CN112395593A - Instruction execution sequence monitoring method and device, storage medium and computer equipment - Google Patents



Publication number
CN112395593A
Authority
CN
China
Prior art keywords
instruction execution
execution sequence
thread
path
sequence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910755846.9A
Other languages
Chinese (zh)
Other versions
CN112395593B (en)
Inventor
杨晓东
王明广
游勇
杨小波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd, Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910755846.9A
Publication of CN112395593A
Application granted
Publication of CN112395593B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow

Abstract

The invention discloses a method and an apparatus for monitoring an instruction execution sequence, a storage medium and a computer device. It relates to the field of network security and mainly aims to solve the problem that the potential safety hazards in individual instruction execution sequences cannot be detected by observing only the run-time behaviour of those sequences. The method comprises the following steps: when a call to a key API is detected, suspending the thread that made the call; determining, according to a preset instruction execution sequence specification, whether the instruction execution sequence executed in that thread is a safe instruction execution sequence, where the preset specification comprises monitoring specifications for instruction execution sequences in different operating states; and if the instruction execution sequence is a dangerous instruction execution sequence, outputting the key API.

Description

Instruction execution sequence monitoring method and device, storage medium and computer equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for monitoring an instruction execution sequence, a storage medium, and a computer device.
Background
With the rapid development of network security technology, the monitoring object of the new generation of vulnerability protection systems has shifted to the instruction execution sequence: for example, a kernel system-call API is used as the key monitoring point and a whitelist of dynamic and static instruction execution sequences is checked there, forming a security protection engine.
At present, existing protection systems for instruction execution sequences only check whether the run-time behaviour of an instruction execution sequence matches a defined specification rule during program execution. The potential safety hazards in each individual instruction execution sequence cannot be detected from the behaviour of the sequence alone; that is, a vulnerability attack cannot be identified from the behaviour of the program's execution sequence, some malicious instruction features of the instruction execution sequences in a process are missed, and a process vulnerability is not discovered in time, which reduces the monitoring efficiency for instruction execution sequences.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for monitoring an instruction execution sequence, a storage medium and a computer device, mainly aiming to solve the problem that the potential safety hazards in individual instruction execution sequences cannot be detected from the run-time behaviour of the sequence alone.
According to an aspect of the present invention, there is provided a method for monitoring an instruction execution sequence, comprising:
when a call to a key API is detected, suspending the thread that made the call;
determining, according to a preset instruction execution sequence specification, whether the instruction execution sequence executed in the thread is a safe instruction execution sequence, where the preset instruction execution sequence specification comprises monitoring specifications for instruction execution sequences in different operating states;
and if the instruction execution sequence is a dangerous instruction execution sequence, outputting the key API.
Further, determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to the preset instruction execution sequence specification comprises:
retrieving the execution path of the instruction execution sequence in the binary file;
and determining, according to the execution path, whether the instruction execution sequence was called through a standard execution path.
Further, determining, according to the execution path, whether the instruction execution sequence was called through a standard execution path comprises:
determining whether the execution path exists in a preset safe path library, where the preset safe path library stores in advance the standard execution paths through which the instruction execution sequences in all binary files are called.
Further, determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to the preset instruction execution sequence specification comprises:
collecting the instruction execution sequence currently being executed;
and determining whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
Further, determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to the preset instruction execution sequence specification comprises:
collecting a first instruction execution sequence that is being executed and determining whether the script module executed by the first instruction execution sequence exists in a preset malicious loading module library, and retrieving the execution path of a second instruction execution sequence in a binary file and determining, according to that execution path, whether the second instruction execution sequence was called through a standard execution path.
Further, suspending the thread that made the call when a call to a key API is detected comprises:
when a call to a key API is detected, determining whether the thread calling the key API belongs to a key process, and if so, suspending the thread with a hook function.
Further, if the instruction execution sequence is a safe instruction execution sequence, the key API is released.
Further, the key APIs include driver loading, disk reading and writing, process creation, file opening, registry writing, module loading, memory setting, and DCOM local calls.
According to another aspect of the present invention, there is provided an apparatus for monitoring an instruction execution sequence, comprising:
a suspending module, configured to suspend the thread that made the call when a call to a key API is detected;
a judging module, configured to determine, according to a preset instruction execution sequence specification, whether the instruction execution sequence executed in the thread is a safe instruction execution sequence, where the preset instruction execution sequence specification comprises monitoring specifications for instruction execution sequences in different operating states;
and an output module, configured to output the key API if the instruction execution sequence is a dangerous instruction execution sequence.
Further, the judging module comprises:
a retrieval unit, configured to retrieve the execution path of the instruction execution sequence in the binary file when the monitoring mode is determined to be static instruction execution sequence monitoring;
and a first judging unit, configured to determine, according to the execution path, whether the instruction execution sequence was called through a standard execution path.
Further, the first judging unit is specifically configured to determine whether the execution path exists in a preset safe path library, where the preset safe path library stores in advance the standard execution paths through which the instruction execution sequences in all binary files are called.
Further, the judging module further comprises:
a collecting unit, configured to collect the instruction execution sequence currently being executed when the monitoring mode is determined to be dynamic instruction execution sequence monitoring;
and a second judging unit, configured to determine whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
Further, the judging module is specifically configured to collect a first instruction execution sequence that is being executed and determine whether the script module executed by it exists in a preset malicious loading module library, and to retrieve the execution path of a second instruction execution sequence in a binary file and determine, according to that execution path, whether the second instruction execution sequence was called through a standard execution path.
Further, the suspending module is specifically configured to determine, when a call to a key API is detected, whether the thread calling the key API belongs to a key process, and to suspend the thread with a hook function if it does.
Further, the apparatus further comprises:
a releasing module, configured to release the key API if the instruction execution sequence is a safe instruction execution sequence.
Further, the key APIs include driver loading, disk reading and writing, process creation, file opening, registry writing, module loading, memory setting, and DCOM local calls.
According to another aspect of the present invention, there is provided a storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the monitoring method as described above.
According to still another aspect of the present invention, there is provided a computer device comprising a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above method for monitoring an instruction execution sequence.
Through the above technical solution, the technical solution provided by the embodiments of the present invention has at least the following advantages:
Compared with existing protection systems for instruction execution sequences, which only judge whether the features of an instruction execution sequence during program execution match defined specification rules, the embodiments of the present invention monitor calls to key APIs, suspend the thread that called the key API, determine according to the preset instruction execution sequence specification whether the instruction execution sequence being executed is safe, and output the key API if it is dangerous. This achieves protection and judgment of the key API on the basis of the instruction execution sequence, widens the range of potential safety hazards covered when instruction execution sequences run, reduces the number of malicious instruction execution sequences that are missed, and discovers the vulnerability of the corresponding process in time, thereby improving the monitoring efficiency for instruction execution sequences.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a method for monitoring an instruction execution sequence according to an embodiment of the present invention;
FIG. 2 is a flow diagram illustrating a sequence of monitoring instruction execution according to an embodiment of the present invention;
FIG. 3 is a flow chart of another method for monitoring instruction execution sequences according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a key API call object provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating key-API monitoring of the instruction execution sequence that allocates or modifies writable memory settings according to an embodiment of the present invention;
FIG. 6 is a schematic diagram illustrating the instruction execution sequence monitored during DLL module loading according to an embodiment of the present invention;
FIG. 7 is a block diagram of an apparatus for monitoring instruction execution sequences according to an embodiment of the present invention;
FIG. 8 is a block diagram of an alternative apparatus for monitoring instruction execution sequences provided by embodiments of the present invention;
fig. 9 is a schematic diagram illustrating a terminal structure according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a method for monitoring an instruction execution sequence, as shown in fig. 1, where the method includes:
101. When a call to a key API is detected, suspend the thread that made the call.
Because the system usually starts a new thread to execute when a key API is called, the thread corresponding to the key API call is suspended once the call is detected. Suspension is performed with a hook function: a number of hook functions are prepared and registered in advance, so that when a call to a key API is detected the corresponding hook suspends the thread. The key APIs include driver loading, disk reading and writing, process creation, file opening, registry writing, module loading, memory setting, and DCOM local calls; the embodiments of the present invention do not specifically limit this list.
102. Determine, according to a preset instruction execution sequence specification, whether the instruction execution sequence executed in the thread is a safe instruction execution sequence.
The preset instruction execution sequence specification comprises monitoring specifications for instruction execution sequences in different operating states: an instruction execution sequence may be a static instruction execution sequence or a dynamic instruction execution sequence, and each corresponds to a different monitoring specification. A safe instruction execution sequence may be identified by comparing the instruction execution sequence with a preset safe instruction execution sequence: if the two are the same, the sequence is white; if they differ, the sequence is black.
In the embodiments of the present invention, a dynamic instruction execution sequence is one based on an executing script program, and a static instruction execution sequence is one based on a binary file; which operating state applies is determined by the scenario in which the sequence executes and by its protection requirement. The scenario is the software environment in which the sequence executes in the system kernel; the protection requirement is the requirement at the protection point of the respective key API. For example, a dynamic sequence is monitored in dynamic instruction execution sequence mode, a static sequence in static instruction execution sequence mode, and a sequence that is both dynamic and static in combined dynamic-and-static mode; the embodiments of the present invention do not specifically limit this. The system in the embodiments may be a client system or a server system and is likewise not limited.
103. If the instruction execution sequence is a dangerous instruction execution sequence, output the key API.
In order to act in time against dangerous instruction execution sequences, and to serve as the initial protection stage for underlying techniques such as script module protection and API call protection, the key API is output when the sequence is judged dangerous so that the application layer can make a second judgment.
Conversely, if the instruction execution sequence is a safe instruction execution sequence, the key API is released directly, as shown in fig. 2.
Compared with existing protection systems for instruction execution sequences, which only judge whether the features of an instruction execution sequence during program execution match defined specification rules, the method for monitoring an instruction execution sequence described here monitors calls to key APIs, suspends the thread that called the key API, determines according to the preset instruction execution sequence specification whether the executed instruction execution sequence is safe, and outputs the key API if it is dangerous. This achieves protection and judgment of the key API on the basis of the instruction execution sequence, widens the range of potential safety hazards covered when instruction execution sequences run, reduces the number of malicious instruction execution sequences that are missed, and discovers the vulnerability of the corresponding process in time, thereby improving the monitoring efficiency for instruction execution sequences.
An embodiment of the present invention provides another method for monitoring an instruction execution sequence, as shown in fig. 3, where the method includes:
201. When a call to a key API is detected, determine whether the thread calling the key API belongs to a key process, and if so, suspend the thread with a hook function.
This step is the same as step 101 shown in fig. 1 and is not described again here.
It should be noted that all monitoring points in the embodiments of the present invention are implemented in the kernel layer of the system. For example, the key APIs include driver loading, disk reading and writing, process creation, file opening, registry writing, module loading, memory setting, and DCOM local calls; a behaviour event performed by the application layer passes into the kernel Nt layer after the system key API is called, so the instruction execution sequence can be monitored in the kernel layer, as shown in fig. 4.
In addition, to perform protective monitoring of the instruction execution sequence when a key API is called, hook functions on NtAlpcSendWaitReceivePort and NtRequestWaitReplyPort suspend the thread that called the key API so that the corresponding instruction execution sequence can be fetched from that thread. For key-API monitoring of the allocation or modification of writable memory settings: executable memory is allocated through the function VirtualAllocEx, which then calls the kernel function NtAllocateVirtualMemory; executable memory is modified through the function VirtualProtect, which then calls the kernel function NtProtectVirtualMemory. After the hook function suspends the thread that called the key API and the thread is confirmed to belong to a key process, the instruction execution sequence is matched: if it matches a white instruction execution sequence, monitoring proceeds to the next thread; if it does not match, the sequence is output to the application layer through a callback function, as shown in fig. 5. A key thread is a preset thread under a process that needs to be monitored, such as a browser, text editor or downloader; the embodiments of the present invention do not specifically limit this.
202a. Retrieve the execution path of the instruction execution sequence in the binary file.
In the embodiments of the present invention, to monitor a static instruction execution sequence, once static monitoring has been selected according to the scenario and protection requirement, the execution path followed at run time by the instruction execution sequence stored in the binary file is retrieved. The binary file stores the static instruction execution sequences; the execution path is retrieved in order to check whether the static sequence shows signs of a potential safety hazard such as having been attacked or tampered with.
203a. Determine, according to the execution path, whether the instruction execution sequence was called through a standard execution path.
In the embodiments of the present invention, because static instruction execution sequences reside in the binary file, a sequence that has been attacked or tampered with is typically invoked through an abnormal execution path. To provide protection it is therefore necessary to determine whether the instruction execution sequence was called through the normal execution path, which strengthens the protection mechanism.
For further definition and refinement, step 203a may specifically be: determine whether the execution path exists in a preset safe path library.
The standard execution paths through which the instruction execution sequences in all binary files are called are stored in advance in the preset safe path library, and whether the instruction execution sequence under monitoring is safe is judged against the standard execution paths stored there.
The step of outputting the key API if the instruction execution sequence is dangerous is refined as step 204a: if the instruction execution sequence was not called through a standard execution path, output the key API.
In the embodiments of the present invention, to re-examine an abnormally called instruction execution sequence and decide whether to intercept the thread currently executing it, when the execution path is not in the preset safe path library, i.e. the sequence was not called through a standard execution path, the key API is output to the protection layer for monitoring, so that the thread is intercepted or released according to the returned result.
In parallel with steps 202a to 204a, step 202b collects the instruction execution sequence currently being executed.
In the embodiments of the present invention, to monitor a dynamic instruction execution sequence, once the monitoring mode has been determined to be dynamic instruction execution sequence monitoring according to the scenario and protection requirement, the executing instruction execution sequences in the system are collected, because a dynamic instruction execution sequence is each sequence in an executing program script; this allows checking whether the executing sequence shows signs of a potential safety hazard such as having been attacked or tampered with.
203b. Determine whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
After the dynamically executed instruction execution sequences are collected, whether the script module executed by each sequence is a maliciously loaded module is judged; when the script module executed by the instruction execution sequence exists in the preset malicious loading module library, the key API is output so that the thread can be intercepted or released according to the returned result. The preset malicious loading module library stores in advance the script modules that instruction execution sequences load maliciously; these are determined by technicians according to the protection requirements and experience of network attacks.
The step of outputting the key API if the instruction execution sequence is dangerous is refined as step 204b: if the script module executed by the instruction execution sequence exists in the preset malicious loading module library, output the key API.
In this embodiment, step 202c, an alternative branch to steps 202a to 204a, combines both monitoring modes: the first instruction execution sequence that is currently executing is collected and it is judged whether the script module executed by that sequence exists in the preset malicious load module library; in addition, the execution path of the second instruction execution sequence in the binary file is retrieved and it is judged from that path whether the second instruction execution sequence is called by a canonical execution path.
The purpose is to protect both the dynamic and the static instruction execution sequence. Monitoring in the combined dynamic and static mode, that is, collecting the executing first instruction execution sequence, checking its script module against the preset malicious load module library, retrieving the execution path of the second instruction execution sequence in the binary file and checking whether that path is canonical, gives a more accurate result than either mode alone and so improves the accuracy of instruction execution sequence monitoring. Here the first instruction execution sequence is the dynamic instruction execution sequence and the second is the static instruction execution sequence; the two may be the same instruction execution sequence or different ones.
As a specific refinement of the step of outputting the key API when the instruction execution sequence is dangerous, step 203c: if the script module executed by the first instruction execution sequence exists in the preset malicious load module library, and/or the second instruction execution sequence is not called by a canonical execution path, the key API is output.
That is, the key API is output as soon as either the dynamic or the static instruction execution sequence is judged dangerous; it is released only when both are judged safe.
As a further illustration of the embodiment, consider the instruction execution sequence running in the DLL module load protection scenario shown in fig. 6. When it is monitored that a DLL module is being loaded through a key API, it is first judged whether the process performing the load is a key process. If it is, it is judged whether the instruction execution sequence exists in the preset sequence matching library. If the sequence is not in the library, the instruction execution sequence and the DLL parameters are sent to the application layer, which decides whether to intercept or release the call; if the sequence is in the library, the call is released directly.
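The combined dynamic/static judgement of steps 202c and 203c above and the DLL-load flow of fig. 6, as an added example in C that is not code from the patent or its assignee. It assumes the collector has already resolved each return address of the suspended thread to an image name and offset, and that the script module the thread is interpreting is known; the library contents, module names and sample call stacks are constructed for illustration, and treating a return address that no binary backs as failing the static check is this example's own reading of the canonical-path rule.

```c
/* Added example, not the patent's code. Models the patent's static check
 * (every return site a canonical path in the safe path library), dynamic
 * check (executed script module in the malicious load module library), the
 * rule of steps 202c/203c and the DLL-load flow of fig. 6 on a captured call
 * stack. Frame layout, libraries and sample sequences are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN(a) (sizeof (a) / sizeof (a)[0])

/* Return site: image backing the address (NULL = unbacked memory such as
 * heap shellcode) and the site's offset inside that image. */
typedef struct { const char *module; uint32_t rva; } site_t;
typedef struct {
    site_t      sites[8];
    int         count;
    const char *script_module;   /* script being interpreted, NULL if none */
} call_seq_t;
enum verdict { VERDICT_RELEASE = 0, VERDICT_OUTPUT = 1 };
/* Constructed samples: canonical load; load from unbacked memory (shellcode);
 * canonical path whose thread is executing a listed script module. */
const call_seq_t SEQ_BENIGN = { { { "app.exe", 0x010F00 },
    { "kernel32.dll", 0x01A2B0 }, { "ntdll.dll", 0x02C3D0 } }, 3, NULL };
const call_seq_t SEQ_SHELLCODE = { { { NULL, 0 },
    { "kernel32.dll", 0x01A2B0 }, { "ntdll.dll", 0x02C3D0 } }, 3, NULL };
const call_seq_t SEQ_SCRIPT = { { { "wscript.exe", 0x004A10 },
    { "kernel32.dll", 0x01A2B0 }, { "ntdll.dll", 0x02C3D0 } }, 3, "payload.vbs" };
/* Preset libraries (constructed). A real malicious-module library would key
 * on file hashes rather than names. */
static const site_t g_safe_paths[] = {
    { "app.exe", 0x010F00 }, { "wscript.exe", 0x004A10 },
    { "kernel32.dll", 0x01A2B0 }, { "ntdll.dll", 0x02C3D0 } };
static const char *g_malicious_modules[] = { "payload.vbs", "stage2.js" };
static const call_seq_t *g_known_sequences[] = { &SEQ_BENIGN };  /* fig. 6 */

static bool site_eq(const site_t *a, const site_t *b)
{
    if (a->module == NULL || b->module == NULL)
        return a->module == b->module && a->rva == b->rva;
    return a->rva == b->rva && strcmp(a->module, b->module) == 0;
}

/* Static mode: every site must lie in a binary and be a canonical path; an
 * unbacked site has no path in any binary, so it fails (example's reading). */
bool static_path_ok(const call_seq_t *s)
{
    for (int i = 0; i < s->count; i++) {
        bool known = false;
        for (size_t j = 0; j < ARRAY_LEN(g_safe_paths) && !known; j++)
            known = s->sites[i].module && site_eq(&s->sites[i], &g_safe_paths[j]);
        if (!known) return false;
    }
    return true;
}

/* Dynamic mode: the executed script module must not be listed. */
bool dynamic_module_ok(const call_seq_t *s)
{
    for (size_t j = 0; s->script_module && j < ARRAY_LEN(g_malicious_modules); j++)
        if (strcmp(s->script_module, g_malicious_modules[j]) == 0) return false;
    return true;
}

/* Steps 202c/203c: output if either judgement fails, release only if both pass. */
enum verdict judge_combined(const call_seq_t *s)
{
    return (static_path_ok(s) && dynamic_module_ok(s)) ? VERDICT_RELEASE : VERDICT_OUTPUT;
}

static bool seq_in_matching_library(const call_seq_t *s)
{
    for (size_t k = 0; k < ARRAY_LEN(g_known_sequences); k++) {
        const call_seq_t *known = g_known_sequences[k];
        int i = 0;
        if (known->count != s->count) continue;
        while (i < s->count && site_eq(&s->sites[i], &known->sites[i])) i++;
        if (i == s->count) return true;
    }
    return false;
}

/* Fig. 6: not a key process -> release; sequence in the matching library ->
 * release; otherwise the sequence and DLL parameters go to the application
 * layer, modelled here as a direct call to judge_combined(). */
enum verdict handle_dll_load(bool key_process, const call_seq_t *s, const char **reason)
{
    if (!key_process) { *reason = "not a key process"; return VERDICT_RELEASE; }
    if (seq_in_matching_library(s)) { *reason = "in matching library"; return VERDICT_RELEASE; }
    *reason = "escalated to application layer";
    return judge_combined(s);
}

int main(void)
{
    const call_seq_t *seqs[] = { &SEQ_BENIGN, &SEQ_SHELLCODE, &SEQ_SCRIPT };
    const char *why;
    for (size_t i = 0; i < ARRAY_LEN(seqs); i++) {
        enum verdict v = handle_dll_load(true, seqs[i], &why);
        printf("%s -> %s\n", why, v == VERDICT_OUTPUT ? "output key API" : "release");
    }
}
```

Compiling and running it prints one verdict per sample sequence. The sample with canonical return sites but a listed script module is output by the dynamic check alone, and the sample that returns into unbacked memory by the static check alone, which is the either/or rule of step 203c; only the sequence already present in the matching library is released without reaching the application layer.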
In this embodiment, step 205, an alternative to steps 204a, 204b and 204c: if the instruction execution sequence is a safe instruction execution sequence, the key API is released and the suspended call is allowed to proceed.
The invention thus provides another method for monitoring an instruction execution sequence: monitor calls to the key API, suspend the thread corresponding to the key API, judge according to a preset instruction execution sequence specification whether the executed instruction execution sequence is safe, and output the key API if the sequence is dangerous. The key API is thereby protected and judged on the basis of the instruction execution sequence that reached it, which widens the coverage of potential hazards arising while an instruction execution sequence runs, reduces missed malicious instruction execution sequences and exposes the vulnerability of the corresponding process in time, improving the efficiency of instruction execution sequence monitoring.
Further, as an implementation of the method shown in fig. 1, an embodiment of the present invention provides an apparatus for monitoring an instruction execution sequence, as shown in fig. 7, where the apparatus includes: a suspending module 31, a judging module 32 and an output module 33.
The suspending module 31 is configured to suspend, when it is monitored that the key API is called, a thread corresponding to the key API;
a determining module 32, configured to determine whether an instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification, where the preset instruction execution sequence specification includes monitoring specifications corresponding to instruction execution sequences in different operating states;
an output module 33, configured to output the key API if the instruction execution sequence is a dangerous instruction execution sequence.
Compared with existing monitoring devices, which build a protection system for instruction execution sequences only by judging whether the characteristics of the sequence during program execution match defined standard rules, the monitoring device provided by the invention monitors calls to the key API, suspends the thread corresponding to the key API, judges according to a preset instruction execution sequence specification whether the executed instruction execution sequence is safe, and, if it is dangerous, outputs the key API. The key API is thereby protected and judged on the basis of the instruction execution sequence, which widens the coverage of potential hazards arising while an instruction execution sequence runs, reduces missed malicious instruction execution sequences and exposes the vulnerability of the corresponding process in time, improving the efficiency of instruction execution sequence monitoring.
Further, as an implementation of the method shown in fig. 3, another apparatus for monitoring an instruction execution sequence is provided in an embodiment of the present invention, as shown in fig. 8, where the apparatus includes: a suspending module 41, a judging module 42, an output module 43 and a releasing module 44.
The suspending module 41 is configured to suspend, when it is monitored that the key API is called, a thread corresponding to the key API;
a determining module 42, configured to determine whether an instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification, where the preset instruction execution sequence specification includes monitoring specifications corresponding to instruction execution sequences in different operating states;
an output module 43, configured to output the key API if the instruction execution sequence is a dangerous instruction execution sequence.
Further, the determining module 42 includes:
a calling unit 4201, configured to, when the monitoring mode is determined to be a static instruction execution sequence monitoring mode, call an execution path of the instruction execution sequence located in a binary file;
a first determining unit 4202, configured to determine whether the instruction execution sequence is called by a canonical execution path according to the execution path.
Further, the first determining unit 4202 is specifically configured to determine whether the execution path exists in a preset safe path library, in which the canonical execution paths by which the instruction execution sequences in all binary files are called are stored in advance.
Further, the determining module 42 further includes:
a collecting unit 4203, configured to collect an executing instruction execution sequence when the monitoring mode is determined to be a dynamic instruction execution sequence monitoring mode;
a second determining unit 4204, configured to determine whether the script module executed by the instruction execution sequence exists in a preset malicious load module library.
Further, the determining module 42 is specifically configured to collect a first instruction execution sequence being executed, determine whether a script module executed by the first instruction execution sequence exists in a preset malicious loading module library, call an execution path of a second instruction execution sequence located in a binary file, and determine whether the second instruction execution sequence is called by a canonical execution path according to the execution path.
Further, the suspending module 41 is specifically configured to, when it is monitored that the key API is called, judge whether the thread calling the key API belongs to a key process, and if so, suspend the thread by means of a hook function.
Further, the apparatus further comprises:
a releasing module 44, configured to release the key API if the instruction execution sequence is a secure instruction execution sequence.
Further, the key API includes driver loading, disk reading and writing, process creation, file opening, registry writing, module loading, memory setting, and DCOM local call.
The invention thus provides another device for monitoring an instruction execution sequence. The device monitors calls to the key API, suspends the thread that called the key API, judges according to a preset instruction execution sequence specification whether the executed instruction execution sequence is safe, and outputs the key API if the sequence is dangerous. The key API is thereby protected and judged on the basis of the instruction execution sequence, which widens the coverage of potential hazards arising while an instruction execution sequence runs, reduces missed malicious instruction execution sequences and exposes the vulnerability of the corresponding process in time, improving the efficiency of instruction execution sequence monitoring.
According to an embodiment of the present invention, a storage medium is provided in which at least one executable instruction is stored; the executable instruction causes a processor to perform the method for monitoring an instruction execution sequence of any of the above method embodiments.
Fig. 9 is a schematic structural diagram of a computer device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computer device.
As shown in fig. 9, the computer apparatus may include: a processor (processor)502, a Communications Interface 504, a memory 506, and a communication bus 508.
Wherein: the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508.
A communication interface 504 for communicating with network elements of other devices, such as clients or other servers.
The processor 502, configured to execute the program 510, may specifically perform relevant steps in the above embodiments of the method for monitoring an execution sequence of instructions.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to implement an embodiment of the present invention. The computer device includes one or more processors, which may be the same type of processor, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
And a memory 506 for storing a program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
when it is monitored that the key API is called, suspending the thread corresponding to the key API;
judging whether an instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to instruction execution sequences in different operation states;
and if the instruction execution sequence is a dangerous instruction execution sequence, outputting the key API.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the instruction execution sequence monitoring method and apparatus according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.

Claims (10)

1. A method for monitoring instruction execution sequences, comprising:
when it is monitored that a key API is called, suspending the thread corresponding to the key API;
judging whether an instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to instruction execution sequences in different operation states;
and if the instruction execution sequence is a dangerous instruction execution sequence, outputting the key API.
2. The method of claim 1, wherein determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to a predetermined instruction execution sequence specification comprises:
calling an execution path of the instruction execution sequence in the binary file;
and judging whether the instruction execution sequence is called by a canonical execution path according to the execution path.
3. The method of claim 2, wherein judging whether the instruction execution sequence is called by a canonical execution path according to the execution path comprises:
judging whether the execution path exists in a preset safe path library, wherein the preset safe path library stores in advance the canonical execution paths by which the instruction execution sequences in all binary files are called.
4. The method of claim 1, wherein determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to a predetermined instruction execution sequence specification comprises:
collecting the instruction execution sequence that is being executed;
and judging whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
5. The method of claim 1, wherein determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to a predetermined instruction execution sequence specification comprises:
collecting a first instruction execution sequence that is being executed, judging whether the script module executed by the first instruction execution sequence exists in a preset malicious load module library, retrieving the execution path of a second instruction execution sequence in the binary file, and judging according to the execution path whether the second instruction execution sequence is called by a canonical execution path.
6. The method of claim 5, wherein suspending the thread corresponding to the key API when it is monitored that the key API is called comprises:
when it is monitored that the key API is called, judging whether the thread calling the key API belongs to a key process, and if so, suspending the thread by means of a hook function.
7. The method according to any one of claims 1-6, further comprising:
and if the instruction execution sequence is a safe instruction execution sequence, releasing the key API.
8. An apparatus for monitoring instruction execution sequences, comprising:
a suspending module, configured to suspend the thread corresponding to the key API when it is monitored that the key API is called;
the judging module is used for judging whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to instruction execution sequences in different running states;
and the output module is used for outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence.
9. A storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of monitoring an execution sequence of instructions of any one of claims 1-7.
10. A computer device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the monitoring method of the instruction execution sequence of any one of claims 1-7.
CN201910755846.9A 2019-08-15 2019-08-15 Method and device for monitoring instruction execution sequence, storage medium and computer equipment Active CN112395593B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755846.9A CN112395593B (en) 2019-08-15 2019-08-15 Method and device for monitoring instruction execution sequence, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910755846.9A CN112395593B (en) 2019-08-15 2019-08-15 Method and device for monitoring instruction execution sequence, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN112395593A true CN112395593A (en) 2021-02-23
CN112395593B CN112395593B (en) 2024-03-29

Family

ID=74601792

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910755846.9A Active CN112395593B (en) 2019-08-15 2019-08-15 Method and device for monitoring instruction execution sequence, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN112395593B (en)

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102819697A (en) * 2011-12-26 2012-12-12 Harbin Antiy Technology Co., Ltd. Method and system for detecting multi-platform malicious codes based on thread decompiling
CN102651060A (en) * 2012-03-31 2012-08-29 Beijing Qihoo Technology Co., Ltd. Method and system for detecting vulnerability
CN104268471A (en) * 2014-09-10 2015-01-07 Zhuhai Juntian Electronic Technology Co., Ltd. Method and device for detecting return-oriented programming attack
WO2016095673A1 (en) * 2014-12-16 2016-06-23 Beijing Qihoo Technology Co., Ltd. Application-based behavior processing method and device
CN106326732A (en) * 2015-07-03 2017-01-11 Alibaba Group Holding Ltd. Application programming interface (API) protection method and device
CN108255585A (en) * 2016-12-28 2018-07-06 Beijing Qihoo Technology Co., Ltd. SDK exception control and application program operation method, device and equipment
CN106650436A (en) * 2016-12-29 2017-05-10 Beijing Qihoo Technology Co., Ltd. Safety detecting method and device based on local area network
CN108399332A (en) * 2017-02-08 2018-08-14 AO Kaspersky Lab System and method for analyzing files for maliciousness in a virtual machine
CN109829270A (en) * 2018-12-27 2019-05-31 Beijing Qianxin Technology Co., Ltd. Application program protection method and device
CN109800571A (en) * 2018-12-29 2019-05-24 360 Enterprise Security Technology (Zhuhai) Co., Ltd. Event-handling method and device and storage medium and electronic device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zhang Huanguo et al.: "Trusted Computing" (《可信计算》), pages 257-258 *
Xie Jing: "Design and Implementation of a Malicious Code Behavior Monitoring and Analysis System" (恶意代码行为监测分析系统的设计与实现), Beijing Jiaotong University, 15 January 2019 (2019-01-15), pages 257-258 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022100660A1 (en) * 2020-11-13 2022-05-19 Qianxin Technology Group Co., Ltd. Behavior control method, apparatus, electronic device, and storage medium
CN114640507A (en) * 2022-02-28 2022-06-17 Tianyi Security Technology Co., Ltd. WebShell detection method and device and storage medium
CN114640507B (en) * 2022-02-28 2024-03-12 Tianyi Security Technology Co., Ltd. WebShell detection method, WebShell detection device and storage medium

Also Published As

Publication number Publication date
CN112395593B (en) 2024-03-29

Similar Documents

Publication Publication Date Title
KR101880375B1 (en) Segregating executable files exhibiting network activity
US8161552B1 (en) White list creation in behavior monitoring system
CN109583202B (en) System and method for detecting malicious code in address space of process
US9910983B2 (en) Malware detection
JP6176622B2 (en) Malware detection method
CN114676424B (en) Container escape detection and blocking method, device, equipment and storage medium
US9779251B2 (en) System, method, and computer program product for monitoring an execution flow of a function
CN101599113A (en) Driven malware defence method and device
CN112395593B (en) Method and device for monitoring instruction execution sequence, storage medium and computer equipment
US9787699B2 (en) Malware detection
US8627305B1 (en) System, method, and computer program product for hooking code inserted into an address space of a new process
JP2015082325A (en) Exploit detection/prevention
CN113395242A (en) Packet capturing method and device for application data packet and computing equipment
CN112307469A (en) Kernel intrusion prevention method and device, computing equipment and computer storage medium
EP3535681B1 (en) System and method for detecting and for alerting of exploits in computerized systems
CN112395603A (en) Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment
CN111259392B (en) Kernel module-based malicious software interception method and device
CN113312623B (en) Process detection method and device in access control, electronic equipment and storage medium
CN114564720A (en) Program file auditing method and device, electronic equipment and storage medium
CN113760393A (en) Protection method, device, equipment and medium for dynamic link library
CN113518055B (en) Data security protection processing method and device, storage medium and terminal
CN112395595B (en) Method and device for monitoring instruction execution sequence, storage medium and computer equipment
CN112395149B (en) Script behavior identification method and device, storage medium and computer equipment
CN107608339B (en) Interface protection method and device for automobile machine
CN112307470A (en) Method and device for detecting intrusion kernel, computing equipment and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant