CN114462026A - Ciphertext process monitoring method, device and equipment and computer readable storage medium - Google Patents

Info

Publication number: CN114462026A
Authority: CN (China)
Application number: CN202111680683.6A
Other languages: Chinese (zh)
Other versions: CN114462026B (en)
Prior art keywords: ciphertext, function, ftrace, file, target function
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Inventors: 朱贺军, 杨博华
Current assignee: BEIJING ESAFENET TECHNOLOGY DEVELOPMENT CO LTD
Original assignee: BEIJING ESAFENET TECHNOLOGY DEVELOPMENT CO LTD

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention discloses a method, a device and equipment for monitoring a ciphertext process, and a computer readable storage medium. The method for monitoring the ciphertext process comprises the following steps: acquiring a configuration strategy of a ciphertext process, and configuring the configuration strategy in an ftrace mechanism; and acquiring a current process, and if the current process is a ciphertext process, executing a corresponding operation on the file in the current process according to the configuration strategy in the ftrace mechanism. The method and the device configure the ciphertext configuration strategy by using the ftrace mechanism of Linux and thereby monitor the ciphertext process in the Linux system. Unlike the traditional hook technique of directly modifying the system call table, there is no need to bypass the memory write-protection mechanism, so the adverse effect of that traditional method on security and stability is eliminated and the stability of the system is greatly improved.

Description

Ciphertext process monitoring method, device and equipment and computer readable storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for monitoring a ciphertext process.
Background
The Linux system is a family of open-source Unix-like operating systems. In the field of information security, software running on an operating system generally needs to be monitored. To monitor such software, its behavior can be intercepted through a hook technique; a kernel-layer hook only needs to hook the system call table in the Linux kernel. When a transparent encryption product in the Linux system is monitored, a file that a ciphertext process opens is generally stored in ciphertext form. If this is achieved with the traditional kernel-layer hook, the system call table is generally modified directly; however, the memory area in which the system call table resides is write-protected, so the write protection must first be removed before the table can be modified. Monitoring the ciphertext process with such a hook is complex, and frequent modification of the table has an adverse effect on the security and stability of the system.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, a device and equipment for monitoring a ciphertext process and a computer readable storage medium, and aims to solve the technical problem that the security and the stability of a system are low due to the fact that a system call table in a Linux system is directly modified.
In order to achieve the above object, the present invention provides a ciphertext process monitoring method, which comprises:
acquiring a configuration strategy of a ciphertext process, and configuring the configuration strategy in an ftrace mechanism;
acquiring a current process, and judging whether the current process is a ciphertext process;
and if the current process is a ciphertext process, executing corresponding operation on the file in the current process according to a configuration strategy in the ftrace mechanism.
Optionally, the step of configuring the configuration policy in the ftrace mechanism includes:
determining a target function corresponding to the configuration strategy in a system call table;
acquiring the name of the target function, and determining the address of the target function according to the name of the target function;
inputting the address of the target function into the ftrace mechanism.
Optionally, the step of inputting the address of the target function into the ftrace mechanism comprises:
inputting an address of the target function in a configuration field of the ftrace mechanism;
and replacing the target function in the ftrace mechanism to obtain a specified function.
Optionally, the step of performing corresponding operation on the file in the current process according to the ftrace mechanism includes:
and acquiring the ciphertext file in the current process, and calling the specified function to execute corresponding operation on the ciphertext file.
Optionally, the step of calling the designated function to perform a corresponding operation on the file in the current process includes:
if the target function is a closing function, calling the specified function to encrypt the file in the current process;
and closing the encrypted file according to the specified function, and closing the ftrace mechanism.
Optionally, after the step of determining whether the current process is a ciphertext process, the method includes:
if the current process is not a ciphertext process, calling a target function corresponding to the configuration strategy;
and executing corresponding operation on the plaintext file in the current process according to the target function.
Optionally, the step of executing a corresponding operation on the plaintext file in the current process according to the target function includes:
and if the target function is a closing function, calling the closing function to close the plaintext file.
In addition, to achieve the above object, the present invention further provides a ciphertext process monitoring apparatus, including:
the strategy configuration module is used for acquiring a configuration strategy of a ciphertext process and configuring the configuration strategy in an ftrace mechanism;
the process judgment module is used for acquiring a current process and judging whether the current process is a ciphertext process;
and the process execution module is used for executing corresponding operation on the file in the current process according to a configuration strategy in the ftrace mechanism if the current process is a ciphertext process.
In addition, in order to achieve the above object, the present invention further provides a ciphertext process monitoring apparatus, where the ciphertext process monitoring apparatus includes a memory, a processor, and a ciphertext process monitoring program that is stored in the memory and is executable on the processor, and the ciphertext process monitoring program implements the steps of the ciphertext process monitoring method when executed by the processor.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium, in which a ciphertext process monitoring program is stored, and when the ciphertext process monitoring program is executed by a processor, the method implements the steps of the above ciphertext process monitoring method.
The invention provides a method, a device, equipment and a computer readable storage medium for monitoring a ciphertext process. The configuration strategy of the ciphertext process is acquired and configured in an ftrace mechanism; the current process is acquired and it is judged whether the current process is a ciphertext process; when it is, a corresponding operation is executed on the file in the current process according to the configuration strategy in the ftrace mechanism. Because the ftrace mechanism carried by Linux itself is used to monitor the ciphertext process and to hold the ciphertext configuration strategy, there is no need to bypass the memory write-protection mechanism as in the traditional hook technique of directly modifying the system call table; the adverse effect of that method on security and stability is eliminated, and the stability of the system is greatly improved.
Drawings
FIG. 1 is a schematic diagram of an apparatus in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a ciphertext process monitoring method according to a first embodiment of the present invention;
FIG. 3 is a schematic flow chart of an application scenario according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the device structure of the ciphertext process monitoring apparatus of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
The device of the embodiment of the present invention may be a Personal Computer (PC), a portable computer, a server, or other terminal device.
As shown in fig. 1, the ciphertext process monitoring apparatus may include: a processor 1001, such as a CPU (Central Processing Unit), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to implement connection communication among these components. The user interface 1003 may include a display and an input unit such as a keyboard, and optionally a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., Wi-Fi). The memory 1005 may be a high-speed Random Access Memory (RAM), a Non-Volatile Memory (NVM) such as a disk memory, or a storage device independent of the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of the device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a ciphertext process monitoring program.
In the device shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and the processor 1001 may be configured to call the ciphertext process monitoring program stored in the memory 1005 and perform the following operations:
acquiring a configuration strategy of a ciphertext process, and configuring the configuration strategy in an ftrace mechanism;
acquiring a current process, and judging whether the current process is a ciphertext process;
and if the current process is a ciphertext process, executing corresponding operation on the file in the current process according to a configuration strategy in the ftrace mechanism.
Based on the hardware structure, the invention provides various embodiments of the ciphertext process monitoring method.
An embodiment of the present invention provides a ciphertext process monitoring method, and referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of the ciphertext process monitoring method according to the present invention.
In this embodiment, the ciphertext process monitoring method includes:
step S10, obtaining a configuration strategy of the ciphertext process, and configuring the configuration strategy in an ftrace mechanism;
In this embodiment, monitoring of a ciphertext process running in the Linux system is achieved through an ftrace mechanism. In a transparent encryption product, a file opened by a ciphertext process is required to be stored in ciphertext form, and a file opened by a plaintext process is required to be stored in plaintext form. In this embodiment, a configuration policy of a ciphertext process is obtained, where the configuration policy states that a file in the ciphertext process is stored in ciphertext form, and the configuration policy is then configured in the ftrace mechanism. The ftrace mechanism is the ftrace monitoring mechanism carried by the Linux system itself, and the ciphertext process may be a process that reads, writes, opens or closes a file.
Step S20, acquiring a current process, and judging whether the current process is a ciphertext process;
and step S30, when the current process is a ciphertext process, executing corresponding operation on the file in the current process according to a configuration strategy in the ftrace mechanism.
In this embodiment, after the configuration policy of the ciphertext process is configured in the ftrace mechanism, the current process is acquired and it is determined whether the current process is the ciphertext process; then, according to the configuration policy in the ftrace mechanism, a corresponding operation is performed on a file in the current process. Determining whether the current process is the ciphertext process may be done by acquiring a ciphertext identifier carried by ciphertext processes and checking the current process against that identifier.
In this embodiment, the configuration strategy of the ciphertext process is acquired and configured in the ftrace mechanism carried by Linux itself; the current process is acquired and it is judged whether it is a ciphertext process; when it is, the corresponding operation is executed on the file in the current process according to the configuration strategy in the ftrace mechanism. In this way the ciphertext process in the Linux system is monitored by the ftrace mechanism, the problem that a memory write-protection mechanism must be bypassed in the traditional hook technique of directly modifying the system call table is avoided, the adverse effect of that traditional method on security and stability is eliminated, and the stability of the system is greatly improved.
Further, in the step S10, the step of configuring the configuration policy in the ftrace mechanism includes:
step A, determining a target function corresponding to the configuration strategy in a system call table;
step B, acquiring the name of the target function, and determining the address of the target function according to the name of the target function;
and step C, inputting the address of the target function into the ftrace mechanism.
In this embodiment, the ftrace mechanism monitors the function stack of file open, read and write operations in a Linux system. The system call table is a data structure in the Linux kernel; during a system call, the kernel finally searches the system call table to locate the address of the corresponding system service function. In this embodiment, a target function corresponding to the configuration policy in the system call table is determined; the configuration policy here is the configuration policy of a ciphertext process, and it may name the functions that the policy is concerned with, such as a close function, an open function, a read function and a write function. After the target function is determined, its name is obtained and its address is determined from the name. Specifically, the exported Linux function kallsyms_lookup_name may be called: it receives the name of a kernel function as a string and returns the address of that kernel function, so the target function of interest in the system call table can be found by name. For example, if read is to be monitored, the name of the read function is obtained and the address of the read function is found from that name. As another embodiment, the address of the target function may be obtained by reading the System.map file, or by traversing the system call table from its start address. The address of the target function is then input into the ftrace mechanism.
In this embodiment, a target function to be monitored is determined, the address of the target function is found from its name, and the address is input into the ftrace mechanism to configure the configuration policy of the ciphertext process.
Further, in the step C, the step of inputting the address of the target function into the ftrace mechanism comprises:
step c1, inputting the address of the target function in a configuration field of the ftrace mechanism;
and c2, replacing the target function in the ftrace mechanism to obtain a specified function.
In this embodiment, the address of the target function is input into the ftrace mechanism by writing it into a configuration field of the ftrace mechanism, where the configuration field is a preset field in the ftrace mechanism for holding a function address, for example the field func. The target function is then replaced in the ftrace mechanism to obtain a specified function. Specifically, the target function may be registered through the registration interface register_ftrace_function() of the ftrace mechanism, that is, a callback function is handed to ftrace, a kernel function hook is configured, and ftrace changes the registration state after the callback returns. When the kernel is compiled, several bytes are reserved at the entry of each function; when ftrace is used, the reserved bytes are replaced with the required instruction, for example a jump to the code that performs the probing operation. The target function is replaced in the ftrace mechanism to obtain the specified function, where the specified function is the function required by the ciphertext configuration policy.
First, a ko kernel module for the hook is loaded, the address of the target function is looked up by the exported function, the structure body of the ftrace mechanism is initialized, and the configuration field and flag bits of the target function are set. The flag bits (flags) inform ftrace to save and restore the registers so that they may be modified; the register contents (RIP) can then be changed in the callback function. The address of the target function is written into the configuration field func, and the flag bits are set, for example to monitor or not monitor. The ftrace_set_filter_ip() interface then enables the ftrace mechanism for the target function by instruction pointer, that is, the instruction pointer to be monitored is set to the address of the target function. A registration function is called to register the target function, namely the registration state of the target function is changed so that the target function is replaced with the specified function; after registration is completed, the ftrace mechanism is closed. In this embodiment, after the ftrace mechanism is opened, all files in the Linux system are monitored; the target function is registered and replaced; after the replacement is completed, the ftrace mechanism is closed and only the target function is monitored. For example, the ftrace mechanism is opened, the target function is replaced with the specified function, the ftrace mechanism is closed, only the target function is monitored, and the handling of other functions is not changed.
ftrace is enabled for the required target function through the filter interface ftrace_set_filter_ip(), the kernel configuration options related to ftrace are enabled, and the target function is registered through the registration interface register_ftrace_function(), that is, a callback function is handed to ftrace, a kernel function hook is configured, and ftrace changes the registration state after the callback returns. The function executed by the processor can be changed by changing the pointer in the register that points to the next instruction to be executed: the processor can be forced to jump unconditionally from the current target function to the specified function, which then takes over control. In this embodiment, the target function may be understood as the hooked function and the specified function as the hook function that replaces it; the pointer points to the location where the address of the hooked function is stored, and the specified function is executed instead of the hooked function. The address of the hooked function is looked up, the structure body is initialized, the configuration field and the flag bits of the target function are set, and the hook is started; ftrace is then opened for the hooked function with ftrace_set_filter_ip(), and register_ftrace_function() is called to register the hook. After ftrace is closed with ftrace_set_filter_ip(), the hook function is prevented from executing elsewhere.
The Linux operating system is generally divided into a user space and a kernel space. User space is per-process and processes cannot access each other's memory; kernel space is shared among processes, and there is only one kernel space in the operating system. A hook function is a code segment that processes messages. A hook function can hook a target function: if other functions send messages to the target function, the target function is not run first; the hook function runs first. While the hook function runs, it may process the messages destined for the target function and then pass them on, pass them on directly, or forcibly end their transmission.
In the embodiment, hook is realized through a linux-carried ftrace monitoring mechanism, a third-party library is not introduced, the system overhead is greatly reduced, the code realization is simple, the complexity of the hook step of the traditional kernel layer is eliminated, and the error probability and the instability are greatly reduced.
Further, based on the first embodiment, a second embodiment of the ciphertext process monitoring method according to the present invention is provided. In this embodiment, in step S30, the refined step of performing a corresponding operation on the file in the current process according to the configuration policy in the ftrace mechanism includes:
step D, acquiring the file in the current process, and calling the designated function to execute corresponding operation on the file in the current process;
In this embodiment, if the current process is a ciphertext process, corresponding operations are performed on a file in the current process according to the configuration policy in the ftrace mechanism. The file in the current process is first obtained. Because the current process is a ciphertext process, the file must be decrypted when the ciphertext process opens it, and the form in which the file is stored after it has been opened, viewed, edited and so on is ciphertext. Therefore the specified function that replaced the target function in the ftrace mechanism is determined, and the specified function is called to perform the corresponding operation on the file in the current process; that is, the target function must be modified and replaced at this point so that the file in the ciphertext process is handled accordingly. In this embodiment, if the current process is a ciphertext process, the overall logic is to edit and store a ciphertext file in the current process, and the file is stored in ciphertext state after editing is completed; if the process is a plaintext process, the file is stored in plaintext state after editing is completed. For example: the system has two types of files, a being encrypted files and b being plaintext files. A notepad is used to open a ciphertext file; for the ciphertext file to display its contents normally, it must be decrypted when opened and encrypted when closed before being stored on disk. The ciphertext process is the process that reads and writes the file.
The system has different types of software and file formats; for example, the file format of Word may include the doc format and the docx format. In this embodiment, encryption or decryption is performed on one file type in the ciphertext process, and all others remain plaintext. When the current process is a ciphertext process, the ciphertext file in it can be decrypted normally when opened and encrypted normally when closed. In this embodiment, the target function in the configuration strategy of the ciphertext process is replaced by the specified function through the ftrace mechanism, the hook is realized through the specified function, and the system call table does not need to be modified, so the stability of the system is improved.
Further, in the step D, the step of calling the specified function to perform the corresponding operation on the ciphertext file in the current process includes:
step d1, if the target function is a closing function, calling the specified function to encrypt the ciphertext file;
and d2, closing the encrypted file according to the specified function, and closing the ftrace mechanism.
In this embodiment, the target function may be a function that the configuration policy is concerned with, such as a close function, an open function, a read function or a write function. If the current process is a ciphertext process, the ciphertext file in the current process is acquired; if the target function is a close function, the close function is registered in the ftrace mechanism and its registration state is changed so that it is replaced by the specified function; the specified function is called to encrypt the ciphertext file in the current process, the encrypted file is closed according to the specified function, and finally the ftrace mechanism is closed. In this embodiment, when the current process is judged to be a ciphertext process, the ciphertext file in the ciphertext process is encrypted and the original system call is invoked to close the file after encryption. As another embodiment, when the current process is judged to be a ciphertext process, the ciphertext file in the ciphertext process is decrypted (and later re-encrypted), and the original system call is invoked to open the file after decryption.
In this embodiment, when the current process is judged to be a ciphertext process, the ciphertext file in the ciphertext process is encrypted and the original system call is invoked to close the file after encryption. The hook on the close function in the ciphertext process strategy is realized through the ftrace monitoring mechanism carried by Linux, without introducing a third-party library; that is, a file opened by a ciphertext process is stored in ciphertext form, and a file opened by a plaintext process is stored in plaintext form.
Further, after the step of determining whether the current process is a ciphertext process in step S20, the method includes:
step E, if the current process is not a ciphertext process, calling the target function corresponding to the configuration policy;
step F, executing the corresponding operation on the file in the current process according to the target function.
In this embodiment, if the current process is not a ciphertext process, the target function corresponding to the configuration policy is called, and the corresponding operation is performed on the file in the current process according to the target function. That is, if the current process is not a ciphertext process, no decryption is required when the file in the current process is opened and no encryption is required after the file is opened. For example, if the current process is a plaintext process, the file in the plaintext process needs neither encryption nor decryption, and the target function in the configuration policy is called directly to perform the corresponding operation on the file in the current process.
Further, in step F, the step of executing the corresponding operation on the file in the current process according to the target function includes:
step f1, if the target function is a close function, calling the close function to close the file in the current process.
In this embodiment, if the current process is not a ciphertext process, the target function corresponding to the configuration policy is called, and if the target function is a close function, the close function corresponding to the configuration policy is called directly to close the file in the current process. Referring to fig. 3, the ciphertext process configuration policy is first obtained and the target function in the configuration policy is determined; in fig. 3 the target function is the sys_close function. A ko kernel module is loaded for the hook, the address of the sys_close function called by the system is found through kallsyms_lookup_name (an exported function), an ftrace_ops structure is initialized and its necessary fields, func and flags, are set, ftrace is enabled for the sys_close function using ftrace_set_filter_ip(), and the sys_close function is registered by calling register_ftrace_function, which completes the hook action. It is then determined whether the current process is a ciphertext process: if it is, the ciphertext file is encrypted at the time of closing; if it is not (for example, the current process is a plaintext process), the original sys_close procedure, that is, the plaintext file closing method, is called. Finally, ftrace is disabled for the system call sys_close function using ftrace_set_filter_ip(), which finishes the hook.
In this embodiment, the hook is realized through the ftrace monitoring mechanism that is part of Linux itself. No third-party library is introduced and no unsafe factors are introduced; the problem that a memory write-protection mechanism must be bypassed when the system call table is modified directly, as in the traditional hook technique, is solved, the adverse effects of direct modification of the system call table on safety and stability are eliminated, and stability is greatly improved. The system overhead is small. The traditional method modifies the system call table directly, but because of the protection mechanism of the system call table, the memory area in which it is located is write-protected and normally read-only and cannot be modified; to modify the system call table, the write protection must also be bypassed and the area changed from read-only to writable, and if this modification is too frequent or the code quality is poor, the stability and performance of the whole system can be affected. By contrast, the present code is simple to implement, the complexity of the traditional kernel-layer hook steps is eliminated, and the error probability and instability are greatly reduced.
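As a defender's check added here (example code, not from the patent or its assignee): a hook registered the way fig. 3 describes, through an ftrace_ops and register_ftrace_function, is visible in tracefs under enabled_functions even though the system call table is never written, which is the observable side of the stability argument above. The Python below parses a constructed sample of that file (its layout approximates the kernel's and the flag letters vary by version, both assumptions) and lists system-call entry points whose ftrace callback is owned by a loadable module.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of /sys/kernel/tracing/enabled_functions (not captured from
# a real system and not from the patent). It approximates the kernel's t_show()
# layout, "<symbol> (<refcount>) <flags>\ttramp: ... ->callback [module]"; the
# flag letters printed (R = saves regs, I = IPMODIFY) vary by kernel version,
# so the parser treats them as optional.
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_close (1) R I\ttramp: 0xffffffffc0a3c000 (ftrace_regs_caller+0x0/0x8e) ->ciph_hook_cb+0x0/0x80 [ciph_hook]
__x64_sys_openat (1) R I\ttramp: 0xffffffffc0a3c000 (ftrace_regs_caller+0x0/0x8e) ->ciph_hook_cb+0x0/0x80 [ciph_hook]
schedule (1)  \ttramp: 0xffffffffc0b10000 (ftrace_caller+0x0/0x52) ->function_trace_call+0x0/0xd0
"""

# Assumed prefixes of system call entry points on common architectures.
SYSCALL_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_", "sys_")
HEAD_RE = re.compile(r"^(\S+)\s+\((\d+)\)\s*([A-Z ]*)$")
CALLBACK_RE = re.compile(r"->(\S+)(?:\s+\[([^\]]+)\])?")

@dataclass
class HookRecord:
    symbol: str                       # traced kernel function
    refcount: int                     # number of ftrace_ops attached to it
    saves_regs: bool                  # R flag: callback receives pt_regs
    ipmodify: bool                    # I flag: callback may redirect the call
    callbacks: List[Tuple[str, str]]  # (callback symbol, module name or "")

def parse_enabled_functions(text: str) -> List[HookRecord]:
    """Parse enabled_functions lines into HookRecord entries."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        head, _, tail = raw.partition("\t")
        m = HEAD_RE.match(head)
        if not m:
            raise ValueError(f"unrecognised enabled_functions line: {raw!r}")
        flags = m.group(3).split()
        # "->sym+0x0/0x80 [mod]" -> ("sym", "mod"); built-in callbacks have no [mod]
        callbacks = [(cb.split("+", 1)[0], mod) for cb, mod in CALLBACK_RE.findall(tail)]
        records.append(HookRecord(m.group(1), int(m.group(2)),
                                  "R" in flags, "I" in flags, callbacks))
    return records

def module_syscall_hooks(records: List[HookRecord]) -> List[Tuple[str, bool, List[str]]]:
    """Return (syscall symbol, ipmodify, owning modules) for each system call
    entry point whose ftrace callback lives in a loadable module; built-in
    tracers are ignored. A register_ftrace_function() hook on sys_close lands here."""
    findings = []
    for rec in records:
        if not rec.symbol.startswith(SYSCALL_PREFIXES):
            continue
        modules = sorted({mod for _, mod in rec.callbacks if mod})
        if modules:
            findings.append((rec.symbol, rec.ipmodify, modules))
    return findings

if __name__ == "__main__":
    hooks = module_syscall_hooks(parse_enabled_functions(SAMPLE_ENABLED_FUNCTIONS))
    for sym, ipmod, mods in hooks:
        print(f"{sym}: ftrace callback owned by {mods}, ipmodify={ipmod}")
```

On a live system, feed the parser the contents of /sys/kernel/tracing/enabled_functions (root required); a module-owned callback on a syscall symbol is what the described close hook looks like from the outside.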
The present invention also provides a ciphertext process monitoring apparatus. As shown in fig. 4, the ciphertext process monitoring apparatus includes: a policy configuration module A10, used for acquiring a configuration policy of a ciphertext process and configuring the configuration policy in an ftrace mechanism; a process judgment module A20, used for acquiring a current process and judging whether the current process is a ciphertext process; and a process execution module A30, configured to execute, if the current process is a ciphertext process, the corresponding operation on the file in the current process according to the configuration policy in the ftrace mechanism. The specific embodiment of the ciphertext process monitoring apparatus of the present invention is basically the same as the embodiments of the ciphertext process monitoring method above, and is not described here again.
The invention also provides ciphertext process monitoring equipment, which comprises a memory, a processor and a ciphertext process monitoring program, wherein the ciphertext process monitoring program is stored on the memory and can run on the processor, and when executed by the processor, the ciphertext process monitoring program realizes the steps of the ciphertext process monitoring method of any embodiment. The specific embodiment of the ciphertext process monitoring equipment of the present invention is basically the same as the embodiments of the ciphertext process monitoring method above, and is not described here again.
The present invention also provides a computer-readable storage medium on which a ciphertext process monitoring program is stored, which, when executed by a processor, implements the steps of the ciphertext process monitoring method described in any of the above embodiments. The specific embodiment of the computer-readable storage medium of the present invention is substantially the same as the embodiments of the ciphertext process monitoring method above, and is not described here again.
It is to be understood that throughout the description of the present specification, reference to the term "one embodiment", "another embodiment", "other embodiments", or "first through nth embodiments", etc., is intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A ciphertext process monitoring method, characterized by comprising the steps of:
acquiring a configuration strategy of a ciphertext process, and configuring the configuration strategy in an ftrace mechanism;
acquiring a current process, and judging whether the current process is a ciphertext process;
and if the current process is a ciphertext process, executing corresponding operation on the file in the current process according to a configuration strategy in the ftrace mechanism.
2. The ciphertext process monitoring method of claim 1, wherein configuring the configuration policy in an ftrace mechanism comprises:
determining a target function corresponding to the configuration strategy in a system call table;
acquiring the name of the target function, and determining the address of the target function according to the name of the target function;
inputting the address of the target function into the ftrace mechanism.
3. The ciphertext process monitoring method of claim 2, wherein the inputting the address of the target function into the ftrace mechanism comprises:
inputting an address of the target function in a construct field of the ftrace mechanism;
and replacing the target function in the ftrace mechanism to obtain a specified function.
4. The ciphertext process monitoring method of claim 3, wherein the step of performing the corresponding operation on the file in the current process according to the ftrace mechanism comprises:
and acquiring the ciphertext file in the current process, and calling the specified function to execute corresponding operation on the ciphertext file.
5. The ciphertext process monitoring method of claim 4, wherein the step of invoking the designated function to perform the corresponding operation on the ciphertext file comprises:
if the target function is a closing function, calling the specified function to encrypt the ciphertext file;
and closing the encrypted file according to the specified function, and closing the ftrace mechanism.
6. The ciphertext process monitoring method of claim 5, wherein, after the step of determining whether the current process is a ciphertext process, the method comprises:
if the current process is not a ciphertext process, calling a target function corresponding to the configuration strategy;
and executing corresponding operation on the plaintext file in the current process according to the target function.
7. The ciphertext process monitoring method of claim 6, wherein the step of performing the corresponding operation on the plaintext file in the current process according to the target function comprises:
and if the target function is a closing function, calling the closing function to close the plaintext file.
8. A cryptogram process monitoring apparatus, comprising:
the strategy configuration module is used for acquiring a configuration strategy of a ciphertext process and configuring the configuration strategy in an ftrace mechanism;
the process judgment module is used for acquiring a current process and judging whether the current process is a ciphertext process;
and the process execution module is used for executing corresponding operation on the file in the current process according to a configuration strategy in the ftrace mechanism if the current process is a ciphertext process.
9. A ciphertext process monitoring apparatus, comprising a memory, a processor, and a ciphertext process monitoring program stored on the memory and executable on the processor, the ciphertext process monitoring program being configured to implement the steps of the ciphertext process monitoring method of any of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon a cryptogram process monitor program, which when executed by a processor, implements the steps of the cryptogram process monitoring method according to any one of claims 1 to 7.
CN202111680683.6A 2021-12-31 2021-12-31 Ciphertext process monitoring method, device and equipment and computer readable storage medium Active CN114462026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111680683.6A CN114462026B (en) 2021-12-31 2021-12-31 Ciphertext process monitoring method, device and equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111680683.6A CN114462026B (en) 2021-12-31 2021-12-31 Ciphertext process monitoring method, device and equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114462026A true CN114462026A (en) 2022-05-10
CN114462026B CN114462026B (en) 2022-11-18

Family

ID=81407442

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111680683.6A Active CN114462026B (en) 2021-12-31 2021-12-31 Ciphertext process monitoring method, device and equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114462026B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901313A (en) * 2010-06-10 2010-12-01 中科方德软件有限公司 Linux file protection system and method
CN106648815A (en) * 2016-11-16 2017-05-10 公安部物证鉴定中心 Similar kernel-based mobile phone dynamic memory extraction method
CN110750346A (en) * 2019-10-17 2020-02-04 Oppo(重庆)智能科技有限公司 Task operation optimization method, device, terminal and storage medium
CN113792299A (en) * 2021-11-15 2021-12-14 南京鼎岩信息科技有限公司 Method for protecting Linux system based on ftrace technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chen Peng: "Research on attack detection of kernel-level rootkits based on Linux virtualization", China Master's Theses Full-text Database (Electronic Journal) *

Also Published As

Publication number Publication date
CN114462026B (en) 2022-11-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant