CN114912113A - Method for judging harmful program based on process token - Google Patents


Info

Publication number
CN114912113A
Authority
CN
China
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210489168.8A
Other languages
Chinese (zh)
Inventor
刘庆林
陈健
刘正伟
魏海宇
谢辉
安恩庆
刘海洋
李小琼
康柏荣
王鲲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zorelworld Information Technology Co ltd
Original Assignee
Beijing Zorelworld Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2022-05-06
Filing date
2022-05-06
Publication date
2022-08-16
Application filed by Beijing Zorelworld Information Technology Co ltd
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a method for judging a harmful program based on a process token, which is implemented by installing a process-creation callback function and comprises the following steps. S1, process creation: record the process file information, complete process initialization, and acquire the initial process token authority. S2, process running: if a malicious operation takes place the process token authority is modified; the latest process token authority is obtained at regular intervals. S3, process termination: the latest process token authority is received as the process ends. S4, token monitoring: compare the initial process token authority with the latest process token authority; if the tokens differ, a token-based attack has occurred. The method can effectively monitor changes to the process token and make a timely judgement from them, thereby discovering the token-based attack activity of malicious programs, establishing a multidimensional program behaviour analysis system that combines dynamic and static analysis, identifying harmful programs and reducing the probability of false alarms.

Description

Method for judging harmful program based on process token
Technical Field
The invention relates to the technical field of system protection, in particular to a method for judging a harmful program based on a process token.
Background
With the continuous development of Windows, its security mechanisms and protection system have been further improved, so the range of common attack activities is ever narrower and their frequency ever lower. UAC (User Account Control) is an access control mechanism in Windows that strictly limits the scope of the system resources a process may access. However, in an advanced APT (advanced persistent threat) attack, a malicious program can tamper with the process token by means of a 0-day vulnerability and thereby bypass the restriction of UAC in order to carry out more destructive activities.
Because a 0-day vulnerability is unknown, it is difficult to take countermeasures against it in advance; it is usually used to attack high-value targets, and its success rate is often high. Raising process privileges by tampering with the process token frequently appears in an attack chain, and once privileges have been raised the threat of the malicious program is amplified to the point of controlling the entire operating system.
No effective strategy for dealing with such threats has been found in the currently mainstream Windows 10 and Windows 11 systems. Tampering with the process token through a 0-day exploit to achieve local privilege escalation is very difficult to predict and prevent. Because the method and attack point of a local privilege escalation vulnerability in an operating system component or third-party program are unknown, the built-in protection of the operating system and of antivirus software cannot cover it, so local privilege escalation inevitably occurs.
Disclosure of Invention
The invention provides a method for judging a harmful program based on a process token, which aims to solve the problems in the background technology.
In order to achieve the purpose, the invention adopts the following technical scheme:
a method for judging a harmful program based on a process token is implemented by installing a process-creation callback function, and comprises the following steps:
S1, process creation: record the process file information, complete process initialization, and acquire the initial process token authority;
S2, process running: if a malicious operation takes place the process token authority is modified; the latest process token authority is obtained at regular intervals;
S3, process termination: the latest process token authority is received as the process ends;
S4, token monitoring: compare the initial process token authority with the latest process token authority; if the tokens differ, a token-based attack has occurred.
As a further improvement of the technical scheme: when a process is created, its token privileges are checked from the command line with whoami /priv.
As a further improvement of the technical scheme: the timestamps of process creation and process termination make it possible to enumerate the programs that have been active in the system, and thus to determine the scope of subsequent attack tracing.
As a further improvement of the technical scheme: in S4, the token difference specifically refers to an elevation of the authority level of the latest process token.
As a further improvement of the technical scheme: monitoring the token in S4 further includes raising an alarm in time when a token-based attack is detected.
The embodiment of the present invention further provides a terminal device, which includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, where the processor implements any one of the above methods for determining a harmful program based on a process token when executing the computer program.
The embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes a stored computer program, and when the computer program runs, the apparatus where the computer-readable storage medium is located is controlled to execute any one of the above methods for determining a harmful program based on a process token.
Compared with the prior art, the invention has the beneficial effects that:
the method can effectively monitor changes to the process token and make a timely judgement from them, thereby discovering the token-based attack activity of malicious programs, establishing a multidimensional program behaviour analysis system that combines dynamic and static analysis, identifying harmful programs and further reducing the probability of false alarms.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings. The detailed description of the present invention is given in detail by the following examples and the accompanying drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart illustrating a method for determining a harmful program based on a process token according to the present invention;
FIG. 2 is a schematic structural diagram of a preferred embodiment of a terminal device provided in the present invention;
FIG. 3 is a schematic diagram of viewing a process's token privileges with the command line whoami /priv according to the present invention;
FIG. 4 is a schematic diagram of a token that has been modified to a high authority level according to the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention. The invention is described in more detail in the following paragraphs by way of example with reference to the accompanying drawings. Advantages and features of the present invention will become apparent from the following description and from the claims. It is to be noted that the drawings are in a very simplified form and are not to precise scale, which is merely for the purpose of facilitating and distinctly claiming the embodiments of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
Referring to FIG. 1 to FIG. 4, in an embodiment of the present invention, a method for determining a harmful program based on a process token is implemented by installing a process-creation callback function, and includes the following steps:
S1, process creation: record the process file information, complete process initialization, and acquire the initial process token authority;
S2, process running: if a malicious operation takes place the process token authority is modified; the latest process token authority is obtained at regular intervals;
S3, process termination: the latest process token authority is received as the process ends;
S4, token monitoring: compare the initial process token authority with the latest process token authority; if the tokens differ, a token-based attack has occurred.
Specifically, when a process is created, its token privileges are checked from the command line with whoami /priv.
Specifically, the timestamps of process creation and process termination make it possible to enumerate the programs that have been active in the system, and thus to determine the scope of subsequent attack tracing.
Specifically, in S4, the token difference specifically refers to an elevation of the authority level of the latest process token.
Specifically, monitoring the token in S4 further includes raising an alarm in time when a token-based attack is detected.
Referring to FIG. 2, FIG. 2 is a schematic structural diagram of a terminal device according to a preferred embodiment of the present invention. The terminal device comprises a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, wherein the processor implements the method for determining a harmful program based on a process token according to any one of the embodiments when executing the computer program.
Preferably, the computer program may be divided into one or more modules/units (e.g., computer program 1, computer program 2, …) that are stored in the memory and executed by the processor to implement the invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program in the terminal device.
The processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The processor is the control centre of the terminal device, and various interfaces and lines are used to connect the various parts of the terminal device.
The memory mainly includes a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store related data and the like. In addition, the memory may be a high speed random access memory, may also be a non-volatile memory, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card), and the like, or may also be other volatile solid state memory devices.
It should be noted that the terminal device may include, but is not limited to, a processor and a memory, and those skilled in the art will understand that the structural diagram of FIG. 2 is only an example of the terminal device and does not constitute a limitation of it; the terminal device may include more or fewer components than those shown, combine some components, or use different components.
The embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes a stored computer program, and when the computer program runs, a device where the computer-readable storage medium is located is controlled to execute the method for determining a harmful program based on a process token according to any of the above embodiments.
The working principle of the invention is as follows:
The Windows operating system has a strict privilege management mechanism. Generally, when a process is created its token is fixed, and it can only access a certain range of resources; therefore, under normal conditions, the token of the process should not change while the process is running. The token represents the identity and privilege level of the process. In everyday terms, common privilege levels are normal user, administrator and system level. In order to break through the system's privilege management mechanism, an attack program usually performs a local privilege-escalation operation only when it starts, so that the current process gains higher privileges and can access more, and more important, resources in the system.
Typically, when a process is created, its token privileges can be checked from the command line with whoami /priv, as shown in FIG. 3. When a token-based attack occurs, the token is modified to a higher privilege level, as shown in FIG. 4. If, by monitoring the process token, the token found while the process is running differs from the token generated when the process was created (the process token level has been raised), a token-based attack has occurred.
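The monitoring loop S1 to S4 above, reconstructed as a stand-alone Python model (an added example, not code from the patent or its assignee): the whoami /priv snapshots are constructed sample text, HIGH_IMPACT is an assumed illustrative list, and the process-creation callback and periodic token query that would feed these functions on a real host are not implemented here.

```python
import re
from dataclasses import dataclass, field

# Privileges whose appearance after creation strongly indicates elevation
# (assumption: an illustrative list, not taken from the patent).
HIGH_IMPACT = {"SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
               "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege"}

# Constructed sample: whoami /priv output for a normal-user token at creation (S1) ...
INITIAL_PRIV = """PRIVILEGES INFORMATION
Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""
# ... and the same process's token queried later (S2), after it was tampered with.
LATEST_PRIV = """PRIVILEGES INFORMATION
Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeDebugPrivilege              Debug programs                 Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)$")

def parse_privileges(text):
    """Map privilege name -> state from whoami /priv style output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

@dataclass
class ProcessRecord:
    pid: int
    image_path: str          # process file information recorded at S1
    created_at: str
    initial_privs: dict
    latest_privs: dict = field(default_factory=dict)

def on_process_create(pid, image_path, created_at, priv_text):
    """S1: record file information and the initial token privileges."""
    return ProcessRecord(pid, image_path, created_at, parse_privileges(priv_text))

def on_token_poll(rec, priv_text):
    """S2: periodic query of the current token privileges."""
    rec.latest_privs = parse_privileges(priv_text)

def compare_tokens(rec):
    """S4: added or newly enabled privileges mean the token was raised;
    privileges dropped since creation are not an elevation."""
    added = sorted(set(rec.latest_privs) - set(rec.initial_privs))
    enabled = sorted(p for p, s in rec.latest_privs.items()
                     if s == "Enabled" and rec.initial_privs.get(p) == "Disabled")
    return {"elevated": bool(added or enabled), "added": added, "newly_enabled": enabled,
            "high_impact": sorted(HIGH_IMPACT & set(added + enabled))}

def on_process_exit(rec, ended_at):
    """S3 + S4: at termination compare both snapshots; alert text or None."""
    diff = compare_tokens(rec)
    if not diff["elevated"]:
        return None
    return (f"ALERT token-based attack pid={rec.pid} image={rec.image_path} "
            f"active {rec.created_at}..{ended_at} added={diff['added']} "
            f"newly_enabled={diff['newly_enabled']} high_impact={diff['high_impact']}")
```

The creation and exit timestamps kept in the record are what the page's "attack tracing" step would use to list which programs were active in the window of interest.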
The foregoing is merely a preferred embodiment of the invention and is not intended to limit the invention in any manner; the present invention may be readily implemented by those of ordinary skill in the art as illustrated in the accompanying drawings and described above; however, those skilled in the art should appreciate that they can readily use the disclosed conception and specific embodiments as a basis for designing or modifying other structures for carrying out the same purposes of the present invention without departing from the scope of the invention; meanwhile, any changes, modifications, and evolutions of the equivalent changes of the above embodiments according to the actual techniques of the present invention are still within the protection scope of the technical solution of the present invention.

Claims (7)

1. A method for judging a harmful program based on a process token, implemented by installing a process-creation callback function and comprising the following steps:
S1, process creation: record the process file information, complete process initialization, and acquire the initial process token authority;
S2, process running: if a malicious operation takes place the process token authority is modified; the latest process token authority is obtained at regular intervals;
S3, process termination: the latest process token authority is received as the process ends;
S4, token monitoring: compare the initial process token authority with the latest process token authority; if the tokens differ, a token-based attack has occurred.
2. The method for determining a harmful program based on a process token of claim 1, wherein when the process is created, its token privileges are checked from the command line with whoami /priv.
3. The method for determining a harmful program based on a process token of claim 1, wherein the timestamps of process creation and process termination make it possible to enumerate the programs that have been active in the system, so as to determine the scope of follow-up attack tracing.
4. The method as claimed in claim 1, wherein in S4 the token difference is specifically an elevation of the authority level of the latest process token.
5. The method for determining a harmful program based on a process token of claim 1, wherein the step of monitoring the token in S4 further comprises raising an alarm in time when a token-based attack is detected.
6. A terminal device comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the method for determining a harmful program based on a process token according to any one of claims 1 to 5 when executing the computer program.
7. A computer-readable storage medium, comprising a stored computer program, wherein the computer program, when executed, controls an apparatus in which the computer-readable storage medium is located to perform the method for determining a harmful program based on a process token according to any one of claims 1 to 5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210489168.8A CN114912113A (en) 2022-05-06 2022-05-06 Method for judging harmful program based on process token

Publications (1)

Publication Number Publication Date
CN114912113A true CN114912113A (en) 2022-08-16

Family

ID=82766646


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination