CN117150487A - Dynamic link library file injection detection method and device - Google Patents
Dynamic link library file injection detection method and device Download PDFInfo
- Publication number
- CN117150487A CN117150487A CN202310926684.7A CN202310926684A CN117150487A CN 117150487 A CN117150487 A CN 117150487A CN 202310926684 A CN202310926684 A CN 202310926684A CN 117150487 A CN117150487 A CN 117150487A
- Authority
- CN
- China
- Prior art keywords
- thread
- dynamic link
- link library
- library file
- remote
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000002347 injection Methods 0.000 title claims abstract description 98
- 239000007924 injection Substances 0.000 title claims abstract description 98
- 238000001514 detection method Methods 0.000 title claims abstract description 26
- 238000000034 method Methods 0.000 claims abstract description 228
- 230000008569 process Effects 0.000 claims abstract description 180
- 230000006870 function Effects 0.000 claims description 58
- 238000004590 computer program Methods 0.000 claims description 12
- 230000002159 abnormal effect Effects 0.000 claims description 11
- 239000000243 solution Substances 0.000 description 10
- 241000700605 Viruses Species 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 2
- 230000001960 triggered effect Effects 0.000 description 2
- 101150093240 Brd2 gene Proteins 0.000 description 1
- 208000032826 Ring chromosome 3 syndrome Diseases 0.000 description 1
- 239000008186 active pharmaceutical agent Substances 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000007480 spreading Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
Abstract
The application provides a method and a device for detecting file injection of a dynamic link library. The method comprises the following steps: under the condition that the first process is determined to inject a dynamic link library file into the second process by creating a remote thread, obtaining a thread context corresponding to the remote thread; the thread context is used for representing the position relation of the remote thread in the second process; the first process is a process which is operated by the operating system and used for triggering the creation of the remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of the remote thread in the second process; and determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread. According to the method for detecting the injection of the dynamic link library file, provided by the application, the injection data of the remote thread can be rapidly detected, so that the detection efficiency and accuracy of the injection data of the remote thread are effectively improved.
Description
Technical Field
The application relates to the field of network security, in particular to a method and a device for detecting file injection of a dynamic link library. In addition, the application also relates to an electronic device and a processor readable storage medium.
Background
Currently, DLL (Dynamic Link Library ) injection techniques are widely used in the field of software security, which can perform some repair, expansion, enhancement, etc. on an original program without modifying it. However, in practical applications, some viruses use DLL injection technology to hide themselves, so as to achieve the purpose of running in legal processes, so that the viruses are difficult to detect and clear by antivirus software and security software, and in addition, the viruses can be injected into software of financial institutions such as banks, and the like, so as to steal account information of victims and other sensitive information. Aiming at the problem of virus injection by DLL, the prior art generally monitors and creates remote requests by hooking a target process CreateRemoteThread function in Ring3, but the hook is easily bypassed by virus codes, so that the actual detection precision and efficiency are poor.
Disclosure of Invention
Therefore, the application provides a method and a device for detecting the injection of the dynamic link library file, which are used for solving the defect of poor detection precision and efficiency of the dynamic link library file injection detection scheme in the prior art.
In a first aspect, the present application provides a method for detecting injection of a dynamic link library file, including:
under the condition that the first process is determined to inject a dynamic link library file into the second process by creating a remote thread, acquiring a thread context corresponding to the remote thread; the first process is a process which is operated by the operating system and used for triggering the creation of a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of a remote thread in the second process;
and determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread.
Further, under the condition that it is determined that the first process injects the dynamic link library file into the second process by creating the remote thread, the method for obtaining the thread context corresponding to the remote thread specifically includes:
triggering a callback function of an operating system to be called under the condition that a first process is determined to inject a dynamic link library file into a second process by creating a remote thread, searching a corresponding KTRAP_FRAME data structure in the calling process of the callback function, and acquiring a thread context corresponding to the remote thread from the KTRAP_FRAME data structure;
wherein the ktrap_frame data structure is a structure filled in the thread initial stack by the operating system for saving the thread context.
Further, the thread context includes a thread start address and a thread parameter; the dynamic link library file stores an export table; the export table is used for recording export information of the dynamic link library, and the export information comprises information corresponding to thread parameters;
the determining, based on the thread context corresponding to the remote thread, the target location of the dynamic link library file injection specifically includes:
and inquiring memory information recorded by a virtual address descriptor corresponding to a thread starting address in the thread context, traversing an export table of the dynamic link library file under the condition that the memory information comprises the dynamic link library file so as to read a character string corresponding to the thread parameter, wherein the character string is used for representing an injection path of the dynamic link library file, and determining an injection target position based on the injection path corresponding to the character string.
Further, before determining that the first process injects the dynamic link library file into the second process by creating the remote thread, the method further includes:
acquiring a request for creating a thread, which is sent by the first process to the second process;
in the event that the thread requesting creation is a remote thread, it is determined that the first process is currently about to inject a dynamic link library file into the second process through the remote thread.
Further, after determining the target location of the dynamic link library file injection, the method further comprises:
and triggering to call an NtTerminateThread function to prevent the first process from injecting the dynamic link library file into the second process by creating a remote thread under the condition that the injection path of the dynamic link library file is abnormal and/or the thread starting address in the thread context is abnormal.
Further, before triggering the call-back function of the operating system, the method further comprises the steps of: registering the callback function based on a PsSetCreateThreadInf iotafRoutine function of the operating system in advance;
and triggering the remote thread to switch from a user state to a kernel state under the condition that the remote thread needs to execute and call the callback function, and storing the thread context of the user state into a KTRAP_FRAME data structure.
In a second aspect, in the case that the remote thread needs to execute and call the callback function, the present application provides a device for detecting injection of a dynamic link library file, including:
a thread context obtaining unit, configured to obtain a thread context corresponding to a remote thread when it is determined that a first process injects a dynamic link library file into a second process by creating the remote thread; the first process is a process which is operated by the operating system and used for triggering the creation of a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of a remote thread in the second process;
and the injection detection unit is used for determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread.
Further, the thread context obtaining unit is specifically configured to:
triggering a callback function of an operating system to be called under the condition that a first process is determined to inject a dynamic link library file into a second process by creating a remote thread, searching a corresponding KTRAP_FRAME data structure in the calling process of the callback function, and acquiring a thread context corresponding to the remote thread from the KTRAP_FRAME data structure;
wherein the ktrap_frame data structure is a structure filled in the thread initial stack by the operating system for saving the thread context.
Further, the thread context includes a thread start address and a thread parameter; the dynamic link library file stores an export table; the export table is used for recording export information of the dynamic link library, and the export information comprises information corresponding to thread parameters;
the injection detection unit is specifically configured to:
and inquiring memory information recorded by a virtual address descriptor corresponding to a thread starting address in the thread context, traversing an export table of the dynamic link library file under the condition that the memory information comprises the dynamic link library file so as to read a character string corresponding to the thread parameter, wherein the character string is used for representing an injection path of the dynamic link library file, and determining an injection target position based on the injection path corresponding to the character string.
Further, before determining that the first process injects the dynamic link library file into the second process by creating the remote thread, the method further includes:
a remote thread detection unit, configured to obtain a request for creating a thread sent by the first process to the second process; in the event that the thread requesting creation is a remote thread, it is determined that the first process is currently about to inject a dynamic link library file into the second process through the remote thread.
Further, after determining the target location of the dynamic link library file injection, the method further comprises:
and the exception handling unit is used for triggering and calling an NtTerminateThread function to prevent the first process from injecting the dynamic link library file into the second process in a mode of creating a remote thread under the condition that the injection path of the dynamic link library file is determined to be abnormal and/or the thread starting address in the thread context is determined to be abnormal.
Further, before triggering the call-back function of the operating system, the method further comprises the steps of: a callback registration unit, configured to register the callback function in advance based on a pssetcreatethreadnetrifyroutine function of the operating system;
and triggering the remote thread to switch from a user state to a kernel state under the condition that the remote thread needs to execute and call the callback function, and storing the thread context of the user state into a KTRAP_FRAME data structure.
In the event that the remote thread needs to execute the call to the callback function.
In a third aspect, the present application also provides an electronic device, including: memory, a processor and a computer program stored on the memory and executable on the processor, the processor executing the computer program implementing the steps of the method for dynamically linked library file injection detection as described in any one of the above.
In a fourth aspect, the present application also provides a processor readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method for dynamically linking library file injection detection as described in any one of the above.
According to the method for detecting the injection of the dynamic link library file, under the condition that the first process injects the dynamic link library file into the second process by creating the remote thread, the thread context corresponding to the remote thread is obtained and used for representing the position relation of the remote thread in the second process, and then the injection path of the dynamic link library file is determined based on the thread context corresponding to the remote thread, so that the injection data of the remote thread can be detected rapidly, and the detection efficiency and accuracy of the injection data of the remote thread are improved effectively.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following description will briefly describe the drawings that are required to be used in the embodiments or the prior art, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without any inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for detecting injection of a dynamic link library file according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an application flow of a method for detecting injection of a dynamic link library file according to an embodiment of the present application;
FIG. 3 is a flow chart of remote thread injection provided by an embodiment of the present application;
FIG. 4 is a schematic flow diagram of a system call provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a device for detecting injection of a dynamic link library file according to an embodiment of the present application;
fig. 6 is a schematic diagram of an entity structure of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which are derived by a person skilled in the art from the embodiments according to the application without creative efforts, fall within the protection scope of the application.
It should be noted that the terms "first," "second," and the like in the description of the present application and the above-described figures are used for distinguishing between similar users and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The following describes embodiments of the method for detecting injection of dynamic link library files according to the present application. As shown in fig. 1, a flow chart of a method for detecting injection of a dynamic link library file according to an embodiment of the present application includes the following steps:
step 101: under the condition that a first process injects a dynamic link library file into a second process in a remote thread creation mode, acquiring a thread context corresponding to the remote thread, wherein the first process is a process which is operated by an operating system and used for triggering to create a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used to represent the positional relationship of remote threads in the second process.
In an operating system, many applications are not a complete executable file, which is partitioned into relatively independent dynamically linked library files, i.e., DLL files, that are placed in the operating system. When executing a certain application program, the corresponding DLL file is called. The same application may correspond to multiple processes, and a process may involve execution of one or more applications. Wherein a thread is the execution unit of a process. A process may contain multiple threads, each of which may execute concurrently, sharing memory space and other resources of the same process. In one process (e.g., a first process), a CreateRemoteThread function is typically called (creates a remote thread) to load its own dynamically linked library file in another process (e.g., a second process) for the purpose of running its own code in the other process.
In the embodiment of the application, a request for creating a thread sent by the first process to the second process needs to be acquired in advance, and in the case that the thread requiring creation is a remote thread, it is determined that the first process is about to inject a dynamic link library (DLL, dynamic Link Library) file into the second process through the remote thread. The thread context includes a thread start address and a thread parameter. The first process may be a plurality of processes corresponding to malicious applications, and the second process may be a process corresponding to normal applications to be protected. The remote thread is a thread created by one process (e.g., a first process) in another process (e.g., a second process), and may typically be implemented by invoking a WinPE CreateRemoteThread function.
In particular, for convenience in describing the solution of the present application, a typical attacked scenario, i.e. thread injection, is provided herein. Thread injection is the process of inserting/injecting code into a running process. The injected code exists in the form of a Dynamic Link Library (DLL) file, and it is necessary to identify whether the injected code is malicious code or normal code. As shown in fig. 3, the entire thread injection flow may be divided into the following parts: firstly, opening a target process and acquiring a process handle; remotely distributing a memory; writing a Dll file (evil. Dll) path to be injected into the memory applied above; obtaining a kernel32.Dll module address; obtaining a LoadLibrary address of a derived function; creating a remote thread (which triggers a kernel thread callback function) for the target address; the thread executes LoadLibrary load evil. This portion of content is not a typical attacked scenario to provide for the creation of remote threads across processes for later detection. Aiming at the injection scene, under the condition that the first process is determined to inject the dynamic link library file into the second process by creating the remote thread, triggering and calling a callback function of the operating system, intercepting an event of creating the remote thread across processes based on the thread callback function, searching a corresponding KTRAP_FRAME data structure in the calling process of the callback function, and acquiring a thread context corresponding to the remote thread from the KTRAP_FRAME data structure. The ktrap_frame data structure is a data structure that is filled by the operating system in the thread initial stack pointed to by the initial stack pointer field of the kernel thread structure at the time of creating the remote thread to save the thread context. It should be noted that, in the process of calling the callback function by the thread, the callback function is realized by calling the pssetcreatethreadnetrifyroutin function. The PsSetCreateThreadInf-Routine function is an API provided by the open of the operating system, the driver registers a callback function with the PstCreateThreadInf-Routine function, and then the operating system calls the callback function to realize when creating a remote thread and deleting the remote thread. The thread context is the remote thread context that is to be created obtained when the callback function is called.
To explain more clearly how the thread context of the remote thread to be created is obtained in the callback function being called, as shown in fig. 4, a general flow of a system call is first provided: when a thread needs to use an operating system call, it will switch from the user state to the kernel state, in which the thread context of the user state thread is saved (the thread context structure is described by the ktrap_frame structure, saved on the current stack), the operating system call service routine will perform the required operations and return the results to the user state program, finally the thread context is restored, and the program continues to run in the user state, call flow, as shown in fig. 4 below. In the embodiment of the application, after the thread is created in the operating system, the operating system allocates a user mode stack and a kernel mode stack for the thread and switches the thread context of the remote thread to the user mode stack, so that the thread starts executing. To enable the remote thread to return correctly to the application layer and for him to execute at the target address (i.e. user-state address), the operating system will fill the user-layer address and parameters to be returned into the thread initial stack (KTHREAD- > InitialStack, structure ktrap_frame). The EAX (RCX under x 64) register stores the user state address (i.e., thread start address) of the thread to be executed, and the EBX (RDX under x 64) register stores the thread parameter (i.e., thread path parameter). The thread initial stack is a stack of user mode stacks for executing the remote thread.
Step 102: and determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread.
Specifically, by querying memory information recorded by a virtual address descriptor corresponding to a thread start address in the thread context, and under the condition that the memory information includes a dynamic link library file, traversing an export table of the dynamic link library file to read a character string corresponding to the thread parameter. The character string is used for representing the injection path of the dynamic link library file, and determining the injection target position based on the injection path corresponding to the character string. For example: by querying a Virtual Address Descriptor (VAD) corresponding to a thread start address, obtaining whether the corresponding memory information is a kernel32.Dll module (i.e. a dynamic link library file), and then traversing the export table of the kernel32.Dll module to determine whether the function to be executed is loadlibrary yw, if so, the parameter must be a character string, and by reading the character string, the path (i.e. Dll path) to be injected into the Dll file can be determined. In addition, a malicious application program can inject a segment of shellcode into a corresponding process to execute, and key codes of the segment of shellcode are encrypted and executed by thread parameter decryption, wherein the thread parameter can provide effective information for security operation analysts. That is, when creating a thread, the operating system fills a ktrap_frame structure in the thread initial stack pointed by the KTHREAD- > InitialStack field, where the ktrap_frame structure stores a thread start address and a thread parameter pointing to the thread start location. Wherein KTHREAD is a thread control block structure in the operating system kernel for saving and managing thread related information. Each thread has a KTHREAD structure corresponding to it. The ETHREAD structure is also an important structure in the operating system kernel, which represents an external representation of the thread object. Each operating system thread has an ETHREAD object corresponding to it. The ETHREAD structure contains some information related to thread execution, such as thread state, priority, etc., and also contains some information related to processes, such as pointers to the process to which it belongs. The ETHREAD structure also contains pointers to the kernel stack and fields such as register values saved during context switch, which are important in the thread scheduling process. Both KTHREAD and ETHREAD are constructs in the operating system kernel that represent threads in execution and their associated threads of execution. The relationship between them is: the_ethread structure comprises the_kthread structure as one of its members. That is, each_ethread instance corresponds to one_kthread instance. InitialStack is used to hold the initial stack pointer for the kernel thread. Ktrap_frame is a data structure in the operating system that holds the execution state transferred to the kernel due to an interrupt or system call. Self trap (trap) refers to that when some specific events occur in the computer operating system, the processor pauses the execution of the current process, and transfers control to the operating system kernel for processing, and the processor saves the current execution site into ktrap_frame. The Dll path is used for representing a target position of dynamic link library file input. The thread start address is an address pointing to a remote thread start location. The Export Table is used for recording Export information of the dynamic link library, the Export information comprises information corresponding to thread parameters, and the main component in the Export Table (Export Table) is a Table, such as an included function name, an output ordinal number, information corresponding to the thread parameters and the like. Where ordinal is a 16-bit number that specifies a function in the DLL, unique in the DLL file pointed to.
Further, after determining the target location of injection of the dynamically linked library file, and in the event that the injection path of the dynamically linked library file is determined to be abnormal and/or the thread start address in the thread context is determined to be abnormal, a call to an ntterminatateteread function may be triggered to prevent the first process from injecting the dynamically linked library file to the second process by creating a remote thread. In addition, in the event that a thread start address in the thread context is determined to be abnormal, a call to an NtTerminateThread function is triggered to prevent the first process from injecting a dynamically linked library file into the second process by creating a remote thread. As shown in fig. 2, when a malicious application remote thread injects a DLL file into a normal application, the thread creation event may be intercepted by calling a callback (pssetcreateatthrough thread) function, and then detecting the injection of the DLL file in the context of this callback function. The method comprises the steps of analyzing the created thread by using a thread callback mechanism provided by an operating system kernel to detect the creation of a remote thread, checking a module function and a thread parameter of an execution thread starting address, and effectively preventing Trojan horse viruses from being injected into legal processes through the remote thread. The thread start address analysis of the remote thread to be created and executed can be obtained according to the application through the preset safety software (such as an arbitration engine) whether the thread path parameters of the legal module are legal or not, so that the Trojan horse virus is effectively prevented from being injected into the legal process through the remote thread, and the malicious code is prevented from spreading.
According to the method for detecting the injection of the dynamic link library file, under the condition that the first process injects the dynamic link library file into the second process by creating the remote thread, the thread context corresponding to the remote thread is obtained and used for representing the position relation of the remote thread in the second process, and then the injection path of the dynamic link library file is determined based on the thread context corresponding to the remote thread, so that the injection data of the remote thread can be detected rapidly, and the detection efficiency and accuracy of the injection data of the remote thread are improved effectively.
Corresponding to the method for detecting the injection of the dynamic link library file, the application also provides a device for detecting the injection of the dynamic link library file. Since the embodiment of the apparatus is similar to the method embodiment described above, the description is relatively simple, and the description of the embodiment of the method section described above is merely illustrative of the embodiment of the dynamically linked library file injection detection apparatus described below. Fig. 5 is a schematic structural diagram of a device for detecting file injection of a dynamic link library according to an embodiment of the present application.
The application relates to a dynamic link library file injection detection device, which specifically comprises the following parts:
a thread context obtaining unit 501, configured to obtain a thread context corresponding to a remote thread when determining that a first process injects a dynamic link library file into a second process by creating the remote thread; the first process is a process which is operated by the operating system and used for triggering the creation of a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of a remote thread in the second process;
and the injection detection unit 502 is configured to determine a target location of the injection of the dynamically linked library file based on a thread context corresponding to the remote thread.
Further, the thread context obtaining unit is specifically configured to:
triggering a callback function of an operating system to be called under the condition that a first process is determined to inject a dynamic link library file into a second process by creating a remote thread, searching a corresponding KTRAP_FRAME data structure in the calling process of the callback function, and acquiring a thread context corresponding to the remote thread from the KTRAP_FRAME data structure;
wherein the ktrap_frame data structure is a structure filled in the thread initial stack by the operating system for saving the thread context.
Further, the thread context includes a thread start address and a thread parameter; the dynamic link library file stores an export table; the export table is used for recording export information of the dynamic link library, and the export information comprises information corresponding to thread parameters;
the injection detection unit is specifically configured to:
and inquiring memory information recorded by a virtual address descriptor corresponding to a thread starting address in the thread context, traversing an export table of the dynamic link library file under the condition that the memory information comprises the dynamic link library file so as to read a character string corresponding to the thread parameter, wherein the character string is used for representing an injection path of the dynamic link library file, and determining an injection target position based on the injection path corresponding to the character string.
Further, before determining that the first process injects the dynamic link library file into the second process by creating the remote thread, the method further includes:
a remote thread detection unit, configured to obtain a request for creating a thread sent by the first process to the second process; in the event that the thread requesting creation is a remote thread, it is determined that the first process is currently about to inject a dynamic link library file into the second process through the remote thread.
Further, after determining the target location of the dynamic link library file injection, the method further comprises:
and the exception handling unit is used for triggering and calling an NtTerminateThread function to prevent the first process from injecting the dynamic link library file into the second process in a mode of creating a remote thread under the condition that the injection path of the dynamic link library file is determined to be abnormal and/or the thread starting address in the thread context is determined to be abnormal.
Further, before triggering the call-back function of the operating system, the method further comprises the steps of: a callback registration unit, configured to register the callback function in advance based on a pssetcreatethreadnetrifyroutine function of the operating system; and triggering the remote thread to switch from a user state to a kernel state under the condition that the remote thread needs to execute and call the callback function, and storing the thread context of the user state into a KTRAP_FRAME data structure.
Under the condition that the remote thread needs to execute and call the callback function, the dynamic link library file injection detection device of the embodiment of the application obtains the thread context corresponding to the remote thread under the condition that the first process injects the dynamic link library file into the second process by creating the remote thread, wherein the thread context is used for representing the position relation of the remote thread in the second process, and further determines the injection path of the dynamic link library file based on the thread context corresponding to the remote thread, so that the injection data of the remote thread can be detected rapidly, and the detection efficiency and accuracy of the injection data of the remote thread are improved effectively.
Corresponding to the method for detecting the injection of the dynamic link library file, the application also provides electronic equipment. Since the embodiments of the electronic device are similar to the method embodiments described above, the description is relatively simple, and reference should be made to the description of the method embodiments described above, and the electronic device described below is merely illustrative. Fig. 6 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present application. The electronic device may include: a processor (processor) 601, a memory (memory) 602, and a communication bus 603, wherein the processor 601, the memory 602, and the communication bus 603 are used to communicate with each other and with the outside through a communication interface 604. The processor 601 may invoke logic instructions in the memory 302 to perform a dynamically linked library file injection detection method comprising: under the condition that the first process is determined to inject a dynamic link library file into the second process by creating a remote thread, acquiring a thread context corresponding to the remote thread; the first process is a process which is operated by the operating system and used for triggering the creation of a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of a remote thread in the second process; and determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread.
Further, the logic instructions in the memory 602 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a Memory chip, a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In another aspect, embodiments of the present application further provide a computer program product, where the computer program product includes a computer program stored on a storage medium readable by a processor, and the computer program includes program instructions, when the program instructions are executed by a computer, for executing the method for detecting injection of a dynamic link library file provided by the above method embodiments. The method comprises the following steps: under the condition that the first process is determined to inject a dynamic link library file into the second process by creating a remote thread, acquiring a thread context corresponding to the remote thread; the first process is a process which is operated by the operating system and used for triggering the creation of a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of a remote thread in the second process; and determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread.
In yet another aspect, an embodiment of the present application further provides a processor readable storage medium, where a computer program is stored, where the computer program is implemented when executed by a processor to perform the method for detecting injection of a dynamic link library file provided in the foregoing embodiments. The method comprises the following steps: under the condition that the first process is determined to inject a dynamic link library file into the second process by creating a remote thread, acquiring a thread context corresponding to the remote thread; the first process is a process which is operated by the operating system and used for triggering the creation of a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of a remote thread in the second process; and determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread.
The processor-readable storage medium may be any available medium or data storage device that can be accessed by a processor, including, but not limited to, magnetic storage (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical storage (e.g., CD, DVD, BD, HVD, etc.), semiconductor storage (e.g., ROM, EPROM, EEPROM, nonvolatile storage (NAND FLASH), solid State Disk (SSD)), and the like.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present application without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (10)
1. The method for detecting the injection of the dynamic link library file is characterized by comprising the following steps:
under the condition that the first process is determined to inject a dynamic link library file into the second process by creating a remote thread, acquiring a thread context corresponding to the remote thread; the first process is a process which is operated by the operating system and used for triggering the creation of a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of a remote thread in the second process;
and determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread.
2. The method for detecting injection of a dynamic link library file according to claim 1, wherein, in the case that it is determined that the first process injects the dynamic link library file into the second process by creating a remote thread, obtaining a thread context corresponding to the remote thread specifically includes:
triggering a callback function of an operating system to be called under the condition that a first process is determined to inject a dynamic link library file into a second process by creating a remote thread, searching a corresponding KTRAP_FRAME data structure in the calling process of the callback function, and acquiring a thread context corresponding to the remote thread from the KTRAP_FRAME data structure;
wherein the ktrap_frame data structure is a structure filled in the thread initial stack by the operating system for saving the thread context.
3. The method of claim 1, wherein the thread context includes a thread start address and a thread parameter; the dynamic link library file stores an export table; the export table is used for recording export information of the dynamic link library, and the export information comprises information corresponding to thread parameters;
the determining, based on the thread context corresponding to the remote thread, the target location of the dynamic link library file injection specifically includes:
and inquiring memory information recorded by a virtual address descriptor corresponding to a thread starting address in the thread context, traversing an export table of the dynamic link library file under the condition that the memory information comprises the dynamic link library file so as to read a character string corresponding to the thread parameter, wherein the character string is used for representing an injection path of the dynamic link library file, and determining an injection target position based on the injection path corresponding to the character string.
4. The method according to claim 1, further comprising, before determining that the first process injects the dynamic link library file into the second process by creating the remote thread:
acquiring a request for creating a thread, which is sent by the first process to the second process;
in the event that the thread requesting creation is a remote thread, it is determined that the first process is currently about to inject a dynamic link library file into the second process through the remote thread.
5. The method for detecting injection of a dynamic link library file according to claim 1, further comprising, after determining a target location of the injection of the dynamic link library file:
and triggering to call an NtTerminateThread function to prevent the first process from injecting the dynamic link library file into the second process by creating a remote thread under the condition that the injection path of the dynamic link library file is abnormal and/or the thread starting address in the thread context is abnormal.
6. The method for detecting injection of dynamic link library files according to claim 2, wherein before triggering calling of the callback function of the operating system in the case that it is determined that the first process injects the dynamic link library file into the second process by creating the remote thread, the method further comprises:
registering the callback function based on a PsSetCreateThreadInf iotafRoutine function of the operating system in advance;
and triggering the remote thread to switch from a user state to a kernel state under the condition that the remote thread needs to execute and call the callback function, and storing the thread context of the user state into a KTRAP_FRAME data structure.
7. A dynamic link library file injection detection apparatus, comprising:
a thread context obtaining unit, configured to obtain a thread context corresponding to a remote thread when it is determined that a first process injects a dynamic link library file into a second process by creating the remote thread; the first process is a process which is operated by the operating system and used for triggering the creation of a remote thread request, and the second process is a process which is operated by the operating system and used for receiving the remote thread creation request; the thread context is used for representing the position relation of a remote thread in the second process;
and the injection detection unit is used for determining the target position of the dynamic link library file injection based on the thread context corresponding to the remote thread.
8. The apparatus for detecting dynamic link library file injection according to claim 7, wherein the thread context obtaining unit is specifically configured to:
triggering a callback function of an operating system to be called under the condition that a first process is determined to inject a dynamic link library file into a second process by creating a remote thread, searching a corresponding KTRAP_FRAME data structure in the calling process of the callback function, and acquiring a thread context corresponding to the remote thread from the KTRAP_FRAME data structure;
wherein the ktrap_frame data structure is a structure filled in the thread initial stack by the operating system for saving the thread context.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the dynamically linked library file injection detection method of any one of claims 1 to 6 when the computer program is executed.
10. A processor readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the dynamically linked library file injection detection method of any of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310926684.7A CN117150487A (en) | 2023-07-26 | 2023-07-26 | Dynamic link library file injection detection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310926684.7A CN117150487A (en) | 2023-07-26 | 2023-07-26 | Dynamic link library file injection detection method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117150487A true CN117150487A (en) | 2023-12-01 |
Family
ID=88897639
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310926684.7A Pending CN117150487A (en) | 2023-07-26 | 2023-07-26 | Dynamic link library file injection detection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117150487A (en) |
-
2023
- 2023-07-26 CN CN202310926684.7A patent/CN117150487A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3123311B1 (en) | Malicious code protection for computer systems based on process modification | |
| US10460099B2 (en) | System and method of detecting malicious code in files | |
| US7631249B2 (en) | Dynamically determining a buffer-stack overrun | |
| EP3039608B1 (en) | Hardware and software execution profiling | |
| US7631196B2 (en) | Method and apparatus for loading a trustable operating system | |
| CN107690645B (en) | Behavioral malware detection using interpreter virtual machines | |
| US9195823B1 (en) | System and method for intercepting process creation events | |
| US6550060B1 (en) | Method and system for dynamic injection of dynamic link libraries into a windowed operating system | |
| US7526516B1 (en) | System and method for file integrity monitoring using timestamps | |
| US7581089B1 (en) | Method of protecting a computer stack | |
| US7797702B1 (en) | Preventing execution of remotely injected threads | |
| US20070113291A1 (en) | Method for administrating the function access | |
| WO2015113052A1 (en) | Detecting and preventing execution of software exploits | |
| JP6370098B2 (en) | Information processing apparatus, information processing monitoring method, program, and recording medium | |
| US20080028180A1 (en) | Inappropriate access detector based on system segmentation faults | |
| CN108898012B (en) | Method and apparatus for detecting illegal program | |
| EP2228722A1 (en) | System and method for file integrity monitoring using timestamps | |
| CN113176926A (en) | API dynamic monitoring method and system based on virtual machine introspection technology | |
| US11847222B2 (en) | System and method for preventing unwanted bundled software installation | |
| US7784063B2 (en) | Method and apparatus for system caller authentication | |
| CN113792299B (en) | Method for protecting Linux system based on ftrace technology | |
| CN117150487A (en) | Dynamic link library file injection detection method and device | |
| EP3293660A1 (en) | System and method of detecting malicious code in files | |
| CN116775147B (en) | Executable file processing method, device, equipment and storage medium | |
| RU2700185C1 (en) | Method for detecting hidden software in a computing system operating under a posix-compatible operating system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |