CN113407940A - Script detection method and device, storage medium and computer equipment - Google Patents
Publication number: CN113407940A (application CN202110689583.3A)
Authority: CN (China)
Prior art keywords: script, main body, current process, body type, authority
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements; G06F21/561: Virus type analysis (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures)
- G06F21/44: Program or device authentication (under G06F21/00 Security arrangements; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
Abstract
The application discloses a script detection method, a script detection device, a storage medium and computer equipment. The method comprises the following steps: acquiring the first subject type of the first subject (the "first main body") that calls the current process, and acquiring the first permission of the parent process of the current process; determining, based on the first subject type and the first permission, whether the current process is in a legal state; and, if the current process is not in a legal state, determining, based on the second permission of the current process, whether the script corresponding to the current process is a malicious script. With this method and device, when a script is executed, whether it is malicious is determined from the calling subject of the current process corresponding to the executed script, the process permission of the parent process of the current process and the process permission of the current process itself, so that an identified malicious script is prevented from continuing to execute and the security of the terminal device is improved.
Description
Technical Field
The present application relates to the field of computer technology, and in particular to a script detection method, an apparatus, a storage medium and a computer device.
Background
A script is an executable file written in a particular descriptive language according to a given format; more specifically, a script is a program that is interpreted at run time rather than compiled. Under the Linux system framework a script can be executed directly as long as its file format is not abnormal, and in the grey and black industry chain an attacker can compromise the security of a terminal device by executing a malicious script, for example to download and install a trojan, monitor user data or occupy system resources. The security of terminal devices built on the Linux system framework (for example devices whose operating system is Linux, Android or HongMeng/HarmonyOS) is therefore poor.
Disclosure of Invention
The application provides a script detection method, a terminal device, a storage medium and a computer device, which address the technical problem of how to improve the security of a terminal device.
In a first aspect, an embodiment of the present application provides a script detection method, where the method includes:
acquiring the first subject type of the first subject that calls the current process, and acquiring the first permission of the parent process of the current process;
determining, based on the first subject type and the first permission, whether the current process is in a legal state;
and, if the current process is not in a legal state, determining, based on the second permission of the current process, whether the script corresponding to the current process is a malicious script.
In a second aspect, an embodiment of the present application provides a script detection method, where the method includes:
acquiring the first subject type of the first subject that calls the current process, and acquiring the second subject type of the second subject that calls the parent process of the current process;
acquiring the first permission of the parent process;
and determining, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
In a third aspect, an embodiment of the present application provides a script detection apparatus, including:
a type acquisition module, configured to acquire the first subject type of the first subject that calls the current process and the first permission of the parent process of the current process;
a state acquisition module, configured to determine, based on the first subject type and the first permission, whether the current process is in a legal state;
and a determining module, configured to determine, if the current process is not in a legal state, whether the script corresponding to the current process is a malicious script based on the second permission of the current process.
In a fourth aspect, an embodiment of the present application provides a script detection apparatus, including:
a type acquisition module, configured to acquire the first subject type of the first subject that calls the current process and the second subject type of the second subject that calls the parent process of the current process;
a permission acquisition module, configured to acquire the first permission of the parent process;
and a determining module, configured to determine, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
In a fifth aspect, embodiments of the present application provide a storage medium storing a computer program, the computer program being adapted to be loaded by a processor and to perform the steps of the above method.
In a sixth aspect, embodiments of the present application provide a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; the processor executes the computer program to implement the steps of the method described above.
In the embodiments of the application, when a script is executed, the terminal device obtains the current process corresponding to the executed script together with the calling subject of the current process and the calling subject of its parent process, and determines from these calling subjects whether the script is malicious, so that an identified malicious script is prevented from continuing to execute and the security of the terminal device is improved.
Drawings
To illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a script detection method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a script detection method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a process for identifying a malicious script according to an embodiment of the present disclosure;
Fig. 4 is a schematic flowchart of a script detection method according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of a script detection method according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of identifying a malicious script according to an embodiment of the present disclosure;
Fig. 7 is a schematic flowchart of a script detection method according to an embodiment of the present application;
Fig. 8 is a schematic flowchart of a script detection method according to an embodiment of the present application;
Fig. 9 is a schematic flowchart of a script detection method according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a script detection apparatus according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a script detection apparatus according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a script detection apparatus according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the features and advantages of the present application more obvious and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims. The flow diagrams depicted in the figures are merely exemplary and need not be performed in the order of the steps shown. For example, some steps are parallel, and there is no strict sequence relationship in logic, so the actual execution sequence is variable. In addition, the terms "first", "second", "third", "fourth", "fifth", "sixth", "seventh", "eighth" are for purposes of distinction only and should not be construed as limiting the present disclosure.
The script detection method and terminal device disclosed in the embodiments of the present application can be applied in the field of information security, for example to malicious-script detection on a smartphone, and also to malicious-script detection on a Linux operating system. The terminal device may include, but is not limited to, an intelligent terminal running a Linux operating system, such as an intelligent interactive tablet, a mobile phone, a personal computer or a notebook computer, or an intelligent terminal whose operating system is built on the Linux framework.
In the embodiments of the application, when a script is executed, the terminal device may obtain the current process corresponding to the executed script together with the calling subject of the current process and the calling subject of its parent process, and determine from these calling subjects whether the script is malicious, so that an identified malicious script is prevented from continuing to execute and the security of the terminal device is improved.
The following describes the script detection method provided in the embodiment of the present application in detail with reference to fig. 1 to 9.
Referring to fig. 1, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 1, the method may include the following steps S101 to S103.
S101, acquire the first subject type of the first subject that calls the current process, and acquire the first permission of the parent process of the current process.
Specifically, a script is a program that is interpreted and executed, and a process is the basic execution entity of a program, that is, an instance of a running program; the whole script is therefore executed by at least one process. The calling subject of a process can be an ordinary user or another subject. An ordinary user is a shell user, that is, a user with shell permission, where shell permission is the permission obtained automatically when the user logs in. Another subject may be an application: for example, an application on the terminal device may call a script directly, or, when an ordinary user calls a script, the parent process of that script may call an application other than itself, and that application may in turn call another process, so that the calling subject of the process called by the application is another subject, namely the application.
When the mobile terminal detects that a process has been created, it takes the created process as the current process, that is, the process being executed, and obtains the process structure of the current process. The process structure contains at least the process name, the PID, the UID and the PID of the parent process. PID (process identification) is the unique identifier of a process; note that after the process terminates, its PID may be reclaimed by the operating system. UID (user identification) is the user identifier: for example, UID 0 denotes the super administrator and UID 2000 denotes a shell user. Accordingly, if the UID is 0, the permission of the corresponding process is the root permission; if the UID is 2000, the permission of the corresponding process is the ordinary-user permission, namely the shell permission.
The subject type of the calling subject of the current process is determined from the process name of the current process: if the process was called by an ordinary user, its process name carries corresponding label information, such as sh. That is, to obtain the subject type of the calling subject of the current process, the name of the current process is obtained first, and then it is determined whether the process name carries the corresponding label information; if the process name carries the label information corresponding to an ordinary user, the first subject type of the first subject calling the current process is ordinary user, and otherwise it is another subject. The parent process of the current process is then determined from the parent PID, the process structure of the parent process is obtained, and the first permission of the parent process is obtained from the UID of the parent process.
S102, determine, based on the first subject type and the first permission, whether the current process is in a legal state.
Specifically, if the current process is in a legal state, it has no malicious behaviour: the current process is a legal process, its calling process is legal, and the script corresponding to the current process is not a malicious script.
S103, if the current process is not in a legal state, determine, based on the second permission of the current process, whether the script corresponding to the current process is a malicious script.
Specifically, if the current process is not in a legal state, it may have malicious behaviour; that is, it is not yet known whether the current process is a legal process or whether its calling process is legal, so it cannot yet be decided on this basis whether the script corresponding to the current process is malicious. The second permission, the permission of the current process itself, is therefore acquired as an additional basis for the decision, and from it it is determined whether the current process is a legal process and whether the corresponding script is a malicious script.
In this embodiment, when a script is executed, whether it is malicious is determined from the calling subject of the current process corresponding to the executed script, the process permission of the parent process of the current process and the process permission of the current process itself, so that an identified malicious script is prevented from continuing to execute and the security of the terminal device is improved.
Referring to fig. 2, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 2, the method may include the following steps S201 to S211.
S201, if an execution instruction for the script is received, detect the file format of the script.
Specifically, the mobile terminal receives the execution instruction, obtains the executed file corresponding to the instruction, and checks the file header of the executed file with a preset function to determine whether the file satisfies a preset format; the same preset function may also determine the file type of the file. The preset function may be do_exec().
S202, if the file format satisfies the preset format, interpret and execute the script with the script interpreter.
Specifically, if the executed file satisfies the preset format and is determined to be a script file, the script file is interpreted and executed by the script interpreter. For example, when the executed file satisfies the preset format, the beginning of its file header is read; if the header starts with "#!", the executed file is a script file.
In this embodiment, whether the file corresponding to the execution instruction is a script, and thus whether it needs to undergo security detection, is determined by detecting its file format, which avoids the erroneous detection results that would arise from applying an unsuitable detection method to other, non-script files.
S203, acquire the device state of the terminal device that executes the script.
Specifically, the device state is either locked or unlocked: the locked state means that the terminal device is in a security-protected state, and the unlocked state means that it is not. When the terminal device is locked, the script detection program is in a protected state and its program code cannot be modified; when the terminal device is unlocked, the script detection program is not protected and its program code can be modified at will, so the script detection program itself is then untrustworthy and cannot serve as the basis for judging whether a script is malicious.
S204, if the device state is the locked state, acquire the first subject type of the first subject that calls the current process, and acquire the first permission of the parent process of the current process.
Specifically, if the device state of the terminal device is the locked state, the first subject type of the first subject calling the current process is obtained, and the first permission of the parent process of the current process is obtained, as described in step S101, which is not repeated here.
In this embodiment, whether to continue detecting the script is decided from the device state of the terminal device, which reduces useless detection.
S205, if the first subject type is ordinary user and the first permission is the root permission, determine that the current process is in a legal state.
Specifically, if the first subject type is ordinary user and the first permission of the parent process of the current process is the root permission, the current process is judged to be in a legal state: it has no malicious behaviour, that is, it is a legal process, its calling process is legal, and the script corresponding to the current process is not a malicious script.
S206, if the first subject type is ordinary user and the first permission is not the root permission, determine that the current process is not in a legal state.
Specifically, if the first subject type is ordinary user and the first permission of the parent process of the current process is not the root permission, the current process is determined not to be in a legal state; that is, it cannot be decided from the root permission alone whether the current process has malicious behaviour or whether its calling process is legal, so further detection information must be acquired.
S207, if the first subject type is not ordinary user, acquire the second subject type of the second subject that calls the parent process.
Specifically, if the first subject type is not ordinary user, the parent process of the current process is determined from the parent PID and the process structure of the parent process is obtained; the process name of the parent process is read from that structure, and it is determined whether the name carries the corresponding label information. If the process name carries the label information corresponding to an ordinary user, the second subject type of the second subject calling the parent process is ordinary user; otherwise it is another subject.
S208, if the second subject type is not ordinary user, determine the group leader process of the process group to which the current process belongs, and acquire the third subject type of the third subject that calls the group leader process.
Specifically, the process structure contains at least the process name, the PID, the UID, the PID of the parent process and the TGID of the group leader process. The group leader process is the first process created when a script is executed; a process group is created at the same time, the first process is added to it, and every process subsequently created from the group leader process belongs to the process group of that group leader. TGID (thread group identification) is the process identifier of the group leader process.
If the second subject type is not ordinary user, the group leader process of the current process is determined from the TGID, the process structure and the process name of the group leader process are obtained, and it is determined whether the process name carries the corresponding label information: if it carries the label information corresponding to an ordinary user, the third subject type of the third subject calling the group leader process is ordinary user; otherwise it is another subject.
S209, if the third subject type is ordinary user, determine that the current process is not in a legal state.
Specifically, if the calling subject of the group leader process is an ordinary user, the current process is determined not to be in a legal state; that is, it cannot be decided from the legal state whether the current process has malicious behaviour or whether its calling process is legal, so further detection information must be acquired.
S210, if the current process is not in a legal state, acquire the second permission of the current process.
Specifically, if the current process is not in a legal state, the UID in the process structure of the current process is obtained, and the second permission of the current process is determined from that UID.
S211, if the second permission of the current process is the ordinary-user permission or the root permission, determine that the script corresponding to the current process is a malicious script.
Specifically, if the second permission is any other permission, detection of the current process ends: the current process is judged to be a legal process, and the script corresponding to the current process is a legal script.
In this embodiment, when a script is executed, whether it is malicious is determined from the calling subject of the current process corresponding to the executed script, the process permission of the parent process of the current process and the process permission of the current process itself, so that an identified malicious script is prevented from continuing to execute and the security of the terminal device is improved. At the same time, whether the current process is in a legal state is determined from the calling subjects of the current process, of its parent process and of the group leader process of its process group, so as to decide whether to continue detecting the current process; no further detection information is acquired when the current process is legal, which improves detection efficiency.
Referring to fig. 3, a flow chart for identifying a malicious script is provided in the embodiment of the present application. As shown in fig. 3, the method may include the following steps S301 to S302.
S301, if the second permission of the current process is the ordinary-user permission, mark the current process as a low-risk process, obtain the process information of the current process, and generate and output a first security event report from that process information.
Specifically, if the second permission is the root permission, the script corresponding to the current process is determined to be a malicious script and its execution is intercepted; for example, the current process and every other process corresponding to the malicious script are terminated and an execution error is returned. At the same time, the current process is marked as a high-risk process, a first security event report is generated from the process information of the high-risk process and the execution status of the corresponding malicious script, and the first security event report is output.
S302, if the second permission of the current process is the root permission, mark the current process as a high-risk process, obtain the process information of the current process, and generate and output a second security event report from that process information.
Specifically, if the second permission is the ordinary-user permission, the script corresponding to the current process is determined to be possibly malicious, that is, the current process carries a certain security risk. Therefore, although the script corresponding to the current process is determined to be malicious, its execution is not intercepted directly and the current process is not terminated; instead, the current process is marked as a low-risk process, a second security event report is generated from the process information of the low-risk process and the execution status of the corresponding script, and the second security event report is output, so that the detection personnel can further determine the risk level of the low-risk process from the security event report and decide whether the script corresponding to the low-risk process is a malicious script.
In this embodiment, whether the corresponding script is malicious is determined from the process permission of the current process, so that an identified malicious script is prevented from continuing to execute, a security event report is output, and the security of the terminal device is improved.
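The decision tree of steps S203 to S211 together with the risk marking of S301 and S302, as an added example that is not code from the patent: it models the checks in user space over a constructed process table. The "sh" label convention and the UID values come from the description above; the table, the function names, and the two branches the description leaves unstated (a parent called by an ordinary user in S207, and a missing parent or group leader record) are assumptions marked in the comments.

```python
"""Added example, not code from the patent: a user-space model of the checks in
steps S203-S211 and S301-S302. From the description: a process called by an
ordinary user carries a label such as "sh" in its name, UID 0 is root and UID
2000 is the shell user. Process table, names and unstated branches are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

ROOT_UID = 0        # UID 0    -> root permission
SHELL_UID = 2000    # UID 2000 -> ordinary (shell) user permission
USER_LABEL = "sh"   # label marking a process called by an ordinary user


class Subject(Enum):
    USER = "ordinary user"
    OTHER = "other subject, e.g. an application"


class Perm(Enum):
    ROOT = "root permission"
    SHELL = "ordinary user permission"
    OTHER = "other permission"


class Verdict(Enum):
    LEGAL = "legal process, detection ends"
    LOW_RISK = "possibly malicious: report only, do not intercept"
    HIGH_RISK = "malicious: intercept (terminate) and report"


@dataclass(frozen=True)
class Proc:
    """Subset of the process structure the method reads."""
    pid: int
    ppid: int   # PID of the parent process
    tgid: int   # PID of the group leader process of its process group
    uid: int
    name: str


def subject_of(p: Proc) -> Subject:
    """Calling subject from the process name: the label marks an ordinary user."""
    return Subject.USER if p.name.split()[:1] == [USER_LABEL] else Subject.OTHER


def perm_of(p: Proc) -> Perm:
    """Process permission from the UID, as stated in the description."""
    if p.uid == ROOT_UID:
        return Perm.ROOT
    return Perm.SHELL if p.uid == SHELL_UID else Perm.OTHER


def is_legal_state(cur: Proc, table: Dict[int, Proc]) -> bool:
    """S204-S209: is the current process in a legal state?"""
    parent = table.get(cur.ppid)
    if parent is None:             # assumption: no parent record -> keep checking
        return False
    if subject_of(cur) is Subject.USER:
        return perm_of(parent) is Perm.ROOT          # S205 / S206
    if subject_of(parent) is Subject.USER:           # S207
        return False               # assumption: branch not stated in the text
    leader = table.get(cur.tgid)                     # S208 / S209
    return leader is not None and subject_of(leader) is not Subject.USER


def event_report(cur: Proc, risk: str) -> dict:
    """Security event report (S301 / S302) built from the process information."""
    return {"pid": cur.pid, "ppid": cur.ppid, "tgid": cur.tgid,
            "uid": cur.uid, "name": cur.name, "risk": risk}


def detect(cur: Proc, table: Dict[int, Proc], locked: bool = True
           ) -> Optional[Tuple[Verdict, Optional[dict]]]:
    """Check a newly created process. Returns None when the device is unlocked
    (S203): the detector itself may have been modified, so no verdict is issued."""
    if not locked:
        return None
    if is_legal_state(cur, table):
        return Verdict.LEGAL, None
    second = perm_of(cur)                      # S210: the process's own permission
    if second is Perm.ROOT:                    # high risk: intercept and report
        return Verdict.HIGH_RISK, event_report(cur, "high")
    if second is Perm.SHELL:                   # low risk: report for manual review
        return Verdict.LOW_RISK, event_report(cur, "low")
    return Verdict.LEGAL, None                 # S211: other permission, detection ends


# Constructed sample process table (not real telemetry).
PROCS: Dict[int, Proc] = {p.pid: p for p in (
    Proc(100, 1,   100, ROOT_UID,  "daemon"),  # application subject, root
    Proc(200, 1,   200, SHELL_UID, "sh"),      # ordinary user's login shell
    Proc(300, 100, 300, ROOT_UID,  "sh"),      # user-called, parent root -> legal
    Proc(301, 200, 200, SHELL_UID, "sh"),      # user-called, parent shell -> low risk
    Proc(302, 200, 302, ROOT_UID,  "sh"),      # user-called, parent shell, uid 0 -> high risk
    Proc(400, 100, 400, 5000,      "worker"),  # app-called all the way up -> legal
    Proc(401, 100, 200, ROOT_UID,  "worker"),  # app-called, but leader is the user's sh -> high risk
    Proc(402, 200, 402, 5000,      "worker"),  # app-called, user-called parent, other uid -> legal
)}
```

Calling detect(PROCS[pid], PROCS) for any pid in the table yields the verdict and, for the two risk levels, the process information a security event report would carry.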
Referring to fig. 4, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 4, the method may include the following steps S401 to S403.
S401, acquiring a first subject type of a first subject that calls the current process, and a second subject type of a second subject that calls the parent process of the current process.
Specifically, when the terminal device detects that a process has been created, it takes the created process as the current process and determines, from the process name in the process structure of the current process, whether the calling subject of the current process is an ordinary user. If it is, the terminal device locates the parent process through the parent PID in the process structure of the current process, reads the process name from the process structure of the parent process, and determines from that name whether the calling subject of the parent process is an ordinary user.
S402, acquiring a first permission of the parent process.
Specifically, if the calling subject of the parent process is an ordinary user, the process permission of the parent process is determined from the UID in the process structure of the parent process.
S403, determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the first permission.
Specifically, whether the script corresponding to the current process is a malicious script is determined from the process permission of the parent process; at the same time it can be determined whether the parent process itself shows malicious behavior, that is, whether the parent process is a malicious process.
In this embodiment, when a script is executed, whether the corresponding script is a malicious script is determined from the calling subject of the current process, the calling subject of the parent process and the process permission of the parent process, so that once a malicious script is identified its further execution is prevented, improving the security of the terminal device.
Referring to fig. 5, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 5, the method may include the following steps S501 to S506.
S501, if an execution instruction of the script is received, detecting the file format of the script.
Specifically, refer to step S201, which is not described again here.
S502, if the file format satisfies the preset format, interpreting and executing the script through the script interpreter.
Specifically, refer to step S202, which is not described again here.
S503, acquiring the device state of the terminal device that executes the script.
Specifically, refer to step S203, which is not described again here.
S504, if the device state is the locked state, acquiring a first subject type of a first subject that calls the current process, and a second subject type of a second subject that calls the parent process of the current process.
Specifically, if the device state of the terminal device is the locked state, the first subject type of the first subject that calls the current process and the second subject type of the second subject that calls the parent process of the current process are acquired; refer to step S401, which is not described again here.
S505, acquiring a first permission of the parent process.
Specifically, refer to step S402, which is not described again here.
S506, if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the ordinary-user permission or the root permission, determining that the script corresponding to the current process is a malicious script.
If the first permission is another permission, detection of the current process ends, the parent process is judged to be a legal process, and the script corresponding to the current process is a legal script.
Referring to fig. 6, a flowchart for identifying malicious scripts is provided according to an embodiment of the present application. As shown in fig. 6, the method may include the following steps S601 to S602.
S601, if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the ordinary-user permission, marking the parent process as a low-risk process, acquiring process information of the parent process, and generating and outputting a first security event report according to the process information.
Specifically, if the first permission is the ordinary-user permission, the script corresponding to the current process may be a malicious script, that is, the current process carries a certain security risk. Although the script is judged to be a malicious script, its execution is not intercepted directly and the current process is not terminated; only the parent process is marked as a low-risk process, a first security event report is generated from the process information of the low-risk process and the running condition of the corresponding script, and the report is output, so that detection personnel can further determine the risk level of the low-risk process from the report and confirm whether its script is malicious.
S602, if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the root permission, marking the parent process as a high-risk process, acquiring process information of the parent process, and generating and outputting a second security event report according to the process information.
Specifically, if the first permission is the root permission, the script corresponding to the current process is judged to be a malicious script and its running is intercepted; illustratively, the current process, the parent process and every other process corresponding to the malicious script are terminated and a running error is returned. At the same time the parent process is marked as a high-risk process, a second security event report is generated from the process information of the high-risk process and the running condition of the malicious script, and the report is output.
In this embodiment, whether the corresponding script is a malicious script is determined from the process permission of the parent process, so that once a malicious script is identified its further execution is prevented and a security event report is output, improving the security of the terminal device.
Referring to fig. 7, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 7, the method may include the following steps S701 to S702.
S701, acquiring a first subject type of a first subject that calls the current process, and a second subject type of a second subject that calls the parent process of the current process.
Specifically, a script is a program that can be interpreted and executed, and a process is the basic execution entity of a program, that is, an instance of a running program; it follows that the whole script is executed by at least one process. The calling subject of a process may be an ordinary user or another subject. An ordinary user may be a shell user, that is, a user holding the shell permission, which is acquired automatically when the user logs in. Other subjects may be applications: for example, an application in the terminal device may call a script directly; or, when an ordinary user calls a script, the parent process corresponding to the script calls an application other than itself, and that application in turn creates another process, so that the calling subject of the process created by the application is another subject, namely the application.
When the terminal device detects that a process has been created, it takes the created process as the current process, that is, the executing process, and reads its process structure, which contains at least the process name, the PID of the process and the PID of its parent process. The PID (process identity) is a unique process identifier; note that after the process terminates its PID is recycled by the operating system, so the parent PID has to be resolved while the parent is still alive.
The subject type of the calling subject that calls the current process is determined from the process name of the current process: if the subject that calls the process is an ordinary user, the process name carries corresponding label information, such as sh. It can be understood that, to obtain the subject type, the process name of the current process is read first and then checked for this label information; if label information corresponding to an ordinary user is present, the first subject type of the first subject that calls the current process is an ordinary user, and if it is absent the first subject type is another subject. The parent process is then located through the parent PID, its process structure is read, and the second subject type of the second subject that calls the parent process is obtained in the same way.
S702, determining whether the script corresponding to the current process is a malicious script based on the first subject type and the second subject type.
Specifically, if neither the first subject type that calls the current process nor the second subject type that calls the parent process is an ordinary user, no malicious behavior is detected for the current process, that is, the call chain of the current process is legal, and the script corresponding to the current process is determined not to be a malicious script. Further, since executing a script involves at least one process, when both subject types are not ordinary users the current process is determined to be a legal process, and when execution of the whole script has finished without any illegal process having occurred, the script is a legal rather than a malicious script. Conversely, if the current process is an illegal process, the script corresponding to it is a malicious script. It should be noted that as soon as a script is determined to be malicious its execution is stopped immediately, to avoid further damage to the terminal device.
In this embodiment, when a script is executed, the current process corresponding to the executed script and the calling subject of its parent process are acquired, and whether the script is a malicious script is determined from the calling subject of the current process and the calling subject of the parent process, so that once a malicious script is identified its further execution is prevented, improving the security of the terminal device.
Referring to fig. 8, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 8, the method may include the following steps S801 to S808.
S801, if an execution instruction of the script is received, detecting the file format of the script.
Specifically, the terminal device receives the execution instruction, acquires the file to be executed that corresponds to the instruction, and checks the file header of that file through a preset function to determine whether the file satisfies a preset format; the same preset function may also determine the file type of the file. The preset function may be do_exec().
S802, if the file format satisfies the preset format, interpreting and executing the script through the script interpreter.
Specifically, if the file to be executed satisfies the preset format and is determined to be a script file, the script file is interpreted and executed by the script interpreter. Illustratively, when the file satisfies the preset format the beginning of its file header is read, and if the header starts with "#!" the file is a script file.
In this embodiment, whether the file corresponding to the execution instruction is a script, that is, whether it needs to undergo security detection at all, is determined by detecting its file format, which avoids the erroneous detection results that would arise from applying an unsuitable detection method to other, non-script files.
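As an added example (not code from the patent), the following Python reproduces the header check of steps S801/S802 on the first bytes of a file handed to exec: the ELF magic marks a native binary, a "#!" line marks a script and yields the interpreter that will actually run. The ELF magic and the shebang parsing rules are the standard exec-time ones; the 128-byte read size and all sample byte strings are assumptions constructed for the example.

```python
"""Header check of steps S801/S802 on the first bytes of a file handed to exec.

Added example, not code from the patent. ELF magic and '#!' handling follow
standard exec semantics; HEADER_BYTES and all sample inputs are constructed.
"""
from typing import Optional, Tuple

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"
HEADER_BYTES = 128  # assumption: enough for the magic and one '#!' line


def parse_shebang(head: bytes) -> Optional[Tuple[str, Optional[str]]]:
    """Return (interpreter, argument-or-None) from a '#!' header, else None.

    The interpreter line ends at the first newline; a trailing CR is dropped,
    blanks after '#!' are skipped, and the rest of the line after the first
    blank run is passed as one argument. A '#!' with no interpreter is rejected,
    which is what the kernel does as well (ENOEXEC).
    """
    if not head.startswith(SHEBANG):
        return None
    line = head[len(SHEBANG):].split(b"\n", 1)[0].rstrip(b"\r")
    parts = line.split(None, 1)
    if not parts:
        return None
    interp = parts[0].decode("utf-8", errors="replace")
    arg = parts[1].decode("utf-8", errors="replace").strip() if len(parts) > 1 else None
    return interp, (arg or None)


def classify_header(head: bytes) -> str:
    """'elf' for a native binary, 'script' for a usable '#!' file, 'other' otherwise."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if parse_shebang(head) is not None:
        return "script"
    return "other"


def needs_script_detection(head: bytes) -> bool:
    """S801/S802 decision: only '#!' files go on to the script detection steps."""
    return classify_header(head) == "script"


def inspect_file(path: str) -> str:
    """Classify a file on disk by its first HEADER_BYTES bytes."""
    with open(path, "rb") as f:
        return classify_header(f.read(HEADER_BYTES))


# Constructed sample headers (not captured from a device)
SAMPLES = {
    "shell script": b"#!/system/bin/sh\necho hello\n",
    "env with arg": b"#! /usr/bin/env -S python3\r\nprint(1)\n",
    "empty shebang": b"#!\n",
    "elf binary": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,
    "zip archive": b"PK\x03\x04",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(f"{label:14s} {classify_header(head):6s} {parse_shebang(head)}")
```

One caveat for practitioners: this check only sees the file that reaches exec directly. A script started as `sh script.sh` reaches exec as the interpreter binary, so the format check reports "elf" for it and the script itself has to be found among the interpreter's arguments.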
S803, acquiring the device state of the terminal device that executes the script.
Specifically, the device state is either a locked state or an unlocked state. The locked state means that the terminal device is in a security-protected state, and the unlocked state that it is not. When the terminal device is locked, the script detection program is itself protected and its program code cannot be modified; when the terminal device is unlocked, the script detection program is not protected and its program code can be modified at will, so the detection program cannot be trusted and no judgement about whether a script is malicious can be based on it.
S804, if the device state is the locked state, acquiring a first subject type of a first subject that calls the current process, and a second subject type of a second subject that calls the parent process of the current process.
Specifically, if the device state of the terminal device is the locked state, the first subject type of the first subject that calls the current process and the second subject type of the second subject that calls the parent process of the current process are acquired; refer to step S701, which is not described again here.
In this embodiment, whether detection of the script continues is decided from the device state of the terminal device, which avoids useless detection work.
S805, acquiring a first permission of the parent process of the current process.
Specifically, the process structure contains at least the process name, the PID, the UID and the parent PID of the process. The UID (user identification) identifies the user: for example, UID 0 is the super administrator and UID 2000 is the shell user. Accordingly, a process whose UID is 0 holds the root permission, and a process whose UID is 2000 holds the ordinary-user permission, that is, the shell permission.
The parent process is located through the parent PID, its process structure is read, the UID of the parent process is taken from it, and the permission of the parent process is derived from that UID.
S806, determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the first permission.
Specifically, based on the first subject type that calls the current process, the second subject type that calls the parent process and the first permission of the parent process, it is determined whether the permission held by the user who called the process is higher than or equal to the permission the process actually uses. It can be understood that if the user is an ordinary user and the process uses the administrator permission, the script corresponding to the process is a malicious script, that is, the process has raised its permission through illegal means during execution. Illustratively, the terminal device has a privilege-escalation vulnerability and the script contains a section of privilege-escalation code; while the script is executed, a process runs this code, raises its permission through the vulnerability, and then performs the malicious operations that the raised permission allows, such as remotely downloading malicious files (trojans, worms, viruses), running abnormal services that encroach on device resources, or planting a backdoor in the terminal device. It should be noted that the super administrator permission (the root permission) is higher than the ordinary-user permission (the shell permission), which in turn is higher than the other permissions.
S807, determining the group leader process of the process group to which the current process belongs, and acquiring a third subject type of a third subject that calls the group leader process.
Specifically, the process structure contains at least the process name, the PID, the UID, the parent PID and the TGID of the group leader process. The group leader process is the first process created when a script is executed; its creation also creates a process group to which it is added, and every process subsequently created from the group leader belongs to that group. The TGID (thread group identification) is the process identifier of the group leader process.
If the first subject type that calls the current process is not an ordinary user and the second subject type that calls the parent process is not an ordinary user either, the group leader process of the current process is located through the TGID, its process structure is read and its process name is taken from it, and that name is checked for label information: if it carries label information corresponding to an ordinary user, the third subject type of the third subject that calls the group leader process is an ordinary user, otherwise it is another subject.
S808, determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the third subject type.
Specifically, if the third subject type that calls the group leader process is not an ordinary user, no malicious behavior is detected for the current process, that is, the call chain of the current process is legal, and the script corresponding to the current process is determined not to be a malicious script. Further, since executing a script involves at least one process, a current process none of whose calling subjects (first, second or third) is an ordinary user is determined to be a legal process, and when execution of the whole script has finished without any illegal process having occurred, the script is a legal rather than a malicious script. Conversely, if the current process is an illegal process, the script corresponding to it is a malicious script. It should be noted that when a script is determined to be malicious its execution is stopped immediately to avoid further damage to the terminal device, and the script may also be marked so that it is recognized and its execution intercepted directly if it is executed again.
In this embodiment, when a script is executed, whether the corresponding script is a malicious script is determined from the current process corresponding to the executed script, the calling subject of its parent process, the calling subject of its group leader process and the process permission of the parent process, so that once a malicious script is identified its further execution is prevented, improving the security of the terminal device.
Referring to fig. 9, a flowchart of a script detection method is provided in an embodiment of the present application. As shown in fig. 9, the method may include the following steps S901 to S908.
S901, acquiring a first subject type of a first subject that calls the current process, and a second subject type of a second subject that calls the parent process of the current process.
Specifically, refer to step S701, which is not described again here.
S902, acquiring a first permission of the parent process of the current process.
Specifically, refer to step S805, which is not described again here.
It should be noted that the first permission of the parent process is acquired if the first subject type is an ordinary user, and also if the first subject type is not an ordinary user but the second subject type is.
S903, if the first subject type is an ordinary user and the first permission is not the root permission, acquiring a second permission of the current process.
Specifically, if the first permission of the parent process is the root permission, detection of the current process ends: since the parent process already holds the highest level of permission, the current process is legal whatever permission it holds, even a permission higher than that of the user who called it.
If the first permission of the parent process is not the root permission, the second permission of the current process is acquired.
S904, if the second permission is the ordinary-user permission or the root permission, determining that the script corresponding to the current process is a malicious script.
Specifically, if the second permission is the root permission, the script corresponding to the current process is judged to be a malicious script and its running is intercepted; illustratively, the current process and every other process corresponding to the malicious script are terminated and a running error is returned. At the same time the current process is marked as a high-risk process, a security event report is generated from the high-risk process and the running condition of the malicious script, and the report is output.
If the second permission is the ordinary-user permission, the script corresponding to the current process may be a malicious script, that is, the current process carries a certain security risk. Although the script is judged to be a malicious script, its execution is not intercepted directly and the current process is not terminated; instead the current process is marked as a low-risk process, a security event report is generated from the low-risk process and the running condition of the corresponding script, and the report is output, so that detection personnel can further determine the risk level of the low-risk process from the report and confirm whether its script is malicious.
If the second permission is another permission, detection of the current process ends and the current process is judged to be a legal process.
S905, if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the root permission or the ordinary-user permission, determining that the script corresponding to the current process is a malicious script.
Specifically, if the first subject type is not an ordinary user and the second subject type is an ordinary user, whether the current process and its script are legal is determined from the first permission.
If the first permission of the parent process is the root permission, the script corresponding to the current process is judged to be a malicious script and its running is intercepted; illustratively, the current process and every other process corresponding to the malicious script are terminated and a running error is returned. At the same time the parent process of the current process is marked as a high-risk process, a security event report is generated from the high-risk process and the running condition of the malicious script, and the report is output.
If the first permission of the parent process is the ordinary-user permission, the script corresponding to the current process may be a malicious script, that is, the current process carries a certain security risk. Although the script is judged to be a malicious script, its execution is not intercepted directly and the current process is not terminated; only the parent process of the current process is marked as a low-risk process, a security event report is generated from the low-risk process and the running condition of the corresponding script, and the report is output, so that detection personnel can further determine the risk level of the low-risk process from the report and confirm whether its script is malicious.
If the first permission is another permission, detection of the current process ends, the current process is judged to be a legal process, and the script corresponding to the current process is a legal script.
S906, determining the group leader process of the process group to which the current process belongs, and acquiring a third subject type of a third subject that calls the group leader process.
Specifically, refer to step S807, which is not described again here.
It should be noted that the third subject type of the third subject that calls the group leader process is acquired if neither the first subject type nor the second subject type is an ordinary user.
S907, if the first subject type is not an ordinary user, the second subject type is not an ordinary user, and the third subject type is an ordinary user, acquiring a third permission of the current process.
Specifically, if the third subject type is not an ordinary user, detection of the current process ends and the current process is judged to be a legal process.
If the third subject type is an ordinary user, the third permission of the current process is acquired.
S908, if the third permission is the root permission or the ordinary-user permission, determining that the script corresponding to the current process is a malicious script.
Specifically, if the third permission is the root permission, the script corresponding to the current process is judged to be a malicious script and its running is intercepted; illustratively, the current process and every other process corresponding to the malicious script are terminated and a running error is returned. At the same time the current process is marked as a high-risk process, a security event report is generated from the high-risk process and the running condition of the malicious script, and the report is output.
If the third permission is the ordinary-user permission, the script corresponding to the current process may be a malicious script, that is, the current process carries a certain security risk. Although the script is judged to be a malicious script, its execution is not intercepted directly and the current process is not terminated; instead the current process is marked as a low-risk process, a security event report is generated from the low-risk process and the running condition of the corresponding script, and the report is output, so that detection personnel can further determine the risk level of the low-risk process from the report and confirm whether its script is malicious.
If the third permission is another permission, detection of the current process ends and the current process is judged to be a legal process.
In this embodiment, when a script is executed, whether the corresponding script is a malicious script is determined from the current process corresponding to the executed script, the calling subject of its parent process, the calling subject of its group leader process, the process permission of the parent process and the process permission of the current process, so that once a malicious script is identified its further execution is prevented, improving the security of the terminal device.
Optionally, when the terminal device detects that a script is being executed, it may also read script operation data stored in a preset folder. It should be noted that when a third-party application calls a script, the operation data of the script is stored in the preset folder; this data may include process information, such as the process permission, of every process corresponding to the executing script, and when the current process corresponding to the executing script is created its process information is stored in the preset folder as well. When the terminal device detects newly added process information in the preset folder, it reads the process permission from that information. If the permission is the root permission, the corresponding process is judged to show malicious behavior and its script to be a malicious script, and the running of the malicious script is intercepted; illustratively, that process and every other process corresponding to the malicious script are terminated and a running error is returned. At the same time the process is marked as a high-risk process, a security event report is generated from the process information of the high-risk process and the running condition of the malicious script, and the report is output.
The terminal devices provided in the embodiments of the present application are described in detail below with reference to fig. 10 to 12. It should be noted that fig. 10 to 12 illustrate terminal devices for performing the methods of the embodiments shown in fig. 1 to 9 of the present application; for convenience of description, only the portions related to the embodiments of the present application are shown, and the details of the specific technology are not repeated here; please refer to the embodiments shown in fig. 1 to 9 of the present application.
Please refer to fig. 10, which provides a schematic structural diagram of a terminal device according to an embodiment of the present application. As shown in fig. 10, the terminal device 1 according to this embodiment may include an obtaining module 110 and a determining module 120.
The obtaining module 110 is configured to obtain a first subject type of a first subject calling a current process, and to obtain a second subject type of a second subject calling a parent process of the current process;
and the determining module 120 is configured to determine, based on the first subject type and the second subject type, whether a script corresponding to the current process is a malicious script.
In this embodiment, when a script is executed, the current process corresponding to the executed script and the calling subject of its parent process are obtained, and whether the script is malicious is determined from the calling subject of the current process and the calling subject of the parent process, so that once a malicious script is identified it is prevented from continuing to execute, and the security of the terminal device is improved.
Optionally, the determining module 120 is specifically configured to:
obtain a first permission of the parent process of the current process;
and determine, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
Optionally, the determining module 120 is specifically configured to:
if the first subject type is an ordinary user and the first permission is not the root permission, obtain a second permission of the current process;
if the second permission is the ordinary user permission or the root permission, determine that the script corresponding to the current process is a malicious script;
and if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the root permission or the ordinary user permission, determine that the script corresponding to the current process is a malicious script.
Optionally, the determining module 120 is specifically configured to:
determine the group leader process of the process group to which the current process belongs, and obtain a third subject type of a third subject calling the group leader process;
and determine, based on the first subject type, the second subject type and the third subject type, whether the script corresponding to the current process is a malicious script.
Optionally, the determining module 120 is specifically configured to:
if the first subject type is not an ordinary user, the second subject type is not an ordinary user, and the third subject type is an ordinary user, obtain a third permission of the current process;
and if the third permission is the root permission or the ordinary user permission, determine that the script corresponding to the current process is a malicious script.
Optionally, the terminal device 1 may further include a detection module 130, an interpretation module 140 and a state determination module 150.
The detection module 130 is configured to detect the file format of the script if an execution instruction for the script is received;
and the interpretation module 140 is configured to interpret and execute the script through a script interpreter if the file format meets the preset format.
The state determination module 150 is configured to obtain the device state of the terminal device executing the script;
and the obtaining module 110 is further configured to perform the step of obtaining the first subject type of the first subject calling the current process if the device state is the locked state.
Please refer to fig. 11, which provides a schematic structural diagram of a terminal device according to an embodiment of the present application. As shown in fig. 11, the terminal device 2 according to this embodiment may include a type obtaining module 210, a state obtaining module 220 and a determining module 230.
The type obtaining module 210 is configured to obtain a first subject type of a first subject calling a current process, and to obtain a first permission of a parent process of the current process;
the state obtaining module 220 is configured to determine, based on the first subject type and the first permission, whether the current process is in a legal state;
and the determining module 230 is configured to determine, if the current process is not in a legal state, whether a script corresponding to the current process is a malicious script based on a second permission of the current process.
In this embodiment, when a script is executed, whether the script is malicious is determined from the calling subject of the current process corresponding to the executed script, the permission of the parent process of the current process and the permission of the current process, so that once a malicious script is identified it is prevented from continuing to execute, and the security of the terminal device is improved.
Optionally, the determining module 230 is specifically configured to:
if the second permission of the current process is the ordinary user permission or the root permission, determine that the script corresponding to the current process is a malicious script.
Optionally, the terminal device 2 may further include a first processing module 240 and a second processing module 250.
The first processing module 240 is configured to, if the second permission of the current process is the ordinary user permission, mark the current process as a low-risk process, obtain process information of the current process, and generate and output a first security event report from the process information;
and the second processing module 250 is configured to, if the second permission of the current process is the root permission, mark the current process as a high-risk process, obtain process information of the current process, and generate and output a second security event report from the process information.
Optionally, the state obtaining module 220 is specifically configured to:
if the first subject type is an ordinary user and the first permission is the root permission, determine that the current process is in a legal state;
and if the first subject type is an ordinary user and the first permission is not the root permission, determine that the current process is not in a legal state.
Optionally, the state obtaining module 220 is specifically configured to:
if the first subject type is not an ordinary user, obtain a second subject type of a second subject calling the parent process;
if the second subject type is not an ordinary user, determine the group leader process of the process group to which the current process belongs, and obtain a third subject type of a third subject calling the group leader process;
and if the third subject type is an ordinary user, determine that the current process is not in a legal state.
Optionally, the terminal device 2 may further include a detection module 260, an interpretation module 270 and a state determination module 280.
The detection module 260 is configured to detect the file format of the script if an execution instruction for the script is received;
and the interpretation module 270 is configured to interpret and execute the script through a script interpreter if the file format meets the preset format.
The state determination module 280 is configured to obtain the device state of the terminal device executing the script;
and the type obtaining module 210 is further configured to perform the step of obtaining the first subject type of the first subject calling the current process if the device state is the locked state.
Please refer to fig. 12, which provides a schematic structural diagram of a terminal device according to an embodiment of the present application. As shown in fig. 12, the terminal device 3 according to this embodiment may include a type obtaining module 310, a permission obtaining module 320 and a determining module 330.
The type obtaining module 310 is configured to obtain a first subject type of a first subject calling a current process, and to obtain a second subject type of a second subject calling a parent process of the current process;
the permission obtaining module 320 is configured to obtain a first permission of the parent process;
and the determining module 330 is configured to determine, based on the first subject type, the second subject type and the first permission, whether a script corresponding to the current process is a malicious script.
In this embodiment, when a script is executed, whether the script is malicious is determined from the calling subject of the current process, the calling subject of the parent process and the permission of the parent process, so that once a malicious script is identified it is prevented from continuing to execute, and the security of the terminal device is improved.
Optionally, the determining module 330 is specifically configured to:
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the ordinary user permission or the root permission, determine that the script corresponding to the current process is a malicious script.
Optionally, the terminal device 3 may further include a first processing module 340 and a second processing module 350.
The first processing module 340 is configured to, if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the ordinary user permission, mark the parent process as a low-risk process, obtain process information of the parent process, and generate and output a first security event report from the process information;
and the second processing module 350 is configured to, if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the root permission, mark the parent process as a high-risk process, obtain process information of the parent process, and generate and output a second security event report from the process information.
Optionally, the terminal device 3 may further include a detection module 360, an interpretation module 370 and a state determination module 380.
The detection module 360 is configured to detect the file format of the script if an execution instruction for the script is received;
and the interpretation module 370 is configured to interpret and execute the script through a script interpreter if the file format meets the preset format.
The state determination module 380 is configured to obtain the device state of the terminal device executing the script;
and the type obtaining module 310 is further configured to perform the step of obtaining the first permission of the first subject calling the current process if the device state is the locked state.
An embodiment of the present application further provides a storage medium. The storage medium may store a plurality of program instructions, which are suitable for being loaded by a processor to execute the method steps of the embodiments shown in fig. 1 to 9; for the specific execution process, refer to the descriptions of the embodiments shown in fig. 1 to 9, which are not repeated here.
Referring to fig. 13, a schematic structural diagram of a computer device is provided in an embodiment of the present application. As shown in fig. 13, the computer device 1000 may include at least one processor 1001, at least one memory 1002, at least one network interface 1003, at least one input/output interface 1004, at least one communication bus 1005, and at least one display unit 1006. The processor 1001 may include one or more processing cores. The processor 1001 is connected to the various parts of the computer device 1000 through various interfaces and lines, and performs the functions of the computer device 1000 and processes data by running or executing the instructions, programs, code sets or instruction sets stored in the memory 1002 and by invoking the data stored in the memory 1002. The memory 1002 may be a high-speed RAM or a non-volatile memory, such as at least one disk memory. The memory 1002 may optionally be at least one storage device located remotely from the processor 1001. The network interface 1003 may optionally include a standard wired interface or a wireless interface (e.g., a WI-FI interface). The communication bus 1005 is used to enable communication between these components. As shown in fig. 13, the memory 1002, which is a storage medium of the terminal device, may contain an operating system, a network communication module, an input/output interface module, and a script detection program.
In the computer device 1000 shown in fig. 13, the input/output interface 1004 is mainly used to provide an input interface for a user and an access device, and to acquire the data input by the user and the access device.
In one embodiment:
The processor 1001 may be configured to invoke the script detection program stored in the memory 1002 and specifically perform the following operations:
obtaining a first subject type of a first subject calling a current process, and obtaining a second subject type of a second subject calling a parent process of the current process;
and determining, based on the first subject type and the second subject type, whether a script corresponding to the current process is a malicious script.
Optionally, when determining whether the script corresponding to the current process is a malicious script based on the first subject type and the second subject type, the processor 1001 specifically performs the following operations:
obtaining a first permission of the parent process of the current process;
and determining, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
Optionally, when determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the first permission, the processor 1001 specifically performs the following operations:
if the first subject type is an ordinary user and the first permission is not the root permission, obtaining a second permission of the current process;
if the second permission is the ordinary user permission or the root permission, determining that the script corresponding to the current process is a malicious script;
and if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the root permission or the ordinary user permission, determining that the script corresponding to the current process is a malicious script.
Optionally, when determining whether the script corresponding to the current process is a malicious script based on the first subject type and the second subject type, the processor 1001 specifically performs the following operations:
determining the group leader process of the process group to which the current process belongs, and obtaining a third subject type of a third subject calling the group leader process;
and determining, based on the first subject type, the second subject type and the third subject type, whether the script corresponding to the current process is a malicious script.
Optionally, when determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the third subject type, the processor 1001 specifically performs the following operations:
if the first subject type is not an ordinary user, the second subject type is not an ordinary user, and the third subject type is an ordinary user, obtaining a third permission of the current process;
and if the third permission is the root permission or the ordinary user permission, determining that the script corresponding to the current process is a malicious script.
Optionally, before obtaining the first subject type of the first subject calling the current process, the processor 1001 further performs the following operations:
if an execution instruction for the script is received, detecting the file format of the script;
and if the file format meets the preset format, interpreting and executing the script through a script interpreter.
Optionally, before obtaining the first subject type of the first subject calling the current process, the processor 1001 further performs the following operations:
obtaining the device state of the terminal device executing the script;
and if the device state is the locked state, performing the step of obtaining the first subject type of the first subject calling the current process.
In this embodiment, when a script is executed, the current process corresponding to the executed script and the calling subject of its parent process are obtained, and whether the script is malicious is determined from the calling subject of the current process and the calling subject of the parent process, so that once a malicious script is identified it is prevented from continuing to execute, and the security of the terminal device is improved.
In one embodiment:
The processor 1001 may be configured to invoke the script detection program stored in the memory 1002 and specifically perform the following operations:
obtaining a first subject type of a first subject calling a current process, and obtaining a first permission of a parent process of the current process;
determining, based on the first subject type and the first permission, whether the current process is in a legal state;
and if the current process is not in a legal state, determining, based on a second permission of the current process, whether a script corresponding to the current process is a malicious script.
Optionally, when determining whether the script corresponding to the current process is a malicious script based on the second permission of the current process, the processor 1001 specifically performs the following operation:
if the second permission of the current process is the ordinary user permission or the root permission, determining that the script corresponding to the current process is a malicious script.
Optionally, the processor 1001 may be further configured to invoke the script detection program stored in the memory 1002 and specifically perform the following operations:
if the second permission of the current process is the ordinary user permission, marking the current process as a low-risk process, obtaining process information of the current process, and generating and outputting a first security event report from the process information;
and if the second permission of the current process is the root permission, marking the current process as a high-risk process, obtaining process information of the current process, and generating and outputting a second security event report from the process information.
Optionally, when determining whether the current process is in a legal state based on the first subject type and the first permission, the processor 1001 specifically performs the following operations:
if the first subject type is an ordinary user and the first permission is the root permission, determining that the current process is in a legal state;
and if the first subject type is an ordinary user and the first permission is not the root permission, determining that the current process is not in a legal state.
Optionally, when determining whether the current process is in a legal state based on the first subject type and the first permission, the processor 1001 specifically performs the following operations:
if the first subject type is not an ordinary user, obtaining a second subject type of a second subject calling the parent process;
if the second subject type is not an ordinary user, determining the group leader process of the process group to which the current process belongs, and obtaining a third subject type of a third subject calling the group leader process;
and if the third subject type is an ordinary user, determining that the current process is not in a legal state.
Optionally, before obtaining the first subject type of the first subject calling the current process, the processor 1001 further performs the following operations:
if an execution instruction for the script is received, detecting the file format of the script;
and if the file format meets the preset format, interpreting and executing the script through a script interpreter.
Optionally, before obtaining the first subject type of the first subject calling the current process, the processor 1001 further performs the following operations:
obtaining the device state of the terminal device executing the script;
and if the device state is the locked state, performing the step of obtaining the first subject type of the first subject calling the current process.
In this embodiment, when a script is executed, whether the script is malicious is determined from the calling subject of the current process corresponding to the executed script, the permission of the parent process of the current process and the permission of the current process, so that once a malicious script is identified it is prevented from continuing to execute, and the security of the terminal device is improved.
In one embodiment:
The processor 1001 may be configured to invoke the script detection program stored in the memory 1002 and specifically perform the following operations:
obtaining a first subject type of a first subject calling a current process, and obtaining a second subject type of a second subject calling a parent process of the current process;
obtaining a first permission of the parent process;
and determining, based on the first subject type, the second subject type and the first permission, whether a script corresponding to the current process is a malicious script.
Optionally, when determining whether the script corresponding to the current process is a malicious script based on the first subject type, the second subject type and the first permission, the processor 1001 specifically performs the following operation:
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the ordinary user permission or the root permission, determining that the script corresponding to the current process is a malicious script.
Optionally, the processor 1001 may be further configured to invoke the script detection program stored in the memory 1002 and specifically perform the following operations:
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the ordinary user permission, marking the parent process as a low-risk process, obtaining process information of the parent process, and generating and outputting a first security event report from the process information;
and if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is the root permission, marking the parent process as a high-risk process, obtaining process information of the parent process, and generating and outputting a second security event report from the process information.
Optionally, before obtaining the first subject type of the first subject calling the current process, the processor 1001 further performs the following operations:
if an execution instruction for the script is received, detecting the file format of the script;
and if the file format meets the preset format, interpreting and executing the script through a script interpreter.
Optionally, before obtaining the first subject type of the first subject calling the current process, the processor 1001 further performs the following operations:
obtaining the device state of the terminal device executing the script;
and if the device state is the locked state, performing the step of obtaining the first permission of the first subject calling the current process.
In this embodiment, when a script is executed, whether the script is malicious is determined from the calling subject of the current process, the calling subject of the parent process and the permission of the parent process, so that once a malicious script is identified it is prevented from continuing to execute, and the security of the terminal device is improved.
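The decision rules of the three embodiments above (calling subject of the current process, of its parent and of its group leader, plus the parent's and the current process's permission) combined into one decision function, as an added example that is not the patent's own code. It assumes that a calling subject is either an ordinary user or some other non-user subject (labelled SYSTEM here), that a permission is either root or ordinary-user, and that the case where all three callers are non-user subjects, which the text gives no rule for, is treated as legal.

```python
"""Added example (not the patent's code): the script-detection decision rules
of the three embodiments above, implemented as one decision function."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Subject(Enum):
    ORDINARY_USER = "ordinary_user"
    SYSTEM = "system"          # assumed label for any non-user calling subject


class Perm(Enum):
    ROOT = "root"
    ORDINARY_USER = "ordinary_user"


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    caller: Subject            # subject type of the subject that called this process
    perm: Perm                 # process permission
    script: str = ""


@dataclass(frozen=True)
class Verdict:
    malicious: bool
    risk: Optional[str]        # "low", "high", or None when the process is legal
    flagged_pid: Optional[int] # the process marked low-risk or high-risk
    reason: str


def is_legal_state(current: ProcessInfo, parent: ProcessInfo,
                   leader: ProcessInfo) -> bool:
    """Legal-state rules of the second embodiment, with the third embodiment's
    rule for a user-called parent folded in."""
    if current.caller is Subject.ORDINARY_USER:
        # user-called script: legal only if its parent process holds root
        return parent.perm is Perm.ROOT
    if parent.caller is Subject.ORDINARY_USER:
        # non-user caller whose parent was called by a user: malicious whether
        # the parent holds the root or the ordinary-user permission
        return False
    # both callers are non-user subjects: look at the group leader's caller
    if leader.caller is Subject.ORDINARY_USER:
        return False
    return True   # assumption: the text states no rule for this case


def detect(current: ProcessInfo, parent: ProcessInfo,
           leader: ProcessInfo) -> Verdict:
    """Decide whether the script behind `current` is malicious and which process
    is marked low-risk (ordinary-user permission) or high-risk (root)."""
    if is_legal_state(current, parent, leader):
        return Verdict(False, None, None, "process is in a legal state")
    # The embodiments differ on whose permission sets the risk level: when the
    # current process's caller is not a user but the parent's caller is, the
    # parent process is marked; otherwise the current process is marked.
    if (current.caller is not Subject.ORDINARY_USER
            and parent.caller is Subject.ORDINARY_USER):
        target, why = parent, "parent process called by an ordinary user"
    elif current.caller is Subject.ORDINARY_USER:
        target, why = current, "called by an ordinary user but parent lacks root"
    else:
        target, why = current, "group leader process called by an ordinary user"
    risk = "high" if target.perm is Perm.ROOT else "low"
    return Verdict(True, risk, target.pid, why)


def security_event_report(verdict: Verdict, current: ProcessInfo,
                          parent: ProcessInfo, leader: ProcessInfo) -> dict:
    """Build the first (low-risk) or second (high-risk) security event report
    from the process information of the flagged process."""
    procs = {p.pid: p for p in (current, parent, leader)}
    flagged = procs[verdict.flagged_pid]
    return {
        "report": "first" if verdict.risk == "low" else "second",
        "risk": verdict.risk,
        "pid": flagged.pid,
        "permission": flagged.perm.value,
        "caller": flagged.caller.value,
        "script": current.script,
        "reason": verdict.reason,
        "action": "execution intercepted",
    }


if __name__ == "__main__":
    # constructed sample: an interpreter started by a non-user subject whose
    # parent shell was launched by an ordinary user and already holds root
    leader = ProcessInfo(100, Subject.ORDINARY_USER, Perm.ORDINARY_USER)
    parent = ProcessInfo(200, Subject.ORDINARY_USER, Perm.ROOT)
    current = ProcessInfo(300, Subject.SYSTEM, Perm.ROOT, script="job.sh")
    verdict = detect(current, parent, leader)
    print(verdict)
    if verdict.malicious:
        print(security_event_report(verdict, current, parent, leader))
```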
It should be noted that, for the sake of simplicity, the above method embodiments are described as a series of acts or combinations of acts, but those skilled in the art should understand that the present application is not limited by the described order of acts, since some steps may be performed in other orders or simultaneously according to the present application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by this application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
In view of the above description of the script detection method, terminal device, storage medium and computer device provided by the present application, those skilled in the art will recognize that there may be variations in the specific embodiments and the scope of application according to the ideas of the embodiments of the present application; in summary, the contents of this specification should not be construed as limiting the present application.
Claims (16)
1. A script detection method, comprising:
obtaining a first subject type of a first subject calling a current process, and obtaining a first permission of a parent process of the current process;
determining, based on the first subject type and the first permission, whether the current process is in a legal state;
and if the current process is not in a legal state, determining, based on a second permission of the current process, whether a script corresponding to the current process is a malicious script.
2. The method of claim 1, wherein determining whether the script corresponding to the current process is a malicious script based on the second permission of the current process comprises:
if the second permission of the current process is the ordinary user permission or the root permission, determining that the script corresponding to the current process is a malicious script.
3. The method of claim 2, further comprising:
if the second permission of the current process is the ordinary user permission, marking the current process as a low-risk process, obtaining process information of the current process, and generating and outputting a first security event report from the process information;
and if the second permission of the current process is the root permission, marking the current process as a high-risk process, obtaining process information of the current process, and generating and outputting a second security event report from the process information.
4. The method of claim 1, wherein determining whether the current process is in a legal state based on the first subject type and the first permission comprises:
if the first subject type is an ordinary user and the first permission is the root permission, determining that the current process is in a legal state;
and if the first subject type is an ordinary user and the first permission is not the root permission, determining that the current process is not in a legal state.
5. The method of claim 1, wherein determining whether the current process is in a legal state based on the first subject type and the first permission comprises:
if the first subject type is not an ordinary user, obtaining a second subject type of a second subject calling the parent process;
if the second subject type is not an ordinary user, determining the group leader process of the process group to which the current process belongs, and obtaining a third subject type of a third subject calling the group leader process;
and if the third subject type is an ordinary user, determining that the current process is not in a legal state.
6. The method of claim 1, wherein, before obtaining the first subject type of the first subject calling the current process, the method further comprises:
if an execution instruction for the script is received, detecting the file format of the script;
and if the file format meets the preset format, interpreting and executing the script through a script interpreter.
7. The method of claim 1, wherein, before obtaining the first subject type of the first subject calling the current process, the method further comprises:
obtaining the device state of the terminal device executing the script;
and if the device state is a locked state, performing the step of obtaining the first subject type of the first subject calling the current process.
8. A script detection method, comprising:
acquiring a first main body type of a first main body calling a current process, and acquiring a second main body type of a second main body calling a parent process of the current process;
acquiring a first permission of the parent process;
and determining whether the script corresponding to the current process is a malicious script or not based on the first main body type, the second main body type and the first permission.
9. The method of claim 8, wherein the determining whether the script corresponding to the current process is a malicious script based on the first body type, the second body type, and the first permission comprises:
and if the first main body type is not a common user, the second main body type is a common user, and the first authority is a common user authority or a root authority, determining that the script corresponding to the current process is a malicious script.
10. The method of claim 9, further comprising:
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is an ordinary-user permission, marking the parent process as a low-risk process, obtaining process information of the parent process, and generating and outputting a first security event report from the process information;
if the first subject type is not an ordinary user, the second subject type is an ordinary user, and the first permission is a root permission, marking the parent process as a high-risk process, obtaining process information of the parent process, and generating and outputting a second security event report from the process information.
11. The method of claim 8, wherein, before obtaining the first subject type of the first subject that calls the current process, the method further comprises:
if an instruction to execute the script is received, detecting the file format of the script;
and, if the file format matches a preset format, interpreting and executing the script with a script interpreter.
12. The method of claim 8, wherein, before obtaining the first subject type of the first subject that calls the current process, the method further comprises:
obtaining the device state of the terminal device that executes the script;
and, if the device state is a locked state, performing the step of obtaining the first subject type of the first subject that calls the current process.
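The decision rule of claims 8 to 10, together with the script-format gate of claim 11 and the lock-state gate of claim 12 (claims 6 and 7 attach the same two gates to the method of claim 1), as an added worked example. This is editor-written illustration code, not an implementation from the patent or its applicant. It assumes an encoding the claims do not fix: a subject is either an ordinary user or not, a permission is ordinary-user, root or other, and the "preset format" of a script is a shebang line or a known suffix. The process table at the bottom is constructed for the example, not captured from a device.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class SubjectType(Enum):
    """Assumed encoding: the claims only separate 'ordinary user' from everything else."""
    ORDINARY_USER = "ordinary_user"
    NON_ORDINARY = "non_ordinary"      # system service, shell or root subject


class Permission(Enum):
    """Assumed encoding of a process's privilege; claim 9 names only ordinary-user and root."""
    ORDINARY_USER = "ordinary_user_permission"
    ROOT = "root_permission"
    OTHER = "other"


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    ppid: int
    caller: SubjectType        # type of the subject that invoked this process
    permission: Permission     # privilege the process itself runs with
    command: str


@dataclass(frozen=True)
class Verdict:
    malicious: bool
    risk: Optional[str] = None       # "low" or "high" when malicious (claim 10)
    report: Optional[Dict] = None    # security event report on the parent process


# Assumed "preset format" for claim 11: a shebang line or one of these suffixes.
SCRIPT_SUFFIXES = (".sh", ".py", ".pl")


def is_script_file(path: str, head: bytes) -> bool:
    """Claim 11 gate: only files that look like scripts are handed to an interpreter."""
    return head.startswith(b"#!") or path.lower().endswith(SCRIPT_SUFFIXES)


def evaluate(current: ProcessRecord, parent: ProcessRecord,
             device_locked: bool) -> Optional[Verdict]:
    """Claims 8 to 10 and 12 over one parent/child pair.

    Returns None when the device is not locked (claim 12 runs the check only in
    the locked state). Otherwise the verdict is built from
      first subject type  = caller of the current process,
      second subject type = caller of the parent process,
      first permission    = privilege of the parent process.
    """
    if not device_locked:
        return None
    if parent.pid != current.ppid:
        raise ValueError("parent record does not match current.ppid")

    first_type, second_type, first_perm = current.caller, parent.caller, parent.permission

    # Claim 9: a non-ordinary subject invoked the script, yet the parent was
    # started by an ordinary user holding ordinary-user or root permission.
    suspicious_chain = (first_type is not SubjectType.ORDINARY_USER
                        and second_type is SubjectType.ORDINARY_USER)
    if not suspicious_chain or first_perm is Permission.OTHER:
        return Verdict(malicious=False)

    # Claim 10: the parent's privilege sets the risk level of the report.
    risk = "high" if first_perm is Permission.ROOT else "low"
    report = {"parent_pid": parent.pid, "parent_command": parent.command,
              "parent_permission": first_perm.value, "child_pid": current.pid,
              "child_command": current.command, "risk": risk}
    return Verdict(malicious=True, risk=risk, report=report)


def scan(table: Dict[int, ProcessRecord], device_locked: bool) -> Dict[int, Verdict]:
    """Apply evaluate() to every process whose parent is present in the table."""
    results: Dict[int, Verdict] = {}
    for proc in table.values():
        parent = table.get(proc.ppid)
        if parent is None:
            continue                 # no parent record, nothing to compare against
        verdict = evaluate(proc, parent, device_locked)
        if verdict is not None:
            results[proc.pid] = verdict
    return results


# Constructed process table for the example (not captured from a device).
SAMPLE_TABLE: Dict[int, ProcessRecord] = {
    1000: ProcessRecord(1000, 1, SubjectType.ORDINARY_USER, Permission.ORDINARY_USER, "com.example.app"),
    1001: ProcessRecord(1001, 1000, SubjectType.NON_ORDINARY, Permission.ORDINARY_USER, "sh /sdcard/a.sh"),
    2000: ProcessRecord(2000, 1, SubjectType.ORDINARY_USER, Permission.ROOT, "su"),
    2001: ProcessRecord(2001, 2000, SubjectType.NON_ORDINARY, Permission.ROOT, "sh /data/local/tmp/b.sh"),
    3000: ProcessRecord(3000, 1, SubjectType.NON_ORDINARY, Permission.ROOT, "init"),
    3001: ProcessRecord(3001, 3000, SubjectType.NON_ORDINARY, Permission.ROOT, "sh /system/bin/boot.sh"),
}

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_TABLE, device_locked=True).items():
        print(pid, verdict)
```

Run over the constructed table with the device locked, pid 1001 (a script invoked by a non-ordinary subject under a parent that an ordinary user launched with ordinary-user permission) is reported as low risk, pid 2001 (the same shape, but the parent runs as root) as high risk, and pid 3001 (both callers non-ordinary) is not flagged; with the device unlocked the check is skipped and nothing is reported. The rule is deliberately narrow: it keys on a privilege mismatch along the parent/child chain rather than on the script's contents, so the report carries the parent's process information, which is what claim 10 asks for.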
13. A script detection apparatus, comprising:
a type obtaining module, configured to obtain a first subject type of a first subject that calls a current process, and to obtain a first permission of a parent process of the current process;
a state obtaining module, configured to determine, based on the first subject type and the first permission, whether the current process is in a legal state;
and a determining module, configured to determine, if the current process is not in a legal state, whether the script corresponding to the current process is a malicious script based on a second permission of the current process.
14. A script detection apparatus, comprising:
a type obtaining module, configured to obtain a first subject type of a first subject that calls a current process, and to obtain a second subject type of a second subject that calls a parent process of the current process;
a permission obtaining module, configured to obtain a first permission of the parent process;
and a determining module, configured to determine, based on the first subject type, the second subject type and the first permission, whether the script corresponding to the current process is a malicious script.
15. A storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the script detection method of any one of claims 1-7 or 8-12.
16. A computer device, comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the steps of the script detection method according to any one of claims 1 to 7 or 8 to 12.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110689583.3A CN113407940B (en) | 2021-06-21 | 2021-06-21 | Script detection method, script detection device, storage medium and computer equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110689583.3A CN113407940B (en) | 2021-06-21 | 2021-06-21 | Script detection method, script detection device, storage medium and computer equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113407940A true CN113407940A (en) | 2021-09-17 |
CN113407940B CN113407940B (en) | 2024-08-06 |
Family
ID=77682225
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110689583.3A Active CN113407940B (en) | 2021-06-21 | 2021-06-21 | Script detection method, script detection device, storage medium and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113407940B (en) |
Patent Citations (16) (* cited by examiner)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20020016709A (en) * | 2000-08-26 | 2002-03-06 | 박태규 | Mandatory Printing Method for Security Banner of Security Labeled File, and Computer Recordable Recording Medium Having Thereon Programmed Mandatory Printing Method for Security Banner of Security Labeled File |
KR20020016711A (en) * | 2000-08-26 | 2002-03-06 | 박태규 | Mandatory Object Access Control Method Using Multi-Level Security, and Computer Readable Recording Medium Having thereon Programmed Mandatory Object Access Control Method Using Multi-Level Security |
KR20080057918A (en) * | 2006-12-21 | 2008-06-25 | 주식회사 레드게이트 | Method for illegal privilege flow prevention and mandatory access control using the state transition model of security role in unix/linux system |
US20130007538A1 (en) * | 2011-06-28 | 2013-01-03 | International Business Machines Corporation | Systems and methods for fast detection and diagnosis of system outages |
KR101431192B1 (en) * | 2013-03-28 | 2014-08-19 | 한신대학교 산학협력단 | Method for Rooting Attack Events Detection on Mobile Device |
CN104102878A (en) * | 2013-04-10 | 2014-10-15 | 中国科学院计算技术研究所 | Malicious code analysis method and system under Linux platform |
KR20150052388A (en) * | 2013-11-04 | 2015-05-14 | 주식회사 잉카인터넷 | Apparatus and Method for Detecting Rooting a Mobile Terminal |
KR20160133927A (en) * | 2015-05-14 | 2016-11-23 | 한국전자통신연구원 | Apparatus and method for detecting rooting from terminal based on android system |
CN106295319A (en) * | 2016-08-02 | 2017-01-04 | 中标软件有限公司 | Operating system safety protecting method |
US20180341772A1 (en) * | 2017-05-24 | 2018-11-29 | Fujitsu Limited | Non-transitory computer-readable storage medium, monitoring method, and information processing apparatus |
US20190080081A1 (en) * | 2017-09-08 | 2019-03-14 | Avecto Limited | Computer Device and Method for Controlling Process Components |
CN109684824A (en) * | 2014-12-29 | 2019-04-26 | 北京奇虎科技有限公司 | The authority configuring method and device of process |
CN109815700A (en) * | 2018-12-29 | 2019-05-28 | 360企业安全技术(珠海)有限公司 | Processing method and processing device, storage medium, the computer equipment of application program |
CN110598410A (en) * | 2019-09-16 | 2019-12-20 | 腾讯科技(深圳)有限公司 | Malicious process determination method and device, electronic device and storage medium |
CN111783081A (en) * | 2020-06-08 | 2020-10-16 | Oppo广东移动通信有限公司 | Malicious process processing method, terminal device and storage medium |
CN111783082A (en) * | 2020-06-08 | 2020-10-16 | Oppo广东移动通信有限公司 | Process tracing method, device, terminal and computer readable storage medium |
Events
Date | Country | Application | Publication | Status |
---|---|---|---|---|
2021-06-21 | CN | CN202110689583.3A | CN113407940B | Active |
Also Published As
Publication number | Publication date |
---|---|
CN113407940B (en) | 2024-08-06 |
Similar Documents
Publication | Title |
---|---|
US9141801B2 (en) | Apparatus and method for analyzing permission of application for mobile devices and detecting risk |
EP3039608B1 (en) | Hardware and software execution profiling |
US10505960B2 (en) | Malware detection by exploiting malware re-composition variations using feature evolutions and confusions |
KR101265173B1 (en) | Apparatus and method for inspecting non-portable executable files |
US10691800B2 (en) | System and method for detection of malicious code in the address space of processes |
KR101212553B1 (en) | Apparatus and method for detecting malicious files |
US11425127B2 (en) | Securing application behavior in serverless computing |
WO2018017498A1 (en) | Inferential exploit attempt detection |
US20240143739A1 (en) | Intelligent obfuscation of mobile applications |
CN107403093B (en) | System and method for detecting redundant software |
US10198309B2 (en) | Unexpected event detection during execution of an application |
US20200159915A1 (en) | Selective Import/Export Address Table Filtering |
JP6662117B2 (en) | Detecting malicious software behavior using signature-based static analysis |
CN116324773A (en) | Method and apparatus for protecting smart contracts from attack |
WO2019127043A1 (en) | Terminal device control method and terminal device |
US10063558B2 (en) | Method for blocking unauthorized data access and computing device with feature of blocking unauthorized data access |
US10402564B2 (en) | Fine-grained analysis and prevention of invalid privilege transitions |
CN113407940B (en) | Script detection method, script detection device, storage medium and computer equipment |
CN113836529A (en) | Process detection method, device, storage medium and computer equipment |
CN112929365A (en) | Remote command detection method and device and electronic equipment |
KR101616702B1 (en) | Software Management Method Using CODESIGN |
CN111177726A (en) | System vulnerability detection method, device, equipment and medium |
CN114070580B (en) | Anti-serialization attack detection method, device, electronic equipment, medium and program |
US11314855B2 (en) | Detecting stack pivots using stack artifact verification |
CN111523115B (en) | Information determining method, function calling method and electronic equipment |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |