CN107992413B - Method and system for detecting untrusted search path vulnerability - Google Patents


Info

Publication number
CN107992413B
Authority
CN
China
Prior art keywords
dll
file
target
vulnerability
loading function
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711215918.8A
Other languages
Chinese (zh)
Other versions
CN107992413A (en
Inventor
曲恩纯
喻波
王志海
彭洪涛
安鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Wondersoft Technology Co Ltd
Priority to CN201711215918.8A
Publication of CN107992413A
Application granted
Publication of CN107992413B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a method and a system for detecting an untrusted search path vulnerability. The method comprises the following steps: configuring detection parameters of the target software; generating a corresponding test file for each file type supported by the target software; opening the test files one by one and starting the target process; and judging whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the started target process when the test file is opened. By this scheme, the accuracy and comprehensiveness of vulnerability detection are improved.

Description

Method and system for detecting untrusted search path vulnerability
Technical Field
The invention relates to the field of data security, in particular to a method and a system for detecting an untrusted search path vulnerability.
Background
The untrusted search path vulnerability is one kind of software vulnerability, and such vulnerabilities are generally discovered manually by security laboratory researchers at various research institutions.
For example, a target file B is stored in a folder DIR that contains no other files. Double-clicking B starts the target software to open it. Suppose that on startup the software loads a dynamic link library abc.dll (a DLL file), but no such file exists in folder DIR; the DLL fails to load and the software continues running. If, however, a Trojan file with the same name as the nonexistent dynamic link library is placed in the folder, the Trojan file is loaded when the target file is opened by double-clicking. Software in this situation has a vulnerability, and that vulnerability is the untrusted search path vulnerability.
The process by which white hats discover an untrusted search path vulnerability at present is shown in fig. 1 and includes the following steps:
1) start the process;
2) start a process monitoring tool;
3) open a target file;
4) observe the files the target process opens in the directory where the target file is located, and judge whether a DLL it tries to open exists; if not, jump to step 5), otherwise jump to step 6);
5) an untrusted search path vulnerability may exist; end;
6) the existence of an untrusted search path vulnerability is essentially ruled out; end.
At present a process monitoring tool is mainly used, and whether a vulnerability exists is judged manually. Because manual detection is required, efficiency is low and vulnerabilities are easily overlooked.
Disclosure of Invention
In order to solve the technical problem, the invention provides a method for detecting an untrusted search path vulnerability, characterized by comprising the following steps:
1) configuring detection parameters of target software;
2) generating a corresponding test file based on the file type supported by the target software;
3) opening the test files one by one, and starting a target process;
4) judging whether an untrusted search path vulnerability exists according to a return value of a DLL loading function of a started target process when a test file is opened;
5) judging that the test of all the test files is finished;
6) end.
According to the embodiment of the present invention, preferably, the step 4) of judging whether an untrusted search path vulnerability exists according to a DLL load function return value of a target process specifically includes:
monitoring a DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists, and the method jumps to step 6);
if the DLL loading function returns a failure value, judge whether the DLL file named in the parameters of the DLL loading function is in the directory where the test file is located; if so, judge that an untrusted search path vulnerability exists.
According to the embodiment of the present invention, preferably, configuring the detection parameters of the target software in step 1) includes: configuring the file types supported by the target software and all exe files contained in the target software.
According to the embodiment of the present invention, preferably, in step 2), a corresponding test file is generated based on the file type supported by the target software.
According to the embodiment of the present invention, preferably, when the target process is started in step 3), a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
In order to solve the technical problem, the invention provides a system for detecting an untrusted search path vulnerability, characterized by comprising the following modules:
the target software configuration module is used for configuring detection parameters of the target software;
the test file generation module is used for generating a corresponding test file based on the file type supported by the target software;
the process starting module is used for opening the test files one by one and starting the target process;
the vulnerability judgment module is used for judging whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the started target process when the test file is opened.
According to the embodiment of the present invention, preferably, the judging, by the vulnerability judging module, whether an untrusted search path vulnerability exists according to a DLL load function return value of the target process specifically includes:
monitoring a DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, judge whether the DLL file named in the parameters of the DLL loading function is in the directory where the test file is located; if so, judge that an untrusted search path vulnerability exists.
According to the embodiment of the present invention, preferably, the detection parameters configured by the target software configuration module include: the file types supported by the target software and all exe files contained in the target software.
According to the embodiment of the present invention, preferably, the process starting module injects a monitoring DLL into the target process while starting the target process, and the DLL loading function is the LoadLibrary function.
To solve the above technical problem, the present invention provides a computer-readable storage medium storing a computer program which, when executed, implements one of the above methods.
Through the technical scheme of the invention, the following technical effects are achieved:
vulnerability scanning can be performed by non-specialist technicians, and the method is simple and easy to use;
compared with manual work, the method is more efficient and rigorous, and missed judgements are avoided.
Drawings
FIG. 1 is a flow chart of a prior art method.
FIG. 2 is a flow chart of the detection method of the present invention.
Fig. 3 is a flow chart of software vulnerability detection by an internet company for an internet project.
Detailed Description
<Detection method>
The invention discloses a method for detecting an untrusted search path vulnerability, characterized by comprising the following steps:
1) configuring detection parameters of target software;
2) generating a corresponding test file based on the file type supported by the target software;
3) opening the test files one by one, and starting a target process;
4) judging whether an untrusted search path vulnerability exists according to a return value of a DLL loading function of a started target process when a test file is opened;
5) judging that the test of all the test files is finished;
6) end.
The step 4) of judging whether the untrusted search path vulnerability exists according to the DLL load function return value of the target process specifically includes:
monitoring a DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists, and the method jumps to step 6);
if the DLL loading function returns a failure value, judge whether the DLL file named in the parameters of the DLL loading function is in the directory where the test file is located; if so, judge that an untrusted search path vulnerability exists.
In step 1), configuring the detection parameters of the target software includes: configuring the file types supported by the target software and all exe files contained in the target software.
In step 2), a corresponding test file is generated for each file type supported by the target software.
In step 3), when the target process is started, a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
<Detection system>
The invention provides a system for detecting an untrusted search path vulnerability, characterized by comprising the following modules:
the target software configuration module is used for configuring detection parameters of the target software;
the test file generation module is used for generating a corresponding test file based on the file type supported by the target software;
the process starting module is used for opening the test files one by one and starting the target process;
the vulnerability judgment module is used for judging whether an untrusted search path vulnerability exists according to the return value of the DLL loading function of the started target process when the test file is opened.
The specific steps of judging whether the untrusted search path vulnerability exists or not by the vulnerability judgment module according to the DLL load function return value of the target process are as follows:
monitoring a DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, judge whether the DLL file named in the parameters of the DLL loading function is in the directory where the test file is located; if so, judge that an untrusted search path vulnerability exists.
The detection parameters configured by the target software configuration module comprise: the file types supported by the target software and all exe files contained in the target software.
When the process starting module starts the target process, a monitoring DLL is injected into the target process, and the DLL loading function is the LoadLibrary function.
<Detailed description>
Referring to fig. 2, the detection flow follows the order in which Windows searches for a dynamic link library when loading it: the directory the application was loaded from → the current directory → the Windows system directory → the Windows directory → the directories listed in the PATH environment variable. If the DLL is not in the application's directory, the remaining locations are searched in turn. When a file in some folder is opened, that folder becomes the current directory of the software, so when the software loads a DLL that is not in its own directory it next searches that folder; if a Trojan file disguised as the DLL is present there, it is loaded and executed successfully. This is the untrusted search path vulnerability, and the process of detecting it in Windows is as follows:
(I) Configure the detection parameters, which mainly comprise the file types supported by the target software and all exe files contained in the target software.
In this method the software detects the vulnerability automatically. Before detection, the relevant information about the software must be set: all of its exe executable files and the file types it supports. For example, the processes of Office include winword.exe, excel.exe and the like, and the supported file types include doc, ppt and the like. Once configured, the behaviour of the target process can be monitored after it starts, according to the configuration.
(II) Generate a corresponding test file for each file type supported by the target software.
For example, WPS supports dozens of file types (.wps, .doc, .docx, .xls, etc.), each of which needs testing; this is difficult to do completely by manual inspection.
For each file type a file is created: for example a doc file and a ppt file are created and filled with arbitrary content.
(III) Open the test files one by one in order.
(IV) The target process starts and opens the test file; at the same time a monitoring DLL is injected into the target process to monitor the LoadLibrary function.
A piece of software includes several executable files (exe files); once an exe file is started it is a process in the operating system, and detection takes the process as its unit.
The LoadLibrary function loads a dynamic link library (DLL file); after a successful load the process can execute the functions in the dynamic link library, so if the dynamic link library is a Trojan, the Trojan is executed.
(V) Judge whether the return value of the LoadLibrary function indicates success.
(VI) If it succeeded, the file type is not processed further; jump to step (III) to continue scanning with the next file type.
(VII) If it failed, judge whether the DLL file in the LoadLibrary parameter is in the directory where the test file is located.
The LoadLibrary parameter is passed in while the target software runs, and it may be a DLL file name or the path of a DLL file, for example "abc.dll" or "C:\abc.dll". If the directory of the test file is the folder "D:\DIR", it can be judged that C:\abc.dll is not in the directory of the test file.
(VIII) If so, this is a typical untrusted search path vulnerability.
If LoadLibrary fails to load, the file does not exist; when the path LoadLibrary would load it from is in the test file directory, a Trojan with the same name placed in the test file directory would be loaded, and that is the vulnerability.
If not, jump to (III) to continue scanning with the next file type.
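Steps (I) to (VIII) above, modelled offline as an added example that is not the patent's own code nor the injected monitoring DLL it describes: the LoadLibrary events are constructed instead of captured, and the exe names, file types and paths are assumed sample values.

```python
# Added example, not the patent's own code: an offline model of detection
# steps (I)-(VIII).  LoadLibrary events are constructed in place of the ones
# an injected monitoring DLL would report; exe names, file types and paths are
# assumed sample values.  ntpath keeps Windows path semantics on any host.
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class LoadEvent:
    """One monitored LoadLibrary call: the argument as passed, and whether it succeeded."""
    dll_arg: str
    success: bool

@dataclass(frozen=True)
class Finding:
    exe: str
    test_file: str
    dll_path: str

def generate_test_files(test_dir, file_types):
    """Step (II): one test file name per supported file type."""
    return [ntpath.join(test_dir, "test." + ext.lstrip(".")) for ext in file_types]

def resolve_dll_arg(dll_arg, test_dir):
    """Step (VII): where the failed load would look once the search reaches the
    current directory.  Opening a document makes its folder the current
    directory, so a bare name ('abc.dll') resolves there; an absolute path
    ('C:\\abc.dll') is used as given."""
    path = dll_arg if ntpath.isabs(dll_arg) else ntpath.join(test_dir, dll_arg)
    return ntpath.normcase(ntpath.normpath(path))

def in_test_dir(dll_path, test_dir):
    """True when the DLL path sits directly in the test file's directory."""
    return ntpath.dirname(dll_path) == ntpath.normcase(ntpath.normpath(test_dir))

def judge(exe, test_file, events):
    """Steps (V)-(VIII) for one opened test file: a failed load whose DLL
    would be looked for in the test file's directory is a finding."""
    test_dir = ntpath.dirname(test_file)
    findings = []
    for ev in events:
        if ev.success:                       # (VI): loaded, nothing to report
            continue
        dll_path = resolve_dll_arg(ev.dll_arg, test_dir)
        if in_test_dir(dll_path, test_dir):  # (VIII)
            findings.append(Finding(exe, test_file, dll_path))
    return findings

def run_detection(config, test_dir, monitor):
    """Steps (I)-(IV): for every configured exe and every generated test file,
    collect that run's LoadLibrary events from the monitor and judge them."""
    findings = []
    for exe in config["exe_files"]:          # detection is per process
        for test_file in generate_test_files(test_dir, config["file_types"]):
            findings.extend(judge(exe, test_file, monitor(exe, test_file)))
    return findings

# Constructed sample: what a monitoring DLL might have reported per run.
SAMPLE_CONFIG = {"exe_files": ["winword.exe", "excel.exe"],
                 "file_types": ["doc", "xls"]}
SAMPLE_EVENTS = {
    ("winword.exe", "D:\\DIR\\test.doc"): [
        LoadEvent("kernel32.dll", True),    # found in the system directory
        LoadEvent("abc.dll", False),        # missing: would be taken from D:\DIR
        LoadEvent("C:\\abc.dll", False),    # missing, but not in the test dir
    ],
    ("excel.exe", "D:\\DIR\\test.xls"): [LoadEvent("kernel32.dll", True)],
}

def sample_monitor(exe, test_file):
    """Stand-in for the injected monitoring DLL (step IV)."""
    return SAMPLE_EVENTS.get((exe, test_file), [])

if __name__ == "__main__":
    for f in run_detection(SAMPLE_CONFIG, "D:\\DIR", sample_monitor):
        print(f"{f.exe}: opening {f.test_file} would load {f.dll_path}")
```

Only the bare-name failure is reported: the absolute path C:\abc.dll fails too, but it is not in D:\DIR, which is exactly the distinction step (VII) draws.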
As shown in fig. 3, the software vulnerability detection process of an internet company, for example, is as follows:
(I) The terminal vulnerability scanning program scans all application programs on the user terminal.
(II) A corresponding application vulnerability scanning strategy is issued.
(III) The untrusted search path scanning module is called to carry out vulnerability scanning on each application.
(IV) The vulnerability scanning results are collected.
The company requires users to comply conscientiously with company policy: applications not licensed by the company cannot be installed at will. For a suspicious application, an employee applies to the network administrator, who carries out vulnerability scanning on the application; only after it is confirmed to be free of problems may the application be installed and used. The vulnerability scanning tool used by the network administrator integrates the untrusted search path vulnerability scanning module; a number of vulnerabilities of this type have been found by scanning, which greatly helps guarantee the safe use of applications.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be protected within the protection scope of the present invention.

Claims (3)

1. A method for detecting an untrusted search path vulnerability, characterized by comprising the following steps:
1) configuring detection parameters of target software, wherein the detection parameters comprise: configuring file types supported by target software and all exe files contained in the target software;
2) generating a corresponding test file based on the file type supported by the target software;
3) opening the test files one by one, and starting a target process; when starting the target process, injecting a monitoring DLL into the target process, wherein the DLL loading function is the LoadLibrary function, and the parameters of the LoadLibrary function are passed in while the target software runs;
4) judging whether an untrusted search path vulnerability exists according to a return value of a DLL loading function of a started target process when a test file is opened;
5) judging that the test of all the test files is finished;
6) end;
the step 4) of judging whether the untrusted search path vulnerability exists according to the DLL load function return value of the target process specifically includes:
monitoring a DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists, and the method jumps to step 6);
if the DLL loading function returns a failure value, judging whether the DLL file named in the parameters of the DLL loading function is in the directory where the test file is located, and if so, judging that an untrusted search path vulnerability exists.
2. A system for detecting an untrusted search path vulnerability, characterized by comprising the following modules:
the target software configuration module is used for configuring detection parameters of the target software, and the detection parameters comprise: configuring file types supported by target software and all exe files contained in the target software;
the test file generation module is used for generating a corresponding test file based on the file type supported by the target software;
the process starting module is used for opening the test files one by one and starting the target process; when starting the target process, a monitoring DLL is injected into the target process, wherein the DLL loading function is the LoadLibrary function, and the parameters of the LoadLibrary function are passed in while the target software runs;
the vulnerability judgment module is used for judging whether the untrusted search path vulnerability exists according to a return value of a DLL loading function of the started target process when the test file is opened;
the specific steps of judging whether the untrusted search path vulnerability exists or not by the vulnerability judgment module according to the DLL load function return value of the target process are as follows:
monitoring a DLL loading function;
if the DLL loading function returns a success value, no untrusted search path vulnerability exists;
if the DLL loading function returns a failure value, judging whether the DLL file named in the parameters of the DLL loading function is in the directory where the test file is located, and if so, judging that an untrusted search path vulnerability exists.
3. A computer-readable storage medium storing a computer program, wherein the method of claim 1 is implemented when the computer program is executed.
CN201711215918.8A 2017-11-28 2017-11-28 Method and system for detecting untrusted search path vulnerability Active CN107992413B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711215918.8A CN107992413B (en) 2017-11-28 2017-11-28 Method and system for detecting untrusted search path vulnerability

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711215918.8A CN107992413B (en) 2017-11-28 2017-11-28 Method and system for detecting untrusted search path vulnerability

Publications (2)

Publication Number Publication Date
CN107992413A CN107992413A (en) 2018-05-04
CN107992413B true CN107992413B (en) 2021-01-05

Family

ID=62033750

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711215918.8A Active CN107992413B (en) 2017-11-28 2017-11-28 Method and system for detecting untrusted search path vulnerability

Country Status (1)

Country Link
CN (1) CN107992413B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102651060A (en) * 2012-03-31 2012-08-29 北京奇虎科技有限公司 Method and system for detecting vulnerability
US8397300B2 (en) * 2009-09-22 2013-03-12 International Business Machines Corporation Detecting security vulnerabilities relating to cryptographically-sensitive information carriers when testing computer software

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dynamic link library preloading vulnerability detection method; Peng Di et al.; Information and Electronic Engineering; 2011-08-31; Vol. 9 (No. 4); pp. 516-517 *

Also Published As

Publication number Publication date
CN107992413A (en) 2018-05-04


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant