CN114297655A - Linux system based process dynamic injection method and device and storage medium - Google Patents


Info

Publication number
CN114297655A
Authority
CN
China
Prior art keywords
target process
injection
injector
linux system
interrupt
Prior art date
Legal status
Pending
Application number
CN202111670897.5A
Other languages
Chinese (zh)
Inventor
李林聪
Current Assignee
Kelai Network Technology Co ltd
Original Assignee
Kelai Network Technology Co ltd

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention provides a process dynamic injection method, device and storage medium based on a Linux system, comprising the following steps: (1) installing a kernel driver module to hijack the process information of the target process; (2) a running application-layer manager receives the hijacked process information from the kernel driver module; (3) starting an injector and passing the process information to the injector; (4) the injector performs the injection: it modifies the entry address of the target process to an interrupt instruction, so that the target process raises an interrupt once it has finished its initialization, and the subsequent injection operation is performed after the interrupt is raised, when execution reaches the entry address again; (5) the implant operation is performed. Compared with existing dynamic injection technology for Linux, the method and system complete the injection accurately at the very moment the target process starts. No blank period arises in which the target program already runs before being injected, so a malicious program cannot use that window to evade detection and analysis, and injection into the malicious program becomes more accurate and stable.

Description

Linux system based process dynamic injection method and device and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a process dynamic injection method and device based on a Linux system, and a storage medium.
Background
With the rapid development of computer science, people enjoy the great convenience brought by computers on the one hand, and are attacked and threatened by malicious programs on the other. A large amount of security software exists on Windows to protect computers and reduce the harm caused by malicious programs, whereas Linux lacks such a rich ecosystem. As Linux continues to develop and is increasingly used in the server field, its security needs to be improved further. Among the methods for dynamically detecting malicious programs, dynamic injection is one of the important ones.
At present, dynamic injection technology for Linux is not well developed. Most of it performs conventional injection through API functions provided by the Linux kernel (such as the ptrace function), which malicious programs can easily evade, causing the injection to fail. In addition, dynamic injection fails because the environment of the target process is inconsistent before and after injection, because the injection time is inaccurate, and for similar reasons, so the injection success rate cannot be guaranteed.
Disclosure of Invention
The invention aims to provide a method, a device and a storage medium for dynamically injecting a process based on a Linux system, so as to solve the problems of the existing dynamic injection technology for Linux.
The invention provides a process dynamic injection method based on a Linux system, comprising the following steps:
(1) installing a kernel driver module to hijack the process information of the target process;
(2) a running application-layer manager receives the hijacked process information from the kernel driver module;
(3) starting an injector and passing the process information to the injector;
(4) the injector performs the injection: it modifies the entry address of the target process to an interrupt instruction, so that the target process raises an interrupt once it has finished its initialization, and the subsequent injection operation is performed after the interrupt is raised, when execution reaches the entry address again;
(5) the implant operation is performed.
Further, in step (1), the process information of the target process is hijacked as follows: the process information is obtained by hijacking the function that creates the target process.
Further, in step (4), the injector performs the injection according to the information classification of the application-layer manager.
Further, in step (4), when the injector performs the injection it must determine whether the target process is a newly started program or a forked child process:
if the target process is a newly started program, its entry address is modified to an interrupt instruction, so that the target process raises an interrupt once it has finished its initialization, and the subsequent injection operation is performed after the interrupt is raised, when the target process reaches the entry address again;
if the target process is a forked child process, no entry address exists, and the subsequent injection operation is performed directly.
Further, the injection operation in step (5) is performed as follows:
(51) acquiring an unused region of the target process's memory space;
(52) writing shellcode into the unused memory region;
(53) setting the corresponding hardware registers to the addresses of the malloc and dlopen functions;
(54) executing the shellcode to allocate space;
(55) copying the dynamic library address into the allocated space;
(56) calling dlopen to load the dynamic library;
(57) setting a hardware register so that the dynamic library's entry function executes and initializes the library;
(58) after the dynamic library has finished its initialization, the injector restores the memory space of the target process.
The invention also provides a storage medium on which a computer program is stored; when run, the computer program executes the above process dynamic injection method based on a Linux system.
The invention also provides a process dynamic injection device based on a Linux system, comprising:
a storage medium for storing a computer program; and
a processor for running the computer program, where the computer program, when run, executes the above process dynamic injection method based on a Linux system.
In summary, by adopting the above technical scheme, the invention has the following beneficial effects:
compared with existing dynamic injection technology for Linux, the method and system complete the injection accurately at the very moment the target process starts. No blank period arises in which the target program already runs before being injected, so a malicious program cannot use that window to evade detection and analysis, and injection into the malicious program becomes more accurate and stable.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present invention and therefore should not be considered as limiting its scope; those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a flowchart of a process dynamic injection method based on a Linux system in embodiment 1 of the present invention.
Fig. 2 is an exemplary illustration of the kernel driver module hijacking the function that creates the target process, according to embodiment 1 of the present invention.
Fig. 3 is a flowchart of performing an injection operation according to embodiment 1 of the present invention.
Fig. 4 is a diagram illustrating an example memory space state of a target process before injection according to embodiment 1 of the present invention.
Fig. 5 is a diagram illustrating an example memory space state of a target process after injection according to embodiment 1 of the present invention.
Fig. 6 is a flowchart of a process dynamic injection method based on the Linux system in embodiment 2 of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
As shown in fig. 1, the present embodiment provides a process dynamic injection method based on a Linux system, including the following steps:
(1) installing a kernel driver module to hijack the process information of the target process; in this embodiment, the process information is hijacked by hijacking the function that creates the target process and obtaining the process information from it; an example of the kernel driver module hijacking the target process creation function is shown in fig. 2;
(2) a running application-layer manager receives the hijacked process information from the kernel driver module;
(3) starting an injector and passing the process information to the injector;
(4) the injector performs the injection: it modifies the entry address of the target process to an interrupt instruction, so that the target process raises an interrupt once it has finished its initialization, and the subsequent injection operation is performed after the interrupt is raised, when execution reaches the entry address again; in this embodiment, the injector performs the injection according to the information classification of the application-layer manager;
(5) the implant operation is performed. In this embodiment, as shown in fig. 3, the implant operation includes:
(51) obtaining an unused region of the target process's memory space; an example of the memory space state of the target process before injection is shown in fig. 4;
(52) writing shellcode into the unused memory region;
(53) setting the corresponding hardware registers to the addresses of the malloc and dlopen functions;
(54) executing the shellcode to allocate space;
(55) copying the dynamic library address into the allocated space;
(56) calling dlopen to load the dynamic library;
(57) setting a hardware register so that the dynamic library's entry function executes and initializes the library;
(58) after the dynamic library has finished its initialization, the injector restores the memory space of the target process; an example of the memory space state of the target process after injection is shown in fig. 5.
The key of the invention lies in knowing the exact moment at which the target process has just finished initializing. The invention loads a kernel driver module to hijack the process information so that the injector can complete a first injection, in which the entry address of the target process is modified to an interrupt instruction. When the target process has finished its initialization and reaches the entry address again, the interrupt is raised and the injector continues with the subsequent injection operation, ensuring that the injection succeeds. Therefore, compared with existing dynamic injection technology for Linux, the method and system complete the injection accurately at the very moment the target process starts. No blank period arises in which the target program already runs before being injected, so a malicious program cannot use that period to evade detection and analysis, and injection into the malicious program becomes more accurate and stable.
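Taken from the defender's side, the "interrupt instruction at the entry address" of step (4) leaves a detectable trace: the first bytes mapped at a process's entry point no longer match the bytes at the same location in its executable on disk. The following Python check is an added example, not part of the patent; its ELF64 parsing is our own, build_sample_elf constructs a minimal test image rather than reading a real binary, and check_live_process assumes Linux /proc and that a PIE's first PT_LOAD has p_vaddr 0.

```python
import os
import struct

INT3 = 0xCC                 # x86 breakpoint opcode written over the entry point
PT_LOAD, ET_DYN = 1, 3      # ELF program-header type / PIE object type


def elf64_header(elf: bytes) -> dict:
    """Parse the little-endian ELF64 header fields the check needs."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    e_entry, e_phoff = struct.unpack_from("<QQ", elf, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    return {"type": e_type, "entry": e_entry, "phoff": e_phoff,
            "phentsize": e_phentsize, "phnum": e_phnum}


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a link-time virtual address to its file offset via the PT_LOAD segments."""
    h = elf64_header(elf)
    for i in range(h["phnum"]):
        ph = h["phoff"] + i * h["phentsize"]
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, ph)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address is not backed by file bytes in any PT_LOAD segment")


def compare_entry(elf: bytes, observed: bytes) -> dict:
    """Compare bytes observed at the entry point with what the file holds there.
    'patched' is True on any difference; 'int3_at_entry' flags the breakpoint-
    at-entry pattern specifically."""
    h = elf64_header(elf)
    off = vaddr_to_offset(elf, h["entry"])
    expected = elf[off:off + len(observed)]
    return {"entry": h["entry"], "patched": expected != observed,
            "int3_at_entry": observed[:1] == bytes([INT3]),
            "expected": expected.hex(), "observed": observed.hex()}


def check_live_process(pid: int, nbytes: int = 16) -> dict:
    """Linux-only: compare /proc/<pid>/exe with the live bytes at its entry address.
    Needs ptrace-level access to the target (root, or the same user under a
    permissive Yama ptrace_scope). Assumption: a PIE's first PT_LOAD has
    p_vaddr 0, so its load base is the start of the first mapping of the exe."""
    exe = os.readlink(f"/proc/{pid}/exe")
    with open(f"/proc/{pid}/exe", "rb") as f:
        elf = f.read()
    h = elf64_header(elf)
    entry = h["entry"]
    if h["type"] == ET_DYN:
        with open(f"/proc/{pid}/maps") as maps:
            first = next(line for line in maps if line.rstrip().endswith(exe))
        entry += int(first.split("-", 1)[0], 16)
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        mem.seek(entry)
        observed = mem.read(nbytes)
    return compare_entry(elf, observed)


def build_sample_elf() -> bytes:
    """Constructed test image, not a real binary: one PT_LOAD mapping file offsets
    0..0x1010 at vaddr 0x400000; e_entry 0x401000 -> file offset 0x1000, which
    holds an ordinary prologue (push rbp; mov rbp, rsp)."""
    img = bytearray(0x1010)
    img[0:7] = b"\x7fELF" + bytes([2, 1, 1])          # ELFCLASS64, LE, version 1
    struct.pack_into("<HHIQQQIHHHHHH", img, 16,
                     2, 62, 1, 0x401000, 64, 0, 0,     # ET_EXEC, x86-64, entry, phoff
                     64, 56, 1, 64, 0, 0)              # ehsize, phentsize, phnum, sh*
    struct.pack_into("<IIQQQQQQ", img, 64,
                     PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1010, 0x1010, 0x1000)
    img[0x1000:0x1004] = bytes.fromhex("554889e5")
    return bytes(img)
```

A periodic sweep of check_live_process over /proc will also flag legitimate debuggers that have set a breakpoint at the entry point, so the finding should be correlated with the tracer recorded in /proc/<pid>/status before raising an alert.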
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
Therefore, the present embodiment also provides a storage medium on which a computer program is stored; when run, the computer program executes the above process dynamic injection method based on a Linux system.
From the above, the present embodiment further provides a process dynamic injection apparatus based on a Linux system, including:
a storage medium for storing a computer program; and
a processor for running the computer program, where the computer program, when run, executes the above process dynamic injection method based on a Linux system.
Example 2
Unlike embodiment 1, in step (4) the injector must determine, when it performs the injection, whether the target process is a newly started program or a forked child process:
if the target process is a newly started program, its entry address is modified to an interrupt instruction, so that the target process raises an interrupt once it has finished its initialization, and the subsequent injection operation is performed after the interrupt is raised, when the target process reaches the entry address again;
if the target process is a forked child process, no entry address exists, and the subsequent injection operation is performed directly.
Therefore, the present embodiment provides a process dynamic injection method based on a Linux system which, referring to fig. 6, includes the following steps:
(1) installing a kernel driver module to hijack the process information of the target process;
(2) a running application-layer manager receives the hijacked process information from the kernel driver module;
(3) starting an injector and passing the process information to the injector;
(4) the injector performs the injection, first judging whether the target process is a newly started program or a forked child process:
if the target process is a newly started program, its entry address is modified to an interrupt instruction, so that the target process raises an interrupt once it has finished its initialization, and the subsequent injection operation is performed after the interrupt is raised, when the target process reaches the entry address again;
if the target process is a forked child process, no entry address exists, and the subsequent injection operation is performed directly;
(5) the implant operation is performed. In this embodiment, the injection operation includes:
(51) acquiring an unused region of the target process's memory space;
(52) writing shellcode into the unused memory region;
(53) setting the corresponding hardware registers to the addresses of the malloc and dlopen functions;
(54) executing the shellcode to allocate space;
(55) copying the dynamic library address into the allocated space;
(56) calling dlopen to load the dynamic library;
(57) setting a hardware register so that the dynamic library's entry function executes and initializes the library;
(58) after the dynamic library has finished its initialization, the injector restores the memory space of the target process.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. A process dynamic injection method based on a Linux system, characterized by comprising the following steps:
(1) installing a kernel driver module to hijack the process information of the target process;
(2) a running application-layer manager receives the hijacked process information from the kernel driver module;
(3) starting an injector and passing the process information to the injector;
(4) the injector performs the injection: it modifies the entry address of the target process to an interrupt instruction, so that the target process raises an interrupt once it has finished its initialization, and the subsequent injection operation is performed after the interrupt is raised, when execution reaches the entry address again;
(5) the implant operation is performed.
2. The process dynamic injection method based on a Linux system according to claim 1, wherein in step (1) the process information of the target process is hijacked as follows: the process information is obtained by hijacking the function that creates the target process.
3. The process dynamic injection method based on a Linux system according to claim 1, wherein in step (4) the injector performs the injection according to the information classification of the application-layer manager.
4. The process dynamic injection method based on a Linux system according to claim 1, wherein in step (4), when the injector performs the injection, it determines whether the target process is a newly started program or a forked child process:
if the target process is a newly started program, its entry address is modified to an interrupt instruction, so that the target process raises an interrupt once it has finished its initialization, and the subsequent injection operation is performed after the interrupt is raised, when the target process reaches the entry address again;
if the target process is a forked child process, no entry address exists, and the subsequent injection operation is performed directly.
5. The process dynamic injection method based on a Linux system according to claim 4, wherein the injection operation in step (5) is performed as follows:
(51) acquiring an unused region of the target process's memory space;
(52) writing shellcode into the unused memory region;
(53) setting the corresponding hardware registers to the addresses of the malloc and dlopen functions;
(54) executing the shellcode to allocate space;
(55) copying the dynamic library address into the allocated space;
(56) calling dlopen to load the dynamic library;
(57) setting a hardware register so that the dynamic library's entry function executes and initializes the library;
(58) after the dynamic library has finished its initialization, the injector restores the memory space of the target process.
6. A storage medium on which a computer program is stored, wherein the computer program executes the process dynamic injection method according to any one of claims 1 to 5.
7. A process dynamic injection device based on a Linux system, characterized by comprising:
a storage medium for storing a computer program; and
a processor for running the computer program, where the computer program, when run, executes the process dynamic injection method based on a Linux system according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111670897.5A CN114297655A (en) 2021-12-31 2021-12-31 Linux system based process dynamic injection method and device and storage medium

Publications (1)

Publication Number Publication Date
CN114297655A true CN114297655A (en) 2022-04-08

Family

ID=80974395

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116775147A (en) * 2023-06-08 2023-09-19 北京天融信网络安全技术有限公司 Executable file processing method, device, equipment and storage medium
CN116775147B (en) * 2023-06-08 2024-03-15 北京天融信网络安全技术有限公司 Executable file processing method, device, equipment and storage medium
CN116861413A (en) * 2023-06-21 2023-10-10 云袭网络技术河北有限公司 Method and system for injecting kernel protection process

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination