WO2014088276A1 - Abnormal path call detecting apparatus and abnormal path call detecting method - Google Patents


Info

Publication number
WO2014088276A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
time point
called
lbr
protected object
Application number
PCT/KR2013/011069
Other languages
French (fr)
Korean (ko)
Inventor
김일용
최유나
Original Assignee
주식회사 안랩

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units, using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs

Definitions

  • Embodiments of the present invention relate to techniques that can effectively increase the reliability of a determination of whether an important function that is not exposed to the outside is called through an abnormal path by a malicious subject.
  • Such malicious behavior is currently detected with a return address checking method, which checks the return address when an important function is called to detect whether the call results from a malicious action, and a thread information checking method, which checks the thread information for the same purpose.
  • The thread information checking method is easily bypassed, because the way to access and modify the thread information structure in the user area is widely known, so a malicious subject can rewrite its own thread information into valid information before calling the important function. If the important function is abnormally called by intercepting the execution flow of a normal thread with a technique such as hooking, the thread information itself is normal and the call cannot be detected.
  • The present invention therefore proposes a method that can effectively increase the reliability of a determination of whether an important function that is not exposed to the outside, that is, a protected object function, is called through an abnormal path by a malicious subject.
  • Embodiments of the present invention use the LBR function to make that determination, and thereby propose a technical measure that effectively increases the reliability of the determination of whether a function call is an abnormal path call.
  • The abnormal path call detection method includes a protected object function call step in which a specific protected object function is called, and a stack information checking step of checking, among the stack information recorded by the Last Branch Record (LBR) function, the stack information related to the specific protected object function that was recorded between a first time point at which the specific protected object function is called and a second time point that precedes the first time point by a specific interval.
  • The abnormal path call detection apparatus for achieving the above object includes a stack information checking unit which, when a specific protected object function designated as a protected object is called, checks, among the stack information recorded by the LBR function, the stack information related to the specific protected object function that was recorded between a first time point at which the specific protected object function is called and a second time point that precedes the first time point by a specific interval;
  • and an abnormality determination unit which determines, based on the stack information recorded between the first time point and the second time point, whether the specific protected object function was called through an abnormal path.
  • Embodiments of the present invention achieve the effect of effectively increasing the reliability of the determination of whether an important function not exposed to the outside is called through an abnormal path by a malicious subject.
  • FIG. 1 is an exemplary diagram showing an abnormal path call detection apparatus according to an embodiment of the present invention and the execution path that follows a call to a protected object function.
  • FIG. 2 is a flowchart showing the operation flow of an abnormal path call detection method according to an embodiment of the present invention.
  • The apparatus 100 for detecting abnormal path calls includes a stack information checking unit 120 and an abnormality determination unit 130, and may further include an LBR function activation control unit 110.
  • The abnormal path call detection apparatus 100 may be included in a computer system equipped with a functional unit (for example, a CPU) that natively supports the LBR function, and may be mounted in that computer system in the form of a module.
  • When the LBR function is activated, every time a branch instruction such as Call, Jump or Return is executed at the machine level, and whenever an interrupt instruction or an exception instruction is executed, it stores a specified number of entries on an LBR stack kept in a designated storage location, for example a model-specific register (MSR).
  • The LBR function activation control unit 110 activates the LBR function before a specific protection target function designated as a protection target is called.
  • The protected object function may be designated in advance as an important function that provides important functionality which should not be exposed to the outside.
  • Because the execution path followed when a specific protected function is called by a normal subject is predictable, the LBR function activation control unit 110 may place a call to the LBR function activation function (e.g., Enable_LBR()) on that execution path, so that Enable_LBR() is called before the specific protected object function is called and the LBR function is thereby enabled.
  • The LBR function activation control unit 110 may also adopt any of various existing methods to activate the LBR function before the specific protection target function is called.
  • In the stack information recorded on the LBR stack by the LBR function, for each function call event of each function executed or called by a branch instruction, interrupt instruction or exception instruction, the address information of the call subject and the called target address information at which the called function is stored are mapped and stored as a pair.
  • When the specific protection target function designated as the protection target is called, the stack information checking unit 120 checks, among the stack information recorded by the LBR function, the stack information related to that function that was recorded between the first time point at which it is called and the second time point that precedes the first time point by a specific interval.
  • That is, the stack information checking unit 120 checks, among the stack information recorded in the LBR stack located inside the MSR by the LBR function, the stack information associated with the specific protected function called this time.
  • The stack information checking unit 120 may check all of the stack information recorded between the first time point at which the specific protection target function is called and the second time point earlier than the first time point.
  • The stack information checking unit 120 may do this by placing, in the execution path of the specific protected object function, a function (e.g., LBR_IsValidCall()) that checks the stack information related to the protected object function called this time among the stack information recorded in the LBR stack; as LBR_IsValidCall() is called, the stack information recorded between the first time point and the second time point is checked.
  • Alternatively, the stack information checking unit 120 may adopt any of various existing methods to check the stack information recorded between the first time point and the second time point related to the specific protected object function called this time.
  • The second time point may be the time point at which the LBR function is activated by the LBR function activation control unit 110, or a time point after the LBR function is activated by the LBR function activation control unit 110 and before the first time point.
  • In the abnormal path call detection apparatus 100 according to an embodiment of the present invention, the execution path followed when the protected object function Function_Idx1() is called by an external subject (a normal subject or an abnormal subject) is as follows.
  • The LBR function is activated by a function call (Enable_LBR()) on the execution path, and the protected object function, that is, Function_Idx1(), is then called by the external subject (normal subject or abnormal subject).
  • The stack information checking unit 120 of the abnormal path call detection apparatus 100 can then check, from the stack information recorded on the LBR stack, the stack information recorded between the first time point and the second time point related to the specific protected object function called this time, through the LBR_IsValidCall() function call made during the execution of Function_Idx1().
  • The stack information checked by the stack information checking unit 120 has a structure in which, for each function call event of each function, the call subject address information and the called destination address information at which the called function is stored are mapped and stored in pairs.
  • For example, stack information 5, in which address information 1 and address information 2 are mapped as a pair, corresponds to the first time point described above, and the stack information checking unit 120 checks the stack information starting from the first time point, that is, from stack information 5, back to the second time point, for example stack information 4, stack information 3 and so on.
  • The abnormality determination unit 130 determines whether the specific protected object function was called through an abnormal path, based on the stack information recorded between the first time point and the second time point that was checked by the stack information checking unit 120.
  • If, as a result of the stack information checking unit 120 checking the stack information recorded between the first time point and the second time point, there is no stack information between the two time points, that is, no information is recorded in the LBR stack, the abnormality determination unit 130 determines that the LBR function was not activated because of a malicious subject, and consequently determines that the specific protected function called this time was called through an abnormal path.
  • This is because the LBR function is activated by the LBR function activation control unit 110, that is, by the LBR function activation function (e.g., Enable_LBR()) on the execution path, so when a malicious subject (e.g., a hacking tool) calls the protected object function directly through hooking such as a Jump, the LBR function may not be activated.
  • When stack information does exist between the two time points, the abnormality determination unit 130 checks the call subject address information for each function call event in that stack information, and if address information other than the designated address information belonging to the normal path is found, it may determine that the specific protection target function called this time was called through an abnormal path.
  • For this purpose, the abnormality determination unit 130 may hold in advance the call subject address information that can be included in the execution path when the protection target function is called by a normal subject, that is, predetermined address information that can be judged to belong to the normal path.
  • The abnormality determination unit 130 thus checks the call subject address information for each function call event in the stack information recorded between the first time point and the second time point, compares the address information of each call subject with the address information belonging to the normal path, and determines that the specific protected object function called this time was called through an abnormal path when address information other than the address information belonging to the normal path is found.
  • In determining whether an important function not exposed to the outside is called through an abnormal path by a malicious subject in an unauthorized memory area, the abnormal path call detection apparatus 100 therefore judges using a stable and hard-to-bypass function provided by the hardware, that is, the Last Branch Record (LBR) function, and can thereby effectively increase the reliability of the determination of whether a function call is an abnormal path call.
  • A method for detecting an abnormal path call according to an embodiment of the present invention will now be described with reference to FIG. 2.
  • For convenience, the configuration shown in FIG. 1 is referred to with the corresponding reference numerals.
  • The abnormal path call detection method activates the LBR function before a specific protection target function previously designated as a protection target is called (S100).
  • The protected object function may be designated in advance as an important function providing important functionality that should not be exposed to the outside.
  • The abnormal path call detection method may activate the LBR function supported by the CPU, as described above, before the predetermined specific protection target function is called.
  • Because the execution path followed when a specific protected function is called by a normal subject is predictable, the abnormal path call detection method may place a call to the LBR function activation function (for example, Enable_LBR()) on that execution path, so that Enable_LBR() is called before the protected function is called and the LBR function is thereby enabled.
  • The abnormal path call detection method may also adopt any of various existing methods to activate the LBR function before the specific protected object function is called.
  • When the specific protected object function is called, the abnormal path call detection method checks, among the stack information recorded by the LBR function, the stack information related to the specific protected object function that was recorded between the first time point at which the protection target function is called and the second time point earlier than the first time point (S120).
  • That is, among the stack information recorded by the LBR function in the LBR stack located inside the MSR, the stack information related to the specific protected function called this time is checked.
  • All of the stack information recorded between the first time point at which the specific protected object function is called and the second time point earlier than the first time point may be checked.
  • To do so, the abnormal path call detection method may place, in the execution path of the specific protected object function, a function (e.g., LBR_IsValidCall()) that checks the stack information related to the specific protected object function called this time among the stack information recorded in the LBR stack.
  • The second time point may be the time point at which the LBR function is activated, or a specific time point after the LBR function is activated and before the first time point.
  • The abnormal path call detection method then determines, based on the stack information recorded between the first time point and the second time point identified in step S120, whether the specific protection target function was called through an abnormal path.
  • If, as a result of checking the stack information recorded between the first time point and the second time point, there is no stack information between the two time points, that is, no information is recorded in the LBR stack (S130 No), the method determines that the LBR function was not activated because of a malicious subject, and determines that the specific protected function called this time was called through an abnormal path (S160).
  • This is because, although the LBR function would have been activated by the LBR function activation function (e.g., Enable_LBR()) on the execution path, the LBR function may not be activated when a malicious subject (e.g., a hacking tool) calls the protected target function through hooking such as a Jump.
  • Accordingly, when no information is recorded on the LBR stack between the first time point and the second time point, the abnormal path call detection method can determine that the LBR function was not activated because of a malicious subject, and as a result that the specific protected function called this time was called through an abnormal path.
  • If stack information does exist between the first time point and the second time point (S130 Yes), the call subject address information of each function call event recorded in that stack information is checked, and if address information other than the designated address information belonging to the normal path is found (S140 Yes), the specific protected object function called this time is determined to have been called through an abnormal path (S160).
  • For this purpose, the abnormal path call detection method may hold in advance the call subject address information that can be included in the execution path when a protected function is called by a normal subject, that is, predetermined address information belonging to the normal path.
  • The call subject address information for each function call event in the stack information recorded between the first time point and the second time point is checked and compared with the address information belonging to the normal path.
  • If address information other than that belonging to the normal path is found, the specific protection target function called this time is determined to have been called through an abnormal path (S160); if no such address information is found, the specific protection target function called this time is determined to have been called through the normal path (S150).
  • The abnormal path call detection method according to an embodiment of the present invention may deactivate the LBR function again after a predetermined time elapses following the call to the protection target function (S170).
  • In determining whether an important function not exposed to the outside is called through an abnormal path by a malicious subject in an unauthorized memory region, the abnormal path call detection method thus judges using the Last Branch Record (LBR) function provided by the hardware.
  • The abnormal path call detection method may be implemented in the form of program instructions that can be executed by various computer means and recorded on a computer-readable medium.
  • The computer-readable medium may include program instructions, data files, data structures and the like, alone or in combination.
  • The program instructions recorded on the medium may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well known and available to those skilled in the computer software arts.
  • Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs and DVDs, and magneto-optical media such as floptical disks.
  • Examples of program instructions include not only machine code generated by a compiler but also high-level language code that can be executed by a computer using an interpreter or the like.
  • The hardware device described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.
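To make the determination logic above concrete, here is an added Python model that is not code from the patent or from its assignee: a simulated LBR stack of (call subject, call target) address pairs, the check that LBR_IsValidCall() would run over the records between the activation point and the protected call, and the three outcomes the method distinguishes (S130 No, S140 Yes, S150). All addresses, the stack depth and every name other than Enable_LBR(), LBR_IsValidCall() and Function_Idx1() are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of one LBR stack record: the call-subject (source) address
# paired with the address at which the called function is stored (destination).
@dataclass(frozen=True)
class LbrEntry:
    from_addr: int
    to_addr: int

# Hypothetical addresses for this example; none of them come from the patent.
ENABLE_LBR = 0x401000      # Enable_LBR(), placed on the normal execution path
CALLER_A = 0x402010        # normal-path code that calls Function_Idx1()
FUNCTION_IDX1 = 0x403000   # the protected object function
HACKTOOL = 0x7F0000        # code in an unauthorised memory region (constructed)

# Call-subject addresses designated in advance as belonging to the normal path
# (the list the abnormality determination unit 130 is described as holding).
NORMAL_PATH_SUBJECTS = {ENABLE_LBR, CALLER_A}


class LbrModel:
    """Software stand-in for the CPU LBR facility: records (from, to) per taken branch."""

    def __init__(self, depth: int = 16) -> None:
        self.depth = depth
        self.enabled = False
        self.stack: List[LbrEntry] = []

    def enable(self) -> None:            # what Enable_LBR() does; the second time point
        self.enabled = True

    def disable(self) -> None:           # S170: deactivate after the protected call
        self.enabled = False

    def branch(self, from_addr: int, to_addr: int) -> None:
        if self.enabled:
            self.stack.append(LbrEntry(from_addr, to_addr))
            del self.stack[:-self.depth]  # the MSR stack keeps only `depth` records


def check_stack_information(lbr: LbrModel, protected: int) -> Optional[List[LbrEntry]]:
    """Unit 120: records from the second time point (activation, or the oldest surviving
    record) up to the first time point (the branch into `protected`), oldest first."""
    if not lbr.enabled:
        return None
    for idx in range(len(lbr.stack) - 1, -1, -1):
        if lbr.stack[idx].to_addr == protected:
            return lbr.stack[: idx + 1]
    return None


def determine_abnormality(window: Optional[List[LbrEntry]]) -> Tuple[str, str]:
    """Unit 130: empty window -> LBR never activated on this path (S130 No);
    a call subject outside the normal path -> S140 Yes; otherwise normal (S150)."""
    if not window:
        return ("abnormal", "lbr_not_active")
    for entry in window:
        if entry.from_addr not in NORMAL_PATH_SUBJECTS:
            return ("abnormal", f"unexpected_call_subject:{entry.from_addr:#x}")
    return ("normal", "all_call_subjects_on_normal_path")


def lbr_is_valid_call(lbr: LbrModel, protected: int = FUNCTION_IDX1) -> Tuple[str, str]:
    """Stand-in for LBR_IsValidCall(), run from inside the protected function."""
    return determine_abnormality(check_stack_information(lbr, protected))


def scenario_normal_call(depth: int = 16) -> Tuple[str, str]:
    """Normal subject: Enable_LBR() on the path, then the protected call."""
    lbr = LbrModel(depth)
    lbr.branch(CALLER_A, ENABLE_LBR)     # not recorded: LBR still off
    lbr.enable()                         # inside Enable_LBR()
    lbr.branch(ENABLE_LBR, CALLER_A)     # return to the normal caller
    lbr.branch(CALLER_A, FUNCTION_IDX1)  # first time point
    verdict = lbr_is_valid_call(lbr)
    lbr.disable()
    return verdict


def scenario_direct_jump_hook() -> Tuple[str, str]:
    """Hooking via Jump straight into the protected function: Enable_LBR() never ran."""
    lbr = LbrModel()
    lbr.branch(HACKTOOL, FUNCTION_IDX1)
    return lbr_is_valid_call(lbr)


def scenario_hijacked_thread() -> Tuple[str, str]:
    """Normal thread intercepted after activation: LBR is on, but one record is foreign."""
    lbr = LbrModel()
    lbr.branch(CALLER_A, ENABLE_LBR)
    lbr.enable()
    lbr.branch(ENABLE_LBR, CALLER_A)
    lbr.branch(CALLER_A, HACKTOOL)       # execution flow diverted
    lbr.branch(HACKTOOL, FUNCTION_IDX1)
    return lbr_is_valid_call(lbr)


if __name__ == "__main__":
    print("normal call      :", scenario_normal_call())
    print("depth-1 LBR      :", scenario_normal_call(depth=1))  # window starts after activation
    print("direct jump hook :", scenario_direct_jump_hook())
    print("hijacked thread  :", scenario_hijacked_thread())
```

The depth-1 run shows the case the text allows where the second time point falls after activation: the Enable_LBR() record has been pushed out, but every surviving call subject is still on the normal path, so the call is judged normal.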


Abstract

Disclosed are an abnormal path call detecting apparatus and an abnormal path call detecting method. Embodiments of the present invention pertain to a technology for efficiently increasing the reliability of a determination result of whether a function call is an abnormal path call by determining whether a significant function not exposed externally is called through an abnormal path by a malicious subject using a last branch record (LBR).

Description

비정상 경로 호출 감지 장치 및 비정상 경로 호출 감지 방법Abnormal path call detection device and abnormal path call detection method
본 발명의 실시예들은, 외부로 노출되지 않은 중요한 함수에 대하여, 악의적인 주체에 의해 비정상 경로를 통해 호출되는지 여부를 판단한 판단 결과의 신뢰도를 효과적으로 높일 수 있는 기술들과 관련된다.Embodiments of the present invention relate to techniques that can effectively increase the reliability of a determination result of determining whether a malicious function is called through an abnormal path to an important function not exposed to the outside.
현재, 외부로 노출되지 않은 중요한 함수를 허용되지 않은 메모리 영역의 악의적인 주체가 호출하여 허가되지 않은 상황에서도 중요 함수가 제공하는 중요 기능을 사용할 수 있도록 하는 악의적인 행위가 온라인 게임을 대상으로 하는 해킹툴에서 많이 보고되고 있다.Currently, malicious behavior that targets online games by malicious behavior that calls critical functions in the unlicensed memory area to use critical functions provided by the critical functions even in unauthorized situations is possible. It is reported a lot in the tool.
이에, 현재는, 중요 함수가 호출되었을 때, 복귀 주소를 검사하여 금번 호출이 악의적인 행위에 의한 호출인지 아닌지를 감지하는 복귀 주소 검사 방식, 쓰레드 정보를 검사하여 금번 호출이 악의적인 행위에 의한 호출인지 아닌지를 감지하는 쓰레드 정보 검사 방식을 이용하여, 이러한 악의적인 행위를 감지하고 있다.Now, when an important function is called, the return address checking method that checks the return address and detects whether the call is a malicious action or not, and the thread information by checking the thread information, the call is caused by a malicious action. These malicious behaviors are detected by using thread information inspection methods that detect whether they are aware or not.
하지만, 복귀 주소 검사 방식은, 컴파일 방식에 따라 콜 스택(Call Stack)을 생성하지 않도록 하는 경우에 적용할 수 없다는 구조적 문제가 발생하게 되고, 생성이 된다고 하더라도 정상적인 위치에 악의적인 코드로의 분기 명령을 두고 중요 함수를 호출할 때 해당 위치로의 복귀 주소로 수정하는 경우에는 쉽게 우회될 수 있다는 문제가 있다.However, there is a structural problem that the return address checking method cannot be applied when the call stack is not generated according to the compilation method, and even if it is generated, a branch instruction to malicious code in a normal position is generated. There is a problem that it can be easily bypassed when modifying the return address to the corresponding position when calling a critical function.
반면, 쓰레드 정보 검사 방식은, 사용자 영역에 존재하는 쓰레드 정보 구조체로의 접근 및 수정 방법이 이미 널리 알려져 있어, 중요 함수를 호출하기 전에 자신의 쓰레드 정보를 유효한 정보로 수정하여 우회가 쉽게 가능해지며, 후킹 등의 기법을 이용하여 정상 쓰레드의 실행 흐름을 가로채어 중요 함수를 비정상 호출하는 경우, 쓰레드 정보 자체는 정상이기 때문에 감지할 수 없는 문제가 발생하게 된다.On the other hand, the thread information checking method is widely known to access and modify the thread information structure existing in the user area, and it is possible to easily bypass the thread information by modifying its thread information to valid information before calling important functions. If the critical function is abnormally called by intercepting the execution flow of a normal thread using a technique such as hooking, the thread information itself is normal and thus cannot be detected.
따라서, 전술의 복귀 주소 검사 방식 및 쓰레드 정보 검사 방식이 갖는 한계점을 극복하고, 외부로 노출되지 않은 중요한 함수가 악의적인 행위에 의한 호출되는지 여부 즉 악의적인 주체에 의해 비정상 경로를 통해 호출되는지 여부를 신뢰도 높게 판단할 수 있는 방안의 필요성이 커지고 있다. Therefore, the above limitations of the return address checking method and the thread information checking method are overcome, and whether an important function that is not exposed to the outside is called by malicious behavior, that is, whether it is called through an abnormal path by a malicious subject. There is a growing need for measures that can be judged with high reliability.
이에 본 발명에서는, 외부로 노출되지 않은 중요한 함수 즉 보호대상함수에 대하여, 악의적인 주체에 의해 비정상 경로를 통해 호출되는지 여부를 판단한 판단 결과의 신뢰도를 효과적으로 높일 수 있는 방안을 제안하고자 한다.Accordingly, the present invention intends to propose a method for effectively increasing the reliability of a determination result of determining whether an important function that is not exposed to the outside, that is, a protected object function is called through an abnormal path by a malicious subject.
본 발명의 실시예들은 외부로 노출되지 않은 중요한 함수가 악의적인 주체에 의해 비정상 경로를 통해 호출되는지 여부를 LBR 기능을 이용하여 판단함으로써, 함수 호출의 비정상 경로 호출 여부에 대한 판단 결과의 신뢰도를 효과적으로 높이는 기술 방안을 제안할 수 있다.Embodiments of the present invention by using the LBR function to determine whether an important function that is not exposed to the outside through the abnormal path by the malicious subject, effectively the reliability of the determination result of the abnormal path call of the function call It is possible to propose technical measures to increase.
상기 목적을 달성하기 위한 본 발명의 제 1 관점에 따른 비정상 경로 호출 감지 방법은, 특정 보호대상함수가 호출되는 보호대상함수호출단계; LBR(Last Branch Record) 기능에 의해 기록되는 스택정보 중에서, 상기 특정 보호대상함수와 관련하여 상기 특정 보호대상함수가 호출되는 제1시점 및 상기 제1시점 보다 특정 시점만큼 앞선 제2시점 사이에 기록된 스택정보를 확인하는 스택정보확인단계; 및 상기 제1시점 및 상기 제2시점 사이에 기록된 스택정보를 기초로, 상기 특정 보호대상함수가 비정상 경로를 통해 호출되었는지 여부를 판단하는 비정상여부판단단계를 포함한다.Abnormal path call detection method according to a first aspect of the present invention for achieving the above object, the protected object function call step of calling a specific protected object function; Among the stack information recorded by the last branch record (LBR) function, recording is performed between a first time point at which the specific protection subject function is called and a second time point earlier than the first time in relation to the specific protection target function. A stack information checking step of checking the stacked stack information; And an abnormality determination step of determining whether the specific protected object function is called through an abnormal path based on the stack information recorded between the first time point and the second time point.
상기 목적을 달성하기 위한 본 발명의 제 2 관점에 따른 비정상 경로 호출 감지 장치는, 보호대상으로서 기 지정된 특정 보호대상함수가 호출되면, LBR 기능에 의해 기록되는 스택정보 중에서 상기 특정 보호대상함수와 관련하여 상기 특정 보호대상함수가 호출되는 제1시점 및 상기 제1시점 보다 특정 시점만큼 앞선 제2시점 사이에 기록된 스택정보를 확인하는 스택정보확인부; 및 상기 제1시점 및 상기 제2시점 사이에 기록된 스택정보를 기초로, 상기 특정 보호대상함수가 비정상 경로를 통해 호출되었는지 여부를 판단하는 비정상여부판단부를 포함한다.The abnormal path call detection apparatus according to the second aspect of the present invention for achieving the above object is related to the specific protected object function from the stack information recorded by the LBR function when a specific protected object function designated as a protected object is called. A stack information verification unit for confirming stack information recorded between a first time point at which the specific protected object function is called and a second time point that is earlier than the first time point by a specific time point; And an abnormality determination unit determining whether the specific protected object function is called through an abnormal path based on the stack information recorded between the first time point and the second time point.
본 발명의 실시예들은 외부로 노출되지 않은 중요한 함수가 악의적인 주체에 의해 비정상 경로를 통해 호출되는지 여부를 판단한 판단 결과의 신뢰도를 효과적으로 높일 수 있는 효과를 도출한다.Embodiments of the present invention can derive an effect that can effectively increase the reliability of the determination result of determining whether an important function not exposed to the outside is called through the abnormal path by the malicious subject.
FIG. 1 is an exemplary diagram showing an abnormal path call detection apparatus according to an embodiment of the present invention and the execution path resulting from a call to a protected function.
FIG. 2 is a flowchart showing the operation flow of an abnormal path call detection method according to an embodiment of the present invention.
Since the present invention may be modified in various ways and may have various embodiments, particular embodiments are illustrated in the drawings and described in detail in the written description. However, this is not intended to limit the present invention to the specific embodiments; it should be understood to include all modifications, equivalents and substitutes falling within the spirit and technical scope of the present invention. In describing each drawing, like reference numerals are used for like elements.
When an element is referred to as being "connected" or "coupled" to another element, it should be understood that it may be directly connected or coupled to that other element, or that intervening elements may be present. In contrast, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that no intervening elements are present.
The terms used in this application are intended only to describe particular embodiments and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. In this application, terms such as "comprise" or "have" are intended to indicate the presence of the features, numbers, steps, operations, elements, parts or combinations thereof described in the specification, and should be understood not to exclude in advance the presence or addition of one or more other features, numbers, steps, operations, elements, parts or combinations thereof.
Unless defined otherwise, all terms used herein, including technical and scientific terms, have the same meaning as commonly understood by a person of ordinary skill in the art to which the present invention belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the related art, and are not to be interpreted in an idealized or overly formal sense unless expressly so defined in this application.
Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.
First, an abnormal path call detection apparatus according to an embodiment of the present invention will be described with reference to FIG. 1.
As shown in FIG. 1, the abnormal path call detection apparatus 100 according to an embodiment of the present invention includes a stack information checking unit 120 and an abnormality determination unit 130, and may further include an LBR function activation control unit 110.
The abnormal path call detection apparatus 100 may basically be included in a computer system equipped with a functional unit (for example, a CPU) that supports the LBR function, and may furthermore be mounted in the computer system in the form of a module.
Here, the Last Branch Record (LBR) function is a function which, once activated, stores a specified number of the most recent branch instructions executed at the machine-code level, for example Call, Jump and Return instructions, as well as interrupt and exception instructions, in a designated storage location, for example the LBR stack located inside a Model-Specific Register (MSR), each time such an instruction is executed. It is a function provided as standard in recently produced CPUs.
The LBR function activation control unit 110 activates the LBR function before a specific protected function designated in advance as a protection target is called.
Here, a protected function is an important function that provides an important capability which must not be exposed externally, and may be designated in advance.
Accordingly, the LBR function activation control unit 110 may activate the LBR function supported by the CPU, as described above, before the pre-designated specific protected function is called.
For example, when a specific protected function is called by a normal subject, that is, a normal subject in an allowed memory region, the execution path resulting from the call is predictable.
Accordingly, the LBR function activation control unit 110 may activate the LBR function by calling an LBR function activation function (for example, Enable_LBR()) within the execution path taken when the specific protected function is called by a normal subject, so that Enable_LBR() is called before the specific protected function is called. Of course, the LBR function activation control unit 110 may instead adopt any one of various existing methods to activate the LBR function before the specific protected function is called.
In this way, once the LBR function has been activated by the LBR function activation control unit 110, each time a branch instruction such as Call, Jump or Return, an interrupt instruction or an exception instruction is executed, the activated LBR function stores/records the corresponding instructions, up to the specified number, in the LBR stack located inside the MSR.
Accordingly, the stack information recorded in the LBR stack by the LBR function may be information in which, for each function call event of each function executed/called by the aforementioned branch, interrupt or exception instructions, the calling subject address information (the address at which the subject calling the function is stored) and the call target address information (the address at which the called function is stored) are mapped and stored as a pair.
When the specific protected function designated in advance as a protection target is called, the stack information checking unit 120 checks, among the stack information recorded by the LBR function, the stack information recorded in relation to the specific protected function between a first time point at which the specific protected function is called and a second time point that precedes the first time point by a specific interval.
That is, when the specific protected function is called by an external subject (a normal subject or an abnormal subject), the stack information checking unit 120 checks, among the stack information recorded by the LBR function in the LBR stack located inside the MSR, the stack information related to the specific protected function called this time.
At this time, the stack information checking unit 120 may check all of the stack information recorded between the first time point at which the specific protected function is called and the second time point that precedes the first time point by a specific interval.
For example, the stack information checking unit 120 may call, within the execution path of the specific protected function, a function (for example, LBR_IsValidCall()) that checks the stack information related to the specific protected function called this time among the stack information recorded in the LBR stack; as that function (for example, LBR_IsValidCall()) is called, it becomes possible to check the stack information recorded between the first time point and the second time point as described above. Of course, the stack information checking unit 120 may instead adopt any one of various existing methods to check, among the stack information, the stack information recorded between the first time point and the second time point in relation to the specific protected function called this time.
Here, the second time point may be the time point at which the LBR function is activated by the LBR function activation control unit 110, or a specific time point after the time point at which the LBR function is activated by the LBR function activation control unit 110 and before the first time point described above.
Accordingly, as shown in FIG. 1, taking the case where the specific protected function is Function_Idx1(), the execution path resulting from a call when Function_Idx1() is called by an external subject (a normal subject or an abnormal subject) in the abnormal path call detection apparatus 100 according to an embodiment of the present invention will now be described.
That is, in the abnormal path call detection apparatus 100 according to an embodiment of the present invention, as described above, the LBR function is activated by the LBR function activation control unit 110, that is, by a call to the Enable_LBR() function, before the protected function Function_Idx1() is called. Then, when the protected function Function_Idx1() is called by an external subject (a normal subject or an abnormal subject), the abnormal path call detection apparatus 100 according to an embodiment of the present invention can check, by means of the stack information checking unit 120, that is, by a call to the LBR_IsValidCall() function during the execution of Function_Idx1(), the stack information recorded between the first time point and the second time point in relation to the specific protected function called this time, among the stack information recorded in the LBR stack.
Accordingly, the stack information checked by the stack information checking unit 120 has a structure in which, as shown in Table 1 below, for each function call event of each function, the calling subject address information (the address at which the subject calling the function is stored) and the call target address information (the address at which the called function is stored) are mapped and stored as a pair.
Table 1
Stack information   Calling subject address information (FromIP)   Call target address information (ToIP)
...                 ...                                             ...
4                   ...                                             ...
5                   address information of ①                        address information of ② (= address information of Function_Idx1())
6                   address information of ③                        address information of LBR_IsValidCall()
...                 ...                                             ...
To describe this specifically, as can be seen from Table 1, for each function call event of each function: for the function call event of the protected function, the address information of ①, the subject that calls the protected function Function_Idx1(), and the address information of ②, the start position of the protected function Function_Idx1(), are mapped as a pair; and for the function call event of the LBR_IsValidCall() function, the address information of ③, the subject (instruction) that calls the LBR_IsValidCall() function, and the address information of LBR_IsValidCall(), the start position of LBR_IsValidCall(), are mapped as a pair and stored.
At this time, the stack information in which the address information of ① and the address information of ② are mapped as a pair, for example stack information 5, corresponds to the first time point described above, and the stack information checking unit 120 checks all of the stack information from the first time point, that is, stack information 5, back through the earlier stack information 4, stack information 3, and so on, up to the second time point.
The abnormality determination unit 130 determines, based on the stack information recorded between the first time point and the second time point as checked by the stack information checking unit 120 described above, whether the specific protected function was called through an abnormal path.
More specifically, when the result of the stack information checking unit 120 checking the stack information recorded between the first time point and the second time point is that no stack information exists between the first time point and the second time point, that is, when no information at all is recorded in the LBR stack, the abnormality determination unit 130 may determine that this is a case in which the LBR function was not activated because of a malicious subject, and may therefore determine that the specific protected function called this time was called through an abnormal path.
For example, if the protected function is called by a normal subject, the LBR function will have been activated during the execution path by the LBR function activation control unit 110 described above, that is, by the LBR function activation function (for example, Enable_LBR()); however, if a malicious subject in an unauthorized memory region (for example, a hacking tool) calls the protected function directly through hooking such as a Jump, the LBR function may not have been activated.
Accordingly, when the result of the stack information checking unit 120 checking the stack information recorded between the first time point and the second time point is that no stack information exists between the first time point and the second time point, that is, no information at all is recorded in the LBR stack, the abnormality determination unit 130 can determine that this is a case in which the LBR function was not activated because of a malicious subject, and consequently can determine that the specific protected function called this time was called through an abnormal path.
Meanwhile, the abnormality determination unit 130 checks the calling subject address information for each function call event in the stack information recorded between the first time point and the second time point, as checked by the stack information checking unit 120 described above, and when address information is found that is not among the pre-designated address information belonging to the normal path, it may determine that the specific protected function called this time was called through an abnormal path.
For example, the abnormality determination unit 130 may hold in advance the address information of the calling subjects that can be included in the execution path when the protected function is called by a normal subject, that is, the pre-designated address information that can be determined to belong to the normal path.
Accordingly, the abnormality determination unit 130 checks the calling subject address information for each function call event in the stack information recorded between the first time point and the second time point, as checked by the stack information checking unit 120 described above, compares the address information of each calling subject with the address information held in advance as belonging to the normal path, and when address information is found that does not belong to the normal path, it can determine that the specific protected function called this time was called through an abnormal path.
As described above, in determining whether an important function that is not exposed externally is called through an abnormal path by a malicious subject in an unauthorized memory region, the abnormal path call detection apparatus 100 according to an embodiment of the present invention makes the determination using a stable, hard-to-bypass function provided by the hardware, namely the Last Branch Record (LBR) function, and thereby has the effect of effectively increasing the reliability of the determination result as to whether a function call was made through an abnormal path.
Hereinafter, an abnormal path call detection method according to an embodiment of the present invention will be described with reference to FIG. 2. Here, for convenience of description, the components shown in FIG. 1 described above will be referred to by their reference numerals.
The abnormal path call detection method according to an embodiment of the present invention activates the LBR function before a specific protected function designated in advance as a protection target is called (S100). Here, a protected function is an important function that provides an important capability which must not be exposed externally, and may be designated in advance.
Accordingly, the abnormal path call detection method according to an embodiment of the present invention may activate the LBR function supported by the CPU, as described above, before the pre-designated specific protected function is called.
For example, when a specific protected function is called by a normal subject, that is, a normal subject in an allowed memory region, the execution path resulting from the call is predictable.
Accordingly, the abnormal path call detection method according to an embodiment of the present invention may activate the LBR function by calling an LBR function activation function (for example, Enable_LBR()) within the execution path taken when the specific protected function is called by a normal subject, so that Enable_LBR() is called before the specific protected function is called. Of course, the abnormal path call detection method according to an embodiment of the present invention may instead adopt any one of various existing methods to activate the LBR function before the specific protected function is called.
Then, when the specific protected function designated in advance as a protection target is called (S110 Yes), the abnormal path call detection method according to an embodiment of the present invention checks, among the stack information recorded by the LBR function, the stack information recorded in relation to the specific protected function between a first time point at which the specific protected function is called and a second time point that precedes the first time point by a specific interval (S120).
That is, when the specific protected function is called by an external subject (a normal subject or an abnormal subject), the abnormal path call detection method according to an embodiment of the present invention checks, among the stack information recorded by the LBR function in the LBR stack located inside the MSR, the stack information related to the specific protected function called this time.
At this time, the abnormal path call detection method according to an embodiment of the present invention may check all of the stack information recorded between the first time point at which the specific protected function is called and the second time point that precedes the first time point by a specific interval.
For example, the abnormal path call detection method according to an embodiment of the present invention may call, within the execution path of the specific protected function, a function (for example, LBR_IsValidCall()) that checks the stack information related to the specific protected function called this time among the stack information recorded in the LBR stack; as that function (for example, LBR_IsValidCall()) is called, it becomes possible to check the stack information recorded between the first time point and the second time point as described above. Of course, the abnormal path call detection method according to an embodiment of the present invention may instead adopt any one of various existing methods to check, among the stack information, the stack information recorded between the first time point and the second time point in relation to the specific protected function called this time.
Here, the second time point may be the time point at which the LBR function is activated, or a specific time point after the time point at which the LBR function is activated and before the first time point described above.
Then, based on the stack information recorded between the first time point and the second time point as checked in step S120 described above, the abnormal path call detection method according to an embodiment of the present invention determines whether the specific protected function was called through an abnormal path.
More specifically, when the result of checking the stack information recorded between the first time point and the second time point is that no stack information exists between the first time point and the second time point, that is, when no information at all is recorded in the LBR stack (S130 No), the abnormal path call detection method according to an embodiment of the present invention may determine that this is a case in which the LBR function was not activated because of a malicious subject, and may therefore determine that the specific protected function called this time was called through an abnormal path (S160).
For example, if the protected function is called by a normal subject, the LBR function will have been activated during the execution path by the LBR function activation function described above (for example, Enable_LBR()); however, if a malicious subject in an unauthorized memory region (for example, a hacking tool) calls the protected function directly through hooking such as a Jump, the LBR function may not have been activated.
Accordingly, when the result of checking the stack information recorded between the first time point and the second time point is that no stack information exists between the first time point and the second time point, that is, no information at all is recorded in the LBR stack, the abnormal path call detection method according to an embodiment of the present invention can determine that this is a case in which the LBR function was not activated because of a malicious subject, and consequently can determine that the specific protected function called this time was called through an abnormal path.
Meanwhile, in the abnormal path call detection method according to an embodiment of the present invention, when the determination in step S130 described above finds that stack information does exist between the first time point and the second time point (S130 Yes), the calling subject address information for each function call event in the stack information recorded between the first time point and the second time point is checked, and when address information is found that is not among the pre-designated address information belonging to the normal path (S140 Yes), it may be determined that the specific protected function called this time was called through an abnormal path (S160).
For example, the abnormal path call detection method according to an embodiment of the present invention may hold in advance the address information of the calling subjects that can be included in the execution path when the protected function is called by a normal subject, that is, the pre-designated address information that can be determined to belong to the normal path.
Accordingly, the abnormal path call detection method according to an embodiment of the present invention checks the calling subject address information for each function call event in the stack information recorded between the first time point and the second time point, compares the address information of each calling subject with the address information held in advance as belonging to the normal path, and when address information is found that does not belong to the normal path, may determine that the specific protected function called this time was called through an abnormal path (S160); when no address information is found that does not belong to the normal path, it may determine that the specific protected function called this time was called through a normal path (S150). Furthermore, the abnormal path call detection method according to an embodiment of the present invention may deactivate the LBR function again once a certain time has elapsed after the protected function was called (S170).
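The decision logic of steps S130 to S160 (and of the abnormality determination unit 130 described with FIG. 1), as an added example that is not the patent's or the applicant's code: a user-mode C simulation of LBR_IsValidCall() over a constructed LBR stack. All addresses, the pre-designated normal-path set and the extra "protected function not found in the stack" verdict are assumptions made for the illustration; reading the real LBR MSRs requires ring-0 access and is not shown.

```c
/* Added example (not from the patent): simulation of the LBR_IsValidCall() decision
 * logic over a constructed LBR stack. Real LBR records live in model-specific
 * registers and need ring-0 RDMSR access, so the stack here is a plain array. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One LBR stack entry: calling subject address mapped to call target address. */
typedef struct {
    uint64_t from_ip;   /* FromIP: address the branch was taken from */
    uint64_t to_ip;     /* ToIP: start address of the called function */
} lbr_entry_t;

/* Verdicts of the abnormality determination (steps S130 to S160). */
typedef enum {
    LBR_CALL_NORMAL = 0,            /* S150: every caller is on the pre-designated normal path */
    LBR_CALL_ABNORMAL_NO_RECORDS,   /* S130 No: nothing recorded, LBR was never enabled */
    LBR_CALL_ABNORMAL_BAD_CALLER,   /* S140 Yes: a FromIP outside the normal path */
    LBR_CALL_ABNORMAL_NOT_FOUND     /* assumption: protected function never appears as ToIP */
} lbr_verdict_t;

/* Constructed (hypothetical) addresses standing in for the functions of FIG. 1. */
#define ADDR_ENABLE_LBR_RET  0x401020ULL   /* return instruction inside Enable_LBR() */
#define ADDR_FUNCTION_IDX1   0x402000ULL   /* Function_Idx1(), the protected function (2) */
#define ADDR_LBR_ISVALIDCALL 0x403000ULL   /* LBR_IsValidCall() */
#define ADDR_CALLER_1        0x405010ULL   /* call site (1) in the allowed memory region */
#define ADDR_CALLER_3        (ADDR_FUNCTION_IDX1 + 0x10) /* call site (3) inside Function_Idx1() */
#define ADDR_HOOK_CALLER     0x7f0000ULL   /* call site in an unauthorized memory region */

/* Pre-designated address information belonging to the normal path (held in advance). */
static const uint64_t normal_path_addrs[] = { ADDR_ENABLE_LBR_RET, ADDR_CALLER_1, ADDR_CALLER_3 };
#define N_NORMAL (sizeof normal_path_addrs / sizeof normal_path_addrs[0])

static bool on_normal_path(uint64_t ip)
{
    for (size_t i = 0; i < N_NORMAL; i++)
        if (normal_path_addrs[i] == ip) return true;
    return false;
}

/* Simulated LBR_IsValidCall(). stack[0] is the oldest record (second time point,
 * i.e. right after LBR activation) and stack[n-1] the newest. The first time point
 * is the newest record whose ToIP is the protected function. */
lbr_verdict_t lbr_is_valid_call(const lbr_entry_t *stack, size_t n, uint64_t protected_fn)
{
    if (n == 0)                                   /* S130 No */
        return LBR_CALL_ABNORMAL_NO_RECORDS;

    size_t first = n;
    for (size_t i = n; i-- > 0;)
        if (stack[i].to_ip == protected_fn) { first = i; break; }
    if (first == n)
        return LBR_CALL_ABNORMAL_NOT_FOUND;

    /* Window stack[0..first]: includes the call into the protected function itself,
     * excludes records newer than it (e.g. the (3) -> LBR_IsValidCall() record). */
    for (size_t i = 0; i <= first; i++)           /* S140 */
        if (!on_normal_path(stack[i].from_ip))
            return LBR_CALL_ABNORMAL_BAD_CALLER;
    return LBR_CALL_NORMAL;                       /* S150 */
}

/* Scenario 1: normal subject; constructed records in the order of FIG. 1 and Table 1. */
lbr_verdict_t scenario_normal_call(void)
{
    const lbr_entry_t stack[] = {
        { ADDR_ENABLE_LBR_RET, ADDR_CALLER_1 },        /* Return from Enable_LBR() into the normal path */
        { ADDR_CALLER_1,       ADDR_FUNCTION_IDX1 },   /* (1) -> (2): the first time point */
        { ADDR_CALLER_3,       ADDR_LBR_ISVALIDCALL }, /* (3) -> LBR_IsValidCall(), newer than the window */
    };
    return lbr_is_valid_call(stack, 3, ADDR_FUNCTION_IDX1);
}

/* Scenario 2: a hook jumps straight to Function_Idx1(); Enable_LBR() never ran, stack is empty. */
lbr_verdict_t scenario_lbr_not_enabled(void)
{
    return lbr_is_valid_call(NULL, 0, ADDR_FUNCTION_IDX1);
}

/* Scenario 3: LBR is on (left from an earlier legitimate call) but the caller of
 * Function_Idx1() sits in an unauthorized memory region. */
lbr_verdict_t scenario_hooked_caller(void)
{
    const lbr_entry_t stack[] = {
        { ADDR_ENABLE_LBR_RET, ADDR_CALLER_1 },
        { ADDR_HOOK_CALLER,    ADDR_FUNCTION_IDX1 },   /* FromIP not on the normal path */
        { ADDR_CALLER_3,       ADDR_LBR_ISVALIDCALL },
    };
    return lbr_is_valid_call(stack, 3, ADDR_FUNCTION_IDX1);
}
```

Scenario 1 yields LBR_CALL_NORMAL, scenario 2 LBR_CALL_ABNORMAL_NO_RECORDS and scenario 3 LBR_CALL_ABNORMAL_BAD_CALLER; note that the check only sees FromIP values, so the normal-path set must also contain the return site inside Enable_LBR(), which is itself a recorded branch once LBR is on.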
As described above, the abnormal-path call detection method according to one embodiment of the present invention, in determining whether an important function that is not exposed externally is being called through an abnormal path by a malicious subject in a disallowed memory region, makes that determination using a stable and hard-to-bypass function provided by the hardware, namely the Last Branch Record (LBR) function, and thereby effectively raises the reliability of the determination of whether a function call was made through an abnormal path.
The abnormal-path call detection method according to one embodiment of the present invention may be implemented in the form of program instructions that can be executed by various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and constructed for the present invention, or may be those known to and usable by those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape; optical recording media such as CD-ROM and DVD; magneto-optical media such as floptical disks; and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include not only machine code such as that produced by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules in order to perform the operations of the present invention, and vice versa.
Although the present invention has been described above with reference to specific matters such as particular components, limited embodiments and drawings, these are provided only to aid a more general understanding of the present invention. The present invention is not limited to the above embodiments, and those of ordinary skill in the art to which the present invention pertains can make various modifications and variations from this description.
Therefore, the spirit of the present invention should not be confined to the described embodiments; not only the claims that follow, but everything equivalent or equivalently modified with respect to those claims, falls within the scope of the spirit of the present invention.

Claims (12)

  1. An abnormal-path call detection method comprising:
    a protected-function call step in which a specific protected function is called;
    a stack information checking step of checking, among the stack information recorded by a Last Branch Record (LBR) function, the stack information of the specific protected function recorded between a first time point at which the specific protected function is called and a second time point that precedes the first time point by a specified interval; and
    an abnormality determination step of determining, based on the stack information of the specific protected function recorded between the first time point and the second time point, whether the specific protected function was called through an abnormal path.
  2. The method of claim 1,
    further comprising activating the LBR function before the specific protected function is called.
  3. The method of claim 2,
    wherein the second time point is the time point at which the LBR function is activated, or a time point after the LBR function is activated.
  4. The method of claim 1,
    wherein the stack information recorded by the LBR function is
    information in which, for each function call event in which a function is called, caller address information, where the subject calling the function is stored, and callee address information, where the called function is stored, are mapped and stored as a pair.
  5. The method of claim 1,
    wherein the abnormality determination step,
    when no stack information of the specific protected function recorded between the first time point and the second time point exists, determines that the LBR function was prevented from being activated by a malicious subject, and determines that the specific protected function was called through an abnormal path.
  6. The method of claim 4,
    wherein the abnormality determination step
    checks the caller address information of each function call event in the stack information of the specific protected function recorded between the first time point and the second time point, and, when address information other than the address information pre-designated as a normal path is found, determines that the specific protected function was called through an abnormal path.
  7. An abnormal-path call detection apparatus comprising:
    a stack information checking unit that, when a specific protected function pre-designated as a protection target is called, checks, among the stack information recorded by an LBR function, the stack information of the specific protected function recorded between a first time point at which the specific protected function is called and a second time point that precedes the first time point by a specified interval; and
    an abnormality determination unit that determines, based on the stack information of the specific protected function recorded between the first time point and the second time point, whether the specific protected function was called through an abnormal path.
  8. The apparatus of claim 7,
    further comprising an LBR function activation control unit that activates the LBR function before the specific protected function is called;
    wherein the second time point is the time point at which the LBR function is activated.
  9. The apparatus of claim 7,
    wherein the stack information recorded by the LBR function is
    information in which, for each function call event in which a function is called, caller address information, where the subject calling the function is stored, and callee address information, where the called function is stored, are mapped and stored as a pair.
  10. The apparatus of claim 8,
    wherein the abnormality determination unit,
    when no stack information of the specific protected function recorded between the first time point and the second time point exists, determines that the LBR function was prevented from being activated by a malicious subject, and determines that the specific protected function was called through an abnormal path.
  11. The apparatus of claim 9,
    wherein the abnormality determination unit
    checks the caller address information of each function call event in the stack information of the specific protected function recorded between the first time point and the second time point, and, when address information other than the address information pre-designated as a normal path is found, determines that the specific protected function was called through an abnormal path.
  12. A computer-readable recording medium on which a program for performing the method of any one of claims 1 to 6 is recorded.
PCT/KR2013/011069 2012-12-04 2013-12-02 Abnormal path call detecting apparatus and abnormal path call detecting method WO2014088276A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2012-0139841 2012-12-04
KR1020120139841A KR101444929B1 (en) 2012-12-04 2012-12-04 Abnormal call detecting device and abnormal call detecting method

Publications (1)

Publication Number Publication Date
WO2014088276A1 true WO2014088276A1 (en) 2014-06-12

Family

ID=50883651

Country Status (2)

Country Link
KR (1) KR101444929B1 (en)
WO (1) WO2014088276A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102242000B1 (en) * 2019-08-23 2021-04-20 숭실대학교산학협력단 Behavioral of malware characteristics extraction device, method, and program for performing the same

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040032859A (en) * 2001-07-31 2004-04-17 발리디 Method for protecting a software using a so-called conditional jump principle against its unauthorized use
KR20080092813A (en) * 2007-04-13 2008-10-16 삼성전자주식회사 Processor having indirect branch validation unit for secure program execution
KR20120045233A (en) * 2010-10-29 2012-05-09 주식회사 엔씨소프트 Method and computer readable recording medium for detecting malicious module of on-line game
KR20120126667A (en) * 2011-05-12 2012-11-21 주식회사 안랩 Malicious program hooking prevention apparatus and method

Also Published As

Publication number Publication date
KR20140071818A (en) 2014-06-12
KR101444929B1 (en) 2014-09-26

Legal Events

Code Title / Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13861057; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13861057; Country of ref document: EP; Kind code of ref document: A1)