CN110069936A - A Trojan steganography method and detection method - Google Patents


Info

Publication number
CN110069936A
Authority
CN
China
Prior art keywords
trojan
loader
steganography
sequence
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910251422.9A
Other languages
Chinese (zh)
Inventor
田辉
梅俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hefei High Dimensional Data Technology Co Ltd
Original Assignee
Hefei High Dimensional Data Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hefei High Dimensional Data Technology Co Ltd filed Critical Hefei High Dimensional Data Technology Co Ltd
Priority to CN201910251422.9A priority Critical patent/CN110069936A/en
Publication of CN110069936A publication Critical patent/CN110069936A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption


Abstract

The invention discloses a Trojan steganography method and a detection method, belonging to the technical field of network security. The steganography method comprises transmitting a stego file (a carrier file with a Trojan program embedded in it) and a loader over a data transmission channel; when the page hosting the loader and the stego file is accessed and both are obtained, the loader is run to decrypt the Trojan program into memory and run the Trojan program in memory. The invention discloses a new steganographic Trojan implantation path and provides a corresponding detection method, improving antivirus software's detection of Trojans.

Description

A Trojan steganography method and detection method
Technical field
The present invention relates to the technical field of network security, and in particular to a Trojan steganography method and detection method.
Background
With the development of Internet technology, Trojan programs have become rampant on networks, and new Trojans and Trojan variants keep emerging. Only by studying the many kinds of Trojans in depth can targeted defenses be built, which is of great significance for ensuring network security.
Chinese invention patent publication No. CN 107800705 A describes a Trojan implantation path based on information-hiding technology: the Trojan program is encrypted with a one-dimensional chaotic encryption algorithm, hidden in a JPEG image file using discrete cosine transform (DCT) steganography, and a web server is then set up from which the controlled host obtains the steganographic Trojan. It has the following drawbacks. First, during Trojan implantation, because the Trojan program is hidden in a carrier, distribution must either include the stego file or fetch the stego file from the web server, and bundling the picture inside the loader would make the program larger. Second, during detection, because the false-positive rate of steganography-based detection may be relatively high, detecting the loader alone cannot confirm a steganographic Trojan and can only establish abnormal behavior, which makes the Trojan detection result inaccurate.
Summary of the invention
The purpose of the present invention is to provide a Trojan steganography method and detection method, so as to disclose a steganographic Trojan implantation path and a corresponding detection method.
To achieve the above purpose, the present invention provides a Trojan steganography method comprising the following steps:
A stego file (the carrier file holding the hidden payload) and a loader are transmitted over a data transmission channel, the stego file having a Trojan program embedded in it;
When the page hosting the loader and the stego file is accessed and both are obtained, the loader is run to decrypt the Trojan program into memory and run the Trojan program in memory.
Further, before the stego file and the loader are transmitted over the data transmission channel, the method also includes:
The Trojan program is encrypted into ciphertext using the AES (Advanced Encryption Standard) algorithm;
The ciphertext is embedded into the least significant bit of each pixel of the carrier image using the LSB algorithm, yielding the stego file.
Further, after the Trojan program is encrypted into ciphertext using the Advanced Encryption Standard algorithm, the method also includes:
The carrier image is parsed using the libpng module, and the number of image pixels is counted;
Based on the number of image pixels, it is judged whether the embedding capacity of the carrier image is greater than the ciphertext size;
If so, the ciphertext is embedded into the carrier image, yielding the stego file.
Further, running the loader to decrypt the Trojan program into memory and run the Trojan program in memory, when the page hosting the loader and the stego file is accessed, comprises:
The loader parses the stego file using the libpng module to extract the ciphertext from the stego file;
The Trojan program is decrypted from the ciphertext, and it is checked whether the Trojan program is a PE-format file;
If so, a PE structure is created and the Trojan program is imported into the corresponding fields of the PE structure;
Each section of the PE structure is mapped into the memory and run.
Further, mapping each section of the PE structure into the memory and running it comprises:
The libraries the Trojan program requires are loaded, and the Trojan program is run from its entry point address.
Further, the method also includes:
The registry is modified to set up auto-start, and file attributes are set, to protect the Trojan program.
In another aspect, the present invention provides a steganographic Trojan detection method comprising the following steps:
A system call sequence and a file operation sequence are obtained, the Trojan features of the loader are extracted, and a Trojan feature sequence is built from the Trojan features;
It is judged whether the file in the file operation sequence is in an executable file format;
If so, whether the loader has been detected is determined from the Trojan feature sequence and the system call sequence;
If the loader is detected, it is determined that a suspected Trojan program has been detected.
Further, determining whether the loader has been detected from the Trojan feature sequence and the system call sequence comprises:
The similarity between the Trojan feature sequence and a pre-stored Trojan feature reference sequence is calculated, giving a first-class similarity;
The similarity between the system call sequence and a pre-stored system call reference sequence is calculated, giving a second-class similarity;
The first-class similarity and the second-class similarity are each compared with a similarity threshold, and if either of the two comparisons shows a value greater than the threshold, it is determined that the loader has been detected.
Further, after it is determined that a suspected Trojan program has been detected because the loader was detected, the method also includes:
It is checked whether the suffix of a file name in the file operation sequence within the detection time window is a carrier image format suffix, the carrier image being the image in which the Trojan program is embedded;
If so, the operation is judged abnormal, and it is checked whether the operated file in the file operation sequence is an image file in which a Trojan program has been steganographically embedded.
Further, the method also includes:
If any two of the loader determination result, the abnormal operation determination result and the operated-file steganographic Trojan determination result are positive, it is determined that an anomaly has been detected;
If all three results are positive, it is determined that the Trojan program has been detected.
Compared with the prior art, the present invention has the following technical effects. In the Trojan steganography process, the loader and the stego file are transmitted over the channel that originally carried the Trojan program; when a user accesses the page hosting the loader and the stego file and obtains them, the loader decrypts the Trojan program from the stego file directly into memory and runs the Trojan program from memory. Compared with the prior-art implantation path, in which the Trojan program is decrypted to disk and can be detected by antivirus software, this discloses a steganographic Trojan implantation path that can bypass antivirus detection. Meanwhile, in Trojan detection, because the false-positive rate of steganography-based detection may be relatively high, detecting the loader alone cannot confirm a steganographic Trojan and can only establish abnormal behavior; in this scheme, when the loader determination indicates an anomaly, the operated file is checked to see whether it is a steganographically modified image file in order to decide whether a Trojan program has been detected, which ensures the accuracy of the Trojan detection result.
Brief description of the drawings
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings:
Fig. 1 is a flow diagram of a Trojan steganography method;
Fig. 2 is a schematic diagram of Trojan program steganography;
Fig. 3 is a flow diagram of a steganographic Trojan detection method;
Fig. 4 is a schematic diagram of the steganographic Trojan program detection principle.
Detailed description of embodiments
To further explain the features of the present invention, refer to the following detailed description and the accompanying drawings. The drawings are for reference and discussion only and are not intended to limit the protection scope of the present invention.
As shown in Fig. 1 and Fig. 2, this embodiment discloses a Trojan steganography method comprising the following steps S1 to S3:
S1: a stego file (the carrier file holding the hidden payload) and a loader are transmitted over a data transmission channel, the stego file having a Trojan program embedded in it;
S2: when the page hosting the loader and the stego file is accessed and both are obtained, the loader is run to decrypt the Trojan program into memory and run the Trojan program in memory.
It should be noted that the loader is software that emulates the way the Windows operating system loads executable files. A web server is built on a Linux system using the Python SimpleHTTPServer module, and the loader and the stego file are uploaded to the web server; when a user downloads the loader and the stego file through a drive-by download site or a backdoor program, the loader runs, extracts the Trojan program from the stego file and runs it. Because the loader decrypts the Trojan program directly into memory and runs it there, it avoids the traditional approach of decrypting the Trojan program to disk, where it is easily detected by antivirus software. Disclosing this new Trojan implantation path allows targeted defenses to be built and is of great significance for safeguarding national network security.
Further, before step S1 above (transmitting the stego file and the loader over the data transmission channel, the stego file having the Trojan program embedded in it), the method also includes:
The Trojan program is encrypted into ciphertext using the AES (Advanced Encryption Standard) algorithm;
The ciphertext is embedded into the least significant bit of each pixel of the carrier image using the LSB algorithm, yielding the stego file.
It should be noted that in this embodiment the combination of the carrier file name Cn and a salt (Salt) is used as the key, and the Trojan program is encrypted into ciphertext using the Advanced Encryption Standard (AES) algorithm. Using the least significant bit (LSB) information-hiding method, the ciphertext is embedded into the least significant bit of each pixel of the carrier image, yielding the stego file.
Preferably, the following steps are also performed before the ciphertext is embedded into the carrier image:
The carrier image is parsed using the libpng module, and the number of image pixels is counted;
Based on the number of image pixels, it is judged whether the embedding capacity of the carrier image is greater than the ciphertext size;
If so, the ciphertext is embedded into the carrier image, yielding the stego file;
If not, the carrier image is replaced with one that has sufficient embedding space, and the ciphertext is then embedded into that carrier image.
It should be noted that before the ciphertext is embedded into the carrier image, the pixel count of the carrier image is used to judge whether the carrier image has enough space to hold the ciphertext, which guarantees that the ciphertext is embedded completely.
Further, step S2 above (running the loader to decrypt the Trojan program into memory and run the Trojan program in memory when the page hosting the loader and the stego file is accessed) comprises the following steps S21 to S25:
S21: the loader parses the stego file using the libpng module to extract the ciphertext from the stego file;
S22: the Trojan program is decrypted from the ciphertext, and it is checked whether the Trojan program is a PE-format file; if not, step S23 is executed, and if so, step S24 is executed;
S23: the Trojan steganography process ends;
S24: a PE structure is created, and the Trojan program is imported into the corresponding fields of the PE structure;
S25: memory is allocated, and the PE structure is mapped one-to-one into the memory space and run; that is, each section of the PE structure is mapped to the address specified by the virtual address of its image_section_header structure.
Further, the process of running the Trojan program in memory includes:
If the Trojan program needs to import libraries, the corresponding libraries are loaded for it;
The corresponding permissions are set for each section, and execution starts from the entry point address.
Further, the registry is modified to set up auto-start, and file attributes are set, to protect the Trojan program.
In this embodiment, the loader and the stego file are transmitted over the channel that originally carried the Trojan program; when a user accesses and obtains the loader and the stego file, the loader runs and decrypts the Trojan program in the stego file into memory, where it runs. This can bypass antivirus detection and discloses a new steganographic Trojan implantation path.
As shown in Fig. 3 and Fig. 4, this embodiment correspondingly discloses a steganographic Trojan detection method for detecting steganographic Trojans implanted through the implantation path disclosed above, comprising the following steps S101 to S104:
S101: a system call sequence and a file operation sequence are obtained, the Trojan features of the loader are extracted, and a Trojan feature sequence is built from the Trojan features;
It should be noted that the file operation sequence is obtained through file-monitoring functions such as ReadDirectoryChangesW, and the system call sequence is obtained by, for example, hooking the KiFastCallEntry function. The file operation sequence reveals the specific files the user operates on; it is used to correlate the loader with the format of subsequently operated files and identify whether the behavior is abnormal. The system call sequence reveals the system functions a program calls; it is used to identify sensitive system calls (matching the functions of the loader).
Specifically, the functions MapViewOfFile, ProcessIAT, PeLdrApplyRelocations and PeLdrExecuteEP are compiled into an executable file, the binary feature sequence of each function is obtained, and the binary sequence corresponding to each function is matched as a character string to build the Trojan feature sequence.
Here, MapViewOfFile is used to map a file into memory; the ProcessIAT function processes the import and export tables and loads the required function modules; the PeLdrApplyRelocations function relocates the file's position in memory; and the PeLdrExecuteEP function enters the program entry point. Because these functions are the core functions of the loader, extracting their binary feature sequences makes it possible to identify the loader.
S102: it is judged whether the file in the file operation sequence is in an executable file format; if so, step S103 is executed, and if not, the program exits directly;
S103: whether the loader has been detected is determined from the Trojan feature sequence and the system call sequence; if so, step S104 is executed, and if not, step S102 is executed;
S104: if the loader is detected, it is determined that a suspected Trojan program has been detected.
It should be noted that the executable file formats in the file operation sequence include formats such as exe and dll. Once the format of an operated file in the file operation sequence is found to be an executable format, this scheme calculates the similarity of the Trojan feature sequence and the similarity of the system call sequence separately and determines from the calculated similarities whether the loader has been detected; if the loader is detected, the file currently being operated on is determined to be a suspected Trojan program file and the user is warned to stop the operation.
Further, step S103 above (determining whether the loader has been detected from the Trojan feature sequence and the system call sequence) specifically comprises the following steps:
The similarity between the Trojan feature sequence and a pre-stored Trojan feature reference sequence is calculated, giving a first-class similarity;
Specifically, the Trojan feature sequence is split into blocks the size of the Trojan feature reference sequence, and simhash and Hamming distance are used to calculate the similarity value between each block of the Trojan feature sequence and the Trojan feature reference sequence.
The similarity between the system call sequence and a pre-stored system call reference sequence is calculated, giving a second-class similarity;
Specifically, the system call file is split into blocks the size of the system call reference file, and simhash and Hamming distance are used to calculate the similarity value between each block of the system call file and the system call reference file.
The first-class similarity and the second-class similarity are each compared with a similarity threshold, and if either of the two comparisons shows a value greater than the threshold, it is determined that the loader has been detected.
Specifically, the multiple first-class similarities are compared with the similarity threshold, and the multiple second-class similarities are compared with the similarity threshold. If any of the first-class similarity values is greater than the set similarity threshold, the file is determined to be a loader; this is used in static analysis to judge whether a file on disk is a loader. If any of the second-class similarity values is greater than the set similarity threshold, the file is determined to be a loader; this is used to judge whether the analyzed file in memory is a loader. The similarity threshold may be set to 0.6, and the calculation formula is hamming(simhash(a), simhash(b))/len(a).
It should be noted that in this embodiment the Trojan feature sequence and the system call file sequence are each split into blocks according to the set reference sequence, giving multiple first-class similarity values and multiple second-class similarity values; the loader can be identified when some of the first-class similarities and second-class similarities are greater than the set similarity threshold. This makes up for the shortcoming of hash-value comparison, which can confirm a loader only when the hashes are identical.
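The block-wise simhash comparison described for step S103 can be sketched as follows. This is an added example, not code from the patent: the 4-byte shingle features, the 64-bit fingerprint, the constructed byte strings and the reading of similarity as 1 minus the normalised Hamming distance are all assumptions, since the page gives only the formula hamming(simhash(a), simhash(b))/len(a) and the 0.6 threshold.

```python
import hashlib
import random

FINGERPRINT_BITS = 64
SHINGLE = 4        # bytes per feature (assumption; the page fixes no feature size)
THRESHOLD = 0.6    # similarity threshold quoted on the page


def simhash(data):
    """64-bit simhash over overlapping byte shingles of `data`."""
    weights = [0] * FINGERPRINT_BITS
    for i in range(max(1, len(data) - SHINGLE + 1)):
        digest = hashlib.blake2b(data[i:i + SHINGLE], digest_size=8).digest()
        h = int.from_bytes(digest, "big")
        for bit in range(FINGERPRINT_BITS):
            weights[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit, w in enumerate(weights) if w > 0)


def similarity(a, b):
    """1 - (Hamming distance between fingerprints / fingerprint length)."""
    distance = bin(simhash(a) ^ simhash(b)).count("1")
    return 1.0 - distance / FINGERPRINT_BITS


def block_similarities(sequence, reference):
    """Cut `sequence` into reference-sized blocks and score each block."""
    size = len(reference)
    blocks = [sequence[i:i + size] for i in range(0, len(sequence), size)]
    return [similarity(block, reference) for block in blocks if block]


def matches_reference(sequence, reference, threshold=THRESHOLD):
    """True if any block scores above the threshold (the page's decision rule)."""
    return any(s > threshold for s in block_similarities(sequence, reference))


def constructed_samples():
    """Constructed test data: a 256-byte reference sequence, a file whose
    second block is a slightly modified copy of it, and an unrelated file."""
    rng = random.Random(2019)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    reference = noise(256)
    variant = bytearray(reference)
    variant[100] ^= 0xFF   # two changed bytes: an exact hash compare would miss this
    variant[101] ^= 0xFF
    suspicious = noise(256) + bytes(variant) + noise(256)
    benign = noise(768)
    return reference, suspicious, benign


if __name__ == "__main__":
    ref, suspicious, benign = constructed_samples()
    print("suspicious:", [round(s, 2) for s in block_similarities(suspicious, ref)])
    print("benign:    ", [round(s, 2) for s in block_similarities(benign, ref)])
```

Unrelated fingerprints already agree on about half of their bits, so scores near 0.5 carry no signal, and fixed-size blocking only finds block-aligned copies of the reference.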
Further, in actual Trojan detection, because the false-positive rate of steganography-based Trojan program detection is relatively high, detecting the loader does not confirm that a steganographic Trojan has been detected; it can only be judged that abnormal behavior is present. Therefore, on the basis of the loader detection in the above embodiment, this embodiment also includes the following steps S105 to S107:
S105: it is checked whether the suffix of a file name in the file operation sequence within the detection time window is a carrier image format suffix, the carrier image being the image in which the Trojan program is embedded; if so, step S106 is executed, and if not, the window is skipped and the files in the next time window are examined;
S106: the situation in which both the loader and an image file are identified is judged to be abnormal operation behavior, and it is checked whether the operated file in the file operation sequence is an image file in which a Trojan program has been steganographically embedded; if so, step S107 is executed, and if not, step S105 is executed;
S107: it is determined that a steganographic Trojan program has been detected.
It should be noted that in this embodiment the carrier image is the object used to hide the secret information, and the carrier image formats are image file formats such as jpeg and bmp; when the format of a file within the time window is found to be a carrier image file format, the behavior can be judged to be abnormal operation behavior.
Specifically, whether the operated file is a steganographically modified image file is checked as follows: the operated file is analyzed further, the least significant bits of the file are counted, and a chi-square test is used to obtain a P value; a P value close to 1 indicates that the image contains secret information, whereas a P value close to 0 indicates that the image has not been steganographically modified.
It should be noted that in Trojan detection, because the false-positive rate of steganography-based detection may be relatively high, detecting the loader alone cannot confirm a steganographic Trojan and can only establish abnormal behavior. In this scheme, when the loader determination indicates an anomaly, the operated file is checked to see whether it is a steganographically modified image file in order to decide whether a Trojan program has been detected, which ensures the accuracy of the Trojan detection result and improves antivirus software's detection of steganographic Trojans.
Further, if any two of the loader determination result, the abnormal operation determination result and the operated-file steganographic Trojan determination result are positive, it is determined that an anomaly has been detected;
If all three results are positive, it is determined that the Trojan program has been detected.
It should be noted that three situations are considered: the file sequence and/or system call sequence is judged to be a loader, an abnormal operation is judged to have occurred, and the file is judged to have a Trojan program steganographically embedded in it. If any two of these three situations occur, it is determined that an anomaly has been detected; if all three occur, it is determined that a steganographic Trojan program has been detected. This embodiment approaches loader detection and identification from multiple dimensions and has a higher recognition rate and a lower false-positive rate.
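The image check in steps S105 to S107 and the two-of-three decision can be sketched as follows. This is an added example, not code from the patent: it uses the pairs-of-values form of the chi-square test on already-decoded 8-bit pixel samples, and the function names, the 60-second window, the .jpg and .png suffixes and the constructed pixel data are assumptions.

```python
import math
import random
from collections import Counter

# The page names jpeg and bmp as carrier formats; .jpg and .png are assumed here.
CARRIER_SUFFIXES = (".jpeg", ".jpg", ".bmp", ".png")


def chi2_sf(x, dof):
    """Upper tail P(X >= x) of a chi-square distribution (regularised gamma Q)."""
    if x <= 0:
        return 1.0
    a, x = dof / 2.0, x / 2.0
    scale = math.exp(-x + a * math.log(x) - math.lgamma(a))
    if x < a + 1.0:                       # series expansion of the lower tail
        term = total = 1.0 / a
        n = 1
        while abs(term) > abs(total) * 1e-15 and n < 10000:
            term *= x / (a + n)
            total += term
            n += 1
        return max(0.0, 1.0 - total * scale)
    tiny = 1e-300                         # continued fraction (modified Lentz)
    b = x + 1.0 - a
    c, d = 1.0 / tiny, 1.0 / b
    h = d
    for i in range(1, 10000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        h *= d * c
        if abs(d * c - 1.0) < 1e-15:
            break
    return min(1.0, h * scale)


def lsb_chi_square_p(samples, min_expected=5.0):
    """P value of the pairs-of-values test. LSB replacement with ciphertext
    evens out the counts of each value pair (2k, 2k+1), which drives p to 1."""
    hist = Counter(samples)
    chi2, categories = 0.0, 0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2.0
        if expected < min_expected:       # too few samples in this pair
            continue
        chi2 += (hist[k] - expected) ** 2 / expected
        categories += 1
    if categories < 2:
        return 0.0                        # not enough data to claim embedding
    return chi2_sf(chi2, categories - 1)


def image_touched_in_window(file_ops, t_loader, window_s=60.0):
    """file_ops holds (timestamp, path) pairs. True if a carrier-format file
    was operated on within window_s seconds of the loader detection."""
    return any(abs(t - t_loader) <= window_s
               and path.lower().endswith(CARRIER_SUFFIXES)
               for t, path in file_ops)


def verdict(loader_hit, abnormal_op, stego_image):
    """Any two positive results: anomaly. All three: steganographic Trojan."""
    hits = sum(map(bool, (loader_hit, abnormal_op, stego_image)))
    if hits == 3:
        return "stego-trojan"
    return "abnormal" if hits == 2 else "no-finding"


def constructed_pixels():
    """Constructed samples: a cover with uneven value pairs, and the same
    cover with every LSB overwritten by pseudo-random bits (ciphertext-like)."""
    cover = [2 * ((i * 37) % 100) + (1 if i % 7 == 0 else 0) for i in range(4000)]
    rng = random.Random(7)
    stego = [(v & ~1) | rng.getrandbits(1) for v in cover]
    return cover, stego


if __name__ == "__main__":
    cover, stego = constructed_pixels()
    print("cover p =", lsb_chi_square_p(cover), " stego p =", lsb_chi_square_p(stego))
```

The test takes decoded spatial-domain samples; decoding the image file and choosing how close to 1 the P value must be are left to the caller.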
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its protection scope.

Claims (10)

1. a kind of wooden horse steganography method characterized by comprising
Transmission carries ciphertext part in data transmission channel and loader, the load ciphertext part are embedded with trojan horse program;
When the page where the loader and the load ciphertext part is accessed and obtains, the loader is run with by the wood Horse program is decrypted into memory, and runs the trojan horse program in memory.
2. wooden horse steganography method as described in claim 1, which is characterized in that carried in the transmission in data transmission channel close Before file and loader, further includes:
The trojan horse program is encrypted to ciphertext using Advanced Encryption Standardalgorithm AES;
The ciphertext is embedded into each pixel lowest order of the carrier image using LSB algorithm, obtains the load ciphertext part.
3. wooden horse steganography method as claimed in claim 1 or 2, which is characterized in that utilize aes algorithm by the wooden horse described After program encryption is at ciphertext, further includes:
The carrier image, and statistical picture pixel quantity are parsed using libpng module;
According to described image pixel quantity, judge whether the embedding capacity of the carrier image is greater than the ciphertext size;
If so, the ciphertext is embedded into carrier image, the load ciphertext part is obtained.
4. wooden horse steganography method as claimed in claim 1 or 2, which is characterized in that it is described in the loader and it is described carry it is close When the page is accessed where file, loader is run decrypting the trojan horse program into memory, and run institute in memory State trojan horse program, comprising:
The loader parses the load ciphertext part using libpng module, to extract the ciphertext from the load ciphertext part;
Decryption obtains the trojan horse program from the ciphertext, and checks whether the trojan horse program is PE formatted file;
If so, creation PE structural body, and trojan horse program correspondence is imported into the PE structural body;
Each section correspondence mappings of PE structural body into the memory and are run.
5. wooden horse steganography method as claimed in claim 4, which is characterized in that in each section correspondence mappings by PE structural body Into the memory and run, comprising:
The trojan horse program is loaded into corresponding library, and runs the trojan horse program in entry point address.
6. wooden horse steganography method as claimed in claim 4, which is characterized in that further include:
Modification registration table protects the trojan horse program so that self-starting and setting file attribute is arranged.
7. a kind of steganography Trojan detecting method characterized by comprising
Obtaining a system call sequence and an operation file sequence, extracting the Trojan features of the loader, and constructing a Trojan feature sequence from the Trojan features;
Determining whether the operation file sequence is in an executable file format;
If so, determining, according to the Trojan feature sequence and the system call sequence, whether the loader is detected;
If the loader is detected, determining that a suspected Trojan program is detected.
8. The steganographic Trojan detection method as claimed in claim 7, characterized in that determining, according to the Trojan feature sequence and the system call sequence, whether the loader is detected comprises:
Calculating the similarity between the Trojan feature sequence and a pre-stored Trojan feature standard sequence to obtain a first-class similarity;
Calculating the similarity between the system call sequence and a pre-stored system call standard sequence to obtain a second-class similarity;
Comparing the first-class similarity and the second-class similarity with a similarity threshold respectively, and, if either of the two comparison results is "greater than", determining that the loader is detected.
9. The steganographic Trojan detection method as claimed in claim 7, characterized in that, after determining that a suspected Trojan program is detected if the loader is detected, the method further comprises:
Detecting whether the suffix of a file name in the file operation sequence within the time window is a carrier image format suffix, the carrier image being used to embed the Trojan program;
If so, identifying this association between the loader and the image file as abnormal operation behavior, and detecting whether the operation file of the operation file sequence is an image file in which a Trojan program has been steganographically embedded.
10. The steganographic Trojan detection method as claimed in claim 7, characterized in that it further comprises:
If any two of the loader determination result, the abnormal operation determination result and the operation file steganographic Trojan determination result are "yes", determining that an abnormality has occurred in the detection process;
If all three results are "yes", determining that the Trojan program is detected.
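The decision flow of claims 7 to 10 can be sketched as follows. This is an added example, not code from the patent: the similarity metric (difflib's ratio), the 0.8 threshold, the standard sequences, the carrier suffixes, the magic-byte test and all function names are assumptions, and the steganalysis result is passed in as `stego_hit`.

```python
from difflib import SequenceMatcher

# Constructed reference data: the claims do not publish the stored standard sequences.
STD_FEATURES = ["read_image", "extract_bits", "alloc_exec", "write_mem", "jump"]
STD_SYSCALLS = ["open", "read", "mmap", "mprotect", "close"]
CARRIER_SUFFIXES = (".png", ".bmp", ".jpg", ".jpeg")  # assumed carrier image formats
EXEC_MAGICS = (b"MZ", b"\x7fELF")                     # assumed executable-format test
THRESHOLD = 0.8                                       # assumed similarity threshold


def similarity(seq, standard):
    """Order-sensitive similarity in [0, 1]; difflib's ratio is an assumed metric."""
    return SequenceMatcher(None, seq, standard, autojunk=False).ratio()


def loader_detected(header, features, syscalls):
    """Claims 7-8: executable format, then either similarity above the threshold."""
    if not header.startswith(EXEC_MAGICS):
        return False
    return (similarity(features, STD_FEATURES) > THRESHOLD
            or similarity(syscalls, STD_SYSCALLS) > THRESHOLD)


def image_in_window(file_ops, loader_time, window):
    """Claim 9: a file with a carrier-image suffix was operated on inside the window."""
    return any(abs(ts - loader_time) <= window
               and name.lower().endswith(CARRIER_SUFFIXES)
               for ts, name in file_ops)


def verdict(header, features, syscalls, file_ops, loader_time, window, stego_hit):
    """Claim 10: two positive results -> anomaly, three -> Trojan detected."""
    loader = loader_detected(header, features, syscalls)
    abnormal = loader and image_in_window(file_ops, loader_time, window)
    hits = sum([loader, abnormal, bool(stego_hit)])
    if hits == 3:
        return "trojan"
    if hits == 2:
        return "anomaly"
    return "suspected" if loader else "clean"


if __name__ == "__main__":
    ops = [(100.0, "holiday.PNG"), (230.0, "notes.txt")]  # constructed events
    print(verdict(b"MZ\x90\x00", STD_FEATURES, ["open", "close"], ops, 101.0, 5.0, True))
```

A loader match alone maps to the "suspected" outcome of claim 7; the stricter outcomes require the image-association and steganalysis results as well.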
CN201910251422.9A 2019-03-29 2019-03-29 A kind of wooden horse steganography method and detection method Pending CN110069936A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910251422.9A CN110069936A (en) 2019-03-29 2019-03-29 A kind of wooden horse steganography method and detection method

Publications (1)

Publication Number Publication Date
CN110069936A true CN110069936A (en) 2019-07-30

Family

ID=67366768

Country Status (1)

Country Link
CN (1) CN110069936A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1920877A (en) * 2006-09-19 2007-02-28 北京邮电大学 Statistic supervision and structure supervision based hidden messages analysis system
CN104200164A (en) * 2014-09-10 2014-12-10 北京金山安全软件有限公司 Loader virus searching and killing method, device and terminal
CN104346570A (en) * 2014-12-01 2015-02-11 西安邮电大学 Trojan horse decision system based on dynamic code sequence tracking analysis
CN106682505A (en) * 2016-05-04 2017-05-17 腾讯科技(深圳)有限公司 Virus detection method, terminal, server and system
CN107800705A (en) * 2017-11-02 2018-03-13 北京邮电大学 A kind of wooden horse implantation approach based on Information Hiding Techniques
US20180351968A1 (en) * 2017-05-30 2018-12-06 Cyemptive Technologies, Inc. Real-time detection of and protection from malware and steganography in a kernel mode

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111767540A (en) * 2020-07-07 2020-10-13 杭州安恒信息技术股份有限公司 Automatic analysis method and device for Jart malicious software and computer readable storage medium
CN114629711A (en) * 2022-03-21 2022-06-14 广东云智安信科技有限公司 Method and system for detecting special Trojan horse of Windows platform
CN114629711B (en) * 2022-03-21 2024-02-06 广东云智安信科技有限公司 Method and system for detecting special Trojan horse on Windows platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination