CN108875371A - A kind of sandbox analysis method, device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN108875371A
Authority
CN
China
Prior art keywords
sandbox
program sample
object run
virtual machine
sample
Prior art date
Legal status
Granted
Application number
CN201711426403.2A
Other languages
Chinese (zh)
Other versions
CN108875371B (en)
Inventor
关墨辰
李林哲
王永亮
王小丰
肖新光
Current Assignee
Beijing Ahtech Network Safe Technology Ltd
Original Assignee
Beijing Ahtech Network Safe Technology Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Ahtech Network Safe Technology Ltd
Priority to CN201711426403.2A
Publication of CN108875371A
Application granted
Publication of CN108875371B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the present invention disclose a sandbox analysis method, device, electronic device and storage medium in the field of information security technology. They can greatly reduce the probability that a sample escapes detection and effectively improve sandbox detection capability. The method includes: monitoring a program sample submitted to the sandbox for target operations related to restarting the system, and recording them; when the sandbox's virtual machine shuts down, saving the running state of the virtual machine; determining from the recorded data whether the target operation occurred while the program sample ran; and, if it did, restarting the virtual machine to continue collecting data on the program sample. The present invention can be used in sandbox analysis.

Description

A kind of sandbox analysis method, device, electronic equipment and storage medium
Technical field
The present invention relates to the field of information security technology, and in particular to a sandbox analysis method, device, electronic device and storage medium.
Background art
Malware analysis generally uses a dynamic sandbox: a virtual machine simulates the running environment of the software so that the malware executes normally inside the sandbox and its malicious behavior can be observed.
The analysis duration of a typical sandbox has a fixed maximum, for example ten minutes. If the sample has not finished running after ten minutes, the virtual machine in the sandbox is forcibly shut down and the collected behavior is analyzed. If the sample finishes within ten minutes, behavior collection is considered complete and the virtual machine shuts down automatically.
However, the inventors found that some program samples actively restart the operating system while running, by direct or indirect means, and continue to perform malicious actions after the restart. At that point the sandbox system still considers the program sample fully analyzed and free of risk, so many dangerous program samples go undetected, which severely impairs the detection capability of the sandbox.
Summary of the invention
In view of this, embodiments of the present invention provide a sandbox analysis method, device, electronic device and storage medium that can greatly reduce the probability that a sample escapes detection and effectively improve sandbox detection capability.
In a first aspect, an embodiment of the present invention provides a sandbox analysis method, including: monitoring a program sample submitted to the sandbox for target operations related to restarting the system, and recording them; when the virtual machine of the sandbox shuts down, saving the running state of the virtual machine; determining from the recorded data whether the target operation occurred while the program sample ran; and, if the target operation occurred while the program sample ran, restarting the virtual machine to continue collecting data on the program sample.
With reference to the first aspect, in a first possible implementation of the first aspect, the target operation includes a reboot operation and/or an operation that takes effect after a reboot.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the target operation includes the reboot operation, and monitoring the program sample submitted to the sandbox for target operations related to restarting the system includes: monitoring a preset API (Application Programming Interface) function or a preset system command to detect the reboot operation in the program sample.
With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect, the target operation includes the operation that takes effect after a reboot, and monitoring the program sample submitted to the sandbox for target operations related to restarting the system includes: monitoring the program sample for at least one of the following operations: adding or modifying a registry entry, adding or modifying a driver file, adding or modifying an autostart item.
With reference to the first aspect or any of its first to third possible implementations, in a fourth possible implementation of the first aspect, after the virtual machine is restarted to continue collecting data on the program sample because the target operation occurred, the method further includes: integrating the data collected before and after the restart; and analyzing the integrated data.
In a second aspect, an embodiment of the present invention also provides a sandbox analysis device, including: a monitoring unit, configured to monitor a program sample submitted to the sandbox for target operations related to restarting the system and to record them; a storage unit, configured to save the running state of the virtual machine when the sandbox's virtual machine shuts down; a determination unit, configured to determine from the data recorded by the monitoring unit whether the target operation occurred while the program sample ran; and a restart unit, configured to restart the virtual machine to continue collecting data on the program sample when the determination unit determines that the target operation occurred while the program sample ran.
With reference to the second aspect, in a first possible implementation of the second aspect, the target operation includes a reboot operation and/or an operation that takes effect after a reboot.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the target operation includes the reboot operation, and the monitoring unit is specifically configured to detect the reboot operation in the program sample by monitoring a preset API function or a preset system command.
With reference to the first possible implementation of the second aspect, in a third possible implementation of the second aspect, the target operation includes the operation that takes effect after a reboot, and the monitoring unit is specifically configured to monitor the program sample for at least one of the following operations: adding or modifying a registry entry, adding or modifying a driver file, adding or modifying an autostart item.
With reference to the second aspect or any of its first to third possible implementations, in a fourth possible implementation of the second aspect, the device further includes: an analysis unit, configured, after the virtual machine is restarted to continue collecting data on the program sample, to integrate the data collected before and after the restart and to analyze the integrated data.
In a third aspect, an embodiment of the present invention also provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, in order to execute the sandbox analysis method provided by any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention also provides a computer-readable storage medium storing one or more programs that can be executed by one or more processors to implement the sandbox analysis method provided by any embodiment of the present invention.
With the sandbox analysis method, device, electronic device and storage medium provided by embodiments of the present invention, target operations related to restarting the system in a program sample submitted to the sandbox are monitored and recorded; when the sandbox's virtual machine shuts down, its running state is saved; the recorded data is then used to determine whether the target operation occurred while the program sample ran, and if so the virtual machine is restarted to continue collecting data on the program sample. In this way, when the program sample under analysis contains operations related to restarting the system, the sandbox preserves the running state from before the virtual machine shut down and continues collecting data on the program sample after the restart, so that malicious operations the program sample performs after the restart are detected. This greatly reduces the probability that a sample escapes detection and effectively improves sandbox detection capability.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a sandbox analysis method provided by an embodiment of the present invention;
Fig. 2 is another flowchart of a sandbox analysis method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a sandbox analysis device provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In a first aspect, an embodiment of the present invention provides a sandbox analysis method that preserves the running state from before the virtual machine shut down and continues collecting data on the program sample after the restart, so that malicious operations the program sample performs after the restart are detected; this greatly reduces the probability that a sample escapes detection and effectively improves sandbox detection capability.
Fig. 1 is a flowchart of a sandbox analysis method provided by an embodiment of the present invention. As shown in Fig. 1, the sandbox analysis method provided by the embodiment may include:
S11: monitor the program sample submitted to the sandbox for target operations related to restarting the system, and record them;
Here the program sample runs in a virtual machine, and the virtual machine may shut down after the analysis of a program sample is complete. Optionally, the program sample may, while running, also perform operations that cause the virtual machine to restart the system, i.e. target operations. When such target operations are detected they can be recorded, for example by writing a log, so that data analysis can later be performed on the record.
S12: when the virtual machine of the sandbox shuts down, save the running state of the virtual machine;
In this step, when the sandbox's virtual machine shuts down, whether because data collection has completed, the analysis time limit has been reached, or the program sample itself issued a restart command, the virtual machine is shut down but not destroyed, and its previous running state is kept.
S13: determine from the recorded data whether the target operation occurred while the program sample ran;
After the virtual machine is closed, the data collected by the virtual machine is analyzed outside the virtual machine; the virtual machine used to analyze the sample must not be destroyed before this analysis. The data analysis also includes inspecting the recorded target operations related to restarting the system, so as to determine from the records in files such as the log whether such a target operation occurred while the program sample ran.
S14: if the target operation occurred while the program sample ran, restart the virtual machine to continue collecting data on the program sample.
In this step, if the recorded data contains a log entry for a target operation related to restarting the system, the analysis process exits, the virtual machine that last ran the program sample is reopened, the sample continues to run, data is collected, and the whole course of the sample's execution is monitored again.
With the sandbox analysis method provided by the embodiment of the present invention, target operations related to restarting the system in a program sample submitted to the sandbox are monitored and recorded; when the sandbox's virtual machine shuts down, its running state is saved; the recorded data is then used to determine whether the target operation occurred while the program sample ran, and if so the virtual machine is restarted to continue collecting data on the program sample. In this way, when the program sample under analysis contains operations related to restarting the system, the sandbox preserves the running state from before the virtual machine shut down and continues collecting data on the program sample after the restart, so that malicious operations the program sample performs after the restart are detected. This greatly reduces the probability that a sample escapes detection and effectively improves sandbox detection capability.
Optionally, in step S11 the target operations related to restarting the system may include reboot operations and/or operations that take effect after a reboot. A reboot operation is an operation by which the software directly or indirectly restarts the computer system while running; an operation that takes effect after a reboot is an operation after which the software needs the computer system to be restarted before it can work normally.
Different target operations call for different monitoring means, which are described below by category.
In one embodiment of the present invention, the target operations related to restarting the system include a reboot operation; on this basis, monitoring the program sample submitted to the sandbox for target operations related to restarting the system includes:
monitoring a preset API function or a preset system command to detect the reboot operation in the program sample.
On Windows, the preset API function may be the API ExitWindowsEx(), which shuts down, restarts or logs off depending on the parameters passed. On Linux, the library function reboot() or the system call reboot() may be called, and shutting down, restarting and similar operations are selected by the parameters passed.
Specifically, a hook function can be registered to hook the specific API. If the API is called, the registered hook function is triggered, writes a log entry inside the hook and records it in the corresponding log file; if the API is not called, no system-restart behavior is considered to have been found.
For example, in one embodiment of the present invention, a hook function can be registered for the ExitWindows() function on Windows; the hook function examines the first parameter, and if it is EWX_REBOOT the call is treated as a reboot operation and logged, otherwise nothing is done. On Linux the reboot() function can be hooked; if the parameter of reboot() is RB_AUTOBOOT the call is treated as a reboot operation and logged, otherwise nothing is done.
For the preset system command, on Windows the shutdown command can shut down, restart or log off the system; on Linux the commands reboot, shutdown, halt, init and the like can restart the system.
Specifically, the processes derived from the program sample while it runs (i.e. the process call chain and all child processes) can be monitored; if one of the derived processes is a restart command, the sample is considered to have restart behavior, otherwise it is not.
For example, in one embodiment of the present invention, on Windows the derived processes are checked for a shutdown process; if one exists, its parameters are examined, and if they contain the "r" option the behavior is treated as a restart and logged, otherwise nothing is done. On Linux the child processes are checked for shutdown, reboot and init processes. If there is a shutdown process, its parameters are checked for the "r" option; if present, restart behavior is confirmed, otherwise there is none. Any invocation of reboot confirms restart behavior; otherwise there is none. For an init process, the parameter is checked for the value 1; if it is 1 there is restart behavior, otherwise there is none.
Optionally, the target operations related to restarting the system may also include operations that take effect after a reboot; on this basis, monitoring the program sample submitted to the sandbox for target operations related to restarting the system may specifically include:
monitoring the program sample for at least one of the following operations: adding or modifying a registry entry, adding or modifying a driver file, adding or modifying an autostart item.
Specifically, modifying the registry in some cases requires a system restart to take effect, because some components the registry refers to are in use before the restart and cannot be replaced; the occupied registry entries are replaced during the restart. Likewise, changing or adding certain driver files, and adding or modifying system autostart items, also take effect only after the system restarts. Other operations may of course also require a restart to take effect; only the above are listed here, and the embodiments of the present invention are not limited to them.
On Windows the reg command can be used to modify or add registry keys, values and entries, so the processes called by the program sample can be monitored for a reg process; if one exists, a registry operation is considered present and a restart-behavior log entry is recorded. Optionally, adding an autostart item on Windows can be monitored either through the registry or by watching for changes in the Startup directory under the administrator's directory. If a file is created in the Startup directory under the administrator's directory, the program sample has performed an autostart-creation operation, and this is logged.
On Windows driver files have the .sys suffix and on Linux the .ko suffix, so adding or modifying a driver file can be monitored by watching for operations on .sys or .ko files during the program sample's execution. If a driver file such as a .sys or .ko file is written, the sample is considered to have modified a driver file that requires a restart, and a restart-behavior log entry is recorded.
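The two categories of monitoring described above, reboot operations (the hooked API's first parameter, or the command line of a derived process) and operations that take effect after a reboot (a reg process, a file created in the Startup folder, a write to a .sys or .ko driver file), as one combined decision routine. This is an added example written for this page, not code from the patent or its assignee: it assumes the in-guest hooks have already emitted events as small dicts with the constructed field names used here, and the Startup-folder path fragment, the tag strings and the sample traces are assumptions. For init it checks runlevel 6, the SysV reboot runlevel, where the text above names the value 1; the code comment marks this.

```python
"""Classifier for the reboot-related target operations described above.

Added example for this page, not code from the patent. It assumes an in-guest
monitor has already turned each hooked API call, each derived (child) process
and each file operation into a small dict; the event shapes, field names and
tag strings below are constructed for this example.
"""
import ntpath
import posixpath
import shlex
from typing import Optional

EWX_REBOOT = 0x00000002      # ExitWindowsEx uFlags bit for "restart" (Windows SDK)
RB_AUTOBOOT = 0x01234567     # reboot(2) command for "restart" (<sys/reboot.h>)
REBOOT_RUNLEVEL = "6"        # SysV runlevel 6 is reboot; the page text checks for 1
# Per-user Startup folder path fragment on Windows (assumed monitoring target).
WIN_STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def _argv(cmdline: str, platform: str) -> list:
    """Split a command line as the guest shell would; non-POSIX mode keeps backslashes."""
    return shlex.split(cmdline, posix=(platform == "linux"))


def _image_name(path: str, platform: str) -> str:
    """Lower-case executable name without directory (and without .exe on Windows)."""
    name = (posixpath if platform == "linux" else ntpath).basename(path).lower()
    if platform == "windows" and name.endswith(".exe"):
        name = name[:-4]
    return name


def classify_api_call(event: dict) -> Optional[str]:
    """Hook-log entry {'api': name, 'arg0': first parameter} -> tag or None."""
    api, arg0 = event.get("api"), event.get("arg0")
    if api in ("ExitWindows", "ExitWindowsEx") and isinstance(arg0, int) and arg0 & EWX_REBOOT:
        return "reboot"                     # EWX_REBOOT may be OR-ed with EWX_FORCE etc.
    if api == "reboot" and arg0 == RB_AUTOBOOT:
        return "reboot"
    return None


def classify_process(event: dict) -> Optional[str]:
    """Derived-process entry {'platform': 'windows'|'linux', 'cmdline': str} -> tag or None."""
    platform = event["platform"]
    argv = _argv(event["cmdline"], platform)
    if not argv:
        return None
    name, opts = _image_name(argv[0], platform), argv[1:]
    if platform == "windows":
        if name == "shutdown" and any(o.lstrip("/-").lower() == "r" for o in opts):
            return "reboot"                 # shutdown /r ...
        if name == "reg":
            return "registry"               # reg add / reg import / ...
        return None
    if name == "reboot":
        return "reboot"
    if name == "shutdown" and any(o.startswith("-") and "r" in o[1:] for o in opts):
        return "reboot"                     # shutdown -r now (also combined flags like -rf)
    if name in ("init", "telinit") and opts[:1] == [REBOOT_RUNLEVEL]:
        return "reboot"
    return None


def classify_file_op(event: dict) -> Optional[str]:
    """File entry {'op': 'create'|'write', 'path': str} -> tag or None."""
    path = event["path"].lower()
    if event["op"] == "write" and path.endswith((".sys", ".ko")):
        return "driver"                     # driver / kernel module replaced, needs reboot
    if event["op"] == "create" and WIN_STARTUP_DIR in path:
        return "autostart"                  # new entry in the Startup folder
    return None


_CLASSIFIERS = {"api": classify_api_call, "process": classify_process, "file": classify_file_op}


def classify_event(event: dict) -> Optional[str]:
    return _CLASSIFIERS[event["kind"]](event)


def reboot_related_records(events: list) -> list:
    """The log records the post-shutdown analysis (step S13) would look for."""
    records = []
    for ev in events:
        tag = classify_event(ev)
        if tag is not None:
            records.append({"tag": tag, **ev})
    return records


def should_resume_after_reboot(events: list) -> bool:
    """Step S14 decision: reopen the preserved VM iff a target operation was recorded."""
    return bool(reboot_related_records(events))


# Constructed trace of one sample run (not real telemetry).
SAMPLE_TRACE = [
    {"kind": "api", "api": "CreateFileW", "arg0": 0x80000000},
    {"kind": "process", "platform": "windows",
     "cmdline": r"C:\Windows\System32\reg.exe add HKLM\Software\ExampleVendor /v Stage /d 2"},
    {"kind": "file", "op": "write", "path": r"C:\Windows\System32\drivers\example.sys"},
    {"kind": "api", "api": "ExitWindowsEx", "arg0": EWX_REBOOT | 0x4},   # EWX_REBOOT | EWX_FORCE
]
BENIGN_TRACE = [
    {"kind": "api", "api": "CreateFileW", "arg0": 0x80000000},
    {"kind": "process", "platform": "windows", "cmdline": r"C:\Windows\System32\notepad.exe readme.txt"},
    {"kind": "file", "op": "write", "path": r"C:\Users\user\Documents\readme.txt"},
]

if __name__ == "__main__":
    for rec in reboot_related_records(SAMPLE_TRACE):
        print(rec["tag"], rec)
    print("resume after reboot:", should_resume_after_reboot(SAMPLE_TRACE))
```

The classifier runs over the recorded events rather than live inside the guest, which matches step S13: the decision to reopen the preserved virtual machine is taken outside it, from the records, after shutdown. Matching on the EWX_REBOOT bit rather than on equality also catches the common combination with EWX_FORCE.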
After the program sample has run and the corresponding records have been made, in step S12, when the sandbox's virtual machine shuts down because data collection has completed, the analysis time limit has been reached or the program sample itself issued a restart command, the running state of the virtual machine needs to be saved. After the virtual machine is closed, in step S13 the data collected by the virtual machine can be analyzed outside the virtual machine to determine from the records in files such as the log whether target operations related to restarting the system occurred while the program sample ran. If they did, the corresponding virtual machine is restarted in step S14 to continue collecting data on the program sample, so that malicious operations the program sample performs after the restart can be detected.
To further improve the analysis, in one embodiment of the present invention, after the virtual machine is restarted to continue collecting data on the program sample, the sandbox analysis method provided by the embodiment may also include:
integrating the data collected before and after the restart;
analyzing the integrated data.
Optionally, before integrating the data, the data collected in each of the two runs can first be analyzed separately; the data from the two runs is then integrated and analyzed a second time, after which the virtual machine is destroyed and its resources released.
The sandbox analysis method provided by embodiments of the present invention is described in detail below through a specific embodiment.
As shown in Fig. 2, the sandbox analysis method provided by an embodiment of the present invention may include:
S201: monitor the program sample submitted to the sandbox for target operations related to restarting the system;
S202: a reg process is detected while the program sample runs; a registry-modification operation is considered present and recorded in the log file;
S203: a hook function detects that ExitWindows() was called while the program sample ran and that its first parameter is EWX_REBOOT; a reboot operation is considered present and recorded in the log file;
S204: the virtual machine shuts down and the running state of the program sample is saved;
S205: the data collected by the virtual machine is analyzed and the records in the log file are found;
S206: based on the log file records, it is determined that a target operation related to restarting the system occurred while the program sample ran;
S207: the virtual machine is restarted, the program sample is rerun, and it is monitored and recorded as before;
S208: the data collected by the virtual machine is analyzed;
S209: the data collected in the two runs is integrated and the integrated data is analyzed a second time.
S202 and S203 have no fixed order: S202 may be performed before S203, S203 before S202, or the two may be performed simultaneously.
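The Fig. 2 sequence S201 to S209, together with the integration step from the section before it, as a control loop over a simulated guest. This is an added example, not the patent's code: GuestVM is a constructed stand-in for the hypervisor that replays scripted log lines per boot, the "<seq> <TAG> <detail>" log format and the tag names are assumptions about what the in-guest hooks write, and the max_boots guard is an addition the page does not discuss.

```python
"""Control loop for the Fig. 2 flow: record, shut down without destroying the
guest, inspect the saved log, resume after a reboot, merge both captures.

Added example for this page, not the patent's code. GuestVM is a constructed
stand-in for the hypervisor: each run() replays the next scripted list of log
lines, so the orchestration runs offline. Log lines use a constructed
"<seq> <TAG> <detail>" shape; TAGs are what the in-guest hooks are assumed to write.
"""
from dataclasses import dataclass, field
from typing import List

# Tags the monitor writes for target operations (constructed names).
TARGET_TAGS = frozenset({"REBOOT", "REGISTRY", "DRIVER", "AUTOSTART"})


@dataclass
class GuestVM:
    """Fake sandbox VM. Shutdown keeps the disk and log (the 'running state');
    only destroy() discards them."""
    phases: List[List[str]]              # scripted log lines, one list per boot
    state: str = "created"               # created | running | stopped | destroyed
    log: List[str] = field(default_factory=list)
    boots: int = 0

    def run(self) -> List[str]:
        """Boot (or reboot), run the sample to shutdown, return this boot's log lines."""
        if self.state == "destroyed":
            raise RuntimeError("running state was destroyed; cannot resume the sample")
        self.state = "running"
        lines = self.phases[self.boots] if self.boots < len(self.phases) else []
        self.log.extend(lines)
        self.boots += 1
        self.state = "stopped"           # S204: shut down, state preserved
        return lines

    def destroy(self) -> None:
        self.state = "destroyed"


def target_tags(log_lines: List[str]) -> List[str]:
    """S205/S206: tags of reboot-related records found in one capture."""
    found = []
    for line in log_lines:
        parts = line.split(" ", 2)
        if len(parts) >= 2 and parts[1] in TARGET_TAGS:
            found.append(parts[1])
    return found


def analyze_sample(vm: GuestVM, max_boots: int = 3) -> dict:
    """Run S201..S209 against a VM and return the integrated report.

    max_boots bounds the resume loop: a sample that reboots on every run would
    otherwise keep the sandbox busy forever (a guard the page does not discuss)."""
    captures = [vm.run()]                                   # S201..S204
    while target_tags(captures[-1]) and vm.boots < max_boots:
        captures.append(vm.run())                           # S207/S208: same VM, continue
    per_boot = [len(c) for c in captures]
    merged = [line for cap in captures for line in cap]    # S209: integrate
    report = {
        "boots": vm.boots,
        "resumed": vm.boots > 1,
        "events_per_boot": per_boot,
        "tags_before_reboot": target_tags(captures[0]),
        "events_after_reboot": merged[per_boot[0]:],
        "integrated_event_count": len(merged),
    }
    vm.destroy()                                            # only after the final analysis
    return report


# Constructed traces (not real telemetry).
REBOOTING_SAMPLE = [
    ["0001 API CreateFileW C:\\ProgramData\\example\\stage1.dat",
     "0002 REGISTRY reg.exe add HKLM\\Software\\ExampleVendor",
     "0003 REBOOT ExitWindowsEx EWX_REBOOT"],
    ["0004 PROCESS C:\\ProgramData\\example\\stage2.exe",
     "0005 API CreateFileW C:\\Users\\user\\Documents\\report.docx"],
]
QUIET_SAMPLE = [
    ["0001 API CreateFileW C:\\Users\\user\\Documents\\readme.txt"],
]

if __name__ == "__main__":
    print(analyze_sample(GuestVM(REBOOTING_SAMPLE)))
    print(analyze_sample(GuestVM(QUIET_SAMPLE)))
```

What the fake makes concrete is the ordering the description insists on: shutdown preserves the running state, the log is inspected from outside the guest, the same virtual machine is reopened only if a target operation was recorded, and destroy() is called only after the integrated analysis. A sample that never records a target operation is analyzed exactly once.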
With the sandbox analysis method provided by the embodiment of the present invention, when the program sample under analysis contains operations related to restarting the system, the sandbox preserves the running state from before the virtual machine shut down and continues collecting data on the program sample after the restart, so that malicious operations the program sample performs after the restart are detected. This greatly reduces the probability that a sample escapes detection and effectively improves sandbox detection capability.
In a second aspect, an embodiment of the present invention also provides a sandbox analysis device that preserves the running state from before the virtual machine shut down and continues collecting data on the program sample after the virtual machine restarts, so that malicious operations the program sample performs after the restart are detected; this greatly reduces the probability that a sample escapes detection and effectively improves sandbox detection capability.
As shown in Fig. 3, the sandbox analysis device provided by this embodiment may include:
a monitoring unit 31, configured to monitor the program sample submitted to the sandbox for target operations related to restarting the system and to record them;
a storage unit 32, configured to save the running state of the virtual machine when the sandbox's virtual machine shuts down;
a determination unit 33, configured to determine from the data recorded by the monitoring unit 31 whether the target operation occurred while the program sample ran;
a restart unit 34, configured to restart the virtual machine to continue collecting data on the program sample when the determination unit 33 determines that the target operation occurred while the program sample ran.
With the sandbox analysis device provided by the embodiment of the present invention, target operations related to restarting the system in a program sample submitted to the sandbox are monitored and recorded; when the sandbox's virtual machine shuts down, its running state is saved; the recorded data is then used to determine whether the target operation occurred while the program sample ran, and if so the virtual machine is restarted to continue collecting data on the program sample. In this way, when the program sample under analysis contains operations related to restarting the system, the sandbox preserves the running state from before the virtual machine shut down and continues collecting data on the program sample after the restart, so that malicious operations the program sample performs after the restart are detected. This greatly reduces the probability that a sample escapes detection and effectively improves sandbox detection capability.
Optionally, the target operation includes a reboot operation and/or an operation that takes effect after a reboot.
Optionally, the target operation includes the reboot operation, and the monitoring unit is specifically configured to detect the reboot operation in the program sample by monitoring a preset API function or a preset system command.
Optionally, the target operation includes the operation that takes effect after a reboot, and the monitoring unit is specifically configured to monitor the program sample for at least one of the following operations: adding or modifying a registry entry, adding or modifying a driver file, adding or modifying an autostart item.
Optionally, the sandbox analysis device further includes: an analysis unit, configured, after the virtual machine is restarted to continue collecting data on the program sample, to integrate the data collected before and after the restart and to analyze the integrated data.
In a third aspect, embodiments of the present invention provide an electronic device that can save the running state from before the virtual machine shuts down and continue collecting data on the program sample after the restart, so that malicious operations the sample performs after the restart can be detected; this greatly reduces the probability that a sample evades detection and effectively improves sandbox detection capability.
As shown in Figure 4, the electronic device provided by the embodiment may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, where the circuit board 44 is placed inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or component of the electronic device; the memory 43 stores executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the sandbox analysis method described in any of the foregoing embodiments.
For the specific steps performed by the processor 42, and the further steps it performs by running the executable program code, refer to the description of the foregoing embodiments; they are not repeated here.
The electronic device may take a variety of forms, including but not limited to:
(1) Mobile communication devices: these are characterized by mobile communication functions, with voice and data communication as their main purpose. This type of terminal includes smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: these can display and play multimedia content. They include audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus and so on, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has higher requirements in processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs that can be executed by one or more processors to implement any sandbox analysis method provided by the foregoing embodiments; it therefore achieves the corresponding technical effects, which have been described in detail above and are not repeated here.
It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others.
Since the device embodiments are substantially similar to the method embodiments, their description is relatively brief; for the relevant parts, refer to the description of the method embodiments.
For convenience of description, the device above is described as divided into various units/modules by function. Of course, when implementing the present invention, the functions of the units/modules may be implemented in one or more pieces of software and/or hardware.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the related hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM) or the like.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any change or substitution that could readily be conceived by a person skilled in the art within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A sandbox analysis method, characterized in that it comprises:
monitoring, in a program sample input to the sandbox, target operations related to a system restart, and recording them accordingly;
when the virtual machine of the sandbox shuts down, saving the running state of the virtual machine;
determining, according to the recorded data, whether the target operation exists in the running of the program sample;
in the case that the target operation exists in the running of the program sample, restarting the virtual machine to continue collecting data on the program sample.
2. The method according to claim 1, characterized in that the target operation comprises a reboot operation and/or an operation that takes effect after a restart.
3. The method according to claim 2, characterized in that the target operation comprises the reboot operation;
and the monitoring of target operations related to a system restart in the program sample input to the sandbox comprises:
monitoring the reboot operation in the program sample by monitoring preset API functions or preset system commands.
4. The method according to claim 2, characterized in that the target operation comprises the operation that takes effect after a restart;
and the monitoring of target operations related to a system restart in the program sample input to the sandbox comprises:
monitoring at least one of the following operations in the program sample: adding or modifying registry entries, adding or modifying driver files, adding or modifying autostart items.
5. The method according to any one of claims 1 to 4, characterized in that, after restarting the virtual machine to continue collecting data on the program sample in the case that the target operation exists in the running of the program sample, the method further comprises:
integrating the data collected before and after the restart;
analyzing the integrated data.
6. A sandbox analysis device, characterized in that it comprises:
a monitoring unit, configured to monitor, in a program sample input to the sandbox, target operations related to a system restart, and to record them accordingly;
a storage unit, configured to save the running state of the virtual machine of the sandbox when the virtual machine shuts down;
a determination unit, configured to determine, according to the data recorded by the monitoring unit, whether the target operation exists in the running of the program sample;
a restart unit, configured to restart the virtual machine to continue collecting data on the program sample when the determination unit determines that the target operation exists in the running of the program sample.
7. The device according to claim 6, characterized in that the target operation comprises a reboot operation and/or an operation that takes effect after a restart.
8. The device according to claim 7, characterized in that the target operation comprises the reboot operation;
and the monitoring unit is specifically configured to monitor the reboot operation in the program sample by monitoring preset API functions or preset system commands.
9. The device according to claim 7, characterized in that the target operation comprises the operation that takes effect after a restart;
and the monitoring unit is specifically configured to monitor at least one of the following operations in the program sample: adding or modifying registry entries, adding or modifying driver files, adding or modifying autostart items.
10. The device according to any one of claims 6 to 9, characterized in that it further comprises an analysis unit configured, after the virtual machine has been restarted to continue collecting data on the program sample, to:
integrate the data collected before and after the restart;
analyze the integrated data.
11. An electronic device, characterized in that it comprises a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the sandbox analysis method according to any one of claims 1 to 5.
12. A computer-readable storage medium, characterized in that it stores one or more programs executable by one or more processors to implement the sandbox analysis method according to any one of claims 1 to 5.
Application CN201711426403.2A, priority date 2017-12-25, filing date 2017-12-25: Sandbox analysis method and device, electronic equipment and storage medium. Status: Active. Granted as CN108875371B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711426403.2A CN108875371B (en) 2017-12-25 2017-12-25 Sandbox analysis method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108875371A true CN108875371A (en) 2018-11-23
CN108875371B CN108875371B (en) 2020-04-24

Family

ID=64325905

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711426403.2A Active CN108875371B (en) 2017-12-25 2017-12-25 Sandbox analysis method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN108875371B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024051719A1 (en) * 2022-09-09 2024-03-14 Huawei Technologies Co., Ltd. Sandbox restarting method and apparatus

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140047447A1 (en) * 2012-08-09 2014-02-13 Quanta Computer Inc. Work scheduling method and system implemented via cloud platform
US9178900B1 (en) * 2013-11-20 2015-11-03 Trend Micro Inc. Detection of advanced persistent threat having evasion technology
CN106682498A (en) * 2016-08-16 2017-05-17 Tencent Technology (Shenzhen) Co., Ltd. Sample executing method and device
CN107179934A (en) * 2016-03-10 2017-09-19 China Standard Software Co., Ltd. Method and system for automatic restoration of virtual machines in a cloud computing environment

Also Published As

Publication number Publication date
CN108875371B (en) 2020-04-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant