CN113391874A - Virtual machine detection countermeasure method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113391874A
Authority
CN
China
Prior art keywords
virtual machine
query
characteristic value
function
sample
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010171002.2A
Other languages
Chinese (zh)
Inventor
曹有理
谭昱
沈江波
齐文杰
刘敏
彭宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010171002.2A
Publication of CN113391874A
Legal status: pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors > G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45591 Monitoring or debugging support

Abstract

The application discloses a virtual machine detection countermeasure method, a virtual machine detection countermeasure device, an electronic device and a storage medium. The method comprises: running a sample to be detected; when a query instruction sent by the sample to be detected is received, running the query function corresponding to the query instruction and, while the query function runs, using a corresponding modification program to replace the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value; obtaining a query result from the non-virtual machine characteristic value by using the query function; and returning the query result to the sample to be detected. Because the modification program corresponding to the query function replaces the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value, the sample to be detected cannot conclude from the received query result that the current operating environment is a virtual machine environment. Virtual machine detection in malicious samples can thus be effectively countered, and the situation in which a malicious sample is missed because it identified the current operating environment is avoided.

Description

Virtual machine detection countermeasure method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to a virtual machine detection countermeasure method and apparatus, an electronic device, and a storage medium.
Background
Information technology and internet technology are developing rapidly, and at the same time they bring huge challenges to network security. The presence of malicious samples can cause serious damage to user data and network security. In order to identify the malicious situation of the large number of samples appearing on the network quickly and in a timely manner, static feature scanning is usually combined with a dynamic identification system to identify malicious samples.
At present, in order to avoid being captured by a dynamic identification system, authors often add virtual machine detection code to malicious samples. If the malicious sample finds, when running the virtual machine detection code, that the current operating environment is a virtual machine environment, it performs some false actions or exits directly. It thereby avoids being identified as a malicious sample and avoids subsequent interception by the system. Therefore, to avoid missing the capture of malicious samples, effective countermeasures against virtual machine detection in malicious samples are required.
Disclosure of Invention
In view of this, the present application provides a virtual machine detection countermeasure method and apparatus, an electronic device, and a storage medium, in which a modification program replaces the virtual machine characteristic value obtained by a query function with a non-virtual machine characteristic value, so that a sample to be detected cannot conclude from the received query result that the current operating environment is a virtual machine environment; virtual machine detection in a malicious sample can thus be effectively countered, and the situation in which a malicious sample is missed because it identified the current operating environment is avoided.
To achieve the above object, in one aspect, the present application provides a virtual machine detection countermeasure method, including:
running a sample to be detected;
when an inquiry instruction sent by the sample to be detected is received, operating an inquiry function corresponding to the inquiry instruction, and replacing a virtual machine characteristic value obtained by the inquiry function with a non-virtual machine characteristic value by using a corresponding modification program in the process of operating the inquiry function;
and acquiring a query result according to the characteristic value of the non-virtual machine by using the query function, and returning the query result to the sample to be detected.
In a possible implementation manner, before the running the sample to be detected, the method further includes:
injecting the modification program into the query function.
In another possible implementation manner, the injecting the modification program into the query function includes:
acquiring the address of the query function;
and hooking the modification program into the query function according to the address.
In another possible implementation manner, when the query function is a query function of a retrieval object, replacing, by the corresponding modification program, a virtual machine feature value obtained by the query function with a non-virtual machine feature value includes:
judging whether the query instruction received by the retrieval object query function has the virtual machine characteristic value or not by using the modifying program;
and if the virtual machine characteristic value exists, generating a replacement character string different from the virtual machine characteristic value as the non-virtual machine characteristic value to replace the virtual machine characteristic value.
In another possible implementation manner, when the query function is an enumeration result retrieval function, replacing, by the corresponding modification program, the virtual machine feature value obtained by the query function with a non-virtual machine feature value includes:
acquiring an attribute field corresponding to an attribute value parameter in the process information obtained by the enumeration result retrieval function by using the modification program, and judging whether a preset attribute field exists in the attribute field;
if the preset attribute field exists, acquiring an attribute value corresponding to the preset attribute field;
judging whether the attribute value is the characteristic value of the virtual machine;
and if the characteristic value is the virtual machine characteristic value, generating a replacement character string different from the virtual machine characteristic value as the non-virtual machine characteristic value to replace the virtual machine characteristic value.
In yet another possible implementation manner, the generating a replacement string different from the virtual machine characteristic value as the non-virtual machine characteristic value includes:
generating, as the non-virtual machine characteristic value, a replacement string that is different in prefix and the same in suffix from the virtual machine characteristic value.
In another aspect, the present application provides a virtual machine detection countermeasure apparatus, including:
the sample operation module is used for operating a sample to be detected;
the query function operation module is used for operating a query function corresponding to the query instruction when receiving the query instruction sent by the sample to be detected, replacing the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value by using a corresponding modification program in the process of operating the query function, and obtaining a query result by using the query function according to the non-virtual machine characteristic value;
and the query result returning module is used for returning the query result to the sample to be detected.
In another aspect, the present application further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the virtual machine detection countermeasure method of any of the embodiments of the present application when executing the computer program.
In yet another aspect, the present application further provides a storage medium having stored therein computer-executable instructions, which when loaded and executed by a processor, implement the virtual machine detection countermeasure method according to any embodiment of the present application.
Therefore, in the embodiment of the application, the virtual machine characteristic values encountered during the query performed by the query function invoked by the sample to be detected are replaced with non-virtual machine characteristic values by the modification program, so that the query result finally obtained by the query function contains no data capable of showing that the current operating environment is a virtual machine environment. The sample to be detected then cannot conclude from the received query result that the current operating environment is a virtual machine environment, which bypasses the virtual machine detection of the malicious sample and hides the real identity of the current system. That is, the method effectively counters virtual machine detection in malicious samples, provides reliable support for the subsequent identification of malicious samples, and avoids the situation in which a malicious sample is missed because it identified the current operating environment.
Accordingly, the embodiment of the present application further provides a virtual machine detection countermeasure device, an electronic device, and a storage medium corresponding to the virtual machine detection countermeasure method, which have the above technical effects and are not described herein again.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on the provided drawings without creative efforts.
Fig. 1 is a schematic diagram illustrating a hardware composition framework to which a virtual machine detection countermeasure method according to an embodiment of the present application is applied;
FIG. 2 is a diagram illustrating a hardware composition framework to which another exemplary embodiment of the present invention is applied;
fig. 3 is a flowchart illustrating a virtual machine detection countermeasure method according to an embodiment of the present application;
FIG. 4 is a flowchart illustrating another embodiment of the virtual machine detection countermeasure method according to the present application;
FIG. 5 is a flowchart illustrating a further embodiment of the virtual machine detection countermeasure method according to the present application;
fig. 6 is a schematic diagram illustrating a detection result of a virtual machine according to an embodiment of the present application;
FIG. 7 is a diagram illustrating a prior art virtual machine detection result corresponding to FIG. 6;
FIG. 8 is a schematic diagram illustrating another exemplary virtual machine detection result according to the embodiment of the present application;
FIG. 9 is a diagram illustrating a prior art virtual machine detection result corresponding to FIG. 8;
FIG. 10 is a block diagram illustrating an exemplary configuration of an embodiment of a virtual machine detection countermeasure apparatus according to an embodiment of the present application;
fig. 11 is a block diagram showing a configuration of another embodiment of the virtual machine detection countermeasure apparatus according to the embodiment of the present application.
Detailed Description
The existence of malicious samples poses serious threats to user data security and network security. At present, in order to identify the malicious situation of the large number of samples appearing on a network quickly and in a timely manner, the results of a dynamic identification system are often combined with common static feature scanning. The dynamic identification system simulates a real system environment through a sandbox environment (that is, a virtual machine environment is formed); the sample to be detected runs in the simulated system environment, the sample dynamic behavior generated by its run is captured, and whether the sample is malicious, and its corresponding malicious situation, is judged from that dynamic behavior.
Currently, to prevent a malicious sample they have written from being captured by a dynamic identification system, authors of malicious samples often adopt virtual machine detection technology: virtual machine detection code is added to the malicious sample, and if the malicious sample finds, when running that code, that the current operating environment is a virtual machine environment, it performs some false actions or exits directly. In this way the sample's real behavior is kept from being captured by the dynamic identification system, i.e., the sandbox environment, and identified as malicious, and subsequent interception of the malicious sample by the system is avoided. To solve this technical problem, the embodiment of the application replaces the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value, so that the virtual machine environment of the system is hidden, the virtual machine detection process in the malicious sample is effectively countered, and the situation in which a malicious sample is missed because it identified the current operating environment is avoided.
The sandbox environment may refer to a virtual machine environment, which is created by using a virtual machine technology (e.g., VMware (providing a solution based on a virtual machine)/VirtualBox (an open source virtual machine software), and the like), so that a sample (e.g., an executable file EXE) normally runs in the simulation environment as in a real system, and after the sample runs, the simulation environment may be directly restored without affecting the real system of a user or affecting the real user environment. The samples to be detected may refer to executable files of platforms such as Windows, Linux, Android, or the like, or executable scripts, and daily common files (such as DOCX files, PPT files, XLS files, EML files), or the like. The sample dynamic behavior may refer to the behavior that the sample generates after running on the operating system, and the behavior may be: creating files, deleting files, encrypting files, creating processes, ending processes, accessing a network, downloading other samples, modifying registries, stealing files, stealing system information, and the like. The virtual machine detection technology may refer to a technology for detecting whether a current operating environment is a virtual machine environment, and is often used by a malware developer to detect a system operating environment.
For convenience of understanding, a hardware composition framework to which the scheme corresponding to the virtual machine detection countermeasure method of the present application is applied is described first. Reference may be made to fig. 1 to fig. 2, where fig. 1 is a schematic diagram illustrating a hardware composition framework to which a virtual machine detection countermeasure method according to the present application is applicable.
As can be seen from fig. 1, the hardware composition framework may include an electronic device 10, and the electronic device 10 may include a processor 11, a memory 12, a communication interface 13, an input unit 14, a display 15 and a communication bus 16.
The processor 11, the memory 12, the communication interface 13, the input unit 14 and the display 15 all communicate with each other through a communication bus 16.
In the embodiment of the present application, the processor 11 may be a Central Processing Unit (CPU), an application specific integrated circuit, a digital signal processor, an off-the-shelf programmable gate array, or other programmable logic device. The processor may call a program stored in the memory 12. Specifically, the processor may perform operations performed on the electronic device side in the following embodiments of the virtual machine detection countermeasure method.
The memory 12 is used for storing one or more programs, which may include program codes including computer operation instructions, and in this embodiment, the memory stores at least the programs for implementing the following functions:
running a sample to be detected;
when an inquiry instruction sent by a sample to be detected is received, operating an inquiry function corresponding to the inquiry instruction, and replacing a virtual machine characteristic value obtained by the inquiry function with a non-virtual machine characteristic value by using a corresponding modification program in the process of operating the inquiry function;
and obtaining a query result by using the query function according to the characteristic value of the non-virtual machine, and returning the query result to the sample to be detected.
In one possible implementation, the memory 12 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function (such as a data processing function, etc.), and the like; the storage data area may store data created according to the use of the computer.
In addition, the memory 12 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device or other non-volatile solid-state storage device.
The communication interface 13 may be an interface of a communication module, such as an interface of a GSM module.
The electronic device 10 may also include the input unit 14, the display 15, and the like.
Of course, the structure shown in fig. 1 does not limit the computer device in the embodiment of the present application; in practical applications, the computer device may include more or fewer components than shown in fig. 1, or combine some components.
The electronic device 10 in fig. 1 may be a terminal (e.g., a mobile terminal such as a mobile phone or a tablet computer, or a fixed terminal such as a PC) or a server.
In the embodiment of the present application, the electronic device 10 may receive, over a network through the communication interface 13, a sample to be detected sent by another external device; the sample to be detected can also be obtained through its own input unit 14 (e.g., keyboard, touch screen, voice input device, etc.).
Accordingly, the processor 11 in the electronic device 10 may receive the sample to be detected from the communication interface 13 or the input unit 14 through the communication bus 16, and call the program stored in the memory 12 to run the sample to be detected.
It is to be understood that, in the embodiment of the present application, the number of the electronic devices is not limited, and for example, it may be that two electronic devices cooperate together to complete the virtual machine detection countermeasure function. In one possible scenario, please refer to fig. 2. As can be seen from fig. 2, the hardware composition framework may include: a first electronic device 1 and a second electronic device 2. The first electronic device 1 and the second electronic device 2 are connected in communication through a network 3.
In this embodiment of the application, the hardware structures of the first electronic device 1 and the second electronic device 2 may refer to the electronic device 10 in fig. 1, and it can be understood that in this embodiment, two electronic devices 10 are provided, and perform data interaction between the two electronic devices to implement a virtual machine detection countermeasure function. Further, the form of the network 3 is not limited in this embodiment, for example, the network 3 may be a wireless network (e.g., WIFI, bluetooth, mobile communication network, etc.), or may be a wired network; either a wide area network or a local area network may be used as circumstances warrant.
The first electronic device 1 and the second electronic device 2 may be the same electronic device, for example, both the first electronic device 1 and the second electronic device 2 are terminals (e.g., PCs); or different types of electronic devices, e.g. the first electronic device 1 may be a terminal and the second electronic device 2 may be a server.
The implementation process of the virtual machine detection countermeasure method in the system described with reference to fig. 2 may be: after the first electronic device obtains the sample to be detected, the sample to be detected is sent to the second electronic device through the network. After receiving a sample to be detected, the second electronic device runs the sample to be detected in an established sandbox environment (namely a virtual machine environment), further runs a query function corresponding to the query instruction when receiving the query instruction sent by the sample to be detected, replaces a virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value by using a corresponding modification program in the process of running the query function, and obtains a query result according to the non-virtual machine characteristic value by using the query function; and returning the query result to the sample to be detected. And then the sample to be detected can not obtain the conclusion that the current operation environment is the virtual machine environment according to the received query result, thereby bypassing the virtual machine detection of the malicious sample and achieving the purpose of hiding the real identity of the current system.
With the above in mind, refer to fig. 3, which shows a flowchart of an embodiment of the virtual machine detection countermeasure method according to the present application; the method of this embodiment may include:
S101: run the sample to be detected.
It should be noted that, in the embodiment of the present application, the execution subject of the virtual machine detection countermeasure method is not limited, and may be any electronic device capable of constructing a virtual machine environment. For example, the electronic device may be a terminal (e.g., a PC) or a server. According to the embodiment of the application, a real system environment (namely a virtual machine environment) can be simulated in the electronic equipment through the sandbox environment to serve as a dynamic identification system, and the sample to be detected runs in the simulated system environment. Of course, the embodiment of the present application is not limited to the manner of constructing the virtual machine environment in the electronic device, for example, a secure virtual machine environment may be constructed through virtual machine technology.
It is understood that the embodiment of the present application also does not limit the manner of obtaining the sample to be detected. For example, a sample sent by other electronic equipment can be directly received as a sample to be detected; or receiving a sample transmitted by a user through an input device (such as a USB flash disk) as a sample to be detected; or obtaining a sample to be detected through a sample database; or the electronic device may use a sample obtained by analyzing the network traffic data as a sample to be detected. Of course, the number of samples to be detected is not limited in the embodiments of the present application, and the number may be determined according to an actual application scenario.
The specific content of the sample to be detected is not limited in the embodiment of the application, and the sample to be detected may refer to executable files or executable scripts of platforms such as Windows, Linux, Android, and the like, and daily common files (such as DOCX files, PPT files, XLS files, EML files), and the like.
S102: when a query instruction sent by the sample to be detected is received, run the query function corresponding to the query instruction and, while the query function runs, use the corresponding modification program to replace the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value.
According to the embodiment of the application, the sample to be detected runs in the constructed virtual machine environment, and during its run it can, according to its own needs, call the APIs provided by the system to obtain information about the current operating environment, namely the query result. For example, while running, the sample to be detected can call the system APIs through its virtual machine detection code to traverse the process list, file list, registry and the like of the current system, and then decide from the returned query result whether its current environment is a simulated environment (i.e., a virtual machine environment) or a physical machine environment. If a malicious sample among the samples to be detected concludes in this way that it is in a virtual machine environment, it will try to prevent its real behavior from being captured by the dynamic identification system or sandbox environment, which would lead to it being identified as a malicious sample: it may perform some false actions or exit directly so that it cannot be captured by the dynamic identification system. To avoid this situation, the embodiment of the present application requires that the query result obtained by the sample to be detected contain no data capable of showing that the current operating environment is a virtual machine environment. The sample to be detected then cannot conclude from the received query result that the current operating environment is a virtual machine environment; that is, the embodiment bypasses the virtual machine detection of the malicious sample and hides the real identity of the current system.
Virtual machine detection in the malicious sample can thus be effectively countered, reliable support is provided for the subsequent identification of the malicious sample, and the situation in which a malicious sample is missed because it identified the current operating environment is avoided.
API is the abbreviation of Application Programming Interface, a convention for linking the different components of a software system. A virtual machine environment may refer to a secure simulated environment built through virtual machine technology. A physical machine environment may refer to a system currently running on a real physical device rather than an environment virtualized through virtualization technology.
It should be noted that the embodiments of the present application do not limit the specific content of the query instruction sent by the sample to be detected. The specific content of the query instruction depends on the specific API called by the sample to be detected and on the target object to be queried. Typically, the query instruction contains a query parameter or names a query object. The API called by the sample to be detected is likewise not limited in the embodiments of the present application; it may be a system file query API (such as a Windows file query API), a system process query API (such as a Windows process query API), or a system management specification interface (such as the WMI interface). For example, when the sample to be detected sends a query instruction by calling the WMI interface, the content of the query instruction may be the name of the object to be retrieved (i.e., the query parameter) or the query object to be enumerated (e.g., all processes currently running in the system).
The WMI (Windows Management Instrumentation) interface consists of a set of extensions to the Windows Driver Model; it provides information and notifications through instrumentation components and exposes an operating system interface. WMI is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards of the Distributed Management Task Force (DMTF). WMI allows scripting languages (e.g., VBScript or Windows PowerShell) to manage Microsoft Windows personal computers and servers locally or remotely. Support for system management from command line interfaces and command scripts is also provided by WMIC (an extension tool for WMI).
When the system receives the query instruction sent by the sample to be detected, the query function corresponding to the query instruction is operated, that is, the query function corresponding to the query instruction can be determined according to the parameter content required to be queried by the query instruction. For example, the currently received query instruction is: execute query ("select from win32 process"), then its corresponding query function is the IEnumWbemClassObject:: Next function (i.e., enumeration result retrieval function) under WMI interface. The meaning of the query instruction is to call a function under the WMI interface to query and return all process information in the current system. For another example, the currently received query instruction is: according to the technical scheme, the query function is an IWbemServices function under the WMI interface (namely, a search object query function). The meaning of the query instruction is to call a function under a WMI interface to query and return process information with a process name of vmtools. Exe process is a process existing only in a virtual machine environment, and does not exist in a normal physical machine. Thus, by this feature, the virtual machine environment can be detected.
The embodiment of the application avoids the problem that, during the query process, the query function returns to the sample to be detected, as the query result, data information capable of indicating that the current running environment is a virtual machine environment. Therefore, while the query function runs, the modification program corresponding to the query function is used to replace the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value, so that the query function obtains the query result according to the non-virtual machine characteristic value and the query result does not contain any data information capable of indicating that the current running environment is the virtual machine environment. The sample to be detected therefore cannot conclude from the received query result that the current running environment is the virtual machine environment. That is, the embodiment of the application can bypass the virtual machine detection of the malicious sample, achieve the purpose of hiding the real identity of the current system, and effectively counter the virtual machine detection in the malicious sample.
It should be noted that, in the embodiment of the present application, the content of the virtual machine characteristic value is not limited: any data information that can indicate that the current running environment is a virtual machine environment, or data information that exists only in a virtual machine environment, is a virtual machine characteristic value. For example, the virtual machine characteristic values may include: vmtools.exe, vmacthlp.exe, vboxservice.exe, vboxtrack.exe, virtualbox.exe, vmware.exe, vvmvss.exe, vmtools.exe, vgauthservice.exe, and the like. Therefore, the process by which the modification program determines whether a virtual machine characteristic value exists in the content acquired by the query function may be: the modification program matches all the virtual machine characteristic values against the content acquired by the query function, thereby determines whether the content acquired by the query function contains a virtual machine characteristic value, and replaces the virtual machine characteristic value acquired by the query function, as determined by the matching result, with a non-virtual machine characteristic value.
According to the embodiment of the application, the virtual machine characteristic value is replaced by the modification program corresponding to the query function. That is, the query function and the modification program have a one-to-one correspondence in the embodiment of the present application. The number of query functions that can be called by the sample to be detected is not limited in the embodiment of the present application, and the virtual machine detection countermeasure process may be executed for only one query function or for all of a plurality of query functions. That is, the embodiments of the present application also do not limit the number of modification programs included; the modification programs correspond one-to-one with the query functions, so each query function included in the embodiments of the present application has one modification program corresponding to it.
It can be understood that the main function of the modification program provided in the embodiment of the present application is to replace the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value, so that the query function obtains the query result according to the non-virtual machine characteristic value, and the sample to be detected is thus prevented from determining from the query result that the current system environment is the virtual machine environment. Of course, the embodiment of the present application does not limit the specific content of the modification program, which corresponds to the query mode of its corresponding query function.
For example, when the query function searches for a retrieval object, the content of the modification program is to determine whether a retrieval object containing a virtual machine characteristic value exists in the query instruction received by the query function. If no retrieval object containing a virtual machine characteristic value exists, the query process has no content that the modification program needs to modify, the query process does not expose that the current running environment of the system is the virtual machine environment, and the query function executes normally and returns the query result. If a retrieval object containing a virtual machine characteristic value exists, then in order to prevent the query function from finding the retrieval object, the virtual machine characteristic value contained in the retrieval object needs to be replaced with a non-virtual machine characteristic value, so that the query function queries according to the non-virtual machine characteristic value to obtain the query result. Obviously, the query result will then not show that a retrieval object containing the virtual machine characteristic value exists in the current system, because the retrieval object queried by the query function has been changed. For example, if the current query function is the IWbemServices::ExecQuery function and the current retrieval object is vmtools.exe, then when the IWbemServices::ExecQuery function receives vmtools.exe, the modification program changes vmtools.exe to a retrieval object that is a non-virtual machine characteristic value not present in the system (e.g., 0x9mjy1.exe). It can be seen that the actual query object of the IWbemServices::ExecQuery function is then not vmtools.exe but 0x9mjy1.exe. Of course, the embodiment of the present application does not limit the way in which 0x9mjy1.exe is generated; it may, for example, be generated randomly.
For another example, when the query function is an enumeration result retrieval function, that is, the query result is obtained by traversing the current system, the content of the modification program is to determine whether the query result obtained by the query function contains a query result related to a virtual machine characteristic value. If no query result containing a virtual machine characteristic value exists, the query process has no content that the modification program needs to modify, the query process cannot expose that the current running environment of the system is the virtual machine environment, and the query function executes normally and returns the query result. If a query result containing a virtual machine characteristic value exists, then in order to prevent the query function from returning the query result containing the virtual machine characteristic value to the sample to be detected, the modification program needs to replace the virtual machine characteristic value contained in the query result with a non-virtual machine characteristic value, so that the query function returns the modified query result to the sample to be detected. Obviously, the final query result obtained by the sample to be detected will then not contain any query result carrying a virtual machine characteristic value from the current system. For example, if the current query function is the IEnumWbemClassObject::Next function, the current retrieval object is all the process information in the current system.
Then, the modification program needs to acquire the attribute fields corresponding to the wszName parameter (namely the attribute value parameter) in the process information acquired by the Next function, and judge whether a preset attribute field exists among these attribute fields. If no preset attribute field exists, it is established that all process information obtained by the traversal of the query function does not contain process information capable of proving that the current system is a virtual machine system. If a preset attribute field exists, all process information obtained by the traversal of the query function may contain process information capable of proving that the current system is a virtual machine system, so it is necessary to determine again whether that process information actually contains such process information. Correspondingly, the modification program needs to acquire the attribute value corresponding to the preset attribute field and judge whether the attribute value is a virtual machine characteristic value. If it is not, it is established that all process information obtained by the traversal of the query function does not contain process information capable of proving that the current system is a virtual machine system. If it is, the process information obtained by the traversal of the query function contains process information capable of proving that the current system is a virtual machine system, and a replacement character string different from the virtual machine characteristic value needs to be generated as a non-virtual machine characteristic value to replace the virtual machine characteristic value, so that the query result finally returned to the sample to be detected does not contain any query result carrying a virtual machine characteristic value from the current system.
Of course, the current retrieval object may also be other information in the current system that needs to traverse the query.
In the embodiment of the present application, the placement of the modification program is not limited, as long as the modification program corresponding to the query function can run together with the query function while the query function runs. For example, the modification program may be injected into the query function. Optionally, the embodiment of the present application may inject the modification program into the query function before running the sample to be detected, so that the modification program in the query function is in a runnable state when the sample to be detected starts to run. Of course, the embodiment of the present application does not limit the specific way of injecting the modification program into the query function. For example, the process of injecting the modification program into the query function may include: acquiring the address of the query function; and hooking the modification program into the query function according to the address.
In the embodiment of the present application, the specific manner of obtaining the address of the query function is not limited and depends on the particular query function. For example, when the query function is the IWbemServices::ExecQuery function under the WMI interface, the process of obtaining the address of the IWbemServices::ExecQuery function may include: first, acquiring the address of an IWbemLocator object (namely the initial namespace pointer acquisition interface object); then, using the address of the IWbemLocator object to obtain the address of the IWbemServices object (namely the WMI service access interface object); and finally, acquiring the address of the IWbemServices::ExecQuery function according to the address of the IWbemServices object.
In the embodiment of the present application, the specific manner of hooking the modification program into the query function is not limited; for example, an application programming interface hooking method, that is, the API HOOK (API hooking) method, may be used to hook the modification program into the query function. The API HOOK method is a software development technique that achieves the purpose of modifying the result of a system API by hooking one's own code into the system API code.
It should be noted that, in the embodiment of the present application, the manner of generating the non-virtual machine characteristic value is not limited, as long as a non-virtual machine characteristic value can be obtained. For example, the non-virtual machine characteristic value may be obtained by generating a random character string, by traversing the query objects existing in the current system and then generating a character string different from every query object, or by modifying the value of a character in the virtual machine characteristic value. Of course, the embodiment of the present application also does not limit the specific content of the substituted non-virtual machine characteristic value, as long as the substituted content cannot reveal that the currently running system is a virtual machine environment. For example, the character string corresponding to the non-virtual machine characteristic value may consist entirely of digits, entirely of letters, or of a mixture of digits, letters and symbols.
Furthermore, in order to improve the credibility of the generated non-virtual machine characteristic value and thereby further improve how reliably the system hides the virtual machine environment, the non-virtual machine characteristic value can be given the same suffix content as the virtual machine characteristic value it replaces when it is generated. That is, a replacement character string that differs from the virtual machine characteristic value in its prefix but has the same suffix is generated as the non-virtual machine characteristic value. For example, the virtual machine characteristic value is vmtools.exe while the generated non-virtual machine characteristic value is 0x9mjy1.exe; both have the same suffix, exe.
S103, obtaining a query result according to the characteristic value of the non-virtual machine by using a query function, and returning the query result to the sample to be detected.
According to the embodiment of the application, the query result obtained by the query function according to the non-virtual machine characteristic value is returned to the sample to be detected, and no data information indicating that the current running environment is the virtual machine environment exists in the query result. The sample to be detected therefore cannot conclude from the received query result that the running environment is the virtual machine environment, so the virtual machine detection of the malicious sample is bypassed and the real identity of the current system is hidden. This improves the identification capability of the dynamic identification system and can also improve the subsequent virus identification capability based on malicious samples.
In the embodiment of the application, when the running sample to be detected determines whether the current running environment is the virtual machine environment by determining whether the related environment information it obtained has a virtual machine characteristic value, the application replaces the virtual machine characteristic value involved in the query process of the query function started by the query instruction with a non-virtual machine characteristic value, so that the query function obtains the query result according to the non-virtual machine characteristic value; naturally, the query result obtained by the query function then has no data information indicating that the current running environment is the virtual machine environment. The sample to be detected cannot conclude from the received query result that the running environment is the virtual machine environment, so the virtual machine detection of the malicious sample is bypassed, the real identity of the current system is hidden, and the virtual machine detection in the malicious sample is effectively countered. The method can provide a reliable guarantee for the identification of subsequent malicious samples and avoid malicious samples being missed because they identified the current running environment.
Based on the above embodiments, and because information technology develops continuously, the developers of malicious samples keep updating their virtual machine detection technology. At present, a large number of malicious samples on the network query information such as the process list, the file list and the hardware information list by calling the WMI interface, and then compare the returned query results to judge whether their current running environment is a real physical machine or a virtual machine environment. For this possible situation, the embodiment of the application provides two processes for countering virtual machine detection based on WMI interface interception; referring to fig. 4 and 5, the query function in fig. 4 is the retrieval object query function (IWbemServices::ExecQuery function) under the WMI interface, and the specific execution flow is as follows:
S401, running the sample to be detected.
For details of this step, reference may be made to step S101 in the foregoing embodiment, which is not described herein again.
S402, when a query instruction sent by a sample to be detected is received, operating a retrieval object query function corresponding to the query instruction; the retrieval object query function obtains a query instruction.
In the embodiment of the application, the retrieval object query function determines the query object according to the specific content of the query instruction. For example, when the query instruction is objWMIService.ExecQuery("select * from win32_process where name = 'vmtools.exe'"), the determined query object is vmtools.exe.
S403, judging, by using the modification program, whether a virtual machine characteristic value exists in the query instruction received by the retrieval object query function; if yes, go to step S404; if not, go to step S406.
According to the method and the device, whether a virtual machine characteristic value exists in the query instruction is judged by the modification program; the process can be that the character string corresponding to the query object in the query instruction is matched against all preset virtual machine characteristic values, so as to determine whether a virtual machine characteristic value exists in the query instruction received by the retrieval object query function. The second parameter strQuery (representing the WMI query statement) in the definition of the ExecQuery function contains the query parameter of the received query instruction, namely the query object. Thus, the process may be: the modification program matches the query parameter in strQuery against each of the virtual machine characteristic values in turn, so as to determine whether a virtual machine characteristic value exists in the query instruction received by the retrieval object query function.
It should be noted that, when the sample to be detected calls the WMI interface to perform an object query, this is substantially implemented by calling the IWbemServices::ExecQuery function. Therefore, when virtual machine detection by the sample to be detected is to be countered, the code corresponding to the modification program needs to be hooked into this function, and the modification program then modifies the query parameter in the query instruction according to the actual requirement to achieve the countermeasure. That is, in the embodiment of the present application, a corresponding modification program may be injected into the retrieval object query function. The process may be: acquiring the address of the retrieval object query function; and hooking the modification program into the retrieval object query function according to the address.
The process of obtaining the address of the query function of the retrieval object may be:
obtaining an address of an IWbemLocator object (i.e., an initial namespace pointer obtaining interface object);
acquiring the address of an IWbemServices object (namely a WMI service access interface object) by using the address of the IWbemLocator object;
and acquiring the address of the IWbemServices::ExecQuery function according to the address of the IWbemServices object.
It can be understood that, in order to hook the modification program into the retrieval object query function in the embodiment of the present application, the address of the retrieval object query function needs to be obtained. When obtaining the address of the retrieval object query function, the address of the IWbemLocator object needs to be obtained first, and the embodiment of the present application does not limit the manner of obtaining the address of the IWbemLocator object. For example, the address of the IWbemLocator object may be obtained by calling the CoCreateInstance function or the CoCreateInstanceEx function with specific parameters. CoCreateInstance and CoCreateInstanceEx are function names; they create a COM object using the specified class identifier. The interfaces of the two functions are defined as follows:
(Figure: definitions of the CoCreateInstance and CoCreateInstanceEx interfaces, shown as an image in the original.)
The method of acquiring the address of the IWbemLocator object is specifically described below by taking the CoCreateInstance function as an example. Since the CoCreateInstance function is a standard function of the Windows system, its address can be obtained directly from the function name. Specifically, the CoCreateInstance function may be hooked by using the API HOOK method; when its first parameter rclsid (a unique identifier used to indicate which COM component object is to be obtained) is equal to {0x4590f811,0x1d3a,0x11d0,{0x89,0x1f,0x00,0xaa,0x00,0x4b,0x2e,0x24}} and the function executes successfully, the return value of the last parameter LPVOID ppv can be obtained, and that return value is the address of the IWbemLocator object. Here, a COM component (Component Object Model component) is a software development technology developed by Microsoft Corporation so that software production in the computer industry better conforms to human behavior.
Then, using the address of the IWbemLocator object, the address of the IWbemServices object is obtained by calling the IWbemLocator::ConnectServer function (which connects to the WMI namespace on the specified computer). The corresponding pseudo code may be as follows; its last parameter stores the address of the IWbemServices object.
(Figure: pseudo code for the IWbemLocator::ConnectServer call, shown as an image in the original.)
Finally, according to the address of the IWbemServices object, the address of the object's member function IWbemServices::ExecQuery can be obtained directly, and the modification program corresponding to this function can then be hooked onto the IWbemServices::ExecQuery function.
S404, generating a replacing character string different from the characteristic value of the virtual machine as the characteristic value of the non-virtual machine to replace the characteristic value of the virtual machine.
S405, obtaining a query result according to the characteristic value of the non-virtual machine by using a retrieval object query function, and returning the query result to the sample to be detected.
When a virtual machine characteristic value exists, it indicates that the sample to be detected is performing virtual machine environment detection; in order to counter it, a replacement character string different from the virtual machine characteristic value can be generated as a non-virtual machine characteristic value to replace the virtual machine characteristic value, and the query result obtained by the retrieval object query function according to the non-virtual machine characteristic value is then empty, so the purpose of countering virtual machine detection is achieved.
And S406, acquiring a query result according to the query instruction by using the retrieval object query function, and returning the query result to the sample to be detected.
Through step S406, the embodiment of the application can still perform the normal query function, so the embodiment of the application essentially preserves the original calling function of the WMI interface without affecting the normal running of the sample to be detected.
The query function in fig. 5 is the enumeration result retrieval function (i.e., IEnumWbemClassObject::Next) under the WMI interface, and the specific execution flow is as follows:
S501, running the sample to be detected.
For details of this step, reference may be made to step S101 in the foregoing embodiment, which is not described herein again.
S502, when a query instruction sent by the sample to be detected is received, running an enumeration result retrieval function corresponding to the query instruction, and acquiring process information.
According to the embodiment of the application, all retrieval objects existing in the current system can be obtained through the enumeration result retrieval function. For example, when the query instruction contains a "select * from win32_process" statement, the enumeration result retrieval function can obtain all the process information of the current system.
S503, acquiring the attribute field corresponding to the attribute value parameter in the process information by using the modifying program.
It should be noted that, when the sample to be detected calls the WMI interface to perform an enumeration result retrieval query, this is substantially implemented by calling the IEnumWbemClassObject::Next function. Therefore, when virtual machine detection by the sample to be detected is to be countered, the code corresponding to the modification program needs to be hooked into this function, and the modification program then modifies the query result according to the actual requirement to achieve the countermeasure. That is, in the embodiment of the present application, a corresponding modification program may be injected into the enumeration result retrieval function. The process may be: acquiring the address of the enumeration result retrieval function; and hooking the modification program into the enumeration result retrieval function according to the address.
The process of obtaining the address of the enumeration result retrieval function may be: obtaining the address of an IEnumWbemClassObject object by calling the IWbemServices::ExecQuery function; and obtaining the address of the IEnumWbemClassObject::Next function according to the address of the IEnumWbemClassObject object.
It can be understood that, in the embodiment of the present application, the address of the IWbemServices::ExecQuery function may be obtained as described above. After the address of the IWbemServices::ExecQuery function is obtained, the IWbemServices::ExecQuery function can be called to obtain the address of the IEnumWbemClassObject object (i.e., the Common Information Model object enumeration interface). The corresponding pseudo code may be as follows; its last parameter stores the address of the IEnumWbemClassObject object.
(Figure: pseudo code for the IWbemServices::ExecQuery call, shown as an image in the original.)
Finally, according to the address of the IEnumWbemClassObject object, the address of the member function IEnumWbemClassObject:: Next of the object can be directly obtained, and then the modifying program corresponding to the function can be hooked to the IEnumWbemClassObject:: Next function.
S504, judging whether a preset attribute field exists among the attribute fields; if yes, step S505 is executed; if not, step S508 is executed.
According to the embodiment of the application, the attribute fields are matched against all the preset attribute fields by the modification program, so as to determine whether a preset attribute field exists among the attribute fields. Of course, in the embodiment of the present application, the number and content of the preset attribute fields are not limited, and any attribute field whose attribute value may be a virtual machine characteristic value may be used as a preset attribute field. For example, the preset attribute fields may include: Name, title, CommandLine, Description, ExecutablePath, ProcessName, Path, SMBIOS Domain, SerialNumber.
And S505, acquiring an attribute value corresponding to the preset attribute field.
S506, judging whether the attribute value is a virtual machine characteristic value; if yes, go to step S507, otherwise go to step S508.
In the embodiment of the application, the modification program acquires the attribute value corresponding to the preset attribute field and judges whether the attribute value is a virtual machine characteristic value. The process may be to match the attribute value against all preset virtual machine characteristic values, so as to determine whether the attribute value contains a virtual machine characteristic value. Of course, the embodiment of the present application does not limit the way in which the modification program obtains the attribute value. The first parameter wszName (namely the attribute value parameter, which indicates the attribute value to be acquired) in the definition of IWbemClassObject::Get, where IWbemClassObject::Get is the function for acquiring a specific attribute value, identifies the attribute. Therefore, in the embodiment of the present application, the modification program may obtain the corresponding attribute field in the process information through the wszName parameter. That is, the modification program can determine each attribute field by using the wszName parameter of IWbemClassObject::Get, acquire the corresponding attribute value through the wszName parameter, match the attribute value against all preset virtual machine characteristic values, and thereby determine whether the attribute value contains a virtual machine characteristic value.
And S507, generating a replacement character string different from the characteristic value of the virtual machine as a non-virtual machine characteristic value to replace the characteristic value of the virtual machine, and sending the replaced process information as a query result to the sample to be detected by using an enumeration result retrieval function.
When the virtual machine characteristic value exists, the to-be-detected sample is indicated to be subjected to virtual machine environment detection, and in order to realize countermeasures, a replacement character string different from the virtual machine characteristic value can be generated to serve as a non-virtual machine characteristic value to replace the virtual machine characteristic value. The embodiments of the present application do not limit the alternative modes. For example, the modifier may replace the virtual machine characteristic values with non-virtual machine characteristic values using the IWbemClassObject:: Put function. Wherein, the IWbemClassObject indicates that the Put function is a function for updating or creating a specific attribute value.
And S508, sending the process information acquired in the S502 as a query result to the sample to be detected by using an enumeration result retrieval function.
In the embodiment of the present application, the normal query function can still be implemented through step S508, and therefore, the embodiment of the present application can achieve the effect of basically not affecting the original call function of the WMI interface, and does not affect the normal operation of the sample to be detected.
In the embodiment of the application, the virtual machine detection countermeasure can be realized by using the WMI interface, so that the query function does not have any data information representing that the current running environment is the virtual machine environment in the query result. And the sample to be detected can not obtain the conclusion that the running environment is the virtual machine environment according to the received query result, so that the virtual machine detection of the malicious sample is bypassed, the real identity of the current system is hidden, and the virtual machine detection in the malicious sample is effectively resisted. The method can provide reliable guarantee for the identification of subsequent malicious samples, and avoid the omission of the malicious samples caused by the identification of the current operating environment. The method greatly increases the concealment of the virtual machine environment and improves the identification capability of the dynamic identification system.
For convenience of understanding, an application scenario of the present solution is introduced, and a dynamic authentication system on a server is taken as an application scenario in the following. The virtual machine detection countermeasure method provided by the embodiment of the application is specifically described. After receiving the sample to be detected, the dynamic identification system constructed in the server puts the sample to be detected into a virtual machine environment to run all the samples to be detected, captures the dynamic behavior of the sample generated in the running process of the sample, and judges the malicious degree of the sample according to the captured dynamic behavior of the sample. The virtual machine detection countermeasure method provided in the embodiment of the application can be included in a monitoring module in the dynamic identification system, and aims to hide a virtual machine environment used by the dynamic identification system as much as possible, so that a situation that a running environment detected when a malicious sample runs is a virtual machine environment instead of a real physical machine environment is prevented from being avoided, and capture by the dynamic identification system is avoided.
Case one:
When virtual machine detection code in a running sample to be detected calls IWbemServices::ExecQuery through the WMI interface to query whether a vmtools.exe process exists in the current running system, it sends the query instruction objWMIService.ExecQuery("select * from win32_process where name='vmtools.exe'"). When the system receives the query instruction, the IWbemServices::ExecQuery function runs, but because the modification program has been hooked into IWbemServices::ExecQuery, as soon as that function receives the query instruction the modification program judges that the virtual machine characteristic value vmtools.exe exists in the query instruction received by the retrieval object query function. The modification program therefore randomly generates a replacement character string whose prefix differs from that of the virtual machine characteristic value and whose suffix is the same, uses it as the non-virtual machine characteristic value, and IWbemServices::ExecQuery obtains the query result according to the non-virtual machine characteristic value and returns it to the sample to be detected. Fig. 6 shows the query result obtained by the sample to be detected. Fig. 7 shows, for comparison, the query result obtained by running the same process in a virtual machine system that does not include the modification program.
Case two:
When virtual machine detection code in a running sample to be detected calls IEnumWbemClassObject::Next through the WMI interface to query whether the current running system is a virtual machine environment, it sends the query instruction objWMIService.ExecQuery("select * from win32_process") through the WMI interface. When the system receives the query instruction, it runs the IEnumWbemClassObject::Next function, but since the application has hooked the modification program into IEnumWbemClassObject::Next, when that function obtains the query result the modification program immediately judges that the query result contains the virtual machine characteristic value vmtools.exe. The modification program therefore randomly generates a replacement character string whose prefix differs from that of the virtual machine characteristic value and whose suffix is the same, uses it as the non-virtual machine characteristic value, and replaces vmtools.exe with it. Finally, IEnumWbemClassObject::Next sends the replaced process information as the query result to the sample to be detected. Fig. 8 shows the query result obtained by the sample to be detected. Fig. 9 shows, for comparison, the query result obtained by the same process running in a virtual machine system that does not include the modification program.
It can be seen from the two practical examples that once the functions have been modified by hooking in the system, a sample to be detected runs in the virtual machine environment and, even if it contains virtual machine detection code, cannot successfully detect that the current running environment is a virtual machine environment; the countermeasure against virtual machine detection succeeds. Finally, the log output by the modification program shows that in case one vmtools.exe was replaced by the randomly generated string 0x9mjy1.exe, and in case two vmtools.exe was replaced by the randomly generated string 0wtssamsn.exe. This demonstrates that the virtual machine detection countermeasure method provided by the embodiment of the application can counter the virtual machine detection process in a sample, including virtual machine detection based on the WMI interface.
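The logic of the two cases, as an added example that is not part of the patent or of the applicant's implementation: the C++ below models the modification program's decision steps (the query-instruction check for the retrieval object query function, and steps S504 to S507 for the enumeration result retrieval function) as pure functions over strings, with the WMI hook itself left out so the code runs stand-alone on any platform. The namespace vmhide, the function names onExecQuery, onNext, substituteAll and makeReplacement, the feature values other than vmtools.exe, the restriction of the preset field list to the unambiguous names from the patent, the shared substitute per feature within one call, and the choice to keep the random prefix the same length as the original are all assumptions made here; the query strings and process record are constructed inputs.

```cpp
// Added example: the "modification program" decision logic the patent hooks into
// IWbemServices::ExecQuery (case one) and IEnumWbemClassObject::Next (case two).
// The COM hook itself is not shown; queries and process records are plain strings.
#include <algorithm>
#include <cctype>
#include <map>
#include <random>
#include <string>
#include <vector>

namespace vmhide {

// VM feature values to hide: vmtools.exe is the patent's worked example, the other
// two are constructed additions. Preset fields: the unambiguous names from the patent.
static const std::vector<std::string> kVmFeatureValues = {
    "vmtools.exe", "vmwaretray.exe", "vboxservice.exe"};
static const std::vector<std::string> kPresetFields = {
    "Name", "CommandLine", "Description", "ExecutablePath", "ProcessName", "Path", "SerialNumber"};

inline std::string toLower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Case-insensitive search for any VM feature value inside text (S506); reports which one.
inline bool findVmFeature(const std::string& text, std::string* feature) {
  const std::string lowered = toLower(text);
  for (const std::string& f : kVmFeatureValues)
    if (lowered.find(toLower(f)) != std::string::npos) { *feature = f; return true; }
  return false;
}

// Claim 6: random prefix that differs from the original, suffix (".exe") unchanged.
// Keeping the prefix length equal is a choice made here; the patent's logged
// examples (0x9mjy1.exe, 0wtssamsn.exe) show the length may vary.
inline std::string makeReplacement(const std::string& feature, std::mt19937& rng) {
  static const char kAlphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
  const std::size_t dot = feature.rfind('.');
  const std::string prefix = feature.substr(0, dot);  // npos -> whole string
  const std::string suffix = dot == std::string::npos ? "" : feature.substr(dot);
  std::uniform_int_distribution<int> pick(0, sizeof(kAlphabet) - 2);
  std::string candidate;
  do {
    candidate.clear();
    for (std::size_t i = 0; i < prefix.size(); ++i) candidate += kAlphabet[pick(rng)];
  } while (toLower(candidate) == toLower(prefix));
  return candidate + suffix;
}

// One substitute per feature value within a single hooked call, so a record whose
// Name and ExecutablePath both mention vmtools.exe stays self-consistent after
// rewriting (a design choice added here, not stated in the patent).
using Substitutions = std::map<std::string, std::string>;

inline std::string substituteAll(std::string text, Substitutions& subs, std::mt19937& rng) {
  for (const std::string& feature : kVmFeatureValues) {
    const std::string needle = toLower(feature);
    std::size_t start = 0, pos;
    while ((pos = toLower(text).find(needle, start)) != std::string::npos) {
      auto it = subs.find(feature);
      if (it == subs.end()) it = subs.emplace(feature, makeReplacement(feature, rng)).first;
      text.replace(pos, feature.size(), it->second);
      start = pos + it->second.size();  // resume after the substitute: always terminates
    }
  }
  return text;
}

// Case one: inspect the sample's WQL before the real ExecQuery runs. If it names a
// VM feature value, rewrite it so the result is computed for the substitute.
struct QueryRewrite { std::string query; bool rewritten; Substitutions subs; };

inline QueryRewrite onExecQuery(const std::string& wql, std::mt19937& rng) {
  QueryRewrite r{wql, false, {}};
  std::string feature;
  if (findVmFeature(wql, &feature)) { r.query = substituteAll(wql, r.subs, rng); r.rewritten = true; }
  return r;
}

// Case two, S504-S507: for each field of a record returned by Next, keep only preset
// fields (S504), read the value (S505), test it (S506) and replace it (S507, the
// IWbemClassObject::Put step). Fields outside the preset list are left untouched.
using ProcessRecord = std::map<std::string, std::string>;  // attribute field -> value

inline ProcessRecord onNext(const ProcessRecord& record, std::mt19937& rng) {
  Substitutions subs;
  ProcessRecord out = record;
  for (auto& kv : out) {
    const bool preset = std::any_of(kPresetFields.begin(), kPresetFields.end(),
        [&](const std::string& f) { return toLower(f) == toLower(kv.first); });
    std::string feature;
    if (preset && findVmFeature(kv.second, &feature)) kv.second = substituteAll(kv.second, subs, rng);
  }
  return out;
}

}  // namespace vmhide
```

Feeding onExecQuery the two query instructions from the cases above shows that the filtered query keeps its structure and only the name literal changes, while the unfiltered "select * from win32_process" passes through untouched; feeding onNext a constructed record shows Name and ExecutablePath rewritten with the same substitute. A value sitting in a field outside the preset list is returned unchanged, which is the coverage check to make when populating the preset attribute fields for a given dynamic identification system.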
On the other hand, the embodiment of the application also provides a virtual machine detection countermeasure device. For example, referring to fig. 10, which shows a schematic structural diagram of a virtual machine detection countermeasure apparatus according to an embodiment of the present application, the apparatus of the present embodiment may be applied to a terminal as in the above embodiment, and the apparatus may include:
a sample operation module 110, configured to operate a sample to be detected;
the query function operation module 120 is configured to, when a query instruction sent by the sample to be detected is received, run the query function corresponding to the query instruction, replace, by using the corresponding modification program and during the running of the query function, the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value, and obtain a query result from the non-virtual machine characteristic value by using the query function;
and the query result returning module 130 is used for returning the query result to the sample to be detected.
Optionally, referring to fig. 11, an embodiment of the present application further provides another virtual machine detection countermeasure apparatus, where the apparatus may further include:
an injection module 140 for injecting the modification program in the query function.
Optionally, the injection module 140 may include:
an address acquisition unit for acquiring an address of the query function;
and the hooking unit is used for hooking the modifying program into the query function according to the address.
Optionally, the query function operation module 120 may include:
the first replacing unit is used for judging whether a virtual machine characteristic value exists in a query instruction received by the retrieval object query function or not by utilizing the modifying program when the query function is the retrieval object query function; and when the virtual machine characteristic value exists in the query instruction, generating a replacement character string different from the virtual machine characteristic value as a non-virtual machine characteristic value to replace the virtual machine characteristic value.
Optionally, the query function operation module 120 may include:
the second replacing unit is used for acquiring the attribute field corresponding to the attribute value parameter in the process information obtained by the enumeration result retrieval function by using the modifying program when the query function is the enumeration result retrieval function, and judging whether the attribute field has a preset attribute field; if the preset attribute field exists in the attribute field, acquiring an attribute value corresponding to the preset attribute field; judging whether the attribute value is a virtual machine characteristic value; and when the attribute value is the virtual machine characteristic value, generating a replacement character string different from the virtual machine characteristic value as a non-virtual machine characteristic value to replace the virtual machine characteristic value.
Optionally, the first replacement unit and/or the second replacement unit may include:
and the non-virtual machine characteristic value generating subunit is used for generating, as the non-virtual machine characteristic value, a replacement character string whose prefix differs from the prefix of the virtual machine characteristic value and whose suffix is the same as the suffix of the virtual machine characteristic value.
It should be noted that each module or unit and sub-unit in the virtual machine detection countermeasure apparatus provided in the embodiments of the present application may be applied to the electronic device described above.
In another aspect, an embodiment of the present application further provides an electronic device, which may include a processor and a memory. The relationship between the processor and the memory in the electronic device can be referred to fig. 1.
Wherein the processor of the electronic device is configured to execute the program stored in the memory;
the memory of the electronic device is for storing a program for at least:
running a sample to be detected;
when an inquiry instruction sent by a sample to be detected is received, operating an inquiry function corresponding to the inquiry instruction, and replacing a virtual machine characteristic value obtained by the inquiry function with a non-virtual machine characteristic value by using a corresponding modification program in the process of operating the inquiry function;
and obtaining a query result by using the query function according to the characteristic value of the non-virtual machine, and returning the query result to the sample to be detected.
Of course, the electronic device may further include a communication interface, a display unit, an input device, and the like, which is not limited herein.
On the other hand, the present application further provides a storage medium, in which a computer program is stored, and when the computer program is loaded and executed by a processor, the computer program is used to implement the virtual machine detection countermeasure method described in any one of the above embodiments.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (10)

1. A virtual machine detection countermeasure method, comprising:
running a sample to be detected;
when an inquiry instruction sent by the sample to be detected is received, operating an inquiry function corresponding to the inquiry instruction, and replacing a virtual machine characteristic value obtained by the inquiry function with a non-virtual machine characteristic value by using a corresponding modification program in the process of operating the inquiry function;
and acquiring a query result according to the characteristic value of the non-virtual machine by using the query function, and returning the query result to the sample to be detected.
2. The virtual machine detection countermeasure method of claim 1, further comprising, before the running the sample to be detected:
injecting the modifying program in the query function.
3. The virtual machine detection countermeasure method of claim 2, wherein the injecting the modification program in the query function includes:
acquiring the address of the query function;
and hooking the modifying program into the query function according to the address.
4. The method according to claim 1, wherein, when the query function is a retrieval object query function, replacing the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value by using a corresponding modification program comprises:
judging whether the query instruction received by the retrieval object query function has the virtual machine characteristic value or not by using the modifying program;
and if the virtual machine characteristic value exists, generating a replacement character string different from the virtual machine characteristic value as the non-virtual machine characteristic value to replace the virtual machine characteristic value.
5. The method according to claim 1, wherein, when the query function is an enumeration result retrieval function, replacing the virtual machine feature value obtained by the query function with a non-virtual machine feature value by using a corresponding modification program includes:
acquiring an attribute field corresponding to an attribute value parameter in the process information obtained by the enumeration result retrieval function by using the modification program, and judging whether a preset attribute field exists in the attribute field;
if the preset attribute field exists, acquiring an attribute value corresponding to the preset attribute field;
judging whether the attribute value is the characteristic value of the virtual machine;
and if the characteristic value is the virtual machine characteristic value, generating a replacement character string different from the virtual machine characteristic value as the non-virtual machine characteristic value to replace the virtual machine characteristic value.
6. The virtual machine detection countermeasure method according to claim 4 or 5, wherein the generating a replacement string different from the virtual machine characteristic value as the non-virtual machine characteristic value includes:
generating, as the non-virtual machine characteristic value, a replacement string that is different in prefix and the same in suffix from the virtual machine characteristic value.
7. A virtual machine detection countermeasure apparatus, comprising:
the sample operation module is used for operating a sample to be detected;
the query function operation module is used for operating a query function corresponding to the query instruction when receiving the query instruction sent by the sample to be detected, replacing the virtual machine characteristic value obtained by the query function with a non-virtual machine characteristic value by using a corresponding modification program in the process of operating the query function, and obtaining a query result by using the query function according to the non-virtual machine characteristic value;
and the query result returning module is used for returning the query result to the sample to be detected.
8. The virtual machine detection countermeasure apparatus of claim 7, further comprising:
an injection module for injecting the modification program in the query function.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the virtual machine detection countermeasure method of any of claims 1 to 6 when executing the computer program.
10. A storage medium having stored thereon computer-executable instructions that, when loaded and executed by a processor, implement a virtual machine detection countermeasure method according to any one of claims 1 to 6.
CN202010171002.2A 2020-03-12 2020-03-12 Virtual machine detection countermeasure method and device, electronic equipment and storage medium Pending CN113391874A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010171002.2A CN113391874A (en) 2020-03-12 2020-03-12 Virtual machine detection countermeasure method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010171002.2A CN113391874A (en) 2020-03-12 2020-03-12 Virtual machine detection countermeasure method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113391874A true CN113391874A (en) 2021-09-14

Family

ID=77616618

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010171002.2A Pending CN113391874A (en) 2020-03-12 2020-03-12 Virtual machine detection countermeasure method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113391874A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244795A (en) * 2021-12-16 2022-03-25 北京百度网讯科技有限公司 Information pushing method, device, equipment and medium
CN114417323A (en) * 2022-01-21 2022-04-29 北京飞书科技有限公司 Data reference method, device, equipment and medium
CN114896592A (en) * 2022-03-07 2022-08-12 安芯网盾(北京)科技有限公司 General detection method, device, equipment and storage medium for WMI malicious code

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244795A (en) * 2021-12-16 2022-03-25 北京百度网讯科技有限公司 Information pushing method, device, equipment and medium
CN114244795B (en) * 2021-12-16 2024-02-09 北京百度网讯科技有限公司 Information pushing method, device, equipment and medium
CN114417323A (en) * 2022-01-21 2022-04-29 北京飞书科技有限公司 Data reference method, device, equipment and medium
CN114417323B (en) * 2022-01-21 2023-02-28 北京飞书科技有限公司 Data reference method, device, equipment and medium
CN114896592A (en) * 2022-03-07 2022-08-12 安芯网盾(北京)科技有限公司 General detection method, device, equipment and storage medium for WMI malicious code

Similar Documents

Publication Publication Date Title
Spreitzenbarth et al. Mobile-sandbox: having a deeper look into android applications
US11687645B2 (en) Security control method and computer system
US10528735B2 (en) Malicious code protection for computer systems based on process modification
US11822654B2 (en) System and method for runtime detection, analysis and signature determination of obfuscated malicious code
US20050108562A1 (en) Technique for detecting executable malicious code using a combination of static and dynamic analyses
RU2632163C2 (en) General unpacking of applications for detecting malicious programs
CN108229148B (en) Sandbox unshelling method and sandbox unshelling system based on Android virtual machine
WO2019072008A1 (en) Security scanning method and apparatus for mini program, and electronic device
Shahriar et al. Testing of memory leak in android applications
CN113391874A (en) Virtual machine detection countermeasure method and device, electronic equipment and storage medium
US11176247B2 (en) System and method for container assessment using sandboxing
CN109558207B (en) System and method for forming log for anti-virus scanning of file in virtual machine
CN109388946B (en) Malicious process detection method and device, electronic equipment and storage medium
CN109271789B (en) Malicious process detection method and device, electronic equipment and storage medium
CN113569246A (en) Vulnerability detection method and device, computer equipment and storage medium
Uroz et al. Characteristics and detectability of Windows auto-start extensibility points in memory forensics
US10275595B2 (en) System and method for characterizing malware
Kim et al. {FuzzOrigin}: Detecting {UXSS} vulnerabilities in browsers through origin fuzzing
CN111625296B (en) Method for protecting program by constructing code copy
CN113821297A (en) Simulator and simulation method
US20190102279A1 (en) Generating an instrumented software package and executing an instance thereof
WO2016126206A1 (en) Method for obfuscation of code using return oriented programming
US11914711B2 (en) Systems and methods for automatically generating malware countermeasures
Baird et al. Automated dynamic detection of self-hiding behavior
EP4310707A1 (en) System and method for detecting malicious code by an interpreter in a computing device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination