JP2017134574A - Program, information processing device and information processing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a program, an information processing device and an information processing method capable of reliably and effectively preventing an attack by malware.SOLUTION: In an information processing method, a mutex value that malware uses is registered in an operating system and a process which uses the mutex value is always remained in the operating system. Also, a process which has a process name identical to an analytical tool of the operating system is activated and the process which has the process name is always remained in the operating system.SELECTED DRAWING: Figure 5

Description

  The present invention relates to a program, an information processing apparatus, and an information processing method.

  In recent years, cases in which personal information and confidential information are leaked due to execution of illegal program codes in various information processing apparatuses such as computers have become a social problem. Such malicious software for performing illegal and harmful operations is also called malware (unauthorized software, illegal program).

As a method of improving the detection accuracy of unauthorized access by malware, a call to a predetermined function is detected, and when a function is detected, a return address stored in the stack area is acquired, and the detected function is A function that assigns an executable attribute to a specified address range area in memory, and if the previous instruction pointed to by the return address is not a function call instruction, the address range is stored in the address range storage unit. A method is known in which it is determined that an unauthorized access has been made when the return address of the stored and detected function is within the address range stored in the address range storage unit (see Patent Document 1).
In the Android (registered trademark) mobile operating system, the APK file has an information processing device as a program that enables detection of malware by a simple method, and provides information related to the APK file to the operation system. A manifest analysis unit that reads a manifest file and a program that functions as a parameter analysis engine that analyzes the malware likeness of an APK file based on use permission information of each function described in the manifest file are known (see Patent Document 2). .

Japanese Patent No. 4927231 JP 2013-222422 A

  However, it has been difficult for conventional methods to effectively prevent malware attacks.

  An object of the present invention is to provide a program, an information processing apparatus, and an information processing method that can effectively prevent an attack by malware.

  A program according to an aspect of the present invention causes a computer to function as a registration unit that registers a mutex value used by malware in an operating system and a resident unit that makes a process that uses the mutex value resident. To do.

  In the above-described program, the registration unit may hook the execution of a function for creating a mutex value by software, and register the mutex value to be created by the function in the operating system.

  In the above-described program, the computer is further caused to function as a determination unit that determines whether or not the software to be started is malware, and the registration unit is a mutex of software that is determined to be malware by the determination unit. The value may be registered with the operating system.

  A program according to an aspect of the present invention causes a computer to function as an activation unit that starts a process having the same process name as an analysis tool of an operating system and a resident unit that makes the process with the process name resident. To do.

  In the above-described program, the activation unit may activate the process having the other process name by changing the process copy to another process name and activating the copy.

  An information processing apparatus according to an aspect of the present invention includes a registration unit that registers a mutex value used by malware in an operating system, and a resident unit that makes a process that uses the mutex value resident.

  An information processing apparatus according to an aspect of the present invention includes an activation unit that activates a process having the same process name as an analysis tool of an operating system, and a resident unit that makes the process with the process name resident.

  An information processing method according to an aspect of the present invention is characterized in that a mutex value used by malware is registered in an operating system, and a process that uses the mutex value is made resident.

  An information processing method according to an aspect of the present invention is characterized in that a process having the same process name as an analysis tool of an operating system is started and the process having the process name is made resident.

  As described above, according to the present invention, the computer functions as a registration unit that registers a mutex value used by malware in an operating system and a resident unit that makes a process that uses the mutex value resident. Therefore, it is possible to effectively prevent malware attacks.

It is a block diagram which shows a general information processing apparatus. It is explanatory drawing (the 1) which shows operation | movement of a computer program in relation to the hardware of a computer. It is explanatory drawing (the 2) which shows operation | movement of a computer program in relation to the hardware of a computer. It is explanatory drawing which shows the principle of a mutex. It is explanatory drawing which shows the principle of this invention using the function of a mutex. It is explanatory drawing which shows the principle of analysis environment detection. It is explanatory drawing which shows the principle of this invention using the function of analysis environment detection. It is explanatory drawing (the 1) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 2) explaining the program, information processing apparatus, and information processing method by 1st Embodiment of this invention. It is explanatory drawing (the 1) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 2) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 3) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 4) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 5) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 6) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 7) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 8) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 9) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 10) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 11) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 12) explaining the program, information processing apparatus, and information processing method by 2nd Embodiment of this invention. It is explanatory drawing (the 1) explaining the program, information processing apparatus, and information processing method by 3rd Embodiment of this invention. It is explanatory drawing (the 2) explaining the program, information processing apparatus, and information processing method by 3rd Embodiment of this invention. It is explanatory drawing (the 3) explaining the program, information processing apparatus, and information processing method by 3rd Embodiment of this invention. It is explanatory drawing (the 4) explaining the program, information processing apparatus, and information processing method by 3rd Embodiment of this invention. It is explanatory drawing (the 5) explaining the program, information processing apparatus, and information processing method by 3rd Embodiment of this invention. It is explanatory drawing (the 6) explaining the program, information processing apparatus, and information processing method by 3rd Embodiment of this invention. It is explanatory drawing (the 7) explaining the program, information processing apparatus, and information processing method by 3rd Embodiment of this invention. It is explanatory drawing (the 8) explaining the program, information processing apparatus, and information processing method by 3rd Embodiment of this invention.

[Information processing device]
A general information processing apparatus to which the present invention is applied and its operation will be described with reference to FIGS.

  FIG. 1 is a block diagram showing a general information processing apparatus.

  The information processing apparatus 10 in a standard stand-alone environment includes a computer (PC) 20 and an external peripheral device 30.

  The computer (PC) 20 includes a CPU 21 for executing instructions, a hard disk 22 for storing data and programs, a memory 23 for the CPU 21 to read data and programs, and input / output such as a mouse and a keyboard for receiving user operations. The apparatus 24 is configured by a display 25 and the like for displaying operation contents, processing results, and the like.

  The external peripheral device 30 includes a printer 31 for printing processing results and the like, an external storage device 32 such as a USB memory, and the like.

  Next, with reference to FIG. 2 and FIG. 3, a series of operations in the case where a computer program, that is, a processing procedure to be performed by a computer written according to a predetermined format (program language) is executed in the computer 20 will be described. The description will be made in relation to hardware such as the CPU 21, the hard disk 22, and the memory 23.

  Before the computer 20 is started, OS data including programs and data of operation software (OS), programs to be executed by the computer 20, user data such as documents and drawings, and the like are stored in the hard disk 22 as files ( FIG. 2 (a)). In the memory 23, no program or data is developed.

  When the computer 20 is activated and the CPU 21 executes an instruction to load the OS data stored in the hard disk 22 into the memory 23, the OS data is expanded as a process on the memory 23 (FIG. 2B).

  Next, the CPU 21 executes an OS data process on the memory 23 to access a program stored in the hard disk 22 and read the program (FIG. 2C). The program stored in the hard disk 22 is loaded into the memory 23 and developed as a process on the memory 23 (FIG. 3A).

  Next, the CPU 21 executes a program process on the memory 23 to access user data stored in the hard disk 22 and read / write data from / to the hard disk 22 (FIG. 3B).

  In this way, operations among the CPU 21, the hard disk 22, and the memory 23 are performed by operation software and programs.

[Principle of the Invention]
The principle of the present invention will be described.

  In recent years, the majority of attackers who use malware are exploiting money and confidential information, and these attacks often use systematically developed malware creation tools.

  Inventors of the present application recognize that multiple malware created with these tools recognizes the multiple activation status and performs its own operation in order to prevent conflicts in processing due to multiple activation of malware and unexpected operation stoppage. I noticed that it has a function to stop the operation and to hide the feature from the malware analysis side when it detects that it is operating in the analysis environment. .

  In order for the program to recognize the multiple activation state, Microsoft Windows (registered trademark), which is a Microsoft operating system, is provided with a function called a mutex. A mutex value, which is the name of the activated program, is registered in the OS system.

  The principle of the mutex will be described with reference to the conceptual diagram of FIG.

  In the case of FIG. 4A, the mutex values of Mutex001, Mutex002, and Mutex003 are already registered in the operating system.

  In this state, when the malware A that uses the mutex function is activated, as shown in FIG. 4A, a mutex value called Mutex004 is created and registered in the operating system. Since the mutex value of Mutex004 is not registered in the operating system, as shown in FIG. 4B, the Mutex004 is successfully registered, and the operation of the malware A is continued.

  In this state, when the malware A that uses the mutex function is double-launched, as shown in FIG. 4C, it creates a mutex value called Mutex004 and tries to register it in the operating system. Since the mutex value of Mutex004 is already registered in the operating system, as shown in FIG. 4 (c), the registration of Mutex004 fails and double activation of malware A is prevented.

  In the present invention, this function is used to prevent the operation of malware. The principle of the present invention will be described with reference to the conceptual diagram of FIG.

  In the case of FIG. 5A, the mutex values of Mutex001, Mutex002, and Mutex003 are already registered in the operating system.

  In this state, the program of the present invention is started, and a mutex value called Mutex004 is created and registered in the operating system as shown in FIG. Since the mutex value of Mutex004 is not registered in the operating system, as shown in FIG. 5B, the mutex004 is successfully registered, and the program of the present invention is in a standby state as it is.

  In this state, the malware A that uses the mutex function tries to start up, and as shown in FIG. 5C, creates a mutex value called Mutex004 and tries to register it in the operating system. Since the mutex value of Mutex004 is already registered in the operating system, as shown in FIG. 5C, the registration of Mutex004 fails and the activation of the malware A is prevented.

  Mutexes are one of the exclusive control mechanisms in computers that generally allow only one process or thread to access a resource at the same time, and prevent multiple activations in normal programs that are not malware. It may be used for purposes such as However, many of these normal Windows programs allow multiple activations of their own, and malware that makes it difficult to perform the intended unauthorized operation by multiple activations is more frequently used for exclusive control by this mutex. Tend to.

  Further, the inventors of the present application have a function for detecting whether the operating system is operating in the analysis environment, and stopping the operation of the malware itself when operating in the analysis environment. I noticed that there is.

  In order to detect the situation where the operating system is operating in the analysis environment, the malware maintains a list of process names of widely-known analysis tools in advance, and the contents of this list and the system are operating during operation. Compare process names to see if there is a match. If it matches, the malware stops working.

  The principle of analysis environment detection will be described with reference to FIG.

  The operating process name is registered in the operating system. In FIG. 6, notepad.exe, calc.exe, analyzer.exe,... Are registered. In this operating system, analyzer.exe, which is the process name of the analysis program, is registered, and it can be seen that it is in the analysis environment.

  In this state, when the malware B is activated, it is detected in advance whether its own operating environment is on the analysis environment. Malware B has a list of process names of commonly used survey tools. 6 includes a list of process names such as debugger.exe, analyzer.exe, monitor.exe,. The malware B sequentially compares the list it owns with the name of the process that is currently operating in the operating system, and if they match, determines that it is in the analysis environment and stops its operation. In FIG. 6, since the process name of analyzer.exe in the list matches the process name registered in the system, its operation is stopped at that stage.

  In the present invention, this function is used to prevent the operation of malware. The principle of the present invention will be described with reference to the conceptual diagram of FIG.

  The program of the present invention is activated, and a process name of a frequently used investigation tool is registered in the operating system in advance. In FIG. 7, a list of process names such as debugger.exe, monitor.exe, analyzer.exe,... Is registered.

  In this state, when the malware B is activated, it is detected in advance whether its own operating environment is on the analysis environment. Malware B has a list of process names of commonly used survey tools. 7 includes a list of process names such as debugger.exe, analyzer.exe, monitor.exe,. The malware B sequentially compares the list it owns with the name of the process that is currently operating in the operating system, and if they match, determines that it is in the analysis environment and stops its operation. In FIG. 7, since the process name of debugger.exe in the list matches the process name registered in the system, the operation is stopped at that stage. In this way, the operation of the malware B can be stopped.

[First Embodiment]
The program, information processing apparatus, and information processing method according to the first embodiment of the present invention will be described with reference to FIGS.

  In the present embodiment, a program that uses a known mutex value used for malware is made resident to prevent execution of the malware.

  The program according to the present embodiment (the program of the present invention) includes an instruction CreateMutex for registering a known mutex value used for malware in a mutex value list in the memory 23.

  The program of the present invention is stored in the hard disk 22 in the same manner as the programs in FIGS. 2 and 3, expanded in the memory 23 by a command from the CPU 21, and executed by a command from the CPU 21.

  The program of the present invention may be executed at any time before entering a state where there is a risk that malware will be introduced, but it is desirable that the program is started as a startup program when the computer 20 is started up. Thereby, the computer 20 can always be protected from malware immediately after starting.

  The mutex value registered by the program of the present invention will be described.

  Many of the mutex values used for known malware are posted as part of malware analysis information published on the Internet. For example, the first generation of malware called ZBOT used in online banking malware uses a mutex value of “_AVIRA_2108”, “_AVIRA_2109”, or “__SYSTEM__64AD0625__” as a fixed value. In addition, when malware analysis is performed even for new types of malware, in most cases, mutex information is also released along with the analysis information from each anti-malware vendor.

  In the present invention program, for example, all or any of the following mutex values are registered.

  25cbfc4f-Mutex, 470a1245-Mutex, 894133bf-Mutex, aMD6qt7lWb1N3TNBSe4N, b845ef76-Mutex, bcd8f464-Mutex, beta100-Mutex, bfbd401b-Mutex, DC_MUTEX-B2FTUQ77-052 f5399233-Mutex, faebec4a-Mutex, fuckareyoulookin, IrcPeru-Mutex, KyUffThOkYwRRtg, lyhrsugiwwnvnn, Microsoft-Windows-LDAP32xClient, Prowin32Mutex, Rapid Antivirus_AppManager_server_mutex, s5rBKCUVfY8XLVxSP12

  Malware protection methods that rely on pattern files and hash values that are commonly used as security measures often cannot respond if the malware binary changes even a little, but in the case of mutex values, multiple variants (of the same type) The malware group) often has the same mutex value, and it is possible to protect against a plurality of unknown malware by a single mutex value.

  When generating general malware, it is rare to develop it from the beginning, and it is often created using a builder that is a tool for automatically generating malware or modifying the source code of the leaked malware. In such leaked source code and automatically generated tools, there are not many cases where the mutex is intentionally changed. As a result, multiple malware with a fixed mutex value, that is, a variant of malware, is created.

  Note that the binary feature points captured by hash values and general pattern files inevitably change at the time the binary is generated, so it is difficult to capture multiple items with a single piece of information. is there.

  This information is collected in advance, and a database of known malware mutex value lists is created. In the program of the present invention, a mutex value of known malware stored in a database is generated and registered.

  It is desirable to constantly update the database of malware mutex values and generate and register all mutex values registered in the database when the program of the present invention is started.

  Next, a mechanism for preventing the execution of malware while the program of the present invention is executed will be described.

  As shown in FIG. 8, a mutex value list area is provided at a predetermined position in the operating system data of the memory 23. In FIG. 8, mutexes values AAAA, BBBBB, CCCCC,... Are registered in the mutex value list area. The registered mutex value is a mutex value of known malware stored in a database.

  A series of processing flow when attempting to execute malware in this state will be described with reference to FIG.

  First, when the malware executable file is activated, the image data of the executable file is arranged on the memory 23 (FIG. 9A).

  Next, when the malware tries to register the mutex value “EEEEEEEE” in the system, the CreateMutex function of the operating system on the memory 23 is called from the malware via the CPU 21 with the argument “EEEEEEEE” (FIG. 9B). )).

  Next, when the CreateMutex function is called, the operating system accesses the mutex list existing on the memory 23 and checks whether or not the mutex value “EEEEEEEE” passed as an argument exists in the mutex list ( FIG. 9 (c)).

  When a mutex value “EEEEEEEE” exists in the mutex list, the operating system returns a null value to the malware as a return value of the CreateMutex function (FIG. 9D).

  Malware confirms that the return value of the function is a null value, so that the mutex registration by the CreateMutex function has failed, that is, the same malware process as itself or the process of its own replication is started on the operating system. Recognize that Upon recognizing that, the malware stops further processing itself. Thereby, it is possible to prevent unauthorized operation of malware.

  If a mutex value "EEEEEEEE" does not exist in the mutex list, the operating system adds the passed value "EEEEEEEE" to the mutex list, and then returns a non-null value to the malware as the return value of the CreateMutex function. A response is made (FIG. 9 (e)).

  By confirming that the return value of the function is not a null value, the malware has successfully registered the mutex using the CreateMutex function, that is, the same malware process as itself or the process of its replication is started on the operating system. Recognize that you are not. If this is recognized, the subsequent malware processing is continued. In this case, malware execution cannot be prevented.

[Second Embodiment]
A program, an information processing apparatus, and an information processing method according to a second embodiment of the present invention will be described with reference to FIGS.

  In this embodiment, even if the mutex value used by the malware is unknown, the execution of the function that the malware tries to create the mutex value is hooked and pre-registered and registered in the mutex value list in advance. It tries to prevent the execution of malware.

  The program of the present invention may be executed at any time before entering a state where there is a risk that malware will be introduced, but it is desirable that the program is started as a startup program when the computer 20 is started up. Thereby, the computer 20 can always be protected from malware immediately after startup.

  FIG. 10 shows the state of the memory 23 immediately after the computer 20 is activated. In the memory 23, the program of the present invention and other startup programs are developed and arranged together with the operating system.

  The program of the present invention first checks the information of all processes that are started after it is started, and determines whether it is a process of a suspicious program. In the following description, such a suspicious program is referred to as “malware” or “suspicious program” for convenience.

  When the malware starts, as shown in FIG. 11, the malware is deployed on the memory 23 together with the operating system, the program of the present invention, and other startup programs, and the malware process operation is started.

  Next, as shown in FIG. 12, the program of the present invention is a suspicious program that acquires malware process information developed on the memory 23 and confirms the malware executable file stored on the hard disk 22. Determine whether or not.

Specific examples of such criteria are as follows.
(A) It is determined whether or not a normal digital signature is given.
(B) It is determined whether or not property information such as a developer exists.
(C) It is determined whether or not it matches the exclusion list set by the user.
(D) It is determined whether or not the process execution file is performing icon disguise.
(E) It is determined whether the extension is camouflaged.
(F) It is determined whether or not known illegal information is held in the file.
(G) It is determined whether or not the process is executed from the temporary area of the user.
(H) It is determined whether it is registered in the automatic start entry of the OS.
(I) It is determined whether or not it belongs to a known illegal and non-invalid hash value.

  If it is determined to be suspicious by such criteria, the program hooks and intercepts the execution of the function that creates the mutex value and registers it in the mutex value list in advance. To prevent execution.

  When the Windows program is activated, it is arranged in a virtual memory called a process space (memory space). Each process space has an item called IAT (Import Address Table). A list of functions used by the program and a memory address corresponding to the list are recorded in the IAT. This is information for the operating system to know what function is read into which address when the program operates.

  FIG. 13 shows a state in which a function called CreateMutex is arranged at a memory address 45000000 in the process space of malware developed on the memory 23.

  Details of the method of performing the hook control in this state will be described.

  First, embed a fake CreateMutex function, for example, the FakeCreateMutex function, in the malware process space.

  In order to inject code into another process space other than itself, a WindowsAPI called VirtualAllocEx function is used in the memory space of the process, and a memory area of a certain size is secured in an area not yet used (see FIG. 14). ).

  Next, using the Windows API called WriteProcessMemory in the reserved memory area, the code to be executed, that is, the FakeCreateMutex function main body and the function A for incorporating the FakeCreateMutex function into the malware IAT are written (see FIG. 15). The specific address of the secured memory area can be obtained by checking the return value of VirtualAllocEx.

  Next, by calling a Windows API called CreateRemoteThread to execute the written code (function A), the arbitrary code is executed on the malware process space (see FIG. 16). Here, when attention is paid only to the process space of the suspicious program, it is as shown in FIG.

  Next, when the function A is executed by CreateRemoteThread, the address of the regular CreateMutex function, for example, 45000000, in the IAT of the process space of the suspicious program is rewritten to the address of the fake FakeCreateMutex function, for example, 48.500000 ( (See FIGS. 18A and 18B). This completes the hook pre-processing.

  To find out which function is expanded to which address, that is, the address corresponding to that function in IAT, pass the function name to the Windows API argument GetProcAddress, and the specified function will be in the process space. You can know if it is associated with an address.

  Next, it is assumed that the suspicious program tries to register a mutex name such as “MAL123” in the system. In that case, when the CreateMutex function is called, as a result of referring to the malware IAT, the system passes the parameter "MAL123" to the fake FakeCreateMutex function prepared in advance instead of the regular CreateMutex function (Fig. 19).

  Next, inside the FakeCreateMutex function, processing is performed to pass information that “the suspicious program is about to create a mutex named“ MAL123 ”” to the present invention program. The present invention program that has received the information can register the mutex prior to the suspicious program (see FIG. 20).

  At this point, the suspicious program is not resident yet, but the mutex registered when the suspicious program resides is registered in the system.

  In addition, for the caller of the CreateMutex function of the suspicious program, the function failed as a result of the call, that is, by returning the result that the mutex "MAL123" has already been registered in the system, it is false for the suspicious program. As a result, it is possible to prevent the subsequent operation from continuing (see FIG. 20).

  The process shown in FIG. 20 is equivalent to the process shown in FIG. 21 as a result, and the program of the present invention always returns a value of failure.

  In this way, in the present embodiment, even if the mutex value used by the malware is unknown, the execution of the function that the malware tries to create the mutex value is hooked and pre-registered in the mutex value list in advance. By doing so, malware execution can be prevented.

[Third Embodiment]
A program, an information processing apparatus, and an information processing method according to the second embodiment of the present invention will be described with reference to FIGS.

  In this embodiment, the process name of a frequently used investigation tool is registered in the operating system in advance, and the malware is executed using the function of stopping its operation when it is determined that the malware is in the analysis environment. It is something to try to stop.

  The realization of the situation operating in the analysis environment is solved by operating a process having a process name of a widely known analysis tool on the computer 20 in advance. This process does not have to be an actual analysis tool process, and any actual process may be used as long as the process name is the same as the analysis tool, and it is desirable that the process has a low load on the computer 20.

  Examples of the process name of the analysis tool that checks the presence of malware in the analysis environment include WireShark (process name: Wireshark.exe), which is a network investigation tool, and OllyDbg (process, which is a dynamic analysis tool). Name: ollydbg.exe), Process Monitor (process name: procmon.exe), a process monitoring tool, IDA Pro (process name: idaq.exe), a static analysis tool, Process Explorer (process name), a process management tool : Procexp.exe).

  In this embodiment, for example, all or any of the following process names are operated.

  360Tray.exe, ashWebSv.exe, avcenter.exe, avguard.exe, avp.exe, ccSvcHst.exe, ekrn.exe, idag.exe, idaq.exe, idaq64.exe, ImmunityDebugger.exe, InstallRite.exe, kissvc. exe, Mcshield.exe, NTRTSCAN.exe, ollydbg.exe, outpost.exe, ProccessHacker.exe, Regshot.exe, SbieCtrl.exe, Smc.exe, tcpdump.exe, tcpview.exe, tmproxy.exe, VBoxService.exe, VBoxTray.exe, vmtoolsd.exe, VPTray.exe, windbg.exe, wireshark.exe.

  It is assumed that the execution of the program of the present invention has little influence on a normal program. Exceptionally, some PC games etc. may not work when an analysis is detected. In that case, such normal PC operation can be performed by setting a file or folder to be excluded from detection in the exclusion list in advance. The above inconvenience can be avoided.

  Some malware does not stop its operation when it matches a list, but stops the process of the matching analysis tool. For such malware, hook the “TerminateProcess” function to stop the process in the memory 23 where the malware code is placed in advance, and if you want to terminate the analysis tool, Change to stop. That is, when the argument of TerminateProcess called by the malware indicates the process of the development tool, the argument is changed to the process information of the malware itself.

  The process for hooking the function for stopping the process may be performed in the same way as the hook for the CreateMutex function in the second embodiment.

  In this embodiment, a process having an arbitrary process name is started as follows.

  For example, if you want to start a process named "OllyDbg.exe", the program "MyProgram.exe" of the present invention creates a copy of its executable file in the temporary area with the file name "OllyDbg.exe". Start up.

  As a result, two parent processes called “MyProgram.exe” and a child process called “OllyDbg.exe” (a copy of “MyProgram.exe”) are running on the operating system. . When viewed from other processes such as a task manager that is not so conscious of the parent-child relationship of the activated processes, each process appears to be activated independently in the system process list (see FIG. 22).

  By repeating this operation, that is, the operation of changing the copy of itself to an arbitrary file name and starting it, a plurality of arbitrary processes are started simultaneously (see FIG. 23). The state of the Windows system at that time is as shown in FIG.

  When the above operation to create multiple copies and use them to start multiple processes is performed, a copy of the executable file "MyProgram.exe" that is the same as each process name in the temporary area folder, As many processes exist as the number of processes started. If only the process “MyProgram.exe” is terminated in this state, the remaining processes are started in isolation, and a plurality of created executable files, that is, copies of the executable file “MyProgram.exe” are stored on the hard disk 22. It will remain on top, leaving a load on the Windows system.

  In the program of the present invention, in order to avoid such a situation, when the process "MyProgram.exe" ends, a plurality of created executable files, that is, copies of the executable file "MyProgram.exe" and the process thereof are unnecessary. In the following way, all related child processes are terminated together, and the executable file is also deleted. Details of the operation will be described.

  The created child processes, that is, “OllyDbg.exs”, “Wireshark.exe”, and the like constantly monitor whether their parent process is activated (see FIG. 25).

  There are the following specific methods for the child process to monitor the parent process.

  First, when starting a child process that is a copy of itself, the parent process is called with the process ID of itself (parent) passed as an execution argument. Next, when the called process determines that it has started up with the process ID assigned to the execution argument, it is a “child” and the process having the argument process ID is the “parent”. To understand the parent-child relationship of the process.

  If the process ID is known, it is possible to determine whether the process having the specified process ID is currently activated by combining the CreateAPIhelp32SnapShot function, Process32First function, and Process32Next function that are Windows APIs.

  If it is determined that the parent process is terminated, the child process performs an operation of terminating and deleting itself.

  While the process is running, it is basically impossible in the operating system to delete the executable file that is the substance of the process. In other words, to delete the actual executable file, the process must be terminated. For this reason, it is impossible to realize the operation of deleting the own executable file and ending the process, or vice versa, with a single program.

  Therefore, the process itself is terminated and the execution file that is the substance of the process is substantially deleted as follows.

  For example, assuming that the execution file name and its process are “AAAAA.exe”, the process AAAAA.exe temporarily creates a batch file (Batch File) for deletion. In the batch file, an instruction code is written that repeatedly sleeps until the AAAA.exe process disappears, and deletes the executable file AAAAA.exe when the AAAAA.exe process disappears.

  The process AAAAA.exe that called the batch file then terminates its process. Then, the batch file that has confirmed that the AAAA.exe process no longer exists deletes the execution file AAAAA.exe that is the entity of the process AAAAA.exe (see FIG. 26).

  Next, in order to delete the batch file which is itself, the batch file itself is executed by passing a command for deleting itself to the command prompt with the DEL command, and the batch file itself is terminated. Thereafter, the command prompt is terminated after deleting the batch file with the DEL command (see FIG. 27). Since the command prompt has an operation to terminate itself (process of the command prompt itself) when all the passed processing is completed, it is used.

  The above is the method for the program to terminate and delete itself, but all the child processes that started this method perform it simultaneously.

  When "MyProgram.exe" ends in this way, each process that is a copy and the file that is the entity are deleted, and the environment state before "MyProgram.exe" is activated can be set.

  The program of the present invention also includes a malware attack detection function as one of the functions.

  In general, when it is determined that the process of the analysis tool or the anti-malware product is activated, most of the malware performs an operation of terminating itself. On the other hand, there is also a type of malware that tries to terminate the other party rather than terminating itself. If an analysis tool process has been started, exiting the analysis tool may interfere with the user's operation and prevent the user from being analyzed.

  In the program of the present invention, the parent process monitors whether or not its own child process has been terminated, thereby detecting the attack (see FIG. 28).

  For example, when the malware forcibly terminates “WireShark.exe”, the program of the present invention determines that the program has been forcibly terminated by the malware because one child process does not exist (see FIGS. 29A to 29C). ).

  When a program forcibly terminates a process, it is usually realized by calling a Windows API called TerminateProcess. "TerminateProcess" is also called when a process is forcibly terminated by a program called Task Manager, which is standard on Windows.

  If a user accidentally terminates a child process by a user operation from the task manager, there is a possibility that the child process is erroneously detected as being terminated by a malware attack. Therefore, the program of the present invention prevents the erroneous detection from occurring.

  When a general process forcibly terminates another process using the TerminateProcess function, the procedure is as follows.

  For the WindowsAPI function OpenProcess, the process ID of the process to be forcibly terminated is opened as the third argument and the access right "PROCESS_TERMINATE" is assigned as the first argument. Successful calls to the OpenProcess function with this argument passed mean that you have obtained the right to handle the process with the given access right, here PROCESS_TERMINATE, that is, the forced termination right.

  Next, if the above OpenProcess succeeds, a process handle (an object that handles the process) is returned as a return value. By passing the process handle as an argument of TerminateProcess, the corresponding process can be forcibly terminated. Become.

  In other words, if the OpenProcess function can fail to open its own process with the access right “PROCESS_TERMINATE”, it is possible to cause the forced termination (call of TerminateProcess) from another program to fail as a result.

  To make OpenProcess fail with the specified access right, when creating a process that you want to protect from forced termination from TerminateProcess, specifically when creating a process using CreateProcess, security information to be given to that process, that is, , By removing the access right of "PROCESS_TERMINATE" from the security descriptor of the third argument when calling CreateProcess, that is, the access right to allow forced termination from another process, the forced termination from another general process You can create a process with access rights that do not allow access.

  In the program of the present invention, this method makes it possible to block a general forced termination of the parent process and the child process, that is, forced termination by a user operation from a task manager or the like, thereby preventing erroneous detection.

  In addition, it is possible to block the behavior of the type of malware that is forced to terminate at the user operation level, and as a result, it is possible to prevent the operation of such malware from continuing.

  On the other hand, some types of malware can forcibly terminate the target even if TerminateProcess is blocked by the above method. Specifically, by using the SeDebugPrivilege function to raise itself to the same privileged state as the debugger, it is possible to forcibly operate by ignoring the access right set by the other party, and forcibly terminate it.

  The forced termination detection of the program of the present invention can detect that such a type of malware has forcibly terminated the child process, and can detect that such malware is present in the computer.

[Modified Embodiment]
The present invention is not limited to the above embodiment, and various modifications can be made.

  For example, in the above embodiment, the present invention is applied to Microsoft Windows, which is a Microsoft operating system, but Android, BSD, iOS, Linux, OS X, Windows Phone, IBM z / OS (all registered trademarks). The present invention may be applied to other operating systems. It is possible to reliably and effectively prevent malware attacks on each operating system.

10 ... Information processing device 20 ... Computer (PC)
30 ... External peripheral device 21 ... CPU
22 ... Hard disk 23 ... Memory 24 ... Input / output device 25 ... Display 31 ... Printer 32 ... External storage device

Claims (9)

Computer
A registration unit that registers the mutex value used by the malware in the operating system;
A resident part that makes a process that uses the mutex value resident, and
Program to make it function. The program according to claim 1,
The registration unit hooks execution of a function for creating a mutex value by software, and registers the mutex value to be created by the function in the operating system.
program. The program according to claim 2,
Causing the computer to further function as a determination unit that determines whether the software to be started is malware;
The registration unit registers a mutex value of software determined to be malware by the determination unit in the operating system. Computer
A launcher that launches a process with the same process name as the operating system analysis tool;
A resident part for resident the process having the process name;
Program to make it function. The program according to claim 4, wherein
The activation unit activates a process having the other process name by changing a copy of the process to another process name and activating the copy. A registration unit that registers the mutex value used by the malware in the operating system;
A resident part that makes a process that uses the mutex value resident, and
An information processing apparatus. A launcher that launches a process with the same process name as the operating system analysis tool;
A resident part for resident the process having the process name;
An information processing apparatus. Register the mutex value used by the malware in the operating system,
An information processing method in which a process using the mutex value is made resident. Start a process with the same process name as the operating system analysis tool,
An information processing method for causing a process having the process name to reside.

Images