CN114662098A - Attack code detection method, device, electronic device, program and storage medium - Google Patents
- Publication number: CN114662098A (application number CN202011540159.4A)
- Authority: CN (China)
- Prior art keywords: function, address, attack code, stack, return address
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The present invention provides an attack code detection method, apparatus, electronic device, program and storage medium. The return addresses of the functions called within the stack range of a process in the system are obtained; if any return address does not belong to the system configuration address, that is, the address range used to hold the system's executable files, it is determined that attack code is present in the system. Detection of attack code is realized directly by obtaining the return addresses of called functions, without building a signature library; the identification process is simple, which helps improve the efficiency of identifying attack code.
Description
Technical field
The present invention relates to the technical field of information security protection, and in particular to an attack code detection method, apparatus, electronic device, program and storage medium.
Background
Network devices inevitably contain vulnerabilities, and attackers exploit these vulnerabilities by constructing a piece of attack code with which to attack the device. For example, through attack code an attacker can escalate privileges, execute programs or connect to remote machines on the network device, and thereby gain arbitrary control over it. One example is shellcode, the attack code used against Linux servers.
In the prior art, the call-chain sequences of system calls must be learned in advance and a library of normal-behaviour signatures built; the sequence of system calls made by the system is then matched against this library of normal sequences in order to recognise exploitation behaviour. This method has the following drawbacks: the signature library has to be learned and built beforehand, and it must be guaranteed that no exploitation takes place during the learning period; the matching logic is comparatively complex and necessarily consumes too many system resources. Existing attack code identification methods therefore need to build a signature library from large amounts of data, their identification process is comparatively complex, and their identification efficiency is low.
Summary of the invention
The present invention provides an attack code detection method, apparatus, electronic device, program and storage medium, in order to overcome the defects of existing attack code identification methods, which need to build a signature library from large amounts of data, have a comparatively complex identification process and low identification efficiency, and in order to identify attack code in a simple way and improve identification efficiency.
The present invention provides an attack code detection method, comprising:
obtaining the return address of a called function, where the called function is a function called by a target process of the system;
if the return address does not belong to the system configuration address, attack code exists in the system, where the system configuration address is the address of the code segment of an executable file loaded by the target process.
According to an attack code detection method provided by the present invention, on the basis of the above, before obtaining the return address of the called function, the method further comprises:
obtaining monitoring information on whether a monitored function has been called, where the monitored function is determined from historical information about the functions called by attack code;
if the monitoring information indicates that a monitored function has been called, taking the process that called the monitored function as the target process.
According to an attack code detection method provided by the present invention, on the basis of the above, obtaining the return address of the called function comprises:
obtaining the function stack frame of the called function from the kernel, and/or obtaining the function stack frame of the called function from the application layer;
obtaining the return address from the function stack frame of the called function.
According to an attack code detection method provided by the present invention, on the basis of the above, obtaining the function stack frame of the called function from the kernel comprises:
obtaining, from the kernel stack, the user-mode context structure that was saved on the kernel stack when the target process trapped into the kernel;
determining, from the user-mode context structure, the base address of the first function stack frame within the stack range of the target process as a first base address;
starting from the first base address, obtaining every function stack frame within the stack range of the target process, thereby obtaining the function stack frame of the called function.
According to an attack code detection method provided by the present invention, on the basis of the above, obtaining the function stack frame of the called function from the application layer comprises:
obtaining, from the user stack at the application layer, the base address of the first function stack frame within the stack range of the target process as a second base address;
starting from the second base address, obtaining every function stack frame within the stack range of the target process, thereby obtaining the function stack frame of the called function.
According to an attack code detection method provided by the present invention, on the basis of the above, before determining that the return address does not belong to the system configuration address, the method further comprises:
determining, through the virtual memory management structure in memory, the virtual memory area structure corresponding to the return address, and determining whether the return address belongs to the system configuration address according to the address pointed to by the member of that virtual memory area structure which describes the mapped file;
and/or obtaining, from the application layer, a memory layout file that represents the memory layout, obtaining from the memory layout file the line in which the return address lies, and determining whether the return address belongs to the system configuration address according to the file path in that line.
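The application-layer check in the last item above, worked as an added C example that is not part of the patent: it parses lines in the format of Linux /proc/<pid>/maps (the "memory layout file"), finds the mapping that contains a return address, and accepts the address only if that mapping is executable and backed by a file on disk, which is what "belongs to the code segment of a loaded ELF file" amounts to at this layer. The maps excerpt, every address, the path /usr/sbin/httpd and the verdict names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/maps excerpt: a web server binary, the heap, an
 * anonymous buffer, libc, one anonymous rwx region of the kind injected code
 * occupies, the stack and the vDSO. None of these values are real. */
static const char MAPS_SAMPLE[] =
    "00400000-00452000 r-xp 00000000 08:01 123456 /usr/sbin/httpd\n"
    "00651000-00652000 r--p 00051000 08:01 123456 /usr/sbin/httpd\n"
    "00652000-00655000 rw-p 00052000 08:01 123456 /usr/sbin/httpd\n"
    "01a2b000-01a4c000 rw-p 00000000 00:00 0 [heap]\n"
    "7f1c3c000000-7f1c3c021000 rw-p 00000000 00:00 0 \n"
    "7f1c3d7e0000-7f1c3d9a0000 r-xp 00000000 08:01 7890 /usr/lib/x86_64-linux-gnu/libc-2.31.so\n"
    "7f1c3e000000-7f1c3e010000 rwxp 00000000 00:00 0 \n"
    "7ffd5e3b0000-7ffd5e3d1000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffd5e3fc000-7ffd5e3fe000 r-xp 00000000 00:00 0 [vdso]\n";

struct map_entry {
    uint64_t start, end;
    char perms[5];      /* e.g. "r-xp" */
    char path[256];     /* empty for anonymous mappings */
};

/* Parse one maps line: "start-end perms offset dev inode [path]". */
static bool parse_maps_line(const char *line, struct map_entry *e)
{
    unsigned long long start, end, offset, inode;
    char dev[16];
    int consumed = 0;

    memset(e, 0, sizeof *e);
    if (sscanf(line, "%llx-%llx %4s %llx %15s %llu%n",
               &start, &end, e->perms, &offset, dev, &inode, &consumed) != 6)
        return false;
    e->start = start;
    e->end = end;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\n");
    if (n >= sizeof e->path)
        n = sizeof e->path - 1;
    memcpy(e->path, p, n);
    e->path[n] = '\0';
    return true;
}

enum verdict {
    ADDR_OK,        /* executable mapping backed by a file: an ELF image */
    ADDR_NOT_EXEC,  /* mapped but not executable: cannot be a real return site */
    ADDR_ANON,      /* executable but anonymous: typical of injected code */
    ADDR_NON_FILE,  /* executable pseudo-mapping such as [vdso] */
    ADDR_UNMAPPED   /* no mapping contains the address */
};

/* Classify one return address by the mapping that contains it. */
static enum verdict classify_return_address(uint64_t addr, const char *maps)
{
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        struct map_entry e;
        if (parse_maps_line(buf, &e) && addr >= e.start && addr < e.end) {
            if (e.perms[2] != 'x')
                return ADDR_NOT_EXEC;
            if (e.path[0] == '\0')
                return ADDR_ANON;
            if (e.path[0] != '/')
                return ADDR_NON_FILE;
            return ADDR_OK;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return ADDR_UNMAPPED;
}

/* Index of the first return address in the chain that is not ADDR_OK, or -1. */
static int first_bad_frame(const uint64_t *chain, size_t n, const char *maps)
{
    for (size_t i = 0; i < n; i++)
        if (classify_return_address(chain[i], maps) != ADDR_OK)
            return (int)i;
    return -1;
}

/* Constructed chain: two legitimate frames, then a return into rwx memory. */
static const uint64_t DEMO_CHAIN[] = { 0x401234ULL, 0x7f1c3d7e1000ULL, 0x7f1c3e000800ULL };

static int demo_first_bad_frame(void)
{
    return first_bad_frame(DEMO_CHAIN, 3, MAPS_SAMPLE);
}

int main(void)
{
    int bad = demo_first_bad_frame();
    if (bad < 0)
        puts("call chain clean");
    else
        printf("alert: frame %d returns to %#llx outside any ELF image\n",
               bad, (unsigned long long)DEMO_CHAIN[bad]);
    return 0;
}
```

Two practical points follow from the verdicts. First, a return address in the [vdso] pseudo-mapping is executable but has no file path, so a deployment of this rule would allow-list it rather than alert on it. Second, the kernel-side variant in the preceding item makes the same decision from the mapped-file member of the virtual memory area structure instead of from a text line, but the outcome classes are the same.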
The present invention also provides an attack code detection apparatus, comprising:
an obtaining module for obtaining the return address of a called function, where the called function is a function called by a target process of the system;
a determining module for determining that attack code exists in the system if the return address does not belong to the system configuration address, where the system configuration address is the address of the code segment of an executable file loaded by the target process.
The present invention also provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the steps of any of the attack code detection methods described above.
The present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of any of the attack code detection methods described above.
The present invention also provides a computer program which, when executed by a processor, implements the steps of any of the attack code detection methods described above.
The attack code detection method, apparatus, electronic device, program and storage medium provided by the present invention obtain the return addresses of the functions called within the stack range of a process in the system, and determine that attack code exists if any return address does not belong to the system configuration address used to hold the system's executable files. Detection of attack code is realized directly by obtaining the return addresses of called functions, without building a signature library; the identification process is simple, which helps improve the efficiency of identifying attack code.
Brief description of the drawings
To explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is one of the schematic flowcharts of the attack code detection method provided by the present invention;
Fig. 2 is a schematic diagram of the structure of stack frames within a stack, as provided by the present invention;
Fig. 3 is a schematic diagram of the process of obtaining the function call chain through the kernel, as provided by the present invention;
Fig. 4 is a schematic flowchart of attack code detection through the kernel, as provided by the present invention;
Fig. 5 is one of the structural block diagrams of the attack code detection apparatus provided by the present invention;
Fig. 6 is a schematic diagram of the physical structure of an electronic device provided by the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flowchart of the attack code detection method provided by this embodiment. The method may be executed by the device (a server or terminal) that is to undergo attack code detection; for example, it may be executed by a Linux server, and specifically by a protection driver module deployed in the Linux server. Referring to Fig. 1, the attack code detection method comprises:
Step 101: obtaining the return address of a called function, where the called function is a function called by a target process of the system.
A process in the system usually completes its task by calling functions in the system. For each function called by the process, a function stack frame can be obtained from the stack created for the process. The function stack frame holds information about the called function, including its local variables, the address of the previous stack frame, the return address and so on. The return address indicates the address of the code that is to be executed after the function finishes.
The return addresses of the called functions are obtained in order within the stack range of the target process and stored in order in a linked list; this constitutes the function call chain of the target process. The function call chain thus represents the path of calls between functions in the process. During program execution each stack frame corresponds to a called function that has not yet finished running, and the stack frame holds that function's return address, stack base address, local variables and so on. Fig. 2 is a schematic diagram of the structure of stack frames in a stack provided by this embodiment; each stack frame corresponds to one called function, and the return address of the called function can be read directly from the stack frame. The return address of a called function indicates the address of the code to be executed next once the called function has finished.
It should be noted that, because space is allocated for each running process both at the application layer and in the kernel, the function stack frame of each called function, and hence its return address, can be obtained either through the application layer or through the kernel.
Step 102: if the return address does not belong to the system configuration address, attack code exists in the system, where the system configuration address is the address of the code segment of an executable file loaded by the target process.
When the system is not under attack by attack code, the return address of every function executed by a process of the system should belong to the system configuration address allocated for the system's executable files. In this embodiment, therefore, if any return address is found not to belong to the system configuration address, it is concluded that attack code exists in the system. What counts as a system executable file depends on the system; on a Linux server, for example, the executable files are ELF files (ELF is the format of executables and dynamically linked libraries on Linux). For example, the protection driver module deployed in the Linux server checks whether the file pointed to by the return address of every called function of the target process is an ELF file (that is, whether the return address belongs to the system configuration address); if so, there is no attack code on the Linux server, otherwise attack code is present. More specifically, "attack code exists in the system" means that the application to which the target process belongs has been attacked by attack code.
The attack code detection method of this embodiment obtains the return addresses of the functions called within the stack range of a process in the system, and determines that attack code exists if any return address does not belong to the system configuration address used to hold the system's executable files. Detection of attack code is realized directly by obtaining the return addresses of called functions, without building a signature library; the identification process is simple, which helps improve the efficiency of identifying attack code.
Compared with the prior art, the attack code detection method provided by this embodiment thus has the following advantages: it monitors processes on Linux, requires no learning phase, works out of the box, needs no signature library, checks every return address on the call chain and raises an alert whenever a check fails, so it applies more broadly; and because a kernel driver monitors the call chains of all processes, it is highly efficient.
Further, on the basis of the above embodiment, before obtaining the return address of the called function, the method further comprises:
obtaining monitoring information on whether a monitored function has been called, where the monitored function is determined from historical information about the functions called by attack code;
if the monitoring information indicates that a monitored function has been called, taking the process that called the monitored function as the target process.
It should be noted that the monitored functions are determined from historical information about the functions called by attack code: they are the functions that attack code is most likely to call. Because space is allocated for each running process both in the kernel and at the application layer, calls to the monitored functions can be monitored either in the kernel or at the application layer, and that monitoring then triggers detection of attack code.
Further, obtaining monitoring information on whether a monitored function has been called comprises:
obtaining monitoring information on whether a monitored function monitored by the kernel has been called, where the functions monitored by the kernel include at least one of: execve, socketcall, bind, connect;
and/or obtaining monitoring information on whether a monitored function monitored at the application layer has been called, where the functions monitored at the application layer include at least one of: execve, execl, execlp, execle, execv, execvp, execvpe, bind, connect, system.
Obtaining monitoring information on whether a kernel-monitored function has been called specifically comprises: (the protection driver module) sets the kernel-monitored functions as hook points and detects through the hooks whether a hooked function has been called.
Obtaining monitoring information on whether an application-layer-monitored function has been called specifically comprises: (the protection driver module) generates in advance call-checking code that checks whether a monitored function has been called, and injects this call-checking code into the process (for example, a web server process) through LD_PRELOAD or /etc/ld.so.preload, replacing the monitored functions that attack code readily calls.
Since the monitored functions are functions that attack code is highly likely to call, a process observed calling one of the configured monitored functions also has a high probability of having been attacked by attack code. That process can therefore be taken as the target process, and whether it has been attacked is then determined from the return address of each of its called functions.
In this embodiment, the monitoring information of the monitored functions narrows the range of functions that must be checked for attack code, improves the effectiveness of the attack code detection process, and avoids needless consumption of system resources.
Further, on the basis of the above embodiments, obtaining the return address of the called function comprises:
obtaining the function stack frame of the called function from the kernel, and/or obtaining the function stack frame of the called function from the application layer;
obtaining the return address from the function stack frame of the called function.
Since space is allocated for the process both in the kernel and at the application layer while it runs, the function stack frames of the functions called by the process can be obtained through either the kernel or the application layer. As shown in Fig. 2, the return address of the called function can be read from each stack frame.
In this embodiment, the function stack frames of called functions are obtained through the kernel and/or the application layer, the return address of each called function is then obtained from its function stack frame, and from this it is judged whether attack code exists in the system.
Further, on the basis of the above embodiments, obtaining the function stack frame of the called function from the kernel comprises:
obtaining, from the kernel stack, the user-mode context structure that was saved on the kernel stack when the target process trapped into the kernel;
determining, from the user-mode context structure, the base address of the first function stack frame within the stack range of the target process as a first base address;
starting from the first base address, obtaining every function stack frame within the stack range of the target process, thereby obtaining the function stack frame of the called function.
It should be noted that the base address of a function stack frame marks the start of that frame. Because the function stack frames within the stack range of the target process are stored in sequence according to the order in which the target process called the functions, starting from the first base address and following the structure of the stack itself, every function stack frame within the stack range of the target process, from the start address of the stack to its top, can be traversed.
A process runs in user mode when it executes at the application layer and in kernel mode when it executes in the kernel. While running, a process traps into kernel mode through system calls; when it does so, the context information of its user-mode execution is transferred into the kernel, so information about all of the process's called functions can also be obtained through the kernel. The user-mode context structure corresponding to this context information contains the address of each function stack frame within the process stack range; the base address of the first function stack frame can therefore be obtained from the user-mode context structure, and by traversing each function stack frame within the process stack range starting from that base address, every function stack frame within the process stack range is obtained.
For the kernel, (the protection driver module) can obtain, through a check function A in the kernel, the return address in every function stack frame within the stack range of the target process, assemble them into a function call chain, traverse every return address on the function call chain, and determine whether any return address does not belong to the system configuration address. Fig. 3 is a schematic diagram of the process of obtaining the function call chain through the kernel provided by this embodiment. Referring to Fig. 3, the process comprises:
obtaining the user-mode context structure pt_regs from the kernel stack of the target process;
obtaining the current user-mode stack frame base address bp from pt_regs;
traversing upward along bp through all the stack frames and saving the return address of each stack frame into an array; this array is the data structure in which the call chain is stored.
Specifically, for the kernel, (the protection driver module) can obtain the function call chain through the check function A in the kernel, obtain the return address of each called function from the function call chain, and judge from each return address whether attack code exists in the system. Fig. 4 is a schematic flowchart of attack code detection through the kernel provided by this embodiment. The flow is as follows: when (the protection driver module) hooks the system calls execve, socketcall, bind or connect, check function A is entered. Check function A first obtains the call chain from the user-mode context of the hooked target process; the call chain contains the return addresses of all stack frames, and the function loops over them to judge whether each return address comes from an ELF file. If a return address is found not to come from an ELF file, it is very likely that shellcode is being executed, and an alert log is generated. If all return addresses come from ELF files, this check is complete.
In this embodiment, the return address of each called function is obtained through the kernel stack, and whether attack code exists is judged from the return addresses; when attack code is detected an alert is raised promptly so that the attack code can be dealt with in time, ensuring the security of the system.
Further, on the basis of the above embodiments, obtaining the function stack frame of the called function from the application layer comprises:
obtaining, from the user stack at the application layer, the base address of the first function stack frame within the stack range of the target process as a second base address;
starting from the second base address, obtaining every function stack frame within the stack range of the target process, thereby obtaining the function stack frame of the called function.
Specifically, the function stack frames within the stack range of the target process are stored in sequence according to the order in which the target process called the functions; therefore, starting from the second base address and following the structure of the stack itself, every function stack frame within the stack range of the target process, from the start address of the stack to its top, can be traversed.
For the application layer, (the protection driver module) can obtain, through a check function B, the return address in every function stack frame within the stack range of the target process, assemble them into a function call chain, traverse every return address on the chain, and determine whether any return address does not belong to the system configuration address. Check function B is a function injected in advance into the target program that is to be checked for attack code. Specifically, after (the protection driver module) detects through the call-checking code that a monitored function has been called, check function B, which has been injected into the target process that called the monitored function, reads the stack frame base address bp directly and traverses from bp to obtain the entire function call chain.
本实施例中,通过应用层实现了每一调用函数返回地址的获取,从而根据返回地址对是否存在攻击代码进行判断,在检测到存在攻击代码时,及时产生告警,以及时处理攻击代码,保证系统安全。In this embodiment, the application layer realizes the acquisition of the return address of each calling function, so as to determine whether there is an attack code according to the return address, and when an attack code is detected, an alarm is generated in time, and the attack code is processed in time to ensure system security.
进一步地,在上述各实施例的基础上,在所述返回地址不属于系统配置地址之前,还包括:Further, on the basis of the foregoing embodiments, before the return address does not belong to the system configuration address, the method further includes:
通过内存中的虚拟内存管理结构确定所述返回地址对应的虚拟内存区块结构体,根据所述虚拟内存区块结构体中描述被映射文件的成员所指向的地址,确定所述返回地址是否属于所述系统配置地址;Determine the virtual memory block structure corresponding to the return address through the virtual memory management structure in the memory, and determine whether the return address belongs to the address pointed to by the member describing the mapped file in the virtual memory block structure the system configuration address;
和/或,从应用层获取表示内存布局的内存布局文件,从所述内存布局文件中获取所述返回地址所在的行内容,根据所述行内容中的文件路径,确定所述返回地址是否属于所述系统配置地址。And/or, obtain the memory layout file representing the memory layout from the application layer, obtain the line content where the return address is located from the memory layout file, and determine whether the return address belongs to the line content according to the file path in the line content. The system configuration address.
当所述虚拟内存区块结构体中描述被映射文件的成员的变量指向的地址不属于系统配置地址,所述返回地址不属于系统配置地址,系统存在攻击代码。When the address pointed to by the variable describing the member of the mapped file in the virtual memory block structure does not belong to the system configuration address, and the return address does not belong to the system configuration address, there is an attack code in the system.
当所述行内容中的文件路径不包括属于系统配置地址的文件路径,则所述返回地址不属于系统配置地址,系统存在攻击代码。When the file path in the line content does not include the file path belonging to the system configuration address, the return address does not belong to the system configuration address, and there is attack code in the system.
具体地,以Linux服务器为例,对于内存可以具体通过如下方法判断返回地址是否指向系统的可执行文件:Specifically, taking a Linux server as an example, the following methods can be used to determine whether the return address points to the executable file of the system for the memory:
获取目标进程的虚拟内存管理结构mm_struct;Get the virtual memory management structure mm_struct of the target process;
遍历mm_struct上的红黑树节点,查找返回地址所在的vm_area_struct结构(即虚拟内存区块结构体);Traverse the red-black tree nodes on mm_struct to find the vm_area_struct structure (that is, the virtual memory block structure) where the return address is located;
检查该vm_area_struct结构的vm_file成员(即描述被映射文件的成员)变量是否指向一个ELF文件,如果不是说明返回地址可能来自正在执行中的shellcode。Check whether the vm_file member of the vm_area_struct structure (that is, the member describing the mapped file) variable points to an ELF file, if not, the return address may come from the shellcode being executed.
其中,红黑树节点是虚拟内存管理结构mm_struct中的二叉搜索树,通过红黑树节点能够快速查找到返回地址所在的vm_area_struct结构。Among them, the red-black tree node is a binary search tree in the virtual memory management structure mm_struct, and the vm_area_struct structure where the return address is located can be quickly found through the red-black tree node.
具体地,以Linux服务器为例,对于应用层可以具体通过如下方法判断返回地址是否指向系统的可执行文件:Specifically, taking a Linux server as an example, for the application layer, the following method can be used to determine whether the return address points to the executable file of the system:
读取/proc/self/maps文件(即内存布局文件)。Read the /proc/self/maps file (that is, the memory layout file).
解析该内存布局文件的每一行,其中,/proc/self/maps文件的每一行表示一个虚拟内存块,每一行的行内容中包括虚拟内存块的起始地址和结束地址,如果是ELF文件的内存映射,还会显示ELF文件的路径;Parse each line of the memory layout file, where each line of the /proc/self/maps file represents a virtual memory block, and the line content of each line includes the start address and end address of the virtual memory block. If it is an ELF file Memory mapping, and also displays the path to the ELF file;
判断返回地址所在的那一行中是否有对应的ELF文件路径,若没有,则说明返回地址可能来自正在执行中的shellcode。Determine whether there is a corresponding ELF file path in the line where the return address is located. If not, it means that the return address may come from the shellcode being executed.
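The following is an added example written for this page; it is not code from the patent or its applicant. It is a user-space stand-in for "check function B" (walk the frame chain from bp and collect every return address) combined with the /proc/self/maps test just described (classify each return address by whether the mapping that contains it carries a file path). All names (region_kind, collect_return_addresses, audit_own_stack, the SAMPLE_MAPS lines) are the editor's own, and the sample maps content is constructed, not captured from a real host. It assumes the x86-64 SysV frame layout ([bp] = saved bp, [bp+8] = return address) and a build with frame pointers (-fno-omit-frame-pointer); without them the walk stops early but never faults, because every dereference is bounds-checked against the mapping that holds the current stack.

```c
/* Added example, not from the patent: frame-chain walk + /proc/self/maps
 * classification of return addresses on x86-64 Linux. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum region_kind { REGION_UNMAPPED = 0, REGION_ANON = 1, REGION_FILE = 2 };

struct region {
    uintptr_t start, end;
    char perms[5];
    char path[256];   /* "/usr/..." for file mappings, "[stack]" etc. for pseudo-paths, "" if anonymous */
};

/* Parse one maps line: "start-end perms offset dev inode [path]". */
static int parse_maps_line(const char *line, struct region *r)
{
    unsigned long start, end, offset, inode;
    char dev[16];
    int consumed = 0;
    r->path[0] = '\0';
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu%n",
               &start, &end, r->perms, &offset, dev, &inode, &consumed) < 6)
        return 0;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t') p++;          /* maps pads the path column with spaces */
    r->start = start;
    r->end = end;
    strncpy(r->path, p, sizeof r->path - 1);
    r->path[sizeof r->path - 1] = '\0';
    r->path[strcspn(r->path, "\n")] = '\0';
    return 1;
}

/* Find the mapping containing addr in a maps dump (whole file contents as one string).
 * A mapping is "file-backed" here only if its path column starts with '/'. */
static enum region_kind classify_addr(const char *maps, uintptr_t addr, struct region *out)
{
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct region r;
        if (parse_maps_line(line, &r) && addr >= r.start && addr < r.end) {
            if (out) *out = r;
            return r.path[0] == '/' ? REGION_FILE : REGION_ANON;
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    return REGION_UNMAPPED;
}

/* Walk the frame chain starting at bp and collect return addresses.
 * Every frame read is checked to lie inside [lo, hi), the mapping holding the stack,
 * and the chain must move toward older frames (higher addresses), so a garbage saved bp
 * ends the walk instead of faulting. */
static size_t collect_return_addresses(void **bp, uintptr_t lo, uintptr_t hi,
                                       uintptr_t *out, size_t max)
{
    size_t n = 0;
    uintptr_t fp = (uintptr_t)bp;
    while (n < max && fp >= lo && fp + 2 * sizeof(void *) <= hi && fp % sizeof(void *) == 0) {
        uintptr_t saved_bp = ((uintptr_t *)fp)[0];   /* [bp]   */
        uintptr_t ret      = ((uintptr_t *)fp)[1];   /* [bp+8] */
        if (ret == 0) break;
        out[n++] = ret;
        if (saved_bp <= fp) break;
        fp = saved_bp;
    }
    return n;
}

/* Constructed sample of /proc/self/maps content (editor's own, not a real capture):
 * main executable, an anonymous rwx region, libc, and the stack. */
static const char SAMPLE_MAPS[] =
    "55d0c1a00000-55d0c1a01000 r-xp 00000000 fd:01 1234                   /usr/bin/demo\n"
    "7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0\n"
    "7f3a10200000-7f3a103c0000 r-xp 00000000 fd:01 5678                   /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd4b600000-7ffd4b621000 rw-p 00000000 00:00 0                      [stack]\n";

/* Walk three constructed frames laid out in an array exactly as the real chain would be. */
static size_t walk_synthetic_frames(uintptr_t *out, size_t max)
{
    static uintptr_t fake[16];
    memset(fake, 0, sizeof fake);
    fake[0] = (uintptr_t)&fake[4]; fake[1] = 0x1111;
    fake[4] = (uintptr_t)&fake[8]; fake[5] = 0x2222;
    fake[8] = 0;                   fake[9] = 0x3333;   /* saved bp of 0 terminates the chain */
    return collect_return_addresses((void **)fake, (uintptr_t)fake,
                                    (uintptr_t)(fake + 16), out, max);
}

static size_t read_whole_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

/* Live self-audit: walk our own stack and count return addresses outside file-backed
 * mappings. Returns -1 if /proc/self/maps is unavailable (non-Linux). */
static int audit_own_stack(void)
{
    static char maps[1 << 16];
    if (!read_whole_file("/proc/self/maps", maps, sizeof maps)) return -1;
    void **bp = __builtin_frame_address(0);
    struct region stack;
    if (classify_addr(maps, (uintptr_t)bp, &stack) == REGION_UNMAPPED) return -1;
    uintptr_t rets[64];
    size_t n = collect_return_addresses(bp, stack.start, stack.end, rets, 64);
    int suspicious = 0;
    for (size_t i = 0; i < n; i++) {
        struct region r;
        enum region_kind k = classify_addr(maps, rets[i], &r);
        printf("frame %zu: ret=%#lx %s\n", i, (unsigned long)rets[i],
               k == REGION_FILE ? r.path : k == REGION_ANON ? "ANONYMOUS mapping (alert)" : "UNMAPPED (alert)");
        if (k != REGION_FILE) suspicious++;
    }
    return suspicious;
}

int main(void)
{
    printf("sample: 0x55d0c1a00800 -> kind %d (2 = file-backed)\n", classify_addr(SAMPLE_MAPS, 0x55d0c1a00800, NULL));
    printf("sample: 0x7f3a10000100 -> kind %d (1 = anonymous, would alert)\n", classify_addr(SAMPLE_MAPS, 0x7f3a10000100, NULL));
    int s = audit_own_stack();
    if (s < 0) { puts("could not read /proc/self/maps"); return 1; }
    printf("%d return address(es) outside file-backed mappings\n", s);
    return 0;
}
```

Two caveats for anyone deploying this rule rather than reading it: a path-only test also flags legitimately executable regions that are not backed by a file (the [vdso] mapping, JIT-compiled code), so a production detector needs an allowlist for those; and the kernel-side variant described above (vm_file of the vm_area_struct) is the same classification performed on the kernel's own data structure instead of on the text of /proc/self/maps.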
In this embodiment, the process of judging from the return address whether attack code is present in the system is provided from both memory and the application layer, realizing detection of attack code without modeling; the detection process is simple and the detection efficiency is high.
The present application monitors the process call chain by means of a kernel driver, which performs better than other methods; by traversing every return address on the call chain and judging each one, it can reliably detect shellcode that is executing.
FIG. 5 is a structural block diagram of an attack code detection apparatus provided by this embodiment. Referring to FIG. 5, the apparatus includes an obtaining module 501 and a determining module 502;
the obtaining module 501 is used to obtain the return address of a calling function, where the calling function is a function called by the target process of the system;
the determining module 502 is used to determine that attack code is present in the system if the return address does not belong to the system configuration address, where the system configuration address is the code segment address of the executable file loaded by the target process.
The attack code detection apparatus provided by this embodiment is applicable to the attack code detection methods provided by the above embodiments, and details are not repeated here.
This embodiment provides an attack code detection apparatus that obtains the return addresses of calling functions within the range of a process stack in the system; if any return address does not belong to the system configuration address used to store the system's executable files, it determines that attack code is present in the system. Detection of attack code is realized directly by obtaining the return addresses of calling functions, without building a signature library; the identification process is simple, which helps to improve the efficiency of identifying attack code.
An attack code detection apparatus is provided according to the present invention. On the basis of the above, before obtaining the return address of the calling function, the method further includes:
obtaining monitoring information on whether a monitoring function has been called, where the monitoring function is determined according to historical call information of functions by attack code;
if the monitoring information indicates that the monitoring function has been called, taking the process that called the monitoring function as the target process.
An attack code detection apparatus is provided according to the present invention. On the basis of the above, obtaining the return address of the calling function includes:
obtaining the function stack frame of the calling function from the kernel, and/or obtaining the function stack frame of the calling function from the application layer;
obtaining the return address according to the function stack frame of the calling function.
An attack code detection apparatus is provided according to the present invention. On the basis of the above, obtaining the function stack frame of the calling function from the kernel includes:
obtaining from the kernel stack the user-mode context structure that was saved on the kernel stack when the target process trapped into the kernel;
determining, according to the user-mode context structure, the base address of the first function stack frame within the range of the target process stack, as the first base address;
starting from the first base address, obtaining each function stack frame within the range of the target process stack, to get the function stack frames of the calling functions.
An attack code detection apparatus is provided according to the present invention. On the basis of the above, obtaining the function stack frame of the calling function from the application layer includes:
obtaining, from the user stack of the application layer, the base address of the first function stack frame within the range of the target process stack, as the second base address;
starting from the second base address, obtaining each function stack frame within the range of the target process stack, to get the function stack frames of the calling functions.
An attack code detection apparatus is provided according to the present invention. On the basis of the above, before determining that the return address does not belong to the system configuration address, the method further includes:
determining, through the virtual memory management structure in memory, the virtual memory block structure corresponding to the return address, and determining, according to the address pointed to by the member of that virtual memory block structure that describes the mapped file, whether the return address belongs to the system configuration address;
and/or, obtaining from the application layer a memory layout file that represents the memory layout, obtaining from the memory layout file the content of the line in which the return address lies, and determining, according to the file path in that line content, whether the return address belongs to the system configuration address.
FIG. 6 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 6, the electronic device may include a processor 610, a communications interface 620, a memory 630 and a communication bus 640, where the processor 610, the communications interface 620 and the memory 630 communicate with one another through the communication bus 640. The processor 610 can invoke logic instructions in the memory 630 to execute the attack code detection method, which includes:
obtaining the return address of a calling function, where the calling function is a function called by the target process of the system;
if the return address does not belong to the system configuration address, attack code is present in the system, where the system configuration address is the code segment address of the executable file loaded by the target process.
In addition, the logic instructions in the memory 630 described above may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In another aspect, the present invention further provides a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions; when the program instructions are executed by a computer, the computer can execute the attack code detection method provided by the above methods, which includes:
obtaining the return address of a calling function, where the calling function is a function called by the target process of the system;
if the return address does not belong to the system configuration address, attack code is present in the system, where the system configuration address is the code segment address of the executable file loaded by the target process.
In yet another aspect, the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the attack code detection methods provided above, which include:
obtaining the return address of a calling function, where the calling function is a function called by the target process of the system;
if the return address does not belong to the system configuration address, attack code is present in the system, where the system configuration address is the code segment address of the executable file loaded by the target process.
The apparatus embodiments described above are only illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solutions in essence, or the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011540159.4A CN114662098A (en) | 2020-12-23 | 2020-12-23 | Attack code detection method, device, electronic device, program and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011540159.4A CN114662098A (en) | 2020-12-23 | 2020-12-23 | Attack code detection method, device, electronic device, program and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114662098A true CN114662098A (en) | 2022-06-24 |
Family
ID=82025472
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011540159.4A Pending CN114662098A (en) | 2020-12-23 | 2020-12-23 | Attack code detection method, device, electronic device, program and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114662098A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005032182A (en) * | 2003-07-11 | 2005-02-03 | Sony Corp | Program, attack code extracting apparatus, and its method |
JP2015141718A (en) * | 2014-01-27 | 2015-08-03 | イグルー セキュリティ,インク. | Aggression detection device and method using vulnerable point of program |
CN105260659A (en) * | 2015-09-10 | 2016-01-20 | 西安电子科技大学 | Kernel-level code reuse type attack detection method based on QEMU |
CN111931166A (en) * | 2020-09-24 | 2020-11-13 | 中国人民解放军国防科技大学 | Application program anti-attack method and system based on code injection and behavior analysis |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115543586A (en) * | 2022-11-28 | 2022-12-30 | 成都安易迅科技有限公司 | Method, device and equipment for starting application layer system process and readable storage medium |
CN115543586B (en) * | 2022-11-28 | 2023-03-17 | 成都安易迅科技有限公司 | Method, device and equipment for starting application layer system process and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information |
Country or region after: China Address after: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd. Applicant after: QAX Technology Group Inc. Address before: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. Country or region before: China Applicant before: QAX Technology Group Inc. |