returns a large amount of information, the size of the files themselves is shown as 0 bytes.
For convenience of viewing and use, these virtual files are generally stored by category in different directories and even subdirectories according to their relevance. For example, the /proc/scsi directory stores information about all Small Computer System Interface (SCSI) devices on the current system; /proc/pid stores information about the processes currently running on the system, where pid is the process ID of the running process. As can be expected, after a process terminates, the directory related to that process disappears automatically.
The feature value of an executable file includes at least one of the following: the name of the executable file, and the hash value of the executable file. It should be understood that any other feature value that can distinguish an illegal executable file from a legal executable file is also applicable to the present application; the two feature values above should not be taken as limiting the scope of protection of the present application.
In general, an illegal executable file is an executable file injected into the target process by an injection tool, and a legal executable file is an executable file of the target process itself.
In a first specific implementation, the name of the executable file alone may be used as the feature value of the executable files under the target process to determine whether the target process is under injection attack. This avoids the system resource overhead caused by computing the hash values of the executable files.
However, an injection tool may evade detection by modifying or hiding the name of its executable file, which makes the detection result obtained with the first specific implementation inaccurate.
Therefore, in a second specific implementation, if it is determined from the names of the executable files that the target process is not under injection attack (that is, the first specific implementation determines that the target process is not under injection attack), the hash value of the executable file is further used as the feature value of the executable file to determine whether the target process is under injection attack. This prevents an injection tool from evading detection by modifying or hiding the name of the illegal executable file, and improves detection accuracy.
Of course, in a third specific implementation, the hash value of the executable file alone may be used as the feature value of the executable files under the target process to determine whether the target process is under injection attack, which improves detection accuracy.
Specifically, when the feature value of the executable file is the hash value of the executable file, step 2 above, that is, the step of determining the feature values of the executable files under the target process according to the maps file, may specifically include:
Sub-step 1: determining the unique identifier of each executable file recorded in the maps file;
Sub-step 2: determining the executable file according to the unique identifier;
Sub-step 3: using the hash value of the executable file as the feature value of the executable file.
Here, the unique identifier of an executable file may be the file name of the executable file, the file header, and so on.
The /proc/pid/maps file in the proc file system generally exists in the form of a list (hereinafter referred to as the maps table). The list usually records seven columns of data, of which the 7th column records the unique identifier of an executable file of the process, and the corresponding executable file is mapped by this unique identifier.
Therefore, in a specific implementation, the corresponding executable file (a binary file) can be found according to the unique identifier recorded in the 7th column of the maps table; the hash value of the executable file found is computed with a hash algorithm, and the computed hash value is used as the feature value of the executable file.
A hash algorithm maps a binary value of arbitrary length to a smaller binary value of fixed length; this small binary value is called a hash value. A hash value is a unique and extremely compact numerical representation of a piece of data, and can therefore reflect the features of an executable file. The specific calculation process belongs to the prior art and is not repeated here.
Step S102 is described in detail below.
First, those skilled in the art will appreciate that an injection tool generally refers to a malicious program that injects illegal executable files into a target process and operates on the related data in the target process by running these illegal executable files. For example, the commonly seen SQL injection tools.
The feature values of the predetermined injection tools are obtained by the applicant collecting statistics on and analyzing existing injection tools in advance, and extracting and saving the feature values of the executable files of these injection tools. Since there is more than one existing injection tool, there is more than one predetermined feature value. In a specific implementation, the applicant stores the feature values of the predetermined injection tools in a database (which may be called the injection feature database).
In addition, since new injection tools keep emerging, the injection feature database referred to in the embodiments of the present application is not fixed; it can be updated on a schedule or periodically to add the feature values of newly emerging injection tools, which is entirely reasonable.
In the injection attack detection method provided by Embodiment 1 of the present application, the feature value of a predetermined injection tool is used as the preset value and compared with the feature values of the executable files under the target process. Therefore, when the feature value of an executable file under the target process matches the preset value, an executable file of an injection tool exists under the target process, which means the target process is under injection attack; otherwise, the target process is not under injection attack. The method can thus detect whether the target process is under injection attack, which lays a foundation for taking defensive measures in time to prevent the target process from being attacked by an injection tool, and improves the user's experience of using the application.
It should also be noted that, when implementing the injection attack detection method provided by Embodiment 1 of the present invention, step S101 may be performed on all executable files under the target process before step S102 is performed. Alternatively, steps S101 and S102 may be performed on one executable file under the target process, and, if it is determined that the target process is not under injection attack, steps S101 and S102 are then performed on another executable file under the target process. Both approaches are reasonable. With the latter approach, it may be enough to perform steps S101 and S102 on only a few executable files under the target process, or even just one, to determine that the target process is under injection attack; the latter approach can therefore shorten the time needed to determine whether the target process is under injection attack and improve detection efficiency.
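The check in steps S101 and S102 can be sketched in Python as follows. This is an added example, not code from the application: the function names, the choice of SHA-256 as the hash algorithm, and the sample file names and contents are assumptions constructed for illustration. It reads the file path from the last column of each maps line, compares names first and falls back to hashes (the second specific implementation), and stops at the first match.

```python
import hashlib
import os
import tempfile


def mapped_files(maps_text):
    """Return [(path, deleted)] for each distinct file-backed mapping."""
    seen, out = set(), []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # keep spaces inside the path column
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous mapping or pseudo-entry such as [heap]
        path = fields[5].rstrip()
        deleted = path.endswith(" (deleted)")  # file unlinked after mapping
        if deleted:
            path = path[: -len(" (deleted)")]
        if path not in seen:
            seen.add(path)
            out.append((path, deleted))
    return out


def sha256_of(path):
    """Hash a file in chunks so large libraries are not read in one piece."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def detect_injection(maps_text, preset_names, preset_hashes):
    """S101 + S102: name comparison first, hash comparison as fallback."""
    files = mapped_files(maps_text)
    for path, _ in files:  # cheap pass, no file reads
        if os.path.basename(path) in preset_names:
            return {"injected": True, "matched": "name",
                    "file": path, "unchecked": []}
    unchecked = []  # mapped files whose hash could not be computed
    for path, deleted in files:
        try:
            if deleted:
                raise FileNotFoundError(path)
            digest = sha256_of(path)
        except OSError:
            unchecked.append(path)
            continue
        if digest in preset_hashes:  # stop at the first match
            return {"injected": True, "matched": "hash",
                    "file": path, "unchecked": unchecked}
    return {"injected": False, "matched": None,
            "file": None, "unchecked": unchecked}


def scan_pid(pid, preset_names, preset_hashes):
    """Step 1: locate the maps file for the process ID, then run the check."""
    with open(f"/proc/{pid}/maps") as f:
        return detect_injection(f.read(), preset_names, preset_hashes)


def demo():
    """Run the check on constructed maps content backed by temporary files."""
    payload = b"constructed stand-in for an injection tool library"
    preset_names = {"libinject.so"}  # constructed preset name
    preset_hashes = {hashlib.sha256(payload).hexdigest()}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "libapp.so"), "wb") as f:
            f.write(b"constructed legitimate library")
        with open(os.path.join(d, "libhelper.so"), "wb") as f:
            f.write(payload)  # same bytes under an innocuous name
        cases = {
            "clean": ["libapp.so"],
            "by_name": ["libapp.so", "libinject.so"],
            "renamed": ["libapp.so", "libhelper.so"],
            "deleted": ["libapp.so", "gone.so (deleted)"],
        }
        for label, names in cases.items():
            lines = ["55550000-55551000 rw-p 00000000 00:00 0        [heap]"]
            for i, name in enumerate(names):
                lines.append(f"7f{i:02x}0000-7f{i:02x}1000 r-xp 00000000 "
                             f"fd:00 {100 + i}    {os.path.join(d, name)}")
            r = detect_injection("\n".join(lines), preset_names, preset_hashes)
            results[label] = (r["injected"], r["matched"],
                              r["file"] and os.path.basename(r["file"]),
                              [os.path.basename(p) for p in r["unchecked"]])
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Mapped files that can no longer be read from disk, such as entries marked "(deleted)", are returned in the unchecked list instead of being silently treated as clean. On a live system, scan_pid reads /proc/<pid>/maps directly, which requires permission to read that process's entry.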
Embodiment 2
Refer to Fig. 2, which is a flow chart of an injection attack detection method provided by Embodiment 2 of the present invention. The injection attack detection method provided by the embodiment shown in Fig. 2 differs from the embodiment shown in Fig. 1 in that the method may further include:
S103: determining the executable file under the target process whose feature value matches the preset value to be an illegal executable file injected into the target process by the injection tool.
Optionally, after step S103, the method may further include:
S104: deleting the illegal executable file.
It is not difficult to see that determining and deleting the illegal executable file injected into the target process by the injection tool is one of the effective means of defending against injection attacks. After deletion, the injection tool is prevented from operating on the in-memory data of the Android application while it runs, which ensures the security of user data and improves the user's experience of using the application.
Embodiment 3
Refer to Fig. 3, which is a flow chart of an injection attack detection method provided by Embodiment 3 of the present invention. The injection attack detection method provided by the embodiment shown in Fig. 3 differs from the embodiment shown in Fig. 1 or Fig. 2 in that the method may further include:
S105: terminating the target process; and/or outputting a prompt message that the target process is attacked by an injection tool.
In addition to the information that the target process is attacked by an injection tool, the prompt message may also include suggestions, for example, suggesting that the user terminate the target process, or suggesting that the user use security software to scan for and remove the injection tool.
It can be understood that terminating the target process and/or outputting a prompt message is also an effective means of defending against injection attacks. It can likewise prevent the injection tool from operating on the in-memory data of the Android application while it runs, which ensures the security of user data and improves the user's experience of using the application.
Corresponding to the above method embodiments, the present application also provides an injection attack detection device, which is described in detail below.
Embodiment 4
Refer to Fig. 4, which is a schematic structural diagram of an injection attack detection device provided by Embodiment 4 of the present invention. As shown in Fig. 4, the injection attack detection device provided by Embodiment 4 of the present application may include:
a feature value determining module 401, configured to determine the feature values of the executable files under a target process;
As already stated in Embodiment 1, the maps file in the proc file system under Linux stores a list consisting of the memory regions into which each executable file and library file of the process is mapped, together with their access permissions. Therefore, in a specific implementation, the feature value determining module 401 specifically includes a first determining submodule and a second determining submodule;
the first determining submodule is configured to determine, according to the process ID of the target process, the maps file in the proc file system that matches the process ID;
the second determining submodule is configured to determine, according to the maps file, the feature values of the executable files under the target process.
Specifically, the feature value of an executable file includes at least one of the following: the name of the executable file, and the hash value of the executable file. It should be understood that any other feature value that can distinguish an illegal executable file from a legal executable file is also applicable to the present application; the two feature values above should not be taken as limiting the scope of protection of the present application.
When the feature value of the executable file is the hash value of the executable file, the second determining submodule may specifically include:
a first determining subunit, configured to determine the unique identifier of the executable file recorded in the maps file;
a second determining subunit, configured to determine the executable file according to the unique identifier;
a third determining subunit, configured to use the hash value of the executable file as the feature value of the executable file.
an injection attack determining module 402, configured to determine that the target process is attacked by an injection tool if, among the feature values of the executable files under the target process, there is a feature value that matches a preset value; wherein the preset value is the feature value of a predetermined injection tool.
In the injection attack detection device provided by Embodiment 4 of the present application, the feature value of a predetermined injection tool is used as the preset value and compared with the feature values of the executable files under the target process. Therefore, when the feature value of an executable file under the target process matches the preset value, an executable file of an injection tool exists under the target process, which means the target process is under injection attack; otherwise, the target process is not under injection attack. The device can thus detect whether the target process is under injection attack, which lays a foundation for taking defensive measures in time to prevent the target process from being attacked by an injection tool, and improves the user's experience of using the application.
Embodiment 5
Refer to Fig. 5, which is a schematic structural diagram of an injection attack detection device provided by Embodiment 5 of the present invention. The injection attack detection device provided by the embodiment shown in Fig. 5 differs from the embodiment shown in Fig. 1 in that the device may further include:
a determining module 403, configured to determine the executable file under the target process whose feature value matches the preset value to be an illegal executable file injected into the target process by the injection tool.
Optionally, the device may further include:
a deleting module 404, configured to delete the illegal executable file.
It is not difficult to see that determining and deleting the illegal executable file injected into the target process by the injection tool is one of the effective means of defending against injection attacks. After deletion, the injection tool is prevented from operating on the in-memory data of the Android application while it runs, which ensures the security of user data and improves the user's experience of using the application.
Embodiment 6
Refer to Fig. 6, which is a schematic structural diagram of an injection attack detection device provided by Embodiment 6 of the present invention. The injection attack detection device provided by the embodiment shown in Fig. 6 differs from the embodiment shown in Fig. 4 or Fig. 5 in that the device may further include:
an injection attack processing module 405, configured to, after it is determined that the target process is attacked by an injection tool, terminate the target process; and/or output a prompt message that the target process is attacked by an injection tool.
It can be understood that terminating the target process and/or outputting a prompt message is also an effective means of defending against injection attacks. It can likewise prevent the injection tool from operating on the in-memory data of the Android application while it runs, which ensures the security of user data and improves the user's experience of using the application.
It should be noted that, because the device embodiments are substantially similar to the method embodiments, the description of the device embodiments in this specification is relatively brief; for related details, refer to the method embodiments.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present application is described with reference to flow charts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means, and the instruction means implements the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPU), an input/output interface, a network interface and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, commodity or device. Without further restriction, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, commodity or device that includes the element.
The above are only embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent substitution, improvement and the like made within the spirit and principle of the present application shall be included within the scope of the claims of the present application.