CN110610086B - Illegal code identification method, system, device and storage medium - Google Patents


Info

Publication number
CN110610086B
Authority
CN
China
Prior art keywords
code
illegal
stack
operation data
write operation
Prior art date
Legal status
Active
Application number
CN201910814820.7A
Other languages
Chinese (zh)
Other versions
CN110610086A (en)
Inventor
张文超
Current Assignee
Beijing Zhuozhi Network Security Technology Co ltd
Original Assignee
Beijing Zhuozhi Network Security Technology Co ltd
Application filed by Beijing Zhuozhi Network Security Technology Co ltd
Priority to CN201910814820.7A
Publication of CN110610086A
Application granted
Publication of CN110610086B
Active legal status
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses an illegal code identification method, system, device and storage medium in the field of computers. The method comprises: acquiring code and recording the execution characteristics of the code; writing the code into executable memory and recording the write operation data; and, before the code is executed, judging from the execution characteristics and the write operation data whether the static consistency or the dynamic continuity of the code is legal. The invention identifies unknown code, provides more precise memory protection, does not depend on waiting for a patch release, can block before the code executes, and therefore gives stronger protection.

Description

Illegal code identification method, system, device and storage medium
Technical Field
The present invention relates to the field of computers, and in particular to an illegal code identification method, system, apparatus and storage medium.
Background
At present, the main ways of preventing illegal code are static scanning of disk files, process-based static scanning of memory, patching, firewall-based security policy protection, and the like. However, these existing methods only search for and remove known viruses or attack code; they cannot identify unknown illegal code, and they cannot discover the implantation into memory and execution of unknown malicious code.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an illegal code identification method, system, device and storage medium that overcome the defects of the prior art.
The technical scheme that solves this problem is as follows:
an illegal code identification method comprising:
acquiring code and recording the execution characteristics of the code;
writing the code into executable memory and recording the write operation data;
before executing the code, judging, according to the execution characteristics and the write operation data, whether the static consistency or the dynamic continuity of the code is legal.
The beneficial effect of the invention is as follows. The method records the execution characteristics of the code and the operation data of writing the code into memory, and uses both to judge whether the static consistency or the dynamic continuity of the code is legal. If either is illegal, the code is self-generated code whose source cannot be traced, and it is blocked or an alarm is raised.
Another technical solution of the present invention for solving the above technical problem is as follows:
an illegal code identification system comprising:
an acquisition unit for acquiring code and recording the execution characteristics of the code;
a writing unit for writing the code into executable memory and recording write operation data;
and a judging unit for judging, before executing the code, whether the static consistency or the dynamic continuity of the code is legal according to the execution characteristics and the write operation data.
Another technical solution of the present invention for solving the above technical problem is as follows:
a storage medium in which instructions are stored that, when read by a computer, cause the computer to execute the illegal code identification method of the above technical scheme.
Another technical solution of the present invention for solving the above technical problem is as follows:
an illegal code identification device comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the illegal code identification method of the above technical scheme.
Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a flowchart of an illegal code identification method according to an embodiment of the present invention;
FIG. 2 is a structural diagram of an illegal code identification system according to an embodiment of the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth to illustrate, but are not to be construed to limit the scope of the invention.
At present, the main ways of preventing illegal code are static scanning of disk files, process-based static scanning of memory, patching, firewall-based security policy protection, and the like. All of these security policies rest on prior knowledge of the illegal code. For example, static scanning of disk files is the full-disk and directory scanning performed by ordinary antivirus software; process-based static scanning of memory is the scanning of the memory of user processes and operating system processes by ordinary antivirus software; and firewall-based security policy protection is the blocking of protocols and ports.
That is, these network security measures only work on the premise that the illegal code or illegal program is already known. When a new virus or trojan appears, its code must first be acquired and added to the illegal code library, so the illegal code cannot be blocked immediately and unknown code cannot be effectively identified.
On this basis, a scheme is proposed that can effectively identify unknown illegal code without frequent patching or updating of a code base.
As shown in FIG. 1, a flowchart of an embodiment of the illegal code identification method of the present invention, the method includes:
S1, acquiring the code and recording the execution characteristics of the code.
The execution characteristics are the execution flow of the code when it runs, the source of the code, and the like. The execution flow may include function calls, jumps, function call returns, system calls, system call returns, and so on. The source may be a disk file or memory, among others.
S2, writing the code into executable memory and recording the write operation data.
It should be noted that the executable memory may be the memory addressed through the code segment register or through the stack segment register. The write operation data may include the location at which code is written into the code segment, the return address in the stack, the location at which parameters are written, and so on.
S3, before executing the code, judging, according to the execution characteristics and the write operation data, whether the static consistency or the dynamic continuity of the code is legal.
Static consistency refers to whether the code currently in memory is consistent with the disk file; dynamic continuity refers to whether execution returns through a return address in the stack that differs from the one recorded at the call, and the like.
For example, suppose a piece of code comes from disk. By recording its execution characteristics and write operation data, it can be judged whether the code is consistent with the corresponding executable file on disk. If it is not consistent, the code did not originate from the disk file: it may be self-generated code, or malicious code implanted after an attack.
According to the illegal code identification method of this embodiment, the execution characteristics of the code and the operation data of writing the code into memory are recorded, and both are used to judge whether the static consistency or the dynamic continuity of the code is legal. If either is illegal, the code is self-generated code whose source cannot be traced, and it is blocked or an alarm is raised.
Optionally, in some embodiments, the execution characteristics may include the execution flow and the source; the executable memory comprises the code segment register and the stack segment register; the write operation data of the code segment register comprises the written code; and the write operation data of the stack segment register comprises the return address in the stack and the return parameters in the stack;
wherein the execution flow comprises function calls, function call returns, system calls and system call returns.
Optionally, in some embodiments, judging before execution whether the static consistency of the code is legal according to the execution characteristics and the write operation data may specifically comprise:
before executing the code, judging whether the source of the code is a disk file and, if so, recording description information of the code;
at a function call or a system call, judging whether the code was dynamically generated:
if the code was dynamically generated, judging whether its source can be traced, and if it cannot be traced, judging the code to be malicious code;
if the code was not dynamically generated, judging whether the written code is consistent with the disk file, and if it is not consistent, judging the code to be malicious code.
The description information of the code includes a code digest, the code source, the code context, and the like, which can be used in subsequent analysis to help determine whether the code is legal.
Because the write operation process and the execution characteristics of the code were recorded earlier, the source information of the code is available, so it can be judged whether the code can be traced to its source and whether the written code is consistent with the disk file.
For example, if the code is dynamically generated self-decompression or self-protection code, its generation can be tracked and it is identified as legal code. If code implanted after an attack is inconsistent with the content of the disk file, and tracking the code execution flow shows that it was not derived from the file content but came from modified memory, it can be confirmed to be malicious code.
By judging whether code was dynamically generated, untraceable self-generated code and any code implanted after an attack can be detected promptly, and malicious code can be detected without prior knowledge of it, which improves detection efficiency; analysing the behaviour and source of code execution lets malicious code be detected accurately.
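The static-consistency procedure above, written out as an added example in C that is not part of the patent and not the applicant's code. It models the disk file, the executable memory region and the write-operation log as in-process byte arrays (all constructed), uses a 64-bit FNV-1a hash as a stand-in for the code digest in the description information, and assumes a simple taxonomy of write sources (loader, the module's own unpacker, untraceable) in place of whatever source tracking the patent has in mind. The decision logic follows the steps: a call target covered by a recorded write is dynamically generated and is legal only if that write is traceable; a target with no recorded write must match the disk file byte for byte.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REGION_SIZE 64
#define MAX_WRITES 8

/* Assumed taxonomy of who wrote into executable memory (the patent only says
 * "traceable" or not): the loader copying the file, the module's own unpacker
 * (traceable self-decompression), or a writer with no traceable origin. */
enum write_source { SRC_LOADER, SRC_SELF_UNPACKER, SRC_UNTRACEABLE };

struct write_rec { size_t off, len; enum write_source src; };

struct exec_region {
    uint8_t mem[REGION_SIZE];          /* bytes in "executable memory" (constructed) */
    uint8_t disk[REGION_SIZE];         /* the corresponding bytes of the disk file */
    uint64_t disk_digest;              /* description information: code digest of the file */
    struct write_rec log[MAX_WRITES];  /* write operation data of the code segment */
    size_t nlog;
};

enum verdict { V_LEGAL, V_MALICIOUS_UNTRACEABLE, V_MALICIOUS_INCONSISTENT };

/* FNV-1a, standing in for a real code digest. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hooked write into executable memory: apply it and record the write operation data. */
static int write_exec(struct exec_region *r, size_t off, const uint8_t *p, size_t n, enum write_source src) {
    if (off + n > REGION_SIZE || r->nlog == MAX_WRITES) return -1;
    memcpy(r->mem + off, p, n);
    r->log[r->nlog] = (struct write_rec){ off, n, src };
    r->nlog++;
    return 0;
}

/* S1/S2: the source is a disk file, so record its description information (digest)
 * and load it into executable memory through the hook. */
static void load_from_disk(struct exec_region *r, const uint8_t *file) {
    memset(r, 0, sizeof *r);
    memcpy(r->disk, file, REGION_SIZE);
    r->disk_digest = fnv1a64(file, REGION_SIZE);
    write_exec(r, 0, file, REGION_SIZE, SRC_LOADER);
}

/* S3, at a call into [off, off+len): dynamically generated? traceable? consistent with disk? */
static enum verdict check_static_consistency(const struct exec_region *r, size_t off, size_t len) {
    int dynamic = 0, traceable = 1;
    for (size_t i = 0; i < r->nlog; i++) {
        const struct write_rec *w = &r->log[i];
        if (w->src == SRC_LOADER) continue;                 /* the original load is not "dynamic" */
        if (w->off < off + len && off < w->off + w->len) { /* the write overlaps the call target */
            dynamic = 1;
            if (w->src != SRC_SELF_UNPACKER) traceable = 0;
        }
    }
    if (dynamic) return traceable ? V_LEGAL : V_MALICIOUS_UNTRACEABLE;
    return memcmp(r->mem + off, r->disk + off, len) == 0 ? V_LEGAL : V_MALICIOUS_INCONSISTENT;
}

/* Constructed scenarios. The byte values are arbitrary stand-ins for machine code. */
static void build_scenario(struct exec_region *r, int which) {
    static const uint8_t file[REGION_SIZE] = { 0x55, 0x48, 0x89, 0xe5, 0xc3 };
    static const uint8_t unpacked[4] = { 0x90, 0x90, 0x90, 0xc3 };
    static const uint8_t injected[4] = { 0xcc, 0xcc, 0xcc, 0xc3 };
    load_from_disk(r, file);
    switch (which) {
    case 1: write_exec(r, 16, unpacked, 4, SRC_SELF_UNPACKER); break; /* traceable self-decompression */
    case 2: write_exec(r, 16, injected, 4, SRC_UNTRACEABLE); break;   /* implanted code, no traceable origin */
    case 3: memcpy(r->mem + 16, injected, 4); break;                  /* a write that bypassed the hook */
    default: break;                                                    /* 0: untouched */
    }
}

static enum verdict scenario_verdict(int which) {
    struct exec_region r;
    build_scenario(&r, which);
    return check_static_consistency(&r, 16, 4);
}

/* Description-information comparison: does the digest of memory still equal the file's? */
static int scenario_digest_matches(int which) {
    struct exec_region r;
    build_scenario(&r, which);
    return fnv1a64(r.mem, REGION_SIZE) == r.disk_digest;
}

int main(void) {
    static const char *names[] = { "legal", "malicious: untraceable dynamic code", "malicious: inconsistent with disk file" };
    for (int i = 0; i < 4; i++)
        printf("scenario %d: %s (digest matches file: %d)\n", i, names[scenario_verdict(i)], scenario_digest_matches(i));
    return 0;
}
```

Scenario 1 is the self-decompression case: the bytes no longer match the disk file, so a digest comparison alone would flag it, and only the recorded, traceable write makes it legal. Scenario 3 shows why the write hook must be complete: a write that bypasses it leaves no record, and the method then has only the disk comparison to fall back on. A real implementation also has to tolerate legitimate loader changes such as relocation fixups and import-table patching before comparing memory against the file.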
Optionally, in some embodiments, when the code is determined to be malicious code, the malicious code may be blocked.
Blocking malicious code directly once it has been identified protects the system directly and improves the safety of the protection.
Optionally, in some embodiments, judging before execution whether the dynamic continuity of the code is legal according to the execution characteristics and the write operation data may specifically comprise:
at a function call return or a system call return, judging whether the return address in the stack or the return parameters in the stack have been modified, and if they have, judging the code to be suspicious code.
For example, it can be identified that after a buffer overflow the return address or parameters have been modified, so the code is suspect.
Judging the dynamic continuity of the code further improves the accuracy of the identification.
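The dynamic-continuity check above, as an added example in C that is not part of the patent. The stack frame is a constructed struct with an explicit layout (buffer, parameter slot, return address) rather than a real machine frame, so the overflow stays inside the struct and the example runs without undefined behaviour; the return address and parameter values are arbitrary constructed constants, and the attacker input is a constructed run of 'A' bytes. on_call() records the stack write operation data at the call and on_return() compares it at the return, which is what the method does at a function call return or system call return.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 16

/* Constructed stack frame model (not a real machine frame). Fields are laid out
 * in increasing address order, so an overflow of buf runs into param and then
 * ret, the layout a classic stack buffer overflow exploits. sizeof is 32, no padding. */
struct frame {
    uint8_t  buf[BUF_SIZE];
    uint64_t param;   /* a parameter slot the callee is not expected to write */
    uint64_t ret;     /* the return address written to the stack by the call */
};

/* Write operation data of the stack segment, recorded when the call happens. */
struct stack_record { uint64_t ret, param; };

enum continuity { C_OK, C_RET_MODIFIED, C_PARAM_MODIFIED };

/* S2: at the call, record what was written into the stack. */
static struct stack_record on_call(const struct frame *f) {
    struct stack_record r = { f->ret, f->param };
    return r;
}

/* S3: at the return, judge whether the recorded return address and parameter are unchanged.
 * The return address is checked first because its modification is the more severe signal. */
static enum continuity on_return(const struct frame *f, struct stack_record rec) {
    if (f->ret != rec.ret) return C_RET_MODIFIED;
    if (f->param != rec.param) return C_PARAM_MODIFIED;
    return C_OK;
}

/* The unchecked copy of a vulnerable callee: n bytes into a 16-byte buffer with no
 * bound, so bytes 16..23 land in param and bytes 24..31 in ret. Clamped to the
 * struct so the model itself stays well-defined. */
static void vulnerable_copy(struct frame *f, const uint8_t *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);
}

/* Run one call/return with n attacker-controlled bytes and report the verdict. */
static enum continuity run_input(size_t n) {
    struct frame f = { {0}, 0x1122334455667788ULL, 0x0000555555551234ULL }; /* constructed values */
    struct stack_record rec = on_call(&f);
    uint8_t input[sizeof f];
    memset(input, 'A', sizeof input);   /* constructed attacker input */
    vulnerable_copy(&f, input, n);
    return on_return(&f, rec);
}

int main(void) {
    static const char *names[] = { "ok", "suspicious: return address modified", "suspicious: parameter modified" };
    size_t lens[] = { 8, 16, 20, 32 };
    for (size_t i = 0; i < 4; i++)
        printf("%2zu bytes copied: %s\n", lens[i], names[run_input(lens[i])]);
    return 0;
}
```

The return-address comparison is the same invariant a shadow stack enforces and is the robust half of the check. The parameter comparison needs care in practice: a callee may legitimately write to its own parameter slots, so the slots compared must be ones the callee is not expected to modify, or the check will report suspicious code on benign returns.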
Optionally, in some embodiments, the method may further include:
at a function call return or a system call return, comparing and judging the description information of the code, and if the description information of the code is illegal, blocking execution of the code.
For example, the code digest, code source and code context of the code may be analysed, and the description information in memory compared with the description information of the disk file to see whether they are consistent, to assist in determining whether the code is malicious.
Judging the description information of the code improves the accuracy of the judgment.
Optionally, in some embodiments, the description information may include: a code digest, the code source and the code context.
It is understood that some or all of the alternative embodiments described above may be included in some embodiments.
As shown in FIG. 2, a structural diagram of an embodiment of the illegal code identification system of the present invention, the system includes:
an acquiring unit 1 for acquiring code and recording the execution characteristics of the code;
a writing unit 2 for writing the code into executable memory and recording write operation data;
and a judging unit 3 for judging, before executing the code, whether the static consistency or the dynamic continuity of the code is legal according to the execution characteristics and the write operation data.
Optionally, in some embodiments, the execution characteristics may include the execution flow and the source; the executable memory comprises the code segment register and the stack segment register; the write operation data of the code segment register comprises the written code; and the write operation data of the stack segment register comprises the return address in the stack and the return parameters in the stack;
wherein the execution flow comprises function calls, function call returns, system calls and system call returns.
Optionally, in some embodiments, the judging unit 3 is specifically configured to judge, before executing the code, whether the source of the code is a disk file and, if so, to record description information of the code; at a function call or a system call, to judge whether the code was dynamically generated; if the code was dynamically generated, to judge whether its source can be traced, and if it cannot, to judge the code to be malicious code; and if the code was not dynamically generated, to judge whether the written code is consistent with the disk file, and if it is not, to judge the code to be malicious code.
Optionally, in some embodiments, the judging unit 3 is further configured to block the code when the code is determined to be malicious code.
Optionally, in some embodiments, the judging unit 3 is specifically configured to judge, at a function call return or a system call return, whether the return address in the stack or the return parameters in the stack have been modified, and if they have, to judge the code to be suspicious code.
Optionally, in some embodiments, the judging unit 3 is further configured to compare and judge the description information of the code at a function call return or a system call return, and to block execution of the code if the description information is illegal.
Optionally, in some embodiments, the description information may include: a code digest, the code source and the code context.
It is understood that some or all of the optional embodiments described above may be included in some embodiments.
The above embodiments are product embodiments corresponding to the preceding method embodiments; for each optional implementation, refer to the corresponding description in the method embodiments, which is not repeated here.
In another embodiment of the present invention, a storage medium is provided in which instructions are stored that, when read by a computer, cause the computer to execute the illegal code identification method according to any of the above embodiments.
In another embodiment of the present invention, an illegal code identification apparatus is also provided, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the illegal code identification method according to any of the above embodiments.
The reader should understand that, in this specification, reference to "one embodiment," "some embodiments," "an example," "a specific example," "some examples," and the like means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. Such references do not necessarily refer to the same embodiment or example. The particular features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples, and those skilled in the art can combine the embodiments, examples and features described in this specification provided there is no contradiction.
In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The method embodiments described above are merely illustrative: the division into steps is only a logical functional division and may be realised differently in practice, for example by combining or integrating several steps into one, or by omitting or not implementing some features.
If the above method is implemented as software functional units and sold or used as a stand-alone product, it may be stored in a computer readable storage medium. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, or all or part of it, may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (a personal computer, a server or a network device) to execute all or some of the steps of the method of the embodiments. The storage medium may be any medium capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims. The protection scope of the present invention is therefore that of the claims.

Claims (8)

1. An illegal code identification method, comprising:
acquiring code and recording the execution characteristics of the code;
writing the code into executable memory, and recording write operation data;
before executing the code, judging, according to the execution characteristics and the write operation data, whether the static consistency or the dynamic continuity of the code is legal;
wherein the execution characteristics comprise an execution flow and a source; the executable memory comprises a code segment register and a stack segment register; the write operation data of the code segment register comprises the written code; and the write operation data of the stack segment register comprises a return address in the stack and a return parameter in the stack;
wherein the execution flow comprises function calls, function call returns, system calls and system call returns;
wherein judging, before executing the code, whether the static consistency of the code is legal according to the execution characteristics and the write operation data specifically comprises:
before executing the code, judging whether the source of the code is a disk file, and if so, recording description information of the code;
at a function call or a system call, judging whether the code was dynamically generated:
if the code was dynamically generated, judging whether its source can be traced, and if it cannot be traced, judging the code to be malicious code;
if the code was not dynamically generated, judging whether the written code is consistent with the disk file, and if it is not consistent, judging the code to be malicious code.
2. The illegal code identification method according to claim 1, wherein, when the code is determined to be malicious code, the code is blocked.
3. The illegal code identification method according to claim 1, wherein judging, before executing the code, whether the dynamic continuity of the code is legal according to the execution characteristics and the write operation data specifically comprises:
at a function call return or a system call return, judging whether the return address in the stack or the return parameter in the stack has been modified, and if it has, judging the code to be suspicious code.
4. The illegal code identification method according to any one of claims 1 to 3, further comprising:
at a function call return or a system call return, comparing and judging the description information of the code, and if the description information of the code is illegal, blocking execution of the code.
5. The illegal code identification method according to claim 4, wherein the description information includes: a code digest, a code source and a code context.
6. An illegal code identification system, comprising:
an acquisition unit for acquiring code and recording the execution characteristics of the code;
a writing unit for writing the code into executable memory and recording write operation data;
a judging unit for judging, before executing the code, whether the static consistency or the dynamic continuity of the code is legal according to the execution characteristics and the write operation data;
wherein the execution characteristics comprise an execution flow and a source; the executable memory comprises a code segment register and a stack segment register; the write operation data of the code segment register comprises the written code; and the write operation data of the stack segment register comprises a return address in the stack and a return parameter in the stack;
wherein the execution flow comprises function calls, function call returns, system calls and system call returns;
wherein the judging unit is specifically configured to judge, before executing the code, whether the source of the code is a disk file, and if so, to record description information of the code;
at a function call or a system call, to judge whether the code was dynamically generated:
if the code was dynamically generated, to judge whether its source can be traced, and if it cannot be traced, to judge the code to be malicious code;
if the code was not dynamically generated, to judge whether the written code is consistent with the disk file, and if it is not consistent, to judge the code to be malicious code.
7. A storage medium having stored therein instructions that, when read by a computer, cause the computer to execute the illegal code identification method according to any one of claims 1 to 5.
8. An illegal code identification device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the illegal code identification method according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910814820.7A CN110610086B (en) 2019-08-30 2019-08-30 Illegal code identification method, system, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910814820.7A CN110610086B (en) 2019-08-30 2019-08-30 Illegal code identification method, system, device and storage medium

Publications (2)

Publication Number Publication Date
CN110610086A CN110610086A (en) 2019-12-24
CN110610086B CN110610086B (en) 2021-06-18

Family

ID=68890714

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910814820.7A Active CN110610086B (en) 2019-08-30 2019-08-30 Illegal code identification method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN110610086B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104077522A (en) * 2014-06-30 2014-10-01 江苏华大天益电力科技有限公司 Process integrity detection method for an operating system
CN106096407A (en) * 2016-05-31 2016-11-09 华中科技大学 Defence method against code reuse attacks
CN106991324A (en) * 2017-03-30 2017-07-28 兴华永恒(北京)科技有限责任公司 Malicious code tracking and identification method based on memory protection monitoring
CN107590388A (en) * 2017-09-12 2018-01-16 南方电网科学研究院有限责任公司 Malicious code detection method and device
CN108846287A (en) * 2018-06-26 2018-11-20 北京奇安信科技有限公司 Method and device for detecting vulnerability attacks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170330264A1 (en) * 2016-05-10 2017-11-16 YOURO, Inc. Methods, apparatuses and systems for computer vision and deep learning


Also Published As

Publication number Publication date
CN110610086A (en) 2019-12-24

Similar Documents

Publication Publication Date Title
US11625485B2 (en) Method of malware detection and system thereof
JP6829718B2 (en) Systems and methods for tracking malicious behavior across multiple software entities
US10235520B2 (en) System and method for analyzing patch file
US8370931B1 (en) Multi-behavior policy matching for malware detection
US10055585B2 (en) Hardware and software execution profiling
US11159541B2 (en) Program, information processing device, and information processing method
US20140053267A1 (en) Method for identifying malicious executables
US8387147B2 (en) Method and system for detecting and removing hidden pestware files
US7607122B2 (en) Post build process to record stack and call tree information
US8321935B1 (en) Identifying originators of malware
US10216934B2 (en) Inferential exploit attempt detection
JP2009129451A (en) Apparatus and method for detecting dynamic link library inserted by malicious code
JP6734481B2 (en) Call stack acquisition device, call stack acquisition method, and call stack acquisition program
JP2010262609A (en) Efficient technique for dynamic analysis of malware
CN108804920B (en) Method for monitoring malicious code homology analysis based on cross-process behavior
CN110610086B (en) Illegal code identification method, system, device and storage medium
JP4643201B2 (en) Buffer overflow vulnerability analysis method, data processing device, analysis information providing device, analysis information extraction processing program, and analysis information provision processing program
CN106778276B (en) Method and system for detecting malicious codes of entity-free files
CN111125701B (en) File detection method, equipment, storage medium and device
US8353038B1 (en) Monitoring and managing changes to non-structured storage of system configuration information
US20090094459A1 (en) Method and system for associating one or more pestware-related indications with a file on a computer-readable storage medium of a computer
Swapna et al. Multiple Memory Image Instances Stratagem to Detect Fileless Malware
CN115600204A (en) Method and system for detecting shellcode malicious code and computer equipment
KR20130078960A (en) Malicious code which exploit office software vulnerability activity-based diagnosis and blocking methods
CN115270119A (en) Code injection attack detection mode based on internal memory forensics technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant