CN112395593B - Method and device for monitoring instruction execution sequence, storage medium and computer equipment - Google Patents


Info

Publication number: CN112395593B
Authority: CN (China)
Prior art keywords: instruction execution, execution sequence, sequence, preset, path
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201910755846.9A
Other languages: Chinese (zh)
Other versions: CN112395593A
Inventors: 杨晓东, 王明广, 游勇, 杨小波
Current Assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Events:
Application filed by Qianxin Technology Group Co Ltd and Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910755846.9A
Publication of CN112395593A
Application granted
Publication of CN112395593B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Abstract

The invention discloses a method and a device for monitoring an instruction execution sequence, a storage medium and computer equipment, relates to the technical field of network security, and mainly aims to solve the problem that existing approaches, which monitor only the running behaviour of an instruction execution sequence, cannot detect the potential safety hazards present in each instruction execution sequence. The method comprises the following steps: when a key API is detected to be called, suspending the thread corresponding to the key API; judging, according to a preset instruction execution sequence specification, whether the instruction execution sequence executed in the thread is a safe instruction execution sequence, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to instruction execution sequences in different running states; and outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence.

Description

Method and device for monitoring instruction execution sequence, storage medium and computer equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for monitoring an instruction execution sequence, a storage medium, and a computer device.
Background
With the rapid development of network security technology, the monitoring object of the new generation of vulnerability protection systems has shifted to the instruction execution sequence: for example, a white list of dynamic and static instruction execution sequences is monitored, taking kernel system call APIs as the key monitoring points, so as to build a security protection engine.
At present, existing protection systems for instruction execution sequences are built by judging only whether the running behaviour of an instruction execution sequence during program execution conforms to a defined standard rule. However, the potential safety hazards present in each instruction execution sequence cannot be detected from the running behaviour of the sequence alone; that is, a vulnerability attack cannot be judged from program execution behaviour, so some malicious instruction features of the instruction execution sequences in a process can be missed, process vulnerabilities are not found in time, and the monitoring efficiency of instruction execution sequences is reduced.
Disclosure of Invention
In view of this, the present invention provides a method and apparatus for monitoring an instruction execution sequence, a storage medium, and a computer device, and aims to solve the problem that the potential safety hazards present in each instruction execution sequence cannot be monitored from the running behaviour of the instruction execution sequence alone.
According to one aspect of the present invention, there is provided a method for monitoring an instruction execution sequence, comprising:
when the key API is monitored to be called, suspending the thread corresponding to the key API;
judging whether an instruction execution sequence executed in the thread is a safety instruction execution sequence according to a preset instruction execution sequence specification, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to instruction execution sequences in different running states;
and outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence.
Further, the determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification includes:
calling an execution path of the instruction execution sequence in the binary file;
and judging whether the instruction execution sequence is called by a standard execution path according to the execution path.
Further, the determining whether the instruction execution sequence is called by a standard execution path according to the execution path includes:
judging whether the execution path exists in a preset safe path library, wherein the preset safe path library stores in advance the standard execution paths by which the instruction execution sequences in all binary files are called.
Further, the determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification includes:
collecting an executing instruction execution sequence;
and judging whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
Further, the determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification includes:
and collecting a first instruction execution sequence which is being executed, judging whether a script module executed by the first instruction execution sequence exists in a preset malicious loading module library, calling an execution path of a second instruction execution sequence in a binary file, and judging whether the second instruction execution sequence is called by a standard execution path according to the execution path.
Further, when it is detected that the key API is called, suspending the thread corresponding to the key API includes:
when the key API is monitored to be called, judging whether a thread calling the key API is a key process, and if the thread is the key process, suspending the thread by using a hook function.
Further, if the instruction execution sequence is a secure instruction execution sequence, the critical API is released.
Further, the key APIs comprise driver loading, disk read-write, process creation, file creation, file opening, registry write operations, module loading, memory setting, and DCOM local calls.
According to one aspect of the present invention, there is provided a monitoring apparatus for an instruction execution sequence, comprising:
the suspension module is used for suspending the thread corresponding to the key API when the key API is monitored to be called;
the judging module is used for judging whether the instruction execution sequence executed in the thread is a safety instruction execution sequence according to a preset instruction execution sequence specification, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to the instruction execution sequences in different running states;
and the output module is used for outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence.
Further, the judging module includes:
the calling unit is used for calling the execution path of the instruction execution sequence in the binary file when the monitoring mode is determined to be a static instruction execution sequence monitoring mode;
and the first judging unit is used for judging whether the instruction execution sequence is called by the standard execution path according to the execution path.
Further, the first judging unit is specifically configured to judge whether the execution path exists in a preset safe path library, where the preset safe path library stores in advance the standard execution paths by which the instruction execution sequences in all binary files are called.
Further, the judging module further includes:
a collecting unit, configured to collect an instruction execution sequence being executed when the monitoring mode is determined to be a dynamic instruction execution sequence monitoring mode;
and the second judging unit is used for judging whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
Further, the judging module is specifically further configured to collect a first instruction execution sequence being executed, judge whether a script module executed by the first instruction execution sequence exists in a preset malicious loading module library, call an execution path of a second instruction execution sequence located in a binary file, and judge whether the second instruction execution sequence is called by a standard execution path according to the execution path.
Further, the suspension module is specifically configured to determine whether a thread calling the key API is a key process when it is detected that the key API is called, and if so, suspend the thread using a hook function.
Further, the apparatus further comprises:
and the release module is used for releasing the key API if the instruction execution sequence is a safe instruction execution sequence.
Further, the key APIs comprise driver loading, disk read-write, process creation, file creation, file opening, registry write operations, module loading, memory setting, and DCOM local calls.
According to still another aspect of the present invention, there is provided a storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of monitoring an execution sequence of instructions as described above.
According to still another aspect of the present invention, there is provided a computer apparatus including a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the monitoring method of the instruction execution sequence.
By means of the technical scheme, the technical scheme provided by the embodiment of the invention has at least the following advantages:
compared with the existing method of building a protection system for instruction execution sequences by judging only whether the characteristics of an instruction execution sequence conform to a defined standard rule during program execution, the method and device for monitoring an instruction execution sequence, the storage medium and the computer device according to the embodiment of the invention monitor the calling of a key API, suspend the thread corresponding to the called key API, judge according to the preset instruction execution sequence specification whether the executed instruction execution sequence is a safe instruction execution sequence, and output the key API if it is a dangerous instruction execution sequence. This achieves the purpose of protecting and judging the key API according to the instruction execution sequence, widens the protection range against potential safety hazards in running instruction execution sequences, reduces missed malicious instruction execution sequences, and discovers vulnerabilities of the process corresponding to the instruction execution sequence in time, thereby improving the monitoring efficiency of instruction execution sequences.
The foregoing is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be more clearly understood and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the present invention become more readily apparent, specific embodiments of the present invention are set out below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
FIG. 1 is a flow chart of a method for monitoring an instruction execution sequence according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a monitoring instruction execution sequence provided by an embodiment of the present invention;
FIG. 3 is a flowchart of another method for monitoring an instruction execution sequence according to an embodiment of the present invention;
FIG. 4 illustrates a key API call object diagram provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of a critical API monitoring instruction execution sequence for performing allocation/modification of writable memory settings according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a DLL module load monitoring instruction execution sequence according to an embodiment of the present invention;
FIG. 7 is a block diagram of a monitoring device for instruction execution sequences according to an embodiment of the present invention;
FIG. 8 is a block diagram of another monitoring apparatus for instruction execution sequences according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a terminal structure according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a method for monitoring an instruction execution sequence, as shown in fig. 1, where the method includes:
101. when the key API is monitored to be called, a thread corresponding to the key API is suspended.
Since a new thread is usually started when a key API is called by the system, the thread corresponding to the key API is suspended when the key API is detected to be called. Suspension is performed with hook functions: several hook functions are prepared and registered in advance, and when a call to a key API is detected the corresponding hook function suspends the thread. In addition, the key APIs include driver loading, disk read-write, process creation, file opening, registry write operations, module loading, memory setting, and DCOM local calls, which are not specifically limited in the embodiment of the present invention.
102. And judging whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to a preset instruction execution sequence specification.
The preset instruction execution sequence specification comprises monitoring specifications corresponding to instruction execution sequences in different running states. The instruction execution sequences in different running states comprise static instruction execution sequences and dynamic instruction execution sequences, each corresponding to a different monitoring specification; the embodiment of the invention is not particularly limited in this respect. Judging whether a sequence is a safe instruction execution sequence can be done by comparing the instruction execution sequence with a preset safe instruction execution sequence: if they are the same, the instruction execution sequence is white (safe); if they differ, it is black (unsafe).
In the embodiment of the invention, the dynamic instruction execution sequence is the instruction execution sequence of a script program being executed, and the static instruction execution sequence is the instruction execution sequence in a binary file; the instruction execution sequences in different running states are therefore determined by the scenario in which the instruction execution sequence is executed and by the protection requirement of the instruction execution sequence. The scenario is the software environment in which the instruction execution sequence is executed in the system kernel, and the protection requirement is the requirement corresponding to the protection point of each key API: for example, a dynamic instruction execution sequence needs to be monitored in dynamic instruction execution sequence mode, a static instruction execution sequence in static instruction execution sequence mode, and a dynamic together with a static instruction execution sequence in combined dynamic and static instruction execution sequence mode. In addition, the system in the embodiment of the present invention may be a client system or a server system, which is not specifically limited.
103. And outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence.
In order to protect against dangerous instruction execution sequences in time, and to serve as the initial protection stage for underlying technologies such as script module protection and API call protection, when an instruction execution sequence is judged to be a dangerous instruction execution sequence the key API is output so that the application layer can judge it again.
In contrast, if the instruction execution sequence is a secure instruction execution sequence, the critical API is directly released, as shown in fig. 2.
Compared with the existing method of building a protection system for instruction execution sequences, which only monitors whether the characteristics of an instruction execution sequence conform to a defined standard rule during program execution, the method for monitoring an instruction execution sequence provided by the embodiment of the invention monitors the calling of a key API, suspends the thread corresponding to the called key API, judges according to the preset instruction execution sequence specification whether the executed instruction execution sequence is a safe instruction execution sequence, and outputs the key API if it is a dangerous instruction execution sequence. This achieves the purpose of protecting and judging the key API according to the instruction execution sequence, widens the protection range against potential safety hazards in running instruction execution sequences, reduces omission of malicious instruction execution sequences, and discovers vulnerabilities of the process corresponding to the instruction execution sequence in time, thereby improving the monitoring efficiency of instruction execution sequences.
An embodiment of the present invention provides another method for monitoring an instruction execution sequence, as shown in fig. 3, where the method includes:
201. when the key API is monitored to be called, judging whether a thread calling the key API is a key process, and if the thread is the key process, suspending the thread by using a hook function.
The method of this step is the same as the method of step 101 shown in fig. 1, and will not be described here again.
It should be noted that all monitoring points in the embodiment of the present invention are implemented in the kernel layer of the system. For example, the key APIs include driver loading, disk read-write, process creation, file opening, registry write operations, module loading, memory setting, and DCOM local calls; the behaviour events executed by the application layer are converted into kernel NT layer events after the key APIs of the system are called, so that instruction execution sequences are monitored in the kernel layer, as shown in fig. 4.
In addition, when a key API is detected to be called, in order to protect and monitor the instruction execution sequence, the hook functions NtAlpcSendWaitReceivePort and NtRequestWaitReplyPort are used to suspend the thread that called the key API, so that the corresponding instruction execution sequence can be obtained from that thread. When the key API for allocating/modifying writable memory settings is monitored, allocation of executable memory goes through the function VirtualAllocEx, which calls the kernel function NtAllocateVirtualMemory, and modification of executable memory goes through the function VirtualProtect, which calls the kernel function NtProtectVirtualMemory. After the hook function suspends the thread calling the key API and the thread is judged to belong to a key process, the instruction execution sequence is matched: if it matches a white instruction execution sequence the thread is released, and if it does not match, the thread is output to the application layer by a callback function, as shown in fig. 5. A key thread is a thread of a preset process that needs to be monitored, such as a browser, text editor or download program; the embodiment of the invention is not particularly limited in this respect.
202a. Calling the execution path of the instruction execution sequence in the binary file.
For the embodiment of the invention, in order to monitor the static instruction execution sequence, when the monitoring mode is determined to be the static instruction execution sequence mode according to the scenario and the protection requirement, the run-time execution path of the instruction execution sequence in the binary file is called. The binary file stores instruction execution sequences in the static state, and the execution path of such a sequence is called in order to monitor whether the sequence shows potential safety hazard behaviours such as being attacked or polluted.
203a. Judging whether the instruction execution sequence is called by a standard execution path according to the execution path.
For the embodiment of the invention, because the static instruction execution sequences exist in the binary file, an attacked or polluted sequence, which presents a safety hazard, is called through an abnormal execution path. Therefore, whether the instruction execution sequence is called by the standard execution path must be judged for safety protection, which strengthens the protection mechanism.
In the embodiment of the present invention, for further defining and refining, step 203a may specifically be: and judging whether the execution path exists in a preset safety path library.
That is, whether the instruction execution sequence to be monitored is safe is judged against the standard execution paths stored in the preset safe path library: it is judged whether the execution path of the instruction execution sequence is identical to a standard execution path stored in the preset safe path library.
204a. As a specific refinement of outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence: outputting the key API if the instruction execution sequence is not called by the standard execution path.
For the embodiment of the invention, in order to monitor the abnormally called instruction execution sequence again and determine whether to intercept the thread currently executing it, when the execution path does not exist in the preset safe path library, i.e. the sequence is not called by the standard execution path, the key API is output to the protection layer for monitoring, so that the thread is intercepted or released according to the returned result.
202b. In parallel with steps 202a-204a, collecting the instruction execution sequence being executed.
For the embodiment of the invention, in order to monitor the dynamic instruction execution sequence, when the monitoring mode is determined to be the dynamic instruction execution sequence mode according to the scenario and the protection requirement, the instruction execution sequences being executed in the system are collected, since a dynamic instruction execution sequence is any sequence in a program script that is being executed; this allows monitoring of whether the executing sequence has been attacked or polluted.
203b, judging whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
For the embodiment of the invention, after the dynamically executed instruction execution sequences are collected, whether the script module executed by each instruction execution sequence is a maliciously loaded module is judged, and when the script module executed by the instruction execution sequences exists in a preset maliciously loaded module library, a key API is output so as to intercept or release according to the output returned result. The preset malicious loading module library is pre-stored with script modules for malicious loading of all instruction execution sequences, the script modules for malicious loading are script modules determined by technicians according to protection requirements and network attack experience, and the embodiment of the invention is not particularly limited.
204b. As a specific refinement of outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence: outputting the key API if the script module executed by the instruction execution sequence exists in the preset malicious loading module library.
202c. In parallel with steps 202a-204a, collecting the first instruction execution sequence being executed, judging whether the script module executed by the first instruction execution sequence exists in the preset malicious loading module library, calling the execution path of the second instruction execution sequence in the binary file, and judging whether the second instruction execution sequence is called by the standard execution path according to the execution path.
For the embodiment of the invention, in order to protect both dynamic and static instruction execution sequences, monitoring is performed in a combined dynamic and static mode: the first instruction execution sequence being executed is collected and it is judged whether the script module it executes exists in the preset malicious loading module library; the execution path of the second instruction execution sequence in the binary file is called and it is judged whether the second instruction execution sequence is called by the standard execution path. This gives a more accurate monitoring mode and improves the monitoring accuracy of instruction execution sequences. The first instruction execution sequence is a dynamic instruction execution sequence and the second is a static instruction execution sequence; they may be the same instruction execution sequence or different ones, which the embodiment of the invention does not specifically limit.
203c. As a specific refinement of outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence: outputting the key API if the script module executed by the first instruction execution sequence exists in the preset malicious loading module library and/or the second instruction execution sequence is not called by the standard execution path.
Specifically, if either the dynamic instruction execution sequence or the static instruction execution sequence is dangerous, the key API needs to be output; only if both are safe is the key API released.
As a further definition and explanation of the embodiment of the present invention, for an instruction execution sequence running in the context of DLL module load protection, as shown in FIG. 6: when a DLL module is loaded through the key API, it is judged whether the calling process is a key process; if it is a key process, it is judged whether the instruction execution sequence exists in the preset sequence matching library; if the sequence is not in the preset sequence matching library, the instruction execution sequence and the DLL parameters are sent to the application layer for processing, so that the application layer can intercept or release the process; if the sequence is in the preset sequence matching library, the process is released.
In the embodiment of the present invention, step 205, which is parallel to steps 204a, 204b and 204c, releases the key API if the instruction execution sequence is a secure instruction execution sequence.
The embodiment of the invention monitors calls to the key API, suspends the thread corresponding to the key API, judges according to the preset instruction execution sequence specification whether the executed instruction execution sequence is a safe instruction execution sequence, and outputs the key API if it is a dangerous instruction execution sequence. The key API is thus protected and judged on the basis of the instruction execution sequence, the protection range for potential safety hazards in running instruction execution sequences is increased, omission of malicious instruction execution sequences is reduced, and vulnerabilities in the process corresponding to the instruction execution sequence are discovered in time, which improves the monitoring efficiency of the instruction execution sequence.
Further, as an implementation of the method shown in fig. 1, an embodiment of the present invention provides a device for monitoring an instruction execution sequence, as shown in fig. 7, where the device includes: a suspending module 31, a judging module 32 and an output module 33.
A suspension module 31, configured to suspend, when it is monitored that a key API is called, a thread corresponding to the key API;
the judging module 32 is configured to judge whether an instruction execution sequence executed in the thread is a safety instruction execution sequence according to a preset instruction execution sequence specification, where the preset instruction execution sequence specification includes monitoring specifications corresponding to instruction execution sequences in different running states;
an output module 33 for outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence.
Compared with the existing approach, in which the system protecting the instruction execution sequence only judges whether the characteristics of the instruction execution sequence during program execution match defined standard rules, the method provided by the embodiment of the invention monitors calls to the key API, suspends the thread that called the key API, judges according to the preset instruction execution sequence specification whether the executed instruction execution sequence is a safe instruction execution sequence, and outputs the key API if it is a dangerous instruction execution sequence. The key API is thus protected and judged on the basis of the instruction execution sequence, the protection range for potential safety hazards in running instruction execution sequences is enlarged, omission of malicious instruction execution sequences is reduced, and vulnerabilities in the process corresponding to the instruction execution sequence are found in time, so that the monitoring efficiency of the instruction execution sequence is improved.
Further, as an implementation of the method shown in fig. 3, another monitoring apparatus for an instruction execution sequence is provided according to an embodiment of the present invention, as shown in fig. 8, where the apparatus includes: a suspension module 41, a judgment module 42, an output module 43, and a release module 44.
A suspension module 41, configured to suspend, when it is monitored that a key API is called, a thread corresponding to the key API;
the judging module 42 is configured to judge whether an instruction execution sequence executed in the thread is a safety instruction execution sequence according to a preset instruction execution sequence specification, where the preset instruction execution sequence specification includes monitoring specifications corresponding to instruction execution sequences in different running states;
and the output module 43 is configured to output the key API if the instruction execution sequence is a dangerous instruction execution sequence.
Further, the judging module 42 includes:
a fetch unit 4201, configured to, when the monitoring mode is determined to be a static instruction execution sequence monitoring mode, fetch an execution path of the instruction execution sequence in the binary file;
a first determining unit 4202, configured to determine whether the instruction execution sequence is called by a canonical execution path according to the execution path.
Further, the first determining unit 4202 is specifically configured to determine whether the execution path exists in a preset secure path library, in which all canonical execution paths in the binary file by which the instruction execution sequence is called are stored in advance.
Further, the judging module 42 further includes:
a collecting unit 4203 for collecting an instruction execution sequence being executed when the monitoring mode is determined to be a dynamic instruction execution sequence monitoring mode;
a second determining unit 4204, configured to determine whether a script module executed by the instruction execution sequence exists in a preset malicious loading module library.
Further, the determining module 42 is specifically further configured to collect a first instruction execution sequence being executed, determine whether a script module executed by the first instruction execution sequence exists in a preset malicious loading module library, call an execution path of a second instruction execution sequence located in a binary file, and determine whether the second instruction execution sequence is called by a canonical execution path according to the execution path.
Further, the suspension module 41 is specifically configured to determine, when it is detected that the key API is called, whether the thread calling the key API belongs to a key process, and if so, suspend the thread by using a hook function.
Further, the apparatus further comprises:
and a release module 44, configured to release the key API if the instruction execution sequence is a secure instruction execution sequence.
Further, the key API comprises driver loading, disk read/write, process creation, file creation, file opening, registry write operations, module loading, memory setting, and DCOM local calls.
According to one embodiment of the present invention, there is provided a storage medium storing at least one executable instruction for performing the method of monitoring an instruction execution sequence in any of the above method embodiments.
Fig. 9 is a schematic structural diagram of a computer device according to an embodiment of the present invention, and the specific embodiment of the present invention is not limited to the specific implementation of the computer device.
As shown in fig. 9, the computer device may include: a processor 502, a communication interface (Communications Interface) 504, a memory 506, and a communication bus 508.
Wherein: processor 502, communication interface 504, and memory 506 communicate with each other via communication bus 508.
A communication interface 504 for communicating with network elements of other devices, such as clients or other servers.
The processor 502 is configured to execute the program 510, and may specifically perform relevant steps in an embodiment of a monitoring method of the above-mentioned instruction execution sequence.
In particular, program 510 may include program code including computer-operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the computer device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
A memory 506 for storing a program 510. Memory 506 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 510 may be specifically operable to cause the processor 502 to:
when the key API is monitored to be called, suspending the thread corresponding to the key API;
judging whether an instruction execution sequence executed in the thread is a safety instruction execution sequence according to a preset instruction execution sequence specification, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to instruction execution sequences in different running states;
and outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence.
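The decision flow described above (suspend on a key-API call from a key process, judge the instruction execution sequence under the static, dynamic or combined specification, then output or release), including the combined rule of steps 202c/203c/205 and the DLL load protection flow of FIG. 6, and restated by the suspension, judging, output and release modules and by the program steps just listed, written out as an added Python model. This is example code, not the patent's or the applicant's implementation. The key process set, the secure path library, the malicious loading module library and the `module!function` labels in the execution paths are all constructed sample data; the key-API names are labels taken from the categories listed in the text rather than real Win32 exports; suspending a thread is modelled with a list rather than a hook function.

```python
"""Added example modelling the key-API monitor described in the text.

Not the patent's code. Key processes, the secure path library, the
malicious loading module library and the execution-path labels are all
constructed sample data; suspension is modelled with a list, not a hook.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Mode(Enum):
    STATIC = "static"      # judge by the execution path in the binary file
    DYNAMIC = "dynamic"    # judge by the script module being executed
    COMBINED = "combined"  # both checks; either one failing is dangerous


@dataclass(frozen=True)
class KeyApiEvent:
    api: str                              # key API that was hooked
    process: str                          # process whose thread called it
    execution_path: Tuple[str, ...]       # call chain as module!function labels (constructed)
    script_module: Optional[str] = None   # module executing the script, if any


# Key API categories from the text; the names are labels, not real exports
KEY_APIS = {"DriverLoad", "DiskReadWrite", "CreateProcess", "CreateFile",
            "OpenFile", "RegistryWrite", "LoadModule", "MemorySet",
            "DcomLocalCall"}

# Constructed stand-ins for the preset libraries of the specification
KEY_PROCESSES: Set[str] = {"browser.exe", "office.exe"}
SECURE_PATH_LIBRARY: Set[Tuple[str, ...]] = {
    ("browser.exe!main", "browser.exe!LoadPlugin", "kernel32.dll!LoadLibraryW"),
    ("office.exe!main", "office.exe!OpenDocument", "kernel32.dll!CreateFileW"),
}
MALICIOUS_LOADER_LIBRARY: Set[str] = {"evil_loader.dll", "dropper.vbs"}


@dataclass
class Monitor:
    suspended: List[str] = field(default_factory=list)          # threads currently held
    reported: List[KeyApiEvent] = field(default_factory=list)   # "output" verdicts

    def suspend(self, event: KeyApiEvent) -> bool:
        """Suspend the calling thread only when it belongs to a key process."""
        if event.process not in KEY_PROCESSES:
            return False
        self.suspended.append(event.process)
        return True

    def static_safe(self, event: KeyApiEvent) -> bool:
        """Static mode: the path must be a canonical path stored in advance."""
        return event.execution_path in SECURE_PATH_LIBRARY

    def dynamic_safe(self, event: KeyApiEvent) -> bool:
        """Dynamic mode: the executing script module must not be a known malicious loader."""
        return event.script_module not in MALICIOUS_LOADER_LIBRARY

    def judge(self, event: KeyApiEvent, mode: Mode) -> bool:
        """True when the sequence is safe under the selected monitoring specification."""
        if mode is Mode.STATIC:
            return self.static_safe(event)
        if mode is Mode.DYNAMIC:
            return self.dynamic_safe(event)
        # Combined mode: release only when both checks pass
        return self.static_safe(event) and self.dynamic_safe(event)

    def handle(self, event: KeyApiEvent, mode: Mode = Mode.COMBINED) -> str:
        """Full flow: hook -> suspend -> judge -> output or release."""
        if event.api not in KEY_APIS:
            return "ignored"             # not a key API, nothing to monitor
        if not self.suspend(event):
            return "released"            # a non-key process is not held up
        try:
            if self.judge(event, mode):
                return "released"
            self.reported.append(event)  # "output the key API" to the application layer
            return "output"
        finally:
            self.suspended.remove(event.process)  # the thread resumes either way


if __name__ == "__main__":
    m = Monitor()
    ev = KeyApiEvent("LoadModule", "office.exe",
                     ("office.exe!main", "office.exe!OpenDocument", "kernel32.dll!CreateFileW"),
                     script_module="dropper.vbs")
    print(m.handle(ev, Mode.STATIC), m.handle(ev, Mode.COMBINED))  # released output
```

The sample run shows why the text insists on the combined specification: the script-driven event reaches the key API over a canonical path, so the static check alone releases it, while the combined check also consults the malicious loading module library and outputs it. Note that the static check is an exact match against paths stored in advance, so any benign path that was not pre-stored is also reported; that is why the flow hands the reported API and its parameters to the application layer to decide between intercepting and releasing rather than blocking in the hook itself.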
The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The required structure for a construction of such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in the asset data management methods and apparatus according to embodiments of the invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present invention can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names.

Claims (16)

1. A method for monitoring an instruction execution sequence, comprising:
when the key API is monitored to be called, suspending the thread corresponding to the key API;
judging whether an instruction execution sequence executed in the thread is a safety instruction execution sequence according to a preset instruction execution sequence specification, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to instruction execution sequences in different running states;
outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence;
the instruction execution sequences in different running states comprise static instruction execution sequences and dynamic instruction execution sequences, and the preset instruction execution sequence specifications comprise dynamic instruction execution sequence monitoring specifications, static instruction execution sequence monitoring specifications and monitoring specifications combining the dynamic instruction execution sequences and the static instruction execution sequences; the dynamic instruction execution sequence is based on the instruction execution sequence in the executing script program, and the static instruction execution sequence is based on the instruction execution sequence in the binary file;
when the preset instruction execution sequence specification is the monitoring specification combining a dynamic instruction execution sequence and a static instruction execution sequence, the determining whether the instruction execution sequence executed in the thread is a safe instruction execution sequence according to the preset instruction execution sequence specification includes:
and collecting a first instruction execution sequence which is being executed, judging whether a script module executed by the first instruction execution sequence exists in a preset malicious loading module library, calling an execution path of a second instruction execution sequence in a binary file, and judging whether the second instruction execution sequence is called by a standard execution path according to the execution path.
2. The method of claim 1, wherein determining whether the instruction execution sequence executed in the thread is a secure instruction execution sequence according to a preset instruction execution sequence specification comprises:
calling an execution path of the instruction execution sequence in the binary file;
and judging whether the instruction execution sequence is called by a standard execution path according to the execution path.
3. The method of claim 2, wherein said determining from the execution path whether the sequence of instruction execution is invoked by a canonical execution path comprises:
judging whether the execution path exists in a preset safety path library, wherein the preset safety path library stores in advance all canonical execution paths in the binary file by which the instruction execution sequence is called.
4. The method of claim 1, wherein determining whether the instruction execution sequence executed in the thread is a secure instruction execution sequence according to a preset instruction execution sequence specification comprises:
collecting an executing instruction execution sequence;
and judging whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
5. The method of claim 1, wherein suspending the thread corresponding to the key API when it is monitored that the key API is called comprises:
when the key API is monitored to be called, judging whether a thread calling the key API is a key process, and if the thread is the key process, suspending the thread by using a hook function.
6. The method according to any one of claims 1-5, further comprising:
and if the instruction execution sequence is a safe instruction execution sequence, releasing the key API.
7. The method of claim 6, wherein the key API comprises driver loading, disk read/write, process creation, file creation, file opening, registry writing, module loading, memory setting and DCOM local call.
8. A device for monitoring an instruction execution sequence, comprising:
the suspension module is used for suspending the thread corresponding to the key API when the key API is monitored to be called;
the judging module is used for judging whether the instruction execution sequence executed in the thread is a safety instruction execution sequence according to a preset instruction execution sequence specification, wherein the preset instruction execution sequence specification comprises monitoring specifications corresponding to the instruction execution sequences in different running states;
the output module is used for outputting the key API if the instruction execution sequence is a dangerous instruction execution sequence;
the instruction execution sequences in different running states comprise static instruction execution sequences and dynamic instruction execution sequences, and the preset instruction execution sequence specifications comprise dynamic instruction execution sequence monitoring specifications, static instruction execution sequence monitoring specifications and monitoring specifications combining the dynamic instruction execution sequences and the static instruction execution sequences; the dynamic instruction execution sequence is based on the instruction execution sequence in the executing script program, and the static instruction execution sequence is based on the instruction execution sequence in the binary file;
the judging module is specifically configured to, when the preset instruction execution sequence specification is the monitoring specification combining a dynamic instruction execution sequence and a static instruction execution sequence, collect a first instruction execution sequence being executed, judge whether a script module executed by the first instruction execution sequence exists in a preset malicious loading module library, call an execution path of a second instruction execution sequence in a binary file, and judge whether the second instruction execution sequence is called by a canonical execution path according to the execution path.
9. The apparatus of claim 8, wherein the determining module comprises:
the calling unit is used for calling the execution path of the instruction execution sequence in the binary file when the monitoring mode is determined to be a static instruction execution sequence monitoring mode;
and the first judging unit is used for judging whether the instruction execution sequence is called by the standard execution path according to the execution path.
10. The apparatus of claim 9, wherein
the first judging unit is specifically configured to judge whether the execution path exists in a preset secure path library, where the preset secure path library stores in advance all canonical execution paths in the binary file by which the instruction execution sequence is called.
11. The apparatus of claim 10, wherein the determining module further comprises:
a collecting unit, configured to collect an instruction execution sequence being executed when the monitoring mode is determined to be a dynamic instruction execution sequence monitoring mode;
and the second judging unit is used for judging whether the script module executed by the instruction execution sequence exists in a preset malicious loading module library.
12. The apparatus of claim 8, wherein
the suspension module is specifically configured to determine whether a thread calling the key API is a key process when it is detected that the key API is called, and if so, suspend the thread using a hook function.
13. The apparatus according to any one of claims 8-12, wherein the apparatus further comprises:
and the release module is used for releasing the key API if the instruction execution sequence is a safe instruction execution sequence.
14. The apparatus of claim 13, wherein the key API comprises driver loading, disk read/write, process creation, file creation, file opening, registry writing, module loading, memory setting and DCOM local call.
15. A storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of monitoring an execution sequence of instructions of any one of claims 1-7.
16. A computer device, comprising: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete communication with each other through the communication bus;
the memory is configured to store at least one executable instruction, where the executable instruction causes the processor to perform operations corresponding to the method for monitoring an instruction execution sequence according to any one of claims 1 to 7.
CN201910755846.9A 2019-08-15 2019-08-15 Method and device for monitoring instruction execution sequence, storage medium and computer equipment Active CN112395593B (en)

Publications (2)

Publication Number Publication Date
CN112395593A CN112395593A (en) 2021-02-23
CN112395593B true CN112395593B (en) 2024-03-29

Family

ID=74601792

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant