CN111898125A - Vulnerability scanning method and device based on registry

Info

Publication number: CN111898125A
Authority: CN (China)
Prior art keywords: software, registry, file, information, path
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202010433055.7A
Other languages: Chinese (zh)
Inventors: 魏鑫, 陈宏伟, 何建锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Xi'an Jiaotong University Jump Network Technology Co ltd
Original Assignee: Xi'an Jiaotong University Jump Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2020-05-21
Filing date: 2020-05-21
Publication date: 2020-11-06
Application filed by Xi'an Jiaotong University Jump Network Technology Co ltd
Priority to CN202010433055.7A
Publication of CN111898125A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a registry-based vulnerability scanning method and device. After permission to the system registry is obtained, specific registry paths are read, the software information present on the system is screened out and written to a file, a vulnerability scanning task is created as required, the software name, version and installation directory in the file are parsed, and a vulnerability rule base is called to perform targeted vulnerability scanning.

Description

Vulnerability scanning method and device based on registry
Technical Field
The invention belongs to the technical field of computer and network security, and particularly relates to a method for acquiring software information based on a registry to scan vulnerabilities.
Background
With the development of the internet, networks and web application platforms have brought convenience to online transactions, e-government, enterprise portals, community forums, e-commerce and other parts of daily life; at the same time, network security incidents caused by vulnerability attacks occur continuously and are on the rise. Vulnerabilities, i.e. flaws in the concrete implementation of hardware, software, protocols or system security policies, can allow an attacker to access or damage a system without authorization.
Computer software vulnerabilities are caused by negligence of developers during development or by limitations of programming languages; they cannot be avoided completely and usually have to be remedied by patching. Even technologies such as firewalls, intrusion detection and antivirus software cannot fully remove the threat posed by software vulnerabilities: vulnerabilities give network attackers an opening and pose a serious information security threat to software users. Computer and internet technology now changes daily, vulnerabilities appear ever more frequently, and software security vulnerability detection must keep improving so that vulnerabilities are found and remedied and the computer keeps running safely and stably. Vulnerability scanning technology detects the security vulnerabilities of a designated remote or local computer system and its software by scanning and similar means, discovers vulnerabilities that could be exploited (as in a penetration attack), and performs system maintenance and vulnerability repair in a targeted manner to protect the security of the system. When targeted vulnerability discovery is performed on computer software, basic information about the software must be acquired in order to call the corresponding vulnerability rules, so accurately acquiring software information is the key to effective vulnerability scanning.
Disclosure of Invention
In view of the above background, the present invention provides a registry-based vulnerability scanning method and apparatus, which acquire the software information of a system from the registry, perform vulnerability scanning, and discover potential threats in the target software promptly and proactively so as to nip vulnerabilities in the bud.
In one aspect, the registry-based vulnerability scanning method comprises the following steps: searching specific registry paths, acquiring all registry information under each path, and writing the registry information into a first file; reading the first file, screening out the software information in the first file, and storing the software information in a second file; parsing the second file to obtain the software name, version number and installation directory of the target software; and starting a vulnerability scanning system, calling a preset vulnerability library, and scanning the target software for vulnerabilities.
The specific registry path includes at least one of:
Software\Microsoft\Windows\CurrentVersion\Uninstall;
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall;
Software\Microsoft\Internet Explorer.
Acquiring registry information from the specific registry paths and screening software information out of the registry information, wherein the screened software information includes: software name, software version number, software installation directory, software publisher, full path of the main program, and full path of the uninstall executable.
Before searching the specific registry paths, it is determined by weak password guessing whether a weak password exists on the target system; if a weak password exists, the guessed user name and password are further used to log in to the target system to obtain registry permission.
Acquiring all registry information under each path includes: connecting the Python winreg module remotely to the target system, acquiring all registry information under each path by accessing the specific path, and storing the key and the values of each registry entry in the first file in enumerated form.
In another aspect, a vulnerability scanning apparatus includes:
the registry information searching module is used for searching a specific registry path and acquiring all registry information under each path;
the file storage module is used for storing a first file and a second file, wherein the first file comprises all registry information under a specific path, and the second file comprises screened software information;
the file analysis module is used for screening out software information from the first file, writing the software information into a second file, and analyzing target software information to be scanned from the second file;
and the vulnerability scanning module is used for scanning the vulnerability of the target software.
The vulnerability scanning apparatus further comprises a weak password guessing module, which concurrently reads and combines the user name and password dictionary information of a built-in dictionary and/or a self-built dictionary and initiates login attempts against the target system to determine whether the target system has a weak password;
if the target system has a weak password, the guessed user name and password are used to log in to the target system, and the registry information searching module acquires the registry information of the specific paths.
The technical scheme of the invention has the following beneficial effects: after permission to the system registry is obtained, the software information on the system is screened out by reading specific registry paths and written to a file, a vulnerability scanning task is created as required, the software name, version and installation directory in the file are parsed, and a vulnerability rule base is called to perform targeted vulnerability scanning.
Drawings
FIG. 1 is a schematic diagram of a workflow of an embodiment of a vulnerability scanning method based on a registry according to the present invention;
FIG. 2 is a block diagram of a vulnerability scanning apparatus according to an embodiment of the present invention;
FIG. 3 to FIG. 6 are examples of the information displayed by the registry editor of a Windows system according to an embodiment of the vulnerability scanning method of the present invention.
Detailed Description
The technical solution of the present invention will be described in detail below with reference to the accompanying drawings and embodiments.
First, an explanation of the related technical terms:
Software security vulnerabilities arise for various reasons, such as: (1) Logic errors in operating systems and application software are unavoidable, because the capability, experience and security expertise of software designers and programmers are limited, the programming of operating systems and applications has inherent defects, and programmers cannot foresee every possible situation, so errors and bugs caused by negligence are inevitable. (2) Most programming is done for an idealized state that is not necessarily reached in actual operation; once the ideal assumptions are not met, modules and security policies in the program come into conflict, which may produce a vulnerability. (3) Software versions differ across different kinds of software and hardware devices, and the compatibility between software versions and hardware versions can also produce unpredictable security holes. (4) After a piece of software is developed and released, as its user base grows and it runs alongside other software, existing vulnerabilities are gradually exposed, and the patches that fix them can introduce new potential vulnerabilities, i.e. old vulnerabilities are gradually replaced by new ones.
For vulnerability scanning of software, the technical problems faced include, but are not limited to, the accuracy of vulnerability discovery and the efficiency of vulnerability scanning and patching. Improving the accuracy of vulnerability analysis requires more precise analysis methods, and the tension between analysis accuracy and resource consumption must be effectively relieved under reasonable time and resource constraints. Efficient vulnerability scanning includes making software vulnerability analysis more intelligent; many methods, techniques and tools have emerged in the field of vulnerability analysis and are gradually moving away from reliance on manual experience and intensive labor. However, it is still difficult to escape dependence on the analyst's prior knowledge of vulnerabilities: static analysis is mostly based on characteristics of historical vulnerabilities, and dynamic analysis is often based on knowledge such as vulnerability attacks and abnormal inputs, but summarizing and extracting such knowledge is very difficult and time-consuming, so the intelligence of vulnerability analysis urgently needs to be improved.
The inventors of the embodiment of the invention found in practice that when an existing vulnerability scanning system acquires the user name and password of a Windows system through its weak password guessing function, registry permission on the system can be obtained, so that system-level software information can be further acquired, providing a basis for subsequent vulnerability discovery.
The registry is the core database of the Windows operating system, in which various parameters are stored; it supports Windows system startup, loading of hardware drivers and running of application programs, and plays a central role in the whole system. The information in the registry includes the configuration and state information of both software and hardware.
The registry is composed of keys (also called main keys or items), sub-keys (sub-items) and value entries. A key is a folder within a branch, and a sub-key is a sub-folder within that folder (a sub-key is itself a key). A value entry is the current definition of a key and consists of a name, a data type and an assigned value; a key may have one or more values, each with a different name, and a value whose name is empty is the default value of the key. For example, in the registry editor (regedit.exe) the data structure appears as follows: the "command" key is a sub-key of the "open" key; "(default)" indicates that the value is the default value, its name is empty, its data type is REG_SZ, and its data value is 1.
As shown in fig. 1, the vulnerability scanning method based on the registry includes the following steps:
S1, searching specific registry paths, acquiring all registry information under each path, and writing the registry information into a first file; as a preferred implementation, in the embodiment of the present invention the Python winreg module is connected remotely to the target system, all registry information under each path is obtained by accessing the specific path, and the key and values of each registry entry are stored in the first file in enumerated form.
Since the Windows registry API is exposed to Python as a built-in module, the winreg module can be used to operate on the registry of a Windows system.
The specific registry paths include at least one of:
Software\Microsoft\Windows\CurrentVersion\Uninstall;
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall;
Software\Microsoft\Internet Explorer.
In a preferred embodiment, searching for the specific registry paths in S1 includes determining by weak password guessing whether the target system has a weak password, and, if so, further using the guessed user name and password to log in to the target system to obtain registry permission. Weak password guessing comprises concurrently reading and combining the user name and password dictionary information of a built-in dictionary and/or a self-built dictionary and initiating login attempts to determine whether the target system has a weak password.
S2, reading the first file, screening out the software information in the first file, and storing the software information in a second file; the screened software information includes: software name, software version number, software installation directory, software publisher, full path of the main program, full path of the uninstall executable, and the like.
S3, parsing the second file to obtain the software name, version number and installation directory of the target software;
S4, starting a vulnerability scanning system, calling a preset vulnerability library, and scanning the target software for vulnerabilities; when a vulnerability is found by the scan, it is confirmed and repaired automatically.
As shown in fig. 2, a vulnerability scanning apparatus includes:
the registry information searching module is used for searching a specific registry path and acquiring all registry information under each path;
the file storage module is used for storing a first file and a second file, wherein the first file comprises all registry information under a specific path, and the second file comprises screened software information;
the file analysis module is used for screening out software information from the first file, writing the software information into a second file, and analyzing target software information to be scanned from the second file;
and the vulnerability scanning module is used for scanning the vulnerability of the target software.
As a preferred embodiment, the vulnerability scanning apparatus further comprises:
the weak password guessing module is used for reading and combining the user name and password dictionary information of the built-in dictionary and/or the self-built dictionary concurrently and initiating login attempt to the target system so as to judge whether the target system has a weak password; if the target system has a weak password, logging in the target system by using the guessed user name and password, and acquiring registry information of a specific path by a registry information searching module;
and the vulnerability library module, which holds a vulnerability rule library and is called by the vulnerability scanning engine to perform vulnerability scanning on the target software.
The vulnerability scanning method is specifically described below by using a specific embodiment.
Since the relevant registry keys differ between software products, and the top-level keys shown in the registry editor of a Windows system include HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG and so on, embodiments of the present invention do not restrict the top-level hive and only restrict the lower-level path starting from "Software" or "SOFTWARE" (the restricted registry paths are underlined in the following description).
Example one
First, the Python winreg module is used to connect remotely to the target system (the guessing process of the weak password guessing module is not described here) and to access the specified registry paths; in this embodiment all three specific paths are accessed, and registry information such as the following can be obtained (shown in detail in FIG. 3 to FIG. 6):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome;
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\nailing;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoCAD 2014 - Simplified Chinese (Simplified Chinese);
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
Registry information for specific software can be obtained from these registry paths. For convenient storage, this embodiment uses the first file to hold the registry information: for each lowest-level key (i.e. Google Chrome, nailing, etc.), the key name and its values (each consisting of the three items "name", "type" and "data") are stored in the first file in enumerated form.
Second, read the first file and screen out the software information it contains. Since some lowest-level keys do not represent software-related information, filtering is required, for example for character strings such as "{46AA30DF-ED7B-438a-9462-60AB9A6D57E4}" that carry no actual meaning. A data table of common software names can be established in advance; the relevant information of the computer software (including but not limited to software name, version number, installation directory, publisher, full path of the main program, full path of the uninstall executable, and the like) is screened out of the first file according to the software names in the data table and stored in the second file.
Third, parse the second file to obtain the software name, version number and installation directory of the target software. For example, if the purpose of this embodiment is to perform vulnerability scanning on the "Google Chrome" software (its registry information is shown in FIG. 3), the corresponding version number ("Version") and installation directory ("InstallLocation") are looked up in the second file according to the software name.
Fourth, call the pre-established and continuously updated vulnerability library according to the software name and version number, access the software installation directory, and scan the related data of the software for vulnerabilities. If a vulnerability is found, it can be patched to keep the software running safely. Software that cannot be repaired may be isolated, or even uninstalled, according to the registry information acquired about it.
As described above, the software information obtained by the embodiment of the present invention is more accurate, which helps to discover and assess vulnerabilities present in software more precisely, take remedial measures such as patching in time, prevent exploitation by malicious actors, and improve the security of the system.
Those skilled in the art will appreciate that all or part of the steps of the method in the above embodiments may be implemented by a program stored in a computer-readable storage medium, which may be a ROM/RAM, magnetic disk, optical disk, or the like.
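The following is an added example, not code from the patent, that models steps S1 to S4 and the four-step embodiment above on a constructed registry dump: the first file is parsed, entries that do not name known software (such as a bare GUID key) are dropped to build the second file, and the target's version is checked against a constructed rule base. The dump format, the field names, KNOWN_SOFTWARE and RULE_BASE are assumptions; the winreg enumerator only runs on Windows and is otherwise skipped.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

try:
    import winreg  # Windows only; None elsewhere so the offline part still runs
except ImportError:
    winreg = None

# The three registry paths named in the patent (relative to the hive).
REGISTRY_PATHS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall",
    r"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    r"Software\Microsoft\Internet Explorer",
]

# Value names mapped to the fields the patent screens for (assumed mapping).
FIELD_MAP = {
    "DisplayName": "name", "Version": "version", "DisplayVersion": "version",
    "InstallLocation": "install_dir", "Publisher": "publisher",
    "DisplayIcon": "main_program", "UninstallString": "uninstall_exe",
}

# The "data table of common software names" from the second step (constructed).
KNOWN_SOFTWARE = {"Google Chrome", "AutoCAD 2014", "Internet Explorer"}

# Constructed rule base: (software, first affected, first fixed, rule id).
# The version ranges and rule ids are placeholders, not real advisories.
RULE_BASE = [
    ("Google Chrome", "0", "84.0.4147.89", "RULE-CHROME-0001 (constructed)"),
    ("AutoCAD 2014", "19.1", "19.1.49", "RULE-AUTOCAD-0001 (constructed)"),
]

# Constructed "first file": one enumerated value per line, tab-separated as
# <key path> \t <value name> \t <type> \t <data>.
_CHROME = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome"
_ACAD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoCAD 2014 - Simplified Chinese"
_GUID = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{46AA30DF-ED7B-438a-9462-60AB9A6D57E4}"
_IE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
_SAMPLE_ROWS = [
    (_CHROME, "DisplayName", "REG_SZ", "Google Chrome"),
    (_CHROME, "Version", "REG_SZ", "83.0.4103.61"),
    (_CHROME, "InstallLocation", "REG_SZ", r"C:\Program Files (x86)\Google\Chrome\Application"),
    (_CHROME, "Publisher", "REG_SZ", "Google LLC"),
    (_ACAD, "DisplayName", "REG_SZ", "AutoCAD 2014 - Simplified Chinese"),
    (_ACAD, "DisplayVersion", "REG_SZ", "19.1.18.0"),
    (_ACAD, "InstallLocation", "REG_SZ", r"C:\Program Files\Autodesk\AutoCAD 2014"),
    (_GUID, "UninstallString", "REG_SZ", r"MsiExec.exe /X{46AA30DF-ED7B-438a-9462-60AB9A6D57E4}"),
    (_IE, "Version", "REG_SZ", "9.11.17763.0"),
]
FIRST_FILE = "\n".join("\t".join(row) for row in _SAMPLE_ROWS)


def enumerate_registry(hive, path: str):
    """Step S1 on a Windows host: yield (key path, name, type, data) for every
    value of every sub-key under `path`, using the winreg module the patent names."""
    if winreg is None:
        return
    with winreg.OpenKey(hive, path) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            sub = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sub) as sk:
                for j in range(winreg.QueryInfoKey(sk)[1]):
                    name, data, vtype = winreg.EnumValue(sk, j)
                    yield (f"{path}\\{sub}", name or "(default)", vtype, data)


def screen_software(first_file: str) -> Dict[str, Dict[str, str]]:
    """Step S2: group values by lowest-level key and keep only keys whose name
    (DisplayName, or the key name itself) matches the known-software table."""
    by_key: Dict[str, Dict[str, str]] = defaultdict(dict)
    for line in first_file.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue  # malformed dump line
        key_path, name, _vtype, data = parts
        by_key[key_path][name] = data
    second_file: Dict[str, Dict[str, str]] = {}
    for key_path, values in by_key.items():
        display = values.get("DisplayName", key_path.rsplit("\\", 1)[-1])
        if not any(display.startswith(k) for k in KNOWN_SOFTWARE):
            continue  # e.g. a bare GUID key with no software meaning
        info = {FIELD_MAP[n]: v for n, v in values.items() if n in FIELD_MAP}
        info["name"] = display
        info["registry_key"] = key_path
        second_file[display] = info
    return second_file


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric components of a version string, comparable as tuples."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def scan_target(second_file: Dict[str, Dict[str, str]], target: str) -> List[str]:
    """Steps S3 and S4: look the target up by name, then match its version
    against every rule whose software name prefixes the target's name."""
    info = second_file.get(target)
    if info is None or "version" not in info:
        return []
    ver = parse_version(info["version"])
    return [rid for name, lo, hi, rid in RULE_BASE
            if target.startswith(name) and parse_version(lo) <= ver < parse_version(hi)]


if __name__ == "__main__":
    inventory = screen_software(FIRST_FILE)
    for name, info in inventory.items():
        print(name, info.get("version"), info.get("install_dir"))
    print("Google Chrome:", scan_target(inventory, "Google Chrome"))
```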
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles disclosed herein.

Claims (10)

1. A registry-based vulnerability scanning method, characterized by comprising the following steps:
searching specific registry paths, acquiring all registry information under each path, and writing the registry information into a first file;
reading the first file, screening out the software information in the first file, and storing the software information in a second file;
parsing the second file to obtain the software name, version number and installation directory of the target software;
and starting a vulnerability scanning system, calling a preset vulnerability library, and scanning the target software for vulnerabilities.
2. The vulnerability scanning method of claim 1, wherein the specific registry paths comprise at least one of:
Software\Microsoft\Windows\CurrentVersion\Uninstall;
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall;
Software\Microsoft\Internet Explorer.
3. The vulnerability scanning method of claim 2, wherein acquiring registry information from the specific registry paths and screening software information out of it comprises screening out: software name, software version number, software installation directory, software publisher, full path of the main program, and full path of the uninstall executable.
4. The vulnerability scanning method of claim 2, wherein, before searching for the specific registry paths, the method comprises determining by weak password guessing whether the target system has a weak password, and, if the target system has a weak password, further logging in to the target system with the guessed user name and password to obtain registry permission.
5. The vulnerability scanning method of claim 4, wherein the weak password guessing comprises concurrently reading and combining user name and password dictionary information of a built-in dictionary and/or a self-built dictionary and initiating login attempts to determine whether a weak password exists on the target system.
6. The vulnerability scanning method of claim 2, wherein acquiring all registry information under each path comprises: connecting the Python winreg module remotely to the target system, acquiring all registry information under each path by accessing the specific path, and storing the key and values of each registry entry in the first file in enumerated form.
7. The vulnerability scanning method of claim 1, characterized in that a preset vulnerability rule base is called to perform vulnerability scanning on the target software; and when a vulnerability is found by the scan, it is confirmed and repaired automatically.
8. A vulnerability scanning apparatus, comprising:
the registry information searching module is used for searching a specific registry path and acquiring all registry information under each path;
the file storage module is used for storing a first file and a second file, wherein the first file comprises all registry information under a specific path, and the second file comprises screened software information;
the file analysis module is used for screening out software information from the first file, writing the software information into a second file, and analyzing target software information to be scanned from the second file;
and the vulnerability scanning module is used for scanning the vulnerability of the target software.
9. The vulnerability scanning apparatus of claim 8, further comprising a weak password guessing module for concurrently reading and combining user name and password dictionary information of a built-in dictionary and/or a self-built dictionary and initiating login attempts against the target system to determine whether the target system has a weak password;
if the target system has a weak password, the guessed user name and password are used to log in to the target system, and the registry information searching module acquires the registry information of the specific paths.
10. The vulnerability scanning apparatus of claim 9, further comprising a vulnerability library module holding a vulnerability rule library, which is called by the vulnerability scanning engine to perform vulnerability scanning on the target software.
CN202010433055.7A 2020-05-21 2020-05-21 Vulnerability scanning method and device based on registry Pending CN111898125A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010433055.7A CN111898125A (en) 2020-05-21 2020-05-21 Vulnerability scanning method and device based on registry

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010433055.7A CN111898125A (en) 2020-05-21 2020-05-21 Vulnerability scanning method and device based on registry

Publications (1)

Publication Number Publication Date
CN111898125A true CN111898125A (en) 2020-11-06

Family

ID=73207510

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010433055.7A Pending CN111898125A (en) 2020-05-21 2020-05-21 Vulnerability scanning method and device based on registry

Country Status (1)

Country Link
CN (1) CN111898125A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114021144A (en) * 2021-11-08 2022-02-08 安天科技集团股份有限公司 Software vulnerability detection method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination