CN109684826B - Application sandbox anti-escape method and electronic equipment - Google Patents


Info

Publication number
CN109684826B
Authority
CN
China
Prior art keywords
filtering
api call
api
opening
registry
Prior art date
2018-01-15
Legal status
Active
Application number
CN201810035506.4A
Other languages
Chinese (zh)
Other versions
CN109684826A (en)
Inventor
张海东
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Priority date
2018-01-15
Filing date
2018-01-15
Publication date
2021-01-29
Events
2018-01-15: Application filed by Beijing ThreatBook Technology Co Ltd
2018-01-15: Priority to CN201810035506.4A
2019-04-26: Publication of CN109684826A
2021-01-29: Application granted; publication of CN109684826B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses an application sandbox anti-escape method and an electronic device. The method comprises the following steps: acquiring an API call from a suspicious program; determining whether the API call is a predetermined API call; and if so, intercepting the predetermined API call and returning a forged API return value to it, so as to filter out the suspicious program's checks of the sandbox environment. The invention defeats the suspicious program's detection of the virtual environment and ensures that the suspicious program keeps executing normally; because of the forged return values, the program goes on to execute its real malicious function, so the malicious sample can be analyzed in more detail. This produces more threat intelligence, improves the detection of malicious samples, helps enterprises identify malicious programs, and helps analysts understand sample behavior more easily.

Description

Application sandbox anti-escape method and electronic equipment
Technical Field
The invention relates to the technical field of computer security, in particular to an application program sandbox anti-escape method and electronic equipment.
Background
An application sandbox is an execution environment that restricts program behavior according to a security policy. Sandboxes were originally used mainly to test suspicious software; for example, hackers would often run viruses or other unsafe products inside a sandbox environment in order to try them out.
A classic sandbox system is typically implemented by intercepting system calls, monitoring program behavior, and then controlling and restricting the program's use of computer resources according to user-defined policies, such as writing to the registry, reading and writing disks, and the like.
Existing sandbox anti-escape techniques generally intercept at the application layer and handle each known escape technique one-to-one by modifying its known characteristics, which is time-consuming and gives narrow coverage.
Disclosure of Invention
In view of the problem that the existing sandbox anti-escape technology is time-consuming and narrow in coverage, the invention provides an application sandbox anti-escape method and an electronic device.
In order to solve the above technical problem, embodiments of the present invention provide the following technical solutions.
An application sandbox anti-escape method comprising:
acquiring an API call from a suspicious program;
judging whether the API call is a preset API call;
if so, intercepting the API call and returning a forged API return value to it, so as to filter out the suspicious program's checks of the sandbox environment.
Preferably, if the API call is not a predetermined API call, the API call is executed and a normal API return value is returned.
Preferably, the predetermined API calls comprise one or more of the APIs that implement the following functions: open relevant registry path filtering, query registry filtering, rename registry filtering, replace registry key filtering, modify registry filtering, open file filtering, query window filtering, search window extension function filtering, open registry key filtering, open process filtering, search process filtering, open mutex filtering, query file attribute filtering, open file filtering, query system information filtering, query process relevant information filtering, query file and directory filtering, query file volume information filtering, send control code to a specified device to obtain information filtering, open symbolic link filtering for a specified driver.
Preferably, the predetermined API call is a system API call.
Preferably, determining whether the API call is a predetermined API call and, if so, intercepting the API call and returning a forged API return value to it comprises: determining whether the API call is the predetermined API call used to query disk capacity;
if so, returning a forged disk capacity value.
In addition, an embodiment of the present invention further provides an electronic device, where the electronic device may apply the method for anti-escaping from an application sandbox according to the above embodiment, and the electronic device includes:
a processor configured to obtain an API call from a suspicious program and determine whether the API call is a predetermined API call; if so, the API call is intercepted and a fake API return value is returned to the API call to filter the detection behavior of the suspicious program on the sandbox environment.
Preferably, the processor is further configured to execute the API call and return a normal API return value if the API call is not a predetermined API call.
Preferably, the predetermined API calls comprise one or more of the APIs that implement the following functions: open relevant registry path filtering, query registry filtering, rename registry filtering, replace registry key filtering, modify registry filtering, open file filtering, query window filtering, search window extension function filtering, open registry key filtering, open process filtering, search process filtering, open mutex filtering, query file attribute filtering, open file filtering, query system information filtering, query process relevant information filtering, query file and directory filtering, query file volume information filtering, send control code to a specified device to obtain information filtering, open symbolic link filtering for a specified driver.
Preferably, the predetermined API call is a system API call.
Preferably, the processor determining whether the API call is a predetermined API call and, if so, intercepting the API call and returning a forged API return value to it comprises:
determining whether the API call is the predetermined API call used to query disk capacity;
if so, returning a forged disk capacity value.
Based on the above disclosure, the embodiments of the present invention have the following advantages:
the embodiment of the invention defeats the suspicious program's detection of the virtual environment and ensures that the suspicious program keeps executing normally; because of the forged return values, the program goes on to execute its real malicious function, so the malicious sample can be analyzed in more detail. This produces more threat intelligence, improves the detection of malicious samples, helps enterprises identify malicious programs, and helps analysts understand sample behavior more easily.
Drawings
FIG. 1 is a schematic flow chart illustrating an anti-escape method for an application sandbox in an embodiment of the present invention;
FIG. 2 is a schematic illustration of an application sandbox escape method according to an embodiment of the present invention;
FIG. 3 is a schematic block diagram of an electronic device in an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments.
Referring to FIG. 1 and FIG. 2, FIG. 1 is a schematic flowchart illustrating an anti-escape method for an application sandbox according to an embodiment of the present invention, and FIG. 2 is a schematic illustration of an escape method for an application sandbox according to an embodiment of the present invention. The method and the device filter out the checks that some programs perform on the sandbox environment by hooking key system APIs.
When the suspicious program runs in the virtual environment, the invention first obtains the information about the API the program calls, then determines whether it is a common API call or a call to a key system API. If it is a common API call, no filtering is performed. If it is a call to a key system API, a forged return value is returned to the caller; the call is actually intercepted and filtered. In this way the suspicious program's detection of the virtual environment is defeated, the program keeps executing normally and, because of the forged return value, goes on to execute its real malicious function, so the malicious sample can be analyzed in more detail. This produces more threat intelligence, improves the detection of malicious samples, helps enterprises identify malicious programs, and helps analysts understand sample behavior more easily.
The principle of the invention is schematically illustrated by means of an embodiment.
As shown in fig. 1, an anti-escape method for an application sandbox in an embodiment of the present invention may include:
acquiring an API call from a suspicious program;
judging whether the API call is a preset API call;
if so, intercepting the API call and returning a fake API return value to the API call so as to filter the detection behavior of the suspicious program on the sandbox environment; and if the API call is not the preset API call, executing the API call and returning a normal API return value.
For example, when a suspicious program in the sandbox attempts to query the size of the sandbox system disk, and the disk size of the original virtual environment is 40GB, the present invention intercepts the API and returns a forged value of 106GB instead. This defeats the suspicious program's check for an abnormally small disk and ensures that the program keeps executing normally.
The system key APIs involved in the invention at least comprise APIs as shown in the following table.
API name | Filtering function
NtCreateKey | Open relevant registry path filtering
NtQueryValueKey | Query registry filtering
NtRenameKey | Rename registry filtering
NtReplaceKey | Replace registry key filtering
NtSetValueKey | Modify registry filtering
NtCreateFile | Open file filtering
NtUserQueryWindow | Query window filtering
NtUserFindWindowEx | Search window extension function filtering
NtOpenKey | Open registry key filtering
NtOpenProcess | Open process filtering
NtGetNextProcess | Look up process filtering
NtCreateMutant | Open mutex filtering
NtQueryAttributesFile | Query file attribute filtering
NtOpenFile | Open file filtering
NtQuerySystemInformation | Query system information filtering
NtQueryProcessInformation | Query process related information filtering
NtQueryDirectoryFile | Query file and directory filtering
NtQueryVolumeInformationFile | Query file volume information filtering
NtDeviceIoControlFile | Send control code to a specified device to obtain information filtering
NtCreateSymbolicLinkObject | Open symbolic link filtering for a specified driver
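The disk-capacity example above and the table of hooked services describe one dispatch rule: execute the call, and if its name is in the predetermined set, replace the result with a forged value; otherwise pass the real result through. The following is an added example, not code from the patent or from ThreatBook, that models that rule in user-space C so it can be run offline. The "system services" are plain functions (a constructed 40 GiB volume with 4 KiB clusters), NtQueryVolumeInformationFile is the one hooked service with a forging policy, NtClose stands in for a common call that is executed unchanged, and the 30 GiB free-space figure and the FILE_FS_SIZE_INFORMATION-like structure are this example's assumptions. The forging step keeps the cluster geometry the guest reported and rescales only the unit counts, so a caller that reads the volume twice, or derives free space from it, sees one consistent 106 GiB volume rather than two values that disagree.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GIB (1024ULL * 1024ULL * 1024ULL)

/* Model of FILE_FS_SIZE_INFORMATION, the structure NtQueryVolumeInformationFile
 * fills for a FileFsSizeInformation query. The real one uses LARGE_INTEGER and
 * ULONG fields; fixed-width integers keep this model portable. */
typedef struct {
    uint64_t total_allocation_units;
    uint64_t available_allocation_units;
    uint32_t sectors_per_allocation_unit;
    uint32_t bytes_per_sector;
} fs_size_info;

/* "Real" services: what the unmodified virtual environment reports.
 * Constructed values: a 40 GiB virtual disk with 4 KiB clusters (8 x 512 B)
 * and 10 GiB free. Binary GiB is used so the arithmetic below is exact. */
static int real_NtQueryVolumeInformationFile(fs_size_info *info) {
    info->bytes_per_sector = 512;
    info->sectors_per_allocation_unit = 8;
    info->total_allocation_units = 40ULL * GIB / 4096;
    info->available_allocation_units = 10ULL * GIB / 4096;
    return 0; /* STATUS_SUCCESS */
}

static int real_NtClose(int *handle) {
    *handle = -1; /* a common API: executed normally, nothing forged */
    return 0;
}

/* Predetermined (hooked) system services, taken from the patent's table. */
static const char *const PREDETERMINED_APIS[] = {
    "NtCreateKey", "NtQueryValueKey", "NtRenameKey", "NtReplaceKey",
    "NtSetValueKey", "NtCreateFile", "NtUserQueryWindow", "NtUserFindWindowEx",
    "NtOpenKey", "NtOpenProcess", "NtGetNextProcess", "NtCreateMutant",
    "NtQueryAttributesFile", "NtOpenFile", "NtQuerySystemInformation",
    "NtQueryProcessInformation", "NtQueryDirectoryFile",
    "NtQueryVolumeInformationFile", "NtDeviceIoControlFile",
    "NtCreateSymbolicLinkObject",
};

bool is_predetermined_api(const char *name) {
    size_t n = sizeof PREDETERMINED_APIS / sizeof PREDETERMINED_APIS[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(PREDETERMINED_APIS[i], name) == 0) return true;
    return false;
}

/* Forging policy (assumed values): the patent's 106 GB total, plus a
 * free-space figure this example chooses so the forged volume stays plausible. */
static const uint64_t FORGED_TOTAL_BYTES = 106ULL * GIB;
static const uint64_t FORGED_FREE_BYTES = 30ULL * GIB;

/* Rewrite only the unit counts; keep the cluster geometry the guest reported,
 * so every later query derives the same cluster size and free <= total holds. */
static void forge_volume_size(fs_size_info *info) {
    uint64_t cluster = (uint64_t)info->bytes_per_sector * info->sectors_per_allocation_unit;
    info->total_allocation_units = FORGED_TOTAL_BYTES / cluster;
    info->available_allocation_units = FORGED_FREE_BYTES / cluster;
    if (info->available_allocation_units > info->total_allocation_units)
        info->available_allocation_units = info->total_allocation_units;
}

/* The hook layer: every service the sample invokes is routed through here.
 * A predetermined call is executed, then its result is replaced by the forged
 * value (*filtered = true); any other call is executed and returned unchanged. */
int sandbox_dispatch(const char *api, void *arg, bool *filtered) {
    *filtered = false;
    if (strcmp(api, "NtQueryVolumeInformationFile") == 0) {
        fs_size_info *info = arg;
        int status = real_NtQueryVolumeInformationFile(info);
        if (status == 0 && is_predetermined_api(api)) {
            forge_volume_size(info);
            *filtered = true;
        }
        return status;
    }
    if (strcmp(api, "NtClose") == 0)
        return real_NtClose(arg);
    return -1; /* service not modelled in this example */
}

/* Capacity in GiB as a caller would compute it from the returned structure. */
uint64_t disk_capacity_gib(const fs_size_info *info) {
    return info->total_allocation_units * info->sectors_per_allocation_unit *
           info->bytes_per_sector / GIB;
}

/* Reference value without the hook, to show what the sandbox really has. */
uint64_t unfiltered_disk_capacity_gib(void) {
    fs_size_info info;
    real_NtQueryVolumeInformationFile(&info);
    return disk_capacity_gib(&info);
}

int main(void) {
    fs_size_info info;
    bool filtered;
    sandbox_dispatch("NtQueryVolumeInformationFile", &info, &filtered);
    printf("real: %llu GiB, reported to sample: %llu GiB (filtered=%d)\n",
           (unsigned long long)unfiltered_disk_capacity_gib(),
           (unsigned long long)disk_capacity_gib(&info), (int)filtered);
    return 0;
}
```

In a real sandbox the dispatch step sits in the kernel (or in an in-guest agent) on the system-service path rather than behind a string compare, but the decision is the same: the name lookup against the predetermined table decides whether the result is forged, and the forging rule is per service. The point of rescaling the unit counts instead of overwriting a single field is the caveat a practitioner will want: forged values must be coherent with everything else the guest reports, or the sample sees a volume that contradicts itself.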
By adopting this technical scheme, the anti-detection capability of the sandbox is effectively improved: malicious samples that themselves detect sandboxes can be analyzed in more detail, which produces more threat intelligence, improves the detection of malicious samples, helps enterprises identify malicious programs, and helps analysts understand sample behavior more easily.
Hooking the key system APIs and forging their return values filters out the detection behavior of such malicious samples, so that the samples go on to execute their real malicious functions.
In addition, an embodiment of the present invention may further provide an electronic device, where the electronic device may apply the method for anti-escaping from the application sandbox according to the above embodiment, so as to achieve the anti-detection capability of the electronic device.
Specifically, as shown in fig. 3, the electronic device in the embodiment of the present invention may include:
a monitoring module 1 configured to detect a suspicious program running in the virtual environment and to notify the processor 2 when the suspicious program is detected. Because the API calls are monitored at the kernel layer, the kernel-layer APIs can be called and monitored safely.
The processor 2 (for example, the anti-escape processing module in FIG. 2) obtains the API call from the suspicious program and determines whether the API call is a predetermined API call; if so, the API call is intercepted and a forged API return value is returned to it, so as to filter out the suspicious program's checks of the sandbox environment. For example, when a suspicious program in the sandbox attempts to query the size of the sandbox system disk, and the disk size of the original virtual environment is 40GB, the present invention intercepts the API and returns a forged value of 106GB instead. This defeats the suspicious program's check for an abnormally small disk and ensures that the program keeps executing normally.
The predetermined API call in the embodiment of the present invention may include one or more of the APIs that implement the following functions: open relevant registry path filtering, query registry filtering, rename registry filtering, replace registry key filtering, modify registry filtering, open file filtering, query window filtering, search window extension function filtering, open registry key filtering, open process filtering, search process filtering, open mutex filtering, query file attribute filtering, open file filtering, query system information filtering, query process relevant information filtering, query file and directory filtering, query file volume information filtering, send control code to a specified device to obtain information filtering, open symbolic link filtering for a specified driver.
In addition, the electronic device in the embodiment of the present invention may be a personal PC, or just the application sandbox anti-escape apparatus installed in such a device, used to monitor suspicious programs and defeat their detection attempts.
As with the method above, this technical scheme effectively improves the anti-detection capability of the sandbox: malicious samples that themselves detect sandboxes can be analyzed in more detail, which produces more threat intelligence, improves the detection of malicious samples, helps enterprises identify malicious programs, and helps analysts understand sample behavior more easily.
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present invention, and such modifications and equivalents should also be considered as falling within the scope of the present invention.

Claims (4)

1. An application sandbox anti-escape method comprising:
acquiring an API call from a suspicious program;
judging whether the API call is a preset API call;
if so, intercepting the API call and
returning a forged API return value to the API call, so as to defeat the suspicious program's detection of the virtual environment and filter out the suspicious program's checks of the sandbox environment;
if the API call is not a preset API call, executing the API call and returning a normal API return value;
wherein the predetermined API calls are system API calls, including a plurality of APIs to implement: NtCreateKey for opening relevant registry path filtering, NtQueryValueKey for querying registry filtering, NtRenameKey for renaming registry filtering, NtReplaceKey for replacing registry key filtering, NtSetValueKey for modifying registry filtering, NtCreateFile for opening file filtering, NtUserQueryWindow for querying window filtering, NtUserFindWindowEx for finding window extension function filtering, NtOpenKey for opening registry key filtering, NtOpenProcess for opening process filtering, NtGetNextProcess for lookup process filtering, NtCreateMutant for opening mutex filtering, NtQueryAttributesFile for query file attribute filtering, NtOpenFile for opening file filtering, NtQuerySystemInformation for query system information filtering, NtQueryProcessInformation for query process related information filtering, NtQueryDirectoryFile for query file and directory filtering, NtQueryVolumeInformationFile for query file volume information filtering, NtDeviceIoControlFile for sending control code acquisition information filtering to a specified device, NtCreateSymbolicLinkObject for opening symbolic link filtering of a specified driver.
2. The method of claim 1, wherein determining whether the API call is a predetermined API call and, if so, intercepting the API call and returning a forged API return value to the API call comprises: determining whether the API call is the predetermined API call used to query disk capacity;
if so, returning a forged disk capacity value.
3. An electronic device, the electronic device comprising:
a processor configured to obtain an API call from a suspicious program and determine whether the API call is a predetermined API call; if so, intercepting the API call and returning a forged API return value to the API call, so as to defeat the suspicious program's detection of the virtual environment and filter out the suspicious program's checks of the sandbox environment; if the API call is not a preset API call, executing the API call and returning a normal API return value;
wherein the predetermined API calls are system API calls, including a plurality of APIs to implement: NtCreateKey for opening relevant registry path filtering, NtQueryValueKey for querying registry filtering, NtRenameKey for renaming registry filtering, NtReplaceKey for replacing registry key filtering, NtSetValueKey for modifying registry filtering, NtCreateFile for opening file filtering, NtUserQueryWindow for querying window filtering, NtUserFindWindowEx for finding window extension function filtering, NtOpenKey for opening registry key filtering, NtOpenProcess for opening process filtering, NtGetNextProcess for lookup process filtering, NtCreateMutant for opening mutex filtering, NtQueryAttributesFile for query file attribute filtering, NtOpenFile for opening file filtering, NtQuerySystemInformation for query system information filtering, NtQueryProcessInformation for query process related information filtering, NtQueryDirectoryFile for query file and directory filtering, NtQueryVolumeInformationFile for query file volume information filtering, NtDeviceIoControlFile for sending control code acquisition information filtering to a specified device, NtCreateSymbolicLinkObject for opening symbolic link filtering of a specified driver.
4. The electronic device of claim 3, wherein the processor determining whether the API call is a predetermined API call and, if so, intercepting the API call and returning a forged API return value to the API call comprises:
determining whether the API call is the predetermined API call used to query disk capacity;
if so, returning a forged disk capacity value.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201810035506.4A (CN109684826B, en) | 2018-01-15 | 2018-01-15 | Application sandbox anti-escape method and electronic equipment

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201810035506.4A (CN109684826B, en) | 2018-01-15 | 2018-01-15 | Application sandbox anti-escape method and electronic equipment

Publications (2)

Publication Number | Publication Date
CN109684826A (en) | 2019-04-26
CN109684826B (en, this document) | 2021-01-29

Family

ID=66184344

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201810035506.4A (CN109684826B, en), Active | Application sandbox anti-escape method and electronic equipment | 2018-01-15 | 2018-01-15

Country Status (1)

Country | Link
CN (1) | CN109684826B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111611580B (en) * 2020-05-27 2022-09-23 福建天晴在线互动科技有限公司 Method and system for detecting whether program runs in environment of Jinshan safe sandbox system
CN114553539A (en) * 2022-02-22 2022-05-27 深信服科技股份有限公司 Method and device for defending malicious program and related equipment

Citations (2)

Publication number Priority date Publication date Assignee Title
CN102737188A (en) * 2012-06-27 2012-10-17 北京奇虎科技有限公司 Method and device for detecting malicious webpage
CN103500308A (en) * 2012-09-28 2014-01-08 卡巴斯基实验室封闭式股份公司 System and method for countering detection of emulation by malware

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN103927484B (en) * 2014-04-21 2017-03-08 西安电子科技大学宁波信息技术研究院 Rogue program behavior catching method based on Qemu simulator
US9390268B1 (en) * 2015-08-04 2016-07-12 Iboss, Inc. Software program identification based on program behavior
CN105488414A (en) * 2015-09-25 2016-04-13 深圳市安之天信息技术有限公司 Method and system for preventing malicious codes from detecting virtual environments

Patent Citations (2)

Publication number Priority date Publication date Assignee Title
CN102737188A (en) * 2012-06-27 2012-10-17 北京奇虎科技有限公司 Method and device for detecting malicious webpage
CN103500308A (en) * 2012-09-28 2014-01-08 卡巴斯基实验室封闭式股份公司 System and method for countering detection of emulation by malware

Non-Patent Citations (1)

Title
Research on evasion methods against virtual-machine virus scanning; Jiang Xiaofeng et al.; Information Security and Communications Privacy (信息安全与通信保密); 2011-02-10 (No. 2); pp. 55-57 *

Also Published As

Publication number Publication date
CN109684826A (en) 2019-04-26

Similar Documents

Publication Publication Date Title
US11625485B2 (en) Method of malware detection and system thereof
Javaheri et al. Detection and elimination of spyware and ransomware by intercepting kernel-level system routines
US10581879B1 (en) Enhanced malware detection for generated objects
EP3039608B1 (en) Hardware and software execution profiling
US9679136B2 (en) Method and system for discrete stateful behavioral analysis
KR100786725B1 (en) Analysis system for malicious code and method thereof
US20140053267A1 (en) Method for identifying malicious executables
CN107992751B (en) Real-time threat detection method based on branch behavior model
KR101086203B1 (en) A proactive system against malicious processes by investigating the process behaviors and the method thereof
US11288362B2 (en) System and method for creating antivirus records for antivirus applications
CN111460445A (en) Method and device for automatically identifying malicious degree of sample program
CN107566401B (en) Protection method and device for virtualized environment
CN109684826B (en) Application sandbox anti-escape method and electronic equipment
KR100959276B1 (en) A system for preventing installation of malicious codes using a control list at the kernel level and the computer-readable recording medium having recording the program thereof
CN113569240B (en) Method, device and equipment for detecting malicious software
US20220327207A1 (en) Arrangement and method of threat detection in a computer or computer network
US20230214489A1 (en) Rootkit detection based on system dump files analysis
CN111125701B (en) File detection method, equipment, storage medium and device
US11763004B1 (en) System and method for bootkit detection
EP3522058B1 (en) System and method of creating antivirus records
WO2022238987A1 (en) A scenario-based cyber security system and method
CN114553539A (en) Method and device for defending malicious program and related equipment
CN117972683A (en) Kernel-level security terminal and installation method
陳悦庭 et al. Computer Security Symposium 2014 22-24 October 2014

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant