CN117744082A - Method and device for detecting malicious software in operating system and storage medium - Google Patents
- Publication number: CN117744082A
- Application number: CN202311776386.0A
- Authority: CN (China)
- Prior art keywords: kernel, operating system, function, address, determining
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The application discloses a method and device for detecting malicious software in an operating system and a storage medium. The method comprises the following steps: determining the kernel of the operating system according to the operating system to be detected; determining an address interval corresponding to the code in the kernel; acquiring N functions in the kernel, and acquiring the function address of each function to obtain N function addresses, wherein N is a positive integer; and determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system. The method and device solve the problem in the related art that the detection range is small when detecting whether malicious software exists in the kernel of the operating system.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for detecting malware in an operating system, and a storage medium.
Background
Currently, rootkits are a collective term for a group of computer software and are often malicious. Their purpose is to maintain the highest privileges on the system in order to access the computer without authorization. Unlike viruses or Trojan horses, a Rootkit attempts to avoid discovery by the victim by hiding the attacker's processes, files and network ports, so as to make long-term use of the victimized host. The main functions of a Rootkit include hiding processes, hiding files, hiding network connections, and so on.
Moreover, rootkits can be technically divided into two main categories: user-mode Rootkits and kernel-mode Rootkits. User-mode rootkits are typically implemented by overwriting system binary files or library files. A kernel-mode Rootkit generally loads malicious code directly into the kernel through a kernel module, and is more concealed and more difficult to detect. In addition, a kernel-mode Rootkit can achieve its hiding purpose by replacing system calls: system calls are the necessary path through which user programs access system data, and in the malicious code that replaces a system call, an attacker filters out information such as a specific port, so that connections on that network port are invisible to the victim.
In addition, in the related art, when a kernel-level Rootkit in an operating system is detected, system call patterns are generally monitored to detect whether an abnormal system call pattern exists, so that the activity of Rootkit malware is discovered. However, in the related art, the detection of kernel-level Rootkits only examines system calls, which results in a small detection range for detecting kernel-level Rootkits in the operating system.
For the problem in the related art that the detection range is small when detecting whether malicious software exists in the kernel of an operating system, no effective solution has been proposed at present.
Disclosure of Invention
The main purpose of the application is to provide a method and a device for detecting malicious software in an operating system and a storage medium, so as to solve the problem that in the related art, when detecting whether the malicious software exists in a kernel of the operating system, the detection range is smaller.
In order to achieve the above object, according to one aspect of the present application, a method for detecting malware in an operating system is provided. The method comprises the following steps: determining the kernel of an operating system according to the operating system to be detected; determining an address interval corresponding to codes in the kernel; acquiring N functions in the kernel, and acquiring a function address of each function to obtain N function addresses, wherein N is a positive integer; and determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system.
Further, determining a detection result of the operating system based on the address interval and the N function addresses includes: judging whether each function address is in the address interval; if each function address is in the address interval, determining that the detection result is that the malicious software does not exist in the kernel of the operating system; and if at least one function address is not in the address interval, determining that the detection result is that the malicious software exists in the kernel of the operating system.
Further, after determining a detection result for the operating system based on the address interval and the N function addresses, the method further includes: determining a target function among the N functions under the condition that the detection result is that the malicious software exists in the kernel of the operating system, wherein the target function is a function whose function address is not in the address interval; acquiring address information of the target function, and determining a target module with the malicious software in the kernel according to the address information of the target function; and cleaning the malicious software in the target module.
Further, the cleaning processing of the malware in the target module includes: judging whether the target module can restore the original function if the malicious software in the target module is cleared; if the target module can recover the original function, the malware in the target module is directly cleared; and if the target module cannot recover the original function when the malicious software in the target module is cleared, sending reminding information to a target object, wherein the reminding information is used for reminding the target object of clearing the malicious software in the target module of the kernel.
Further, obtaining the N functions in the kernel includes: obtaining a target table in the kernel, wherein the target table is at least one of the following: the system call table is used for recording system call information of the operating system, the interrupt vector table is used for storing interrupt vectors in the kernel, and the jump table is used for storing entry addresses of system call and interrupt processing programs; and acquiring the N functions in the kernel from the target table.
Further, obtaining the N functions in the kernel includes: determining a target space for storing codes in the kernel; based on the target space, M code segments in the kernel are acquired, wherein M is a positive integer; and acquiring the functions in each code segment to obtain the N functions.
Further, after determining a detection result for the operating system based on the address interval and the N function addresses, the method further includes: according to a preset detection period, obtaining the address of a kernel function in the kernel in the current detection period; and detecting whether malicious software exists in the kernel of the operating system based on the address interval and the address of the kernel function, and obtaining a detection result of the operating system in the current detection time period.
In order to achieve the above object, according to another aspect of the present application, there is provided a device for detecting malware in an operating system. The device comprises: the first determining module is used for determining the kernel of the operating system according to the operating system to be detected; the second determining module is used for determining an address interval corresponding to codes in the kernel; the first acquisition module is used for acquiring N functions in the kernel and acquiring the function address of each function to obtain N function addresses, wherein N is a positive integer; and the third determining module is used for determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system.
Further, the third determining module includes: a first judging unit for judging whether each function address is in the address interval; the first determining unit is used for determining that the malicious software does not exist in the kernel of the operating system according to the detection result if each function address is in the address interval; and the second determining unit is used for determining that the malicious software exists in the kernel of the operating system according to the detection result if at least one function address is not in the address interval.
Further, the apparatus further comprises: a fourth determining module, configured to determine, after determining a detection result of the operating system based on the address interval and the N function addresses, a target function among the N functions if the detection result is that the malware exists in the kernel of the operating system, where the target function is a function whose function address is not in the address interval; the second acquisition module is used for acquiring the address information of the target function and determining the target module with the malicious software in the kernel according to the address information of the target function; and the first processing module is used for removing the malicious software in the target module.
Further, the first processing module includes: the second judging unit is used for judging whether the target module can restore the original function if the malicious software in the target module is subjected to cleaning treatment; the first processing unit is used for directly removing the malicious software in the target module if the target module can recover the original function; the first sending unit is used for sending reminding information to a target object if the target module cannot recover the original function when the malicious software in the target module is cleared, wherein the reminding information is used for reminding the target object of clearing the malicious software in the target module of the kernel.
Further, the first acquisition module includes: a first obtaining unit, configured to obtain a target table in the kernel, where the target table is at least one of the following: the system call table is used for recording system call information of the operating system, the interrupt vector table is used for storing interrupt vectors in the kernel, and the jump table is used for storing entry addresses of system call and interrupt processing programs; and the second acquisition unit is used for acquiring the N functions in the kernel from the target table.
Further, the first acquisition module includes: a third determining unit, configured to determine a target space in the kernel for storing a code; a third obtaining unit, configured to obtain M code segments in the kernel based on the target space, where M is a positive integer; and a fourth obtaining unit, configured to obtain the functions in each code segment, thereby obtaining the N functions.
Further, the apparatus further comprises: the third acquisition module is used for acquiring the address of the kernel function in the kernel in the current detection time period according to a preset detection period after determining the detection result of the operating system based on the address interval and the N function addresses; the first detection module is used for detecting whether malicious software exists in the kernel of the operating system based on the address interval and the address of the kernel function, and obtaining a detection result of the operating system in the current detection time period.
In order to achieve the above object, according to still another aspect of the present application, there is provided a computer-readable storage medium storing a program, wherein the program performs the method for detecting malware in an operating system described in any one of the above.
In order to achieve the above object, according to still another aspect of the present application, there is provided an electronic device including a processor, a memory, and a program stored in the memory and executable on the processor, where the processor executes the method for detecting malware in an operating system according to any one of the above when the processor executes the program.
Through the application, the following steps are adopted: determining the kernel of the operating system according to the operating system to be detected; determining an address interval corresponding to the code in the kernel; acquiring N functions in the kernel, and acquiring the function address of each function to obtain N function addresses, wherein N is a positive integer; and determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system. This solves the problem in the related art that the detection range is small when detecting whether malicious software exists in the kernel of the operating system. According to the method, the device and the system, the address interval corresponding to the code in the kernel of the operating system is obtained, then the function address of each of the multiple functions in the kernel is obtained, and then whether malicious software exists in the kernel of the operating system is detected based on the address interval and the function address of each function.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application, illustrate and explain the application and are not to be construed as limiting the application. In the drawings:
FIG. 1 is a flowchart of a method for detecting malware in an operating system according to an embodiment of the present application;
FIG. 2 is a second flowchart of a method for detecting malware in an operating system according to an embodiment of the present application;
FIG. 3 is a flowchart III of a method for detecting malware in an operating system provided in accordance with an embodiment of the present application;
FIG. 4 is a schematic diagram of a device for detecting malware in an operating system provided according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an electronic device provided according to an embodiment of the present application.
Detailed Description
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe the embodiments of the present application described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, related information (including, but not limited to, user equipment information, user personal information, etc.) and data (including, but not limited to, data for presentation, analyzed data, etc.) related to the present disclosure are information and data authorized by a user or sufficiently authorized by each party. For example, an interface is provided between the system and the relevant user or institution, before acquiring the relevant information, the system needs to send an acquisition request to the user or institution through the interface, and acquire the relevant information after receiving the consent information fed back by the user or institution.
For convenience of description, the following will describe some terms or terms related to the embodiments of the present application:
System call table: the system call table (System Call Table) is a table composed of function pointers to the kernel functions implementing the various system calls; it can be indexed by the system call number to locate the function address and complete the system call.
Interrupt vector table: a table storing the entry address of each interrupt service routine, indexed by the identification of the interrupt source.
Jump table: a jump table is a data structure in a kernel subsystem that stores and manages the addresses of functions or methods in the system.
module_kset: module_kset is a Linux kernel facility used to manage and manipulate the collection of kobjects in the kernel. A kobject is the representation of a kernel object, and a kset is a mechanism for managing a collection of kobjects. module_kset provides functions for the creation, management and manipulation of the kset, enabling a kernel developer to manage the collection of kernel objects more conveniently.
The disclosure mainly uses a linux operating system as an example to describe a method for detecting malicious software in the operating system provided by the disclosure, but it can be understood that the method for detecting malicious software is also applicable to Unix operating systems, other Unix-like operating systems, and other operating systems.
The present invention is described below in connection with preferred implementation steps, and fig. 1 is a flowchart of a method for detecting malware in an operating system according to an embodiment of the present application, as shown in fig. 1, where the method includes the following steps:
step S101, determining the kernel of the operating system according to the operating system to be detected.
For example, the operating system to be detected may be a linux operating system, and a kernel of the linux operating system may be determined.
Step S102, determining an address interval corresponding to codes in the kernel.
For example, after the linux operating system to be detected is started, a kernel code area (the address interval described above) may be established. Furthermore, the code in the kernel is organized in segments, and each segment of code corresponds to one address interval, so the code area can be the address interval corresponding to the code in the kernel.
Step S103, obtaining N functions in the kernel, and obtaining the function address of each function to obtain N function addresses, wherein N is a positive integer.
For example, the N functions may be kernel functions, and the N function addresses may be addresses of kernel functions. Address information of each kernel function in the kernel can be acquired.
Step S104, determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in a kernel of the operating system.
For example, the malware may be a Rootkit. While the linux operating system is running, it may be checked whether the address of each kernel function is in the code region (the address interval described above). If any kernel function address is not in the code region, this indicates that a malicious function exists in the kernel, that is, that a Rootkit exists in the kernel of the operating system; conversely, if every kernel function address is within the code region, this indicates that no malicious function is present in the kernel, i.e., that no Rootkit is present in the kernel of the operating system.
Through the steps S101 to S104, the address interval corresponding to the code in the kernel of the operating system is obtained, then the function address of each function in the plurality of functions in the kernel is obtained, and then whether the malicious software exists in the kernel of the operating system is detected based on the address interval and the function address of each function.
Optionally, in the method for detecting malware in an operating system provided in the embodiment of the present application, obtaining N functions in a kernel includes: obtaining a target table in the kernel, wherein the target table is at least one of the following: the system call table is used for recording system call information of an operating system, the interrupt vector table is used for storing interrupt vectors in a kernel, and the jump table is used for storing entry addresses of system call and interrupt processing programs; n functions in the kernel are obtained from the target table.
For example, after the trusted zone (the address interval described above) is established, when detecting the addresses of kernel functions in the linux operating system kernel, in order to quickly check the injectable points of the system, the kernel functions may be acquired from the system call table sys_call_table, the interrupt vector table idt_table and the jump table of the linux operating system, and the plurality of kernel functions acquired from these tables may be used as the N functions described above.
Through the scheme, the kernel function can be quickly and accurately obtained from the system call table, the interrupt vector table and the jump table.
Optionally, in the method for detecting malware in an operating system provided in the embodiment of the present application, obtaining N functions in a kernel includes: determining a target space for storing codes in a kernel; based on a target space, M code segments in a kernel are acquired, wherein M is a positive integer; and acquiring the functions in each code segment to obtain N functions.
For example, after the trusted zone (the address interval described above) is established, when detecting all kernel function addresses in the linux operating system kernel, the code segments in the ELF (Executable and Linkable Format, a file format for executable files, shared libraries and core dump files) mapping area may be traversed in the kernel address space, the functions therein identified, and the plurality of kernel functions identified from the code segments taken as the N functions described above.
Through the scheme, the function address of each kernel function in the kernel can be quickly and accurately acquired.
Fig. 2 is a second flowchart of a method for detecting malware in an operating system according to an embodiment of the present application, as shown in fig. 2, in the method for detecting malware in an operating system according to an embodiment of the present application, determining, based on an address interval and N function addresses, a detection result of the operating system includes:
Step S201, judging whether each function address is in an address interval;
step S202, if each function address is in an address interval, determining that no malicious software exists in the kernel of the operating system as a detection result;
step S203, if at least one function address is not in the address range, determining that the detection result is that malware exists in the kernel of the operating system.
For example, when detecting the addresses of kernel functions in the linux operating system kernel, a malicious function may be identified by checking whether each kernel function address is within the trusted zone (the address interval described above). Specifically, each kernel function address may be checked in sequence: if every kernel function address is in the code area (the address interval), no malicious function exists in the kernel, that is, no Rootkit exists in the kernel of the operating system; if any one of the kernel function addresses is not within the code area, this indicates that a malicious function is present in the kernel, that is, that a Rootkit is present in the kernel of the operating system.
Through the scheme, whether malicious software exists in the kernel of the operating system can be judged rapidly and accurately.
Fig. 3 is a flowchart III of a method for detecting malware in an operating system according to an embodiment of the present application, as shown in fig. 3, in the method for detecting malware in an operating system according to an embodiment of the present application, after determining a detection result of an operating system based on an address interval and N function addresses, the method further includes:
step S301, determining a target function among the N functions under the condition that the detection result is that malicious software exists in the kernel of the operating system, wherein the target function is a function whose function address is not in the address interval;
step S302, obtaining address information of the target function, and determining a target module with malicious software in the kernel according to the address information of the target function;
step S303, cleaning up the malicious software in the target module.
For example, when checking whether each kernel function address is in the trusted area (the address interval described above) in turn, an address that is not in the trusted area may be marked as a malicious address, and the location in the memory where the malicious address is located may be recorded, and then a hidden module (the target module described above) in which a Rootkit exists in the kernel may be found according to the malicious address.
Through the scheme, the module with the malicious software in the kernel of the operating system can be rapidly and accurately determined.
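The following is an added userspace simulation of steps S104, S201 to S203 and S301 to S302; it is not code from the patent. The kernel code range, the module list and the table of function pointers are constructed values standing in for the kernel text range, the loaded-module list and sys_call_table, so the check runs offline.

```c
/* Added example (not the patent's code): range-check a table of kernel
 * function pointers against the kernel's own code interval, and map any
 * out-of-range pointer back to the module that owns it. All addresses and
 * module names below are constructed sample values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Step S102: the address interval of the kernel's code, half-open [start, end). */
struct code_range { uint64_t start; uint64_t end; };

/* Code region of one loaded module, used in step S302 to find the
 * "target module" that owns a flagged function address. */
struct module_range { const char *name; uint64_t start; uint64_t end; };

/* One detection finding: which table slot, what address, which module. */
struct finding { size_t index; uint64_t addr; const char *module; };

static int in_range(uint64_t a, uint64_t lo, uint64_t hi) {
    return a >= lo && a < hi;
}

/* Step S302: return the name of the module whose code region contains addr.
 * A pointer that belongs to no listed module is the hidden-module case. */
static const char *owning_module(uint64_t addr,
                                 const struct module_range *mods, size_t nmods) {
    for (size_t i = 0; i < nmods; i++)
        if (in_range(addr, mods[i].start, mods[i].end))
            return mods[i].name;
    return "<unknown: not in any listed module>";
}

/* Steps S201 to S203: count table entries outside the code interval and
 * record up to max_out of them in out[]. A return value of 0 corresponds to
 * the detection result "no malware"; anything else means "malware present". */
static size_t check_table(const uint64_t *table, size_t n, struct code_range text,
                          const struct module_range *mods, size_t nmods,
                          struct finding *out, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (in_range(table[i], text.start, text.end))
            continue;                      /* legitimate: inside kernel code */
        if (found < max_out) {
            out[found].index = i;
            out[found].addr = table[i];
            out[found].module = owning_module(table[i], mods, nmods);
        }
        found++;
    }
    return found;
}

/* Constructed sample data standing in for the real kernel state. */
static const struct code_range kText = { 0xffffffff81000000ULL, 0xffffffff82000000ULL };

static const struct module_range kModules[] = {
    { "ext4",        0xffffffffc0000000ULL, 0xffffffffc0100000ULL },
    { "suspect_mod", 0xffffffffc0300000ULL, 0xffffffffc0310000ULL },
};
static const size_t kNumModules = sizeof(kModules) / sizeof(kModules[0]);

/* Stand-in for sys_call_table: slots 2 and 4 point outside kernel code. */
static const uint64_t kSysCallTable[] = {
    0xffffffff81234560ULL,  /* inside kernel code */
    0xffffffff812345a0ULL,  /* inside kernel code */
    0xffffffffc0301230ULL,  /* redirected into the listed module suspect_mod */
    0xffffffff81a00000ULL,  /* inside kernel code */
    0xffffffffc0900000ULL,  /* redirected to a region no listed module owns */
};
static const size_t kTableLen = sizeof(kSysCallTable) / sizeof(kSysCallTable[0]);

int main(void) {
    struct finding f[8];
    size_t n = check_table(kSysCallTable, kTableLen, kText,
                           kModules, kNumModules, f, 8);
    if (n == 0) {
        puts("detection result: no malware in kernel");
        return 0;
    }
    printf("detection result: malware present, %zu function(s) outside kernel code\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  slot %zu -> 0x%016llx (module: %s)\n", f[i].index,
               (unsigned long long)f[i].addr, f[i].module);
    return 1;
}
```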
Optionally, in the method for detecting malware in an operating system provided in the embodiment of the present application, the removing processing of the malware in the target module includes: judging whether the target module can restore the original function if the malicious software in the target module is cleared; if the malicious software in the target module is cleared, the target module can restore the original function, and the malicious software in the target module is cleared directly; if the target module cannot recover the original function when the malicious software in the target module is cleared, sending reminding information to the target object, wherein the reminding information is used for reminding the target object of clearing the malicious software in the target module of the kernel.
For example, the Rootkit in the hidden module (the target module described above) in the kernel may be cleared in two ways: automatically, or, when automatic clearing is not possible, by manual intervention. Specifically, it may be determined whether the hidden module can restore its original function after the Rootkit in it is cleared. If it can, the Rootkit may be cleared automatically; if it cannot, the Rootkit is not cleared automatically, the module name of the Rootkit is reported to the user, and a system restart or manual intervention may then be performed.
Through the scheme, the malicious software in the hidden module with the malicious software in the kernel can be rapidly and accurately cleared.
Optionally, in the method for detecting malware in an operating system provided in the embodiment of the present application, after determining a detection result of the operating system based on an address interval and N function addresses, the method further includes: according to a preset detection period, obtaining an address of a kernel function in the kernel in a current detection time period; and detecting whether malicious software exists in the kernel of the operating system based on the address interval and the address of the kernel function, and obtaining a detection result of the operating system in the current detection time period.
For example, because detection is performed while a kernel module is being loaded, the detection may be incomplete until the module has finished loading, and the system may also have been infected by a Rootkit before the detection module was installed. Therefore, the periodic detection module may be responsible for performing detection tasks on various occasions. For example, the above-mentioned preset detection period may be once every 5 minutes: after detecting for the first time whether a Rootkit exists in the kernel of the operating system, whether the address of each kernel function is in the code region (the above-mentioned address interval) may be compared again at each 5-minute interval, so that whether a Rootkit exists in the kernel of the operating system is detected periodically.
Through the scheme, the malicious software in the kernel of the operating system can be periodically detected, so that the safety of the kernel of the operating system can be ensured.
For example, the method provided by the embodiment of the present application can overcome the defects of the related-art scheme and achieves the following: the baseline stores little data and occupies little memory; the detection range is wide, and the whole system code area can be detected without distinction; and detection runs on the detected machine when a kernel module is loaded and is also performed periodically.
In some examples, the method provided by the embodiments of the present application may be divided into the following 5 parts:
(1) Trusted zone (i.e., the address interval in the previous embodiment) baseline establishment;
(2) System injectable point detection;
(3) Hidden module (i.e., the target module in the previous embodiment) lookup;
(4) Rootkit (i.e., the malware in the previous embodiments) clean-up;
(5) Periodic detection module.
After the system is started, a trusted memory area baseline (i.e., the address interval in the foregoing embodiment) is established first. At run time, a malicious function is identified by comparing whether each kernel function address lies in the trusted area; the hidden kernel module is then found from the malicious function address; that hidden kernel module is the Rootkit, and measures are then taken to clear it.
(1) Trusted zone (i.e., address space in the previous embodiment) baseline establishment
After the system is started, the kernel's own code region [core_base, core_base+size] is established; the visible kernel modules are identified through lsmod (the system command that displays the list of currently loaded kernel modules); the starting code address and size of each module are then analyzed to form a trusted record [modx_base, modx_base+size]; and all the trusted regions are combined to form the trusted zone baseline (i.e., the address interval in the previous embodiment). Since a Rootkit conceals itself, it does not appear in the lsmod result.
(2) System injectable point detection
1) Rapid detection:
Check the system call table sys_call_table, the interrupt vector table idt_table, the jump tables in the kernel subsystems, and the kernel function entry addresses (i.e., the function addresses in the foregoing embodiment) of kernel functions (the entry points used for handling system calls and interrupts); judge whether each address is in the trusted zone [base, size] (i.e., the address interval in the foregoing embodiment); find the malicious addresses that are not in the trusted zone, and record the location of each malicious address.
2) Full address detection:
Traverse the code segments of the ELF (Executable and Linkable Format, a file format for executable files, shared libraries, and core dump files) mapping area in the kernel address space, identify the function addresses in them (i.e., the function addresses in the foregoing embodiments), and check each address in turn for being within the trusted zone baseline (i.e., the address interval in the foregoing embodiments). Addresses that are not in the trusted zone are malicious addresses, and the memory locations where the malicious addresses are found are recorded; these recorded locations are used in the subsequent clearing.
(3) Hidden module (i.e., object module in the previous embodiment) lookup
Starting from the malicious address, traverse the ksets of type module_kset in the kernel, find the kset whose [base, base+size] contains the malicious address, and obtain its module name (module name); this module is the hidden Rootkit (i.e., the malware in the embodiment).
(4) Cleaning Rootkit (i.e., malware in the foregoing embodiments)
Release the relevant resources according to the kset detected in step (3), and delete the kset so as to clear the Rootkit.
1) Case where automatic clearing is possible:
When the malicious address was injected by using it as the entry address of an entry pad (the pad is a NOP instruction reserved by the kernel at the function entry at compile time for debugging convenience), the malicious address found during detection may be replaced with the original NOP instruction (the NOP instruction is a special machine instruction meaning "no operation", i.e., nothing is performed), and the Rootkit may then be deleted.
2) Case where automatic clearing is impossible:
Since the malicious address in the Rootkit is in use, it may not be possible to clear it; in this case the module name of the Rootkit is reported to the user for a subsequent system restart or manual intervention.
(5) Periodicity detection module
Since detection executed at the time a kernel module is loaded may be incomplete until the module has finished loading, and the system may also already be infected by a Rootkit before the detection module is installed, the periodic detection module is responsible for executing detection tasks on each occasion. The running occasions are as follows:
1. Run actions (1), (2), (3) and (4) immediately after the system is started.
2. Run actions (1), (2), (3) and (4) when a kernel module is loaded.
3. Run actions (1), (2), (3) and (4) periodically, driven by a timer.
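Steps (1) to (3) above, as an added user-space simulation in C (not code from the patent): build the trusted zone baseline from the kernel core text region and the lsmod-visible modules, check entry addresses against it, and map an address outside the baseline back to a module_kset record. All addresses, sizes and module names are constructed sample values, and the kset is simulated as a plain array.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RANGES 16

/* One code record [base, base + size): the kernel core text or a module.
 * The same struct stands in for a module_kset entry in this simulation. */
typedef struct { uintptr_t base; size_t size; const char *name; } code_range;
typedef struct { code_range r[MAX_RANGES]; int n; } baseline;
typedef struct { int nranges; int nbad; const char *owner; } demo_result;

static int contains(const code_range *c, uintptr_t a) { return a >= c->base && a < c->base + c->size; }

static int cmp_base(const void *x, const void *y)
{
    const code_range *a = x, *b = y;
    return (a->base > b->base) - (a->base < b->base);
}

/* Step (1): core text plus lsmod-visible modules, sorted and merged into the
 * trusted zone baseline. A module that hides from lsmod never gets in. */
int build_baseline(baseline *bl, const code_range *core,
                   const code_range *visible, int nvisible)
{
    bl->n = 0;
    bl->r[bl->n++] = *core;
    for (int i = 0; i < nvisible && bl->n < MAX_RANGES; i++)
        bl->r[bl->n++] = visible[i];
    qsort(bl->r, bl->n, sizeof bl->r[0], cmp_base);
    int out = 0;                    /* merge overlapping or adjacent records */
    for (int i = 1; i < bl->n; i++) {
        uintptr_t last_end = bl->r[out].base + bl->r[out].size;
        uintptr_t cur_end = bl->r[i].base + bl->r[i].size;
        if (bl->r[i].base <= last_end) {
            if (cur_end > last_end)
                bl->r[out].size = cur_end - bl->r[out].base;
        } else {
            bl->r[++out] = bl->r[i];
        }
    }
    return bl->n = out + 1;
}

/* Step (2): an entry address (as read from sys_call_table, idt_table or a
 * jump table) is trusted only if a baseline record contains it; the others
 * are recorded as malicious. Returns how many were recorded. */
int find_malicious(const baseline *bl, const uintptr_t *funcs, int n,
                   uintptr_t *bad, int maxbad)
{
    int nbad = 0;
    for (int i = 0; i < n; i++) {
        int trusted = 0;
        for (int j = 0; j < bl->n && !trusted; j++)
            trusted = contains(&bl->r[j], funcs[i]);
        if (!trusted && nbad < maxbad)
            bad[nbad++] = funcs[i];
    }
    return nbad;
}

/* Step (3): walk the (simulated) module_kset, which still lists modules that
 * hide from lsmod, and name the one whose range holds the malicious address. */
const char *owner_module(const code_range *kset, int nk, uintptr_t addr)
{
    for (int i = 0; i < nk; i++)
        if (contains(&kset[i], addr))
            return kset[i].name;
    return NULL;
}

/* Constructed sample data (not real kernel addresses or module names). The
 * first N_VISIBLE kset entries appear in lsmod; the last one hides itself. */
enum { N_VISIBLE = 2, N_KSET = 3, N_ENTRIES = 4 };
static const code_range sample_core = { 0x81000000u, 0x00800000u, "core .text" };
static const code_range sample_kset[N_KSET] = {
    { 0x90000000u, 0x00010000u, "mod_a" },
    { 0x90010000u, 0x00008000u, "mod_b" },      /* adjacent to mod_a: merged */
    { 0xa0000000u, 0x00004000u, "hidden_mod" }, /* absent from lsmod output */
};
/* Entry addresses as a checker would read them; the last one has been
 * redirected into the hidden module. */
static const uintptr_t sample_entries[N_ENTRIES] = {
    0x81123450u, 0x81123500u, 0x90002000u, 0xa0001230u
};

/* Runs steps (1)-(3) over the sample data: baseline size, number of entry
 * addresses outside it, and the kset module owning the first such address. */
demo_result demo_detect(void)
{
    baseline bl;
    uintptr_t bad[N_ENTRIES];
    demo_result res = { 0, 0, "" };
    res.nranges = build_baseline(&bl, &sample_core, sample_kset, N_VISIBLE);
    res.nbad = find_malicious(&bl, sample_entries, N_ENTRIES, bad, N_ENTRIES);
    const char *name = res.nbad ? owner_module(sample_kset, N_KSET, bad[0]) : NULL;
    res.owner = name ? name : "";
    return res;
}
```

With the sample data the two adjacent visible modules merge into one record, so the baseline has 2 records, one entry address falls outside it, and the kset walk attributes that address to hidden_mod.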
For example, the present embodiment proposes a solution for detecting a Rootkit in kernel mode on Linux, which can be applied to every kernel version of Linux and is not limited to a specific Linux distribution. Moreover, the detection range is widened through the new trusted interval establishment and kernel checkpoint detection; meanwhile, the method can run directly on the detected host without depending on a virtual machine to run suspicious samples, which improves the convenience of detection.
In addition, the method provided by the embodiment of the application solves the problem that conventional kernel-mode Rootkit detection only checks the system call table: it can detect a Rootkit that hooks the kernel at any point (intercepting or modifying any hook in the operating system kernel) using techniques such as ftrace (ftrace is a tracing tool in the Linux kernel that can be used to trace function calls, events and performance data of the kernel and of user space), it can run detection without affecting the user's use of the system, and it has a wide detection range and high efficiency.
In addition, the embodiment reduces the data to be stored by introducing the trusted interval of kernel function addresses, and can detect over a larger range while reducing the memory overhead; by associating a malicious address that is not in the trusted interval with whether the kernel module is visible, it identifies whether hiding behavior exists, detects the Rootkit according to that hiding behavior, and can detect malicious code hidden at any position in the kernel.
In summary, according to the method for detecting malicious software in the operating system provided by the embodiment of the application, the kernel of the operating system is determined according to the operating system to be detected; determining an address interval corresponding to codes in the kernel; acquiring N functions in a kernel, and acquiring a function address of each function to obtain N function addresses, wherein N is a positive integer; and determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system, and the problem that the detection range is smaller when the malicious software exists in the kernel of the operating system is solved in the related art. According to the method, the device and the system, the address interval corresponding to the codes in the kernel of the operating system is obtained, then the function address of each function in the multiple functions in the kernel is obtained, and then whether the malicious software exists in the kernel of the operating system is detected based on the address interval and the function address of each function.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the application also provides a device for detecting the malicious software in the operating system, and it is to be noted that the device for detecting the malicious software in the operating system in the embodiment of the application can be used for executing the method for detecting the malicious software in the operating system provided in the embodiment of the application. The following describes a device for detecting malicious software in an operating system provided by an embodiment of the present application.
Fig. 4 is a schematic diagram of a device for detecting malware in an operating system according to an embodiment of the present application. As shown in fig. 4, the apparatus includes: a first determination module 401, a second determination module 402, a first acquisition module 403, and a third determination module 404.
Specifically, the first determining module 401 is configured to determine, according to an operating system to be detected, a kernel of the operating system;
a second determining module 402, configured to determine an address interval corresponding to a code in the kernel;
A first obtaining module 403, configured to obtain N functions in a kernel, and obtain a function address of each function, to obtain N function addresses, where N is a positive integer;
a third determining module 404, configured to determine a detection result of the operating system based on the address interval and the N function addresses, where the detection result is used to indicate whether malware exists in a kernel of the operating system.
In summary, according to the detection device for malicious software in the operating system provided by the embodiment of the present application, the first determining module 401 determines, according to the operating system to be detected, the kernel of the operating system; the second determining module 402 determines an address interval corresponding to a code in the kernel; the first obtaining module 403 obtains N functions in the kernel, and obtains a function address of each function, to obtain N function addresses, where N is a positive integer; the third determining module 404 determines a detection result of the operating system based on the address interval and the N function addresses, where the detection result is used to indicate whether malware exists in a kernel of the operating system, which solves the problem that in the related art, when detecting whether malware exists in the kernel of the operating system, the detection range is smaller. According to the method, the device and the system, the address interval corresponding to the codes in the kernel of the operating system is obtained, then the function address of each function in the multiple functions in the kernel is obtained, and then whether the malicious software exists in the kernel of the operating system is detected based on the address interval and the function address of each function.
Optionally, in the device for detecting malware in an operating system provided in the embodiment of the present application, the third determining module includes: the first judging unit is used for judging whether each function address is in an address interval; the first determining unit is used for determining that the detection result is that no malicious software exists in the kernel of the operating system if each function address is in the address interval; and the second determining unit is used for determining that the malicious software exists in the kernel of the operating system as a detection result if at least one function address is not in the address interval.
For example, when detecting the addresses of kernel functions in the linux operating system kernel, a malicious function may be identified by comparing whether each kernel function address is within the trusted zone (the address interval described above). Specifically, whether each kernel function address is in the trusted zone may be checked in turn: if every kernel function address in the kernel is in the code region (the address interval), no malicious function exists in the kernel, that is, no Rootkit exists in the kernel of the operating system; if any one of the kernel function addresses is not within the code region (the address interval described above), a malicious function exists in the kernel, that is, a Rootkit exists in the kernel of the operating system.
In summary, it can be quickly and accurately determined whether malware exists in the kernel of the operating system.
Optionally, in the device for detecting malware in an operating system provided in the embodiment of the present application, the device further includes: a fourth determining module, configured to determine, after determining a detection result of the operating system based on the address interval and the N function addresses, an objective function of the N functions if the detection result is that malware exists in a kernel of the operating system, where the objective function is a function whose function address is not in the address interval; the second acquisition module is used for acquiring the address information of the target function and determining the target module with the malicious software in the kernel according to the address information of the target function; the first processing module is used for removing the malicious software in the target module.
For example, when checking whether each kernel function address is in the trusted area (the address interval described above) in turn, an address that is not in the trusted area may be marked as a malicious address, and the location in the memory where the malicious address is located may be recorded, and then a hidden module (the target module described above) in which a Rootkit exists in the kernel may be found according to the malicious address.
In summary, it is possible to quickly and accurately determine a module in which malware exists in the kernel of the operating system.
Optionally, in the device for detecting malware in an operating system provided in the embodiment of the present application, the first processing module includes: the second judging unit is used for judging whether the target module can restore the original function if the malicious software in the target module is cleared; the first processing unit is used for directly removing the malicious software in the target module if the target module can restore the original function; the first sending unit is used for sending reminding information to the target object if the target module cannot recover the original function when the malicious software in the target module is cleared, wherein the reminding information is used for reminding the target object of clearing the malicious software in the target module of the kernel.
For example, when the Rootkit in the hidden module (the target module described above) in which the Rootkit exists in the kernel is cleared, the clearing may be performed in two ways: automatic clearing, and, when automatic clearing is not possible, clearing by manual intervention. Specifically, it may be determined whether the hidden module can restore its original function after the Rootkit in it is cleared. If the hidden module can restore its original function after the Rootkit is cleared, the Rootkit may be cleared automatically; if the hidden module cannot restore its original function after the Rootkit is cleared, the Rootkit cannot be cleared automatically, and the module name of the Rootkit is reported to the user so that the system can be restarted or manual intervention can be performed.
In summary, the method and the device can quickly and accurately remove the malicious software in the hidden module with the malicious software in the kernel.
Optionally, in the device for detecting malware in an operating system provided in the embodiment of the present application, the first obtaining module includes: the first acquisition unit is used for acquiring a target table in the kernel, wherein the target table is at least one of the following: the system call table is used for recording system call information of an operating system, the interrupt vector table is used for storing interrupt vectors in a kernel, and the jump table is used for storing entry addresses of system call and interrupt processing programs; and the second acquisition unit is used for acquiring N functions in the kernel from the target table.
For example, after the trusted zone (the above address interval) is established, when detecting the addresses of kernel functions in the linux operating system kernel, in order to quickly detect the system injectable points, the system kernel functions may be acquired from the system call table sys_call_table, the interrupt vector table idt_table and the jump table of the linux operating system, and the plurality of kernel functions acquired from these tables may be used as the above N functions.
In summary, the kernel function can be quickly and accurately obtained from the system call table, the interrupt vector table and the jump table.
Optionally, in the device for detecting malware in an operating system provided in the embodiment of the present application, the first obtaining module includes: a third determining unit configured to determine a target space in the kernel for storing the code; a third obtaining unit, configured to obtain M code segments in a kernel based on a target space, where M is a positive integer; and the fourth acquisition unit is used for acquiring the functions in each code segment to obtain N functions.
For example, after the trusted zone (address interval described above) is established, and when detecting the full address of the kernel function in the linux operating system kernel, the code segment in the ELF (Executable and Linkable Format, a file format for executable files, shared libraries, and core dump files) mapping area may be traversed in the kernel address space, and the functions therein may be identified, and then the plurality of kernel functions identified from the code segment may be taken as the N functions described above.
In summary, the function address of each kernel function in the kernel can be quickly and accurately obtained.
Optionally, in the device for detecting malware in an operating system provided in the embodiment of the present application, the device further includes: the third acquisition module is used for acquiring the address of the kernel function in the kernel in the current detection time period according to the preset detection period after determining the detection result of the operating system based on the address interval and the N function addresses; the first detection module is used for detecting whether malicious software exists in the kernel of the operating system based on the address interval and the address of the kernel function, and obtaining a detection result of the operating system in the current detection time period.
For example, because detection is performed while a kernel module is being loaded, the detection may be incomplete until the module has finished loading, and the system may also have been infected by a Rootkit before the detection module was installed. Therefore, the periodic detection module may be responsible for performing detection tasks on various occasions. For example, the above-mentioned preset detection period may be once every 5 minutes: after detecting for the first time whether a Rootkit exists in the kernel of the operating system, whether the address of each kernel function is in the code region (the above-mentioned address interval) may be compared again at each 5-minute interval, so that whether a Rootkit exists in the kernel of the operating system is detected periodically.
In summary, the method and the device can periodically detect the malicious software in the kernel of the operating system, so that the security of the kernel of the operating system can be ensured.
The specific manner in which the respective modules perform the operations in the detection apparatus for malware in the operating system in the above embodiment has been described in detail in the embodiments related to the method, and will not be described in detail herein.
The detection device for the malicious software in the operating system comprises a processor and a memory, wherein the first determining module 401, the second determining module 402, the first obtaining module 403, the third determining module 404 and the like are all stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program unit from the memory. The kernel may set one or more kernel parameters to increase the detection range for detecting whether malware is present in the kernel of the operating system.
The memory may include volatile memory, Random Access Memory (RAM), and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM), among other forms of computer readable media; the memory includes at least one memory chip.
The embodiment of the invention provides a computer readable storage medium, wherein a program is stored on the computer readable storage medium, and the program is executed by a processor to realize a method for detecting malicious software in an operating system.
The embodiment of the invention provides a processor which is used for running a program, wherein the program runs to execute a method for detecting malicious software in an operating system.
As shown in fig. 5, an embodiment of the present invention provides an electronic device, where the device includes a processor, a memory, and a program stored in the memory and executable on the processor, and when the processor executes the program, the following steps are implemented: determining the kernel of an operating system according to the operating system to be detected; determining an address interval corresponding to codes in the kernel; acquiring N functions in the kernel, and acquiring a function address of each function to obtain N function addresses, wherein N is a positive integer; and determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system.
The processor also realizes the following steps when executing the program: based on the address interval and the N function addresses, determining a detection result of the operating system includes: judging whether each function address is in the address interval; if each function address is in the address interval, determining that the detection result is that the malicious software does not exist in the kernel of the operating system; and if at least one function address is not in the address interval, determining that the detection result is that the malicious software exists in the kernel of the operating system.
The processor also realizes the following steps when executing the program: after determining a detection result for the operating system based on the address interval and the N function addresses, the method further includes: determining an objective function in the N functions under the condition that the detection result is that the malicious software exists in the kernel of the operating system, wherein the objective function is a function with a function address not in the address interval; acquiring address information of the target function, and determining a target module with the malicious software in the kernel according to the address information of the target function; and cleaning the malicious software in the target module.
The processor also realizes the following steps when executing the program: the cleaning processing of the malicious software in the target module comprises the following steps: judging whether the target module can restore the original function if the malicious software in the target module is cleared; if the target module can recover the original function, the malware in the target module is directly cleared; and if the target module cannot recover the original function when the malicious software in the target module is cleared, sending reminding information to a target object, wherein the reminding information is used for reminding the target object of clearing the malicious software in the target module of the kernel.
The processor also realizes the following steps when executing the program: acquiring the N functions in the kernel comprises: obtaining a target table in the kernel, wherein the target table is at least one of the following: the system call table is used for recording system call information of the operating system, the interrupt vector table is used for storing interrupt vectors in the kernel, and the jump table is used for storing entry addresses of system call and interrupt processing programs; and acquiring the N functions in the kernel from the target table.
The processor also realizes the following steps when executing the program: acquiring the N functions in the kernel comprises: determining a target space for storing codes in the kernel; based on the target space, M code segments in the kernel are acquired, wherein M is a positive integer; and acquiring the functions in each code segment to obtain the N functions.
The processor also realizes the following steps when executing the program: after determining a detection result for the operating system based on the address interval and the N function addresses, the method further includes: according to a preset detection period, obtaining the address of a kernel function in the kernel in the current detection period; and detecting whether malicious software exists in the kernel of the operating system based on the address interval and the address of the kernel function, and obtaining a detection result of the operating system in the current detection time period.
The device herein may be a server, PC, PAD, cell phone, etc.
The present application also provides a computer program product adapted to perform, when executed on a data processing device, a program initialized with the method steps of: determining the kernel of an operating system according to the operating system to be detected; determining an address interval corresponding to codes in the kernel; acquiring N functions in the kernel, and acquiring a function address of each function to obtain N function addresses, wherein N is a positive integer; and determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system.
The computer program product, when executed on a data processing device, is further adapted to carry out a program initialized with the method steps of: based on the address interval and the N function addresses, determining a detection result of the operating system includes: judging whether each function address is in the address interval; if each function address is in the address interval, determining that the detection result is that the malicious software does not exist in the kernel of the operating system; and if at least one function address is not in the address interval, determining that the detection result is that the malicious software exists in the kernel of the operating system.
The computer program product, when executed on a data processing device, is further adapted to carry out a program initialized with the method steps of: after determining a detection result for the operating system based on the address interval and the N function addresses, the method further includes: determining an objective function in the N functions under the condition that the detection result is that the malicious software exists in the kernel of the operating system, wherein the objective function is a function with a function address not in the address interval; acquiring address information of the target function, and determining a target module with the malicious software in the kernel according to the address information of the target function; and cleaning the malicious software in the target module.
The computer program product, when executed on a data processing device, is further adapted to carry out a program initialized with the method steps of: the cleaning processing of the malicious software in the target module comprises the following steps: judging whether the target module can restore the original function if the malicious software in the target module is cleared; if the target module can recover the original function, the malware in the target module is directly cleared; and if the target module cannot recover the original function when the malicious software in the target module is cleared, sending reminding information to a target object, wherein the reminding information is used for reminding the target object of clearing the malicious software in the target module of the kernel.
The computer program product, when executed on a data processing device, is further adapted to carry out a program initialized with the method steps of: acquiring the N functions in the kernel comprises: obtaining a target table in the kernel, wherein the target table is at least one of the following: the system call table is used for recording system call information of the operating system, the interrupt vector table is used for storing interrupt vectors in the kernel, and the jump table is used for storing entry addresses of system call and interrupt processing programs; and acquiring the N functions in the kernel from the target table.
The computer program product, when executed on a data processing device, is further adapted to carry out a program initialized with the method steps of: acquiring the N functions in the kernel comprises: determining a target space for storing codes in the kernel; based on the target space, M code segments in the kernel are acquired, wherein M is a positive integer; and acquiring the functions in each code segment to obtain the N functions.
The computer program product, when executed on a data processing device, is further adapted to carry out a program initialized with the method steps of: after determining a detection result for the operating system based on the address interval and the N function addresses, the method further includes: according to a preset detection period, obtaining the address of a kernel function in the kernel in the current detection period; and detecting whether malicious software exists in the kernel of the operating system based on the address interval and the address of the kernel function, and obtaining a detection result of the operating system in the current detection time period.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or nonvolatile memory, etc., such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.
Claims (10)
1. A method for detecting malware in an operating system, comprising:
determining the kernel of an operating system according to the operating system to be detected;
determining an address interval corresponding to codes in the kernel;
acquiring N functions in the kernel, and acquiring a function address of each function to obtain N function addresses, wherein N is a positive integer;
and determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system.
2. The method of claim 1, wherein determining a detection result for the operating system based on the address interval and the N function addresses comprises:
judging whether each function address is in the address interval;
if each function address is in the address interval, determining that the detection result is that the malicious software does not exist in the kernel of the operating system;
and if at least one function address is not in the address interval, determining that the detection result is that the malicious software exists in the kernel of the operating system.
3. The method of claim 1, wherein after determining a detection result for the operating system based on the address interval and the N function addresses, the method further comprises:
when the detection result is that the malicious software exists in the kernel of the operating system, determining a target function among the N functions, wherein the target function is a function whose function address is not in the address interval;
acquiring address information of the target function, and determining a target module with the malicious software in the kernel according to the address information of the target function;
and cleaning the malicious software in the target module.
4. The method of claim 3, wherein cleaning the malware in the target module comprises:
judging whether the target module can restore its original function after the malware in it is cleared;
if the target module can restore its original function, directly clearing the malware from the target module;
and if the target module cannot restore its original function once the malware in it is cleared, sending reminder information to a target object, wherein the reminder information is used to remind the target object to clear the malware from the target module of the kernel.
5. The method of claim 1, wherein obtaining N functions in the kernel comprises:
obtaining a target table in the kernel, wherein the target table is at least one of the following: a system call table, used to record system call information of the operating system; an interrupt vector table, used to store interrupt vectors in the kernel; and a jump table, used to store entry addresses of system call and interrupt handlers;
and acquiring the N functions in the kernel from the target table.
6. The method of claim 1, wherein obtaining N functions in the kernel comprises:
determining a target space for storing codes in the kernel;
based on the target space, M code segments in the kernel are acquired, wherein M is a positive integer;
and acquiring the functions in each code segment to obtain the N functions.
7. The method of claim 1, wherein after determining a detection result for the operating system based on the address interval and the N function addresses, the method further comprises:
according to a preset detection period, obtaining the address of a kernel function in the kernel in the current detection period;
and detecting whether malicious software exists in the kernel of the operating system based on the address interval and the address of the kernel function, and obtaining a detection result of the operating system in the current detection time period.
8. A device for detecting malware in an operating system, comprising:
the first determining module is used for determining the kernel of the operating system according to the operating system to be detected;
the second determining module is used for determining an address interval corresponding to codes in the kernel;
the first acquisition module is used for acquiring N functions in the kernel and acquiring the function address of each function to obtain N function addresses, wherein N is a positive integer;
and the third determining module is used for determining a detection result of the operating system based on the address interval and the N function addresses, wherein the detection result is used for indicating whether malicious software exists in the kernel of the operating system.
9. A computer-readable storage medium storing a program, wherein the program executes the method for detecting malware in an operating system according to any one of claims 1 to 7.
10. An electronic device comprising a processor, a memory, and a program stored on the memory and executable on the processor, the processor executing the method for detecting malware in an operating system according to any one of claims 1 to 7 when the program is executed.
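The detection flow of claims 1, 2, 3 and 5 (and the matching method steps in the description above), reduced to working code. This is an added example written for this page; it is not code from the patent or from its applicant. It assumes a Linux-style kernel in which the code interval can be taken from the `_stext`/`_etext` symbols of kallsyms-style output (the patent does not say how the interval is obtained), and the table snapshot, the module list, the table labels `sys_call_table`/`idt` and the module names are constructed sample data, not read from a live system:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct table_entry {      /* one function pointer read from a kernel table */
    const char *table;    /* which table the slot belongs to */
    const char *name;     /* symbol the slot should point at */
    uint64_t    addr;     /* address actually found in the slot */
};

struct module_info {      /* a loaded kernel module as listed by the OS */
    const char *name;
    uint64_t    base;
    uint64_t    size;
};

/* Constructed kallsyms-style lines; all addresses here are made up. */
static const char *const sample_kallsyms[] = {
    "ffffffff81000000 T _stext",
    "ffffffff81200000 T __x64_sys_read",
    "ffffffff82000000 T _etext",
};
#define SAMPLE_KALLSYMS_LEN (sizeof sample_kallsyms / sizeof sample_kallsyms[0])

/* Constructed table snapshot: entry 1 points outside the kernel text. */
static const struct table_entry sample_table[] = {
    { "sys_call_table", "__x64_sys_read",       0xffffffff81200000ULL },
    { "sys_call_table", "__x64_sys_getdents64", 0xffffffffc0a01230ULL },
    { "idt",            "asm_exc_page_fault",   0xffffffff81c00000ULL },
};
#define SAMPLE_TABLE_LEN (sizeof sample_table / sizeof sample_table[0])

/* Constructed module list (name, base, size) for attributing a bad address. */
static const struct module_info sample_modules[] = {
    { "legit_nic", 0xffffffffc0000000ULL, 0x20000ULL },
    { "rk_mod",    0xffffffffc0a00000ULL, 0x04000ULL },
};
#define SAMPLE_MODULES_LEN (sizeof sample_modules / sizeof sample_modules[0])

/* Step 1: the kernel code interval [lo, hi) from _stext/_etext. Returns 1 on success. */
int kernel_code_interval(const char *const *lines, size_t n, uint64_t *lo, uint64_t *hi)
{
    int have_lo = 0, have_hi = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long long a;
        char type, sym[64];
        if (sscanf(lines[i], "%llx %c %63s", &a, &type, sym) != 3) continue;
        if (strcmp(sym, "_stext") == 0) { *lo = a; have_lo = 1; }
        else if (strcmp(sym, "_etext") == 0) { *hi = a; have_hi = 1; }
    }
    return have_lo && have_hi && *lo < *hi;
}

int addr_in_interval(uint64_t a, uint64_t lo, uint64_t hi) { return a >= lo && a < hi; }

/* Step 2: the detection decision. Returns how many entries fall outside [lo, hi)
 * (0 = no malware detected) and stores their indices, the target functions, in bad[]. */
size_t detect_table(const struct table_entry *t, size_t n, uint64_t lo, uint64_t hi,
                    size_t *bad, size_t max_bad)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (addr_in_interval(t[i].addr, lo, hi)) continue;
        if (count < max_bad) bad[count] = i;
        count++;
    }
    return count;
}

/* Step 3: name the module whose range contains a flagged address, or NULL. */
const char *module_for_address(uint64_t addr, const struct module_info *m, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= m[i].base && addr < m[i].base + m[i].size) return m[i].name;
    return NULL;
}

int main(void)
{
    uint64_t lo, hi;
    size_t bad[SAMPLE_TABLE_LEN], nbad;
    if (!kernel_code_interval(sample_kallsyms, SAMPLE_KALLSYMS_LEN, &lo, &hi)) {
        fputs("cannot determine kernel code interval\n", stderr);
        return 1;
    }
    nbad = detect_table(sample_table, SAMPLE_TABLE_LEN, lo, hi, bad, SAMPLE_TABLE_LEN);
    if (nbad == 0) { puts("detection result: no malware in kernel tables"); return 0; }
    for (size_t i = 0; i < nbad; i++) {
        const struct table_entry *e = &sample_table[bad[i]];
        const char *mod = module_for_address(e->addr, sample_modules, SAMPLE_MODULES_LEN);
        printf("%s[%s] = 0x%llx outside [0x%llx, 0x%llx): module %s\n", e->table, e->name,
               (unsigned long long)e->addr, (unsigned long long)lo, (unsigned long long)hi,
               mod ? mod : "(unknown)");
    }
    return 2; /* malware detected in the kernel */
}
```

Two practical limits of the interval test are worth keeping in mind when deploying it. A pointer that is redirected to a trampoline or inline patch placed inside the kernel text itself still satisfies `addr_in_interval`, so the check complements rather than replaces integrity hashing of the code pages. And the table and symbol reads must come from a path the suspected malware cannot mediate; reading them through the same kernel interfaces a rootkit may already hook defeats the purpose, which is why such checks are commonly run from a hypervisor or a boot-time environment, and why claim 7's periodic re-check matters.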
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311776386.0A CN117744082A (en) | 2023-12-21 | 2023-12-21 | Method and device for detecting malicious software in operating system and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117744082A true CN117744082A (en) | 2024-03-22 |
Family
ID=90277211
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311776386.0A Pending CN117744082A (en) | 2023-12-21 | 2023-12-21 | Method and device for detecting malicious software in operating system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117744082A (en) |
- 2023-12-21 CN CN202311776386.0A patent/CN117744082A/en active Pending
Similar Documents
Publication | Title |
---|---|
KR101174751B1 (en) | Malware auto-analysis system and method using kernel call-back mechanism |
KR101759008B1 (en) | Profiling code execution |
US8434151B1 (en) | Detecting malicious software |
US10235520B2 (en) | System and method for analyzing patch file |
US7971258B1 (en) | Methods and arrangement for efficiently detecting and removing malware |
CN109471697B (en) | Method, device and storage medium for monitoring system call in virtual machine |
KR101064164B1 (en) | Kernel integrity inspection and the recovery method on linux kernel based smart platform |
US10121004B2 (en) | Apparatus and method for monitoring virtual machine based on hypervisor |
JP2019521400A (en) | Detecting speculative exploit attempts |
CN108898012B (en) | Method and apparatus for detecting illegal program |
EP3652667B1 (en) | System and method for detecting malware injected into memory of a computing device |
CN116611066B (en) | Lesovirus identification method, device, equipment and storage medium |
CN114021115A (en) | Malicious application detection method and device, storage medium and processor |
KR100745639B1 (en) | Method for protecting file system and registry and apparatus thereof |
KR101503827B1 (en) | A detect system against malicious processes by using the full path of access files |
CN111428240B (en) | Method and device for detecting illegal access of memory of software |
CN103514402A (en) | Intrusion detection method and device |
CN108197041B (en) | Method, device and storage medium for determining parent process of child process |
CN117744082A (en) | Method and device for detecting malicious software in operating system and storage medium |
CN114282219A (en) | Sample detection method and device |
CN106971112B (en) | File read/write method and device |
KR101306656B1 (en) | Apparatus and method for providing dynamic analysis information of malignant code |
CN113688384A (en) | Program detection method, device, electronic equipment and medium |
RU2700185C1 (en) | Method for detecting hidden software in a computing system operating under a posix-compatible operating system |
US20240095351A1 (en) | Hypervisor-assisted data backup and recovery for next generation anti-virus (ngav) systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||