CN107577941B - Method and equipment for intercepting code bypass - Google Patents

Publication number: CN107577941B
Application number: CN201710677344.XA
Authority: CN (China)
Prior art keywords: request message, decoding, character string, decimal, hexadecimal
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107577941A
Inventor: 李纪峰
Current assignee: Qianxin Technology Group Co Ltd
Original assignee: Qianxin Technology Group Co Ltd
Events: application filed by Qianxin Technology Group Co Ltd; priority to CN201710677344.XA; publication of CN107577941A; application granted; publication of CN107577941B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention provides a method and equipment for intercepting encoding bypass. The method comprises the following steps: hooking (HOOK) a request message input by the user; decoding the request message to obtain the original character string of the request message; matching the original character string to determine whether it is an attack operation that bypasses interception by encoding; if so, intercepting the request message; and if not, releasing the request message. The embodiment of the invention prevents malicious requests or malicious files from attacking the terminal system and thereby further enhances the security of the terminal system.

Description

Method and equipment for intercepting code bypass
This application is a divisional application of the following application for a method and equipment for intercepting code bypass:
Application date of the original application: 20131220
Application number of the original application: 201310712429.9
Title of the original application: A method and apparatus for intercepting code bypassing.
Technical Field
The invention relates to the field of internet applications, in particular to a method and equipment for intercepting encoding bypass.
Background
With the development of the information society, terminals (including computers, mobile phones and other devices) play an ever larger role in people's lives. People increasingly rely on terminals to store personal information, such as account details, private chat records and even pictures and photos. If the terminal system is compromised by a malicious file (for example a malicious website or a computer virus), personal information is easily leaked and the user suffers a loss. Effectively intercepting malicious files, so that they cannot threaten the terminal system, is therefore very important for guaranteeing the security of the terminal system.
In the prior art, some identified malicious files or malicious requests can be effectively intercepted. However, the attack techniques of the technicians (commonly called hackers) who write malicious files or requests to attack terminals keep changing: by constructing character strings and changing their positions or forms, hackers can bypass the software (such as firewall software) that the prior art commonly uses to intercept malicious files or malicious requests. Once a malicious file or malicious request bypasses the interception software, it attacks the terminal system, so that information stored on the terminal is lost or leaked, the terminal, the terminal system or software installed on the terminal can no longer run normally, and other adverse consequences follow; the user's study or work is adversely affected, and even the user's property is put at risk.
Disclosure of Invention
In view of the above, the present invention provides a method and apparatus for intercepting encoding bypass that overcomes, or at least partially solves, the problems mentioned above.
According to one aspect of an embodiment of the present invention, a method for intercepting encoding bypass is provided, including: hooking (HOOK) a request message input by the user; decoding the request message to obtain the original character string of the request message; matching the original character string to determine whether it is an attack operation that bypasses interception by encoding; if so, intercepting the request message; and if not, releasing the request message.
Optionally, decoding the request message includes: decoding the request message with different decoding modes in sequence until decoding succeeds.
Optionally, decoding the request message with different decoding modes in sequence includes: decoding the request message in a decimal decoding mode; and/or decoding the request message in a hexadecimal decoding mode.
Optionally, decoding the request message in a decimal decoding mode includes: formatting the request message according to the decimal decoding mode, adding a semicolon after each decimal value; and looking up the code corresponding to each decimal value to generate the decoded text.
Optionally, decoding the request message in a hexadecimal decoding mode includes: formatting the request message according to the hexadecimal decoding mode, adding a semicolon after each hexadecimal value; and looking up the code corresponding to each hexadecimal value to generate the decoded text.
Optionally, before formatting the request message according to the hexadecimal decoding mode, the method further includes: converting all upper-case letters to lower-case letters.
Optionally, decoding the request message with different decoding modes in sequence includes: decoding the request message in a decimal decoding mode; and, if that decoding fails, going on to decode the request message in a hexadecimal decoding mode.
Optionally, the form of the original character string of a request message corresponding to an attack operation that bypasses interception by encoding includes at least one of: a character string in which part of the characters have been converted between upper and lower case; decimal encoding with a semicolon after part of the character string; decimal encoding without a semicolon after part of the character string; hexadecimal encoding with a semicolon after part of the character string; and hexadecimal encoding without a semicolon after part of the character string.
Optionally, the request message comprises a URL request.
According to another aspect of the present invention, an apparatus for intercepting encoding bypass is also provided, including: a hook configured to hook (HOOK) a request message input by the user; a decoder configured to decode the request message and obtain the original character string of the request message; a matcher configured to match the original character string and determine whether it is an attack operation that bypasses interception by encoding; an interceptor configured to intercept the request message if it is; and a releaser configured to release the request message if it is not.
Optionally, the decoder is further configured to decode the request message with different decoding modes in sequence until decoding succeeds.
Optionally, the decoder is further configured to decode the request message in a decimal decoding mode; and/or to decode the request message in a hexadecimal decoding mode.
Optionally, the decoder is further configured to decode the request message in a decimal decoding mode and, if that decoding fails, to go on to decode the request message in a hexadecimal decoding mode.
In the embodiment of the invention, the request message input by the user is hooked, the request message is decoded to obtain its original character string, the original character string is matched, and whether the request message is an attack operation is determined from the matching result. This solves the problem in the prior art that effective interception is bypassed once the position, form or other aspects of a character string have been deformed. If the matching result is yes, the request message is effectively intercepted and the security of the user's terminal system is ensured. If the matching result is no, the request message is released so that a request message input by the user can run normally. Because the request message input by the user is decoded to obtain its original character string, a malicious file or malicious request can still be intercepted even if it disguises itself by changing the character string. The method for intercepting encoding bypass provided by the embodiment of the invention therefore guarantees, while non-offensive request messages input by the user run normally, that any attack operation, whether undisguised or disguised by character string deformation and similar means, is effectively intercepted; this prevents malicious requests or malicious files from attacking the terminal system and further enhances its security.
The method for intercepting encoding bypass provided by the embodiment of the invention therefore prevents the information stored on the terminal from being lost or leaked, and avoids the adverse effects on the user's study or work, and even on the safety of the user's property, that the abnormal operation of the terminal, the terminal system or the software installed on the terminal would cause.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
The above and other objects, advantages and features of the present invention will become more apparent to those skilled in the art from the following detailed description of specific embodiments thereof, taken in conjunction with the accompanying drawings.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a process flow diagram of a method of intercepting an encoding bypass according to one embodiment of the invention;
FIG. 2 illustrates a process flow diagram of a method of intercepting an encoding bypass in accordance with a preferred embodiment of the present invention;
FIG. 3 is a flowchart of a process for decoding a request message in accordance with a preferred embodiment of the present invention; and
FIG. 4 is a schematic structural diagram of an apparatus for intercepting code bypass according to an embodiment of the present invention.
Detailed Description
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
As mentioned in the description of the related art, the attack techniques of the technicians (commonly called hackers) who write malicious files or malicious requests to attack terminals keep changing: by constructing character strings and changing their positions or forms, hackers can bypass the software (such as the commonly used firewall software) that the prior art uses to intercept malicious files or malicious requests.
To solve this technical problem, an embodiment of the present invention provides a method for intercepting encoding bypass. FIG. 1 illustrates a process flow diagram of a method for intercepting encoding bypass according to one embodiment of the invention. Referring to FIG. 1, the flow includes at least steps S102 to S110.
Step S102: hook (HOOK) the request message input by the user.
Step S104: decode the request message to obtain the original character string of the request message.
Step S106: match the original character string and determine whether it is an attack operation that bypasses interception by encoding; if so, go to step S108, and if not, go to step S110.
Step S108: intercept the request message.
Step S110: release the request message.
In the embodiment of the invention, the request message input by the user is hooked, the request message is decoded to obtain its original character string, the original character string is matched, and whether the request message is an attack operation is determined from the matching result. This solves the problem in the prior art that effective interception is bypassed once the position, form or other aspects of a character string have been deformed. If the matching result is yes, the request message is effectively intercepted and the security of the user's terminal system is ensured. If the matching result is no, the request message is released so that a request message input by the user can run normally. Because the request message input by the user is decoded to obtain its original character string, a malicious file or malicious request can still be intercepted even if it disguises itself by changing the character string. The method for intercepting encoding bypass provided by the embodiment of the invention therefore guarantees, while non-offensive request messages input by the user run normally, that any attack operation, whether undisguised or disguised by character string deformation and similar means, is effectively intercepted; this prevents malicious requests or malicious files from attacking the terminal system and further enhances its security.
The method for intercepting encoding bypass provided by the embodiment of the invention therefore prevents the information stored on the terminal from being lost or leaked, and avoids the adverse effects on the user's study or work, and even on the safety of the user's property, that the abnormal operation of the terminal, the terminal system or the software installed on the terminal would cause.
As shown in step S102 of FIG. 1, the request message input by the user that is hooked (HOOK) may be a request message of any format. In this embodiment of the present invention, the request message is preferably a Uniform Resource Locator (URL) request. A URL is a compact representation of the location and access method of a resource available on the internet, and each file on the internet has a unique URL. Therefore, in the embodiment of the present invention, a URL request is preferably used as the request message input by the user.
After the request message input by the user has been hooked, the request message is decoded according to step S104 to obtain its original character string. The embodiment of the present invention may decode the request message in different decoding modes. Preferably, the request message is decoded in a decimal decoding mode and/or in a hexadecimal decoding mode. Decimal is the base-10 number system whose basic digits are 0, 1, 2, 3, 4, 5, 6, 7, 8 and 9. Hexadecimal is a representation of data in a computer; it is composed of 0-9 and A-F, and the letters are not case-sensitive. The correspondence between hexadecimal and decimal is that 0-9 in hexadecimal correspond to 0-9 in decimal, and A-F in hexadecimal correspond to 10-15 in decimal. Besides the decimal and hexadecimal systems described above, the embodiment of the present invention may also use any other base-N system (for example octal) that the computer system can recognise to decode the request message, where N is a positive integer; the embodiment of the present invention is not limited in this respect.
When the request message is decoded in a decimal decoding mode, the position or form of the original character string has been deformed, so it cannot be determined whether the original character string contains semicolons. To keep the format of the original character string consistent when it is matched, and so ensure matching accuracy, the request message is formatted according to the decimal decoding mode and a semicolon is added after each decimal value. For example, "&#00106" is formatted into "&#00106;". After formatting, the code corresponding to each decimal value is looked up and the decoded text is generated. If the request message is decoded in a hexadecimal decoding mode, the upper-case letters in the request message are first converted to lower-case letters. For example, "&#00106A" is converted to "&#00106a". Secondly, because the position or form of the original character string has been deformed, it cannot be determined whether semicolons exist in the original character string; to keep the format of the original character string consistent when it is matched, and so ensure matching accuracy, the request message is formatted according to the hexadecimal decoding mode and a semicolon is added after each hexadecimal value. For example, "&#00106a" is converted to "&#00106a;". After formatting, the code corresponding to each hexadecimal value is looked up and the decoded text is generated.
In the embodiment of the invention, the decimal decoding mode or the hexadecimal decoding mode may be selected on its own to decode the request message; or the request message is first decoded in the decimal decoding mode and, if that fails, then decoded in the hexadecimal decoding mode; or it is first decoded in the hexadecimal decoding mode and, if that fails, then decoded in the decimal decoding mode. The embodiment of the invention does not limit which decoding modes are used or in what order. Both decimal and hexadecimal decoding are common. In practice, decimal notation is mostly used for calculation, display and related operations. Therefore, in the embodiment of the present invention, the request message is preferably first decoded in the decimal decoding mode and, if that fails, in the hexadecimal decoding mode. When the request message can be decoded in the decimal mode, the decimal mode is preferred, which avoids the complication of decoding a request message in an unnecessarily complex mode. When decoding in the decimal mode fails, decoding continues in the hexadecimal mode, which avoids the consequence that a request message that cannot be decoded in the decimal mode is left undecoded, so that the encoding cannot be intercepted and the malicious file threatens the user's equipment.
After the request message has been decoded, the original character string in the request message is obtained. In the embodiment of the present invention, the original character string may take any form, including at least one of the following: a character string with partial case conversion, a character string with partial decimal encoding followed by a semicolon, a character string with partial decimal encoding without a semicolon, a character string with partial hexadecimal encoding followed by a semicolon, and a character string with partial hexadecimal encoding without a semicolon. To clarify these forms, each of them is now illustrated:
Partial case-converted character string:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<ahref=JAvaScript:alert(12345)>TEST</a>
Character string with semicolon after partial decimal code conversion:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<ahref=%26%2300106%3BAvaScript:alert(12345)>TEST</a>
Character string without semicolon after partial decimal code conversion:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<ahref=%26%2300106AvaScript:alert(12345)>TEST</a>
Comparing the above "character string with semicolon after partial decimal code conversion" with the "character string without semicolon after partial decimal code conversion", it can be seen that in the former the characters "%3B" follow "%26%2300106"; "%3B" is the semicolon in its encoded form. The embodiment of the invention decodes the request message according to the different deformations of the character string, and so effectively prevents an attack that changes the position or form of the character string from bypassing interception.
Partial hexadecimal code converted character string with semicolon:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<ahref=%26%23x006A%3BAvaScript:alert(12345)>TEST</a>
Partial hexadecimal code converted character string without semicolon:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<ahref=%26%23x006AAvaScript:alert(12345)>TEST</a>
Comparing the above "character string with semicolon after partial hexadecimal code conversion" with the "character string without semicolon after partial hexadecimal code conversion", it can be seen that in the former the characters "%3B" follow "%26%23x006A"; "%3B" is the semicolon in its encoded form. The embodiment of the invention decodes the request message according to the different deformations of the character string, and so effectively prevents an attack that changes the position or form of the character string from bypassing interception.
As described above, the original character string obtained after decoding the request message has various deformed positions (for example the positions of the upper- and lower-case conversion in the character string) and various deformed forms (for example whether the character string has a semicolon, whether it is decimal or hexadecimal, and so on). All these variations let some malicious files be constructed as special requests that escape interception and threaten the terminal system. In the embodiment of the invention, the request message is decoded in a suitable decoding mode to obtain its original character string, and the operation shown in step S106 of FIG. 1 is executed: the original character string is matched against the character strings in the attack feature library, and it is determined whether it is an attack operation that bypasses interception by encoding. If it is, the request message is intercepted and the security of the terminal system is protected; if it is not, the request message is released. The method for intercepting encoding bypass provided by the embodiment of the invention can thus identify a special request message constructed by deformation, decode it to obtain the original character string, match that string and judge whether the request message is an attack to be intercepted, which strengthens the protection of the terminal system, improves its security and improves the user experience.
The method for intercepting encoding bypass according to the present invention will now be described with reference to specific embodiments.
Example one
FIG. 2 is a flowchart illustrating a method for intercepting encoding bypass according to a preferred embodiment of the present invention; it supports any one of the methods for intercepting encoding bypass described above and sets them out more clearly. Referring to FIG. 2, the preferred embodiment includes at least steps S202 to S216.
Step S202: hook the request message input by the user.
In the preferred embodiment, two request messages hooked from the user's input are considered, called the first request message and the second request message.
Step S204: decode the request message.
The hooked first request message and second request message are each decoded in the decimal decoding mode.
Step S206: determine whether the first request message and the second request message were decoded successfully.
Since decoding of the first request message in the decimal decoding mode succeeds, step S208 shown in FIG. 2 is performed for it. Decoding of the second request message in the decimal decoding mode fails, so step S204 is performed again for the second request message, this time decoding it in the hexadecimal decoding mode, until it is decoded successfully, after which step S208 is performed.
Step S208: obtain the original character string of the request message.
After the first and second request messages have been decoded, the original character strings corresponding to each of them are obtained.
Step S210: match the original character strings.
The original character strings of the first and second request messages are matched separately to obtain a matching result for each.
Step S212: determine from the matching results whether the first and second request messages are attack operations.
Specifically, in this example, the matching result shows that the first request message is not an attack operation that bypasses interception by encoding, so step S216 is performed for it; the matching result shows that the second request message is such an attack operation, so step S214 is performed for it.
Step S214: intercept the request message, and end the process.
The request message is intercepted after it has been determined to be an attack operation that bypasses interception by encoding.
Step S216: release the request message, and end the process.
The request message is released after it has been determined not to be an attack operation that bypasses interception by encoding.
The embodiment shown in FIG. 2 introduces a method for intercepting encoding bypass in which, as shown in step S206 of FIG. 2, the second request message is first decoded in decimal and, when that fails, decoding continues in the hexadecimal decoding mode. FIG. 3 shows the process of decoding the second request message. That is, the decoding of the second request message in the first embodiment is taken as the example for describing the decoding method for request messages provided by the embodiment of the present invention.
Example two
FIG. 3 is a flowchart illustrating the process of decoding a request message according to a preferred embodiment of the present invention. Referring to FIG. 3, the flow includes at least steps S302 to S316.
Step S302: hook the second request message input by the user on the user's web server.
Step S304: format the second request message according to decimal.
A decoding attempt is made on the hooked second request message: the request message is formatted according to the decimal decoding mode, adding a semicolon after each decimal value. As the forms of the original character string listed in the method for intercepting encoding bypass show, the character string contained in the request message may or may not have a semicolon. Formatting the request message in this step therefore ensures that the decoded original character strings all have semicolons. For example:
after formatting, "&#00106" is converted into "&#00106;".
Step S306: decode the second request message in decimal.
Specifically, the code corresponding to each decimal value is looked up and the decoded text is generated.
Step S308: judge whether the decimal decoding succeeded. If it succeeded, step S316 is executed; if it failed, step S310 is executed.
In this example, the decimal decoding of the second request message fails, as described above for step S206 in FIG. 2, so the process continues with step S310.
Step S310: convert the second request message to lower case.
Before the second request message is formatted according to hexadecimal decoding, all upper-case letters are converted to lower-case letters. For example:
"&#00106A" is converted to "&#00106a".
Step S312: format the second request message according to hexadecimal, adding a semicolon after each hexadecimal value. As the forms of the original character string listed in the method for intercepting encoding bypass show, the character string contained in the request message may or may not have a semicolon. Formatting the request message in this step therefore ensures that the decoded original character strings all have semicolons. For example:
"&#00106a" is converted into "&#00106a;".
Step S314: decode the second request message in hexadecimal.
The code corresponding to each hexadecimal value is looked up and the decoded text is generated.
Step S316: obtain the original character string of the second request message, and end the process.
Based on the method for intercepting encoding bypass provided by the above preferred embodiments, and on the same inventive concept, the embodiment of the present invention further provides a device for intercepting encoding bypass, which is used to implement the above method.
Fig. 4 is a schematic structural diagram of an apparatus for intercepting code bypass according to an embodiment of the present invention. Referring to fig. 4, the apparatus for intercepting code bypass according to an embodiment of the present invention at least includes: a hook 410, a decoder 420, a matcher 430, an interceptor 440, and a releaser 450.
The functions of the components of the device for intercepting code bypass, and the connections between them, in the embodiment of the invention are introduced below:
A hook 410, configured to hook the request message input by the user.
A decoder 420, coupled to the hook 410, configured to decode the request message to obtain the original character string of the request message.
A matcher 430, coupled to the decoder 420, the interceptor 440 and the releaser 450 respectively, configured to match the original character string to determine whether it is an attack operation bypassed by encoding.
An interceptor 440, coupled to the matcher 430, configured to intercept the request message if so.
A releaser 450, coupled to the matcher 430, configured to release the request message if not.
In the embodiment of the invention, the request message input by the user is hooked and decoded to obtain its original character string; the original character string is matched, and whether the request message is an attack operation is determined from the matching result. This solves the prior-art problem that effective interception is bypassed once the character string has been deformed in position, form or other aspects. If the matching result is yes, the request message is intercepted, and the safety of the user's terminal system is ensured; if the matching result is no, the request message is released, so that request messages input by the user run normally. Because the request message input by the user is decoded to obtain its original character string, a malicious file or malicious request that disguises itself by changing the character string still cannot escape interception. The method for intercepting encoding bypass provided by the embodiment of the invention therefore guarantees, while non-offensive request messages input by the user run normally, that any attack operation, whether undisguised or disguised by character string deformation and the like, is effectively intercepted, with the beneficial effect that malicious requests or malicious files are prevented from attacking the terminal system and the safety of the terminal system is further enhanced.
Therefore, the method for intercepting encoding bypass provided by the embodiment of the invention can prevent information stored in the terminal from being lost or leaked, and can avoid the adverse effects on the user's study or work, and even the threat to the user's property, that would be caused by abnormal operation of the terminal, the terminal system or the software installed on it.
As shown in fig. 4, the hook 410 hooks the request message input by the user; the request message may be in any format. In the embodiment of the present invention, the request message is preferably a URL request. A URL is a compact representation of the location and access method of a resource available on the internet, and each file on the internet has a unique URL. Therefore, in the embodiment of the present invention, the URL request is preferably used as the request message input by the user.
After the hook 410 hooks the request message input by the user, the decoder 420 coupled to the hook 410 decodes the request message to obtain the original character string of the request message. The decoder 420 may decode the request message in different decoding manners. Preferably, in the embodiment of the present invention, the decoder 420 decodes the request message in a decimal decoding manner and/or in a hexadecimal decoding manner. Decimal is a base-10 numeral system whose basic digits are 0, 1, 2, 3, 4, 5, 6, 7, 8 and 9. Hexadecimal is a representation of data in a computer composed of the digits 0-9 and the letters A-F, the letters being case-insensitive. The correspondence between hexadecimal and decimal is that 0-9 in hexadecimal corresponds to 0-9 in decimal, and A-F in hexadecimal corresponds to 10-15 in decimal. In addition to the decimal and hexadecimal systems described above, the embodiment of the present invention may also use any other base-N system that the computer system can recognise (e.g. octal) to decode the request message, where N is a positive integer; this is not limited by the embodiment of the present invention.
When the decoder 420 decodes the request message in the decimal decoding mode, it cannot be determined whether the original character string carries a semicolon, because the position or form of the original character string has been deformed. To ensure that the format of the original character string is consistent when it is matched, and so ensure matching accuracy, the request message is formatted according to the decimal decoding mode and a semicolon is added after each decimal value. For example, "&#00106" is formatted into "&#00106;". After formatting, the code corresponding to each decimal value is looked up and the decoded text is generated. If the request message is decoded in the hexadecimal decoding mode, the upper-case letters in the request message are first converted into lower-case letters; for example, "&#x006A" is converted to "&#x006a". Secondly, since it again cannot be determined whether the deformed original character string carries a semicolon, the request message is formatted according to the hexadecimal decoding mode and a semicolon is added after each hexadecimal value, for the same reason of matching consistency and accuracy. For example, "&#x006a" is converted to "&#x006a;". After formatting, the code corresponding to each hexadecimal value is looked up to generate the decoded text.
In the embodiment of the present invention, the decoder 420 may select either the decimal or the hexadecimal decoding mode to decode the request message; or it may first decode the request message in the decimal decoding mode and, if that fails, continue with the hexadecimal decoding mode; or it may first decode in the hexadecimal decoding mode and, if that fails, continue with the decimal decoding mode. Neither the decoding mode nor the order in which the decoding modes are applied is limited in the embodiment of the invention. Both decimal and hexadecimal decoding are commonly used; in practice, decimal is mostly used for calculation, display and related operations. Therefore, in the embodiment of the present invention, the decoder 420 preferably decodes the request message in the decimal decoding manner first and, if that fails, in the hexadecimal decoding manner. When the request message can be decoded in the decimal manner, the decoder 420 preferably selects it, avoiding the complication of decoding the request message in an unnecessarily complex manner. When decimal decoding of the request message fails, the decoder 420 continues with hexadecimal decoding, so that a request message which cannot be decoded as decimal is not left undecoded, which would otherwise let the encoded attack escape interception and let the malicious file threaten the user's device.
After the decoder 420 decodes the request message, the original character string in the request message is obtained. In the embodiment of the present invention, the original character string may take any form, including at least one of: a character string with partial case conversion; a character string with a semicolon after partial decimal code conversion; a character string without a semicolon after partial decimal code conversion; a character string with a semicolon after partial hexadecimal code conversion; and a character string without a semicolon after partial hexadecimal code conversion. To clarify the description of these forms, an example of each is now given:
Character string with partial case conversion:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<a href=JAvaScript:alert(12345)>TEST</a>
Character string with semicolon after partial decimal code conversion:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<a href=%26%2300106%3BAvaScript:alert(12345)>TEST</a>
Character string without semicolon after partial decimal code conversion:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<a href=%26%2300106AvaScript:alert(12345)>TEST</a>
Comparing the above "character string with semicolon after partial decimal code conversion" and "character string without semicolon after partial decimal code conversion", it can be seen that in the former the sequence "%3B" follows "%26%2300106"; it represents the semicolon that terminates the decimal-coded character. The embodiment of the invention decodes the request message according to these different deformations of the character string, and can thereby effectively prevent an attack operation that changes the position or form of the character string from bypassing interception.
Character string with semicolon after partial hexadecimal code conversion:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<a href=%26%23x006A%3BAvaScript:alert(12345)>TEST</a>
Character string without semicolon after partial hexadecimal code conversion:
http://localhost/info_Show.asp?ClassId=1&InfoId=17<a href=%26%23x006AAvaScript:alert(12345)>TEST</a>
Comparing the above "character string with semicolon after partial hexadecimal code conversion" and "character string without semicolon after partial hexadecimal code conversion", it can be seen that in the former the sequence "%3B" follows "%26%23x006A"; it represents the semicolon that terminates the hexadecimal-coded character. The embodiment of the invention decodes the request message according to these different deformations of the character string, and can thereby effectively prevent an attack operation that changes the position or form of the character string from bypassing interception.
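The following Python is an added example, not code from the patent or its assignee. It follows the decoding flow of fig. 3 (decimal formatting and decoding first, then lower-casing plus hexadecimal) and the matching step of fig. 2, and runs them over the five deformed strings quoted above plus one constructed benign request. The signature list standing in for the attack feature library, the function names, and the rule for "decoding failed" (no entity of that radix present, or a value outside the Unicode range) are assumptions made here. It also goes one step beyond the description: for the no-semicolon hexadecimal form, the digit run and the following plain text are ambiguous ("&#x006AAvaScript" can be read as &#x006A followed by "AvaScript" or as &#x006AA followed by "vaScript"), so every plausible split point is kept as a candidate and the matcher checks all of them.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for the attack feature library consulted by the matcher;
# the real library is not given on the page.
ATTACK_SIGNATURES = ("javascript:", "<script", "onerror=")

# Numeric character references: decimal, and hexadecimal as it looks after the
# lower-casing step S310 (so only a lower-case "x" and digits a-f are expected).
DEC_ENTITY = re.compile(r"&#([0-9]+);?")
HEX_ENTITY = re.compile(r"&#x([0-9a-f]+);?")


def format_entities(text, pattern, prefix, limit=64):
    """Steps S304 / S312: terminate every numeric entity with a semicolon.

    An entity already ending in ';' has one reading.  One without ';' is
    ambiguous when its digit run is followed by more digits of the same radix
    (the page's "&#x006AAvaScript" form), so every non-empty prefix of the run
    is tried and all formatted variants are returned, longest value first.
    An empty list means the message holds no entity of this radix.
    """
    match = pattern.search(text)
    if not match:
        return []
    digits = match.group(1)
    terminated = match.group(0).endswith(";")
    head = text[:match.start()]
    splits = [len(digits)] if terminated else range(len(digits), 0, -1)
    variants = []
    for k in splits:
        rest = digits[k:] + text[match.end():]  # digits not consumed go back
        for tail in format_entities(rest, pattern, prefix, limit) or [rest]:
            variants.append(f"{head}{prefix}{digits[:k]};{tail}")
            if len(variants) >= limit:
                return variants
    return variants


def decode_entities(formatted, pattern, base):
    """Steps S306 / S314: replace each terminated value by its character.
    None means the decoding failed (a value outside the Unicode range)."""
    try:
        return pattern.sub(lambda m: chr(int(m.group(1), base)), formatted)
    except (ValueError, OverflowError):
        return None


def decode_request(url):
    """Fig. 3 flow: percent-decode, try decimal entities first (S304-S308) and,
    if that fails, lower-case the message and try hexadecimal (S310-S314).
    Returns the candidate original strings (S316); a message without entities
    of either radix comes back unchanged as the single candidate."""
    text = unquote(url)
    candidates = []
    for formatted in format_entities(text, DEC_ENTITY, "&#"):
        decoded = decode_entities(formatted, DEC_ENTITY, 10)
        if decoded is not None:
            candidates.append(decoded)
    if not candidates:
        lowered = text.lower()
        for formatted in format_entities(lowered, HEX_ENTITY, "&#x"):
            decoded = decode_entities(formatted, HEX_ENTITY, 16)
            if decoded is not None:
                candidates.append(decoded)
    return candidates or [text]


def is_encoded_attack(url):
    """Matching step of fig. 2: intercept when any candidate original string
    contains a signature.  The comparison is case-insensitive so that the
    'partial case conversion' form (JAvaScript) is caught as well."""
    return any(sig in candidate.lower()
               for candidate in decode_request(url)
               for sig in ATTACK_SIGNATURES)


# The five deformed strings quoted on the page plus one constructed benign request.
BASE_URL = "http://localhost/info_Show.asp?ClassId=1&InfoId=17"
SAMPLE_REQUESTS = {
    "benign": BASE_URL,
    "case conversion": BASE_URL + "<a href=JAvaScript:alert(12345)>TEST</a>",
    "decimal, semicolon": BASE_URL + "<a href=%26%2300106%3BAvaScript:alert(12345)>TEST</a>",
    "decimal, no semicolon": BASE_URL + "<a href=%26%2300106AvaScript:alert(12345)>TEST</a>",
    "hex, semicolon": BASE_URL + "<a href=%26%23x006A%3BAvaScript:alert(12345)>TEST</a>",
    "hex, no semicolon": BASE_URL + "<a href=%26%23x006AAvaScript:alert(12345)>TEST</a>",
}

if __name__ == "__main__":
    for label, url in SAMPLE_REQUESTS.items():
        verdict = "intercept" if is_encoded_attack(url) else "release"
        print(f"{label:22s} -> {verdict}: {decode_request(url)[0]!r}")
```

Running the script prints "release" for the benign request and "intercept" for all five deformed ones. The hexadecimal path lower-cases the whole message before decoding, exactly as step S310 describes, which is why the signature comparison has to be case-insensitive; a matcher that compared the decoded text verbatim against mixed-case signatures would miss the case-converted form.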
As described above, the original character string obtained after the decoder 420 decodes the request message may be deformed at various positions (e.g. the positions of upper- and lower-case conversion in the character string) and in various forms (e.g. whether the character string carries a semicolon, whether it is decimal-coded or hexadecimal-coded, and so on). This diversity allows some malicious files to be constructed as special requests which, by escaping interception, threaten the terminal system and the like. In the embodiment of the present invention, the decoder 420 decodes the request message by a suitable decoding manner to obtain its original character string, the matcher 430 matches the original character string against the character strings in the attack feature library, and it is determined whether the original character string is an attack operation bypassed by encoding. If it is, the matcher 430 triggers the interceptor 440 to intercept the request message, protecting the security of the terminal system; if not, the matcher 430 triggers the releaser 450 to release the request message. The method for intercepting encoding bypass provided by the embodiment of the invention can thus identify a special request message constructed by deformation, decode it to obtain the original character string, match the original character string, and judge whether the request message is an attack to be intercepted, which strengthens the protection of the terminal system, improves its safety and improves the user experience.
According to any one or a combination of the above preferred embodiments, the following advantages can be achieved by the embodiments of the present invention:
In the embodiment of the invention, the request message input by the user is hooked and decoded to obtain its original character string; the original character string is matched, and whether the request message is an attack operation is determined from the matching result. This solves the prior-art problem that effective interception is bypassed once the character string has been deformed in position, form or other aspects. If the matching result is yes, the request message is intercepted, and the safety of the user's terminal system is ensured; if the matching result is no, the request message is released, so that request messages input by the user run normally. Because the request message input by the user is decoded to obtain its original character string, a malicious file or malicious request that disguises itself by changing the character string still cannot escape interception. The method for intercepting encoding bypass provided by the embodiment of the invention therefore guarantees, while non-offensive request messages input by the user run normally, that any attack operation, whether undisguised or disguised by character string deformation and the like, is effectively intercepted, with the beneficial effect that malicious requests or malicious files are prevented from attacking the terminal system and the safety of the terminal system is further enhanced.
Therefore, the method for intercepting encoding bypass provided by the embodiment of the invention can prevent information stored in the terminal from being lost or leaked, and can avoid the adverse effects on the user's study or work, and even the threat to the user's property, that would be caused by abnormal operation of the terminal, the terminal system or the software installed on it.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in an apparatus for intercepting code bypasses in accordance with embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.
Thus, it should be appreciated by those skilled in the art that while a number of exemplary embodiments of the invention have been illustrated and described in detail herein, many other variations or modifications consistent with the principles of the invention may be directly determined or derived from the disclosure of the present invention without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should be understood and interpreted to cover all such other variations or modifications.

Claims (8)

1. A method of intercepting an encoding bypass, comprising:
hooking (HOOK) a request message input by a user;
decoding the request message to obtain an original character string of the request message;
matching the original character string to determine whether the original character string is an attack operation bypassed by encoding;
if yes, intercepting the request message;
if not, releasing the request message;
wherein decoding the request message comprises: decoding the request message in different decoding modes in sequence until the decoding succeeds;
wherein decoding the request message in different decoding modes in sequence comprises:
decoding the request message in a decimal decoding mode; and/or
decoding the request message in a hexadecimal decoding mode;
wherein decoding the request message in a decimal decoding mode comprises: formatting the request message according to the decimal decoding mode, adding a semicolon after each decimal value;
looking up the code corresponding to each decimal value to generate a decoded text;
and the original character string form of the request message corresponding to the attack operation bypassed by encoding comprises decimal coding with a semicolon after part of the character string.
2. The method of claim 1, wherein decoding the request message in a hexadecimal decoding mode comprises:
formatting the request message according to the hexadecimal decoding mode, adding a semicolon after each hexadecimal value;
and looking up the code corresponding to each hexadecimal value to generate a decoded text.
3. The method of claim 2, further comprising, before formatting the request message according to the hexadecimal decoding mode: converting all upper-case letters to lower-case letters.
4. The method according to any one of claims 1 to 3, wherein decoding the request message in different decoding modes in sequence comprises:
decoding the request message in a decimal decoding mode;
and, if the decoding fails, continuing to decode the request message in a hexadecimal decoding mode.
5. The method of any of claims 1 to 3, wherein the original character string form of the request message corresponding to the attack operation bypassed by encoding further comprises at least one of:
a character string with partial case conversion;
decimal coding without a semicolon after part of the character string;
hexadecimal coding with a semicolon after part of the character string;
and hexadecimal coding without a semicolon after part of the character string.
6. The method of any of claims 1 to 3, wherein the request message comprises a Uniform Resource Locator (URL) request.
7. An apparatus for intercepting an encoding bypass, comprising:
a hook, configured to hook (HOOK) a request message input by a user;
a decoder, configured to decode the request message and obtain an original character string of the request message;
a matcher, configured to match the original character string and determine whether the original character string is an attack operation bypassed by encoding;
an interceptor, configured to intercept the request message if so;
a releaser, configured to release the request message if not;
wherein the decoder is further configured to decode the request message in different decoding modes in sequence until the decoding succeeds;
wherein the decoder is further configured to decode the request message in a decimal decoding mode; and/or to decode the request message in a hexadecimal decoding mode;
wherein the decoder decoding the request message in a decimal decoding mode comprises: formatting the request message according to the decimal decoding mode, adding a semicolon after each decimal value; and looking up the code corresponding to each decimal value to generate a decoded text;
and the original character string form of the request message corresponding to the attack operation bypassed by encoding comprises decimal coding with a semicolon after part of the character string.
8. The apparatus of claim 7, wherein the decoder is further configured to decode the request message in a decimal decoding mode and, if the decoding fails, to continue decoding the request message in a hexadecimal decoding mode.
CN201710677344.XA 2013-12-20 2013-12-20 Method and equipment for intercepting code bypass Active CN107577941B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710677344.XA CN107577941B (en) 2013-12-20 2013-12-20 Method and equipment for intercepting code bypass

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710677344.XA CN107577941B (en) 2013-12-20 2013-12-20 Method and equipment for intercepting code bypass
CN201310712429.9A CN103699841B (en) 2013-12-20 2013-12-20 Intercept the method and apparatus that coding is bypassed

Publications (2)

Publication Number Publication Date
CN107577941A CN107577941A (en) 2018-01-12
CN107577941B true CN107577941B (en) 2020-08-28

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Applicant after: QAX Technology Group Inc.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant