WO2014168406A1 - Apparatus and method for diagnosing an attack that bypasses memory protection mechanisms - Google Patents

Apparatus and method for diagnosing an attack that bypasses memory protection mechanisms

Info

Publication number
WO2014168406A1
Authority
WO
WIPO (PCT)
Prior art keywords
malicious
memory area
attribute
memory
access violation
Prior art date
Application number
PCT/KR2014/003052
Other languages
English (en)
Korean (ko)
Inventor
임차성
이주석
Original Assignee
주식회사 안랩
Priority date
Filing date
Publication date
Application filed by 주식회사 안랩
Publication of WO2014168406A1 publication Critical patent/WO2014168406A1/fr

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • The present invention relates to an apparatus and method for diagnosing a memory protection bypass attack, that is, for determining whether shellcode that causes an attack bypassing a memory protection function (an attack that bypasses a memory protection technique) is malicious.
  • Malware is software that is intentionally designed to perform malicious activities, such as destroying a system or leaking information, contrary to the user's intentions and interests.
  • Types of malicious code include hacking tools such as viruses, worms, trojans, backdoors, logic bombs and trap doors, as well as spyware and adware.
  • Malicious code with a self-replicating or automatic propagation function can leak personal information such as user IDs and passwords, take control of a target system, delete or alter files, destroy the system, deny service to applications or the system, leak key data, and install other hacking programs; the resulting damage is very diverse and serious.
  • A malicious code treatment system detects and treats malware. Most malware detection systems (anti-virus programs) known to date use file-based diagnostics, because most malicious code is executed in the form of a file that can be run on a specific system.
  • For malicious code to run on a Windows system, it usually takes the format of an executable file (PE). File extensions with PE format include exe, cpl, ocx, dll, vxd, sys, scr and drv.
  • To diagnose malware in the form of an executable (PE) file, the malware treatment system also needs a signature of a specific type that can recognize the file type and determine that the file is malicious code. These diagnostics are the same as the signature-based or string-testing methods used by most malware treatment systems.
  • The signature-based diagnostic method targets specific or unique parts of a file classified as malicious code, enabling accurate diagnosis that minimizes false positives and false negatives. Its advantage is that fast scanning can be achieved by comparing only the characteristic parts of the files.
  • However, the signature-based diagnostic method cannot detect a new file in which the malicious code has been changed by only a few hundred bytes, since it no longer diagnoses the file once the file itself changes even slightly. In addition, since it can only respond to known malicious code, it cannot cope with new and unknown malicious code.
  • The term "non-executable file" (non-PE, non-portable executable) refers to a file that is not executed by itself, as opposed to an executable file.
  • The non-executable file may be a Hangul word processor file, a document file such as a Word file, an image file such as a JPG file, a video file, a JavaScript file, an HTML file, or the like.
  • A conventional countermeasure against malicious code that uses a non-executable file checks, in the malware detection engine, whether the memory region into which an exploit moves the malicious shellcode during execution of the non-executable file has been set, in order to determine whether it is malicious code and block it.
  • An embodiment of the present invention provides an apparatus and method for diagnosing a memory protection bypass attack, which determine whether shellcode that causes an attack bypassing a memory protection technique, such as a ROP attack, is malicious.
  • According to one aspect, an apparatus for diagnosing a memory protection technique bypass attack includes: a function detector that detects whether a specific program function capable of modulating attribute information of a memory area is called; an attribute checker that, when the call of the specific program function is detected by the function detector, checks whether the attribute information at the corresponding location of the memory area is an execution attribute; an attribute change unit that, when an execution attribute is confirmed by the attribute checker, changes the attribute information so that an access violation occurs at the corresponding location of the memory area; an event detector that detects whether the access violation occurs in the memory area; and a malicious determination unit that, when the access violation is detected by the event detector, determines whether the shellcode that generated the access violation is malicious.
  • The apparatus may further include a memory map generation unit configured to generate a memory map storing the address information of the location where the attribute information was changed by the attribute change unit, and the malicious determination unit may perform the malicious determination when the address information of the location where the access violation occurred is address information stored in the memory map.
  • The malicious determination unit may determine whether the shellcode is malicious by comparing an entropy value of the memory area with a preset reference value.
  • The malicious determination unit may set the target memory area for calculating the entropy value using the start address and size of the memory area allocated by the specific program function.
  • When calculating the entropy value, the malicious determination unit may calculate it over the codes recorded in the memory area excluding "0".
  • The apparatus may further include a pattern storage unit in which pattern information is stored, and the malicious determination unit may determine whether the shellcode is malicious by comparing it with the pattern information.
  • The attribute change unit may restore the attribute information to its state before the change, so that the access violation does not occur again, after the malicious determination unit determines that the shellcode is not malicious.
  • The apparatus may further include an infection checker that checks whether a register is infected when the call of the specific program function is detected.
  • The malicious determination unit may determine that the shellcode is malicious when the infection checker detects infection of the register.
  • The infection checker may check for infection by comparing the stored value of the register with the shellcode.
  • The infection checker may identify an infection based on the matching ratio between one or more stored values of the general registers constituting the register and the shellcode.
  • According to another aspect, a method for diagnosing a memory protection bypass attack may include: detecting whether a specific program function capable of modulating attribute information of a memory area is called; when the call of the specific program function is detected, checking whether the attribute information at the corresponding location of the memory area is an execution attribute; when the attribute information is identified as an execution attribute, changing the attribute information so that an access violation occurs at the corresponding location of the memory area; detecting whether an access violation occurs in the memory area; and, when the access violation is detected, determining whether the shellcode that caused the access violation is malicious.
  • The method may further include generating a memory map storing the address information of the location where the attribute information was changed, and the malicious determination may be performed when the address information of the location where the access violation occurred is address information stored in the memory map.
  • In the malicious determination, the entropy value of the memory area may be compared with a predetermined reference value.
  • The malicious determination may include setting the target memory area for calculating the entropy value using the start address and size of the memory area allocated by the specific program function.
  • The entropy value may be calculated over the codes recorded in the memory area excluding "0".
  • In the malicious determination, the shellcode may be compared with previously stored pattern information.
  • After the determination, the attribute information may be restored to its state before the change so that the access violation does not occur again.
  • The method may further include checking whether a register is infected when the call of the specific program function is detected, and the malicious determination may determine the shellcode to be malicious when infection of the register is confirmed.
  • The infection check may detect infection by comparing the stored value of the register with the shellcode.
  • The infection may be confirmed based on the matching ratio between one or more stored values of the general registers constituting the register and the shellcode.
  • According to yet another aspect, a computer-readable recording medium is provided on which is recorded a program for performing each step of the memory protection bypass attack diagnosis method: detecting whether a specific program function capable of modulating attribute information of a memory area is called; when the call of the specific program function is detected, checking whether the attribute information at the corresponding location of the memory area is an execution attribute; if the attribute information is identified as an execution attribute, changing it so that an access violation occurs at the corresponding location of the memory area; detecting whether the access violation occurs in the memory area; and determining whether the shellcode that caused the access violation is malicious.
  • According to the present invention, it is possible to determine whether a memory protection bypass attack is taking place, that is, whether shellcode that causes an attack bypassing a memory protection technique such as a ROP attack is malicious. Accordingly, the malicious determination result can be raised as an alert so that an operator can recognize it, or a countermeasure such as deleting the shellcode that causes the access violation can be performed.
  • FIG. 1 is a block diagram of a memory protection method bypass attack diagnosis apparatus according to a first embodiment of the present invention.
  • FIG. 2 is a flowchart illustrating a memory protection method bypass attack diagnosis method according to a first embodiment of the present invention.
  • FIG. 3 is a block diagram of a memory protection method bypass attack diagnosis apparatus according to a second embodiment of the present invention.
  • FIG. 4 is a flowchart illustrating a memory protection method bypass attack diagnosis method according to a second embodiment of the present invention.
  • a first embodiment of the present invention will be described with reference to FIGS. 1 and 2, and then a second embodiment of the present invention will be described with reference to FIGS. 3 and 4.
  • The memory protection technique bypass attack diagnosis apparatus 100 includes a function detection unit 110, an infection inspection unit 120, an attribute inspection unit 130, an attribute change unit 140, a memory map generator 150, an event detector 160, a malicious determiner 170, and the like.
  • The function detector 110 detects whether a specific program function that can modulate the attribute information of the memory area is called. For example, the function detector 110 may detect whether a virtual memory related application programming interface (API) is called through the kernel mode entry library file.
  • the infection checker 120 checks whether a register is infected when a call of a specific program function is detected by the function detector 110.
  • the infection checker 120 compares the stored value of the register with the shellcode calling a specific program function and checks for infection.
  • the infection inspecting unit 120 may identify an infection based on a matching ratio between at least one stored value and a shell code among the general registers constituting the register.
  • The infection checker 120 may be included in order to diagnose an attack state quickly when the register is already infected, but it may also be omitted.
  • The attribute checker 130 checks whether the attribute information for the corresponding location of the memory area is an execution attribute, either after the call of the specific program function is detected by the function detector 110 or after the infection checker 120 determines that the register is not infected.
  • the attribute changing unit 140 changes the attribute information so that an access violation occurs at a corresponding position in the memory area when the execution attribute is confirmed by the attribute inspecting unit 130.
  • For this, the attribute information may be made unrecognizable by deleting it, changing it to a non-executable attribute, or modulating the stored attribute information.
  • the property changing unit 140 may restore the property information to the state before the change so that an access violation does not occur thereafter.
  • The memory map generator 150 generates a memory map in which the address information of the location where the attribute information was changed by the attribute change unit 140 is stored. This memory map is later used to decide whether it is necessary to determine whether the shellcode at the location of an access violation is malicious.
  • the event detector 160 detects whether an access violation occurs in the memory area.
  • The malicious determination unit 170 determines that the shellcode is malicious when the infection checker 120 confirms that the register is infected. Alternatively, when an access violation is detected by the event detector 160, it determines whether the shellcode that caused the access violation is malicious. In this case, the malicious determination unit 170 may selectively perform the determination only when the address information of the location where the access violation occurred is address information stored in the memory map generated by the memory map generation unit 150. To determine whether the shellcode is malicious, the malicious determination unit 170 may compare the entropy value of the memory area with a preset reference value and decide according to the comparison result.
  • The target memory area for calculating the entropy value may be set using the start address and size of the memory area allocated by the specific program function, and the entropy value may be calculated over the codes recorded in the memory area excluding "0".
  • The memory protection bypass attack diagnosis method according to the first embodiment includes: detecting whether a specific program function capable of modulating attribute information of a memory area is called (S201); when the call of the specific program function is detected, checking whether the register is infected (S203); when the call is detected, or subsequently when the register is determined not to be infected, checking whether the attribute information for the corresponding position in the memory area is an execution attribute (S205 and S207); when the attribute information is confirmed as an execution attribute, changing it so that an access violation occurs at that position (S209 and S211); generating a memory map storing the address information of the location where the attribute information was changed (S213); detecting whether an access violation occurs (S215); and, when the address information of the location that caused the access violation is address information stored in the memory map, determining whether the shellcode that caused the access violation is malicious.
  • The function detection unit 110 of the memory protection technique bypass attack diagnosis apparatus 100 detects whether a specific program function that can modify attribute information of a memory region is called. For example, the function detector 110 may detect whether a virtual memory related API is called through the kernel mode entry library file; for instance, it may detect whether VirtualAlloc, HeapCreate, or the like among the virtual memory related APIs is called (S201).
  • When the call of the specific program function is detected, the infection inspection unit 120 checks whether the registers of the central processing unit (CPU) have been infected (S203).
  • the infection checker 120 compares the stored value of the register with the shellcode calling a specific program function and checks for infection.
  • the infection inspecting unit 120 may identify an infection based on a matching ratio between at least one stored value and a shell code among the general registers constituting the register.
  • When the code stored in the Extended Accumulator Register (EAX), Extended Counter Register (ECX), Extended Data Register (EDX), Extended Base Register (EBX) or Extended Stack Pointer (ESP) matches the shellcode, an attack condition can be diagnosed (S205 and S225).
  • The attribute inspecting unit 130 checks whether the attribute information for the corresponding position of the memory area is an execution attribute.
  • The attribute inspection unit 130 may inspect the attribute information immediately after the call of the specific program function is detected by the function detection unit 110, or after the infection inspection unit 120 determines that the register is not infected (S207).
  • When the attribute information is confirmed as an execution attribute, the attribute changing unit 140 changes the attribute information so that an access violation occurs at that location.
  • For this, the attribute information may be deleted, changed to a non-executable attribute, or modulated so that the stored attribute information is not recognized (S209 and S211).
  • The memory map generator 150 generates a memory map in which the address information of the location where the attribute information was changed by the attribute change unit 140 is stored (S213). This memory map is later used to decide whether it is necessary to determine whether the shellcode at the location of an access violation is malicious.
  • the event detector 160 detects whether an access violation occurs in the memory area (S215).
  • When an access violation is detected, the malicious determination unit 170 checks whether the address information of the location that caused the access violation is address information stored in the memory map generated by the memory map generator 150 (S217 and S219). This is because, even if an access violation occurs, there is no need to diagnose a bypass attack if it occurred at a location where the attribute information was not intentionally changed in step S211.
  • If it is, the malicious determination unit 170 calculates the entropy value of the memory area to determine whether the shellcode is malicious. For example, the target memory area for calculating the entropy value may be set using the start address and size of the memory area allocated by the specific program function, and the entropy value may be calculated over the codes recorded in the memory area excluding "0" (S221).
  • The malicious determination unit 170 compares the entropy value calculated in step S221 with the preset reference value and determines the current shellcode to be malicious when the calculated entropy value falls within the malicious range (S223). That is, it is determined that the shellcode is involved in a ROP attack or the like that bypasses the memory protection technique (S225). In this case, the malicious determination unit 170 may raise an alert with the result of the malicious determination so that an operator can recognize it, or perform a response such as deleting the shellcode that caused the access violation.
  • Thereafter, the malicious determination unit 170 restores the attribute information to its state before the change so that an access violation does not occur again. For example, if the attribute information was changed from an execution attribute to a non-execution attribute in step S211, it can be restored to its original execution attribute (S227).
  • The memory protection technique bypass attack diagnosis apparatus 100′ includes a function detector 110, an infection checker 120, a property checker 130, a property changer 140, a memory map generation unit 150, an event detection unit 160, a malicious determination unit 170, a pattern storage unit 180, and the like.
  • Compared with the memory protection bypass attack diagnosis apparatus 100 according to the first embodiment shown in FIG. 1, the apparatus 100′ according to the second embodiment additionally includes the pattern storage unit 180.
  • the pattern storage unit 180 stores pattern information for determining whether a shell code for calling a specific program function capable of tampering with attribute information of a memory area corresponds to malicious shell code involved in a memory protection technique bypass attack. Such pattern information may be obtained and stored through a pre-collecting process or updated by learning after malicious determination.
  • The malicious determination unit 170 may compare the shellcode that calls the specific program function with the pattern information in the pattern storage unit 180 and determine whether it is malicious based on the match.
  • the memory protection method bypass attack diagnosis method by the memory protection method bypass attack diagnosis apparatus 100 ′ according to the second embodiment of the present invention is illustrated in FIG. 4.
  • the same reference numerals are given for the same processing procedure when comparing FIG. 2 and FIG. 4.
  • The memory protection bypass attack diagnosis method includes: detecting whether a specific program function that can modulate the attribute information of the memory area is called (S201); when the call of the specific program function is detected, checking whether the register is infected (S203); when the call is detected, or subsequently when the register is determined not to be infected, checking whether the attribute information for the corresponding position in the memory area is an execution attribute (S205 and S207); when the attribute information is confirmed as an execution attribute, changing it so that an access violation occurs at the corresponding position in the memory area (S209 and S211); and the memory map in which the address information of the position where the attribute information was changed is stored.
  • The differences between the diagnosis method of the apparatus 100′ according to the second embodiment and the diagnosis method of the apparatus 100 according to the first embodiment are examined more closely below.
  • The malicious determination unit 170 reads the pattern information previously stored in the pattern storage unit 180 and compares it with the pattern of the shellcode identified in step S321. Even if the patterns are not completely identical, when the pattern matching ratio is high according to the comparison result, the pattern is judged to be malicious and the current shellcode is determined to be malicious. That is, it is determined that the shellcode is involved in a ROP attack or the like that bypasses the memory protection technique (S325). In this case, the malicious determination unit 170 may raise an alert with the result of the malicious determination so that an operator can recognize it, or perform a response such as deleting the shellcode that caused the access violation.
  • Thereafter, the malicious determination unit 170 restores the attribute information to its state before the change so that an access violation does not occur again. For example, if the attribute information was changed from an execution attribute to a non-execution attribute in step S211, it may be restored to its original execution attribute (S327).
  • Combinations of the blocks of the block diagrams and the steps of the flowcharts attached to the present invention may be performed by computer program instructions.
  • These computer program instructions may be loaded onto a processor of a general purpose computer, special purpose computer, or other programmable data processing equipment, so that the instructions executed through the processor of the computer or other programmable data processing equipment create means for performing the functions described in each block of the block diagram or each step of the flowchart.
  • These computer program instructions may also be stored in a computer-usable or computer-readable memory that can direct a computer or other programmable data processing equipment to implement functionality in a particular manner, so that the instructions stored in the computer-usable or computer-readable memory produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or each step of the flowchart.
  • The computer program instructions may also be loaded onto a computer or other programmable data processing equipment so that a series of operating steps is performed on the computer or other programmable data processing equipment to create a computer-implemented process, so that the instructions executed on the computer or other programmable data processing equipment provide steps for performing the functions described in each block of the block diagram and each step of the flowchart.
  • Each block or step may represent a portion of a module, segment or code that includes one or more executable instructions for executing the specified logical function(s).
  • In some alternative implementations, the functions noted in the blocks or steps may occur out of order. For example, two blocks or steps shown in succession may in fact be executed substantially concurrently, or the blocks or steps may sometimes be performed in the reverse order, depending on the functionality involved.
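The decision logic of the first embodiment (steps S203 to S227 above), as an added example written for this page; it is not code from the patent or from AhnLab. It models the memory map of regions whose execute attribute was cleared, the lookup of a faulting address in that map, the entropy calculation over non-zero bytes, the comparison with a reference value, the register match ratio, and the restoration of the attribute. The hook on VirtualAlloc/HeapCreate and the real access-violation handler are not reproduced: region contents, fault addresses and register values are constructed inputs, and the value of kEntropyReference is an assumption, since the patent only speaks of "a preset reference value".

```cpp
// Added example, not the patent's own code. Simulates the first-embodiment
// decision pipeline on constructed inputs; the reference value is assumed.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr double kEntropyReference = 6.0;  // assumed "preset reference value", bits per byte

struct Region {
    std::uintptr_t start;
    std::size_t size;
    bool executable;  // attribute as the diagnoser currently has it set
};

// Memory map generated in S213: every region whose attribute was changed in S211.
struct MemoryMap {
    std::vector<Region> regions;

    void record(std::uintptr_t start, std::size_t size) { regions.push_back({start, size, false}); }

    // S217/S219: index of the recorded region containing fault_addr, or -1 when
    // the violation happened somewhere the diagnoser never touched.
    int lookup(std::uintptr_t fault_addr) const {
        for (std::size_t i = 0; i < regions.size(); ++i) {
            if (fault_addr >= regions[i].start && fault_addr - regions[i].start < regions[i].size)
                return static_cast<int>(i);
        }
        return -1;
    }
    // S227: give the execute attribute back so the violation does not recur.
    void restore(int idx) { regions.at(static_cast<std::size_t>(idx)).executable = true; }
};

// S221: Shannon entropy in bits over the region, counting only non-zero bytes.
double entropy_nonzero(const std::vector<std::uint8_t>& buf) {
    std::size_t hist[256] = {};
    std::size_t n = 0;
    for (std::uint8_t b : buf) {
        if (b != 0) { ++hist[b]; ++n; }
    }
    if (n == 0) return 0.0;
    double h = 0.0;
    for (int b = 1; b < 256; ++b) {
        if (hist[b] == 0) continue;
        double p = static_cast<double>(hist[b]) / static_cast<double>(n);
        h -= p * std::log2(p);
    }
    return h;
}

// S203/S205: fraction of general-register values that also occur as a 32-bit
// little-endian word somewhere in the shellcode bytes (the "matching ratio").
double register_match_ratio(const std::vector<std::uint32_t>& regs,
                            const std::vector<std::uint8_t>& code) {
    if (regs.empty() || code.size() < 4) return 0.0;
    std::size_t matched = 0;
    for (std::uint32_t reg : regs) {
        for (std::size_t off = 0; off + 4 <= code.size(); ++off) {
            std::uint32_t w = static_cast<std::uint32_t>(code[off]) |
                              (static_cast<std::uint32_t>(code[off + 1]) << 8) |
                              (static_cast<std::uint32_t>(code[off + 2]) << 16) |
                              (static_cast<std::uint32_t>(code[off + 3]) << 24);
            if (w == reg) { ++matched; break; }
        }
    }
    return static_cast<double>(matched) / static_cast<double>(regs.size());
}

enum class Verdict { Ignore, Benign, Malicious };

// S215-S227 for one access violation: violations outside the map need no
// diagnosis; otherwise decide by entropy and restore the attribute afterwards.
Verdict diagnose_fault(MemoryMap& map, std::uintptr_t fault_addr,
                       const std::vector<std::uint8_t>& region_bytes) {
    int idx = map.lookup(fault_addr);
    if (idx < 0) return Verdict::Ignore;
    Verdict v = entropy_nonzero(region_bytes) >= kEntropyReference ? Verdict::Malicious
                                                                    : Verdict::Benign;
    map.restore(idx);
    return v;
}

// Constructed sample regions (not real shellcode): zero padding plus two byte
// values repeated (low entropy), and every non-zero byte value once (high entropy).
std::vector<std::uint8_t> sample_low_entropy() {
    std::vector<std::uint8_t> v(32, 0);
    for (int i = 0; i < 16; ++i) { v.push_back(0x41); v.push_back(0x42); }
    return v;
}
std::vector<std::uint8_t> sample_high_entropy() {
    std::vector<std::uint8_t> v(8, 0);
    for (int b = 1; b < 256; ++b) v.push_back(static_cast<std::uint8_t>(b));
    return v;
}

// Walk three constructed violations through the pipeline; returns the number
// of malicious verdicts (one: the high-entropy region inside the recorded map).
int run_demo() {
    MemoryMap map;
    map.record(0x10000, 0x1000);  // region handed out by the hooked allocator, execute cleared
    int malicious = 0;
    malicious += diagnose_fault(map, 0x10010, sample_high_entropy()) == Verdict::Malicious;
    malicious += diagnose_fault(map, 0x10FFF, sample_low_entropy()) == Verdict::Malicious;
    malicious += diagnose_fault(map, 0x20000, sample_high_entropy()) == Verdict::Malicious;
    return malicious;
}
```

Excluding 0x00 bytes matters because an allocated region is normally zero-filled beyond the bytes the caller wrote; including them would drag the entropy of a sparsely written region toward zero and hide the decision the patent is actually making about the written bytes. The third fault in run_demo shows the role of the memory map: an access violation at an address the diagnoser never modified is not diagnosed at all, which keeps unrelated crashes from being counted as bypass attacks.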


Abstract

The invention relates to an apparatus for diagnosing an attack that bypasses memory protection techniques, the apparatus comprising: a function detection unit for detecting whether a specific program function capable of modifying the attribute information of a memory area is called; an attribute inspection unit for inspecting whether the attribute information at the corresponding location of the memory area is an execution attribute when the call of the specific program function is detected by the function detection unit; an attribute change unit for changing the attribute information so that an access violation occurs at the corresponding location of the memory area when the execution attribute is identified by the attribute inspection unit; an event detection unit for detecting whether the access violation occurs in the memory area; and a malicious determination unit for determining whether the shellcode that causes the access violation is malicious when the access violation is detected by the event detection unit.
PCT/KR2014/003052 2013-04-09 2014-04-08 Apparatus and method for diagnosing an attack that bypasses memory protection mechanisms WO2014168406A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2013-0038639 2013-04-09
KR1020130038639A KR101311367B1 (ko) 2013-04-09 2013-04-09 Apparatus and method for diagnosing memory protection bypass attacks

Publications (1)

Publication Number Publication Date
WO2014168406A1 true WO2014168406A1 (fr) 2014-10-16

Family

ID=49456680

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/003052 WO2014168406A1 (fr) 2013-04-09 2014-04-08 Apparatus and method for diagnosing an attack that bypasses memory protection mechanisms

Country Status (2)

Country Link
KR (1) KR101311367B1 (fr)
WO (1) WO2014168406A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9904780B2 (en) * 2014-07-31 2018-02-27 Nec Corporation Transparent detection and extraction of return-oriented-programming attacks
KR102156340B1 (ko) * 2014-11-21 2020-09-15 에스케이텔레콤 주식회사 Method and apparatus for blocking web page attacks
KR102304332B1 (ko) * 2014-11-21 2021-09-23 에스케이텔레콤 주식회사 Method and apparatus for blocking web page attacks
WO2016204770A1 (fr) * 2015-06-18 2016-12-22 Hewlett Packard Enterprise Development Lp Protected loading of a module

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100954355B1 (ko) * 2008-01-18 2010-04-21 주식회사 안철수연구소 Apparatus for diagnosing and treating malicious code
US7971255B1 (en) * 2004-07-15 2011-06-28 The Trustees Of Columbia University In The City Of New York Detecting and preventing malcode execution
KR101244731B1 (ko) * 2012-09-11 2013-03-18 주식회사 안랩 Apparatus and method for detecting malicious shellcode using a debug event

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100992434B1 (ko) * 2008-07-07 2010-11-05 주식회사 안철수연구소 Method and apparatus for detecting files with a disguised extension
KR101228900B1 (ko) 2010-12-31 2013-02-06 주식회사 안랩 Method and system for determining whether a non-PE file contains malicious content

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7971255B1 (en) * 2004-07-15 2011-06-28 The Trustees Of Columbia University In The City Of New York Detecting and preventing malcode execution
KR100954355B1 (ko) * 2008-01-18 2010-04-21 주식회사 안철수연구소 Apparatus for diagnosing and treating malicious code
KR101244731B1 (ko) * 2012-09-11 2013-03-18 주식회사 안랩 Apparatus and method for detecting malicious shellcode using a debug event

Also Published As

Publication number Publication date
KR101311367B1 (ko) 2013-09-25

Similar Documents

Publication Publication Date Title
KR101265173B1 (ko) Apparatus and method for inspecting non-executable files
JP6639588B2 (ja) System and method for detecting malicious files
US9418227B2 (en) Detecting malicious software
EP3462358B1 (fr) System and method for detecting malicious code in a process address space
KR101212553B1 (ko) Apparatus and method for inspecting malicious files
CA3017936A1 (fr) System and method for detecting a reverse shell
US8782615B2 (en) System, method, and computer program product for simulating at least one of a virtual environment and a debugging environment to prevent unwanted code from executing
WO2015178578A1 (fr) System and method for analysing a part
US11288362B2 (en) System and method for creating antivirus records for antivirus applications
KR20180032566A (ko) Systems and methods for tracking malicious behavior across multiple software entities
US10339305B2 (en) Sub-execution environment controller
WO2014042344A1 (fr) Apparatus and method for detecting malicious shellcode by means of a debug event
WO2014168406A1 (fr) Apparatus and method for diagnosing an attack that bypasses memory protection mechanisms
KR100745639B1 (ko) Method and apparatus for protecting the file system and registry
WO2010093071A1 (fr) Security system for a website, and corresponding method
WO2023027228A1 (fr) Method and device for detecting the maliciousness of a non-portable executable file by modifying the execution flow of an application program
RU2665910C1 (ru) System and method for detecting malicious code in the address space of processes
KR101908517B1 (ko) Method for detecting malicious code and removing packers using string and code signatures
KR20180045397A (ko) Apparatus and method for diagnosing malicious code
EP3522058B1 (fr) System and method for creating antivirus records
RU2673407C1 (ru) System and method for determining a malicious file
Klymenko Modern information systems security means
CN117235714A (zh) Fileless attack detection method, apparatus, device and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14782638

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14782638

Country of ref document: EP

Kind code of ref document: A1