CN108875371B - Sandbox analysis method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN108875371B
Authority: CN (China)
Prior art keywords: sandbox, program sample, restarting, virtual machine, target operation
Legal status: Active
Application number: CN201711426403.2A
Other languages: Chinese (zh)
Other versions: CN108875371A
Inventors: 关墨辰, 李林哲, 王永亮, 王小丰, 肖新光
Current assignee: Beijing Antiy Network Technology Co Ltd
Original assignee: Beijing Antiy Network Technology Co Ltd
Events: application filed by Beijing Antiy Network Technology Co Ltd; priority to CN201711426403.2A; publication of CN108875371A; application granted; publication of CN108875371B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The embodiment of the invention discloses a sandbox analysis method and device, electronic equipment and a storage medium, relating to the technical field of information security, which can greatly reduce the probability of a sample evading detection and effectively improve sandbox detection capability. The method comprises the following steps: monitoring target operations related to restarting the system in a program sample input into the sandbox, and recording them accordingly; when the virtual machine of the sandbox is shut down, saving the running state of the virtual machine; determining from the recorded data whether a target operation occurred while the program sample was running; and, if a target operation did occur, restarting the virtual machine to continue collecting data on the program sample. The invention can be used in sandbox analysis.

Description

Sandbox analysis method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a sandbox analysis method and device, electronic equipment and a storage medium.
Background
In the analysis of malicious software, a dynamic sandbox is generally adopted: the running environment of the software is simulated with a virtual machine, so that the malicious software executes normally inside the sandbox and its malicious behavior can be observed.
A common sandbox has a fixed maximum analysis time, for example ten minutes. If the sample has not finished running after ten minutes, the virtual machine in the sandbox is forcibly shut down and the behavior collected from the virtual machine is then analyzed. If the sample finishes running within ten minutes, behavior collection is considered complete and the virtual machine is shut down automatically at that point.
However, the inventors found that some program samples actively restart the operating system while running, by direct or indirect means, and continue to execute malicious behavior after the restart. At that point the sandbox system still considers the sample fully analyzed and not a risk, so many dangerous program samples go undetected and the detection capability of the sandbox is greatly affected.
Disclosure of Invention
In view of this, embodiments of the present invention provide a sandbox analysis method, apparatus, electronic device and storage medium, which can greatly reduce the probability of a sample evading detection and effectively improve sandbox detection capability.
In a first aspect, an embodiment of the present invention provides a sandbox analysis method, including: monitoring target operations related to restarting the system in a program sample input into the sandbox, and recording them accordingly; when the virtual machine of the sandbox is shut down, saving the running state of the virtual machine; determining from the recorded data whether a target operation occurred during the program sample's run; and, if a target operation did occur, restarting the virtual machine to continue collecting data on the program sample.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the target operation includes a restart operation and/or an operation that takes effect only after a restart.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the target operation includes the restart operation, and monitoring target operations related to restarting the system in the program sample input into the sandbox comprises: monitoring for the restart operation in the program sample by monitoring a preset API (Application Programming Interface) function or a preset system command.
With reference to the first possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the target operation includes an operation that takes effect after restart, and monitoring target operations related to restarting the system in the program sample input into the sandbox comprises: monitoring the program sample for at least one of: adding or modifying registry entries, adding or modifying driver files, adding or modifying boot (self-start) items.
With reference to the first aspect or any one of the first to third possible implementation manners of the first aspect, in a fourth possible implementation manner of the first aspect, after restarting the virtual machine to continue collecting data on the program sample when a target operation occurred during the program sample's run, the method further includes: integrating the data collected before and after the restart; and analyzing the integrated data.
In a second aspect, an embodiment of the present invention further provides a sandbox analysis apparatus, including: a monitoring unit for monitoring target operations related to restarting the system in the program sample input into the sandbox and recording them accordingly; a storage unit for saving the running state of the sandbox's virtual machine when the virtual machine is shut down; a determining unit for determining, from the data recorded by the monitoring unit, whether a target operation occurred during the program sample's run; and a restarting unit for restarting the virtual machine to continue collecting data on the program sample when the determining unit finds that a target operation occurred during the program sample's run.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the target operation includes a restart operation and/or an operation that takes effect only after a restart.
With reference to the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the target operation includes the restart operation, and the monitoring unit is specifically configured to monitor for the restart operation in the program sample by monitoring a preset API function or a preset system command.
With reference to the first possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the target operation includes an operation that takes effect after restart, and the monitoring unit is specifically configured to monitor the program sample for at least one of the following operations: adding or modifying registry entries, adding or modifying driver files, adding or modifying boot (self-start) items.
With reference to the second aspect or any one of the first to third possible implementation manners of the second aspect, in a fourth possible implementation manner of the second aspect, the apparatus further includes an analysis unit configured, after the virtual machine has been restarted to continue collecting data on the program sample, to integrate the data collected before and after the restart and to analyze the integrated data.
In a third aspect, an embodiment of the present invention further provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the sandbox analysis method provided by any embodiment of the invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the sandbox analysis method provided by any embodiment of the present invention.
The sandbox analysis method, sandbox analysis apparatus, electronic device and storage medium provided by the embodiments of the invention can monitor and record target operations related to restarting the system in the program sample input into the sandbox, save the running state of the sandbox's virtual machine when it is shut down, determine from the recorded data whether a target operation occurred during the program sample's run, and, if so, restart the virtual machine to continue collecting data on the program sample. Therefore, when the program sample under test includes operations related to restarting the system, the sandbox can save the running state before the virtual machine is shut down and continue collecting data on the program sample after the restart, so that malicious operations executed by the program sample after the restart are detected, the probability of the sample evading detection is greatly reduced, and the sandbox detection capability is effectively improved.
Drawings
In order to illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in describing them are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a sandbox analysis method according to an embodiment of the present invention;
FIG. 2 is another flowchart of a sandbox analysis method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a sandbox analysis apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a first aspect, an embodiment of the present invention provides a sandbox analysis method that saves the running state before the virtual machine is shut down and continues collecting data on the program sample after a restart, so as to detect malicious operations performed by the program sample after the restart, thereby greatly reducing the probability of a sample evading detection and effectively improving sandbox detection capability.
FIG. 1 is a flowchart of a sandbox analysis method according to an embodiment of the present invention. As shown in FIG. 1, the method may include:
S11, monitoring target operations related to restarting the system in the program sample input into the sandbox, and recording them accordingly;
The program sample runs in the virtual machine, and the virtual machine is shut down once the program sample has been analyzed. Optionally, the program sample's run may also include operations that cause the virtual machine to restart its system, i.e. target operations. When target operations are detected, corresponding records are written, for example as log entries, so that data analysis can later be performed on those records.
S12, when the sandbox's virtual machine is shut down, saving the running state of the virtual machine;
In this step, when the sandbox's virtual machine is shut down, whether because data collection completed, the analysis time limit was reached, or the program sample itself issued a restart command, the virtual machine is shut down but not destroyed, and its previous running state is preserved.
S13, determining from the recorded data whether a target operation occurred during the program sample's run;
After the virtual machine is closed, the data it collected is analyzed in a process outside the virtual machine; the virtual machine that ran the sample must not be destroyed before this analysis. The data analysis also includes checking the recorded target operations related to restarting the system, so as to determine from the log or other record files whether a target operation occurred during the program sample's run.
S14, restarting the virtual machine to continue collecting data on the program sample if a target operation occurred during the program sample's run.
In this step, if a log record of a target operation related to restarting the system is found in the recorded data, the analysis process is exited, the virtual machine that last ran the program sample is restarted, the sample continues to run, data is collected, and the whole second run of the sample is monitored.
The sandbox analysis method provided by the embodiment of the invention monitors and records target operations related to restarting the system in the program sample input into the sandbox; when the sandbox's virtual machine is shut down, the running state of the virtual machine is saved; then whether a target operation occurred during the program sample's run is determined from the recorded data, and if so the virtual machine is restarted to continue collecting data on the program sample. Therefore, when the program sample under test includes operations related to restarting the system, the sandbox can save the running state before the virtual machine is shut down and continue collecting data on the program sample after the restart, so that malicious operations executed by the program sample after the restart are detected, the probability of the sample evading detection is greatly reduced, and the sandbox detection capability is effectively improved.
Optionally, in step S11, the target operation related to restarting the system may include a restart operation and/or an operation that takes effect after the restart. A restart operation is one in which the software directly or indirectly restarts the computer system while it is running; an operation that takes effect after restart is one in which the software, having completed certain operations, needs the computer system to be restarted before it can work normally.
The specific monitoring means differ according to the target operation and are described below by category.
In an embodiment of the present invention, the target operation related to restarting the system includes a restart operation; on that basis, monitoring target operations related to restarting the system in the program sample input into the sandbox may include:
monitoring for the restart operation in the program sample by monitoring a preset API function or a preset system command.
For the preset API function: on Windows, the API ExitWindowsEx() can be called, and shutdown, restart and logoff are selected by passing different parameters. On Linux, the library function reboot() or the reboot() system call can be invoked, and shutdown, restart and similar operations are selected by passing different parameters.
Specifically, hook functions can be registered to hook particular APIs. If the API is called, the registered hook function is triggered, writes a log entry inside the hook function, and records it in the corresponding log file; if the API is not called, no system-restart behavior is found.
For example, in an embodiment of the present invention, a hook function may be registered on the ExitWindowsEx() function in Windows; the first argument of the hooked call is examined, and if it is EWX_REBOOT the operation is treated as a restart operation and a log entry is recorded, otherwise nothing is done. On Linux, reboot() can be hooked in the same way: if its parameter is RB_AUTOBOOT the call is treated as a restart operation and logged, otherwise nothing is done.
For the preset system command: on Windows, shutdown, restart and logoff can be performed through the shutdown command; on Linux, the system can be restarted by commands such as reboot, shutdown, halt and init.
Specifically, the derived processes of the program sample (i.e. the process call relationships and all child processes) are monitored while it runs; if some derived process is a restart command, the sample is considered to have restart behavior, otherwise it is not.
For example, in an embodiment of the present invention, on Windows the derived processes may be monitored for a shutdown process; if one exists, its parameters are then examined, and if they contain the "r" option it is treated as restart behavior and a log entry is recorded, otherwise nothing is done. On Linux, the child processes must be monitored for shutdown, reboot and init processes. If a shutdown process exists, check whether its parameters contain the r option: if so, restart behavior is established, otherwise it is not. For reboot, finding the call at all establishes restart behavior; otherwise none is found. For an init process, check whether its parameter is 1: if so, restart behavior exists, otherwise it is not judged to exist.
Optionally, the target operation related to restarting the system may further include an operation that takes effect after restart; on that basis, monitoring target operations related to restarting the system in the program sample input into the sandbox may specifically include:
monitoring the program sample for at least one of: adding or modifying registry entries, adding or modifying driver files, adding or modifying boot (self-start) items.
Specifically, modifying the registry may in some cases require a system reboot to take effect, because some registry components are in use and cannot be replaced before the reboot; during the reboot those in-use parts of the registry are replaced. Likewise, some changes or additions to driver-type files, and operations that add or modify the system's self-start options, also require a reboot to take effect. Of course, other operations may also require a restart to take effect; only these are listed here, and the embodiments of the present invention are not limited to them.
On Windows, registry key values and items can be modified or added with the reg command, so the processes called by the program sample can be monitored for a reg process; if one exists, a registry operation is considered to exist and a restart-behavior log entry is recorded. Optionally, monitoring for the addition of self-start items on Windows may be implemented via the registry, or by monitoring changes to the Startup directory under the administrator's user directory. If a file is created in the Startup directory under the administrator directory, the program sample has created a self-start entry, and a log entry is recorded.
Driver files have the suffix .sys on Windows and .ko on Linux, so additions or modifications of driver files can be monitored by watching for .sys or .ko files during the program sample's execution. If a write operation is performed on a .sys or .ko driver file, the driver file is considered modified, a restart is needed for it to take effect, and a restart-behavior log entry is recorded.
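The decision rules above (hooked ExitWindowsEx()/reboot() arguments, restart commands among the derived processes, reg processes, Startup-folder file creation, and writes to .sys/.ko files) can be expressed as one classifier over monitored events. The following is an added example written for this page, not code from the patent or from Antiy: the Event record, its field names, the log-line format and the Startup-folder path test are assumptions, while EWX_REBOOT and RB_AUTOBOOT are the real Windows and Linux constants. It goes slightly beyond the text in two places, both marked in comments: the EWX_REBOOT test is a bit test so that flags combined with EWX_FORCE are still caught, and runlevel 6 is accepted for init alongside the 1 stated in the description.

```python
"""Decision rules of the monitoring unit for restart-related target operations."""
from dataclasses import dataclass, field
from typing import List, Optional
import ntpath
import posixpath

EWX_REBOOT = 0x00000002      # winuser.h: ExitWindowsEx uFlags bit for a reboot
RB_AUTOBOOT = 0x01234567     # sys/reboot.h: reboot() command for a normal restart

RESTART = "restart"                         # the sample restarts the system itself
AFTER_RESTART = "effective_after_restart"   # a change that needs a reboot to take effect

# init runlevels that count as a restart: "1" is the rule given in the description;
# "6" is an added generalisation (the SysV reboot runlevel).
INIT_RESTART_ARGS = {"1", "6"}


@dataclass
class Event:
    kind: str                                  # "api" | "process" | "file"  (assumed schema)
    os: str                                    # "windows" | "linux"
    name: str                                  # API name, process image path, or file path
    args: list = field(default_factory=list)   # API arguments or process argv[1:]
    op: str = ""                               # file events only: "create" | "write"


def _has_r_option(args: list, windows: bool) -> bool:
    """shutdown /r on Windows, shutdown -r on Linux (short options may be bundled, e.g. -rf)."""
    for a in args:
        if windows and a.lower() in ("/r", "-r"):
            return True
        if not windows and a.startswith("-") and not a.startswith("--") and "r" in a[1:]:
            return True
    return False


def classify(ev: Event) -> Optional[str]:
    """Return RESTART, AFTER_RESTART, or None when the event is not a target operation."""
    win = ev.os == "windows"
    pathmod = ntpath if win else posixpath
    name = ev.name.lower()

    if ev.kind == "api":
        # Hook rule: ExitWindowsEx whose flags include EWX_REBOOT (bit test, see lead-in).
        if win and name == "exitwindowsex" and ev.args and ev.args[0] & EWX_REBOOT:
            return RESTART
        if not win and name == "reboot" and ev.args and ev.args[0] == RB_AUTOBOOT:
            return RESTART
        return None

    if ev.kind == "process":
        image = pathmod.basename(name)
        if win and image.endswith(".exe"):
            image = image[:-4]
        if image == "shutdown":
            return RESTART if _has_r_option(ev.args, win) else None
        if not win and image == "reboot":
            return RESTART
        if not win and image == "init" and ev.args and ev.args[0] in INIT_RESTART_ARGS:
            return RESTART
        if win and image == "reg":          # reg add / reg import modify the registry
            return AFTER_RESTART
        return None

    if ev.kind == "file":
        ext = pathmod.splitext(name)[1]
        if ev.op == "write" and ext in (".sys", ".ko"):
            return AFTER_RESTART
        if win and ev.op == "create":
            # Assumed test for "the Startup directory under the administrator directory".
            parts = name.replace("/", "\\").split("\\")
            if "users" in parts and "startup" in parts:
                return AFTER_RESTART
        return None
    return None


def record_target_operations(events: List[Event]) -> List[str]:
    """Produce the log lines the monitoring unit would write (assumed format)."""
    lines = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            args = " ".join(map(str, ev.args))
            lines.append(f"TARGET_OP {label} {ev.kind} {ev.name} {args}".rstrip())
    return lines


# Constructed events, as the monitoring unit might observe them for one sample.
SAMPLE_EVENTS = [
    Event("file", "windows", r"C:\Users\Administrator\AppData\Local\Temp\drop.exe", op="write"),
    Event("process", "windows", r"C:\Windows\System32\reg.exe",
          ["add", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "/v", "upd", "/d", "drop.exe"]),
    Event("file", "windows", r"C:\Windows\System32\drivers\drop.sys", op="write"),
    Event("api", "windows", "ExitWindowsEx", [EWX_REBOOT | 0x4]),   # 0x4 is EWX_FORCE
    Event("process", "linux", "/sbin/shutdown", ["-rf", "now"]),
    Event("process", "linux", "/sbin/init", ["3"]),                 # not a restart
]

if __name__ == "__main__":
    for line in record_target_operations(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events, the classifier emits four TARGET_OP lines (the reg process, the .sys write, the ExitWindowsEx call and the Linux shutdown -rf) and ignores the temp-file write and init 3; those lines are the records that step S13 later inspects.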
After the program sample has run and the corresponding records have been written, in step S12, when the sandbox's virtual machine is shut down because data collection completed, the analysis time limit was reached, or the program sample itself issued a restart command, the running state of the virtual machine must be saved. After the virtual machine is closed, in step S13, the data it collected may be analyzed outside the virtual machine, and whether a target operation related to restarting the system occurred during the program sample's run is determined from the records in a file such as a log. If so, in step S14 the corresponding virtual machine is restarted to continue collecting data on the program sample, so as to detect malicious operations performed by the program sample after the restart.
To further improve the analysis, in an embodiment of the present invention, after restarting the virtual machine to continue collecting data on the program sample, the sandbox analysis method may further include:
integrating the data collected before and after the restart;
analyzing the integrated data.
Optionally, before data integration, the data collected in the two runs may first be analyzed separately; the two data sets are then integrated and analyzed a second time, and after the analysis is finished the virtual machine may be destroyed to release its resources.
The sandbox analysis method provided by the embodiment of the present invention is described in detail below with a specific embodiment.
As shown in FIG. 2, a sandbox analysis method provided by an embodiment of the present invention may include:
S201, monitoring target operations related to restarting the system in the program sample input into the sandbox;
S202, detecting that a reg process exists during the program sample's run, treating this as a registry modification operation, and recording it in the log file;
S203, detecting through a hook function that ExitWindowsEx() is called during the program sample's run with EWX_REBOOT as its first parameter, determining that a restart operation exists, and recording it in the log file;
S204, shutting down the virtual machine and saving the running state of the program sample;
S205, analyzing the data collected by the virtual machine and finding the records in the log file;
S206, determining from the log file records that a target operation related to restarting the system occurred during the program sample's run;
S207, restarting the virtual machine, running the program sample again, and performing the corresponding monitoring and recording;
S208, analyzing the data collected by the virtual machine;
S209, integrating the data collected in the two runs and performing a secondary analysis on the integrated data.
S202 and S203 have no fixed order: S202 may be executed before S203, S203 before S202, or the two may be executed simultaneously.
According to the sandbox analysis method provided by the embodiment of the invention, when the program sample under test includes operations related to restarting the system, the sandbox can save the running state before the virtual machine is shut down and continue collecting data on the program sample after the restart, so that malicious operations executed by the program sample after the restart are detected, the probability of the sample evading detection is greatly reduced, and the sandbox detection capability is effectively improved.
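The control flow of steps S11 to S14 (and of S201 to S209 above), including the point that the virtual machine is shut down but not destroyed until analysis is finished, is shown below as an added example for this page; it is not code from the patent or from Antiy. The virtual machine is simulated in-process, the sample is a constructed script of behaviors, and the monitoring unit's records are modelled as log lines carrying an assumed TARGET_OP marker; the class and function names are likewise assumptions. The example also runs the conventional one-shot sandbox from the Background section on the same sample, so the post-restart behavior that it misses is visible in the output.

```python
"""Sandbox controller that restarts the VM and continues collection after a restart-related operation."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_ANALYSIS_SECONDS = 600   # the description's example ceiling of ten minutes
TARGET_OP = "TARGET_OP"      # assumed marker the monitoring unit writes to the log

# A scripted behavior: (description, seconds elapsed when it happens, target-operation label or None).
# "restart" is a restart operation; "after_restart" is an operation that only takes effect after reboot.
Behavior = Tuple[str, int, Optional[str]]


@dataclass
class SandboxVM:
    """Stand-in for the sandbox virtual machine. Shutting it down keeps its running
    state (boot count, persisted changes), so the same VM can be restarted later."""
    first_run: List[Behavior]
    after_restart: List[Behavior]
    boot_count: int = 0
    destroyed: bool = False
    persisted: List[str] = field(default_factory=list)

    def run(self, time_budget: int) -> Tuple[List[str], str]:
        """Boot, run the sample, and return (log lines, shutdown reason).
        On return the VM is shut down but not destroyed (step S12)."""
        if self.destroyed:
            raise RuntimeError("running state was destroyed; the VM cannot be restarted")
        self.boot_count += 1
        script = self.first_run if self.boot_count == 1 else self.after_restart
        log: List[str] = []
        for change in self.persisted:   # changes made before the reboot are now in effect
            log.append(f"BOOT {self.boot_count}: persisted change active: {change}")
        for description, at, label in script:
            if at > time_budget:
                return log, "time limit reached"            # forced shutdown
            log.append(f"BEHAVIOR {description}")
            if label == "after_restart":
                self.persisted.append(description)
                log.append(f"{TARGET_OP} after_restart {description}")
            elif label == "restart":
                log.append(f"{TARGET_OP} restart {description}")
                return log, "sample restarted the system"   # the VM goes down with it
        return log, "sample finished"

    def destroy(self) -> None:
        self.destroyed = True


def has_target_operation(log: List[str]) -> bool:
    """Step S13: decide from the records whether a restart-related target operation occurred."""
    return any(line.startswith(TARGET_OP) for line in log)


def integrate(runs: List[List[str]]) -> dict:
    """Merge the logs of all runs and perform the secondary analysis over the whole."""
    timeline = [f"run{i}: {line}" for i, log in enumerate(runs, 1) for line in log]
    behaviors = [line[len("BEHAVIOR "):] for log in runs for line in log if line.startswith("BEHAVIOR ")]
    return {"runs": len(runs), "behaviors": behaviors, "timeline": timeline}


def analyze(vm: SandboxVM, restart_on_target_op: bool = True,
            time_budget: int = MAX_ANALYSIS_SECONDS) -> dict:
    """Controller for S11-S14. With restart_on_target_op=False it behaves like the
    conventional sandbox of the Background section: one run, then destroy."""
    log, reason = vm.run(time_budget)
    runs = [log]
    if restart_on_target_op and has_target_operation(log):   # S13
        second_log, _ = vm.run(time_budget)                  # S14: restart the same VM
        runs.append(second_log)
    report = integrate(runs)
    report["first_shutdown_reason"] = reason
    vm.destroy()   # only after analysis is finished, as the description requires
    return report


# Constructed sample: adds a Run-key entry, reboots, and only then executes its payload.
SAMPLE_FIRST_RUN: List[Behavior] = [
    ("write dropped file to %TEMP%", 5, None),
    ("reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", 8, "after_restart"),
    ("ExitWindowsEx(EWX_REBOOT)", 12, "restart"),
]
SAMPLE_AFTER_RESTART: List[Behavior] = [
    ("dropped file executed from Run key", 3, None),
    ("connect to 203.0.113.10:443 (beacon)", 9, None),
]


def new_sample_vm() -> SandboxVM:
    return SandboxVM(list(SAMPLE_FIRST_RUN), list(SAMPLE_AFTER_RESTART))


if __name__ == "__main__":
    baseline = analyze(new_sample_vm(), restart_on_target_op=False)
    improved = analyze(new_sample_vm())
    print("conventional sandbox saw:", baseline["behaviors"])
    print("restart-aware sandbox saw:", improved["behaviors"])
```

The conventional run ends at the sample's own reboot and reports three behaviors, none of them the beacon; the restart-aware run finds the TARGET_OP records, restarts the preserved VM, and its integrated report contains all five, including the Run-key execution and the network connection that only occur after the reboot. A sample that simply exceeds the time budget produces no TARGET_OP record and is not restarted.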
In a second aspect, an embodiment of the present invention further provides a sandbox analysis apparatus that saves the running state before the virtual machine is shut down and continues collecting data on the program sample after the virtual machine is restarted, so as to detect malicious operations executed by the program sample after the restart, thereby greatly reducing the probability of a sample evading detection and effectively improving sandbox detection capability.
As shown in FIG. 3, the sandbox analysis apparatus provided in this embodiment may include:
a monitoring unit 31 for monitoring target operations related to restarting the system in the program sample input into the sandbox and recording them accordingly;
a saving unit 32 for saving the running state of the sandbox's virtual machine when the virtual machine is shut down;
a determining unit 33 for determining, from the data recorded by the monitoring unit 31, whether a target operation occurred during the program sample's run;
and a restarting unit 34 for restarting the virtual machine to continue collecting data on the program sample when the determining unit 33 finds that a target operation occurred during the program sample's run.
The sandbox analysis apparatus provided by the embodiment of the invention monitors and records target operations related to restarting the system in the program sample input into the sandbox; when the sandbox's virtual machine is shut down, the running state of the virtual machine is saved; then whether a target operation occurred during the program sample's run is determined from the recorded data, and if so the virtual machine is restarted to continue collecting data on the program sample. Therefore, when the program sample under test includes operations related to restarting the system, the sandbox can save the running state before the virtual machine is shut down and continue collecting data on the program sample after the restart, so that malicious operations executed by the program sample after the restart are detected, the probability of the sample evading detection is greatly reduced, and the sandbox detection capability is effectively improved.
Optionally, the target operation includes a restart operation and/or an operation that takes effect only after a restart.
Optionally, the target operation includes the restart operation, and the monitoring unit is specifically configured to monitor for the restart operation in the program sample by monitoring a preset API function or a preset system command.
Optionally, the target operation includes an operation that takes effect after restart, and the monitoring unit is specifically configured to monitor the program sample for at least one of the following operations: adding or modifying registry entries, adding or modifying driver files, adding or modifying boot (self-start) items.
Optionally, the sandbox analysis apparatus further includes an analysis unit configured, after the virtual machine has been restarted to continue collecting data on the program sample, to integrate the data collected before and after the restart and to analyze the integrated data.
In a third aspect, an embodiment of the present invention provides an electronic device, which is capable of saving an operation site before a virtual machine is shut down and continuously performing data acquisition on a program sample after a restart, so as to detect some malicious operations performed by the program sample after the restart, thereby greatly reducing a probability of sample escape detection, and effectively improving a sandbox detection capability.
As shown in fig. 4, an electronic device provided in an embodiment of the present invention may include: the device comprises a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is arranged inside a space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; a power supply circuit 45 for supplying power to each circuit or device of the electronic apparatus; the memory 43 is used for storing executable program code; the processor 42 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the sandbox analysis method according to any one of the foregoing embodiments.
For specific execution processes of the above steps by the processor 42 and further steps executed by the processor 42 by running the executable program code, reference may be made to the description of the foregoing embodiments, which are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capability and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.
(2) An ultra-mobile personal computer device: such equipment belongs to the category of personal computers, has computing and processing functions, and generally also has mobile internet access. Such terminals include PDA, MID and UMPC devices, e.g., iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device includes audio and video players (e.g., iPods), handheld game consoles, e-book readers, smart toys, and portable car navigation devices.
(4) A server: a device that provides computing services. A server comprises a processor, a hard disk, memory, a system bus and the like; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services it has higher requirements on processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic equipment with a data interaction function.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where one or more programs are stored, and the one or more programs can be executed by one or more processors to implement any one of the sandbox analysis methods provided in the foregoing embodiments, so that corresponding technical effects can also be achieved, which have been described in detail above and are not described herein again.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A sandbox analysis method comprising:
monitoring a target operation related to restarting the system in a program sample input into the sandbox, and recording it accordingly;
when the virtual machine of the sandbox is shut down, the running site of the virtual machine is saved;
determining whether the target operation exists in the running process of the program sample according to the recorded data;
restarting the virtual machine to continue to perform data acquisition on the program sample under the condition that the target operation exists in the running of the program sample;
the target operation comprises a restart operation and/or an operation taking effect after the restart.
2. The method of claim 1, wherein the target operation comprises the restart operation;
wherein monitoring the target operation related to restarting the system in the program sample input into the sandbox comprises:
monitoring the restart operation in the program sample by monitoring a preset API function or a preset system command.
3. The method of claim 1, wherein the target operation comprises an operation that takes effect after restarting;
wherein monitoring the target operation related to restarting the system in the program sample input into the sandbox comprises:
monitoring the program sample for at least one of: adding or modifying registry entries, adding or modifying driver files, adding or modifying boot items.
4. The method of any one of claims 1 to 3, wherein, after restarting the virtual machine to continue data collection on the program sample in the case that the target operation exists in the running of the program sample, the method further comprises:
integrating data collected before and after restarting;
analyzing the integrated data.
5. A sandbox analysis apparatus comprising:
the monitoring unit is used for monitoring a target operation related to restarting the system in the program sample input into the sandbox and recording it accordingly;
the storage unit is used for storing the running site of the virtual machine when the virtual machine of the sandbox is shut down;
the determining unit is used for determining whether the target operation exists in the running process of the program sample according to the data recorded by the monitoring unit;
the restarting unit is used for restarting the virtual machine to continue to acquire data of the program sample under the condition that the determining unit determines that the target operation exists in the running process of the program sample;
the target operation comprises a restart operation and/or an operation taking effect after the restart.
6. The apparatus of claim 5, wherein the target operation comprises the restart operation;
the monitoring unit is specifically configured to monitor the restart operation in the program sample by monitoring a preset API function or a preset system command.
7. The apparatus of claim 5, wherein the target operation comprises an operation that takes effect after restarting;
the monitoring unit is specifically configured to monitor at least one of the following operations in the program sample: adding or modifying registry entries, adding or modifying driver files, adding or modifying boot items.
8. The apparatus of any of claims 5 to 7, further comprising: an analysis unit, configured to, after restarting the virtual machine to continue data acquisition on the program sample:
integrating data collected before and after restarting;
analyzing the integrated data.
9. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for executing the sandbox analysis method of any one of the preceding claims 1 to 4.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the sandbox analysis method of any one of the preceding claims 1 to 4.
CN201711426403.2A 2017-12-25 2017-12-25 Sandbox analysis method and device, electronic equipment and storage medium Active CN108875371B (en)

Publications (2)

Publication Number Publication Date
CN108875371A CN108875371A (en) 2018-11-23
CN108875371B true CN108875371B (en) 2020-04-24

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117708799A (en) * 2022-09-09 2024-03-15 华为技术有限公司 Restarting method and device for sandboxes

Citations (3)

Publication number Priority date Publication date Assignee Title
US9178900B1 (en) * 2013-11-20 2015-11-03 Trend Micro Inc. Detection of advanced persistent threat having evasion technology
CN106682498A (en) * 2016-08-16 2017-05-17 腾讯科技(深圳)有限公司 Sample executing method and device
CN107179934A (en) * 2016-03-10 2017-09-19 中标软件有限公司 Method and system for automatic restoration of virtual machines in a cloud computing environment

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
TW201407503A (en) * 2012-08-09 2014-02-16 Quanta Comp Inc System and method for work schedule of cloud platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant