CN114329446A - Operating system threat detection method and device, electronic equipment and storage medium - Google Patents

Operating system threat detection method and device, electronic equipment and storage medium

Info

Publication number
CN114329446A
Authority
CN
China
Prior art keywords
jump instruction
operating system
address
jump
instruction
Legal status (as assumed by Google Patents; not a legal conclusion)
Pending
Application number
CN202111333224.0A
Other languages
Chinese (zh)
Inventor
罗世谦
王明广
Current Assignee (as listed by Google Patents; may be inaccurate)
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

An embodiment of the invention provides an operating system threat detection method and apparatus, an electronic device and a storage medium, applied to the electronic device. The method comprises: acquiring a jump instruction generated for a target operation of the operating system of the electronic device; comparing the jump instruction with jump instruction data in a jump instruction database of the operating system, where the jump instruction database holds jump instruction data extracted from the operating system while the operating system was in a trusted state; and, when the jump instruction does not match the jump instruction data in the jump instruction database, determining that a threat exists in the operating system. The method and apparatus can detect whether the operating system is under threat, and reduce the false alarm rate while keeping the threat detection rate.

Description

Operating system threat detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network device technologies, and in particular, to a method and an apparatus for detecting operating system threats, an electronic device, and a storage medium.
Background
As computer technology has developed, data in a system is stored in databases in a variety of ways.
In the related art, a database is created by extracting instruction jump information from a system with a module of the Interactive Disassembler (IDA) static analysis platform. Only the jump information that static analysis can resolve is stored in the database; jump information that cannot be resolved statically (typically jumps whose target is only known at run time) is left out, so when the database is used to detect threats in the running system the false alarm rate is high. How to improve the detection of system threats is therefore an urgent technical problem.
Disclosure of Invention
To solve the problems in the related art, embodiments of the present invention provide a method and an apparatus for detecting operating system threats, an electronic device, and a storage medium.
Specifically, the embodiment of the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides an operating system threat detection method, applied to an electronic device, the method comprising:
acquiring a jump instruction generated for a target operation of the operating system of the electronic device;
comparing the jump instruction with jump instruction data in a jump instruction database of the operating system, where the jump instruction database comprises jump instruction data extracted from the operating system while the operating system was in a trusted state;
and, when the jump instruction does not match the jump instruction data in the jump instruction database, determining that a threat exists in the operating system.
Further, the jump instruction data includes at least one of:
a jump instruction pair array, an indirect jump instruction array, a call (subroutine call) instruction array and a ret (return) instruction array.
Further, when the jump instruction data includes the ret instruction array, comparing the jump instruction with the jump instruction data in the jump instruction database of the operating system includes:
comparing the from address offset of the jump instruction (the offset of its start address within its module) with the ret instruction array in the jump instruction database;
when the from address offset of the jump instruction is found in the ret instruction array, matching the to address offset of the jump instruction (the offset of its target address) against the instruction following the call instruction at the top of the target stack currently in use;
and, if they do not match, ruling that the jump instruction does not match the ret instruction array.
Further, the method further comprises:
when the jump instruction matches the call instruction array in the jump instruction database, writing the from address offset of the jump instruction onto the target stack.
Further, before comparing the jump instruction with the jump instruction data in the jump instruction database of the operating system, the method further includes:
converting the from address and the to address of the jump instruction into offsets; and determining that a threat exists in the operating system when the from address or the to address of the jump instruction cannot be converted into an offset;
when both the from address and the to address have been converted into offsets, searching the jump instruction database of the operating system for the target module corresponding to the from address offset or the to address offset; and determining that a threat exists in the operating system when no target module corresponding to the from address offset or the to address offset is found in the jump instruction database;
or, when a target module corresponding to the from address offset and the to address offset is found in the jump instruction database, searching that target module in the database for the function corresponding to the from address offset or the to address offset; and determining that a threat exists in the operating system when no function corresponding to the from address offset or the to address offset is found in the target module of the jump instruction database.
Further, before acquiring the jump instruction generated for the target operation of the operating system of the electronic device, the method further includes:
when the operating system is in a trusted state, parsing the image of the operating system with a program written in C, and identifying the code region of the operating system;
disassembling the code region of the operating system with the Capstone disassembly engine, and outputting the jump instruction database of the operating system.
In a second aspect, an embodiment of the present invention further provides an operating system threat detection apparatus, including:
an acquisition module, configured to acquire a jump instruction generated for a target operation of an operating system of the electronic device;
the first comparison module is used for comparing the jump instruction with jump instruction data in a jump instruction database of the operating system; wherein the jump instruction database comprises: jump instruction data in the operating system extracted while the operating system is in a trusted state;
and the first determining module is used for determining that the operating system has a threat under the condition that the jump instruction is not matched with the jump instruction data in the jump instruction database.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps of the operating system threat detection method according to the first aspect.
In a fourth aspect, the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the operating system threat detection method according to the first aspect.
In a fifth aspect, the present invention further provides a computer program product, on which executable instructions are stored, and when executed by a processor, the instructions cause the processor to implement the steps of the operating system threat detection method according to the first aspect.
According to the operating system threat detection method provided by the embodiment of the invention, the jump instruction generated by the target operation is compared with the jump instruction data in the jump instruction database to decide whether it is a normal or an abnormal jump for the operating system, and from that whether a threat exists in the operating system; the false alarm rate is thereby reduced while the threat detection rate is maintained.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a threat detection method for an operating system according to the present invention;
FIG. 2 is a second flowchart illustrating an operating system threat detection method according to the present invention;
FIG. 3 is a third schematic flowchart of a threat detection method for an operating system according to the present invention;
FIG. 4 is a fourth flowchart illustrating an operating system threat detection method according to the present invention;
FIG. 5 is a schematic structural diagram of an operating system threat detection apparatus provided in the present invention;
FIG. 6 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 is a schematic flow chart of the operating system threat detection method provided by the present invention. As shown in FIG. 1, the method includes steps 110 to 130:
Step 110: acquiring a jump instruction generated for a target operation of the operating system of the electronic device.
It should be noted that the operating system threat detection method provided by the present invention can be applied to threat detection scenarios for an operating system, for example detecting threats in a Linux-like operating system, so as to verify that the environment is trusted. The execution subject of the method can be an operating system threat detection apparatus, such as a desktop computer or a server, or a control module within that apparatus that executes the method.
Alternatively, the operating system may be Linux, Windows or another operating system. The target operation includes at least one of: a file operation, a network operation, a process operation and a thread operation. The jump instruction may be of any of the kinds recorded in the database: a direct jump pair, an indirect jump, a call instruction or a ret instruction.
Step 120: comparing the jump instruction with jump instruction data in a jump instruction database of the operating system, where the jump instruction database includes jump instruction data extracted from the operating system while the operating system was in a trusted state.
In practice, the electronic device builds the jump instruction database while it is in a trusted state by extracting a driver file of the operating system, obtaining the jump instructions in that driver file, and storing them; the jump instruction database thus consists of those jump instructions.
Optionally, the jump instruction data comprises at least one of: a jump instruction pair array, an indirect jump instruction array, a call instruction array and a ret instruction array.
Optionally, the addresses of the jump instruction generated for the target operation of the operating system are compared with the addresses in the jump instruction data of the jump instruction database.
Step 130: when the jump instruction does not match the jump instruction data in the jump instruction database, determining that a threat exists in the operating system.
Optionally, when the addresses of the jump instruction generated for the target operation are compared with the addresses in the jump instruction database and the database contains no entry corresponding to that jump instruction, a threat is determined to exist in the operating system. Such threats include, for example, hidden modules, modules not recorded in the database, hooks (HOOK) and code injection.
According to the operating system threat detection method provided by the present invention, the jump instruction generated by the target operation is compared with the jump instruction data in the jump instruction database to decide whether it is a normal or an abnormal jump for the operating system, and from that whether a threat exists; the false alarm rate is thereby reduced while the threat detection rate is maintained.
FIG. 2 is a second flow chart of the operating system threat detection method provided by the present invention. As shown in FIG. 2, the method includes steps 210 to 250:
Step 210: acquiring a jump instruction generated for a target operation of the operating system of the electronic device.
Step 220: comparing the from address offset of the jump instruction (the offset of its start address) with the ret instruction array in the jump instruction database.
Optionally, the from address offset is obtained by subtracting the base address of the target module to which the jump instruction belongs from the from address of the jump instruction, where the base address is the load address of that module, i.e. the module the instruction is in before the jump is taken.
In practice, only the from address of each ret instruction is stored in the ret instruction array, so the from address offset of the jump instruction is what is compared with the ret instruction data in the jump instruction database.
Step 230: when the from address offset of the jump instruction is found in the ret instruction array, matching the to address offset of the jump instruction against the instruction following the call instruction at the top of the target stack currently in use.
Optionally, the to address offset is obtained by subtracting the base address of the module to which the target belongs from the to address of the jump instruction.
Optionally, the target stack records the call instructions seen so far (at least two can be held). Whenever the from address offset of a jump instruction is found in the call instruction array, that call instruction is pushed onto the target stack and kept there. Every call instruction has a corresponding ret instruction; when the ret executes, the to address offset of the jump instruction is compared with the address of the instruction following the call at the top of the target stack, i.e. the check is whether the ret returns to the instruction immediately after the call that is being returned from.
Step 240: if they do not match, ruling that the jump instruction does not match the ret instruction array.
Optionally, if the instruction the jump lands on is not the one following the call at the top of the target stack, that is, the to address offset of the jump instruction does not match the address of the instruction after that call instruction, it is ruled that the jump instruction does not match the ret instruction array, and a threat is therefore determined to exist in the operating system.
Step 250: when the jump instruction does not match the jump instruction data in the jump instruction database, determining that a threat exists in the operating system.
The operating system threat detection method provided by the present invention matches the from address offset of the jump instruction with the ret instruction array in the jump instruction database, then matches the to address offset against the address of the instruction following the call instruction at the top of the target stack; if they do not match, the jump instruction is ruled not to match the ret instruction array and a threat is detected in the operating system, which reduces the false alarm rate while maintaining the threat detection rate.
Optionally, when the jump instruction matches the call instruction array in the jump instruction database, the from address offset of the jump instruction is written onto the target stack.
Specifically, when the jump instruction matches the call instruction array in the jump instruction database, the jump instruction is determined to be a normal jump, and its from address offset can then be written onto the target stack and kept for the next round of threat detection in the operating system.
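The following is an added worked example of the ret matching of steps 220 to 240 together with the call-site write described in the preceding paragraph; it is not code from the patent or from the applicant. It assumes a single module with a hypothetical base address, branch records delivered as (from address, to address) pairs, and a call instruction array that records for each call the offset of the instruction following it, so the expected return target is available without re-decoding; the offsets and the traces are constructed. Treating a ret that arrives with an empty target stack as a mismatch is a handling choice the patent does not specify.

```python
"""Shadow-stack (target stack) matching of ret instructions.

Added example, not the patent's code. Assumptions not stated in the patent:
one module with base MODULE_BASE, branch records as (from, to) address pairs,
and call-site entries that carry the offset of the instruction after the call.
"""

MODULE_BASE = 0xFFFFF80000400000  # hypothetical load address of the module

# Constructed jump instruction database for the module, as offsets from base.
CALL_SITES = {0x1000: 0x1005, 0x1020: 0x1025, 0x2000: 0x2005}  # call -> next insn
RET_SITES = {0x1100, 0x2100}                                   # ret instructions


def to_offset(addr, base=MODULE_BASE):
    """From/to address minus the module base (the patent's 'address offset')."""
    return addr - base


def check_record(from_addr, to_addr, shadow):
    """Apply one branch record to the target stack.

    `shadow` is the list of return targets expected for the calls seen so far.
    Returns None when the record is consistent with the database, otherwise a
    string describing the mismatch.
    """
    from_off, to_off = to_offset(from_addr), to_offset(to_addr)
    if from_off in RET_SITES:
        # Steps 220-240: a known ret must return to the instruction after the
        # most recent unmatched call. A ret with nothing outstanding is
        # treated as a mismatch here (handling choice, not from the patent).
        if not shadow:
            return f"ret at {from_off:#x} with no outstanding call"
        expected = shadow[-1]
        if to_off != expected:
            return f"ret at {from_off:#x} -> {to_off:#x}, expected {expected:#x}"
        shadow.pop()
    elif from_off in CALL_SITES:
        # The record matched the call instruction array: remember where this
        # call has to return to (the patent writes the from offset; the next
        # instruction offset is stored directly here to avoid re-decoding).
        shadow.append(CALL_SITES[from_off])
    return None


def scan_trace(trace):
    """Run a whole branch trace; return the list of mismatches found."""
    shadow, alerts = [], []
    for from_addr, to_addr in trace:
        problem = check_record(from_addr, to_addr, shadow)
        if problem:
            alerts.append(problem)
    return alerts


# Constructed traces. The call at 0x1020 reaches a routine at 0x2000, which
# calls a routine at 0x1100; each ret goes back to the instruction after its call.
B = MODULE_BASE
BENIGN_TRACE = [
    (B + 0x1020, B + 0x2000),   # call from 0x1020
    (B + 0x2000, B + 0x1100),   # nested call from 0x2000
    (B + 0x1100, B + 0x2005),   # ret to the instruction after the nested call
    (B + 0x2100, B + 0x1025),   # ret to the instruction after the first call
]
# A ret that leaves for an address nobody called from (ROP-style chaining).
ROP_TRACE = [
    (B + 0x1020, B + 0x2000),
    (B + 0x2100, B + 0x1300),   # expected 0x1025, got 0x1300
]

if __name__ == "__main__":
    print("benign:", scan_trace(BENIGN_TRACE))
    print("rop:   ", scan_trace(ROP_TRACE))
```

Records whose from offset is neither a known ret nor a known call are left to the other arrays of the database and do not touch the target stack; a real deployment would keep one such stack per thread, since the patent's "target stack currently in use" is a per-execution-context structure.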
Optionally, FIG. 3 is a third schematic flow chart of the operating system threat detection method provided by the present invention. As shown in FIG. 3, take a jump instruction generated for a target operation of the operating system of the electronic device as an example: the jump instruction has a from address and a to address, and the from address and the to address are each converted into an offset.
Specifically, offset conversion means subtracting the base address of the module to which the jump instruction belongs from the from address and from the to address, giving the from address offset and the to address offset respectively. If the from address or the to address of the jump instruction cannot be converted into an offset, i.e. it lies in no module the system knows of, a hidden module exists in the operating system and therefore a threat exists; otherwise, once both the from address and the to address have been converted, the target module corresponding to the from address offset or the to address offset is looked up in the jump instruction database of the operating system.
Further, if no target module corresponding to the from address offset or the to address offset is found in the jump instruction database, a module not recorded in the database exists in the operating system; otherwise, when the target module corresponding to the from address offset and the to address offset is found in the jump instruction database, meaning that both offsets fall in a module the database knows, the jump function corresponding to the from address offset or the to address offset is looked up in that target module of the jump instruction database.
Further, if no jump function corresponding to the from address offset or the to address offset is found in the target module of the jump instruction database, code injection exists in the operating system and a threat is determined to exist; otherwise, when the jump function corresponding to the from address offset or the to address offset is found in the target module of the jump instruction database, the from address and the to address of the jump instruction are matched against the addresses recorded for that jump function in the jump instruction database.
Further, if the from address and the to address of the jump instruction do not match the addresses recorded for the jump function in the jump instruction database, a HOOK threat is determined to exist in the operating system; if they match, no HOOK threat exists, and the above procedure is repeated for the next jump instruction until every jump instruction in the operating system has been matched against the jump instruction database.
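An added worked example of the staged checks of FIG. 3 (offset conversion, module lookup, function lookup, address-pair match), which also serves as the comparison of steps 120 and 130 in FIG. 1; it is not the patent's or the applicant's code. The module list, the trusted database, the jump pairs and the addresses are all constructed, and the names of the threat classes follow the patent's own terms. The treatment of indirect jump sites (the target must be the entry of a function recorded in the database) is an assumption the patent does not spell out.

```python
"""Staged classification of one branch record (FIG. 3 of the patent).

Added example, not the patent's code. Module list, trusted database, jump
pairs and addresses are constructed; threat names follow the patent's terms.
"""

KERNEL_BASE = 0xFFFFFFFF81000000

# Modules the running OS reports as loaded: (name, base, size). Used only to
# turn an address into (module, offset). Constructed.
RUNTIME_MODULES = [
    ("vmlinux", KERNEL_BASE, 0x2000000),
    ("nf_conntrack", 0xFFFFFFFFC0000000, 0x20000),
    ("unlisted_ko", 0xFFFFFFFFC0100000, 0x10000),  # loaded now, absent from the DB
]

# Extracted while the OS was trusted. functions: [start, end) offsets;
# indirect: offsets of jmp/call-through-register sites. Constructed.
TRUSTED_DB = {
    "vmlinux": {"functions": [(0x1000, 0x1080), (0x2000, 0x2100)], "indirect": {0x2080}},
    "nf_conntrack": {"functions": [(0x500, 0x600)], "indirect": set()},
}
# Direct jumps whose target is fixed in the image: (from_mod, from_off, to_mod, to_off).
JUMP_PAIRS = {
    ("vmlinux", 0x1010, "vmlinux", 0x2000),
    ("vmlinux", 0x2040, "vmlinux", 0x1020),
    ("nf_conntrack", 0x520, "nf_conntrack", 0x560),
}


def locate(addr):
    """Offset conversion: (module name, offset), or None when no module covers addr."""
    for name, base, size in RUNTIME_MODULES:
        if base <= addr < base + size:
            return name, addr - base
    return None


def containing_function(name, off):
    """Start offset of the DB function containing off in module name, or None."""
    for start, end in TRUSTED_DB[name]["functions"]:
        if start <= off < end:
            return start
    return None


def classify(from_addr, to_addr):
    """Return 'ok' or the patent's threat class for one (from, to) record."""
    ends = [locate(a) for a in (from_addr, to_addr)]
    if None in ends:
        return "hidden module"        # offset conversion failed for one end
    if any(name not in TRUSTED_DB for name, _ in ends):
        return "unrecorded module"    # module loaded now, but not in the trusted image
    funcs = [containing_function(name, off) for name, off in ends]
    if None in funcs:
        return "injection"            # offset falls outside every known function
    (from_mod, from_off), (to_mod, to_off) = ends
    if from_off in TRUSTED_DB[from_mod]["indirect"]:
        # The DB cannot hold a fixed target for an indirect site; requiring a
        # recorded function entry is an assumption added here, not the patent's.
        return "ok" if funcs[1] == to_off else "HOOK"
    if (from_mod, from_off, to_mod, to_off) not in JUMP_PAIRS:
        return "HOOK"                 # direct jump now lands somewhere else
    return "ok"


# Constructed records covering each branch of the decision.
SAMPLE_RECORDS = {
    "benign direct jump": (KERNEL_BASE + 0x1010, KERNEL_BASE + 0x2000),
    "target in no module": (KERNEL_BASE + 0x1010, 0xFFFFFFFFC0200000),
    "target in unlisted_ko": (KERNEL_BASE + 0x1010, 0xFFFFFFFFC0100010),
    "target outside functions": (KERNEL_BASE + 0x1010, KERNEL_BASE + 0x1800),
    "prologue jumps to module": (KERNEL_BASE + 0x1000, 0xFFFFFFFFC0000500),
    "indirect to function entry": (KERNEL_BASE + 0x2080, KERNEL_BASE + 0x1000),
}

if __name__ == "__main__":
    for label, (src, dst) in SAMPLE_RECORDS.items():
        print(f"{label:28} {classify(src, dst)}")
```

The order of the stages matters for the diagnosis rather than for the verdict: a patched function prologue that jumps into a loaded module passes the module and function lookups and is only caught by the pair match, so it is reported as HOOK, whereas the same jump into an address no module covers is reported as a hidden module at the first stage.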
Optionally, FIG. 4 is a fourth schematic flow chart of the operating system threat detection method provided by the present invention. As shown in FIG. 4, the method includes steps 410 to 450:
Step 410: when the operating system is in a trusted state, parsing the image of the operating system with a program written in C, and identifying the code region of the operating system.
Optionally, when the operating system is in a trusted state it loads a driver file, where the driver file is the static file obtained by static analysis of the operating system in that trusted state. The driver file is opened by the C program and its code region is read, thereby identifying the code region of the operating system.
Step 420: disassembling the code region of the operating system with the Capstone disassembly engine, and outputting the jump instruction database of the operating system.
Optionally, after the driver file is loaded into the memory of the operating system, the Capstone disassembly engine disassembles all code in the code region of the driver file, identifies the instruction corresponding to each piece of code, extracts the ret instructions and the jump instructions among them, and stores the extracted ret and jump instructions, which yields the jump instruction database of the operating system.
Step 430: acquiring a jump instruction generated for a target operation of the operating system of the electronic device.
Step 440: comparing the jump instruction with jump instruction data in a jump instruction database of the operating system, where the jump instruction database includes jump instruction data extracted from the operating system while the operating system was in a trusted state.
Step 450: when the jump instruction does not match the jump instruction data in the jump instruction database, determining that a threat exists in the operating system.
Optionally, for the description of steps 430 to 450, reference may be made to the description of steps 110 to 130; the same technical effects are achieved, and the description is not repeated here.
According to the operating system threat detection method provided by the present invention, the image of the operating system is parsed with a C program to identify its code region, the code region is disassembled with the Capstone disassembly engine and the jump instruction database of the operating system is output; instructions that are replaced while the operating system is running can be added to the jump instruction database at run time, which addresses both the inaccuracy of IDA analysis and run-time instruction replacement, improves the efficiency of building the database, and reduces the false alarm rate while maintaining the threat detection rate.
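An added worked example of steps 410 and 420 (locate the code region of a trusted image, disassemble it, and emit the four arrays of the jump instruction database); it is not the patent's or the applicant's code. The image format is a constructed eight-byte header rather than a real ELF or PE file, and a hand-written decoder covering only the opcodes present in the constructed code region stands in for the Capstone engine so that the example runs offline; with Capstone the loop over instructions would come from `Cs.disasm` instead, and the classification by opcode would use the instruction's mnemonic. The link address 0x1000 of the code region is also an assumption.

```python
"""Build the jump instruction database from a trusted image (steps 410-420).

Added example, not the patent's code. A constructed image header and a tiny
x86-64 decoder (only the opcodes used below) stand in for the C-language
image parser and the Capstone engine named in the patent.
"""
import struct

CODE_BASE = 0x1000  # assumed link address of the code region

# Constructed code region: two small routines plus a jmp/call-through-register
# tail, so every array of the database gets at least one entry.
CODE = bytes([
    0x55,                          # 1000: push rbp
    0x48, 0x89, 0xE5,              # 1001: mov rbp, rsp
    0xE8, 0x17, 0x00, 0x00, 0x00,  # 1004: call 0x1020
    0x85, 0xC0,                    # 1009: test eax, eax
    0x74, 0x02,                    # 100B: je 0x100F
    0x31, 0xC0,                    # 100D: xor eax, eax
    0x5D,                          # 100F: pop rbp
    0xC3,                          # 1010: ret
]) + b"\x90" * 15 + bytes([        # 1011-101F: nop padding
    0xB8, 0x01, 0x00, 0x00, 0x00,  # 1020: mov eax, 1
    0xFF, 0xE0,                    # 1025: jmp rax
    0xC3,                          # 1027: ret
    0xEB, 0xF6,                    # 1028: jmp 0x1020
    0xFF, 0xD0,                    # 102A: call rax
    0xC3,                          # 102C: ret
])
# Constructed image: magic, u16 code offset, u16 code length, 8 bytes of data, code.
IMAGE = b"IMG0" + struct.pack("<HH", 16, len(CODE)) + b"\xAA" * 8 + CODE


def find_code_region(image):
    """Step 410: parse the image header and return (code bytes, base address)."""
    if image[:4] != b"IMG0":
        raise ValueError("not a recognised image")
    off, length = struct.unpack("<HH", image[4:8])
    return image[off:off + length], CODE_BASE


def decode(code, base):
    """Linear sweep yielding (offset, opcode, raw bytes); stands in for Capstone."""
    i = 0
    while i < len(code):
        op, off = code[i], base + i
        if op in (0x55, 0x5D, 0x90, 0xC3):                       # push/pop rbp, nop, ret
            n = 1
        elif op == 0x48 and code[i + 1:i + 3] == b"\x89\xE5":    # mov rbp, rsp
            n = 3
        elif op in (0x31, 0x85) and code[i + 1] == 0xC0:         # xor/test eax, eax
            n = 2
        elif op in (0xE8, 0xE9, 0xB8):                           # call/jmp rel32, mov eax, imm32
            n = 5
        elif op in (0xEB, 0x74, 0x75):                           # jmp/je/jne rel8
            n = 2
        elif op == 0xFF and (code[i + 1] & 0xF0) in (0xD0, 0xE0):  # call/jmp reg
            n = 2
        else:
            raise ValueError(f"unsupported opcode {op:#x} at {off:#x}")
        yield off, op, code[i:i + n]
        i += n


def build_db(code, base):
    """Step 420: extract the four arrays the patent lists, keyed by offset."""
    db = {"pairs": set(), "indirect": set(), "calls": {}, "rets": set()}
    for off, op, raw in decode(code, base):
        nxt = off + len(raw)
        if op == 0xC3:
            db["rets"].add(off)
        elif op == 0xE8:                         # direct call: (next insn, target)
            db["calls"][off] = (nxt, nxt + struct.unpack("<i", raw[1:5])[0])
        elif op == 0xE9:
            db["pairs"].add((off, nxt + struct.unpack("<i", raw[1:5])[0]))
        elif op in (0xEB, 0x74, 0x75):
            db["pairs"].add((off, nxt + struct.unpack("<b", raw[1:2])[0]))
        elif op == 0xFF:
            db["indirect"].add(off)              # target only known at run time
            if (raw[1] & 0xF0) == 0xD0:          # call reg still has a return site
                db["calls"][off] = (nxt, None)
    return db


def build_db_from_image(image):
    return build_db(*find_code_region(image))


if __name__ == "__main__":
    for name, entries in build_db_from_image(IMAGE).items():
        print(name, entries if isinstance(entries, dict) else sorted(entries))
```

The indirect array is what the IDA-based approach of the background section leaves out: the `jmp rax` at 0x1025 and the `call rax` at 0x102A have no static target, but their from offsets are still recorded, so a run-time branch from those sites is recognised as originating at a legitimate instruction rather than being flagged as unknown.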
The operating system threat detection apparatus provided by the present invention is described below, and the operating system threat detection apparatus described below and the operating system threat detection method described above may be referred to in correspondence with each other.
FIG. 5 is a schematic structural diagram of the operating system threat detection apparatus provided by the present invention. As shown in FIG. 5, the operating system threat detection apparatus 500 includes an acquisition module 501, a first comparison module 502 and a first determination module 503, where:
the acquisition module 501 is configured to acquire a jump instruction generated for a target operation of an operating system of the electronic device;
the first comparison module 502 is configured to compare the jump instruction with jump instruction data in a jump instruction database of the operating system, where the jump instruction database comprises jump instruction data extracted from the operating system while the operating system was in a trusted state;
the first determination module 503 is configured to determine that a threat exists in the operating system when the jump instruction does not match the jump instruction data in the jump instruction database.
According to the operating system threat detection apparatus provided by the embodiment of the invention, the from address offset of the jump instruction generated by the target operation is compared with the jump instruction data in the jump instruction database to decide whether it is a normal or an abnormal jump for the operating system, and from that whether a threat currently exists; the false alarm rate is thereby reduced while the threat detection rate is maintained.
Optionally, the jump instruction data includes at least one of:
a jump instruction pair array, an indirect jump instruction array, a call instruction array and a ret instruction array.
Optionally, the first comparison module 502 is specifically configured to:
compare the from address offset of the jump instruction (the offset of its start address) with the ret instruction array in the jump instruction database;
when the from address offset of the jump instruction is found in the ret instruction array, match the to address offset of the jump instruction against the instruction following the call instruction at the top of the target stack currently in use;
and, if they do not match, rule that the jump instruction does not match the ret instruction array.
Optionally, the operating system threat detection apparatus 500 further includes:
a second writing module, configured to write the from address offset of the jump instruction onto the target stack when the jump instruction matches the call instruction array in the jump instruction database.
Optionally, the operating system threat detection apparatus 500 further includes:
a third determination module, configured to convert the from address and the to address of the jump instruction into offsets, and to determine that a threat exists in the operating system when the from address or the to address of the jump instruction cannot be converted into an offset;
a fourth determination module, configured to search the jump instruction database of the operating system for the target module corresponding to the from address offset or the to address offset of the jump instruction once both addresses have been converted into offsets, and to determine that a threat exists in the operating system when no such target module is found in the jump instruction database;
or, when a target module corresponding to the from address offset and the to address offset of the jump instruction is found in the jump instruction database, to search that target module for the function corresponding to the from address offset or the to address offset, and to determine that a threat exists in the operating system when no such function is found in the target module of the jump instruction database.
Optionally, the operating system threat detection apparatus 500 further includes:
an identification module, configured to parse the image of the operating system with a program written in C and identify the code region of the operating system while the operating system is in a trusted state;
a disassembly module, configured to disassemble the code region of the operating system with the Capstone disassembly engine and output the jump instruction database of the operating system.
Fig. 6 is a schematic diagram of the physical structure of an electronic device provided by the present invention. As shown in Fig. 6, the electronic device 600 may include a processor 610, a communications interface 620, a memory 630 and a communication bus 640, where the processor 610, the communications interface 620 and the memory 630 communicate with each other via the communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform the following operating system threat detection method: collecting a jump instruction generated for a target operation of the operating system of the electronic device; comparing the jump instruction with jump instruction data in a jump instruction database of the operating system, where the jump instruction database comprises jump instruction data extracted from the operating system while the operating system was in a trusted state; and determining that a threat exists in the operating system when the jump instruction does not match the jump instruction data in the jump instruction database.
In addition, the logic instructions in the memory 630 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as an independent product. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium that includes instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the following operating system threat detection method: collecting a jump instruction generated for a target operation of the operating system of the electronic device; comparing the jump instruction with jump instruction data in a jump instruction database of the operating system, where the jump instruction database comprises jump instruction data extracted from the operating system while the operating system was in a trusted state; and determining that a threat exists in the operating system when the jump instruction does not match the jump instruction data in the jump instruction database.
In yet another aspect, an embodiment of the present invention further provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions that, when executed by a computer, implement the following operating system threat detection method: collecting a jump instruction generated for a target operation of the operating system of the electronic device; comparing the jump instruction with jump instruction data in a jump instruction database of the operating system, where the jump instruction database comprises jump instruction data extracted from the operating system while the operating system was in a trusted state; and determining that a threat exists in the operating system when the jump instruction does not match the jump instruction data in the jump instruction database.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An operating system threat detection method applied to an electronic device, the method comprising:
collecting a jump instruction generated for a target operation of an operating system of the electronic device;
comparing the jump instruction with jump instruction data in a jump instruction database of the operating system; wherein the jump instruction database comprises: jump instruction data in the operating system extracted while the operating system is in a trusted state;
and determining that a threat exists in the operating system when the jump instruction does not match the jump instruction data in the jump instruction database.
2. The operating system threat detection method according to claim 1, wherein the jump instruction data comprises at least one of:
a jump instruction pair array, an indirect jump instruction array, a sub-function call instruction array and a return value instruction array.
3. The operating system threat detection method according to claim 2, wherein in a case where the jump instruction data includes the return value instruction array, the comparing the jump instruction with jump instruction data in a jump instruction database of the operating system includes:
comparing the offset of the from address (start address) of the jump instruction with the return value instruction array in the jump instruction database;
when the from address offset of the jump instruction is found in the return value instruction array, matching the offset of the to address (target address) of the jump instruction against the instruction that follows the sub-function call instruction currently on top of the target stack in use;
and otherwise determining that the jump instruction does not match the return value instruction array.
4. The operating system threat detection method of claim 2, the method further comprising:
writing the from address offset of the jump instruction onto a target stack when the jump instruction matches a sub-function call instruction array in the jump instruction database.
5. The operating system threat detection method according to claim 1, wherein before comparing the jump instruction with jump instruction data in a jump instruction database of the operating system, the method further comprises:
converting the from address and the to address of the jump instruction into offsets respectively; determining that a threat exists in the operating system when either the from address or the to address of the jump instruction cannot be converted into an offset;
once the from address and the to address of the jump instruction have both been converted into offsets, searching the jump instruction database of the operating system for a target module corresponding to the from address offset or the to address offset of the jump instruction; determining that a threat exists in the operating system when no target module corresponding to the from address offset or the to address offset of the jump instruction is found in the jump instruction database;
or, when a target module corresponding to the from address offset and the to address offset of the jump instruction is found in the jump instruction database of the operating system, searching that target module in the jump instruction database for a function corresponding to the from address offset or the to address offset of the jump instruction; determining that a threat exists in the operating system when no such function is found in the target module of the jump instruction database.
6. The operating system threat detection method according to claim 1, wherein before collecting the jump instruction generated for the target operation of the operating system of the electronic device, the method further comprises:
parsing the image of the operating system using C while the operating system is in a trusted state, and identifying a code region of the operating system;
disassembling the code region of the operating system using the Capstone disassembly engine, and outputting the jump instruction database of the operating system.
7. An operating system threat detection apparatus, comprising:
the acquisition module is configured to collect a jump instruction generated for a target operation of an operating system of the electronic device;
the first comparison module is used for comparing the jump instruction with jump instruction data in a jump instruction database of the operating system; wherein the jump instruction database comprises: jump instruction data in the operating system extracted while the operating system is in a trusted state;
and the first determining module is used for determining that the operating system has a threat under the condition that the jump instruction is not matched with the jump instruction data in the jump instruction database.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the operating system threat detection method according to any one of claims 1 to 6 are implemented when the program is executed by the processor.
9. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, performs the steps of the operating system threat detection method according to any one of claims 1 to 6.
10. A computer program product having executable instructions stored thereon, which instructions, when executed by a processor, cause the processor to carry out the steps of the operating system threat detection method according to any one of claims 1 to 6.
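The following Python sketch is an added example, not code from the patent or its applicant: it models the address-offset, module and function checks of claim 5 and the call/return matching of claims 3 and 4 (and the corresponding apparatus modules above) against a constructed baseline. The jump instruction database is collapsed to a single hypothetical module with made-up function ranges, call sites and return sites, and the target stack is a plain list; a return is accepted only when its to address offset equals the instruction following the most recently matched call.

```python
# Added example (not the patent's code): shadow-stack check of jump records against a
# constructed baseline database. All module/function/offset values below are made up.
MODULE_BASE = 0x10000   # runtime load address of the single hypothetical module
MODULE_SIZE = 0x1000
FUNCTIONS = {"main": (0x100, 0x140), "helper": (0x200, 0x220)}  # offset ranges
CALL_SITES = {0x110: 0x115}      # call instruction offset -> offset of the next instruction
CALL_TARGETS = {0x110: 0x200}    # jump instruction pair array: call site -> callee
RETURN_SITES = {0x21F}           # return instruction array: offsets of ret instructions

def to_offset(addr):
    """Claim 5: rebase a runtime address to an image offset; None if outside the module."""
    if MODULE_BASE <= addr < MODULE_BASE + MODULE_SIZE:
        return addr - MODULE_BASE
    return None

def function_of(offset):
    """Claim 5: the baseline function that contains the offset, or None."""
    for name, (lo, hi) in FUNCTIONS.items():
        if lo <= offset < hi:
            return name
    return None

def check_jump(from_addr, to_addr, target_stack):
    """Return None when the jump matches the baseline, otherwise the reason it is a threat."""
    src, dst = to_offset(from_addr), to_offset(to_addr)
    if src is None or dst is None:
        return "address outside any trusted module"
    if function_of(src) is None or function_of(dst) is None:
        return "offset not inside a known function"
    if src in CALL_SITES:                       # claim 4: matched call -> remember it
        if CALL_TARGETS[src] != dst:
            return "call target differs from baseline"
        target_stack.append(src)
        return None
    if src in RETURN_SITES:                     # claim 3: ret must land after the pending call
        if not target_stack or CALL_SITES[target_stack.pop()] != dst:
            return "return target does not match the pending call"
        return None
    return "jump not present in the baseline database"

def scan(trace):
    """Run a list of (from_addr, to_addr) records through the check; first alert or None."""
    target_stack = []
    for index, (from_addr, to_addr) in enumerate(trace):
        reason = check_jump(from_addr, to_addr, target_stack)
        if reason is not None:
            return (index, reason)
    return None

# Constructed traces: a legitimate call/return pair, then a return to an unexpected site.
GOOD_TRACE = [(0x10110, 0x10200), (0x1021F, 0x10115)]
BAD_TRACE = [(0x10110, 0x10200), (0x1021F, 0x10130)]
```

`scan(GOOD_TRACE)` returns `None`, while `scan(BAD_TRACE)` reports the second record because the return lands at offset 0x130 instead of the 0x115 recorded for the pending call.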

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111333224.0A CN114329446A (en) 2021-11-11 2021-11-11 Operating system threat detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114329446A true CN114329446A (en) 2022-04-12

Family

ID=81045119

Country Status (1)

Country Link
CN (1) CN114329446A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination