CN108351936B - Detecting program evasion of virtual machines or emulators - Google Patents

Detecting program evasion of virtual machines or emulators

Info

Publication number
CN108351936B
CN108351936B
Authority
CN
China
Prior art keywords
program
virtual environment
computing device
executed
attempting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201680065519.5A
Other languages
English (en)
Chinese (zh)
Other versions
CN108351936A (zh)
Inventor
M. Salajegheh
R. Gupta
N. Islam
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qualcomm Inc
Original Assignee
Qualcomm Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qualcomm Inc
Publication of CN108351936A
Application granted
Publication of CN108351936B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105 Dual mode as a secondary aspect

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)
CN201680065519.5A 2015-11-11 2016-10-11 Detecting program evasion of virtual machines or emulators Active CN108351936B (zh)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US14/937,949 2015-11-11
US14/937,949 US9984231B2 (en) 2015-11-11 2015-11-11 Detecting program evasion of virtual machines or emulators
PCT/US2016/056443 WO2017083044A1 (en) 2015-11-11 2016-10-11 Detecting program evasion of virtual machines or emulators

Publications (2)

Publication Number Publication Date
CN108351936A CN108351936A (zh) 2018-07-31
CN108351936B true CN108351936B (zh) 2021-11-23

Family

ID=57223762

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680065519.5A Active CN108351936B (zh) 2015-11-11 2016-10-11 Detecting program evasion of virtual machines or emulators

Country Status (7)

Country Link
US (1) US9984231B2 (en)
EP (1) EP3374920B1 (en)
JP (1) JP2018534695A (en)
KR (1) KR20180081726A (en)
CN (1) CN108351936B (en)
TW (1) TWI735475B (en)
WO (1) WO2017083044A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2706953C1 (ru) * 2015-12-30 2019-11-21 Hill's Pet Nutrition, Inc. Controlled-release pet food compositions for delivering a polyphenol source
US10783239B2 (en) * 2017-08-01 2020-09-22 Pc Matic, Inc. System, method, and apparatus for computer security
US10621348B1 (en) * 2017-08-15 2020-04-14 Ca, Inc. Detecting a malicious application executing in an emulator based on a check made by the malicious application after making an API call
US10546128B2 (en) * 2017-10-06 2020-01-28 International Business Machines Corporation Deactivating evasive malware
TWI650671B (zh) * 2017-10-17 2019-02-11 Chunghwa Telecom Co., Ltd. Malware analysis method and device
US11853425B2 (en) * 2020-10-09 2023-12-26 Sophos Limited Dynamic sandbox scarecrow for malware management
CN115145677A (zh) * 2021-03-30 2022-10-04 Shenzhen Yunanbao Technology Co., Ltd. Emulator detection method, apparatus, electronic device and storage medium
KR102523008B1 (ko) * 2021-04-15 2023-04-19 NCSoft Corp. Electronic device, method, and computer-readable storage medium for adaptively switching a game mode based on error detection
US11934515B2 (en) * 2021-12-02 2024-03-19 Bank Of America Corporation Malware deterrence using computer environment indicators
CN119718963B (zh) * 2025-02-28 2025-06-06 Jiangxi Isuzu Motors Co., Ltd. Diagnostic test method based on the Vspy computer platform

Citations (7)

Publication number Priority date Publication date Assignee Title
CN101515320A (zh) * 2009-04-10 2009-08-26 Institute of Software, Chinese Academy of Sciences Attack-time vulnerability detection method and system
CN101946466A (zh) * 2007-12-21 2011-01-12 Intel Corporation Peer-to-peer streaming and API services for multiple applications
CN102034050A (zh) * 2011-01-25 2011-04-27 Sichuan University Dynamic malware detection method based on a virtual machine and awareness of sensitive Native API calls
CN102682229A (zh) * 2011-03-11 2012-09-19 Beijing Guoluan Information Technology Co., Ltd. Virtualization-based malicious code behavior detection method
WO2013067505A1 (en) * 2011-11-03 2013-05-10 Cyphort, Inc. Systems and methods for virtualization and emulation assisted malware detection
CN103500308A (zh) * 2012-09-28 2014-01-08 Kaspersky Lab ZAO System and method for countering the detection of emulation by malware
JP2014071796A (ja) * 2012-10-01 2014-04-21 Nec Corp Malware detection device, malware detection system, malware detection method, and program

Family Cites Families (23)

Publication number Priority date Publication date Assignee Title
US6697971B1 (en) * 2000-10-24 2004-02-24 Hewlett-Packard Development Company, L.P. System and method for detecting attempts to access data residing outside of allocated memory
US7552426B2 (en) * 2003-10-14 2009-06-23 Microsoft Corporation Systems and methods for using synthetic instructions in a virtual machine
US8763125B1 (en) * 2008-09-26 2014-06-24 Trend Micro, Inc. Disabling execution of malware having a self-defense mechanism
TW201137660A (en) * 2009-12-23 2011-11-01 Ibm Method and system for protecting an operating system against unauthorized modification
US9501644B2 (en) * 2010-03-15 2016-11-22 F-Secure Oyj Malware protection
US8904537B2 (en) 2011-05-09 2014-12-02 F-Secure Corporation Malware detection
US8826440B2 (en) * 2011-10-19 2014-09-02 Google Inc. Defensive techniques to increase computer security
US9104870B1 (en) * 2012-09-28 2015-08-11 Palo Alto Networks, Inc. Detecting malware
US9521156B2 (en) * 2013-02-10 2016-12-13 Paypal, Inc. Method and product for providing a predictive security product and evaluating existing security products
US9342343B2 (en) * 2013-03-15 2016-05-17 Adventium Enterprises, Llc Wrapped nested virtualization
US10230757B2 (en) * 2013-08-27 2019-03-12 Minerva Labs Ltd. Method and system for handling malware
US9185128B2 (en) * 2013-08-30 2015-11-10 Bank Of America Corporation Malware analysis methods and systems
US9355246B1 (en) * 2013-12-05 2016-05-31 Trend Micro Inc. Tuning sandbox behavior based on static characteristics of malware
US9223964B2 (en) 2013-12-05 2015-12-29 Mcafee, Inc. Detecting JAVA sandbox escaping attacks based on JAVA bytecode instrumentation and JAVA method hooking
US9294486B1 (en) * 2014-03-05 2016-03-22 Sandia Corporation Malware detection and analysis
US10084813B2 (en) * 2014-06-24 2018-09-25 Fireeye, Inc. Intrusion prevention and remedy system
US9992225B2 (en) * 2014-09-12 2018-06-05 Topspin Security Ltd. System and a method for identifying malware network activity using a decoy environment
US9411959B2 (en) * 2014-09-30 2016-08-09 Juniper Networks, Inc. Identifying an evasive malicious object based on a behavior delta
US9413774B1 (en) * 2014-10-27 2016-08-09 Palo Alto Networks, Inc. Dynamic malware analysis of a URL using a browser executed in an instrumented virtual machine environment
US10339300B2 (en) * 2015-03-23 2019-07-02 Binary Guard Corp. Advanced persistent threat and targeted malware defense
US20160357965A1 (en) * 2015-06-04 2016-12-08 Ut Battelle, Llc Automatic clustering of malware variants based on structured control flow
US9703956B1 (en) * 2015-06-08 2017-07-11 Symantec Corporation Systems and methods for categorizing virtual-machine-aware applications for further analysis
US9935972B2 (en) * 2015-06-29 2018-04-03 Fortinet, Inc. Emulator-based malware learning and detection

Non-Patent Citations (1)

Title
Kirat, D. Bare-metal Analysis-based Evasive Malware Detection. 23rd USENIX Security Symposium, 2014-08-22, pp. 287-301 *

Also Published As

Publication number Publication date
TW201717087A (zh) 2017-05-16
EP3374920A1 (en) 2018-09-19
EP3374920B1 (en) 2020-04-22
WO2017083044A1 (en) 2017-05-18
US20170132411A1 (en) 2017-05-11
CN108351936A (zh) 2018-07-31
US9984231B2 (en) 2018-05-29
KR20180081726A (ko) 2018-07-17
TWI735475B (zh) 2021-08-11
JP2018534695A (ja) 2018-11-22

Similar Documents

Publication Publication Date Title
CN108351936B (zh) Detecting program evasion of virtual machines or emulators
US9383934B1 (en) Bare-metal computer security appliance
Yan et al. Understanding and detecting overlay-based android malware at market scales
EP2891104B1 (en) Detecting a malware process
US20180060569A1 (en) Detection and Prevention of Malicious Shell Exploits
EP3028203A1 (en) Signal tokens indicative of malware
CN105103158A (zh) Profiling code execution
JP2021051745A (ja) Computer device and memory management method
Kim et al. Large-scale analysis on anti-analysis techniques in real-world malware
Mohsen et al. Android keylogging threat
US11126721B2 (en) Methods, systems and apparatus to detect polymorphic malware
US20170185778A1 (en) Executing full logical paths for malware detection
Yang et al. Eavesdropping user credentials via GPU side channels on smartphones
CN110516445B (zh) Method, device and storage medium for identifying anti-detection malicious code
US10290033B1 (en) Method, system, and computer-readable medium for warning users about untrustworthy application payment pages
CN111062035A (zh) Ransomware detection method, device, electronic apparatus and storage medium
US11636205B2 (en) Method and system for detecting malware using memory map
CN113646763B (zh) Shellcode detection method and device
CN114531294A (zh) Network anomaly sensing method, device, terminal and storage medium
EP4312401B1 (en) Methods and systems for analyzing environment-sensitive malware with coverage-guided fuzzing
Wapet Preventing the release of illegitimate applications on mobile markets
Paleari Dealing with next-generation malware
Fattori Hardware-Assisted Virtualization and its Applications to Systems Security
CN114861183A (zh) Document macro security detection method, device, electronic apparatus and storage medium
Yang et al. Research on malicious behavior of firmware based on hardware resources access control

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant