CN113868655A - Trojan searching and killing method and device, electronic equipment and computer readable storage medium - Google Patents


Info

Publication number
CN113868655A
Authority
CN
China
Legal status
Pending
Application number
CN202111152178.4A
Other languages
Chinese (zh)
Inventor
朱庆芬
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/568 Computer malware detection or handling, e.g. anti-virus arrangements: eliminating virus, restoring damaged files (under G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F 21/561 Virus type analysis (under the same G06F 21/56 path as above)
    • G06F 8/53 Decompilation; Disassembly (under G06F 8/00 Arrangements for software engineering > G06F 8/40 Transformation of program code)

Abstract

The application provides a Trojan horse searching and killing method, a Trojan horse searching and killing device, electronic equipment and a computer readable storage medium. The method comprises the following steps: executing, in an antivirus environment, one or more Trojans processed in a specified manner; acquiring, from among the one or more Trojans, a target Trojan that has not been searched and killed; decompiling the target Trojan to determine a functional data address of the target Trojan; determining, according to the functional data address, the decryption algorithm and first key that operate on the functional data; decrypting the encrypted target Trojan according to the decryption algorithm and the first key; and searching and killing the decrypted target Trojan. The ability to search for and kill Trojan horses can thereby be improved.

Description

Trojan searching and killing method and device, electronic equipment and computer readable storage medium
Technical Field
The application relates to the technical field of computer security, in particular to a Trojan horse searching and killing (detection and removal) method and device, electronic equipment and a computer readable storage medium.
Background
A Trojan horse is computer malware that compromises computer security. Some existing Trojans evade killing by adding a shell (packing) or by storing the plaintext binary data of the Trojan in the form of a local variable; Trojans protected in these ways can be killed by some existing means, but other Trojans still cannot be located and killed.
Disclosure of Invention
The application aims to provide a Trojan horse searching and killing method, a Trojan horse searching and killing device, electronic equipment and a computer readable storage medium, which can improve the searching and killing capability of a non-killed Trojan horse.
In a first aspect, an embodiment of the present application provides a Trojan horse searching and killing method, including:
acquiring a target Trojan which has not been searched and killed;
decompiling the target Trojan to determine a functional data address of the target Trojan;
determining a decryption algorithm and a first key for the functional data according to the functional data address;
decrypting the encrypted target Trojan according to the decryption algorithm and the first key;
and searching and killing the decrypted target Trojan.
In an optional implementation manner, the decompiling the target trojan to determine a functional data address of the target trojan includes:
performing decompiling processing on the target Trojan horse to determine a loading method of a file of the target Trojan horse;
and determining the functional data address of the target Trojan according to the loading method.
In an optional implementation manner, the decompiling the target Trojan to determine a loading method of a file of the target Trojan includes:
performing decompiling processing on the target Trojan horse to determine an entry point method of the target Trojan horse;
and determining a loading method of the file of the target Trojan according to the entry point method.
In the above embodiment, the entry point method is found in a decompilation manner to further determine a loading method of the file of the target trojan horse, so that more accurate positioning of the trojan horse can be realized.
In an optional implementation manner, the decrypting the encrypted target trojan according to the decryption algorithm and the first key includes:
determining the storage location of the encrypted target Trojan according to the data source operated on by the decryption algorithm and the first key;
acquiring an encrypted trojan in the storage location;
decrypting the encrypted trojan using the decryption algorithm and the first key.
In an optional embodiment, the obtaining the target Trojan horse which is not killed comprises:
executing one or more trojans processed in a specified manner in a disinfection environment;
and acquiring the target Trojan which is not searched and killed in the one or more Trojan horses.
In the above embodiment, Trojans processed in the designated manner are run in the antivirus environment, so that Trojans with strong killing-free (detection-evasion) ability can be screened out, and decompilation is then applied to those Trojans with strong killing-free ability, so that more accurate searching and killing can be realized.
In an alternative embodiment, the target trojan is constructed by:
obtaining a plaintext Trojan horse;
acquiring a target encryption algorithm from a preset encryption algorithm, and encrypting the plaintext Trojan by using the target encryption algorithm and a second key to obtain a ciphertext Trojan;
and storing the ciphertext Trojan, the decryption algorithm corresponding to the target encryption algorithm and the second key into a template file so as to determine a target Trojan file.
In the above embodiment, a Trojan horse killing-free means is actively designed, so that the corresponding countermeasure can be designed on the basis of that killing-free means, thereby further improving the static scanning capability of the antivirus software.
In an optional embodiment, the method further comprises:
and updating the current antivirus software according to the searching and killing process of the target Trojan.
In the implementation mode, the antivirus software is updated, so that the searching and killing capacity of the antivirus software can be gradually improved, and the safety of a computer protected by the antivirus software is further improved.
In a second aspect, an embodiment of the present application provides a Trojan horse searching and killing device, including:
the acquisition module is used for acquiring the target Trojan which is not searched and killed;
the first determining module is used for performing decompiling processing on the target Trojan horse to determine a functional data address of the target Trojan horse;
the second determining module is used for determining a decryption algorithm and a first key of the functional data according to the functional data address;
the decryption module is used for decrypting the encrypted target Trojan according to the decryption algorithm and the first key;
and the searching and killing module is used for searching and killing the decrypted target Trojan horse.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory storing machine-readable instructions executable by the processor, the machine-readable instructions being executable by the processor to perform the steps of the method described above when the electronic device is run.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the steps of the above-mentioned method.
The beneficial effects of the embodiment of the application are that: through decompiling the Trojan, reversely deducing the hidden means of the Trojan based on the execution flow of the Trojan, and analyzing the decryption algorithm used by the Trojan and the information such as the position of the encrypted Trojan, the encrypted Trojan is decrypted, the positioning and killing of the Trojan are realized, and the safety of a computer and the killing capacity of the computer can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a block diagram of an electronic device according to an embodiment of the present application;
fig. 2 is a flowchart of a Trojan horse searching and killing method provided in an embodiment of the present application;
fig. 3 is another partial flowchart of a Trojan horse searching and killing method provided in an embodiment of the present application;
fig. 4 is a schematic view of functional modules of a Trojan horse searching and killing device provided in the embodiment of the present application.
Detailed Description
The technical solution in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
.NET is a free, cross-platform, open-source developer platform for building many different types of applications. At present, more and more Trojans are written in .NET, and since .NET programs are easily decompiled back to source code, antivirus software can easily find characteristics of such Trojans in the decompiled code and thereby identify them.
Based on the above situation, the present inventors have studied and found that some means have been applied to existing Trojans in an attempt to protect them from killing. One means is to add a shell (pack the Trojan). For example, a .NET Trojan may be protected with the open-source ConfuserEx packer, which obfuscates the code in the .NET Trojan so that it evades killing. The other means is to store the binary file of the .NET Trojan in an array held as a local variable and to load the data in the array through .NET reflection, so that killing is likewise evaded.
Trojans made killing-free by these two means can be killed as follows. For a .NET Trojan made killing-free with a packing tool, antivirus software generally has a shell-checking function and can identify the packer used; because protection methods such as the control-flow obfuscation used are relatively fixed, a corresponding deobfuscation tool can be developed to restore the .NET Trojan, so that static killing is realized. For a .NET Trojan that stores its plaintext binary data in an array held as a local variable, the killing-free file can be analyzed, the code that loads the binary data by reflection can be examined, and the data in the local-variable array can be extracted, so that the original data of the .NET Trojan is restored and static killing is realized.
However, Trojan horse killing-free means may keep being updated, so the embodiment of the application provides a way of actively designing Trojan horse killing-free approaches that may lead to Trojans evading killing, and of providing countermeasures against these actively researched killing-free approaches, thereby improving the static analysis capability of the antivirus software. The Trojan horse searching and killing method provided by the application is described below through several examples.
To facilitate understanding of the present embodiment, first, an electronic device for executing the Trojan horse searching and killing method disclosed in the embodiments of the present application will be described in detail.
Fig. 1 is a block diagram of an electronic device. The electronic device 100 may include a memory 111 and a processor 113. It will be understood by those of ordinary skill in the art that the structure shown in fig. 1 is merely exemplary and is not intended to limit the structure of the electronic device 100. For example, the electronic device 100 may also include more or fewer components than shown in fig. 1, or have a different configuration from that shown in fig. 1.
The above-mentioned components of the memory 111 and the processor 113 are directly or indirectly electrically connected to each other to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The processor 113 is used to execute the executable modules stored in the memory.
The memory 111 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 111 is configured to store a program, and the processor 113 executes the program after receiving an execution instruction; the method executed by the electronic device 100 as defined by the process disclosed in any embodiment of the present application may be applied to the processor 113, or implemented by the processor 113.
The processor 113 may be an integrated circuit chip having signal processing capability. The processor 113 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
Alternatively, the electronic device 100 may be a terminal device, for example, a Personal Computer (PC), a tablet computer, a smart phone, a Personal Digital Assistant (PDA), or the like. The electronic device 100 may also be a server, which may be a web server or the like.
The electronic device 100 in this embodiment may be configured to perform each step in each method provided in this embodiment. The implementation process of the Trojan horse searching and killing method is described in detail by several embodiments.
Please refer to fig. 2, which is a flowchart illustrating a Trojan horse searching and killing method according to an embodiment of the present application. The specific process shown in fig. 2 will be described in detail below.
And step 210, acquiring the target Trojan which is not killed.
In this embodiment, the target Trojan that has not been killed may be a Trojan different from the aforementioned shell-added Trojan or from the Trojan that stores its binary data in a local variable.
Illustratively, the target trojan described above may be a trojan encrypted using an encryption algorithm.
The encryption algorithm may be a symmetric encryption algorithm or an asymmetric encryption algorithm.
Illustratively, the Trojan horse searching and killing method in the embodiment of the application is used for debugging and training antivirus software: various types of Trojans are designed and run in an antivirus environment, the Trojans which currently cannot be searched and killed are determined, and those Trojans are then further searched and killed, so that the searching and killing capability of the antivirus software is trained.
When the Trojan horse checking and killing method in the embodiment is used in the debugging and training phase of antivirus software, step 210 may include step 211 and step 212.
Step 211, executing one or more trojans processed in a designated manner in a disinfection environment.
For example, the above-mentioned specified processing manner may be to encrypt the original Trojan with an encryption algorithm; a .NET Trojan may also be protected with the open-source ConfuserEx packer; or the binary file of the .NET Trojan may be stored in an array in the form of a local variable.
And 212, acquiring the target Trojan which is not checked and killed in the one or more Trojan horses.
If a Trojan is not killed, the killing-free means used by the Trojan differs from the existing known killing-free means, and a new killing means must be adopted to kill it.
Step 220, performing decompilation processing on the target trojan to determine a functional data address of the target trojan.
Illustratively, the functional data address may be a binary data address of the target trojan.
In this embodiment, the entry point method may be determined by decompilation, so as to further determine the method that operates on the binary data address.
In this embodiment, decompiling may be performed on the target trojan to determine a loading method of a file of the target trojan; and determining the functional data address of the target Trojan according to the loading method.
By way of example, the loading method described above may be obtained in the following manner: firstly, performing decompiling processing on the target Trojan horse to determine an entry point method of the target Trojan horse; and determining a loading method of the file of the target Trojan according to the entry point method.
Illustratively, the method that dynamically loads an assembly may be determined from the entry point method. For example, the method that dynamically loads the assembly may be the Load method of Assembly (Assembly.Load).
And step 230, determining a decryption algorithm and a first key of the functional data according to the functional data address.
Illustratively, after determining the functional data address, a decryption algorithm and a first key for operating the functional data in the functional data address may be determined by decompilation.
The decryption algorithm may be an RSA decryption algorithm, an AES (Advanced Encryption Standard) decryption algorithm, an exclusive-or decryption algorithm, an RC4 decryption algorithm, etc.
Illustratively, the first key may be a key that encrypts a target trojan in plaintext.
And 240, decrypting the encrypted target Trojan according to the decryption algorithm and the first key.
Illustratively, step 240 may include: determining the storage location of the encrypted target Trojan according to the data source operated on by the decryption algorithm and the first key; acquiring the encrypted Trojan from the storage location; and decrypting the encrypted Trojan using the decryption algorithm and the first key.
In one example, a GetManifestResourceStream function may be identified from the address of the input data of the decryption algorithm; the storage location of the encrypted target Trojan (a managed resource) can then be found through the GetManifestResourceStream function.
In another example, a GetField function may be identified from the address of the input data of the decryption algorithm; the storage location of the encrypted target Trojan (a field in a class) can then be found through the GetField function.
And step 250, searching and killing the decrypted target trojan.
Through the process, the Trojan is decompiled, the hidden means of the Trojan is reversely deduced based on the execution process of the Trojan, the encrypted Trojan is decrypted by analyzing the information such as the encryption algorithm used by the Trojan and the position of the encrypted Trojan, the Trojan is positioned and killed, and the safety of a computer and the killing capability of the computer can be improved.
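As an added illustration of steps 220 and 230 (not code from the patent), the following Python helper walks a decompiled listing the way the description does: from the entry point method to the method that calls Assembly.Load, then to the decryption primitive and the data source (GetManifestResourceStream or GetField). The listings, the method names and the regular expressions are constructed for this example; a real analysis would feed it the text output of a .NET decompiler.

```python
import re
from collections import deque

# Constructed sample listings, shaped like decompiler output for the two loader
# forms the patent describes. They are made up for this example; no real Trojan
# code is included.
LISTING_RESOURCE_AES = {
    "Main": "static void Main(string[] args) { byte[] k = ReadKey(); Run(k); }",
    "ReadKey": "static byte[] ReadKey() { return Convert.FromBase64String(KEY_B64); }",
    "Run": (
        "static void Run(byte[] key) {"
        ' Stream s = Assembly.GetExecutingAssembly().GetManifestResourceStream("payload.bin");'
        " byte[] enc = new byte[s.Length]; s.Read(enc, 0, enc.Length);"
        " byte[] dec = Decrypt(enc, key);"
        " Assembly a = Assembly.Load(dec);"
        " a.EntryPoint.Invoke(null, new object[] { new string[0] }); }"
    ),
    "Decrypt": (
        "static byte[] Decrypt(byte[] d, byte[] k) {"
        " using (var aes = new AesCryptoServiceProvider()) { aes.Key = k; /* ... */ } }"
    ),
}
LISTING_FIELD_XOR = {
    "Main": "static void Main() { Go(); }",
    "Go": (
        "static void Go() {"
        ' byte[] enc = (byte[])typeof(Program).GetField("enc", BindingFlags.NonPublic | BindingFlags.Static).GetValue(null);'
        " for (int i = 0; i < enc.Length; i++) enc[i] ^= KEY;"
        " Assembly.Load(enc).EntryPoint.Invoke(null, null); }"
    ),
}

# Decryption primitives as they surface in decompiled C#, mapped to the algorithm
# names the patent lists. Order matters: the XOR pattern is the least specific.
ALGO_MARKERS = [
    ("AES", re.compile(r"\b(AesCryptoServiceProvider|AesManaged|RijndaelManaged|Aes\.Create)\b")),
    ("RSA", re.compile(r"\b(RSACryptoServiceProvider|RSA\.Create)\b")),
    ("RC4", re.compile(r"\bRC4\b", re.IGNORECASE)),
    ("XOR", re.compile(r"\^=?")),
]
# Data sources the patent names; the captured group is the resource or field name.
SOURCE_MARKERS = [
    ("managed resource", re.compile(r'GetManifestResourceStream\("([^"]+)"\)')),
    ("class field", re.compile(r'GetField\("([^"]+)"')),
]
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\(")


def callees(body, listing):
    """Names of methods from the listing that a method body calls."""
    return [m for m in CALL_RE.findall(body) if m in listing]


def find_loader_method(listing, entry="Main"):
    """Breadth-first walk of the call graph from the entry point method until a
    method calling Assembly.Load is reached: the patent's 'loading method'."""
    seen, queue = {entry}, deque([entry])
    while queue:
        name = queue.popleft()
        body = listing.get(name, "")
        if "Assembly.Load(" in body:
            return name
        for c in callees(body, listing):
            if c not in seen:
                seen.add(c)
                queue.append(c)
    return None


def identify_algorithm(body):
    for name, rx in ALGO_MARKERS:
        if rx.search(body):
            return name
    return "unknown"


def identify_source(body):
    for kind, rx in SOURCE_MARKERS:
        m = rx.search(body)
        if m:
            return kind, m.group(1)
    return "unknown", None


def analyze(listing, entry="Main"):
    """Recover the chain entry point -> loading method -> decryption algorithm
    -> storage location of the encrypted payload (the 'functional data address')."""
    loader = find_loader_method(listing, entry)
    if loader is None:
        return {"loader_method": None}
    body = listing[loader]
    # The decryption routine is either inline in the loading method (an XOR loop)
    # or a helper it calls (AES); check the loader body first, then its callees.
    algorithm = "unknown"
    for name in [loader] + callees(body, listing):
        algorithm = identify_algorithm(listing[name])
        if algorithm != "unknown":
            break
    source_kind, source_name = identify_source(body)
    return {"entry_point": entry, "loader_method": loader, "algorithm": algorithm,
            "source_kind": source_kind, "source_name": source_name}
```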
In this embodiment, a possible Trojan horse killing-free mode can be actively designed, and the searching and killing means of the antivirus software can be researched on the basis of the designed Trojan horse subjected to killing-free processing.
In this embodiment, as shown in fig. 3, the target trojan horse may be constructed in the following manner.
In step 310, a plaintext trojan is obtained.
And 320, acquiring a target encryption algorithm from a preset encryption algorithm, and encrypting the plaintext Trojan by using the target encryption algorithm and a second key to obtain a ciphertext Trojan.
In order to store the plaintext trojan, the plaintext trojan can be encrypted through an encryption algorithm so as to hide the trojan. Furthermore, in order to improve the difficulty of searching and killing Trojan, various encryption algorithms for encrypting plaintext Trojan are designed, so that the killing-free capability of the designed Trojan is improved. By improving the killing-free capability of the Trojan horse, a countermeasure can be designed based on the Trojan horse with high killing-free capability so as to further improve the killing capability of the antivirus software.
Illustratively, the preset encryption algorithm may be a symmetric encryption algorithm or an asymmetric encryption algorithm.
Optionally, the preset encryption algorithm may include one or more encryption algorithms. The preset encryption algorithm may be one or more of an RSA encryption algorithm, an AES (Advanced Encryption Standard) encryption algorithm, an exclusive-or encryption algorithm, and an RC4 encryption algorithm.
If the preset encryption algorithm comprises multiple encryption algorithms, one of them can be randomly selected as the target encryption algorithm to encrypt the plaintext Trojan.
If the preset encryption algorithm comprises a plurality of encryption algorithms, a specified number of target encryption algorithms can be determined from the plurality of encryption algorithms. The specified number may be 1, 2, 3, etc. When the specified number is greater than one, multiple rounds of encryption may be performed on the plaintext trojan horse in order.
Illustratively, the second key may be a randomly generated key. Optionally, the length of the second key may be 256 bits, and may also be 128 bits. The key may also be one byte in length.
Wherein the second key may be the same as the first key. Further, the target Trojan can be searched and killed only when the first key is the same as the second key.
And 330, storing the ciphertext Trojan, the decryption algorithm corresponding to the target encryption algorithm and the second key into a template file so as to determine a target Trojan file.
Illustratively, the storage location of the ciphertext Trojan may be a managed resource, a field in a class, or the like.
When the target Trojan needs to be run, the target Trojan file can be read by the running program, the key in the target Trojan file is obtained, the ciphertext Trojan is decrypted with the key to obtain the plaintext Trojan, and the plaintext Trojan is then executed.
Illustratively, the plaintext trojan may be executed in a reflective manner.
Through the design mode, the killing-free capability of the Trojan horse can be higher, so that the killing-searching capability of the antivirus software can be higher based on the killing-searching design of the Trojan horse with higher killing-free capability.
The killing-free process of the Trojan horse provided by the embodiment of the present application, and the operation and killing process of the Trojan horse after the killing-free treatment are described below by using several specific examples.
In one example, the target Trojan may be a KeyBase Trojan, which uses a startup folder or a registry startup item to achieve persistence. The KeyBase Trojan has functions such as stealing keystroke information, stealing clipboard information, taking screenshots, stealing mailbox information, stealing browser information and stealing FTP client information, and uploads the stolen information to a related server.
The killing-free processing of the KeyBase Trojan proceeds as follows: reading the KeyBase Trojan file; selecting, from the preset encryption algorithms, the AES encryption algorithm for encrypting the KeyBase Trojan file; generating a random encryption key; encrypting the KeyBase Trojan file with the AES encryption algorithm and the encryption key; and finally reading the template file, writing the AES decryption algorithm and the encryption key into the template file, and storing the encrypted Trojan into the template file. For example, the storage location of the encrypted Trojan may be a managed resource.
The KeyBase Trojan after killing-free processing may be executed using the following steps: the assembly execution module reads the encryption key from the template file; reads the encrypted Trojan from the managed resource and decrypts it with the decryption algorithm corresponding to the current encryption algorithm; calls the Assembly.Load method to load the decrypted Trojan; and acquires the entry point method of the loaded assembly and calls the Invoke function of the entry point method to execute the KeyBase Trojan.
For the KeyBase Trojan subjected to killing-free processing, the following process can be adopted to realize killing: reading the KeyBase Trojan which has not been searched and killed; decompiling the KeyBase Trojan; finding the entry point method, and finding the Assembly.Load method near the entry point; finding the address of the loaded binary data according to the Assembly.Load method; according to the binary data loading address, determining the decryption algorithm and key that operate on the binary data at that address; according to the input data address of the decryption algorithm, identifying the GetManifestResourceStream function and thereby finding the storage location of the encrypted Trojan; then reading the encrypted KeyBase Trojan from the managed resource; finally decrypting the KeyBase Trojan with the decryption algorithm and key; and storing the decrypted Trojan into a file as it was before encryption, thereby realizing static searching and killing.
In another example, the target Trojan may be a Prodecryptor Trojan, which is ransomware.
The killing-free processing of the Prodecryptor Trojan proceeds as follows: reading the Prodecryptor Trojan file; selecting the exclusive-or encryption algorithm from the preset encryption algorithms; generating a random key; encrypting the Prodecryptor Trojan file with the XOR algorithm; reading the template file, injecting the XOR algorithm and the encryption key into the template file, and storing the encrypted Trojan into the template file, where the encrypted Trojan may be stored in a field in a class.
The execution flow of the encrypted Prodecryptor Trojan can be as follows: reading the key; reading the encrypted Prodecryptor Trojan from the field in the class; decrypting the encrypted Prodecryptor Trojan with the exclusive-or decryption algorithm; calling the Assembly.Load method to load the decrypted Prodecryptor Trojan; and acquiring the entry point method of the loaded assembly and calling the Invoke function of the entry point method to execute the decrypted Prodecryptor Trojan.
For the Prodecryptor Trojan subjected to killing-free processing, the following process can be adopted to realize killing: reading the Prodecryptor Trojan after killing-free processing; decompiling the Prodecryptor Trojan; determining the entry point method, and determining the Assembly.Load method according to the entry point method; finding the address of the loaded binary data according to the Assembly.Load method; finding the XOR decryption algorithm and the key according to the address of the loaded binary data; according to the input data address of the XOR algorithm, further finding the GetField function and thereby the storage location of the encrypted Prodecryptor Trojan; reading the encrypted Prodecryptor Trojan from the field; decrypting the encrypted Prodecryptor Trojan with the XOR decryption algorithm and the key; and storing the decrypted Prodecryptor Trojan into a file as it was before encryption, thereby realizing static searching and killing.
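The extraction and decryption stage of the two examples above (steps 240 and 250 of the general method), written as an added Python helper rather than code from the patent: it slices the ciphertext out of its storage location, peels off the recovered encryption rounds in reverse order, and validates the result as a PE image before it is written out for static scanning. The sample container, the keys and the round list are constructed here; AES rounds are left out because they would need a crypto library, so the block covers the XOR and RC4 algorithms the patent names.

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then keystream XOR (encryption and decryption coincide)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key is the single-byte case the patent mentions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


PRIMITIVES = {"RC4": rc4, "XOR": xor}


def undo_rounds(rounds, ciphertext: bytes) -> bytes:
    """rounds: (algorithm, key) pairs in the order they were applied when the target
    Trojan was built. They are peeled off in reverse order. XOR and RC4 happen to
    commute, but a sequence containing AES would not, so reverse order is the rule."""
    data = ciphertext
    for algo, key in reversed(rounds):
        data = PRIMITIVES[algo](key, data)
    return data


def looks_like_pe(data: bytes) -> bool:
    """DOS 'MZ' stub whose e_lfanew points at a PE signature. A wrong key or a wrong
    round order fails here, before anything is written to disk."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(container: bytes, offset: int, length: int, rounds):
    """Slice the ciphertext out of its storage location (a managed resource or a
    class field, modelled here as an offset/length inside the container bytes),
    decrypt it, and return the plaintext image, or None if it does not validate."""
    plain = undo_rounds(rounds, container[offset:offset + length])
    return plain if looks_like_pe(plain) else None


# --- constructed sample (not a real Trojan): a minimal PE-shaped stub ---------------
def build_fake_pe() -> bytes:
    hdr = bytearray(0x40)                    # DOS header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"constructed .NET stub body"


SAMPLE_ROUNDS = [("XOR", b"\x5a"), ("RC4", b"constructed-rc4-key")]  # as recovered
PLAIN_SAMPLE = build_fake_pe()
PREFIX = b"\x00" * 16                        # bytes preceding the resource in the container


def _apply_rounds(rounds, data: bytes) -> bytes:
    """Used only to build the sample container for this example."""
    for algo, key in rounds:
        data = PRIMITIVES[algo](key, data)
    return data


SAMPLE_CONTAINER = PREFIX + _apply_rounds(SAMPLE_ROUNDS, PLAIN_SAMPLE)

if __name__ == "__main__":
    recovered = recover_payload(SAMPLE_CONTAINER, len(PREFIX), len(PLAIN_SAMPLE), SAMPLE_ROUNDS)
    # The restored image is what gets stored "into a file before encryption" for static scanning.
    print("recovered PE image of %d bytes" % len(recovered))
```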
The Trojan horse searching and killing method in this embodiment may further comprise step 260: updating the current antivirus software according to the searching and killing process of the target Trojan.
For example, the current antivirus software may be updated according to the searching and killing process determined in steps 210 to 250.
The method in this embodiment may be applied to a server that provides services related to antivirus software. After updating the antivirus software, the server may send an update prompt message to a terminal device in communication with it; upon receiving an update request from the terminal device, the server sends the updated antivirus software to the terminal device, so that the terminal device updates its antivirus software.
For example, the Trojan horse searching and killing method in the embodiment of the application can also be used in the use stage of antivirus software in a computer, and is used for searching and killing the existing Trojan horse of the computer.
Steps 210 to 250 in this embodiment may be executed when one of the modules in the antivirus software running in the computer is running.
With the method in the embodiment of the present application, when a killing-free Trojan is designed, one of several encryption algorithms can be selected to encrypt the .NET Trojan, which increases the difficulty of writing a general decryption tool. Further, the encrypted Trojan can be stored in storage locations of the .NET program such as managed resources or fields in classes, which increases the difficulty of extracting the encrypted data. Since the antivirus software is designed against killing-free Trojans of this higher difficulty, its antivirus capability can be improved.
Furthermore, in the embodiment of the present application, the decryption algorithm and the key that operate on the binary data are found from the dynamically loaded binary data address, and the storage location of the encrypted Trojan is then found from the data source operated on by the decryption algorithm and the key, so that Trojans with strong killing-free capability can be searched and killed.
Based on the same application concept, a Trojan horse searching and killing device corresponding to the Trojan horse searching and killing method is further provided in the embodiment of the present application. Since the principle by which the device solves the problem is similar to that of the method embodiment, the implementation of the device can be referred to the description of the method embodiment, and repeated details are not described again.
Please refer to fig. 4, which is a schematic diagram of the functional modules of a Trojan horse searching and killing apparatus according to an embodiment of the present application. Each module in the Trojan horse searching and killing device of this embodiment is used to execute a corresponding step of the method embodiment. The Trojan horse searching and killing device includes: an acquisition module 310, a first determination module 320, a second determination module 330, a decryption module 340, and a searching and killing module 350. The modules are as follows:
an obtaining module 310, configured to obtain a target trojan that is not killed;
a first determining module 320, configured to perform decompiling processing on the target trojan to determine a functional data address of the target trojan;
a second determining module 330, configured to determine, according to the functional data address, a decryption algorithm and a first key of the functional data;
the decryption module 340 is configured to decrypt the encrypted target trojan according to the decryption algorithm and the first key;
and the searching and killing module 350 is used for searching and killing the decrypted target trojan.
In one possible implementation, the first determining module 320 includes a method determining unit and an address determining unit.
The method determination unit is used for performing decompiling processing on the target Trojan horse to determine a loading method of a file of the target Trojan horse;
and the address determining unit is used for determining the functional data address of the target Trojan according to the loading method.
In one possible embodiment, the method determination unit is configured to:
performing decompiling processing on the target Trojan horse to determine an entry point method of the target Trojan horse;
and determining a loading method of the file of the target Trojan according to the entry point method.
In one possible embodiment, the decryption module is configured to:
determining the storage position of the encrypted target Trojan according to the data source operated on by the decryption algorithm and the first key;
acquiring an encrypted trojan in the storage location;
decrypting the encrypted trojan using the decryption algorithm and the first key.
In a possible embodiment, the searching and killing module is configured to:
executing one or more Trojans processed in a specified manner in an antivirus environment;
and acquiring the target Trojan which is not searched and killed in the one or more Trojan horses.
In a possible embodiment, the target trojan is constructed by:
obtaining a plaintext Trojan horse;
acquiring a target encryption algorithm from a preset encryption algorithm, and encrypting the plaintext Trojan by using the target encryption algorithm and a second key to obtain a ciphertext Trojan;
and storing the ciphertext Trojan, the decryption algorithm corresponding to the target encryption algorithm and the second secret key into a template file so as to determine a target Trojan file.
In a possible implementation manner, the Trojan horse searching and killing device provided in the embodiment of the present application may further include:
and the updating module is used for updating the current antivirus software according to the checking and killing process of the target Trojan.
In addition, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the Trojan horse searching and killing method in the foregoing method embodiment are executed.
The computer program product of the Trojan horse searching and killing method provided in the embodiment of the present application includes a computer readable storage medium storing a program code, where instructions included in the program code may be used to execute the steps of the Trojan horse searching and killing method described in the above method embodiment, which may be referred to in the above method embodiment specifically, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A Trojan horse searching and killing method is characterized by comprising the following steps:
acquiring target trojans which are not searched and killed;
performing decompiling processing on the target Trojan horse to determine a functional data address of the target Trojan horse;
determining a decryption algorithm and a first key of the functional data according to the functional data address;
decrypting the encrypted target Trojan according to the decryption algorithm and the first secret key;
and searching and killing the decrypted target Trojan.
2. The method of claim 1, wherein decompiling the target trojan to determine the functional data address of the target trojan comprises:
performing decompiling processing on the target Trojan horse to determine a loading method of a file of the target Trojan horse;
and determining the functional data address of the target Trojan according to the loading method.
3. The method of claim 2, wherein the decompiling the target trojan to determine a loading method of the file of the target trojan comprises:
performing decompiling processing on the target Trojan horse to determine an entry point method of the target Trojan horse;
and determining a loading method of the file of the target Trojan according to the entry point method.
4. The method according to claim 1, wherein decrypting the encrypted target trojan according to the decryption algorithm and the first key comprises:
determining the storage position of the encrypted target Trojan according to the data source operated on by the decryption algorithm and the first key;
acquiring an encrypted trojan in the storage location;
decrypting the encrypted trojan using the decryption algorithm and the first key.
5. The method of claim 1, wherein said obtaining a target Trojan horse that has not been killed comprises:
executing one or more Trojans processed in a specified manner in an antivirus environment;
and acquiring the target Trojan which is not searched and killed in the one or more Trojan horses.
6. The method of claim 5, wherein the target trojan is constructed by:
obtaining a plaintext Trojan horse;
acquiring a target encryption algorithm from a preset encryption algorithm, and encrypting the plaintext Trojan by using the target encryption algorithm and a second key to obtain a ciphertext Trojan;
and storing the ciphertext Trojan, the decryption algorithm corresponding to the target encryption algorithm and the second secret key into a template file so as to determine a target Trojan file.
7. The method according to any one of claims 1-6, further comprising:
and updating the current antivirus software according to the searching and killing process of the target Trojan.
8. A Trojan horse searching and killing device is characterized by comprising:
the acquisition module is used for acquiring the target Trojan which is not searched and killed;
the first determining module is used for performing decompiling processing on the target Trojan horse to determine a functional data address of the target Trojan horse;
the second determining module is used for determining a decryption algorithm and a first key of the functional data according to the functional data address;
the decryption module is used for decrypting the encrypted target Trojan according to the decryption algorithm and the first secret key;
and the searching and killing module is used for searching and killing the decrypted target Trojan horse.
9. An electronic device, comprising: a processor, a memory storing machine-readable instructions executable by the processor, the machine-readable instructions when executed by the processor performing the steps of the method of any of claims 1 to 7 when the electronic device is run.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, is adapted to carry out the steps of the method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111152178.4A CN113868655A (en) 2021-09-29 2021-09-29 Trojan searching and killing method and device, electronic equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN113868655A (en) 2021-12-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination