TW200919251A - Auxiliary method for investigating lurking program case - Google Patents

Auxiliary method for investigating lurking program case

Info

Publication number
TW200919251A
Authority
TW
Taiwan
Prior art keywords
registration
program
trip
latent
information
Prior art date
Application number
TW96139540A
Other languages
Chinese (zh)
Other versions
TWI350978B (en)
Inventor
Xing-Guo Weng
Yi-Bin Lu
Original Assignee
Chung Shan Inst Of Science
Priority date
Filing date
Publication date
Application filed by Chung Shan Inst Of Science
Priority to TW96139540A
Publication of TW200919251A
Application granted
Publication of TWI350978B


Abstract

This invention relates to an auxiliary method for investigating a lurking program case. The processes executed by a computer system are monitored continuously, and a process start-up relationship record is written for each monitored process when it is created and when it terminates. The system registry of the computer system is also monitored continuously, and a self-starting registration record is written whenever a program registers itself in an autostart area. The self-starting registration records and the process start-up relationship records are then correlated to generate and store a process start-up relationship log, from which the high-level key information of a suspected lurking program is extracted and stored. With this invention, concrete evidentiary data can be provided by collecting only a very small amount of high-level key information together with the process start-up relationship log, using little system resource; this facilitates the investigation of a lurking program case and reduces the time and labor cost of collecting and analyzing large amounts of low-level logs.

Description

IX. Description of the Invention:

[Technical Field of the Invention]

The present invention relates to an auxiliary method, and in particular to a software method for assisting the investigation of lurking program cases.

[Prior Art]

A so-called lurking program is a kind of malicious program that is implanted into, and lies dormant in, a victim's computer system, where it accepts a hacker's control commands and carries out unauthorized behavior. The illegal acts of lurking programs can be divided by purpose into several kinds: (1) stealing the user's keystrokes, such as passwords; (2) stealing personal data such as card numbers, account numbers or files; (3) hijacking the browser to force the user onto advertising sites; (4) implanting further malicious programs to carry out more illegal activity, or even to serve as an intermediate stepping stone for attacking other computers; (5) linking with the lurking programs on other victim computers to form a larger attack network, such as a botnet.

Besides waiting for an opportunity, or for an order, to act illegally, a lurking program usually also has several essential characteristics: (1) automatic start-up: when the computer system boots, or when the user's file manager or web browser starts, or even when a file of a common type (such as .txt or .jpg) is opened, it starts executing on its own without relying on anyone to launch it; (2) intent to hide: to avoid being noticed by the victim or detected by the protective software on the victim's computer system (anti-virus software, anti-hacker software and the like), it deliberately conceals its traces; (3) external communication: it tries to communicate with other computers, especially computers on the Internet, to receive the hacker's control commands or to covertly send intelligence or files stolen from the victim's computer system back to the hacker.

Lurking programs are now very prevalent. A computer connected to the Internet is easily implanted with one, with the result that private data or important files are stolen, or the machine is even used as a stepping stone for cybercrime and drawn into illegal incidents. News reports show that lurking program incidents occur continually, from users' personal data being misappropriated, to company databases being intruded upon, to official secrets of government agencies being stolen.

To address the security problems raised by lurking programs, the security industry currently has three modes of handling them: (1) identifying and intercepting lurking programs by program signature, (2) detecting the anomalous behavior or behavioral features of lurking programs and intercepting them, and (3) investigating lurking program cases and containing the damage. These are described in the following paragraphs.

1. Identifying and intercepting lurking programs by program signature first produces a signature of the lurking program, which later serves as the basis for recognizing it. The main difference among signature schemes lies in the method used to produce the signature. Current practice computes a digital signature of the program file, computes a checksum, or extracts small pieces of code; these are analyzed as follows:

1. Digital signature: since a digital signature is computed with a cryptographic one-way hash function, the resulting program signature is unique, but the computation is complex and time-consuming.
2. Small pieces of code: extracting program fragments is simple and fast, but to guarantee uniqueness a large collection of program files must be gathered in advance as the library against which fragments are compared, and several alternative extraction methods must be designed to resolve code collisions.
3. Checksum: the program file is treated as a byte stream, a word stream or a multi-word stream, and a checksum is computed for the file in the manner of a communication protocol check code. In uniqueness and in speed, such checksums lie between the digital signature method and the code fragment method.

All three of these recognition methods have been applied in security products for years; signature-based detection is mature and its accuracy is very high, but it works only for known lurking programs and also fails to detect lurking programs that have been packed.

2. Detecting the anomalous behavior or behavioral features of a lurking program targets its essential characteristics. According to the analysis above, besides its illegal acts a lurking program also exhibits automatic start-up, intent to hide, external communication and similar behavioral features. Even though these features are available for judgment, the detection rate and accuracy of this method are generally low, for the following reasons:

1. The intrinsic difficulty of anomaly detection: in the field of intrusion detection, anomaly detection has long been acknowledged by academia and the security industry to have a low detection rate and low accuracy; this is an inherent problem of the technical field.
2. The behavioral features of lurking programs are not unique: three broad classes of program commonly have automatic start-up and external communication, namely (1) the operating system's built-in services, such as domain name service (DNS), time service (NTP), network neighborhood (NetBIOS) and network file system (NFS); (2) agents of application software, such as automatic updaters, mutual queries among database server groups, and quiet connections back to the vendor's website; (3) ActiveX controls that must be downloaded and installed while browsing web pages. These programs are numerous, and without unique behavioral features it is inherently hard to detect lurking programs accurately. Program authentication mechanisms have been expected to solve this problem. However, the current Internet environment lacks a widely adopted mechanism for certifying the publishing source and safety of executable programs, so that in most cases the protection tool pops up a window asking the user whether to allow a program that is behaving like a lurking program to continue (see Figure 1), or the user must decide in advance whether the browser should accept the ActiveX controls downloaded by a website (see Figure 2). But the vast majority of users lack the security expertise to make that judgment; even a security expert, lacking corroborating information about the program, cannot decide on the spot whether the program is safe and whether it should be allowed to continue.
3. Lurking program detection is easily disturbed and evaded: a lurking program can be designed and installed as an extension unit of the system or of commonly used software, so that it disguises its behavior under the name of the host program and interferes with detection. Furthermore, lurking program design techniques are diverse and evolve rapidly, so existing detection methods are easily evaded by newly emerging behavioral features.
4. A program's hidden intent is not suited to judgment by a program: judging the intent behind a behavior involves human cognition, which a software tool cannot replace, so tools are unsuited to judging a program's hidden intent. Most current detection tools, on detecting such behavior, pop up a window asking the user to judge, as in Figure 1; this corroborates the observation.
5. Lurking program detection is constrained by computing resources and real-time requirements: many lurking programs do not exhibit all of their illegal or typical behavior as soon as they start or the network connects, which follows from their innate dormant and hidden nature. Detection, however, usually runs online in real time, and to avoid burdening the system too much it usually cannot analyze much data or record much program behavior. This limits its ability to correlate events over time, and together with the non-immediate, non-overt behavior of lurking programs it lowers the detection rate and accuracy.

From this analysis, the low detection rate and accuracy of behavior-based detection stem mainly from the inherent problems of the method and from the characteristics of lurking programs. In practice the two detection methods are used together so as to complement each other. The security market does not lack protective software for detecting lurking programs, yet lurking program cases keep occurring, which shows that signature detection and behavior detection together are still insufficient to detect most lurking programs. How to improve the situation and contain the damage by investigating lurking program cases is therefore an important issue.

3. The investigation of a lurking program case usually has three possible entry points: (1) a case discovered or suspected through a security audit, (2) a case discovered through some other incident, (3) a suspected case reported directly by a lurking program detection tool. These differences arise because the hidden behavior of a lurking program naturally makes it hard for the victim to notice at once that it exists and that a compromise has occurred. In practice it often happens that only after a company's information or secrets have been leaked or exposed does suspicion arise, and only after a laborious trace back to the company's web server is it discovered that a lurking program had been implanted months earlier. Whatever the entry point, the purpose of investigating a lurking program case is to understand the scope and severity of the damage in order to contain it. To that end, the investigation must establish the following important high-level key information:
1. when the lurking program was implanted, denoted When-Info;
2. which program files the lurking program consists of and where they are installed and hidden, denoted Target-Info;
3. how the lurking program was implanted into the system, denoted How-Info;
4. what functions the lurking program has and what illegal acts it has performed, denoted Action-Info.

Summarizing the main features, advantages and disadvantages of the three handling modes analyzed above:
1. Identifying and intercepting lurking programs by program signature
A. Main feature: the lurking program can be intercepted before it executes or is stored on the computer system, preventing a case from arising.
B. Advantages and disadvantages: detection accuracy is very high, but it is effective only against known, unpacked lurking programs.
2. Detecting the anomalous behavior or behavioral features of lurking programs and intercepting them
A. Main feature: the lurking program can be detected and intercepted while it is executing, stopping the case from continuing.
B. Advantages and disadvantages: it detects program behavior and is not limited by the shortcomings of signatures, but both detection rate and accuracy are low.
3. Investigating lurking program cases and containing the damage
A. Main feature: the case can be investigated while it is occurring or afterwards.
B. Advantages and disadvantages: it compensates for the shortcomings of the two detection methods, clarifies the cause of the case and contains the damage.

The purpose of investigating a lurking program case thoroughly is to learn when the implantation took place (When-Info), whether confidential data was stolen (Action-Info), to collect the lurking program's files (Target-Info), and to understand the program's functions and behavior (Action-Info, How-Info), and thereby to learn the scope and severity of the damage. The information gained from the investigation can be used to strengthen the security settings of personal computers and servers, and the program signatures and behavioral features of the lurking program's files can be extracted for use by signature-based and behavior-based detection, continually remedying the shortcomings of both.

The difficulty of investigating a lurking program case lies in obtaining the first three items, When-Info, Target-Info and How-Info; the fourth item, Action-Info, can be learned by observation. In practice, once Target-Info has been obtained, a security expert can run the lurking program in an isolated environment, learn its functions and observe what illegal acts it may perform; other Action-Info can be obtained from other sources of information.

In short, investigating a lurking program case after the fact must rely on effective correlation analysis of the activity logs that were recorded and collected. A computer system contains a great many executable programs (a bare Windows XP system has a large number even before any other application software is installed), and their number keeps growing as new software is installed or the web is browsed, so they cannot be checked one by one. A monitoring tool is therefore needed to record the system's processes and registration actions, correlate them, and extract the high-level key information, When-Info, Target-Info and How-Info, needed to investigate a lurking program case.

The problems and shortcomings of the conventional process and system resource monitoring methods currently used in lurking program case investigation can be summarized as follows:

1. The process and system resource monitoring methods lack utility: conventional techniques monitor, from a low-level (micro-step) and unfocused viewpoint, every low-level action of executable programs and every access to system resources, and generate log data accordingly (see Figures 3 and 4). Such low-level running logs may help with program debugging, but they are of little use in assisting a lurking program case investigation, for the reasons analyzed below. From the viewpoint of technical feasibility, to provide an executable program's When-Info (when it was installed into the system), Target-Info (the program file's name, the path where it was installed, and where it was registered) and How-Info (the program that launched its installer and the program that launches its execution), the technique must have installation awareness; in other words, it must notice at the very moment the program is installed into the system and produce the related installation information. Conventional techniques record, from a low-level and unfocused viewpoint, all low-level program actions and system resource accesses, and must record low-level log data over a long period in order to extract the three items of high-level key information (When-Info, Target-Info, How-Info). Lacking installation awareness, they produce an enormous volume of log data, and even if every low-level log entry related to the three items has been stored, the relevant entries are extremely hard to pick out.

2. Too much useless log data, wasting system resources: modern operating systems provide many system services and shared system resources, and these features cause extremely frequent and numerous program actions and system resource accesses. For example, every window in a Windows system receives the event notifications generated by the system kernel; the file manager (explorer) must continually and intensively receive change events from the file system, peripheral devices and the network and update the active objects; and the system registry is accessed constantly and intensively by system processes. Because conventional techniques record every low-level program action and system resource access, they generate and record extremely frequent and voluminous log data. As shown in Figure 3, monitoring the process state of a Windows XP system with a conventional technique, without an Internet connection, found 28793 low-level program actions within the monitored interval, and the count kept growing. Likewise, as Figure 4 shows, monitoring the registry of a Windows XP system with a conventional technique, again without an Internet connection, found a large number of access actions within the interval, and the count kept growing. Yet this data may not serve to extract the high-level key information needed for a case investigation, while system resources are heavily occupied and wasted.

3. A computer using conventional techniques has a large amount of its system resources taken up: to collect this log data and keep it complete, the conventional process and system resource monitoring methods require every computer to keep the monitoring tools enabled continuously, and a large amount of system resources is consumed as a result.

4. Low auxiliary efficiency for case investigation: even if the conventional process and system resource monitoring methods are pressed into service to assist an investigation, the investigator must still correlate the log data manually or by other means. This is time-consuming and laborious, and may still fail to yield the high-level key information the investigation needs, so the assistance obtained is of low efficiency.

[Summary of the Invention]

The object of the present invention is to provide an auxiliary method for investigating lurking program cases, which continuously monitors the processes executed by a computer system and the system registry, and extracts the high-level key information of a suspected lurking program. In application, only a very small amount of high-level key information and the process start-up relationship log need be collected to provide clear corroborating evidence that assists the investigation of a lurking program case, saving the considerable time and labor cost of collecting and analyzing large volumes of low-level logs.

To achieve this object, the present invention is an auxiliary method for investigating lurking program cases. The method first continuously monitors the processes executed by a computer system, and generates one process start-up relationship record for each process when it is born and another when it ends. At the same time it continuously monitors the computer system's registry, and whenever a program is registered into one of the self-starting program registration areas, generates one self-starting registration record for that registration area. When both a process start-up relationship record and a self-starting registration record have been obtained, the two are correlated to extract the high-level key information of a suspected lurking program, which is recorded in a high-level key information database of suspected lurking programs, and a process start-up relationship log is generated and recorded in a process start-up relationship log database.

[Embodiments]

So that the examiners may gain a fuller understanding of the structural features of the present invention and the effects it achieves, a preferred embodiment is described in detail below.

From a theoretical viewpoint, a lurking program is a foreign program with respect to the victim computer system: before it can harm the system it must first be installed on it, so it must contain a program module, called the lurking program's installer (lurking_installer), responsible for installing the lurking program on the victim computer system. Thereafter the lurking program must be able to start automatically through a mechanism that already exists in the victim system, and then wait for the opportunity to act illegally. The installed program module can usually be further divided by role into the lurking program's loader (lurking_loader) and the lurking program's body (lurking_body). The loader handles the automatic start-up stage, whose work consists mainly of setting up the required environment, after which it starts the body, and the body carries out the illegal acts. In practice these three program modules can follow three possible program models. Referring to Figure 5: (1) the three modules are designed and integrated into a single executable (E51); (2) the installer is designed as one executable (E52) and the loader and body are designed and integrated into another executable (E53); (3) each of the three modules is designed as its own executable (E54, E55, E56). These program models agree with the observations obtained by collecting and analyzing many lurking programs in this research.

Given the program models of Figure 5, refer next to the data flow diagram of the lurking program's installation stage in Figure 6. When a lurking program is installed, another program must launch the lurking program's installer; that program is called the front invoker (front_invoker) (E61). After the front invoker (E61) launches the lurking program's installer (E62), the installer (E62) must do at least two things, or it cannot complete the installation: one is to register the lurking program's loader in the system registry (G61), the other is to install the loader and the body into the file system (G62); the order of these two actions does not affect the result. Finally, the installer (E62) may launch the lurking program's loader (lurking_loader) (E63) so that the lurking program begins executing and deletes the installer (E62), to keep the user from finding the program file. This last step is not necessarily done in the installation stage; it may be done in the lurking stage (Figure 7), depending on the lurking program's design. If the last step is moved to the lurking stage the conditions are the same, so it is not repeated in Figure 7.

Refer to the lurking stage of the lurking program shown in Figure 7. Once installation is complete, some particular program in the victim computer system will thereafter launch the lurking program automatically; that program is called the hind invoker (hind_invoker) (E71). The way the lurking program registered itself at installation determines who the hind invoker (E71) is: (1) if it registered as a system service, the hind invoker (E71) is the system service manager (services.exe); (2) if it registered to run after logon, the hind invoker (E71) is the file manager (explorer.exe); (3) if it registered as a browser extension module, the hind invoker (E71) is the browser; (4) if it registered as an extension module of the file manager, the hind invoker (E71) is the file manager. Hence, when the hind invoker (E71) runs, it automatically launches the registered lurking program's loader according to the lurking program's registration data in the system registry. Once the loader runs, it launches the registered lurking program's body (lurking_body) according to the registration data in the system registry, and the lurking program then carries out its illegal acts in a dormant manner.

Referring to Figure 8, the auxiliary method for investigating lurking program cases of the present invention comprises three main processing modules: the first processing module (E81) monitors the birth and end of processes; the second processing module (E82) monitors the self-start registration of programs; and the third processing module (E83) performs correlation analysis.

The first processing module (E81) monitors the birth and end of every process in the computer system by intercepting the system call functions for process creation, process termination and process deletion in the user's computer system. Whenever the first processing module (E81) intercepts one of these system calls, it generates one process start-up relationship record (D81) for the process and then releases the system call. Because modern operating systems provide documented methods of intercepting system call functions, this step can be carried out precisely.

The second processing module (E82) monitors all program registration actions in the computer system by intercepting the system call functions that perform registration actions on the system registry. Whenever the second processing module (E82) intercepts one of these system calls, it checks whether the registration action belongs to one of the self-starting program registration areas. It does so by obtaining the registry key path from the parameters of the intercepted system call. If the key path does not pass through any self-starting program registration area, nothing further is recorded, since the action is unimportant to a lurking program case investigation and can be ignored. If the key path does pass through one of the self-starting program registration areas, one self-starting registration record (D82) is generated, whose members are filled in as follows: the process ID and the event time are obtained through other system calls; the registry key data (the full name of the registry key and the registry key value, the latter containing the full file name of the self-starting program) are converted from the parameters of the intercepted system call; and the registration state is set according to the function of the intercepted system call (if the call creates or writes a registry key, the state is marked "register", otherwise "remove registration"). The intercepted system call is then released. The self-starting program registration areas comprise: (1) the system service registration area; (2) the run-after-logon registration area; (3) the browser extension module registration area; (4) the file manager extension module registration area.

The third processing module (E83) receives the process start-up relationship records (D81) produced by module E81 and the self-starting registration records (D82) produced by module E82. After analysis, if the data conditions are satisfied, the data is recorded in the active process start-up relationship log area (D85) used for correlation processing. When a process is about to end (including process termination and process deletion), its data is transcribed from the active log area (D85) into the process start-up relationship log database (D83), the high-level key information of a suspected lurking program is extracted from it, and that information is recorded in the high-level key information database of suspected lurking programs (D84). The third processing module (E83) is described in detail with reference to Figure 9.

Figure 9 is a flow diagram of the correlation analysis of a preferred embodiment of the present invention, explaining the detailed processing steps of the third processing module (E83) of Figure 8. First, the third processing module (E83) waits on a queue to read an input record (S91). If a process start-up relationship record is read, it checks whether the process has ended (S96); if a self-starting registration record is read, it compares the data (S92).

Step S92 checks whether the self-starting registration record that was read matches an active process start-up relationship record stored in the active log area (D85 in Figure 8). The two records match when: (1) the event time of the self-starting registration record lies between the event time of the process's birth and the event time of its end; (2) the process ID of the process start-up relationship record is the same as that of the self-starting registration record; and (3) the registration condition is satisfied, namely the registration state of the self-starting registration record is "register". If no match is found, step S93 is performed; otherwise step S94.

Step S93 supplements the registrant's process start-up relationship record: it generates an active process start-up relationship record for the process and stores it in the active log area (D85 in Figure 8). This is because the process started before the processing module did, so its birth was never observed and recorded; the registrant's process data must therefore be supplemented now, after which step S94 is performed.

Step S94 updates, according to the self-starting registration record read in S91, the active process start-up relationship record found in S92 or generated in step S93; the fields changed are the registry key value and the registration state. After the update the record is stored, and processing returns to step S91 to read the next input record.

Step S96 decides whether the process start-up relationship record marks a process that is ending. If not, it marks a birth: step S97 generates an active process start-up relationship record for the new process, stores it in the active log area (D85 in Figure 8), and returns to step S91. If the result of step S96 is yes, the process is about to end or be deleted, and step S98 is performed.

Step S98 looks up the process's data in the active log area by its process ID. If it is not found, the process started before the processing modules E81, E82 and E83 did, and neither its birth nor any self-starting registration was observed and recorded, so the process is not recorded and processing returns to step S91 to read the next input record. If it is found, the process's birth or a self-starting registration was recorded, and step S99 is performed.

Step S99 checks whether the active process start-up relationship record already has a registry key value and registration state set, that is, whether a self-starting registration has been made. If so, step S910 is performed; if not, step S912.

Step S912 deletes the process's active process start-up relationship record and returns to step S91 to read the next input record.

Step S910 extracts and records the high-level key information: from the process's start-up relationship record it extracts the three items useful to a lurking program case investigation, When-Info, Target-Info and How-Info, records them in the high-level key information database of suspected lurking programs (D84 in Figure 8), and proceeds to step S911. The three items are defined and derived as follows. (1) When-Info contains: a. the time of installation into the system, set to the registration time in the process's start-up relationship record. (2) Target-Info contains: a. the full file name of the suspected lurking program's installer, set to the full file name of the process in its start-up relationship record; b. the full file name of the suspected lurking program's loader, set to the registry key value in the start-up relationship record; c. the registry key, set to the full name of the registry key in the start-up relationship record. (3) How-Info contains: a. the launcher of the suspected lurking program's installer, set to the full file name of the parent process in the start-up relationship record; b. the launcher of the suspected lurking program's loader, set to the full file name of the launcher determined by the self-starting program registration area to which the full name of the registry key belongs, using the same rule by which Figure 7 determines who the hind invoker (E71) is.

Step S911 records the process's active start-up relationship record into the process start-up relationship log database (D83 in Figure 8) and proceeds to step S912. Step S912 deletes the process's active start-up relationship record and returns to step S91 to read the next input record.

Figure 10 shows a processing result from applying a preferred embodiment of the present invention, demonstrating that the invention does remedy the shortcomings of the conventional techniques and can assist the investigation of a lurking program case. In the experiment, the user downloaded from the Internet and ran a serial number generator for a commercial software package (keygen.exe), whereby a lurking program (netshell.exe) was installed into the system service area. Figure 10 shows the data produced by the method of the present invention, as follows: (1) the process start-up relationship log record produced by the process start (D101); (2) the process start-up relationship log record produced by the self-starting registration (D102); (3) the process start-up relationship log record produced by the process end (D103); (4) the high-level key information (D104), comprising When-Info (D104A), ...
If it does not, the registration is unimportant for investigating latent programs; it can be ignored and is not recorded, and the intercepted system call function is simply executed. If the registration key path does belong to one of the self-starting program registration areas, a self-start registration data (O82) is generated. The content of its data members is obtained as follows: the process ID and the event time are obtained by querying other system call functions; the registration key information (the full name of the registration key and the registration key value, which contains the full file name of the self-starting program) is obtained by converting the parameters of the intercepted system call function; and the registration status is derived from the role of the intercepted system call function (if the function creates or writes a key, the status is marked "registered", otherwise it is marked "removed"). The intercepted system call function is then executed. The self-starting program registration areas include: (1) the system service registration area; (2) the run-after-logon registration area; (3) the browser extension module registration area; and (4) the file manager extension module registration area. The third processing module (E83) is responsible for receiving the process start relationship data (O81) generated by the first processing module (E81) and the self-start registration data (O82) generated by the second processing module (E82), analysing and associating them, and recording the result in the active process start relationship log area (O85). When a process is about to end (including process termination and process deletion), the information of that process is taken from the active process start relationship log area (O85), transcribed into the process start relationship log database (O83), and the high-level key information of the suspected latent program is extracted from it and recorded in the high-level key information database of suspected latent programs (O84). The detailed description of the third processing module (E83) follows with Figure 9.

Figure 9 is a schematic diagram of the association analysis flow according to a preferred embodiment of the present invention and shows the detailed processing steps of the third processing module (E83) of Figure 8. First, the third processing module (E83) waits on a queue to read input data (S91). If process start relationship data is read, it judges whether the process has ended (S96); if self-start registration data is read, it compares the data (S92). Step S92 compares whether the self-start registration data just read matches a process start relationship data recorded in the active process start relationship log area (O85 of Figure 8), where the two match when: (1) time condition: the event time of the self-start registration data lies between the event time of the process's birth and the event time of the process's end; (2) same-process condition: the process IDs of the process start relationship data and of the self-start registration data are the same; and (3) registration condition: the registration status of the self-start registration data is "registered". If no matching record is found, step S93 is performed; if one is found, step S94 is performed. Step S93 supplements the missing record of the registering process: it generates a process start relationship data for that process in the active process start relationship log area (O85 of Figure 8), because the process was executed earlier than the processing modules and its birth was therefore never processed; step S94 follows.
Step S94 changes the registration key value and the registration status of the active process start relationship data (the record found in step S92 or generated in step S93) according to the self-start registration data read in step S91; after the change it returns to step S91. If step S96 finds that the process has not ended, step S97 records the birth status of the process in the active process start relationship log area, and then returns to step S91. If step S96 finds that the process has ended or been deleted, step S98 searches the active process start relationship log area by process ID. If no record is found, the process was executed earlier than the processing modules E81, E82 and E83, and neither its birth status nor any self-start registration data was monitored, so the process is not recorded; return to step S91 and read the next input data. If step S98 finds the record, the process has been monitored, and step S99 checks whether its registration key value and registration status have been set (i.e. whether self-start registration data was associated with it). If yes, proceed to step S910; if not, proceed to step S912, which deletes the active record, and then return to step S91 to read the next input data. Step S910 extracts and records the high-level key information: the key information is extracted from the active process start relationship data and recorded in the high-level key information database of suspected latent programs (O84 of Figure 8), after which step S911 is performed. The three items of high-level key information are as follows.
(1) When-Info, containing the following data item: a. time installed into the system: set to the registration time of the process start relationship log data. (2) Target-Info, containing the following data items: a. full file name of the suspected latent program's installer: set to the full file name of the process in the process start relationship log data; b. full file name of the suspected latent program's loader: set to the registration key value of the process start relationship log data; c. registration address: set to the full name of the registration key of the process start relationship log data. (3) How-Info, containing the following data items: a. starter of the suspected latent program's installer: set to the full file name of the parent process in the process start relationship log data; b. starter of the suspected latent program's loader: set according to the self-starting program registration area to which the full name of the registration key belongs, following Figure 7, which determines who the second-line starter (E71) is. Step S911 records the active process start relationship data of the process into the process start relationship log database (O83 of Figure 8) and then performs step S912. Step S912 deletes the active process start relationship data of the process. Then it returns to step S91 and reads the next input data. Referring to Figure 10, the processing result of a preferred embodiment of the present invention illustrates that the present invention can indeed overcome the shortcomings of the prior art and assist the investigation of latent program cases. In the experiment, the user downloaded and ran a serial number generator for a commercial software (keygen.exe), which installed a latent program (netshell.exe) in the system service area.
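To make the association flow of the third processing module (steps S91 to S912) concrete, the following is an added example of my own and not code from the patent: a small correlator that consumes constructed process birth/end records and self-start registration records, applies the time, same-process and registration conditions, keeps an active area, writes one log entry per cause as Figure 10 does, and reduces a matched process to its When-Info, Target-Info and How-Info. The registry key prefixes used to classify the self-start registration areas, the starter file paths and the sample event stream are my assumptions (the page names the areas and the Figure 7 starters but gives no key paths); the kernel-level interception performed by E81 and E82 is not modelled, the events stand in for their output.

```python
"""Correlator modelled on the third processing module (E83): process birth/end
records (O81) and self-start registration records (O82) are matched, held in an
active area (O85), logged (O83) and reduced to When/Target/How-Info (O84).
Constructed example; key prefixes, file paths and events are my own."""
from dataclasses import dataclass
from typing import Optional

# Self-start registration areas from the text and the second-line starter (E71)
# Figure 7 assigns to each. Registry prefixes are well-known Windows autostart
# locations I chose for illustration; the page names the areas, not key paths.
AUTOSTART_AREAS = [
    ("system_service", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\",
     "c:\\windows\\system32\\services.exe"),
    ("run_after_logon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
     "c:\\windows\\explorer.exe"),
    ("file_manager_extension", "HKEY_CLASSES_ROOT\\*\\shellex\\", "c:\\windows\\explorer.exe"),
]

def classify_key(key_path: str) -> Optional[tuple]:
    """E82's check: (area, second-line starter) if key lies in a self-start area, else None."""
    for area, prefix, starter in AUTOSTART_AREAS:
        if key_path.upper().startswith(prefix.upper()):
            return area, starter
    return None

@dataclass
class Active:  # one record of the active process start relationship area (O85)
    pid: int
    image: str
    parent_image: str
    born: float
    reg_time: Optional[float] = None
    reg_key: Optional[str] = None
    reg_value: Optional[str] = None
    reg_status: Optional[str] = None

class Correlator:
    def __init__(self) -> None:
        self.active = {}    # O85, keyed by process ID
        self.log = []       # O83: (cause, pid, time), one entry per cause as in Figure 10
        self.key_info = []  # O84

    def feed(self, ev: dict) -> None:  # S91: one queued input record
        if ev["kind"] == "process" and ev["status"] == "born":  # S96 no -> S97
            self.active[ev["pid"]] = Active(ev["pid"], ev["image"], ev["pimage"], ev["time"])
            self.log.append(("process_start", ev["pid"], ev["time"]))
        elif ev["kind"] == "process":
            self._on_end(ev)
        else:
            self._on_registry(ev)

    def _on_registry(self, ev: dict) -> None:
        if classify_key(ev["key"]) is None:
            return  # outside every self-start area: E82 ignores it
        rec = self.active.get(ev["pid"])  # S92 same-process condition
        if rec is None:  # S93: registrant born before monitoring; supplement its record
            rec = self.active[ev["pid"]] = Active(ev["pid"], ev["image"], "<unmonitored>", ev["time"])
        if ev["time"] < rec.born:  # S92 time condition (end is still open while active)
            return
        rec.reg_time, rec.reg_key = ev["time"], ev["key"]  # S94
        rec.reg_value, rec.reg_status = ev["value"], ev["status"]
        self.log.append(("self_start_registration", ev["pid"], ev["time"]))

    def _on_end(self, ev: dict) -> None:
        rec = self.active.pop(ev["pid"], None)  # S98 lookup; pop doubles as S912
        if rec is None:
            return  # birth never monitored: nothing to record
        self.log.append(("process_end", ev["pid"], ev["time"]))  # S911
        if rec.reg_status == "registered":  # S99 registration condition -> S910
            self.key_info.append(self.extract(rec))

    @staticmethod
    def extract(rec: Active) -> dict:  # S910: the three high-level key information items
        _area, loader_starter = classify_key(rec.reg_key)
        return {"When-Info": {"installed_at": rec.reg_time},
                "Target-Info": {"installer": rec.image, "loader": rec.reg_value, "registry_address": rec.reg_key},
                "How-Info": {"installer_starter": rec.parent_image, "loader_starter": loader_starter}}

# Constructed event stream shaped after the Figure 10 case (not the page's own log).
EXPLORER, KEYGEN = "c:\\windows\\explorer.exe", "c:\\user\\temp\\keygen.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "status": "born", "time": 1.0, "pid": 100, "image": EXPLORER,
     "pimage": "c:\\windows\\system32\\userinit.exe"},
    {"kind": "process", "status": "born", "time": 2.0, "pid": 200, "image": KEYGEN, "pimage": EXPLORER},
    {"kind": "registry", "time": 2.5, "pid": 200, "image": KEYGEN, "status": "registered",
     "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netshell\\ImagePath",
     "value": "%SystemRoot%\\system32\\netshell.exe"},
    {"kind": "process", "status": "born", "time": 2.7, "pid": 300, "image": "c:\\windows\\notepad.exe",
     "pimage": EXPLORER},
    {"kind": "process", "status": "ended", "time": 3.0, "pid": 200},
    {"kind": "process", "status": "ended", "time": 4.0, "pid": 300},  # no registration: S99 no -> S912
    {"kind": "process", "status": "ended", "time": 5.0, "pid": 999},  # birth never seen: S98 not found
]

def run(events=SAMPLE_EVENTS) -> Correlator:
    c = Correlator()
    for ev in events:
        c.feed(ev)
    return c
```

Feeding the sample stream yields exactly one high-level key information record, for keygen.exe registering netshell.exe as a service with explorer.exe as the installer's starter and services.exe as the loader's starter, while the benign notepad process produces only its two log entries and the process whose birth was never seen produces nothing at all.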
As shown in Figure 10, the various results produced by applying the method of the present invention are explained as follows: (1) process start relationship log data generated by process start (0101); (2) process start relationship log data generated by self-start registration (0102); (3) process start relationship log data generated by process end (0103); and (4) high-level key information (0104), which contains When-Info (0104A), Target-Info (0104B) and How-Info (0104C). Because the method of the present invention monitors the system from the viewpoint of latent program installation, the log data it produces (0101, 0102, 0103) and the high-level key information (0104) are both very precise and high-level.

In addition, the amount of log data (0101, 0102, 0103) and high-level key information (0104) produced by applying the method of the present invention is very small, so the drawbacks of the conventional technology are avoided while only a small amount of system resources is used. The analysis is as follows: (1) each process, from birth to end, produces at most 2 process start relationship log entries (0101, 0103); (2) each registration of a process into a self-start registration area produces at most 1 process start relationship log entry (0102) and 1 high-level key information record (0104). Normally every system service process is started at boot and ends before shutdown, so at most two process start relationship log entries are recorded for each system service process. Processes started after logon and processes started by the user are generally few in number; for example, when the user browses the web only one browser process is usually started, and even if he opens many browser windows the system still starts just that one browser process. In short, the number of processes a computer system starts from boot to shutdown is quite limited, so the number of log entries produced by applying the method of the present invention lies between 50 and [upper figure illegible in the source]. Registrations into a self-start registration area on a computer system occur even less often.

Taking this case as an example, 10 system services were started, 3 applications were started after logon, 3 applications were started by the user, and one latent program was installed and registered, so applying the method of the present invention produced in total (1) 26 process start relationship log entries generated by process start or process end, and (2) 1 process start relationship log entry generated by self-start registration together with 1 high-level key information record.

By contrast, monitoring the process state of a Windows system (Figure 3) and the system registry database (Figure 4) with the conventional technology produced a total of 175,431 log records within a period of 60 seconds (175431 = 28793 × 6 + 2673), and it keeps producing low-level logs continuously and in large quantity.

Finally, analysing the process start relationship logs and the high-level key information produced by applying the method of the present invention to this case yields Figures 11, 12 and 13. Figure 11 shows the system service process start relationship diagram obtained from the process start relationship log data of the system services after the Windows system has finished booting. From Figure 11 it is clear (1) which system services are started and executed when the Windows system boots, and (2) that all system services are started by the system service management process services.exe (P111).

Figure 12 shows the application process start relationship diagram obtained from the process start relationship log data of the processes started after logon and of the processes started by the user. From Figure 12 it is clear (1) which applications are started and executed when the Windows system boots, (2) that all of these applications are started by the file manager processes explorer.exe (P121) and explorer.exe (P122), and (3) that the serial number generator keygen.exe (P123) installed a latent program netshell.exe in the system service area (P131 of Figure 13).

Figure 13 shows the system service process start relationship diagram obtained from the process start relationship log data of the system services after the Windows system boots following the user's use of the serial number generator keygen.exe (P123 of Figure 12). Comparing Figure 11 with Figure 13 makes it clear that a suspected latent program netshell.exe has been installed on the Windows system in the system service area (P131 of Figure 13). Consulting the high-level key information (0104 of Figure 10) then shows definitely: (1) When-Info (0104A of Figure 10): a. time installed into the system: 10/19/2007 15:34:35.079; (2) Target-Info (0104B of Figure 10): a. full file name of the suspected latent program's installer: c:\user\temp\keygen.exe; b. full file name of the suspected latent program's loader: %SystemRoot%\system32\netshell.exe; c. registration address: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netshell\ImagePath; (3) How-Info (0104C of Figure 10): a. starter of the suspected latent program's installer: c:\Windows\explorer.exe; b. starter of the suspected latent program's loader: c:\Windows\system32\services.exe.

In summary, the process start relationship log data, the high-level key information and the process start relationship diagrams obtained by applying a preferred embodiment of the method of the present invention help the latent program case investigator, with the least time and labour cost, to narrow the suspicious points down to the programs that have been installed in a self-start registration area. Moreover, the high-level key information obtained by applying the method provides strong and clear supporting evidence that helps the investigator follow the trail to the most suspicious latent program, analyse and observe its behaviour further, and confirm the originator of the case.

From the above it can be seen that the present invention provides an auxiliary method for investigating latent program cases that is of great help to such investigations: it saves a great deal of manual data collection and post-incident analysis work and, because it monitors from the viewpoint of latent program installation, it produces only the When-Info, Target-Info, How-Info and similar high-level key information that is useful to the case investigation, while avoiding the drawbacks of the conventional technology. As described above, the present invention is novel, inventive and industrially applicable, and undoubtedly satisfies the requirements for a patent under the Patent Act of our country; an application for an invention patent is therefore filed according to law, with the request that the Bureau grant the patent at an early date.

The above, however, is merely a preferred embodiment of the present invention and is not intended to limit the scope of its implementation; all equivalent changes and modifications of shape, structure, features and spirit made in accordance with the claims of the present invention shall be covered by the claims of the present invention.

[Brief description of the drawings]
Figure 1: the conventional technology requires an analyst to examine a program's security;
Figure 2: in the conventional technology the security rests on the user deciding whether an ActiveX network program may be downloaded and used;
Figure 3: process monitoring in the conventional technology produces an extremely large amount of low-level data;
Figure 4: registry database monitoring in the conventional technology produces an extremely large amount of low-level data;
Figure 5: the program model of latent programs summarised by the present invention;
Figure 6: schematic data flow of the installation process of a typical latent program;
Figure 7: schematic data flow of the startup process of a typical latent program;
Figure 8: schematic data flow of a preferred embodiment of the present invention;
Figure 9: schematic flow of the association analysis of a preferred embodiment of the present invention;
Figure 10: process start relationship log data and high-level key data resulting from a preferred embodiment of the present invention;
Figure 11: system service process start relationship diagram resulting from a preferred embodiment of the present invention;
Figure 12: application process start relationship diagram for a user, in a preferred embodiment of the present invention, who has been implanted with a latent program; and
Figure 13: system service process start relationship diagram for a user, in a preferred embodiment of the present invention, who has been implanted with a latent program.

[Description of main element symbols]
E51 one possible program model of a latent program
E52 a possible executable program module of a latent program
E53 a possible executable program module of a latent program
E54 a possible executable program module of a latent program
E55 a possible executable program module of a latent program
E56 a possible executable program module of a latent program
E61 first-line starter
E62 latent program's installer
E63 latent program's loader
O61 system registry database
O62 file system
E71 second-line starter
E72 latent program's loader
E73 latent program's main body
O71 system registry database
E81 first processing module
E82 second processing module
E83 third processing module
O81 process start relationship data
O82 self-start registration data
O83 process start relationship log database
O84 high-level key information database of suspected latent programs
O85 active process start relationship log area
0101 process start relationship log data generated by process start
0102 process start relationship log data generated by self-start registration
0103 process start relationship log data generated by process end
0104 high-level key information
0104A time of installation (When-Info)
0104B implanted target information (Target-Info)
0104C starter information (How-Info)
P111 system service management program (services.exe)
P121 file manager (explorer.exe)
P122 file manager (explorer.exe)
P123 serial number generator (keygen.exe)
P131 latent program (netshell.exe)

Claims (1)

200919251 十、申請專利範圍: 1. 一種調查潛伏程式案件之輔助方法,係包含: 持續監控-》系統所執行之複數行程,3針對每撇監控的行程,在 該行程出生時與結束時各產生__行程的行程啟動關係資料; 持續監控該電腦线之-系統註冊f料庫,當有—健式被註冊加入 其中-個自啟動的程式註冊區時,針對該程式註冊區產生—筆自 註冊資料; 關聯該行程啟動關係資料與該自啟動註冊資料; 根據隱的絲’萃取疑姆伏程式之高階關織訊,並記錄於 一疑似潛伏程式之高階關鍵資訊資料庫;及 、、 根據關聯的結果,產生-行程啟_係日諸,並記錄於 係曰總資料庫。 2·如申請專利範圍第1項所述之調查潛伏程式案件之輔助方法, 程啟動關係資料係包含: ” τ —事件時間; —行程資訊,包含一行程ID及一行程的完整檔案名稱; 父行程資sfl ’包含-父行程ID及-父行程的完整檔案名稱, 一行程的啟動狀態,標示行程出生或行程結束。 及 3.如申請專利範圍第1項所述之調查潛伏程式案件之輔助方法,兑 動的程式註冊區係包含: ’其中自啟 —登錄後執行註冊區,係使用者登入後才會自動執行 區; 简崎式的註冊 —系統服務註冊區; —瀏覽器的擴充模組註冊區; —檔案總管的擴充模組註冊區;及 —典型檔案類型的開啟處理註冊區。 4·如申請專利範圍第1項所述之調查潛伏程式案件之補助 决,其中該自 23 200919251 啟動註冊資料係包含: 一事件時間; 一行程資訊,包含一行程ID ; 一註冊鍵(registry key)資訊,包含一註冊鍵的完整名稱、一 註冊鍵值,其中該註冊鍵值包含該自啟動程式的完整檔案名稱;及 一註冊狀態,標示註冊或移除註冊。 5. 如申請專利範圍第i項所述之調查潛伏程式案件之辅助方法,其令關聯 該行程啟動關係資料與該自啟動註冊資料的條件係包含: 一時間條件,係該自啟動註冊資料的事件時間需在該行程的生 命週期内’即:該行程出生的事件時間與該行程結束的事件時間之間; 一同行程條件’係該行程啟動關係資料與該自啟動註冊資料的行程IDB相 一註冊條件,係該自啟動註冊資料的註冊狀態需為「註冊」。 6. 如申請專利範圍第1項所述之調查潛伏程式案件之輔助方法,其令 程啟動關係曰認係包含: 一時間資訊’包含-行程出生的時間、—行程結束的時間及 冊的時間; 一行程資訊,包含一行程1£)及一行程的完整檔案名 二父雜資訊,包含-父行程ID及—父行程的完整觀名稱; -二程的註冊鍵資訊’包含一註冊鍵的完整名稱及一註冊鍵值,·及 一行程的註冊狀態,標示註冊或移除註冊。 7.如申請專機_ 1項所述之触潛錄式案件 階關鍵資訊係包含·· 阿 一被安裝的時間資訊(When_Inf〇)係包含: -被安裝到系統t的時間,係設定為該行程啟動關係日⑽ 註冊的時間; 一植入標的的資訊(Target-Info)係包含: 24 200919251 -疑似潛伏程式的植人㈣完錢案名稱,設定為該行程啟動關係 曰誌的該行程的完整檔案名稱; 設定為該行程啟動關係 一疑似潛伏程式的載入器的完整檔案名稱 日誌的註冊鍵值; 一§主冊位址,设定為該行程啟動關係日誌的該註冊鍵的完整名稱; 一啟動者的資訊(How-Info)係包含: -疑似潛伏程式的植人器的啟動者,設定為該行程啟動關係日諸的 父行程的完整檔案名稱;及 -疑似潛伏程式的載人器的啟動者,根據該行程啟動關係日·註 冊鍵的完整名稱所屬的自啟動的程式註冊區而設定啟動者的完整 檔案名稱。 ^ 8·如申請專利範圍第7項所述之調查潛伏程式案件之輔助方法,其中該啟 動者的資訊(―)的該疑似潛伏程式的載器的啟動者的設定了係 根據該練啟_係日tfe的註職的完整名顯所屬的自啟動的程式 註冊區的關係而定,包含下述條件: 若該行程啟動關係曰誌、的註冊鍵的完整名稱是屬於來自登錄後執行註 冊區’則设定S亥疑似潛伏程式的載入器的啟動者為樓案總管 (explorer, exe); 若該行程啟動關係曰諸的註冊鍵的完整名稱是屬於來自系統服務註冊 區,則設定該疑似潛伏程式的載入器的啟動者為系統服務管理行程 (services, exe); 若該行程啟動_日註冊鍵的完整名稱是屬於來自_哭的擴充 模組註舰,職定該疑似潛伏程式賴μ的啟動者為·覽;| 完整檔案名稱; ° 若該行微_係日⑽註冊_完整名稱是屬於來自槽^管 雄組註冊區,麟定駿似潛絲式峨入器的啟動者為該: 管的完整檔案名稱;及 系〜 25 200919251 若該行程啟動_日誌的註冊_完整名稱是屬於來自典型 的開啟處理註顯,則設定該疑姆伏程式喊人器的啟 案總管的完整檔案名稱。 香為遠杈 9·如申請專觸®们麟狀調查潛伏料雜之_方法, &控-電《、統所執行之複數行程之步驟係包含: 、中持績 攔截作業系統的行程建立、行程結束、行程刪 =到任,M財= 得= 
10如^^:程啟動關係資料,之後再執行該被攔截的系統呼叫函Ϊ «月專利耗圍第1項所述之調查潛伏程式案件之 監控該電腦系統之一系統註冊資料庫之步驟係包含:法、、中持續 攔截作業系統的系統註冊資料庫的新 屬_任-該些自啟動的程式註冊區;1整名%疋否是 右不是,則執行該被攔截的系統呼叫函式;及 註冊賴,《料賴㈣容㈣利用其它 統呼叫函式二獲得註冊鍵f訊’以及由該被搁截的系 函式。丨的作用對應成註冊狀態,之後再執行該被搁截的系統呼叫 26200919251 X. Patent application scope: 1. A supplementary method for investigating latent program cases, including: continuous monitoring - "multiple itinerary executed by the system, 3 for each monitored trip, at the time of birth and at the end of the trip __ Itinerary start relationship information; Continuous monitoring of the computer line - system registration f library, when there is - health registration is added to one of the self-started program registration area, for the program registration area generated - pen from Registration information; associated with the trip initiation relationship information and the self-starting registration data; according to the hidden silk 'extraction of the high-level customs information, and recorded in a high-level key information database of suspected latent programs; and, according to The results of the association, the generation - the itinerary, are recorded in the total database of the department. 2. If the auxiliary method for investigating latent program cases mentioned in item 1 of the patent application scope, the program-initiated relationship data system includes: τ — event time; — itinerary information, including a trip ID and the full file name of a trip; The itinerary sfl 'includes the parent's itinerary ID and the full file name of the parent's itinerary, the start state of the trip, the birth of the trip or the end of the trip. 3. 
3. The auxiliary method for investigating a lurking program case as described in claim 1, wherein the self-starting program registration areas include: a run-after-login registration area, whose entries are executed automatically after a user logs in; a system service registration area; a browser extension module registration area; a file manager extension module registration area; and an open-handler registration area for typical file types.

4. The auxiliary method for investigating a lurking program case as described in claim 1, wherein the self-starting registration data includes: an event time; process information, including a process ID; registry key information, including the full name of a registry key and a registry key value, wherein the registry key value contains the full file name of the self-starting program; and a registration status, indicating registration or removal of the registration.

5. The auxiliary method for investigating a lurking program case as described in claim 1, wherein the conditions for correlating the process start relationship data with the self-starting registration data include: a time condition, that the event time of the self-starting registration data falls within the life cycle of the process, that is, between the event time of the process's creation and the event time of its termination; a same-process condition, that the process ID in the process start relationship data is the same as the process ID in the self-starting registration data; and a registration condition, that the registration status of the self-starting registration data is "registration".

6. The auxiliary method for investigating a lurking program case as described in claim 1, wherein the process start correlation log includes: time information, including the creation time of the process, the termination time of the process and the registration time; process information, including a process ID and the full file name of the process; parent process information, including the parent process ID and the full file name of the parent process; registry key information, including the full name of a registry key and a registry key value; and a registration status, marking registration or removal of the registration.

7. The auxiliary method for investigating a lurking program case as described in claim 1, wherein the key information of the suspected lurking program case includes: implantation time information (When_Info), containing the time at which the suspected lurking program was installed into the system, set to the registration time in the process start correlation log; implantation target information (Target_Info), containing the full file name of the implanter of the suspected lurking program, set to the full file name of the process in the process start correlation log, the full file name of the loader of the suspected lurking program, set to the registry key value in the process start correlation log, and a registry address, set to the full name of the registry key in the process start correlation log; and initiator information (How_Info), containing the initiator of the implanter of the suspected lurking program, set to the full file name of the parent process in the process start correlation log, and the initiator of the loader of the suspected lurking program, set according to the self-starting program registration area to which the full name of the registry key in the process start correlation log belongs.

8. The auxiliary method for investigating a lurking program case as described in claim 7, wherein setting the initiator of the loader of the suspected lurking program according to the self-starting program registration area to which the full name of the registry key in the process start correlation log belongs comprises the following conditions: if the full name of the registry key belongs to the run-after-login registration area, the initiator of the loader of the suspected lurking program is set to the file manager (explorer.exe); if the full name of the registry key belongs to the system service registration area, the initiator of the loader of the suspected lurking program is set to the system service management process (services.exe); if the full name of the registry key belongs to the browser extension module registration area, the initiator of the loader of the suspected lurking program is set to the full file name of the browser; if the full name of the registry key belongs to the file manager extension module registration area, the initiator of the loader of the suspected lurking program is set to the full file name of the file manager; and if the full name of the registry key belongs to the open-handler registration area for typical file types, the initiator of the loader of the suspected lurking program is set to the full file name of the suspected lurking program.

9. The auxiliary method for investigating a lurking program case as described in claim 1, wherein the continuous monitoring of the plurality of processes executed by the computer system comprises: continuously intercepting the system call functions of the operating system for process creation and process termination; on each interception, obtaining the process start relationship data; and then executing the intercepted system call function.

10. The auxiliary method for investigating a lurking program case as described in claim 1, wherein the continuous monitoring of the system registry database of the computer system comprises: continuously intercepting the system call functions of the operating system for adding and deleting entries of the system registry database; determining whether the full name of the registry key concerned belongs to any self-starting program registration area; if it does not, executing the intercepted system call function; and if it does, obtaining the registry key information by means of another system call function, setting the registration status according to the role of the intercepted system call function, and then executing the intercepted system call function.
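The correlation and extraction steps of claims 5 to 8, as an added worked example written for this page (it is not code from the patent or its assignee). It assumes the process and registry events have already been captured in the shape of claims 4 and 6 (the patent itself obtains them by intercepting system calls, claims 9 and 10), assumes typical Windows registry paths for each autostart area of claim 3, and runs over constructed sample events rather than real telemetry. It also handles one edge case the claims only imply through the time condition: PID reuse, which is why every lifetime recorded for a PID is kept and checked rather than only the latest one.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcEvent:            # process start-relationship record (creation or termination)
    time: int
    kind: str               # "create" or "exit"
    pid: int
    path: str = ""          # full file name of the process image (create events only)
    ppid: int = 0           # parent process ID (create events only)
    ppath: str = ""         # full file name of the parent process (create events only)

@dataclass
class RegEvent:             # self-starting registration record (claim 4)
    time: int
    pid: int
    key: str                # full name of the registry key
    value: str              # key value: full file name of the self-starting program
    status: str             # "registration" or "removal"

@dataclass
class Lifetime:
    pid: int
    path: str
    ppid: int
    ppath: str
    start: int
    end: Optional[int] = None   # None until the process terminates

# Autostart areas of claim 3. The registry paths assigned to each area are this
# example's assumption (typical Windows locations), not the patent's own list.
AREA_PREFIXES = {
    "run_after_login": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    "system_service": (r"HKLM\SYSTEM\CurrentControlSet\Services",),
    "browser_extension": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",),
    "file_manager_extension": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved",),
}

def classify_key(key: str) -> Optional[str]:
    """Return the autostart area a registry key belongs to, or None (the claim 10 filter)."""
    k = key.lower()
    for area, prefixes in AREA_PREFIXES.items():
        if any(k.startswith(p.lower()) for p in prefixes):
            return area
    if k.startswith("hkcr\\") and k.endswith("\\shell\\open\\command"):
        return "file_type_open"          # typical file-type open handler
    return None

def build_lifetimes(events: List[ProcEvent]) -> List[Lifetime]:
    """Pair create/exit events into lifetimes; PIDs are reused, so keep every interval."""
    lifetimes, running = [], {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "create":
            running[ev.pid] = Lifetime(ev.pid, ev.path, ev.ppid, ev.ppath, ev.time)
            lifetimes.append(running[ev.pid])
        elif ev.kind == "exit" and ev.pid in running:
            running.pop(ev.pid).end = ev.time
    return lifetimes

def correlate(lifetimes: List[Lifetime], regs: List[RegEvent]) -> List[dict]:
    """Apply the three conditions of claim 5 and emit claim 6 correlation records."""
    log = []
    for r in regs:
        if r.status != "registration" or classify_key(r.key) is None:
            continue                                    # registration condition
        for lt in lifetimes:
            same_process = lt.pid == r.pid              # same-process condition
            in_lifetime = lt.start <= r.time and (lt.end is None or r.time <= lt.end)  # time condition
            if same_process and in_lifetime:
                log.append({"create_time": lt.start, "exit_time": lt.end, "reg_time": r.time,
                            "pid": lt.pid, "path": lt.path, "ppid": lt.ppid, "ppath": lt.ppath,
                            "key": r.key, "value": r.value, "status": r.status})
                break
    return log

def extract_key_info(rec: dict, browser: str, file_manager: str) -> dict:
    """Derive When_Info / Target_Info / How_Info (claims 7 and 8) from one record."""
    loader_initiator = {"run_after_login": "explorer.exe", "system_service": "services.exe",
                        "browser_extension": browser, "file_manager_extension": file_manager,
                        "file_type_open": rec["value"]}[classify_key(rec["key"])]
    return {"When_Info": {"installed_time": rec["reg_time"]},
            "Target_Info": {"implanter": rec["path"], "loader": rec["value"],
                            "registry_address": rec["key"]},
            "How_Info": {"implanter_initiator": rec["ppath"],
                         "loader_initiator": loader_initiator}}

# Constructed sample telemetry (not real data). PID 4321 is reused after setup.exe exits.
PROC_EVENTS = [
    ProcEvent(100, "create", 4321, r"C:\Users\alice\Downloads\setup.exe", 1200, r"C:\Windows\explorer.exe"),
    ProcEvent(110, "exit", 4321),
    ProcEvent(120, "create", 4321, r"C:\Windows\System32\notepad.exe", 1200, r"C:\Windows\explorer.exe"),
    ProcEvent(150, "exit", 4321),
]
REG_EVENTS = [
    RegEvent(105, 4321, r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\alice\AppData\Roaming\upd.exe", "registration"),
    RegEvent(112, 4321, r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Late",
             r"C:\late.exe", "registration"),              # PID 4321 not alive at t=112: dropped
    RegEvent(125, 4321, r"HKCU\SOFTWARE\Example\Setting", "1", "registration"),  # not an autostart area
    RegEvent(130, 4321, r"HKLM\SYSTEM\CurrentControlSet\Services\OldSvc\ImagePath",
             r"C:\old.exe", "removal"),                    # status is removal: dropped
    RegEvent(140, 4321, r"HKLM\SYSTEM\CurrentControlSet\Services\Evil\ImagePath",
             r"C:\ProgramData\evil.exe", "registration"),  # matches the second (notepad) lifetime
]

def investigate(proc_events=PROC_EVENTS, regs=REG_EVENTS,
                browser=r"C:\Program Files\Internet Explorer\iexplore.exe",
                file_manager=r"C:\Windows\explorer.exe") -> List[dict]:
    """Full pipeline: lifetimes -> correlation log -> key information per suspect."""
    return [extract_key_info(rec, browser, file_manager)
            for rec in correlate(build_lifetimes(proc_events), regs)]

if __name__ == "__main__":
    for info in investigate():
        print(info)
```

Two caveats for anyone adapting this. `classify_key` is a plain prefix match, so a key under `RunOnce` lands in the run-after-login area along with `Run`, which is the intended reading of claim 3 but worth knowing. More importantly, the claims treat the registry value as a bare full file name; real `Run` and `ImagePath` values often carry quotes, environment variables and arguments, so a production collector must normalise the value before it can serve as the loader's file name in Target_Info.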
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW96139540A TW200919251A (en) 2007-10-22 2007-10-22 Auxiliary method for investigating lurking program case

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW96139540A TW200919251A (en) 2007-10-22 2007-10-22 Auxiliary method for investigating lurking program case

Publications (2)

Publication Number Publication Date
TW200919251A true TW200919251A (en) 2009-05-01
TWI350978B TWI350978B (en) 2011-10-21

Family

ID=44727050

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96139540A TW200919251A (en) 2007-10-22 2007-10-22 Auxiliary method for investigating lurking program case

Country Status (1)

Country Link
TW (1) TW200919251A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI505127B (en) * 2013-01-14 2015-10-21 Univ Nat Taiwan Science Tech A code obfuscator classification system and a computer program utilized to classifying the same

Also Published As

Publication number Publication date
TWI350978B (en) 2011-10-21
