CN117725577A - Method and device for breaking through malicious software protection through memory management unit - Google Patents
Method and device for breaking through malicious software protection through memory management unit Download PDFInfo
- Publication number
- CN117725577A CN117725577A CN202311640794.3A CN202311640794A CN117725577A CN 117725577 A CN117725577 A CN 117725577A CN 202311640794 A CN202311640794 A CN 202311640794A CN 117725577 A CN117725577 A CN 117725577A
- Authority
- CN
- China
- Prior art keywords
- file
- name
- array
- preset
- task
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 153
- 230000008569 process Effects 0.000 claims abstract description 102
- 230000007246 mechanism Effects 0.000 claims abstract description 33
- 238000001914 filtration Methods 0.000 claims abstract description 28
- 238000001514 detection method Methods 0.000 claims abstract description 24
- 238000012544 monitoring process Methods 0.000 claims abstract description 11
- 230000006870 function Effects 0.000 claims description 33
- 238000003491 array Methods 0.000 claims description 4
- 230000001680 brushing effect Effects 0.000 claims description 3
- 238000010586 diagram Methods 0.000 description 9
- 244000035744 Hura crepitans Species 0.000 description 7
- 230000006399 behavior Effects 0.000 description 6
- 238000004891 communication Methods 0.000 description 6
- 238000004458 analytical method Methods 0.000 description 5
- 238000004590 computer program Methods 0.000 description 5
- 230000000694 effects Effects 0.000 description 5
- 230000009286 beneficial effect Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000013507 mapping Methods 0.000 description 2
- 241001522296 Erithacus rubecula Species 0.000 description 1
- 241000282326 Felis catus Species 0.000 description 1
- 239000008186 active pharmaceutical agent Substances 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 239000012634 fragment Substances 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a method and a device for breaking through malicious software protection through a memory management unit, wherein the method comprises the following steps: determining a process filtering mechanism according to the malicious software characteristics, generating an image file according to the process filtering mechanism, and inputting the image file into a terminal image; monitoring file characteristics of key detection codes in target applications based on the image files; when the occurrence of the file characteristics is monitored, the processes in the target application are filtered through a process filtering mechanism. The invention solves the problem that the protection mechanism of malicious software is difficult to break through effectively.
Description
Technical Field
The present invention relates to the field of mobile security, and in particular, to a method and apparatus for breaking through protection of malicious software by using a memory management unit.
Background
With the widespread use of mobile devices and the rapid development of the mobile internet, mobile security issues are increasingly receiving attention. Malware has become a major factor threatening the security of mobile devices, with some advanced malware having a self-protection mechanism to avoid software detection and analysis by security personnel.
Researchers and security analysts often use debugging techniques in order to gain insight into the internal behavior of malware. The debugger may help an analyst examine and modify the program at runtime to reveal malware behavior and attack techniques. However, advanced malware is often provided with anti-debugging techniques that aim to detect, prevent, or mislead debuggers, making analysis more difficult.
Traditional security analysts Pass the detection point of the malicious software through dynamic debugging tools such as ida, and the 'Pass' represents that the detection point successfully bypasses the monitoring of the malicious software. Common detection methods include, but are not limited to, detecting specific processes of the debugger, modifying code in memory to introduce exceptions, detecting debug flags, and calling specific APIs to determine if the program is being debugged, among others, port detection (detecting ports of the dynamic debugger), thread detection (traversing file content of proc/self/task, looking up character features), directory detection (for/data/local/tmp), real file detection (by custom syscall, e.g., open/read/close), etc. Furthermore, with the evolution of mobile operating systems such as Android and iOS, these systems have also introduced a range of security mechanisms such as code signing, application sandboxes and hardware and security features, which have made debugging and analysis of malware more complex.
Disclosure of Invention
The invention provides a method and a device for breaking through malicious software protection through a memory management unit, which solve the problem that a protection mechanism of the malicious software is difficult to break through effectively.
A method of breaking through malware protection by a memory management unit, comprising:
determining a process filtering mechanism according to the malicious software characteristics, generating an image file according to the process filtering mechanism, and inputting the image file into a terminal image;
based on the image file, monitoring file characteristics of key detection codes in the target application;
and when the occurrence of the file characteristics is monitored, the process in the target application is filtered through the process filtering mechanism.
In one embodiment of the present invention, the determining a process filtering mechanism according to the malware features specifically includes: writing the name of the specific task into a preset sequence file; acquiring a process name in the sequence file, storing the process name in a preset array, and detecting whether a specific character string exists in the preset array; if a specific character string exists, replacing the original process name in the preset array; writing the process names in the preset array after the names are replaced into the sequence file; and determining an image file based on the sequence file reconstruction kernel, and brushing the image file into a terminal.
In an embodiment of the present invention, writing the name of the specific task into a preset sequence file specifically includes: calling a task_name function to write the name of a specific task into a preset sequence file; the task_name function accepts two parameters: a sequence file pointer and a task structure pointer; in the task_name function, several character arrays are defined for storing copies of the process names and converting to lower case versions of the process names.
In one embodiment of the present invention, the process name in the obtained sequence file is stored in a preset array, and whether a specific character string exists in the preset array is detected; if a specific character string exists, replacing the original process name in the preset array, wherein the method specifically comprises the following steps: calling a get_task_comm function to acquire a process name of a current process and storing the process name into a preset tcomm array; converting each character in the tcomm array into a lowercase character through circulation, and storing the lowercase character into the my_comm array; checking whether the my_comm array contains a specific character string or not through an if-else statement; if the specific character string is determined to be contained, the strcpy function is called to replace the original process name of the corresponding position in tcomm with the target process name or null character.
In one embodiment of the present invention, after replacing the original process name in the preset array, the method further includes: and calling a seq_puts function to write a 'Name:' character string into a sequence file, and writing a modified process Name into the sequence file.
In one embodiment of the invention, the method further comprises, prior to writing: the string_escape_str function is called to escape the string.
In one embodiment of the present invention, determining an image file based on the sequence file reconstruction kernel specifically includes: reconstructing the kernel through a reconstruction command to generate an image file; the mirror is flushed to the end mirror by the Export target_pre_key command.
An apparatus for breaking through malware protection by a memory management unit, comprising:
the configuration module is used for determining a process filtering mechanism according to the malicious software characteristics, generating an image file according to the process filtering mechanism, and inputting the image file into a terminal image;
the monitoring module is used for monitoring file characteristics of key detection codes in the target application based on the image file;
and the protection module is used for filtering the process in the target application through the process filtering mechanism when the occurrence of the file characteristic is monitored.
An apparatus for breaking through malware protection by a memory management unit, comprising:
at least one processor; and a memory communicatively coupled to the at least one processor via a bus; wherein the memory stores instructions executable by the at least one processor to implement the method of any of the embodiments described above.
A non-volatile storage medium storing computer executable instructions for execution by a processor to implement a method as in any one of the embodiments above.
The invention provides a method and a device for breaking through malicious software protection through a memory management unit, which at least comprise the following beneficial effects: the method provided by the invention improves the detection accuracy of the mobile security software, can effectively identify and fight against complex malicious software behaviors, reduces information leakage and financial loss caused by the malicious software, and enhances the trust degree and the use experience of a user on the mobile equipment; in addition, through deeply analyzing the behavior of the malicious software, security researchers and developers can be better helped to analyze codes of the malicious application of the mobile terminal and conduct effective evidence collection analysis, future security threats can be better predicted and handled, and long-term benefits are provided for the whole mobile security ecological system.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a diagram illustrating a comparison of the modes of running code in kernel mode and user mode according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an Android system architecture provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of a process loading process in a memory according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a mapping process between virtual memory and physical memory managed by an MMU according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of steps of a method for breaking through malware protection by a memory management unit according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating a memory map of a process according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an apparatus for breaking through malware protection through a memory management unit according to an embodiment of the present invention;
fig. 8 is a schematic diagram of an apparatus for breaking through malware protection through a memory management unit according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be clearly and completely described in connection with the following specific embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that those skilled in the art explicitly and implicitly understand that the described embodiments of the invention can be combined with other embodiments without conflict. Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this invention belongs. The terms "a," "an," "the," and similar referents in the context of the invention are not to be construed as limiting the quantity, but rather as singular or plural. The terms "comprising," "including," "having," and any variations thereof, are intended to cover a non-exclusive inclusion; the terms "first," "second," "third," and the like, as used herein, are merely distinguishing between similar objects and not representing a particular ordering of objects.
Some concepts related to the present application are explained below.
Sandboxes (sandbox) are a security technology that allows applications to run in isolated environments to protect other programs and data of a computer from potentially malicious activity.
Mirror (Mirroring) is a form of file storage, a type of redundancy, where data on one disk has an identical copy on another disk, i.e., a mirror. A common image file format is ISO, BIN, IMG, TAO, DAO, CIF, FCD. A "good image" is a pre-configured and packaged operating system image that can be used to create a virtual machine or container, etc. running environment.
Virtual memory space (Virtual Memory Area, VMA) is a technique for computer system memory management that allows an application to assume that it has continuously available memory (a continuous complete address space), while in practice, physical memory is divided into multiple physical memory fragments, portions of which are temporarily stored on external disk storage, and data is exchanged when needed. Most operating systems use virtual memory, such as "virtual memory" of the Windows family, "swap space" of Linux, etc.
The memory management unit (Memory Management Unit, MMU) is a piece of computer hardware responsible for handling memory access requests of a Central Processing Unit (CPU). Its functions include virtual to physical address translation (i.e., virtual memory management), memory protection, control of the central processor cache, etc. MMU is an important component in modern computer operating systems, which can improve system stability and security.
A process identifier (Process Identification, PID) creates a process ID, i.e., PID, for each program opened in the operating system.
Kernel code: the core part of the operating system is responsible for managing hardware resources, executing system calls, and implementing other key functions.
Sequence file: a special type of file may be used to store a series of data items. These data items may be a series of numbers, lines of text, or anything else.
Task structure: the data structure in the kernel representing the process. In the Linux kernel, this structure is commonly referred to as task_struct. It contains all the information about the process, such as its state, priority, address of the code being executed, etc.
In view of the increasing protection capability of malicious software and complex anti-debugging technology, the technical field faces an urgent problem: how to effectively break through the protection mechanisms and deeply analyze the internal behaviors of the malicious software, thereby providing more accurate threat detection and defense strategies. The core for solving the problem is to develop a method or technology which can bypass the anti-debugging strategy of malicious software and can be compatible and adapt to the increasingly updated security mechanism of the mobile operating system.
If the malware detection features are superimposed together, resulting in longer analysis times for malware, the features can be removed by custom kernel-based detection, and we can effectively filter regardless of the detection mode through which the malware passes.
Therefore, the invention provides a method and a device for breaking through the protection of malicious software through a memory management unit. The method can break through a protection mechanism of malicious software, effectively analyze the internal behaviors of the malicious software, and has important significance for improving the safety of mobile equipment.
The feature superposition detection mode requires security personnel to analyze, has low accuracy and low efficiency of detection effect, and needs to be changed along with the feature change of malicious software frequently, so that the invention has no such defects.
The following is a detailed description.
The malicious software is developed by a developer, so that the design and implementation of application layer codes cannot be overcome, the application layer codes can be developed by using c/c++ or java and other high-level languages, and also can be developed by using an inline assembly, a certain security can be improved by using an assembly language of a bottom layer, the codes of a user are operated in a user state space, the kernel codes are operated in a kernel state, and the two modes are mutually independent, as shown in figure 1. Some anti-debug anti-test must be performed by loading the features of the virtual address memory at some point in memory when the code is executed.
Secondly, the Android system architecture consists of 5 parts, namely: linux Kernel, android Runtime, libraries, application Framework and Applications, the structure of which is shown in FIG. 2. The upper layer of the architecture cannot be directly changed by a malicious developer, mainly the code development or the environment of the reflection application and the environment detection of the bottom layer are carried out in the application layer, the running process of the code written by the malicious developer is loaded in the memory as shown in fig. 3, and the malicious application on the android platform increases the strength of reverse engineering, tampering and debugging. In order to deal with preventing security researchers from analyzing, many malicious applications and libraries use obfuscation, encryption and anti-debug techniques or methods using svc calls, making it difficult for researchers to locate detection points. According to the scheme, a special sandbox is built by modifying the bottom Linux Kernel code and injecting an executable file, so that the monitoring and modification of the target application are realized.
Malicious developers can perform anti-debugging by reading the characteristics and process names of the maps file, they can either interval the reading of debugging content by running threads or starting processes by a function in the libc of the application layer or directly execute code by svc instructions, we modify the underlying Linux Kernel code, when a malicious process tries to access an address in its virtual address space, the operating system uses the VMA to determine if this address is valid, what its rights are, and if it has been mapped into physical memory. If the address has been mapped to physical memory, the MMU will use its page table to translate the virtual address to a physical address. If the address is unmapped (e.g., the desired page is currently on disk instead of in RAM), the MMU may trigger a page fault that the operating system may handle, possibly by loading the page from disk into RAM. The operating system uses the VMA in handling virtual address space and page faults, while the MMU provides hardware support to translate virtual addresses to physical addresses, making this process efficient. When a file is associated with a VMA in the MMU (e.g., when the file is mapped to memory), information related to the file is extracted from the VMA. To filter the characteristics of common anti-debug processes or threads and the process characteristics of filtering own executable files, MMU is a key component in modern computer hardware responsible for managing the mapping between virtual memory and physical memory, as shown in fig. 4.
Fig. 5 is a schematic diagram of steps of a method for breaking through malware protection by a memory management unit according to an embodiment of the present invention, which may include the following steps:
s510: and determining a process filtering mechanism according to the malicious software characteristics, generating an image file according to the process filtering mechanism, and inputting the image file into a terminal image.
S520: based on the image file, file characteristics of key detection codes in the target application are monitored.
S530: when the occurrence of the file characteristics is monitored, the processes in the target application are filtered through a process filtering mechanism.
Specifically, when the cat/proc/< PID >/maps command is run on Linux (where < PID > is the PID of the process), the code in the kernel is used to display the memory map of the process, as shown in FIG. 6. The code that shows maps in the kernel is modified by a specific monitoring mechanism that monitors key instrumentation code files (such as frida, xposed and commonly used file system directories/data/local/tmp/etc.) using str functions. To avoid displaying VMAs associated with certain specific files or libraries (e.g., fridas), the file features jump to custom functions for filtering if they occur.
In one embodiment of the invention, the process filtering mechanism is determined according to the characteristics of the malicious software, and specifically comprises the following steps: writing the name of the specific task into a preset sequence file; acquiring a process name in a sequence file, storing the process name in a preset array, and detecting whether a specific character string exists in the preset array; if the specific character string exists, replacing the original process name in the preset array; writing the process names in the preset array after the names are replaced into a sequence file; and determining an image file based on the sequence file reconstruction kernel, and brushing the customized image file into a terminal (such as a mobile phone).
In one embodiment of the present invention, writing the name of the specific task into a preset sequence file specifically includes: calling a task_name function to write the name of a specific task into a preset sequence file; the task_name function accepts two parameters: a sequence file pointer and a task structure pointer; in the task_name function, several character arrays are defined for storing copies of the process names and converting to lower case versions of the process names.
Specifically, the name of a specific task (process) is written into a given sequence file for modifying kernel codes, a custom task_name function accepts a sequence file pointer m and a task structure pointer p as parameters, and several character arrays are defined for storing copies of the process name and characters converted into lower case versions.
In one embodiment of the invention, the process names in the acquired sequence file are stored in a preset array, and whether specific character strings exist in the preset array is detected; if a specific character string exists, replacing an original process name in a preset array, wherein the method specifically comprises the following steps: calling a get_task_comm function to acquire a process name of a current process and storing the process name into a preset tcomm array; converting each character in the tcomm array into a lowercase character through circulation, and storing the lowercase character in the my_comm array; checking whether the my_comm array contains a specific character string or not through an if-else statement; if the specific character string is determined to be contained, the strcpy function is called to replace the original process name of the corresponding position in tcomm with the target process name or null character.
Specifically, the name of the task is obtained using a custom get_task_comm function and stored into a defined tcomm array. Each character in tcomm is converted to a lowercase character in a round robin fashion and the lowercase character is saved to the my_comm array. Through a series of if-else statements, the function checks whether my_comm contains a particular string (e.g. "linjector", "frida", etc.), and if found, replaces the original process name in tcomm with the strcpy function.
In one embodiment of the invention, after the original process Name in the preset array is replaced, the seq_pus function is called to write the 'Name:' character string into the sequence file, and the modified process Name is written into the sequence file.
In one embodiment of the invention, the string_escape_str function is called to escape the string prior to writing.
Specifically, the custom seq_puts function is used to write the "Name:" string into the sequence file, and then the modified tcomm process Name is written into the sequence file. String_escape_str is used to escape the string before writing.
The display/proc/< pid >/maps by command in the kernel is performed by a show_map_vma function, in particular by vma- > vm_file; the return parameter determines whether the VMA is associated with a file. If so, it takes the path of the file and checks whether the path contains some specific strings (e.g.,/data/local/tmp/, frada or frada-gadget). If these strings are included, the function adds a new line in the seq_file structure and jumps to the custom tag and returns empty.
In one embodiment of the present invention, the determining the image file based on the sequence file reconstruction kernel specifically includes: reconstructing the kernel through a reconstruction command to generate an image file; the mirror is flushed to the terminal (e.g., handset) mirror via the Export target_pre_key command.
Specifically, when the above steps are completed, the KERNEL is reconstructed, and the reconstructed KERNEL uses a command build/build.sh, and the ordered mirror image is brushed into the mobile phone mirror image by using ExportTARGET_PREBULTKERNEL=/home/xxx/out/android-msm-pixel-4.9/dist/image.lz4.
The invention completes detection of the sandbox by modifying the kernel code, and the tool enables a reverse security engineer to analyze software in the sandbox environment more easily without worrying about that the software can prevent security personnel from analyzing malicious software through various confusion and anti-debugging. In addition, by knowing how the software detects sandboxes, reverse engineers can better understand the security mechanisms and policies of the software, thereby making security assessments and studies more efficient.
The above method for breaking through malware protection by a memory management unit according to the embodiment of the present invention further provides a corresponding device for breaking through malware protection by a memory management unit based on the same inventive concept, as shown in fig. 7, including:
the configuration module 702 is configured to determine a process filtering mechanism according to the malware characteristics, generate an image file according to the process filtering mechanism, and input the image file into a terminal image;
a monitoring module 704, configured to monitor file features of key detection codes in the target application based on the image file;
the protection module 706 is configured to, when it is detected that the file feature appears, filter a process in the target application through a process filtering mechanism.
The embodiment of the invention also provides a corresponding device for breaking through the protection of malicious software through the memory management unit, as shown in fig. 8, which comprises:
at least one processor 802 (processor), a communication interface 804 (Communications Interface), a memory 806 (memory), and a communication bus 808; the processor 802, the communication interface 804 and the memory 806 perform communication with each other through the communication bus 808; the processor 802 may invoke logic instructions stored in the memory 806 to cause at least one processor 802 to perform the steps of the embodiments described above.
Based on the same thought, some embodiments of the present invention also provide a medium corresponding to the above method.
Some embodiments of the invention provide a storage medium storing computer-executable instructions for execution by a processor to perform the steps of the embodiments described above.
The embodiments of the present invention are described in a progressive manner, and the same and similar parts of the embodiments are all referred to each other, and each embodiment is mainly described in the differences from the other embodiments. In particular, for the apparatus and medium embodiments, the description is relatively simple, as it is substantially similar to the method embodiments, with reference to the section of the method embodiments being relevant.
In another aspect, embodiments of the present application further provide a computer program product, where the computer program product includes a computer program, where the computer program may be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, the computer is capable of executing the steps of a method for breaking through malware protection through a memory management unit provided in the foregoing embodiments.
The devices and media provided in the embodiments of the present invention are in one-to-one correspondence with the methods, so that the devices and media also have similar beneficial technical effects as the corresponding methods, and since the beneficial technical effects of the methods have been described in detail above, the beneficial technical effects of the devices and media are not repeated here.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process article or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process article or method. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process method article or method comprising the element.
The foregoing is merely exemplary of the present invention and is not intended to limit the present invention. While the invention has been described in detail in the foregoing general description and with reference to specific embodiments thereof, it will be apparent to one skilled in the art that modifications and improvements can be made thereto. Accordingly, such modifications or improvements may be made without departing from the spirit of the invention and are intended to be within the scope of the invention as claimed.
Claims (10)
1. A method for breaking through malware protection by a memory management unit, comprising:
determining a process filtering mechanism according to the malicious software characteristics, generating an image file according to the process filtering mechanism, and inputting the image file into a terminal image;
based on the image file, monitoring file characteristics of key detection codes in the target application;
and when the occurrence of the file characteristics is monitored, the process in the target application is filtered through the process filtering mechanism.
2. The method according to claim 1, wherein the determining a process filtering mechanism according to the malware characteristics specifically comprises:
writing the name of the specific task into a preset sequence file;
acquiring a process name in the sequence file, storing the process name in a preset array, and detecting whether a specific character string exists in the preset array;
if a specific character string exists, replacing the original process name in the preset array;
writing the process names in the preset array after the names are replaced into the sequence file;
and determining an image file based on the sequence file reconstruction kernel, and brushing the image file into the terminal.
3. The method according to claim 2, wherein the writing the name of the specific task into the preset sequence file specifically includes:
calling a task_name function to write the name of a specific task into a preset sequence file;
the task_name function accepts two parameters: a sequence file pointer and a task structure pointer;
in the task_name function, several character arrays are defined for storing copies of the process names and converting to lower case versions of the process names.
4. The method according to claim 2, wherein the process names in the sequence file are obtained and stored in a preset array, and whether a specific character string exists in the preset array is detected; if a specific character string exists, replacing the original process name in the preset array, wherein the method specifically comprises the following steps:
calling a get_task_comm function to acquire a process name of a current process and storing the process name into a preset tcomm array;
converting each character in the tcomm array into a lowercase character through circulation, and storing the lowercase character into the my_comm array;
checking whether the my_comm array contains a specific character string or not through an if-else statement;
if the specific character string is determined to be contained, the strcpy function is called to replace the original process name of the corresponding position in tcomm with the target process name or null character.
5. The method of claim 2, wherein after replacing the original process name in the preset array, the method further comprises:
and calling a seq_puts function to write a 'Name:' character string into a sequence file, and writing a modified process Name into the sequence file.
6. The method of claim 5, wherein prior to writing, the method further comprises:
the string_escape_str function is called to escape the string.
7. The method according to claim 2, wherein determining an image file based on the sequence file reconstruction kernel comprises:
reconstructing the kernel through a reconstruction command to generate an image file;
the mirror is flushed to the end mirror by the Export target_pre_key command.
8. An apparatus for breaking through malware protection through a memory management unit, comprising:
the configuration module is used for determining a process filtering mechanism according to the malicious software characteristics, generating an image file according to the process filtering mechanism, and inputting the image file into a terminal image;
the monitoring module is used for monitoring file characteristics of key detection codes in the target application based on the image file;
and the protection module is used for filtering the process in the target application through the process filtering mechanism when the occurrence of the file characteristic is monitored.
9. An apparatus for breaking through malware protection by a memory management unit, comprising:
at least one processor; the method comprises the steps of,
a memory communicatively coupled to the at least one processor via a bus; wherein,
the memory stores instructions executable by the at least one processor to implement the method of any one of claims 1-7.
10. A non-volatile storage medium storing computer executable instructions for execution by a processor to implement the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311640794.3A CN117725577A (en) | 2023-12-01 | 2023-12-01 | Method and device for breaking through malicious software protection through memory management unit |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311640794.3A CN117725577A (en) | 2023-12-01 | 2023-12-01 | Method and device for breaking through malicious software protection through memory management unit |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117725577A true CN117725577A (en) | 2024-03-19 |
Family
ID=90204417
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311640794.3A Pending CN117725577A (en) | 2023-12-01 | 2023-12-01 | Method and device for breaking through malicious software protection through memory management unit |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117725577A (en) |
-
2023
- 2023-12-01 CN CN202311640794.3A patent/CN117725577A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10810309B2 (en) | Method and system for detecting kernel corruption exploits | |
| Rodler et al. | Sereum: Protecting existing smart contracts against re-entrancy attacks | |
| Balasubramanian et al. | System programming in rust: Beyond safety | |
| US20060095895A1 (en) | Method and apparatus for inserting code | |
| Huang et al. | Software crash analysis for automatic exploit generation on binary programs | |
| Avijit et al. | TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection. | |
| TW201941049A (en) | Systems and methods for transforming instructions for metadata processing | |
| US9582418B2 (en) | Confirming the sensitivity of a data object in a managed object heap | |
| CN109359487A (en) | A kind of expansible safe shadow storage and label management method based on hardware isolated | |
| US20220374415A1 (en) | Systems and methods for updating metadata | |
| JP5382450B2 (en) | Access control apparatus, method and information recording medium | |
| US20140317742A1 (en) | Hypervisor-based buffer overflow detection and prevention | |
| CN104715202A (en) | Hidden process detecting method and hidden process detecting device in virtual machine | |
| Palutke et al. | Hiding process memory via anti-forensic techniques | |
| CN107463513B (en) | System and method for transferring control between storage locations | |
| Huang et al. | Safecheck: Safety enhancement of Java unsafe API | |
| JP7349437B2 (en) | Controlling protection tag checking on memory accesses | |
| CN117725577A (en) | Method and device for breaking through malicious software protection through memory management unit | |
| US8321668B2 (en) | Control of data access by dynamically verifying legal references | |
| Durães et al. | A methodology for the automated identification of buffer overflow vulnerabilities in executable software without source-code | |
| CN114266036A (en) | Intel CET mechanism-based method for protecting integrity of universal memory | |
| Cole et al. | Simplex: Repurposing Intel memory protection extensions for information hiding | |
| González | Taxi: Defeating code reuse attacks with tagged memory | |
| CN104615935A (en) | Hiding method geared to Xen virtualization platform | |
| Cole et al. | Simplex: Repurposing Intel Memory Protection Extensions for Secure Storage |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |