CN116305122B - Detection method and system for rootkit - Google Patents

Info

Publication number: CN116305122B
Authority: CN (China)
Application number: CN202310189733.3A
Prior art keywords: rootkit, identification, uid, range, gid
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN116305122A (en)
Inventors: 李越, 姚纪卫
Current assignee: Anxin Wangdun Beijing Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Anxin Wangdun Beijing Technology Co ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Events
Application filed by Anxin Wangdun Beijing Technology Co ltd
Priority to CN202310189733.3A
Publication of CN116305122A
Application granted
Publication of CN116305122B
Legal status: Active (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities


Abstract

An embodiment of the invention discloses a detection method and a detection system for rootkits. The method comprises the following steps: read and store designated information of the system to be protected; set a rootkit identification range, traverse it, and judge whether the identification being tested has left the rootkit identification range; while the identification is inside the range, read the designated information again under that identification and compare it with the stored copy, and if the two differ, judge the system to be infected by a rootkit; if the whole rootkit identification range has been traversed, so that the identification has left the range, judge the system not to be infected. The system comprises a calling module, an identification detection module, a designated-information comparison module and a judgment module. The detection process is simple and fast, can be completed entirely in the application layer, has no side effect on the system and introduces no security risk of its own, reliably detects the rootkits that use the magic-id marking technique, and therefore gives accurate results.

Description

Detection method and system for rootkit
Technical Field
The invention relates to the field of rootkit detection and countermeasures, and in particular to a rootkit detection method and a rootkit detection system.
Background
Rootkits on Linux platforms fall mainly into three classes: dynamic link library hijacking and binary program replacement (user-space rootkits), and LKM (loadable kernel module) rootkits (kernel-space rootkits). Across these classes, a considerable number of rootkits use a magic id technique for identification.
In short, when a rootkit hooks system calls to hide itself and the traces of an intrusion, the intruder faces two problems: first, the information of all kinds that the hooks hide is also hidden from the intruder when he uses the system himself; second, he wants to select which files, processes, connections and so on are hidden by means of some identifier. For the first point, temporarily deactivating or unloading the rootkit during an intrusion necessarily raises the risk of discovery; for the second, conventional identification by name may accidentally hide the normal files and processes of ordinary system users, which also raises the risk of discovery. Many rootkit developers therefore choose magic-id identification in the hooked system calls: for a user of the system, the magic id decides whether real system information is returned; for files, processes and network connections, a magic id decides whether they are hidden. When the attacker performs malicious operations on an infected system, he sets his uid/gid to a value that does not exist on the current system and cannot be used normally, the magic uid/gid. In the system-call logic of the rootkit hook, the caller's uid/gid is checked first, and when it matches the magic uid/gid the call returns the real state of the system, so the attacker can use the system normally. In this way an attacker can hide specific malicious files, processes and network connections; when an ordinary user tries to access them, the system call checks the id and returns the filtered result, giving the attacker both concealment and self-protection. Linux rootkits such as Jynx and Umbreon use this identification method.
Existing rootkit detection techniques on the Linux platform mainly comprise the following:
(1) Against dynamic link library hijacking rootkits, system information can be obtained with a statically compiled binary and compared with the result of the dynamically linked program; if they differ, a dynamic link library hijacking attack may be under way. But when the rootkit modifies the system calls themselves, the result from the static binary is unreliable as well and may be false, so many rootkits evade this detection mode.
(2) Detection approaches that pursue high detection rates for kernel-space rootkits acquire memory for analysis and instrument the kernel and system-call layers to determine whether a kernel-space rootkit is present. Because this method changes the kernel and system calls considerably, its impact on the system is correspondingly larger, and it can introduce other security risks on a Linux system. Even so, these techniques have difficulty finding rootkits that are sufficiently concealed, powerful and cleverly designed.
(3) Detection modes that look for traces left by the rootkit, such as traces of kernel module loading, traces in the logging system, traces in the network mode, and so on. As long as the rootkit has taken care of hiding and trace cleaning, this detection mode is essentially unable to detect it.
Disclosure of Invention
In view of the above, an object of the embodiments of the present invention is to provide a method and a system for detecting rootkits whose detection process is simple and fast, can be completed entirely in the application layer, has no side effect on the system and introduces no security risk of its own, and which necessarily detects the specific rootkits that use the magic-id marking technique, so that accuracy is ensured and there are almost no false alarms.
In a first aspect, an embodiment of the present invention provides a detection method for rootkits, comprising:
reading the designated information of the system to be protected and storing it;
setting a rootkit identification range according to the value range of user uid/gid, traversing the rootkit identification range, and judging whether the identification being tested has left the rootkit identification range, where the rootkit identification uses a magic id and the magic id is a magic uid/gid;
while the identification being tested is inside the rootkit identification range, reading the designated information of the system to be protected again under that identification and comparing it with the stored designated information; if the two differ, the magic id that the attacker uses when performing malicious operations on the infected system has been found, and the system is judged to be infected by the rootkit;
if the rootkit identification range has been traversed without finding the magic id used by the attacker, that is, the identification being tested has left the rootkit identification range, the system is judged not to be infected by the rootkit.
The magic id is a magic uid/gid: the attacker sets the uid/gid to a value that does not exist on the current system and cannot be used under normal conditions when performing malicious operations.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, in which:
the rootkit identification uses a magic id;
the magic id is a uid or a gid.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, in which setting the rootkit identification range comprises:
collecting the value range of user uid or gid;
the uid of a first-level user is 0;
a second-level user has a uid in the range 1 to 499 or 1 to 999;
a third-level user has a uid in the range 500 to 65535 or 1000 to 65535;
the privilege level of a first-level user is higher than that of a second-level user, and that of a second-level user is higher than that of a third-level user;
and setting the rootkit identification range according to the value range of user uid or gid.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, in which setting the rootkit identification range using the value range of user uid or gid as the starting value comprises:
the uid range increases upward starting from the uid of the third-level user plus 1 (i.e. 65536) as the starting value.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, in which, within the rootkit identification range, the maximum value of uid is 2^32 - 1.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, in which setting the rootkit identification range using the value range of user uid or gid as the starting value comprises:
the gid range starts at 0 and increases upward.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation of the first aspect, in which, within the rootkit identification range, the maximum value of gid is 2^32 - 1.
In a second aspect, an embodiment of the present invention further provides a detection system for rootkits, comprising:
a calling module, used to read and store the designated information of the system to be protected;
an identification detection module, used to set a rootkit identification range according to the value range of user uid/gid, traverse the rootkit identification range, and judge whether the identification being tested has left the rootkit identification range, where the rootkit identification uses a magic id;
a designated-information comparison module, used to read the designated information of the system to be protected again while the identification being tested is inside the rootkit identification range, compare it with the stored designated information, and judge the system to be infected by the rootkit if the two differ, that is, if the magic id that the attacker uses when performing malicious operations on the infected system has been found;
a judgment module, used to judge the system not to be infected by the rootkit if the rootkit identification range has been traversed without finding the magic id used by the attacker, that is, the identification being tested has left the rootkit identification range.
The magic id is a magic uid/gid: the attacker sets the uid/gid to a value that does not exist on the current system and cannot be used under normal conditions when performing malicious operations.
In a third aspect, an embodiment of the present invention further provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the detection method for rootkits described above when executing the computer program.
In a fourth aspect, embodiments of the present invention further provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the detection method for rootkits described above.
The embodiments of the invention have the following beneficial effects:
the invention exploits the magic-id identification technique that is widely used in rootkits, and detects exactly the rootkits that use it; by exploiting the weakness of the magic-id method it can detect such rootkits regardless of their age, scale or complexity. Moreover, the design is very simple, the program is light and portable, it can be completed entirely in the application layer, it has no side effect on the system, and it introduces no other security risk.
In the detection mode provided by the invention, the uid/gid is iterated while system calls are executed against a file system in which the rootkit may hide entries, and whether the return value differs is checked, thereby determining whether the system is infected by the rootkit.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present invention and should therefore not be regarded as limiting its scope, and that other related drawings can be obtained from them by a person skilled in the art without inventive effort.
FIG. 1 is a flow chart of the detection method for rootkits of the present invention;
FIG. 2 is a flow chart of the detection method for rootkits of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously the described embodiments are some, but not all, of the embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures can be arranged and designed in a wide variety of different configurations.
The magic-id recognition mechanism works as follows. For a user of the system, the magic id decides whether real system information is returned; for files, processes and network connections, a magic id decides whether they are hidden. When the attacker performs malicious operations on an infected system, he sets his uid/gid to a value that does not exist on the current system and cannot be used normally, the magic uid/gid. In the system-call logic of the rootkit hook, the caller's uid/gid is checked first, and when it matches the magic uid/gid the call returns the real state of the system, so the attacker can use the system normally. In this way the attacker can hide specific malicious files, processes and network connections; when an ordinary user tries to access them, the system call checks the id and returns the filtered result, giving the attacker concealment and self-protection.
On Linux, uid and gid have a legal range that depends on the kernel version, so the rootkit's magic id can only be set inside that range. This means the magic id can be enumerated exhaustively: one need only change the uid/gid iteratively and check whether the behaviour characteristic of a magic id appears. On a system infected by such a rootkit, in a specific file system such as the proc file system, if a hidden process exists, then when the program makes the system call with the magic id the hidden process is displayed normally and is no longer hidden, so whether the program's current uid/gid is the magic id can be determined reliably.
Referring to FIG. 1, a first embodiment of the present invention provides a detection method for rootkits, which comprises:
S100, reading and storing the designated information of the system to be protected, where the designated information is a file to be checked or a directory to be checked in the system to be protected.
S200, setting a rootkit identification range according to the value range of user uid/gid, traversing the rootkit identification range, and judging whether the identification being tested has left the rootkit identification range, where the rootkit identification uses a magic id.
Specifically, if the whole uid/gid range is traversed and the magic id used by the rootkit is still not found, the system to be protected is not infected by the rootkit.
S300, while the identification being tested is inside the rootkit identification range, reading the designated information of the system to be protected again under that identification and comparing it with the stored designated information; if the two differ, the magic id that the attacker uses when performing malicious operations on the infected system has been found, and the system is judged to be infected by the rootkit.
S400, if the rootkit identification range has been traversed without finding the magic id used by the attacker, that is, the identification being tested has left the rootkit identification range, the system is judged not to be infected by the rootkit.
Specifically, when readdir or readdir64 is called to read the designated directory, if the directory contains a file hidden by the rootkit and the caller's uid/gid is the magic id (which lies inside the rootkit identification range), the result read differs from the result read in a normal user environment: the file is no longer hidden, and the system is determined to be infected by the rootkit.
Specifically, the rootkit identification uses a magic id.
The magic id is a magic uid/gid, that is, the value to which the attacker sets the uid/gid when performing malicious operations, which does not exist on the current system and cannot be used under normal conditions.
Specifically, setting the rootkit identification range comprises:
collecting the value range of user uid or gid.
The uid of a first-level user is 0.
A second-level user has a uid in the range 1 to 499 or 1 to 999.
A third-level user has a uid in the range 500 to 65535 or 1000 to 65535.
The privilege level of a first-level user is higher than that of a second-level user, and that of a second-level user is higher than that of a third-level user.
First-level users are superusers, second-level users are system users, and third-level users are ordinary users.
The rootkit identification range is then set according to the value range of user uid or gid.
Specifically, setting the rootkit identification range using the value range of user uid or gid as the starting value comprises:
the uid range increases upward starting from the uid of the third-level user plus 1 (i.e. 65536) as the starting value.
Specifically, within the rootkit identification range, the maximum value of uid is 2^32 - 1.
The maximum uid supported by most kernels today is 2^32 - 1 (kernel version 2.6.x and later). Many rootkits simply take values that an ordinary user will never use, so this is taken as the starting value and the maximum value.
Specifically, traversing all uids in full takes a long time (in testing, reading a directory of 5 to 10 files 100 million times through the readdir system call took 10 to 20 seconds). However, rootkits generally choose a large magic_uid, so the traversal can instead decrement from the maximum value 2^32 - 1 as the starting value; on a system infected with such a rootkit, the verdict is usually reached faster this way than by incrementing.
It is also possible to take 2^31 as the starting value and search upward and downward simultaneously for the magic_uid. Or one can use a rule derived from analysing a certain number of samples; for example, rootkits frequently take an 8- or 9-digit decimal random number as the uid value, so the values in 10000000 to 999999999 are traversed and checked first.
The traversal range of the identification detection program can be changed freely and set to different ranges for different situations.
Specifically, setting the rootkit identification range according to the value range of user uid or gid comprises:
the gid range starts at 0 and increases upward.
Specifically, within the rootkit identification range, the maximum value of gid is 2^32 - 1.
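The procedure of steps S100 to S400 together with the traversal heuristics above, as an added example in Python. This is not the patent's own program (the text only says the detector may be written in any language supported on Linux) and makes the following assumptions: it runs as root, because switching the effective uid/gid needs CAP_SETUID/CAP_SETGID; the directory scanned (/proc by default), the candidate ranges, the default of scanning gids before uids, and the injectable snapshot/set_ids parameters are this example's own choices, the last so that the scanner logic can be exercised against a simulated rootkit without root.

```python
"""Magic-id enumeration scanner (added example, not the patent's code).

A rootkit that filters directory listings for every caller except one whose
uid/gid equals its magic id can be exposed by snapshotting a directory as
root (S100), then re-reading it under each candidate id in the range (S200)
and comparing with the snapshot (S300); exhausting the range without a
difference is the "not infected" verdict (S400).
"""
import os
from typing import Callable, Iterable, Optional, Set, Tuple

UID_MAX = 2**32 - 1            # largest uid/gid on 2.6+ kernels (from the patent)
THIRD_LEVEL_UID_MAX = 65_535   # top of the ordinary-user range (from the patent)

# The two privileged operations are parameters so a test can substitute fakes.
Snapshot = Callable[[str], Set[str]]
SetIds = Callable[[Optional[int], Optional[int]], None]


def snapshot_dir(path: str) -> Set[str]:
    """readdir()-based listing under the process's current credentials."""
    return set(os.listdir(path))


def set_effective_ids(uid: Optional[int], gid: Optional[int]) -> None:
    """Switch effective uid and/or gid; needs CAP_SETUID/CAP_SETGID (root).
    uid 0 is restored first because a process whose effective uid is non-zero
    can no longer change its gid; the saved set-uid stays 0, so seteuid(0) is
    always permitted.  The gid is set before a non-zero uid for the same reason.
    """
    if uid == 0:
        os.seteuid(0)
    if gid is not None:
        os.setegid(gid)
    if uid is not None and uid != 0:
        os.seteuid(uid)


def prioritized_candidates(prefer: Tuple[int, int] = (10_000_000, 999_999_999),
                           floor: int = THIRD_LEVEL_UID_MAX + 1,
                           ceiling: int = UID_MAX) -> Iterable[int]:
    """Traversal order suggested in the patent: the 8-9 digit decimal band
    seen in samples first, then downward from the 32-bit maximum (magic ids
    tend to be large), then whatever remains above the ordinary-user range."""
    lo, hi = prefer
    yield from range(lo, hi + 1)
    yield from range(ceiling, hi, -1)
    yield from range(floor, lo)


def scan_for_magic_id(path: str, candidates: Iterable[int], which: str = "gid",
                      snapshot: Snapshot = snapshot_dir,
                      set_ids: SetIds = set_effective_ids) -> Optional[Tuple[int, Set[str]]]:
    """Return (magic_id, differing_entries) for the first candidate under which
    `path` lists differently from the root baseline, or None when the whole
    candidate range is exhausted.  Credentials are restored after each probe."""
    if which not in ("uid", "gid"):
        raise ValueError("which must be 'uid' or 'gid'")
    baseline = snapshot(path)
    for cand in candidates:
        uid, gid = (cand, None) if which == "uid" else (None, cand)
        try:
            set_ids(uid, gid)
            current = snapshot(path)
        except OSError:
            continue  # id rejected by the kernel or listing denied: not a magic id
        finally:
            set_ids(0 if uid is not None else None, 0 if gid is not None else None)
        if current != baseline:
            # Symmetric difference: entries that appeared (un-hidden) or vanished.
            return cand, current ^ baseline
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    # Demo range: the first million ids above the ordinary-user range.  Pass
    # prioritized_candidates() instead for a full sweep, which takes far longer.
    hit = scan_for_magic_id(target, range(THIRD_LEVEL_UID_MAX + 1,
                                          THIRD_LEVEL_UID_MAX + 1_000_001), "gid")
    if hit:
        print(f"magic gid {hit[0]} changes the listing of {target}: {sorted(hit[1])}")
    else:
        print(f"no magic gid in the scanned range for {target}")
```

Run it as root against a directory the rootkit is likely to filter (sudo python3 scan.py /proc). Because the interpreter is dynamically linked, the listing passes through both an LD_PRELOAD-style readdir hook and any kernel-level hook, so either kind of magic-id filter shows up as a difference from the baseline. The symmetric difference is reported rather than only new entries, since the patent's criterion is simply that the two reads differ.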
Referring to FIG. 2, a second embodiment of the present invention provides a detection system for rootkits, which comprises:
a calling module, used to read and store the designated information of the system to be protected;
an identification detection module, used to set a rootkit identification range according to the value range of user uid/gid, traverse the rootkit identification range, and judge whether the identification being tested has left the rootkit identification range, where the rootkit identification uses a magic id;
a designated-information comparison module, used to read the designated information of the system to be protected again while the identification being tested is inside the rootkit identification range, compare it with the stored designated information, and judge the system to be infected by the rootkit if the two differ, that is, if the magic id that the attacker uses when performing malicious operations on the infected system has been found;
a judgment module, used to judge the system not to be infected by the rootkit if the rootkit identification range has been traversed without finding the magic id used by the attacker, that is, the identification being tested has left the rootkit identification range.
The magic id is a magic uid/gid: the attacker sets the uid/gid to a value that does not exist on the current system and cannot be used under normal conditions when performing malicious operations.
A third embodiment of the invention provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the detection method for rootkits described above when executing the computer program.
A fourth embodiment of the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the detection method for rootkits described above.
The embodiments of the invention are intended to protect a detection method and a detection system for rootkits, with the following effects:
1. The invention exploits the magic-id identification technique that is widely used in rootkits, and detects exactly the rootkits that use it; by exploiting the weakness of the magic-id method it can detect such rootkits regardless of their age, scale or complexity. Moreover, the design is very simple, the program is light and portable, and it can be completed entirely in the application layer, so the system is not affected and no other security risk is introduced, which greatly strengthens security.
2. The detection method and detection system for rootkits are simple and general to implement; based on the idea above, the detection program can be written in any programming language supported on Linux.
3. In the detection mode provided by the invention, the uid/gid is iterated while system calls are executed against a file system in which the rootkit may hide entries, and whether the return value differs is checked, thereby determining whether the system is infected by the rootkit.
The computer program product for the rootkit detection method and apparatus provided by the embodiments of the present invention comprises a computer-readable storage medium storing program code; the instructions in the program code may be used to execute the method of the foregoing method embodiment, and for the specific implementation reference is made to the method embodiment, which is not repeated here.
Specifically, the storage medium can be a general storage medium such as a removable disk or a hard disk. When the computer program on the storage medium runs, the detection method for rootkits can be executed, so that the detection process is completed simply and quickly entirely in the application layer, with no side effect on the system, no security risk of its own, and high accuracy.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. On this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Finally, it should be noted that the above examples are only specific embodiments of the present invention and are not intended to limit its scope. Although the present invention has been described in detail with reference to the foregoing examples, those skilled in the art should understand that any person skilled in the art may modify the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features, within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments and are intended to be included within the scope of the present invention. The protection scope of the present invention is therefore defined by the claims.

Claims (9)

1. A detection method for rootkits, comprising:
reading and storing the designated information of the system to be protected;
setting a rootkit identification range according to the value range of user uid/gid, traversing the rootkit identification range, and judging whether the identification being tested has left the rootkit identification range, wherein the rootkit identification uses a magic id;
while the identification being tested is inside the rootkit identification range, reading the designated information of the system to be protected again under that identification and comparing it with the stored designated information, and if the two differ, the magic id that the attacker uses when performing malicious operations on the infected system has been found and the system is judged to be infected by the rootkit;
if the rootkit identification range has been traversed without finding the magic id used by the attacker, that is, the identification being tested has left the rootkit identification range, the system is judged not to be infected by the rootkit;
wherein the magic id is a magic uid/gid, being the value to which the attacker sets the uid/gid when performing malicious operations, which does not exist on the current system and cannot be used under normal conditions.
2. The detection method for rootkit according to claim 1, wherein said setting rootkit identification range comprises:
collecting a user uid or gid value range;
the uid value of the first-level user is 0;
the user of the second level has a uid range of 1-499 or 1-999;
the user of the third level has a uid range of 500-65535 or 1000-65535;
the authority level of the first-level user is higher than that of the second-level user, and the authority level of the second-level user is higher than that of the third-level user;
and setting a rootkit identification range according to the value range of the user uid or gid.
3. The method for detecting a rootkit according to claim 2, wherein setting the rootkit identification range according to the user uid or gid value range comprises:
the uid range takes the third-level user's uid + 1 as its start value and increases upward.
4. The method for detecting a rootkit according to claim 3, wherein in the rootkit identification range the maximum value of uid is 2^32 - 1.
5. The method for detecting a rootkit according to claim 2, wherein setting the rootkit identification range according to the user uid or gid value range comprises:
the gid range takes 0 as its start value and increases upward.
6. The method for detecting a rootkit according to claim 5, wherein the maximum value of gid in the rootkit identification range is 2^32 - 1.
7. A detection system for rootkits, comprising:
the calling module is used for calling and storing the appointed information of the system to be protected;
the identification detection module is used for setting a rootkit identification range according to the user uid/gid value range, traversing the rootkit identification range, and judging whether the identification of the system to be protected exceeds the rootkit identification range, wherein the rootkit identification adopts a magic id;
the appointed information comparison module is used for calling the appointed information of the system to be protected again if the identification of the system to be protected lies within the rootkit identification range, comparing it with the stored appointed information, and judging that the system is infected by the rootkit if the two pieces of information differ, that is, the magic id used by an attacker when executing malicious operations in the infected system has been found;
the judging module is used for judging that the system is not infected by the rootkit if the rootkit identification range has been fully traversed and the magic id used by an attacker when executing malicious operations in the infected system has not been found, that is, the identification of the system to be protected exceeds the rootkit identification range;
the magic id adopts a magic uid/gid, the uid/gid being set to a value that does not exist in the current system and cannot be used under normal conditions, which an attacker uses when executing malicious operations.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements a detection method for rootkit according to any of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements a detection method for rootkit according to any of claims 1 to 6.
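As an added example that is not part of the patent, the following C program implements the traversal of claims 1 to 6 as a userspace probe for Linux. It assumes what the claims leave open: that the "appointed information" is the probe's own effective uid/gid, that the triggering call is setuid()/setgid() with the candidate id as argument, and that each probe runs in a forked child so the scanner's own credentials are never modified; the range bounds are parameters because forking once per id across the full range up to 2^32 - 1 is impractically slow.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
enum { PROBE_CLEAN = 0, PROBE_SUSPICIOUS = 1, PROBE_ERROR = 2 }; /* child exit status */
/* Probe one candidate in a forked child so the scanner's own credentials stay
 * intact. Assumed, not stated in the patent: the "appointed information" is the
 * probe's effective uid/gid and the trigger is setuid()/setgid(candidate). */
static int probe_magic_id(unsigned long long candidate, int is_gid)
{
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) {
        uid_t euid_before = geteuid();
        gid_t egid_before = getegid();
        int rc = is_gid ? setgid((gid_t)candidate) : setuid((uid_t)candidate);
        uid_t euid_after = geteuid();
        gid_t egid_after = getegid();
        /* Legitimate: the call failed and nothing changed, or it succeeded and the
         * id is exactly the candidate. A hook handing out another id (e.g. 0) is
         * the "information differs" case of claim 1. */
        int clean;
        if (rc != 0)
            clean = (euid_after == euid_before && egid_after == egid_before);
        else if (is_gid)
            clean = (egid_after == (gid_t)candidate && euid_after == euid_before);
        else
            clean = (euid_after == (uid_t)candidate && egid_after == egid_before);
        _exit(clean ? PROBE_CLEAN : PROBE_SUSPICIOUS);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status);
}
/* Traverse [start, end] as the identification range. Returns the first suspicious
 * candidate, or -1 once the range is exhausted (claim 1's "not infected" verdict). */
long long scan_magic_range(unsigned long long start, unsigned long long end, int is_gid)
{
    for (unsigned long long id = start; id <= end; id++)
        if (probe_magic_id(id, is_gid) == PROBE_SUSPICIOUS) return (long long)id;
    return -1;
}
int main(void)
{   /* Small windows at the start of the claimed uid (65536..) and gid (0..) ranges. */
    long long u = scan_magic_range(65536ULL, 65536ULL + 63, 0);
    long long g = scan_magic_range(0ULL, 63ULL, 1);
    printf("uid: %s, gid: %s\n", u < 0 ? "clean" : "suspicious", g < 0 ? "clean" : "suspicious");
    return (u >= 0 || g >= 0) ? 1 : 0;
}
```

On a clean host both scans return -1 whether the probe runs as root (each call succeeds and yields exactly the candidate) or unprivileged (each call fails with EPERM and nothing changes).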
CN202310189733.3A 2023-02-23 2023-02-23 Detection method and system for rootkit Active CN116305122B (en)

Publications (2)

Publication Number Publication Date
CN116305122A CN116305122A (en) 2023-06-23
CN116305122B true CN116305122B (en) 2023-10-24

Family

ID=86780887

Country Status (1)

Country Link
CN (1) CN116305122B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7647636B2 (en) * 2005-08-24 2010-01-12 Microsoft Corporation Generic RootKit detector
US20080016571A1 (en) * 2006-07-11 2008-01-17 Larry Chung Yao Chang Rootkit detection system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant