CN107992413A - Method and system for detecting untrusted search path vulnerability - Google Patents
- Publication number: CN107992413A
- Application number: CN201711215918.8A
- Authority: CN (China)
- Prior art keywords: vulnerability, DLL, file, untrusted, target
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3688—Test management for test execution, e.g. scheduling of test suites
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
The invention discloses a method and system for detecting untrusted search path vulnerabilities. The method comprises the following steps: configuring the detection parameters of the target software; generating corresponding test files based on the file types supported by the target software; opening the test files one by one, which starts the target process; and determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when a test file is opened. This scheme improves the accuracy and comprehensiveness of vulnerability detection.
Description
Technical field
The present invention relates to the field of data security, and in particular to a method and system for detecting untrusted search path vulnerabilities.
Background art
An untrusted search path vulnerability is one kind of software vulnerability. Vulnerabilities of this kind are usually found by hand by researchers in the security laboratories of research institutions.
For example, suppose a folder DIR contains a target file B and no other files. Double-clicking file B starts the target software, which opens file B. If the software loads a dynamic link library abc.dll (a DLL file) at startup but folder DIR does not contain this library, the library fails to load and the software continues executing. If, however, a trojan file with the same name as the missing library is placed in that folder, the trojan file is loaded when the target file is double-clicked. Software that behaves in this way has a vulnerability, and a vulnerability of this kind is an untrusted search path vulnerability.
At present, white-hat researchers look for untrusted search path vulnerabilities using the flow shown in Fig. 1, which comprises the following steps:
1) the flow starts;
2) launch a process monitoring tool;
3) open the target file;
4) observe the file-open activity of the target process in the directory where the target file is located and determine whether the DLL it tries to open exists; if it does not exist, go to step 5), otherwise go to step 6);
5) an untrusted search path vulnerability may exist; end;
6) an untrusted search path vulnerability can essentially be ruled out; end.
At present, whether a vulnerability exists is judged mainly by a person using a process monitoring tool. Because the detection is manual, it is inefficient, and findings are easily overlooked, so vulnerabilities are missed.
Summary of the invention
To solve the above technical problem, the present invention provides a method for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
1) configure the detection parameters of the target software;
2) generate corresponding test files based on the file types supported by the target software;
3) open the test files one by one, starting the target process;
4) determine whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when a test file is opened;
5) determine that all test files have been tested;
6) end.
According to an embodiment of the invention, preferably, determining in step 4) whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists; go to step 6);
if the DLL loading function returns a failure value, determining whether the DLL file in the parameter of the DLL loading function is in the directory where the test file is located; if so, an untrusted search path vulnerability is judged to exist.
According to an embodiment of the invention, preferably, in step 1), configuring the detection parameters of the target software comprises: configuring the file types supported by the target software and all exe files included in the target software.
According to an embodiment of the invention, preferably, in step 2), corresponding test files are generated based on the file types supported by the target software.
According to an embodiment of the invention, preferably, while step 3) starts the target process, a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
To solve the above technical problem, the present invention provides a system for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
a target software configuration module, which configures the detection parameters of the target software;
a test file generation module, which generates corresponding test files based on the file types supported by the target software;
a process starting module, which opens the test files one by one, starting the target process;
a vulnerability judgment module, which determines whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when a test file is opened.
According to an embodiment of the invention, preferably, the vulnerability judgment module determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, determining whether the DLL file in the parameter of the DLL loading function is in the directory where the test file is located; if so, an untrusted search path vulnerability is judged to exist.
According to an embodiment of the invention, preferably, the detection parameters configured by the target software configuration module comprise: the file types supported by the target software and all exe files included in the target software.
According to an embodiment of the invention, preferably, while the process starting module starts the target process, a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
To solve the above technical problem, the present invention provides a computer-readable storage medium storing a computer program, wherein one of the above methods is implemented by executing the computer program.
The technical solution of the present invention achieves the following technical effects:
(1) vulnerability scanning can be carried out by non-specialist personnel and is easy to use;
(2) compared with manual detection, the present invention is more efficient and more rigorous, and missed detections do not occur.
Brief description of the drawings
Fig. 1 is the method flow diagram of the prior art.
Fig. 2 is the detection method flow chart of the present invention.
Fig. 3 is a flow chart of software vulnerability detection at an Internet company.
Detailed description of the embodiments
<Detection method>
The invention discloses a method for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
1) configure the detection parameters of the target software;
2) generate corresponding test files based on the file types supported by the target software;
3) open the test files one by one, starting the target process;
4) determine whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when a test file is opened;
5) determine that all test files have been tested;
6) end.
Determining in step 4) whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists; go to step 6);
if the DLL loading function returns a failure value, determining whether the DLL file in the parameter of the DLL loading function is in the directory where the test file is located; if so, an untrusted search path vulnerability is judged to exist.
In step 1), configuring the detection parameters of the target software comprises: configuring the file types supported by the target software and all exe files included in the target software.
In step 2), corresponding test files are generated based on the file types supported by the target software.
While step 3) starts the target process, a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
<Detecting system>
The present invention provides a system for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
a target software configuration module, which configures the detection parameters of the target software;
a test file generation module, which generates corresponding test files based on the file types supported by the target software;
a process starting module, which opens the test files one by one, starting the target process;
a vulnerability judgment module, which determines whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when a test file is opened.
The vulnerability judgment module determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, determining whether the DLL file in the parameter of the DLL loading function is in the directory where the test file is located; if so, an untrusted search path vulnerability is judged to exist.
The detection parameters configured by the target software configuration module comprise: the file types supported by the target software and all exe files included in the target software.
While the process starting module starts the target process, a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
<Embodiment>
Fig. 2 illustrates the detection flow for dynamic link library loading on Windows. Windows loads a DLL by searching, in order: the directory where the application is located → the current directory → the Windows system directory → the Windows directory → the paths specified in the PATH environment variable. If the DLL is not in the directory where the application is located, the remaining locations are searched in turn. When we open a file in some folder, the software's current directory changes to that folder; if the DLL the software loads at that moment is not in the directory where the application is located, the software searches for it in that folder. If a trojan file is disguised as this DLL file, it is loaded by the software and executes successfully. This is an untrusted search path vulnerability. The flow for detecting untrusted search path vulnerabilities on Windows is as follows:
(1) Configure the detection parameters, mainly the file types supported by the target software and all exe files included in the target software.
The invention uses software to detect vulnerabilities automatically, so before vulnerability detection is carried out, the information about the software to be tested must be set: all of its exe executable files and the file types it supports. For example, Office has processes such as winword.exe and excel, and the supported file types include doc and ppt. Once these are configured, the software can monitor the behavior of the target process after it starts, according to the configuration.
(2) Generate corresponding test files based on the file types supported by the target software.
For example, WPS supports dozens of file types (.wps, .doc, .docx, .xls, etc.), and each one needs to be tested, which is a level of coverage that manual detection can hardly achieve.
One file is created for each file type, for example one doc file and one ppt file, and filled with arbitrary content.
(3) Open the test files one by one, in order.
(4) The target process starts; while the test file is being opened, a monitoring DLL is injected into the target process to monitor the LoadLibrary function.
A piece of software contains multiple executable files (exe files). Once an exe file has started, it is called a process in the operating system, and detection is carried out per process.
The LoadLibrary function loads a dynamic link library (DLL file). After a successful load, the process can execute the functions in the dynamic link library, so if the dynamic link library is a trojan, the trojan is executed.
(5) Determine whether the return value of the LoadLibrary function indicates success.
(6) If it succeeded, take no action, let it pass, and jump to (3) to continue scanning the next file type.
(7) If it failed, determine whether the DLL file in the LoadLibrary parameter is in the directory where the test file is located.
The LoadLibrary parameter is passed in while the target software is running. It can be a DLL file name or the path of a DLL file, for example "abc.dll" or "C:\abc.dll". If the directory of the test file is the folder "D:\DIR", it can be determined that C:\abc.dll is not in the directory where the test file is located.
(8) If it is, this is a typical untrusted search path vulnerability.
If the LoadLibrary call failed, the file does not exist; and since the path of the file that LoadLibrary tried to load is in the test file directory, a trojan with the same name placed in the test file directory at this point would be loaded. This is therefore a vulnerability.
(9) If it is not, jump to (3) to continue scanning the next file type.
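The judgment in steps (5) to (9), applied to recorded LoadLibrary calls, as an added example that is not code from the patent. The `LoadEvent` record format, the result labels and the sample events are assumptions, as is the rule that a relative DLL argument resolves against the test file's folder (the current directory after the file is opened, per the description above).

```python
import ntpath
from dataclasses import dataclass

VULNERABLE = "untrusted-search-path"
LOADED = "loaded"
ELSEWHERE = "failed-outside-test-dir"


@dataclass(frozen=True)
class LoadEvent:
    """One monitored LoadLibrary call (hypothetical record format)."""
    process: str      # exe name of the target process
    test_file: str    # full path of the test file that was opened
    dll_arg: str      # string passed to LoadLibrary: bare name or path
    succeeded: bool   # True when LoadLibrary returned a module handle


def canon(path: str) -> str:
    # Windows paths compare case-insensitively and accept both separators.
    return ntpath.normcase(ntpath.normpath(path))


def lookup_dir(event: LoadEvent) -> str:
    """Directory the DLL argument points at when resolved from the
    current directory, assumed here to be the test file's folder."""
    test_dir = ntpath.dirname(event.test_file)
    # join() keeps an absolute dll_arg as it is and anchors a relative one.
    full = ntpath.normpath(ntpath.join(test_dir, event.dll_arg))
    return canon(ntpath.dirname(full))


def judge(event: LoadEvent) -> str:
    if event.succeeded:                      # step (6): load succeeded
        return LOADED
    test_dir = canon(ntpath.dirname(event.test_file))
    if lookup_dir(event) == test_dir:        # steps (7) and (8)
        return VULNERABLE
    return ELSEWHERE                         # step (9)


def scan(events):
    """Sorted, de-duplicated (process, dll_arg) findings."""
    return sorted({(e.process, e.dll_arg) for e in events
                   if judge(e) == VULNERABLE})


# Constructed sample events, not output from a real scan.
SAMPLE_EVENTS = [
    LoadEvent("winword.exe", r"D:\DIR\test.doc", "abc.dll", False),
    LoadEvent("winword.exe", r"D:\DIR\test.doc", r"C:\abc.dll", False),
    LoadEvent("winword.exe", r"D:\DIR\test.doc", "kernel32.dll", True),
    LoadEvent("excel.exe", r"D:\DIR\test.xls", r"d:\dir\HELPER.DLL", False),
    LoadEvent("excel.exe", r"D:\DIR\test.xls", r"..\other.dll", False),
]

if __name__ == "__main__":
    for proc, dll in scan(SAMPLE_EVENTS):
        print(f"{proc}: failed load of {dll!r} resolves to the test file folder")
```

The fourth event shows why the comparison is case-insensitive, and the fifth shows a relative path that resolves outside the test file folder and is therefore not reported under the rule in step (7).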
As shown in Fig. 3, the software vulnerability detection flow at an Internet company, for example, is as follows:
(1) The terminal vulnerability scanner scans all applications on the user terminal.
(2) The vulnerability scanning policy for each application is issued.
(3) The untrusted search path scanning module is called to scan each application for vulnerabilities.
(4) The vulnerability scanning results are compiled.
The company requires users to comply with company policy and not to install applications that the company has not approved. For a suspicious application, the employee must apply to the network administrator, and the application is scanned for vulnerabilities; it may be installed and used once it is confirmed to have no problems. The vulnerability scanner used by the network administrator integrates the untrusted search path vulnerability scanning module and has found multiple vulnerabilities of this type by scanning, which greatly helps ensure the safe use of applications.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (10)
1. A method for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
1) configure the detection parameters of the target software;
2) generate corresponding test files based on the file types supported by the target software;
3) open the test files one by one, starting the target process;
4) determine whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when a test file is opened;
5) determine that all test files have been tested;
6) end.
2. The method according to claim 1, wherein determining in step 4) whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists; go to step 6);
if the DLL loading function returns a failure value, determining whether the DLL file in the parameter of the DLL loading function is in the directory where the test file is located; if so, an untrusted search path vulnerability is judged to exist.
3. The method according to claim 1, wherein in step 1), configuring the detection parameters of the target software comprises: configuring the file types supported by the target software and all exe files included in the target software.
4. The method according to claim 1, wherein in step 2), corresponding test files are generated based on the file types supported by the target software.
5. The method according to claim 1, wherein while step 3) starts the target process, a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
6. A system for detecting untrusted search path vulnerabilities, characterized in that the method comprises the following steps:
a target software configuration module, which configures the detection parameters of the target software;
a test file generation module, which generates corresponding test files based on the file types supported by the target software;
a process starting module, which opens the test files one by one, starting the target process;
a vulnerability judgment module, which determines whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process started when a test file is opened.
7. The system according to claim 6, wherein the vulnerability judgment module determining whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the target process specifically comprises:
monitoring the DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, determining whether the DLL file in the parameter of the DLL loading function is in the directory where the test file is located; if so, an untrusted search path vulnerability is judged to exist.
8. The system according to claim 6, wherein the detection parameters configured by the target software configuration module comprise: the file types supported by the target software and all exe files included in the target software.
9. The system according to claim 6, wherein while the process starting module starts the target process, a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
10. A computer-readable storage medium storing a computer program, wherein the method of any one of claims 1-5 is implemented by executing the computer program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711215918.8A CN107992413B (en) | 2017-11-28 | 2017-11-28 | Method and system for detecting untrusted search path vulnerability |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107992413A | 2018-05-04 |
CN107992413B | 2021-01-05 |
Family
ID=62033750
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711215918.8A Active CN107992413B (en) | 2017-11-28 | 2017-11-28 | Method and system for detecting untrusted search path vulnerability |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107992413B (en) |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |