CN113515743A - Identification method and device of call chain of rebound shell process and electronic device - Google Patents

Info

Publication number: CN113515743A
Application number: CN202110310397.4A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN113515743B (en)
Inventors: 郑云超, 范渊, 黄进
Assignee (original and current): DBAPPSecurity Co Ltd
Prior art keywords: shell, detected, chain, legal, terminal

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The application relates to a method and device for identifying a rebound shell (reverse shell) process call chain, and to an electronic device. The method comprises the following steps: acquiring a shell process to be detected and detecting whether it has a terminal attribute; if it has the terminal attribute, the shell process to be detected accesses the system through a terminal; if it does not have the terminal attribute, acquiring the target process call chain corresponding to the shell process to be detected; obtaining a legal process list, which comprises a plurality of legal processes without terminal attributes, and comparing each node process in the target process call chain with the legal process list to obtain a comparison result; and identifying, based on the comparison result, whether the target process call chain is a rebound shell process call chain. The method and device solve the problem in the related art that the call chain of a rebound shell process cannot be traced.

Description

Identification method and device of call chain of rebound shell process and electronic device
Technical Field
The application relates to the technical field of network security, in particular to a method and device for identifying a rebound shell process call chain, and to an electronic device.
Background
A rebound shell (reverse shell) works as follows: a control end listens on a TCP/UDP port, the controlled end initiates a connection to that port, and the command-line input and output of the controlled end are forwarded to the control end. In network terms it is essentially a reversal of the client and server roles.
A webshell is a common means by which attackers intrude on web servers. When a webshell is used to intrude on and escalate privileges on a Linux web server, a vulnerability exploitation program executed directly from the webshell lacks an interactive environment, so commands cannot be executed continuously, and even a successful escalation cannot be used. An attacker therefore first rebounds a shell command-line window to obtain an interactive terminal resembling a legitimate login, then runs the exploitation program in that shell terminal to escalate from normal user privilege to super-privileged user privilege. Once escalation succeeds, subsequent attack commands are executed in the shell terminal under the super-privileged identity, which can cause many network security problems and in turn heavy economic loss to enterprises. How to identify rebound shells effectively is therefore a technical problem that practitioners in the field urgently need to solve.
In the related art, a rebound shell process is identified by whether it has a terminal attribute, so as to prevent the network security problems caused by a rebound shell. However, this approach does not identify the rebound shell process itself, and judging only by the presence or absence of a terminal attribute is prone to misjudgment: for example, some legal system processes use the rebound-shell principle to provide a remote command invocation service. Such legal processes cannot be effectively distinguished from real rebound shell processes by this method. In addition, the method can only identify commands executed by the rebound shell; it cannot backtrack the execution process of the rebound shell, that is, the rebound shell process call chain cannot be traced back, so the rebound shell cannot be located.
No effective solution has yet been proposed for the problem in the related art that the call chain of a rebound shell process cannot be traced.
Disclosure of Invention
This embodiment provides a method and device for identifying a rebound shell process call chain, and an electronic device, so as to solve the problem in the related art that the rebound shell process call chain cannot be traced back.
In a first aspect, this embodiment provides a method for identifying a rebound shell process call chain, the method comprising:
acquiring a shell process to be detected, and detecting whether the shell process to be detected has a terminal attribute; if it has the terminal attribute, the shell process to be detected accesses the system through a terminal;
if the shell process to be detected does not have the terminal attribute, acquiring a target process call chain corresponding to the shell process to be detected;
obtaining a legal process list, and comparing each node process in the target process call chain with the legal process list to obtain a comparison result, wherein the legal process list comprises a plurality of legal processes without terminal attributes;
and identifying, based on the comparison result, whether the target process call chain is a rebound shell process call chain.
In some of these embodiments, identifying whether the target process call chain is a rebound shell process call chain based on the comparison result comprises:
if at least one node process in the target process call chain is in the legal process list, determining that the target process call chain is a legal shell process call chain;
and if none of the node processes in the target process call chain is in the legal process list, determining that the target process call chain is a rebound shell process call chain.
In some embodiments, obtaining the target process call chain corresponding to the shell process to be detected comprises:
acquiring first process creation data corresponding to the shell process to be detected, and searching for a first parent process of the shell process to be detected based on the first process creation data, the first parent process being the parent process of the shell process to be detected;
acquiring second process creation data corresponding to the first parent process, and searching for a second parent process based on the second process creation data, the second parent process being the parent process of the first parent process;
repeating the steps of acquiring process creation data and searching for a parent process until the source process of the target process call chain corresponding to the shell process to be detected is found;
and obtaining the target process call chain corresponding to the shell process to be detected from the shell process to be detected, the source process, and all the parent processes found.
In some of these embodiments, before obtaining the legal process list, the method further comprises:
registering a plurality of legal processes without terminal attributes, and generating the legal process list based on those legal processes.
In some of these embodiments, after determining that the target process call chain is a rebound shell process call chain, the method further comprises:
sending alarm information to a user based on the rebound shell process call chain, wherein the alarm information comprises at least the rebound shell process call chain.
In some embodiments, detecting whether the shell process to be detected has the terminal attribute comprises:
entering a terminal display command in the shell process to be detected, and judging whether a terminal identifier is displayed;
if the terminal identifier is displayed, judging that the shell process to be detected has the terminal attribute;
and if the terminal identifier is not displayed, judging that the shell process to be detected does not have the terminal attribute.
In a second aspect, this embodiment provides an apparatus for identifying a rebound shell process call chain, the apparatus comprising:
a process detection module, configured to acquire the shell process to be detected and detect whether it has the terminal attribute, where if the shell process to be detected has the terminal attribute, it accesses the system through a terminal;
a call chain acquisition module, configured to obtain the target process call chain corresponding to the shell process to be detected if the shell process to be detected does not have the terminal attribute;
a process comparison module, configured to obtain a legal process list and compare each node process in the target process call chain with the legal process list to obtain a comparison result, where the legal process list comprises a plurality of legal processes without terminal attributes;
and a call chain identification module, configured to identify, based on the comparison result, whether the target process call chain is a rebound shell process call chain.
In some of these embodiments, the call chain identification module comprises a first identification unit and a second identification unit, wherein:
the first identification unit is configured to determine that the target process call chain is a legal shell process call chain if at least one node process in the target process call chain is in the legal process list;
and the second identification unit is configured to determine that the target process call chain is a rebound shell process call chain if none of the node processes in the target process call chain is in the legal process list.
In a third aspect, this embodiment provides an electronic apparatus comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the method for identifying a rebound shell process call chain according to the first aspect.
In a fourth aspect, this embodiment provides a storage medium on which a computer program is stored which, when executed by a processor, implements the method for identifying a rebound shell process call chain according to the first aspect.
Compared with the related art, the method, device and electronic device for identifying a rebound shell process call chain provided by this embodiment acquire a shell process to be detected and detect whether it has a terminal attribute; if it has the terminal attribute, the shell process to be detected accesses the system through a terminal; if it does not, the target process call chain corresponding to the shell process to be detected is acquired; a legal process list comprising a plurality of legal processes without terminal attributes is obtained, and each node process in the target process call chain is compared with that list to obtain a comparison result; and whether the target process call chain is a rebound shell process call chain is identified based on the comparison result. By obtaining the target process call chain of a shell process that lacks the terminal attribute and comparing the complete chain against the registered legal process list, illegal rebound shell process call chains can be filtered out, which solves the problem in the related art that the rebound shell process call chain cannot be traced.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and, together with the description, serve to explain the application without limiting it. In the drawings:
Fig. 1 is a block diagram of the hardware structure of a terminal for the method of identifying a rebound shell process call chain according to this embodiment.
Fig. 2 is a flowchart of the method for identifying a rebound shell process call chain according to this embodiment.
Fig. 3 is a flowchart of identifying whether the target process call chain is a rebound shell process call chain in this embodiment.
Fig. 4 is a flowchart of acquiring the target process call chain corresponding to a shell process to be detected in this embodiment.
Fig. 5 is a flowchart of detecting whether a shell process to be detected has the terminal attribute in this embodiment.
Fig. 6 is a block diagram of the structure of an apparatus for identifying a rebound shell process call chain according to this embodiment.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms used herein shall have the same general meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of this application do not denote a limitation of quantity, either in the singular or the plural. The terms "comprises," "comprising," "has," "having," and any variations thereof, as referred to in this application, are intended to cover non-exclusive inclusions; for example, a process, method, and system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or modules, but may include other steps or modules (elements) not listed or inherent to such process, method, article, or apparatus. Reference throughout this application to "connected," "coupled," and the like is not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference to "a plurality" in this application means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. In general, the character "/" indicates a relationship in which the objects associated before and after are an "or". The terms "first," "second," "third," and the like in this application are used for distinguishing between similar items and not necessarily for describing a particular sequential or chronological order.
The method embodiments provided herein may be executed on a terminal, a computer or a similar computing device. Taking execution on a terminal as an example, fig. 1 is a block diagram of the hardware structure of the terminal for the method of identifying a rebound shell process call chain in this embodiment. As shown in fig. 1, the terminal may include one or more processors 102 (only one is shown in fig. 1) and a memory 104 for storing data, where the processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA). The terminal may also include a transmission device 106 for communication functions and an input-output device 108. Those of ordinary skill in the art will understand that the structure shown in fig. 1 is merely illustrative and does not limit the structure of the terminal described above; for example, the terminal may include more or fewer components than shown in fig. 1, or have a different configuration from that shown in fig. 1.
The memory 104 may be used to store computer programs, for example software programs and modules of application software such as the computer program corresponding to the method of identifying a rebound shell process call chain in this embodiment; the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, thereby implementing the method described above. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102 and connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network; the network may include a wireless network provided by the terminal's communication provider. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through a base station so as to communicate with the internet. In another example, the transmission device 106 may be a radio frequency (RF) module used to communicate with the internet wirelessly.
Fig. 2 is a flowchart of the method for identifying a rebound shell process call chain in this embodiment; as shown in fig. 2, the flow comprises the following steps.
Step S210: acquire a shell process to be detected and detect whether it has a terminal attribute; if it has the terminal attribute, this indicates that the shell process to be detected accesses the system through a terminal.
The shell process to be detected may be one particular shell process, or all of the acquired shell processes to be detected.
It should be noted that, normally, a process accesses the system by way of a terminal, for example through the console or the Xshell tool, whereas a rebound shell process accesses the system in a non-terminal manner. If the shell process to be detected has the terminal attribute, it accesses the system through a terminal. Normal processes and suspected rebound shell processes can therefore be distinguished by detecting whether the shell process to be detected has the terminal attribute.
Step S220: if the shell process to be detected does not have the terminal attribute, acquire the target process call chain corresponding to it.
A call chain refers to a service call relationship in which the services at the client and server ends of a network communication are linked in series by three items of information: a traceid (call chain tracking number), an id (local node id) and a parentid (parent node id).
Correspondingly, a process call chain represents the node processes involved in a call and the dependencies between them. A dependency appears as the relationship between a child node process and a parent node process, the parent node process being the process whose behaviour initiated the creation of the child.
For example, suppose a calling process involves three node processes A, B and C: node process A creates node process B and node process B creates node process C, so A is the parent node process of B and B is the parent node process of C. These three node processes and their dependencies form the process call chain corresponding to the calling process.
Step S230: obtain a legal process list and compare each node process in the target process call chain with the legal process list to obtain a comparison result; the legal process list comprises a plurality of legal processes without terminal attributes.
Here the legal process list is a user-defined process whitelist. A legal process may be a process with the terminal attribute, or a calling process that provides remote commands using the rebound-shell principle.
Step S240: identify, based on the comparison result, whether the target process call chain is a rebound shell process call chain.
Through steps S210 to S240, a shell process to be detected is acquired and whether it has the terminal attribute is detected; if it has the terminal attribute, it accesses the system through a terminal; if it does not, the target process call chain corresponding to it is acquired; a legal process list comprising a plurality of legal processes without terminal attributes is obtained, and each node process in the target process call chain is compared with it to obtain a comparison result. Detecting the terminal attribute first screens the shell processes to be detected for those suspected of being rebound shells; the target process call chains of the screened processes are then obtained, and the complete chains are compared with the registered legal process list, so that illegal rebound shell process call chains can be filtered out, solving the problem in the related art that rebound shell process call chains cannot be traced back.
In some embodiments, before step S210, the method for identifying a rebound shell process call chain further comprises capturing process creation behaviour to obtain a plurality of shell processes to be detected, and storing the process set formed by them.
In some embodiments, fig. 3 is a flowchart of identifying whether the target process call chain is a rebound shell process call chain in this embodiment; as shown in fig. 3, the flow comprises the following steps.
Step S310: if at least one node process in the target process call chain is in the legal process list, determine that the target process call chain is a legal shell process call chain.
Step S320: if none of the node processes in the target process call chain is in the legal process list, determine that the target process call chain is a rebound shell process call chain.
It should be noted that if at least one node process in the target process call chain is in the legal process list, the target process call chain is judged to be a call chain that provides a remote command invocation service using the rebound-shell principle, and is therefore a legal shell process call chain.
If none of the node processes in the target process call chain is in the legal process list, the possibility that it is a call chain providing a remote command invocation service using the rebound-shell principle is excluded, so the target process call chain is a rebound shell process call chain, that is, a real rebound shell process call chain.
Through steps S310 and S320, a target process call chain with at least one node process in the legal process list is determined to be a legal shell process call chain, and one with no node process in the legal process list is determined to be a rebound shell process call chain. By obtaining the legal process list and comparing each node process in the target process call chain with it, this embodiment eliminates the case where a call chain that provides a remote command invocation service using the rebound-shell principle is mistakenly identified as a rebound shell process call chain: legal processes using rebound-shell technology and real rebound shell processes are distinguished, identification precision is improved, the false alarm rate is reduced, the rebound shell process call chain can be traced back, and the rebound shell can be located precisely.
In some embodiments, fig. 4 is a flowchart of acquiring the target process call chain corresponding to the shell process to be detected in this embodiment; as shown in fig. 4, the flow comprises the following steps.
Step S410: acquire first process creation data corresponding to the shell process to be detected, and search for the first parent process of the shell process to be detected based on the first process creation data; the first parent process is the parent process of the shell process to be detected.
Specifically, the current process ID of the shell process to be detected is obtained, the process creation data whose child process ID is the current process ID is taken as the first process creation data, the first parent process ID is extracted from the first process creation data, and the process corresponding to the first parent process ID is taken as the first parent process of the shell process to be detected.
Step S420: acquire second process creation data corresponding to the first parent process, and search for the second parent process based on the second process creation data; the second parent process is the parent process of the first parent process.
Specifically, the first parent process ID of the first parent process is obtained, the process creation data whose child process ID is the first parent process ID is taken as the second process creation data, the second parent process ID is extracted from it, and the process corresponding to the second parent process ID is taken as the second parent process of the first parent process.
Step S430: repeat the steps of acquiring process creation data and searching for a parent process until the source process of the target process call chain corresponding to the shell process to be detected is found.
For example, if the current process ID is 66, the first process creation data whose child process ID is 66 is looked up and its parent process ID, say 77, is extracted; then the second process creation data whose child process ID is 77 is looked up; and so on, until the source process of the target process call chain corresponding to the current process ID is found.
Step S440: obtain the target process call chain corresponding to the shell process to be detected from the shell process to be detected, the source process and all the parent processes found.
Through steps S410 to S440, the first process creation data corresponding to the shell process to be detected is acquired and the first parent process is found from it; the second process creation data corresponding to the first parent process is acquired and the second parent process is found from it; acquiring creation data and searching for the parent is repeated until the source process of the target process call chain is found; and the target process call chain is obtained from the shell process to be detected, the source process and all the parent processes found. By searching step by step for the parent of the current process through the process creation data, the complete target process call chain can be restored, the execution process of the rebound shell can be traced back along that chain, the way an attacker used the rebound shell to intrude on the web server becomes known, and targeted defensive measures can be taken, improving the security of the web server.
In some of these embodiments, the process creation data comprises a parent process path, a parent process ID, a child process path, a child process ID, parent process command line parameters and child process command line parameters.
In some embodiments, step S410 comprises: obtaining the current process ID of the shell process to be detected, obtaining the first process creation data whose child process ID is the current process ID, extracting the first parent process ID and the first parent process path from the first process creation data, and locating, based on the first parent process path, the first parent process corresponding to the first parent process ID, which is the first parent process of the shell process to be detected.
In some embodiments, the parent process command line parameters and child process command line parameters may be used to determine the purpose for which a process was run. Specifically, after the target process call chain is determined to be a rebound shell process call chain, the process creation data corresponding to each node process in the chain is obtained, the parent and child process command line parameters are extracted from it, and the execution process of the rebound shell is determined from those parameters, so that the execution of the rebound shell can be traced.
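As an added example (not code from the patent), the following Python script carries out steps S410 to S440 on constructed process creation records, applies the S310/S320 comparison against a legal process list, and assembles alarm information containing each node's command line parameters; its terminal attribute check reads tty_nr from a /proc/<pid>/stat line, which is an assumed substitute for entering a terminal display command inside the shell. All records, stat lines, paths and the whitelist entry are constructed sample data.

```python
"""Added example, not the patent's own code: rebuild a detected shell's process
call chain from process creation records and classify it against a legal
process list (steps S410-S440 and S310/S320). Every record, stat line, path
and whitelist entry below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcessCreation:
    """One process creation record with the fields the description lists."""
    parent_path: str
    parent_pid: int
    child_path: str
    child_pid: int
    parent_cmdline: str
    child_cmdline: str


def has_terminal_attribute(stat_line: str) -> bool:
    """Terminal attribute from a /proc/<pid>/stat line: tty_nr != 0 (assumed
    stand-in for entering a terminal display command inside the shell).
    The comm field in parentheses may contain spaces, so split after ')'."""
    after_comm = stat_line[stat_line.rindex(")") + 1:].split()
    # Fields after comm: state, ppid, pgrp, session, tty_nr, ...
    return int(after_comm[4]) != 0


def build_call_chain(pid: int, records: Dict[int, ProcessCreation],
                     max_depth: int = 64) -> List[ProcessCreation]:
    """S410-S430: find the record whose child pid is the current pid, take its
    parent pid as the new current pid, repeat until no record exists. The parent
    of the last record is the source process. The seen-set and max_depth are an
    added safeguard against cycles in corrupted records."""
    chain: List[ProcessCreation] = []
    seen: Set[int] = set()
    current = pid
    while current in records and current not in seen and len(chain) < max_depth:
        seen.add(current)
        record = records[current]
        chain.append(record)
        current = record.parent_pid
    return chain


def chain_paths(chain: List[ProcessCreation]) -> List[str]:
    """S440: node processes in order: detected shell, each parent, source."""
    if not chain:
        return []
    return [chain[0].child_path] + [r.parent_path for r in chain]


def classify_chain(chain: List[ProcessCreation], legal: Set[str]) -> str:
    """S310/S320: a single node on the legal list makes the whole chain legal."""
    if any(path in legal for path in chain_paths(chain)):
        return "legal_shell_chain"
    return "rebound_shell_chain"


def analyse_shell(pid: int, stat_line: str, records: Dict[int, ProcessCreation],
                  legal: Set[str]) -> dict:
    """S210-S240 for one shell process; rebound shell chains get alarm data."""
    if has_terminal_attribute(stat_line):
        return {"pid": pid, "verdict": "terminal_access", "chain": []}
    chain = build_call_chain(pid, records)
    verdict = classify_chain(chain, legal)
    result = {"pid": pid, "verdict": verdict, "chain": chain_paths(chain)}
    if verdict == "rebound_shell_chain" and chain:
        # Alarm information: the chain plus every node's command line, which is
        # what lets the execution process be traced afterwards.
        command_lines = [r.child_cmdline for r in chain]
        command_lines.append(chain[-1].parent_cmdline)
        result["alarm"] = {"chain": result["chain"], "command_lines": command_lines}
    return result


# Constructed sample data. Chain A: a shell spawned under a web server worker
# (pid 66 -> 77 -> 88 -> 99, following the numeric example in the description).
# Chain B: a shell spawned by a registered remote-command service.
SAMPLE_RECORDS: Dict[int, ProcessCreation] = {r.child_pid: r for r in [
    ProcessCreation("/bin/sh", 77, "/bin/bash", 66, "sh -c [constructed]", "bash -i"),
    ProcessCreation("/usr/sbin/php-fpm", 88, "/bin/sh", 77,
                    "php-fpm: pool www", "sh -c [constructed]"),
    ProcessCreation("/usr/sbin/nginx", 99, "/usr/sbin/php-fpm", 88,
                    "nginx: master process", "php-fpm: pool www"),
    ProcessCreation("/opt/ops-agent/agent", 44, "/bin/bash", 55,
                    "agent --serve", "bash -c [constructed]"),
]}
LEGAL_PROCESSES: Set[str] = {"/opt/ops-agent/agent"}  # constructed whitelist
NO_TTY_STAT = "66 (bash) S 77 66 66 0 -1 4194560 0 0 0 0"     # tty_nr == 0
TTY_STAT = "123 (my shell) S 100 123 123 34816 123 0 0 0 0"  # a pts device

if __name__ == "__main__":
    for pid, stat in [(123, TTY_STAT), (66, NO_TTY_STAT), (55, NO_TTY_STAT)]:
        print(analyse_shell(pid, stat, SAMPLE_RECORDS, LEGAL_PROCESSES))
```

In a real deployment the records would come from the process creation capture described before step S210, keyed by child process ID, and the legal list from the registration step.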
In some embodiments, before obtaining the list of legitimate processes, the method for identifying a call chain of a resilient shell process further includes: and registering a plurality of legal processes without terminal attributes, and generating a legal process list based on the plurality of legal processes.
Furthermore, a legal process list is generated based on all legal processes in the system access process, so that the perfection degree of the legal process list is improved as much as possible, and the identification precision of the rebound shell is further ensured.
The legal process represents a normal process accessing the system in a non-terminal mode. The number of the legal processes is generally small, so that the legal processes can be exhausted, namely, all the legal processes used in the system can be directly registered, the perfection degree of a legal process list can be ensured, and the identification precision of the rebound shell can be further ensured.
In some embodiments, after determining that the target process call chain is a bounce shell process call chain, the method for identifying a bounce shell process call chain further includes: and sending alarm information to the user based on the call chain of the rebounding shell process, wherein the alarm information at least comprises the call chain of the rebounding shell process.
Further, the alarm information may further include an alarm type corresponding to the call chain of the bounce shell process and an alarm signal corresponding to the alarm type, where the alarm signal includes at least one of a light signal, an acoustic signal, and a vibration signal.
Further, the alarm may be performed through short messages, mails, etc., and the embodiment does not limit the specific alarm manner and way.
Furthermore, the alarm information may further include an emergency degree parameter of a network security event corresponding to the rebound shell process call chain and a network defense measure corresponding to the emergency degree parameter, so that after receiving the alarm information, a network maintainer or a network maintenance platform executes a network protection process based on the emergency degree parameter and the corresponding network defense measure, preferentially processes the network security event with a higher emergency degree parameter, and further improves the security of the website server.
In some of the embodiments, fig. 5 is a flowchart of detecting whether a shell process to be detected has a terminal attribute in this embodiment, and as shown in fig. 5, the flowchart includes the following steps.
Step S510: input a terminal display command in the shell process to be detected, and judge whether a terminal identifier is displayed.
Further, the terminal display command may be the tty command or another terminal display command; this embodiment does not limit it, as long as it can be determined whether the shell process to be detected has the terminal attribute.
Step S520: if the terminal identifier is displayed, judge that the shell process to be detected has the terminal attribute.
Step S530: if the terminal identifier is not displayed, judge that the shell process to be detected does not have the terminal attribute.
It should be noted that if the terminal identifier is displayed, the shell process to be detected accesses the system in a terminal mode, so it is judged to have the terminal attribute; if the terminal identifier is not displayed, the shell process to be detected accesses the system in a non-terminal mode, so it is judged not to have the terminal attribute.
Through steps S510 to S530, a terminal display command is input in the shell process to be detected and it is judged whether a terminal identifier is displayed; if it is displayed, the shell process to be detected is judged to have the terminal attribute, and if not, it is judged not to have it. Whether the shell process to be detected has the terminal attribute can thus be determined simply and quickly by inputting a terminal display command in it, which saves time in the subsequent rebound shell identification and improves the efficiency of identifying the rebound shell process call chain.
The present embodiment is described and illustrated below by way of a specific embodiment, which includes the following steps.
Step 1: register a plurality of legal processes without terminal attributes, and generate a legal process list based on those legal processes.
Step 2: acquire a shell process to be detected, and detect whether it has a terminal attribute; if it has the terminal attribute, the shell process to be detected accesses the system through a terminal.
Step 3: if the shell process to be detected does not have the terminal attribute, acquire the target process call chain corresponding to it. Acquiring the target process call chain includes: acquiring first process creation data corresponding to the shell process to be detected, and searching for the first parent process of the shell process to be detected based on that data, the first parent process being the parent process of the shell process to be detected; acquiring second process creation data corresponding to the first parent process, and searching for the second parent process based on that data, the second parent process being the parent process of the first parent process; repeating the steps of acquiring process creation data and searching for a parent process until the source process of the target process call chain corresponding to the shell process to be detected is found; and obtaining the target process call chain corresponding to the shell process to be detected from the shell process to be detected, the source process and all the parent processes found.
Step 4: obtain a legal process list, and compare each node process in the target process call chain with the legal process list to obtain a comparison result; the legal process list includes a plurality of legal processes without terminal attributes.
Step 5: identify, based on the comparison result, whether the target process call chain is a rebound shell process call chain; if at least one node process in the target process call chain is in the legal process list, the target process call chain is determined to be a legal shell process call chain; if none of the node processes in the target process call chain is in the legal process list, the target process call chain is determined to be a rebound shell process call chain.
Step 6: send alarm information to the user based on the rebound shell process call chain, where the alarm information at least includes the rebound shell process call chain.
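The call-chain reconstruction of steps S410 to S440, the command-line tracing, and the six-step procedure above, as an added Python example that is not the patent's own code: process creation records carrying the six fields named earlier are walked from the shell to the source process, each node is compared with the legal process list, and a rebound shell verdict produces an alarm that carries the chain and its command lines. The sample event records, the legal process list, the rule that the source process is the first ancestor with no creation record, and the terminal attribute arriving as an input flag are assumptions of this example.

```python
"""Added example, not the patent's own code: rebound shell call-chain
reconstruction and classification following steps 1-6 of the embodiment.
Assumptions (not from the patent): creation data is a list of records with
the six fields the patent names; the source process is the first ancestor
with no creation record; the terminal attribute arrives as a flag (on Linux
a non-zero tty_nr field in /proc/<pid>/stat means a controlling terminal).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessCreation:
    """One process creation event carrying the six fields the patent lists."""
    parent_path: str
    parent_pid: int
    child_path: str
    child_pid: int
    parent_cmdline: str
    child_cmdline: str


@dataclass(frozen=True)
class ProcessNode:
    pid: int
    path: str
    cmdline: str


# Step 1: registered legal processes that reach the system without a
# terminal (constructed sample; a real deployment registers its own).
LEGAL_PROCESSES = frozenset({"/usr/sbin/cron", "/usr/lib/systemd/systemd"})

# Constructed sample creation data. Chain A: an nginx worker spawns an
# interactive shell, the shape a rebound shell planted through a web
# application leaves behind. Chain B: cron runs a backup script via a shell.
SAMPLE_EVENTS = [
    ProcessCreation("/usr/sbin/nginx", 800, "/usr/sbin/nginx", 801,
                    "nginx: master process", "nginx: worker process"),
    ProcessCreation("/usr/sbin/nginx", 801, "/bin/sh", 2310,
                    "nginx: worker process", "sh -i"),
    ProcessCreation("/usr/sbin/cron", 600, "/bin/sh", 2400,
                    "/usr/sbin/cron -f", "sh -c /opt/backup.sh"),
]


def build_call_chain(events: List[ProcessCreation],
                     shell_pid: int) -> List[ProcessNode]:
    """Steps S410-S440: follow parent links from the shell up to the source.

    Returns [shell, parent, grandparent, ..., source]. A PID met twice
    (corrupt or looping data) ends the walk instead of spinning forever.
    """
    by_child = {ev.child_pid: ev for ev in events}  # S410: record keyed by child ID
    ev = by_child.get(shell_pid)
    if ev is None:
        raise LookupError(f"no creation data for pid {shell_pid}")
    chain = [ProcessNode(shell_pid, ev.child_path, ev.child_cmdline)]
    seen = {shell_pid}
    while ev.parent_pid not in seen:
        chain.append(ProcessNode(ev.parent_pid, ev.parent_path, ev.parent_cmdline))
        seen.add(ev.parent_pid)
        ev = by_child.get(ev.parent_pid)
        if ev is None:  # no record for this ancestor: it is the source process
            break
    return chain


def classify_shell(events: List[ProcessCreation], shell_pid: int, has_tty: bool,
                   legal=LEGAL_PROCESSES) -> Tuple[str, List[ProcessNode]]:
    """Steps 2-5: 'terminal', 'legal' or 'rebound_shell', plus the chain."""
    if has_tty:  # Step 2: the shell came in through a terminal; not examined
        return "terminal", []
    chain = build_call_chain(events, shell_pid)  # Step 3
    hits = [n for n in chain if n.path in legal]  # Step 4: nodes vs. legal list
    return ("legal" if hits else "rebound_shell"), chain  # Step 5


def execution_trace(chain: List[ProcessNode]) -> str:
    """Command lines from source to shell: the traceback the patent describes."""
    return " -> ".join(f"{n.path}[{n.pid}] {n.cmdline}" for n in reversed(chain))


def alarm_message(events: List[ProcessCreation], shell_pid: int,
                  has_tty: bool) -> Optional[str]:
    """Step 6: alarm text carrying the rebound shell call chain, else None."""
    verdict, chain = classify_shell(events, shell_pid, has_tty)
    if verdict != "rebound_shell":
        return None
    return f"ALERT rebound shell pid={shell_pid}: {execution_trace(chain)}"
```

With the sample data, the shell under pid 2310 is flagged because no node between it and the nginx master process is registered, while the cron-spawned shell under pid 2400 is accepted because cron is in the list.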
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here. For example, referring to fig. 3, the execution sequence of step S310 and step S320 may be interchanged, that is, step S310 may be executed first, and then step S320 may be executed; step S320 may be performed first, and then step S310 may be performed. For another example, in conjunction with fig. 5, the order of step S520 and step S530 may also be interchanged.
This embodiment further provides a device for identifying a rebound shell process call chain, which is used to implement the above embodiments and preferred embodiments; what has already been described is not repeated. The terms "module", "unit", "subunit" and the like used below may implement a combination of software and/or hardware for a predetermined function. Although the devices described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 6 is a block diagram of the structure of the device for identifying a rebound shell process call chain according to this embodiment; as shown in Fig. 6, the device includes the following.
The process detection module 610 is used for acquiring the shell process to be detected and detecting whether the shell process to be detected has the terminal attribute; and if the shell process to be detected has the terminal attribute, indicating that the shell process to be detected accesses the system through the terminal.
The call chain obtaining module 620 is configured to obtain the target process call chain corresponding to the shell process to be detected if the shell process to be detected does not have the terminal attribute.
The process comparison module is configured to obtain a legal process list and compare each node process in the target process call chain with the legal process list to obtain a comparison result; the legal process list includes a plurality of legal processes without terminal attributes.
The call chain identification module 630 is configured to identify, based on the comparison result, whether the target process call chain is a rebound shell process call chain.
In some of these embodiments, the call chain identification module 630 includes a first identification unit and a second identification unit.
The first identification unit is configured to determine that the target process call chain is a legal shell process call chain if at least one node process in the target process call chain is in the legal process list.
The second identification unit is configured to determine that the target process call chain is a rebound shell process call chain if none of the node processes in the target process call chain is in the legal process list.
In some embodiments, the call chain obtaining module 620 includes a first searching unit, a second searching unit, a third searching unit and a call chain obtaining unit.
The first searching unit is used for acquiring first process creation data corresponding to the shell process to be detected and searching a first parent process corresponding to the shell process to be detected based on the first process creation data; the first parent process represents a parent process of the shell process to be detected.
The second searching unit is used for acquiring second process creation data corresponding to the first parent process and searching a second parent process corresponding to the first parent process based on the second process creation data; the second parent process represents the parent process of the first parent process.
The third searching unit is configured to repeat the steps of acquiring process creation data and searching for a parent process until the source process of the target process call chain corresponding to the shell process to be detected is found.
The call chain obtaining unit is configured to obtain the target process call chain corresponding to the shell process to be detected from the shell process to be detected, the source process and all the parent processes found.
In some embodiments, the device for identifying a rebound shell process call chain further includes a legal process registration module, configured to register a plurality of legal processes without terminal attributes and generate a legal process list based on those legal processes.
In some embodiments, the device for identifying a rebound shell process call chain further includes a rebound shell alarm module, configured to send alarm information to the user based on the rebound shell process call chain, where the alarm information at least includes the rebound shell process call chain.
In some embodiments, the process detection module 610 includes a terminal identification detection unit, a first process detection unit, and a second process detection unit.
The terminal identifier detection unit is configured to input a terminal display command in the shell process to be detected and judge whether a terminal identifier is displayed.
The first process detection unit is configured to judge that the shell process to be detected has the terminal attribute if the terminal identifier is displayed.
The second process detection unit is configured to judge that the shell process to be detected does not have the terminal attribute if the terminal identifier is not displayed.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
There is also provided in this embodiment an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, acquiring a shell process to be detected, and detecting whether it has a terminal attribute; if the shell process to be detected has the terminal attribute, it accesses the system through a terminal.
S2, if the shell process to be detected does not have the terminal attribute, acquiring the target process call chain corresponding to it.
S3, obtaining a legal process list, and comparing each node process in the target process call chain with the legal process list to obtain a comparison result; the legal process list comprises a plurality of legal processes without terminal attributes.
S4, identifying whether the target process calling chain is a rebound shell process calling chain or not based on the comparison result.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, and details are not described again in this embodiment.
In addition, in combination with the method for identifying a rebound shell process call chain provided in the above embodiments, a storage medium may also be provided to implement the method of this embodiment. The storage medium stores a computer program which, when executed by a processor, implements any of the above embodiments of the method for identifying a rebound shell process call chain.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the patent protection. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A method for identifying a rebound shell process call chain, the method comprising:
acquiring a shell process to be detected, and detecting whether the shell process to be detected has a terminal attribute; if the shell process to be detected has the terminal attribute, the shell process to be detected accesses a system through a terminal;
if the shell process to be detected does not have the terminal attribute, acquiring a target process calling chain corresponding to the shell process to be detected;
obtaining a legal process list, and comparing each node process in the target process calling chain with the legal process list to obtain a comparison result; the legal process list comprises a plurality of legal processes without terminal attributes;
and identifying whether the target process calling chain is a rebounding shell process calling chain or not based on the comparison result.
2. The method of claim 1, wherein identifying whether the target process call chain is a rebound shell process call chain based on the comparison result comprises:
if at least one node process in the target process call chain is in the legal process list, determining that the target process call chain is a legal shell process call chain;
and if all the node processes in the target process call chain are not in the legal process list, determining that the target process call chain is a rebound shell process call chain.
3. The method according to claim 1, wherein the obtaining of the target process call chain corresponding to the shell process to be detected comprises:
acquiring first process creation data corresponding to the shell process to be detected, and searching for a first parent process corresponding to the shell process to be detected based on the first process creation data; the first parent process being the parent process of the shell process to be detected;
acquiring second process creation data corresponding to the first parent process, and searching for a second parent process corresponding to the first parent process based on the second process creation data; the second parent process being the parent process of the first parent process;
repeating the steps of acquiring process creation data and searching for a parent process until the source process of the target process call chain corresponding to the shell process to be detected is found;
and obtaining the target process call chain corresponding to the shell process to be detected based on the shell process to be detected, the source process and all the parent processes found.
4. The method of claim 1, wherein prior to said obtaining the list of legitimate processes, the method further comprises:
registering a plurality of legal processes without terminal attributes, and generating the legal process list based on the plurality of legal processes.
5. The method of claim 2, wherein after the determining that the target process call chain is a rebound shell process call chain, the method further comprises:
sending alarm information to a user based on the rebound shell process call chain, wherein the alarm information at least comprises the rebound shell process call chain.
6. The method according to claim 1, wherein the detecting whether the shell process to be detected has the terminal attribute comprises:
inputting a terminal display command in the shell process to be detected, and judging whether a terminal identifier is displayed or not;
if the terminal identification is displayed, judging that the shell process to be detected has the terminal attribute;
and if the terminal identification is not displayed, judging that the shell process to be detected does not have the terminal attribute.
7. An apparatus for identifying a rebound shell process call chain, the apparatus comprising:
the process detection module is used for acquiring the shell process to be detected and detecting whether the shell process to be detected has the terminal attribute; if the shell process to be detected has the terminal attribute, the shell process to be detected accesses a system through a terminal;
a calling chain obtaining module, configured to obtain a target process calling chain corresponding to the shell process to be detected if the shell process to be detected does not have the terminal attribute;
the process comparison module is used for acquiring a legal process list and comparing each node process in the target process calling chain with the legal process list to obtain a comparison result; the legal process list comprises a plurality of legal processes without terminal attributes;
and the calling chain identification module is used for identifying whether the target process calling chain is a rebound shell process calling chain or not based on the comparison result.
8. The apparatus of claim 7, wherein the call chain identification module comprises a first identification unit and a second identification unit, wherein:
a first identification unit, configured to determine that the target process call chain is a legal shell process call chain if at least one node process in the target process call chain is in the legal process list;
and the second identification unit is used for determining that the target process calling chain is a rebound shell process calling chain if all the node processes in the target process calling chain are not in the legal process list.
9. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and the processor is configured to execute the computer program to perform the method of identifying a rebounding shell process call chain of any of claims 1 to 6.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for identification of a chain of resilient shell process calls of any of claims 1 to 6.
CN202110310397.4A 2021-03-23 2021-03-23 Identification method and device for rebound shell process call chain and electronic device Active CN113515743B (en)

Publications (2)

Publication Number Publication Date
CN113515743A true CN113515743A (en) 2021-10-19
CN113515743B CN113515743B (en) 2024-03-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant