CN113254147B - Virtual machine behavior monitoring method and system based on physical address trapping - Google Patents

Virtual machine behavior monitoring method and system based on physical address trapping

Info

Publication number: CN113254147B
Application number: CN202110473606.7A
Authority: CN (China)
Prior art keywords: api, gpa, event, function, data
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113254147A (en)
Inventors: 屈天恒, 郝志宇, 丁振全, 程丰, 李大辉, 陈宇
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Events: application CN202110473606.7A filed by Institute of Information Engineering of CAS; publication of CN113254147A; application granted; publication of CN113254147B; legal status active.

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines; G06F9/45533 Hypervisors; Virtual machine monitors)
    • G06F11/301 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • G06F11/3055 Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
    • G06F2009/45591 Monitoring or debugging support

Abstract

The invention discloses a virtual machine behavior monitoring method and system based on physical address trapping. The method comprises the following steps: 1) the GPA addressing module obtains the guest physical address (GPA) corresponding to an API to be monitored; 2) if the guest frame number (GFN) corresponding to the GPA is already marked, the GPA-to-API mapping is written into the function lookup hash table; otherwise the GFN corresponding to the GPA is first set to an inaccessible state and then the GPA-to-API mapping is written into the function lookup hash table; 3) when the virtual machine calls a monitored API, the current CPU register values are saved and packaged as an event that is placed into an event buffer to await processing; 4) the corresponding API is found from the GPA field of the event, its parameters are restored and stored in a database; 5) the function call data of a process is read from the database to generate the call sequence of that process, which is matched against high-risk sequences to determine the security state of the virtual machine.

Description

Virtual machine behavior monitoring method and system based on physical address trapping
Technical Field
The invention belongs to the field of virtualized security monitoring, and particularly relates to a virtual machine behavior monitoring method and system based on physical address trapping.
Background
Infrastructure as a Service (IaaS) is a type of cloud computing that provides infrastructure services for a wide variety of internet applications. As the technical cornerstone of IaaS, virtualization technology has been widely deployed in data centers and server clusters. A key component of the virtualization platform is the virtual machine monitor (Hypervisor, or VMM layer for short): an intermediate software layer running between the physical server and the operating systems, which maintains and controls physical resources such as CPU, memory and I/O and allows multiple operating systems and applications to share one set of physical hardware. The architecture of the virtualization platform poses new challenges for behavior monitoring and at the same time opens up a new monitoring approach. As a relatively closed network environment, a virtual network built with virtualization technology is widely used by researchers in cutting-edge applications such as protocol analysis, simulation verification and attack-defense exercises, where the goal is to capture all behavior inside the virtual network comprehensively so that the behavior data can be analyzed thoroughly and the analysis accuracy improved. Virtualization behavior monitoring, and host behavior monitoring and analysis in particular, has been a research hotspot ever since virtualization technology came into widespread use. The present invention therefore focuses on fine-grained interception and analysis of host behavior inside a VM.
Behavior monitoring of a virtualized platform is divided into an internal acquisition mode and an external acquisition mode according to where the behavior is collected. In the internal mode, the collection component is deployed inside the VM and intercepts the various behavior actions in the VM through hooking and similar techniques; in the external mode, behavior inside the VM is collected and analyzed from outside the VM. Because the collection component lives inside the VM, the internal mode is easily discovered and disabled by an intruder or by an in-guest anti-virus tool, after which the collection capability is lost. Compared with internal acquisition, the external mode keeps the collection concealed, is not easily tampered with or blinded by intruders or in-guest scanning tools, and is the mainstream research direction at present.
The external acquisition mode can be further divided into active and passive information acquisition according to how VM behavior is collected. In active acquisition the user obtains semantic information from the VM by scanning or polling, in most cases with a snapshot technique or a periodic trigger; in passive acquisition an event trigger is set up, and the relevant VM-internal information is collected only when the corresponding event occurs inside the VM. Active acquisition has coarse monitoring granularity and cannot capture behavior that occurs between two collections; shortening the interval by reducing the polling period or increasing the scan frequency consumes physical server and VM resources and degrades the performance of both. Passive acquisition uses a trigger structure, so the behavior data of interest can be collected more promptly and accurately.
The common methods for monitoring and analyzing VM host behavior at present are: 1) deploying the monitoring means entirely inside the VM operating system or VM kernel mode, in the traditional way; 2) placing hooks in the VM that hand control to the Hypervisor via traps, breakpoints or rollback, so that the Hypervisor drives the hooks to collect VM behavior; 3) monitoring entirely from the hypervisor. In method 1) the monitoring means lives entirely inside the virtual machine, so it is easily tampered with by malware or detected and removed by a scanning tool, which is a serious security risk; method 2) protects the monitoring tool to a certain extent, but part of it still resides inside the virtual machine and the risk remains; method 3) offers the highest security level, but has no association with the virtual machine, so monitoring is difficult and the monitored content is incomplete (generally only system calls can be captured).
Disclosure of Invention
To address the problems of the existing methods, the invention aims to provide a virtual machine behavior monitoring system based on physical address trapping. Since the virtual machine monitor completely controls the access of every virtual machine running on it to hardware resources, the invention monitors user-layer API function call behavior in a way that cannot be perceived from inside the virtual machine. Within the limits of the research background described above, the invention obtains user-layer API function call information from the virtual machine in a passive acquisition mode, places the behavior collection means entirely in the virtual machine monitor layer, obtains detailed host behavior data from the virtual machine by out-of-band monitoring (compensating for the usual incompleteness of out-of-band monitoring data), transmits the collected behavior data to a privileged domain through an event channel mechanism, and lets the behavior analysis means of the privileged domain complete the analysis of host behavior. This reduces the impact on virtual machine performance, ensures that the monitoring data cannot be tampered with, and improves the accuracy and reliability of behavior analysis.
The invention discloses a virtual machine behavior monitoring system based on GPA (guest physical address) trapping, shown in Figure 1, comprising a GPA addressing module, a policy update module, a data acquisition module, a behavior analysis module and a security analysis module. The GPA addressing module is responsible for finding the physical address of the API function to be monitored in memory; the policy update module is mainly responsible for establishing and dynamically maintaining two hash tables, one storing the marked physical addresses in the system and the other storing each GPA and the corresponding API function name; the data acquisition module is mainly responsible for placing each triggered API event into a buffer inside the module to await analysis and processing; the behavior analysis module mainly takes events out of the buffer and parses the call behavior information from the event data; the security analysis module extracts the parsed call behavior information to generate a call sequence and compares it with the sequence data in a high-risk library, from which the security state of the virtual machine can be evaluated.
The technical scheme of the invention is as follows:
a virtual machine behavior monitoring method based on physical address trapping includes the steps:
1) The GPA addressing module obtains the internal process structure of the virtual machine, traverses all dynamic libraries of the corresponding process according to the process structure, obtains the base address at which each dynamic library is loaded in memory, adds the library base address to the offset of the API to be monitored to obtain the guest physical address (GPA) corresponding to the API, and sends the GPA to the policy update module;
2) The policy update module finds the corresponding guest page frame number (GFN) from the received GPA and looks the GFN up in the marked hash table; if the GFN is already marked, it writes the GPA-to-API mapping into the function lookup hash table; otherwise it first sets the GFN corresponding to the GPA to an inaccessible state and then writes the GPA-to-API mapping into the function lookup hash table;
3) When the virtual machine calls an API to be monitored, the virtual machine is trapped in the VMM layer, and the data acquisition module stores the current CPU register value at the moment to form an event which is put into an event buffer zone to wait for processing;
4) The behavior analysis module reads an event from the event buffer, finds a corresponding API from the function lookup hash table according to GPA fields of the event content, and restores the API parameters by analyzing the register values and stores the API parameters into the database;
5) The security analysis module reads function call data of a process from the database, generates a call sequence of the process according to the read data, matches the call sequence with a set high-risk sequence, and determines the security state of the virtual machine according to a matching result.
Further, the API function to be monitored is intercepted at the VMM layer; the behavior analysis module and the security analysis module are operated on an application layer.
Further, the policy update module intercepts calls to the monitored API function by setting the memory page containing the execution entry address of that function to inaccessible, and extracts the call information from the resulting trap.
Further, the calling behavior information includes: API call parameters, return values, process information, thread information, call addresses, and dynamic libraries where the APIs reside.
Further, the GPA addressing module obtains the guest physical address GPA corresponding to the API to be monitored as follows:
11) The GPA addressing module reads the configuration file to obtain the registered process and registered dynamic library names;
12) the GPA addressing module traverses the process list of the monitored VM, matches it against the registered process, and enters step 13) if the match succeeds;
13) using the EPROCESS value of the matched process and the process offsets of the operating system, it finds the dynamic library linked list belonging to the process structure, traverses that list, matches it against the registered dynamic library name, and enters step 14) if the match succeeds;
14) it adds the base address of the matched dynamic library to the API offset to obtain the API virtual address, calls the va_to_pa interface to convert the virtual address into a physical address, and thus obtains the GPA corresponding to the API.
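Steps 11) to 14) as an added example in Python (not the patent's own code): the guest process list, module lists, page table and registration config are all constructed here, and a toy va_to_pa that walks a dict stands in for the LibVMI translation the patent calls. The dynamic library base addresses, API offsets and page mappings are invented sample values; only the flow (match process, match library, base + offset, translate) is taken from the text.

```python
# Added example (not the patent's code): simulates the GPA addressing module.
# The process list, module lists and page table below are constructed; in the
# real system they come from the guest's EPROCESS / loader lists via LibVMI.
PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1

# Constructed guest state: process -> loaded modules (name -> base virtual address).
GUEST_PROCESSES = [
    {"pid": 4, "name": "System", "modules": {"ntoskrnl.exe": 0xFFFFF80000400000}},
    {"pid": 1234, "name": "notepad.exe", "modules": {
        "ntdll.dll": 0x7FFA11000000,
        "kernel32.dll": 0x7FFA10F00000,
        "user32.dll": 0x7FFA10C00000}},
]

# Constructed guest page table: virtual page number -> guest physical page number.
GUEST_PAGE_TABLE = {
    0x7FFA10F1A: 0x3C7B,   # the kernel32 page holding the two sample APIs below
    0x7FFA10C05: 0x2A10,   # a user32 page
}

# Constructed registration config: (process, dynamic library, API, offset in library).
REGISTRATIONS = [
    ("notepad.exe", "kernel32.dll", "CreateFileW", 0x1A3C0),
    ("notepad.exe", "kernel32.dll", "WriteFile", 0x1A7D0),
    ("notepad.exe", "user32.dll", "MessageBoxW", 0x5E10),
]


def va_to_pa(page_table, va):
    """Translate a guest VA to a GPA with the toy page table (stands in for va_to_pa)."""
    vpn = va >> PAGE_SHIFT
    if vpn not in page_table:
        raise LookupError(f"page 0x{vpn:x} not present")
    return (page_table[vpn] << PAGE_SHIFT) | (va & PAGE_MASK)


def find_module_base(processes, proc_name, lib_name):
    """Steps 12-13: match the registered process, then walk its module list for the library."""
    for proc in processes:
        if proc["name"].lower() != proc_name.lower():
            continue
        for mod, base in proc["modules"].items():
            if mod.lower() == lib_name.lower():
                return proc["pid"], base
    raise LookupError(f"{lib_name} not loaded in {proc_name}")


def resolve_api_gpas(registrations, processes, page_table):
    """Step 14: base + offset gives the API VA, which va_to_pa turns into the GPA."""
    resolved = {}
    for proc_name, lib_name, api, offset in registrations:
        pid, base = find_module_base(processes, proc_name, lib_name)
        va = base + offset
        resolved[api] = {"pid": pid, "va": va, "gpa": va_to_pa(page_table, va)}
    return resolved


if __name__ == "__main__":
    for api, info in resolve_api_gpas(REGISTRATIONS, GUEST_PROCESSES, GUEST_PAGE_TABLE).items():
        print(f"{api:12s} pid={info['pid']} va=0x{info['va']:x} gpa=0x{info['gpa']:x}")
```

CreateFileW and WriteFile deliberately land on the same 4 KiB page (GFN 0x3C7B), which is the case the policy update step handles with its marked hash table: only the first registration needs to protect the page, and the second reuses the mark.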
Further, the processing flow of the behavior analysis module is as follows:
21) The behavior analysis main thread monitors the event buffer for data; when the buffer holds data it creates a new behavior analysis thread, takes an event out of the event buffer to start analysis, and pauses the virtual machine at the same time;
22) if the event was triggered by the function-call callback, go to step 23); if it was triggered by the return-value callback, go to step 25);
23) obtain the call parameters of the API, restore them, and store the original parameters in an event buffer;
24) read the RSP field of the register snapshot, call the policy update module to mark the RSP value, bind the callback of the current event to the return-value callback, and write the mapping between the current GPA and the API into the function lookup hash table;
25) look the current GPA value up in the function lookup hash table, read the parameters and return value corresponding to the current GPA, and store them in the database.
Further, the event buffer is a ring event buffer. If the remaining space of the ring event buffer is smaller than the space required by the data to be stored, a block of memory is dynamically allocated and added to the ring event buffer, and then the current data is stored into it. When an event read request from the behavior analysis module is received, the corresponding data is searched for in the ring event buffer according to the GPA field of the event data; if matching data exists, it is returned, then cleared from the ring event buffer and its space marked available.
The virtual machine behavior monitoring system based on physical address trapping comprises a GPA addressing module, a policy update module, a data acquisition module, a behavior analysis module and a security analysis module, wherein:
the GPA addressing module is used for obtaining the guest physical address GPA corresponding to the API to be monitored and sending it to the policy update module;
the policy update module is used for establishing and dynamically maintaining two hash tables: the marked hash table stores the marked physical addresses in the system, and the function lookup hash table stores each guest physical address GPA with its corresponding API function name; when a GPA is received, the module finds the corresponding guest page frame number GFN from it and looks the GFN up in the marked hash table; if the GFN is already marked, it writes the GPA-to-API mapping into the function lookup hash table; otherwise it first sets the GFN corresponding to the GPA to an inaccessible state and then writes the GPA-to-API mapping into the function lookup hash table;
the data acquisition module is used for placing the triggered API event into a buffer area;
the behavior analysis module is used for taking out events from the buffer area and analyzing calling behavior information according to event data;
the security analysis module is used for extracting the analyzed calling behavior information to generate a calling sequence of the process, comparing the calling sequence with the set high-risk sequence data, and evaluating the security state of the virtual machine according to the comparison result.
The main content of the invention comprises:
(1) Host behavior interception analysis at user layer
The method intercepts API function calls at the user layer. It finds the base address of the target dynamic library by traversing the dynamic library list of each process, computes the physical address of the API from the library base address and the API offset, and applies access control to that address to intercept calls to the API, for example calls to any function in dynamic libraries such as user32.dll, advapi32.dll or netapi32.dll. The policy update module intercepts calls to the API function by setting the memory page containing the execution entry address of the monitored API to inaccessible, extracts the call information from the resulting trap, and then completes the analysis of the function call information.
(2) Fine-grained call information resolution
The invention analyzes function call behavior in detail: it obtains API call parameters and return values by parsing the data in events, and dynamically obtains a series of fine-grained call information such as process information, thread information, the call address and the calling module (dynamic library), where the calling module is a kernel-side module such as ntdll or a user module such as kernel32 or user32.
(3) Efficient interception mechanism
According to the invention, the name and the number of the API can be intercepted by the GPA addressing module in a self-defined way, the API concerned by the user is intercepted, and other APIs can be normally executed, so that the influence of the monitoring system on the running efficiency of the virtual machine is reduced, and the running efficiency of the virtual machine is ensured.
(4) Dynamic data analysis and processing
The invention establishes a virtual machine security state analysis model, and performs cooperative processing on the monitoring behavior data, thereby obtaining the current security state of the virtual machine. According to the invention, security state analysis can be established for each monitored virtual machine in the Hypervisor layer, and the data obtained by monitoring is compared with the data in the high-risk API library, so that the current security state of the virtual machine is obtained.
The specific steps of the system operation are as follows:
(1) After the system starts, the GPA addressing module obtains a process structure inside the virtual machine, traverses all dynamic libraries of the corresponding process from that structure, obtains the base address at which each dynamic library is loaded in memory, and adds the library base address to the offset of the API to be monitored to obtain the GPA of that API. Library base address + API offset = virtual address of the API in memory; address translation then converts this virtual address into a physical address, which is the physical address of the API in memory.
(2) The policy update module receives the GPA, converts it to the corresponding GFN (guest page frame number) and looks it up in the marked hash table. If the GFN is already marked, it only writes the GPA-to-API mapping into the function lookup hash table; if it is not marked, it first sets the GFN corresponding to the GPA to an inaccessible state and then writes the GPA-to-API mapping into the function lookup hash table.
(3) When the virtual machine calls a monitored API, the access to the page containing the API address, which has been set inaccessible, faults and the virtual machine traps into the VMM (virtual machine monitor); at that moment the data acquisition module saves the current CPU register values, forms an event from them and places it into the event buffer to await processing.
(4) The behavior analysis module continuously reads events from the event buffer and finds the corresponding API by looking up the GPA field of the event in the function lookup hash table built earlier. By reading the CR3 register value and matching it against the process structure information it obtains the process information of the call, such as the process name, process ID and parent process ID; by reading the RIP and RCX register values it reads the value of each parameter in turn, restores the API parameters by combining them with the parameter types, and finally stores the data in the database.
(5) The security analysis module reads the function call data of a process in the database, generates a call sequence of the process, matches the function call sequence with a sequence in the high-risk library, marks the process data with red after hit, and finally evaluates the security state of the virtual machine.
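Step (5) as an added example in Python (not the patent's code): the call records stand in for rows the behavior analysis module would have written to the database, and the high-risk library is a constructed set of ordered API sequences, not the content of the patent's actual library. Matching is in-order subsequence matching with gaps allowed, so harmless calls interleaved with a pattern do not hide it; the text only says "matches the function call sequence with a sequence in the high-risk library", so this matching rule is an assumption.

```python
# Added example (not the patent's code): security analysis over constructed call records.
from collections import defaultdict

# Constructed high-risk library: rule name -> ordered API sequence.
HIGH_RISK_LIBRARY = {
    "remote-thread-injection": ("OpenProcess", "VirtualAllocEx",
                                "WriteProcessMemory", "CreateRemoteThread"),
    "drop-and-execute": ("CreateFileW", "WriteFile", "ShellExecuteW"),
}

# Constructed database rows as the behavior analysis module would store them:
# (timestamp, pid, process name, api).
CALL_RECORDS = [
    (1, 1234, "notepad.exe", "CreateFileW"),
    (2, 4321, "updater.exe", "OpenProcess"),
    (3, 1234, "notepad.exe", "WriteFile"),
    (4, 4321, "updater.exe", "GetLastError"),
    (5, 4321, "updater.exe", "VirtualAllocEx"),
    (6, 1234, "notepad.exe", "CloseHandle"),
    (7, 4321, "updater.exe", "WriteProcessMemory"),
    (8, 4321, "updater.exe", "CreateRemoteThread"),
    (9, 4321, "updater.exe", "CloseHandle"),
]


def build_call_sequences(records):
    """Group rows per process and order them by time ("generates a call sequence")."""
    by_proc = defaultdict(list)
    for _ts, pid, name, api in sorted(records):
        by_proc[(pid, name)].append(api)
    return dict(by_proc)


def match_sequence(pattern, calls):
    """Positions at which `pattern` occurs in order inside `calls` (gaps allowed), else None."""
    positions, j = [], 0
    for i, api in enumerate(calls):
        if j < len(pattern) and api == pattern[j]:
            positions.append(i)
            j += 1
    return positions if j == len(pattern) else None


def evaluate_vm(records, library=HIGH_RISK_LIBRARY):
    """Flag each process whose sequence hits a high-risk rule and derive the VM state."""
    flagged = {}
    for (pid, name), calls in build_call_sequences(records).items():
        hits = {}
        for rule, pattern in library.items():
            pos = match_sequence(pattern, calls)
            if pos is not None:
                hits[rule] = pos
        if hits:
            flagged[pid] = {"process": name, "hits": hits}   # "marked red" in the patent
    state = "high-risk" if flagged else "normal"
    return state, flagged


if __name__ == "__main__":
    state, flagged = evaluate_vm(CALL_RECORDS)
    print(state)
    for pid, info in flagged.items():
        print(pid, info["process"], info["hits"])
```

The matched positions are kept so that the analyst can see which calls produced the hit. A production rule set would normally also bound the distance between matched calls or scope the match to one thread, since an unbounded subsequence match over a long-lived process produces more false positives than the short sequences above suggest.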
The system dynamically receives the detection requirement of the user on the host behavior, asynchronously acquires and analyzes the event information of the host behavior, and has the following advantages compared with the disclosed method:
1) Based on host behavior interception analysis of a user layer, the monitored API function type is improved from a kernel layer to the user layer, the range of monitoring the API function is expanded, the problem of incomplete out-of-band monitoring content is solved, and user layer API call reproduction is realized;
2) Based on fine-grained calling behavior information analysis, a series of fine-grained calling behavior information acquisition such as calling process related information, thread related information, calling addresses, calling modules and the like is provided;
3) The efficient monitoring mechanism is adopted, the functions required by monitoring are customized, no change is caused to the execution of the functions which are not concerned, and the influence on the efficiency of the virtual machine is reduced to the maximum extent;
4) By adopting a mechanism that separates behavior interception from behavior analysis (interception is handled at the VMM layer and data analysis at the application layer; GPA addressing and policy update are already marked in Figure 1), the data acquisition module ensures high security and reliability at the VMM layer, reduces the complexity of behavior analysis and improves its efficiency; in addition, owing to the design of the KVM virtual machine system, the VMM layer has higher privilege than the virtual machine, so the virtual machine cannot discover that it is being monitored;
5) And comparing the intercepted data with the high-risk API library through analysis, so that the safety state of the virtual machine is obtained through analysis.
Drawings
FIG. 1 is a diagram of a virtual machine behavior monitoring system framework based on physical address trapping;
FIG. 2 is a flow chart of GPA addressing;
FIG. 3 is a flowchart of a policy update method;
FIG. 4 is a flow chart of ring event buffer storage;
FIG. 5 is a flow chart of a behavior analysis method;
FIG. 6 is a flow chart of a security analysis method.
Detailed Description
The present invention will be described in detail with reference to specific examples.
The virtual machine behavior monitoring system based on GPA trapping disclosed by the invention consists mainly of five parts: a GPA addressing module, a policy update module, a data acquisition module, a behavior analysis module and a security analysis module.
FIG. 2 shows a flowchart of GPA addressing, and the specific implementation steps of the addressing method are as follows:
(1) The GPA addressing module firstly reads the configuration file of the program to obtain the registration process and the registration dynamic library name.
(2) Traversing a process list of the monitoring VM by utilizing Libvmi, matching the process list with the read registration process, and entering a step 3 if the matching is successful;
(3) Finding a dynamic library linked list to which a process structure belongs according to the EPROCESS value of the successful process and the process offset of the operating system, traversing the dynamic library linked list, matching the list with the read registered dynamic library name, and entering step 4 if the matching is successful;
(4) And adding the current successfully matched dynamic library head address and the API offset address to obtain a corresponding API virtual address, and calling a va_to_pa interface to convert the API virtual address into a physical address to obtain a GPA address corresponding to the API.
FIG. 3 is a flowchart of a policy update module, and the policy update method is implemented as follows:
(1) From the GPA of the API found earlier, call the find-GFN function to obtain the corresponding guest page frame number GFN;
(2) Judging whether the page is marked, if so, turning to the step (3), otherwise, turning to the step (4);
(3) If the current page frame number is marked, writing the API and the corresponding GPA into a hash table for callback use;
(4) Call the access protection function to set the page to an inaccessible state, bind the callback of the event to the function-call callback, and add the page to the marked hash table to indicate that it is marked; then go to step (3).
Fig. 4 shows a flowchart of a method for storing a ring event buffer, and the method for storing a ring event buffer is implemented as follows:
(1) Monitor the ring event buffer in real time;
(2) Judging whether a data request exists, if so, turning to the step 3, otherwise, turning to the step 1;
(3) Judging the type of the data request, if the event is the data storage, turning to the step 4, otherwise turning to the step 7;
(4) Comparing the residual space of the ring-shaped event buffer area with the data space required by the data to be stored, if the residual space is smaller than the required space, turning to the step 5, otherwise turning to the step 6;
(5) Dynamically applying for a section of memory, adding the memory into a ring-shaped event buffer area, increasing the space of the buffer area, and storing the event data;
(6) Analyzing data fields according to the data storage requirement of the ring-shaped event buffer area, storing the data fields into the buffer area, and turning to the step 1;
(7) Searching corresponding data content in the ring-shaped event buffer area according to the content of the GPA field of the event data, and turning to the step 8 if the corresponding data exists; otherwise, returning a data request error, and turning to the step 1;
(8) And returning corresponding data content, cleaning the buffer area, and setting a corresponding data space to be available so as to be capable of continuously storing data, recycling the buffer area, and turning to the step 1.
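The storage flow of Fig. 4 as an added example in Python (not the patent's code). The buffer is modelled as a ring of slots, each holding one constructed (gpa, payload) pair in place of a register snapshot; growth (step (5)) splices a new block of slots into the ring at the write position instead of dropping the event, and a read (steps (7)-(8)) locates the record by GPA, returns it and frees its slot so the space is reused.

```python
# Added example (not the patent's code): slot-based model of the ring event buffer.
class RingEventBuffer:
    def __init__(self, slots=4, grow_by=4):
        self.slots = [None] * slots   # None = free slot
        self.head = 0                 # oldest live event
        self.tail = 0                 # next write position
        self.count = 0                # live events
        self.grow_by = grow_by
        self.grow_events = 0          # how often step (5) ran

    def store(self, gpa, payload):
        """Steps (3)-(6): store an event, growing the ring first if the write slot is taken."""
        if self.slots[self.tail] is not None:
            # Step (5): apply for a new block and insert it at the write position.
            # The ring is full here (tail has caught up with head), so head shifts too.
            self.slots[self.tail:self.tail] = [None] * self.grow_by
            if self.head >= self.tail:
                self.head += self.grow_by
            self.grow_events += 1
        self.slots[self.tail] = (gpa, payload)
        self.tail = (self.tail + 1) % len(self.slots)
        self.count += 1

    def read(self, gpa):
        """Steps (7)-(8): return the oldest event with this GPA and free its slot, else None."""
        n = len(self.slots)
        for k in range(n):
            i = (self.head + k) % n
            if self.slots[i] is not None and self.slots[i][0] == gpa:
                payload = self.slots[i][1]
                self.slots[i] = None
                self.count -= 1
                # Reclaim: move head past freed slots so they become writable again.
                while self.count and self.slots[self.head] is None:
                    self.head = (self.head + 1) % n
                return payload
        return None   # "data request error" in step (7)

    def live(self):
        """Live events in arrival order (oldest first)."""
        n = len(self.slots)
        return [self.slots[(self.head + k) % n] for k in range(n)
                if self.slots[(self.head + k) % n] is not None]


if __name__ == "__main__":
    buf = RingEventBuffer(slots=2, grow_by=2)
    for gpa, payload in [(0x10, "a"), (0x20, "b"), (0x30, "c")]:   # constructed events
        buf.store(gpa, payload)
    print(len(buf.slots), buf.grow_events, buf.read(0x20), buf.live())
```

Because reads are by GPA rather than in arrival order, a freed slot in the middle of the ring stays unusable until head moves past it; the model therefore grows whenever the write position is occupied, which matches the patent's rule of never blocking the data acquisition module on a full buffer at the cost of memory that is only reclaimed as older events are consumed.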
FIG. 5 is a flowchart showing the operation of the behavior analysis module, which is implemented as follows:
(1) The behavior analysis main thread monitors the event buffer; when the buffer has data it creates a new behavior analysis thread, which takes an event out of the buffer, starts the analysis, and suspends the virtual machine;
(2) If the event was triggered by the function-call callback function, go to step (3); if it was triggered by the return-value callback function, go to step (5);
(3) Based on the values of registers such as RIP and RCX, extract the current API call parameters, call the libvmi library to restore the original parameters of the API call, open a buffer to store the original parameters, and wait for the callback to trigger;
(4) Read the RSP register field value (in this design the RSP field value is the physical address where the return value is located, so reading the RSP register value obtains the return value), call the policy update module to mark the RSP field value, bind the callback function of the event as the return-value call function, and write the corresponding relation into the function lookup hash table;
(5) Match the GPA value in the function lookup hash table, read the parameters and return value corresponding to the current GPA, form a JSON string, store it in the database, and finally release the buffer contents;
(6) After the analysis completes, the behavior analysis thread exits directly, and the main thread continues to monitor the data buffer, waiting for the next event to arrive.
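The policy update bookkeeping (the marked hash table keyed by GFN and the function lookup hash table keyed by GPA, from Fig. 3) and the two-phase behavior analysis above (Fig. 5), as one added simulation that is not the patent's or any project's code. It assumes 4 KiB guest pages, takes x64 call arguments from RCX, RDX, R8 and R9, treats the event's RSP field as the GPA of the return slot exactly as the text states, and reads the return value from RAX on the return event (my assumption).

```python
import json

PAGE_SHIFT = 12   # assumption: 4 KiB guest pages, so GFN = GPA >> 12


class TrapMonitor:
    """Policy-update and behavior-analysis bookkeeping (simulation, not the patent's code)."""

    def __init__(self):
        self.marked = set()          # marked hash table: GFNs already set inaccessible
        self.lookup = {}             # function lookup hash table: GPA -> (API name, callback kind)
        self.protect_calls = []      # GFNs handed to the access-protection function
        self.pending = {}            # GPA of the marked return slot -> restored call parameters
        self.database = []           # JSON strings written by the behavior analysis thread

    def mark(self, gpa, api, kind):
        """Fig. 3 steps (2)-(4): protect a page only once, then record GPA -> API for the callback."""
        gfn = gpa >> PAGE_SHIFT
        if gfn not in self.marked:
            self.protect_calls.append(gfn)   # access protection: the page becomes inaccessible
            self.marked.add(gfn)
        self.lookup[gpa] = (api, kind)       # every GPA on the page still gets its own entry

    def handle_event(self, event):
        """Fig. 5 steps (2)-(5) for one event taken from the event buffer."""
        api, kind = self.lookup[event["gpa"]]
        if kind == "call":
            # step (3): restore the parameters from the register snapshot (x64: RCX, RDX, R8, R9)
            params = {"api": api, "pid": event["pid"],
                      "args": [event["rcx"], event["rdx"], event["r8"], event["r9"]]}
            # step (4): mark the slot RSP points at and bind the return-value callback to it
            self.pending[event["rsp"]] = params
            self.mark(event["rsp"], api, "ret")
            return None
        # step (5): match the GPA, join the saved parameters with the return value, store as JSON
        record = self.pending.pop(event["gpa"])
        record["retval"] = event["rax"]      # assumption: return value taken from RAX
        line = json.dumps(record, sort_keys=True)
        self.database.append(line)
        return line
```

Two APIs that live on the same guest page trigger a single access-protection call but two lookup entries, which is the point of keeping the marked table separate from the function table.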
Fig. 6 shows a flowchart of the operation of the security analysis module, which is implemented by the following steps:
(1) Read all call function information of a given process from the database in real time and generate the function call sequence of that process;
(2) Compare the generated function call sequence with the call sequences in the high-risk API library;
(3) If a match succeeds, the virtual machine is considered to have a potential security risk;
(4) If no match succeeds, the sequence is temporarily stored in a buffer; when new call data for the process arrives, the call information is extracted and appended, and the matching is performed again.
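The incremental sequence matching of steps (1) to (4), as an added example that is not the patent's code: each process keeps its call sequence as the buffer, and every new call advances a per-process cursor into each high-risk sequence, so re-matching after new data is O(number of sequences) rather than a rescan. The high-risk library holds one constructed entry, a widely documented process-injection call order, and the match is ordered but allows unrelated calls to interleave (my choice; the patent does not fix the matching rule).

```python
import json
from collections import defaultdict

# Constructed high-risk library: one well-known process-injection call order (illustrative only).
HIGH_RISK = {
    "remote-thread-injection": ["OpenProcess", "VirtualAllocEx",
                                "WriteProcessMemory", "CreateRemoteThread"],
}


class SequenceAnalyzer:
    """Incremental matching of per-process call sequences against high-risk sequences."""

    def __init__(self, library=HIGH_RISK):
        self.library = library
        self.calls = defaultdict(list)       # pid -> call sequence so far (step 4 buffer)
        self.progress = defaultdict(dict)    # pid -> {sequence name: next index to match}

    def feed(self, pid, api):
        """Append one call (step 1) and re-match (step 2); returns names of completed sequences."""
        self.calls[pid].append(api)
        hits = []
        for name, seq in self.library.items():
            i = self.progress[pid].get(name, 0)
            if seq[i] == api:                # ordered match; unrelated calls may interleave
                i += 1
            if i == len(seq):
                hits.append(name)            # step 3: potential security risk for this process
                i = 0                        # restart so a repeated pattern is reported again
            self.progress[pid][name] = i
        return hits

    def scan_database(self, rows):
        """Replay JSON records {"pid": ..., "api": ...} from the database; returns (pid, name) alerts."""
        alerts = []
        for row in rows:
            rec = json.loads(row)
            for name in self.feed(rec["pid"], rec["api"]):
                alerts.append((rec["pid"], name))
        return alerts
```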
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and enhancements can be made to the present invention by those of ordinary skill in the art without departing from the principles of the present invention, and that various substitutions, alterations and modifications are possible without departing from the spirit and scope of the present invention. The invention should not be limited to the embodiments of the present description and the disclosure of the drawings, but the scope of the invention is defined by the claims.

Claims (10)

1. A virtual machine behavior monitoring method based on physical address trapping, comprising the steps of:
1) a GPA addressing module acquires the internal process structure of the virtual machine, traverses all dynamic libraries of the corresponding process according to the process structure, acquires the head address at which each dynamic library is loaded in memory, adds the head address of the dynamic library to the offset address of the API to be monitored to obtain the guest physical address GPA corresponding to the API to be monitored, and sends the GPA to a policy update module;
2) the policy update module finds the corresponding guest page frame number GFN according to the received GPA and searches the marked hash table by the GFN; if the GFN is marked, it writes the corresponding relation between the GPA and the API into the function lookup hash table, otherwise it sets the GFN corresponding to the GPA to the inaccessible state and then writes the corresponding relation between the GPA and the API into the function lookup hash table;
3) when the virtual machine calls an API to be monitored, the virtual machine traps into the VMM layer, and a data acquisition module stores the current CPU register values to form an event, which is put into an event buffer to wait for processing;
4) a behavior analysis module reads an event from the event buffer, finds the corresponding API in the function lookup hash table according to the GPA field of the event content, restores the API parameters by analyzing the register values, and stores the API parameters into a database;
5) a security analysis module reads the function call data of a process from the database, generates the call sequence of the process according to the read data, matches the call sequence with the set high-risk sequences, and determines the security state of the virtual machine according to the matching result.
2. The method of claim 1, wherein the API function to be monitored is intercepted at a VMM layer; the behavior analysis module and the security analysis module are operated on an application layer.
3. A method as claimed in claim 1 or 2, wherein the policy update module intercepts calls to corresponding API functions by setting the memory page of the execution entry address of the API function to be monitored inaccessible and extracts call behaviour information therefrom.
4. The method of claim 3, wherein the calling behavior information comprises: API call parameters, return values, process information, thread information, call addresses, and dynamic libraries where the APIs reside.
5. The method of claim 1, wherein the GPA addressing module obtains the guest physical address GPA corresponding to the API to be monitored as follows:
11) the GPA addressing module reads the configuration file to obtain the registered process and the registered dynamic library names;
12) the GPA addressing module traverses the process list of the monitored VM, matches it against the registered process, and enters step 13) if the match succeeds;
13) according to the EPROCESS value of the matched process and the process offsets of the operating system, it finds the dynamic library linked list belonging to the process structure, traverses that linked list, matches it against the registered dynamic library names read earlier, and enters step 14) if the match succeeds;
14) it adds the head address of the matched dynamic library to the API offset address to obtain the API virtual address, calls the va_to_pa interface to convert the API virtual address into a physical address, and thereby obtains the GPA corresponding to the API.
6. The method according to claim 1 or 5, wherein the processing flow of the behavior analysis module is:
21) the behavior analysis main thread monitors the event buffer; when the event buffer has data it creates a new behavior analysis thread, which takes an event out of the event buffer to start the analysis and at the same time pauses the virtual machine;
22) if the event is triggered by the function-call callback function, go to step 23); if the event is triggered by the return-value callback function, go to step 25);
23) acquire the call parameters of the API, restore them, and store the original parameters into an event buffer;
24) read the register RSP field value, call the policy update module to mark the RSP field value, bind the callback function of the current event as the return-value call function, and write the corresponding relation between the current GPA and the API into the function lookup hash table;
25) match the current GPA value in the function lookup hash table, read the parameters and return value corresponding to the current GPA, and store them into the database.
7. The method of claim 1, wherein the event buffer is a ring event buffer; if the remaining space of the ring event buffer is smaller than the data space required by the data to be stored, a section of memory is dynamically allocated and added to the ring event buffer, and then the current data is stored into the ring event buffer; when an event read request from the behavior analysis module is received, the ring event buffer is searched for the data whose GPA field matches the request, and if such data exists it is returned, the corresponding data in the ring event buffer is cleaned, and the corresponding data space is set to available.
8. A virtual machine behavior monitoring system based on physical address trapping, characterized by comprising a GPA addressing module, a policy update module, a data acquisition module, a behavior analysis module and a security analysis module; wherein
the GPA addressing module is used for acquiring the guest physical address GPA corresponding to the API to be monitored and sending it to the policy update module;
the policy update module is used for establishing and dynamically maintaining two hash tables: the marked hash table stores the marked physical addresses in the system, and the function lookup hash table stores each guest physical address GPA together with the corresponding API function name; when a GPA is received, the module finds the corresponding guest page frame number GFN according to the received GPA and searches the marked hash table by the GFN; if the GFN is marked, it writes the corresponding relation between the GPA and the API into the function lookup hash table, otherwise it sets the GFN corresponding to the GPA to the inaccessible state and then writes the corresponding relation between the GPA and the API into the function lookup hash table;
the data acquisition module is used for placing the triggered API event into a buffer area;
the behavior analysis module is used for taking out events from the buffer area and analyzing calling behavior information according to event data;
the security analysis module is used for extracting the analyzed calling behavior information to generate a calling sequence of the process, comparing the calling sequence with the set high-risk sequence data, and evaluating the security state of the virtual machine according to the comparison result.
9. The system of claim 8, wherein the policy update module intercepts calls of corresponding API functions by setting a memory page of an execution entry address of the API function to be monitored to be inaccessible and extracts call behavior information therefrom; intercepting an API function to be monitored at a VMM layer; the behavior analysis module and the security analysis module are operated on an application layer.
10. The system of claim 8 or 9, wherein the call behavior information comprises: API call parameters, return values, process information, thread information, call addresses, and dynamic libraries where the APIs reside.
CN202110473606.7A 2021-04-29 2021-04-29 Virtual machine behavior monitoring method and system based on physical address trapping Active CN113254147B (en)

Priority application: CN202110473606.7A, priority date 2021-04-29, filing date 2021-04-29, "Virtual machine behavior monitoring method and system based on physical address trapping".

Publications: CN113254147A (2021-08-13); CN113254147B (2024-01-16).

Family ID: 77223478.

Country status: CN, CN113254147B (en).



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant