CN112395594A - Method, device and equipment for processing instruction execution sequence - Google Patents


Info

Publication number
CN112395594A
Authority
CN
China
Prior art keywords
execution sequence
instruction execution
instruction
storage address
address
Legal status
Granted
Application number
CN201910755857.7A
Other languages
Chinese (zh)
Other versions
CN112395594B (en)
Inventor
杨晓东
Current Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Events
Application filed by Qianxin Technology Group Co Ltd and Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910755857.7A
Publication of CN112395594A
Application granted
Publication of CN112395594B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a method, a device and equipment for processing an instruction execution sequence, relates to the technical field of network security, and can effectively identify and repair an incomplete instruction execution sequence and solve the problem that the instruction execution sequence cannot be completely acquired under abnormal conditions. The method comprises the following steps: when the instruction execution sequence of the monitoring point event is incomplete, acquiring the earliest instruction point in the instruction execution sequence; retrieving the instruction address of the earliest instruction point in an instruction execution sequence storage space, and respectively carrying out validity check on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence; and if the target storage address and the next stack base address corresponding to the target storage address respectively pass validity check, repairing the incomplete instruction execution sequence according to the valid target storage address. The method and the device are suitable for identification and repair processing of the instruction execution sequence.

Description

Method, device and equipment for processing instruction execution sequence
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a device for processing an instruction execution sequence.
Background
Hacking incidents keep increasing as the internet becomes more pervasive, and attack techniques keep evolving. An attacker who exploits a vulnerability can make a software process carry out attack actions on the attacker's behalf; therefore, to constrain a software process to its legitimate behavior, the events it may execute can be limited by defining a set of permissions.
Currently, the instruction execution sequence (that is, the call stack) corresponding to a monitoring point, such as creating a process or reading and writing a file or the registry, may be matched against the preset normal-behavior instruction execution sequence of that monitoring point, so that an attack event can be found in time. Specifically, a stack backtrace can be performed through an Application Programming Interface (API) provided by the system (for example, CaptureStackBackTrace or StackWalk64 on Windows) to obtain the instruction execution sequence corresponding to the monitoring point.
However, the instruction execution sequence obtained this way may be truncated. The causes are many-sided: legitimate program optimization (for instance frame-pointer omission, which breaks the chain of saved base pointers that the backtrace follows) as well as deliberate corruption of the stack by malicious code. A truncated sequence cannot be matched against the baseline, and the accuracy of security detection suffers.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus, and a device for processing an instruction execution sequence, mainly aiming to solve the technical problem that, under abnormal conditions, an acquired instruction execution sequence is incomplete and cannot be matched, which reduces the accuracy of security detection.
According to one aspect of the present application, there is provided a method for processing an instruction execution sequence, the method comprising:
when the instruction execution sequence of the monitoring point event is incomplete, acquiring the earliest instruction point in the instruction execution sequence;
retrieving the instruction address of the earliest instruction point in an instruction execution sequence storage space, and respectively performing validity check on the retrieved storage address and a next stack base address corresponding to the storage address according to a stack memory space range corresponding to an incomplete instruction execution sequence;
and if the target storage address and the next stack base address corresponding to the target storage address respectively pass validity check, repairing the incomplete instruction execution sequence according to the valid target storage address.
Optionally, the repairing the incomplete instruction execution sequence according to the valid target storage address specifically includes:
and repairing the incomplete instruction execution sequence by utilizing the effective instruction information stored in the target storage address.
Optionally, the performing validity check on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence specifically includes:
if the retrieved target storage address is within the stack memory space range and the next stack base address corresponding to the target storage address is also within the stack memory space range, determining that the retrieved target storage address and the next stack base address corresponding to the target storage address respectively pass validity check;
and if the retrieved storage address is out of the range of the stack memory space or the next stack base address corresponding to the storage address is out of the range of the stack memory space, respectively performing validity check on the next storage address of the storage address in the instruction execution sequence storage space and the next stack base address corresponding to the next storage address, and checking the storage addresses one by one in the same way until the retrieved target storage address and the next stack base address corresponding to the target storage address are determined to respectively pass the validity check.
Optionally, after the repairing the incomplete instruction execution sequence according to the valid target storage address, the method further comprises:
if the instruction execution sequence after the first repair is not complete, repeatedly executing retrieval and validity check operations in the instruction execution sequence storage space according to the earliest instruction point in the instruction execution sequence after the first repair so as to continuously repair the incomplete instruction execution sequence according to another valid target storage address.
Optionally, the method further includes:
and acquiring the stack memory space range according to the current stack base address and the stack top pointer of the monitoring point event.
Optionally, the method further includes:
and determining whether the instruction execution sequence of the monitoring point event is complete or not by judging whether the instruction at the bottommost layer of the instruction execution sequence is a thread initialization instruction or not.
Optionally, the obtaining an earliest instruction point in the instruction execution sequence specifically includes:
and acquiring the lowest layer instruction point in the incomplete instruction execution sequence as the earliest instruction point.
Optionally, the method further includes:
and after the instruction execution sequence is completely repaired, performing feature matching by using the completely repaired instruction execution sequence so as to perform security detection.
According to another aspect of the present application, there is provided an apparatus for processing an instruction execution sequence, the apparatus comprising:
the acquisition module is used for acquiring the earliest instruction point in the instruction execution sequence when the instruction execution sequence of the monitoring point event is incomplete;
the retrieval module is used for retrieving the instruction address of the earliest instruction point in an instruction execution sequence storage space and respectively carrying out validity check on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence;
and the repairing module is used for repairing the incomplete instruction execution sequence according to the effective target storage address if the target storage address and the next stack base address corresponding to the target storage address respectively pass validity check.
Optionally, the repair module is specifically configured to repair the incomplete instruction execution sequence by using the instruction information stored in the valid target storage address.
Optionally, the retrieving module is specifically configured to determine that the retrieved target storage address and the next stack base address corresponding to the retrieved target storage address respectively pass validity checks if the retrieved target storage address is within the stack memory space range and the next stack base address corresponding to the target storage address is also within the stack memory space range;
and if the retrieved storage address is out of the range of the stack memory space or the next stack base address corresponding to the storage address is out of the range of the stack memory space, respectively performing validity check on the next storage address of the storage address in the instruction execution sequence storage space and the next stack base address corresponding to the next storage address, and checking the storage addresses one by one in the same way until the retrieved target storage address and the next stack base address corresponding to the target storage address are determined to respectively pass the validity check.
Optionally, the repair module is further configured to, if the instruction execution sequence after the one-time repair is incomplete, repeatedly perform, according to an earliest instruction point in the instruction execution sequence after the one-time repair, the operations of retrieving and checking validity in the instruction execution sequence storage space, so as to continue to repair the instruction execution sequence that is incomplete according to another valid target storage address.
Optionally, the obtaining module is further configured to obtain the stack memory space range according to the current stack base address of the monitoring point event and the stack top pointer.
Optionally, the apparatus further comprises:
and the determining module is used for determining whether the instruction execution sequence of the monitoring point event is complete by judging whether the instruction at the bottommost layer of the instruction execution sequence is a thread initialization instruction.
Optionally, the obtaining module is specifically configured to obtain a bottommost instruction point in the incomplete instruction execution sequence as the earliest instruction point.
Optionally, the apparatus further comprises:
and the matching module is used for performing feature matching by using the complete repaired instruction execution sequence after the instruction execution sequence is completely repaired so as to perform security detection.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described method for processing an instruction execution sequence.
According to still another aspect of the present application, there is provided a physical device for processing an instruction execution sequence, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, wherein the processor implements a processing method of the instruction execution sequence when executing the program.
By means of the technical scheme, the method, the device and the equipment for processing the instruction execution sequence have the advantages that when the instruction execution sequence of the monitoring point event is incomplete, the instruction address of the earliest instruction point in the instruction execution sequence can be retrieved in the instruction execution sequence storage space, and validity check is respectively carried out on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence. And then finding out an effective target storage address, and repairing the incomplete instruction execution sequence according to the effective target storage address. Therefore, the incomplete instruction execution sequence can be effectively identified and repaired, and the problem that the instruction execution sequence cannot be completely acquired under the abnormal condition is solved. Therefore, a complete instruction execution sequence can be extracted for matching subsequently, and the accuracy of safety detection is improved.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a processing method of an instruction execution sequence according to an embodiment of the present application;
FIG. 2 is a flow chart illustrating another method for processing an instruction execution sequence according to an embodiment of the present disclosure;
FIG. 3 illustrates an example schematic provided by an embodiment of the present application;
fig. 4 shows a schematic structural diagram of a processing apparatus for an instruction execution sequence according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
The method solves the technical problem that under abnormal conditions, the acquired instruction execution sequence is not fully acquired, so that the complete instruction execution sequence cannot be extracted for matching, and the accuracy of safety detection is influenced. The embodiment provides a processing method of an instruction execution sequence, as shown in fig. 1, the method includes:
101. when the instruction execution sequence of the monitor point event is incomplete, the earliest instruction point in the instruction execution sequence is acquired.
The monitoring point event may be creating a process, loading a module, reading or writing a file, reading or writing the registry, loading a driver, and the like. The instruction execution sequence of the monitoring point event is traced back from the monitoring point, so the first layer of the sequence is the monitoring point itself, the second layer is the instruction point that invoked the monitoring point, the third layer is the instruction point that invoked the second layer, and so on. The earliest instruction point is the last layer reached by this layer-by-layer backtrace; when the sequence is incomplete, the backtrace stops there because the caller of that instruction point cannot be recovered.
The execution subject of the embodiment may be an instruction execution sequence identification and repair processing device or apparatus, and may be configured on the client side, or may be configured on the server side according to actual requirements. The method and the device can be particularly used for effectively identifying and repairing the incomplete instruction execution sequence. I.e. the process shown in steps 102 to 103 is performed.
102. And retrieving the instruction address of the earliest instruction point in an instruction execution sequence storage space, and respectively carrying out validity check on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence.
In this embodiment, the instruction execution sequence storage space can be obtained through the Extended Base Pointer (EBP), that is, by following the chain of saved frame pointers on the thread stack. This storage space holds the storage addresses of the constituent points of the instruction execution sequence (the saved base pointer and return address of each frame). Even when the chain is interrupted by an abnormal condition, the slots of the older frames remain on the stack, so the storage space can be used to repair the incomplete instruction execution sequence.
103. And if the target storage address and the next stack base address corresponding to the target storage address respectively pass validity check, repairing the incomplete instruction execution sequence according to the valid target storage address.
For example, the storage address A corresponding to the instruction address of the earliest instruction point is looked up in the instruction execution sequence storage space (A is the next stack base address recorded for that instruction point). It is first determined whether A lies within the stack memory space range of the instruction execution sequence; if so, it is further determined whether the next stack base address recorded at A (the storage address B of the next instruction point) also lies within that range. If both do, A is the valid target storage address, and the instruction information stored at A is used to extend the instruction execution sequence.
By applying the processing method for the instruction execution sequence, compared with the prior art, in this embodiment, when the instruction execution sequence of the monitoring point event is incomplete, the instruction address of the earliest instruction point in the instruction execution sequence can be retrieved in the instruction execution sequence storage space, and validity check is performed on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence. And then finding out an effective target storage address, and repairing the incomplete instruction execution sequence according to the effective target storage address. Therefore, the incomplete instruction execution sequence can be effectively identified and repaired, and the problem that the instruction execution sequence cannot be completely acquired under the abnormal condition is solved. Therefore, a complete instruction execution sequence can be extracted for matching subsequently, and the accuracy of safety detection is improved.
Further, as a refinement and an extension of the specific implementation of the above embodiment, in order to fully illustrate the implementation process of the embodiment, another processing method of an instruction execution sequence is provided, as shown in fig. 2, the method includes:
201. and determining whether the instruction execution sequence of the monitoring point event is complete or not by judging whether the instruction at the bottommost layer of the instruction execution sequence is a thread initialization instruction or not.
For this embodiment, the instruction execution sequence is traced back from the monitoring point, and the bottommost instruction of a complete sequence should be the thread initialization instruction. Therefore, if the bottommost instruction of the sequence is not a thread initialization instruction, the instruction execution sequence of the monitoring point event is determined to be incomplete. This criterion gives an accurate judgement of whether the sequence is complete.
202. And when the instruction execution sequence of the monitoring point event is incomplete, acquiring the bottommost instruction point in the incomplete instruction execution sequence as the earliest instruction point.
In this embodiment, the instruction points that lie below the bottommost instruction point of the incomplete sequence are the ones that actually need to be repaired; completing them yields the complete instruction execution sequence.
203. And retrieving the instruction address of the earliest instruction point in an instruction execution sequence storage space, and respectively carrying out validity check on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence.
Optionally, in order to obtain the stack memory space range corresponding to the incomplete instruction execution sequence accurately, it may be derived from the current stack base address and stack top pointer of the monitoring point event, for example from the start and end addresses of the thread stack (on Windows these are the StackBase and StackLimit fields of the thread's TEB). For a normal, complete instruction execution sequence, the storage address of every instruction point in the storage space lies within this range.
Optionally, the performing validity check on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence specifically includes: if the retrieved target storage address is within the stack memory space range and the next stack base address corresponding to the target storage address is also within the stack memory space range, it is determined that the retrieved target storage address and the next stack base address corresponding to the retrieved target storage address respectively pass validity checks.
If the retrieved storage address is out of the range of the stack memory space or the next stack base address corresponding to the storage address is out of the range of the stack memory space, respectively performing validity check on the next storage address of the storage address in the instruction execution sequence storage space and the next stack base address corresponding to the next storage address, and checking the storage addresses one by one in the same way until the retrieved target storage address and the next stack base address corresponding to the target storage address are determined to respectively pass the validity check.
For this embodiment, if a storage address satisfies only one of the two conditions, or neither, it is not valid, and the instruction information stored there must not be used for repair, because a sequence repaired from it would not satisfy the stack memory space range requirement. The storage addresses are therefore checked one by one until a target storage address satisfying both conditions is found, which prevents a repair that does not match the actual call chain from producing a wrong instruction execution sequence.
204. And if the target storage address and the next stack base address corresponding to the target storage address respectively pass validity check, restoring the incomplete instruction execution sequence by using the instruction information stored in the valid target storage address.
For example, the instruction information stored at the target storage address is used to repair the instruction point one layer below the bottommost instruction point of the incomplete sequence, yielding a sequence one layer deeper.
Based on the above solution, to illustrate the implementation process of the present embodiment, the following is a simple example:
for example, as shown in fig. 3, the instruction execution sequence memory space obtained by EBP is shown, wherein one column of addresses on the right side in the figure is the respectively corresponding next stack base address. The instruction execution sequence A is incomplete, and the corresponding stack memory space range is {0x001, 0x501 }; the instruction address of the instruction point at the bottom layer in the instruction execution sequence A is found to be 0x201, the corresponding next stack base address in the instruction execution sequence storage space is 0, and the next address search is continued because 0 is not in the range of {0x001, 0x501 }. That is, the next stack base address corresponding to 0x202, specifically 0x301, is searched, and the value is in the range of {0x001, 0x501}, then it is determined whether the next stack base address of 0x301 is also in this range, and it is determined that the next stack base address of 0x301, 0x401, is also in the range of {0x001, 0x501}, so that it can be stated that the storage address of 0x301 is valid, and the instruction information stored in 0x301 can be obtained to repair the instruction execution sequence a, so as to obtain instruction execution sequences of more layers.
Further, to obtain a more complete instruction execution sequence, if the sequence is still incomplete after one repair, the retrieval and validity check of steps 203 and 204 are repeated, starting from the earliest instruction point of the once-repaired sequence (that is, the instruction point added by the previous repair), so that the still-incomplete sequence is repaired further using another valid target storage address.
By the method, the next layer of instruction points can be repaired to obtain a more complete instruction execution sequence, and if the instruction execution sequence is still incomplete, the retrieval and validity check operation can be continuously and repeatedly executed by the earliest instruction point in the secondarily repaired instruction execution sequence until the instruction execution sequence is completely repaired.
205. And after the instruction execution sequence is completely repaired, performing feature matching by using the completely repaired instruction execution sequence so as to perform security detection.
For example, the repaired complete instruction execution sequence is matched against the preset normal-behavior instruction execution sequence of the monitoring point; if they do not match, an anomaly is determined to exist and an alarm is raised.
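The procedure of steps 201 to 205 (and steps 101 to 103 of the first embodiment), as an added example that is not the patent's or the assignee's code. It simulates a 32-bit x86 thread stack with frame pointers in Python: a frame whose base pointer is ebp holds the caller's saved EBP at [ebp] and the return address at [ebp + 4], the stack grows downward, and the stack memory space range is [STACK_LIMIT, STACK_BASE). The stack range, the frames, the return addresses and the THREAD_START sentinel are constructed sample data. Two details go beyond what the patent states and are assumptions: the "instruction information" of a recovered storage address is taken to be the return address one word above the recovered saved base pointer, and a recovered base pointer is additionally required to lie above the slot that holds it (older frames sit at higher addresses). Note what the two range checks establish and what they do not: they confirm that a slot plausibly belongs to a frame inside the thread's stack, not that its contents are authentic, so a trace repaired this way is a best-effort reconstruction when it feeds the feature matching of step 205.

```python
"""EBP-chain stack walk with gap repair (added example; constructed sample data)."""

WORD = 4
THREAD_START = 0x77001000  # stands in for the thread-initialization return address

# Constructed sample: a 256 KiB stack occupying [STACK_LIMIT, STACK_BASE).
STACK_LIMIT = 0x00300000
STACK_BASE = 0x00340000

# (frame address, return address), newest frame (the monitoring point) first.
FRAMES = [
    (0x0033FE00, 0x00401000),   # frame of the code that reached the monitoring point
    (0x0033FE40, 0x00402000),
    (0x0033FE60, 0x00403000),
    (0x0033FEA0, 0x00404000),
    (0x0033FEE0, THREAD_START),  # thread-start frame; its saved EBP is 0
]
DAMAGED_FRAME = FRAMES[1][0]   # this frame's saved EBP is zeroed in the sample


def in_stack(addr, stack_limit, stack_base):
    """The patent's validity check: the value must lie inside the thread's stack."""
    return stack_limit <= addr < stack_base


def build_stack(frames, damaged_frame=None):
    """Lay out the frame chain. Each frame's saved EBP points at the next older
    frame; the oldest frame's saved EBP is 0, the usual end-of-chain marker.
    Zeroing `damaged_frame`'s saved EBP simulates a frame-pointer-omitting
    function or deliberate corruption that breaks the chain."""
    mem = {}
    for i, (addr, ret) in enumerate(frames):
        mem[addr] = frames[i + 1][0] if i + 1 < len(frames) else 0
        mem[addr + WORD] = ret
    if damaged_frame is not None:
        mem[damaged_frame] = 0
    return mem


def build_sample_stack():
    """Damaged sample plus constructed locals between frames 2 and 3: a pointer
    into the stack (passes the first range check, fails the second because the
    buffer it points at holds character data) and that buffer."""
    mem = build_stack(FRAMES, DAMAGED_FRAME)
    mem[0x0033FE48] = 0x0033FE50      # local: pointer to a stack buffer
    mem[0x0033FE50] = 0x41414141      # local: buffer contents "AAAA"
    mem[0x0033FE54] = 0x41414141
    return mem


def walk_frames(mem, ebp, stack_limit, stack_base, max_depth=256):
    """Plain EBP-chain walk, as a system backtrace API does it. Returns the
    return addresses (newest first) and the address of the last frame visited."""
    trace, last_frame, seen = [], None, set()
    while in_stack(ebp, stack_limit, stack_base) and ebp not in seen and len(trace) < max_depth:
        seen.add(ebp)
        trace.append(mem.get(ebp + WORD, 0))
        last_frame = ebp
        ebp = mem.get(ebp, 0)
    return trace, last_frame


def is_complete(trace):
    """Step 201: the bottommost instruction must be the thread-initialization instruction."""
    return bool(trace) and trace[-1] == THREAD_START


def find_valid_frame(mem, start, stack_limit, stack_base):
    """Step 203: scan slot by slot from `start` toward older frames and return the
    first slot whose value (the next stack base address) is inside the stack and
    whose own next stack base address is inside the stack too. Requiring
    value > slot is an added sanity check, not part of the patent's test."""
    for slot in range(start, stack_base, WORD):
        nxt = mem.get(slot, 0)
        if in_stack(nxt, stack_limit, stack_base) and nxt > slot \
                and in_stack(mem.get(nxt, 0), stack_limit, stack_base):
            return slot
    return None


def repair_trace(mem, ebp, stack_limit, stack_base, max_rounds=64):
    """Steps 201 to 204 end to end: walk, then while the trace is incomplete find
    a valid frame above the stale one and resume the walk from it, repeating as
    the patent describes. Returns (trace, complete)."""
    trace, last_frame = walk_frames(mem, ebp, stack_limit, stack_base)
    for _ in range(max_rounds):
        if is_complete(trace) or last_frame is None:
            break
        slot = find_valid_frame(mem, last_frame + WORD, stack_limit, stack_base)
        if slot is None:
            break
        more, last_frame = walk_frames(mem, slot, stack_limit, stack_base)
        trace.extend(more)
    return trace, is_complete(trace)


if __name__ == "__main__":
    mem = build_sample_stack()
    broken, _ = walk_frames(mem, FRAMES[0][0], STACK_LIMIT, STACK_BASE)
    fixed, ok = repair_trace(mem, FRAMES[0][0], STACK_LIMIT, STACK_BASE)
    print("system walk:", [hex(a) for a in broken], "complete:", is_complete(broken))
    print("repaired:   ", [hex(a) for a in fixed], "complete:", ok)
```

Run as a script, the plain walk stops after two frames at the zeroed saved EBP; the repair rejects the return-address slot and the buffer pointer (first check fails for the former, second check for the latter), lands on the intact third frame and walks the rest of the chain down to THREAD_START. If no slot passes both checks, repair_trace returns the partial trace with complete set to False rather than guessing, which is the behaviour a detection pipeline should expect before matching.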
By applying the scheme of the embodiment, the incomplete instruction execution sequence can be effectively identified and repaired, and the problem that the instruction execution sequence cannot be completely acquired under the abnormal condition is solved. Therefore, a complete instruction execution sequence can be extracted for matching subsequently, and the accuracy of safety detection is improved.
Further, as a specific implementation of the methods shown in fig. 1 and fig. 2, this embodiment provides a processing apparatus for an instruction execution sequence; as shown in fig. 4, the apparatus includes an acquisition module 31, a retrieval module 32 and a repair module 33.
The obtaining module 31 is configured to obtain the earliest instruction point in an instruction execution sequence when the instruction execution sequence of a monitoring point event is incomplete;
the retrieving module 32 is configured to retrieve the instruction address of the earliest instruction point in an instruction execution sequence storage space, and to perform validity checks on the retrieved storage address and on the next stack base address corresponding to that storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence;
the repairing module 33 is configured to repair the incomplete instruction execution sequence according to the valid target storage address if the target storage address and the next stack base address corresponding to the target storage address respectively pass validity checks.
In a specific application scenario, the repair module 33 is specifically configured to repair the incomplete instruction execution sequence by using the valid instruction information stored in the target storage address.
In a specific application scenario, the retrieving module 32 is specifically configured to determine that the retrieved target storage address and the next stack base address corresponding to the target storage address respectively pass validity checks if the retrieved target storage address is within the stack memory space range and the next stack base address corresponding to the target storage address is also within the stack memory space range; and if the retrieved storage address is out of the range of the stack memory space or the next stack base address corresponding to the storage address is out of the range of the stack memory space, respectively performing validity check on the next storage address of the storage address in the instruction execution sequence storage space and the next stack base address corresponding to the next storage address, and checking the storage addresses one by one in the same way until the retrieved target storage address and the next stack base address corresponding to the target storage address are determined to respectively pass the validity check.
In a specific application scenario, the repairing module 33 is further configured to, if the instruction execution sequence after one repairing is incomplete, repeatedly perform the retrieving and validity checking operations in the instruction execution sequence storage space according to an earliest instruction point in the instruction execution sequence after one repairing, so as to continue repairing the instruction execution sequence that is not complete yet according to another valid target storage address.
In a specific application scenario, the obtaining module 31 may be further configured to obtain the stack memory space range according to the current stack base address of the monitoring point event and the stack top pointer.
In a specific application scenario, the apparatus further comprises: a determination module 34;
the determining module 34 is configured to determine whether the instruction execution sequence of the monitoring point event is complete by judging whether the bottom-most instruction of the instruction execution sequence is a thread initialization instruction.
In a specific application scenario, the obtaining module 31 is specifically configured to obtain a bottommost instruction point in the incomplete instruction execution sequence as the earliest instruction point.
In a specific application scenario, the apparatus further comprises: a matching module 35;
the matching module 35 is configured to perform feature matching using the completely repaired instruction execution sequence after the instruction execution sequence has been completely repaired, so as to perform security detection.
It should be noted that other corresponding descriptions of the functional units involved in the processing apparatus for an instruction execution sequence provided in this embodiment may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Based on the methods shown in fig. 1 and fig. 2, correspondingly, the present embodiment further provides a storage medium, on which a computer program is stored, and the program, when executed by a processor, implements the processing method of the instruction execution sequence shown in fig. 1 and fig. 2.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, a USB disk or a removable hard disk) and which includes several instructions for enabling a computer device (which may be a personal computer, a server or a network device) to execute the method according to the implementation scenarios of the present application.
Based on the methods shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 4, in order to achieve the above object, this embodiment further provides an entity device for processing an instruction execution sequence, which may specifically be a personal computer, a server, a smart phone, a tablet computer or another network device; the entity device includes a storage medium and a processor, the storage medium storing a computer program and the processor executing that computer program to implement the methods shown in fig. 1 and fig. 2.
Optionally, the entity device may further include a user interface, a network interface, a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WI-FI module, and the like. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), etc.
Those skilled in the art will appreciate that the physical device structure provided by this embodiment for processing an instruction execution sequence does not constitute a limitation on the physical device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the above-mentioned entity device and supports the operation of the information processing program and other software and/or programs. The network communication module is used to implement communication among components within the storage medium and communication with other hardware and software in the information processing entity device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. By applying this technical scheme, an incomplete instruction execution sequence can be effectively identified and repaired, which solves the problem that the complete instruction execution sequence cannot be acquired under abnormal conditions. A complete instruction execution sequence can therefore be extracted for subsequent matching, improving the accuracy of security detection.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (10)

1. A method for processing an instruction execution sequence, comprising:
when the instruction execution sequence of the monitoring point event is incomplete, acquiring the earliest instruction point in the instruction execution sequence;
retrieving the instruction address of the earliest instruction point in an instruction execution sequence storage space, and respectively performing validity check on the retrieved storage address and a next stack base address corresponding to the storage address according to a stack memory space range corresponding to an incomplete instruction execution sequence;
and if the target storage address and the next stack base address corresponding to the target storage address respectively pass validity check, repairing the incomplete instruction execution sequence according to the valid target storage address.
2. The method of claim 1, wherein repairing the incomplete instruction execution sequence based on the valid target storage address comprises:
and repairing the incomplete instruction execution sequence by utilizing the effective instruction information stored in the target storage address.
3. The method according to claim 1, wherein the performing validity checks on the retrieved storage address and a next stack base address corresponding to the storage address according to a stack memory space range corresponding to the incomplete instruction execution sequence includes:
if the retrieved target storage address is within the stack memory space range and the next stack base address corresponding to the target storage address is also within the stack memory space range, determining that the retrieved target storage address and the next stack base address corresponding to the target storage address respectively pass validity check;
and if the retrieved storage address is out of the range of the stack memory space or the next stack base address corresponding to the storage address is out of the range of the stack memory space, respectively performing validity check on the next storage address of the storage address in the instruction execution sequence storage space and the next stack base address corresponding to the next storage address, and checking the storage addresses one by one in the same way until the retrieved target storage address and the next stack base address corresponding to the target storage address are determined to respectively pass the validity check.
4. The method of claim 3, wherein after the repairing an incomplete sequence of instruction execution from the valid target storage addresses, the method further comprises:
if the instruction execution sequence after the first repair is not complete, repeatedly executing retrieval and validity check operations in the instruction execution sequence storage space according to the earliest instruction point in the instruction execution sequence after the first repair so as to continuously repair the incomplete instruction execution sequence according to another valid target storage address.
5. The method of claim 1, further comprising:
and acquiring the stack memory space range according to the current stack base address and the stack top pointer of the monitoring point event.
6. The method of claim 1, further comprising:
and determining whether the instruction execution sequence of the monitoring point event is complete or not by judging whether the instruction at the bottommost layer of the instruction execution sequence is a thread initialization instruction or not.
7. The method of claim 1, wherein said fetching an earliest instruction point in the instruction execution sequence comprises:
and acquiring the lowest layer instruction point in the incomplete instruction execution sequence as the earliest instruction point.
8. An apparatus for processing a sequence of instruction executions, comprising:
the acquisition module is used for acquiring the earliest instruction point in the instruction execution sequence when the instruction execution sequence of the monitoring point event is incomplete;
the retrieval module is used for retrieving the instruction address of the earliest instruction point in an instruction execution sequence storage space and respectively carrying out validity check on the retrieved storage address and the next stack base address corresponding to the storage address according to the stack memory space range corresponding to the incomplete instruction execution sequence;
and the repairing module is used for repairing the incomplete instruction execution sequence according to the effective target storage address if the target storage address and the next stack base address corresponding to the target storage address respectively pass validity check.
9. A storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the processing method of the execution sequence of instructions of any one of claims 1 to 7.
10. A processing apparatus for executing a sequence of instructions, comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, characterized in that the processor implements a method for processing the sequence of instructions according to any one of claims 1 to 7 when executing the program.
CN201910755857.7A 2019-08-15 2019-08-15 Method, device and equipment for processing instruction execution sequence Active CN112395594B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755857.7A CN112395594B (en) 2019-08-15 2019-08-15 Method, device and equipment for processing instruction execution sequence

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910755857.7A CN112395594B (en) 2019-08-15 2019-08-15 Method, device and equipment for processing instruction execution sequence

Publications (2)

Publication Number Publication Date
CN112395594A true CN112395594A (en) 2021-02-23
CN112395594B CN112395594B (en) 2023-12-12

Family

ID=74601789

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910755857.7A Active CN112395594B (en) 2019-08-15 2019-08-15 Method, device and equipment for processing instruction execution sequence

Country Status (1)

Country Link
CN (1) CN112395594B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114357028A (en) * 2021-12-31 2022-04-15 宁波舜宇智能科技有限公司 Abnormal state detection method and device for state machine, electronic device and storage medium

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7287166B1 (en) * 1999-09-03 2007-10-23 Purdue Research Foundation Guards for application in software tamperproofing
US20090187741A1 (en) * 2008-01-23 2009-07-23 Arm. Limited Data processing apparatus and method for handling instructions to be executed by processing circuitry
US20130227343A1 (en) * 2012-02-28 2013-08-29 O2Micro, Inc. Circuits and Methods for Replacing Defective Instructions
US20130326193A1 (en) * 2012-05-31 2013-12-05 Daniel M. McCarthy Processor resource and execution protection methods and apparatus
CN103632087A (en) * 2012-08-21 2014-03-12 腾讯科技(深圳)有限公司 Method and device for protecting process
CN103677769A (en) * 2012-09-06 2014-03-26 北京中天安泰信息科技有限公司 Instruction recombining method and device
CN103677746A (en) * 2012-09-06 2014-03-26 北京中天安泰信息科技有限公司 Instruction recombining method and device
CN103679039A (en) * 2012-09-06 2014-03-26 北京中天安泰信息科技有限公司 Data security storage method and device
EP3035228A1 (en) * 2014-12-16 2016-06-22 Nxp B.V. Code integrity protection by computing target addresses from checksums
CN107122164A (en) * 2017-03-31 2017-09-01 腾讯科技(深圳)有限公司 Function address obtains and applied its method, device, equipment and storage medium
WO2017166997A1 (en) * 2016-03-30 2017-10-05 中兴通讯股份有限公司 Inic-side exception handling method and device
CN107665169A (en) * 2016-07-29 2018-02-06 龙芯中科技术有限公司 The method of testing and device of processor program
CN109753789A (en) * 2017-11-06 2019-05-14 中天安泰(北京)信息技术有限公司 Prevent the method and device of stack overflow

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
庄铮 (Zhuang Zheng): "Design and Implementation of a Memory Forensics System Based on Binary Reuse", 《社会科学Ⅰ辑》 (Social Sciences, Series I) *

Also Published As

Publication number Publication date
CN112395594B (en) 2023-12-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant