CN114095236A - Key searching method and device, computing equipment and storage medium - Google Patents
Key searching method and device, computing equipment and storage medium
- Publication number: CN114095236A
- Application number: CN202111362126.XA
- Authority: CN (China)
- Prior art keywords: file, target, key, memory, software
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/0223—User address space allocation, e.g. contiguous or non contiguous base addressing
- G06F12/023—Free address space management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Virology (AREA)
- Computational Linguistics (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a key searching method, a key searching device, a computing device and a storage medium. The method comprises: when it is determined that a device infected by ransomware satisfies a set condition, acquiring a target file encrypted by the ransomware and the original file of the target file before encryption, where the set condition comprises that the ransomware process has not ended since the ransomware infected the device; determining a characteristic value corresponding to the encryption algorithm adopted by the ransomware; searching the memory for a plurality of potential keys matching the characteristic value; and determining the correct key from the plurality of potential keys according to the target file and the original file. With this scheme the key can be found quickly, and user experience is improved.
Description
Technical Field
The embodiment of the invention relates to the technical field of decryption, in particular to a key searching method, a key searching device, a computing device and a storage medium.
Background
Ransomware is malicious software that encrypts a user's files to prevent the user from accessing them, and then demands that the user pay a ransom to have the encrypted files decrypted and regain access. In recent years ransomware attacks have kept changing and evolving, and ransomware incidents have become one of the most active threats in the field of network security. Network security companies continually release decryption tools to help users decrypt files encrypted by ransomware.
In the prior art, after a ransomware incident occurs, a network security company analyses the incident and then releases a decryption tool for the files encrypted in it. The time from the encryption of the user's files by the ransomware to their decryption is therefore long, which affects user experience.
Disclosure of Invention
Because, in the prior art, the period between the encryption of a user's files and their decryption is long and user experience suffers, embodiments of the invention provide a key searching method, a key searching device, a computing device and a storage medium that can find the key quickly and improve user experience.
In a first aspect, an embodiment of the present invention provides a key lookup method, including:
when it is determined that a device infected by ransomware satisfies a set condition, acquiring a target file encrypted by the ransomware and the original file of the target file before encryption; the set condition comprises that the ransomware process has not ended since the ransomware infected the device;
determining a characteristic value corresponding to the encryption algorithm adopted by the ransomware;
searching the memory for a plurality of potential keys matching the characteristic value;
and determining the correct key from the plurality of potential keys according to the target file and the original file.
Preferably, acquiring the target file encrypted by the ransomware and the original file before the target file was encrypted includes:
determining an original file that has not been encrypted;
and transmitting the original file to the device infected by the ransomware, so that the ransomware encrypts the original file and the encrypted result is the target file.
Preferably, acquiring the target file encrypted by the ransomware and the original file before the target file was encrypted includes:
determining any system file that has a backup file, among all system files encrypted by the ransomware, as the target file, and determining the backup file corresponding to that target file as the original file.
Preferably, before searching the memory for the plurality of potential keys matching the characteristic value, the method further includes:
suspending the ransomware process;
and acquiring, from the memory of the device infected by the ransomware, the target memory corresponding to the ransomware process, the search for the plurality of potential keys matching the characteristic value then being performed in the target memory.
Preferably, acquiring the target memory corresponding to the ransomware process includes:
invoking a memory dump tool from a cmd command and using the memory dump tool to dump the memory of the ransomware process, the dumped memory being the target memory.
Preferably, determining the correct key from the plurality of potential keys according to the target file and the original file includes:
decrypting the target file with each potential key in turn, comparing whether the decrypted file is identical to the original file, and determining the potential key for which the comparison succeeds as the correct key.
Preferably, before comparing whether the decrypted file is identical to the original file, the method further includes:
judging whether the size of the decrypted file is the same as that of the original file;
and, if they differ, truncating the decrypted file so that its size after truncation equals that of the original file.
In a second aspect, an embodiment of the present invention further provides a key lookup apparatus, including:
a file acquisition unit configured to acquire a target file encrypted by ransomware and the original file before the target file was encrypted, when it is determined that a device infected by the ransomware satisfies a set condition; the set condition comprises that the ransomware process has not ended since the ransomware infected the device;
a characteristic value determining unit configured to determine a characteristic value corresponding to the encryption algorithm adopted by the ransomware;
a potential key searching unit configured to search the memory for a plurality of potential keys matching the characteristic value;
and a correct key determining unit configured to determine the correct key from the plurality of potential keys according to the target file and the original file.
In a third aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor, when executing the computer program, implements the method described in any embodiment of this specification.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the method described in any embodiment of the present specification.
Embodiments of the invention provide a key searching method, a key searching device, a computing device and a storage medium. If a device infected by ransomware has not released or cleared the memory of the ransomware process since the infection, the key the ransomware used to encrypt files is still present in memory. Potential keys that may be the correct key can then be located in memory from the characteristic value of the encryption algorithm the ransomware adopted, and the correct one among them can be identified by trial decryption with each potential key, using a target file encrypted by the ransomware together with the original file from before it was encrypted. The decryption key can therefore be found quickly after the device is infected, the user waits only briefly, and user experience is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a key lookup method according to an embodiment of the present invention;
FIG. 2 is a diagram of a hardware architecture of a computing device according to an embodiment of the present invention;
fig. 3 is a block diagram of a key lookup apparatus according to an embodiment of the present invention;
fig. 4 is a block diagram of another key lookup apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As mentioned above, the related decryption art generally works as follows: after a ransomware incident occurs, a network security company analyses the incident and then releases a decryption tool for it. The time from the encryption of the user's files to their decryption is therefore long, the user cannot do any work that involves the encrypted files while waiting, and user experience suffers.
It is recognised that some ransomware does not delete the key used to encrypt files from memory after the files are encrypted. On that basis, if the ransomware is still running after the user's files are encrypted, that is, its process has not ended, the memory belonging to the ransomware process has not been cleared, and it is worth searching that memory for possible keys. In addition, to tell the correct key apart from the other possible keys, a file encrypted by the ransomware and the unencrypted original of that file are needed. The scheme therefore provides a key searching method that can quickly find the correct key after the user's files are encrypted by ransomware, so that the encrypted files can be decrypted.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a key lookup method, which includes:
Step 100: when it is determined that the device infected by the ransomware satisfies a set condition, acquiring a target file encrypted by the ransomware and the original file of the target file before encryption; the set condition comprises that the ransomware process has not ended since the ransomware infected the device.
Step 102: determining a characteristic value corresponding to the encryption algorithm adopted by the ransomware.
Step 104: searching the memory for a plurality of potential keys matching the characteristic value.
Step 106: determining the correct key from the plurality of potential keys according to the target file and the original file.
In the embodiment of the invention, because the device infected by the ransomware has not cleared the memory of the ransomware process since the infection, the key the ransomware used to encrypt files is still present in memory. Potential keys that may be the correct key can be found in memory from the characteristic value of the encryption algorithm adopted by the ransomware, and the correct key among them can then be determined by trial decryption with each potential key, using the target file encrypted by the ransomware and the original file from before it was encrypted. The decryption key can therefore be found quickly after the device is infected, the user waits only briefly, and user experience is improved.
The manner in which the various steps shown in fig. 1 are performed is described below.
First, step 100: when it is determined that the device infected by the ransomware satisfies the set condition, the target file encrypted by the ransomware and the original file of the target file before encryption are acquired; the set condition comprises that the ransomware process has not ended since the ransomware infected the device.
The ransomware may not delete the key with which it encrypted the system files from memory after the encryption. For the key to be found in memory, the following set condition needs to hold: the ransomware process has not ended since it infected the device (condition one).
This condition is set for the following reason. If the ransomware process ends, the memory occupied by the process may be released or overwritten, which spoils the key search; and if the ransomware restarts its process after ending it, the memory of the original process has already been released or overwritten, and the restarted process may use a different key from the original one. The condition that the process has not ended since the ransomware infected the device must therefore hold.
In an embodiment of the present invention, whether the infected device satisfies the set condition can be determined by checking the logs for whether the ransomware process was ended in the period between the time the device was infected and the current time, for example by checking whether a device restart, a process termination or the like occurred in that period.
To find the key in memory, in addition to condition one a condition two must be satisfied: there is a file encrypted by the ransomware together with the original of that file from before it was encrypted.
To satisfy condition two, embodiments of the present invention can proceed in at least two ways:
Mode one: none of the encrypted system files has a backup file.
Mode two: an encrypted system file has a backup file.
The following describes the manner of acquiring the target file and the original file in this step with respect to the above two manners.
In mode one, since none of the encrypted system files has a backup, in an embodiment of the present invention the target file and the original file may be acquired in this step as follows: determine an original file that has not been encrypted, and transmit the original file to the device infected by the ransomware, so that the ransomware encrypts it and the encrypted result is the target file.
The unencrypted original file may be a file from outside the infected device.
Once the original file is chosen, it may be transferred to the infected device by USB drive, Bluetooth, network transfer or the like. Because the ransomware process is still running, the original file is encrypted by the ransomware after it arrives on the infected device, and the encrypted file is taken as the target file.
In mode one, transferring an external original file onto the infected device makes the location of the encrypted target file exactly known, so that an exact original file and target file are available to the process of decrypting and searching for the correct key, which improves both the accuracy of the result and the search speed.
In mode two, since an encrypted system file has a backup, in an embodiment of the present invention the target file and the original file may be acquired in this step as follows: determine any system file that has a backup, among all system files encrypted by the ransomware, as the target file, and determine the backup of that file as the original file.
In mode two the original file and the target file are obtained without transferring a file from outside onto the infected device, which speeds up their acquisition and avoids the risk that the source device of the external file is indirectly infected while the file is being transferred to the infected device, so the safety of the whole system is preserved.
Whichever mode is used, the target file and the original file are obtained, condition two is satisfied, and the key search can continue.
Then, step 102: the characteristic value corresponding to the encryption algorithm adopted by the ransomware is determined.
The encryption algorithm may be DES, RSA, AES, ECC or the like (the original text also lists SHA, which is a hash function rather than a cipher). Different encryption algorithms have different characteristic values. For each algorithm, the way its characteristic value is computed and the parameters that enter it can be taken from the description document published by the algorithm's implementer, and the characteristic value of that algorithm is computed from them.
For example, for the AES-256 encryption algorithm the description document contains, among other things, a key_data_s structure; the excerpt itself is not reproduced on this page.
From the description of the key_data_s structure it is known that alg is 0x00006610, keysize is 0x00000020 and flags is 0x1. From these the characteristic value 1066000001000000200000000 is computed, which read as bytes (the printed digit string carries one stray zero) is the three fields laid out as little-endian 32-bit words: 10 66 00 00 01 00 00 00 20 00 00 00. The value 0x6610 is the Windows CryptoAPI algorithm identifier CALG_AES_256, so this characteristic value locates CryptoAPI AES-256 key objects.
In an embodiment of the present invention, the characteristic value of the encryption algorithm adopted by the ransomware may be determined in step 102 in either of two ways:
Mode A: determine it from the target file and the original file.
Mode B: take the characteristic values of all known encryption algorithms as the characteristic values of the algorithm adopted by the ransomware.
The two modes are described in turn.
In mode A, since the target file is the encrypted form of the original file, at least three sample pairs are needed to determine the encryption algorithm used, each sample pair consisting of a target file and its corresponding original file.
For each known encryption algorithm, the target file in each sample pair is encrypted with that algorithm and the difference between the hash value of the result and the hash value of the corresponding original file is computed; the algorithm with the smallest mean difference over all sample pairs is determined as the algorithm adopted by the ransomware. This is the procedure as the patent states it; a practitioner should note that hash values are not numerically comparable and that the ransomware's encryption cannot be reproduced without its key, so in practice the algorithm is more reliably identified from the length and padding behaviour of the target file relative to the original, and from the in-memory signature constants described above.
Once the encryption algorithm is determined, its characteristic value can be determined.
With mode A the characteristic value is pinned down, so that in the subsequent step 104 only potential keys matching that one characteristic value need to be found; compared with mode B the number of potential keys is smaller, and the correct key is determined faster.
In mode B, the characteristic values of all encryption algorithms are taken as the characteristic values of the algorithm adopted by the ransomware, and step 104 is performed for each characteristic value to find every possible potential key.
In mode B the number of potential keys is larger than in mode A, but the probability that the correct key is among them is higher, so the chance of determining the correct key is improved.
Besides modes A and B, the characteristic value may also be determined from the encryption algorithms used by common ransomware families.
Next, step 104: a plurality of potential keys matching the characteristic value are searched for in memory.
In an embodiment of the present invention, potential keys matching the characteristic value may be searched for across the whole memory. To speed up the search, the range of memory to be searched can be narrowed beforehand: suspend the ransomware process, acquire from the infected device's memory the target memory corresponding to the ransomware process, and search for the plurality of potential keys matching the characteristic value in that target memory.
While the ransomware process is running, its target memory is in active use and keeps changing, and once the process ends the target memory is released or overwritten; suspending the process therefore freezes the target memory so that it can be acquired intact.
In the embodiment of the present invention, the target memory corresponding to the ransomware process may be acquired as follows: invoke a memory dump tool from a cmd command and use it to dump the memory of the ransomware process; the dump is the target memory.
Run cmd as administrator, invoke a memory dump tool such as procdump from the command line, and give it the process ID of the ransomware; the tool locates the memory belonging to the ransomware process, reads it out, and saves the target memory to the specified location. Invoking the memory dump tool from the cmd command line obtains the target memory of the ransomware process accurately and quickly.
It should be noted that the target memory may also be obtained in other ways. For example, the memory mappings of the ransomware process's address space may be read from /proc/<pid>/maps, the physical memory backing the process's virtual addresses located from those mappings, and the target memory acquired from it.
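The /proc/<pid>/maps route above, worked through as an added example that is not part of the patent. On Windows the equivalent is what the text describes: from an administrator cmd prompt, `procdump -ma <pid> <output.dmp>` writes a full dump of that one process. The Linux version below parses the maps lines, keeps only the readable regions where a live key object could sit (writable anonymous, heap and stack mappings, plus writable data segments of loaded images) and copies them out of /proc/<pid>/mem into one image; the returned index records where each region landed so that a hit offset in the image maps back to a process virtual address. The maps excerpt and the /opt/locker/locker path are constructed. Reading another process's memory needs ptrace rights over it, and, as the text says, the process should be suspended (for example with SIGSTOP) before the copy is taken.

```python
"""Narrow the key search to the ransomware process: select regions from
/proc/<pid>/maps and copy them out of /proc/<pid>/mem into a single image."""
import os
import re
from dataclasses import dataclass

# start-end perms offset dev inode [path]   (path is absent for anonymous mappings)
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list:
    """Parse the text of /proc/<pid>/maps into Region objects (unparseable lines skipped)."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[7].strip()))
    return regions


def key_search_regions(regions: list) -> list:
    """Keep mappings a key object can live in; drop unreadable pages, the vvar/vsyscall
    pseudo-mappings, and read-only file mappings (code and .rodata hold no live keys)."""
    wanted = []
    for r in regions:
        if "r" not in r.perms or r.path in ("[vvar]", "[vsyscall]"):
            continue
        if r.path.startswith("/") and "w" not in r.perms:
            continue
        wanted.append(r)
    return wanted


def dump_regions(pid: int, regions: list):
    """Read each selected region from /proc/<pid>/mem. Returns (image, index) where
    index is a list of (virtual_address, offset_in_image, length). Regions that
    cannot be read (e.g. revoked pages) are skipped instead of aborting the dump."""
    image = bytearray()
    index = []
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for r in regions:
            try:
                data = os.pread(fd, r.size, r.start)
            except OSError:
                continue
            index.append((r.start, len(image), len(data)))
            image += data
    finally:
        os.close(fd)
    return bytes(image), index


def dump_process(pid: int):
    """maps -> region selection -> copy; the target memory for the signature scan."""
    with open(f"/proc/{pid}/maps") as f:
        regions = key_search_regions(parse_maps(f.read()))
    return dump_regions(pid, regions)


# Constructed maps excerpt for a hypothetical locker process (not a real capture).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /opt/locker/locker
00651000-00652000 rw-p 00051000 08:01 1234 /opt/locker/locker
00e03000-00e24000 rw-p 00000000 00:00 0 [heap]
7f1c2a000000-7f1c2a021000 rw-p 00000000 00:00 0
7f1c2a400000-7f1c2a5c0000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd1e1f0000-7ffd1e211000 rw-p 00000000 00:00 0 [stack]
7ffd1e2a0000-7ffd1e2a4000 r--p 00000000 00:00 0 [vvar]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""

if __name__ == "__main__":
    import sys
    for r in key_search_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{r.start:016x}-{r.end:016x} {r.perms} {r.size:>8} {r.path}")
    # Live run: dump the given pid (needs ptrace rights), or this process itself.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    image, index = dump_process(pid)
    print(f"pid {pid}: {len(index)} regions, {len(image)} bytes captured")
```

A hit at image offset `o` lies in the region whose index entry satisfies `off <= o < off + length`, and its process address is `vaddr + (o - off)`; that is what lets a candidate key be traced back to the heap or stack allocation it was found in.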
In this embodiment, after the target memory is obtained it may be stored in the decryption tool's directory so that the decryption tool can search it for potential keys.
In one embodiment of the present invention, once the target memory is determined, the plurality of potential keys matching the characteristic value may be searched for within it.
Searching for potential keys matching the characteristic value means walking through the data in the memory and testing whether each piece of data satisfies the characteristic value; if it does, that data is determined as a potential key.
Taking the AES-256 algorithm as an example, the characteristic value is matched in 4-byte segments, each segment having its own expected value (the alg, flags and keysize words above); a piece of data of the expected length whose every segment satisfies the value of the corresponding segment is determined as a potential key. The translated text gives the matched length as "16 bits"; the unit is unclear, and the 0x20-byte key size from the structure description is the size that matters for the key material itself.
It should be noted that when the characteristic value in step 102 is not determined from the target file and the original file, the order between the file acquisition part of step 100 (acquiring the target file encrypted by the ransomware and the original file from before encryption) and steps 102 and 104 is not restricted: steps 102 and 104 may be performed first, or the steps may be performed concurrently.
Finally, in step 106, a correct key is determined from the plurality of potential keys based on the target file and the original file.
In an embodiment of the present invention, this step may be driven by command-line parameters. In that case the names of the original file and of the target file are determined, the name of the target file is split into its base name and suffix, and the suffix of the target file is changed to the same suffix as the original file, so that decryption can be run quickly from the command line.
In the embodiment of the present invention, the step may include: decrypting the target file with each potential key in turn, comparing whether the decrypted file is identical to the original file, and determining the potential key for which the comparison succeeds as the correct key.
In the specific implementation, after decryption with one potential key, the decrypted file is compared with the original file; if they are identical, that potential key is determined directly as the correct key, and if they are not, the decrypt-and-compare process continues with the next potential key until the correct key is determined.
In an embodiment of the present invention, the decrypted file may contain extra data that the decryption routine writes incidentally (a trailing padding block, for instance). The decryption process may run as follows: obtain a cryptographic provider handle, open the target file and the designated output file, decrypt the target file with the potential key, write the decrypted data to the output file, then release the hash object, release the potential key and release the provider handle; the output file is the decrypted file. To keep the comparison result correct, before comparing whether the decrypted file is identical to the original file it can first be judged whether the size of the decrypted file equals that of the original file; if they differ, the decrypted file is truncated so that its size after truncation equals that of the original file.
Specifically, when truncating the decrypted file, the block at the head or the tail of the decrypted file is removed according to the size of the original file, so that the remaining file has the same size as the original.
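Steps 102, 104 and 106 carried through as one added example (not code from the patent, standard library only): the AES-256 characteristic value packed from the alg, flags and keysize words, a scan of a memory image for every occurrence of it, and the decrypt-and-compare loop with the size check and truncation. Two things are assumptions of this example. First, that the 32 key bytes directly follow the 12-byte header in memory; the real offset has to come from the structure description the patent refers to, which is not reproduced here. Second, the cipher: the standard library has no AES, so `toy_encrypt`/`toy_decrypt` are a SHA-256 counter-mode keystream over PKCS#7-padded data standing in for a padded block cipher, and in real use `toy_decrypt` is swapped for the actual algorithm's raw decrypt routine. The memory image, the decoy key object and the file pair are constructed.

```python
"""Find candidate AES-256 keys by signature in a memory image, then pick the
correct one with a known original/target file pair."""
import hashlib
import struct

# Step 102: alg = 0x6610 (CALG_AES_256), flags = 1, keysize = 0x20, as three
# little-endian 32-bit words -> 10 66 00 00 01 00 00 00 20 00 00 00
AES256_SIGNATURE = struct.pack("<III", 0x6610, 0x1, 0x20)
AES256_KEY_SIZE = 0x20


def find_potential_keys(memory: bytes, signature: bytes = AES256_SIGNATURE,
                        key_size: int = AES256_KEY_SIZE) -> list:
    """Step 104: return (offset, key_bytes) for every signature hit in `memory`.
    ASSUMPTION of this example: the key bytes immediately follow the header."""
    hits = []
    pos = memory.find(signature)
    while pos != -1:
        key_off = pos + len(signature)
        if key_off + key_size <= len(memory):
            hits.append((pos, memory[key_off:key_off + key_size]))
        pos = memory.find(signature, pos + 1)
    return hits


# --- stand-in cipher (constructed; NOT AES) --------------------------------
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:length])


def _pkcs7_pad(data: bytes, block: int = 16) -> bytes:
    n = block - len(data) % block
    return data + bytes([n]) * n


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Pad to the block size, then XOR with the keystream (mimics a padded block cipher)."""
    padded = _pkcs7_pad(plaintext)
    return bytes(a ^ b for a, b in zip(padded, _keystream(key, len(padded))))


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Raw decrypt: the padded plaintext comes back with its padding block still attached."""
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))


# --- step 106: verify candidates against the original/target pair ----------
def truncate_to_size(decrypted: bytes, original_size: int) -> bytes:
    """Drop the trailing data the decryptor left behind so the two files can be compared."""
    return decrypted[:original_size] if len(decrypted) > original_size else decrypted


def find_correct_key(candidates: list, target_file: bytes, original_file: bytes,
                     decrypt=toy_decrypt):
    """Try each potential key; the one whose (size-adjusted) output equals the original wins."""
    for _offset, key in candidates:
        plain = decrypt(key, target_file)
        if len(plain) != len(original_file):
            plain = truncate_to_size(plain, len(original_file))
        if plain == original_file:
            return key
    return None


# --- constructed sample data -------------------------------------------------
REAL_KEY = hashlib.sha256(b"constructed ransomware key").digest()   # 32 bytes
DECOY_KEY = hashlib.sha256(b"stale key object").digest()            # same shape in memory
ORIGINAL_FILE = b"quarterly report: revenue 1.2M, headcount 37\n"   # not a block multiple


def build_sample_memory() -> bytes:
    """Fake process dump: noise, a stale key object, noise, the live key object, noise."""
    filler = _keystream(b"heap noise", 2048)
    return (filler + AES256_SIGNATURE + DECOY_KEY
            + filler[:512] + AES256_SIGNATURE + REAL_KEY + filler[512:])


def build_sample_files():
    """The original file and the target file the (toy) ransomware produced from it."""
    return ORIGINAL_FILE, toy_encrypt(REAL_KEY, ORIGINAL_FILE)


if __name__ == "__main__":
    memory = build_sample_memory()
    original, target = build_sample_files()
    candidates = find_potential_keys(memory)
    print(f"{len(candidates)} potential keys matched {AES256_SIGNATURE.hex()}")
    key = find_correct_key(candidates, target, original)
    print("correct key:", key.hex() if key else "not found")
```

The decoy object shows why step 106 is needed at all: it matches the characteristic value exactly, and only the trial decryption tells the live key from a stale one. The size check fires on every candidate here because the raw decrypt returns the padding block, which is the "incidentally written data" the text describes.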
Once the correct key is determined in this step, all encrypted system files on the device infected by the ransomware can be decrypted with it.
When decrypting an encrypted system file with the decryption tool, the path of the encrypted system file, the path for the decrypted file and the path of the key file are supplied, and the decryption tool then decrypts all of the system files.
The scheme can be carried out through the system command line, so the tools involved are lightweight, occupy little system memory, and do not interfere with normal use.
As shown in fig. 2 and fig. 3, an embodiment of the invention provides a key lookup apparatus. The apparatus embodiments may be implemented in software, in hardware, or in a combination of the two. On the hardware side, fig. 2 shows the hardware architecture of a computing device hosting the key lookup apparatus: besides the processor, memory, network interface and non-volatile storage shown in fig. 2, the device may include other hardware, such as a forwarding chip responsible for packet processing. Taking the software implementation as an example, fig. 3 shows the apparatus as a logical device formed when the CPU of the computing device reads the corresponding computer program from non-volatile storage into memory and runs it. The key lookup apparatus of this embodiment comprises:
a file acquisition unit 301, configured to acquire, once the device infected by the ransomware is determined to satisfy a set condition, a target file encrypted by the ransomware and the original file from which the target file was encrypted; the set condition includes that the ransomware process has not terminated after infecting the device;
a characteristic value determining unit 302, configured to determine the characteristic value corresponding to the encryption algorithm used by the ransomware;
a potential key searching unit 303, configured to search memory for a plurality of potential keys matching the characteristic value;
a correct key determining unit 304, configured to determine the correct key among the potential keys using the target file and the original file.
In an embodiment of the invention, the file acquisition unit 301 is specifically configured to select an unencrypted original file and transfer it to the device infected by the ransomware, where the ransomware encrypts it; the resulting encrypted file is the target file.
In an embodiment of the invention, the file acquisition unit 301 is specifically configured to select, as the target file, any system file that the ransomware has encrypted and for which a backup file exists, and to use that backup file as the original file.
In an embodiment of the invention, referring to fig. 4, the key lookup apparatus may further include:
a target memory acquiring unit 305, configured to suspend the ransomware process and to obtain, from the memory of the infected device, the target memory belonging to that process, so that the potential key searching unit 303 searches the target memory, rather than all of device memory, for the plurality of potential keys matching the characteristic value.
In an embodiment of the invention, when obtaining the target memory of the ransomware process, the target memory acquiring unit 305 is specifically configured to invoke a memory dump tool from a cmd command and dump the memory of the ransomware process with that tool; the dump is the target memory.
In an embodiment of the invention, the correct key determining unit 304 is specifically configured to decrypt the target file with each potential key in turn, compare the decrypted file with the original file, and take the potential key whose decryption matches the original file as the correct key.
In an embodiment of the invention, the correct key determining unit 304 is further configured to check whether the decrypted file has the same size as the original file and, if it does not, to truncate the decrypted file so that it has the original file's size before the comparison.
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to a key lookup apparatus. In other embodiments of the invention a key lookup apparatus may include more or fewer components than shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Since the information exchanged among the modules of the apparatus and their execution flow follow the same concept as the method embodiments of the invention, the details can be found in the description of the method embodiments and are not repeated here.
The embodiment of the invention also provides a computing device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to realize the key searching method in any embodiment of the invention.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program causes the processor to execute a key lookup method in any embodiment of the present invention.
Specifically, a system or apparatus may be equipped with a storage medium holding program code that implements the functions of any of the embodiments above, and a computer (or CPU or MPU) of that system or apparatus reads and executes the program code stored on the medium.
In that case, the program code read from the storage medium itself implements the functions of the embodiments, so the program code and the storage medium holding it form part of the invention.
Storage media that can supply the program code include floppy disks, hard disks, magneto-optical disks, optical disks (e.g. CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code may be downloaded from a server over a communications network.
Further, the functions of the embodiments may be realised not only by the computer executing the program code it has read, but also by an operating system or similar software running on the computer performing part or all of the actual operations under the instructions of the program code.
Further, the program code read from the storage medium may be written to memory on an expansion board inserted into the computer or on an expansion module connected to it, after which a CPU or similar processor on that board or module performs part or all of the actual operations under the instructions of the program code, thereby realising the functions of any of the embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. In an embodiment of the invention, because the infected device performs no memory clean-up after the ransomware infects it, the key the ransomware used to encrypt files is still present in memory. Potential keys can therefore be located in memory by the characteristic value of the encryption algorithm the ransomware uses, and the correct one identified by decrypting the target file with each potential key and comparing the result with the original file. The decryption key is thus found quickly after infection, the user's waiting time is short, and the user experience improves.
2. In an embodiment of the invention, an external original file is transferred to the infected device, so the location of its encrypted counterpart, the target file, is known exactly. The decryption and key search therefore operate on an exactly matched original/target pair, which improves both the accuracy and the speed of the search.
3. In an embodiment of the invention, because the encrypted system file already has a backup file, the original and target files can be obtained without transferring any file from outside into the infected device. This speeds up obtaining the pair and avoids the risk that the device supplying the external file is itself infected during the transfer, which protects the rest of the system.
4. In an embodiment of the invention, the characteristic values of all supported encryption algorithms are used as characteristic values for the ransomware's algorithm, so that potential keys are collected for each of them. The resulting candidate set is richer and more likely to contain the correct key, which raises the probability of determining it.
5. In an embodiment of the invention, to stop extra data written during decryption from distorting the comparison, the decrypted file is truncated to the size of the original file after decryption, which keeps the comparison result correct.
6. In an embodiment of the invention, because the scheme can be carried out from the system command line, all the tools involved are lightweight and have a small memory footprint, so normal use of the device is not affected.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A key lookup method, comprising:
when it is determined that a device infected by ransomware satisfies a set condition, acquiring a target file encrypted by the ransomware and the original file from which the target file was encrypted; the set condition including that the ransomware process has not terminated after infecting the device;
determining a characteristic value corresponding to the encryption algorithm used by the ransomware;
searching memory for a plurality of potential keys matching the characteristic value; and
determining a correct key among the plurality of potential keys according to the target file and the original file.
2. The method according to claim 1, wherein acquiring the target file encrypted by the ransomware and the original file from which the target file was encrypted comprises:
determining an unencrypted original file; and
transferring the original file to the device infected by the ransomware, so that the ransomware encrypts the original file, yielding the target file.
3. The method according to claim 1, wherein acquiring the target file encrypted by the ransomware and the original file from which the target file was encrypted comprises:
determining, as the target file, any system file that has a backup file among all the system files encrypted by the ransomware, and determining the backup file corresponding to the target file as the original file.
4. The method according to claim 1, further comprising, before searching memory for the plurality of potential keys matching the characteristic value:
suspending the process of the ransomware; and
acquiring, within the memory of the device infected by the ransomware, the target memory corresponding to the ransomware process, and performing the search for the plurality of potential keys matching the characteristic value in the target memory.
5. The method according to claim 4, wherein acquiring the target memory corresponding to the ransomware process comprises:
invoking a memory dump tool from a cmd command and dumping the memory of the ransomware process with the memory dump tool to obtain the dumped target memory.
6. The method according to any one of claims 1-5, wherein determining a correct key among the plurality of potential keys according to the target file and the original file comprises:
decrypting the target file with each potential key in turn, comparing whether the decrypted file is the same as the original file, and determining the potential key for which the comparison matches as the correct key.
7. The method according to claim 6, further comprising, before comparing whether the decrypted file is the same as the original file:
judging whether the size of the decrypted file is the same as that of the original file; and
if they differ, truncating the decrypted file so that the truncated file has the same size as the original file.
8. A key lookup apparatus, comprising:
a file acquisition unit configured to acquire, when it is determined that a device infected by ransomware satisfies a set condition, a target file encrypted by the ransomware and the original file from which the target file was encrypted; the set condition including that the ransomware process has not terminated after infecting the device;
a characteristic value determining unit configured to determine a characteristic value corresponding to the encryption algorithm used by the ransomware;
a potential key searching unit configured to search memory for a plurality of potential keys matching the characteristic value; and
a correct key determining unit configured to determine a correct key among the plurality of potential keys according to the target file and the original file.
9. A computing device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111362126.XA CN114095236B (en) | 2021-11-17 | 2021-11-17 | Key searching method, device, computing equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111362126.XA CN114095236B (en) | 2021-11-17 | 2021-11-17 | Key searching method, device, computing equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114095236A true CN114095236A (en) | 2022-02-25 |
CN114095236B CN114095236B (en) | 2023-11-10 |
Family
ID=80301301
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111362126.XA Active CN114095236B (en) | 2021-11-17 | 2021-11-17 | Key searching method, device, computing equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114095236B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110126024A1 (en) * | 2004-06-14 | 2011-05-26 | Rodney Beatson | Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device |
US20180114020A1 (en) * | 2016-10-26 | 2018-04-26 | Cisco Technology, Inc. | Ransomware key extractor and recovery system |
US20180248896A1 (en) * | 2017-02-24 | 2018-08-30 | Zitovault Software, Inc. | System and method to prevent, detect, thwart, and recover automatically from ransomware cyber attacks, using behavioral analysis and machine learning |
US20190018961A1 (en) * | 2017-07-12 | 2019-01-17 | Acronis International Gmbh | Method for decrypting data encrypted by ransomware |
CN109347620A (en) * | 2018-08-10 | 2019-02-15 | 深圳前海微众银行股份有限公司 | Sample alignment schemes, system and computer readable storage medium |
US20190228148A1 (en) * | 2018-01-22 | 2019-07-25 | International Business Machines Corporation | Ransomware resetter |
US10554688B1 (en) * | 2017-05-30 | 2020-02-04 | Ca, Inc. | Ransomware locked data decryption through ransomware key transposition |
CN110851833A (en) * | 2019-11-18 | 2020-02-28 | 深信服科技股份有限公司 | Ransomware detection method, device and related equipment |
CN110851472A (en) * | 2019-11-19 | 2020-02-28 | 深圳前海微众银行股份有限公司 | Sample matching method, device and readable storage medium |
US20200082074A1 (en) * | 2018-09-06 | 2020-03-12 | International Business Machines Corporation | Proactive ransomware defense |
WO2021098968A1 (en) * | 2019-11-22 | 2021-05-27 | Huawei Technologies Co., Ltd. | Device and method for ransomware decryption |
- 2021-11-17 CN CN202111362126.XA patent/CN114095236B/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110126024A1 (en) * | 2004-06-14 | 2011-05-26 | Rodney Beatson | Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device |
US20180114020A1 (en) * | 2016-10-26 | 2018-04-26 | Cisco Technology, Inc. | Ransomware key extractor and recovery system |
US20180248896A1 (en) * | 2017-02-24 | 2018-08-30 | Zitovault Software, Inc. | System and method to prevent, detect, thwart, and recover automatically from ransomware cyber attacks, using behavioral analysis and machine learning |
US10554688B1 (en) * | 2017-05-30 | 2020-02-04 | Ca, Inc. | Ransomware locked data decryption through ransomware key transposition |
US20190018961A1 (en) * | 2017-07-12 | 2019-01-17 | Acronis International Gmbh | Method for decrypting data encrypted by ransomware |
US20190228148A1 (en) * | 2018-01-22 | 2019-07-25 | International Business Machines Corporation | Ransomware resetter |
CN109347620A (en) * | 2018-08-10 | 2019-02-15 | 深圳前海微众银行股份有限公司 | Sample alignment schemes, system and computer readable storage medium |
US20200082074A1 (en) * | 2018-09-06 | 2020-03-12 | International Business Machines Corporation | Proactive ransomware defense |
CN110851833A (en) * | 2019-11-18 | 2020-02-28 | 深信服科技股份有限公司 | Ransomware detection method, device and related equipment |
CN110851472A (en) * | 2019-11-19 | 2020-02-28 | 深圳前海微众银行股份有限公司 | Sample matching method, device and readable storage medium |
WO2021098968A1 (en) * | 2019-11-22 | 2021-05-27 | Huawei Technologies Co., Ltd. | Device and method for ransomware decryption |
CN113228016A (en) * | 2019-11-22 | 2021-08-06 | 华为技术有限公司 | Apparatus and method for ransomware decryption |
Non-Patent Citations (1)
Title |
---|
古兰精: "On padding in AES encryption, starting from the problem of inconsistent file sizes after AES encryption and decryption in Node.js", Retrieved from the Internet <URL:cnblogs.com/goloving/p/13405369.html> * |
Also Published As
Publication number | Publication date |
---|---|
CN114095236B (en) | 2023-11-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9740639B2 (en) | Map-based rapid data encryption policy compliance | |
US10387648B2 (en) | Ransomware key extractor and recovery system | |
US10375086B2 (en) | System and method for detection of malicious data encryption programs | |
CN112637166B (en) | Data transmission method, device, terminal and storage medium | |
US10235539B2 (en) | Server device, recording medium, and concealed search system | |
US8683208B2 (en) | Information processing device, program developing device, program verifying method, and program product | |
EP2751735B1 (en) | Encrypted chunk-based rapid data encryption policy compliance | |
US11658978B2 (en) | Authentication using blockchains | |
US20090208002A1 (en) | Preventing replay attacks in encrypted file systems | |
CN110221990B (en) | Data storage method and device, storage medium and computer equipment | |
CN108881261B (en) | Service authentication method and system based on block chain technology in container environment | |
CN110990829B (en) | Method, device and equipment for training GBDT model in trusted execution environment | |
CN111753312B (en) | Data processing method, device, equipment and system | |
CN114095236B (en) | Key searching method, device, computing equipment and storage medium | |
JP6672451B2 (en) | Encrypted search index merge server, encrypted search index merge system, and encrypted search index merge method | |
US11455404B2 (en) | Deduplication in a trusted execution environment | |
CN111091197B (en) | Method, device and equipment for training GBDT model in trusted execution environment | |
JPWO2017209228A1 (en) | Encrypted information verification device, encrypted information verification method, and encrypted information verification program | |
JP6381861B2 (en) | Registration destination determination device, registration device, secret search system, registration destination determination method, and registration destination determination program | |
KR102618922B1 (en) | Apparatus and method for Preventing SW reverse engineering of embedded system | |
CN117874789A (en) | Dynamic privacy data encryption method and system | |
JP2007334767A (en) | Software behavior modeling apparatus and software behavior modeling method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||