CN114095236B - Key searching method, device, computing equipment and storage medium - Google Patents

Info

Publication number: CN114095236B
Authority: CN (China)
Prior art keywords: file, software, target, memory, key
Prior art date:
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202111362126.XA
Other languages: Chinese (zh)
Other versions: CN114095236A
Inventors: 郭洪亮, 张慧云
Current assignee: Antiy Technology Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Antiy Technology Group Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F12/00: Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02: Addressing or allocation; relocation
    • G06F12/0223: User address space allocation, e.g. contiguous or non-contiguous base addressing
    • G06F12/023: Free address space management
    • G06F16/00: Information retrieval; database structures therefor; file system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/903: Querying
    • G06F16/90335: Query processing
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Virology (AREA)
  • Computational Linguistics (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a key searching method, a device, computing equipment and a storage medium. The method comprises the following steps: when a device infected by ransomware meets a set condition, obtaining a target file encrypted by the ransomware and the original file from before the target file was encrypted, the set condition including that the ransomware process has not terminated since the device was infected; determining a characteristic value corresponding to the encryption algorithm used by the ransomware; searching memory for a number of potential keys matching the characteristic value; and determining the correct key among the potential keys using the target file and the original file. With this scheme the key can be found quickly and the user experience is improved.

Description

Key searching method, device, computing equipment and storage medium
Technical Field
Embodiments of the invention relate to the technical field of decryption, and in particular to a key searching method, a device, computing equipment and a storage medium.
Background
Ransomware is malware that encrypts a user's files to prevent the user from accessing them, then demands that the user pay a ransom to have the encrypted files decrypted and regain access to them. In recent years ransomware attacks have kept changing and evolving, and ransomware incidents are among the most active threats in network security. Security companies keep releasing decryption tools to help users decrypt files encrypted by ransomware.
In the prior art, after a ransomware incident occurs, a security company analyzes the incident and then releases a decryption tool. A long period therefore elapses between a user's files being encrypted by ransomware and their being decrypted, which affects the user experience.
Disclosure of Invention
Given the problem in the prior art that the user experience suffers because user files remain encrypted for a long time, embodiments of the invention provide a key searching method, a device, computing equipment and a storage medium that can find the key quickly and improve the user experience.
In a first aspect, an embodiment of the present invention provides a key searching method, including:
when a device infected by ransomware meets a set condition, obtaining a target file encrypted by the ransomware and the original file from before the target file was encrypted, the set condition including that the ransomware process has not terminated since the device was infected;
determining a characteristic value corresponding to the encryption algorithm used by the ransomware;
searching memory for a number of potential keys matching the characteristic value;
and determining the correct key among the potential keys using the target file and the original file.
Preferably, obtaining the target file encrypted by the ransomware and the original file from before it was encrypted includes:
determining an original file that has not been encrypted;
and transferring the original file to the device infected by the ransomware, where the ransomware encrypts the original file to produce the target file.
Preferably, obtaining the target file encrypted by the ransomware and the original file from before it was encrypted includes:
selecting, among all system files encrypted by the ransomware, any file that has a backup copy as the target file, and taking the backup copy of that file as the original file.
Preferably, before searching memory for the potential keys matching the characteristic value, the method further includes:
suspending the ransomware process;
and obtaining, from the memory of the infected device, the target memory belonging to the ransomware process, and performing the search for potential keys matching the characteristic value in that target memory.
Preferably, obtaining the target memory belonging to the ransomware process includes:
invoking a memory dump tool from a cmd command and using it to dump the memory of the ransomware process, the dump being the target memory.
Preferably, determining the correct key among the potential keys using the target file and the original file includes:
decrypting the target file with each potential key in turn, comparing whether the decrypted file is identical to the original file, and taking the potential key for which the comparison succeeds as the correct key.
Preferably, before comparing whether the decrypted file is identical to the original file, the method further includes:
judging whether the decrypted file and the original file have the same size;
and, if the sizes differ, truncating the decrypted file so that its size equals that of the original file.
In a second aspect, an embodiment of the present invention further provides a key searching apparatus, including:
a file obtaining unit, configured to obtain, when it is determined that a device infected by ransomware meets a set condition, a target file encrypted by the ransomware and the original file from before the target file was encrypted, the set condition including that the ransomware process has not terminated since the device was infected;
a characteristic value determining unit, configured to determine a characteristic value corresponding to the encryption algorithm used by the ransomware;
a potential key searching unit, configured to search memory for a number of potential keys matching the characteristic value;
and a correct key determining unit, configured to determine the correct key among the potential keys using the target file and the original file.
In a third aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor implements a method according to any embodiment of the present specification when executing the computer program.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform a method according to any of the embodiments of the present specification.
Embodiments of the invention provide a key searching method, a device, computing equipment and a storage medium. If the infected device has not released or cleaned the memory in question since the ransomware ran, the key the ransomware used to encrypt files is still held in memory, so potential keys, any of which may be the correct one, can be searched for in memory using the characteristic value of the encryption algorithm the ransomware uses; a target file encrypted by the ransomware and the original file from before it was encrypted are then used to pick out the correct key by trial decryption with each potential key. The decryption key can thus be found quickly after the device is infected, the user waits only briefly, and the user experience is improved.
Drawings
To illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings needed for the embodiments or the description of the prior art are briefly introduced below. The drawings described here show only some embodiments of the invention; a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a flowchart of a key lookup method according to an embodiment of the present invention;
FIG. 2 is a hardware architecture diagram of a computing device according to one embodiment of the present invention;
FIG. 3 is a block diagram of a key lookup apparatus according to an embodiment of the present invention;
FIG. 4 is a block diagram of another key searching apparatus according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions of the embodiments are described fully below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art could obtain from them without inventive effort fall within the scope of protection of the invention.
As noted above, decryption in the prior art generally proceeds by a security company analyzing a ransomware incident after it has occurred and then releasing a decryption tool. The period between a user's files being encrypted by ransomware and their being decrypted is therefore long, and while waiting the user can do no work that involves the encrypted files, which affects the user experience.
Some ransomware does not erase the file-encryption key from memory after encrypting the user's files. Accordingly, if the ransomware is still running after the files were encrypted, that is, its process has not terminated, the memory belonging to that process has not been reclaimed, and candidate keys can be searched for in it. To pick the correct key out of the candidates, a file encrypted by the ransomware is also needed together with the unencrypted original of that file. The key searching method can therefore find the correct key quickly after the user's files are encrypted, so that the encrypted files can be decrypted.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a key searching method, which includes:
Step 100: when it is determined that a device infected by ransomware meets a set condition, obtain a target file encrypted by the ransomware and the original file from before the target file was encrypted; the set condition includes that the ransomware process has not terminated since the device was infected.
Step 102: determine a characteristic value corresponding to the encryption algorithm used by the ransomware.
Step 104: search memory for a number of potential keys matching the characteristic value.
Step 106: determine the correct key among the potential keys using the target file and the original file.
In embodiments of the invention, because the infected device has not cleaned the memory in question since the ransomware ran, the key the ransomware used to encrypt files is still held in memory. Potential keys, any of which may be the correct one, can be located in memory using the characteristic value of the encryption algorithm the ransomware uses, and the correct one is then picked out by trial decryption with each potential key, using the target file encrypted by the ransomware and the original file from before it was encrypted. The decryption key can thus be found quickly after infection, the user waits only briefly, and the user experience improves.
The manner in which the individual steps shown in fig. 1 are performed is described below.
First, step 100: when the infected device is determined to meet the set condition, obtain a target file encrypted by the ransomware and the original file from before the target file was encrypted; the set condition includes that the ransomware process has not terminated since the device was infected.
After encrypting the system's files, the ransomware may not delete the key it used from memory. For the key to be found in memory, the following set condition must hold: the ransomware process has not terminated since the device was infected (condition one).
This condition is set for the following reason. If the ransomware process has terminated, the memory it occupied has been released or overwritten, and the result of the key search is affected; if the process was restarted after terminating, the original process's memory has likewise been released or overwritten, and the restarted process uses a different key from the one the original process used. The process must therefore have kept running since the infection.
In embodiments of the invention, whether the infected device meets the set condition can be determined by inspecting logs for the period between the infection and the present, looking for anything that would have ended the process: for example, whether the device was rebooted or whether the process was interrupted during that period.
Besides condition one, a second condition must hold for the key to be found in memory: there must be one file encrypted by the ransomware together with the original of that file from before it was encrypted (condition two).
In embodiments of the invention, condition two can be met in at least two ways, corresponding to two situations:
the first situation, in which none of the encrypted system files has a backup copy;
and the second situation, in which an encrypted system file does have a backup copy.
How the target file and the original file are obtained in this step is described for each situation in turn.
In one embodiment, for the first situation, since none of the encrypted system files has a backup, obtaining the target file and the original file in this step may include: determining an original file that has not been encrypted; and transferring that original file to the infected device, where the ransomware encrypts it to produce the target file.
The unencrypted original file may be a file from outside the infected device.
Once the original file has been chosen, it can be transferred to the infected device by USB, Bluetooth, network transfer or similar. Because the ransomware process is still running, the original file is encrypted by the ransomware after it arrives on the device, and the encrypted result is taken as the target file. In practice the planted file must be of a type and in a location that the ransomware actually targets, otherwise it will not be encrypted.
In the first situation, transferring an external original file to the infected device means that the location of the target file produced from it is known exactly, and the decryption and key-search process is given an exact original/target pair, which improves both the accuracy of the search result and the search speed.
For the second situation, in which an encrypted system file has a backup copy, one embodiment obtains the target file and the original file in this step as follows: select, among all system files encrypted by the ransomware, any file that has a backup copy as the target file, and take that file's backup copy as the original file.
In the second situation, because a backup of the encrypted system file exists, the original and target files can be obtained without bringing a file in from outside the infected device. This makes obtaining them faster and avoids the risk that the device supplying the external file is itself infected indirectly while the file is transferred to the infected device, which protects the wider environment.
Either situation yields the target file and the original file, so condition two is satisfied and the key search can continue.
Next, step 102: determine a characteristic value corresponding to the encryption algorithm used by the ransomware.
The encryption algorithm may be DES, RSA, AES, ECC or similar (the original also lists SHA, which is a hash function rather than a cipher). Different algorithms have different characteristic values; for each algorithm, the way its characteristic value is computed and the parameters that go into it can be taken from the documentation published by the algorithm's issuer, and the characteristic value is computed from that.
For example, for AES-256 the documentation includes the following part:
from the description of the key_data_s structure in the documentation it is known that alg = 0x00006610 (the Windows CryptoAPI identifier CALG_AES_256), key size = 0x00000020 (32 bytes) and flag = 0x1, from which the characteristic value 1066000001000000200000000 is computed. Read as hex bytes, this is the three fields laid out as little-endian 32-bit words in the order alg, flag, key size: 10 66 00 00 01 00 00 00 20 00 00 00.
In one embodiment, step 102 may determine the characteristic value of the encryption algorithm used by the ransomware in either of two ways:
way A: determine it from the target file and the original file;
way B: take the characteristic values of all encryption algorithms as the characteristic values of the algorithm used by the ransomware.
The two ways are described in turn.
In way A, since the target file is the encrypted form of the original file, identifying the encryption algorithm that produced it requires at least three sample pairs, each consisting of a target file and its corresponding original file.
For each known encryption algorithm, the target file of each sample pair is encrypted with that algorithm, and the difference between the hash value of the resulting file and the hash value of the corresponding original file is computed; the algorithm whose mean difference across all sample pairs is smallest is taken as the one the ransomware uses. A caveat for practitioners: without the ransomware's key, encrypting a sample cannot reproduce the ransomware's output, and hash values of different ciphertexts are not numerically comparable, so this comparison is not a reliable discriminator as described. Identifying the ransomware family and inspecting the imports or cryptographic-provider calls of the running process is the more dependable route to the algorithm.
Once the algorithm is determined, its characteristic value can be determined.
In way A the characteristic value of a single algorithm is determined, so in the subsequent step 104 only potential keys matching that one value need be found; their number is smaller than in way B, which speeds up determination of the correct key.
In way B the characteristic values of all encryption algorithms are taken as the characteristic values of the algorithm the ransomware uses, and step 104 is performed for each of them so that every possible potential key is found.
Way B yields more potential keys than way A, but the probability that the correct key is among them is higher, so the probability of determining the correct key is improved.
Besides ways A and B, the characteristic value may also be chosen based on the encryption algorithms used by common ransomware families.
Next, step 104: search memory for a number of potential keys matching the characteristic value.
In embodiments of the invention, potential keys matching the characteristic value may be searched for across the whole of memory. To speed up the search, the memory range can be narrowed beforehand, specifically by: suspending the ransomware process; and obtaining, from the memory of the infected device, the target memory belonging to the ransomware process, then searching that target memory for the potential keys matching the characteristic value.
While the ransomware process is running it may still be allocating, freeing or overwriting its own buffers, so a dump taken from a live process is not guaranteed to be consistent, and once the process terminates its memory is released or overwritten. Suspending the process freezes its address space so that the target memory can be captured intact; it also stops the ransomware from encrypting further files while the analysis proceeds.
In embodiments of the invention, the target memory belonging to the ransomware process can be obtained as follows: invoke a memory dump tool from a cmd command and use it to dump the memory of the ransomware process; the dump is the target memory.
Run cmd as an administrator and invoke a memory dump tool from it, for example Sysinternals ProcDump. Give the tool the process ID of the ransomware; the tool locates the memory belonging to that process, reads it, and writes the target memory to the specified location (with ProcDump, procdump -ma <pid> <output.dmp> writes a full memory dump). Invoking the dump tool from cmd obtains the target memory of the ransomware process accurately and quickly.
Other ways of obtaining the target memory can also be used. On Linux, for example, the memory mappings of the ransomware process's address space can be read from /proc/<pid>/maps and the mapped ranges then read out to obtain the target memory. The original describes translating the virtual addresses to physical addresses first; in practice that is unnecessary, since /proc/<pid>/mem exposes the process's virtual address space directly to a reader with ptrace permission over the process.
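The Linux route just described, as an added example that is not part of the patent: parse /proc/<pid>/maps, keep the writable regions where a key could live, stop the process (the suspend step from the text) and read those regions through /proc/<pid>/mem by virtual address, with no physical-address translation. The process layout in SAMPLE_MAPS is constructed, and the functions only touch /proc when dump_process is called with a real pid.

```python
import os
import re
import signal
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list:
    """Turn the text of /proc/<pid>/maps into Region objects."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"].strip()))
    return regions


def candidate_regions(regions: list) -> list:
    """Keys are held in writable memory (heap, anonymous mmap buffers, stack).
    Read-only image sections cannot hold a freshly generated key, PROT_NONE
    guard pages cannot be read, and kernel-provided pages such as [vvar] are
    not process data."""
    return [r for r in regions
            if r.perms.startswith("rw") and r.path not in ("[vvar]", "[vsyscall]")]


def dump_process(pid: int, out_path: str, resume: bool = False) -> int:
    """Freeze the process and copy its candidate regions to out_path.
    Needs ptrace permission over the target (same uid with ptrace_scope 0,
    or CAP_SYS_PTRACE). The process is left stopped unless resume=True, so it
    cannot go on encrypting. Returns the number of bytes written."""
    os.kill(pid, signal.SIGSTOP)
    total = 0
    try:
        with open(f"/proc/{pid}/maps") as f:
            regions = candidate_regions(parse_maps(f.read()))
        mem_fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
        try:
            with open(out_path, "wb") as out:
                for r in regions:
                    try:
                        # pread at the virtual address; the kernel does the translation
                        data = os.pread(mem_fd, r.size, r.start)
                    except OSError:
                        continue  # region unreadable or already gone; keep going
                    out.write(data)
                    total += len(data)
        finally:
            os.close(mem_fd)
    finally:
        if resume:
            os.kill(pid, signal.SIGCONT)
    return total


# Constructed maps text for a fictional "locker" process (not captured data)
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a20000 r--p 00000000 08:01 1234567 /opt/locker/locker
55d0c2a20000-55d0c2a80000 r-xp 00020000 08:01 1234567 /opt/locker/locker
55d0c3f00000-55d0c4100000 rw-p 00000000 00:00 0       [heap]
7f1d40000000-7f1d40021000 rw-p 00000000 00:00 0
7f1d40021000-7f1d44000000 ---p 00000000 00:00 0
7ffd1c3e0000-7ffd1c401000 rw-p 00000000 00:00 0       [stack]
7ffd1c4f5000-7ffd1c4f7000 r--p 00000000 00:00 0       [vvar]
"""

if __name__ == "__main__":
    for r in candidate_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{r.start:#x}-{r.end:#x} {r.perms} {r.size:>8} {r.path}")
```

The regions written out are concatenated without headers; if the offsets of a hit matter later (for example to read neighbouring structures), record each region's start address alongside its bytes.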
In this embodiment, once the target memory has been obtained it can be stored in the decryption tool's directory so that the decryption tool can search it for potential keys.
In one embodiment, after the target memory is determined, a number of potential keys matching the characteristic value are searched for in it.
When searching for potential keys matching the characteristic value, every piece of data in the memory is examined in turn to see whether it satisfies the characteristic value; if it does, that data is recorded as a potential key.
Taking AES-256 as an example: the original describes the characteristic value as 16 units long (rendered "bits" there; the AES-256 key itself is 32 bytes), divided into four segments of 4 units, each segment having its own expected content. A piece of data is recorded as a potential key only if it has the right length and every segment satisfies the corresponding segment's pattern.
Note that when the characteristic value in step 102 is not determined from the target file and the original file, the part of step 100 that obtains the target file and the original file (the file obtaining step) is not constrained to precede steps 102 and 104: steps 102 and 104 may be performed first, or the steps may run concurrently.
Finally, step 106: determine the correct key among the potential keys using the target file and the original file.
In one embodiment this step may be carried out through command-line parameters. In that case the name of the original file and the name of the target file are determined, the target file's name is split into base name and suffix, and the target file's suffix is changed to match the original file's suffix, so that the decryption process can be driven quickly from the command line.
In embodiments of the invention the step may include: decrypting the target file with each potential key in turn, comparing whether the decrypted file is identical to the original file, and taking the potential key for which the comparison succeeds as the correct key.
In practice, after decryption with each potential key the decrypted file is compared with the original file; if they are identical, that potential key is the correct key, and if not, the next potential key is tried in the same decrypt-and-compare process until the correct key is found.
In one embodiment, the decrypted file produced with a potential key may contain unintended extra data, because the decryption process runs as follows: acquire a cryptographic provider handle (rendered "protection handle" in the original), open the target file and a designated output file, decrypt the target file with the potential key, write the decrypted data to the output file, and then release the hash object, the key and the provider handle, the output file being the decrypted file. This sequence appears to be the Windows CryptoAPI pattern of CryptAcquireContext, CryptDecrypt and CryptDestroyHash/CryptDestroyKey/CryptReleaseContext. To make the comparison reliable, therefore, whether the decrypted file and the original file are the same size is checked before they are compared; if the sizes differ, the decrypted file is truncated so that its size equals that of the original file.
Specifically, when the decrypted file is truncated, a block is removed from the head or the tail of the decrypted file according to the size of the original file, so that the remaining file is the same size as the original.
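Steps 102, 104 and 106 carried through end to end in Python, as an added example that is not the patent's code. It assumes that the three fields the text names are laid out as little-endian 32-bit words in the order alg, flag, key size, that the key bytes immediately follow that header in memory (the real offset depends on the provider's internal structure), and that truncation removes trailing bytes. AES-256 is stood in for by a SHA-256 counter-mode keystream so the block runs on the standard library alone; the memory dump DUMP, the original and target files and both keys are constructed.

```python
import hashlib
import struct

# --- Step 102: characteristic value of the cipher --------------------------
# Windows CryptoAPI algorithm identifiers (wincrypt.h). CALG_AES_256 is the
# 0x6610 value quoted in the text; the other two are listed for generality.
CALG_AES_128 = 0x0000660E
CALG_AES_192 = 0x0000660F
CALG_AES_256 = 0x00006610


def characteristic_value(alg_id: int, key_size: int, flag: int = 1) -> bytes:
    """Encode (alg, flag, key size) as three little-endian DWORDs.
    For CALG_AES_256 this gives 10 66 00 00 01 00 00 00 20 00 00 00, the
    page's '1066...20...' value read as hex bytes (field order is an assumption)."""
    return struct.pack("<III", alg_id, flag, key_size)


# --- Step 104: scan a memory dump for candidates ---------------------------
def find_potential_keys(dump: bytes, pattern: bytes, key_size: int) -> list:
    """Return every key_size-byte run that immediately follows an occurrence of
    pattern. Assumption: the key bytes directly follow the header."""
    keys = []
    pos = dump.find(pattern)
    while pos != -1:
        start = pos + len(pattern)
        if start + key_size <= len(dump):
            keys.append(dump[start:start + key_size])
        pos = dump.find(pattern, pos + 1)
    return keys


# --- Step 106: trial decryption against a known plaintext ------------------
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR with a SHA-256 counter-mode keystream. It is
    deterministic and self-inverse, which is all the trial logic needs."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("<Q", off // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def truncate_to(decrypted: bytes, original_size: int) -> bytes:
    """Drop trailing bytes (padding, footer metadata the ransomware appended)
    so the comparison is over the original file's length only."""
    return decrypted[:original_size] if len(decrypted) > original_size else decrypted


def determine_correct_key(target: bytes, original: bytes, candidates: list,
                          decrypt=keystream_xor):
    for key in candidates:
        if truncate_to(decrypt(key, target), len(original)) == original:
            return key
    return None


# --- Constructed scenario ---------------------------------------------------
ORIGINAL = b"Quarterly report, draft 3. " * 5     # the known original file
REAL_KEY = bytes(range(0x40, 0x60))               # 32-byte key planted in DUMP
DECOY_KEY = b"\xAA" * 32                          # a second key struct in memory
FOOTER = b"LOCKED!" + b"\x00" * 9                 # 16 bytes the "ransomware" appends
TARGET = keystream_xor(REAL_KEY, ORIGINAL) + FOOTER   # the encrypted target file

PATTERN = characteristic_value(CALG_AES_256, 32)
# Fake process dump: noise, a decoy key struct, more noise, the real one
DUMP = (b"\x00" * 100 + b"junk" * 20
        + PATTERN + DECOY_KEY
        + b"\xff" * 50
        + PATTERN + REAL_KEY
        + b"\x00" * 40)


def run_search():
    candidates = find_potential_keys(DUMP, PATTERN, 32)
    return candidates, determine_correct_key(TARGET, ORIGINAL, candidates)


if __name__ == "__main__":
    cands, key = run_search()
    print(f"{len(cands)} candidates; correct key: {key.hex() if key else None}")
```

With a real dump, swap keystream_xor for the actual AES decryption (mode and IV handling included) and keep the size check: a candidate that yields the original plus a trailer is still the right key, while one that yields the right length but different bytes is not.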
Once the correct key has been determined in this step, every encrypted system file on the infected device can be decrypted with it. A practitioner's caveat: this holds only if the ransomware used one key for all files. Many families generate a fresh key per file and wrap it with an attacker-held public key; in that case the key recovered here decrypts only the target file, and the search must be repeated for each file or aimed at the master key instead.
When the decryption tool is used on an encrypted system file, the path of the encrypted file, the path for the decrypted output and the path of the key are supplied, and the tool then decrypts all the system files.
The scheme can be implemented with the system command line, so the tools involved are lightweight; they consume little memory and do not interfere with normal use of the system.
As shown in fig. 2 and fig. 3, an embodiment of the invention provides a key searching device. The device embodiments may be implemented by software, or by hardware or a combination of hardware and software. In terms of hardware, fig. 2 shows a hardware architecture diagram of the computing device on which the key searching device provided in an embodiment of the present invention is located; in addition to the processor, memory, network interface and nonvolatile memory shown in fig. 2, the computing device on which the device is located may generally include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 3, the device in a logical sense is formed by the CPU of the computing device on which it is located reading the corresponding computer program from the nonvolatile memory into memory. The key searching device provided in this embodiment includes:
a file obtaining unit 301, configured to obtain, when it is determined that a device infected by the ransomware meets a set condition, a target file encrypted by the ransomware and an original file before the target file was encrypted; the set condition comprises that the ransomware process has not ended after the device was infected by the ransomware;
a feature value determining unit 302, configured to determine a feature value corresponding to the encryption algorithm adopted by the ransomware;
a potential key searching unit 303, configured to find a plurality of potential keys matching the feature value in the memory;
a correct key determining unit 304, configured to determine a correct key from the plurality of potential keys according to the target file and the original file.
In one embodiment of the present invention, the file obtaining unit 301 is specifically configured to determine an original file that is not encrypted, and to transmit the original file to the device infected by the ransomware, where the ransomware encrypts the original file to obtain the target file.
In one embodiment of the present invention, the file obtaining unit 301 is specifically configured to determine, as the target file, any system file that has a backup file among all system files encrypted by the ransomware, and to determine, as the original file, the backup file corresponding to the target file.
In one embodiment of the present invention, referring to fig. 4, the key searching apparatus may further include:
a target memory obtaining unit 305, configured to execute a suspend operation on the process of the ransomware, and to acquire, in the memory of the device infected by the ransomware, the target memory corresponding to the ransomware process, so as to trigger the potential key searching unit 303 to search the target memory for the plurality of potential keys matching the feature value.
In one embodiment of the present invention, when the target memory obtaining unit 305 obtains the target memory corresponding to the ransomware process, it is specifically configured to call a memory dump tool based on a cmd command and to perform a memory dump of the ransomware process with the memory dump tool, so as to obtain the dumped target memory.
In one embodiment of the present invention, the correct key determining unit 304 is specifically configured to decrypt the target file by using each potential key, compare whether the decrypted file is identical to the original file, and determine the potential key with the identical comparison result as the correct key.
In one embodiment of the present invention, the correct key determining unit 304 is further configured to determine whether the size of the decrypted file is the same as the size of the original file; if the sizes differ, the decrypted file is truncated so that its size after truncation equals the size of the original file.
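The decrypt-and-compare loop described in the method embodiment above, together with the size check and truncation performed by the correct key determining unit, can be illustrated end to end with the following added example. It is not code from the patent or from the applicant. It assumes a constructed stand-in cipher (an HMAC-SHA256 counter-mode keystream standing in for whatever algorithm the ransomware actually uses), a constructed memory dump with a constructed key embedded in it, a byte-diversity heuristic standing in for the patent's per-algorithm feature value, and the function names `find_candidate_keys`, `normalize_size` and `find_correct_key`; all of these are assumptions, not the patent's own implementation.

```python
import hashlib
import hmac

BLOCK = 32  # one HMAC-SHA256 output is used as one keystream block


def toy_keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the ransomware's cipher (assumption): a
    counter-mode keystream derived as HMAC-SHA256(key, counter), XORed over
    the data. XOR is symmetric, so one function encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        keystream = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + BLOCK], keystream))
    return bytes(out)


def find_candidate_keys(dump: bytes, key_len: int = 16, min_distinct: int = 14):
    """Scan a process memory dump for windows that look like raw key material.
    The feature used here is an assumption standing in for the patent's
    algorithm-specific feature value: a key_len window is a candidate when it
    contains at least min_distinct distinct byte values (ASCII strings and
    zero-filled regions fall below this; key material normally does not).
    Returns unique candidates in the order they were found."""
    seen = set()
    candidates = []
    for offset in range(0, len(dump) - key_len + 1):
        window = dump[offset:offset + key_len]
        if len(set(window)) >= min_distinct and window not in seen:
            seen.add(window)
            candidates.append(window)
    return candidates


def normalize_size(decrypted: bytes, original_size: int, trim: str = "tail") -> bytes:
    """Before comparison, cut the decrypted output down to the original size by
    deleting the surplus block at the tail (default) or at the head."""
    if len(decrypted) <= original_size:
        return decrypted
    if trim == "head":
        return decrypted[len(decrypted) - original_size:]
    return decrypted[:original_size]


def find_correct_key(target: bytes, original: bytes, candidates, trim: str = "tail"):
    """Decrypt the target with each candidate in turn; the first candidate whose
    size-normalized plaintext equals the original file is the correct key.
    Returns None when no candidate verifies."""
    for key in candidates:
        plain = normalize_size(toy_keystream_cipher(key, target), len(original), trim)
        if plain == original:
            return key
    return None


def build_sample():
    """Constructed test data (assumption): the real key sits in a synthetic dump
    between zero filler, a file path string and a decoy high-entropy blob; the
    encrypted target carries 32 unintended trailing bytes, so its size
    differs from the original and must be normalized before comparison."""
    real_key = bytes.fromhex("8f1c3ae754b92d06c7e11f5a3d9b2c40")   # constructed, 16 distinct bytes
    decoy = bytes.fromhex("0a5be3d7912c4f86ba37e5d1c9a2f0b4")      # constructed decoy, also 16 distinct bytes
    dump = (b"\x00" * 64
            + b"C:\\Users\\victim\\Documents\\report.docx\x00"
            + b"\x00" * 20 + decoy + b"\x00" * 8 + real_key + b"\x00" * 40)
    original = b"Quarterly report: revenue up 4%.\n" * 3
    target = toy_keystream_cipher(real_key, original) + b"\xaa" * 32
    return real_key, dump, original, target


if __name__ == "__main__":
    real_key, dump, original, target = build_sample()
    candidates = find_candidate_keys(dump)
    print(f"{len(candidates)} candidate keys extracted from the dump")
    found = find_correct_key(target, original, candidates)
    print("correct key:", found.hex() if found else None)
```

The decoy blob and the partial windows overlapping it all pass the feature check, which is exactly why the patent verifies every candidate against a known sample pair rather than trusting the memory scan alone; the trailing bytes appended to the target show why the size check has to run before the byte-for-byte comparison.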
It should be understood that the structure illustrated in the embodiments of the present invention does not constitute a specific limitation on a key searching apparatus. In other embodiments of the invention, a key lookup device may include more or fewer components than shown, or may combine certain components, or split certain components, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The content of information interaction and execution process between the modules in the device is based on the same conception as the embodiment of the method of the present invention, and specific content can be referred to the description in the embodiment of the method of the present invention, which is not repeated here.
The embodiment of the invention also provides a computing device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the key searching method in any embodiment of the invention when executing the computer program.
Embodiments of the present invention also provide a computer readable storage medium having a computer program stored thereon, which when executed by a processor causes the processor to perform a key lookup method according to any of the embodiments of the present invention.
Specifically, a system or apparatus may be provided with a storage medium on which software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of the storage medium for providing the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer by a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided on an expansion board inserted into a computer or into a memory provided in an expansion module connected to the computer, and a CPU or the like mounted on the expansion board or the expansion module may then be caused to perform part or all of the actual operations based on the instructions of the program code, thereby realizing the functions of any of the above embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. In one embodiment of the present invention, since the device infected by the ransomware does not perform a memory cleaning operation after infection, the key used by the ransomware to encrypt files is still stored in memory. Potential keys that may be the correct key can therefore be found in memory based on the feature value of the encryption algorithm adopted by the ransomware, and the correct key among the potential keys can then be determined by attempting decryption with each potential key using the target file encrypted by the ransomware and the original file before the target file was encrypted. The decryption key can thus be found quickly after the device is infected by the ransomware, the user's waiting time is short, and the user experience is improved.
2. In one embodiment of the invention, by transmitting an external original file to the device infected by the ransomware, the location of the target file produced when the original file is encrypted can be determined accurately, and an accurate original file and target file are provided for the process of decrypting and searching for the correct key, which improves both the accuracy of the search result and the search speed.
3. In one embodiment of the invention, since a backup file exists for the encrypted system file, the original file and the target file can be obtained without transmitting a file into the infected device from outside. This speeds up obtaining the target file and the original file, and avoids the situation in which the source device of the external file is indirectly infected while the external file is transmitted to the infected device, thereby ensuring the safety of the whole system.
4. In one embodiment of the invention, by determining the feature value corresponding to each encryption algorithm as the feature value of the encryption algorithm adopted by the ransomware, the possible potential keys can be searched for according to each feature value.
5. In one embodiment of the invention, to prevent unintended data written during decryption from affecting the comparison result, the decrypted file can be truncated after decryption so that it has the same size as the original file, which ensures the correctness of the comparison result.
6. In one embodiment of the present invention, the tools used are all lightweight tools; lightweight tools do not occupy the system memory, so normal use is not affected.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of additional identical elements in a process, method, article or apparatus that comprises the element.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program code may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A key lookup method, comprising:
when a device infected by ransomware meets a set condition, obtaining a target file encrypted by the ransomware and an original file before the target file was encrypted; the set condition comprises that the ransomware process has not ended after the device was infected by the ransomware;
determining a feature value corresponding to an encryption algorithm adopted by the ransomware;
searching a memory for a plurality of potential keys matching the feature value;
determining a correct key from the plurality of potential keys according to the target file and the original file;
wherein determining the feature value corresponding to the encryption algorithm adopted by the ransomware comprises the following steps: acquiring at least three sample pairs, each sample pair comprising a target file and a corresponding original file; for each known encryption algorithm, decrypting the target file in each sample pair with that encryption algorithm, and calculating the difference value between the hash value of the decrypted file and the hash value of the corresponding original file; determining the encryption algorithm with the minimum mean difference value over all the sample pairs as the encryption algorithm adopted by the ransomware; and determining a calculation method and calculation parameters for the corresponding feature value based on the description document provided by the issuer of the encryption algorithm, so as to calculate the feature value corresponding to the encryption algorithm.
2. The method of claim 1, wherein obtaining the target file encrypted by the ransomware and the original file before the target file was encrypted comprises:
determining an original file that is not encrypted;
and transmitting the original file to the device infected by the ransomware, the ransomware encrypting the original file to obtain the target file.
3. The method of claim 1, wherein obtaining the target file encrypted by the ransomware and the original file before the target file was encrypted comprises:
determining, as the target file, any system file that has a backup file among all system files encrypted by the ransomware, and determining, as the original file, the backup file corresponding to the target file.
4. The method of claim 1, further comprising, before said searching a memory for a plurality of potential keys matching the feature value:
executing a suspend operation on the process of the ransomware;
and acquiring, in the memory of the device infected by the ransomware, a target memory corresponding to the ransomware process, and performing the search for the plurality of potential keys matching the feature value in the target memory.
5. The method of claim 4, wherein acquiring the target memory corresponding to the ransomware process comprises:
calling a memory dump tool based on a cmd command, and performing a memory dump of the ransomware process with the memory dump tool to obtain the dumped target memory.
6. The method according to any one of claims 1-5, wherein determining the correct key from the plurality of potential keys according to the target file and the original file comprises:
decrypting the target file with each potential key in turn, comparing whether the decrypted file is identical to the original file, and determining the potential key for which the comparison result is identical as the correct key.
7. The method of claim 6, further comprising, before comparing whether the decrypted file is identical to the original file:
judging whether the decrypted file and the original file have the same size;
and if the sizes differ, truncating the decrypted file so that its size after truncation equals the size of the original file.
8. A key lookup apparatus, comprising:
a file obtaining unit, configured to obtain, when it is determined that a device infected by ransomware meets a set condition, a target file encrypted by the ransomware and an original file before the target file was encrypted; the set condition comprises that the ransomware process has not ended after the device was infected by the ransomware;
a feature value determining unit, configured to determine a feature value corresponding to an encryption algorithm adopted by the ransomware;
a potential key searching unit, configured to search a memory for a plurality of potential keys matching the feature value;
a correct key determining unit, configured to determine a correct key from the plurality of potential keys according to the target file and the original file;
wherein the feature value determining unit is specifically configured to: acquire at least three sample pairs, each sample pair comprising a target file and a corresponding original file; for each known encryption algorithm, decrypt the target file in each sample pair with that encryption algorithm, and calculate the difference value between the hash value of the decrypted file and the hash value of the corresponding original file; determine the encryption algorithm with the minimum mean difference value over all the sample pairs as the encryption algorithm adopted by the ransomware; and determine a calculation method and calculation parameters for the corresponding feature value based on the description document provided by the issuer of the encryption algorithm, so as to calculate the feature value corresponding to the encryption algorithm.
9. The apparatus according to claim 8, wherein the file obtaining unit is specifically configured to determine an original file that is not encrypted, and to transmit the original file to the device infected by the ransomware, the ransomware encrypting the original file to obtain the target file.
10. The apparatus according to claim 8, wherein the file obtaining unit is specifically configured to determine, as the target file, any system file that has a backup file among all system files encrypted by the ransomware, and to determine, as the original file, the backup file corresponding to the target file.
11. The apparatus of claim 8, wherein the apparatus further comprises:
a target memory obtaining unit, configured to execute a suspend operation on the process of the ransomware, and to acquire, in the memory of the device infected by the ransomware, a target memory corresponding to the ransomware process, so as to trigger the potential key searching unit to search the target memory for the plurality of potential keys matching the feature value.
12. The apparatus of claim 11, wherein the target memory obtaining unit is specifically configured, when acquiring the target memory corresponding to the ransomware process, to invoke a memory dump tool based on a cmd command and to perform a memory dump of the ransomware process with the memory dump tool to obtain the dumped target memory.
13. The apparatus according to any one of claims 8-12, wherein the correct key determining unit is specifically configured to decrypt the target file with each potential key in turn, compare whether the decrypted file is identical to the original file, and determine the potential key for which the comparison result is identical as the correct key.
14. The apparatus according to claim 13, wherein the correct key determining unit is further configured to determine whether the decrypted file has the same size as the original file, and, if the sizes differ, to truncate the decrypted file so that its size after truncation equals the size of the original file.
15. A computing device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of any of claims 1-7 when the computer program is executed.
16. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-7.
CN202111362126.XA 2021-11-17 2021-11-17 Key searching method, device, computing equipment and storage medium Active CN114095236B (en)
Publications (2)

Publication Number Publication Date
CN114095236A CN114095236A (en) 2022-02-25
CN114095236B true CN114095236B (en) 2023-11-10

Family

ID=80301301



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant