CN110888771A - Method and device for monitoring and analyzing process, electronic equipment and storage medium - Google Patents


Info

Publication number
CN110888771A
Authority
CN
China
Prior art keywords
sample process
virtual
operating system
monitoring
environment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811608344.5A
Other languages
Chinese (zh)
Inventor
孙鹏
王小丰
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Ahtech Network Safe Technology Ltd
Original Assignee
Beijing Ahtech Network Safe Technology Ltd

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F11/00 Error detection; Error correction; Monitoring
            • G06F11/30 Monitoring
              • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
                • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
              • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/445 Program loading or initiating
                  • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F9/45533 Hypervisors; Virtual machine monitors
                    • G06F9/45558 Hypervisor-specific management and integration aspects
                      • G06F2009/45562 Creating, deleting, cloning virtual machine instances
                      • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

Embodiments of the invention disclose a method and a device for monitoring and analyzing a process, together with an electronic device and a storage medium. They relate to the technical field of computer security and help to improve the efficiency with which samples are analyzed. The method for monitoring and analyzing a process comprises the following steps: monitoring the loading of sample processes in the current operating system; when a first sample process is detected loading in the current operating system, creating a first virtual running environment for it; and when a second sample process is detected loading in the current operating system, creating a second virtual running environment for it, the second virtual running environment being isolated from the first. The method is suitable for analyzing the running behavior of sample processes.

Description

Method and device for monitoring and analyzing process, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method and an apparatus for monitoring and analyzing a process, an electronic device, and a storage medium.
Background
Currently, when a sample is analyzed in a computer system, a virtual machine must be started for it, and a log is output after the analysis finishes.
In the existing sample analysis mode, each sample corresponds to one virtual machine. When there are many samples to analyze, many virtual machines must be started at the same time, which consumes a large amount of system resources; starting and shutting down the virtual machines also takes additional time, so analysis is slow and analysis efficiency is low.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, an electronic device, and a storage medium for monitoring and analyzing a process, so as to improve an analysis efficiency of a sample.
In a first aspect, an embodiment of the present invention provides a method for monitoring and analyzing a process, including: monitoring the loading of the sample process in the current operating system; monitoring that a first sample process is loaded in a current operating system, and creating a first virtual running environment for the first sample process; and when the second sample process is monitored to be loaded in the current operating system, creating a second virtual running environment for the second sample process, wherein the second virtual running environment is isolated from the first virtual running environment.
According to a specific implementation manner of the embodiment of the present invention, the monitoring of the loading of the sample process in the current operating system includes: monitoring the loading of a sample process in a current operating system in the same virtual machine; alternatively, the loading of the sample process in the current operating system running directly on the physical device is monitored.
According to a specific implementation manner of the embodiment of the present invention, the creating a first virtual operating environment for a first sample process includes: creating a first public resource and a variable of the first sample process during operation for the first sample process; the creating a second virtual execution environment for a second sample process includes: a second common resource and a variable at runtime of the second sample process are created for the second sample process.
According to a specific implementation manner of the embodiment of the present invention, after the first virtual execution environment is created for the first sample process, the method further includes: redirecting an operation object of the first sample process to the first virtual running environment; after creating the second virtual execution environment for the second sample process, the method further comprises: the operands of the second sample process are redirected to the second virtual execution environment.
According to a specific implementation manner of the embodiment of the present invention, after the redirection of the operation object of the second sample process to the second virtual execution environment, the method further includes: and outputting the running monitoring logs of the first sample process and the second sample process.
In a second aspect, an embodiment of the present invention provides an apparatus for monitoring and analyzing a process, including: the monitoring module is used for monitoring the loading of the sample process in the current operating system; the first virtual environment creating module is used for monitoring that a first sample process is loaded in a current operating system and creating a first virtual running environment for the first sample process; the second virtual environment creating module is used for monitoring that a second sample process is loaded in the current operating system and creating a second virtual running environment for the second sample process; wherein the second virtual execution environment is isolated from the first virtual execution environment.
According to a specific implementation manner of the embodiment of the present invention, the monitoring module is specifically configured to: monitoring the loading of a sample process in a current operating system in the same virtual machine; alternatively, the loading of the sample process in the current operating system running directly on the physical device is monitored.
According to a specific implementation manner of the embodiment of the present invention, the first virtual environment creating module is specifically configured to create, when it detects that the first sample process is loaded in the current operating system, a first common resource and the runtime variables of the first sample process for the first sample process; the second virtual environment creating module is specifically configured to create, when it detects that the second sample process is loaded in the current operating system, a second common resource and the runtime variables of the second sample process for the second sample process.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes: the first redirection module is used for redirecting the operation object of the first sample process to the first virtual running environment; and the second redirection module is used for redirecting the operation object of the second sample process to the second virtual running environment.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes: and the log output module is used for outputting the running monitoring logs of the first sample process and the second sample process.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes the program corresponding to the executable program code by reading the executable program code stored in the memory, and is used for executing the method of any one of the foregoing implementation modes.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement a method according to any one of the foregoing implementation manners.
Embodiments of the invention provide a method, a device, an electronic device and a storage medium for monitoring and analyzing a process. The loading of sample processes in the current operating system is monitored; when a first sample process is detected loading in the current operating system, a first virtual execution environment is created for it, and when a second sample process is detected loading, a second virtual execution environment, isolated from the first, is created for it. Different sample processes can thus run in parallel in the same operating system, each in its own independent virtual running environment, so the running behavior of several different sample processes can be monitored and analyzed simultaneously in the same operating system and analysis efficiency is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart illustrating an embodiment of a method for monitoring and analyzing a process according to the present invention;
FIG. 2 is a schematic structural diagram of an embodiment of an apparatus for monitoring and analyzing a process according to the present invention;
FIG. 3 is a schematic structural diagram of another embodiment of an apparatus for monitoring and analyzing a process according to the present invention;
FIG. 4 is a schematic structural diagram of an apparatus for monitoring and analyzing a process according to another embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an embodiment of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a first aspect, embodiments of the present invention provide a method for monitoring and analyzing a process, which is convenient for improving an analysis efficiency of a sample.
Fig. 1 is a schematic flow diagram of an embodiment of a method for monitoring and analyzing a process according to the present invention, and as shown in fig. 1, the method of this embodiment may include:
step 101, monitoring the loading of the sample process in the current operating system.
The current operating system may be an operating system installed on a virtual machine, or an operating system directly running on a physical hardware device, that is, an operating system of a real computer. The operating system may be a Windows operating system, a Linux operating system, or the like.
Step 102, when the first sample process is monitored to be loaded in the current operating system, a first virtual operating environment is created for the first sample process.
In order to run different sample processes in parallel in the same operating system while avoiding mutual interference between them, and so ensure the accuracy of the analysis result, this embodiment creates a separate virtual running environment for each sample process running in the same operating system. The virtual running environments created for the sample processes are isolated from one another, that is, they are independent of each other, and a sample process can perform its operations only within its own virtual running environment.
Step 103, when the second sample process is detected loading in the current operating system, a second virtual running environment is created for the second sample process, the second virtual running environment being isolated from the first virtual running environment.
In this embodiment, a plurality of different sample processes may be run in parallel in the same operating system, and after a first virtual running environment is created for a first sample process when it is monitored that the first sample process is loaded in the current operating system, a second virtual running environment is created for a second sample process when it is monitored that the second sample process is loaded in the current operating system.
In the embodiment of the invention, the loading of sample processes in the current operating system is monitored; when a first sample process is detected loading in the current operating system, a first virtual running environment is created for it, and when a second sample process is detected loading, a second virtual running environment, isolated from the first, is created for it. Different sample processes can thus run in parallel in the same operating system, each in its own independent virtual running environment, so the running behavior of several different sample processes can be monitored and analyzed simultaneously in the same operating system and analysis efficiency is improved.
In an embodiment of the present invention, the monitoring the loading of the sample process in the current operating system (step 101) may include: the loading of a sample process in the current operating system in the same virtual machine is monitored.
In this embodiment, the virtual machine is a complete computer system with full hardware functionality that is simulated in software and runs in a completely isolated environment. For example, it can be VMware Workstation or VirtualBox under a Windows operating system, or KVM under a Linux operating system. Multiple virtual machines can be installed under one operating system, and each virtual machine can have its own operating system. The operating system in the virtual machine may be a Windows operating system, a Linux operating system, or the like.
In this embodiment, only one virtual machine may be installed on the host machine, and a plurality of monitoring samples may be run in parallel in the virtual machine. By monitoring the loading of the sample process in the operating system of the virtual machine, when the first sample process is monitored to be loaded in the current operating system, the operating system of the virtual machine creates a first virtual running environment for the first sample process, and when the second sample process is monitored to be loaded in the current operating system, the operating system of the virtual machine creates a second virtual running environment for the second sample process, wherein the second virtual running environment is isolated from the first virtual running environment.
In this embodiment, a plurality of different sample processes run in parallel in the operating system of the same virtual machine, so that the plurality of different sample processes are monitored and analyzed in parallel.
In another embodiment of the present invention, the monitoring of the loading of the sample process in the current operating system (step 101) may include: the loading of the sample process in the current operating system running directly on the physical device, i.e., the loading of the sample process in the operating system of the real computer, is monitored.
In this embodiment, by monitoring loading of a sample process in an operating system of a real computer, when it is monitored that a first sample process is loaded in a current operating system, the operating system of the real computer creates a first virtual operating environment for the first sample process, and when it is monitored that a second sample process is loaded in the current operating system, the operating system of the real computer creates a second virtual operating environment for a second sample process, where the second virtual operating environment is isolated from the first virtual operating environment.
The advantage of this embodiment is that multiple sample processes run in parallel directly in the operating system of the same real computer, so the running behavior of many different sample processes can be monitored and analyzed in parallel without installing a virtual machine. This avoids inaccurate analysis results caused by samples with anti-virtual-machine checks not triggering their behavior.
In an embodiment of the present invention, creating a first virtual execution environment for the first sample process when it is detected loading in the current operating system (step 102) may include: creating a first common resource and the runtime variables of the first sample process for the first sample process.
The first common resource may include a first file system, a first registry, a first cache, a first user directory, and the like.
The file system can be created as a RAM disk in memory, or directly as a fixed directory on a physical hard disk.
Regarding the creation of the first registry, a custom database can be stored in memory as a tree structure, or a text file can be used directly to record it; the database can be deleted after use.
With respect to the creation of the first user directory, a corresponding set of user directories may be created automatically, based on the sample process ID, upon detecting that the first sample process is loaded in the current operating system.
The user directory is used for storing the user's personal data. For example, in the Linux operating system, apart from the root user, the configuration files, desktop files and personal data of all other users are placed in their respective user directories. For the user test, for example, personal data and files such as the desktop are all placed under the /home/test/ directory.
The runtime variables of a sample process refer to the paths (PATH) used by the process at runtime, such as the Python script interpreter path, the Java virtual machine installation path, the Flash plug-in path, the locations of various SDKs, the temporary buffer path and some default locations such as c:\program files\my document, as well as the runtime libraries needed when the process is started, the default thread stack size, the PEB (process environment block), TEB (thread environment block), access token, mutex, critical section, atom, various vector tables, and the like.
Regarding the creation of the runtime variables of the first sample process, an intermediate layer is inserted between the sample and the operating system environment to convert (translate or replace) the environment variables, so that the sample mistakes the environment variables provided to it for those of the operating system.
In an embodiment of the present invention, creating a second virtual execution environment for the second sample process when it is detected loading in the current operating system (step 103) includes: creating a second common resource and the runtime variables of the second sample process for the second sample process.
The second common resource may include a second file system, a second registry, a second cache, a second user directory, and the like.
The process of creating the second common resource is similar to the process of creating the first common resource, and is not described again here.
The meaning and creation of the runtime variables of the second sample process are essentially the same as those of the runtime variables of the first sample process, and are not described again here.
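As an added illustration of the creation steps above (not code from the patent or its assignee), the following Python models one virtual running environment per sample process: a per-sample file-system root and user directory derived from the sample PID, a registry stand-in kept in memory as a tree, and the intermediate layer that translates path-valued environment variables so they point inside the environment while keeping the variable names the sample reads. Class names, method names, the PIDs and the host environment are assumptions constructed for the example.

```python
"""Added example (not the patent's code): creating a per-sample virtual running
environment consisting of a common resource set (file-system root, registry
stand-in, user directory) and a translated set of runtime variables. Class and
method names are assumptions made for this illustration."""
import os
import tempfile
from dataclasses import dataclass, field


class VirtualRegistry:
    """Registry stand-in: a tree held in memory and addressed by backslash
    paths such as HKCU\\Software\\Vendor. Each node keeps subkeys and values
    apart, so a value may share a name with a subkey."""

    def __init__(self):
        self._root = {"keys": {}, "values": {}}

    def _node(self, key_path, create):
        node = self._root
        for part in key_path.strip("\\").split("\\"):
            child = node["keys"].get(part)
            if child is None:
                if not create:
                    return None
                child = node["keys"][part] = {"keys": {}, "values": {}}
            node = child
        return node

    def set_value(self, key_path, name, value):
        self._node(key_path, create=True)["values"][name] = value

    def get_value(self, key_path, name, default=None):
        node = self._node(key_path, create=False)
        return default if node is None else node["values"].get(name, default)


@dataclass
class VirtualEnvironment:
    sample_pid: int
    root: str          # per-sample file-system root (a fixed directory on disk)
    user_dir: str      # per-sample user directory, derived from the sample PID
    registry: VirtualRegistry = field(default_factory=VirtualRegistry)

    @classmethod
    def create(cls, sample_pid, base_dir):
        """Called when a sample process is seen loading: build its resources."""
        root = os.path.join(base_dir, f"sample_{sample_pid}")
        user_dir = os.path.join(root, "home", f"user_{sample_pid}")
        for sub in ("tmp", "programs"):
            os.makedirs(os.path.join(root, sub), exist_ok=True)
        os.makedirs(user_dir, exist_ok=True)
        return cls(sample_pid, root, user_dir)

    def relocate(self, host_path):
        """Move a host path (Windows or POSIX style) under this environment's root."""
        p = host_path.replace("\\", "/")
        if len(p) >= 2 and p[1] == ":":      # strip a drive letter such as C:
            p = p[2:]
        return os.path.join(self.root, p.lstrip("/"))

    def translate_env(self, host_env):
        """The intermediate layer between sample and OS: path-valued variables
        are rewritten to point inside this environment while the variable
        names the sample reads stay the same."""
        env = dict(host_env)
        for var in ("TEMP", "TMP", "JAVA_HOME", "PYTHONHOME"):
            if var in env:
                env[var] = self.relocate(env[var])
        if "PATH" in env:
            env["PATH"] = os.pathsep.join(
                self.relocate(p) for p in env["PATH"].split(os.pathsep) if p)
        env["HOME"] = env["USERPROFILE"] = self.user_dir
        return env


def build_demo(base_dir=None):
    """Create environments for two constructed sample PIDs and show that their
    registries and translated variables are independent of each other."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="venv_demo_")
    first = VirtualEnvironment.create(4120, base_dir)
    second = VirtualEnvironment.create(4188, base_dir)
    first.registry.set_value("HKCU\\Software\\Vendor", "Installed", 1)
    # Constructed host environment; POSIX-style PATH so the demo runs anywhere.
    host_env = {"PATH": os.pathsep.join(["/usr/local/bin", "/usr/bin"]),
                "HOME": "/home/test", "TEMP": "/tmp"}
    translated = first.translate_env(host_env)
    return {
        "roots_differ": first.root != second.root,
        "first_sees_value": first.registry.get_value("HKCU\\Software\\Vendor", "Installed"),
        "second_sees_value": second.registry.get_value("HKCU\\Software\\Vendor", "Installed"),
        "relocated_ok": first.relocate("C:\\Windows\\System32")
                        == os.path.join(first.root, "Windows/System32"),
        "first_env": translated,
        "first_user_dir": first.user_dir,
        "first_tmp": os.path.join(first.root, "tmp"),
        "first_path_list": translated["PATH"].split(os.pathsep),
        "expected_path_list": [os.path.join(first.root, "usr/local/bin"),
                               os.path.join(first.root, "usr/bin")],
    }


if __name__ == "__main__":
    for k, v in build_demo().items():
        print(k, "=", v)
```

The registry tree and the file-system root are created fresh for each PID, so a value written by the first sample is simply absent from the second sample's view; the translation layer rewrites only the values of the variables, which is what lets the sample treat them as the operating system's own.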
After the virtual running environment has been created, in order to monitor the operation of the sample process within it, the operation objects of the sample process must be redirected to the created virtual running environment, so that the sample process performs its operations, such as reading and writing, inside that environment. Specifically, in an embodiment of the present invention, after the first virtual running environment is created for the first sample process, the method may further include: redirecting the operation objects of the first sample process to the first virtual running environment.
After creating the second virtual execution environment for the second sample process, the method further comprises: the operands of the second sample process are redirected to the second virtual execution environment.
There are several ways to redirect the operation objects of a sample process into the virtual running environment; the following are given by way of example:
(I) Kernel-layer-based method
1) Modify the operating system kernel and add preset function code, passing through the protection of PatchGuard. Here PatchGuard is the kernel protection system of Windows Vista.
2) Hook the application programming interface (API), passing through the protection of PatchGuard, so that at runtime the sample is pointed to the pre-constructed virtual running environment by a preset hook function.
3) Redirect the operations of the sample process to the constructed virtual running environment through a purpose-written filter driver.
(II) Application-layer-based method
1) At the application layer, inject hooks into the APIs called by each process by means of APC (Asynchronous Procedure Call).
2) Inject hooks into the APIs called by each process by means of CRT (CreateRemoteThread), and point the operation objects of the sample process (including file paths, registry, environment variables, etc.) to the pre-constructed virtual running environment.
3) Replace a DLL (dynamic link library) called by the system, and redirect the objects operated on by the sample process to the pre-constructed virtual running environment.
The kernel-layer-based and application-layer-based methods above may be used alone or in combination to maximize performance.
After the operation object of the first sample process is redirected to the first virtual running environment, the running process of the first sample process can be recorded and analyzed to form a running monitoring log about the first sample process; similarly, after the operation object of the second sample process is redirected to the second virtual execution environment, the operation process of the second sample process can be recorded and analyzed to form an operation monitoring log about the second sample process.
In an embodiment of the present invention, after redirecting the operation objects of the second sample process to the second virtual execution environment, the method may further include: outputting the running monitoring logs of the first sample process and the second sample process, so that whether the first and second sample processes exhibit malicious behavior can be determined from the logs.
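As an added illustration of the redirection and logging steps above (not code from the patent or its assignee), the following Python stands in for the hook layer: each file or registry operation a sample issues is intercepted, rewritten to the sample's own in-memory environment, applied there and appended to that sample's running monitoring log, which is then exported as JSON lines with a per-operation count. The operation interface, log fields and sample PIDs are assumptions constructed for the example; the autorun key used in the demo is the standard Windows HKCU Run key.

```python
"""Added example (not the patent's code): a redirection layer that intercepts the
operation objects of each sample process, maps them into that sample's own
virtual running environment, and keeps a running monitoring log per sample.
The operation interface, the log fields and the sample PIDs are assumptions
made for this illustration."""
import json
import time
from collections import Counter


def normalize(path):
    """Separator- and case-insensitive key, so that C:\\Users\\a.txt and
    c:/users/A.TXT name the same object."""
    return path.replace("\\", "/").lower().rstrip("/")


class RedirectionLayer:
    """Stands in for the hook layer (kernel filter driver or user-mode API hook):
    every file or registry operation a sample issues is intercepted here,
    redirected to the sample's own in-memory environment, applied, and logged."""

    def __init__(self):
        self._envs = {}   # sample_pid -> {"files": {...}, "registry": {...}}
        self._logs = {}   # sample_pid -> list of log entries

    def create_environment(self, sample_pid):
        """Called when the sample process is seen loading: a fresh, isolated store."""
        self._envs[sample_pid] = {"files": {}, "registry": {}}
        self._logs[sample_pid] = []

    def redirect(self, sample_pid, host_path):
        """Where the host path actually lands; the sample keeps using the host name."""
        return f"<vroot:{sample_pid}>/{normalize(host_path).lstrip('/')}"

    def _log(self, sample_pid, op, target, result):
        self._logs[sample_pid].append({
            "ts": time.time(), "pid": sample_pid, "op": op, "target": target,
            "redirected_to": self.redirect(sample_pid, target), "result": result,
        })

    def file_write(self, sample_pid, host_path, data):
        self._envs[sample_pid]["files"][normalize(host_path)] = data
        self._log(sample_pid, "file_write", host_path, "ok")

    def file_read(self, sample_pid, host_path):
        data = self._envs[sample_pid]["files"].get(normalize(host_path))
        self._log(sample_pid, "file_read", host_path,
                  "ok" if data is not None else "not_found")
        return data

    def reg_set(self, sample_pid, key, name, value):
        self._envs[sample_pid]["registry"][(normalize(key), name.lower())] = value
        self._log(sample_pid, "reg_set", f"{key}\\{name}", "ok")

    def reg_get(self, sample_pid, key, name):
        value = self._envs[sample_pid]["registry"].get((normalize(key), name.lower()))
        self._log(sample_pid, "reg_get", f"{key}\\{name}",
                  "ok" if value is not None else "not_found")
        return value

    def export_log(self, sample_pid):
        """Running monitoring log for one sample: JSON lines plus a count per operation."""
        entries = self._logs[sample_pid]
        return ("\n".join(json.dumps(e, sort_keys=True) for e in entries),
                dict(Counter(e["op"] for e in entries)))


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def run_two_samples():
    """Two constructed samples run in the same OS; the second cannot observe the
    first's writes because each operates only inside its own environment."""
    layer = RedirectionLayer()
    layer.create_environment(4120)   # constructed PID of the first sample
    layer.create_environment(4188)   # constructed PID of the second sample
    layer.file_write(4120, r"C:\Users\Public\sample.dat", b"constructed sample content")
    layer.reg_set(4120, RUN_KEY, "Updater", r"C:\Users\Public\sample.dat")
    return {
        "second_sees_file": layer.file_read(4188, r"C:\Users\Public\sample.dat"),
        "second_sees_value": layer.reg_get(4188, RUN_KEY, "Updater"),
        "first_reads_back": layer.file_read(4120, "c:/users/public/SAMPLE.DAT"),
        "first_summary": layer.export_log(4120)[1],
        "second_summary": layer.export_log(4188)[1],
    }


if __name__ == "__main__":
    print(run_two_samples())
```

The log keeps both the host name the sample used and the location it was redirected to, which is what an analyst needs to read an autorun write or a file drop out of the log afterwards without the two samples' records being mixed.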
In a second aspect, embodiments of the present invention provide an apparatus for monitoring and analyzing a process, which facilitates improving efficiency of analyzing a sample.
Fig. 2 is a schematic structural diagram of an embodiment of an apparatus for monitoring and analyzing a process according to the present invention. As shown in fig. 2, the apparatus of this embodiment may include: a monitoring module 11, a first virtual environment creating module 12, and a second virtual environment creating module 13. The monitoring module 11 is configured to monitor the loading of sample processes in the current operating system; the first virtual environment creating module 12 is configured to create a first virtual running environment for a first sample process when it detects that the first sample process is loaded in the current operating system; the second virtual environment creating module 13 is configured to create a second virtual running environment for a second sample process when it detects that the second sample process is loaded in the current operating system; the second virtual execution environment is isolated from the first virtual execution environment.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and the implementation principle and the technical effect are similar, which are not described herein again.
In an embodiment of the present invention, the monitoring module 11 is specifically configured to: the loading of a sample process in the current operating system in the same virtual machine is monitored.
In this embodiment, the virtual machine is a complete computer system with full hardware functionality that is simulated in software and runs in a completely isolated environment. For example, it can be VMware Workstation or VirtualBox under a Windows operating system, or KVM under a Linux operating system. Multiple virtual machines can be installed under one operating system, and each virtual machine can have its own operating system. The operating system in the virtual machine may be a Windows operating system, a Linux operating system, or the like.
In this embodiment, only one virtual machine may be installed on the host machine, and a plurality of monitoring samples may be run in parallel in the virtual machine. By monitoring the loading of the sample process in the operating system of the virtual machine, when the first sample process is monitored to be loaded in the current operating system, the operating system of the virtual machine creates a first virtual running environment for the first sample process, and when the second sample process is monitored to be loaded in the current operating system, the operating system of the virtual machine creates a second virtual running environment for the second sample process, wherein the second virtual running environment is isolated from the first virtual running environment.
In this embodiment, a plurality of different sample processes run in parallel in the operating system of the same virtual machine, so that the plurality of different sample processes are monitored and analyzed in parallel. The embodiment of the present invention is not limited thereto, and in another embodiment of the present invention, the monitoring module 11 may also be specifically configured to: the loading of the sample process in the current operating system running directly on the physical device is monitored.
In this embodiment, by monitoring loading of a sample process in an operating system of a real computer, when it is monitored that a first sample process is loaded in a current operating system, the operating system of the real computer creates a first virtual operating environment for the first sample process, and when it is monitored that a second sample process is loaded in the current operating system, the operating system of the real computer creates a second virtual operating environment for a second sample process, where the second virtual operating environment is isolated from the first virtual operating environment.
Running multiple sample processes directly and in parallel in the operating system of the same real computer has the advantages that the operating behaviors of multiple different sample processes can be monitored and analyzed simultaneously and that no virtual machine needs to be installed, which avoids inaccurate analysis results caused by samples with anti-virtual-machine behaviors that do not trigger when they detect a virtual machine. The trade-off a practitioner should note is that, without a hypervisor, the isolation between a sample process and the real host rests entirely on the per-process virtual running environment and on the redirection of the sample's operation objects into it.
In an embodiment of the present invention, the first virtual environment creation module 12 is specifically configured to create, for the first sample process, a first copy of the common resources and of the variables the first sample process uses at runtime when the monitoring module detects that the first sample process is loaded in the current operating system; the second virtual environment creation module 13 is specifically configured to create, for the second sample process, a second copy of the common resources and of the variables the second sample process uses at runtime when the monitoring module detects that the second sample process is loaded in the current operating system.
In this embodiment, the process of creating the first common resources and runtime variables for the first sample process and the process of creating the second common resources and runtime variables for the second sample process are essentially the same as in the method embodiment described above and are not repeated here.
After the virtual running environment is created, the operation objects of the sample process (the files, settings and other resources it acts on) must be redirected to the created virtual running environment so that the sample process performs its reading, writing and similar operations inside that environment and its operation process can be monitored there. Specifically, as shown in Fig. 3, in another embodiment of the present invention the apparatus further includes a first redirection module 14 and a second redirection module 15. The first redirection module 14 is configured to redirect the operation objects of the first sample process to the first virtual running environment; the second redirection module 15 is configured to redirect the operation objects of the second sample process to the second virtual running environment.
The manner of redirecting the operation objects of a sample process to its virtual running environment is the same as in the method embodiment above and is not repeated here.
After the operation objects of the first sample process are redirected to the first virtual running environment, the running process of the first sample process can be recorded and analyzed to form a running monitoring log for the first sample process; similarly, after the operation objects of the second sample process are redirected to the second virtual running environment, the running process of the second sample process can be recorded and analyzed to form a running monitoring log for the second sample process.
Referring to fig. 4, in another embodiment of the present invention, the apparatus further comprises: and the log output module 15 is used for outputting the running monitoring logs of the first sample process and the second sample process so as to determine whether the first sample process and the second sample process have malicious behaviors according to the logs.
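The description above leaves the mechanics of the per-sample environment, the redirection of operation objects and the monitoring log to the method embodiment. The following is an added illustrative model written for this page, not code from the patent or its assignee: it treats a private directory as the isolation boundary of a virtual running environment, gives each loaded sample its own copy of constructed "common resources" and runtime variables, redirects every path the sample touches into its private root (normalising `..` so a sample cannot climb out), and records each operation in a per-sample log. The `Monitor`, `VirtualEnvironment` and `run_demo` names, the use of a directory rather than a kernel-layer filter, and the two constructed samples are assumptions of this example; a real implementation would also cover registry and other operation objects, via kernel-layer or application-layer hooks as the text notes below.

```python
"""Illustrative model of per-sample virtual running environments (added example).

Not the patent's implementation. It models the behaviour the description
attributes to the apparatus: on process load, create an isolated environment
(here a private root directory plus private copies of common resources and
variables), redirect every operation object into it, and log each operation.
"""
import os
import posixpath
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for the "common resources" and runtime variables that
# each sample receives a private copy of (assumed content, not from the patent).
COMMON_RESOURCES = {"config/app.ini": b"mode=release\n"}
COMMON_VARIABLES = {"TEMP": "/tmp", "USERPROFILE": "/home/user"}


@dataclass
class VirtualEnvironment:
    """One isolated running environment belonging to one sample process."""
    sample_id: str
    root: str                                   # private filesystem root
    variables: Dict[str, str] = field(default_factory=dict)
    log: List[tuple] = field(default_factory=list)

    def redirect(self, operation_object: str) -> str:
        """Map a path the sample asks for onto its private root.

        Backslashes are accepted so Windows-style paths work in the demo; the
        path is normalised as absolute first, so '..' segments collapse against
        '/' and can never resolve above the private root.
        """
        normalised = posixpath.normpath("/" + operation_object.replace("\\", "/"))
        return os.path.join(self.root, normalised.lstrip("/"))

    def write(self, operation_object: str, data: bytes) -> str:
        target = self.redirect(operation_object)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        self.log.append(("write", operation_object, target, len(data)))
        return target

    def read(self, operation_object: str) -> bytes:
        target = self.redirect(operation_object)
        try:
            with open(target, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            data = b""                          # the sample sees an absent file, not the host's
        self.log.append(("read", operation_object, target, len(data)))
        return data


class Monitor:
    """Creates one isolated environment per sample process it sees loaded."""

    def __init__(self, base_dir: str):
        self.base_dir = base_dir
        self.environments: Dict[str, VirtualEnvironment] = {}

    def on_process_loaded(self, sample_id: str) -> VirtualEnvironment:
        """Hook point: called when a sample process is observed being loaded."""
        root = os.path.join(self.base_dir, sample_id)
        os.makedirs(root, exist_ok=True)
        env = VirtualEnvironment(sample_id, root, dict(COMMON_VARIABLES))
        for rel, content in COMMON_RESOURCES.items():   # private copy of common resources
            env.write(rel, content)
        env.log.clear()                                 # setup writes are not sample behaviour
        self.environments[sample_id] = env
        return env

    def export_logs(self) -> Dict[str, List[tuple]]:
        """The running monitoring logs, one list of operations per sample."""
        return {sid: list(env.log) for sid, env in self.environments.items()}


def run_demo(base_dir: Optional[str] = None) -> dict:
    """Two constructed samples act on overlapping paths; return what each observed."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="vre-")
    monitor = Monitor(base_dir)
    first = monitor.on_process_loaded("sample-1")
    second = monitor.on_process_loaded("sample-2")

    first.write("config/app.ini", b"mode=debug\n")      # only sample-1's copy changes
    hosts = r"..\..\Windows\System32\drivers\etc\hosts"  # escape attempt by sample-2
    second.write(hosts, b"127.0.0.1 update.example\n")

    return {
        "first_sees": first.read("config/app.ini"),
        "second_sees": second.read("config/app.ini"),
        "second_root": second.root,
        "hosts_target": second.redirect(hosts),
        "logs": monitor.export_logs(),
    }


if __name__ == "__main__":
    result = run_demo()
    for sid, entries in result["logs"].items():
        for op, obj, target, size in entries:
            print(f"{sid}: {op} {obj} -> {target} ({size} bytes)")
```

The two assertions worth taking away are that sample-2 still reads the untouched `mode=release` after sample-1 rewrote the same relative path, and that the `..`-laden `hosts` write lands under sample-2's private root rather than anywhere on the real system. Whether the redirection is enforced in the kernel or in the application layer, that containment property is the one a reviewer of such a sandbox should test first.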
In a third aspect, an embodiment of the present invention further provides an electronic device. Fig. 5 is a schematic structural diagram of an embodiment of an electronic device according to the present invention, which may implement the process of the embodiment shown in Fig. 1. As shown in Fig. 5, the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is arranged inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or device of the electronic device; the memory 43 stores executable program code; and the processor 42 runs a program corresponding to the executable program code by reading it from the memory 43, so as to execute the method described in any of the foregoing embodiments.
The specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code may refer to the description of the embodiment shown in fig. 1 of the present invention, and are not described herein again.
The electronic device may exist in a variety of forms including, but not limited to, a desktop computer having computing and processing capabilities, a server or other electronic device having computing and processing capabilities.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors for performing the method of any of the preceding embodiments.
According to the method, apparatus, electronic device and storage medium for monitoring and analyzing processes described above, the loading of sample processes in the current operating system is monitored; when a first sample process is detected being loaded, a first virtual running environment is created for it, and when a second sample process is detected being loaded, a second virtual running environment is created for it, the second virtual running environment being isolated from the first. Different sample processes can therefore run in parallel in the same operating system, each in its own independent virtual running environment, so that the operating behaviors of a plurality of different sample processes can be monitored and analyzed simultaneously in one operating system and analysis efficiency is improved.
When a plurality of sample processes run directly and in parallel in the operating system of the same real computer, inaccurate analysis results caused by samples whose anti-virtual-machine behaviors would not trigger inside a virtual machine are avoided.
When the operation objects of a sample process are redirected, a kernel-layer mode and an application-layer mode can be combined to optimize performance. After the operating behaviors of the first and second sample processes in their virtual running environments have been monitored and recorded in monitoring logs, the running monitoring logs of the first and second sample processes can be output so that it can be determined from the logs whether either sample process exhibits malicious behavior.
It is noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another and do not necessarily require or imply any actual such relationship or order between those entities or actions. The terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A method of monitoring and analyzing a process, comprising:
monitoring the loading of the sample process in the current operating system;
monitoring that a first sample process is loaded in a current operating system, and creating a first virtual running environment for the first sample process;
and when the second sample process is monitored to be loaded in the current operating system, creating a second virtual running environment for the second sample process, wherein the second virtual running environment is isolated from the first virtual running environment.
2. The method of claim 1, wherein monitoring loading of the sample process in the current operating system comprises:
monitoring the loading of a sample process in a current operating system in the same virtual machine; or,
the loading of the sample process in the current operating system running directly on the physical device is monitored.
3. The method according to claim 1, wherein
the creating a first virtual execution environment for a first sample process includes: creating a first public resource and a variable of the first sample process during operation for the first sample process;
the creating a second virtual execution environment for a second sample process includes: a second common resource and a variable at runtime of the second sample process are created for the second sample process.
4. The method of claim 1, wherein after creating the first virtual execution environment for the first sample process, the method further comprises: redirecting an operation object of the first sample process to the first virtual running environment;
after creating the second virtual execution environment for the second sample process, the method further comprises: redirecting an operation object of the second sample process to the second virtual execution environment.
5. The method of claim 4, wherein after redirecting the operation object of the second sample process to the second virtual execution environment, the method further comprises:
and outputting the running monitoring logs of the first sample process and the second sample process.
6. An apparatus for monitoring and analyzing a process, comprising:
the monitoring module is used for monitoring the loading of the sample process in the current operating system;
the first virtual environment creating module is used for monitoring that a first sample process is loaded in a current operating system and creating a first virtual running environment for the first sample process;
the second virtual environment creating module is used for monitoring that a second sample process is loaded in the current operating system and creating a second virtual running environment for the second sample process; wherein the second virtual execution environment is isolated from the first virtual execution environment.
7. The apparatus according to claim 6, wherein the monitoring module is specifically configured to:
monitoring the loading of a sample process in a current operating system in the same virtual machine; or,
the loading of the sample process in the current operating system running directly on the physical device is monitored.
8. The apparatus according to claim 6, wherein
the first virtual environment creating module is specifically used for monitoring that when a first sample process is loaded in a current operating system, a first public resource and a variable of the first sample process during running are created for the first sample process;
the second virtual environment creating module is specifically configured to monitor that a second common resource and a variable of the second sample process during running are created for the second sample process when the second sample process is loaded in the current operating system.
9. The apparatus of claim 6, further comprising:
the first redirection module is used for redirecting the operation object of the first sample process to the first virtual running environment;
and the second redirection module is used for redirecting the operation object of the second sample process to the second virtual running environment.
10. The apparatus of claim 9, further comprising:
and the log output module is used for outputting the running monitoring logs of the first sample process and the second sample process.
11. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing the method of any of the preceding claims.
12. A computer readable storage medium, characterized in that the computer readable storage medium stores one or more programs which are executable by one or more processors to implement the method of any preceding claim.
CN201811608344.5A 2018-12-26 2018-12-26 Method and device for monitoring and analyzing process, electronic equipment and storage medium Pending CN110888771A (en)

Publications (1)

Publication Number Publication Date
CN110888771A true CN110888771A (en) 2020-03-17

Family

ID=69745737

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050246718A1 (en) * 2004-04-30 2005-11-03 Microsoft Corporation VEX-virtual extension framework
CN101561769A (en) * 2009-05-25 2009-10-21 北京航空航天大学 Process migration tracking method based on multi-core platform virtual machine
US20100318997A1 (en) * 2009-06-15 2010-12-16 Microsoft Corporation Annotating virtual application processes
CN102736944A (en) * 2012-06-25 2012-10-17 腾讯科技(深圳)有限公司 Method and device for detecting application program sample
CN103778368A (en) * 2014-01-23 2014-05-07 重庆邮电大学 Safe progress isolating method based on system virtualization technology
CN107741877A (en) * 2017-11-06 2018-02-27 湖南红手指信息技术有限公司 A kind of method, storage medium and the processor of cloud handset starting virtual opetrating system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination