CN107992413A - Method and system for detecting untrusted search path vulnerability - Google Patents

Publication number: CN107992413A
Authority: CN (China)
Legal status: Granted
Application number: CN201711215918.8A
Other languages: Chinese (zh)
Other versions: CN107992413B (en)
Inventors: 曲恩纯, 喻波, 王志海, 彭洪涛, 安鹏
Current Assignee: Beijing Wondersoft Technology Co Ltd
Original Assignee: Beijing Wondersoft Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses a method and system for detecting untrusted search path vulnerabilities. The method comprises the following steps: configuring the detection parameters of the target software; generating corresponding test files based on the file types supported by the target software; opening the test files one by one, which starts the target process; and determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when the test file is opened. This scheme improves the accuracy and comprehensiveness of vulnerability detection.

Description

Method and system for detecting untrusted search path vulnerability
Technical field
The present invention relates to the field of data security, and in particular to a method and system for detecting untrusted search path vulnerabilities.
Background art
An untrusted search path vulnerability is one kind of software vulnerability. Vulnerabilities of this kind are usually found by hand by security laboratory researchers at research institutions.
For example, suppose a folder DIR holds a target file B and no other files. Double-clicking file B starts the target software, which opens file B. If the software loads the dynamic link library abc.dll (a DLL file) at startup but folder DIR does not contain this dynamic link library file, the library is not loaded successfully and the software continues executing. However, if a trojan file with the same name as the missing dynamic link library is stored in this folder, the trojan file will be loaded when the target file is double-clicked. Software in which this can happen has a vulnerability, and this kind of vulnerability is the untrusted search path vulnerability.
At present, the flow that white hats use to find untrusted search path vulnerabilities is shown in Fig. 1 and comprises the following steps:
1) the flow starts;
2) start a process monitoring tool;
3) open the target file;
4) examine the target process's file-open activity in the directory where the target file is located, and determine whether the DLL to be opened exists; if it does not exist, jump to step 5), otherwise jump to step 6);
5) an untrusted search path vulnerability may exist; end;
6) an untrusted search path vulnerability can essentially be ruled out; end.
At present, whether a vulnerability exists is judged mainly by hand using a process monitoring tool. Because manual inspection is required, efficiency is low and findings are easily overlooked, so vulnerabilities are missed.
Summary of the invention
To solve the above technical problem, the present invention provides a method for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
1) configuring the detection parameters of the target software;
2) generating corresponding test files based on the file types supported by the target software;
3) opening the test files one by one, which starts the target process;
4) determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when the test file is opened;
5) determining that testing of all test files has been completed;
6) ending.
According to an embodiment of the invention, preferably, in step 4), determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists; jump to step 6);
if the DLL loading function returns a failure value, determining whether the DLL file in the DLL loading function's parameter is in the directory where the test file is located; if so, determining that an untrusted search path vulnerability exists.
According to an embodiment of the invention, preferably, in step 1), configuring the detection parameters of the target software comprises: configuring the file types supported by the target software and all exe files included in the target software.
According to an embodiment of the invention, preferably, in step 2), corresponding test files are generated based on the file types supported by the target software.
According to an embodiment of the invention, preferably, while step 3) starts the target process, a monitoring DLL is injected into the target process; the DLL loading function is the LoadLibrary function.
To solve the above technical problem, the present invention provides a system for detecting untrusted search path vulnerabilities, characterized in that it comprises:
a target software configuration module, which configures the detection parameters of the target software;
a test file generation module, which generates corresponding test files based on the file types supported by the target software;
a process start module, which opens the test files one by one, starting the target process;
a vulnerability determination module, which determines whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when the test file is opened.
According to an embodiment of the invention, preferably, the vulnerability determination module determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, determining whether the DLL file in the DLL loading function's parameter is in the directory where the test file is located; if so, determining that an untrusted search path vulnerability exists.
According to an embodiment of the invention, preferably, the detection parameters configured by the target software configuration module comprise: the file types supported by the target software and all exe files included in the target software.
According to an embodiment of the invention, preferably, while the process start module starts the target process, a monitoring DLL is injected into the target process; the DLL loading function is the LoadLibrary function.
To solve the above technical problem, the present invention provides a computer-readable storage medium storing a computer program; one of the above methods is implemented by executing the computer program.
The technical solution of the present invention achieves the following technical effects:
(1) vulnerability scanning can be carried out by non-specialist personnel and is easy to use;
(2) compared with manual work, the present invention is more efficient and more rigorous, and does not miss vulnerabilities.
Brief description of the drawings
Fig. 1 is a flow chart of the prior-art method.
Fig. 2 is a flow chart of the detection method of the present invention.
Fig. 3 is a flow chart of software vulnerability detection at a certain Internet company.
Detailed description
<Detection method>
The invention discloses a method for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
1) configuring the detection parameters of the target software;
2) generating corresponding test files based on the file types supported by the target software;
3) opening the test files one by one, which starts the target process;
4) determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when the test file is opened;
5) determining that testing of all test files has been completed;
6) ending.
In step 4), determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists; jump to step 6);
if the DLL loading function returns a failure value, determining whether the DLL file in the DLL loading function's parameter is in the directory where the test file is located; if so, determining that an untrusted search path vulnerability exists.
In step 1), configuring the detection parameters of the target software comprises: configuring the file types supported by the target software and all exe files included in the target software.
In step 2), corresponding test files are generated based on the file types supported by the target software.
While step 3) starts the target process, a monitoring DLL is injected into the target process; the DLL loading function is the LoadLibrary function.
<Detecting system>
The present invention provides a system for detecting untrusted search path vulnerabilities, characterized in that it comprises:
a target software configuration module, which configures the detection parameters of the target software;
a test file generation module, which generates corresponding test files based on the file types supported by the target software;
a process start module, which opens the test files one by one, starting the target process;
a vulnerability determination module, which determines whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when the test file is opened.
The vulnerability determination module determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, determining whether the DLL file in the DLL loading function's parameter is in the directory where the test file is located; if so, determining that an untrusted search path vulnerability exists.
The detection parameters configured by the target software configuration module comprise: the file types supported by the target software and all exe files included in the target software.
While the process start module starts the target process, a monitoring DLL is injected into the target process; the DLL loading function is the LoadLibrary function.
<Embodiment>
Fig. 2 illustrates the detection flow, which follows from how Windows loads a dynamic link library. Specifically, loading proceeds in this order: the directory where the application is located → the current directory → the Windows system directory → the Windows directory → the paths specified in the PATH environment variable. If the DLL is not in the application's directory, the remaining locations are searched in turn. When we open a file in some folder, the software's current directory changes to that folder; if the DLL the software loads at this point is not in the application's directory, the software searches that folder for it. If a trojan file is disguised as this DLL file, it will be loaded by the software and executed successfully. This is the untrusted search path vulnerability. The flow for detecting untrusted search path vulnerabilities on Windows is as follows:
(1) Configure the detection parameters, mainly the file types supported by the target software and all exe files included in the target software.
The invention detects vulnerabilities automatically using software. Before vulnerability detection is carried out, the relevant information for the software under test in this run must be set: all of its exe executable files and its supported file types. For example, Office's processes include Winword.exe, excel, etc., and its supported file types include doc, ppt, etc. Once these are configured, the behavior of the target processes after they start can be monitored according to the configuration.
(2) Based on the file types supported by the target software, generate corresponding test files.
For example, WPS supports dozens of file types (.wps, .doc, .docx, .xls, etc.), and each one needs to be tested; this is difficult to do comprehensively by manual inspection.
A file is created for each file type; for example, a doc file and a ppt file are created and filled with arbitrary content.
(3) Open the test files one by one, in order.
(4) The target process starts, and while the test file is being opened a monitoring DLL is injected into the target process to monitor the LoadLibrary function.
A piece of software includes multiple executable files (exe files). Once an exe file starts, it is called a process in the operating system; detection is carried out process by process.
The LoadLibrary function loads a dynamic link library (DLL file). After a successful load, the process can execute the functions in the dynamic link library; therefore, if the dynamic link library is a trojan, the trojan will be executed.
(5) Determine whether the LoadLibrary call returned success.
(6) If it succeeded, take no action, let it pass, and jump to (3) to continue scanning the next file type.
(7) If it failed, determine whether the DLL file in the LoadLibrary parameter is in the directory where the test file is located.
The LoadLibrary parameter is passed in while the target software is running. This parameter can be a DLL file name or the path of a DLL file; for example, it can be "abc.dll" or "C:\abc.dll". If the test file's directory is the folder "D:\DIR", it can be determined that C:\abc.dll is not in the directory where the test file is located.
(8) If it is, this is a typical untrusted search path vulnerability.
If LoadLibrary failed to load, the file does not exist; and if the file path LoadLibrary tried to load is in the test file's directory, then a trojan of the same name placed in the test file's directory at this point would be loaded. Therefore this is a vulnerability.
(9) If not, jump to (3) to continue scanning the next file type.
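The verdict logic of steps (5) to (9), as an added example that is not part of the patent: Python replaying constructed LoadLibrary call records, with `ntpath` normalising the parameter so that a bare name, an absolute path and a differently-cased spelling are all judged against the test file's directory. The `LoadEvent` record, `viewer.exe`, `present.dll` and the sample paths are assumptions; the code also assumes the current directory is the test file's directory, as the description above states.

```python
"""Verdict logic of steps (5)-(9), replayed over recorded LoadLibrary calls.

Added illustration only: the records, process names and test-file paths are
constructed, and the in-process monitor that would produce them is not shown.
"""
import ntpath  # applies Windows path rules on any host OS
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadEvent:
    process: str     # target process that made the call
    dll_param: str   # string passed to LoadLibrary: a file name or a path
    succeeded: bool  # True if the call returned a module handle


def _norm(path):
    # Windows paths compare case-insensitively; also collapse "..", "/" and
    # trailing separators so equivalent spellings compare equal.
    return ntpath.normcase(ntpath.normpath(path))


def in_test_dir(dll_param, test_dir):
    """Step (7): is the requested DLL located in the test file's directory?

    Assumption: the process's current directory is test_dir while the test
    file is open, so a bare name or relative path resolves against it.
    ntpath.join drops test_dir when dll_param has its own drive or root.
    """
    candidate = ntpath.join(test_dir, dll_param)
    return _norm(ntpath.dirname(candidate)) == _norm(test_dir)


def classify(event, test_dir):
    if event.succeeded:
        return "loaded"        # step (6): nothing to report
    if in_test_dir(event.dll_param, test_dir):
        return "vulnerable"    # step (8)
    return "elsewhere"         # step (9): failed, but not in the test directory


def scan(runs):
    """runs: iterable of (test_file_path, [LoadEvent, ...]) -> list of findings."""
    findings = []
    for test_file, events in runs:
        test_dir = ntpath.dirname(test_file)
        for ev in events:
            if classify(ev, test_dir) == "vulnerable":
                findings.append((ntpath.basename(test_file), ev.process, ev.dll_param))
    return findings


# Constructed sample: one recorded run per generated test file.
SAMPLE_RUNS = [
    (r"D:\DIR\test.doc", [
        LoadEvent("Winword.exe", "present.dll", True),
        LoadEvent("Winword.exe", "abc.dll", False),
        LoadEvent("Winword.exe", r"C:\abc.dll", False),
    ]),
    (r"D:\DIR\test.ppt", [
        LoadEvent("viewer.exe", r"d:\dir\sub\..\HELPER.DLL", False),
        LoadEvent("viewer.exe", r"..\other.dll", False),
    ]),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RUNS):
        print("untrusted search path:", finding)
```

Under this logic a load that succeeds is never reported, which matches step (6) of the flow.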
Fig. 3 shows, as an example, the software vulnerability detection flow at a certain Internet company:
(1) The terminal vulnerability scanner scans all applications on the user terminal.
(2) The vulnerability scanning policy for each application is issued.
(3) The untrusted search path scanning module is called to scan each application for vulnerabilities.
(4) The vulnerability scanning results are tallied.
The company requires users to comply with company policy and not to install applications the company has not approved. For a suspicious application, an employee must apply to the network administrator, who scans the application for vulnerabilities; it may be installed and used once it is confirmed to have no problems. The vulnerability scanner used by the network administrator integrates the untrusted search path vulnerability scanning module and has found multiple vulnerabilities of this type, greatly helping to ensure the safe use of applications.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution, or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A method for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
1) configuring the detection parameters of the target software;
2) generating corresponding test files based on the file types supported by the target software;
3) opening the test files one by one, which starts the target process;
4) determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when the test file is opened;
5) determining that testing of all test files has been completed;
6) ending.
2. The method according to claim 1, wherein in step 4), determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists; jump to step 6);
if the DLL loading function returns a failure value, determining whether the DLL file in the DLL loading function's parameter is in the directory where the test file is located; if so, determining that an untrusted search path vulnerability exists.
3. The method according to claim 1, wherein in step 1), configuring the detection parameters of the target software comprises: configuring the file types supported by the target software and all exe files included in the target software.
4. The method according to claim 1, wherein in step 2), corresponding test files are generated based on the file types supported by the target software.
5. The method according to claim 1, wherein while step 3) starts the target process, a monitoring DLL is injected into the target process; the DLL loading function is the LoadLibrary function.
6. A system for detecting untrusted search path vulnerabilities, characterized in that it comprises:
a target software configuration module, which configures the detection parameters of the target software;
a test file generation module, which generates corresponding test files based on the file types supported by the target software;
a process start module, which opens the test files one by one, starting the target process;
a vulnerability determination module, which determines whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when the test file is opened.
7. The system according to claim 6, wherein the vulnerability determination module determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, determining whether the DLL file in the DLL loading function's parameter is in the directory where the test file is located; if so, determining that an untrusted search path vulnerability exists.
8. The system according to claim 6, wherein the detection parameters configured by the target software configuration module comprise: the file types supported by the target software and all exe files included in the target software.
9. The system according to claim 6, wherein while the process start module starts the target process, a monitoring DLL is injected into the target process; the DLL loading function is the LoadLibrary function.
10. A computer-readable storage medium storing a computer program, wherein the method of one of claims 1-5 is implemented by executing the computer program.
CN201711215918.8A 2017-11-28 2017-11-28 Method and system for detecting untrusted search path vulnerability Active CN107992413B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711215918.8A CN107992413B (en) 2017-11-28 2017-11-28 Method and system for detecting untrusted search path vulnerability

Publications (2)

Publication Number Publication Date
CN107992413A true CN107992413A (en) 2018-05-04
CN107992413B CN107992413B (en) 2021-01-05

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102651060A (en) * 2012-03-31 2012-08-29 北京奇虎科技有限公司 Method and system for detecting vulnerability
US8397300B2 (en) * 2009-09-22 2013-03-12 International Business Machines Corporation Detecting security vulnerabilities relating to cryptographically-sensitive information carriers when testing computer software

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
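彭帝 et al.: "Detection method for dynamic link library preloading vulnerabilities", 《信息与电子工程》 (Information and Electronic Engineering) *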

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant