CN114896592B - Universal detection method, device, equipment and storage medium for WMI malicious codes - Google Patents


Info

Publication number: CN114896592B
Authority: CN (China)
Prior art keywords: wmi, function, hook, malicious code, call
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202210217400.2A
Other languages: Chinese (zh)
Other versions: CN114896592A (en)
Inventor: 代鹏
Current assignee: Anxin Wangdun Beijing Technology Co ltd (listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Anxin Wangdun Beijing Technology Co ltd
Priority date: 2022-03-07 (the priority date is an assumption and not a legal conclusion)
Filing date: 2022-03-07
Publication date: 2022-08-12 (CN114896592A); 2023-05-05 (CN114896592B)

Events
    • 2022-03-07: application CN202210217400.2A filed by Anxin Wangdun Beijing Technology Co ltd; priority claimed to CN202210217400.2A
    • 2022-08-12: publication of CN114896592A
    • 2023-05-05: application granted; publication of CN114896592B
    • Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis

Abstract

Embodiments of the disclosure provide a method, device, equipment and storage medium for detecting WMI malicious code. Function-table hooks are installed on a series of functions that the WMI service calls at runtime; when code calls a function in the function table, execution jumps to the hook function of the function-table hook, the hook function judges whether the call matches the behavioral characteristics of malicious code, and code that does is reported and intercepted. The detection is simple and efficient, monitors the execution behavior of WMI comprehensively and in real time, monitors and intercepts malicious WMI attacks, and provides detection capability for malicious use of WMI. Compatibility is good, obfuscation-based evasion techniques do not defeat the detection, and WMI performance is not affected.

Description

Universal detection method, device, equipment and storage medium for WMI malicious codes
Technical Field
Embodiments of the disclosure relate to the field of information security, and in particular to a universal detection method, device, equipment and storage medium for WMI malicious code.
Background
WMI provides many capabilities, including registration, request forwarding, a unified programming API, remote management, security management, discoverability and navigability, query capability, event publish/subscribe, event detection and scripting. These management capabilities are powerful, which is also why WMI is attractive to malware abuse.
Traditional WMI-abuse detection methods, such as traversing WMI objects or monitoring the execution of related processes, suffer from incomplete coverage and from the need to deobfuscate obfuscated scripts.
Disclosure of Invention
To address these problems in the prior art, the present disclosure provides a universal detection method, device, equipment and storage medium for WMI malicious code. By hooking key functions at the WMI execution nodes, the execution behavior of WMI can be monitored comprehensively and in real time, malicious WMI attacks can be monitored and intercepted, and detection capability for malicious use of WMI is provided.
To this end, the present disclosure provides a universal detection method for WMI malicious code, including:
installing function-table hooks on a series of functions called by the WMI service at runtime;
when code calls a function in the function table, jumping to the hook function of the function-table hook, judging in the hook function whether the call matches the behavioral characteristics of malicious code, and reporting and intercepting code that does.
Further, installing function-table hooks on a series of functions called by the WMI service includes:
finding the process corresponding to the WMI service;
hooking the call interface function of the WMI service;
after the call interface function CoCreateInstance is called successfully, hooking the NTLMLogin and WBEMLogin functions;
and after the hooked NTLMLogin or WBEMLogin function is called successfully, acquiring the function table in the output parameter IWbemServices and hooking it.
Further, hooking the call interface function includes:
checking the parameter rclsid, and treating the call as the call interface of the WMI service when rclsid equals the identifier of the InProcWbemLevel1Login class.
Further, judging whether the call matches the behavioral characteristics of malicious code includes:
receiving a rule issued from the cloud, and judging behavior that matches the rule to be malicious-code behavior.
Further, the rule includes:
a registry modification operation: modifying the configuration options of the WDigest protocol in the registry, namely setting the UseLogonCredential value in the registry to 1; and a process creation operation: a remotely initiated operation that creates a process not in the whitelist.
A second aspect provides a universal detection device for WMI malicious code, comprising:
a WMI service hooking module, which installs function-table hooks on a series of functions called by the WMI service at runtime;
and a detection module, which, when code calls a function in the function table, jumps to the hook function of the function-table hook, judges in the hook function whether the call matches the behavioral characteristics of malicious code, and reports and intercepts code that does.
Further, the WMI service hooking module includes:
a lookup unit, which finds the process corresponding to the WMI service;
a hooking unit, which hooks the call interface function CoCreateInstance of the WMI service; after the call interface function CoCreateInstance is called successfully, hooks the NTLMLogin and WBEMLogin functions; and after the hooked NTLMLogin or WBEMLogin function is called successfully, acquires the function table in the output parameter IWbemServices and hooks it.
Further, the hooking unit hooking the call interface function includes:
checking the parameter rclsid, and treating the call as the call interface of the WMI service when rclsid equals the identifier of the InProcWbemLevel1Login class.
Further, the detection module judging whether the call matches the behavioral characteristics of malicious code includes:
receiving a rule issued from the cloud, and judging behavior that matches the rule to be malicious-code behavior.
Further, the rule includes:
a registry modification operation: modifying the configuration options of the WDigest protocol in the registry, namely setting the UseLogonCredential value in the registry to 1;
and a process creation operation: a remotely initiated operation that creates a process not in the whitelist.
A third aspect provides an electronic device comprising a processor and a memory, the memory storing a computer program and the processor being arranged to run the computer program to perform the universal detection method for WMI malicious code.
A fourth aspect provides a computer-readable storage medium storing a computer program which, when loaded and executed by a processor, performs the universal detection method for WMI malicious code.
The technical scheme of the disclosure has the following beneficial effects:
(1) The detection method and device are simple and efficient, monitor the execution behavior of WMI comprehensively and in real time, monitor and intercept malicious WMI attacks, and provide detection capability for malicious use of WMI.
(2) The detection method and device have good compatibility, and obfuscation-based evasion techniques do not defeat the detection.
(3) The detection has no influence on WMI performance.
Drawings
FIG. 1 illustrates a flow chart of a detection method provided in accordance with some embodiments of the present disclosure;
FIG. 2 illustrates a function table hooking function flow diagram for a series of functions for WMI service calls provided in accordance with some embodiments of the present disclosure;
FIG. 3 illustrates a schematic diagram of a detection system provided in accordance with some embodiments of the present disclosure;
FIG. 4 illustrates a schematic diagram of an electronic device provided in accordance with some embodiments of the present disclosure.
Detailed Description
For the purposes of promoting an understanding of the principles and advantages of the disclosure, reference will now be made to the drawings and specific language will be used to describe the same. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
A hook is a mechanism on the Windows platform that works like an interrupt: by hooking, Windows is given a callback function, also called a hook function, that is invoked each time an event of interest occurs. Windows has two kinds of hooks, thread-specific hooks and global system hooks. A thread-specific hook monitors only a specified thread, while a global system hook monitors all threads in the system. Either kind is set with SetWindowsHookEx().
The core functions of WMI are implemented mainly in wbemcore.dll, which is loaded by the Windows Management Instrumentation service (Winmgmt). Hooking key functions in wbemcore.dll and monitoring their calls is an effective method, because by the time a WMI command reaches these functions it has been completely deobfuscated.
Because these key functions are not exported, a way to locate them precisely is needed. Since WMI provides its services through COM interfaces, the COM interface call function of WMI is hooked first; inside it, the NTLMLogin and WBEMLogin functions are hooked, from which the IWbemServices function table is obtained; the functions in that table are then hooked and intercepted.
According to an embodiment of the present disclosure, a universal detection method for WMI malicious code is provided. With reference to FIG. 1, the method includes the following steps:
S100, installing function-table hooks on a series of functions called by the WMI service at runtime.
In one embodiment, with reference to FIG. 2, installing function-table hooks on a series of functions called by the WMI service at runtime includes the following steps:
S110, finding the process corresponding to the WMI service.
The process hosting the Windows Management Instrumentation service is typically an svchost service-container process.
S120, hooking the call interface function of the WMI service.
Inject into the process corresponding to the WMI service and hook the COM call interface, namely the CoCreateInstance function.
S130, after the call interface function is called successfully, hooking the NTLMLogin and WBEMLogin functions.
In the CoCreateInstance hook function, check whether the parameter rclsid is the identifier of the InProcWbemLevel1Login class, typically {4FA18276-912A-11D1-AD9B-00C04FD8FDFF}. If it is, the COM component InProcWbemLevel1Login is being created; this component provides an interface that allows a user to connect to the management service of a particular namespace. After CoCreateInstance returns successfully, the addresses of the NTLMLogin and WBEMLogin functions are retrieved from its output parameters, and these two functions are hooked. NTLMLogin provides login for management authentication within the local area network, and WBEMLogin provides login for network-based enterprise management.
S140, after the hooked NTLMLogin or WBEMLogin function is called successfully, acquiring the function table in the output parameter IWbemServices and hooking it.
Callers access the WMI service through the IWbemServices interface. After the hooked NTLMLogin or WBEMLogin function is called successfully, the IWbemServices structure in its output parameters is obtained; this structure is a function table containing the following functions: QueryInterface, AddRef, Release, OpenNamespace, CancelAsyncCall, QueryObjectSink, GetObject, GetObjectAsync, PutClass, PutClassAsync, DeleteClass, DeleteClassAsync, CreateClassEnum, CreateClassEnumAsync, PutInstance, PutInstanceAsync, DeleteInstance, DeleteInstanceAsync, CreateInstanceEnum, CreateInstanceEnumAsync, ExecQuery, ExecQueryAsync, ExecNotificationQuery, ExecNotificationQueryAsync, ExecMethod, ExecMethodAsync. Function-table hooks are installed on these functions, so that when a malicious WMI script calls one of them, execution jumps to the hook function.
S200, when code calls a function in the function table, jumping to the hook function of the function-table hook, judging in the hook function whether the call matches the behavioral characteristics of malicious code, and reporting and intercepting code that does.
Judging whether the call matches the behavioral characteristics of malicious code includes:
receiving a rule issued from the cloud, and judging behavior that matches the rule to be malicious-code behavior.
The WDigest protocol is a challenge/response authentication protocol on Windows systems. Its registry path is
System\CurrentControlSet\Control\SecurityProviders\WDigest, which stores configuration options of the WDigest protocol for the current system. Setting the UseLogonCredential value to 1 configures WDigest to keep authentication credentials in memory.
Further, the rule includes:
a registry modification operation whose registry path equals System\CurrentControlSet\Control\SecurityProviders\WDigest, whose value name equals UseLogonCredential, and which sets the value to 1. Such an operation changes the system setting so that WDigest caches logon credentials in memory, from which logon passwords can then be grabbed.
A process creation operation is considered an attempt to remotely execute a suspicious process if the operation is found to be remote and the created process is not in the whitelist.
For example, in a WMI attack, a WMI command is executed remotely to turn on the WDigest function of the target host so that its password credentials can later be stolen. In the hook function of ExecMethod or ExecMethodAsync, when we detect that the WMI class of the invoked method is StdRegProv, the method name is SetDwordValue, the sSubKeyName parameter is System\CurrentControlSet\Control\SecurityProviders\WDigest and sValueName is UseLogonCredential, and we find that the call is a remote RPC operation, we know that a remote machine is turning on the WDigest function of the target machine through a WMI command, and the call is reported and intercepted.
In the hook function, the specific WMI execution behavior is analyzed from the input parameters and judged against the attack characteristics of malicious WMI use; if it matches, a risk is reported, and if the current policy is to intercept attacks, the call is intercepted. This achieves the purpose of monitoring and intercepting malicious WMI attacks.
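As an added example (not code from the patent or its assignee), the following portable C program models steps S140 and S200: a constructed struct stands in for the IWbemServices function table, its ExecMethod slot is swapped for a hook, and the hook applies the two rules from the description to each decoded call, reporting matches and intercepting them when the policy says so. The struct layouts, the WmiCall record, the whitelist contents and the three sample calls are all constructed for the example; real COM vtables, decoding of parameters from IWbemClassObject, process injection and the cloud rule feed are not modelled.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX); on Windows use _stricmp from <string.h> */

/* Constructed view of one ExecMethod call, as the hook sees it after the
 * class path, method name and parameters have been decoded. */
typedef struct WmiCall {
    const char *class_name;    /* WMI class, e.g. "StdRegProv" */
    const char *method_name;   /* method, e.g. "SetDwordValue" */
    const char *sub_key;       /* sSubKeyName for StdRegProv methods, else NULL */
    const char *value_name;    /* sValueName for StdRegProv methods, else NULL */
    unsigned long value;       /* uValue for SetDwordValue */
    const char *command_line;  /* CommandLine for Win32_Process.Create, else NULL */
    int is_remote;             /* 1 when the call arrived over RPC from another host */
} WmiCall;

enum Verdict { CLEAN = 0, WDIGEST_CRED_CACHING = 1, REMOTE_NON_WHITELISTED_PROCESS = 2 };
enum Policy  { POLICY_REPORT_ONLY = 0, POLICY_INTERCEPT = 1 };

/* Constructed stand-in for a COM object and its function table (vtable). */
struct Services;
typedef int (*ExecMethodFn)(struct Services *self, const WmiCall *call);
typedef struct ServicesVtbl { ExecMethodFn ExecMethod; } ServicesVtbl;
typedef struct Services {
    ServicesVtbl *lpVtbl;
    int executed;              /* calls that reached the original implementation */
} Services;

/* The patent receives its rules from the cloud; here they are constructed constants. */
static const char *const WDIGEST_KEY = "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest";
static const char *const WDIGEST_VALUE = "UseLogonCredential";
static const char *const PROCESS_WHITELIST[] = { "C:\\Windows\\System32\\svchost.exe", NULL };
static enum Policy g_policy = POLICY_INTERCEPT;
static int g_reports = 0;

static int same_text(const char *a, const char *b) {
    return a && b && strcasecmp(a, b) == 0;   /* registry paths and class names are case-insensitive */
}

/* Apply the two rules from the description to one decoded call. */
enum Verdict evaluate_rules(const WmiCall *c) {
    if (same_text(c->class_name, "StdRegProv") && same_text(c->method_name, "SetDwordValue") &&
        same_text(c->sub_key, WDIGEST_KEY) && same_text(c->value_name, WDIGEST_VALUE) &&
        c->value == 1)
        return WDIGEST_CRED_CACHING;
    if (c->is_remote && same_text(c->class_name, "Win32_Process") &&
        same_text(c->method_name, "Create") && c->command_line) {
        for (const char *const *w = PROCESS_WHITELIST; *w; ++w)
            if (same_text(*w, c->command_line)) return CLEAN;
        return REMOTE_NON_WHITELISTED_PROCESS;
    }
    return CLEAN;
}

int report_count(void) { return g_reports; }

/* Original (stand-in) ExecMethod implementation. */
static int original_exec_method(Services *self, const WmiCall *call) {
    (void)call;
    self->executed++;
    return 0;                                   /* success, like S_OK */
}
static ExecMethodFn g_original = NULL;          /* saved by install_hook */

/* Hook function: judge the call, report a match, then intercept or forward. */
static int hooked_exec_method(Services *self, const WmiCall *call) {
    enum Verdict v = evaluate_rules(call);
    if (v != CLEAN) {
        g_reports++;
        printf("[report] %s.%s remote=%d verdict=%d\n",
               call->class_name, call->method_name, call->is_remote, (int)v);
        if (g_policy == POLICY_INTERCEPT) return -1;   /* intercepted: never reaches WMI */
    }
    return g_original(self, call);
}

/* Function-table hook: overwrite the slot, keeping the original pointer. */
void install_hook(Services *svc) {
    if (svc->lpVtbl->ExecMethod != hooked_exec_method) {   /* guard against double install */
        g_original = svc->lpVtbl->ExecMethod;
        svc->lpVtbl->ExecMethod = hooked_exec_method;
    }
}

/* Builds an object with its original table, installs the hook and drives three
 * constructed calls through the table. Returns the number intercepted. */
int run_demo(void) {
    static ServicesVtbl vtbl = { original_exec_method };
    Services svc = { &vtbl, 0 };
    WmiCall enable_wdigest = { "StdRegProv", "SetDwordValue",
        "system\\currentcontrolset\\control\\securityproviders\\wdigest",
        "UseLogonCredential", 1, NULL, 1 };
    WmiCall remote_shell = { "Win32_Process", "Create", NULL, NULL, 0,
        "C:\\Windows\\System32\\cmd.exe", 1 };
    WmiCall whitelisted  = { "Win32_Process", "Create", NULL, NULL, 0,
        "C:\\Windows\\System32\\svchost.exe", 1 };
    int intercepted = 0;
    install_hook(&svc);
    intercepted += svc.lpVtbl->ExecMethod(&svc, &enable_wdigest) == -1;
    intercepted += svc.lpVtbl->ExecMethod(&svc, &remote_shell) == -1;
    intercepted += svc.lpVtbl->ExecMethod(&svc, &whitelisted) == -1;
    return intercepted;                         /* 2 intercepted, 1 forwarded */
}

int main(void) {
    printf("intercepted %d of 3 calls\n", run_demo());
    return 0;
}
```

The whitelist check is applied only to remote calls, as the description states, while the WDigest rule fires regardless of origin; with POLICY_REPORT_ONLY the hook still reports but forwards every call to the original slot. Swapping the pointer in the table rather than patching code is what lets the hook see every caller of that slot without touching wbemcore.dll's instructions.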
According to an embodiment of the disclosure, a universal detection device for WMI malicious code is provided. With reference to FIG. 3, the universal detection device includes a WMI service hooking module and a detection module.
The WMI service hooking module installs function-table hooks on a series of functions called by the WMI service at runtime.
In one embodiment, the WMI service hooking module includes a lookup unit and a hooking unit.
The lookup unit finds the process corresponding to the WMI service;
the hooking unit hooks the call interface function of the WMI service; after the call interface function is called successfully, hooks the NTLMLogin and WBEMLogin functions; and after the hooked NTLMLogin or WBEMLogin function is called successfully, acquires the function table in the output parameter IWbemServices and hooks it.
Further, the hooking unit hooking the call interface function includes: checking the parameter rclsid, and treating the call as the call interface of the WMI service when rclsid equals the interface object identifier corresponding to the WMI service call.
The detection module, when code calls a function in the function table, jumps to the hook function of the function-table hook, judges in the hook function whether the call matches the behavioral characteristics of malicious code, and reports and intercepts code that does.
In one embodiment, the detection module judging whether the call matches the behavioral characteristics of malicious code includes:
receiving a rule issued from the cloud, and judging behavior that matches the rule to be malicious-code behavior.
A registry modification operation whose registry path equals System\CurrentControlSet\Control\SecurityProviders\WDigest, whose value name equals UseLogonCredential, and which sets the value to 1 changes the system setting so that WDigest caches logon credentials in memory, from which logon passwords can then be grabbed.
A process creation operation is considered an attempt to remotely execute a suspicious process if the operation is found to be remote and the created process is not in the whitelist.
FIG. 4 illustrates an electronic device that may be used to implement embodiments of the present disclosure, comprising a processor and a memory, the memory storing a computer program and the processor being arranged to run the computer program to perform the universal detection method for WMI malicious code described above.
Embodiments of the present disclosure also provide a computer-readable storage medium storing a computer program which, when loaded and executed by a processor, performs the universal detection method for WMI malicious code described above.
The processor performs the various methods and processes described above, e.g., processes S100, S200. For example, in some embodiments, steps S100, S200 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as a memory. In some embodiments, part or all of the computer program is loaded and/or installed onto the electronic device. When the computer program is loaded into RAM and executed by the processor, the above-described steps S100, S200 may be performed.
The functions described above in this disclosure may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a system on a chip (SOC), a load programmable logic device (CPLD), etc.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In summary, according to embodiments of the present disclosure, a method, an apparatus, a device, and a storage medium for general detection of WMI malicious code are provided, where a function table hooking function of a series of functions called by WMI service during runtime is provided; when the code calls a function in the function table, the function is jumped to a hook function of a function table hook, whether the call accords with the behavior characteristics of the malicious code is judged in the hook function, and the code which accords with the behavior characteristics of the malicious code is reported and intercepted. The detection mode is simple and efficient, the execution behavior of the WMI can be monitored comprehensively in real time, the effect of monitoring and intercepting malicious WMI attacks is achieved, and the detection capability of the malicious WMI utilization is provided. The compatibility is good, the detection method is invalid by the confusion escape detection technology, and the WMI performance is not influenced.
Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
It is to be understood that the above-described embodiments of the present disclosure are merely illustrative or explanatory of the principles of the disclosure and are not restrictive of the disclosure. Accordingly, any modifications, equivalent substitutions, improvements, or the like, which do not depart from the spirit and scope of the present disclosure, are intended to be included within the scope of the present disclosure. Furthermore, the appended claims of this disclosure are intended to cover all such changes and modifications that fall within the scope and boundary of the appended claims, or the equivalents of such scope and boundary.

Claims (6)

1. A universal detection method for WMI malicious code, comprising:
installing function-table hooks on a series of functions called by the WMI service at runtime;
when code calls a function in the function table, jumping to the hook function of the function-table hook, judging in the hook function whether the call matches the behavioral characteristics of malicious code, and reporting and intercepting code that does;
wherein installing function-table hooks on a series of functions called by the WMI service comprises:
finding the process corresponding to the WMI service;
hooking the call interface function of the WMI service;
after the call interface function CoCreateInstance is called successfully, hooking the NTLMLogin and WBEMLogin functions;
after the hooked NTLMLogin or WBEMLogin function is called successfully, acquiring the function table in the output parameter IWbemServices and hooking it;
and wherein hooking the call interface function comprises:
checking the parameter rclsid, and treating the call as the call interface of the WMI service when rclsid equals the identifier of the InProcWbemLevel1Login class.
2. The universal detection method for WMI malicious code according to claim 1, wherein judging whether the call matches the behavioral characteristics of malicious code comprises:
receiving a rule issued from the cloud, and judging behavior that matches the rule to be malicious-code behavior;
wherein the rule comprises:
a registry modification operation: modifying the configuration options of the WDigest protocol in the registry, namely setting the UseLogonCredential value in the registry to 1; and a process creation operation: a remotely initiated operation that creates a process not in the whitelist.
3. A universal detection device for WMI malicious code, comprising:
a WMI service hooking module, which installs function-table hooks on a series of functions called by the WMI service at runtime;
a detection module, which, when code calls a function in the function table, jumps to the hook function of the function-table hook, judges in the hook function whether the call matches the behavioral characteristics of malicious code, and reports and intercepts code that does;
wherein the WMI service hooking module comprises:
a lookup unit, which finds the process corresponding to the WMI service;
a hooking unit, which hooks the call interface function CoCreateInstance of the WMI service; after the call interface function CoCreateInstance is called successfully, hooks the NTLMLogin and WBEMLogin functions; and after the hooked NTLMLogin or WBEMLogin function is called successfully, acquires the function table in the output parameter IWbemServices and hooks it;
and wherein the hooking unit hooking the call interface function comprises:
checking the parameter rclsid, and treating the call as the call interface of the WMI service when rclsid equals the identifier of the InProcWbemLevel1Login class.
4. The universal detection device for WMI malicious code according to claim 3, wherein the detection module judging whether the call matches the behavioral characteristics of malicious code comprises:
receiving a rule issued from the cloud, and judging behavior that matches the rule to be malicious-code behavior;
wherein the rule comprises:
a registry modification operation: modifying the configuration options of the WDigest protocol in the registry, namely setting the UseLogonCredential value in the registry to 1;
and a process creation operation: a remotely initiated operation that creates a process not in the whitelist.
5. An electronic device comprising a processor and a memory, wherein the memory stores a computer program and the processor is arranged to run the computer program to perform the universal detection method for WMI malicious code according to any one of claims 1-2.
6. A computer-readable storage medium storing a computer program which, when loaded and executed by a processor, performs the universal detection method for WMI malicious code according to any one of claims 1-2.

Priority Applications (1)

Application number: CN202210217400.2A (CN114896592B, en); priority date: 2022-03-07; filing date: 2022-03-07; status: Active; title: Universal detection method, device, equipment and storage medium for WMI malicious codes


Publications (2)

CN114896592A (en), published 2022-08-12
CN114896592B (en), published 2023-05-05

Family

ID=82715895



Families Citing this family (1)

* Cited by examiner, † Cited by third party
CN115859274B * (priority 2022-12-12, published 2023-11-21), Anxin Wangdun (Beijing) Technology Co., Ltd. (安芯网盾(北京)科技有限公司): Method and system for monitoring event log behavior of Windows process emptying system

Family Cites Families (9)

* Cited by examiner, † Cited by third party
US20070113282A1 * (priority 2005-11-17, published 2007-05-17), Ross Robert F: Systems and methods for detecting and disabling malicious script code
US9171157B2 * (priority 2006-03-28, published 2015-10-27), Blue Coat Systems, Inc.: Method and system for tracking access to application data and preventing data exploitation by malicious programs
US20080016339A1 * (priority 2006-06-29, published 2008-01-17), Jayant Shukla: Application Sandbox to Detect, Remove, and Prevent Malware
CN102902919B * (priority 2012-08-30, published 2015-11-25), Beijing Qihoo Technology Co., Ltd. (北京奇虎科技有限公司): Identification and processing method, device and system for suspicious operations
CN105868634A * (priority 2016-04-22, published 2016-08-17), Beijing Kingsoft Security Software Co., Ltd. (北京金山安全软件有限公司): Interception method and device
US11106792B2 * (priority 2019-03-29, published 2021-08-31), Acronis International Gmbh: Methods and systems for performing a dynamic analysis of applications for protecting devices from malwares
US11238154B2 * (priority 2019-07-05, published 2022-02-01), Mcafee, Llc: Multi-lateral process trees for malware remediation
CN111191224B * (priority 2019-07-08, published 2022-04-08), Tencent Technology (Shenzhen) Co., Ltd. (腾讯科技(深圳)有限公司): Countermeasure method and device for virtual machine detection and computer readable storage medium
CN113391874A * (priority 2020-03-12, published 2021-09-14), Tencent Technology (Shenzhen) Co., Ltd. (腾讯科技(深圳)有限公司): Virtual machine detection countermeasure method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于沙箱技术的恶意代码行为检测方法;童瀛;牛博威;周宇;张旗;;西安邮电大学学报(第05期);全文 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant