CN110647743A - Malicious behavior identification method and device and storage device - Google Patents

Info

Publication number
CN110647743A
Authority
CN (China)
Prior art keywords
office program, office, determining, starting process, malicious
Legal status
Pending
Application number
CN201810668717.1A
Other languages
Chinese (zh)
Inventors
张婷, 韩文奇, 王小丰, 肖新光
Current assignee
Beijing Ahtech Network Safe Technology Ltd
Original assignee
Beijing Ahtech Network Safe Technology Ltd
Priority date
2018-06-26
Filing date
2018-06-26
Publication date
2020-01-03

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The embodiment of the invention provides a method and a device for identifying malicious behaviors and a storage device, which are used for solving the problem that existing antivirus software has difficulty detecting an Office virus that attacks the system by exploiting an overflow vulnerability. The method comprises the following steps: monitoring whether an Office program calls the CreateRemoteThread function, which creates a remote thread, in the starting process; and if the Office program calls the CreateRemoteThread function in the starting process, determining that malicious behaviors exist in the Office program.

Description

Malicious behavior identification method and device and storage device
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for identifying malicious behaviors and storage equipment.
Background
At present, Office software has become indispensable for users because of its convenience and practicality. Personal Computers (PCs) on restricted internal networks and PCs that can connect to public networks alike need to have Office software installed, so when an Office document carrying malicious behavior is opened, the machine is attacked regardless of physical isolation, causing loss of user data, property and the like. For this reason, attacking through Office vulnerabilities has become an increasingly favored means for hackers.
At present, detection of Office documents mostly judges whether malicious code is present by means of feature codes (signatures). When a document exploits a 0-day vulnerability in Office software that has not been disclosed, however, an antivirus engine cannot detect a document constructed in a specific format to exploit that 0-day. In addition, with the various tools now available, Office documents in a specific format that trigger a buffer overflow are increasingly easy to construct; hackers can readily attack the system through the buffer overflow, the user can hardly perceive an attack that exploits the overflow vulnerability, and conventional antivirus software currently has difficulty detecting it.
In summary, current antivirus software has difficulty detecting the behavior of a virus in an Office program that attacks the system by exploiting an overflow vulnerability.
Disclosure of Invention
The embodiment of the invention provides a method and a device for identifying malicious behaviors and a storage device, which are used for solving the problem that existing antivirus software has difficulty detecting an Office virus that attacks the system by exploiting an overflow vulnerability.
Based on the above problem, an identification method for malicious behavior provided by the embodiment of the present invention includes:
monitoring whether an Office program calls a CreateRemoteThread function for creating a remote thread in the starting process;
and if the Office program calls a CreateRemoteThread function in the starting process, determining that malicious behaviors exist in the Office program.
The device for identifying malicious behaviors comprises a memory and a processor, wherein the memory is used for storing a plurality of instructions, and the processor is used for loading the instructions stored in the memory to execute:
monitoring whether an Office program calls a CreateRemoteThread function for creating a remote thread in the starting process;
and if the Office program calls a CreateRemoteThread function in the starting process, determining that malicious behaviors exist in the Office program.
The embodiment of the invention also provides a device for identifying malicious behaviors, which comprises:
the monitoring module is used for monitoring whether the Office program calls a CreateRemoteThread function for creating a remote thread in the starting process;
and the determining module is used for determining that malicious behaviors exist in the Office program after the Office program calls the CreateRemoteThread function in the starting process.
The embodiment of the invention provides a storage device, wherein a plurality of instructions are stored in the storage device, and the instructions are suitable for being loaded by a processor and executing the steps of the method for identifying malicious behaviors, provided by the embodiment of the invention.
The embodiment of the invention has the beneficial effects that:
according to the method, the device and the storage device for identifying malicious behaviors, whether malicious behaviors exist in the Office program is identified by monitoring whether the Office program calls the CreateRemoteThread function in the starting process; if the Office program calls the CreateRemoteThread function in the starting process, it is determined that malicious behaviors exist in the Office program. In other words, the method, apparatus and storage device provided in the embodiments of the present invention monitor the APIs called while the Office program starts, so that an Office file in a specific format constructed by exploiting any of various vulnerabilities can be detected, which overcomes the defect that a document attacking through an overflow vulnerability cannot be detected when the Office program is checked for malicious code by feature codes alone.
Drawings
Fig. 1 is a flowchart of a method for identifying malicious behavior according to an embodiment of the present invention;
fig. 2 is a flowchart of another malicious behavior identification method according to an embodiment of the present invention;
fig. 3 is a block diagram of an apparatus for identifying malicious behavior according to an embodiment of the present invention;
fig. 4 is a block diagram of another apparatus for identifying malicious behavior according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method, a device and a storage device for identifying malicious behaviors: when it is observed that an Office program calls the CreateRemoteThread function in the starting process, it is determined that malicious behaviors exist in the Office program. In other words, the method, apparatus and storage device provided in the embodiments of the present invention monitor the APIs called while the Office program starts, so that an Office file in a specific format constructed by exploiting any of various vulnerabilities can be detected. This makes up for the defect that a document attacking through an overflow vulnerability cannot be detected when the Office program is checked for malicious code by feature codes alone, and preserves the detection rate when the system is attacked through a buffer overflow vulnerability or an undisclosed 0-day vulnerability.
The following describes specific embodiments of a method, an apparatus, and a storage device for identifying malicious behavior according to embodiments of the present invention with reference to the accompanying drawings.
When a plurality of Office documents are opened, a plurality of Office programs are operated in the background and correspond to the Office documents one by one. For example, in a period of time after the icon of the document 1 is double-clicked and before the interface of the document 1 is presented, the Office program 1 corresponding to the document 1 is in a starting process; in a period of time after the icon of the document 2 is double-clicked and before the interface of the document 2 is presented, the Office program 2 corresponding to the document 2 is in a starting process.
Through testing, the researchers found that a normal Office start-up launches multiple threads for preliminary preparation, but none of the threads in a normal Word main process calls the CreateRemoteThread function. Because the Word document format does not leave a hacker much space in which to write the corresponding shellcode, malicious code can instead be injected through the CreateRemoteThread function in order to attack the system. Therefore, when an Office program is found to call the CreateRemoteThread function, it can be considered that malicious behavior exists in the Office program.
Based on this, the method for identifying malicious behavior provided by the embodiment of the present invention, as shown in fig. 1, specifically includes the following steps:
S101, monitoring that an Office program calls the CreateRemoteThread function, which creates a remote thread, in the starting process;
and S102, determining that malicious behaviors exist in the Office program.
In addition, the researchers found through testing that, during a normal Office start-up, various resources are allocated and preliminary preparation is carried out, but no process is started before the system API ShowWindow function is called. Malicious code, on the other hand, often exploits an Office vulnerability by means of a document constructed in a specific format, which causes the Office program to start the malicious program the code points to, that is, to start a new process, before ShowWindow is called.
Therefore, further, as shown in fig. 2, a method for identifying malicious behavior according to an embodiment of the present invention includes:
S201, monitoring whether the Office program calls the CreateRemoteThread function in the starting process; if the Office program calls the CreateRemoteThread function in the starting process, executing S202; if the Office program does not call the CreateRemoteThread function in the starting process, executing S203;
s202, determining that malicious behaviors exist in the Office program;
s203, monitoring whether a new process is created before a ShowWindow function is called in the starting process of the Office program; if a new process is created before the ShowWindow function is called, S202 is executed; if no new process is created before the ShowWindow function is called, executing S204;
and S204, determining that no malicious behaviors are found in the Office program.
Furthermore, after the fact that the malicious behaviors exist in the Office program is determined, the Office program can be blocked, and the malicious program is prevented from being triggered. Therefore, as shown in fig. 2, the method for identifying malicious behavior according to the embodiment of the present invention further includes:
and S205, prohibiting the Office program from running.
When the malicious behavior identification method provided by the embodiment of the invention is specifically implemented, a monitoring module can monitor the starting process, the thread initialization and the API calling sequence of the Office process; and then the judging module judges whether the corresponding Office document has malicious behaviors according to the monitoring result, and blocks the running of the malicious behaviors by forbidding the operation of the Office program.
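The S201 to S205 decision procedure above, as an added example that is not the patent's own code: a Python monitor that replays a constructed per-process API-call trace and returns the verdict for each Office process. It assumes that monitored events arrive as (pid, api_name) pairs in call order and that the creation of a new process shows up as a CreateProcessA or CreateProcessW call; both are assumptions of this example, not details given by the patent.

```python
from dataclasses import dataclass

MALICIOUS = "malicious"   # S202: malicious behavior exists in the Office program
CLEAN = "clean"           # S204: no malicious behavior found

# Assumed trace names for process creation (not from the patent, which only
# says "a new process is created").
PROCESS_CREATION_APIS = {"CreateProcessA", "CreateProcessW"}

# Constructed sample trace, not captured from real Office: (pid, api) in call order.
SAMPLE_EVENTS = [
    # pid 100: normal start-up, only ordinary worker threads, then the window appears
    (100, "CreateThread"), (100, "CreateThread"), (100, "ShowWindow"),
    # pid 200: CreateRemoteThread during start-up (S201 -> S202)
    (200, "CreateThread"), (200, "CreateRemoteThread"), (200, "ShowWindow"),
    # pid 300: a child process spawned before ShowWindow (S203 -> S202)
    (300, "CreateThread"), (300, "CreateProcessW"), (300, "ShowWindow"),
    # pid 400: a child process spawned after ShowWindow; this lies outside the
    # start-up window the method inspects, so the rule does not flag it
    (400, "CreateThread"), (400, "ShowWindow"), (400, "CreateProcessW"),
]


@dataclass
class OfficeStartup:
    """Per-process start-up state, tracked from process creation to ShowWindow."""
    pid: int
    window_shown: bool = False   # ShowWindow observed: start-up phase is over
    remote_thread: bool = False  # CreateRemoteThread seen during start-up
    early_child: bool = False    # new process created before ShowWindow
    blocked: bool = False        # S205: Office program prohibited from running


class StartupMonitor:
    """Monitoring module: records the API calls of each Office process during start-up."""

    def __init__(self) -> None:
        self.procs: dict[int, OfficeStartup] = {}

    def observe(self, pid: int, api: str):
        st = self.procs.setdefault(pid, OfficeStartup(pid))
        if not st.window_shown:
            if api == "CreateRemoteThread":
                st.remote_thread = True
            elif api in PROCESS_CREATION_APIS:
                st.early_child = True
            elif api == "ShowWindow":
                st.window_shown = True
        # Calls made after ShowWindow are outside the start-up phase and are ignored.
        return self.verdict(pid)

    def verdict(self, pid: int):
        """Determining module: S202 or S204, or None while start-up is still in progress."""
        st = self.procs[pid]
        if st.remote_thread or st.early_child:
            st.blocked = True        # S205
            return MALICIOUS
        if st.window_shown:
            return CLEAN
        return None


def run_trace(events):
    """Replay a trace; return ({pid: verdict}, set of blocked pids).

    The first verdict reached for a process is final, matching the flowchart,
    in which every branch ends in S202 or S204."""
    mon = StartupMonitor()
    verdicts = {}
    for pid, api in events:
        v = mon.observe(pid, api)
        if v is not None and pid not in verdicts:
            verdicts[pid] = v
    blocked = {pid for pid, st in mon.procs.items() if st.blocked}
    return verdicts, blocked


if __name__ == "__main__":
    results, blocked = run_trace(SAMPLE_EVENTS)
    for pid in sorted(results):
        print(pid, results[pid], "(blocked)" if pid in blocked else "")
```

Process 400 shows the limit of the rule as stated: a child process created after ShowWindow is not covered, because the patent's check is confined to the starting process.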
Based on the same inventive concept, the embodiment of the present invention further provides an apparatus for identifying malicious behaviors. Since the principle by which the apparatus solves the problem is similar to that of the method for identifying malicious behaviors, the implementation of the apparatus can refer to the implementation of the method, and repeated details are not described again.
An embodiment of the present invention further provides an apparatus for identifying a malicious behavior, as shown in fig. 3, including a memory 31 and a processor 32, where the memory 31 is configured to store a plurality of instructions, and the processor 32 is configured to load the instructions stored in the memory 31 to execute:
monitoring whether an Office program calls a CreateRemoteThread function for creating a remote thread in the starting process;
and if the Office program calls a CreateRemoteThread function in the starting process, determining that malicious behaviors exist in the Office program.
The processor 32 is also configured to load instructions stored in the memory 31 to perform:
when the CreateRemoteThread function is not called by the Office program in the starting process, monitoring whether a new process is created before the ShowWindow function is called by the Office program in the starting process;
and if so, determining that malicious behaviors exist in the Office program.
The processor 32 is also configured to load instructions stored in the memory 31 to perform:
determining that no new process is created before a ShowWindow function is called in the starting process of the Office program;
determining that no malicious behavior is found in the Office program.
The processor 32 is also configured to load instructions stored in the memory 31 to perform:
and when determining that malicious behaviors exist in the Office program, prohibiting the Office program from running.
An embodiment of the present invention further provides an apparatus for identifying a malicious behavior, as shown in fig. 4, including:
a monitoring module 41, configured to monitor whether the Office program calls the CreateRemoteThread function, which creates a remote thread, in the starting process;
a determining module 42, configured to determine that malicious behavior exists in the Office program after the Office program calls the CreateRemoteThread function in the starting process.
The embodiment of the invention also provides a storage device, wherein a plurality of instructions are stored in the storage device, and the instructions are suitable for being loaded by the processor and executing the steps of the method for identifying the malicious behavior provided by the embodiment of the invention.
Through the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present invention may be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods according to the embodiments of the present invention.
Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention.
Those skilled in the art will appreciate that the modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, and may be correspondingly changed in one or more devices different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for identifying malicious behavior, comprising:
monitoring whether an Office program calls a CreateRemoteThread function for creating a remote thread in the starting process;
and if the Office program calls a CreateRemoteThread function in the starting process, determining that malicious behaviors exist in the Office program.
2. The method of claim 1, wherein, when the Office program does not call the CreateRemoteThread function in the starting process, the method further comprises:
monitoring whether a new process is created before a ShowWindow function is called in the starting process of the Office program;
and if so, determining that malicious behaviors exist in the Office program.
3. The method of claim 2, wherein the method further comprises:
determining that no new process is created before a ShowWindow function is called in the starting process of the Office program;
determining that no malicious behavior is found in the Office program.
4. The method of claim 1 or 2, wherein the method further comprises:
and when determining that malicious behaviors exist in the Office program, prohibiting the Office program from running.
5. An apparatus for identifying malicious behavior, the apparatus comprising a memory configured to store a plurality of instructions and a processor configured to load the instructions stored in the memory to perform:
monitoring whether an Office program calls a CreateRemoteThread function for creating a remote thread in the starting process;
and if the Office program calls a CreateRemoteThread function in the starting process, determining that malicious behaviors exist in the Office program.
6. The apparatus of claim 5, wherein the processor is further configured to load instructions stored in the memory to perform:
when the CreateRemoteThread function is not called by the Office program in the starting process, monitoring whether a new process is created before the ShowWindow function is called by the Office program in the starting process;
and if so, determining that malicious behaviors exist in the Office program.
7. The apparatus of claim 6, wherein the processor is further configured to load instructions stored in the memory to perform:
determining that no new process is created before a ShowWindow function is called in the starting process of the Office program;
determining that no malicious behavior is found in the Office program.
8. The apparatus of claim 5 or 6, wherein the processor is further configured to load instructions stored in the memory to perform:
and when determining that malicious behaviors exist in the Office program, prohibiting the Office program from running.
9. An apparatus for identifying malicious behavior, comprising:
the monitoring module is used for monitoring whether the Office program calls a CreateRemoteThread function for creating a remote thread in the starting process;
and the determining module is used for determining that malicious behaviors exist in the Office program after the Office program calls the CreateRemoteThread function in the starting process.
10. A memory device having stored therein a plurality of instructions adapted to be loaded by a processor and to perform the steps of the method of any of claims 1-4.
CN201810668717.1A 2018-06-26 2018-06-26 Malicious behavior identification method and device and storage device Pending CN110647743A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810668717.1A CN110647743A (en) 2018-06-26 2018-06-26 Malicious behavior identification method and device and storage device

Publications (1)

Publication Number Publication Date
CN110647743A true CN110647743A (en) 2020-01-03

Family

ID=69008587

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1801030A (en) * 2004-12-31 2006-07-12 福建东方微点信息安全有限责任公司 Method for distinguishing baleful program behavior
CN102737188A (en) * 2012-06-27 2012-10-17 北京奇虎科技有限公司 Method and device for detecting malicious webpage
CN104217157A (en) * 2014-07-31 2014-12-17 珠海市君天电子科技有限公司 Anti-vulnerability-exploitation method and system
CN104809391A (en) * 2014-01-26 2015-07-29 华为技术有限公司 Buffer overflow attack detecting device, method and safeguard system
CN105117648A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Detection system and method for 0DAY/malicious document based on virtual machine

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200103