CN108446160A - A kind of virtual machine hides process detection method and system - Google Patents


Info

Publication number: CN108446160A
Authority: CN (China)
Prior art keywords: view, kernel, virtual machine, linked list, obtains
Legal status: Pending
Application number: CN201810081591.8A
Other languages: Chinese (zh)
Inventors: 马晓旭, 张玲, 饶志宏, 牛长喜, 陈佳昕, 金鑫
Current assignee: China Electronic Technology Cyber Security Co Ltd
Original assignee: China Electronic Technology Cyber Security Co Ltd

Events:
Application filed by China Electronic Technology Cyber Security Co Ltd
Priority to CN201810081591.8A
Publication of CN108446160A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 2009/45591 Monitoring or debugging support
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention provides a virtual machine hidden-process detection method and system. It obtains three classes of process view, namely a user-space process view, a kernel view based on the process linked list, and a trusted kernel-mode process view based on CPU scheduling, and cross-validates them to detect processes hidden inside a virtual machine. Implementing the invention requires neither recompiling nor reloading the hypervisor and does not affect the cloud platform tenant's own services, while it also detects processes that hide themselves by directly modifying kernel objects, further improving the comprehensiveness, accuracy and efficiency of virtual machine hidden-process detection.

Description

A virtual machine hidden-process detection method and system
Technical field
The present invention relates to a virtual machine hidden-process detection method and is applicable to the field of network security.
Background technology
Viruses and Trojans today are no longer written merely to destroy the user's system; more often they lurk in the system to collect user data and steal private information for financial gain. To remain in a system for a long time without being discovered by the user or by antivirus software, malware commonly evades security monitors through self-hiding behaviour, of which hiding its own process is one of the most basic functions. For such malware, hiding itself and ensuring its survival is the primary requirement: it lets the malware stay in the target host for a long time and steal information undetected, causing greater harm. With the rapid growth of cloud computing, effectively detecting hidden processes inside virtual machines and protecting virtual machine security and privacy has become an urgent requirement for platform providers. Meanwhile, with the promulgation of the National Network Security Law, the Network Products and Services Security Review Measures and similar laws and regulations, network security review is becoming an important channel for raising the secure and controllable level of network products and services, guarding against network security risks and safeguarding national security; yet coherent detection means are still lacking, and hidden-process detection in cloud computing environments falls within this scope. The main difficulties currently faced are:
(1) Service interruption constraints. Hidden processes normally run at a low level of the system and achieve their concealment by modifying or bypassing the system's protection mechanisms, so as to evade detection and lie dormant. To detect hidden processes, the corresponding detection function has to be implemented at the bottom of the system (such as the host's hypervisor layer or the virtual machine's kernel layer), but bringing such a detection mechanism into effect usually requires the system to be recompiled or restarted, which interrupts the normal business services of the cloud platform tenant. The detection mechanism and means therefore need to work under a condition of zero interference.
(2) Detection comprehensiveness and accuracy constraints. Detection tools always face the problem of balancing coverage against accuracy, and hidden-process detection makes this harder because hidden processes have no fixed signature and change dynamically; in particular, detecting hidden processes under a zero-interference condition forces some compromise between comprehensiveness and accuracy. How to achieve full coverage together with efficient and accurate detection is the urgent problem that hidden-process detection must solve.
Invention content
The technical problem to be solved by the present invention is to provide a more efficient virtual machine hidden-process detection method, with the characteristic of detecting hidden processes in a virtual machine without interrupting its services.
The technical solution adopted by the present invention is as follows:
A virtual machine hidden-process detection method, whose specific method is: obtain three classes of view, namely a user-space process view, a kernel view based on the process linked list, and a trusted kernel-mode process view based on CPU scheduling, and cross-validate them to detect hidden processes in the virtual machine; the cross-validation comprises:
comparing the user-space process view with the kernel view based on the process linked list to obtain the difference between the two views, and treating any process that is absent from the user-space process view but present in the kernel view based on the process linked list as a suspicious process;
comparing the user-space process view with the trusted kernel-mode process view based on CPU scheduling to obtain the difference between the two views, and treating any process that is absent from the user-space process view but present in the trusted kernel-mode process view based on CPU scheduling as a suspicious process;
comparing the kernel view based on the process linked list with the trusted kernel-mode process view based on CPU scheduling to obtain the difference between the two views, and treating any process that is absent from the kernel view based on the process linked list but present in the trusted kernel-mode process view based on CPU scheduling, as well as any process that is present in the kernel view based on the process linked list but absent from the trusted kernel-mode process view based on CPU scheduling, as a suspicious process;
merging the results of the above three cross-comparisons, screening all suspicious processes, and forming the list of hidden processes in the virtual machine.
When cross-validating the above three views, the process ID is used as the key of the cross-comparison; the views are compared and the difference between each pair of views is obtained.
The specific method of obtaining the user-space process view is: access the proc file system through user-layer API functions to obtain the virtual machine's user-space process view; the specific method steps are:
A1, proc file system and process directory traversal: call the system API access functions and browse the relevant information in the /proc file system to obtain information on the processes the system is currently running;
A2, user-space process view construction: on the basis of the information from the above process directory traversal, call the process status query API functions to obtain the related status information of each process one by one, and merge them to form the current user-space running-process view.
The specific method steps of obtaining the kernel-mode view based on the process linked list are:
B1, kernel process linked-list traversal: locate the first process created by the operating system kernel through the init_task process, traverse all processes of the current system along the doubly-linked circular list, and use the process number as the query primary key;
B2, kernel-mode view construction based on the process linked list: on the basis of the above kernel process linked-list traversal, call the process status query API functions to obtain the related status information of each process one by one, and merge them to form the current kernel-mode running-process view.
The specific method steps of obtaining the trusted kernel-mode process view based on CPU scheduling are:
C1, setting a process-scheduling intercept point: in the virtual machine's kernel layer, add an intercept point to a key function of Linux process scheduling, so as to capture every process that is executed through CPU scheduling and thereby build the true process view;
C2, intercepting process execution: at the intercept point, intercept any process that is scheduled, and after intercepting it collect the process information;
C3, resuming process execution: after the information of the scheduled process has been collected, resume execution of that process so that the scheduled process enters the running state;
C4, trusted kernel-mode process view construction based on CPU scheduling: merge the related status information of every process collected, forming the current kernel-mode running-process view.
A virtual machine hidden-process detection system, comprising a memory and a processor; the memory stores a plurality of instructions, and the instructions are suitable for being loaded and executed by the processor to:
obtain three classes of view, namely a user-space process view, a kernel view based on the process linked list and a trusted kernel-mode process view based on CPU scheduling, and cross-validate them; the cross-validation comprises:
treating any process absent from the user-space process view but present in the kernel view based on the process linked list as a suspicious process;
treating any process absent from the user-space process view but present in the trusted kernel-mode process view based on CPU scheduling as a suspicious process;
treating any process absent from the kernel view based on the process linked list but present in the trusted kernel-mode process view based on CPU scheduling, as well as any process present in the kernel view based on the process linked list but absent from the trusted kernel-mode process view based on CPU scheduling, as a suspicious process;
screening all suspicious processes and forming the list of hidden processes in the virtual machine.
The instructions are suitable for being loaded and executed by the processor to: use the process ID as the key of the cross-comparison when comparing the views.
The instructions are suitable for being loaded and executed by the processor to:
A1, call the system API access functions and browse the relevant information in the /proc file system to obtain information on the processes the system is currently running;
A2, call the process status query API functions to obtain the related status information of each process one by one, and merge them to form the current user-space running-process view.
The instructions are suitable for being loaded and executed by the processor to:
B1, locate the first process created by the operating system kernel through the init_task process, traverse all processes of the current system along the doubly-linked circular list, and use the process number as the query primary key;
B2, call the process status query API functions to obtain the related status information of each process one by one, and merge them to form the current kernel-mode running-process view.
The instructions are suitable for being loaded and executed by the processor to:
C1, in the virtual machine's kernel layer, add an intercept point to a key function of Linux process scheduling so as to capture every process executed through CPU scheduling;
C2, at the intercept point, intercept any process that is scheduled and collect its process information;
C3, resume execution of the scheduled process whose information has been collected;
C4, merge the related status information of every process collected to form the current kernel-mode running-process view.
Compared with the prior art, the beneficial effects of the invention are: more efficient virtual machine hidden-process detection is achieved; hidden processes are detected without recompiling or reloading the hypervisor and without affecting the tenant's own services; and the problem of processes hiding themselves by directly modifying kernel objects is also addressed, further improving the comprehensiveness and accuracy of hidden-process detection.
Description of the drawings
Fig. 1 is the architecture diagram of the virtual machine hidden-process detection tool.
Fig. 2 is the flow chart of the virtual machine hidden-process view comparison.
Fig. 3 is the flow chart of obtaining the virtual machine user-space process view in one embodiment of the invention.
Fig. 4 is the flow chart of traversing the kernel process linked list when obtaining the kernel view based on the process linked list in one embodiment of the invention.
Fig. 5 is the schematic diagram of constructing the true process view when obtaining the trusted kernel-mode process view based on CPU scheduling in one embodiment of the invention.
Fig. 6 is the diagram of intercept point selection and process execution when obtaining the trusted kernel-mode process view based on CPU scheduling in one embodiment of the invention.
Specific implementation mode
To make the purpose, technical scheme and advantages of the present invention clearer, the invention is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the invention and not to limit it.
Any feature disclosed in this specification (including the abstract and drawings) may, unless specifically stated otherwise, be replaced by other equivalent features or by alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
As shown in Fig. 1 and Fig. 2, a virtual machine hidden-process detection method has the following specific method: obtain three classes of view, namely a user-space process view, a kernel view based on the process linked list, and a trusted kernel-mode process view based on CPU scheduling, and cross-compare them to detect hidden processes in the virtual machine; the cross-validation comprises:
comparing the user-space process view with the kernel view based on the process linked list to obtain the difference between the two views, and treating any process that is absent from the user-space process view but present in the kernel view based on the process linked list as a suspicious process;
comparing the user-space process view with the trusted kernel-mode process view based on CPU scheduling to obtain the difference between the two views, and treating any process that is absent from the user-space process view but present in the trusted kernel-mode process view based on CPU scheduling as a suspicious process;
comparing the kernel view based on the process linked list with the trusted kernel-mode process view based on CPU scheduling to obtain the difference between the two views, and treating any process that is absent from the kernel view based on the process linked list but present in the trusted kernel-mode process view based on CPU scheduling, as well as any process that is present in the kernel view based on the process linked list but absent from the trusted kernel-mode process view based on CPU scheduling, as a suspicious process;
merging the results of the above three cross-comparisons, screening all suspicious processes, and forming the list of hidden processes in the virtual machine.
The present invention cross-validates, inside the virtual machine, the user-space process view, the kernel-mode view based on the process linked list and the trusted kernel-mode process view based on CPU scheduling, thereby detecting hidden processes with zero interruption of the services running in the virtual machine and providing technical support for cloud-service network security review. On the one hand, hidden-process detection is achieved through a detection mechanism inside the virtual machine, without recompiling or reloading the hypervisor, so that in a cloud computing environment hidden processes in a virtual machine are detected without affecting the tenant's own services. On the other hand, the multi-dimensional view comparison addresses the problem of processes hiding themselves by directly modifying kernel objects (such as unlinking themselves from the kernel process linked list), further improving the comprehensiveness and accuracy of hidden-process detection.
As one specific embodiment, when cross-validating the above three views, the process ID is used as the key of the cross-comparison; the views are compared and the difference between each pair of views is obtained.
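The three pairwise comparisons above are set differences keyed on PID. The following Python is an added example, not code from the patent or its assignee: it implements the comparison rules literally, records the reason each PID was flagged, and runs on constructed sample views (the PID values and the process names in the comments are invented for illustration).

```python
"""Cross-view comparison of three process views keyed on PID.

Added example (not from the patent text): implements the three pairwise
comparisons of the method and merges the result into one suspect list.
The sample views below are constructed by hand to illustrate the rules.
"""


def cross_validate(user_view, list_view, sched_view):
    """Return {pid: [reasons]} for every PID flagged by any comparison.

    Views are iterables of PIDs.
    Rule 1: in the task-list kernel view but not in the user-space view.
    Rule 2: in the scheduler-derived view but not in the user-space view.
    Rule 3: either direction of difference between the task-list view and
            the scheduler-derived view.
    """
    user_view, list_view, sched_view = set(user_view), set(list_view), set(sched_view)
    suspects = {}

    def flag(pids, reason):
        for pid in pids:
            suspects.setdefault(pid, []).append(reason)

    flag(list_view - user_view, "in kernel task list, missing from /proc view")
    flag(sched_view - user_view, "seen by scheduler, missing from /proc view")
    flag(sched_view - list_view, "seen by scheduler, missing from kernel task list")
    flag(list_view - sched_view, "in kernel task list, never seen by scheduler")
    return suspects


# Constructed sample views (PIDs only; the names are for the reader):
#   1    init             visible in all three views
#   42   sshd             visible in all three views
#   1337 rootkit daemon   unlinked from the task list, so only the scheduler sees it
#   2001 dropper          hidden from /proc only, still on the task list
#   77   cron             asleep for the whole sampling window, never scheduled
USER_VIEW = {1, 42, 77}
LIST_VIEW = {1, 42, 77, 2001}
SCHED_VIEW = {1, 42, 1337, 2001}


def hidden_process_list(user_view=USER_VIEW, list_view=LIST_VIEW, sched_view=SCHED_VIEW):
    """Sorted list of (pid, reasons) pairs suitable for a report."""
    return sorted(cross_validate(user_view, list_view, sched_view).items())


if __name__ == "__main__":
    for pid, reasons in hidden_process_list():
        print(pid, "; ".join(reasons))
```

Rule 3 flags both directions, so a process that stays asleep for the whole sampling window (PID 77 in the sample) is reported alongside the genuinely hidden ones; that is the trade-off the description acknowledges when it makes the sampling period user-adjustable, and in practice one lengthens the window or requires a PID to be flagged in consecutive samples before treating it as hidden.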
The proc file system in the Linux operating system is a virtual file system that provides user space with an access interface in the form of files; these interfaces can be used to obtain information on the related components at run time or to change a component's behaviour. It mainly contains the following information: memory management, operating system process information, device drivers, system buses, networking and so on. Because it contains information on the processes in the current operating system, user-space API functions can usually access this file system to obtain the processes currently running in the system. In the Linux operating system, shell commands such as ps and top are implemented by accessing the proc file system to obtain the process information in the system.
Therefore, in the virtual machine hidden-process detection method, as one specific embodiment, the specific method of obtaining the user-space process view is: access the proc file system through user-layer API functions to obtain the virtual machine's user-space process view; as shown in Fig. 3, the specific method steps are:
A1, proc file system and process directory traversal: in the Linux operating system the basic information of every process is stored in the /proc file system; call the system API access functions and browse the relevant information in the /proc file system to obtain information on the processes the system is currently running;
A2, user-space process view construction: on the basis of the information from the above process directory traversal, call the process status query API functions to obtain the related status information of each process one by one, and merge them to form the current user-space running-process view.
Because the system runs as a dynamic process, the user-space process view also changes dynamically as the system runs; obtaining the above user-space view is therefore itself a dynamic process, and the sampling period can be adjusted dynamically according to the user's settings.
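Steps A1 and A2 in code: the Python below is an added example, not the patent's own implementation. It walks a proc root for numeric directory names and parses each process's status file into a view keyed on PID. The proc root is a parameter so the same function can be exercised offline against a constructed directory tree (the build_fake_proc helper and its sample processes are invented for the example); on a live Linux guest it would be called with "/proc".

```python
"""User-space process view from the proc filesystem (steps A1/A2).

Added example, not code from the patent. Enumerates numeric entries under a
proc root and reads Name/State/PPid from each <pid>/status file.
"""
import os
import tempfile


def read_status(status_path):
    """Parse the 'Key:\\tvalue' lines of a /proc/<pid>/status file."""
    info = {}
    with open(status_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep:
                info[key.strip()] = value.strip()
    return info


def user_space_view(proc_root="/proc"):
    """Step A1: walk proc_root for numeric directories (one per PID).
    Step A2: read each process's status and collect it into a view keyed
    on PID. A process that exits between listdir and open is skipped
    rather than aborting the scan, because the view is a snapshot."""
    view = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # /proc/sys, /proc/net and friends are not processes
        status_path = os.path.join(proc_root, entry, "status")
        try:
            info = read_status(status_path)
        except OSError:
            continue  # process vanished mid-scan
        view[int(entry)] = {
            "name": info.get("Name", "?"),
            "state": info.get("State", "?"),
            "ppid": int(info.get("PPid", "0") or 0),
        }
    return view


def build_fake_proc(entries):
    """Construct a fake proc tree for offline testing (invented data).
    `entries` maps pid -> (name, state, ppid); returns the temporary root."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    os.mkdir(os.path.join(root, "sys"))  # non-numeric entry, must be ignored
    for pid, (name, state, ppid) in entries.items():
        pid_dir = os.path.join(root, str(pid))
        os.mkdir(pid_dir)
        with open(os.path.join(pid_dir, "status"), "w", encoding="utf-8") as fh:
            fh.write(f"Name:\t{name}\nState:\t{state}\nPid:\t{pid}\nPPid:\t{ppid}\n")
    return root


# Constructed sample processes for the fake tree.
SAMPLE = {
    1: ("systemd", "S (sleeping)", 0),
    42: ("sshd", "S (sleeping)", 1),
    4242: ("bash", "R (running)", 42),
}


def sample_view():
    """Build the fake tree and return the user-space view read from it."""
    return user_space_view(build_fake_proc(SAMPLE))


if __name__ == "__main__":
    for pid, info in sorted(sample_view().items()):
        print(pid, info)
```

A process that hides itself from this view only needs to keep its directory out of the listing or its status file unreadable, which is why the method does not stop at the /proc view but compares it against the two kernel-side views.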
In the Linux operating system the process structure is defined as task_struct. To manage the structure of every process conveniently, the Linux operating system maintains a doubly-linked circular list of the process structures, interconnected through the tasks member of the task_struct structure. The head of the list is the init_task process, which points to the first process created by the operating system kernel; each process created subsequently has its process structure added to the doubly-linked circular list as a node.
Therefore, by traversing this doubly-linked circular list, the process view information can be obtained in the virtual machine's kernel layer. As one specific embodiment, as shown in Fig. 4, the specific method steps of obtaining the kernel-mode view based on the process linked list are:
B1, kernel process linked-list traversal: locate the first process created by the operating system kernel through the init_task process, traverse all processes of the current system along the doubly-linked circular list, and use the process number as the query primary key;
B2, kernel-mode view construction based on the process linked list: on the basis of the above kernel process linked-list traversal, call the process status query API functions to obtain the related status information of each process one by one, and merge them to form the current kernel-mode running-process view.
Because the system runs as a dynamic process, the kernel-mode process view also changes dynamically as the system runs; obtaining the above kernel-mode view is therefore itself a dynamic process, and the sampling period can be adjusted dynamically according to the user's settings.
In the Linux operating system, once a new process has been created it is marked ready and placed in the ready queue, and it must wait to be allocated a CPU time slice before it can execute. Every process time-shares CPU time slices so that the CPU resource is shared. A hidden process that exists in the form of a backdoor program must likewise obtain CPU execution through the system's scheduling control in order to achieve its attack purpose. The most trustworthy process view this method obtains is therefore built by intercepting the CPU scheduling of every process that requests it, producing the system's true process view.
Therefore, as one specific embodiment, as shown in Fig. 5, the specific method steps of obtaining the trusted kernel-mode process view based on CPU scheduling are:
C1, setting a process-scheduling intercept point: in the virtual machine's kernel layer, add an intercept point to a key function of Linux process scheduling, so as to capture every process that is executed through CPU scheduling and thereby build the true process view;
C2, intercepting process execution: at the intercept point, intercept any process that is scheduled, and after intercepting it collect the process information (including related information such as the process ID);
C3, resuming process execution: after the information of the scheduled process has been collected, resume execution of that process so that the scheduled process enters the running state;
C4, trusted kernel-mode process view construction based on CPU scheduling: merge the related status information of every process collected, forming the current kernel-mode running-process view.
In step C1, to capture process scheduling, a process-scheduling intercept point needs to be set; the specific steps are shown in Fig. 6. The path from process creation to execution through CPU scheduling is: 1→2→3→4→5→6→7. To capture the low-level scheduling action and obtain a more trustworthy process view, this method adds an intercept point to a key function of Linux process scheduling in the virtual machine's kernel layer, so as to capture every process executed through CPU scheduling and thereby build the true process view. After the intercept point is added, the execution path of a scheduled process becomes: 1→2→3→4→8→9→6→7.
The related status information of every process collected is merged to form the current kernel-mode running-process view.
Because the system runs as a dynamic process, the kernel-mode process view also changes dynamically as the system runs; obtaining the above kernel-mode view is therefore itself a dynamic process, and the sampling period can be adjusted dynamically according to the user's settings.
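To show why the scheduler-based view (steps C1 to C4) catches what the list traversal (steps B1 and B2) misses, here is an added example, not code from the patent: the kernel's task list and scheduler are modelled in user-space Python, with a circular doubly-linked list headed by init_task, a list_del that unlinks a task the way a direct kernel-object modification would, and a round-robin scheduler that calls an intercept hook on every dispatch. The task names, PIDs and run queue are constructed for the example.

```python
"""Kernel-side views modelled in user space (steps B1/B2 and C1-C4).

Added example, not the patent's code. task_struct and the scheduler are
replaced by a small simulation so the two views can be compared offline.
"""


class Task:
    """Minimal task_struct: pid, comm and the two circular-list pointers."""

    def __init__(self, pid, comm):
        self.pid, self.comm = pid, comm
        self.next = self.prev = self  # a fresh node is its own one-element list


def list_add_tail(new, head):
    """Insert `new` before `head`, i.e. at the tail of head's circular list."""
    new.prev, new.next = head.prev, head
    head.prev.next = new
    head.prev = new


def list_del(node):
    """Unlink `node` from its list, as a direct kernel-object modification does
    to task_struct.tasks. The node keeps its own pointers and stays runnable."""
    node.prev.next = node.next
    node.next.prev = node.prev


def traverse_task_list(init_task):
    """Steps B1/B2: walk the circular list from init_task, keyed on pid."""
    view, cur = {}, init_task
    while True:
        view[cur.pid] = cur.comm
        cur = cur.next
        if cur is init_task:
            break
    return view


class TinyScheduler:
    """Round-robin over a run queue. `hook` models the intercept point added
    to the scheduling path (C1): it observes every task that gets the CPU."""

    def __init__(self, runqueue, hook):
        self.runqueue, self.hook = list(runqueue), hook

    def run(self, ticks):
        for i in range(ticks):
            task = self.runqueue[i % len(self.runqueue)]
            self.hook(task)  # C2: intercept and record pid/comm
            # C3: resume the intercepted task (nothing further to do here)


def scheduler_view(runqueue, ticks):
    """Steps C1-C4: collect the pids observed at the intercept point."""
    seen = {}
    TinyScheduler(runqueue, lambda t: seen.setdefault(t.pid, t.comm)).run(ticks)
    return seen


def demo():
    """Constructed scenario: four tasks, one unlinked, one never scheduled."""
    init_task = Task(0, "swapper")
    tasks = [Task(1, "init"), Task(42, "sshd"), Task(77, "cron"), Task(1337, "hidden")]
    for t in tasks:
        list_add_tail(t, init_task)
    list_del(tasks[3])                          # unlink pid 1337 from the task list
    runnable = [tasks[0], tasks[1], tasks[3]]   # cron sleeps for the whole window
    return traverse_task_list(init_task), scheduler_view(runnable, ticks=10)


def hidden_by_unlink():
    """PIDs the scheduler saw but the list walk could not: the third comparison."""
    list_view, sched_view = demo()
    return sorted(set(sched_view) - set(list_view))


if __name__ == "__main__":
    lv, sv = demo()
    print("task-list view:", sorted(lv))
    print("scheduler view:", sorted(sv))
    print("hidden by unlink:", hidden_by_unlink())
```

The list walk cannot reach PID 1337 once its node is unlinked, but the intercept point still records it because the unlinked task remains runnable; that is exactly the difference the third comparison reports. The same run shows the opposite difference too: the list head itself and the task that never ran during the window appear only in the list view, which is why the sampling period matters.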
In the virtual machine's user space, the user-space process view is obtained by accessing the proc file system under Linux through user-space APIs; in the virtual machine's kernel space, the first-layer kernel-mode process view is obtained by traversing the Linux kernel process linked list, and the second, more trustworthy kernel-mode process view is obtained by hooking the Linux kernel's process-scheduling system functions. Hidden-process detection is thereby achieved through a detection mechanism inside the virtual machine, without recompiling or reloading the hypervisor, so that in a cloud computing environment hidden processes in a virtual machine are detected without affecting the tenant's own services.
A virtual machine hidden-process detection system, comprising a memory and a processor; the memory stores a plurality of instructions, and the instructions are suitable for being loaded and executed by the processor to:
obtain three classes of view, namely a user-space process view, a kernel view based on the process linked list and a trusted kernel-mode process view based on CPU scheduling, and cross-validate them; the cross-validation comprises:
treating any process absent from the user-space process view but present in the kernel view based on the process linked list as a suspicious process;
treating any process absent from the user-space process view but present in the trusted kernel-mode process view based on CPU scheduling as a suspicious process;
treating any process absent from the kernel view based on the process linked list but present in the trusted kernel-mode process view based on CPU scheduling, as well as any process present in the kernel view based on the process linked list but absent from the trusted kernel-mode process view based on CPU scheduling, as a suspicious process;
screening all suspicious processes and forming the list of hidden processes in the virtual machine.
The instructions are suitable for being loaded and executed by the processor to: use the process ID as the key of the cross-comparison when comparing the views.
The instructions are suitable for being loaded and executed by the processor to:
A1, call the system API access functions and browse the relevant information in the /proc file system to obtain information on the processes the system is currently running;
A2, call the process status query API functions to obtain the related status information of each process one by one, and merge them to form the current user-space running-process view.
The instructions are suitable for being loaded and executed by the processor to:
B1, locate the first process created by the operating system kernel through the init_task process, traverse all processes of the current system along the doubly-linked circular list, and use the process number as the query primary key;
B2, call the process status query API functions to obtain the related status information of each process one by one, and merge them to form the current kernel-mode running-process view.
The instructions are suitable for being loaded and executed by the processor to:
C1, in the virtual machine's kernel layer, add an intercept point to a key function of Linux process scheduling so as to capture every process executed through CPU scheduling;
C2, at the intercept point, intercept any process that is scheduled and collect its process information;
C3, resume execution of the scheduled process whose information has been collected;
C4, merge the related status information of every process collected to form the current kernel-mode running-process view.
Addressing the deficiencies that malicious programs evade virtual-memory scanning by altering the memory address mapping and tamper with process information to defeat detection signatures, and that hypervisor-based hidden-process detection must interrupt the cloud platform tenant's services, the present invention proposes a virtual machine hidden-process detection method based on cross-view comparison. On the one hand, it offers zero-interruption detection for network security review: the multi-view hidden-process detection mechanism is implemented inside the virtual machine without recompiling or reloading the hypervisor, so that in a cloud computing environment hidden processes in a virtual machine are detected without affecting the tenant's own services. On the other hand, it offers multi-dimensional hidden-process detection: the user-space process view, the kernel-mode view based on the process linked list and the trusted kernel-mode process view based on CPU scheduling are cross-validated inside the virtual machine to detect the hidden processes present in it, addressing the problem of processes hiding themselves by directly modifying kernel objects (such as unlinking themselves from the kernel process linked list) and further improving the comprehensiveness and accuracy of hidden-process detection.

Claims (10)

1. A virtual machine hidden process detection method, comprising: obtaining three classes of view, namely a user-state process view, a kernel-state view based on the process linked list, and a trusted kernel-state process view based on CPU scheduling, and cross-validating them to achieve effective detection of hidden processes in the virtual machine; the cross validation comprises:
comparing the user-state process view with the kernel-state view based on the process linked list to obtain the difference between the two views, and taking processes that are absent from the user-state process view but present in the kernel-state view based on the process linked list as suspicious processes;
comparing the user-state process view with the trusted kernel-state process view based on CPU scheduling to obtain the difference between the two views, and taking processes that are absent from the user-state process view but present in the trusted kernel-state process view based on CPU scheduling as suspicious processes;
comparing the kernel-state view based on the process linked list with the trusted kernel-state process view based on CPU scheduling to obtain the difference between the two views, and taking processes that are absent from the kernel-state view based on the process linked list but present in the trusted kernel-state process view based on CPU scheduling, as well as processes that are present in the kernel-state view based on the process linked list but absent from the trusted kernel-state process view based on CPU scheduling, as suspicious processes;
aggregating the results of the above three cross comparisons, adjudicating all suspicious processes, and forming the hidden process list of the virtual machine.
2. The virtual machine hidden process detection method according to claim 1, wherein, when cross-validating the three classes of view, the process ID is used as the key of the cross comparison, and the views are compared on it to obtain the difference between any two views.
3. The virtual machine hidden process detection method according to claim 1 or 2, wherein the user-state process view is obtained by accessing the proc file system through user-layer API functions, in the following steps:
A1. Traversal of the proc file system and process directories: call the system API access functions and browse the relevant information in the /proc file system to obtain information on the processes currently running in the system;
A2. Construction of the user-state process view: on the basis of the information from the process directory traversal, use the process-status query API functions to obtain the status information of each process item by item, and aggregate it into the current user-state running-process view.
4. The virtual machine hidden process detection method according to claim 1 or 2, wherein the kernel-state view based on the process linked list is obtained in the following steps:
B1. Traversal of the kernel process linked list: locate the first process created by the operating system kernel via the init_task process, and traverse all processes of the current system through the doubly linked circular list, using the process number as the query key;
B2. Construction of the kernel-state view based on the process linked list: on the basis of the kernel process linked list traversal, use the process-status query API functions to obtain the status information of each process item by item, and aggregate it into the current kernel-state running-process view.
5. The virtual machine hidden process detection method according to claim 1 or 2, wherein the trusted kernel-state process view based on CPU scheduling is obtained in the following steps:
C1. Setting the process-scheduling intercept point: in the virtual machine kernel layer, add an intercept point in the key process-scheduling function of the Linux system so as to capture each process that is scheduled onto the CPU, and thereby build a true process view;
C2. Intercepting process execution: at the intercept point, intercept any process that is being scheduled and, after interception, collect its process information;
C3. Resuming process execution: after the information on the scheduled process has been collected, resume execution of the process so that it enters the running state;
C4. Construction of the trusted kernel-state process view based on CPU scheduling: aggregate the collected status information of every process into the current kernel-state running-process view.
6. A virtual machine hidden process detection system, comprising a memory and a processor; the memory stores a plurality of instructions, the instructions being suitable for loading and execution by the processor to:
obtain three classes of view, namely a user-state process view, a kernel-state view based on the process linked list, and a trusted kernel-state process view based on CPU scheduling, and cross-validate them; the cross validation comprises:
taking processes that are absent from the user-state process view but present in the kernel-state view based on the process linked list as suspicious processes;
taking processes that are absent from the user-state process view but present in the trusted kernel-state process view based on CPU scheduling as suspicious processes;
taking processes that are absent from the kernel-state view based on the process linked list but present in the trusted kernel-state process view based on CPU scheduling, as well as processes that are present in the kernel-state view based on the process linked list but absent from the trusted kernel-state process view based on CPU scheduling, as suspicious processes;
adjudicating all suspicious processes and forming the hidden process list of the virtual machine.
7. The virtual machine hidden process detection system according to claim 6, wherein the instructions are further suitable for loading and execution by the processor to: use the process ID as the key of the cross comparison and compare the views on it.
8. The virtual machine hidden process detection system according to claim 6 or 7, wherein the instructions are further suitable for loading and execution by the processor to:
A1. call the system API access functions and browse the relevant information in the /proc file system to obtain information on the processes currently running in the system;
A2. use the process-status query API functions to obtain the status information of each process item by item, and aggregate it into the current user-state running-process view.
9. The virtual machine hidden process detection system according to claim 6 or 7, wherein the instructions are further suitable for loading and execution by the processor to:
B1. locate the first process created by the operating system kernel via the init_task process, and traverse all processes of the current system through the doubly linked circular list, using the process number as the query key;
B2. use the process-status query API functions to obtain the status information of each process item by item, and aggregate it into the current kernel-state running-process view.
10. The virtual machine hidden process detection system according to claim 6 or 7, wherein the instructions are further suitable for loading and execution by the processor to:
C1. in the virtual machine kernel layer, add an intercept point in the key process-scheduling function of the Linux system so as to capture each process that is scheduled onto the CPU;
C2. at the intercept point, intercept any process that is being scheduled and collect its process information;
C3. resume execution of the scheduled process once its process information has been collected;
C4. aggregate the collected status information of every process into the current kernel-state running-process view.
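The three comparisons of claim 1, keyed on PID as in claim 2, together with the task-list walk of claims 4 and 9 and the scheduler intercept of claims 5 and 10, modelled end to end in one C program. This is an added example written for this page, not the patent's code: the guest kernel is replaced by a small in-process model (a task table, a circular doubly linked list anchored at an init_task sentinel, and a loop that fires a switch-in hook for every runnable task), and all PIDs, names and the hiding techniques applied to them are constructed. In a real Linux guest the list walk corresponds to for_each_process() over init_task.tasks and the intercept point would be a kprobe on a scheduler function such as finish_task_switch; neither is used here.

```c
/* Added example, not the patent's code: user-space model of the three-view cross check. */
#include <stdio.h>
#include <string.h>
enum { MAX_TASKS = 16, MAX_VIEW = 64 };

struct task {
    int pid, runnable, in_proc;   /* runnable: scheduler may pick it; in_proc: /proc visible */
    struct task *next, *prev;     /* init_task-anchored circular doubly linked list */
};
struct view { int pids[MAX_VIEW]; size_t n; };
struct sim  { struct task init_task, t[MAX_TASKS]; size_t n; };

int view_has(const struct view *v, int pid)
{
    for (size_t i = 0; i < v->n; i++) if (v->pids[i] == pid) return 1;
    return 0;
}
static void view_add(struct view *v, int pid)
{
    if (!view_has(v, pid) && v->n < MAX_VIEW) v->pids[v->n++] = pid;
}
/* Add to out every PID present in a but absent from b; PID is the join key (claim 2). */
static void view_minus(const struct view *a, const struct view *b, struct view *out)
{
    for (size_t i = 0; i < a->n; i++) if (!view_has(b, a->pids[i])) view_add(out, a->pids[i]);
}
/* Claim 1: the three pairwise comparisons merged into one deduplicated suspicious set. */
size_t cross_validate(const struct view *user, const struct view *klist,
                      const struct view *sched, struct view *out)
{
    out->n = 0;
    view_minus(klist, user, out);   /* in task list, hidden from /proc           */
    view_minus(sched, user, out);   /* scheduled, hidden from /proc              */
    view_minus(sched, klist, out);  /* scheduled, unlinked from task list        */
    view_minus(klist, sched, out);  /* linked, never seen on a CPU (weak signal) */
    return out->n;
}
/* ---- model of the guest kernel: constructed, stands in for task_structs ---- */
static void sim_init(struct sim *s)
{
    memset(s, 0, sizeof *s);
    s->init_task.next = s->init_task.prev = &s->init_task;   /* pid 0, like swapper */
}
static struct task *sim_spawn(struct sim *s, int pid, int runnable)
{
    struct task *t = &s->t[s->n++];
    t->pid = pid; t->runnable = runnable; t->in_proc = 1;
    t->prev = s->init_task.prev; t->next = &s->init_task;     /* link at list tail */
    t->prev->next = t; s->init_task.prev = t;
    return t;
}
/* DKOM hiding: unlink the task from the list; the scheduler keeps running it. */
static void dkom_unlink(struct task *t)
{
    t->prev->next = t->next; t->next->prev = t->prev; t->next = t->prev = t;
}
static void user_view(const struct sim *s, struct view *v)            /* claim 3 */
{
    v->n = 0;
    for (size_t i = 0; i < s->n; i++) if (s->t[i].in_proc) view_add(v, s->t[i].pid);
}
static void klist_view(const struct sim *s, struct view *v)           /* claim 4, B1 */
{
    v->n = 0;
    for (const struct task *p = s->init_task.next; p != &s->init_task; p = p->next)
        view_add(v, p->pid);
}
static void sched_view(const struct sim *s, struct view *v)           /* claim 5, C1-C4 */
{
    v->n = 0;                  /* one scheduler round: the hook fires at every switch-in */
    for (size_t i = 0; i < s->n; i++) if (s->t[i].runnable) view_add(v, s->t[i].pid);
}
/* Scenario: hidden runnable miner, hidden sleeping backdoor, hidden DKOM-unlinked
 * daemon, and an honest sleeping sshd that never reaches a CPU in the window. */
size_t run_scenario(struct view *suspicious)
{
    struct sim s; struct view u, k, c;
    sim_init(&s);
    sim_spawn(&s, 1, 1);                                    /* systemd             */
    sim_spawn(&s, 200, 0);                                  /* sshd, sleeping      */
    sim_spawn(&s, 1337, 1)->in_proc = 0;                    /* miner, /proc hooked */
    sim_spawn(&s, 555, 0)->in_proc = 0;                     /* backdoor, sleeping  */
    struct task *d = sim_spawn(&s, 4242, 1);                /* dkom_d              */
    d->in_proc = 0; dkom_unlink(d);
    user_view(&s, &u); klist_view(&s, &k); sched_view(&s, &c);
    return cross_validate(&u, &k, &c, suspicious);
}
int scenario_flags(int pid)       /* 1 if the scenario marks pid suspicious */
{
    struct view v;
    run_scenario(&v);
    return view_has(&v, pid);
}
int main(void)
{
    struct view sus;
    size_t n = run_scenario(&sus);
    for (size_t i = 0; i < n; i++) printf("suspicious pid %d\n", sus.pids[i]);
    return 0;
}
```

Running it flags 1337 (hidden from /proc but still linked), 4242 (hidden and DKOM-unlinked, caught only because the scheduler still runs it) and 555 (hidden but sleeping, caught only by the task-list walk). It also flags 200, the honest sshd, because the fourth comparison treats "linked but never scheduled in the window" as suspicious: that direction is a weak signal, so in practice the sampling window must be long enough for idle daemons to be scheduled at least once, or hits from it should be ranked below the other three. Since PIDs are reused, a production implementation should key on PID plus process start time rather than PID alone.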
CN201810081591.8A 2018-01-29 2018-01-29 Virtual machine hidden process detection method and system Pending CN108446160A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810081591.8A CN108446160A (en) 2018-01-29 2018-01-29 Virtual machine hidden process detection method and system

Publications (1)

Publication Number Publication Date
CN108446160A true CN108446160A (en) 2018-08-24

Family

ID=63190996

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810081591.8A Pending CN108446160A (en) 2018-01-29 2018-01-29 Virtual machine hidden process detection method and system

Country Status (1)

Country Link
CN (1) CN108446160A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109271244A (en) * 2018-09-11 2019-01-25 Zhengzhou Yunhai Information Technology Co., Ltd. Process management method and device for non-volatile memory
CN109144893A (en) * 2018-09-11 2019-01-04 Zhengzhou Yunhai Information Technology Co., Ltd. Method and apparatus for interacting with a non-volatile memory process
CN109388581A (en) * 2018-10-08 2019-02-26 Zhengzhou Yunhai Information Technology Co., Ltd. Non-volatile memory management method and device
CN109298916A (en) * 2018-11-30 2019-02-01 Zhengzhou Yunhai Information Technology Co., Ltd. Method and apparatus for identifying processes on a virtual machine
CN111399927A (en) * 2018-12-14 2020-07-10 Beijing Qihoo Technology Co., Ltd. Method and device for sharing Class file by application and computing equipment
CN109829324B (en) * 2019-02-21 2023-02-17 Qingdao Hisense Electronic Equipment Co., Ltd. Method for safely storing and quickly calling data and mobile terminal
CN109829324A (en) * 2019-02-21 2019-05-31 Qingdao Hisense Electronic Equipment Co., Ltd. Method for secure data storage and quick calling, and mobile terminal
CN110046502A (en) * 2019-04-08 2019-07-23 Institute of Software, Chinese Academy of Sciences Configurable function API monitoring method based on virtualized efficient HASH
CN110046502B (en) * 2019-04-08 2020-12-04 Institute of Software, Chinese Academy of Sciences Configurable function API monitoring method based on virtualized efficient HASH
CN110336894A (en) * 2019-06-24 2019-10-15 Institute of Software, Chinese Academy of Sciences Method for converting a virtual machine user-space address to a host kernel-space address
CN112818345A (en) * 2020-08-17 2021-05-18 Beijing Chenxin Lingchuang Information Technology Co., Ltd. Traversing hidden processes
CN114489941A (en) * 2022-01-19 2022-05-13 Shanghai Jiao Tong University Virtual machine management method and system running in host mode user mode
CN114489941B (en) * 2022-01-19 2024-05-28 Shanghai Jiao Tong University Virtual machine management method and system running in host mode user mode

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060212945A1 (en) * 2005-03-15 2006-09-21 Donlin Patrick J Computer system with dual operating modes
CN102147843A (en) * 2011-05-16 2011-08-10 Hunan University Rootkit intrusion detection and system recovery method based on kernel invariant protection
CN102521537A (en) * 2011-12-06 2012-06-27 Beihang University Detection method and device for hidden processes based on a virtual machine monitor
CN102750475A (en) * 2012-06-07 2012-10-24 The 30th Research Institute of China Electronics Technology Group Corporation Virtual-machine-based detection method and system for malicious code by cross comparison of internal and external views
CN103699839A (en) * 2013-12-09 2014-04-02 TCL Corporation Method and device for detecting kernel-level rootkits
CN103793288A (en) * 2014-02-14 2014-05-14 Beijing University of Posts and Telecommunications Software watchdog system and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
YING WANG et al.: "VMDetector: A VMM-based Platform to Detect Hidden Process by Multi-view Comparison", 2011 IEEE 13th International Symposium on High-Assurance Systems Engineering *
冯培钧: "Design and Implementation of a Novel Linux Kernel-level Rootkit", Journal of Information Engineering University *

Similar Documents

Publication Publication Date Title
CN108446160A (en) Virtual machine hidden process detection method and system
US9946568B1 (en) Micro-virtualization architecture for threat-aware module deployment in a node of a network environment
JP6317435B2 (en) Complex scoring for malware detection
Wang et al. Numchecker: Detecting kernel control-flow modifying rootkits by using hardware performance counters
Liu et al. Shielding heterogeneous MPSoCs from untrustworthy 3PIPs through security-driven task scheduling
CN103839003B (en) Malicious file detection method and device
EP3479281B1 (en) Method and computer system for determining a threat score
CN106203126B (en) A kind of validating vulnerability method and system based on simulated environment
US8732824B2 (en) Method and system for monitoring integrity of running computer system
Ho et al. PREC: practical root exploit containment for android devices
KR20160054589A (en) Malware and exploit campaign detection system and method
Studnia et al. Survey of security problems in cloud computing virtual machines
Milenkoski et al. Experience report: an analysis of hypercall handler vulnerabilities
Kiperberg et al. Hypervisor-assisted atomic memory acquisition in modern systems
Milenkoski et al. Evaluation of intrusion detection systems in virtualized environments using attack injection
Sihag et al. Opcode n-gram based malware classification in android
EP3560174A1 (en) Generation of application allowed lists for machines
Qin et al. MSNdroid: the Android malware detector based on multi-class features and deep belief network
Jiang et al. CRONUS: Fault-isolated, secure and high-performance heterogeneous computing for trusted execution environment
Wei et al. Soft-timer driven transient kernel control flow attacks and defense
CN104200162A (en) Computer program product for information security monitoring and defense and method thereof
Hertogh et al. Quarantine: Mitigating Transient Execution Attacks with Physical Domain Isolation
CN110659478B (en) Method for detecting malicious files preventing analysis in isolated environment
Zhang et al. See through walls: Detecting malware in sgx enclaves with sgx-bouncer
Kadiyala et al. LAMBDA: Lightweight assessment of malware for emBeddeD architectures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20180824