CN108898012B - Method and apparatus for detecting illegal program - Google Patents
Method and apparatus for detecting illegal program Download PDFInfo
- Publication number
- CN108898012B CN108898012B CN201810502710.2A CN201810502710A CN108898012B CN 108898012 B CN108898012 B CN 108898012B CN 201810502710 A CN201810502710 A CN 201810502710A CN 108898012 B CN108898012 B CN 108898012B
- Authority
- CN
- China
- Prior art keywords
- data structure
- kernel data
- kernel
- target
- function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the application provides a method and a device for detecting an illegal program, and belongs to the technical field of computers. The method comprises the following steps: determining a first reading function and a second reading function corresponding to a first kernel data structure in a kernel space, wherein the first reading function is used for reading current structure content, and the second reading function is used for reading initial structure content; calling the first reading function to obtain the current structure content of a first kernel data structure in the kernel space, and calling the second reading function to obtain the initial structure content of the first kernel data structure pre-stored in the kernel space; and when the initial structure content of the first kernel data structure is different from the current structure content, determining that an illegal program exists in the first kernel data structure. By the method and the device, the illegal program in the kernel space can be detected.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for detecting an illegal program.
Background
Illegal programs (such as Rootkits, etc.) are a tool for hiding traces and preserving root access when attacking an operating system. The illegal programs can be divided into application-level illegal programs and kernel-level illegal programs, the application-level illegal programs mainly modify system files of an application layer of an operating system and are easy to prevent and detect, and the kernel-level illegal programs mainly attack kernel spaces of the operating system and are difficult to prevent and detect, so that a method for detecting the illegal programs in the kernel spaces needs to be provided.
However, in the related art, a technician sets a detection program in a user space to detect an application-level illegal program in the user space.
In this way, since the kernel-level illegal program is visible only in the kernel space, the detection program in the user space detects only the application-level illegal program, and cannot detect the kernel-level illegal program.
Disclosure of Invention
In order to solve the problem that kernel-level illegal programs cannot be detected, the embodiment of the application provides a method and a device for detecting illegal programs. The technical scheme is as follows:
in a first aspect, a method for detecting an illegal program is provided, the method comprising:
determining a first reading function and a second reading function corresponding to a first kernel data structure in a kernel space, wherein the first reading function is used for reading current structure content, and the second reading function is used for reading initial structure content; calling the first reading function to obtain the current structure content of the first kernel data structure in the kernel space, and calling the second reading function to obtain the initial structure content of the first kernel data structure pre-stored in the kernel space; and when the initial structure content of the first kernel data structure is different from the current structure content, determining that an illegal program exists in the first kernel data structure.
The first kernel data structure may have a system call table, an interrupt descriptor table, function pointers of some functions, a processing function (such as virtual file system hijacking), and the like.
In the solution shown in the embodiment of the present application, a detection program is installed in a host, a code of the detection program may be run by a Central Processing Unit (CPU) in the host, a part of the detection program is a user space installed in a Linux operating system of the host, a part of the detection program is a kernel space installed in the Linux operating system of the host, a part installed in the user space runs in the user space, and a part installed in the kernel space runs in the kernel space, and is used for detecting an illegal program in the kernel space. The detection program is also provided with an identification list of the first kernel data structure, and when an illegal program is detected, the identification list is traversed to detect the kernel data structure corresponding to the identification of each kernel data structure in the identification list. The kernel space includes a kernel program that runs at a privilege level higher than a preset level and has all privileges to access the hardware of the host. The user space comprises programs except the core program in the Linux operating system, and the programs only have access to system resources which are allowed to be used by the Linux operating system in the user space and cannot directly access the kernel space and hardware of the host.
When the host detects an illegal program in the kernel space, the CPU in the host may execute a code of the detection program in the kernel space, obtain an identifier of any kernel data structure in the identifier list (which may be referred to as an identifier of a first kernel data structure, hereinafter), and determine a first read function and a second read function corresponding to the first kernel data structure in the kernel space, where the first read function is used to read a current structure content of the kernel data structure, and the second read function is used to read an initial structure content of the kernel data structure. For example, in a Linux operating system, the first read function may be a probe _ kernel _ read function, and the second read function may be a kallsyms _ lookup _ name function.
And then running a code of the detection program in the kernel space through the CPU, calling a first reading function, taking the identifier of the first kernel data structure as the input of the first reading function, running the code of the first reading function to obtain the current structure content of the first kernel data structure, and calling a second reading function, taking the identifier of the first kernel data structure as the input of the second reading function, running the code of the second reading function to obtain the initial structure content of the first kernel data structure.
And then comparing the current structure content with the initial structure content of the first kernel data structure, and determining that an illegal program exists in the first kernel data structure when different contents exist.
In this way, the detection program is arranged in the kernel space, all kernel data structures in which the detection program may exist can be detected, and the detection capability is relatively strong.
In a possible mode, acquiring an identifier of the first kernel data structure, and acquiring a corresponding relation between the identifier of the kernel data structure and a kernel data structure type; and determining the kernel data structure type of the first kernel data structure according to the corresponding relation and the identifier of the first kernel data structure.
According to the scheme shown in the embodiment of the application, before the host runs the code of the detection program in the kernel space through the CPU and determines the first read function and the second read function of the first kernel data structure, the host can also obtain the identifier of the first kernel data structure in the identifier list and obtain the corresponding relation between the identifier of the kernel data structure in the detection program and the type of the kernel data structure. And using the identifier of the first kernel data structure, finding the identifier of the first kernel data structure and the corresponding first type in the corresponding relation, and determining the first type as the kernel data structure type of the first kernel data structure. The first type is used for indicating that an illegal program is determined in a comparison mode, namely the initial structure content and the current structure content of the kernel data structure are to be acquired. Thus, whether the first read function and the second read function are to be acquired or not can be determined by judging the kernel data structure type.
In a possible mode, acquiring the corresponding relation between the kernel data structure type and the identification of the read function; determining the identifications of two reading functions corresponding to the kernel data structure type to which the first kernel data structure belongs according to the kernel data structure type to which the first kernel data structure belongs and the corresponding relation between the kernel data structure type and the identification of the reading function; determining a first reading function corresponding to a first kernel data structure in the kernel space according to the identifier of the reading function with a first identifier in the identifiers of the two reading functions, and determining a second reading function corresponding to the first kernel data structure according to the identifier of the reading function with a second identifier in the identifiers of the two reading functions, wherein the first identifier is used for indicating the reading function to read the current structure content, and the second identifier is used for indicating the reading function to read the initial structure content.
According to the scheme shown in the embodiment of the application, the host can operate the code of the detection program in the kernel space through the CPU to obtain the corresponding relation between the kernel data structure type in the detection program and the identification of the reading function, and then the first type is used for searching the identification of the two reading functions corresponding to the first type in the corresponding relation. For the identifications of the two read functions, if there is a first marker in the identification of the read function, an identification of the first read function may be determined, which identification may be used to determine the first read function in kernel space, and if there is a second marker in the identification of the read function, an identification of the second read function may be determined, which identification may be used to determine the second read function in kernel space. For example, in a Linux operating system, the identifier of the first read function is probe _ kernel _ read, the identifier of the second read function is kallsyms _ lookup _ name, the first flag may be kernel, and the second flag may be kallsyms.
In a possible manner, when it is determined that a target module structure exists in the kernel space, determining that the target module structure is an illegal program, where the target module structure is used to delete a node in a kernel data structure linked list, and the node is an identifier of a kernel data structure that can be loaded by the target module structure in the kernel space.
In the solution shown in the embodiment of the present application, the target module structure is configured to delete a node in the kernel data structure linked list, where the node is an identifier of a kernel data structure that can be loaded by the target module structure in the kernel space. The host can run codes of the detection program in the kernel space through the CPU to acquire the module _ kset structural body and the module structural body, then the module _ kset structural body and the module structural body are compared to determine different contents, the different contents are determined to be the target module structural body, and the target module structural body is an illegal program. In this way, illegal programs that hide nodes can be determined.
In a possible mode, before illegal program detection is carried out, whether the detected system call has authority or not is judged, and a target system call is received, wherein the target system call is used for indicating illegal program detection; and when the target system call corresponds to a preset identifier, determining to detect the illegal program.
According to the scheme shown in the embodiment of the application, when the host runs the code of the detection program in the kernel space through the CPU, the code is generally called in a system calling mode, the system calling can be called as target system calling, whether the target system calling corresponds to the preset identification or not can be judged, if yes, illegal program detection is carried out, and if not, illegal program detection is not carried out.
The judgment mode may be determined by a white list, and the white list may be obtained by setting a system call identifier corresponding to the preset identifier in the white list. And if the white list has the identification of the target system call, determining that the target system call corresponds to a preset identification, and if the white list does not have the identification of the target system call, determining that the target system call does not correspond to the preset identification. Or, directly judging whether the target system call contains a preset mark, and if so, determining that the preset mark corresponds to the target system call. In this way, illegal access of the detection program can be prevented.
In one possible approach, the first kernel data structure is a first preset function, and when an initial function pointer and a current function pointer of the first preset function are different, it is determined that an illegal program exists in the first preset function.
For example, the first preset function may be any one of proc _ reg _ open, proc _ root _ readdir, tcp4_ seq _ show, con _ open, and the like, and the function pointer refers to a storage address of the function code.
According to the scheme shown in the embodiment of the application, the host can obtain the initial structure content and the current structure content of the first preset function through the detection program, the initial structure content comprises an initial function pointer, and the current structure content comprises a current function pointer.
The host can run the code of the detection program in the kernel space through the CPU, compare the initial function pointer and the current function pointer of the first preset function, and determine that Rootkits exist in the first preset function when the current function pointer is different from the initial function pointer.
In a possible manner, the first kernel data structure may be a second preset function, and when an initial processing function and a current processing function of the second preset function are different, it is determined that an illegal program exists in the second preset function.
The second preset function may be one or more, and typically is more than one, for example, sys _ getdents64, sys _ getdents, composition _ sys _ getdents64, composition _ sys _ getdents, and the like. When the second preset function is executed, the code of the processing function of the second preset function is actually executed, the initial processing function of the second preset function refers to the initial function which is not modified by Rootkits, and the current processing function of the second preset function refers to the processing function which is obtained when the second preset function is executed currently.
According to the scheme shown in the embodiment of the application, the host can operate the code of the detection program in the kernel space through the CPU to obtain the initial structure content and the current structure content of the second preset function, wherein the initial structure content comprises an initial processing function, and the current structure content comprises a current processing function.
The host computer can run the code of the detection program in the kernel space through the CPU, compare the initial processing function with the current processing function, and determine that Rootkits exist in the second preset function when the current processing function is different from the initial processing function.
In one possible approach, the first kernel data structure may be a network filter function, and when the current network filter function is not the same as the white list, the different function is determined as an illegal program in the network filter function.
The network filtering function is a function for filtering transceiving content of the host, the white list may be preset and stored in a memory of the host (the memory may be a nonvolatile memory in the host), the white list may include the preset network filtering function, that is, the network filtering function set in the white list normally exists, such as iptable _ filter _ hook, ipv4_ conntrack _ defrag, and the like, that is, the white list is initial structure content of the network filtering function, and the current structure content is the currently acquired network filtering function.
According to the scheme shown in the embodiment of the application, the host can operate the codes of the detection program in the kernel space through the CPU to obtain the white list of the network filtering functions stored in the memory in advance, then the current network filtering functions are compared with the network filtering functions in the white list, and if the network filtering functions which do not belong to the white list exist in the current obtained network filtering functions, Rootkits exist in the network filtering functions.
In a second aspect, there is provided a method of detecting an illegal program, the method comprising:
determining a target reading function corresponding to a target kernel data structure in a kernel space, wherein the target reading function is used for reading the content of a current structure; calling the target reading function to obtain the current structure content of the target kernel data structure in the kernel space; and when a preset structure exists in the current structure content of the target kernel data structure, determining that an illegal program exists in the target kernel data structure, wherein the preset structure is a structure for executing illegal processing.
The preset structure may be preset and stored in the detection program, and the preset structure may be a structure for performing illegal processing, such as an instruction to change an execution path, a node in a keyboard record list, and the like.
According to the scheme shown in the embodiment of the application, when the host detects an illegal program in the kernel space, the CPU in the host may run a code of the detection program in the kernel space, obtain any kernel data structure (which may be referred to as a target kernel data structure hereinafter) in the identification list of the target read function, and determine the target read function of the target kernel data structure, where the target read function is used to read the current structure content of the kernel data structure. For example, in a Linux operating system, the target read function may be a probe _ kernel _ read function.
And then running a code of the detection program in the kernel space through the CPU, calling a target reading function, taking the identifier of the target kernel data structure as the input of the target reading function, running the code of the target reading function, and acquiring the current structure content of the target kernel data structure.
And then detecting the current structure content of the target kernel data structure, and when a preset structure exists, determining that an illegal program exists in the target kernel data structure.
Alternatively, the target read function may be the same function as the first read function.
In one possible approach, the method further comprises: acquiring the identifier of the target kernel data structure, and acquiring the corresponding relation between the identifier of the kernel data structure and the type of the kernel data structure; and determining the kernel data structure type of the target kernel data structure according to the corresponding relation and the identification of the target kernel data structure.
According to the scheme shown in the embodiment of the application, before the host computer determines the target reading function of the target kernel data structure by running the code of the detection program in the kernel space through the CPU, the host computer can also obtain the identifier of the target kernel data structure in the identifier list and obtain the corresponding relation between the identifier of the kernel data structure in the detection program and the type of the kernel data structure. And using the identifier of the target kernel data structure, finding a target type corresponding to the identifier of the target kernel data structure in the corresponding relation, and determining the target type as the kernel data structure type of the target kernel data structure. Wherein the target type is used for indicating that the illegal program is determined by means of judgment.
In a possible mode, acquiring the corresponding relation between the kernel data structure type and the identification of the read function; determining the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs according to the kernel data structure type to which the target kernel data structure belongs and the corresponding relation between the kernel data structure type and the identifier of the read function; and determining a target read function corresponding to the target kernel data structure according to the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs.
According to the scheme shown in the embodiment of the application, the host runs the code of the detection program in the kernel space through the CPU, and the corresponding relation between the kernel data structure type and the identification of the read function can be obtained. In the corresponding relation, the identifier of the corresponding read function is found by using the target type, then the read function corresponding to the identifier of the read function is obtained from the kernel space by using the identifier of the read function, and the read function is determined as the target read function. Thus, the target reading function can be determined according to the kernel data structure type.
In a possible mode, the kernel data structure is a keyboard record list, the keyboard record list is obtained, and when nodes exist in the keyboard record list, Rootkits exist in the keyboard record list.
In the solution shown in this embodiment of the present application, after the host computer runs the code of the detection program in the kernel space through the CPU, obtains the current structure content of the keyboard record list (keyboard _ notifier _ list), the CPU runs the code of the detection program in the kernel space, determines whether the keyboard _ notifier _ list includes the content (that is, determines whether the keyboard _ notifier _ list is empty), determines that the content is a notifier node if the keyboard _ notifier _ list has the content, determines that the keyboard _ notifier _ list includes a notifier node, and determines that the keyboard _ notifier _ list includes cookies. If the keyboard _ notifier _ list has no contents, it is determined that the keyboard _ notifier _ list has no Rootkits.
In one possible approach, the target kernel data structure is a third preset function, and when there is an instruction for changing the execution path at an entry of the processing function of the third preset function, it is determined that the third preset function has Rootkits.
According to the scheme shown in the embodiment of the application, the host can obtain the processing function of the third preset function by running the code of the detection program in the kernel space through the CPU, then identify the instruction at the entrance of the processing function of the third preset function by running the code of the detection program in the kernel space through the CPU, judge whether the instruction at the entrance of the processing function of the third preset function includes an instruction (such as call, jump and the like) for changing an execution path, and determine that the third preset function has Rootkits if the instruction at the entrance of the processing function of the third preset function includes the instruction. In this way, Rootkits of Inline hook type can be tested.
In a third aspect, there is provided a host computer comprising a processor and a memory, wherein the memory stores a computer program, and when the processor calls the computer program in the memory, the processor is caused to execute the following:
determining a first reading function and a second reading function corresponding to a first kernel data structure in a kernel space, wherein the first reading function is used for reading current structure content, and the second reading function is used for reading initial structure content;
calling the first reading function to obtain the current structure content of the first kernel data structure in the kernel space, and calling the second reading function to obtain the initial structure content of the first kernel data structure pre-stored in the kernel space;
and when the initial structure content of the first kernel data structure is different from the current structure content, determining that an illegal program exists in the first kernel data structure.
In one possible approach, the processor is further configured to:
acquiring an identifier of the first kernel data structure, and acquiring a corresponding relation between the identifier of the kernel data structure and a kernel data structure type;
and determining the kernel data structure type of the first kernel data structure according to the corresponding relation and the identifier of the first kernel data structure.
In one possible approach, the processor is configured to:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function;
determining the identifications of two reading functions corresponding to the kernel data structure type to which the first kernel data structure belongs according to the kernel data structure type to which the first kernel data structure belongs and the corresponding relation between the kernel data structure type and the identification of the reading function;
determining a first reading function corresponding to a first kernel data structure in the kernel space according to the identifier of the reading function with a first identifier in the identifiers of the two reading functions, and determining a second reading function corresponding to the first kernel data structure according to the identifier of the reading function with a second identifier in the identifiers of the two reading functions, wherein the first identifier is used for indicating the reading function to read the current structure content, and the second identifier is used for indicating the reading function to read the initial structure content.
In one possible approach, the processor is further configured to:
and when determining that the target module structure body exists in the kernel space, determining that the target module structure body is an illegal program, wherein the target module structure body is used for deleting a node in a kernel data structure linked list, and the node is an identifier of a kernel data structure which can be loaded by the target module structure body in the kernel space.
In one possible approach, the processor is further configured to:
receiving a target system call, wherein the target system call is used for indicating illegal program detection;
and when the target system call corresponds to a preset identifier, determining to detect the illegal program.
In one possible approach, the kernel space includes a kernel that runs at a level of privilege above a preset level, with all privileges to access the hardware of the host.
In one possible mode, determining a target reading function corresponding to a target kernel data structure in a kernel space, wherein the target reading function is used for reading the content of a current structure;
calling the target reading function to obtain the current structure content of the target kernel data structure in the kernel space;
and when a preset structure exists in the current structure content of the target kernel data structure, determining that an illegal program exists in the target kernel data structure, wherein the preset structure is a structure for executing illegal processing.
In one possible approach, the processor is further configured to:
acquiring the identifier of the target kernel data structure, and acquiring the corresponding relation between the identifier of the kernel data structure and the type of the kernel data structure;
and determining the kernel data structure type of the target kernel data structure according to the corresponding relation and the identification of the target kernel data structure.
In one possible approach, the processor is configured to:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function;
determining the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs according to the kernel data structure type to which the target kernel data structure belongs and the corresponding relation between the kernel data structure type and the identifier of the read function;
and determining a target read function corresponding to the target kernel data structure according to the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs.
In a fourth aspect, an apparatus for detecting an illegal program is provided, and the apparatus includes one or more modules that implement the method for detecting an illegal program provided in the first and second aspects by executing instructions.
In a fifth aspect, a computer-readable storage medium is provided, which stores instructions that, when executed on a host, cause the host to perform the method for detecting an illegal program provided in the first and second aspects.
A sixth aspect provides a computer program product comprising instructions which, when run on a host, cause the host to perform the method of detecting illegal programs as provided in the first and second aspects above.
The beneficial effects brought by the technical scheme provided by the embodiment of the application at least comprise:
in the embodiment of the application, the initial structure content and the current structure content of the first kernel data structure in the kernel space can be respectively obtained through the first read function and the second read function, and whether an illegal program exists in the first kernel data structure can be determined through a comparison mode, so that the illegal program in the kernel space can be detected.
Drawings
Fig. 1a is a schematic structural diagram of a host according to an embodiment of the present disclosure;
fig. 1b is a schematic structural diagram of a user space and a kernel space according to an embodiment of the present application;
FIG. 2 is a characterization of the various types of Rootkits provided by embodiments of the present application;
FIG. 3 is a flowchart illustrating a method for detecting illegal programs according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a setup of a detection procedure provided in an embodiment of the present application;
FIG. 5 is a flowchart illustrating a method for detecting illegal programs according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a system for detecting Rootkits according to an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of an apparatus for detecting Rootkits according to an embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of an apparatus for detecting Rootkits according to an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of a device for detecting Rootkits according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The embodiment of the application provides a method for detecting illegal programs, wherein an execution main body of the method can be a host provided with a Linux operating system, and the host can be a terminal or a server.
Fig. 1a shows a block diagram of a host in an embodiment of the present application, which may include at least a receiver 101, a processor 102, a memory 103, and a transmitter 104. The receiver 101 may be configured to implement data reception, the transmitter 104 may be configured to transmit data, and may specifically be configured to transmit an illegal program in a kernel space, the memory 103 may be configured to store a software program and a module, and may specifically be configured to store an interrupt descriptor table, a system call table, and the like in this embodiment, and the processor 102 executes various functional applications and data processing by running the software program and the module stored in the memory 103. The memory 103 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the detection program, and the like. Further, the memory 103 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 103 may also include a memory controller to provide the processor 102, receiver 101, and transmitter 104 access to the memory 103. The processor 102 is a control center of the host, connects various parts of the entire proximity interference recognition apparatus using various interfaces and lines, and performs various functions of the host and processes data by running or executing software programs and/or modules stored in the memory 103 and calling data stored in the memory 103, thereby performing overall monitoring of the host.
Alternatively, processor 102 may include one or more processing cores; preferably, the processor 102 may integrate an application processor and a modem processor, wherein the application processor mainly processes an operating system, a user interface, an application program, and the like. It will be appreciated that the modem processor described above may not be integrated into the processor 102.
In order to facilitate understanding of the embodiments of the present application, a system architecture, an application scenario, and concepts related to the terms of the embodiments of the present application will be described first.
The embodiment of the application can be applied to a host with a Linux operating system, where the host can be a terminal, such as a mobile terminal (e.g., a mobile phone, a tablet computer, etc.), a desktop computer, a notebook computer, etc., or a server, including but not limited to: stand-alone servers, computing servers, storage servers, cloud servers, and the like. As shown in FIG. 1b, the Linux operating system includes a user space and a kernel space, the user space is visible to the user, the kernel space is invisible to the user, and the user space and the kernel space can communicate with each other. The kernel space comprises a kernel program which is independent of a common application program, runs at a higher privilege level and has all the authority of accessing the hardware of the host, and the user space comprises programs except the kernel program in the Linux operating system, and the programs can only access the system resources which are allowed by the Linux operating system and are used by the user space and cannot directly access the kernel space and the hardware of the host. When the host runs a program, the process created by the program is initially run in the user space, and when it executes some processing (e.g., sending data via a network, etc.), it must complete by calling a system call function such as write, send, etc., and these system calls will call the code of the system call function in the kernel space to complete the request operation of the user space, and after the code completion operation is executed in the kernel space, it will return to the user space, which may also be referred to as returning to the user state.
Illegal programs, which may also be referred to as malicious programs, can hide themselves and designated files, processes, etc. in kernel space, and reside for a long time, with the highest access rights. Such as Rootkits, and the like. Rootkits are tools used by attackers to hide own traces and reserve root access rights during attack, Rootkits in a Linux operating system can be divided into application-level Rootkits and kernel-level Rootkits, the application-level Rootkits mainly modify system files of an application layer of the operating system and are easy to prevent and detect, and the kernel-level Rootkits mainly attack kernel spaces of the operating system and are difficult to prevent and detect.
The System Call Table (SCT) is a two-dimensional Table including System calls, each row in the two-dimensional Table includes a System Call number and a function pointer (which may also be referred to as a function pointer of a System Call function) corresponding to an execution function, and after receiving a System Call in a user space, a kernel space of the Linux operating System can find the function pointer corresponding to the execution function according to the System Call number.
An Interrupt Descriptor Table (IDT) is a data structure of x86 for implementing an Interrupt vector Table, and is used for recording a function pointer for finding a corresponding Interrupt processing function based on an Interrupt number when determining that an execution code is interrupted or abnormal.
A Virtual File System (VFS) is an abstraction layer that Linux operating systems build on top of various different File systems, based on which applications can transparently access files on a File System without knowing what type of File is. For example, the virtual file system may be an abstraction layer set above EXT2, EXT3, NFS, FAT 32.
In the embodiment of the present application, a scheme is described by taking an illegal program as Rootkits as an example, and before implementation, first, various Rootkits related to a kernel space in the embodiment of the present application are introduced:
as shown in FIG. 2, common Rootkits typically appear in several kernel data structures:
modifying or redirecting the system call list, characterized in that modifying the pointer of some system call functions in the system call list to make it execute the malicious function, or redirecting to the code executing the malicious function, executing the code of the original system call function at the same time of executing the code of the malicious function or after. Thus, when a call is made to some system function, the code of the malicious function is executed. For example, when sys _ write is called, it is directed to evil _ sys _ write, which recalls sys _ write while code of a malicious function is executed.
The virtual file system hijacking is characterized in that a structure body pointer (such as proc _ reg _ open, proc _ root _ readdir, tcp4_ seq _ show, con _ open and the like) of the virtual file system is tampered to enable the virtual file system to execute codes of malicious functions and the like.
The method comprises the steps of hijacking an interrupt descriptor table, modifying a pointer of an interrupt descriptor after the pointer of the interrupt descriptor is acquired through an interrupt descriptor table register, or writing a code of a processing function of the interrupt descriptor, setting an interrupt at a system call entrance, executing the code of a malicious function every time a system call is called, for example, replacing an original system _ call function with a rootkit _ system _ call (in a system call table) to achieve tampering of a set _ uid () system call, setting the interrupt at the rootkit _ system _ call entrance, tampering a function pointer of the interrupt processing function of an IDT or the code of the interrupt processing function, and executing the code of the malicious function every time when a set _ uid () system call is generated.
The network filter (Netfilter) hijacking is characterized in that a malicious hook function is added in nf _ hooks (network filter functions for recording and filtering transceiving contents), so that the intercepted contents are the contents, but the malicious hook function releases intrusion into a host.
Keyboard recorder (Keylogger) hijacking is characterized in that notifier records keyboard input is added in keyboard _ notifier _ list (a keyboard record list, a function for acquiring the input of a keyboard), and thus, a password, an account number and the like input by a user are copied.
The code of the system call function is modified, and the characteristic is that the processing function (namely the code which is actually executed) of the malicious function is directly added into the code of the system call function.
Modifying the execution flow of some key functions, which is characterized in that the execution flow of the functions is generally tampered by inserting instructions such as jmp (jump), call and the like, so that the code of the malicious functions is executed. For example, when the main flow is executed, the main flow is jumped to a code for executing a malicious function, and then the main flow is returned after the execution is finished, or the main flow is returned after the execution is finished by calling a malicious function.
By analyzing the common Rootkits, the detection modes are different based on different Rootkits types, so that the kernel data structure can be divided into the following two kernel data structure types:
the first type: such kernel data structures of Rootkits can only be determined by comparing the content of the initial structure of the kernel data structure with the content of the current structure. Such as a system call table, an interrupt descriptor table, function pointers and code for certain functions (e.g., virtual file system hijacking, etc.), etc. For a certain kernel data structure corresponding to the first type, the initial structure content of the kernel data structure is the structure content developed and not infected by Rootkits, and the current structure content of the kernel data structure is the structure content acquired when the kernel data structure is used at present.
Second type (which may also be referred to as target type): such kernel data structures of Rootkits are determined by determining whether certain preset structures exist in the current structure content of the kernel data structure. Such as keylogger hijacking, web filter hijacking, some function inserted into jmp, call, etc. instructions, etc. The preset structure may be an instruction (such as jmp, call, etc.) for changing the execution path, a node in the keyboard record list, etc.
The embodiment of the present application provides a method for detecting an illegal program, and a processing flow of the method will be described in detail below with reference to specific embodiments, as shown in fig. 3, the contents may be as follows:
The first kernel data structure is a kernel data structure in a kernel space and is easily infected with Rootkits, and the identifier of the first kernel data structure is compiled in a detection program to form an identifier list of the kernel data structure, such as a system call table, an interrupt descriptor table and the like of the first kernel data structure.
In implementation, code of a detection program is written, the code of the detection program can be executed by a processor (the processor can be a central processor of a host) in the host, and then the detection program is installed on the host, wherein one part of the detection program is a user space of a Linux operating system installed on the host, one part of the detection program is a kernel space of the Linux operating system installed on the host, the part installed in the user space is executed in the user space, and the part installed in the kernel space is executed in the kernel space for detecting Rootkits in the kernel space. For example, as shown in FIG. 4, the detection program may be Gra _ dbg in FIG. 4, Gra _ dbg user mode interface part in user space, and Gra _ dbg kernel detection part in kernel space.
When Rootkits in the kernel space need to be detected, a detection program in the host may be started, for example, a user may click a rootkit option displayed on an interface of the detection program, the host may detect a click instruction of the option, and the detection program is invoked to detect Rootkits in the kernel space in a part of the kernel space in a system call manner. The processing procedure can be as follows: the host can obtain an identifier list of kernel data structures set in the detection program through the part of the detection program installed in the kernel space, obtain an identifier of any kernel data structure (which may be referred to as an identifier of a first kernel data structure later) from the identifier list, and obtain a first read function and a second read function of the first kernel data structure according to the identifier of the first kernel data structure, where the first read function is used to read current structure content and the second read function is used to read initial structure content.
Optionally, before obtaining the first read function and the second read function, first determining a kernel data structure type to which the first kernel data structure belongs, and performing corresponding processing as follows:
acquiring an identifier of a first kernel data structure, and acquiring a corresponding relation between the identifier of the kernel data structure and a kernel data structure type; and determining the kernel data structure type of the first kernel data structure according to the corresponding relation and the identifier of the first kernel data structure.
In the correspondence between the identifier of the kernel data structure and the kernel data structure type, the identifiers of the plurality of kernel data structures may correspond to one kernel data structure type, or the identifiers of each kernel data structure may correspond to the kernel data structure types, except that the corresponding kernel data structure types of the identifiers of each kernel data structure are the same.
In implementation, the corresponding relation between the identifier of the kernel data structure and the type of the kernel data structure is compiled in the detection program. The host computer can run the code of the detection program in the kernel space through the CPU, obtain the identifier of the first kernel data structure from the identifier list, and obtain the corresponding relation between the identifier of the kernel data structure and the type of the kernel data structure. And then, determining a first type corresponding to the identifier of the first kernel data structure from the corresponding relation by using the identifier of the first kernel data structure, and determining the first type as the kernel data structure type to which the first kernel data structure belongs. The first read function and the second read function may subsequently be acquired using the first type.
Optionally, the host may determine, based on the first type, a first read function and a second read function corresponding to the first kernel data structure, and the corresponding processing may be as follows:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function; determining the identifications of two reading functions corresponding to the kernel data structure type to which the first kernel data structure belongs according to the kernel data structure type to which the first kernel data structure belongs and the corresponding relation between the kernel data structure type and the identification of the reading function; and determining a first reading function corresponding to the first kernel data structure in the kernel space according to the reading function identifier with the first mark in the two reading function identifiers, and determining a second reading function corresponding to the first kernel data structure according to the reading function identifier with the second mark in the two reading function identifiers.
The first mark is used for indicating a reading function to read the current structure content, and the second mark is used for indicating the reading function to read the initial structure content.
In implementation, the corresponding relationship between the kernel data structure type and the identifier of the read function is compiled in the detection program, and after the host determines that the kernel data structure type to which the first kernel data structure belongs is the first type, the host can run the code of the detection program through the CPU to obtain the corresponding relationship between the kernel data structure type compiled by the detection program and the identifier of the read function. And determining the identifiers of the two reading functions corresponding to the first type from the corresponding relation, then judging whether the identifiers of the two reading functions contain the first identifier, if so, determining the identifier of the reading function containing the first identifier as the identifier of the first reading function, and determining the first reading function in the kernel space by using the identifier. And it may be determined whether a second mark is included in the two identifications of the read function, if the second mark is included, the identification of the read function including the second mark is determined, and the second read function may be determined in the kernel space using the identification.
For example, in a Linux operating system, the identifier of the first read function is probe _ kernel _ read, the identifier of the second read function is kallsyms _ lookup _ name, the first flag may be kernel, and the second flag may be kallsyms.
In addition, when the first read function and the second read function corresponding to the first kernel data structure are obtained, the CPU may also run a code of the detection program in the kernel space to obtain a correspondence between the kernel data structure in the detection program and the identifier of the read function, obtain the identifiers of the two read functions corresponding to the identifier of the first kernel data structure from the correspondence using the identifier of the first read function, and then determine whether the first identifier is included in the identifiers of the two read functions. If a first marker is included, an identification of the read function including the first marker is determined, and the first read function may be determined in kernel space using the identification of the first read function. And it may be determined whether a second mark is included in the two identifications of the read function, if the second mark is included, the identification of the read function including the second mark is determined, and the second read function may be determined in the kernel space using the identification.
In addition, when the first read function and the second read function corresponding to the first kernel data structure are obtained, the CPU may run a code of the detection program in the kernel space to obtain a corresponding relationship between the kernel data structure type, the identifier of the read function, and the indication flag in the detection program, (in the corresponding relationship, the indication flag has the first flag and the second flag, and has the same meaning as the above). From the correspondence, identifiers of two read functions corresponding to the first type and indication marks corresponding to the two identifiers respectively can be determined, the indication marks are the identifiers of the read functions of the first marks and are determined as the identifiers of the first read functions, and the first read functions can be determined in the kernel space by using the identifiers. And the indication mark may be determined as an identification of the second read function, which identification may be used to determine the second read function in kernel space.
Optionally, the first kernel data structure may have a system call table, an interrupt descriptor table, a first preset function, and a second preset function.
In an implementation, the first kernel data structure may have a system call table, an interrupt descriptor table, a first preset function, and a second preset function. The system call table and the interrupt descriptor table are described later. The first preset function may be a function pointer of common susceptible Rootkits, for example, a structure pointer of a virtual file system, including but not limited to a function con _ open/pty, a function tcp _ seq _ show, or a function proc _ reg _ mmap/proc _ root _ readdir, etc. The second preset function may be a function of common code susceptibility Rootkits counted in advance. The first preset function may be the same as the first preset function.
In implementation, the host may run a code of the detection program in the kernel space through the CPU, use an identifier of the first kernel data structure as an input of the first read function, run the code of the first read function, find the actual address corresponding to the identifier of the first kernel data structure, and then use the actual address corresponding to the identifier of the first kernel data structure to read the current structure content of the first kernel data structure from the storage area corresponding to the actual address. And calling a second reading function in the kernel space, taking the identifier of the first kernel data structure as the input of the second reading function, finding the initial address corresponding to the identifier of the first kernel data structure, and then reading the initial structure content of the first kernel data structure from the storage area corresponding to the initial address by using the initial address corresponding to the identifier of the first kernel data structure. Thus, the current structure content and the initial structure content can be acquired.
For example, in a Linux operating system, for a first kernel data structure, a probe _ kernel _ read function may be called (that is, the first read function is the probe _ kernel _ read function), the identifier of the first kernel data structure is used as an input of the probe _ kernel _ read function, an actual address Addr _ current corresponding to the identifier of the first kernel data structure is found, and a current structure content of the first kernel data structure is obtained from a storage area corresponding to the actual address. And a kallsyms _ lookup _ name function (that is, the second read function is the kallsyms _ lookup _ name function) can be called, the identifier of the first kernel data structure is used as the input of the kallsyms _ lookup _ name function, the initial address Addr _ orig corresponding to the identifier of the first kernel data structure is found, and the initial structure content of the first kernel data structure is acquired from the storage area corresponding to the initial address.
For example, the first kernel data structure may have a system call table, an interrupt descriptor table, etc., the system call table includes two columns, and the initial structure content is as shown in table one:
| system call numbering | Function pointer of system call function |
| 0 | sys_read |
| 1 | sys_write |
| … | … |
| 332 | sys_ststx |
| 512 | compat_sys_rt_sigaction |
| … | … |
| 547 | compat_sys_rt_pwriterv64v2 |
Watch 1
The interrupt descriptor table includes two columns, and the initial structure content is shown in table two:
watch two
In implementation, after the host runs a code of the detection program in the kernel space through the CPU, and obtains the initial structure content and the current structure content of the first kernel data structure, the initial structure content and the current structure content may be compared, and if there are different contents, it is determined that the first kernel data structure is tampered with by an illegal program, and it may be determined that the illegal program exists in the first kernel data structure. For example, in the initial structure content of the system call table in the first table, the system call function pointer corresponding to 512 is at _ sys _ rt _ gesture, and in the current structure content of the system call table, the system call function pointer corresponding to 512 is at _ sys _ rt _ action, so that Rootkits of the first kernel data structure is at _ sys _ rt _ action.
It should be noted that, when the host detects the first kernel data structure, the host may obtain, through a general process in the detection program, an identifier of a kernel data structure in the identifier list each time, and then determine, from a correspondence between the identifier of the kernel data structure and the kernel data structure type, a kernel data structure type corresponding to the identifier of the kernel data structure. And determining a Rootkits detection mode according to the determined kernel data structure type, and determining whether Rootkits exist in the kernel data structure according to the Rootkits detection mode. And after the detection result of the kernel data structure is determined, acquiring the identifier of one kernel data structure in the identifiers of the rest kernel data structures in the identifier list, and determining whether rootkits exist in the kernel data structure according to the method. And repeating the steps until all the kernel data structures in the identification list are identified.
The host can control a plurality of threads by detecting a general process in a program, respectively acquire an identifier of a kernel data structure from the identifier list, and respectively determine the kernel data structure type corresponding to the identifier of the kernel data structure acquired by the host. And respectively determining a Rootkits detection mode according to the determined kernel data structure type, and determining whether Rootkits exist in the kernel data structure according to the Rootkits detection mode. The total process can check the running progress of each thread at any time, and if the total process determines that all the processes are executed completely, the total process can determine that the kernel data structures acquired by the multiple threads are detected completely, control the multiple threads, and detect the kernel data structures corresponding to the identifiers of the rest kernel data structures in the identifier list until all the identifiers of the kernel data structures in the identifier list are traversed.
Optionally, the first kernel data structure is a system call table, and the corresponding Rootkits detection method may be as follows:
and if the first kernel data structure is a system call table, the obtained initial structure content is the initial system call table, and the current structure content is the current system call table. The host computer can run the code of the detection program in the kernel space through the CPU, compare the function pointers of the system call functions respectively corresponding to the same system call number in the two system call tables, if different function pointers exist, determine the different function pointers in the current system call table as Rootkits of the first kernel data structure, and if the function pointers are the same, determine that no Rootkits exist in the system call table.
Optionally, the first kernel data structure may be an interrupt descriptor table, and the corresponding methods for detecting Rootkits may be as follows:
the first kernel data structure includes an interrupt descriptor table, and the obtained initial structure content is the initial interrupt descriptor table, and the current structure content is the current interrupt descriptor table. The host can compare the function pointers of the interrupt processing functions respectively corresponding to the same interrupt number in the two interrupt descriptor tables by running the codes of the detection program in the kernel space through the CPU, if different function pointers exist, the different function pointers in the current interrupt descriptor table are determined as Rootkits of the first kernel data structure, and if the function pointers are the same, no Rootkits exist in the interrupt descriptor table.
Optionally, the first kernel data structure is a first preset function, and the corresponding method for detecting Rootkits may be as follows:
and when the initial function pointer and the current function pointer of the first preset function are different, determining that the illegal program exists in the first preset function.
The first preset function may be one or multiple, and in general, the first preset function is multiple, for example, any one of a proc _ reg _ open function, a proc _ root _ readdir function, a tcp4_ seq _ show function, and a con _ open function, and the function pointer refers to a storage address of the function code.
In implementation, the host may operate a code of the detection program in the kernel space through the CPU to obtain an initial structure content and a current structure content of the first preset function, where the initial structure content includes an initial function pointer, and the current structure content includes a current function pointer.
The host can run the code of the detection program in the kernel space through the CPU, compare the initial function pointer and the current function pointer of the first preset function, and determine that Rootkits exist in the first preset function when the current function pointer is different from the initial function pointer.
Optionally, the first kernel data structure may be a second preset function, and the corresponding method for detecting Rootkits may be as follows:
and when the initial processing function and the current processing function of the second preset function are different, determining that the illegal program exists in the second preset function.
The second preset function may be one or more, and generally, the second preset function is more than one. For example, sys _ getdents64, sys _ getdents, composition _ sys _ getdents64, composition _ sys _ getdents, and the like. When the second preset function is executed, the code of the processing function of the second preset function is actually executed, the initial processing function of the second preset function refers to the original function which is not modified by Rootkits, and the current processing function of the second preset function refers to the processing function which is obtained when the second preset function is executed at present.
In implementation, the host may operate a code of the detection program in the kernel space through the CPU to obtain an initial structure content and a current structure content of each second preset function, where the initial structure content includes an initial processing function, and the current structure content includes a current processing function.
The host computer can run the code of the detection program in the kernel space through the CPU, compare the initial processing function with the current processing function, and determine that Rootkits exist in the second preset function when the current processing function is different from the initial processing function.
It should be noted that the first preset function and the second preset function mentioned above may be the same.
Optionally, the first kernel data structure may be a network filter function, and the corresponding method for detecting Rootkits may be as follows:
and when the current network filtering function is different from the white list, determining the different function as an illegal program in the network filtering function.
The network filtering function is a function for filtering transceiving contents of the host, the white list may be preset and stored in a memory (which may be a non-volatile memory in the host) of the host, and the white list may include the preset network filtering function, that is, the network filtering function set in the white list is normally present. For example, iptable _ filter _ hook, ipv4_ conntrack _ defrag, etc., that is, the white list is the initial structure content of the network filtering function, and the current structure content is the currently acquired network filtering function.
In implementation, the host may operate a code of the detection program in the kernel space through the CPU to obtain a white list of the network filter functions pre-stored in the memory, and then compare the current network filter function with the network filter functions in the white list, where if there is a network filter function that does not belong to the white list in the currently obtained network filter function, a rootkit exists in the network filter function.
For example, the host may run the code of the detection program in the kernel space by the CPU, and detect whether malicious functions other than the white list (e.g., iptable _ filter _ hook, ipv4_ conntrack _ defrag) exist in nf _ hooks of the Netfilter, so that detection of Netfilter type rootkits may be implemented.
Optionally, the general kernel space detection Rootkits are performed after receiving a system call (for running the code of the detection program in the kernel space), and in order to reduce the code of the detection program in the kernel space from being illegally accessed, the following processing may be performed:
receiving a target system call, wherein the target system call is used for indicating illegal program detection; and when the target system call corresponds to the preset identification, determining to detect the illegal program.
In implementation, when the host receives a target system call through the kernel space (the target system call is used to indicate a code of the running detection program in the kernel space), it may check whether the target system call corresponds to a preset identifier (for example, the preset identifier is used to indicate that the system call has a Netlink access right, and the preset identifier may be an identifier of CAP _ NET _ ADMIN). And if the preset identifier exists, determining that the target system call has a Netlink access right, and if the user corresponding to the target system call is a root user, performing illegal program detection, namely running a code of the detection program in the kernel space.
In addition, if the target system call has no preset identifier, the target system call is determined to have no Netlink access right, and the running of the code of the detection program in the kernel space can be refused. In this way, illegal access of the detection program can be prevented.
Optionally, whether the target system call has a preset identifier may be determined in a white list, an identifier of the system call corresponding to the preset identifier is set in the white list, if the identifier of the target system call exists in the white list, it is determined that the target system call corresponds to the preset identifier, and if the identifier of the target system call does not exist in the white list, it is determined that the target system call does not correspond to the preset identifier.
Optionally, the module structure body may also be detected, and the corresponding processing manner may be as follows:
and when determining that the target module structure body exists in the kernel space, determining that the target module structure body is an illegal program, wherein the target module structure body is used for deleting nodes in the kernel data structure linked list, and the nodes are identifiers of the kernel data structures which can be loaded by the target module structure body in the kernel space.
In implementation, the target module structure is configured to delete a node in the kernel data structure linked list, where the node is an identifier of a kernel data structure that can be loaded by the target module structure in the kernel space. The host can run codes of the detection program in the kernel space through the CPU to acquire the module _ kset structural body and the module structural body, then the module _ kset structural body and the module structural body are compared to determine different contents, the different contents are determined to be the target module structural body, and the target module structural body is an illegal program. Thus, by comparing the module _ kset structure body with the module structure body, Rootkits which hide nodes capable of loading the kernel data structure can be determined, and the Rootkits are used for deleting the nodes which can load the kernel module linked list in the kernel space.
In the embodiment of the application, the initial structure content and the current structure content of the first kernel data structure in the kernel space can be respectively obtained through the first read function and the second read function, and whether an illegal program exists in the first kernel data structure can be determined through a comparison mode, so that the illegal program in the kernel space can be detected.
As shown in fig. 5, another embodiment of the present application further provides a method for detecting a target kernel data structure by a judgment method, and the corresponding processing may be as follows:
The target kernel data structure is a kernel data structure in a kernel space and is easily infected with Rootkits, and the identification of the target kernel data structure is compiled into a detection program to form an identification list of the kernel data structure, for example, the target kernel data structure has a third preset function, a keyboard record table and the like.
In implementation, when rootkits in kernel space need to be detected, a detection procedure in the host may be initiated. For example, the user may click a rootkit option displayed on an interface of the detection program, the host may detect a click command of the option, and invoke the detection program to detect Rootkits in the kernel space in the portion of the kernel space by means of system call. The processing procedure can be as follows: the host can be installed in a part of the kernel space through the detection program, obtain an identifier list of kernel data structures set in the detection program, obtain an identifier of any kernel data structure (which may be referred to as an identifier of a target kernel data structure in the following) from the identifier list, and obtain a target reading function of the target kernel data structure according to the identifier of the target kernel data structure, where the target reading function is used to read the current structure content.
It should be noted that the target read function may be the same as the first read function mentioned above.
Optionally, before obtaining the target read function, first determining a kernel data structure type to which the target kernel data structure belongs, and performing corresponding processing as follows:
acquiring an identifier of a target kernel data structure, and acquiring a corresponding relation between the identifier of the kernel data structure and a kernel data structure type; and determining the kernel data structure type of the target kernel data structure according to the corresponding relation and the identification of the target kernel data structure.
In the correspondence between the identifier of the kernel data structure and the kernel data structure type, the identifiers of the plurality of kernel data structures may correspond to one kernel data structure type, or the identifiers of each kernel data structure may correspond to the kernel data structure types, except that the kernel data structure types corresponding to the identifiers of each kernel data structure are the same.
In implementation, the corresponding relationship between the identifier of the kernel data structure and the type of the kernel data structure is compiled in the detection program, and the host can run the code of the detection program in the kernel space through the CPU to obtain the identifier of the target kernel data structure and obtain the corresponding relationship between the identifier of the kernel data structure and the type of the kernel data structure. And then, determining a target type corresponding to the identifier of the target kernel data structure from the corresponding relation by using the identifier of the target kernel data structure, and determining the target type as the kernel data structure type to which the target kernel data structure belongs. And subsequently, acquiring a target reading function through the target type.
Optionally, the host may determine a target read function corresponding to the target kernel data structure based on the target type, and the corresponding processing may be as follows:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function; determining the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs according to the kernel data structure type to which the target kernel data structure belongs and the corresponding relation between the kernel data structure type and the identifier of the read function; and determining a target reading function corresponding to the target kernel data structure according to the identifier of the reading function corresponding to the kernel data structure type to which the target kernel data structure belongs.
In implementation, the corresponding relationship between the kernel data structure type compiled by the detection program and the identifier of the read function is compiled in the detection program, and after the host determines that the kernel data structure type to which the target kernel data structure belongs is the target type, the corresponding relationship between the kernel data structure type compiled by the detection program and the identifier of the read function can be obtained. And determining the mark of the reading function corresponding to the target type, determining the mark as the mark of the target reading function, and determining the target reading function based on the mark of the target reading function. For example, in a Linux operating system, the identification of the target read function may be probe _ kernel _ read.
In addition, when the target read function corresponding to the target kernel data structure is obtained, the corresponding relationship between the kernel data structure in the detection program and the identifier of the read function may also be obtained, the identifier of the target read function is used, the identifier of the read function corresponding to the identifier of the target kernel data structure is obtained from the corresponding relationship, and the identifier is determined as the identifier of the target read function. The identification can then be used to determine an objective read function in kernel space.
In implementation, the host may run the code of the detection program in the kernel space through the CPU, use the identifier of the target kernel data structure as the input of the target read function, run the code of the target read function, find the actual address corresponding to the identifier of the target kernel data structure, and then use the actual address corresponding to the identifier of the target kernel data structure. And reading the current structure content of the target kernel data structure from the storage area corresponding to the real address. For example, in a Linux operating system, for a target kernel data structure, a probe _ kernel _ read function may be called (that is, a target read function is a probe _ kernel _ read function), an identifier of the target kernel data structure is used as an input of the probe _ kernel _ read function, and an actual address Addr _ current corresponding to the identifier of the target kernel data structure is found. And acquiring the current structure content of the target kernel data structure from the storage area corresponding to the actual address.
The preset structure is a structure for performing illegal processing, such as an instruction for changing an execution path, a node in a keyboard record list, and the like.
In implementation, the host may run a code of the detection program in the kernel space through the CPU, determine whether a preset structure exists in the current structure content in the target kernel data structure, and if so, determine that an illegal program exists in the target kernel data structure.
Optionally, the target kernel data structure is a keyboard record list, and the corresponding Rootkits detection method may be as follows:
and acquiring a keyboard record list, and determining that Rootkits exist in the keyboard record list when nodes exist in the keyboard record list.
In implementation, after the host computer obtains the current structure content of the keyboard record list (keyboard _ notifier _ list) through the detection program, the CPU runs the code of the detection program in the kernel space to determine whether the keyboard _ notifier _ list includes the content (i.e. determines whether the keyboard _ notifier _ list is empty). If the key _ notifier _ list has the content, the content is determined as a notifier node, the notifier node is included in the key _ notifier _ list, and the presence of Rootkits in the key _ notifier _ list is determined. If the keyboard _ notifier _ list has no contents, it is determined that the keyboard _ notifier _ list has no Rootkits.
Optionally, the target kernel data structure is a third preset function, and the corresponding method for detecting Rootkits may be as follows:
and when an instruction for changing the execution path exists at the entrance of the processing function of the third preset function, determining that the third preset function has Rootkits.
In implementation, the host may obtain the processing function of the third preset function by the CPU running the code of the detection program in the kernel space. And then, running the code of the detection program in the kernel space by the CPU, identifying the instruction at the inlet of the processing function of the third preset function, and judging whether the instruction at the inlet of the processing function of the third preset function comprises an instruction (such as call, jump and the like) for changing an execution path. If the entry to the handling function of the third preset function is included, it is determined that the third preset function has Rootkits. If the entry to the processing function of the third preset function is not included, it is determined that the third preset function has no Rootkits. In this way, Rootkits of Inline hook type can be tested.
In the embodiment of the application, the current structure content of the target kernel data structure in the kernel space can be respectively obtained through the target reading function, and whether the illegal program exists in the target kernel data structure can be determined in a judging mode, so that the illegal program in the kernel space can be detected.
In addition, for the two embodiments of the present application, after determining Rootkits in the first kernel data structure and Rootkits in the target kernel data structure, the host may determine them as Rootkits in the kernel space. In this way, Rootkits in kernel space can be detected by a detection program in kernel space.
In addition, the host can send the detected Rootkits to the user space through a netlink protocol, and the host can display the detected Rootkits, so that the detection result can be conveniently checked by the user. Optionally, Rootkits in the first kernel data structure and the target kernel data structure may be sent separately.
Optionally, in this embodiment of the present application, a method for obtaining Rootkits in a kernel space of a Linux operating system on a host from a server is further provided, and corresponding processing may be as follows:
transmitting Rootkits in the kernel space to the user space through the detection program; rootkits in the kernel space are sent to the server through the user space.
In implementation, after determining Rootkits in kernel space by the host through the detection program, the Rootkits in kernel space can be sent to user space through a Netlink (internet link) protocol between the user space and the kernel space, and then the host can send the Rootkits in kernel space to a background server (which may be referred to as a server herein for short) of the detection program through the user space. The process can be realized by the CPU and the transmitter of the host together, the CPU transmits the Rootkits in the kernel space to the user space by running the codes of the detection program in the kernel space, and the transmitter of the host transmits the Rootkits in the kernel space to the server through a wireless network or a wired network.
Therefore, the kernel space Rootkits detection result of the host can be acquired from the server subsequently, and then the Rootkits are cleaned.
In addition, in the embodiment of the application, a plurality of hosts installed with Linux operating systems can be managed in a unified manner, and the processing process can be as follows:
as shown in fig. 6, on each host installed with the Linux operating system, a detection program is installed, and Rootkits detection instructions are periodically (for example, 00:00 points per day, etc.) sent to each managed host through the server. After receiving the Rootkits detection instruction, the host computer can perform Rootkits detection by running a detection program in a code in a kernel space through system call (the detection method is the same as the previous method and is not described again here). After Rootkits in the kernel space are obtained through a detection program in the kernel space, the host can send the detected Rootkits to the user space through a Netlink protocol between the user space and the kernel space, and then the host can send the detected Rootkits to the server through the user space.
Optionally, a code for cleaning Rootkits corresponding to a preset kernel data structure is compiled in the detection program, and after it is determined that Rootkits exist in a certain kernel data structure, the corresponding code for cleaning Rootkits can be found by using the identifier of the kernel data structure, and the code is run to clean the Rootkits in the kernel data structure. Or compiling another cleaning program, installing the cleaning program on the host, and cleaning Rootkits in the kernel data structure by starting the cleaning program through the detection program. And after cleaning, re-detecting by using the mode of detecting Rootkits, determining that Rootkits do not exist in a certain kernel data structure if the Rootkits do not exist in the re-detection for the kernel data structure, and not reporting when the Rootkits detection result is reported. If the Rootkits exist in the kernel data structure, determining that the Rootkits exist in the kernel data structure, and reporting the Rootkits existing in the kernel data structure when the detection result of the Rootkits is reported.
In addition, the embodiment of the application can be applied to an Android system, the Android (Android) system is built based on a Linux operating system, and the method for detecting Rootkits is similar to the method for detecting Rootkits by the Linux operating system, for example, the detection methods of kernel data structures such as a system call table and a network filter function are consistent.
In addition, the idea of the embodiment of the application can be applied to an ios system, a detection program is arranged in the kernel space of the ios system, and Rootkits in the kernel space of the ios system are detected.
It should be noted that, in the above two embodiments of the present application, the first read function and the target read function in the Linux operating system may be probe _ kernel _ read functions, and the second read function may be kallsyms _ lookup _ name functions, which is only an example, and no matter in the Linux operating system or in other operating systems, any function that can be used for reading the current structure content may be the first read function, and any function that can be used for reading the kernel space may be the second read function, which is not limited in the embodiment of the present application.
Fig. 7 is a block diagram of an apparatus for detecting an illegal program according to an embodiment of the present application. The apparatus may be implemented as part or all of an apparatus in software, hardware, or a combination of both. The host provided in the embodiment of the present application can implement the process shown in fig. 3 in the embodiment of the present application, and the apparatus includes: a determining module 710 and an obtaining module 720, wherein:
a determining module 710, configured to determine a first read function and a second read function corresponding to a first kernel data structure in a kernel space, where the first read function is used to read a current structure content, and the second read function is used to read an initial structure content; the determination function in step 301, as well as other implicit steps, may be implemented specifically.
An obtaining module 720, configured to call the first read function, obtain the current structural content of the first kernel data structure in the kernel space, and call the second read function, obtain the initial structural content of the first kernel data structure pre-stored in the kernel space; the obtaining function in step 302, and other implicit steps, may be implemented specifically.
The determining module 710 is further configured to determine that an illegal program exists in the first kernel data structure when the initial structure content of the first kernel data structure is different from the current structure content. The determination function in step 303, and other implicit steps may be implemented specifically.
Optionally, the obtaining module 720 is further configured to:
acquiring an identifier of the first kernel data structure, and acquiring a corresponding relation between the identifier of the kernel data structure and a kernel data structure type;
the determining module 710 is further configured to determine, according to the correspondence and the identifier of the first kernel data structure, a kernel data structure type to which the first kernel data structure belongs.
Optionally, the determining module 710 is configured to:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function;
determining the identifications of two reading functions corresponding to the kernel data structure type to which the first kernel data structure belongs according to the kernel data structure type to which the first kernel data structure belongs and the corresponding relation between the kernel data structure type and the identification of the reading function;
determining a first reading function corresponding to a first kernel data structure in the kernel space according to the identifier of the reading function with a first identifier in the identifiers of the two reading functions, and determining a second reading function corresponding to the first kernel data structure according to the identifier of the reading function with a second identifier in the identifiers of the two reading functions, wherein the first identifier is used for indicating the reading function to read the current structure content, and the second identifier is used for indicating the reading function to read the initial structure content.
Optionally, the determining module 710 is further configured to:
and when determining that the target module structure body exists in the kernel space, determining that the target module structure body is an illegal program, wherein the target module structure body is used for deleting a node in a kernel data structure linked list, and the node is an identifier of a kernel data structure which can be loaded by the target module structure body in the kernel space.
Optionally, as shown in fig. 8, the apparatus further includes:
a receiving module 730, configured to receive a target system call, where the target system call is used to instruct performing illegal program detection;
the determining module 710 is further configured to determine to perform illegal program detection when the target system call corresponds to a preset identifier.
In the embodiment of the application, the initial structure content and the current structure content of the first kernel data structure in the kernel space can be respectively obtained through the first read function and the second read function, and whether an illegal program exists in the first kernel data structure can be determined through a comparison mode, so that the illegal program in the kernel space can be detected.
It should be noted that: in the apparatus for detecting an illegal program according to the above embodiment, when detecting an illegal program, only the division of each functional module is illustrated, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the above described functions. In addition, the apparatus for detecting an illegal program and the method for detecting an illegal program provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and will not be described herein again.
Fig. 9 is a block diagram of an apparatus for detecting an illegal program according to an embodiment of the present application. The apparatus may be implemented as part or all of an apparatus in software, hardware, or a combination of both. The host provided in the embodiment of the present application can implement the process shown in fig. 5 in the embodiment of the present application, and the apparatus includes: a determining module 910 and an obtaining module 920, wherein:
a determining module 910, configured to determine a target reading function corresponding to a target kernel data structure in a kernel space, where the target reading function is used to read a current structure content;
an obtaining module 920, configured to call the target read function, and obtain a current structure content of the target kernel data structure in the kernel space;
the determining module 910 is further configured to determine that an illegal program exists in the target kernel data structure when a preset structure exists in the current structure content of the target kernel data structure, where the preset structure at least includes an instruction for changing an execution path and a malicious hook function.
Optionally, the obtaining module 920 is further configured to:
acquiring the identifier of the target kernel data structure, and acquiring the corresponding relation between the identifier of the kernel data structure and the type of the kernel data structure;
the determining module 910 is further configured to determine, according to the correspondence and the identifier of the target kernel data structure, a kernel data structure type to which the target kernel data structure belongs.
Optionally, the determining module 910 is configured to:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function;
determining the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs according to the kernel data structure type to which the target kernel data structure belongs and the corresponding relation between the kernel data structure type and the identifier of the read function;
and determining a target read function corresponding to the target kernel data structure according to the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs.
Optionally, the preset structure includes an instruction for changing the execution path and a node in the keyboard record list.
In the embodiment of the application, the current structure content of the target kernel data structure in the kernel space can be respectively obtained through the target reading function, and whether the illegal program exists in the target kernel data structure can be determined in a judging mode, so that the illegal program in the kernel space can be detected.
It should be noted that: in the apparatus for detecting an illegal program according to the above embodiment, when detecting an illegal program, only the division of each functional module is illustrated, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the above described functions. In addition, the apparatus for detecting an illegal program and the method for detecting an illegal program provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and will not be described herein again.
In the above embodiments, all or part of the implementation may be realized by software, hardware, firmware or any combination thereof, and when the implementation is realized by software, all or part of the implementation may be realized in the form of a computer program product. The computer program product comprises one or more computer program instructions which, when loaded and executed on a device, cause a process or function according to an embodiment of the application to be performed, in whole or in part. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optics, digital subscriber line) or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium can be any available medium that can be accessed by the apparatus or a data storage device, such as a server, a data center, etc., that is integrated into one or more available media. The usable medium may be a magnetic medium (such as a floppy Disk, a hard Disk, a magnetic tape, etc.), an optical medium (such as a Digital Video Disk (DVD), etc.), or a semiconductor medium (such as a solid state Disk, etc.).
The above description is only one embodiment of the present application and should not be taken as limiting the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (21)
1. A method of detecting an illegal program, the method comprising:
determining a first read function and a second read function corresponding to a first kernel data structure in a kernel space, wherein the first read function is used for reading current structure content, the second read function is used for reading initial structure content, and the first read function and the second read function are located in the kernel space;
calling the first reading function to obtain the current structure content of the first kernel data structure in the kernel space, and calling the second reading function to obtain the initial structure content of the first kernel data structure pre-stored in the kernel space;
and when the initial structure content of the first kernel data structure is different from the current structure content, determining that an illegal program exists in the first kernel data structure.
2. The method of claim 1, further comprising:
acquiring an identifier of the first kernel data structure, and acquiring a corresponding relation between the identifier of the kernel data structure and a kernel data structure type;
and determining the kernel data structure type of the first kernel data structure according to the corresponding relation and the identifier of the first kernel data structure.
3. The method of claim 2, wherein determining the first read function and the second read function corresponding to the first kernel data structure in the kernel space comprises:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function;
determining the identifications of two reading functions corresponding to the kernel data structure type to which the first kernel data structure belongs according to the kernel data structure type to which the first kernel data structure belongs and the corresponding relation between the kernel data structure type and the identification of the reading function;
determining a first reading function corresponding to a first kernel data structure in the kernel space according to the identifier of the reading function with a first identifier in the identifiers of the two reading functions, and determining a second reading function corresponding to the first kernel data structure according to the identifier of the reading function with a second identifier in the identifiers of the two reading functions, wherein the first identifier is used for indicating the reading function to read the current structure content, and the second identifier is used for indicating the reading function to read the initial structure content.
4. The method of any of claims 1 to 3, further comprising:
and when determining that the target module structure body exists in the kernel space, determining that the target module structure body is an illegal program, wherein the target module structure body is used for deleting a node in a kernel data structure linked list, and the node is an identifier of a kernel data structure which can be loaded by the target module structure body in the kernel space.
5. The method of claim 1, further comprising:
receiving a target system call, wherein the target system call is used for indicating illegal program detection;
and when the target system call corresponds to a preset identifier, determining to detect the illegal program.
6. The method of claim 1, wherein the kernel space comprises a kernel that runs above a predetermined level of privilege, having all privileges to access hardware of the host.
7. A method of detecting an illegal program, the method comprising:
determining a target reading function corresponding to a target kernel data structure in a kernel space, wherein the target reading function is used for reading the content of a current structure, and the target reading function is located in the kernel space;
calling the target reading function to obtain the current structure content of the target kernel data structure in the kernel space;
and when a preset structure exists in the current structure content of the target kernel data structure, determining that an illegal program exists in the target kernel data structure, wherein the preset structure is a structure for executing illegal processing.
8. The method of claim 7, further comprising:
acquiring the identifier of the target kernel data structure, and acquiring the corresponding relation between the identifier of the kernel data structure and the type of the kernel data structure;
and determining the kernel data structure type of the target kernel data structure according to the corresponding relation and the identification of the target kernel data structure.
9. The method of claim 8, wherein determining the target read function corresponding to the target kernel data structure in the kernel space comprises:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function;
determining the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs according to the kernel data structure type to which the target kernel data structure belongs and the corresponding relation between the kernel data structure type and the identifier of the read function;
and determining a target read function corresponding to the target kernel data structure according to the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs.
10. The method according to any one of claims 7 to 9, wherein the predetermined structure comprises instructions for changing the execution path, nodes in the keyboard log list.
11. A host computer, characterized in that the host computer comprises a memory and a processor, the memory stores a computer program, when the processor calls the computer program in the memory, the processor is caused to execute the method for detecting illegal programs according to any of claims 1-10.
12. An apparatus for detecting an illegal program, the apparatus comprising: the device comprises a determining module, a determining module and a judging module, wherein the determining module is used for determining a first reading function and a second reading function corresponding to a first kernel data structure in a kernel space, the first reading function is used for reading current structure content, the second reading function is used for reading initial structure content, and the first reading function and the second reading function are located in the kernel space;
an obtaining module, configured to call the first read function, obtain a current structural content of the first kernel data structure in the kernel space, and call the second read function, obtain an initial structural content of the first kernel data structure pre-stored in the kernel space;
the determining module is further configured to determine that an illegal program exists in the first kernel data structure when the initial structure content of the first kernel data structure is different from the current structure content.
13. The apparatus of claim 12, wherein the obtaining module is further configured to:
acquiring an identifier of the first kernel data structure, and acquiring a corresponding relation between the identifier of the kernel data structure and a kernel data structure type;
the determining module is further configured to determine, according to the correspondence and the identifier of the first kernel data structure, a kernel data structure type to which the first kernel data structure belongs.
14. The apparatus of claim 13, wherein the determining module is configured to:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function;
determining the identifications of two reading functions corresponding to the kernel data structure type to which the first kernel data structure belongs according to the kernel data structure type to which the first kernel data structure belongs and the corresponding relation between the kernel data structure type and the identification of the reading function;
determining a first reading function corresponding to a first kernel data structure in the kernel space according to the identifier of the reading function with a first identifier in the identifiers of the two reading functions, and determining a second reading function corresponding to the first kernel data structure according to the identifier of the reading function with a second identifier in the identifiers of the two reading functions, wherein the first identifier is used for indicating the reading function to read the current structure content, and the second identifier is used for indicating the reading function to read the initial structure content.
15. The apparatus of any of claims 12 to 14, wherein the determining module is further configured to:
and when determining that the target module structure body exists in the kernel space, determining that the target module structure body is an illegal program, wherein the target module structure body is used for deleting a node in a kernel data structure linked list, and the node is an identifier of a kernel data structure which can be loaded by the target module structure body in the kernel space.
16. The apparatus of claim 12, further comprising:
the system comprises a receiving module, a judging module and a processing module, wherein the receiving module is used for receiving a target system call, and the target system call is used for indicating illegal program detection;
the determining module is further configured to determine to perform illegal program detection when the target system call corresponds to a preset identifier.
17. An apparatus for detecting an illegal program, the apparatus comprising:
the device comprises a determining module, a determining module and a processing module, wherein the determining module is used for determining a target reading function corresponding to a target kernel data structure in a kernel space, the target reading function is used for reading the content of a current structure, and the target reading function is positioned in the kernel space;
the acquisition module is used for calling the target reading function and acquiring the current structure content of the target kernel data structure in the kernel space;
the determining module is further configured to determine that an illegal program exists in the target kernel data structure when a preset structure exists in the current structure content of the target kernel data structure, where the preset structure at least includes an instruction for changing an execution path and a malicious hook function.
18. The apparatus of claim 17, wherein the obtaining module is further configured to:
acquiring the identifier of the target kernel data structure, and acquiring the corresponding relation between the identifier of the kernel data structure and the type of the kernel data structure;
the determining module is further configured to determine, according to the correspondence and the identifier of the target kernel data structure, a kernel data structure type to which the target kernel data structure belongs.
19. The apparatus of claim 18, wherein the determining module is configured to:
acquiring the corresponding relation between the kernel data structure type and the identification of the read function;
determining the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs according to the kernel data structure type to which the target kernel data structure belongs and the corresponding relation between the kernel data structure type and the identifier of the read function;
and determining a target read function corresponding to the target kernel data structure according to the identifier of the read function corresponding to the kernel data structure type to which the target kernel data structure belongs.
20. A computer program product comprising instructions for causing a host to perform the method of any one of claims 1 to 10 when the computer program product is run on the host.
21. A computer-readable storage medium having stored thereon instructions which, when run on a host, cause the host to perform the method of any one of claims 1-10.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810502710.2A CN108898012B (en) | 2018-05-23 | 2018-05-23 | Method and apparatus for detecting illegal program |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810502710.2A CN108898012B (en) | 2018-05-23 | 2018-05-23 | Method and apparatus for detecting illegal program |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108898012A CN108898012A (en) | 2018-11-27 |
| CN108898012B true CN108898012B (en) | 2021-01-29 |
Family
ID=64343107
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810502710.2A Active CN108898012B (en) | 2018-05-23 | 2018-05-23 | Method and apparatus for detecting illegal program |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108898012B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110232276A (en) * | 2019-06-03 | 2019-09-13 | 浙江大华技术股份有限公司 | A kind of hold-up interception method, terminal device and the computer storage medium of program operation |
| CN112307468B (en) * | 2019-07-31 | 2024-04-02 | 腾讯科技(深圳)有限公司 | Software detection method, software detection device and medium |
| CN111563259B (en) * | 2020-07-15 | 2020-12-01 | 北京升鑫网络科技有限公司 | Puppet process detection method and device, readable storage medium and computing device |
| CN113836529A (en) * | 2021-09-06 | 2021-12-24 | 杭州逗酷软件科技有限公司 | Process detection method, device, storage medium and computer equipment |
| CN114598740B (en) * | 2022-03-04 | 2024-02-02 | 北京优炫软件股份有限公司 | Micro-isolation data grabbing method and system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103679013A (en) * | 2012-09-03 | 2014-03-26 | 腾讯科技(深圳)有限公司 | System rogue program detecting method and device |
| CN103699839A (en) * | 2013-12-09 | 2014-04-02 | Tcl集团股份有限公司 | Method and device of detection processing of core-level rootkit |
| CN104598823A (en) * | 2015-01-21 | 2015-05-06 | 华东师范大学 | Kernel level rootkit detection method and system in Andriod system |
| CN106599685A (en) * | 2016-09-26 | 2017-04-26 | 哈尔滨安天科技股份有限公司 | Kernel level Rootkit detection method and system |
| CN107679399A (en) * | 2017-10-19 | 2018-02-09 | 郑州云海信息技术有限公司 | A kind of Malicious Code Detection sandbox system and detection method based on container |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8839450B2 (en) * | 2007-08-02 | 2014-09-16 | Intel Corporation | Secure vault service for software components within an execution environment |
| US9734333B2 (en) * | 2012-04-17 | 2017-08-15 | Heat Software Usa Inc. | Information security techniques including detection, interdiction and/or mitigation of memory injection attacks |
| US9934376B1 (en) * | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
-
2018
- 2018-05-23 CN CN201810502710.2A patent/CN108898012B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103679013A (en) * | 2012-09-03 | 2014-03-26 | 腾讯科技(深圳)有限公司 | System rogue program detecting method and device |
| CN103699839A (en) * | 2013-12-09 | 2014-04-02 | Tcl集团股份有限公司 | Method and device of detection processing of core-level rootkit |
| CN104598823A (en) * | 2015-01-21 | 2015-05-06 | 华东师范大学 | Kernel level rootkit detection method and system in Andriod system |
| CN106599685A (en) * | 2016-09-26 | 2017-04-26 | 哈尔滨安天科技股份有限公司 | Kernel level Rootkit detection method and system |
| CN107679399A (en) * | 2017-10-19 | 2018-02-09 | 郑州云海信息技术有限公司 | A kind of Malicious Code Detection sandbox system and detection method based on container |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108898012A (en) | 2018-11-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108898012B (en) | Method and apparatus for detecting illegal program | |
| EP3123311B1 (en) | Malicious code protection for computer systems based on process modification | |
| CN109831420B (en) | Method and device for determining kernel process permission | |
| CN109471697B (en) | Method, device and storage medium for monitoring system call in virtual machine | |
| CN109784062B (en) | Vulnerability detection method and device | |
| JP5832954B2 (en) | Tag assignment device and tag assignment method | |
| CN111782416A (en) | Data reporting method, device, system, terminal and computer readable storage medium | |
| CN111125688B (en) | Process control method and device, electronic equipment and storage medium | |
| CN114065196A (en) | Java memory horse detection method and device, electronic equipment and storage medium | |
| CN111353143A (en) | Sensitive authority detection method and device and storage medium | |
| US11914710B2 (en) | System and method for application tamper discovery | |
| CN114021115A (en) | Malicious application detection method and device, storage medium and processor | |
| CN111597553A (en) | Process processing method, device, equipment and storage medium in virus searching and killing | |
| US20160092313A1 (en) | Application Copy Counting Using Snapshot Backups For Licensing | |
| CN111428240B (en) | Method and device for detecting illegal access of memory of software | |
| US20240028746A1 (en) | Exploit detection via induced exceptions | |
| CN112231198A (en) | Malicious process debugging method and device, electronic equipment and medium | |
| US10809924B2 (en) | Executable memory protection | |
| CN113010885B (en) | Method and device for detecting kernel thread disguised with start address | |
| CN113836542B (en) | Trusted white list matching method, system and device | |
| US11899782B1 (en) | Preserving DLL hooks | |
| RU2700185C1 (en) | Method for detecting hidden software in a computing system operating under a posix-compatible operating system | |
| CN108345789B (en) | Record the method and device of accessing operation information | |
| CN117150487A (en) | Dynamic link library file injection detection method and device | |
| CN117744082A (en) | Method and device for detecting malicious software in operating system and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |