CN112580042A - Malicious program resisting method and device, storage medium and computer equipment - Google Patents

Info

Publication number: CN112580042A
Authority: CN (China)
Legal status: Granted
Application number: CN201910945359.9A
Other languages: Chinese (zh)
Other versions: CN112580042B (en)
Inventors: 黄瀚, 刘同豪, 胡彬
Current assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910945359.9A; published as CN112580042A; granted and published as CN112580042B (en)
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application discloses a method and a device for resisting malicious programs, a storage medium and computer equipment, wherein the method comprises the following steps: acquiring a stub function that needs to be adjusted, wherein the stub function is related to execution time; and setting parameters of the stub function in the virtual machine according to a preset parameter adjustment rule, so as to reduce the waiting time when the target program calls the stub function in the virtual machine. According to the method and the device, the maximum program execution time threshold of the virtual machine does not need to be adjusted; the program execution waiting time is reduced by setting the stub function parameters, so that the program execution speed is increased, more execution characteristics are exposed, virus programs that maliciously extend the program execution waiting time can be effectively resisted, and the efficiency and accuracy of virus detection are improved.

Description

Malicious program resisting method and device, storage medium and computer equipment
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a malicious program countermeasure method and apparatus, a storage medium, and a computer device.
Background
With the continuous development of computer technology, computers have become indispensable partners in people's daily life and work and bring much convenience, but one discordant factor is the computer virus. To address the security problem posed by computer viruses, almost every enterprise and individual now uses antivirus software. Most current antivirus software, however, searches for and kills viruses based on virus signatures held in a virus library: if a program on the computer matches a signature in the library, the program is judged to be a virus program. Clearly, a novel virus or a variant virus is difficult for such a library to handle.
Therefore, a newer approach in the antivirus field is to execute the file to be scanned in a virtual machine and obtain its execution characteristics. In general, to keep scanning efficient, a certain execution time threshold is set for each file to be scanned, and once the file's execution in the virtual machine exceeds that threshold, no further characteristics of the file are obtained; in other words, the virtual machine only extracts characteristics during a bounded period of the file's execution. Researchers have found, however, that many virus developers exploit this logic by deliberately extending the execution time of the file, so that the virtual machine cannot acquire the execution features that occur beyond the execution time threshold. The execution features of the file to be scanned are then acquired incompletely, and effective scanning cannot be achieved.
How to effectively acquire the complete execution characteristics of a file in the face of such virus files is an urgent problem to be solved in the antivirus field.
Disclosure of Invention
In view of the above, the present application provides a malicious program countermeasure method and apparatus, a storage medium, and a computer device.
According to one aspect of the application, a method for countering a malicious program is provided, which comprises the following steps:
acquiring a stub function that needs to be adjusted, wherein the stub function is related to execution time;
and setting parameters of the stub function in the virtual machine according to a preset parameter adjustment rule, so as to reduce the waiting time when the target program calls the stub function in the virtual machine.
Specifically, the stub functions needing to be adjusted at least comprise stub functions related to system-time acquisition behavior and/or thread-waiting stub functions.
Specifically, if the stub function to be adjusted includes the stub function related to system-time acquisition behavior, setting a parameter of the stub function in the virtual machine according to a preset parameter adjustment rule specifically includes:
setting the parameter of the stub function in the virtual machine to a target system time variable corresponding to the target program, so that the target program directly acquires the target system time when calling the stub function related to system-time acquisition behavior.
Specifically, if the stub function to be adjusted includes the thread-waiting stub function, setting a parameter of the stub function in the virtual machine according to a preset parameter adjustment rule specifically includes:
setting the parameter of the thread-waiting stub function in the virtual machine to null, so that the target program does not need to wait and directly continues execution when calling the thread-waiting stub function.
Specifically, acquiring a stub function to be adjusted specifically includes:
obtaining and executing a sample program;
and extracting the behaviors related to execution waiting from the execution record generated by the sample program, and taking the stub functions related to those behaviors as the stub functions needing to be adjusted.
Specifically, the method further comprises:
executing the target program in the virtual machine, and recording a stub function execution sequence corresponding to the target program according to the calling sequence of the stub functions in the virtual machine during the execution of the target program.
Specifically, after recording the stub function execution sequence corresponding to the target program, the method further includes:
analyzing the execution characteristics of the target program according to the stub function execution sequence corresponding to the target program;
and comparing the execution characteristics of the target program with malicious execution characteristics and/or safe execution characteristics contained in a preset execution characteristic library, and performing virus analysis on the target program.
According to another aspect of the present application, there is provided a countermeasure device for a malicious program, including:
an adjusted stub function obtaining module, configured to obtain a stub function to be adjusted, where the stub function is related to execution time;
and a parameter setting module, configured to set the parameters of the stub function in the virtual machine according to a preset parameter adjustment rule, so as to reduce the waiting time when the target program calls the stub function in the virtual machine.
Specifically, the stub functions needing to be adjusted at least comprise stub functions related to system-time acquisition behavior and/or thread-waiting stub functions.
Specifically, the parameter setting module specifically includes:
a first parameter setting unit, configured to set, if the stub function to be adjusted includes the stub function related to system-time acquisition behavior, the parameter of the stub function in the virtual machine to a target system time variable corresponding to the target program, so that the target program directly obtains the target system time when calling the stub function related to system-time acquisition behavior.
Specifically, the parameter setting module specifically includes:
and a second parameter setting unit, configured to set the parameter of the thread-waiting stub function in the virtual machine to null if the stub function to be adjusted includes the thread-waiting stub function, so that the target program does not need to wait and directly continues execution when calling the thread-waiting stub function.
Specifically, the adjusted stub function obtaining module specifically includes:
a sample program execution unit, configured to acquire and execute a sample program;
and an adjusted stub function extracting unit, configured to extract the behaviors related to execution waiting from the execution record generated by the sample program, and to take the stub functions related to those behaviors as the stub functions needing to be adjusted.
Specifically, the apparatus further comprises:
and the target program execution module is used for executing the target program in the virtual machine and recording the stub function execution sequence corresponding to the target program according to the calling sequence of the stub functions in the virtual machine in the target program execution process.
Specifically, the apparatus further comprises:
the execution characteristic analysis module is used for analyzing the execution characteristics of the target program according to the stub function execution sequence corresponding to the target program after recording the stub function execution sequence corresponding to the target program;
and the virus analysis module is used for comparing the execution characteristics of the target program with malicious execution characteristics and/or safety execution characteristics contained in a preset execution characteristic library and carrying out virus analysis on the target program.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described countermeasure method for malicious programs.
According to yet another aspect of the present application, there is provided a computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the above-mentioned malicious program countermeasure method when executing the program.
By means of the technical scheme, the malicious program countermeasure method and device, the storage medium and the computer device provided by the application can reduce program execution waiting time and accelerate the execution speed of the target program when the virtual machine executes the target program to call the stub functions related to the execution time by setting the parameters of the stub functions related to the execution time in the virtual machine. According to the method and the device, the program execution maximum time threshold of the virtual machine does not need to be adjusted, and the program execution waiting time is reduced by setting the stub function parameters, so that the program execution speed is increased, more execution characteristics are exposed, virus programs taking malicious extension of the program execution waiting time as means can be effectively resisted, and the virus detection efficiency and accuracy are improved.
The foregoing is only an overview of the technical solution of the present application. The application can be implemented according to the content of this description; to make its technical means more clearly understood, and to make the above and other objects, features and advantages of the application more clearly understandable, the detailed description of the application follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a method for countering a malicious program according to an embodiment of the present disclosure;
fig. 2 is a flowchart illustrating another malicious program countermeasure method according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram illustrating a malicious program countermeasure device according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram illustrating another malicious program countermeasure apparatus according to an embodiment of the present disclosure.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a method for countering a malicious program is provided, as shown in fig. 1, the method includes:
step 101, acquiring a stub function to be adjusted, wherein the stub function is related to execution time;
and step 102, setting parameters of the stub function in the virtual machine according to a preset parameter adjustment rule, so as to reduce the waiting time when the target program calls the stub function in the virtual machine.
In the above embodiment, to deal with a virus program that maliciously extends its execution time, the stub functions in the virtual machine that are related to execution-time-extending operations, that is, the stub functions that need to be adjusted, are first obtained; the sleep stub function is one example. If a target program calls the sleep function on a real system, the current thread waits for a period of time, and if the virtual machine simulates the real system faithfully, the current thread likewise waits for a period of time when the target program calls the sleep function in the virtual machine. When the virtual machine is used to obtain the execution features of a target program, an execution time threshold is generally agreed in advance for efficiency, and only the execution features within that threshold are extracted. A virus developer targets exactly this logic: to make it difficult for the virtual machine to obtain the execution features of the virus program, the virus program is written so that the current thread waits a long time after calling the sleep function. For example, if the execution time threshold is 2 seconds and the program instructs the virtual machine to wait 5 seconds after calling the sleep function, the virtual machine can hardly acquire any effective execution features of the virus program. Therefore, after the stub functions to be adjusted have been acquired, their parameters can be adjusted so that the stub functions related to execution time are no longer simulated as on a real system. When the target program calls such a stub function in the virtual machine, idle time is reduced, the waiting time of the thread is shortened, the execution speed of the target program is increased, more execution features are exposed, and more complete execution features of the target program can be acquired, which helps to improve the accuracy of judging whether the target program contains a virus. The execution time threshold does not need to be adjusted in this embodiment: more complete execution features are acquired while the execution time stays unchanged, so the efficiency of execution feature acquisition is improved.
By applying the technical scheme of the embodiment, the parameters of the stub functions related to the execution time in the virtual machine are set, so that when the virtual machine executes the target program and calls the stub functions related to the execution time, the program execution waiting time can be reduced, and the execution speed of the target program is accelerated. According to the method and the device, the program execution maximum time threshold of the virtual machine does not need to be adjusted, and the program execution waiting time is reduced by setting the stub function parameters, so that the program execution speed is increased, more execution characteristics are exposed, virus programs taking malicious extension of the program execution waiting time as means can be effectively resisted, and the virus detection efficiency and accuracy are improved.
Further, as a refinement and an extension of the specific implementation of the above embodiment, in order to fully explain the specific implementation process of the embodiment, another malicious program countermeasure method is provided, as shown in fig. 2, and the method includes:
step 201, obtaining and executing a sample program;
step 202, extracting the behavior of execution waiting in the execution record generated by the sample program, and taking the stub function related to the behavior of execution waiting as the stub function needing to be adjusted;
In any embodiment of the present application, specifically, the stub functions that need to be adjusted at least include the stub functions related to system-time acquisition behavior and/or the thread-waiting stub functions.
In steps 201 and 202, a large number of sample programs are executed to completion in a virtual machine that faithfully simulates a real system. From the execution records of the sample programs in the virtual machine, the stub functions that are related to execution waiting are then counted; these can be taken as the stub functions that need to be adjusted, so that their parameters can be set in the virtual machine. The stub functions that need to be adjusted here may include at least a stub function related to system-time acquisition behavior and a thread-waiting stub function. The former corresponds to a program that, when calling the stub function, continues execution only after a specific system time has been obtained; the latter corresponds to a program that, when calling the stub function, continues execution only after waiting a specific time.
It should be noted that the virtual machine executing the sample program and the virtual machine that needs to adjust the stub function parameter may be the same virtual machine or different virtual machines.
In addition to extracting the stub function related to system-time acquisition behavior and the thread-waiting stub function from the execution record of the sample program as the stub functions to be adjusted, the sample program may be scanned for features to analyze which stub functions of these two kinds it may call, or each function of the real system simulated by the virtual machine may be analyzed, in order to extract the stub function related to system-time acquisition behavior and the thread-waiting stub function.
Step 203, if the stub function to be adjusted includes the stub function related to system-time acquisition behavior, setting the parameter of the stub function in the virtual machine to a target system time variable corresponding to the target program, so that the target program directly acquires the target system time when calling the stub function related to system-time acquisition behavior.
In the above embodiment, for a stub function related to the behavior of obtaining the system time, the stub function may be set to a specific variable. When the target program calls the stub function, the target system time that triggers the program's continue-execution condition is obtained through this variable, so the target program does not obtain the real time of the system but directly obtains the target system time. The target program therefore continues execution without waiting, and the process execution speed is increased.
And step 204, if the stub function needing to be adjusted comprises a thread-waiting stub function, setting the parameter of the thread-waiting stub function in the virtual machine to null, so that the target program does not need to wait and directly continues executing when calling the thread-waiting stub function.
In the above embodiment, for the thread-waiting stub function, the waiting time of the stub function may be set directly to null, so that when the target program calls the stub function an empty function is effectively executed and the target program continues execution without any waiting, which increases the execution speed of the process. Alternatively, the thread-waiting stub function may be set to a very short wait, which also has the effect of increasing the execution speed of the process.
Step 205, executing the target program in the virtual machine, and recording a stub function execution sequence corresponding to the target program according to a calling sequence of the stub function in the virtual machine in the execution process of the target program;
step 206, analyzing the execution characteristics of the target program according to the stub function execution sequence corresponding to the target program;
step 207, comparing the execution characteristics of the target program with malicious execution characteristics and/or security execution characteristics contained in a preset execution characteristic library, and performing virus analysis on the target program.
In steps 205 to 207, once the relevant stub functions in the virtual machine have been configured, the virtual machine can acquire the execution characteristics of the target program faster and more completely, and so perform more effective virus analysis on it. Specifically, the execution characteristics of the target program are obtained while it executes in the virtual machine, and are then matched against a preset execution characteristic library to determine whether the target program contains a virus. First, the stub functions called by the target program are recorded during its execution. Second, the execution characteristics of the target program are analyzed from the recorded stub function calls; this analysis amounts to translating the sequence of stub function calls into corresponding characteristics, for example translating a series of stub function execution codes into a flow description, and the resulting execution characteristics serve as the basis for virus detection. Finally, the execution characteristics of the target program are used to analyze whether it is a virus program, which realizes virus detection based on the virtual machine.
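The following is an added illustration, not code from the patent or from Qianxin: a toy stub-table model of steps 201 to 205 in Python, run once with faithful simulation and once after the adjustment rule. The stub names GetSystemTime and Sleep, the simulated call cost, the target-time skip and the evasive sample program are all assumptions made for the example; in particular the adjusted system-time stub is modelled as a variable that jumps forward on every read, which is one way to realise the "target system time variable" the text describes.

```python
"""Toy model of the stub-parameter adjustment in steps 201 to 205. Constructed
for illustration only: the 'virtual machine' is a table of Python stub methods
over a simulated clock, and 'programs' are Python functions calling those stubs."""
from typing import Callable, Dict, Iterable, List, Optional, Set

Program = Callable[["VirtualMachine"], None]


class TimeBudgetExceeded(Exception):
    """The simulated clock passed the per-program execution time threshold."""


class VirtualMachine:
    CALL_COST = 0.05   # simulated seconds consumed by any stub call (assumption)
    TIME_SKIP = 60.0   # how far the target-time variable jumps per read (assumption)

    def __init__(self, time_threshold: float) -> None:
        self.time_threshold = time_threshold
        self.clock = 0.0                      # simulated system time in seconds
        self.trace: List[str] = []            # stub execution sequence (step 205)
        self.waits: Dict[str, float] = {}     # waiting attributed to each stub
        # Stub parameters; None means 'simulate the real system faithfully'.
        self.sleep_param: Optional[float] = None   # step 204: 0.0 is the null wait
        self.target_time: Optional[float] = None   # step 203: target system time

    def _spend(self, stub: str, seconds: float) -> None:
        self.clock += seconds
        self.waits[stub] = self.waits.get(stub, 0.0) + seconds
        if self.clock > self.time_threshold:
            raise TimeBudgetExceeded(stub)

    def call(self, stub: str) -> None:
        """Any behaviour stub with no wait of its own (file, process, ...)."""
        self.trace.append(stub)
        self._spend(stub, self.CALL_COST)

    def sleep(self, seconds: float) -> None:
        """Thread-waiting stub: waits as requested unless sleep_param overrides."""
        self.trace.append("Sleep")
        wait = seconds if self.sleep_param is None else self.sleep_param
        self._spend("Sleep", self.CALL_COST + wait)

    def get_system_time(self) -> float:
        """System-time stub. Adjusted mode returns the target-time variable, which
        jumps TIME_SKIP forward on each read, so a 'poll until time T' loop exits
        on its next read instead of spinning until the real clock reaches T."""
        self.trace.append("GetSystemTime")
        self._spend("GetSystemTime", self.CALL_COST)
        if self.target_time is None:
            return self.clock
        now = self.target_time
        self.target_time += self.TIME_SKIP
        return now


def run(vm: VirtualMachine, program: Program) -> List[str]:
    """Step 205: execute the program and return the recorded stub sequence,
    cut short if the time threshold is exhausted."""
    try:
        program(vm)
    except TimeBudgetExceeded:
        pass
    return list(vm.trace)


def find_stubs_to_adjust(samples: Iterable[Program], wait_threshold: float = 1.0) -> Set[str]:
    """Steps 201-202: run samples in a faithfully simulating VM and flag the
    stubs that account for at least wait_threshold seconds of waiting."""
    total: Dict[str, float] = {}
    for sample in samples:
        vm = VirtualMachine(time_threshold=float("inf"))  # let samples finish
        run(vm, sample)
        for stub, wait in vm.waits.items():
            total[stub] = total.get(stub, 0.0) + wait
    return {stub for stub, wait in total.items() if wait >= wait_threshold}


def apply_adjustment_rule(vm: VirtualMachine, stubs: Set[str], target_time: float = 1e6) -> None:
    """Steps 203-204: the preset parameter adjustment rule."""
    if "GetSystemTime" in stubs:
        vm.target_time = target_time   # the program reads a target time, not the real one
    if "Sleep" in stubs:
        vm.sleep_param = 0.0           # null wait: the thread continues at once


def evasive_program(vm: VirtualMachine) -> None:
    """Constructed sample: hides its interesting behaviour behind a 5 s sleep
    and a 3 s clock-polling loop, well past a 2 s analysis threshold."""
    vm.call("CreateFile")
    vm.sleep(5.0)
    start = vm.get_system_time()
    while vm.get_system_time() - start < 3.0:
        pass
    vm.call("WriteProcessMemory")
    vm.call("CreateRemoteThread")


def traces_before_and_after(threshold: float = 2.0):
    """(faithful trace, adjusted trace) for the constructed program under one threshold."""
    faithful = run(VirtualMachine(threshold), evasive_program)
    adjusted_vm = VirtualMachine(threshold)
    apply_adjustment_rule(adjusted_vm, find_stubs_to_adjust([evasive_program]))
    return faithful, run(adjusted_vm, evasive_program)
```

With the same 2 s threshold the faithful run stops at the Sleep stub, while the adjusted run records the whole sequence including the behaviour after the waits.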
In step 207 of the embodiment of the present application, virus detection may be implemented in any of the following ways:
Implementation mode A:
step A1, acquiring a preset execution characteristic list, wherein the preset execution characteristic list comprises a preset execution characteristic blacklist;
step A2, querying whether the execution characteristics of the target program belong to the malicious execution characteristics contained in the preset execution characteristic blacklist;
step A3, if the execution characteristics of the target program belong to the malicious execution characteristics, determining that the target program contains a virus;
step A4, if the execution characteristics of the target program do not belong to the malicious execution characteristics, querying whether they belong to the safe execution characteristics contained in the preset execution characteristic whitelist;
step A5, if the execution characteristics of the target program belong to the safe execution characteristics, determining that the target program does not contain a virus;
step A6, if the execution characteristics of the target program do not belong to the safe execution characteristics, marking the target program as a suspicious program and reporting the execution characteristics of the suspicious program to the virus management system, so that the virus management system analyzes whether the suspicious program contains a virus.
In implementation mode A, whether the target program is infected is determined using a preset execution characteristic list that comprises a blacklist and a whitelist: malicious execution characteristics of virus programs are pre-stored in the blacklist, and safe execution characteristics of safe programs are pre-stored in the whitelist. If the execution characteristics of the target program hit neither the blacklist nor the whitelist, the program is judged to be suspicious and is reported to a virus management system for further judgment; the virus management system may specifically be an expert system.
Implementation mode B:
step B1, calculating a virus-report detection value of the target program according to the execution characteristics of the target program and preset per-characteristic virus-report empirical values, wherein the virus-report detection value of the target program is the sum of the preset virus-report empirical values corresponding to the execution characteristics of the target program;
and step B2, determining whether the target program contains a virus according to the relationship between the virus-report detection value of the target program and a preset virus empirical value.
For example, assume that the execution characteristics of the target program are A, B, C and D, with preset execution characteristic virus-report empirical values of 0, 1, 2 and 3 respectively. The virus-report detection value of the target program is then 0+1+2+3 = 6; with a preset virus empirical value range of [5, +∞), the detection value of the target program falls within the virus range, so the program can be determined to contain a virus. The preset virus empirical value is obtained by analyzing a large number of virus samples and safe samples, and is chosen as the partition that best separates the virus-report values of the virus samples from the virus-report values of the safe samples.
On this basis, it may further be determined whether the target program is a safe program or a suspicious program. Specifically, a preset safety empirical value and/or a preset suspicious empirical value may be defined, and step B2 may then be: performing security detection on the target program according to the relationship between the virus-report detection value of the target program and the preset virus empirical value, the preset safety empirical value and the preset suspicious empirical value.
In step B2, whether the target program is a virus program, a safe program or a suspicious program is determined by the empirical value interval in which its virus-report detection value lies.
In addition, if the program is suspicious, it can be reported to the virus management system, which then judges whether the target program is infected; the preset empirical values are adaptively adjusted according to the judgment of the virus management system, which improves the accuracy and efficiency of virus detection.
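An added worked example of step 207, not code from the patent: both implementation modes over a recorded characteristic sequence, plus the partition learning described for the preset virus empirical value. The blacklist and whitelist entries, the safe and suspicious interval bounds, and the treatment of unknown characteristics as contributing 0 are assumptions; the values 0, 1, 2, 3 and the [5, +∞) range are the text's own.

```python
"""Virus analysis over a recorded execution characteristic sequence (step 207):
implementation mode A (blacklist, then whitelist, else suspicious) and
implementation mode B (summed virus-report empirical values). Lists, the safe and
suspicious bounds and unknown-characteristic handling are constructed here."""
from typing import Dict, Iterable, List, Tuple

# Mode A lists (assumed: each entry is a single execution characteristic).
MALICIOUS_FEATURES = {"WriteProcessMemory", "CreateRemoteThread"}  # blacklist
SAFE_FEATURES = {"CreateFile", "ReadFile", "CloseHandle"}           # whitelist

# Mode B: preset virus-report empirical value per characteristic (page example).
EMPIRICAL_VALUES: Dict[str, int] = {"A": 0, "B": 1, "C": 2, "D": 3}
# Intervals [low, high) for each verdict; only the virus bound is from the text.
INTERVALS: Dict[str, Tuple[float, float]] = {
    "safe": (0, 2),                 # assumed preset safety empirical value
    "suspicious": (2, 5),           # assumed preset suspicious empirical value
    "virus": (5, float("inf")),     # page: virus range [5, +inf)
}


def classify_mode_a(features: Iterable[str]) -> str:
    """Steps A1-A6. Interpretation used here: any blacklist hit is a virus; a
    program whose every characteristic is whitelisted is safe; anything else
    is suspicious and would be reported to the virus management system."""
    feats = set(features)
    if feats & MALICIOUS_FEATURES:
        return "virus"          # A2-A3
    if feats and feats <= SAFE_FEATURES:
        return "safe"           # A4-A5
    return "suspicious"         # A6


def virus_report_value(features: Iterable[str],
                       table: Dict[str, int] = EMPIRICAL_VALUES) -> int:
    """Step B1: sum of the preset empirical values of the program's
    characteristics. Unknown characteristics contribute 0 (assumption)."""
    return sum(table.get(f, 0) for f in features)


def classify_mode_b(features: Iterable[str],
                    intervals: Dict[str, Tuple[float, float]] = INTERVALS) -> str:
    """Step B2: verdict by the interval the virus-report value falls into."""
    value = virus_report_value(features)
    for verdict, (low, high) in intervals.items():
        if low <= value < high:
            return verdict
    raise ValueError(f"no interval covers value {value}")


def learn_virus_threshold(virus_values: List[int], safe_values: List[int]) -> int:
    """Choose the virus bound as the partition that best separates the
    virus-report values of virus samples from those of safe samples, as the
    text describes. Candidates are the observed values; on ties the lowest
    candidate with the most correctly separated samples wins (assumption)."""
    best_t, best_correct = 0, -1
    for t in sorted(set(virus_values) | set(safe_values)):
        correct = sum(v >= t for v in virus_values) + sum(s < t for s in safe_values)
        if correct > best_correct:
            best_t, best_correct = t, correct
    return best_t


def adapt_intervals(virus_values: List[int], safe_values: List[int],
                    intervals: Dict[str, Tuple[float, float]] = INTERVALS
                    ) -> Dict[str, Tuple[float, float]]:
    """Re-derive the intervals once the virus management system has judged the
    suspicious samples: the suspicious band ends where the learned virus bound
    begins, and the safe bound is kept unless the virus bound undercuts it."""
    t = learn_virus_threshold(virus_values, safe_values)
    safe_high = min(intervals["safe"][1], t)
    return {"safe": (0, safe_high), "suspicious": (safe_high, t),
            "virus": (t, float("inf"))}
```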
In addition, a virus developer can extend execution time maliciously to compile the virus program by using an execution waiting mode, and can also delay execution time by writing a section of junk instruction to enable the virus program to execute a large number of meaningless processes, so that the execution characteristics obtained by the virtual machine contain a large number of junk characteristics, the acquisition of the meaningful execution characteristics is reduced, and the virus detection efficiency is influenced.
In order to deal with the above viruses, an embodiment of the present application further provides an execution characteristic obtaining method capable of resisting against spam instructions, and specifically, before executing step 205, the method may further include:
Step 1, loading the target program with the virtual machine, wherein the target program contains junk instructions and junk-instruction marks corresponding to them;
Step 2, locating the junk instructions of the target program according to the junk-instruction marks, patching them and clearing them from the target program;
Step 3, executing the target program, with its junk instructions cleared, in the virtual machine.
In steps 1 to 3: when a virtual machine is used to obtain the execution characteristics of a target program for virus detection, an execution time threshold is usually agreed in advance for efficiency, and only the execution characteristics produced within that threshold are extracted. To make it difficult for the virtual machine to obtain the execution characteristics of a virus program, the total execution duration of a program can be prolonged by adding a large number of junk instructions to it; since the maximum execution time the virtual machine grants each program is fixed, it is then difficult to obtain effective execution characteristics from such a program and to detect the virus effectively.
Therefore, in this embodiment, when the virtual machine loads the target program and the target program carries junk-instruction marks, it searches for the junk instructions according to those marks, and after finding a junk-instruction area it patches that area, clearing the junk instructions from the target program. Only the content related to the execution purpose is kept and the unrelated content is cleared, so that the cleared target program produces the same execution result as the original. Finally, the target program with its junk instructions cleared is executed in the virtual machine. Deleting the junk instructions prevents them from prolonging execution, accelerates the target program and exposes more execution characteristics, so that more complete execution characteristics of the target program are obtained, which helps to improve the accuracy of judging whether the target program contains a virus. The embodiment does not need to adjust the execution time threshold: more complete execution characteristics are obtained while the running time stays unchanged, so the efficiency of execution characteristic acquisition is improved.
Specifically, the junk instruction is an instruction which is irrelevant to the execution purpose of the target program and does not affect the execution result after being deleted.
Before step 1 is executed, the junk instructions in the target program are marked. Specifically, the target program is scanned with a junk-instruction scanning engine, which performs feature scanning on the target program according to a preset junk-instruction feature library and marks the junk instructions it finds.
In the above embodiment, junk-instruction features are pre-stored in the junk-instruction feature library of the scanning engine. If a feature of the target program hits one of these pre-stored junk-instruction features, a junk-instruction mark can be placed on the area where the hit occurred, so that when the target program is loaded into the virtual machine the corresponding junk-instruction area can be found by reading the mark and then cleared.
Specifically, junk-instruction features are recognized in sample programs by a junk-instruction expert system, and the junk-instruction feature library is established from the recognized features.
A large number of sample programs are analyzed by virus analysts or a virus analysis intelligent system, and junk instruction features in the sample programs are extracted, so that a junk instruction feature library is established.
Further, as a specific implementation of the method in fig. 1, an embodiment of the present application provides an apparatus for countering a malicious program; as shown in fig. 3, the apparatus includes an adjustment stub function obtaining module 31 and a parameter setting module 32.
The adjustment stub function obtaining module 31 is configured to obtain the stub functions to be adjusted, where the stub functions are related to execution time;
the parameter setting module 32 is configured to set a parameter of a stub function in the virtual machine according to a preset parameter adjustment rule, so that the waiting time is reduced when the target program calls the stub function in the virtual machine.
In a specific application scenario, the stub functions to be adjusted include at least a stub function related to the behavior of acquiring the system time and/or a thread-waiting stub function.
In a specific application scenario, as shown in fig. 4, the parameter setting module 32 specifically includes: a first parameter setting unit 321.
The first parameter setting unit 321 is configured to, if the stub functions to be adjusted include the stub function related to the behavior of acquiring the system time, set the parameter of that stub function in the virtual machine to the target system time variable corresponding to the target program, so that the target program directly obtains the target system time when it calls that stub function.
In a specific application scenario, as shown in fig. 4, the parameter setting module 32 specifically includes: a second parameter setting unit 322.
The second parameter setting unit 322 is configured to, if the stub functions to be adjusted include the thread-waiting stub function, set the parameter of the thread-waiting stub function in the virtual machine to null, so that the target program continues execution directly, without waiting, when it calls the thread-waiting stub function.
In a specific application scenario, as shown in fig. 4, the adjustment stub function obtaining module 31 specifically includes: a sample program execution unit 311 and an adjustment stub function extracting unit 312.
The sample program execution unit 311 is configured to acquire and execute a sample program;
the adjustment stub function extracting unit 312 is configured to extract the execution-waiting behaviors from the execution record generated by the sample program, and to take the stub functions related to those behaviors as the stub functions to be adjusted.
In a specific application scenario, as shown in fig. 4, the apparatus further includes a target program execution module 33.
The target program execution module 33 is configured to execute the target program in the virtual machine, and to record the stub function execution sequence corresponding to the target program according to the order in which the target program calls the stub functions in the virtual machine during execution.
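How the stub-function parameter adjustment described for modules 31 to 33 plays out inside a sandbox, as an added Python example that is not the patent's code: it assumes a hypothetical sandbox in which every API call of the target program lands in a Python stub, with get_system_time standing in for the stub related to acquiring the system time, thread_wait for the thread-waiting stub, and a fixed per-program budget EXEC_BUDGET_SECONDS for the virtual machine's maximum execution time. With default stub parameters the constructed sample program's wait consumes the whole budget and almost no stub calls are recorded; with the wait stub parameter set to null and the time stub returning the target system time variable, the full stub function execution sequence is recorded within the same budget.

```python
"""Stub-function parameter adjustment in a toy sandbox.

Added example, not the patent's or any vendor's code. It assumes a hypothetical
sandbox in which every API the target program uses is a Python stub; the stub
names get_system_time / thread_wait and the execution budget are assumptions.
"""
import time

EXEC_BUDGET_SECONDS = 0.5   # fixed maximum execution time per program (assumed value)
WAIT_RELATED_STUBS = {"get_system_time", "thread_wait"}   # stubs related to execution time


class BudgetExceeded(Exception):
    """Raised when the program's wall-clock budget in the sandbox runs out."""


class Sandbox:
    def __init__(self, wait_stub_null=False, virtual_clock=False):
        self.wait_stub_null = wait_stub_null   # thread-waiting stub parameter set to null
        self.virtual_clock = virtual_clock     # time stub returns the target system time variable
        self.target_time = 1_000_000.0         # target system time variable (assumed start value)
        self.sequence = []                     # stub function execution sequence
        self._start = 0.0

    def _record(self, entry):
        """Append one stub call to the execution sequence, enforcing the budget."""
        if time.monotonic() - self._start > EXEC_BUDGET_SECONDS:
            raise BudgetExceeded
        self.sequence.append(entry)

    def get_system_time(self):
        """Stub related to the behavior of acquiring the system time."""
        self._record("get_system_time")
        return self.target_time if self.virtual_clock else time.monotonic()

    def thread_wait(self, seconds):
        """Thread-waiting stub."""
        self._record(f"thread_wait({seconds})")
        if self.wait_stub_null:
            # Parameter null: no real wait. The target system time variable advances
            # instead, so the program still observes the delay it asked for.
            self.target_time += seconds
        else:
            time.sleep(seconds)

    def api(self, name):
        """Any other stub; its name is one execution characteristic."""
        self._record(name)

    def run(self, program):
        """Execute the target program and return its stub function execution sequence."""
        self.sequence = []
        self._start = time.monotonic()
        try:
            program(self)
        except BudgetExceeded:
            self.sequence.append("<budget exceeded>")
        return list(self.sequence)


def delaying_program(sb):
    """Constructed sample program: it waits longer than the budget, checks that the
    wait really elapsed, and only then performs the calls that reveal its purpose."""
    t0 = sb.get_system_time()
    sb.thread_wait(1.0)
    if sb.get_system_time() - t0 < 1.0:
        sb.api("exit")
        return
    sb.api("open_file")
    sb.api("write_file")
    sb.api("connect_network")


def stubs_to_adjust(sequence):
    """Module 31: pick the execution-waiting stubs out of a sample's execution record."""
    names = {entry.split("(")[0] for entry in sequence}
    return sorted(names & WAIT_RELATED_STUBS)


def run_default(program=delaying_program):
    """Unadjusted stub parameters: the wait really happens."""
    return Sandbox().run(program)


def run_adjusted(program=delaying_program):
    """Adjusted parameters: null wait stub, time stub on the target system time variable."""
    return Sandbox(wait_stub_null=True, virtual_clock=True).run(program)


if __name__ == "__main__":
    print("default :", run_default())
    print("adjusted:", run_adjusted())
    print("to adjust:", stubs_to_adjust(run_default()))
```

The time stub and the wait stub are adjusted together: because the skipped wait advances the target system time variable, a program that compares two time readings still sees a consistent clock, which is why the default run records three entries and the adjusted run records the complete sequence.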
In a specific application scenario, as shown in fig. 4, the apparatus further includes an execution characteristic analysis module 34 and a virus analysis module 35.
An execution characteristic analysis module 34, configured to analyze an execution characteristic of the target program according to the stub function execution sequence corresponding to the target program after recording the stub function execution sequence corresponding to the target program;
the virus analysis module 35 is configured to compare the execution characteristics of the target program with malicious execution characteristics and/or security execution characteristics included in a preset execution characteristic library, and perform virus analysis on the target program.
Specifically, in this embodiment of the present application, the virus analysis module 35 may be further configured to implement each step in the following implementation manners:
the implementation mode A is as follows:
step A1, acquiring a preset execution characteristic list, wherein the preset execution characteristic list comprises a preset execution characteristic blacklist;
step A2, inquiring whether the execution characteristics of the target program belong to malicious execution characteristics contained in a preset execution characteristic blacklist;
step a3, if the execution characteristic of the target program belongs to the malicious execution characteristic, determining that the target program contains a virus.
Step A4, if the execution characteristics of the target program do not belong to the malicious execution characteristics, querying whether the execution characteristics of the target program belong to the safe execution characteristics contained in the preset execution characteristic white list;
step a5, if the execution characteristic of the target program belongs to the safe execution characteristic, determining that the target program does not contain virus.
Step a6, if the execution characteristics of the target program do not belong to the security execution characteristics, the target program is marked as a suspicious program, and the execution characteristics corresponding to the suspicious program are reported to the virus management system, so as to analyze whether the suspicious program contains viruses or not by using the virus management system.
In implementation mode A, whether the target program is infected is determined with a preset execution characteristic list consisting of a blacklist and a whitelist: the malicious execution characteristics of virus programs are pre-stored in the blacklist and the safe execution characteristics of safe programs in the whitelist. If the execution characteristics of the target program hit neither list, the program is judged suspicious and reported to the virus management system for further judgment; the virus management system may specifically be an expert system.
Implementation mode B:
Step B1, calculating a virus-reporting detection value of the target program from its execution characteristics and the preset execution-characteristic virus-reporting empirical values, where the virus-reporting detection value of the target program is the sum of the preset empirical values corresponding to its execution characteristics;
Step B2, determining whether the target program contains a virus according to the relationship between its virus-reporting detection value and a preset virus empirical value.
For example, assuming that the execution characteristics of the target program include A, B, C and D, and that their preset execution-characteristic virus-reporting empirical values are 0, 1, 2 and 3 respectively, the virus-reporting detection value of the target program is 0 + 1 + 2 + 3 = 6. If the preset virus empirical value interval is [5, +∞), the detection value of the target program falls within the virus interval, so it can be determined that the program contains a virus. The preset virus empirical value is obtained by analyzing a large number of virus samples and safe samples, and serves as the partition that best separates the virus-reporting values of virus samples from those of safe samples.
On this basis, it can further be determined whether the target program is a safe program or a suspicious program. Specifically, a preset safe empirical value and/or a preset suspicious empirical value can be defined, and step B2 then becomes: performing security detection on the target program according to the relationship between its virus-reporting detection value and the preset virus empirical value, the preset safe empirical value and the preset suspicious empirical value.
In step B2, the target program is determined to be a virus program, a safe program or a suspicious program according to the empirical value interval in which its virus-reporting detection value lies.
In addition, if the program is suspicious, it can be reported to the virus management system, which judges whether the target program is infected; the preset empirical values are then adaptively adjusted according to the judgment of the virus management system, which improves the accuracy and efficiency of virus detection.
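The two analysis modes of the virus analysis module 35, implementation mode A (steps A1 to A6) and implementation mode B (steps B1 and B2, including the worked example with characteristics A to D), in one added Python example that is not the patent's code. The blacklist and whitelist entries, the empirical values of characteristics other than A to D, and the safe and suspicious interval boundaries are constructed; fit_virus_empirical_value shows one way of deriving the preset virus empirical value from labelled samples as the cut that best separates them, and VirusManagementFeedback the adaptive adjustment from the virus management system's verdicts.

```python
"""Virus analysis of a target program's execution characteristics.

Added example; this is not the patent's code. Mode A uses the preset execution
characteristic blacklist/whitelist (steps A1 to A6); mode B uses the summed
virus-reporting empirical values and the preset empirical intervals (steps B1
and B2). Feature names, weights and interval boundaries are constructed.
"""

# Mode A: preset execution characteristic list (constructed sample entries).
MALICIOUS_FEATURES = {"disable_security_service", "overwrite_boot_sector"}   # blacklist
SAFE_FEATURES = {"read_config", "render_window", "write_log"}                # whitelist


def analyze_by_lists(features):
    """Return 'virus', 'safe' or 'suspicious' from the list lookup.

    Reading assumed here: any blacklisted characteristic is a blacklist hit, while
    the whitelist only clears a program whose characteristics are all whitelisted.
    """
    feats = set(features)
    if feats & MALICIOUS_FEATURES:           # steps A2/A3
        return "virus"
    if feats and feats <= SAFE_FEATURES:     # steps A4/A5
        return "safe"
    return "suspicious"                      # step A6: hand over to the management system


# Mode B: preset execution-characteristic virus-reporting empirical values
# (the page's example: A=0, B=1, C=2, D=3; E is constructed).
FEATURE_EMPIRICAL_VALUES = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4}
VIRUS_EMPIRICAL_VALUE = 5    # virus interval [5, +inf), as in the page's example
SAFE_EMPIRICAL_VALUE = 2     # safe interval [0, 2); [2, 5) is suspicious (constructed)


def detection_value(features, values=FEATURE_EMPIRICAL_VALUES):
    """Step B1: sum of the preset empirical values of the program's characteristics.
    A characteristic with no preset value contributes 0."""
    return sum(values.get(f, 0) for f in features)


def analyze_by_score(features, virus_value=VIRUS_EMPIRICAL_VALUE, safe_value=SAFE_EMPIRICAL_VALUE):
    """Step B2: classify by the empirical interval the detection value falls in."""
    v = detection_value(features)
    if v >= virus_value:
        return "virus"
    if v < safe_value:
        return "safe"
    return "suspicious"


def fit_virus_empirical_value(virus_scores, safe_scores):
    """Derive the preset virus empirical value from labelled samples: the cut t that
    maximises the number of virus samples with score >= t plus safe samples with
    score < t (the partition that best separates the two sets; lowest t on ties)."""
    best_t, best_correct = None, -1
    for t in sorted(set(virus_scores) | set(safe_scores)):
        correct = sum(s >= t for s in virus_scores) + sum(s < t for s in safe_scores)
        if correct > best_correct:
            best_t, best_correct = t, correct
    return best_t


class VirusManagementFeedback:
    """Adaptive adjustment: suspicious programs are reported to the virus management
    system; its verdicts are collected and used to refit the virus empirical value."""

    def __init__(self):
        self.virus_scores, self.safe_scores = [], []

    def report(self, features, verdict_from_management):
        score = detection_value(features)
        bucket = self.virus_scores if verdict_from_management == "virus" else self.safe_scores
        bucket.append(score)

    def adjusted_virus_value(self):
        return fit_virus_empirical_value(self.virus_scores, self.safe_scores)


if __name__ == "__main__":
    sample = ["A", "B", "C", "D"]
    print(detection_value(sample), analyze_by_score(sample))          # 6 virus
    print(analyze_by_lists(["read_config", "overwrite_boot_sector"]))  # virus
    print(fit_virus_empirical_value([6, 7, 5, 9], [0, 1, 3, 2]))       # 5
```

The fitted cut on the constructed sample scores comes out at 5, matching the [5, +∞) interval of the page's example; the feedback class only refits from programs the management system has actually judged, so in practice it would be combined with the original sample sets rather than replace them.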
In addition to prolonging execution time maliciously by making the virus program wait, a virus developer can also delay execution by writing a section of junk instructions that makes the virus program perform a large number of meaningless operations. The execution characteristics obtained by the virtual machine then contain many junk characteristics, fewer meaningful execution characteristics are acquired, and virus detection efficiency suffers.
To deal with such viruses, the countermeasure apparatus for malicious programs according to the embodiment of the present application may further be configured to implement the following steps:
Step 1, loading the target program with the virtual machine, wherein the target program contains junk instructions and junk-instruction marks corresponding to them;
Step 2, locating the junk instructions of the target program according to the junk-instruction marks, patching them and clearing them from the target program;
Step 3, executing the target program, with its junk instructions cleared, in the virtual machine.
In steps 1 to 3: when a virtual machine is used to obtain the execution characteristics of a target program for virus detection, an execution time threshold is usually agreed in advance for efficiency, and only the execution characteristics produced within that threshold are extracted. To make it difficult for the virtual machine to obtain the execution characteristics of a virus program, the total execution duration of a program can be prolonged by adding a large number of junk instructions to it; since the maximum execution time the virtual machine grants each program is fixed, it is then difficult to obtain effective execution characteristics from such a program and to detect the virus effectively.
Therefore, in this embodiment, when the virtual machine loads the target program and the target program carries junk-instruction marks, it searches for the junk instructions according to those marks, and after finding a junk-instruction area it patches that area, clearing the junk instructions from the target program. Only the content related to the execution purpose is kept and the unrelated content is cleared, so that the cleared target program produces the same execution result as the original. Finally, the target program with its junk instructions cleared is executed in the virtual machine. Deleting the junk instructions prevents them from prolonging execution, accelerates the target program and exposes more execution characteristics, so that more complete execution characteristics of the target program are obtained, which helps to improve the accuracy of judging whether the target program contains a virus. The embodiment does not need to adjust the execution time threshold: more complete execution characteristics are obtained while the running time stays unchanged, so the efficiency of execution characteristic acquisition is improved.
Specifically, the junk instruction is an instruction which is irrelevant to the execution purpose of the target program and does not affect the execution result after being deleted.
Before step 1 is executed, the junk instructions in the target program must be marked. Specifically, the countermeasure apparatus for malicious programs according to the embodiment may be further configured to scan the target program with a junk-instruction scanning engine and mark its junk instructions, where the scanning engine performs feature scanning on the target program according to a preset junk-instruction feature library.
In the above embodiment, junk-instruction features are pre-stored in the junk-instruction feature library of the scanning engine. If a feature of the target program hits one of these pre-stored junk-instruction features, a junk-instruction mark can be placed on the area where the hit occurred, so that when the target program is loaded into the virtual machine the corresponding junk-instruction area can be found by reading the mark and then cleared.
Specifically, the countermeasure apparatus for malicious programs according to the embodiment may be further configured to perform junk-instruction feature recognition on sample programs through a junk-instruction expert system, and to establish the junk-instruction feature library from the recognized features.
A large number of sample programs are analyzed by virus analysts or a virus analysis intelligent system, and junk instruction features in the sample programs are extracted, so that a junk instruction feature library is established.
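Steps 1 to 3 and the scanning engine carried through on a toy bytecode, as an added Python example that is not the patent's code. The instruction set, the junk-instruction feature library JUNK_FEATURE_LIBRARY, the step budget standing in for the virtual machine's fixed maximum execution time, and the sample program are all constructed. scan_junk plays the scanning engine and produces the marks, patch_junk is the loader step that clears the marked areas, and execute is the virtual machine that records API calls as execution characteristics.

```python
"""Junk-instruction marking and clearing before execution in a toy virtual machine.

Added example, not the patent's code. The instruction set, the feature library,
the step budget and the sample program are constructed for illustration.
Instructions are (opcode, operand) tuples; operand is None when absent.
"""

ANY = object()   # wildcard operand inside a junk-instruction feature

# Preset junk-instruction feature library (constructed): short instruction sequences
# that leave the program state unchanged and serve no execution purpose.
JUNK_FEATURE_LIBRARY = [
    [("nop", None)],
    [("push", ANY), ("pop", None)],      # value pushed and immediately discarded
    [("add", 0)],                         # add immediate zero
    [("inc", None), ("dec", None)],       # increment cancelled by decrement
]


def _matches(instruction, pattern):
    opcode, operand = instruction
    p_opcode, p_operand = pattern
    return opcode == p_opcode and (p_operand is ANY or p_operand == operand)


def scan_junk(program, library=JUNK_FEATURE_LIBRARY):
    """Junk-instruction scanning engine: feature-scan the program and return the
    junk-instruction marks as (start, end) index ranges."""
    marks, i = [], 0
    while i < len(program):
        for feature in library:
            window = program[i:i + len(feature)]
            if len(window) == len(feature) and all(_matches(w, p) for w, p in zip(window, feature)):
                marks.append((i, i + len(feature)))
                i += len(feature)
                break
        else:
            i += 1
    return marks


def patch_junk(program, marks):
    """Loader step: locate the marked areas and clear them. The toy instruction set
    has no jumps, so dropping the instructions keeps the program's meaning."""
    cleared = set()
    for start, end in marks:
        cleared.update(range(start, end))
    return [ins for idx, ins in enumerate(program) if idx not in cleared]


def execute(program, step_budget):
    """Toy virtual machine with a fixed maximum execution time (step_budget).
    Returns (execution characteristics = recorded API calls, final stack)."""
    stack, features = [], []
    for step, (opcode, operand) in enumerate(program, start=1):
        if step > step_budget:
            features.append("<time threshold reached>")
            break
        if opcode == "push":
            stack.append(operand)
        elif opcode == "pop":
            stack.pop()
        elif opcode == "add":
            stack[-1] += operand
        elif opcode == "inc":
            stack[-1] += 1
        elif opcode == "dec":
            stack[-1] -= 1
        elif opcode == "call":
            features.append(operand)
        elif opcode == "halt":
            break
        elif opcode != "nop":
            raise ValueError(f"unknown opcode {opcode!r}")
    return features, stack


def build_sample(junk_blocks):
    """Constructed sample program: junk_blocks copies of a junk block precede the
    instructions that reveal what the program actually does."""
    junk = [("nop", None), ("push", 7), ("pop", None), ("add", 0), ("inc", None), ("dec", None)]
    real = [("push", 1), ("add", 2), ("call", "open_file"), ("call", "write_file"),
            ("call", "connect_network"), ("halt", None)]
    return [("push", 0)] + junk * junk_blocks + real


def collect_characteristics(program, step_budget):
    """Steps 1 to 3 end to end: scan, patch, then execute the cleared program."""
    return execute(patch_junk(program, scan_junk(program)), step_budget)


if __name__ == "__main__":
    prog = build_sample(50)
    print("raw    :", execute(prog, 100))
    print("cleared:", collect_characteristics(prog, 100))
```

With 50 junk blocks and a budget of 100 steps the raw program reaches the threshold before any API call, while the cleared program exposes all three calls; running the raw program without a budget yields the same characteristics and the same final stack as the cleared one, which is the property the text requires of the cleared target program. A real patcher must keep addresses stable (for example by patching the area with a branch over it) rather than deleting bytes, because real code contains jumps.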
It should be noted that, other corresponding descriptions of the functional units related to the countermeasure device for malicious programs provided in the embodiment of the present application may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described again here.
Based on the above method shown in fig. 1 and fig. 2, correspondingly, an embodiment of the present application further provides a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for countering the malicious program shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like, where the computer device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program to implement the above-described countermeasure method for malicious programs as shown in fig. 1 and 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and so forth. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a bluetooth interface, WI-FI interface), etc.
It will be appreciated by those skilled in the art that the computer device structure provided in this embodiment does not limit the computer device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may further include an operating system and a network communication module. An operating system is a program that manages and maintains the hardware and software resources of a computer device, supporting the operation of information handling programs, as well as other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and other hardware and software in the entity device.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present application can be implemented by software plus a necessary general hardware platform, or by hardware. By setting the parameters of the stub functions related to execution time in the virtual machine, the program execution waiting time is reduced and the target program's execution is accelerated when the virtual machine executes the target program and those stub functions are called. According to the method and apparatus, the virtual machine's maximum program execution time threshold does not need to be adjusted: the program execution waiting time is reduced by setting the stub function parameters, so program execution is faster and more execution characteristics are exposed, virus programs that rely on maliciously extending the program execution waiting time can be effectively countered, and virus detection efficiency and accuracy are improved.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (10)

1. A countermeasure method for a malicious program, comprising:
acquiring a stub function that needs to be adjusted, wherein the stub function is related to execution time;
and setting parameters of the stub function in the virtual machine according to a preset parameter adjustment rule so as to reduce waiting time when the target program calls the stub function in the virtual machine.
2. The method according to claim 1, wherein the stub functions that need to be adjusted comprise at least a stub function related to the behavior of acquiring the system time and/or a thread-waiting stub function.
3. The method according to claim 2, wherein, if the stub functions to be adjusted include the stub function related to the behavior of acquiring the system time, setting parameters of the stub function in the virtual machine according to a preset parameter adjustment rule specifically includes:
and setting parameters of the stub function in the virtual machine as a target system time variable corresponding to the target program, so that the target program directly acquires the target system time when calling the stub function related to the behavior of acquiring the system time.
4. The method according to claim 2, wherein if the stub function to be adjusted includes the thread-waiting stub function, the setting a parameter of the stub function in the virtual machine according to a preset parameter adjustment rule specifically includes:
setting the parameter of the thread waiting stub function in the virtual machine to be null, so that the target program does not need to wait to directly continue execution when calling the thread waiting stub function.
5. The method according to any one of claims 2 to 4, wherein the obtaining of the stub function to be adjusted specifically includes:
obtaining and executing a sample program;
and extracting the behavior of execution waiting in the execution record generated by the sample program, and taking the stub function related to the behavior of execution waiting as the stub function needing to be adjusted.
6. The method according to any one of claims 1 to 4, further comprising:
and executing the target program in the virtual machine, and recording a stub function execution sequence corresponding to the target program according to the calling sequence of the stub functions in the virtual machine in the execution process of the target program.
7. The method of claim 6, wherein after recording the execution sequence of the stub function corresponding to the target program, the method further comprises:
analyzing the execution characteristics of the target program according to the stub function execution sequence corresponding to the target program;
and comparing the execution characteristics of the target program with malicious execution characteristics and/or safety execution characteristics contained in a preset execution characteristic library, and performing virus analysis on the target program.
8. A countermeasure apparatus against a malicious program, comprising:
an adjustment stub function obtaining module, configured to obtain a stub function to be adjusted, where the stub function is related to execution time;
and the parameter setting module is used for setting the parameters of the stub function in the virtual machine according to a preset parameter adjustment rule so as to reduce the waiting time when the target program calls the stub function in the virtual machine.
9. A storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements a countermeasure method against a malicious program according to any one of claims 1 to 7.
10. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the countermeasure method for a malicious program according to any one of claims 1 to 7 when executing the program.
CN201910945359.9A 2019-09-30 2019-09-30 Method and device for combating malicious programs, storage medium and computer equipment Active CN112580042B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910945359.9A CN112580042B (en) 2019-09-30 2019-09-30 Method and device for combating malicious programs, storage medium and computer equipment


Publications (2)

Publication Number Publication Date
CN112580042A true CN112580042A (en) 2021-03-30
CN112580042B CN112580042B (en) 2024-02-02

Family

ID=75116697


Country Status (1)

Country Link
CN (1) CN112580042B (en)

CN112580043B (en) Virtual machine-based disinfection method and device, storage medium and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant