CN109471697B - Method, device and storage medium for monitoring system call in virtual machine - Google Patents


Info

Publication number: CN109471697B (granted patent; the published application is CN109471697A)
Application number: CN201711250086.3A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Inventors: 关墨辰, 王永亮, 李林哲, 王小丰, 肖新光
Assignee (current and original): Beijing Antiy Network Technology Co Ltd
Prior art keywords: virtual machine, system call, information, monitored, monitored process

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

The embodiment of the invention provides a method, a device and a storage medium for monitoring system calls in a virtual machine, which solve the problems that existing monitoring methods are easily discovered and evaded by malicious software and easily affect the stability of the guest. The method comprises the following steps: for a virtual machine that needs to be monitored, reading the description information corresponding to that virtual machine from a configuration file; determining the memory segment of a monitored process in the virtual machine according to the read description information; acquiring information of the monitored process according to the data stored in the determined memory segment; determining, according to the acquired information of the monitored process, that the currently executed system call is a system call initiated by the running monitored process; and processing the relevant information of the currently executed system call.

Description

Method, device and storage medium for monitoring system call in virtual machine
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, and a storage medium for monitoring system calls in a virtual machine.
Background
With the development and popularization of computer technology, computer applications have penetrated into people's work and daily life and have become indispensable tools and home entertainment equipment. Along with the wide use of computers, corresponding computer security problems have also appeared. Tempted by money, some hackers use malicious programs that exploit computer security vulnerabilities to steal users' computer information and damage computer systems, causing huge economic losses to computer users.
In order to detect such malicious programs, computer security researchers have developed corresponding antivirus tools, for example running a piece of unknown code in a sandbox and judging whether the code is malicious by monitoring its runtime behavior. A sandbox is a facility that monitors runtime behavior in order to uncover potentially malicious code; the sandbox runs in a virtual machine, and the virtual machine is a virtual device installed on a host machine by means of virtual machine software.
At present, in sandboxes and sandbox-like systems, calls to the kernel-layer Application Programming Interfaces (APIs) of the virtual machine operating system are generally monitored inside the virtual machine based on the hooking principle. There are two common approaches: one modifies the kernel system call table, and the other dynamically replaces a kernel API according to its address. Essentially, both implant or insert custom execution logic into the kernel API.
These monitoring methods are implemented inside the virtual machine. They are relatively simple to implement, but are easily discovered and escaped by malicious software that checks the well-known hook points. On the other hand, because the monitoring program runs in the kernel layer of the virtual machine, it has a great influence on the stability of the virtual machine's operating system, and the consequences are often fatal: in mild cases the system stalls and services become abnormal, and in severe cases the system crashes and hangs frequently.
In summary, existing monitoring methods are easily discovered and evaded by malicious software and easily affect the stability of the virtual machine.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a storage medium for monitoring system calls in a virtual machine, which solve the problems that existing monitoring methods are easily discovered and evaded by malicious software and easily affect the stability of the guest.
Based on the above problem, an embodiment of the present invention provides a method for monitoring system calls in a virtual machine, including:
for a virtual machine that needs to be monitored, reading the description information corresponding to that virtual machine from a configuration file;
determining a memory segment of a monitored process in the virtual machine according to the read description information;
acquiring information of the monitored process according to the data stored in the determined memory segment;
according to the acquired information of the monitored process, determining that the currently executed system call is the system call initiated by the running monitored process;
and processing the relevant information of the system call currently executed.
The device for monitoring system call in a virtual machine provided by the embodiment of the invention comprises a memory and a processor, wherein the memory is used for storing a plurality of instructions, and the processor is used for loading the instructions stored in the memory to execute:
for a virtual machine that needs to be monitored, reading the description information corresponding to that virtual machine from a configuration file;
determining a memory segment of a monitored process in the virtual machine according to the read description information;
acquiring information of the monitored process according to the data stored in the determined memory segment;
according to the acquired information of the monitored process, determining that the currently executed system call is the system call initiated by the running monitored process;
and processing the relevant information of the system call currently executed.
The non-volatile computer storage medium provided by the embodiment of the present invention stores computer-executable instructions, and when these instructions are executed, the method for monitoring system calls in a virtual machine provided by the embodiment of the present invention is implemented.
The embodiment of the invention has the beneficial effects that:
The method, device and storage medium for monitoring system calls in a virtual machine provided by the embodiment of the invention first read the description information corresponding to the virtual machine to be monitored from the configuration file, then determine the memory segment of the monitored process in the virtual machine according to the read description information, obtain the information of the monitored process from the data stored in the determined memory segment, determine from that information that the currently executed system call is a system call initiated by the currently running monitored process, and process the relevant information of the currently executed system call. The system calls to be monitored in the operating system of the virtual machine are thus monitored and processed from outside the virtual machine, namely on the host running the virtual machine, which avoids the problems that monitoring inside the virtual machine is easily discovered and evaded by malicious software and easily affects the stability of the virtual machine.
Drawings
Fig. 1 is a relationship diagram of each participating module when the method for monitoring system calls in a virtual machine according to the embodiment of the present invention is in operation;
fig. 2 is a flowchart of a method for monitoring a system call in a virtual machine according to an embodiment of the present invention;
fig. 3 is a flowchart of another method for monitoring system calls in a virtual machine according to an embodiment of the present invention;
fig. 4 is a structural diagram of an apparatus for monitoring a system call in a virtual machine according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method, a device and a storage medium for monitoring system calls in a virtual machine. The method monitors the target process in the virtual machine directly from outside the virtual machine, namely from the host machine running the virtual machine: using the description information read from the configuration file that corresponds to the virtual machine to be monitored, it calls the corresponding operation interface to determine the memory interval of the virtual machine, then obtains the memory segment of the monitored process in the virtual machine and from it the information of the monitored process, so that when the system call currently being executed is a system call initiated by the running monitored process, the method processes the relevant information of that system call. This avoids the problems that monitoring performed inside the virtual machine is easily discovered and evaded by malicious software and easily affects the stability of the virtual machine.
The relationship between the participating modules when the method for monitoring system calls in a virtual machine provided by the embodiment of the invention runs is shown in fig. 1: the virtual machine software works on the host machine and is responsible for managing the operation of the virtual machine, and the operation interface and the introspection interface provided on the host machine are required; the virtual machine is a virtual device installed on the host machine by means of the virtual machine software; the host machine is the carrier of the virtual machine and is a real physical device; the sandbox system runs in the virtual machine and is responsible for executing the program to be monitored; the monitoring program is a program containing code that implements the method for monitoring system calls in a virtual machine provided by the embodiment of the invention.
The following describes specific embodiments of a method, an apparatus, and a storage medium for monitoring a system call in a virtual machine according to embodiments of the present invention with reference to the accompanying drawings.
The method for monitoring system call in a virtual machine provided by the embodiment of the invention, as shown in fig. 2, includes:
S201, for the virtual machine that needs to be monitored, reading the description information corresponding to that virtual machine from a configuration file; after a sample program is put into the sandbox, the virtual machine started by the sandbox is the virtual machine that needs to be monitored;
s202, determining a memory segment of the monitored process in the virtual machine according to the read description information;
S203, acquiring the information of the monitored process according to the data stored in the determined memory segment; the information of the monitored process comprises the process name, process number, process start address, stack, parent process number, child process number and so on;
s204, determining that the currently executed system call is the system call initiated by the running monitored process according to the acquired information of the monitored process;
and S205, processing the relevant information of the currently executed system call.
The configuration file contains the data structure information of each system, collected in advance for the different virtual machine operating systems. It describes and clarifies the information of each virtual machine, including the type of virtual machine software, the type of virtual machine operating system, the virtual machine name, the offsets of key data structures, the file path of the kernel symbol table, and so on.
When the operating system of the virtual machine is a Linux system, the configuration file may be as shown in Table 1:

Item          Example           Description
vm_type       kvm               Virtual machine type
vm_name       vm_ubuntu         Virtual machine name
os_type       linux             Type of virtual machine operating system
linux_task    0x448             Offset of task in current
linux_mm      0x480             Offset of mm in current
linux_pid     0x4a8             Offset of pid in current
linux_pname   0x678             Offset of name in current
sysmap_path   /tmp/system.map   Path of kernel symbol table

Table 1

When the operating system of the virtual machine is a Windows system, the configuration file may be as shown in Table 2:

Item          Example           Description
vm_type       kvm               Virtual machine type
vm_name       vm_winxp          Virtual machine name
os_type       windows           Type of virtual machine operating system
win_task      0x88              Offset of task
win_pdbase    0x18              Offset of mm
win_pid       0x84              Offset of pid
win_pname     0x174             Offset of pname
sysmap_path   /tmp/system.map   Path of kernel symbol table

Table 2

The configuration file may be represented in the following form:
[Figure GDA0003090533500000061: example of the configuration file]
Optionally, the method for monitoring a system call in a virtual machine according to an embodiment of the present invention, as shown in fig. 3, includes:
S301, for the virtual machine that needs to be monitored, screening out the description information corresponding to that virtual machine from the configuration file;
S302, according to the virtual machine name and the virtual machine software type given in the screened description information, calling the query interface of the corresponding virtual machine software to search for the virtual machine that needs to be monitored among the active virtual machines;
S303, judging whether a virtual machine uniquely corresponding to the screened description information is found among the active virtual machines; if so, executing S304; if not, executing S319;
If no such virtual machine is found, either the virtual machine uniquely corresponding to the screened description information has not been started or the screened description information (the virtual machine name and the virtual machine software type) is wrong, so a corresponding error message can be displayed and the process ends. If the virtual machine uniquely corresponding to the configuration can be found from the information described in the configuration, all the information about the found virtual machine is read from the configuration file and stored.
S304, reading all the description information of the found virtual machine from the configuration file;
Verifying whether the screened description information is that of the virtual machine that needs to be monitored can be done by calling the API provided by each virtual machine software; the specific form is not limited and may be a command line, a python interface or a C interface, with the same effect. Here a kvm virtual machine is taken as an example and the python interface provided by libvirt is used: libvirt.open('qemu:///system') is called to obtain the information of all kvm virtual machines, and the name is then used to match the virtual machine to be monitored with the call lookupByName(vm_name).
After the description information in the configuration file has been read, the type of the virtual machine's operating system is determined, and the data of the read description information is then checked for legality;
S305, judging whether the numerical values of the read description information are legal; if so, executing S306; otherwise, executing S319;
When a numerical value in the read description information is less than or equal to 0, the read description information is considered illegal and the process ends; otherwise, the read description information is legal;
S306, determining the memory offsets of the virtual machine to be monitored from the read description information;
S307, performing process traversal according to the determined memory offsets, and acquiring the memory segments of all processes running in the virtual machine;
Before the traversal, a starting address must be found, and the memory interval of the whole virtual machine is traversed from that starting point. On a Linux system the address of init_task plus the offset of task is taken as the list head; on a Windows system the address of PsActiveProcessHead is taken as the head; the circular traversal then starts from the head (starting address) to obtain the memory segments of all processes in the virtual machine;
In addition, the memory interval of the virtual machine can be obtained by either of the following two methods:
(1) using the memory access interface provided by the virtual machine management software, choosing a suitable API according to the usage scenario, for example the memory access interface provided by qemu or the operation interface provided by libvirt;
(2) using the introspection technology of the virtual machine: common virtual machine software has a corresponding introspection mechanism, and the open interface of the virtual machine software is called to capture the contents of a specified address. Open-source projects can also be used; the known libvmi open-source project already supports xen and kvm virtual machines, and the supported guests include windows (98/2000/2003/xp), linux and others;
Neither method requires the conversion from physical address to virtual address to be implemented manually, since the converted virtual address is obtained directly through the corresponding API interface; they are therefore the most labor-saving and efficient methods, and the data obtained in this way is the most accurate;
S308, determining the memory segment of the monitored process among the acquired memory segments of all processes according to the process name of the monitored process;
S309, converting the data stored in the determined memory segment into high-level semantic information according to the data structure described in the read description information, to obtain the information of the monitored process; the monitored process information comprises the process name, process number, process start address, stack, parent process number, child process number and so on;
The following two schemes can be used to convert the data stored in the determined memory segment, i.e. binary data, into high-level semantic information:
1. analyzing the kernel data structures of the virtual machine and translating the binary data, according to the corresponding data structure, into semantic information of the target system that a human can understand;
2. obtaining the loaded-module or process information directly through the ready-made library functions and access interfaces of the virtual machine software system; the data obtained in this way, however, is limited;
The method for monitoring system calls in a virtual machine provided by the embodiment of the invention adopts the first scheme for semantic conversion, so that more low-level semantic information can be obtained, adjustments can be made at any time according to one's own needs, and modification is more convenient;
S310, judging whether the monitored process is running; if so, executing S311, otherwise, executing S319;
To judge whether a process is still running in the Linux kernel, the task_struct structure of the process is obtained; its member state represents the state of the process, and if the value of task_struct.state is greater than 0, the process has stopped.
To judge whether a process is still running on a Windows system, the pid or pname of the process is acquired using the process address obtained at the beginning; if the pid or pname can be obtained successfully, the process is running, and if no information is obtained or an access error occurs, the monitored process has ended.
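As an added worked example (not code from the patent), the following Python reconstructs steps S305 to S310 for a Linux guest: it takes the Table 1 offsets, walks the process list from init_task over a constructed in-memory guest image that stands in for the VMI read interface, converts each task_struct into process information, selects the monitored process by name and applies the running check. The linux_state offset, the task_struct size and the kernel base address are assumptions made for the toy image only.

```python
import struct

# Description information for a Linux guest, with the values from Table 1 of the
# text; offsets are relative to the start of a process's task_struct ("current").
# linux_state is NOT in Table 1: it is an offset assumed for this toy image only.
CONFIG = {
    "vm_type": "kvm", "vm_name": "vm_ubuntu", "os_type": "linux",
    "linux_task": 0x448,   # offset of the `tasks` list_head inside task_struct
    "linux_mm": 0x480,     # offset of the `mm` pointer
    "linux_pid": 0x4a8,    # offset of `pid`
    "linux_pname": 0x678,  # offset of `comm` (process name, 16 bytes)
    "linux_state": 0x10,   # assumed offset of `state` (signed long)
    "sysmap_path": "/tmp/system.map",
}
TASK_SIZE = 0x700                 # assumed size of one task_struct in the toy image
COMM_LEN = 16                     # TASK_COMM_LEN in Linux
KERNEL_BASE = 0xffffffff81c00000  # constructed address at which the image is mapped


def validate_config(cfg):
    """S305: every numeric value in the description information must be > 0."""
    bad = [k for k, v in cfg.items() if isinstance(v, int) and v <= 0]
    if bad:
        raise ValueError(f"illegal description values: {bad}")
    return True


class GuestMemory:
    """Stand-in for a VMI read interface (libvmi, libvirt): reads an in-memory
    image instead of a live guest and refuses addresses outside the image."""

    def __init__(self, base, image):
        self.base, self.image = base, image

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.image):
            raise ValueError(f"address {addr:#x} outside guest image")
        return self.image[off:off + size]

    def read_fmt(self, fmt, addr):
        # One little-endian value described by a struct format character.
        return struct.unpack("<" + fmt, self.read(addr, struct.calcsize(fmt)))[0]


def build_image(tasks, base, cfg=CONFIG):
    """Construct a toy guest image: one TASK_SIZE block per task, chained through
    the `tasks` list_head as the Linux kernel does it (next points at the next
    task's list_head; the last one points back at init_task's head)."""
    n = len(tasks)
    buf = bytearray(TASK_SIZE * n)
    for i, (pid, name, mm, state) in enumerate(tasks):
        here = i * TASK_SIZE
        nxt = base + ((i + 1) % n) * TASK_SIZE + cfg["linux_task"]
        prv = base + ((i - 1) % n) * TASK_SIZE + cfg["linux_task"]
        struct.pack_into("<QQ", buf, here + cfg["linux_task"], nxt, prv)
        struct.pack_into("<Q", buf, here + cfg["linux_mm"], mm)
        struct.pack_into("<I", buf, here + cfg["linux_pid"], pid)
        struct.pack_into("<q", buf, here + cfg["linux_state"], state)
        comm = name.encode()[:COMM_LEN - 1]
        buf[here + cfg["linux_pname"]:here + cfg["linux_pname"] + len(comm)] = comm
    return bytes(buf)


def task_info(mem, cfg, task_addr):
    """S309: translate raw task_struct bytes into high-level semantic information."""
    raw_name = mem.read(task_addr + cfg["linux_pname"], COMM_LEN)
    return {
        "addr": task_addr,
        "pid": mem.read_fmt("I", task_addr + cfg["linux_pid"]),
        "name": raw_name.split(b"\0", 1)[0].decode(errors="replace"),
        "mm": mem.read_fmt("Q", task_addr + cfg["linux_mm"]),
        "state": mem.read_fmt("q", task_addr + cfg["linux_state"]),
    }


def walk_processes(mem, cfg, init_task_addr, limit=4096):
    """S307: start at init_task + offset of `tasks` and follow the circular list;
    `limit` guards against a corrupted or deliberately looped list."""
    head = init_task_addr + cfg["linux_task"]
    procs, cur = [], mem.read_fmt("Q", head)
    while cur != head:
        if len(procs) >= limit:
            raise RuntimeError("task list too long or cyclic")
        procs.append(task_info(mem, cfg, cur - cfg["linux_task"]))
        cur = mem.read_fmt("Q", cur)
    return procs


def find_monitored(mem, cfg, init_task_addr, pname):
    """S308: select the monitored process from the traversal by its name."""
    return [p for p in walk_processes(mem, cfg, init_task_addr) if p["name"] == pname]


def is_running(proc):
    """S310, criterion as stated in the text: task_struct.state > 0 means stopped."""
    return proc["state"] <= 0


# Constructed guest: init_task (pid 0), init (pid 1), the sandboxed sample (pid 1234)
# and an earlier sample with the same name that has already stopped (state 4).
SAMPLE_TASKS = [(0, "swapper/0", 0, 0), (1, "init", 0x7f1000000000, 0),
                (1234, "sample", 0x7f2000000000, 0), (1200, "sample", 0x7f3000000000, 4)]
GUEST = GuestMemory(KERNEL_BASE, build_image(SAMPLE_TASKS, KERNEL_BASE))
INIT_TASK = KERNEL_BASE  # would normally be looked up in the kernel symbol table (sysmap_path)
```

Note that a name match alone returns both sample processes; only the state check in is_running separates the live one from the finished one.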
S311, acquiring the currently executed system call;
S312, finding the original initiator of the system call according to the stack information of the currently executed system call;
On both windows and linux the id of the currently executed system call is in the eax register, so the system call id can be obtained simply by reading the value of eax; the executed system call and the positions and values of the other corresponding registers are then determined from the system call id. The eax register can be read directly through the virtual register operation interface of the virtual machine software.
For example, on a 32-bit linux system, the parameters of the ptrace system call (0x1a) are obtained as request from ebx, pid from ecx, addr from edx and data from esi, each of which is 32 bits long.
For a user-mode address pointer passed as a system call parameter, the memory page containing that address is loaded into physical memory at the time the system call is made, so it can be converted directly into a physical address and accessed.
The register-passed parameters of Windows system calls can be obtained by disassembling the relevant functions or collected from the network. Code for acquiring the result of a monitored system call can be added where instructions such as iret and sysexit are handled. On Linux the result of a system call is in EAX. For Windows, the mechanism by which the result of a system call is passed can be obtained through reverse engineering; the results of typical system calls are found in EAX (low word) and EDX (high word).
S313, judging whether the function address of the original initiator is within the address range of the running monitored process; if so, executing S314; otherwise, executing S310;
S314, determining that the currently executed system call is a system call initiated by the running monitored process;
S315, obtaining the relevant information of the currently executed system call;
S316, judging whether the acquired system call related information is being acquired for the first time; if so, executing S317, otherwise, executing S318;
S317, recording the acquired system call related information;
S318, judging whether the acquired system call related information differs from the most recently recorded system call related information; if so, executing S317, otherwise, executing S310. In this way repeated records are eliminated: two consecutive identical sets of system call information are not both recorded as system call logs, storage space is saved, and a system call that takes a long time is not recorded repeatedly. If the comparison shows that they are identical, no log is written; a log is written only when the system call information obtained the two times differs or is obtained for the first time (that is, no system call log has been recorded before). The storage form of the system call log is not limited and may be a file, a database or even a binary format, as long as the two parties reading and writing it agree on the same format.
S319, ending the flow of the method for monitoring system calls in a virtual machine provided by the embodiment of the invention.
In the method for monitoring system calls in a virtual machine provided by the embodiment of the invention, the steps from the judgment that the monitored process is running onward form a loop: that judgment and the steps after it are repeated continuously until the monitored process is detected to have ended, at which point the end of the monitored process is indicated and the acquisition of the system call log is marked as complete.
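As an added example (not the patent's code), the following Python models steps S311 to S318 over constructed register snapshots: it reads the system call id from eax and the parameters from the registers named above (ptrace 0x1a from ebx, ecx, edx, esi), attributes the call to the monitored process by checking that the saved user-mode return address lies inside the process's address range, and writes a log entry only when it is the first one or differs from the last entry recorded. The user_eip and retval fields of the snapshot and the process address range are assumptions standing in for the stack walk and the process information.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# 32-bit Linux system call numbers and the registers carrying their parameters.
# 0x1a ptrace(request, pid, addr, data) is the case given in the text; the other
# entries are standard i386 numbers added for this example.
SYSCALLS_I386 = {
    0x03: ("read", ("ebx", "ecx", "edx")),
    0x04: ("write", ("ebx", "ecx", "edx")),
    0x05: ("open", ("ebx", "ecx", "edx")),
    0x1a: ("ptrace", ("ebx", "ecx", "edx", "esi")),
}


@dataclass(frozen=True)
class SyscallRecord:
    """Relevant information of one executed system call (S315)."""
    pid: int
    name: str
    args: Tuple[int, ...]
    retval: Optional[int]  # EAX after iret/sysexit; None if not observed yet


def decode_syscall(regs, table=SYSCALLS_I386):
    """S311: the id is in eax; which registers hold the parameters follows from it.
    `regs` is a snapshot of the guest's virtual registers (a dict here)."""
    sid = regs["eax"] & 0xFFFFFFFF
    if sid not in table:
        return f"sys_{sid:#x}", ()
    name, arg_regs = table[sid]
    return name, tuple(regs[r] & 0xFFFFFFFF for r in arg_regs)


def initiated_by_monitored(regs, proc_range):
    """S312/S313: the original initiator is the user-mode code that trapped into
    the kernel; its saved return address must fall inside the monitored process's
    address range. `user_eip` and `proc_range` are assumptions standing in for
    the stack walk and the address field taken from the process information."""
    start, end = proc_range
    return start <= regs["user_eip"] < end


class SyscallLog:
    """S316-S318: keep the first record and every record that differs from the
    most recently kept one, so a call that is observed repeatedly while it is
    still executing is logged once."""

    def __init__(self):
        self.records = []

    def offer(self, rec):
        if not self.records or rec != self.records[-1]:
            self.records.append(rec)
            return True
        return False


def monitor_snapshot(regs, monitored, log):
    """One pass of the S310-S318 loop over a captured register snapshot.
    Returns the record if it was logged, otherwise None."""
    if not initiated_by_monitored(regs, monitored["range"]):
        return None
    name, args = decode_syscall(regs)
    rec = SyscallRecord(monitored["pid"], name, args, regs.get("retval"))
    return rec if log.offer(rec) else None


# Constructed data: the monitored process and five register snapshots taken while
# it runs. PTRACE_ATTACH is 16; snapshot 4 comes from a different process and
# snapshot 2 is the same long-running ptrace call observed a second time.
MONITORED = {"pid": 1234, "range": (0x08048000, 0x08100000)}
SNAPSHOTS = [
    {"eax": 0x1a, "ebx": 16, "ecx": 4321, "edx": 0, "esi": 0, "user_eip": 0x0804A120},
    {"eax": 0x1a, "ebx": 16, "ecx": 4321, "edx": 0, "esi": 0, "user_eip": 0x0804A120},
    {"eax": 0x04, "ebx": 1, "ecx": 0x0805F000, "edx": 5, "user_eip": 0x0804A200, "retval": 5},
    {"eax": 0x04, "ebx": 1, "ecx": 0xBFFF0000, "edx": 5, "user_eip": 0xB7700000},
    {"eax": 0x1a, "ebx": 16, "ecx": 4321, "edx": 0, "esi": 0, "user_eip": 0x0804A120},
]


def run_demo():
    """Feed the snapshots through the loop; returns the log and per-snapshot decisions."""
    log = SyscallLog()
    decisions = [monitor_snapshot(s, MONITORED, log) is not None for s in SNAPSHOTS]
    return log, decisions


if __name__ == "__main__":
    demo_log, demo_decisions = run_demo()
    for rec in demo_log.records:
        print(rec)
```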
Based on the same inventive concept, embodiments of the present invention further provide an apparatus and a storage medium for monitoring system call in a virtual machine, and because the principle of the problem solved by the apparatus is similar to the method for monitoring system call in a virtual machine, the implementation of the apparatus and the storage medium may refer to the implementation of the method, and repeated details are not repeated.
As shown in fig. 4, the apparatus for monitoring a system call in a virtual machine according to an embodiment of the present invention includes a memory 41 and a processor 42, where the memory 41 is configured to store a plurality of instructions, and the processor 42 is configured to load the instructions stored in the memory 41 to execute:
for a virtual machine that needs to be monitored, reading the description information corresponding to that virtual machine from a configuration file;
determining a memory segment of a monitored process in the virtual machine according to the read description information;
acquiring information of the monitored process according to the data stored in the determined memory segment;
according to the acquired information of the monitored process, determining that the currently executed system call is the system call initiated by the running monitored process;
and processing the relevant information of the system call currently executed.
Optionally, the processor 42 is configured to load instructions stored in the memory 41 to perform:
for the virtual machine that needs to be monitored, screening out the description information corresponding to that virtual machine from the configuration file;
according to the virtual machine name and the virtual machine software type given in the screened description information, calling the query interface of the corresponding virtual machine software to search for the virtual machine that needs to be monitored among the active virtual machines;
and when a virtual machine uniquely corresponding to the screened description information can be found among the active virtual machines, reading all the description information of the found virtual machine from the configuration file.
Further, the processor 42 is also configured to load instructions stored in the memory 41 to perform:
after the description information corresponding to the virtual machine is read from the configuration file, before the memory segment of the monitored process in the virtual machine is determined, the numerical value of the read description information is determined to be legal.
Optionally, the processor 42 is configured to load instructions stored in the memory 41 to perform:
determining the memory offset of the virtual machine to be monitored from the read description information;
performing process traversal according to the determined memory offset, and acquiring memory segments of all processes running in the virtual machine;
and determining the memory segment of the monitored process from the acquired memory segments of all the processes according to the process name of the monitored process.
Optionally, the processor 42 is configured to load instructions stored in the memory 41 to perform:
and converting the data stored in the determined memory segment into high-level semantic information according to the data structure described in the read description information to obtain the information of the monitored process.
Further, the processor 42 is also configured to load instructions stored in the memory 41 to perform:
after the information of the monitored process is obtained according to the data stored in the determined memory segment, and before it is determined from that information that the currently executed system call is a system call initiated by the running monitored process, determining that the monitored process is running.
Optionally, the processor 42 is configured to load instructions stored in the memory 41 to perform:
finding the initial initiator of the system call from the stack information of the system call currently being executed;
and, when the function address of the initial initiator lies within the address range of the running monitored process, determining that the currently executing system call was initiated by the running monitored process.
Optionally, the processor 42 is configured to load instructions stored in the memory 41 to perform:
acquiring the relevant information of the currently executing system call;
and recording the acquired system call information when it differs from the most recently recorded system call information, or when system call information is being acquired for the first time.
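The configuration lookup, the legality check on the description values, and the offset-driven process traversal described in the processor paragraphs above (and restated in claims 1 to 4 below), as an added worked example. This is not the patent's code: the JSON configuration layout, the `query_active_vms` stand-in for the VM software's query interface, the descriptor offsets in the profile and the guest memory image are all constructed for the illustration. The traversal follows the Linux convention that a list pointer addresses the embedded list node of the next descriptor rather than the descriptor itself, which is the detail a profile must get right for the walk to land on real process descriptors.

```python
import json
import struct

# Constructed configuration file (hypothetical layout, not the patent's format). Each entry
# names a VM, its VM software type, the process to watch, and a guest-kernel profile:
# the offsets inside the process descriptor that the traversal below relies on.
CONFIG_JSON = """
[
  {"vm_name": "guest-a", "vmm": "kvm", "monitored_process": "sshd",
   "profile": {"struct_size": 64, "tasks_off": 8, "pid_off": 16,
               "comm_off": 24, "comm_len": 16, "init_task_paddr": 4096}},
  {"vm_name": "guest-b", "vmm": "xen", "monitored_process": "nginx",
   "profile": {"struct_size": 64, "tasks_off": 8, "pid_off": 16,
               "comm_off": 24, "comm_len": 16, "init_task_paddr": 4096}}
]
"""


def load_config():
    return json.loads(CONFIG_JSON)


def query_active_vms(vmm):
    """Stand-in for the VM software's query interface (constructed; a real one would
    ask libvirt, xl, etc.). Two active xen guests share a name on purpose."""
    return {"kvm": ["guest-a", "guest-a-clone"], "xen": ["guest-b", "guest-b"]}.get(vmm, [])


def select_description(config, vm_name, vmm):
    """Screen the config for (vm_name, vmm), then require exactly one active VM of that
    name; only then is the full description returned."""
    screened = [d for d in config if d["vm_name"] == vm_name and d["vmm"] == vmm]
    if len(screened) != 1:
        raise LookupError(f"{len(screened)} descriptions match {vm_name!r}/{vmm!r}")
    active = [name for name in query_active_vms(vmm) if name == vm_name]
    if len(active) != 1:
        raise LookupError(f"{len(active)} active {vmm} VMs named {vm_name!r}, need exactly one")
    return screened[0]


def validate_profile(p, image_size):
    """The legality check: every offset must stay inside the descriptor and be
    4-byte aligned, and the list head must lie inside the memory image."""
    for key, width in (("tasks_off", 8), ("pid_off", 4), ("comm_off", p["comm_len"])):
        off = p[key]
        if off < 0 or off % 4 or off + width > p["struct_size"]:
            return False
    return 0 <= p["init_task_paddr"] and p["init_task_paddr"] + p["struct_size"] <= image_size


def walk_tasks(image, p, max_tasks=4096):
    """Process traversal: follow the circular task list from init_task. As in the Linux
    task_struct, tasks.next stores the address of the next descriptor's embedded list
    node, so the next descriptor base is that pointer minus tasks_off."""
    base, seen = p["init_task_paddr"], set()
    for _ in range(max_tasks):
        if base in seen or base < 0 or base + p["struct_size"] > len(image):
            return  # list closed back on itself, or a pointer left the image
        seen.add(base)
        pid = struct.unpack_from("<I", image, base + p["pid_off"])[0]
        raw = image[base + p["comm_off"]:base + p["comm_off"] + p["comm_len"]]
        # Raw bytes to high-level information: a descriptor becomes (base, pid, name).
        yield {"base": base, "pid": pid, "comm": raw.split(b"\0", 1)[0].decode("ascii", "replace")}
        base = struct.unpack_from("<Q", image, base + p["tasks_off"])[0] - p["tasks_off"]


def find_process(image, p, name):
    """Pick the monitored process out of all traversed processes by name."""
    return next((t for t in walk_tasks(image, p) if t["comm"] == name), None)


def build_guest_image(p, tasks):
    """Constructed 8 KiB guest memory image holding a circular list of fake descriptors."""
    image = bytearray(8192)
    bases = [p["init_task_paddr"] + i * p["struct_size"] for i in range(len(tasks))]
    for i, (base, (pid, comm)) in enumerate(zip(bases, tasks)):
        nxt = bases[(i + 1) % len(bases)]
        struct.pack_into("<Q", image, base + p["tasks_off"], nxt + p["tasks_off"])
        struct.pack_into("<I", image, base + p["pid_off"], pid)
        struct.pack_into(f"{p['comm_len']}s", image, base + p["comm_off"], comm.encode())
    return bytes(image)


def demo():
    desc = select_description(load_config(), "guest-a", "kvm")
    profile = desc["profile"]
    image = build_guest_image(profile, [(0, "swapper"), (1, "systemd"), (742, "sshd")])
    if not validate_profile(profile, len(image)):
        raise ValueError("illegal description values")
    return find_process(image, profile, desc["monitored_process"])


if __name__ == "__main__":
    print(demo())
```

The `seen` set and the bounds check in `walk_tasks` are what keep a wrong or stale profile from turning into an endless or out-of-image walk; without them a single bad `tasks_off` sends the traversal through unrelated guest memory and returns garbage "processes". The uniqueness check in `select_description` matters for the same reason: if two active guests carry the same name, reading either one with the profile of the other silently yields the wrong process list.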
The non-volatile computer storage medium provided by the embodiment of the present invention stores computer-executable instructions which, when executed, implement the method for monitoring system calls in a virtual machine provided by the embodiment of the present invention.
Through the above description of the embodiments, those skilled in the art will clearly understand that the embodiments of the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and includes instructions that enable a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods according to the embodiments of the present invention.
Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention.
Those skilled in the art will appreciate that the modules of the devices in the embodiments may be distributed within those devices as described, or may instead be located in one or more devices other than those of the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (15)

1. A method for monitoring system calls in a virtual machine, comprising:
for a virtual machine needing to be monitored, reading description information corresponding to the virtual machine from a configuration file, which comprises: screening out, from the configuration file, the description information corresponding to the virtual machine needing to be monitored; calling a query interface of the corresponding virtual machine software to search for the virtual machine needing to be monitored among the active virtual machines, according to the name of the virtual machine and the type of virtual machine software described in the screened description information; and, when a virtual machine uniquely corresponding to the screened description information can be found among the active virtual machines, reading all the description information of the found virtual machine from the configuration file;
determining a memory segment of a monitored process in the virtual machine according to the read description information;
acquiring information of the monitored process according to the data stored in the determined memory segment;
according to the acquired information of the monitored process, determining that the currently executed system call is the system call initiated by the running monitored process;
and processing the relevant information of the system call currently executed.
2. The method of claim 1, wherein after reading the description information corresponding to the virtual machine from the configuration file, before determining a memory segment of the monitored process in the virtual machine, the method further comprises:
it is determined that the value of the read description information is legitimate.
3. The method of claim 1, wherein determining a memory segment of a process being monitored in the virtual machine based on the read description information comprises:
determining, from the read description information, the memory offsets of the virtual machine to be monitored;
traversing the processes according to the determined memory offsets, so as to acquire the memory segments of all processes running in the virtual machine;
and selecting, by process name, the memory segment of the monitored process from the acquired memory segments of all the processes.
4. The method of claim 1, wherein obtaining information of the monitored process based on the data stored in the determined memory segment comprises:
converting the data stored in the determined memory segment into high-level semantic information according to the data structures described in the read description information, to obtain the information of the monitored process.
5. The method of claim 1, wherein after obtaining information of the monitored process based on the data stored in the determined memory segment, prior to determining, from the obtained information of the monitored process, a system call initiated by the running monitored process among the currently executing system calls, the method further comprises:
it is determined that the monitored process is running.
6. The method of claim 1, wherein determining that the system call currently being executed is a system call initiated by a running monitored process based on the obtained information of the monitored process comprises:
finding the initial initiator of the system call from the stack information of the system call currently being executed;
and, when the function address of the initial initiator lies within the address range of the running monitored process, determining that the currently executing system call was initiated by the running monitored process.
7. The method of claim 1, wherein processing information related to a currently executing system call comprises:
acquiring the relevant information of the currently executing system call;
and recording the acquired system call information when it differs from the most recently recorded system call information, or when system call information is being acquired for the first time.
8. An apparatus for monitoring system calls in a virtual machine, the apparatus comprising a memory for storing a plurality of instructions and a processor for loading the instructions stored in the memory to perform:
for a virtual machine needing to be monitored, reading description information corresponding to the virtual machine from a configuration file, which comprises: screening out, from the configuration file, the description information corresponding to the virtual machine needing to be monitored; calling a query interface of the corresponding virtual machine software to search for the virtual machine needing to be monitored among the active virtual machines, according to the name of the virtual machine and the type of virtual machine software described in the screened description information; and, when a virtual machine uniquely corresponding to the screened description information can be found among the active virtual machines, reading all the description information of the found virtual machine from the configuration file;
determining a memory segment of a monitored process in the virtual machine according to the read description information;
acquiring information of the monitored process according to the data stored in the determined memory segment;
according to the acquired information of the monitored process, determining that the currently executed system call is the system call initiated by the running monitored process;
and processing the relevant information of the system call currently executed.
9. The apparatus of claim 8, wherein the processor is further to load instructions stored in the memory to perform:
after the description information corresponding to the virtual machine has been read from the configuration file and before the memory segment of the monitored process in the virtual machine is determined, checking that the values in the read description information are legal.
10. The apparatus of claim 8, wherein the processor is to load instructions stored in the memory to perform:
determining, from the read description information, the memory offsets of the virtual machine to be monitored;
traversing the processes according to the determined memory offsets, so as to acquire the memory segments of all processes running in the virtual machine;
and selecting, by process name, the memory segment of the monitored process from the acquired memory segments of all the processes.
11. The apparatus of claim 8, wherein the processor is to load instructions stored in the memory to perform:
converting the data stored in the determined memory segment into high-level semantic information according to the data structures described in the read description information, to obtain the information of the monitored process.
12. The apparatus of claim 8, wherein the processor is further to load instructions stored in the memory to perform:
after the information of the monitored process has been obtained from the data stored in the determined memory segment, and before it is determined from that information which of the currently executing system calls was initiated by the running monitored process, checking that the monitored process is running.
13. The apparatus of claim 8, wherein the processor is to load instructions stored in the memory to perform:
finding the initial initiator of the system call from the stack information of the system call currently being executed;
and, when the function address of the initial initiator lies within the address range of the running monitored process, determining that the currently executing system call was initiated by the running monitored process.
14. The apparatus of claim 8, wherein the processor is to load instructions stored in the memory to perform:
acquiring the relevant information of the currently executing system call;
and recording the acquired system call information when it differs from the most recently recorded system call information, or when system call information is being acquired for the first time.
15. A non-transitory computer storage medium having stored thereon computer-executable instructions that, when executed, implement the method of any one of claims 1 to 7.
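The attribution step of claims 5 to 7 (and of the corresponding processor paragraphs in the description above): locate the initial initiator of a currently executing system call from its stack, accept the call only if the monitored process is running and that initiator's function address falls inside one of the process's own memory segments, then record the call unless it is identical to the latest record. This is an added example, not the patent's code. The kernel/user address boundary, the `sshd` segment layout, the frame addresses and the four observed calls are constructed for the illustration; the stack is assumed to be captured innermost frame first, so the initial initiator is the outermost user-mode frame.

```python
from dataclasses import dataclass

# Assumption for this example: x86-64 address split, user addresses lie below this boundary.
KERNEL_BASE = 0xFFFF_8000_0000_0000


@dataclass(frozen=True)
class Segment:
    """One memory segment of the monitored process (constructed from its mappings)."""
    start: int
    end: int
    name: str

    def contains(self, addr):
        return self.start <= addr < self.end


@dataclass
class MonitoredProcess:
    pid: int
    comm: str
    running: bool
    segments: tuple


@dataclass(frozen=True)
class SyscallRecord:
    pid: int
    nr: int
    args: tuple
    initiator: int


def initial_initiator(stack):
    """Outermost user-mode frame of a captured stack (innermost frame first), or None
    when the stack never leaves the kernel (e.g. a kernel thread issuing the call)."""
    user_frames = [addr for addr in stack if addr < KERNEL_BASE]
    return user_frames[-1] if user_frames else None


def initiated_by(proc, stack):
    """Attribute the call to proc only if proc is running and the initiator's function
    address lies inside one of proc's own segments."""
    if not proc.running:
        return False
    addr = initial_initiator(stack)
    return addr is not None and any(seg.contains(addr) for seg in proc.segments)


class SyscallRecorder:
    """Log of attributed calls; a record identical to the latest one (the same call seen
    again on a later poll of the guest) is suppressed, the first record is always kept."""

    def __init__(self):
        self.records = []

    def process(self, proc, nr, args, stack):
        if not initiated_by(proc, stack):
            return None
        rec = SyscallRecord(proc.pid, nr, tuple(args), initial_initiator(stack))
        if self.records and self.records[-1] == rec:
            return None
        self.records.append(rec)
        return rec


# Constructed sample: sshd's text segment and its libc mapping, plus four observed calls.
SSHD = MonitoredProcess(
    pid=742, comm="sshd", running=True,
    segments=(Segment(0x55D0_0000_0000, 0x55D0_0010_0000, "sshd .text"),
              Segment(0x7F00_0000_0000, 0x7F00_0020_0000, "libc.so.6")))
KERNEL_ENTRY = 0xFFFF_8000_0012_3456   # kernel-side syscall entry frame
LIBC_WRAPPER = 0x7F00_0001_2345        # libc wrapper inside the mapped libc
SSHD_MAIN = 0x55D0_0000_1234           # caller inside sshd's own text
STACK_TOP = 0x7FFF_FF00_0000           # a frame on the stack: in no code segment of sshd

EVENTS = [  # (syscall nr, args, stack)
    (0, (3, 0x7F00_0010_0000, 4096), (KERNEL_ENTRY, LIBC_WRAPPER, SSHD_MAIN)),  # read
    (0, (3, 0x7F00_0010_0000, 4096), (KERNEL_ENTRY, LIBC_WRAPPER, SSHD_MAIN)),  # same call, next poll
    (1, (3, 0x7F00_0010_0000, 12), (KERNEL_ENTRY, LIBC_WRAPPER, SSHD_MAIN)),    # write
    (59, (0x7FFF_FF00_0100, 0, 0), (KERNEL_ENTRY, STACK_TOP)),                  # execve from the stack
]


def demo(proc=SSHD, events=EVENTS):
    recorder = SyscallRecorder()
    for nr, args, stack in events:
        recorder.process(proc, nr, args, stack)
    return recorder.records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Two records survive: the repeated `read` is collapsed into one, and the `execve` whose initiator sits on the stack rather than in any of `sshd`'s segments is not attributed to `sshd` at all. That last outcome is the caveat to keep in mind when deploying the claimed check: a call initiated from code that is not part of the process's known segments (injected code, a JIT region absent from the profile) is simply dropped by this filter, so a monitor that wants to see such calls must treat "initiator outside all known segments" as its own event rather than as noise.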
CN201711250086.3A 2017-12-01 2017-12-01 Method, device and storage medium for monitoring system call in virtual machine Active CN109471697B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711250086.3A CN109471697B (en) 2017-12-01 2017-12-01 Method, device and storage medium for monitoring system call in virtual machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711250086.3A CN109471697B (en) 2017-12-01 2017-12-01 Method, device and storage medium for monitoring system call in virtual machine

Publications (2)

Publication Number Publication Date
CN109471697A CN109471697A (en) 2019-03-15
CN109471697B true CN109471697B (en) 2021-08-17

Family

ID=65658210

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711250086.3A Active CN109471697B (en) 2017-12-01 2017-12-01 Method, device and storage medium for monitoring system call in virtual machine

Country Status (1)

Country Link
CN (1) CN109471697B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111026599A (en) * 2019-07-24 2020-04-17 Harbin Antiy Technology Group Co., Ltd. (哈尔滨安天科技集团股份有限公司) Data collection method and device based on API calls, and storage device
CN111027072B (en) * 2019-12-20 2024-02-27 Beijing Antiy Network Security Technology Co., Ltd. (北京安天网络安全技术有限公司) Kernel rootkit detection method and device under Linux based on ELF binary standard analysis
CN111611580B (en) * 2020-05-27 2022-09-23 Fujian Tianqing Online Interactive Technology Co., Ltd. (福建天晴在线互动科技有限公司) Method and system for detecting whether a program is running in the environment of the Kingsoft secure sandbox system
CN114924810B (en) * 2021-05-14 2024-02-23 Wuhan Deepin Technology Co., Ltd. (武汉深之度科技有限公司) Heterogeneous program execution method and device, computing device and readable storage medium
CN113448690B (en) * 2021-08-27 2022-02-01 Alibaba Cloud Computing Co., Ltd. (阿里云计算有限公司) Monitoring method and device
CN113961910A (en) * 2021-09-09 2022-01-21 Beijing Hongteng Intelligent Technology Co., Ltd. (北京鸿腾智能科技有限公司) Virtual machine security hardening method and device, and storage medium
CN114490273A (en) * 2022-02-25 2022-05-13 Alibaba (China) Co., Ltd. (阿里巴巴(中国)有限公司) Data processing method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103793288A (en) * 2014-02-14 2014-05-14 北京邮电大学 Software watchdog system and method
CN105740046A (en) * 2016-01-26 2016-07-06 华中科技大学 Virtual machine process behavior monitoring method and system based on dynamic library
CN106055385A (en) * 2016-06-06 2016-10-26 四川大学 System and method for monitoring virtual machine process, and method for filtering page fault anomaly


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
A VMM-Based System Call Interposition Framework for Program Monitoring; Bo Li; 2010 IEEE 16th International Conference on Parallel and Distributed Systems; 2011-01-20; full text *
Security monitoring and enhancement of virtual machines on cloud computing platforms based on system calls; Zhou Tianyu (周天宇); Wanfang dissertation database (万方学位论文); 2017 *
HMM-based Linux host intrusion detection system; Wang Pei (王沛); China Master's Theses Full-text Database (中国优秀博硕士学位论文全文数据库), Information Science and Technology series; 2004-09-15; vol. 2004, no. 3; I139-97 *
Security monitoring and enhancement of virtual machines on cloud computing platforms based on system calls; Zhou Tianyu (周天宇); Wanfang dissertation database (万方学位论文); 2017-11-29; pp. 15, 27-29 *

Also Published As

Publication number Publication date
CN109471697A (en) 2019-03-15

Similar Documents

Publication Publication Date Title
CN109471697B (en) Method, device and storage medium for monitoring system call in virtual machine
US8978141B2 (en) System and method for detecting malicious software using malware trigger scenarios
US9230106B2 (en) System and method for detecting malicious software using malware trigger scenarios in a modified computer environment
CN109583200B (en) Program abnormity analysis method based on dynamic taint propagation
EP3175386B1 (en) Transparent detection and extraction of return-oriented-programming attacks
US10102373B2 (en) Method and apparatus for capturing operation in a container-based virtualization system
WO2015131804A1 (en) Call stack relationship acquiring method and apparatus
CN109271789B (en) Malicious process detection method and device, electronic equipment and storage medium
CN109388946B (en) Malicious process detection method and device, electronic equipment and storage medium
EP2988242B1 (en) Information processing device, and information processing method
CN104268473A (en) Method and device for detecting application programs
CN108898012B (en) Method and apparatus for detecting illegal program
CA2811617C (en) Commit sensitive tests
CN105678160A (en) System and method for providing access to original routines of boot drivers
KR102045772B1 (en) Electronic system and method for detecting malicious code
US8769498B2 (en) Warning of register and storage area assignment errors
US10664594B2 (en) Accelerated code injection detection using operating system controlled memory attributes
WO2020111482A1 (en) Reverse engineering method and system utilizing big data based on program execution context
CN108009039B (en) Terminal information recording method, device, storage medium and electronic equipment
CN108255496B (en) Method, system and related device for obtaining android application native layer code
JP5766650B2 (en) Information processing apparatus, monitoring method, and monitoring program
EP2819055B1 (en) System and method for detecting malicious software using malware trigger scenarios
CN107742080B (en) Vulnerability mining method and device for virtualized environment
US10102109B2 (en) Exception resolution in a software development session
CN109472133B (en) Sandbox monitoring method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant