CN114065204A - File-free Trojan horse searching and killing method and device - Google Patents

File-free Trojan horse searching and killing method and device Download PDF

Info

Publication number
CN114065204A
CN114065204A CN202111431280.8A CN202111431280A CN114065204A CN 114065204 A CN114065204 A CN 114065204A CN 202111431280 A CN202111431280 A CN 202111431280A CN 114065204 A CN114065204 A CN 114065204A
Authority
CN
China
Prior art keywords
file
class
killing
free
searching
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111431280.8A
Other languages
Chinese (zh)
Inventor
钱维正
旷亚和
叶红
苏建明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202111431280.8A priority Critical patent/CN114065204A/en
Publication of CN114065204A publication Critical patent/CN114065204A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides a method and a device for checking and killing a file-free trojan horse, relates to the field of information safety, can also be used in the field of finance, and comprises the following steps: running a Java Agent engine and acquiring stack call logs and class bytecode information of a called program in a Web server application program; determining the risk level of the called program according to a preset detection rule, the stack call log and class bytecode information; and determining class files containing the file-free Trojan horse in the called program according to a preset checking and killing strategy and the risk level, and checking and killing the file-free Trojan horse in the class files. The method and the device can realize automatic detection and searching and killing of the file-free Trojan horse and protect safe operation of Web application.

Description

File-free Trojan horse searching and killing method and device
Technical Field
The application relates to the field of information security, can be used in the field of finance, and particularly relates to a file-free Trojan horse searching and killing method and device.
Background
A file-free attack is an attack strategy that avoids storing malicious files on a disk to escape conventional security software detection. The file-free trojan (also called memory horse) is a common technical means of file-free attack, and means that malicious codes such as backdoor or trojan are written in a memory and executed to achieve the purpose of remotely controlling a Web server. Because the traditional Web shell is designed based on file types, an attacker can upload Trojan with files through tools or by utilizing vulnerabilities, and complete Trojan implantation aiming at an Internet open website or application in an enterprise. Compared with the traditional Trojan horse implantation mode, the file-free Trojan horse is implanted by using the process of the middleware to execute malicious codes, and no file falls to the ground.
With the development of network security technology in recent years, the file-free trojan horse gradually becomes a favored attack means by virtue of the advantage that the file-free trojan horse can effectively avoid the detection of traditional security software, and brings great challenges to enterprise security protection. At present, no effective searching and killing method can realize accurate positioning searching and killing of the file-free Trojan horse.
Disclosure of Invention
Aiming at the problems in the prior art, the application provides a file-free Trojan horse searching and killing method and device, which can realize automatic detection and searching and killing of file-free Trojan horses and protect safe operation of Web application.
In order to solve the technical problem, the application provides the following technical scheme:
in a first aspect, the present application provides a file-free Trojan horse searching and killing method, including:
running a Java Agent engine and acquiring stack call logs and class bytecode information of a called program in a Web server application program;
determining the risk level of the called program according to a preset detection rule, the stack call log and class bytecode information;
and determining class files containing the file-free Trojan horse in the called program according to a preset checking and killing strategy and the risk level, and checking and killing the file-free Trojan horse in the class files.
Further, running the Java Agent engine and obtaining a stack call log of a called program in the Web server application program includes:
hanging the Java Agent engine to the Web server application program for running;
searching a called program in the Web server application program and a stack list when the called program is called from a server memory by using an interface in the Java Agent engine;
and generating the stack call log of the called program according to the stack list.
Further, the class bytecode information includes: class byte codes and characteristic information of the class byte codes; the method comprises the following steps of running a Java Agent engine and acquiring class bytecode information of a called program in a Web server application program, wherein the steps comprise:
hanging the Java Agent engine to the Web server application program for running;
and reading the class bytecode and the characteristic information of the class bytecode from a server memory by using an interface in the Java Agent engine.
Further, the determining the risk level of the called program according to the preset detection rule, the stack call log, the class bytecode, and the feature information includes:
determining the number of the detection rules hit by the called program according to the stack call log, the class bytecode and the feature information;
and determining the risk level according to the mapping relation between the quantity and the risk level.
Further, the determining a class containing a file-free trojan in the called program according to a preset searching and killing strategy and the risk level and searching and killing the file-free trojan in the class file includes:
determining the class of the file-free Trojan horse to be checked and killed in the called program according to a preset checking and killing strategy and the risk level;
positioning a corresponding class file in the server memory according to the class name;
and covering the class files by adopting a Java byte code enhancement technology to block the execution of Trojan horses without files in the class files and finish searching and killing.
In a second aspect, the present application provides a device for checking and killing a trojan without a file, comprising:
the log byte code determining unit is used for operating a Java Agent engine and acquiring stack call logs and class byte code information of a called program in a Web server application program;
the risk level determining unit is used for determining the risk level of the called program according to a preset detection rule, the stack call log and the class bytecode information;
and the checking and killing unit is used for determining class files containing the file-free trojans in the called program according to a preset checking and killing strategy and the risk level and checking and killing the file-free trojans in the class files.
Further, the log class bytecode determining unit includes:
the hooking module is used for hooking the Java Agent engine to the Web server application program for running;
the calling and searching module is used for searching a called program in the Web server application program and a stack list when the called program is called from a server memory by using an interface in the Java Agent engine;
and the log generation module is used for generating the stack call log of the called program according to the stack list.
Further, the class bytecode information includes: class byte codes and characteristic information of the class byte codes; the log class bytecode determining unit includes:
the hooking module is used for hooking the Java Agent engine to the Web server application program for running;
and the class bytecode reading module is used for reading the class bytecode and the characteristic information of the class bytecode from a server memory by using an interface in the Java Agent engine.
Further, the risk level determination unit includes:
the quantity determining module is used for determining the quantity of the called program hitting the detection rule according to the stack call log, the class bytecode and the feature information;
and the risk grade determining module is used for determining the risk grade according to the mapping relation between the quantity and the risk grade.
Further, the searching and killing unit comprises:
the class determination module is used for determining a class of the file-free Trojan horse to be checked and killed in the called program according to a preset checking and killing strategy and the risk level;
the class file positioning module is used for positioning a corresponding class file in the server memory according to the name of the class;
and the searching and killing module is used for covering the class files by adopting a Java byte code enhancement technology so as to block the execution of the Trojan without the file in the class files and finish searching and killing.
In a third aspect, the present application provides an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the file-free Trojan horse searching and killing method when executing the program.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the file-free Trojan horse searching and killing method.
Aiming at the problems in the prior art, the method and the device for checking and killing the file-free Trojan horse can realize the detection and the checking and killing of the file-free Trojan horse, make up the defect that the traditional file-based safety detection software cannot check and kill the Trojan horse, and ensure the running safety of an application system; meanwhile, dynamic execution information and static characteristic analysis are combined, so that the accuracy of the detection result of the memory horse is greatly improved; by adopting the byte code enhancement technology, the accurate striking is realized under the condition of not changing the source code, and the efficiency of searching and killing the file-free Trojan horse is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a file-free Trojan horse searching and killing method in the embodiment of the application;
FIG. 2 is a flowchart of log acquisition in an embodiment of the present application;
FIG. 3 is a flowchart illustrating an embodiment of obtaining class bytecode information in the present application;
FIG. 4 is a flow chart of determining a risk level in an embodiment of the present application;
FIG. 5 is a flowchart illustrating an embodiment of the present application for checking and killing a Trojan without a file;
FIG. 6 is a structural diagram of a device for checking and killing Trojan without files in the embodiment of the application;
FIG. 7 is a diagram illustrating one of the structures of a bytecode determination unit of a log class according to an embodiment of the present application;
FIG. 8 is a second block diagram of a log type bytecode determining unit in the embodiment of the present application;
FIG. 9 is a block diagram of a log class bytecode determining unit in an embodiment of the present application;
FIG. 10 is a structural diagram of a checking and killing unit in the embodiment of the present application;
fig. 11 is a schematic structural diagram of an electronic device in an embodiment of the present application;
fig. 12 is an application scenario diagram in the embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the method and the device for checking and killing the trojan without the file provided by the application can be used in the financial field and can also be used in any field except the financial field, and the application field of the method and the device for checking and killing the trojan without the file provided by the application is not limited.
In an embodiment, referring to fig. 1, in order to implement automatic detection and killing of a file-free trojan and protect the safe operation of a Web application, the present application provides a file-free trojan killing method, including:
s101: running a Java Agent engine and acquiring stack call logs and class bytecode information of a called program in a Web server application program;
s102: determining the risk level of the called program according to a preset detection rule, the stack call log and class bytecode information;
s103: and determining class files containing the file-free Trojan horse in the called program according to a preset checking and killing strategy and the risk level, and checking and killing the file-free Trojan horse in the class files.
It can be understood that, in order to solve the problem that the traditional security detection software cannot detect the file-free trojan, the application provides a file-free trojan searching and killing method based on the byte code enhancement technology, and the method can automatically detect, locate and search and kill the file-free trojan of the Web application, so that an attacker is prevented from attacking the Web server in a manner of remotely injecting malicious codes, and the protection capability of the Web application system on the problems is improved.
Specifically, referring to fig. 12, by running the Java Agent engine, the stack call log and class bytecode information of the callee in the Web server application can be acquired. The byte code information at least comprises: class bytecode and its feature information. In order to better meet the searching and killing requirements, a detection rule can be preset. The detection rule includes a risk level assessment rule. And determining the risk level of the called program according to a preset detection rule, a stack call log and class bytecode information. Finally, a killing strategy is set, wherein the killing strategy comprises the killing operation required to be carried out under each risk level. And determining class files containing the file-free Trojan horse in the called program according to a preset checking and killing strategy and the risk level, and checking and killing the file-free Trojan horse in the class files.
In summary, the method of the application can combine dynamic execution information with static type feature analysis to realize searching and killing of the file-free Trojan horse. Wherein the dynamic execution information corresponds to at least the stack log and the static class characteristics correspond to at least the class bytecode.
From the above description, the file-free Trojan horse searching and killing method provided by the application can realize the detection and searching and killing of the file-free Trojan horse, makes up the defect that the traditional file-based safety detection software cannot search and kill the Trojan horse, and ensures the running safety of an application system; meanwhile, dynamic execution information and static characteristic analysis are combined, so that the accuracy of the file-free Trojan horse detection result is greatly improved; by adopting the byte code enhancement technology, the accurate striking is realized under the condition of not changing the source code, and the efficiency of searching and killing the file-free Trojan horse is improved.
In one embodiment, referring to fig. 2, running a Java Agent engine and obtaining a stack call log of a called program in a Web server application includes:
s201: hanging the Java Agent engine to the Web server application program for running;
s202: searching a called program in the Web server application program and a stack list when the called program is called from a server memory by using an interface in the Java Agent engine;
s203: and generating the stack call log of the called program according to the stack list.
It can be understood that, in the embodiment of the present application, a Class dump operation needs to be performed first to obtain all Class bytecodes in the memory of the Web server, then dynamic instrumentation is performed on key system functions in the memory of the Web server, and finally, file-free trojan horse detection and killing are performed according to a result of the Class dump and a result of the dynamic instrumentation.
(ii) Class dump operation: the operation is realized through a JVM (Java virtual machine) interface, a Java Agent engine is started, the Java Agent engine is hung on a Web server application program to run, and all class bytecodes loaded into the memory by the Web application to be tested can be output at regular time by using the function of the Java Agent engine.
Secondly, dynamic pile inserting operation: this operation enables instrumentation of critical system functions. The system functions include, but are not limited to, executing command functions, file read-write functions, database read-write functions and the like, so that the calling condition of the system key functions is monitored in real time. When the monitored system function is called, call stack information is recorded, including a stack call log.
It should be noted that the dynamic instrumentation operation specifically includes bytecode enhancement and logging. The former mainly realizes the instrumentation of the key functions of the system so as to conveniently detect and record the called conditions of the system in real time. The latter realizes the generation of the called log of the system key function. When the fact that the key function of the system is called is monitored, the call stack of the related function is recorded, and a key function call log is generated.
The dynamic instrumentation is performed at least because when searching a called program in a Web server application program and a stack list thereof during calling from a server memory by using an interface in a Java Agent engine, the method specifically includes the following steps:
firstly, searching a called program in the Web server application program from a server memory by using an interface in a Java Agent engine as a system key function;
secondly, performing instrumentation operation on the system key function;
and thirdly, running a system key function, and simultaneously recording a stack list when the system key function is called according to the result of the instrumentation operation.
Checking operation of the file-free trojan horse: since the Class dump operation has already obtained a Class list, also called Class list, the dynamic instrumentation operation has also collected the critical system function execution stack. The file-free Trojan horse detection operation can be performed according to a Class list and a key system function, the content of each Class file is matched with the characteristics of the file-free Trojan horse, and if the strategy is missed, the file-free Trojan horse detection operation is normally performed; and if the strategy is hit, performing risk grade classification recording on the Class according to the quantity and the risk grade of the hit rules. Additionally, if a Class marked as suspect exists in the execution stack of the critical system function, its risk level may be set to a higher level. And finally generating a suspicious Class risk level list as a parameter for use in file-free Trojan horse searching and killing. The policy is preset by a system maintenance technician according to actual needs, and the present application is not limited thereto.
Fourthly, file-free Trojan searching and killing operation: the operation can be combined with the Class risk level determined in the previous step and a searching and killing strategy set by a user to alarm and kill the file-free Trojan horse. For confirming the file-free Trojan horse to be checked and killed, a byte code enhancement technology is adopted to modify class logic or simulate middleware injection and cancellation, the execution flow is damaged, and the purpose of clearing the file-free Trojan horse is achieved. See in particular the description in the examples of Filter-type dockless mumps scrutine described below. The searching and killing strategy is preset by a system maintenance technician according to actual needs, and the application is not limited to this.
Before file-free Trojan horse searching and killing, the device needs to be deployed on an application server, and a searching and killing engine is accessed to application services in a preloading or hot loading mode. A system maintenance technician can customize the checking and killing strategy through a browser and check the checking and killing result of the file-free Trojan horse.
From the above description, the file-free Trojan horse searching and killing method provided by the application can run a Java Agent engine and acquire the stack call log of the called program in the Web server application program.
In one embodiment, referring to fig. 3, the class bytecode information includes: class byte codes and characteristic information of the class byte codes; the method comprises the following steps of running a Java Agent engine and acquiring class bytecode information of a called program in a Web server application program, wherein the steps comprise:
s301: hanging the Java Agent engine to the Web server application program for running;
s302: and reading the class bytecode and the characteristic information of the class bytecode from a server memory by using an interface in the Java Agent engine.
It can be understood that, in the embodiment of the present application, in order to obtain the Class bytecode and the feature information thereof in the server memory, the Java Agent needs to be hooked first, and then the Class bytecode and the feature information thereof are obtained through a Class dump operation.
Carrying out Java Agent hooking operation: and after the Web application to be tested is operated, the Java Agent engine is hung on the operated application process. Java Agent hooking can be realized by two modes of adding Agent parameters or adding processes during starting.
Class dump operation: the full amount of Class byte codes loaded in the dump memory are also called Class byte codes; acquiring the characteristic information of the byte code. These feature information includes, but is not limited to, class name, parent class inherited, class loader affiliated, function body content, and the like.
From the above description, the file-free Trojan horse searching and killing method provided by the application can run a Java Agent engine and acquire class bytecode information of a called program in a Web server application program.
In an embodiment, referring to fig. 4, the determining the risk level of the called program according to the preset detection rule, the stack call log, the class bytecode, and the feature information includes:
s401: determining the number of the detection rules hit by the called program according to the stack call log, the class bytecode and the feature information;
s402: and determining the risk level according to the mapping relation between the quantity and the risk level.
It is understood that the preset detection rule in the embodiment of the present application may include several pieces, and a larger number of hits indicates a higher risk degree of containing the file-free trojan. The rules can be set according to actual needs, and the application is not limited to this.
In specific implementation, first, the full class information of the dump in the memory and the stack log of the key function call are obtained. And then, realizing the automatic identification of the file-free Trojan horse according to the information. Namely, by defining a file-free Trojan horse characteristic rule, setting an identification strategy of the file-free Trojan horse, such as: the Class name contains keywords such as shell or random number, no related Class exists in a corresponding configuration file of a web, no entity Class file exists under a corresponding Class loading path or a special Class loader is used for loading, the key function execution stack contains the Class, and the like. Transmitting the class information hitting more than one rule into the next processing link for evaluation and recording; the class of the miss policy may execute normally. And finally, carrying out statistical recording on the class names of the hit strategies according to preset risk grade classification, generating a class risk grade list as a parameter and transmitting the class risk grade list to the next processing link.
As can be seen from the above description, the file-free Trojan horse searching and killing method provided by the present application can determine the risk level of the called program according to the preset detection rule, the stack call log, the class bytecode, and the feature information.
In an embodiment, referring to fig. 5, the determining, according to a preset checking and killing policy and the risk level, a class containing a file-free trojan in the called program, and checking and killing the file-free trojan in the class file includes:
s501: determining the class of the file-free Trojan horse to be checked and killed in the called program according to a preset checking and killing strategy and the risk level;
s502: positioning a corresponding class file in the server memory according to the class name;
s503: and covering the class files by adopting a Java byte code enhancement technology to block the execution of Trojan horses without files in the class files and finish searching and killing.
It can be understood that, in the embodiment of the present application, the class risk level list is received first, and the memory trojan function to be searched and killed is located by combining with the searching and killing policy set by the user. And then, the memory Trojan horse is cleared by adopting a Java byte code enhancement technology, so that the execution of malicious codes is prevented. The cleaning can be carried out by directly modifying malicious codes or adopting a sales class mode.
In order to more clearly illustrate the feasibility of the method, the working process of the method is shown by taking a Filter type file-free Trojan horse searching and killing scene as an example. It should be noted that the method described in this application is not limited to killing Filter type fileless trojan horse, and this embodiment is only for illustration.
Starting the application to be tested on the Web application server.
And secondly, hanging the Java Agent engine to the running application process.
And thirdly, Dump outputs the full-size byte codes in the application memory.
And fourthly, performing decompiling on the class byte codes to obtain all class information.
Fifthly, instrumentation is carried out on the key functions of the system, if: and executing a command function, a file read-write function, a database read-write function and the like, and monitoring the called condition of the functions in real time.
And sixthly, in the detection process, when the key function of the system is called, recording a calling stack corresponding to the function, and dynamically generating a key function calling log.
And seventhly, traversing the file table, acquiring one element in the list each time, and identifying the file-free trojan.
And transmitting the class to be detected into a feature matching unit, and judging whether the class accords with the feature of the file-free Trojan one by one. The detection strategy comprises the following steps: the name of the Filter contains keywords such as shell and the like, no Filter configuration exists in the web.xml, and a specific classloader such as a template insert and a byte loads the classloader, and malicious codes such as invoke and getRuntime exist in the Filter class which is corresponding to the classloader directory and is not a class file and is output by dump. If the strategy is hit, subsequent risk level evaluation and searching and killing are carried out; otherwise, executing normally.
Ninthly, according to the number and the characteristics of the hit strategies, carrying out grading recording on the risk classes. Aiming at 5 detection strategies of a Filter type file-free Trojan horse, hit 4 or more are high-risk, 3 or 2 are medium-risk, and 1 is low-risk. And determining the file-free Trojan horse to be killed according to a killing strategy set by a user, and transmitting the class name of the file-free Trojan horse to a next module as a parameter.
The method comprises the steps that (1) for the file-free Trojan (Trojan horse) confirmed to be searched and killed, a class file to be searched and killed is located in a memory according to a class name, and the class file is a malicious byte code segment needing to be modified; directly covering malicious byte codes in the DoFilter method of the files to be checked and killed by adopting a Java byte code enhancement technology, preventing Trojan horses without files from executing, and finishing checking and killing; and generating a file-free Trojan detection, searching and killing report, including strategy hit conditions and searching and killing results, and displaying the strategy hit conditions and the searching and killing results to a user through a browser.
As can be seen from the above description, the file-free Trojan horse searching and killing method provided by the present application can determine the class containing the file-free Trojan horse in the called program according to the preset searching and killing strategy and the risk level, and search and kill the file-free Trojan horse in the class file.
In summary, the present application provides a method and an apparatus for searching and killing a Web application file-free trojan horse based on a bytecode-enhanced technology. Aiming at the problem that the file-free trojan without a landing file is not easy to be searched and killed by traditional safety detection software, a full-amount byte code in a dump memory is firstly compiled, a file-free trojan feature matching identification method is carried out, a system key function call log obtained by pile insertion is combined, information of the file-free trojan is analyzed and confirmed, and searching and killing are carried out according to a searching and killing strategy configured by a user. And covering or canceling the file-free Trojan horse which is confirmed to be killed by using a Java byte code enhancement technology, and preventing the file-free Trojan horse from being executed, thereby finishing the removal of the malicious Trojan horse.
The beneficial effects and advantages of this application include at least:
1. the method and the device realize the detection and the searching and killing of the file-free Trojan, solve the problem that the traditional file-based safety detection software cannot search and kill the Trojan, and ensure the safety of an application system.
2. The dynamic execution information and the static characteristic analysis can be combined, and the accuracy of the file-free Trojan horse detection result is greatly improved; meanwhile, a configuration function is provided, and a searching and killing strategy is set according to the configuration of a user, so that the phenomenon of mistaken killing is avoided as much as possible.
3. By adopting the byte code enhancement technology, the accurate striking is realized under the condition of not changing the source code, and the efficiency of searching and killing the file-free Trojan horse is improved.
Based on the same inventive concept, the embodiment of the present application further provides a file-free Trojan horse searching and killing device, which can be used for implementing the method described in the above embodiment, as described in the following embodiment. Because the principle of solving the problem of the file-free Trojan horse searching and killing device is similar to that of the file-free Trojan horse searching and killing method, the implementation of the file-free Trojan horse searching and killing device can refer to the implementation of a software performance reference determination method, and repeated parts are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
In an embodiment, referring to fig. 6, in order to implement automatic detection and killing of a file-free trojan and protect the safe operation of a Web application, the present application provides a file-free trojan killing apparatus, including: a log class bytecode determining unit 601, a risk level determining unit 602, and a searching and killing unit 603.
A log byte code determination unit 601, configured to run a Java Agent engine and obtain a stack call log and class byte code information of a called program in a Web server application;
a risk level determining unit 602, configured to determine a risk level of the called program according to a preset detection rule, the stack call log, and class bytecode information;
and the searching and killing unit 603 is configured to determine a class file containing a file-free trojan in the called program according to a preset searching and killing strategy and the risk level, and search and kill the file-free trojan in the class file.
In an embodiment, referring to fig. 7, the log class bytecode determining unit 601 includes: an attach module 701, a call search module 702, and a log generation module 703.
A hooking module 701, configured to hook the Java Agent engine to the Web server application program for running;
a calling and searching module 702, configured to search a called program in the Web server application program and a stack list of the called program from a server memory by using an interface in the Java Agent engine;
a log generating module 703, configured to generate the stack call log of the called program according to the stack list.
In one embodiment, referring to fig. 8, the class bytecode information includes: class byte codes and characteristic information of the class byte codes; the log class bytecode determining unit 601 includes: an attach module 701 and a class bytecode reading module 802.
A hooking module 701, configured to hook the Java Agent engine to the Web server application program for running;
a class bytecode reading module 802, configured to read the class bytecode and the feature information of the class bytecode from a server memory by using an interface in the Java Agent engine.
In an embodiment, referring to fig. 9, the risk level determining unit 602 includes: a quantity determination module 901 and a risk level determination module 902.
A quantity determining module 901, configured to determine, according to the stack call log, the class bytecode, and the feature information, a quantity of the called program hitting the detection rule;
a risk level determining module 902, configured to determine the risk level according to a mapping relationship between the number and the risk level.
In an embodiment, referring to fig. 10, the checking and killing unit 603 includes: a class determination module 1001, a class file positioning module 1002 and a searching and killing module 1003.
The class determination module 1001 is configured to determine a class of the file-free trojan to be checked and killed in the called program according to a preset checking and killing policy and the risk level;
a class file positioning module 1002, configured to position a corresponding class file in the server memory according to the name of the class;
and the searching and killing module 1003 is configured to cover the class file by using a Java bytecode enhancement technology to block execution of the trojans without files in the class file, so as to complete searching and killing.
In order to realize automatic detection and searching and killing of a file-free Trojan horse and protect the safe operation of Web application, the application provides an embodiment of an electronic device for realizing all or part of contents in the file-free Trojan horse searching and killing method, and the electronic device specifically comprises the following contents:
a Processor (Processor), a Memory (Memory), a communication Interface (Communications Interface) and a bus; the processor, the memory and the communication interface complete mutual communication through the bus; the communication interface is used for realizing information transmission between the file-free Trojan horse searching and killing device and relevant equipment such as a core service system, a user terminal, a relevant database and the like; the logic controller may be a desktop computer, a tablet computer, a mobile terminal, and the like, but the embodiment is not limited thereto. In this embodiment, the logic controller may be implemented with reference to the embodiments of the file-free Trojan horse searching and killing method and the embodiments of the file-free Trojan horse searching and killing device in the embodiments, and the contents thereof are incorporated herein, and repeated details are not repeated herein.
It is understood that the user terminal may include a smart phone, a tablet electronic device, a network set-top box, a portable computer, a desktop computer, a Personal Digital Assistant (PDA), an in-vehicle device, a smart wearable device, and the like. Wherein, intelligence wearing equipment can include intelligent glasses, intelligent wrist-watch, intelligent bracelet etc..
In practical applications, part of the file-free Trojan horse searching and killing method may be performed on the electronic device side as described above, or all operations may be performed in the client device. The selection may be specifically performed according to the processing capability of the client device, the limitation of the user usage scenario, and the like. This is not a limitation of the present application. The client device may further include a processor if all operations are performed in the client device.
The client device may have a communication module (i.e., a communication unit), and may be in communication connection with a remote server to implement data transmission with the server. The server may include a server on the side of the task scheduling center, and in other implementation scenarios, the server may also include a server on an intermediate platform, for example, a server on a third-party server platform that is communicatively linked to the task scheduling center server. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed apparatus.
Fig. 11 is a schematic block diagram of a system configuration of an electronic device 9600 according to an embodiment of the present application. As shown in fig. 11, the electronic device 9600 can include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this FIG. 11 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one embodiment, the file-free Trojan horse searching and killing method function can be integrated into the central processor 9100. The central processor 9100 may be configured to control as follows:
s101: running a Java Agent engine and acquiring stack call logs and class bytecode information of a called program in a Web server application program;
s102: determining the risk level of the called program according to a preset detection rule, the stack call log and class bytecode information;
s103: and determining class files containing the file-free Trojan horse in the called program according to a preset checking and killing strategy and the risk level, and checking and killing the file-free Trojan horse in the class files.
From the above description, the file-free Trojan horse searching and killing method and device provided by the application can realize the detection and searching and killing of the file-free Trojan horse, make up the defect that the traditional file-based safety detection software cannot search and kill the Trojan horse, and ensure the running safety of an application system; meanwhile, dynamic execution information and static characteristic analysis are combined, so that the accuracy of the file-free Trojan horse detection result is greatly improved; by adopting the byte code enhancement technology, the accurate striking is realized under the condition of not changing the source code, and the efficiency of searching and killing the file-free Trojan horse is improved.
In another embodiment, the file-free trojan horse searching and killing device may be configured separately from the central processing unit 9100, for example, the file-free trojan horse searching and killing device of the data composite transmission device may be configured as a chip connected to the central processing unit 9100, and the function of the file-free trojan horse searching and killing method may be implemented by the control of the central processing unit.
As shown in fig. 11, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 also does not necessarily include all of the components shown in fig. 11; in addition, the electronic device 9600 may further include components not shown in fig. 11, which may be referred to in the prior art.
As shown in fig. 11, a central processor 9100, sometimes referred to as a controller or operational control, can include a microprocessor or other processor device and/or logic device, which central processor 9100 receives input and controls the operation of the various components of the electronic device 9600.
The memory 9140 can be, for example, one or more of a buffer, a flash memory, a hard drive, a removable media, a volatile memory, a non-volatile memory, or other suitable device. The information relating to the failure may be stored, and a program for executing the information may be stored. And the central processing unit 9100 can execute the program stored in the memory 9140 to realize information storage or processing, or the like.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. Power supply 9170 is used to provide power to electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, an LCD display, but is not limited thereto.
The memory 9140 can be a solid state memory, e.g., Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. There may also be a memory that holds information even when power is off, can be selectively erased, and is provided with more data, an example of which is sometimes called an EPROM or the like. The memory 9140 could also be some other type of device. Memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, the application/function storage portion 9142 being used for storing application programs and function programs or for executing a flow of operations of the electronic device 9600 by the central processor 9100.
The memory 9140 can also include a data store 9143, the data store 9143 being used to store data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers for the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, contact book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. The communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless lan module, may be disposed in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and receive audio input from the microphone 9132, thereby implementing ordinary telecommunications functions. The audio processor 9130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100, thereby enabling recording locally through the microphone 9132 and enabling locally stored sounds to be played through the speaker 9131.
An embodiment of the present application further provides a computer-readable storage medium capable of implementing all steps in the file-free Trojan horse searching and killing method with a server or a client as an execution subject in the foregoing embodiment, where the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the computer program implements all steps of the file-free Trojan horse searching and killing method with a server or a client as an execution subject in the foregoing embodiment, for example, when the processor executes the computer program, the processor implements the following steps:
s101: running a Java Agent engine and acquiring stack call logs and class bytecode information of a called program in a Web server application program;
s102: determining the risk level of the called program according to a preset detection rule, the stack call log and class bytecode information;
s103: and determining class files containing the file-free Trojan horse in the called program according to a preset checking and killing strategy and the risk level, and checking and killing the file-free Trojan horse in the class files.
From the above description, the file-free Trojan horse searching and killing method and device provided by the application can realize the detection and searching and killing of the file-free Trojan horse, make up the defect that the traditional file-based safety detection software cannot search and kill the Trojan horse, and ensure the running safety of an application system; meanwhile, dynamic execution information and static characteristic analysis are combined, so that the accuracy of the file-free Trojan horse detection result is greatly improved; by adopting the byte code enhancement technology, the accurate striking is realized under the condition of not changing the source code, and the efficiency of searching and killing the file-free Trojan horse is improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A file-free Trojan horse searching and killing method is characterized by comprising the following steps:
acquiring stack call logs and class bytecode information of a called program in a Web server application program;
determining the risk level of the called program according to a preset detection rule, the stack call log and class bytecode information;
and determining class files containing the file-free Trojan horse in the called program according to a preset checking and killing strategy and the risk level, and checking and killing the file-free Trojan horse in the class files.
2. The method for searching and killing the file-free Trojan horse according to claim 1, wherein the step of determining the class file containing the file-free Trojan horse in the called program according to a preset searching and killing strategy and the risk level and searching and killing the file-free Trojan horse in the class file comprises the following steps:
determining the class of the file-free Trojan horse to be checked and killed in the called program according to the checking and killing strategy and the risk level;
positioning a corresponding class file in a server memory according to the class name;
and covering the class files by adopting a Java byte code enhancement technology to block the execution of Trojan horses without files in the class files and finish searching and killing.
3. The method according to claim 2, wherein obtaining a stack call log of a called program in a Web server application program comprises:
hanging a Java Agent engine to the Web server application program for running;
searching the called program in the Web server application program and a stack list when the called program is called from the server memory by using an interface in the Java Agent engine;
and generating the stack call log of the called program according to the stack list.
4. The method according to claim 3, wherein the searching for the called program in the Web server application program and the stack list thereof when called from the server memory by using the interface in the Java Agent engine comprises:
searching a called program in the Web server application program from the server memory by using an interface in the Java Agent engine as a system key function;
performing instrumentation operation on the system key function;
and running the system key function, and recording a stack list when the system key function is called according to the result of the instrumentation operation.
5. The method according to claim 3, wherein the class bytecode information includes: class byte codes and characteristic information of the class byte codes; the method for acquiring the class bytecode information of the called program in the Web server application program comprises the following steps:
hanging the Java Agent engine to the Web server application program for running;
and reading the class bytecode and the characteristic information of the class bytecode from the server memory by using an interface in the Java Agent engine.
6. The method for searching and killing the file-free trojan horse according to claim 1, wherein the step of determining the risk level of the called program according to a preset detection rule, the stack call log and class bytecode information comprises the following steps:
determining the number of the detection rules hit by the called program according to the stack call log, the class bytecode and the feature information;
and determining the risk level according to the mapping relation between the quantity and the risk level.
7. A device is killed to no file Trojan horse looks for which characterized in that includes:
the log byte code determining unit is used for acquiring stack call logs and class byte code information of a called program in a Web server application program;
the risk level determining unit is used for determining the risk level of the called program according to a preset detection rule, the stack call log and the class bytecode information;
and the checking and killing unit is used for determining class files containing the file-free trojans in the called program according to a preset checking and killing strategy and the risk level and checking and killing the file-free trojans in the class files.
8. The device for searching and killing the file-free trojan horse according to claim 7, wherein the searching and killing unit comprises:
the class determination module is used for determining a class of the file-free Trojan horse to be checked and killed in the called program according to a preset checking and killing strategy and the risk level;
the class file positioning module is used for positioning a corresponding class file in the server memory according to the name of the class;
and the searching and killing module is used for covering the class files by adopting a Java byte code enhancement technology so as to block the execution of the Trojan without the file in the class files and finish searching and killing.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the file-free Trojan horse searching and killing method according to any one of claims 1 to 6 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the file-free trojan horse searching and killing method according to any one of claims 1 to 6.
CN202111431280.8A 2021-11-29 2021-11-29 File-free Trojan horse searching and killing method and device Pending CN114065204A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111431280.8A CN114065204A (en) 2021-11-29 2021-11-29 File-free Trojan horse searching and killing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111431280.8A CN114065204A (en) 2021-11-29 2021-11-29 File-free Trojan horse searching and killing method and device

Publications (1)

Publication Number Publication Date
CN114065204A true CN114065204A (en) 2022-02-18

Family

ID=80277137

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111431280.8A Pending CN114065204A (en) 2021-11-29 2021-11-29 File-free Trojan horse searching and killing method and device

Country Status (1)

Country Link
CN (1) CN114065204A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114692153A (en) * 2022-04-11 2022-07-01 北京中睿天下信息技术有限公司 Malicious code detection method, equipment and storage medium based on JAVA program
CN115270126A (en) * 2022-09-29 2022-11-01 北京微步在线科技有限公司 Method and device for detecting Java memory horse, electronic equipment and storage medium
CN115688106A (en) * 2022-11-16 2023-02-03 安芯网盾(北京)科技有限公司 Method and device for detecting Java agent non-file-injection memory horse
CN115795444A (en) * 2023-01-31 2023-03-14 北京微步在线科技有限公司 Detection method and device for MSSQL backdoor
CN115935361A (en) * 2023-01-09 2023-04-07 北京微步在线科技有限公司 Java memory horse detection method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933060A (en) * 2019-11-22 2020-03-27 上海交通大学 Excavation Trojan detection system based on flow analysis
CN111753301A (en) * 2020-07-01 2020-10-09 深信服科技股份有限公司 File-free attack detection method and device, electronic equipment and medium
CN112422581A (en) * 2020-11-30 2021-02-26 杭州安恒信息技术股份有限公司 Webshell webpage detection method, device and equipment in JVM (Java virtual machine)
KR20210084032A (en) * 2019-12-27 2021-07-07 주식회사 안랩 Detection device and detection method for fileless malignant code
CN113312624A (en) * 2021-06-21 2021-08-27 厦门服云信息科技有限公司 Java Web application memory Trojan detection method, terminal device and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933060A (en) * 2019-11-22 2020-03-27 上海交通大学 Excavation Trojan detection system based on flow analysis
KR20210084032A (en) * 2019-12-27 2021-07-07 주식회사 안랩 Detection device and detection method for fileless malignant code
CN111753301A (en) * 2020-07-01 2020-10-09 深信服科技股份有限公司 File-free attack detection method and device, electronic equipment and medium
CN112422581A (en) * 2020-11-30 2021-02-26 杭州安恒信息技术股份有限公司 Webshell webpage detection method, device and equipment in JVM (Java virtual machine)
CN113312624A (en) * 2021-06-21 2021-08-27 厦门服云信息科技有限公司 Java Web application memory Trojan detection method, terminal device and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"解密无文件攻击的各种姿势及最新监测方法", Retrieved from the Internet <URL:https://www.sohu.com/a/399624173_589332> *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114692153A (en) * 2022-04-11 2022-07-01 北京中睿天下信息技术有限公司 Malicious code detection method, equipment and storage medium based on JAVA program
CN114692153B (en) * 2022-04-11 2024-05-14 北京中睿天下信息技术有限公司 Malicious code detection method, device and storage medium based on JAVA program
CN115270126A (en) * 2022-09-29 2022-11-01 北京微步在线科技有限公司 Method and device for detecting Java memory horse, electronic equipment and storage medium
CN115270126B (en) * 2022-09-29 2022-12-16 北京微步在线科技有限公司 Method and device for detecting Java memory horse, electronic equipment and storage medium
CN115688106A (en) * 2022-11-16 2023-02-03 安芯网盾(北京)科技有限公司 Method and device for detecting Java agent non-file-injection memory horse
CN115935361A (en) * 2023-01-09 2023-04-07 北京微步在线科技有限公司 Java memory horse detection method and device
CN115795444A (en) * 2023-01-31 2023-03-14 北京微步在线科技有限公司 Detection method and device for MSSQL backdoor

Similar Documents

Publication Publication Date Title
CN114065204A (en) File-free Trojan horse searching and killing method and device
Dunham Mobile malware attacks and defense
CN106709325B (en) Method and device for monitoring program
US20130247198A1 (en) Emulator updating system and method
CN101959193A (en) Information safety detection method and a mobile terminal
US12039034B2 (en) Undetectable sandbox for malware
US8640233B2 (en) Environmental imaging
CN112685737A (en) APP detection method, device, equipment and storage medium
CN104517054A (en) Method, device, client and server for detecting malicious APK
CN107463841B (en) System and method for detecting malicious computer systems
KR102180098B1 (en) A malware detecting system performing monitoring of malware and controlling a device of user
US10726124B2 (en) Computer device and method of identifying whether container behavior thereof is abnormal
CN103761478A (en) Judging method and device of malicious files
CN115859274B (en) Method and system for monitoring event log behavior of Windows process emptying system
CN107330328A (en) Defend method, device and the server of virus attack
CN105631335A (en) Dynamic decompression method, device and apparatus
CN112214267A (en) Android shelling acceleration method and device, storage medium and computer equipment
CN105868625A (en) Method and device for intercepting restart deletion of file
CN114282212A (en) Rogue software identification method and device, electronic equipment and storage medium
CN105787302B (en) A kind of processing method of application program, device and electronic equipment
EP3252645A1 (en) System and method of detecting malicious computer systems
CN114640484A (en) Network security countermeasure method and device and electronic equipment
CN113364766A (en) APT attack detection method and device
US11763004B1 (en) System and method for bootkit detection
CN113139179A (en) Web attack-based analysis method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination