CN113646763A - Detection method and device of shellcode - Google Patents


Info

Publication number
CN113646763A
Authority
CN
China
Prior art keywords
memory page
operation behavior
preset memory
behavior
preset
Legal status (as listed by Google Patents; not a legal conclusion)
Granted
Application number
CN201980094806.2A
Other languages
Chinese (zh)
Other versions
CN113646763B (en
Inventor
徐贵斌
Current Assignee (as listed by Google Patents)
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Legal events
Application filed by Qax Technology Group Inc and Qianxin Safety Technology Zhuhai Co Ltd
Publication of CN113646763A
Application granted; publication of CN113646763B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a shellcode detection method and apparatus, a computer device and a non-volatile computer-readable storage medium, in the technical field of information network security. The operating system kernel and key specific memory pages are monitored so that abnormal operation behavior is detected in time and the execution of shellcode attacks is effectively discovered. The method comprises: monitoring the operation behavior of a preset memory page; and, if an operation behavior on the preset memory page occurs, judging the validity of that operation behavior so as to detect whether an attack executed by shellcode has occurred. The method is suitable for detecting shellcode.

Description

Detection method and device of shellcode
Technical Field
The present application relates to the field of information network security technologies, and in particular to a shellcode detection method, an apparatus, a computer device, and a non-volatile computer-readable storage medium.
Background
Windows operating system vulnerabilities appear continuously, and attacks that exploit them seriously threaten enterprises and users. For example, the EternalBlue family of vulnerabilities was used to propagate malware and brought a wave of attacks: ransomware spread through EternalBlue to many countries, many governments and enterprises were brought to a halt, and great economic loss resulted.
In general, shellcode that executes as attack payload uses system APIs, and these APIs are exported by specific system DLLs. An attacker could therefore hardcode the required API addresses directly into the shellcode, which kept the shellcode simple and convenient. To prevent system vulnerabilities from being exploited, various countermeasures have emerged, and the ASLR technology developed by Microsoft plays a significant role in resisting such attacks. ASLR randomizes addresses so that the load addresses of the system kernel, modules and DLLs are not fixed but land at random memory addresses; an API address on the attacker's machine therefore no longer matches the address on the victim's machine, which raises the complexity of writing shellcode and the difficulty for the attacker.
Although ASLR is one of the most effective protection mechanisms in current operating systems, techniques for bypassing it are continuously being developed. For the techniques that obtain system API addresses by bypassing ASLR, however, no effective protection exists at present, so the attack executed by the attacker's shellcode is difficult to detect and its execution cannot be discovered in time.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for detecting shellcode, a computer device, and a non-volatile computer-readable storage medium, with the main aim of monitoring the operating system kernel and key specific memory pages so as to detect abnormal operation behavior in time and effectively discover the execution of shellcode attacks.
According to one aspect of the application, a shellcode detection method is provided, comprising the following steps:
monitoring the operation behavior of a preset memory page;
and if an operation behavior on the preset memory page occurs, judging the validity of that operation behavior so as to detect whether an attack executed by shellcode has occurred.
According to another aspect of the present application, a shellcode detection apparatus is provided, the apparatus comprising:
a monitoring unit, configured to monitor the operation behavior of a preset memory page;
and a judging unit, configured to judge, if an operation behavior on the preset memory page occurs, the validity of that operation behavior so as to detect whether an attack executed by shellcode has occurred.
According to yet another aspect of the present application, a non-transitory computer-readable storage medium is provided having computer-readable instructions stored thereon, the instructions when executed by a processor implementing the steps of: monitoring the operation behavior of a preset memory page; and if an operation behavior on the preset memory page occurs, judging the validity of that operation behavior so as to detect whether an attack executed by shellcode has occurred.
According to yet another aspect of the present application, a computer device is provided comprising a memory, a processor, and computer-readable instructions stored on the memory and executable on the processor, the processor implementing the following steps when executing the instructions: monitoring the operation behavior of a preset memory page; and if an operation behavior on the preset memory page occurs, judging the validity of that operation behavior so as to detect whether an attack executed by shellcode has occurred.
By means of this technical solution, compared with relying on ASLR alone against shellcode in the prior art, the embodiment exploits the fact that shellcode must perform a specific operation on the preset memory page when it mounts its attack, and only afterwards fetches the export table to find the specific API; the operation behavior of the preset memory page is therefore monitored. At the same time, an operation on the preset memory page does not by itself prove that a shellcode attack is under way, so the validity of the operation behavior is further judged to detect whether an attack executed by shellcode has occurred. Abnormal operation behavior is thus detected in time and the execution of the attack is effectively discovered.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a schematic flow chart of a detection method of shellcode provided by an embodiment of the present application;
fig. 2a illustrates a code diagram corresponding to a normal operation behavior of a preset memory page according to an embodiment of the present application;
fig. 2b illustrates a code diagram corresponding to a normal operation behavior of another preset memory page provided in the embodiment of the present application;
fig. 2c illustrates a code diagram corresponding to a normal operation behavior of another preset memory page according to an embodiment of the present application;
fig. 2d illustrates a code diagram corresponding to a normal operation behavior of another preset memory page provided in the embodiment of the present application;
fig. 3a is a schematic flowchart illustrating a process of monitoring an operation behavior of a preset memory page according to an embodiment of the present application;
fig. 3b is a schematic flowchart illustrating another process for monitoring operation behavior of a preset memory page according to an embodiment of the present application;
fig. 3c is a schematic flowchart illustrating another process for monitoring operation behavior of a preset memory page according to an embodiment of the present application;
fig. 4 is a schematic flow chart illustrating another shellcode detection method provided in an embodiment of the present application;
fig. 5 is a schematic structural diagram illustrating a detection apparatus of shellcode according to an embodiment of the present application;
fig. 6 is a schematic structural diagram illustrating another shellcode detection apparatus according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram illustrating another shellcode detection apparatus according to an embodiment of the present disclosure;
fig. 8 shows a schematic structural diagram of another shellcode detection apparatus according to an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In order to solve the above technical problem, an embodiment of the present application provides a detection method for shellcode, which can detect an abnormal operation behavior in time and effectively discover execution of an attack behavior, and as shown in fig. 1, the method includes:
101. Monitor the operation behavior of the preset memory page.
The operation behavior on the preset memory page may be any operation performed on the memory contents of the preset memory page, for example a read operation, a write operation or an execute operation; the embodiment does not limit this.
In this embodiment, the preset memory page is generally a memory page that shellcode may use when executing an attack, and the attack executed by shellcode is carried out by operating on the preset memory page. Shellcode is a piece of code (it may also be filler data) that is executed by exploiting a software bug, typically given as hexadecimal machine code; the name comes from the fact that attackers often use it to obtain a shell.
102. If an operation behavior on the preset memory page occurs, judge the validity of that operation behavior so as to detect whether an attack executed by shellcode has occurred.
It should be noted that an operation on the preset memory page generated by the system's normal operation and an operation on the same page generated by a shellcode attack arise from completely different processes. For example, a write to the preset memory page by normal system operation is performed by calling a function A; the shellcode author does not know, or has no legitimate way, to call function A, and so produces the write on the preset memory page by other means in order to obtain the kernel base address and, from it, the required API address.
Therefore, after an operation behavior on the preset memory page occurs, the validity of that operation behavior is judged and normal operation behaviors are excluded, so that it can be detected whether an abnormal operation behavior, that is, an attack executed by shellcode, has occurred.
Compared with relying on ASLR alone against shellcode in the prior art, the embodiment exploits the fact that shellcode must perform a specific operation on the preset memory page when it mounts its attack, and only afterwards fetches the export table to find the specific API. At the same time, an operation on the preset memory page does not by itself prove that a shellcode attack is under way, so the validity of the operation behavior is further judged to detect whether an attack executed by shellcode has occurred; abnormal operation behavior is thus detected in time and the execution of the attack is effectively discovered.
As described in the background, many anti-ASLR techniques have been developed. The methods of bypassing ASLR to obtain system API addresses include, but are not limited to, the following:
1. IDT Scandown
example code one: [figure PCTCN2019100899-APPB-000001, not reproduced]
example code two: [figure PCTCN2019100899-APPB-000002, not reproduced]
2. KPRCB IdleThread Scandown
example code: [figure PCTCN2019100899-APPB-000003, not reproduced]
3. SYSENTER_EIP_MSR Scandown
example code: [figure PCTCN2019100899-APPB-000004, not reproduced]
4. Known Portable Base Scandown
example code: [figure PCTCN2019100899-APPB-000005, not reproduced]
It can be understood that, although the above attack techniques differ from one another, they share the same underlying principle.
For shellcode attacking at the kernel layer, some address within kernel space is first located through one of these anchor points (an IDT entry, the idle thread in the KPRCB, the SYSENTER EIP MSR, or a known base). From that address the shellcode scans toward lower addresses one whole page at a time until it finds the executable-file identification mark 0x5a4d ("MZ"); that location is the kernel base address. From the base it locates the export table and takes the address of the exported function it needs.
For shellcode attacking at the application layer, the module base address can be located through the PEB without any memory search, but the 0x5a4d identification mark of the executable file still has to be located, after which the export table is found and the specific API looked up.
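The scan-down and export walk just described, as an added example written for this page (not code from the patent): it builds a constructed, minimal PE32+ image in memory, locates the image base from an anchor address by reading the first word of each page downward until 0x5a4d and a valid "PE\0\0" signature are found, and then resolves an export by name through the export directory. The image layout, the anchor address and the export names are constructed for the example; the application-layer PEB route is not shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE            0x1000u
#define IMAGE_DOS_SIGNATURE  0x5a4d      /* "MZ" */
#define IMAGE_NT_SIGNATURE   0x00004550  /* "PE\0\0" */
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0

/* Unaligned little-endian accessors; every read the scan makes goes through rd16/rd32. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Constructed stand-in for a loaded kernel image: three pages, headers in page 0,
 * export directory in page 1, two "functions" in page 2. Field offsets follow the
 * PE32+ layout (IMAGE_DOS_HEADER, IMAGE_NT_HEADERS64, IMAGE_EXPORT_DIRECTORY). */
static uint8_t g_backing[4 * PAGE_SIZE];

uint8_t *build_fake_image(void)
{
    uint8_t *img = (uint8_t *)(((uintptr_t)g_backing + PAGE_SIZE - 1) & ~(uintptr_t)(PAGE_SIZE - 1));
    memset(img, 0, 3 * PAGE_SIZE);
    wr16(img + 0x00, IMAGE_DOS_SIGNATURE);
    wr32(img + 0x3c, 0x80);                 /* e_lfanew -> IMAGE_NT_HEADERS */
    wr32(img + 0x80, IMAGE_NT_SIGNATURE);
    wr16(img + 0x84, 0x8664);               /* FileHeader.Machine = AMD64 */
    wr16(img + 0x98, 0x20b);                /* OptionalHeader.Magic = PE32+ */
    wr32(img + 0x98 + 108, 16);             /* NumberOfRvaAndSizes */
    wr32(img + 0x98 + 112, 0x1000);         /* DataDirectory[EXPORT].VirtualAddress */
    wr32(img + 0x98 + 116, 0xb0);           /* DataDirectory[EXPORT].Size */
    uint8_t *exp = img + 0x1000;            /* IMAGE_EXPORT_DIRECTORY */
    wr32(exp + 12, 0x1070);                 /* Name */
    wr32(exp + 16, 1);                      /* Base (first ordinal) */
    wr32(exp + 20, 2);                      /* NumberOfFunctions */
    wr32(exp + 24, 2);                      /* NumberOfNames */
    wr32(exp + 28, 0x1040);                 /* AddressOfFunctions */
    wr32(exp + 32, 0x1050);                 /* AddressOfNames */
    wr32(exp + 36, 0x1060);                 /* AddressOfNameOrdinals */
    wr32(img + 0x1040, 0x2000); wr32(img + 0x1044, 0x2100);   /* function RVAs */
    wr32(img + 0x1050, 0x1080); wr32(img + 0x1054, 0x1090);   /* name-string RVAs */
    wr16(img + 0x1060, 0);      wr16(img + 0x1062, 1);        /* unbiased ordinals */
    strcpy((char *)img + 0x1070, "fake.sys");
    strcpy((char *)img + 0x1080, "ExAllocatePool");
    strcpy((char *)img + 0x1090, "MmGetSystemRoutineAddress");
    return img;
}

/* Scan-down: from an anchor known to lie inside the image, walk back one page at a
 * time until a page starts with "MZ" whose e_lfanew points at "PE\0\0". `lowest`
 * bounds the walk so the demo never leaves its own buffer; real shellcode has no
 * such bound and simply keeps reading page starts until it hits the header. */
const uint8_t *scan_down_for_base(const uint8_t *anchor, const uint8_t *lowest, unsigned *pages_read)
{
    const uint8_t *p = (const uint8_t *)((uintptr_t)anchor & ~(uintptr_t)(PAGE_SIZE - 1));
    *pages_read = 0;
    for (;;) {
        (*pages_read)++;
        if (rd16(p) == IMAGE_DOS_SIGNATURE) {           /* the 0x5a4d read a detector watches for */
            uint32_t e_lfanew = rd32(p + 0x3c);
            if (e_lfanew < PAGE_SIZE - 4 && rd32(p + e_lfanew) == IMAGE_NT_SIGNATURE)
                return p;
        }
        if (p <= lowest) return NULL;
        p -= PAGE_SIZE;
    }
}

/* Export walk: the PE32+ OptionalHeader starts 24 bytes after the NT signature and
 * its DataDirectory at offset 112; resolve an export name to its address. */
const uint8_t *resolve_export(const uint8_t *base, const char *name)
{
    const uint8_t *opt = base + rd32(base + 0x3c) + 4 + 20;
    uint32_t exp_rva = rd32(opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT);
    if (exp_rva == 0) return NULL;
    const uint8_t *exp = base + exp_rva;
    uint32_t n_names = rd32(exp + 24);
    uint32_t funcs = rd32(exp + 28), names = rd32(exp + 32), ords = rd32(exp + 36);
    for (uint32_t i = 0; i < n_names; i++) {
        const char *s = (const char *)(base + rd32(base + names + 4 * i));
        if (strcmp(s, name) == 0)
            return base + rd32(base + funcs + 4 * rd16(base + ords + 2 * i));
    }
    return NULL;
}

int main(void)
{
    uint8_t *img = build_fake_image();
    unsigned pages = 0;
    /* Anchor: pretend an IDT/KPRCB/MSR leak gave us an address inside the image. */
    const uint8_t *base = scan_down_for_base(img + 0x2100, img, &pages);
    printf("base found at +0x%lx after %u page reads\n", (unsigned long)(base - img), pages);
    const uint8_t *fn = resolve_export(base, "MmGetSystemRoutineAddress");
    printf("MmGetSystemRoutineAddress -> base+0x%lx\n", (unsigned long)(fn - base));
    return 0;
}
```

Note where the detector gets its foothold: the only access the scan makes to the base page before it knows it is the base page is the 16-bit read at offset 0, so a monitor armed on that page sees the scan at the moment of the 0x5a4d read, before the export table has been touched.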
At present no effective protection exists against bypassing ASLR, so the abnormal behavior of attackers is hard to detect and the execution of shellcode attacks cannot be discovered in time. The core technical principle of this embodiment is therefore the point at which the attacker is stuck: to find the MZ mark of the kernel or the base address of a system DLL module, the attacker must read 0x5a4d. Monitoring the operation behavior of the preset memory page means monitoring the act of reading 0x5a4d in that page, which provides a preliminary screen for shellcode.
It should be noted that, as follows from the attack techniques, shellcode can locate the kernel base address by reading 0x5a4d, but a read of 0x5a4d does not necessarily indicate a shellcode attack: there are two normal operation behaviors that read 0x5a4d. The first occurs when a system module is loaded and initialized, as shown in fig. 2a. The second occurs when MmGetSystemRoutineAddress, the function the system provides for dynamically obtaining API addresses, is called, as shown in fig. 2b. Moreover, the operation the system performs on the preset memory page through normal behavior differs from the operation shellcode performs on it through abnormal behavior. For example, in the kernel (ring 0) the system obtains the kernel base address from the global variable PsNtosImageBase and calls the system API RtlImageNtHeaderEx to do its work; the read of 0x5a4d it performs only verifies the correctness of the kernel base address and does not discover it, as shown in figs. 2c and 2d.
Kernel shellcode does not know, and has no legitimate way to obtain, the kernel base address, and has to obtain it indirectly by locating 0x5a4d through a memory scan. In this embodiment, therefore, a read of 0x5a4d is distinguished as normal system behavior or not by checking whether it originates from RtlImageNtHeaderEx or from something else: reads originating from RtlImageNtHeaderEx are all treated as normal behavior, and the remaining reads are judged to be abnormal behavior, that is, attacks executed by shellcode.
In addition, the operation behavior of the preset memory page has only been illustrated with the kernel behavior of the operating system; the behaviors at the application layer differ slightly, but the principle is the same and the effectiveness and feasibility of the technique are unaffected. Reading 0x5a4d is a low-frequency behavior that can be clearly distinguished in any scenario, and when a new legitimate operation behavior appears the embodiment only needs to add the corresponding API-call feature for identification; it is not limited to recognizing reads of 0x5a4d by RtlImageNtHeaderEx.
It can be understood that any method may be used to monitor the operation behavior of the preset memory page. The implementation of three specific memory-monitoring methods is described by way of example, but practical application is not limited to these three; other memory-monitoring methods may also be used, for example monitoring implemented by the CPU, by hardware, or by a virtual machine.
Further, to better describe the shellcode detection process, as a refinement and extension of the foregoing embodiment, the specific implementation of the first memory-monitoring method is shown in fig. 3a and includes:
1011. Set the preset memory page to a not-present (page-missing) state, so that an operation on the preset memory page triggers a page fault.
In general, memory contents are recorded in memory pages. If a preset memory page needs to be monitored, its attribute state is modified so that an access to it raises an exception, for example a read, write or execute exception; the exception on the preset memory page can then be used to monitor the operation behavior of that page.
Specifically, the preset memory page may be set to the not-present state. An access to a page in this state is treated by default as an access to an absent page: the operating system must bring the page into main memory before it can be accessed, and a page fault exception (page not present) is generated.
1012. Capture the system's page faults and monitor whether a page fault triggered by an operation on the preset memory page occurs.
Capturing the system's page faults means inspecting a specified function at the right moment, hooking the page fault exception by way of the system's own "copy-on-write" handling, and actively intercepting and modifying the behavior of memory within a specified range. This is an active interception and can stop the shellcode in time, before it executes its attack.
A page fault may be triggered by an operation on the preset memory page, but it may also be triggered by an operation on some other page that is not present, so the page involved in the fault must be further determined.
Specifically, when a captured page fault was triggered by an operation on a not-present page, the system, if no free physical frame is available, must select a page in memory for replacement, swap it out to the disk swap area, and load the missing page; the monitor can then use the address of the faulting page to determine whether it is the preset memory page, that is, the memory page at the kernel base address where 0x5a4d is located.
1013. If so, determine that an operation behavior on the preset memory page has occurred.
If a page fault triggered by an operation on the preset memory page occurs, it indicates that shellcode may have touched the preset memory page in the course of executing its attack. If, on the other hand, the page fault was not triggered by an operation on the preset memory page but by an operation on some other not-present page, the fault is released and handled normally.
Further, to better describe the shellcode detection process, as a refinement and extension of the foregoing embodiment, the specific implementation of the second memory-monitoring method is shown in fig. 3b and includes:
1014. Set the address of the preset memory page into a debug register, so that an operation on the preset memory page triggers a debug exception.
Specifically, the address of the preset memory page may be placed in one of the debug address registers DR0-DR3; DR7 enables or disables each breakpoint and sets its condition (the access type and length to watch), and when the condition is met an access to the corresponding memory address raises a debug exception.
1015. Capture the system's debug exceptions and monitor whether a debug exception triggered by an operation on the preset memory page occurs.
An operation on the preset memory page whose address was set in a debug register raises a debug exception. The page on which a debug exception occurs is not necessarily the preset memory page, however; the exception may come from a breakpoint set at some other address for debugging, so the page that caused the exception must be further determined.
Specifically, by capturing the system's debug exceptions: when a debug exception is triggered by an operation on a configured memory address, control passes to the debug exception handler as soon as execution touches the address marked with the breakpoint; the handler calls a preset function that generates and processes the corresponding exception signal, and it can then check whether the address set in the debug register is the address of the preset memory page, which determines whether the debug exception was triggered by an operation on the preset memory page.
1016. If so, determine that an operation behavior on the preset memory page has occurred.
Further, to better describe the shellcode detection process, as a refinement and extension of the foregoing embodiment, the specific implementation of the third memory-monitoring method is shown in fig. 3c and includes:
1017. Set a protection attribute flag on the preset memory page in which a key application-layer dynamic link library resides, so that an operation on the preset memory page triggers an exception.
When detecting shellcode at the application layer: a dynamic link library is mapped, as part of virtual memory, into the address space of the applications that use it and runs as part of those applications. Each DLL file consists of several sections, and the read/write attributes of its memory pages are set according to the attributes of each section. Here only the preset memory page where a key DLL resides needs to be given a protection attribute flag, which makes reads of the preset memory page observable.
In a specific application scenario, the memory page holding 0x5a4d of key DLLs such as ntdll.dll and kernel32.dll may be given the PAGE_GUARD attribute. PAGE_GUARD acts as the protection attribute flag for access: the application receives an exception notification when any byte in the page is accessed. Note that a guard page fires once; the system clears the PAGE_GUARD attribute when the exception is raised, so the monitor must re-arm the page after handling each notification if it is to see later accesses.
1018. Capture operation behavior on the memory page where the key DLL resides and monitor whether an exception triggered by an operation on the preset memory page occurs.
Because the protection attribute flag is set on the key DLL's page, exception handling starts as soon as an operation on the preset memory page where the key DLL resides occurs.
1019. If so, determine that an operation behavior on the preset memory page has occurred.
According to the present application, any of the memory-monitoring methods of figs. 3a to 3c can be used to monitor the operation behavior of the preset memory page, and when an operation behavior on the preset memory page occurs its validity is judged, so that it can be detected whether an attack executed by shellcode has occurred.
To further describe the specific implementation of judging the validity of an operation behavior on a preset memory page in order to detect whether an attack executed by shellcode has occurred, an embodiment of the present application provides another shellcode detection method, shown in fig. 4, which includes:
201. Monitor the operation behavior of the preset memory page.
202. If an operation behavior on the preset memory page occurs, query a preset behavior library for whether a normal operation behavior corresponding to the preset memory page exists.
The preset behavior library stores the normal operation behaviors applicable to the different preset memory pages; naturally these differ from page to page, for example the normal behavior for reading memory page A requires calling function m, while the normal behavior for writing memory page B requires calling function n.
203. If it exists, compare the operation behavior of the preset memory page with the normal operation behavior in the preset behavior library.
Normally, the operations on most preset memory pages have corresponding normal operation behaviors; for example, the normal operation behavior of reading 0x5a4d should be initiated by RtlImageNtHeader, RtlImageNtHeaderEx or another such API. By comparing the operation behavior of the preset memory page with the normal behavior in the preset behavior library, an operation that does not match is regarded as an attack executed by shellcode.
Some preset memory pages, however, have no corresponding normal operation behavior at all. For example, the EternalBlue shellcode seen in an actual security incident writes its attack code to the system's reserved memory page at address 0xffffffffffd00010 and executes it there. Under normal conditions there is no legitimate behavior that executes code at 0xffffffffffd00010, so as soon as an execute operation at that address is observed it is determined that shellcode is running. Therefore, to improve the detection rate of shellcode attacks, after querying the preset behavior library for a normal operation behavior corresponding to the preset memory page, if none exists the operation behavior on that page may be judged directly to be an attack executed by shellcode.
204a. Judge the operation behavior of a preset memory page whose comparison result is consistent to be a normal operation behavior.
204b. Judge the operation behavior of a preset memory page whose comparison result is inconsistent to be an attack executed by shellcode.
For an operation behavior on the preset memory page whose comparison result is consistent, the operation is a normal operation behavior. For an operation behavior whose comparison result is inconsistent, the operation is not a normal operation behavior and may be shellcode obtaining the kernel base address by operating on the preset memory; it is then determined that an attack executed by shellcode has occurred.
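The validity judgment of steps 201 to 204b, together with the accessor comparison discussed for figs. 2a to 2d, as an added example written for this page rather than the patent's own implementation: a small behavior library keyed by page, a judge() that yields the three outcomes (normal, attack because no normal behavior exists for the page, attack because the accessor or access kind does not match), and a constructed stream of access events of the kind a page-fault, debug-register or PAGE_GUARD monitor would deliver. The kernel base, the reserved-page address, the allowlist of legitimate accessors and the accessor attribution strings are assumptions for the example; a real monitor would derive the accessor from the faulting instruction's return address or symbol.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_MASK (~(uintptr_t)0xfff)

typedef enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4 } access_kind_t;

/* One captured access as a monitor would report it. `accessor` is the routine the
 * monitor attributed the access to (assumed: return-address or symbol lookup). */
typedef struct {
    uintptr_t     addr;
    access_kind_t kind;
    const char   *accessor;
} mem_event_t;

/* Preset behavior library: one rule per preset page. A rule with no allowed
 * accessor means "monitored, but no normal behavior exists" (step 202). */
#define MAX_ALLOWED 4
typedef struct {
    uintptr_t   page;
    unsigned    allowed_kinds;
    const char *allowed[MAX_ALLOWED];
} behavior_rule_t;

typedef enum {
    VERDICT_IGNORE,            /* not a preset page: the monitor is not armed here */
    VERDICT_NORMAL,            /* 204a: matches a library entry */
    VERDICT_ATTACK_NO_NORMAL,  /* 202: no normal behavior exists for this page */
    VERDICT_ATTACK_MISMATCH    /* 204b: accessor or access kind not in the library */
} verdict_t;

/* Constructed addresses: KBASE stands for a randomized ntoskrnl base; the second
 * page is the reserved region EternalBlue used for its kernel payload. */
#define KBASE          ((uintptr_t)0xfffff80001000000ull)
#define ETERNALBLUE_PG ((uintptr_t)0xffffffffffd00000ull)

static const behavior_rule_t g_library[] = {
    /* 0x5a4d page of the kernel image: only the header-validation paths may read it
       (assumed allowlist, following the discussion of figs. 2a-2d). */
    { KBASE, ACC_READ, { "RtlImageNtHeader", "RtlImageNtHeaderEx", "MmGetSystemRoutineAddress", NULL } },
    /* Reserved page: nothing legitimate reads, writes or executes it. */
    { ETERNALBLUE_PG, 0, { NULL } },
};

static const behavior_rule_t *find_rule(uintptr_t addr)
{
    uintptr_t page = addr & PAGE_MASK;
    for (size_t i = 0; i < sizeof g_library / sizeof g_library[0]; i++)
        if (g_library[i].page == page) return &g_library[i];
    return NULL;
}

verdict_t judge(const mem_event_t *ev)
{
    const behavior_rule_t *r = find_rule(ev->addr);
    if (!r) return VERDICT_IGNORE;
    if (!r->allowed[0]) return VERDICT_ATTACK_NO_NORMAL;
    if (!(r->allowed_kinds & ev->kind)) return VERDICT_ATTACK_MISMATCH;
    for (int i = 0; i < MAX_ALLOWED && r->allowed[i]; i++)
        if (ev->accessor && strcmp(ev->accessor, r->allowed[i]) == 0) return VERDICT_NORMAL;
    return VERDICT_ATTACK_MISMATCH;
}

const char *verdict_name(verdict_t v)
{
    static const char *names[] = { "ignore", "normal", "attack: no normal behavior", "attack: mismatch" };
    return names[v];
}

/* Constructed event stream; returns how many events were judged to be attacks. */
int run_demo(void)
{
    const mem_event_t events[] = {
        { KBASE,                 ACC_READ,  "RtlImageNtHeaderEx" },        /* base check via PsNtosImageBase */
        { KBASE,                 ACC_READ,  "MmGetSystemRoutineAddress" },
        { KBASE,                 ACC_READ,  "<unbacked:0xfffffa8003e1c0a4>" }, /* scan-down from shellcode */
        { KBASE,                 ACC_WRITE, "RtlImageNtHeaderEx" },        /* right caller, wrong access kind */
        { KBASE + 0x5000,        ACC_READ,  "anything" },                  /* not a preset page */
        { ETERNALBLUE_PG + 0x10, ACC_EXEC,  "<unbacked:0xffffffffffd00010>" },
    };
    int attacks = 0;
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        verdict_t v = judge(&events[i]);
        attacks += (v == VERDICT_ATTACK_NO_NORMAL || v == VERDICT_ATTACK_MISMATCH);
        const char *k = events[i].kind == ACC_EXEC ? "exec" : events[i].kind == ACC_WRITE ? "write" : "read";
        printf("%-5s %#18lx by %-32s -> %s\n", k, (unsigned long)events[i].addr, events[i].accessor, verdict_name(v));
    }
    return attacks;
}

int main(void) { printf("%d attack(s) detected\n", run_demo()); return 0; }
```

The library is deliberately a denylist-by-default structure: an armed page with no entry is treated as hostile on any touch, which is what makes the reserved-page case detectable without knowing the payload, while the kernel-header page needs both the access kind and the accessor to match before a read is cleared. New legitimate readers are added as further entries rather than by widening the match, so a false positive costs one library line rather than a loss of coverage.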
Further, as a specific implementation of the method shown in fig. 1, an embodiment of the present application provides a shellcode detection apparatus, and as shown in fig. 5, the apparatus includes: monitoring unit 31, determining unit 32.
The monitoring unit 31 may be configured to monitor an operation behavior of a preset memory page;
the determining unit 32 may be configured to, if an operation behavior of a preset memory page occurs, perform validity determination on the operation behavior of the preset memory page to detect whether an attack behavior executed by the shellcode occurs.
The present application provides a shellcode detection apparatus. Compared with the prior-art approach of relying on the ASLR technique to defeat shellcode, the embodiment exploits the fact that shellcode must perform specific operations on preset memory pages when carrying out an attack (for example, fetching the export table to locate a specific API), and uses memory monitoring technology to monitor the operation behaviors of the preset memory pages. Meanwhile, the occurrence of an operation behavior on a preset memory page does not by itself establish that shellcode is executing an attack; whether an attack behavior executed by shellcode occurs is detected by further judging the legality of the operation behavior of the preset memory page, so that abnormal operation behaviors are detected in time and the execution of attack behaviors is effectively discovered.
As a further description of the shellcode detection apparatus shown in fig. 5, fig. 6 is a schematic structural diagram of another shellcode detection apparatus according to an embodiment of the present application, and as shown in fig. 6, for an implementation process of monitoring operation behaviors of a preset memory page, the monitoring unit 31 includes:
a first setting module 311, configured to set the preset memory page to a page missing state, so that an operation behavior of the preset memory page triggers page missing interrupt;
the first monitoring module 312 may be configured to monitor whether a page fault interrupt triggered by an operation behavior on a preset memory page occurs by capturing a page fault interrupt of a system;
the first determining module 313 may be configured to determine that the operation behavior of the preset memory page occurs if a page fault interrupt triggered by the operation behavior of the preset memory page occurs.
In a specific application scenario, the first monitoring module 312 may be specifically configured to, by capturing a page fault interrupt of a system, determine whether a memory page replaced by a page fault memory is a preset memory page when the page fault interrupt is triggered due to an operation behavior on the page fault memory;
the first determining module 313 may be specifically configured to determine that a page fault interrupt triggered by an operation behavior on a preset memory page occurs if the memory page replaced by the page fault memory is the preset memory page, and determine that the operation behavior of the preset memory page occurs.
As a further description of the shellcode detection apparatus shown in fig. 5, fig. 7 is a schematic structural diagram of another shellcode detection apparatus according to an embodiment of the present application, and as shown in fig. 7, for an implementation process of another monitoring technology for monitoring operation behaviors of a preset memory page, the monitoring unit 31 includes:
a second setting module 314, configured to set an address of the preset memory page in a debug register, so that an operation behavior of the preset memory page triggers a debug interrupt;
the second monitoring module 315 may be configured to monitor whether a debug interrupt triggered by an operation behavior on a preset memory page occurs by capturing a debug interrupt of a system;
the second determining module 316 may be configured to determine that the operation behavior of the preset memory page occurs if a debug interrupt triggered by the operation behavior of the preset memory page occurs.
In a specific application scenario, the second monitoring module 315 may be specifically configured to, by capturing a debug interrupt of a system, determine whether a set memory address is an address of a preset memory page when the debug interrupt is triggered by an operation behavior on the set memory address;
the second determining module 316 may be specifically configured to, if the set memory address is an address of a preset memory page, determine that a debug interrupt triggered by an operation behavior on the preset memory page occurs, and determine that the operation behavior of the preset memory page occurs.
As a further description of the shellcode detection apparatus shown in fig. 5, fig. 8 is a schematic structural diagram of another shellcode detection apparatus according to an embodiment of the present application, and as shown in fig. 8, for another implementation process of monitoring operation behaviors of a preset memory page, the monitoring unit 31 includes:
a third setting module 317, configured to set a protection attribute flag on the preset memory page where an application-layer key dynamic link library is located, so that an operation behavior on the preset memory page triggers an exception;
a third monitoring module 318, configured to capture an operation behavior on a memory page where the key dynamic link library is located, and monitor whether an exception triggered by the operation behavior on a preset memory page occurs;
the third determining module 319 may be configured to determine that the operation behavior of the preset memory page occurs if an exception triggered by the operation behavior of the preset memory page occurs.
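As an added illustration (example code, not the patent's implementation), the following Linux user-mode C program models the protection-attribute approach of modules 317 to 319: the preset page is made inaccessible, the resulting exception is captured, and the fault address is checked against the preset page before the operation is recorded. The page, its contents and the explicit re-arm step are constructed for the example; a kernel-level monitor would single-step the faulting instruction and re-protect the page instead.

```c
/* Guard-page style monitoring of a "preset memory page": user-mode model of
 * the third setting/monitoring/determining modules. Linux/POSIX only.
 * Example code added to this page; not the patent's implementation. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The preset page. In the patent this would be e.g. the page holding a key
 * DLL's export table; here it is a page we allocate ourselves (constructed). */
static volatile unsigned char *g_preset_page = NULL;
static size_t g_page_size = 0;

/* Records produced by the monitor when an operation behaviour on the preset
 * page is observed. A full implementation hands these to the legality check. */
static volatile sig_atomic_t g_hits = 0;
static volatile uintptr_t g_last_fault_addr = 0;

static int addr_in_preset_page(uintptr_t addr) {
    uintptr_t base = (uintptr_t)g_preset_page;
    return g_preset_page != NULL && addr >= base && addr < base + g_page_size;
}

/* Third monitoring + determining module: capture the exception and check
 * whether the faulting address lies inside the preset page. */
static void on_fault(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)info->si_addr;
    if (!addr_in_preset_page(addr)) {
        /* Not our page: restore the default action and re-raise so a real
         * crash elsewhere is not silently swallowed. */
        signal(SIGSEGV, SIG_DFL);
        raise(SIGSEGV);
        return;
    }
    g_last_fault_addr = addr;
    g_hits++;
    /* Lift the protection so the faulting instruction can complete. A kernel
     * monitor would single-step and re-arm; here the caller re-arms explicitly. */
    mprotect((void *)g_preset_page, g_page_size, PROT_READ | PROT_WRITE);
}

/* Third setting module: mark the page with a "protection attribute"
 * (PROT_NONE) so any read, write or execute on it raises an exception.
 * Returns 0 on success, -1 on failure. */
int arm_preset_page(void) {
    g_page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, g_page_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0x41, g_page_size);            /* constructed page contents */
    g_preset_page = (volatile unsigned char *)p;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return mprotect(p, g_page_size, PROT_NONE);
}

/* Re-apply the protection attribute after a recorded operation. */
int rearm_preset_page(void) {
    return mprotect((void *)g_preset_page, g_page_size, PROT_NONE);
}

/* Simulated operation behaviour: a read of the preset page at `offset`.
 * Returns the byte read; the read itself is what trips the exception. */
int touch_preset_page(size_t offset) {
    return (int)g_preset_page[offset % g_page_size];
}

int monitored_hits(void) { return (int)g_hits; }

/* Offset within the preset page of the last recorded operation. */
size_t monitored_fault_offset(void) {
    return (size_t)(g_last_fault_addr - (uintptr_t)g_preset_page);
}

int main(void) {
    if (arm_preset_page() != 0) { perror("arm_preset_page"); return 1; }
    touch_preset_page(0x10);
    printf("operations on preset page: %d, last offset 0x%zx\n",
           monitored_hits(), monitored_fault_offset());
    rearm_preset_page();                     /* protect again for the next access */
    touch_preset_page(0x20);
    printf("operations on preset page: %d, last offset 0x%zx\n",
           monitored_hits(), monitored_fault_offset());
    return 0;
}
```

Accesses made while the page is unprotected (between a recorded fault and the re-arm) are not observed, which is why a real monitor must re-protect after every single operation.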
On the basis of fig. 6 to 8, the determination unit 32 includes:
the querying module 321 may be configured to query whether a normal operation behavior corresponding to the preset memory page exists in a predetermined behavior library, where the normal operation behavior suitable for different preset memory pages is stored in the predetermined behavior library;
a comparison module 322, configured to compare, if there is a normal operation behavior corresponding to the preset memory page, the operation behavior of the preset memory page with a normal operation behavior in a predetermined behavior library;
the first determining module 323 may be configured to determine the operation behavior of the preset memory page whose comparison result is consistent to be a normal operation behavior;
the second determining module 324 may be configured to determine the operation behavior of the preset memory page whose comparison result is inconsistent to be an attack behavior executed by shellcode.
Further, the determination unit 32 further includes:
the third determining module 325 may be configured to, after querying whether a normal operation behavior corresponding to the preset memory page exists in the predetermined behavior library, determine, if the normal operation behavior does not exist, that the operation behavior of the preset memory page is an attack behavior executed by the shellcode.
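As an added example (not the patent's code) of the determining unit's logic, including the rule from the description that a preset page with no entry in the behavior library is judged an attack outright. The behavior encoding (operation type plus whether the operating code lives in a mapped image), the placeholder export-table page base and the library entries are assumptions of this example; the reserved-page address is the one quoted in the description.

```c
/* Legality judgement of a recorded operation behaviour against a behaviour
 * library: the query step, the comparison step, 204a/204b, and the
 * "no library entry => attack" rule. Example code added to this page; not
 * the patent's implementation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { OP_READ, OP_WRITE, OP_EXEC } op_type;

/* Where the instruction that performed the operation lives: inside a loaded
 * image (a legitimately mapped module) or elsewhere (heap, stack, a freshly
 * written reserved page). This attribute is an assumption of the example; the
 * patent does not specify how behaviours are encoded. */
typedef enum { SRC_IMAGE, SRC_NON_IMAGE } src_kind;

typedef struct {
    uintptr_t page_base;   /* preset page the operation touched */
    op_type   op;
    src_kind  src;
} behavior;

typedef enum { VERDICT_NORMAL, VERDICT_ATTACK } verdict;

/* Page addresses used by the example. The reserved kernel page is the one
 * containing the EternalBlue shellcode address quoted in the description
 * (0xffffffffffd00010 lies in page 0xffffffffffd00000); the export-table page
 * base is a constructed placeholder. */
#define RESERVED_KERNEL_PAGE  ((uintptr_t)0xffffffffffd00000ULL)
#define KEY_DLL_EXPORT_PAGE   ((uintptr_t)0x00007ff000001000ULL)  /* placeholder */

/* Behaviour library: the normal operation behaviours permitted per preset
 * page (constructed). There is deliberately NO entry for RESERVED_KERNEL_PAGE:
 * nothing legitimate operates on it. */
static const behavior NORMAL_LIBRARY[] = {
    /* The loader and API resolution read a key DLL's export table from code
     * inside mapped images. */
    { KEY_DLL_EXPORT_PAGE, OP_READ, SRC_IMAGE },
};
static const size_t NORMAL_LIBRARY_LEN =
    sizeof NORMAL_LIBRARY / sizeof NORMAL_LIBRARY[0];

/* Query step: does the library hold any normal behaviour for this page? */
static int library_has_page(uintptr_t page_base, const behavior *lib, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (lib[i].page_base == page_base) return 1;
    return 0;
}

/* Comparison step plus 204a/204b, preceded by the rule from the description
 * that a page with no normal behaviour in the library is judged an attack. */
verdict judge_operation(const behavior *b, const behavior *lib, size_t n) {
    if (!library_has_page(b->page_base, lib, n))
        return VERDICT_ATTACK;                  /* no normal behaviour exists */
    for (size_t i = 0; i < n; i++) {            /* compare with library */
        if (lib[i].page_base == b->page_base &&
            lib[i].op == b->op && lib[i].src == b->src)
            return VERDICT_NORMAL;              /* 204a: consistent */
    }
    return VERDICT_ATTACK;                      /* 204b: inconsistent */
}

/* Convenience wrapper using the constructed library. */
verdict judge_default(uintptr_t page_base, op_type op, src_kind src) {
    behavior b = { page_base, op, src };
    return judge_operation(&b, NORMAL_LIBRARY, NORMAL_LIBRARY_LEN);
}

int main(void) {
    static const char *names[] = { "normal", "attack" };
    printf("execute reserved kernel page (no library entry) : %s\n",
           names[judge_default(RESERVED_KERNEL_PAGE, OP_EXEC, SRC_NON_IMAGE)]);
    printf("read export table from image code               : %s\n",
           names[judge_default(KEY_DLL_EXPORT_PAGE, OP_READ, SRC_IMAGE)]);
    printf("read export table from non-image code           : %s\n",
           names[judge_default(KEY_DLL_EXPORT_PAGE, OP_READ, SRC_NON_IMAGE)]);
    printf("write export table from image code              : %s\n",
           names[judge_default(KEY_DLL_EXPORT_PAGE, OP_WRITE, SRC_IMAGE)]);
    return 0;
}
```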
It should be noted that other descriptions of the functional units of the shellcode detection apparatus provided in this embodiment may refer to the corresponding descriptions of fig. 1, fig. 3 and fig. 4, and are not repeated here. In addition, the specific implementation of the method executed by the shellcode detection apparatus in the present application is limited neither to the platform (which may be Intel, ARM, or the like) nor to the operating system (which may be Windows, Linux, or the like).
Based on the methods shown in fig. 1, fig. 3 and fig. 4, correspondingly, the present embodiment further provides a nonvolatile readable storage medium, on which nonvolatile readable instructions are stored, and when the readable instructions are executed by a processor, the detection method of shellcode shown in fig. 1, fig. 3 and fig. 4 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile readable storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the implementation scenarios of the present application.
Based on the above-mentioned methods shown in fig. 1, fig. 3 and fig. 4, and the virtual device embodiments shown in fig. 5 to fig. 8, to achieve the above-mentioned object, the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like, where the physical device includes a non-volatile readable storage medium and a processor; the non-volatile readable storage medium stores computer readable instructions; the processor executes the computer readable instructions to implement the shellcode detection method described above and shown in fig. 1, 3 and 4.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and so forth. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a bluetooth interface, WI-FI interface), etc.
Those skilled in the art will appreciate that the physical device structure for detecting shellcode provided by the present embodiment does not constitute a limitation to the physical device, and may include more or less components, or combine some components, or arrange different components.
The nonvolatile readable storage medium can also comprise an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the computer device described above, supporting the operation of information handling programs and other software and/or programs. The network communication module is used for realizing communication among components in the nonvolatile readable storage medium and communication with other hardware and software in the entity device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. By applying the technical scheme of the present application, compared with the prior art, the embodiment exploits the fact that shellcode must perform specific operations on preset memory pages when carrying out an attack (fetching the export table to locate a specific API), and uses memory monitoring technology to monitor the operation behaviors of the preset memory pages. Meanwhile, the occurrence of an operation behavior on a preset memory page does not by itself establish that shellcode is executing an attack; whether an attack behavior executed by shellcode occurs is detected by further judging the legality of the operation behavior of the preset memory page, so that abnormal operation behaviors are detected in time and the execution of attack behaviors is effectively discovered.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (19)

  1. A detection method of shellcode, comprising:
    monitoring the operation behavior of a preset memory page;
    and if the operation behavior of the preset memory page occurs, carrying out validity judgment on the operation behavior of the preset memory page so as to detect whether the attack behavior executed by the shellcode occurs.
  2. The method according to claim 1, wherein the monitoring the operation behavior of the preset memory page includes:
    setting the preset memory page to be in a page missing state, so that the operation behavior of the preset memory page can trigger page missing interruption;
    monitoring whether the page fault interruption triggered by the operation behavior of a preset memory page occurs or not by capturing the page fault interruption of the system;
    and if so, determining that the operation behavior of the preset memory page occurs.
  3. The method according to claim 2, wherein the monitoring whether the page fault interrupt triggered by the operation behavior of the preset memory page occurs by capturing the page fault interrupt of the system comprises:
    by capturing page fault interruption of a system, when the page fault interruption is triggered due to the occurrence of a page fault memory operation behavior, judging whether a memory page replaced by a page fault memory is a preset memory page;
    if so, determining that an operation behavior of a preset memory page occurs, including:
    if the memory page replaced by the page-missing memory is the preset memory page, judging that page-missing interruption triggered by the operation behavior of the preset memory page occurs, and determining that the operation behavior of the preset memory page occurs.
  4. The method according to claim 1, wherein the monitoring the operation behavior of the preset memory page includes:
    setting the address of the preset memory page into a debugging register, so that the operation behavior of the preset memory page can trigger debugging interruption;
    monitoring whether debugging interruption triggered by the operation behavior of a preset memory page occurs or not by capturing the debugging interruption of a system;
    and if so, determining that the operation behavior of the preset memory page occurs.
  5. The method according to claim 4, wherein the monitoring whether the debug interrupt triggered by the operation behavior on the preset memory page occurs by capturing the debug interrupt of the system comprises:
    by capturing the debugging interruption of the system, when the debugging interruption is triggered by the operation action of the set memory address, judging whether the set memory address is the address of a preset memory page;
    if so, determining that an operation behavior of a preset memory page occurs, including:
    and if the set memory address is the address of the preset memory page, judging that debugging interruption triggered by the operation behavior of the preset memory page occurs, and determining that the operation behavior of the preset memory page occurs.
  6. The method according to claim 1, wherein the monitoring the operation behavior of the preset memory page includes:
    setting a preset memory page where an application layer key dynamic link library is located as a protection attribute mark, so that an operation behavior of the preset memory page can trigger an exception;
    capturing the operation behavior of the memory page where the key dynamic link library is located, and monitoring whether an exception triggered by the operation behavior of a preset memory page occurs;
    and if so, determining that the operation behavior of the preset memory page occurs.
  7. The method according to any one of claims 1 to 6, wherein the legality determining the operation behavior of the preset memory page to detect whether an attack behavior executed by shellcode occurs comprises:
    inquiring whether normal operation behaviors corresponding to the preset memory pages exist or not from a preset behavior library, wherein the normal operation behaviors suitable for different preset memory pages are stored in the preset behavior library;
    if the memory page exists, comparing the operation behavior of the preset memory page with the normal operation behavior in a preset behavior library;
    judging the operation behavior of the corresponding preset memory page with the consistent comparison result as a normal operation behavior;
    and judging the operation behavior of the preset memory page corresponding to the inconsistency of the comparison result as the attack behavior executed by the shellcode.
  8. An apparatus for detecting shellcode, the apparatus comprising:
    the monitoring unit is used for monitoring the operation behavior of a preset memory page;
    and the judging unit is used for judging the legality of the operation behavior of the preset memory page if the operation behavior of the preset memory page occurs so as to detect whether the attack behavior executed by the shellcode occurs.
  9. [ correction 04.11.2019 based on rules 91]
    The apparatus of claim 8, wherein the monitoring unit comprises:
    the first setting module is configured to set the preset memory page to a page missing state, so that an operation behavior of the preset memory page triggers page missing interruption;
    the first monitoring module is used for monitoring whether the page fault interruption triggered by the operation behavior of the preset memory page occurs or not by capturing the page fault interruption of the system;
    the first determining module is configured to determine that the operation behavior of the preset memory page occurs if a page fault interrupt triggered by the operation behavior of the preset memory page occurs.
  10. [ correction 04.11.2019 based on rules 91]
    The apparatus of claim 9,
    the first monitoring module is specifically configured to, by capturing a page fault interrupt of the system, determine whether a memory page replaced by a page fault memory is a preset memory page when the page fault interrupt is triggered due to an operation behavior on the page fault memory;
    the first determining module is specifically configured to determine that a page fault interrupt triggered by an operation behavior on a preset memory page occurs if a memory page replaced by the page fault memory is a preset memory page, and determine that the operation behavior of the preset memory page occurs.
  11. [ correction 04.11.2019 based on rules 91]
    The apparatus of claim 8, wherein the monitoring unit comprises:
    a second setting module, configured to set an address of the preset memory page in a debug register, so that an operation behavior of the preset memory page triggers a debug interrupt;
    the second monitoring module is used for monitoring whether debugging interruption triggered by the operation behavior of the preset memory page occurs or not by capturing the debugging interruption of the system;
    the second determining module is configured to determine that the operation behavior of the preset memory page occurs if a debug interrupt triggered by the operation behavior of the preset memory page occurs.
  12. [ correction 04.11.2019 based on rules 91]
    The apparatus of claim 11,
    the second monitoring module is specifically configured to, by capturing a debug interrupt of the system, determine whether the set memory address is an address of a preset memory page when the debug interrupt is triggered by an operation behavior on the set memory address;
    the second determining module is specifically configured to determine that a debug interrupt triggered by an operation behavior on the preset memory page occurs if the set memory address is an address of the preset memory page, and determine that the operation behavior on the preset memory page occurs.
  13. [ correction 04.11.2019 based on rules 91]
    The apparatus of claim 8, wherein the monitoring unit comprises:
    the third setting module is configured to set a preset memory page where the application layer key dynamic link library is located as a protection attribute flag, so that an operation behavior of the preset memory page triggers an exception;
    a third monitoring module, configured to capture an operation behavior on a memory page where the key dynamic link library is located, and monitor whether an exception triggered by the operation behavior on a preset memory page occurs;
    the third determining module is configured to determine that the operation behavior of the preset memory page occurs if an exception triggered by the operation behavior of the preset memory page occurs.
  14. [ correction 04.11.2019 based on rules 91]
    A computer non-transitory readable storage medium having computer readable instructions stored thereon, wherein the computer readable instructions, when executed by a processor, implement a shellcode detection method, comprising:
    monitoring the operation behavior of a preset memory page; and if the operation behavior of the preset memory page occurs, carrying out validity judgment on the operation behavior of the preset memory page so as to detect whether the attack behavior executed by the shellcode occurs.
  15. [ correction 04.11.2019 based on rules 91]
    The computer non-transitory readable storage medium of claim 14, wherein the computer readable instructions, when executed by the processor, implement the monitoring operation behavior of the preset memory page comprises:
    setting a preset memory page where an application layer key dynamic link library is located as a protection attribute mark, so that an operation behavior of the preset memory page can trigger an exception; capturing the operation behavior of the memory page where the key dynamic link library is located, and monitoring whether an exception triggered by the operation behavior of a preset memory page occurs; and if so, determining that the operation behavior of the preset memory page occurs.
  16. [ correction 04.11.2019 based on rules 91]
    The computer non-transitory storage medium according to claim 14 or 15, wherein the computer readable instructions, when executed by a processor, implement the legality determining for the operation behavior of the preset memory page, so as to detect whether an attack behavior executed by shellcode occurs includes:
    inquiring whether normal operation behaviors corresponding to the preset memory pages exist or not from a preset behavior library, wherein the normal operation behaviors suitable for different preset memory pages are stored in the preset behavior library; if the memory page exists, comparing the operation behavior of the preset memory page with the normal operation behavior in a preset behavior library; judging the operation behavior of the corresponding preset memory page with the consistent comparison result as a normal operation behavior; and judging the operation behavior of the preset memory page corresponding to the inconsistency of the comparison result as the attack behavior executed by the shellcode.
  17. [ correction 04.11.2019 based on rules 91]
    A computer device comprising a memory, a processor, and computer readable instructions stored on the memory and executable on the processor, wherein the processor implements shellcode detection when executing the computer readable instructions, comprising:
    monitoring the operation behavior of a preset memory page; and if the operation behavior of the preset memory page occurs, carrying out validity judgment on the operation behavior of the preset memory page so as to detect whether the attack behavior executed by the shellcode occurs.
  18. [ correction 04.11.2019 based on rules 91]
    The computer device of claim 17, wherein the processor, when executing the computer readable instructions, implements the monitoring of the operation behavior of the preset memory page, comprising:
    setting a preset memory page where an application layer key dynamic link library is located as a protection attribute mark, so that an operation behavior of the preset memory page can trigger an exception; capturing the operation behavior of the memory page where the key dynamic link library is located, and monitoring whether an exception triggered by the operation behavior of a preset memory page occurs; and if so, determining that the operation behavior of the preset memory page occurs.
  19. [ correction 04.11.2019 based on rules 91]
    The computer device according to claim 17 or 18, wherein the processor, when executing the computer readable instructions, implements the validity determination on the operation behavior of the preset memory page to detect whether an attack behavior executed by shellcode occurs comprises:
    inquiring whether normal operation behaviors corresponding to the preset memory pages exist or not from a preset behavior library, wherein the normal operation behaviors suitable for different preset memory pages are stored in the preset behavior library; if the memory page exists, comparing the operation behavior of the preset memory page with the normal operation behavior in a preset behavior library; judging the operation behavior of the corresponding preset memory page with the consistent comparison result as a normal operation behavior; and judging the operation behavior of the preset memory page corresponding to the inconsistency of the comparison result as the attack behavior executed by the shellcode.
Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/100899 WO2021026938A1 (en) 2019-08-15 2019-08-15 Shellcode detection method and apparatus

Publications (2)

Publication Number Publication Date
CN113646763A true CN113646763A (en) 2021-11-12
CN113646763B CN113646763B (en) 2024-02-02
