CN109271789A - Malicious process detection method, device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN109271789A
Authority
CN
China
Prior art keywords
thread
target
shellcode
address space
execution
Legal status
Granted
Application number
CN201811135316.6A
Other languages
Chinese (zh)
Other versions
CN109271789B (en)
Inventor
苏文杰
杨峰
Current Assignee
Zhuhai Seal Interest Technology Co Ltd
Original Assignee
Zhuhai Juntian Electronic Technology Co Ltd
Application filed by Zhuhai Juntian Electronic Technology Co Ltd
Priority to CN201811135316.6A
Publication of CN109271789A
Application granted
Publication of CN109271789B
Legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

Embodiments of the present invention provide a malicious process detection method, device, electronic equipment and storage medium, for solving the technical problem that it is difficult to detect a driver process that has been controlled by malware. The method includes: obtaining the process identifier (PID) corresponding to a target process; determining, according to the PID, the multiple threads and multiple execution modules corresponding to the target process; obtaining the execution address space corresponding to each thread of the multiple threads, so as to obtain multiple execution address spaces; and determining, according to the multiple execution address spaces and the multiple execution modules, whether the target process has been maliciously modified. Implementing the embodiments of the present invention can improve the security of electronic equipment.

Description

Malicious process detection method, device, electronic equipment and storage medium
Technical field
The present invention relates to the technical field of electronic equipment, and in particular to a malicious process detection method, device, electronic equipment and storage medium.
Background technique
Malware refers to programs such as viruses, worms and Trojan horses that perform malicious tasks on a computer system and take control by damaging software processes. With the development of electronic device technology, malware is being developed and spread ever more quickly.
A driver, generally referred to as a device driver, is a separate program that enables the electronic equipment to communicate with a device. It is equivalent to the interface of the hardware: only through this interface can the operating system control the operation of the hardware device. If malware is implanted into a driver, the security of the electronic equipment is necessarily affected.
Summary of the invention
Embodiments of the present invention provide a malicious process detection method, device, electronic equipment and storage medium, for solving the technical problem that it is difficult to detect a driver process that has been controlled by malware, and can improve the security of electronic equipment.
A first aspect of the embodiments of the present invention provides a malicious process detection method, comprising:
obtaining the process identifier (PID) corresponding to a target process;
determining, according to the PID, the multiple threads and multiple execution modules corresponding to the target process;
obtaining the execution address space corresponding to each thread of the multiple threads, so as to obtain multiple execution address spaces;
determining, according to the multiple execution address spaces and the multiple execution modules, whether the target process has been maliciously modified.
With reference to the first aspect of the embodiments of the present invention, in a first possible implementation of the first aspect, determining, according to the multiple execution address spaces and the multiple execution modules, whether the target process has been maliciously modified comprises:
matching each execution address space of the multiple execution address spaces against each execution module of the multiple execution modules;
if a target execution address space of the multiple execution address spaces fails to match every execution module of the multiple execution modules, labelling the thread information of the target thread corresponding to the target execution address space as Shellcode thread information;
determining, according to the Shellcode thread information, whether the target process has been maliciously modified.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, determining, according to the Shellcode thread information, whether the target process has been maliciously modified comprises:
obtaining the initial address corresponding to the Shellcode thread according to the Shellcode thread information;
obtaining the Shellcode module corresponding to the Shellcode thread according to the initial address;
obtaining the debug file information corresponding to the Shellcode module;
if the debug file information meets a default interception rule, determining that the target process has been maliciously modified.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further comprises:
obtaining the portable executable (PE) file information corresponding to each dangerous process of multiple predetermined dangerous processes, so as to obtain multiple items of PE file information;
analysing the multiple items of PE file information to obtain multiple target dimensions;
obtaining, from each item of PE file information, the characteristic information corresponding to each target dimension of the multiple target dimensions, so as to obtain multiple characteristic information sets;
generating the default interception rule according to the multiple characteristic information sets.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, analysing the multiple items of PE file information to obtain multiple target dimensions comprises:
obtaining the attribute type corresponding to each item of PE file information, so as to obtain multiple attribute types;
obtaining the malicious modification probability corresponding to each attribute type of the multiple attribute types, so as to obtain multiple malicious modification probabilities;
taking the attribute types whose malicious modification probability is less than a target threshold as the target dimensions.
A second aspect of the embodiments of the present invention provides a malicious process detection device, comprising:
an acquiring unit, for obtaining the process identifier (PID) corresponding to a target process;
a determination unit, for determining, according to the PID, the multiple threads and multiple execution modules corresponding to the target process;
the acquiring unit being further used for obtaining the execution address space corresponding to each thread of the multiple threads, so as to obtain multiple execution address spaces;
the determination unit being further used for determining, according to the multiple execution address spaces and the multiple execution modules, whether the target process has been maliciously modified.
With reference to the second aspect of the embodiments of the present invention, in a first possible implementation of the second aspect, in determining, according to the multiple execution address spaces and the multiple execution modules, whether the target process has been maliciously modified, the determination unit is specifically used for: matching each execution address space of the multiple execution address spaces against each execution module of the multiple execution modules; if a target execution address space of the multiple execution address spaces fails to match every execution module of the multiple execution modules, labelling the thread information of the target thread corresponding to the target execution address space as Shellcode thread information; and determining, according to the Shellcode thread information, whether the target process has been maliciously modified.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, in determining, according to the Shellcode thread information, whether the target process has been maliciously modified, the acquiring unit is further used for obtaining the initial address corresponding to the Shellcode thread according to the Shellcode thread information, obtaining the Shellcode module corresponding to the Shellcode thread according to the initial address, and obtaining the debug file information corresponding to the Shellcode module; and the determination unit is specifically used for determining that the target process has been maliciously modified if the debug file information meets a default interception rule.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the acquiring unit is further used for obtaining the portable executable (PE) file information corresponding to each dangerous process of multiple predetermined dangerous processes, so as to obtain multiple items of PE file information; analysing the multiple items of PE file information to obtain multiple target dimensions; obtaining, from each item of PE file information, the characteristic information corresponding to each target dimension of the multiple target dimensions, so as to obtain multiple characteristic information sets; and generating the default interception rule according to the multiple characteristic information sets.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, in analysing the multiple items of PE file information to obtain multiple target dimensions, the acquiring unit is specifically used for obtaining the attribute type corresponding to each item of PE file information, so as to obtain multiple attribute types; obtaining the malicious modification probability corresponding to each attribute type of the multiple attribute types, so as to obtain multiple malicious modification probabilities; and taking the attribute types whose malicious modification probability is less than a target threshold as the target dimensions.
A third aspect of the embodiments of the present invention provides electronic equipment, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic equipment; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the malicious process detection method provided by the first aspect of the embodiments of the present invention.
A fourth aspect of the embodiments of the present invention provides a non-transitory computer-readable storage medium, wherein the storage medium stores a computer program which, when executed by a processor, implements the malicious process detection method provided by the first aspect of the embodiments of the present invention.
A fifth aspect of the embodiments of the present invention provides an application program, wherein the application program, when run, executes the malicious process detection method provided by the first aspect of the embodiments of the present invention.
In the embodiments of the present invention, the PID corresponding to a target process is obtained; the multiple threads and multiple execution modules corresponding to the target process are determined according to the PID; the execution address space corresponding to each thread of the multiple threads is obtained so as to obtain multiple execution address spaces; and whether the target process has been maliciously modified is determined according to the multiple execution address spaces and the multiple execution modules. In this way, recognition is performed according to the specific location where each thread executes and the position of the process's corresponding execution template, detecting whether the target process has been maliciously modified, which improves the accuracy and efficiency of detecting malware.
Detailed description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly introduced below. It is evident that the drawings in the following description are only some embodiments of the present invention, and that a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a malicious process detection method provided in an embodiment of the present invention;
Fig. 2 is a flow chart of another malicious process detection method provided in an embodiment of the present invention;
Fig. 3 is a structural diagram of a malicious process detection device provided in an embodiment of the present invention;
Fig. 4 is a structural diagram of electronic equipment provided in an embodiment of the present invention.
Specific embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. It is evident that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third" and the like in the description, claims and drawings of this specification are used to distinguish different objects, not to describe a particular order. Furthermore, the terms "comprising" and "having", and any variants of them, are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but optionally further includes steps or units that are not listed, or optionally further includes other steps or units inherent to the process, method, product or device.
Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of the present invention. The appearance of this phrase at various places in the description does not necessarily refer to the same embodiment, nor to an independent or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein can be combined with other embodiments.
The electronic equipment described in the embodiments of the present invention may include a smart phone (such as an Android phone), a tablet computer, a palmtop computer, a laptop, a mobile internet device (MID) or a wearable device, etc. The above devices are only examples and not exhaustive; the electronic equipment includes but is not limited to those listed.
For ease of understanding, the terms involved in the embodiments of the present invention are explained first:
A process is the running activity of a program on a certain data set in a computer; it is the basic unit by which the system allocates and schedules resources, and is the foundation of the operating system structure. In early process-oriented computer architectures, the process was the basic execution entity of a program; in contemporary thread-oriented computer architectures, the process is the container of threads. A program is a description of instructions, data and their organisation, and a process is the entity of the program.
A thread, sometimes called a lightweight process (LWP), is the smallest unit of a program's execution flow. A standard thread consists of a thread ID, the current instruction pointer (PC), a register set and a stack. A thread is also an entity within a process and is the basic unit independently scheduled and dispatched by the system; a thread owns no system resources of its own, only the few resources essential to running, but it can share all the resources owned by the process with the other threads belonging to the same process. One thread can create and cancel another thread, and multiple threads in the same process can execute concurrently. Each program has at least one thread; if a program has only one thread, that thread is the program itself.
Portable executable (PE) file: the executable program file in Microsoft's Windows operating system (which may be executed indirectly, such as a dynamic link library (DLL) file).
DLL file: in a system, many applications are not a single complete executable file; they are divided into some relatively independent dynamic link libraries, i.e. DLL files. When a program is executed, the corresponding DLL files are called, each DLL implementing a different software function. A tester can write a new DLL file and have the target program load and execute it.
Program database (PDB) file: a symbol file for debugging, generated by the integrated development environment software provided by Microsoft (Microsoft Visual Studio, VS), which stores debugging information. A PE file is usually stored together with a program database (PDB) file. The PDB file stores the debugging and project status information of the application's binary file and records all variables and the relative positions and sizes of the main information tables; these tables can hold information about resources, imports, exports, relocations, debugging, thread-local storage and Component Object Model (COM) runtime data. The debugging information helps the debugger analyse the internal layout of the program being debugged; when the program is recompiled, the debugging information correctly reflects the modification of variables and functions, and this information can be used to perform incremental linking of the program's debug configuration.
Debugging information is likewise generated during the running of the application corresponding to malware, i.e. a PDB file also exists, and this PDB file is difficult to modify; therefore analysing the PDB file helps to provide clues for further analysis of the malicious sample.
Shellcode is a piece of code (possibly also padding data) that is sent to a server by exploiting a particular vulnerability, and is generally able to obtain privileges. In addition, Shellcode is usually sent to the attacked server as data.
The embodiments of the present invention provide a malicious process detection method, device, electronic equipment and storage medium, for solving the technical problem that it is difficult to detect a driver process that has been controlled by malware, and can improve the security of electronic equipment. These are described in detail below.
Referring to Fig. 1, Fig. 1 is a flow diagram of a malicious process detection method provided in an embodiment of the present invention. The malicious process detection method is suitable for electronic equipment such as mobile phones and tablet computers. As shown in Fig. 1, the malicious process detection method may comprise the following steps.
S101: obtain the process identifier (PID) corresponding to a target process.
In this application, the target process may be a process corresponding to the operating system of the electronic equipment, or a process corresponding to an application installed in the electronic equipment, etc.; further, the target process is a driver process.
This application does not limit the method for obtaining the PID corresponding to the target process. A start instruction may be detected, the start instruction including the identification information of the target process, so that the PID can be obtained; the identifier of the target program or the PID may also be obtained according to the file path corresponding to the target process, etc.
This application also does not limit the conditions under which the PID corresponding to the target process is obtained. The target process may be obtained periodically by anti-virus software (for example, Jinshan anti-virus software), or it may be obtained when the target process starts, etc.; that is, whether the target process has been modified by a rogue program is detected periodically or at start-up.
S102: determine, according to the PID, the multiple threads and multiple execution modules corresponding to the target process.
In this application, a thread includes the identifier of the executing process, and an execution template also includes the identifier of the corresponding executing process; thus, according to the PID of the target process, the multiple threads that execute the target process and the multiple execution modules corresponding to executing the target process can be determined.
S103: obtain the execution address space corresponding to each thread of the multiple threads, so as to obtain multiple execution address spaces.
S104: determine, according to the multiple execution address spaces and the multiple execution modules, whether the target process has been maliciously modified.
In this application, a thread is not hardware, and the execution address space is the location where the thread executes; that is to say, recognition is performed according to the specific location where the thread executes and the position of the process's corresponding execution template, to determine whether the target process has been maliciously modified.
In the malicious process detection method described in Fig. 1, the PID corresponding to the target process is obtained; the multiple threads and multiple execution modules corresponding to the target process are determined according to the PID; the execution address space corresponding to each thread of the multiple threads is obtained so as to obtain multiple execution address spaces; and whether the target process has been maliciously modified is determined according to the multiple execution address spaces and the multiple execution modules. In this way, recognition is performed according to the specific location where each thread executes and the position of the process's corresponding execution template, detecting whether the target process has been maliciously modified and improving the accuracy and efficiency of detecting malware.
Consistent with the embodiment of Fig. 1, referring to Fig. 2, Fig. 2 is a flow chart of another malicious process detection method provided in an embodiment of the present invention. The malicious process detection method is suitable for electronic equipment such as mobile phones and tablet computers. As shown in Fig. 2, the malicious process detection method may comprise the following steps.
S201: obtain the PID corresponding to a target process.
S202: determine, according to the PID, the multiple threads and multiple execution modules corresponding to the target process.
S203: obtain the execution address space corresponding to each thread of the multiple threads, so as to obtain multiple execution address spaces.
Steps S201 to S203 may refer to the description of steps S101 to S103, and are not described again here.
S204: match each execution address space of the multiple execution address spaces against each execution module of the multiple execution modules.
S205: if a target execution address space of the multiple execution address spaces fails to match every execution module of the multiple execution modules, label the thread information of the target thread corresponding to the target execution address space as Shellcode thread information.
It can be understood that, since Shellcode is a piece of code, if the target process contains Shellcode, the execution address corresponding to its thread will necessarily differ from the addresses corresponding to the execution modules. Therefore each execution address space of the multiple execution address spaces is matched against each execution module of the multiple execution modules; when a target execution address space fails to match every execution module, this indicates that the target execution address holds a specific piece of code, so the target execution address space can be taken as Shellcode thread information. Recognition is then performed according to the Shellcode thread information to determine whether the target process has been maliciously modified.
S206: determine, according to the Shellcode thread information, whether the target process has been maliciously modified.
Since the thread corresponding to the Shellcode thread information does not match any execution module, recognition is further performed according to the Shellcode thread information to determine whether the target process has been maliciously modified. This application does not limit how the Shellcode thread information is used to determine whether the target process has been maliciously modified. In a possible embodiment, determining, according to the Shellcode thread information, whether the target process has been maliciously modified comprises: obtaining the initial address corresponding to the Shellcode thread according to the Shellcode thread information; obtaining the Shellcode module corresponding to the Shellcode thread according to the initial address; obtaining the debug file information corresponding to the Shellcode module; and, if the debug file information meets a default interception rule, determining that the target process has been maliciously modified.
The initial address is the execution address corresponding to the Shellcode thread. It can be understood that the initial address corresponding to the Shellcode thread is obtained according to the Shellcode thread information; the Shellcode module corresponding to executing the Shellcode thread is determined according to the initial address; the debug file information corresponding to the Shellcode module is then obtained; and if the debug file information meets the default interception rule, it is determined that the target process has been maliciously modified, the modified content being the program corresponding to the Shellcode thread information.
This application does not limit the default interception rule: it may be a naming rule for files or variable names, the safety of the storage path, or the relevance between the file identifier and the target process, etc.
In one possible embodiment, the method further includes: obtaining the portable executable (PE) file information corresponding to each dangerous process among a plurality of predetermined dangerous processes, to obtain multiple pieces of PE file information; analysing the multiple pieces of PE file information to obtain multiple target dimensions; obtaining, from each piece of PE file information, the characteristic information corresponding to each of the target dimensions, to obtain multiple characteristic information sets; and generating the default interception rule from the multiple characteristic information sets.
Here a dangerous process is a process that has been determined to be dangerous by security verification carried out on the electronic device, or a process that poses a danger to the electronic device. The security verification method is not limited: it may be periodic scanning by security software, or a security scan carried out each time software starts or after software is installed, etc.
The multiple pieces of PE file information are the file information of the PE file corresponding to each of the dangerous processes, where each piece of PE file information includes a PDB file, i.e. the debugging information of the process.
In other words, the PE file information of each dangerous process is first obtained to give multiple pieces of PE file information, which are then analysed to obtain multiple target dimensions; multiple characteristic information sets corresponding to the pieces of PE file information are determined from the target dimensions, and the default interception rule is generated from those characteristic information sets. Generating the default interception rule from the target dimensions in this way helps improve detection accuracy.
This application does not limit the method for determining the target dimensions. In one possible embodiment, analysing the multiple pieces of PE file information to obtain multiple target dimensions includes: obtaining the attribute type corresponding to each piece of PE file information, to obtain multiple attribute types; obtaining the malicious modification probability corresponding to each attribute type, to obtain multiple malicious modification probabilities; and taking as the target dimensions those attribute types whose malicious modification probability is less than a target threshold.
Here the attribute types include the file path, the file header information, and the types shown when all records are listed, namely the offset address, length, attribute and flag of each record; the malicious modification probability is the probability that a given attribute type is modified by a rogue program, and the larger the malicious modification probability, the more easily the attribute is modified.
In other words, the attribute type of each piece of file information is first determined to obtain multiple attribute types, then the malicious modification probability of each attribute type is determined to obtain multiple malicious modification probabilities; the attribute types whose malicious modification probability is less than the target threshold are then selected from the multiple attribute types as the target dimensions. The characteristic information of the selected target dimensions is therefore hard to modify, which improves the accuracy of detecting the target program.
This application does not limit the target threshold. In one possible embodiment, the method further includes: applying a message digest algorithm to the target process to obtain a hash value, and determining the target threshold from the hash value.
Here the message digest algorithm (MD4 Message-Digest Algorithm) is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used to ensure that information is transmitted completely and consistently.
In other words, the hash value of the target program is obtained with the message digest algorithm, and the target threshold is determined from the malicious modification probability corresponding to that hash value; this helps make the determination of the target threshold accurate.
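As an added example, not the patent's own code, the following Python builds the default interception rule the way this embodiment describes: attribute types whose malicious modification probability is below the target threshold become the target dimensions, the characteristic information of each dangerous process on those dimensions forms a characteristic information set, and the rule is the collection of those sets. The probabilities, the threshold and the PE records are constructed inputs, since the page does not specify how they are computed.

```python
"""Added example (not the patent's code): generating the default interception
rule from the PE file information of predetermined dangerous processes, then
applying it to the debugging file information of one Shellcode module.

The page does not say how the malicious modification probabilities or the
target threshold are computed, so both are plain constructed inputs here,
as are the PE records themselves.
"""
from typing import Dict, List, Set, Tuple

PEInfo = Dict[str, object]

# Attribute types of a piece of PE file information, as listed in the text:
# file path, file header information, and the offset address, length,
# attribute and flag of each record.
ATTRIBUTE_TYPES = ("file_path", "header_info", "record_offset",
                   "record_length", "record_attribute", "record_flag")

# Constructed: probability that a rogue program modifies each attribute type.
MODIFICATION_PROBABILITY: Dict[str, float] = {
    "file_path": 0.90,         # trivially changed by copying or renaming the file
    "header_info": 0.20,
    "record_offset": 0.15,
    "record_length": 0.10,
    "record_attribute": 0.35,
    "record_flag": 0.50,
}

# Constructed PE file information for three predetermined dangerous processes.
DANGEROUS_PE_INFO: List[PEInfo] = [
    {"file_path": r"C:\Users\a\Temp\drop1.exe", "header_info": "PE32+ GUI",
     "record_offset": 0x3A40, "record_length": 0x6C,
     "record_attribute": "CODEVIEW", "record_flag": 0},
    {"file_path": r"D:\tmp\svc.exe", "header_info": "PE32+ GUI",
     "record_offset": 0x3A40, "record_length": 0x6C,
     "record_attribute": "CODEVIEW", "record_flag": 1},
    {"file_path": r"C:\ProgramData\x\loader.exe", "header_info": "PE32 CONSOLE",
     "record_offset": 0x2100, "record_length": 0x58,
     "record_attribute": "CODEVIEW", "record_flag": 0},
]


def select_target_dimensions(probabilities: Dict[str, float], threshold: float) -> List[str]:
    """Attribute types whose malicious modification probability is below the threshold.

    Attributes that rogue programs change easily (here the file path) are
    dropped, so the rule is built only from values that are hard to modify.
    """
    return [a for a in ATTRIBUTE_TYPES if probabilities.get(a, 1.0) < threshold]


def feature_set(pe_info: PEInfo, dimensions: List[str]) -> Tuple:
    """The characteristic information of one PE record on the target dimensions."""
    return tuple(pe_info[d] for d in dimensions)


def generate_interception_rule(pe_infos: List[PEInfo], dimensions: List[str]) -> Set[Tuple]:
    """The default interception rule: the set of characteristic information sets."""
    return {feature_set(p, dimensions) for p in pe_infos}


def meets_interception_rule(debug_file_info: PEInfo, rule: Set[Tuple],
                            dimensions: List[str]) -> bool:
    """A Shellcode module's debugging file information meets the rule when its
    values on every target dimension equal those of a known dangerous process."""
    try:
        return feature_set(debug_file_info, dimensions) in rule
    except KeyError:          # record lacks one of the dimensions: cannot match
        return False


TARGET_THRESHOLD = 0.30       # constructed; the text derives it from a hash of the target process
TARGET_DIMENSIONS = select_target_dimensions(MODIFICATION_PROBABILITY, TARGET_THRESHOLD)
DEFAULT_RULE = generate_interception_rule(DANGEROUS_PE_INFO, TARGET_DIMENSIONS)

# Constructed debugging file information of a Shellcode module: the file was
# renamed and moved, but the stable dimensions still match a dangerous process.
SAMPLE_DEBUG_INFO: PEInfo = {
    "file_path": r"C:\Windows\Temp\zz.exe", "header_info": "PE32+ GUI",
    "record_offset": 0x3A40, "record_length": 0x6C,
    "record_attribute": "RESERVED", "record_flag": 7,
}

if __name__ == "__main__":
    print("target dimensions:", TARGET_DIMENSIONS)
    print("rule has", len(DEFAULT_RULE), "characteristic information sets")
    print("sample meets rule:",
          meets_interception_rule(SAMPLE_DEBUG_INFO, DEFAULT_RULE, TARGET_DIMENSIONS))
```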
In the malicious process detection method described with reference to Fig. 2, the process identifier (PID) of the target process is obtained; the multiple threads and multiple execution modules corresponding to the target process are determined according to the process identifier; the execution address space corresponding to each of the threads is obtained, to obtain multiple execution address spaces; each execution address space is then matched against each of the execution modules; if a target execution address space fails to match every execution module, the thread information of the target thread corresponding to that execution address space is labelled as Shellcode thread information; and whether the target process has been maliciously modified is determined according to the Shellcode thread information. Because Shellcode generally does not reside in the address space of a normal module, detecting on this basis whether the target process has been maliciously modified improves the accuracy and efficiency of malware detection.
Consistent with the embodiments of Fig. 1 and Fig. 2, reference is made to Fig. 3, which is a structural diagram of a malicious process detection device provided by an embodiment of the present invention. The malicious process detection device may be provided in an electronic device such as a mobile phone or a tablet computer. As shown in Fig. 4, the malicious process detection device 300 includes:
an acquiring unit 301 for obtaining the process identifier (PID) of a target process;
a determination unit 302 for determining the multiple threads and multiple execution modules corresponding to the target process according to the process identifier;
the acquiring unit 301 is further used to obtain the execution address space corresponding to each thread of the multiple threads, to obtain multiple execution address spaces;
the determination unit 302 is further used to determine whether the target process has been maliciously modified according to the multiple execution address spaces and the multiple execution modules.
In one possible embodiment, in determining whether the target process has been maliciously modified according to the multiple execution address spaces and the multiple execution modules, the determination unit 302 is specifically used to match each execution address space of the multiple execution address spaces against each execution module of the multiple execution modules; if a target execution address space of the multiple execution address spaces fails to match every execution module of the multiple execution modules, to label the thread information of the target thread corresponding to the target execution address space as Shellcode thread information; and to determine whether the target process has been maliciously modified according to the Shellcode thread information.
In one possible embodiment, in determining whether the target process has been maliciously modified according to the Shellcode thread information, the acquiring unit 301 is further used to obtain the initial address of the Shellcode thread according to the Shellcode thread information, to obtain the Shellcode module corresponding to the Shellcode thread according to the initial address, and to obtain the debugging file information corresponding to the Shellcode module; and the determination unit 302 is specifically used to determine that the target process has been maliciously modified if the debugging file information meets the default interception rule.
In one possible embodiment, the acquiring unit 301 is further used to obtain the portable executable (PE) file information corresponding to each dangerous process among a plurality of predetermined dangerous processes, to obtain multiple pieces of PE file information; to analyse the multiple pieces of PE file information to obtain multiple target dimensions; to obtain, from each piece of PE file information, the characteristic information corresponding to each of the target dimensions, to obtain multiple characteristic information sets; and to generate the default interception rule according to the multiple characteristic information sets.
In one possible embodiment, in analysing the multiple pieces of PE file information to obtain multiple target dimensions, the acquiring unit 301 is specifically used to obtain the attribute type corresponding to each piece of PE file information, to obtain multiple attribute types; to obtain the malicious modification probability corresponding to each attribute type, to obtain multiple malicious modification probabilities; and to take as the target dimensions those attribute types whose malicious modification probability is less than the target threshold.
In the malicious process detection device described with reference to Fig. 3, the process identifier (PID) of the target process is obtained; the multiple threads and multiple execution modules corresponding to the target process are determined according to the process identifier; the execution address space corresponding to each of the threads is obtained, to obtain multiple execution address spaces; and whether the target process has been maliciously modified is determined according to the multiple execution address spaces and the multiple execution modules. In this way, whether the target process has been maliciously modified is detected by identifying the specific location where each thread executes against the position of the corresponding execution template of the process, which improves the accuracy and efficiency of malware detection.
Consistent with the embodiments of Fig. 1 and Fig. 2, reference is made to Fig. 4, which shows an electronic device disclosed by an embodiment of the present invention. The electronic device may be a mobile phone, a tablet computer, etc. As shown in Fig. 4, the electronic device may include a housing 401, a processor 402, a memory 403, a circuit board 404 and a power supply circuit 405, where the circuit board 404 is placed inside the space enclosed by the housing, and the processor 402 and the memory 403 are arranged on the circuit board 404; the power supply circuit 405 supplies power to each circuit or device of the electronic device; the memory 403 stores executable program code; and the processor 402 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 403, in order to execute the following steps:
obtaining the process identifier (PID) of a target process;
determining the multiple threads and multiple execution modules corresponding to the target process according to the process identifier;
obtaining the execution address space corresponding to each thread of the multiple threads, to obtain multiple execution address spaces;
determining whether the target process has been maliciously modified according to the multiple execution address spaces and the multiple execution modules.
As a possible embodiment, in determining whether the target process has been maliciously modified according to the multiple execution address spaces and the multiple execution modules, the processor 402 is specifically used to execute the following operations:
matching each execution address space of the multiple execution address spaces against each execution module of the multiple execution modules;
if a target execution address space of the multiple execution address spaces fails to match every execution module of the multiple execution modules, labelling the thread information of the target thread corresponding to the target execution address space as Shellcode thread information;
determining whether the target process has been maliciously modified according to the Shellcode thread information.
As a possible embodiment, in determining whether the target process has been maliciously modified according to the Shellcode thread information, the processor 402 is specifically used to execute the following operations:
obtaining the initial address of the Shellcode thread according to the Shellcode thread information;
obtaining the Shellcode module corresponding to the Shellcode thread according to the initial address;
obtaining the debugging file information corresponding to the Shellcode module;
if the debugging file information meets the default interception rule, determining that the target process has been maliciously modified.
As a possible embodiment, the processor 402 is further used to execute the following operations:
obtaining the portable executable (PE) file information corresponding to each dangerous process among a plurality of predetermined dangerous processes, to obtain multiple pieces of PE file information;
analysing the multiple pieces of PE file information to obtain multiple target dimensions;
obtaining, from each piece of PE file information, the characteristic information corresponding to each of the target dimensions, to obtain multiple characteristic information sets;
generating the default interception rule according to the multiple characteristic information sets.
As a possible embodiment, in analysing the multiple pieces of PE file information to obtain multiple target dimensions, the processor 402 is specifically used to execute the following operations:
obtaining the attribute type corresponding to each piece of PE file information, to obtain multiple attribute types;
obtaining the malicious modification probability corresponding to each attribute type, to obtain multiple malicious modification probabilities;
taking as the target dimensions those attribute types whose malicious modification probability is less than the target threshold.
In the electronic device described with reference to Fig. 4, the process identifier (PID) of the target process is obtained; the multiple threads and multiple execution modules corresponding to the target process are determined according to the process identifier; the execution address space corresponding to each of the threads is obtained, to obtain multiple execution address spaces; and whether the target process has been maliciously modified is determined according to the multiple execution address spaces and the multiple execution modules. In this way, whether the target process has been maliciously modified is detected by identifying the specific location where each thread executes against the position of the corresponding execution template of the process, which improves the accuracy and efficiency of malware detection.
One embodiment provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the malicious process detection method shown in the embodiment of Fig. 1 or Fig. 2.
One embodiment provides an application program which, when run, executes the malicious process detection method shown in the embodiment of Fig. 1 or Fig. 2.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may include a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc, etc.
The malicious process detection method, device and electronic device provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to illustrate the principles and implementation of the invention, and the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, those skilled in the art may, following the idea of the invention, make changes in the specific implementation and scope of application; in conclusion, the content of this specification should not be understood as limiting the invention.

Claims (10)

1. A malicious process detection method, characterized in that it comprises:
obtaining a process identifier (PID) of a target process;
determining a plurality of threads and a plurality of execution modules corresponding to the target process according to the process identifier;
obtaining an execution address space corresponding to each thread of the plurality of threads, to obtain a plurality of execution address spaces;
determining whether the target process has been maliciously modified according to the plurality of execution address spaces and the plurality of execution modules.
2. The method according to claim 1, characterized in that determining whether the target process has been maliciously modified according to the plurality of execution address spaces and the plurality of execution modules comprises:
matching each execution address space of the plurality of execution address spaces against each execution module of the plurality of execution modules;
if a target execution address space of the plurality of execution address spaces fails to match every execution module of the plurality of execution modules, labelling thread information of a target thread corresponding to the target execution address space as Shellcode thread information;
determining whether the target process has been maliciously modified according to the Shellcode thread information.
3. The method according to claim 2, characterized in that determining whether the target process has been maliciously modified according to the Shellcode thread information comprises:
obtaining an initial address corresponding to a Shellcode thread according to the Shellcode thread information;
obtaining a Shellcode module corresponding to the Shellcode thread according to the initial address;
obtaining debugging file information corresponding to the Shellcode module;
if the debugging file information meets a default interception rule, determining that the target process has been maliciously modified.
4. The method according to claim 3, characterized in that the method further comprises:
obtaining portable executable (PE) file information corresponding to each dangerous process of a plurality of predetermined dangerous processes, to obtain a plurality of pieces of PE file information;
analysing the plurality of pieces of PE file information to obtain a plurality of target dimensions;
obtaining, from each piece of PE file information of the plurality of pieces of PE file information, characteristic information corresponding to each target dimension of the plurality of target dimensions, to obtain a plurality of characteristic information sets;
generating the default interception rule according to the plurality of characteristic information sets.
5. The method according to claim 4, characterized in that analysing the plurality of pieces of PE file information to obtain a plurality of target dimensions comprises:
obtaining an attribute type corresponding to each piece of PE file information of the plurality of pieces of PE file information, to obtain a plurality of attribute types;
obtaining a malicious modification probability corresponding to each attribute type of the plurality of attribute types, to obtain a plurality of malicious modification probabilities;
taking, as the target dimensions, the attribute types corresponding to those malicious modification probabilities of the plurality of malicious modification probabilities that are less than a target threshold.
6. A malicious process detection device, characterized in that it comprises:
an acquiring unit for obtaining a process identifier (PID) of a target process;
a determination unit for determining a plurality of threads and a plurality of execution modules corresponding to the target process according to the process identifier;
the acquiring unit being further used to obtain an execution address space corresponding to each thread of the plurality of threads, to obtain a plurality of execution address spaces;
the determination unit being further used to determine whether the target process has been maliciously modified according to the plurality of execution address spaces and the plurality of execution modules.
7. The device according to claim 6, characterized in that, in determining whether the target process has been maliciously modified according to the plurality of execution address spaces and the plurality of execution modules, the determination unit is specifically used to: match each execution address space of the plurality of execution address spaces against each execution module of the plurality of execution modules; if a target execution address space of the plurality of execution address spaces fails to match every execution module of the plurality of execution modules, label thread information of a target thread corresponding to the target execution address space as Shellcode thread information; and determine whether the target process has been maliciously modified according to the Shellcode thread information.
8. The device according to claim 7, characterized in that, in determining whether the target process has been maliciously modified according to the Shellcode thread information, the acquiring unit is further used to obtain an initial address corresponding to a Shellcode thread according to the Shellcode thread information, obtain a Shellcode module corresponding to the Shellcode thread according to the initial address, and obtain debugging file information corresponding to the Shellcode module; and the determination unit is specifically used to determine that the target process has been maliciously modified if the debugging file information meets a default interception rule.
9. An electronic device, characterized in that it comprises: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is used to supply power to each circuit or device of the electronic device; the memory is used to store executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the method according to any one of claims 1 to 5.
10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method according to any one of claims 1 to 5.
CN201811135316.6A 2018-09-27 2018-09-27 Malicious process detection method and device, electronic equipment and storage medium Active CN109271789B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811135316.6A CN109271789B (en) 2018-09-27 2018-09-27 Malicious process detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109271789A true CN109271789A (en) 2019-01-25
CN109271789B CN109271789B (en) 2021-09-28

Family

ID=65197976

Country Status (1)

Country Link
CN (1) CN109271789B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110889116A (en) * 2019-11-15 2020-03-17 珠海豹趣科技有限公司 Advertisement blocking method and device and electronic equipment
CN111639339A (en) * 2020-05-26 2020-09-08 珠海豹趣科技有限公司 Process monitoring method and device, electronic equipment and storage medium
CN111651763A (en) * 2020-05-26 2020-09-11 珠海豹趣科技有限公司 Process monitoring method and device, electronic equipment and storage medium
CN114285617A (en) * 2021-12-20 2022-04-05 北京安天网络安全技术有限公司 Network threat monitoring method and device, electronic equipment and readable storage medium
CN114792008A (en) * 2022-06-24 2022-07-26 珠海市魅族科技有限公司 Method, device, equipment and storage medium for reporting privilege-offering vulnerability data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103839007A (en) * 2014-03-03 2014-06-04 珠海市君天电子科技有限公司 Method and system for detecting abnormal threading
CN105095763A (en) * 2015-08-10 2015-11-25 北京金山安全软件有限公司 vulnerability defense method and device and electronic equipment
CN105488405A (en) * 2014-12-25 2016-04-13 哈尔滨安天科技股份有限公司 PDB debug information based malicious code analysis method and system
US9411953B1 (en) * 2013-05-24 2016-08-09 Symantec Corporation Tracking injected threads to remediate malware
CN106228066A (en) * 2016-07-13 2016-12-14 北京金山安全软件有限公司 Method and device for preventing malicious modification of process address space and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20191125

Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Applicant after: Zhuhai Seal Interest Technology Co., Ltd.

Address before: 519070, No. 10, main building, No. six, science Road, Harbour Road, Tang Wan Town, Guangdong, Zhuhai, 601F

Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd.

GR01 Patent grant