CN114662098A - Attack code detection method, apparatus, electronic device, program, and storage medium - Google Patents
Attack code detection method, apparatus, electronic device, program, and storage medium Download PDFInfo
- Publication number
- CN114662098A CN114662098A CN202011540159.4A CN202011540159A CN114662098A CN 114662098 A CN114662098 A CN 114662098A CN 202011540159 A CN202011540159 A CN 202011540159A CN 114662098 A CN114662098 A CN 114662098A
- Authority
- CN
- China
- Prior art keywords
- function
- address
- attack code
- calling
- stack
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 58
- 230000006870 function Effects 0.000 claims abstract description 225
- 238000000034 method Methods 0.000 claims abstract description 141
- 238000012544 monitoring process Methods 0.000 claims description 49
- 238000004590 computer program Methods 0.000 claims description 12
- 238000010586 diagram Methods 0.000 description 9
- 238000004891 communication Methods 0.000 description 5
- 230000006399 behavior Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides an attack code detection method, an attack code detection device, electronic equipment, a program and a storage medium, wherein a return address of a calling function in a process stack range in a system is obtained, and if the return address does not belong to a system configuration address for storing an executable file of the system, the attack code of the system is determined. The attack codes are directly detected by obtaining the return addresses of the calling functions, a feature library does not need to be established, the identification process is simple, and the efficiency of identifying the attack codes is improved.
Description
Technical Field
The present invention relates to the field of information security protection technologies, and in particular, to an attack code detection method, apparatus, electronic device, program, and storage medium.
Background
The network device inevitably has bugs, and an attacker constructs a section of attack code to attack the network device by using the bugs. For example, an attacker can implement operations such as authority promotion, program execution, remote machine connection and the like in the network device through the attack code, thereby achieving the purpose of arbitrarily controlling the network device. For example, shellcode, an attack code for a Linux server for an attack.
In the prior art, a call chain sequence of system call needs to be learned in advance, a normal behavior feature library is established, and then the sequence of system call of the system is matched with the normal sequence feature library to identify the vulnerability exploitation behavior. However, this method has the following disadvantages: the method includes the steps that a feature library is required to be learned and established in advance, and it is necessary to guarantee that no loophole utilization behaviors exist in the learning process; the matching logic is complex and consumes excessive system resources. Therefore, the existing method for identifying the attack codes needs to establish a feature library based on a large amount of data, the identification process is complex, and the identification efficiency is low.
Disclosure of Invention
The invention provides an attack code detection method, an attack code detection device, electronic equipment, a program and a storage medium, which are used for overcoming the defects that the existing attack code identification method needs to establish a feature library based on a large amount of data, the identification process is relatively complex and the identification efficiency is relatively low, realizing the identification of an attack code through a simple mode and improving the identification efficiency.
The invention provides an attack code detection method, which comprises the following steps:
acquiring a return address of a calling function; the calling function is a function called by a target process of the system;
if the return address does not belong to a system configuration address, an attack code exists in the system; the system configuration address is a code segment address of an executable file loaded by a target process.
According to the attack code detection method provided by the invention, on the basis, before the return address of the calling function is acquired, the method further comprises the following steps:
acquiring monitoring information whether a monitoring function is called or not; the monitoring function is determined according to historical calling information of the attack code to the function;
and if the monitoring information is that a monitoring function is called, taking the process calling the monitoring function as the target process.
The invention provides an attack code detection method, on the basis, the obtaining of the return address of the call function comprises the following steps:
acquiring a function stack frame of the calling function from a kernel, and/or acquiring a function stack frame of the calling function from an application layer;
and acquiring the return address according to the function stack frame of the calling function.
According to the attack code detection method provided by the invention, on the basis, the acquiring of the function stack frame of the calling function from the kernel comprises the following steps:
acquiring a user state context structure stored in a kernel stack when the target process is trapped in the kernel from the kernel stack;
determining a base address of a first function stack frame in the target process stack range according to the user state context structure, wherein the base address is used as a first base address;
and starting to acquire each function stack frame in the target process stack range from the first base address to obtain the function stack frame of the calling function.
According to the attack code detection method provided by the invention, on the basis, the function stack frame of the calling function is obtained from the application layer, and the method comprises the following steps:
acquiring a base address of a first function stack frame in the range of the target process stack from a user stack of an application layer as a second base address;
and starting to acquire each function stack frame in the target process stack range from the second base address to acquire the function stack frame of the calling function.
The invention provides an attack code detection method, on the basis, before the return address does not belong to the system configuration address, the method further comprises the following steps:
determining a virtual memory block structure body corresponding to the return address through a virtual memory management structure in a memory, and determining whether the return address belongs to the system configuration address according to an address pointed by a member describing a mapped file in the virtual memory block structure body;
and/or acquiring a memory layout file representing memory layout from an application layer, acquiring the row content of the return address from the memory layout file, and determining whether the return address belongs to the system configuration address according to a file path in the row content.
The present invention also provides an attack code detection apparatus, including:
the obtaining module is used for obtaining a return address of the calling function; the calling function is a function called by a target process of the system;
the determining module is used for determining that an attack code exists in the system if the return address does not belong to a system configuration address; the system configuration address is a code segment address of an executable file loaded by a target process.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the steps of the attack code detection method.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the attack code detection method as described in any one of the above.
The present invention also provides a computer program which, when executed by a processor, implements the steps of the attack code detection method as described in any one of the above.
The attack code detection method, the attack code detection device, the electronic equipment, the program and the storage medium acquire the return address of the call function in the range of the process stack in the system, and determine that the attack code exists in the system if the return address does not belong to the system configuration address for storing the executable file of the system. The attack code is directly detected by acquiring the return address of the call function, a feature library does not need to be established, the identification process is simple, and the efficiency of identifying the attack code is improved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of an attack code detection method provided by the present invention;
FIG. 2 is a diagram illustrating a structure of a stack frame in a stack according to the present invention;
FIG. 3 is a schematic diagram of a process for obtaining a function call chain by a kernel according to the present invention;
FIG. 4 is a schematic flowchart of attack code detection by a kernel according to the present invention;
FIG. 5 is a block diagram of an attack code detection apparatus according to the present invention;
FIG. 6 is a schematic physical structure diagram of an electronic device provided by the present invention;
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
Fig. 1 is a schematic flow diagram of an attack code detection method provided in this embodiment, where the attack code detection method may be executed by a device (server or terminal) to be subjected to attack code detection, for example, the attack code detection method may be executed by a Linux server, and specifically, by a protection driver module implanted in the Linux server, referring to fig. 1, the attack code detection method includes:
step 101: acquiring a return address of a calling function; the calling function is a function called by a target process of the system.
The process of the system usually completes the task corresponding to the process by calling the function in the system, the calling function called by the process can acquire a function stack frame from the stack created for the process, and the function stack frame has information of the calling function, which includes the local variable of the calling function, the address and return address of the previous stack frame, and the like. The return address indicates an address of a code to be executed after the function is executed.
The return addresses of the calling functions are sequentially acquired in the stack range of the target process, and the return addresses are sequentially stored in a linked list, so that the function calling chain of the target process is formed. Thus, the function call chain actually represents the call path between functions in the process. In the program execution process, each stack frame corresponds to a calling function which is not run completely, and the return address, the stack base address, the local variable and the like of the calling function are stored in the stack frame. Fig. 2 is a schematic structural diagram of stack frames in a stack provided in this embodiment, where each stack frame corresponds to a call function, and a return address of the call function can be directly obtained from the stack frame. The return address of the calling function indicates the address of the code to be executed next after the called function completes processing.
It should be noted that, since each process allocates space to the process in the application layer and the kernel when running, the application layer and the kernel can both obtain the function stack frame of each calling function, and further obtain the return address of the calling function.
Step 102: if the return address does not belong to a system configuration address, an attack code exists in the system; the system configuration address is a code segment address of an executable file loaded by a target process.
In the process of not being attacked by the attack code, the return address of each function executed by the process of the system should belong to the system configuration address allocated to the executable file of the system, so in this embodiment, if it is detected that any return address does not belong to the system configuration address, it is determined that the attack code exists in the system. The executable file of the system depends on the system, for example, in the Linux server, the executable file is an ELF file (the ELF file is actually the executable file and the file of the dynamic link library on the Linux system). For example, the protection driver module implanted in the Linux server determines whether the files pointed by the return addresses of each of the call functions of the target process all belong to ELF files (i.e., whether the return addresses belong to the system configuration address), if so, the Linux server does not have the attack codes, and otherwise, the Linux server has the attack codes. Attack codes exist in the system, and more particularly, an application program to which a target process belongs is attacked by the attack codes.
The method for detecting the attack code obtains a return address of a call function in a process stack range in a system, and determines that the attack code exists in the system if the return address does not belong to a system configuration address for storing an executable file of the system. The attack code is directly detected by acquiring the return address of the call function, a feature library does not need to be established, the identification process is simple, and the efficiency of identifying the attack code is improved.
Therefore, compared with the prior art, the attack code detection method provided by the embodiment has the following advantages: the method has the advantages that the process monitoring on the Linux is realized, the learning process is not needed, the Linux can be used after being unpacked, the feature library is not needed, all return addresses on a calling chain are detected, if the condition that the detection is not compliant is found, an alarm is given, the application range is wider, the calling chain of all the processes is monitored through the kernel drive, and the method is very efficient.
Further, on the basis of the above embodiment, before acquiring the return address of the calling function, the method further includes:
acquiring monitoring information whether a monitoring function is called or not; the monitoring function is determined according to historical calling information of the attack code to the function;
and if the monitoring information is that a monitoring function is called, taking the process calling the monitoring function as the target process.
It should be noted that the monitoring function is determined according to the historical call information of the attack code to the function, and the function is highly likely to be called by the attack code. Because each process runs, the kernel and the application layer are processes and space is allocated, the kernel and the application layer can realize calling monitoring of the monitoring function, and further trigger detection of the attack code.
Further, the acquiring monitoring information whether the monitoring function is called includes:
acquiring monitoring information of whether a monitoring function monitored by a kernel is called, wherein the monitoring function monitored by the kernel comprises at least one of the following: exeve, socketcall, bind, connect;
and/or acquiring monitoring information whether a monitoring function monitored by an application layer is called, wherein the monitoring function monitored by the application layer comprises at least one of the following: exeve, execl, execlp, exele, execv, execvp, execvpe, bind, connect, system.
The acquiring of the monitoring information of whether the monitoring function monitored by the kernel is called specifically includes: and (the protection driving module) sets the monitoring function monitored by the kernel as a hook point, and detects whether the monitoring function of the hook point is called or not through the hook.
The acquiring of the monitoring information whether the monitoring function monitored by the application layer is called specifically includes: a call check code for checking whether the monitoring function is called is generated in advance and injected into a process (e.g., a web server process) through LD _ load or/etc/ld.so.
Since the monitoring function is a function which is most likely to be called by the attack code, when it is monitored that a certain process calls the set monitoring function, the process is attacked by the attack code with high probability, so that the process can be used as a target process, and whether the process is attacked by the attack function is determined by the return address of each calling function of the target process.
In the embodiment, the function range needing attack code detection is narrowed through monitoring information of the function, the effectiveness of the attack code detection process is improved, and invalid occupation of system resources is avoided.
Further, on the basis of the foregoing embodiments, the obtaining a return address of the calling function includes:
acquiring a function stack frame of the calling function from a kernel, and/or acquiring the function stack frame of the calling function from an application layer;
and acquiring the return address according to the function stack frame of the calling function.
When the process runs, the kernel and the application layer are both processes and are allocated with spaces, so that the kernel and the application layer can both obtain the function stack frame of the calling function of the process. As shown in FIG. 2, the return address of the calling function can be read from each stack frame.
In this embodiment, the function stack frame of the calling function is obtained through the kernel and/or the application layer, and then the return address of each calling function is obtained through the function stack frame of the calling function, so that whether the attack code exists in the system is judged.
Further, on the basis of the foregoing embodiments, the obtaining a function stack frame of the calling function from the kernel includes:
acquiring a user state context structure stored in a kernel stack when the target process is trapped in the kernel from the kernel stack;
determining a base address of a first function stack frame in the target process stack range according to the user-mode context structure, wherein the base address is used as a first base address;
and starting to acquire each function stack frame in the target process stack range from the first base address to obtain the function stack frame of the calling function.
It should be noted that the base address of the function stack frame indicates the start position of the function stack frame, and since the function stack frames stored in sequence according to the call relationship of the target process to the function are in the target process stack range, each function stack frame from the stack start address to the stack top in the target process stack range can be traversed from the first base address according to the structural features of the stack itself.
The process is in a user state when the application layer runs, and the process is in a kernel state when the kernel state runs. In the process of running the process, the system call is trapped in a kernel state, and when the process is trapped in the kernel state, the context information in the process of executing the user state is transferred into the kernel, so that the information of all calling functions of the process can be acquired through the kernel. The user state context structure corresponding to the context information during user state execution comprises the address of each function stack frame in the process stack range, so that the base address of the first function stack frame can be acquired through the user state context structure, and each function stack frame in the process stack range is traversed from the base address of the first function stack frame, so that each function stack frame in the process stack range can be acquired.
For the kernel, the (protection driver module) can obtain the return function in each function stack frame in the target process stack range through the check function a in the kernel to form a function call chain, traverse each return address of the function call chain, and judge whether any return address does not belong to the system configuration address. Fig. 3 is a schematic diagram of a process of obtaining a function call chain by a kernel according to this embodiment, and referring to fig. 3, the process includes:
acquiring a user mode context structure pt _ regs from a kernel stack of a target process;
acquiring a base address bp of a current user state stack frame from pt _ regs;
all stack frames are traversed up bp and the return address of each stack frame is saved to an array, which is the data structure storing the call chain.
Specifically, for the kernel, the (protection driver module) may obtain the function call chain through the check function a in the kernel, further obtain the return address of each call function through the function call chain, and determine whether the system has an attack code according to the return address of each call function. Fig. 4 is a schematic flowchart of a process of detecting an attack code by a kernel according to this embodiment, where the process includes: when the (protection driver module) hook calls exeve, socket call, bind, connect, the check function a is entered. The check function A firstly obtains a call chain from the user mode context of the target process from hook, the call chain comprises return addresses of all stack frames, and the loop judges whether each return address is from an ELF file. If the return address is found not to be from the ELF file, it is highly likely that the shellcode code is executing, and an alarm log is generated. If all return addresses are from the ELF file, then this check is done.
In the embodiment, the return address of each calling function is acquired through the kernel stack, so that whether the attack code exists is judged according to the return address, when the attack code exists is detected, an alarm is generated in time, the attack code is processed in time, and the system safety is ensured.
Further, on the basis of the foregoing embodiments, the acquiring, from the application layer, the function stack frame of the calling function includes:
acquiring a base address of a first function stack frame in the target process stack range from a user stack of an application layer as a second base address;
and starting to acquire each function stack frame in the target process stack range from the second base address to obtain the function stack frame of the calling function.
Specifically, function stack frames are sequentially stored in the target process stack range according to the calling relation of the target process to the function, so that each function stack frame from the stack start address to the stack top in the target process stack range can be traversed from the second base address according to the structural characteristics of the stack.
For the application layer, the (protection driving module) can acquire the return function in each function stack frame in the target process stack range by checking the function B to form a function call chain, traverse each return address of the function call chain, and judge whether any return address does not belong to the system configuration address. Specifically, after monitoring that the monitoring function is called by calling the check code, the protection driving module directly reads the base address bp of the stack frame by calling the check function B injected in the target process of the monitoring function, and traverses from the base address bp of the stack frame to obtain the whole function calling chain.
In the embodiment, the return address of each calling function is acquired through the application layer, so that whether the attack code exists is judged according to the return address, when the attack code exists is detected, an alarm is generated in time, the attack code is processed in time, and the system safety is ensured.
Further, on the basis of the foregoing embodiments, before the return address does not belong to the system configuration address, the method further includes:
determining a virtual memory block structure body corresponding to the return address through a virtual memory management structure in a memory, and determining whether the return address belongs to the system configuration address according to an address pointed by a member describing a mapped file in the virtual memory block structure body;
and/or acquiring a memory layout file representing memory layout from an application layer, acquiring the row content of the return address from the memory layout file, and determining whether the return address belongs to the system configuration address according to a file path in the row content.
When the address pointed by the variable describing the members of the mapped file in the virtual memory block structure does not belong to the system configuration address, the return address does not belong to the system configuration address, and the system has an attack code.
And when the file path in the row content does not comprise a file path belonging to a system configuration address, the return address does not belong to the system configuration address, and the system has an attack code.
Specifically, taking a Linux server as an example, the memory may specifically determine whether the return address points to the executable file of the system by the following method:
acquiring a virtual memory management structure mm _ struct of a target process;
traversing the nodes of the red and black trees on the mm _ struct, and searching a vm _ area _ struct structure (namely a virtual memory block structure) where the return address is located;
it is checked whether the vm _ file member (i.e., the member describing the mapped file) variable of the vm _ area _ struct structure points to an ELF file, if not to say that the return address may come from the executing shellcode.
The red and black tree nodes are binary search trees in the mm _ struct of the virtual memory management structure, and the vm _ area _ struct structure where the return address is located can be quickly found through the red and black tree nodes.
Specifically, taking Linux server as an example, the application layer may specifically determine whether the return address points to the executable file of the system by the following method:
read/proc/self/maps file (i.e. memory layout file).
Analyzing each line of the memory layout file, wherein each line of the/proc/self/maps file represents a virtual memory block, the line content of each line comprises a starting address and an ending address of the virtual memory block, and if the line content is the memory mapping of the ELF file, the path of the ELF file can be displayed;
and judging whether the line where the return address is positioned has a corresponding ELF file path or not, and if not, indicating that the return address possibly comes from the executing shellcode.
In the embodiment, a process of judging whether the system has the attack code or not according to the return address is provided from the memory and the application layer, so that the detection of the attack code is realized, modeling is not required, the detection process is simple, and the detection efficiency is higher.
The method adopts a kernel-driven mode to monitor the process call chain, and has better performance compared with other methods; each return address on the calling chain is traversed and judged, and the shellcode code in execution can be stably detected.
Fig. 5 is a block diagram of a structure of an attack code detection apparatus provided in this embodiment, referring to fig. 5, including an obtaining module 501 and a determining module 502;
an obtaining module 501, configured to obtain a return address of a call function; the calling function is a function called by a target process of the system;
a determining module 502, configured to determine that an attack code exists in the system if the return address does not belong to a system configuration address; the system configuration address is a code segment address of an executable file loaded by a target process.
The attack code detection device provided in this embodiment is suitable for the attack code detection method provided in each of the above embodiments, and is not described herein again.
The embodiment provides an attack code detection device, which is used for acquiring a return address of a calling function in a process stack range in a system, and determining that an attack code exists in the system if the return address does not belong to a system configuration address for storing an executable file of the system. The attack codes are directly detected by obtaining the return addresses of the calling functions, a feature library does not need to be established, the identification process is simple, and the efficiency of identifying the attack codes is improved.
According to the attack code detection device provided by the invention, on the basis, before the return address of the calling function is obtained, the method further comprises the following steps:
acquiring monitoring information whether a monitoring function is called or not; the monitoring function is determined according to historical calling information of the attack code to the function;
and if the monitoring information is that a monitoring function is called, taking the process calling the monitoring function as the target process.
According to the attack code detection device provided by the invention, on the basis, the obtaining of the return address of the calling function comprises the following steps:
acquiring a function stack frame of the calling function from a kernel, and/or acquiring a function stack frame of the calling function from an application layer;
and acquiring the return address according to the function stack frame of the calling function.
According to the attack code detection device provided by the invention, on the basis, the acquiring of the function stack frame of the call function from the kernel comprises the following steps:
acquiring a user state context structure stored in a kernel stack when the target process is trapped in the kernel from the kernel stack;
determining a base address of a first function stack frame in the target process stack range according to the user-mode context structure, wherein the base address is used as a first base address;
and starting to acquire each function stack frame in the target process stack range from the first base address to obtain the function stack frame of the calling function.
According to the attack code detection device provided by the invention, on the basis, the acquiring of the function stack frame of the call function from the application layer comprises the following steps:
acquiring a base address of a first function stack frame in the range of the target process stack from a user stack of an application layer as a second base address;
and starting to acquire each function stack frame in the target process stack range from the second base address to obtain the function stack frame of the calling function.
According to the attack code detection device provided by the invention, on the basis, before the return address does not belong to the system configuration address, the attack code detection device further comprises:
determining a virtual memory block structure body corresponding to the return address through a virtual memory management structure in a memory, and determining whether the return address belongs to the system configuration address according to an address pointed by a member describing a mapped file in the virtual memory block structure body;
and/or acquiring a memory layout file representing memory layout from an application layer, acquiring the row content of the return address from the memory layout file, and determining whether the return address belongs to the system configuration address according to a file path in the row content.
Fig. 6 illustrates a physical structure diagram of an electronic device, which may include, as shown in fig. 6: a processor (processor)610, a communication Interface (Communications Interface)620, a memory (memory)630 and a communication bus 640, wherein the processor 610, the communication Interface 620 and the memory 630 communicate with each other via the communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform an attack code detection method comprising:
acquiring a return address of a calling function; the calling function is a function called by a target process of the system;
if the return address does not belong to a system configuration address, an attack code exists in the system; the system configuration address is a code segment address of an executable file loaded by a target process.
In addition, the logic instructions in the memory 630 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions, which when executed by a computer, enable the computer to perform the attack code detection method provided by the above methods, the method comprising:
acquiring a return address of a calling function; the calling function is a function called by a target process of the system;
if the return address does not belong to a system configuration address, an attack code exists in the system; the system configuration address is a code segment address of an executable file loaded by a target process.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program, which when executed by a processor is implemented to perform the attack code detection methods provided above, the method comprising:
acquiring a return address of a calling function; the calling function is a function called by a target process of the system;
if the return address does not belong to a system configuration address, an attack code exists in the system; the system configuration address is a code segment address of an executable file loaded by a target process.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. An attack code detection method, comprising:
acquiring a return address of a calling function; the calling function is a function called by a target process of the system;
if the return address does not belong to a system configuration address, an attack code exists in the system; the system configuration address is a code segment address of an executable file loaded by a target process.
2. The attack code detection method according to claim 1, wherein before obtaining the return address of the calling function, the method further comprises:
acquiring monitoring information whether a monitoring function is called or not; the monitoring function is determined according to historical calling information of the attack code to the function;
and if the monitoring information is that a monitoring function is called, taking the process calling the monitoring function as the target process.
3. The attack code detection method according to claim 1, wherein the obtaining a return address of the calling function includes:
acquiring a function stack frame of the calling function from a kernel, and/or acquiring a function stack frame of the calling function from an application layer;
and acquiring the return address according to the function stack frame of the calling function.
4. The attack code detection method according to claim 3, wherein the obtaining the function stack frame of the calling function from the kernel comprises:
acquiring a user state context structure stored in a kernel stack when the target process is trapped in the kernel from the kernel stack;
determining a base address of a first function stack frame in the target process stack range according to the user-mode context structure, wherein the base address is used as a first base address;
and starting to acquire each function stack frame in the target process stack range from the first base address to obtain the function stack frame of the calling function.
5. The attack code detection method according to claim 3, wherein the obtaining of the function stack frame of the calling function from the application layer includes:
acquiring a base address of a first function stack frame in the target process stack range from a user stack of an application layer as a second base address;
and starting to acquire each function stack frame in the target process stack range from the second base address to acquire the function stack frame of the calling function.
6. The attack code detection method according to claim 1, further comprising, before the return address does not belong to a system configuration address:
determining a virtual memory block structure corresponding to the return address through a virtual memory management structure in a memory, and determining whether the return address belongs to the system configuration address according to an address pointed by a member describing a mapped file in the virtual memory block structure;
and/or acquiring a memory layout file representing memory layout from an application layer, acquiring the row content of the return address from the memory layout file, and determining whether the return address belongs to the system configuration address according to a file path in the row content.
7. An attack code detection apparatus, comprising:
the obtaining module is used for obtaining a return address of the calling function; the calling function is a function called by a target process of the system;
the determining module is used for determining that an attack code exists in the system if the return address does not belong to a system configuration address; the system configuration address is a code segment address of an executable file loaded by a target process.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the attack code detection method according to any one of claims 1 to 6 are implemented when the processor executes the program.
9. A non-transitory readable storage medium having stored thereon a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the attack code detection method according to any one of claims 1 to 6.
10. A computer program, characterized in that the computer program, when being executed by a processor, carries out the steps of the attack code detection method according to any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011540159.4A CN114662098A (en) | 2020-12-23 | 2020-12-23 | Attack code detection method, apparatus, electronic device, program, and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011540159.4A CN114662098A (en) | 2020-12-23 | 2020-12-23 | Attack code detection method, apparatus, electronic device, program, and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114662098A true CN114662098A (en) | 2022-06-24 |
Family
ID=82025472
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011540159.4A Pending CN114662098A (en) | 2020-12-23 | 2020-12-23 | Attack code detection method, apparatus, electronic device, program, and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114662098A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115543586A (en) * | 2022-11-28 | 2022-12-30 | 成都安易迅科技有限公司 | Method, device and equipment for starting application layer system process and readable storage medium |
-
2020
- 2020-12-23 CN CN202011540159.4A patent/CN114662098A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115543586A (en) * | 2022-11-28 | 2022-12-30 | 成都安易迅科技有限公司 | Method, device and equipment for starting application layer system process and readable storage medium |
| CN115543586B (en) * | 2022-11-28 | 2023-03-17 | 成都安易迅科技有限公司 | Method, device and equipment for starting application layer system process and readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8099472B2 (en) | System and method for a mobile cross-platform software system | |
| CN108664793B (en) | Method and device for detecting vulnerability | |
| CN109586282B (en) | Power grid unknown threat detection system and method | |
| US20190147163A1 (en) | Inferential exploit attempt detection | |
| CN106709325B (en) | Method and device for monitoring program | |
| KR20160076534A (en) | Segregating executable files exhibiting network activity | |
| CN109189496B (en) | Dynamic library information acquisition method and device for application program | |
| CN113177001A (en) | Vulnerability detection method and device for open source component | |
| CN112738094B (en) | Expandable network security vulnerability monitoring method, system, terminal and storage medium | |
| CN114091031A (en) | Class loading protection method and device based on white rule | |
| CN101599113A (en) | Driven malware defence method and device | |
| CN112181487A (en) | Software compatibility processing method and device, electronic equipment and storage medium | |
| CN114662098A (en) | Attack code detection method, apparatus, electronic device, program, and storage medium | |
| CN111723374B (en) | Vulnerability scanning method and device | |
| CN113010885B (en) | Method and device for detecting kernel thread disguised with start address | |
| CN114417349A (en) | Attack result determination method, device, electronic equipment and storage medium | |
| CN114936368A (en) | Java memory Trojan detection method, terminal device and storage medium | |
| CN114444071A (en) | Powershell script monitoring method and device, electronic equipment, medium and product | |
| CN118260750B (en) | Attack behavior detection method and device, and attack behavior blocking method and device | |
| CN117272305B (en) | Process processing method and device, electronic equipment and storage medium | |
| CN116842505B (en) | Method, device and storage medium for constructing process trusted domain based on windows operating system | |
| US20230069035A1 (en) | Inactivating basic blocks of program code to prevent code reuse attacks | |
| CN113691518B (en) | Information analysis method, device, equipment and storage medium | |
| CN113094714B (en) | Method and device for detecting storage isolation of virtualization platform | |
| US20240283814A1 (en) | Detection and prevention of sideloaded attack chains via cloud and fuzzy hashing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Country or region after: China Address after: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd. Applicant after: QAX Technology Group Inc. Address before: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. Country or region before: China Applicant before: QAX Technology Group Inc. |
|
| CB02 | Change of applicant information |