WO2014206268A1 - Action processing method and device on windows platform - Google Patents


Info

Publication number
WO2014206268A1
Authority
WO
WIPO (PCT)
Prior art keywords
behavior
operating system
unsafe
cpu
processing
Prior art date
Application number
PCT/CN2014/080579
Other languages
French (fr)
Chinese (zh)
Inventor
潘剑锋
李宜檑
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date
Filing date
Publication date
Application filed by 北京奇虎科技有限公司 and 奇智软件(北京)有限公司
Publication of WO2014206268A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine

Definitions

  • the present invention relates to the field of the Internet, and in particular to a method and apparatus for performing behavior processing on a Windows platform.

Background technique

  • active defense is a real-time protection technology based on independent analysis and judgment of program behavior. It does not use signatures (feature code) as the basis for identifying malicious programs; instead, it starts from the most primitive definition and uses the behavior of the program itself as the basis for judging whether it is malicious. Active defense software first intercepts the behavior of the malicious program and then processes it accordingly. Interception of program behavior is therefore the important first step of active defense, and many malicious programs resist active defense precisely by interfering with or bypassing behavioral interception.
  • the present invention has been made in order to provide an apparatus for performing behavior processing on a Windows platform, and a corresponding method of performing behavior processing on a Windows platform, that overcomes the above problems or at least partially solves them.
  • a method for performing behavior processing on a Windows platform is provided, which is applied to a CPU supporting hardware virtualization, including:
  • the local operating system is placed in a supervised state, the behavior triggered by the at least one CPU is monitored by the VMM, and corresponding processing is performed according to the triggering result.
  • the generating manner of the VMM includes the following steps:
  • placing the native operating system in a supervised state including:
  • the current state of the native operating system is switched from the host state to the guest state, and the at least one CPU is placed in a supervised state.
  • the foregoing method further includes: setting a VMM mode for the local operating system.
  • switching the current state of the native operating system from the host state to the guest state includes:
  • the native operating system is set to run in non-root virtualization (VMX-non-root) mode and, correspondingly,
  • the VMM is set to run in root virtualization (VMX-root) mode.
  • corresponding processing is performed according to the triggering result, including:
  • the VMM intercepts the unsafe behavior.
  • the method includes: searching a pre-stored processing list for the unsafe behavior and its corresponding processing manner, where the processing list stores at least one unsafe event and how it is handled; the intercepted unsafe behavior is then processed according to the search result.
  • the intercepted unsafe behavior is processed according to the search result, including:
  • the unsafe behavior is an operation of reading, writing or modifying;
  • the behavior value determined by the user is returned by using the VMM, wherein the behavior value is different from the actual value obtained by the read, write or modification operation.
  • the unsafe behavior includes at least one of the following:
  • the Windows platform includes a 64-bit Windows platform.
  • an apparatus for performing behavior processing on a Windows platform which is applied to a CPU supporting hardware virtualization, includes:
  • a virtual module configured to start a local operating system, perform a hardware virtualization operation on the local operating system, and generate a virtual machine monitor (VMM);
  • a permission setting module configured to place the native operating system into guest operation, such that the authority of the operating system is lower than the authority of the VMM;
  • a processing module configured to put the local operating system into a supervised state, monitor, by using the VMM, the behavior triggered by the at least one CPU, and perform corresponding processing according to the triggering result.
  • the virtual module is further configured to:
  • processing module is further configured to:
  • the current state of the native operating system is switched from the host state to the guest state, and the at least one CPU is placed in a supervised state.
  • the processing module is further configured to: set a VMM mode for the local operating system.
  • processing module is further configured to:
  • the native operating system is set to run in non-root virtualization (VMX-non-root) mode and, correspondingly,
  • the VMM is set to run in root virtualization (VMX-root) mode.
  • the processing module is further configured to: when the trigger result shows that the behavior triggered by the CPU is unsafe, use the VMM to intercept the unsafe behavior.
  • the foregoing apparatus further includes:
  • the locating module is configured to search for the unsafe behavior and the corresponding processing manner in the pre-stored processing list, where the processing list stores at least one unsafe event and a processing manner of the unsafe event;
  • the processing module is further configured to process the intercepted unsafe behavior based on the lookup result.
  • processing module is further configured to:
  • the unsafe behavior is an operation of reading or writing or modifying
  • the behavior value determined by the user is returned by using the VMM, wherein the behavior value is different from the actual value obtained by the read, write or modification operation.
  • the unsafe behavior includes at least one of the following:
  • the Windows platform includes a 64-bit Windows platform.
  • a computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform a method of behavior processing on the Windows platform according to any of the above.
  • a computer readable medium wherein a computer program as described above is stored.
  • the local operating system is started, the hardware virtualization operation is performed on the system, the VMM is generated, at least one CPU is monitored by using the VMM, which has higher authority than the local operating system, and corresponding processing is performed according to the trigger result.
  • FIG. 1 shows a process flow diagram of a method for performing behavior processing on a Windows platform in accordance with one embodiment of the present invention
  • FIG. 2 is a block diagram showing the structure of an apparatus for performing behavior processing on a Windows platform according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram showing a system architecture for performing behavior processing on a Windows platform according to an embodiment of the present invention
  • FIG. 4 is a block diagram schematically showing a computing device for performing a method of performing behavior processing on a Windows platform in accordance with the present invention
  • FIG. 5 is a schematic diagram of a storage unit, according to the present invention, for holding or carrying program code for a method of behavior processing on a Windows platform.

Detailed description
  • the present invention is applicable to computer systems/servers that can operate with numerous other general purpose or special purpose computing system environments or configurations.
  • examples of well-known computing system environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, small computer systems, mainframe systems, distributed cloud computing environments including any of the above, and the like.
  • the computer system/server can be described in the general context of computer system executable instructions (such as program modules) executed by the computer system.
  • program modules may include routines, programs, target programs, components, logic, data structures, and the like, which perform particular tasks or implement particular abstract data types.
  • the computer system/server can be implemented in a distributed cloud computing environment where tasks are performed by remote processing devices connected through a communication network.
  • program modules can be located on a local or remote computing system storage medium including storage devices.
  • the embodiment of the present invention adopts a unique technical solution whose main idea is to extend the CPU (Central Processing Unit, such as Intel or AMD) by means of the hardware virtualization it supports, so as to implement full behavior processing on 64-bit or higher Windows platforms.
  • hardware virtualization refers to efficient full virtualization implemented with the support of hardware (mainly the host processor).
  • the execution environments of the guest OS and the VMM are automatically and completely isolated.
  • the guest OS has its own register set and can run directly at its highest privilege level.
  • the solution provided by the embodiment of the present invention can break through the limitations imposed by operating systems such as Microsoft's, and the method can provide a complete and effective active defense software system on a 64-bit or higher system.
  • Virtualization technology allows physical machines (such as servers, PCs, tablets, etc.) to be partitioned or shared so that the underlying hardware of the machine is presented as one or more virtual machines that work independently.
  • the hypervisor can run on a computer and present an abstraction of one or more virtual machines to other software.
  • Each virtual machine can be used as a self-sustaining platform to run its own operating system (OS) and/or application software.
  • software executing within a virtual machine can be referred to as guest software.
  • guest software can be expected to run as if on a dedicated computer rather than on a VM (Virtual Machine); the VMM and the guest OS then share the underlying processor resources. That is, the guest software can expect to control various events and to access hardware resources on a computer, such as a physical machine.
  • the hardware resources of the physical machine may include one or more processors, resources residing on the processor (e.g. control registers, caches, and others), memory (and structures resident in memory such as descriptor tables), and other resources that reside in the physical machine (such as input/output (I/O) devices).
  • the embodiment of the invention provides a method for performing behavior processing on a Windows platform, which is applied to a CPU supporting hardware virtualization.
  • FIG. 1 is a process flow diagram of a method for performing behavior processing on a Windows platform according to an embodiment of the present invention, including:
  • Step S102 Start a local operating system, perform a hardware virtualization operation on the system, and generate a VMM (Virtual Machine Monitor).
  • the system includes an operating system, a CPU, and application layer software.
  • the native operating system runs on the CPUs it manages and manages and monitors all of them. In this case, if the local operating system itself needs to be supervised, its permissions must be modified. For details, see step S104.
  • Step S104 Put the local operating system into guest operation, so that the authority of the local operating system is lower than the authority of the generated VMM.
  • this step can be performed with the permissions of the driver.
  • the highest privilege of the driver can be used to make the CPU run in the mode that supports the virtualization extension; the native operating system will then be in the managed mode, and its permissions will be lower than those of the VMM.
  • the CPU can switch to the guest (non-root) state and restore the Windows execution environment; the change from the root state to the non-root state takes place when the environment is resumed.
  • Step S106 The system is placed in a supervised state, the generated VMM is used to monitor behavior triggered by at least one CPU, and corresponding processing is performed according to the trigger result.
  • since the local operating system is in the managed mode, it is equivalent to running as a guest. At this time the VMM is still located on the local machine, the behavior triggered by the CPU can be monitored, and the subsequent processing can be performed.
  • the step of processing according to the triggering result specifically includes: first determining the nature of the behavior triggered by the CPU, i.e. whether the triggered behavior is safe, and then handling safe and unsafe behavior differently.
  • this embodiment focuses on the unsafe case: to ensure that unsafe behavior does not harm the computer terminal and the software running on it, the VMM can be used to intercept the unsafe behavior, and the intercepted behavior is then processed according to the pre-stored behavior processing method.
  • the local operating system is started, the hardware virtualization operation is performed on the system, the VMM is generated, at least one CPU is monitored by using the VMM, which has higher authority than the local operating system, and corresponding processing is performed according to the trigger result.
  • the behavior of Windows can be monitored by generating the VMM, and third-party software can be executed in the VMM, thereby realizing the use of third-party software to patch the Windows platform (especially 64-bit or higher, where the kernel cannot be modified); this can provide a complete active defense product on the 64-bit Windows platform, resolve the existing security risks for the user's computer system, and improve security.
  • the means of implementing behavioral processing on different Windows platforms is different.
  • take the x86 processor as an example.
  • the x86 processor has 4 privilege levels, Ring 0 to Ring 3, and the processor can access privileged resources or execute privileged instructions only when running at Ring 0 to 2; when running at Ring 0, the processor can access all privileged state.
  • the operating system on the x86 platform generally uses only the two levels Ring 0 and Ring 3: the operating system runs at Ring 0 and user processes run at Ring 3.
  • the VMM must run at the Ring 0 level, and in order to prevent the guest OS from controlling system resources, the guest OS has to lower its own running level, running at Ring 1 or Ring 3 (Ring 2 is not used).
  • the driver may send an instruction for implementing the VMM to at least one CPU, and the code implementing the VMM is carried in that instruction.
  • after at least one CPU receives the instruction, it parses the specific code; subsequently, each CPU executes the code and performs a hardware virtualization operation on itself to generate the VMM.
  • the embodiment of the present invention preferably switches the current state of the CPU from the host state to the guest state and places at least one CPU in a supervised state.
  • the native operating system is further set to the VMM mode.
  • the authority of the VMM is higher than that of the native operating system; therefore, monitoring of at least one CPU can be achieved using the VMM.
  • VMX-non-root is just for example.
  • at least one CPU can be set to run in non-root virtualization (VMX-non-root) mode and, correspondingly, the VMM can be set to run in root virtualization (VMX-root) mode.
  • the CPU and the VMM are set to different modes, and the mode level of the VMM is higher than the mode the CPU is in.
  • AMD also has a corresponding AMD-V (Virtualization) mode for the x86 platform.
  • the result of each trigger is different and the corresponding processing is different. For example, if the triggering result proves that the behavior triggered by the CPU is a safe behavior, then the security behavior can be released directly.
  • the VMM can be used to intercept the unsafe behavior.
  • embodiments of the present invention provide a pre-stored processing list in which at least one unsafe event and a manner of processing it are stored. Any kind of unsafe event can be handled in one way or in multiple ways, and several kinds of unsafe event may be handled in the same way; that is, the correspondence between unsafe events and their processing methods may be one-to-one, one-to-many, or many-to-one. After the unsafe behavior and its corresponding processing manner are found in the pre-stored processing list, the intercepted unsafe behavior is processed according to the search result.
  • an unsafe behavior is an operation of reading or writing or modifying.
  • a malicious program attempts to read, write or modify the stored data.
  • the machine can use the VMM to return a behavior value determined by the user, where that value is different from the actual value obtained by the read, write or modify operation. Since the behavior value returned by the VMM is not the actual value, the value that the malicious program reads, or prepares to write or modify, is necessarily a false value.
  • a malicious program's subsequent attack therefore acts on a false value without affecting the actual value, thereby improving the security and stability of the computer system.
  • the unsafe behavior mentioned above may be any behavior that adversely affects a computer system (including a combination of an operating system, computer software and computer hardware); the embodiments of the present invention give examples such as read and write of special registers, malicious read and write of control registers, malicious changes of control flow, and the like.
  • control-flow changes are intercepted through page exceptions raised during execution of the guest code, by controlling the guest page table.
  • the above method is applicable to the Windows platform, especially the 64-bit or higher-bit Windows platform.
  • because the CPUs of the x86 and x86-64 architectures do not meet the definition of an efficient VMM in Popek and Goldberg's theorem, Intel and AMD each designed hardware virtualization extensions for their own CPUs, namely Intel-VT and AMD-V, in order to accelerate virtualization in the processor.
  • This case is only a description of the Windows system.
  • it can also be applied to other systems such as Unix systems.
  • the application method can refer to the Windows system.
  • the above method can provide an interface for the upper-layer driver, realizes virtualized operation on the 64-bit Windows platform, and places the operating system in the guest (client software) state, thereby completely monitoring the operating system.
  • the caller can be provided with a complete operation call library for the related events; the call library returns the corresponding callback result to the requester. The call library can be called an interface or a function, which is a general term for a function interface or service provided by a certain system.
  • the method can be applied to the technical fields of active defense and Trojan attack and defense. It can not only provide protection for files, the registry, processes and thread objects by using Microsoft's standard callback interfaces, but also provide protection against window-message attacks and attacks using RPC (Remote Procedure Call) and other inter-process communication mechanisms, and can also achieve many functions of the 32-bit Windows platform, such as keyboard protection.
  • the embodiment of the present invention can complete the security behavior and event interception that cannot otherwise be implemented on a 64-bit or higher Windows system, and can greatly strengthen active defense software or other security software that needs behavior event interception on 64-bit or higher systems.
  • the embodiment of the present invention provides a new operation mode in which the VMM runs unrestricted while the guest operating system at ring 0 and the guest application software at ring 3 run with restricted operation.
  • in this operation mode, sensitive behaviors and events of the guest operating system or guest application software can be perceived and intercepted by the VMM.
  • the method provided by the embodiment of the present invention can intercept behaviors and events that cannot be intercepted, or are difficult to intercept, in the traditional manner (for example, the embedded Inline Hook); for example, it can intercept system service calls (which is not allowed on x64 systems), page exceptions, and so on.
  • the guest operating system and guest applications, which are themselves left unmodified, can be detected and interfered with, so the method can coexist with PatchGuard, greatly improving the capability of active defense software or other security software that requires behavioral event interception on 64-bit Windows systems.
  • the CPU is extended by means of hardware virtualization, the entire operating system to be monitored is placed in the lower-privileged guest state, and the monitor runs in a relatively higher-privileged environment.
  • when a CPU triggers some event (such as a sensitive behavior or instruction) or operation that is of interest, for example a read, write or modify operation,
  • the triggered event is returned to the virtual machine monitor (located in the outer host), at which point the user can change its behavior. For example, after the user observes an operation that reads a register, the user monitors its behavior and returns a behavior value confirmed by the user (for example, the content read from memory, that is, the value of the read or written register).
  • the behavior value is not the same as the value actually read, so the operating system can be completely monitored and taken over. At this point the user can modify the data, and a scan or check by the system cannot obtain the real result.
  • a part of the code can be placed in the guest operating system to cooperate with the VMM part of the code.
  • the VMM can handle some interception results by itself, or switch the control flow to the collaboration part in the guest, which actually handles the interception result and finally resumes execution of the guest code at the correct position as needed.
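The processing-list lookup and decoy-value return described earlier (an unsafe event mapped to one or more handling manners, with a user-determined value returned in place of the real one), together with the choice just described between settling an interception inside the VMM and handing it to the cooperating component in the guest, as an added Python simulation that is not part of the patent or of any product it names. The event kinds, register names, sample register values and the AGENT_ENTRY address are constructed for this example, and the VM exit is modelled as a plain function call rather than real VMX code.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Event kinds, register names and addresses below are constructed for this example;
# they are not identifiers from the patent.
CR_READ, CR_WRITE, MSR_WRITE, CF_CHANGE, TIMER_READ = (
    "cr_read", "cr_write", "msr_write", "control_flow", "timer_read")
AGENT_ENTRY = 0x7FFE0000  # hypothetical entry point of the in-guest collaboration component

# Real register contents on the host side (constructed sample data) and the
# user-determined decoy values the VMM returns instead; every decoy differs from the real value.
REAL = {"CR0": 0x80050033, "CR4": 0x001706E0, "MSR_LSTAR": 0xFFFF800000001000}
DECOY = {"CR0": 0x80050031, "CR4": 0x001706C0, "MSR_LSTAR": 0xFFFF800000002000}
assert all(DECOY[k] != REAL[k] for k in REAL), "a decoy must never equal the actual value"

@dataclass
class TrapEvent:
    kind: str
    target: str          # register name or, for control-flow changes, a label
    value: int           # value the guest tries to write (0 for reads)
    rip: int             # guest instruction pointer at the trap
    insn_len: int        # length of the trapping instruction

@dataclass
class Verdict:
    intercepted: bool
    handlers: List[str] = field(default_factory=list)
    observed: int = 0                      # value the guest ends up seeing
    resume_rip: int = 0                    # where guest execution continues
    pending_return: Optional[int] = None   # set when the in-guest component must hand control back

Handler = Callable[[TrapEvent, Verdict], None]

def h_log(ev: TrapEvent, v: Verdict) -> None:
    v.handlers.append("log")

def h_decoy_read(ev: TrapEvent, v: Verdict) -> None:
    # Return the user-determined behavior value; the real register content is never exposed.
    v.handlers.append("decoy_read")
    v.observed = DECOY[ev.target]

def h_drop_write(ev: TrapEvent, v: Verdict) -> None:
    # Discard the write so REAL stays intact; the guest is shown the decoy as the "written" value.
    v.handlers.append("drop_write")
    v.observed = DECOY[ev.target]

def h_delegate(ev: TrapEvent, v: Verdict) -> None:
    # Hand the interception result to the cooperating component inside the guest: divert the
    # guest to AGENT_ENTRY and remember the instruction after the trap as the return point.
    v.handlers.append("delegate")
    v.pending_return = ev.rip + ev.insn_len
    v.resume_rip = AGENT_ENTRY

HANDLERS: Dict[str, Handler] = {
    "log": h_log, "decoy_read": h_decoy_read, "drop_write": h_drop_write, "delegate": h_delegate}

# Pre-stored processing list: unsafe event kind -> ordered handler names. CR_READ maps to two
# handlers (one-to-many); CR_WRITE and MSR_WRITE map to the same handlers (many-to-one).
PROCESSING_LIST: Dict[str, List[str]] = {
    CR_READ: ["log", "decoy_read"],
    CR_WRITE: ["log", "drop_write"],
    MSR_WRITE: ["log", "drop_write"],
    CF_CHANGE: ["log", "delegate"],
}

def handle_trap(ev: TrapEvent) -> Verdict:
    """VM-exit handler: classify the triggered behavior and process it per the list."""
    names = PROCESSING_LIST.get(ev.kind)
    if names is None:
        # Safe behavior: release it. The real operation takes effect and the guest
        # continues right after the instruction.
        return Verdict(intercepted=False, observed=REAL.get(ev.target, ev.value),
                       resume_rip=ev.rip + ev.insn_len)
    v = Verdict(intercepted=True, resume_rip=ev.rip + ev.insn_len)
    for name in names:
        HANDLERS[name](ev, v)
    return v

def agent_returns(v: Verdict) -> int:
    """Called when the in-guest component finishes: resume at the saved guest position."""
    if v.pending_return is None:
        raise ValueError("no delegated work outstanding")
    v.resume_rip, v.pending_return = v.pending_return, None
    return v.resume_rip

if __name__ == "__main__":
    for ev in (TrapEvent(CR_READ, "CR0", 0, 0x1000, 3),
               TrapEvent(MSR_WRITE, "MSR_LSTAR", 0x4141, 0x1003, 2),
               TrapEvent(CF_CHANGE, "ret-to-unexpected-page", 0, 0x1005, 1),
               TrapEvent(TIMER_READ, "TSC", 7777, 0x1006, 2)):
        v = handle_trap(ev)
        print(ev.kind, v.intercepted, v.handlers, hex(v.observed), hex(v.resume_rip))
```

The design point is that the guest-visible result (`observed`) and the resume address are both decided in the VMM before the guest runs again, so a write the list marks unsafe never reaches `REAL`, and delegation to the in-guest component always carries a saved return address so execution lands back at the instruction following the trap.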
  • an embodiment of the present invention further provides an apparatus for performing behavior processing on a Windows platform, which is applied to a CPU supporting hardware virtualization.
  • FIG. 2 is a block diagram showing the structure of an apparatus for performing behavior processing on a Windows platform according to an embodiment of the present invention.
  • the apparatus of FIG. 2 is capable of implementing the method of behavior processing on a Windows platform provided by any of the preferred embodiments described above or a combination thereof.
  • the apparatus includes at least:
  • the virtual module 210 is configured to start a local operating system, perform a hardware virtualization operation on the local operating system, and generate a VMM;
  • the permission setting module 220 is coupled to the virtual module 210 and configured to place the native operating system into guest operation, so that the operating system has lower authority than the VMM;
  • the processing module 230 is coupled to the permission setting module 220 and configured to place the local operating system in a supervised state, monitor the behavior triggered by at least one CPU by using the VMM, and perform corresponding processing according to the triggering result.
  • the virtual module 210 can also be configured to:
  • At least one CPU executes a hardware virtualization operation according to the code, and generates a VMM.
  • the processing module 230 can also be configured to:
  • at least one CPU is set to run in non-root virtualization (VMX-non-root) mode and, correspondingly, the VMM is set to run in root virtualization (VMX-root) mode.
  • the above apparatus may further include:
  • the searching module 240 is coupled to the processing module 230 and configured to search the pre-stored processing list for unsafe behaviors and the corresponding processing manners, where the processing list stores at least one unsafe event and the processing manner of the unsafe event;
  • the processing module 230 may be further configured to process the intercepted unsafe behavior according to the search result.
  • processing module 230 can also be configured to:
  • the unsafe behavior is an operation of reading, writing or modifying;
  • the behavior value determined by the user is returned by using the VMM, wherein the behavior value is different from the actual value obtained by the read, write or modification operation.
  • the unsafe behavior includes at least one of the following:
  • the Windows platform includes a 64-bit Windows platform.
  • based on the same inventive concept, an embodiment of the present invention further provides a system for performing behavior processing on a Windows platform.
  • FIG. 3 is a schematic diagram of the system architecture for behavior processing on the Windows platform according to one embodiment of the present invention.
  • multiple clients in the system can be converted into virtual guests through virtualization operations.
  • the virtual hosts, that is, the virtual machine monitors, handle the various behaviors accordingly.
  • the system provided by the embodiment of the present invention can support the method and corresponding device for performing behavior processing on the Windows platform provided by any one of the above embodiments or a combination thereof.
  • the local operating system is started, the hardware virtualization operation is performed on the system, the VMM is generated, and the VMM, whose authority is higher than that of the local operating system, monitors at least one CPU and performs processing according to the trigger result.
  • it can be seen that the behavior of Windows can be monitored by generating the VMM, and those skilled in the art can execute third-party software in the VMM, thereby realizing the use of third-party software to patch the Windows platform (especially 64-bit or higher, where the kernel cannot be modified); this provides a complete active defense product on the 64-bit Windows platform, solving existing security problems for the user's computer system and improving security.
  • the present invention can be applied to numerous security products (for example, the "360 Security Guard" system first-aid kit, the Trojan horse killing engine, the host defense system and other products).
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further, they may be divided into a plurality of sub-modules or sub-units or sub-assemblies.
  • all features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and all processes or units of any method or device so disclosed, may be combined in any combination.
  • Each feature disclosed in the specification (including the accompanying claims, the abstract, and the drawings) may be replaced by alternative features that provide the same, equivalent, or similar purpose, unless stated otherwise.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • those skilled in the art will appreciate that some or all of the functions of some or all of the components of the apparatus for performing behavioral processing on the Windows platform according to embodiments of the present invention may be implemented in practice using a microprocessor or digital signal processor (DSP).
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 4 illustrates a computing device, such as an application server, that can implement a method of behavior processing on a Windows platform in accordance with the present invention.
  • the computing device conventionally includes a processor 410 and a computer program product or computer readable medium in the form of a memory 420.
  • the memory 420 can be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 420 has a memory space 430 for program code 431 for performing any of the method steps described above.
  • storage space 430 for program code may include various program code 431 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • Such computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such a computer program product is typically a portable or fixed storage unit as described with reference to Figure 5.
  • the storage unit can have storage segments, storage spaces, and the like that are similarly arranged to memory 420 in the computing device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 431', i.e. code that can be read by a processor such as 410, which, when executed by the computing device, causes the computing device to perform each step of the methods described above.
  • an embodiment or “one or more embodiments” as used herein means that the particular features, structures, or characteristics described in connection with the embodiments are included in at least one embodiment of the invention.
  • the examples of the words “in one embodiment” are not necessarily all referring to the same embodiment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A behavior processing method and device on a Windows platform. The method is applied to a CPU supporting hardware virtualization and comprises: starting the native operating system and performing a hardware virtualization operation on it to generate a virtual machine monitor (VMM); placing the operating system to run in a guest so that its privilege is lower than that of the VMM; placing the operating system in a monitored state, using the VMM to monitor at least one behavior triggered by the CPU, and taking corresponding measures according to the trigger result. The method improves the security of the computer system.

Description

Method and device for performing behavior processing on a Windows platform

Technical field

The present invention relates to the field of the Internet, and in particular to a method and device for performing behavior processing on a Windows platform.

Background
At present, more and more malicious programs (computer viruses, backdoors, Trojans, spyware, adware and the like) attack users' computers. To protect users' computers from malicious programs, many third-party vendors have released active defense software. Active defense is a real-time protection technique based on autonomous analysis and judgment of program behavior: rather than using signatures as the basis for identifying malicious programs, it starts from the most basic definition and uses the program's behavior directly as the basis for that judgment. Active defense software first intercepts the behavior of a malicious program and then processes it accordingly. Interception of program behavior is therefore the essential first step of active defense, and the way many malicious programs fight active defense is precisely to interfere with or bypass behavior interception.

At present, on Microsoft's Windows platform, behavior interception relies not only on Microsoft's standard interfaces but, more often, on third-party software patching the operating system kernel. On Microsoft's 32-bit Windows platform, third-party software can modify the operating system by patching it, obtaining access to kernel code and key data structures, and can thereby effectively intercept suspicious programs executed by the operating system.

However, Microsoft introduced the Kernel Patch Protection mechanism (PatchGuard) in its 64-bit Windows operating systems, which prohibits any unauthorized third-party software from patching kernel code and critical kernel data. Microsoft designed PatchGuard to ensure that the Windows kernel is not attacked by malicious code, but as a result third-party software can no longer monitor Windows behavior by this means, so the feature makes protecting Windows computers more difficult.

In the prior art, because Microsoft prohibits third-party software from patching its 64-bit Windows kernel, third-party vendors cannot provide a complete active defense product on the 64-bit Windows platform, which leaves users' computer systems with a significant security risk.

Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a device for performing behavior processing on a Windows platform, and a corresponding method of performing behavior processing on a Windows platform, that overcome the above problems or at least partially solve them.

According to one aspect of the present invention, a method for performing behavior processing on a Windows platform is provided, applied to a CPU that supports hardware virtualization, comprising:

starting the native operating system, performing a hardware virtualization operation on the native operating system, and generating a virtual machine monitor (VMM);

placing the native operating system to run in a guest, so that the privilege of the operating system is lower than that of the VMM;

placing the native operating system in a monitored state, using the VMM to monitor behavior triggered by the at least one CPU, and performing corresponding processing according to the trigger result.
Optionally, the VMM is generated by the following steps:

using a driver to send an instruction for implementing the VMM to the at least one CPU; wherein the at least one CPU performs a hardware virtualization operation on itself according to the instruction and generates the VMM.

Optionally, placing the native operating system in a monitored state comprises:

switching the current state of the native operating system from the host state to the guest state, and placing the at least one CPU in a monitored state.

Optionally, the method further comprises: setting a VMM mode for the native operating system.

Optionally, switching the current state of the native operating system from the host state to the guest state comprises:

placing the native operating system to run in non-root virtualization (VMX non-root) mode, and correspondingly,

placing the VMM to run in root virtualization (VMX root) mode.

Optionally, performing corresponding processing according to the trigger result comprises:

when the trigger result is that the behavior triggered by the CPU is unsafe behavior, using the VMM to intercept the unsafe behavior.

Optionally, after using the VMM to intercept the unsafe behavior, the method comprises: looking up the unsafe behavior and the corresponding processing method in a pre-stored processing list, wherein the processing list stores at least one unsafe event and the processing method for that unsafe event; and processing the intercepted unsafe behavior according to the lookup result.

Optionally, processing the intercepted unsafe behavior according to the lookup result comprises:

when the unsafe behavior is a read, write or modify operation, using the VMM to return a behavior value determined by the user, wherein the behavior value differs from the actual value that the read, write or modify operation would obtain.

Optionally, the unsafe behavior includes at least one of the following:

read/write behavior on special-purpose registers, malicious read/write behavior on control registers, and malicious behavior that changes control flow.

Optionally, the Windows platform includes a 64-bit Windows platform.
According to another aspect of the present invention, a device for performing behavior processing on a Windows platform is provided, applied to a CPU that supports hardware virtualization, comprising:

a virtualization module, configured to start the native operating system, perform a hardware virtualization operation on the native operating system, and generate a virtual machine monitor (VMM);

a privilege setting module, configured to place the native operating system to run in a guest, so that the privilege of the operating system is lower than that of the VMM;

a processing module, configured to place the native operating system in a monitored state, use the VMM to monitor behavior triggered by the at least one CPU, and perform corresponding processing according to the trigger result.

Optionally, the virtualization module is further configured to:

use a driver to send an instruction for implementing the VMM to the at least one CPU; wherein the at least one CPU performs a hardware virtualization operation on itself according to the instruction and generates the VMM.

Optionally, the processing module is further configured to:

switch the current state of the native operating system from the host state to the guest state, and place the at least one CPU in a monitored state.

Optionally, the processing module is further configured to: set a VMM mode for the native operating system. Optionally, the processing module is further configured to:

place the native operating system to run in non-root virtualization (VMX non-root) mode, and correspondingly,

place the VMM to run in root virtualization (VMX root) mode.

Optionally, the processing module is further configured to: when the trigger result is that the behavior triggered by the CPU is unsafe behavior, use the VMM to intercept the unsafe behavior.

Optionally, the device further comprises:

a lookup module, configured to look up the unsafe behavior and the corresponding processing method in a pre-stored processing list, wherein the processing list stores at least one unsafe event and the processing method for that unsafe event;

and the processing module is further configured to process the intercepted unsafe behavior according to the lookup result.

Optionally, the processing module is further configured to:

when the unsafe behavior is a read, write or modify operation, use the VMM to return a behavior value determined by the user, wherein the behavior value differs from the actual value that the read, write or modify operation would obtain.

Optionally, the unsafe behavior includes at least one of the following:

read/write behavior on special-purpose registers, malicious read/write behavior on control registers, and malicious behavior that changes control flow.

Optionally, the Windows platform includes a 64-bit Windows platform.
According to yet another aspect of the present invention, a computer program is provided, comprising computer readable code which, when run on a computing device, causes the computing device to perform the method for performing behavior processing on a Windows platform according to any of the above.

According to still another aspect of the present invention, a computer readable medium is provided, in which the computer program described above is stored.

The beneficial effects of the present invention are:

In the embodiments of the present invention, the native operating system is started, a hardware virtualization operation is performed on the system to generate a VMM, at least one CPU is monitored using the VMM, whose privilege is higher than that of the native operating system, and corresponding processing is performed according to the trigger result. It can be seen that by generating a VMM the behavior of Windows can be monitored, and those skilled in the art can execute third-party software in the VMM, so that third-party software can effectively patch the Windows platform (in particular 64-bit and higher platforms whose kernel cannot be modified), a complete active defense product can be provided on the 64-bit Windows platform, the existing security risk in users' computer systems is resolved, and security is improved.

The above description is merely an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention more apparent and understandable, specific embodiments of the present invention are set out below.

Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings the same reference numerals denote the same parts. In the drawings:

Figure 1 shows the processing flow of a method for performing behavior processing on a Windows platform according to one embodiment of the present invention;

Figure 2 is a schematic diagram of the structure of a device for performing behavior processing on a Windows platform according to one embodiment of the present invention;

Figure 3 is a schematic diagram of a system architecture for performing behavior processing on a Windows platform according to one embodiment of the present invention;

Figure 4 schematically shows a block diagram of a computing device for executing the method for performing behavior processing on a Windows platform according to the present invention; and

Figure 5 schematically shows a storage unit for holding or carrying program code that implements the method for performing behavior processing on a Windows platform according to the present invention.

Detailed description
The present invention is further described below with reference to the drawings and specific embodiments.

The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described herein may be implemented in various programming languages, and the above description of a specific language is given in order to disclose the best mode of the present invention.

The present invention may be applied to a computer system/server that can operate with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing system environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, and the like.

The computer system/server may be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in a distributed cloud computing environment in which tasks are performed by remote processing devices linked through a communications network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media, including storage devices.
After the PatchGuard mechanism was introduced into the 64-bit Windows platform, any unauthorized third-party software is prohibited from patching the operating system kernel code and critical data. The consequence, however, is that third-party software cannot effectively monitor operations on the Windows platform, which leaves users' computer systems with a significant security risk.

To solve this technical problem, the embodiments of the present invention adopt a distinctive technical approach whose main idea is to use the hardware virtualization extensions of the CPU (central processing unit, for example Intel or AMD) to extend support, so that complete behavior processing can be realized on 64-bit or higher Windows platforms. Hardware virtualization here means efficient full virtualization implemented with the support of the hardware (mainly the host processor). For example, with Intel VT support, the execution environments of the guest OS and the VMM are automatically and completely isolated; the guest OS has its own register state and can run directly at the highest privilege level. The approach provided by the embodiments of the present invention can break through the restrictions of operating systems such as Microsoft's, and can be used to provide a complete and effective active defense software system on 64-bit or higher systems.

The main reason for adopting this approach is that virtualization technology is now widely used, and hardware virtualization provides an independent operating platform on which unsafe behavior can be intercepted and processed. The specific principle of virtualization technology is as follows:

Virtualization technology allows a physical machine (for example a server, a PC (personal computer), a tablet and so on) to be partitioned or shared, so that the underlying hardware of the machine appears as one or more independently operating virtual machines. A virtual machine monitor runs on the computer and presents to other software the abstraction of one or more virtual machines. Each virtual machine can serve as a self-contained platform that runs its own operating system (OS) and/or application software. Software executing inside a virtual machine is called guest software. Guest software can expect to run as if on a dedicated computer rather than in a VM (virtual machine), while in fact the VMM and the guest OS share the underlying processor resources. That is, guest software can expect to control various events and to access the hardware resources of the computer (for example a physical machine). The hardware resources of the physical machine may include one or more processors, resources residing on the processor (for example control registers, caches and others), memory (and structures residing in memory such as descriptor tables), and other resources residing in the physical machine (for example input/output (I/O) devices).
An embodiment of the present invention provides a method for performing behavior processing on a Windows platform, applied to a CPU that supports hardware virtualization. Figure 1 shows the processing flow of a method for performing behavior processing on a Windows platform according to one embodiment of the present invention, comprising:

Step S102: start the native operating system, perform a hardware virtualization operation on the system, and generate a VMM (Virtual Machine Monitor);

Here the system includes the operating system and the CPU, and also includes application-layer software and the like.

It should be noted that the native operating system runs on the CPUs it manages, and manages and monitors all of the CPUs. If the native operating system is itself to be monitored, its privilege must be changed; see step S104 for details.

Step S104: place the native operating system to run in a guest, so that the privilege of the native operating system is lower than that of the generated VMM.

Specifically, this step can be performed using the privilege of a driver. Since a driver runs at the same highest privilege level as the native operating system, the driver's privilege can be used to put the CPU into the mode that supports the virtualization extensions; the native operating system is then in a managed (supervised) state and its privilege is lower than that of the VMM. At this point the CPU can switch to the non-root guest state and resume the Windows execution environment, changing from the root state to the non-root state when the environment is switched back.

Step S106: place the system in a monitored state, use the generated VMM to monitor behavior triggered by at least one CPU, and perform corresponding processing according to the trigger result.

Because the native operating system is in the managed state, it is effectively running inside a guest, while the VMM still resides on the same machine and can monitor the behavior triggered by the CPU and then carry out the subsequent processing.

It is worth explaining here that the step of performing corresponding processing according to the trigger result specifically includes: first determining the nature of the behavior triggered by the CPU, that is, whether the triggered behavior is safe, and then handling safe and unsafe behavior differently. This embodiment focuses on the handling of unsafe behavior. To ensure that unsafe behavior does no harm to the computer terminal or the software running on it, the VMM can be used to intercept the unsafe behavior, and the intercepted behavior is then processed according to a pre-stored behavior processing method.

In the embodiment of the present invention, the native operating system is started, a hardware virtualization operation is performed on the system to generate a VMM, at least one CPU is monitored using the VMM, whose privilege is higher than that of the native operating system, and corresponding processing is performed according to the trigger result. Thus, by generating a VMM the behavior of Windows can be monitored and third-party software can be executed in the VMM, allowing third-party software to patch the Windows platform (in particular 64-bit and higher platforms whose kernel cannot be modified), so that a complete active defense product can be provided on the 64-bit Windows platform, the existing security risk in users' computer systems is resolved, and security is improved.
Considering that different computer systems differ in function, performance, capability, hardware or software configuration, the means of implementing behavior processing also differ across Windows platforms. Take the x86 processor as an example. The x86 processor has four privilege levels, Ring 0 to Ring 3. Only when running at Ring 0 to Ring 2 can the processor access supervisor-level resources, and privileged instructions can be executed only at Ring 0, at which the processor can access all privileged state. Operating systems on the x86 platform generally use only two of these levels: the operating system runs at Ring 0 and user processes run at Ring 3. To satisfy the first sufficient condition mentioned above, resource control, the VMM itself must run at Ring 0, and to prevent the guest OS from controlling system resources the guest OS has to lower its own privilege level and run at Ring 1 or Ring 3 (Ring 2 is not used). This ring deprivileging describes virtualization without hardware support; with the hardware virtualization extensions used by the embodiments (Intel VT-x or AMD-V), the guest OS keeps running at Ring 0 in VMX non-root mode while the VMM runs in VMX root mode, as stated earlier.

This is merely an illustration and does not in itself impose any limitation on the method of performing behavior processing on different Windows platforms provided by the embodiments of the present invention.
When step S102 is executed, a driver can be used to send an instruction for implementing the VMM to at least one CPU; to implement the VMM, the corresponding code is carried in the instruction. After receiving the instruction, the at least one CPU parses it to obtain the specific code. Each CPU then executes the code, performs the hardware virtualization operation on itself, and generates the VMM.

To achieve the goal mentioned in step S106 of placing at least one CPU in a monitored state, the embodiment of the present invention preferably switches the current state of the CPU from the host state to the guest state, placing the at least one CPU in a monitored state. With the CPU in a monitored state, the native operating system is further set to the VMM mode. At this point, as mentioned in step S104, the privilege of the VMM is higher than that of the native operating system, so the VMM can be used to monitor the at least one CPU.

The current state of the CPU can be switched in many ways; VMX non-root mode is only an example. For Intel CPU types, for instance, the at least one CPU can be placed to run in non-root virtualization (VMX non-root) mode, and correspondingly the VMM is placed to run in root virtualization (VMX root) mode. The CPU and the VMM are thus placed in different modes, with the VMM in a mode of higher level than the one the CPU is in. For other CPU types, the corresponding modes of that CPU can be selected so that the VMM runs in a virtualized mode; for example, AMD has the corresponding AMD-V (Virtualization) mode for the x86 platform.
There are multiple possible trigger results: that the behavior triggered by the CPU is an unsafe behavior is one result, that the behavior triggered by the CPU is some specific processing or behavior is another, that the behavior triggered by the CPU is a safe behavior is yet another, and so on. Each trigger result is different, and the corresponding processing is also different. For example, if the trigger result shows that the behavior triggered by the CPU is safe, that behavior may be released directly. As another example, when the trigger result shows that the behavior triggered by the CPU is unsafe, the VMM may be used to intercept the unsafe behavior.
After the VMM intercepts the unsafe behavior, the intercepted unsafe behavior needs to be handled. The embodiment of the present invention provides a pre-stored processing list that stores at least one unsafe event together with the way of handling that unsafe event. Any given unsafe event may have one handling method or several. Moreover, several unsafe events may be handled in the same way. That is, the correspondence between unsafe events and their handling methods may be one-to-one, one-to-many, or many-to-one. After the unsafe behavior and its corresponding handling method are found in the pre-stored processing list, the intercepted unsafe behavior is handled according to the lookup result.
Take the case where the unsafe behavior is a read, write or modify operation: a malicious program attempts to read, write or modify stored data. At this point, the machine can use the VMM to return a behavior value determined by the user, where the behavior value differs from the actual value the read, write or modify operation would have obtained. Because the behavior value returned by the VMM is not the actual value, the value the malicious program reads, or prepares to write or modify, is necessarily a false value. Any subsequent attack the malicious program mounts against a false value has no effect on the actual value, thereby improving the security and stability of the computer system.
The unsafe behaviors mentioned above may be any behavior that has adverse consequences for the computer system (including the combination of operating system, computer software and computer hardware). The embodiment of the present invention gives examples, such as read and write behavior on model-specific registers, malicious read and write behavior on control registers, malicious behavior that changes the control flow, and so on.
The various unsafe behaviors are now described specifically. The various kinds of unsafe events (which may also be called sensitive behaviors) include but are not limited to:
1. Read and write behavior on the various model-specific registers (MSRs). For example, if the VMM has modified an MSR protected by PatchGuard (such as LSTAR), the operating system's access to that register must be intercepted so that the register appears consistent and a blue screen is avoided. PatchGuard adds a new security layer to Windows Vista; it effectively prevents kernel-mode drivers from altering or replacing any part of the Windows kernel, so third-party software can no longer apply any "patch" to the Windows Vista kernel.
2. Read and write behavior on the various control registers, which makes it possible to catch the behavior of some malicious kernel modules; for example, many of the ways of modifying system kernel code first clear the WP (write protect) bit of the CR0 register.
3. Control-flow changes: by controlling the guest page tables, this behavior changes the control flow within the interception of page faults raised during execution of guest code.
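As an added illustration (not code from the patent or its applicant), the following C program simulates the VMM-side dispatch described in the two passages above: an intercepted MSR or CR0 event is looked up in a constructed pre-stored processing list and is either released, blocked, or answered with a user-determined substitute value, with the CR0 case refined to the WP-clearing check. The VM-exit plumbing itself is not modelled; the MSR index and CR0 bit are real x86 constants, while the LSTAR value and the table contents are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kinds of guest events the VMM intercepts (each one arrives as a VM exit). */
typedef enum { EV_RDMSR, EV_WRMSR, EV_CR0_WRITE } event_kind;

/* Handling methods stored in the processing list. */
typedef enum { ACT_ALLOW, ACT_BLOCK, ACT_SUBSTITUTE } action_kind;

#define MSR_LSTAR 0xC0000082u      /* IA32_LSTAR: 64-bit SYSCALL entry point (real index) */
#define CR0_WP    (1ull << 16)     /* CR0 write-protect bit (real position) */
/* Constructed: the LSTAR value the guest OS (and PatchGuard) expects to read back. */
#define LSTAR_EXPECTED 0xfffff80000001000ull

/* One intercepted guest event, as the VMM sees it after a VM exit. */
typedef struct {
    event_kind kind;
    uint32_t   msr;        /* MSR index for RDMSR/WRMSR; ignored for CR0 */
    uint64_t   current;    /* value currently held by the register */
    uint64_t   requested;  /* value the guest tries to write (writes only) */
} guest_event;

/* An entry of the pre-stored processing list: unsafe event -> handling method. */
typedef struct {
    event_kind  kind;
    uint32_t    msr;
    action_kind action;
    uint64_t    substitute; /* user-determined value for ACT_SUBSTITUTE */
} policy_entry;

/* What the guest ends up observing, and which handling method produced it. */
typedef struct {
    action_kind action;
    uint64_t    value;      /* value read back, or value left in the register */
} exit_result;

/* Constructed processing list; several events may map to the same method. */
static const policy_entry processing_list[] = {
    /* PatchGuard-protected MSR: refuse guest writes ... */
    { EV_WRMSR, MSR_LSTAR, ACT_BLOCK, 0 },
    /* ... and answer guest reads with the value the OS expects, keeping it consistent */
    { EV_RDMSR, MSR_LSTAR, ACT_SUBSTITUTE, LSTAR_EXPECTED },
    /* CR0 writes are listed; handle_exit narrows this to "block only if WP is cleared" */
    { EV_CR0_WRITE, 0, ACT_BLOCK, 0 },
};

static const policy_entry *lookup(const guest_event *ev) {
    size_t n = sizeof processing_list / sizeof processing_list[0];
    for (size_t i = 0; i < n; i++) {
        const policy_entry *p = &processing_list[i];
        if (p->kind == ev->kind && (ev->kind == EV_CR0_WRITE || p->msr == ev->msr))
            return p;
    }
    return NULL;   /* not in the list: treated as safe and released */
}

exit_result handle_exit(const guest_event *ev) {
    exit_result r;
    const policy_entry *p = lookup(ev);
    int is_write = (ev->kind != EV_RDMSR);

    /* default: safe behavior, released unchanged */
    r.action = ACT_ALLOW;
    r.value  = is_write ? ev->requested : ev->current;
    if (p == NULL) return r;

    if (ev->kind == EV_CR0_WRITE) {
        /* only clearing WP counts as unsafe; other CR0 changes pass through */
        int clears_wp = (ev->current & CR0_WP) && !(ev->requested & CR0_WP);
        if (!clears_wp) return r;
    }

    r.action = p->action;
    switch (p->action) {
    case ACT_BLOCK:      r.value = ev->current;  break;  /* register keeps its value */
    case ACT_SUBSTITUTE: r.value = p->substitute; break; /* guest sees the chosen value */
    case ACT_ALLOW:      break;
    }
    return r;
}

int main(void) {
    /* constructed: a guest CR0 write that clears WP (0x80050033 -> 0x80040033) */
    guest_event ev = { EV_CR0_WRITE, 0, 0x80050033ull, 0x80040033ull };
    exit_result r = handle_exit(&ev);
    printf("CR0 write: action=%d, CR0 stays %#llx\n", r.action, (unsigned long long)r.value);
    return 0;
}
```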
The above method applies to the Windows platform, especially 64-bit and higher Windows platforms; see above for the specific reasons, which are not repeated here. Since x86 and x86-64 CPUs do not satisfy the Popek and Goldberg definition of an efficient VMM, Intel and AMD each designed a set of hardware virtualization extensions for their own CPUs, Intel-VT and AMD-V respectively, to improve processor-accelerated virtualization. This case is described using the Windows system only as an example; the method can also be applied to other systems such as Unix, and the manner of application may follow that for Windows.
Further, the above method can provide an interface to upper-layer drivers, realizing, on the basis of the 64-bit Windows platform and by way of virtualization, the placement of the operating system in the state of a guest (guest software) and thereby complete monitoring of the operating system. In the user-mode part and the kernel-mode part, callers can be provided with a complete operation-call library for the relevant events; using this call library, the corresponding callback results can be returned to the requester. This call library may be called an interface, or a function, which is a general term for the functional interfaces or services a system exposes externally. Because the operating system's privilege is lowered, the method can be applied in technical fields such as active defense and Trojan attack and defense: it can not only use Microsoft's standard callback interfaces to protect files, the registry, and process and thread objects, but can also handle window-message attacks, attacks through inter-process communication mechanisms such as RPC (Remote Procedure Call), and so on, and can further implement many functions of the 32-bit Windows platform, such as keyboard protection.
Further, the embodiment of the present invention can accomplish interception of security behaviors and events that previously could not be implemented on 64-bit and higher Windows systems, greatly enhancing the capability of active-defense software and other security software that requires behavior and event interception on 64-bit and higher Windows systems, so that a complete and effective active-defense software system can be provided on 64-bit and higher systems.
In summary, the embodiment of the present invention provides a new operating mode in which the VMM is in an unrestricted operating mode while both the guest operating system in ring 0 and the guest application software in ring 3 run in a restricted operating mode, so that the sensitive behaviors and events of the guest operating system or guest application software can all be perceived and intercepted by the VMM. The method provided by the embodiment of the present invention can intercept behaviors and events that traditional methods (for example inline hooks) cannot intercept or can intercept only with difficulty; for instance, it can intercept system service calls (which is not permitted on x64 systems), page faults, and so on. More importantly, it cannot be detected or interfered with by the guest operating system and guest applications it supervises, so it can coexist with PatchGuard, greatly improving the capability of active-defense software and other security software that requires behavior and event interception on 64-bit Windows systems.
The method provided by the embodiments of the present invention is now described in detail by way of a specific embodiment.
Embodiment 1
This embodiment extends the CPU by means of hardware virtualization, placing the entire operating system to be monitored in a lower-level guest state while the monitor is in a more privileged environment.
After the driver is loaded, an instruction containing the code is sent to each CPU, and on each CPU the CPU's state is switched from the current host state to the guest state, placing it in a supervised state.
When a CPU triggers an event of interest (for example a sensitive behavior or instruction) or operation, for example a read, write or modify operation, the triggered event is returned to the virtual machine monitor (located on the outer host side), at which point the user can change its behavior. For example, after the user observes the operation of reading a register, the user monitors its behavior and returns a behavior value confirmed by the user (for example, the content read from memory, that is, the value of the register read or written); this behavior value differs from the actual value that was really read, so the operating system can be completely monitored and taken over. At this point the user can modify the data, and a system scan or check cannot obtain the real result. In practical use, part of the code can be placed in the guest operating system to work together with the VMM part of the code. The VMM can handle some interception results itself, or it can switch the control flow to the cooperating part in the guest, which actually handles the interception result and finally resumes execution of the guest code at the correct position as needed.
Based on the same inventive concept, an embodiment of the present invention also provides an apparatus for performing behavior processing on a Windows platform, applied to a CPU that supports hardware virtualization. Figure 2 shows a schematic structural diagram of an apparatus for performing behavior processing on a Windows platform according to an embodiment of the present invention. The apparatus shown in Figure 2 can implement the method for performing behavior processing on a Windows platform provided by any of the preferred embodiments above or a combination thereof. Referring to Figure 2, the apparatus includes at least:
a virtualization module 210, configured to start the native operating system and perform a hardware virtualization operation on the native operating system, generating a VMM;
a privilege setting module 220, coupled to the virtualization module 210 and configured to place the native operating system into a guest to run, so that the operating system's privilege is lower than that of the VMM;
a processing module 230, coupled to the privilege setting module 220 and configured to place the native operating system in a supervised state, use the VMM to monitor the behavior triggered by at least one CPU, and perform corresponding processing according to the trigger result.
In a preferred embodiment, the virtualization module 210 may further be configured to:
use a driver to send to at least one CPU an instruction for implementing the VMM, the instruction carrying the corresponding code;
where the at least one CPU performs the hardware virtualization operation on itself according to the code, generating the VMM. In a preferred embodiment, the processing module 230 may further be configured to:
switch the current state of the native operating system from the host state to the guest state, placing at least one CPU in a supervised state.
In a preferred embodiment, the processing module 230 may further be configured to:
set the VMM mode for the native operating system.
In a preferred embodiment, the processing module 230 may further be configured to:
set at least one CPU to run in non-root virtualization (VMX-non-root) mode and, correspondingly,
set the VMM to run in root virtualization (VMX-root) mode.
In a preferred embodiment, the processing module 230 may further be configured to:
when the trigger result is that the behavior triggered by the CPU is an unsafe behavior, use the VMM to intercept the unsafe behavior.
In a preferred embodiment, referring to Figure 2, the above apparatus may further include:
a lookup module 240, coupled to the processing module 230 and configured to look up the unsafe behavior and the corresponding handling method in a pre-stored processing list, where the processing list stores at least one unsafe event and the handling method for that unsafe event;
in that case, the processing module 230 may further be configured to handle the intercepted unsafe behavior according to the lookup result.
In a preferred embodiment, the processing module 230 may further be configured to:
when the unsafe behavior is a read, write or modify operation, use the VMM to return a behavior value determined by the user, where the behavior value differs from the actual value obtained by the read, write or modify operation.
In a preferred embodiment, the unsafe behavior includes at least one of the following:
read and write behavior on model-specific registers, malicious read and write behavior on control registers, and malicious behavior that changes the control flow.
In a preferred embodiment, the Windows platform includes a 64-bit Windows platform. Based on the same inventive concept, an embodiment of the present invention also provides a system for performing behavior processing on a Windows platform. Figure 3 shows a schematic diagram of the system architecture for performing behavior processing on a Windows platform according to an embodiment of the present invention. In Figure 3, multiple guests are converted by the virtualization operation into virtual guests (Virtual Guests) in the system, and the virtual host (Virtual Host, which may also be called the virtual machine monitor, VMM) can monitor the various behaviors triggered in the Virtual Guests and handle them accordingly.
The system provided by the embodiment of the present invention can support the method for performing behavior processing on a Windows platform provided by any of the above embodiments or a combination thereof, together with the corresponding apparatus.
The method and apparatus provided by the embodiments of the present invention can achieve the following beneficial effects. In the embodiment of the present invention, the native operating system is started, a hardware virtualization operation is performed on that system to generate a VMM, and the VMM, whose privilege is higher than that of the native operating system, is used to monitor at least one CPU and perform corresponding processing according to the trigger result. It follows that the behavior of Windows can be monitored by means of the generated VMM, and those skilled in the art can run third-party software in the VMM, thereby using third-party software to patch the Windows platform (in particular 64-bit and higher platforms whose kernel cannot be modified). A complete active-defense product can thus be provided on the 64-bit Windows platform, resolving existing security risks for the user's computer system and improving security. In practice, the present invention can be applied to many security products (for example, the system first-aid kit, the cloud-based Trojan scanning engine, and the host defense system of "360 Security Guard").
Numerous specific details are set forth in the description provided here. However, it is understood that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline this disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention, the various features of the present invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described here include certain features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the apparatus for performing behavior processing on a Windows platform according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described here. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, Figure 4 shows a computing device, such as an application server, that can implement the method for performing behavior processing on a Windows platform according to the present invention. The computing device conventionally includes a processor 410 and a computer program product or computer-readable medium in the form of a memory 420. The memory 420 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk, or ROM. The memory 420 has a storage space 430 for program code 431 for performing any of the method steps in the above method. For example, the storage space 430 for program code may include individual program codes 431 for implementing the various steps of the above method. These program codes may be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks. Such a computer program product is usually a portable or fixed storage unit as described with reference to Figure 5. The storage unit may have storage segments, storage spaces and the like arranged similarly to the memory 420 in the computing device of Figure 4. The program code may, for example, be compressed in a suitable form. Typically, the storage unit includes computer-readable code 431', that is, code that can be read by a processor such as 410, which, when run by the computing device, causes the computing device to perform the various steps of the method described above.
"An embodiment", "embodiments" or "one or more embodiments" as referred to here means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Furthermore, note that instances of the phrase "in an embodiment" here do not necessarily all refer to the same embodiment.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.
Furthermore, it should also be noted that the language used in this specification has been selected principally for readability and instructional purposes, and not to delineate or circumscribe the subject matter of the present invention. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. With respect to the scope of the present invention, the disclosure made of the present invention is illustrative and not restrictive, and the scope of the present invention is defined by the appended claims.

Claims

1. A method for performing behavior processing on a Windows platform, applied to a CPU that supports hardware virtualization, comprising:
starting the native operating system and performing a hardware virtualization operation on the native operating system to generate a virtual machine monitor (VMM);
placing the native operating system into a guest to run, so that the privilege of the operating system is lower than the privilege of the VMM;
placing the native operating system in a supervised state, using the VMM to monitor the behavior triggered by the at least one CPU, and performing corresponding processing according to the trigger result.
2. The method according to claim 1, wherein the manner of generating the VMM comprises the following steps:
using a driver to send to the at least one CPU an instruction for implementing the VMM; wherein the at least one CPU performs the hardware virtualization operation on itself according to the instruction, generating the VMM.
3. The method according to claim 1 or 2, wherein placing the native operating system in a supervised state comprises:
switching the current state of the native operating system from the host state to the guest state, placing the at least one CPU in a supervised state.
4. The method according to claim 3, further comprising: setting the VMM mode for the native operating system.
5. The method according to claim 3 or 4, wherein switching the current state of the native operating system from the host state to the guest state comprises:
setting the native operating system to run in non-root virtualization (VMX-non-root) mode and, correspondingly,
setting the VMM to run in root virtualization (VMX-root) mode.
6. The method according to any one of claims 1 to 5, wherein performing corresponding processing according to the trigger result comprises:
when the trigger result is that the behavior triggered by the CPU is an unsafe behavior, using the VMM to intercept the unsafe behavior.
7. The method according to claim 6, wherein, after using the VMM to intercept the unsafe behavior, the method comprises: looking up the unsafe behavior and the corresponding handling method in a pre-stored processing list, wherein the processing list stores at least one unsafe event and the handling method for that unsafe event;
handling the intercepted unsafe behavior according to the lookup result.
8. The method according to claim 7, wherein handling the intercepted unsafe behavior according to the lookup result comprises:
when the unsafe behavior is a read, write or modify operation, using the VMM to return a behavior value determined by the user, wherein the behavior value differs from the actual value obtained by the read, write or modify operation.
9. The method according to any one of claims 6 to 8, wherein the unsafe behavior comprises at least one of the following:
read and write behavior on model-specific registers, malicious read and write behavior on control registers, and malicious behavior that changes the control flow.
10. The method according to any one of claims 1 to 9, wherein the Windows platform comprises a 64-bit Windows platform.
11. An apparatus for performing behavior processing on a Windows platform, applied to a CPU that supports hardware virtualization, comprising:
a virtualization module, configured to start the native operating system and perform a hardware virtualization operation on the native operating system, generating a virtual machine monitor (VMM);
a privilege setting module, configured to place the native operating system into a guest to run, so that the privilege of the operating system is lower than the privilege of the VMM;
a processing module, configured to place the native operating system in a supervised state, use the VMM to monitor the behavior triggered by the at least one CPU, and perform corresponding processing according to the trigger result.
12、根据权利要求 11所述的装置, 其中, 所述虚拟模块还配置为: 利用驱动程序向所述至少一个 CPU发送用于实现 V匪的指令; 其中, 所述至少一个 CPU 根据所述指令在自身执行硬件虚拟化操 作, 生成所述 VMM。 12. The device according to claim 11, wherein the virtual module is further configured to: use a driver to send instructions for implementing VMM to the at least one CPU; wherein the at least one CPU performs the VMM according to the instructions. Perform hardware virtualization operations on itself to generate the VMM.
13、 根据权利要求 11或 12所述的装置, 其中, 所述处理模块还 配置为: 13. The device according to claim 11 or 12, wherein the processing module is further configured to:
将所述本机操作系统的当前状态由主机 host 状态切换为客户机 guest状态, 将所述至少一个 CPU置于受监管状态。 The current state of the local operating system is switched from the host state to the guest state, and the at least one CPU is placed in a supervised state.
14、根据权利要求 13所述的装置, 其中, 所述处理模块还配置为: 为本机操作系统设置 V匪方式。 14. The device according to claim 13, wherein the processing module is further configured to: set a VPN mode for the local operating system.
15、 根据权利要求 13或 14所述的装置, 其中, 所述处理模块还 配置为: 15. The device according to claim 13 or 14, wherein the processing module is further configured to:
将所述本机操作系统置为在非根虚拟化 VMX-non-root 模式下运 行, 相应的, Set the native operating system to run in non-root virtualization VMX-non-root mode, accordingly,
将所述 V匪置为在根虚拟化 VMX-root模式下运行。 Configure the VMX to run in root virtualization VMX-root mode.
16、 根据权利要求 11至 15任一项所述的装置, 其中, 所述处理 模块还配置为: 所述触发结果为所述 CPU触发的行为是不安全行为时, 利用所述 V匪拦截其中的不安全行为。 16. The device according to any one of claims 11 to 15, wherein the processing module is further configured to: use the V bandit to intercept when the trigger result is that the behavior triggered by the CPU is an unsafe behavior. unsafe behavior.
17、 根据权利要求 16所述的装置, 其中, 还包括: 17. The device according to claim 16, further comprising:
查找模块, 配置为在预存储的处理列表中查找所述不安全行为以 及相应的处理方式, 其中, 所述处理列表中存储有至少一种不安全事 件以及对该不安全事件的处理方式; A search module configured to search for the unsafe behavior and the corresponding processing method in a pre-stored processing list, where at least one unsafe event and a processing method for the unsafe event are stored in the processing list;
所述处理模块还配置为根据查找结果对所述被拦截的不安全行为 进行处理。 The processing module is also configured to process the intercepted unsafe behavior according to the search results.
18、根据权利要求 17所述的装置, 其中, 所述处理模块还配置为: 当不安全行为是读写或修改的操作时, 利用所述 VMM返回由用户 确定的行为值, 其中, 所述行为值与所述读写或修改操作获取的实际 值不同。 18. The device according to claim 17, wherein the processing module is further configured to: when the unsafe behavior is a read, write or modify operation, use the VMM to return a behavior value determined by the user, wherein, the The behavior value is different from the actual value obtained by the read, write or modify operation.
19、 根据权利要求 16至 18任一项所述的装置, 其中, 所述不安 全行为包括下列至少之一: 19. The device according to any one of claims 16 to 18, wherein the unsafe behavior includes at least one of the following:
专用寄存器的读写行为、 控制寄存器的恶意读写行为、 改变控制 流的恶意行为。 The reading and writing behavior of special registers, the malicious reading and writing behavior of control registers, and the malicious behavior of changing the control flow.
20、根据权利要求 11至 19任一项所述的装置,其中,所述 Windows 平台包括 64位 Windows平台。 20. The device according to any one of claims 11 to 19, wherein the Windows platform includes a 64-bit Windows platform.
21、 一种计算机程序, 包括计算机可读代码, 当所述计算机可读 代码在计算设备上运行时, 导致所述计算设备执行根据权利要求 1 至 10中的任一个所述的在 Windows平台上进行行为处理的方法。 21. A computer program, comprising computer readable code, which, when run on a computing device, causes the computing device to execute the method according to any one of claims 1 to 10 on a Windows platform. Methods for behavioral processing.
22、 一种计算机可读介质, 其中存储了如权利要求 21所述的计算 机程序。 22. A computer-readable medium in which the computer program according to claim 21 is stored.
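The following is an added example, not code from the patent or its assignee: a host-side simulation of the "processing list" handling in claims 6 to 9 (mirrored by device claims 16 to 19). A trapped CPU behavior (special-register or control-register read/write, or a control-flow change) is looked up in a pre-stored list; the entry's action either lets the operation through, suppresses it, or, for a read/write/modify, substitutes a user-determined value that differs from the real one. The register set, the shape of the trap record and the sample events are constructed assumptions; a real VMX-root handler would derive the event from the VMCS exit reason and exit qualification, which is omitted here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kinds of CPU-triggered behaviour the VMM traps (the three classes named in claim 9). */
typedef enum { EV_MSR_READ, EV_MSR_WRITE, EV_CR_READ, EV_CR_WRITE, EV_CONTROL_FLOW } event_kind;

/* Processing methods stored in the list: pass through, suppress, or return a substitute value. */
typedef enum { ACT_ALLOW, ACT_BLOCK, ACT_SPOOF } action;

/* One entry of the pre-stored processing list (claim 7). */
typedef struct {
    event_kind kind;
    uint32_t   id;        /* CR number or special-register index; ignored for EV_CONTROL_FLOW */
    action     act;
    uint64_t   spoof_val; /* user-determined value returned instead of the real one (claim 8) */
} policy_entry;

/* Minimal guest state (assumption): two control registers, two special registers, RAX, RIP. */
typedef struct {
    uint64_t cr0, cr4;
    uint64_t msr[2];
    uint64_t rax;         /* destination (read) or source (write) register of the trapped instruction */
    uint64_t rip;
} guest_state;

/* A trapped event as the VMM sees it after the exit. */
typedef struct {
    event_kind kind;
    uint32_t   id;
    uint64_t   value;     /* value the guest tried to write, or branch target for EV_CONTROL_FLOW */
    uint32_t   insn_len;  /* length of the trapped instruction, used to resume past it */
} trap_event;

#define CR0_WP   (1ULL << 16) /* CR0 write-protect bit */
#define CR4_SMEP (1ULL << 20) /* CR4 SMEP bit */

/* Map an event to the guest register it touches; NULL when the simulation has no such register. */
static uint64_t *target_reg(guest_state *g, const trap_event *ev)
{
    switch (ev->kind) {
    case EV_CR_READ: case EV_CR_WRITE:
        return ev->id == 0 ? &g->cr0 : ev->id == 4 ? &g->cr4 : NULL;
    case EV_MSR_READ: case EV_MSR_WRITE:
        return ev->id < 2 ? &g->msr[ev->id] : NULL;
    default:
        return NULL;
    }
}

/* Look the behaviour up in the processing list; NULL means it is not treated as unsafe. */
static const policy_entry *lookup(const policy_entry *list, size_t n, const trap_event *ev)
{
    for (size_t i = 0; i < n; i++) {
        if (list[i].kind != ev->kind) continue;
        if (ev->kind != EV_CONTROL_FLOW && list[i].id != ev->id) continue;
        return &list[i];
    }
    return NULL;
}

/* Process one intercepted behaviour according to the lookup result; returns the action taken. */
action handle_trap(const policy_entry *list, size_t n, guest_state *g, const trap_event *ev)
{
    const policy_entry *p = lookup(list, n, ev);
    action act = p ? p->act : ACT_ALLOW;
    uint64_t *reg = target_reg(g, ev);
    int is_read = (ev->kind == EV_MSR_READ || ev->kind == EV_CR_READ);

    if (ev->kind == EV_CONTROL_FLOW) {
        if (act == ACT_ALLOW) { g->rip = ev->value; return ACT_ALLOW; } /* take the branch */
        g->rip += ev->insn_len;                                           /* fall through past it */
        return ACT_BLOCK;
    }
    if (!reg) { g->rip += ev->insn_len; return ACT_BLOCK; } /* unknown register: refuse to emulate */

    uint64_t real = is_read ? *reg : ev->value;
    /* Claim 8 requires the returned value to differ from the real one; an equal value is a no-op. */
    if (act == ACT_SPOOF && p->spoof_val == real) act = ACT_ALLOW;

    switch (act) {
    case ACT_ALLOW: if (is_read) g->rax = *reg;         else *reg = ev->value;     break;
    case ACT_SPOOF: if (is_read) g->rax = p->spoof_val; else *reg = p->spoof_val;  break;
    case ACT_BLOCK: break; /* architectural state left untouched */
    }
    g->rip += ev->insn_len; /* the VMM completed (or suppressed) the instruction */
    return act;
}

/* Constructed processing list for the demo. */
const policy_entry demo_policy[] = {
    { EV_CR_WRITE,     0, ACT_BLOCK, 0      }, /* writes to CR0 are suppressed */
    { EV_MSR_READ,     0, ACT_SPOOF, 0xDEAD }, /* reads of special register 0 get a substitute value */
    { EV_CONTROL_FLOW, 0, ACT_BLOCK, 0      }, /* trapped control-flow changes are not taken */
};

/* Replay a constructed sequence of traps; returns how many were not simply allowed. */
int run_demo(guest_state *g)
{
    trap_event evs[] = {
        { EV_CR_WRITE,     0, 0x80040033ULL, 3 }, /* attempt to clear CR0.WP */
        { EV_MSR_READ,     0, 0,             2 }, /* read of special register 0 */
        { EV_MSR_WRITE,    1, 0x42,          2 }, /* write to register 1: not in the list */
        { EV_CONTROL_FLOW, 0, 0x9000,        5 }, /* branch to an unexpected address */
    };
    guest_state init = { .cr0 = 0x80040033ULL | CR0_WP, .cr4 = CR4_SMEP,
                         .msr = { 0x500, 0 }, .rax = 0, .rip = 0x1000 };
    int intercepted = 0;
    *g = init;
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++) {
        action a = handle_trap(demo_policy, sizeof demo_policy / sizeof demo_policy[0], g, &evs[i]);
        printf("event %zu: %s\n", i, a == ACT_ALLOW ? "allowed" : a == ACT_BLOCK ? "blocked" : "spoofed");
        if (a != ACT_ALLOW) intercepted++;
    }
    return intercepted;
}

int main(void)
{
    guest_state g;
    int n = run_demo(&g);
    printf("%d of 4 events intercepted; cr0=%#llx rax=%#llx rip=%#llx\n",
           n, (unsigned long long)g.cr0, (unsigned long long)g.rax, (unsigned long long)g.rip);
    return 0;
}
```

Behaviours absent from the list fall through unchanged, so the list is an allow-by-default policy; a deployment that wants the opposite default would make the `p == NULL` case block. Note also that the lookup is keyed on event kind and register only, not on the value being written, so a policy that should depend on which CR0 bits change would need the entry to carry a mask.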
PCT/CN2014/080579 2013-06-25 2014-06-24 Action processing method and device on windows platform WO2014206268A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310255011.X 2013-06-25
CN201310255011.XA CN103294956B (en) 2013-06-25 2013-06-25 Method and device for processing behaviors on Windows platform

Publications (1)

Publication Number Publication Date
WO2014206268A1 true WO2014206268A1 (en) 2014-12-31

Family

ID=49095798

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/080579 WO2014206268A1 (en) 2013-06-25 2014-06-24 Action processing method and device on windows platform

Country Status (2)

Country Link
CN (1) CN103294956B (en)
WO (1) WO2014206268A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103294956B (en) * 2013-06-25 2016-08-24 北京奇虎科技有限公司 Method and device for processing behaviors on Windows platform
US9753770B2 (en) * 2014-04-03 2017-09-05 Strato Scale Ltd. Register-type-aware scheduling of virtual central processing units
CN104636647A (en) * 2015-03-17 2015-05-20 南开大学 Sensitive information protection method based on virtualization technology
CN106909840A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 A kind of method and device of monitor operating system behavior
CN106055982B (en) * 2016-06-29 2019-11-12 珠海豹趣科技有限公司 A kind of hold-up interception method, device and the electronic equipment of rogue program triggering blue screen
CN111428240B (en) * 2020-03-20 2021-10-15 安芯网盾(北京)科技有限公司 Method and device for detecting illegal access of memory of software
CN111831395B (en) * 2020-07-09 2024-01-09 西安交通大学 Behavior monitoring analysis method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101226577A (en) * 2008-01-28 2008-07-23 南京大学 Method for protecting microkernel OS integrality based on reliable hardware and virtual machine
CN101398769A (en) * 2008-10-28 2009-04-01 北京航空航天大学 Processor resource integrating and utilizing method transparent to operating system
CN101557420A (en) * 2009-03-31 2009-10-14 北京航空航天大学 Realization method of high-efficiency network communication of a virtual machine monitor
US20110072428A1 (en) * 2009-09-22 2011-03-24 International Business Machines Corporation Nested Virtualization Performance In A Computer System
CN103294956A (en) * 2013-06-25 2013-09-11 北京奇虎科技有限公司 Method and device for processing behaviors on Windows platform

Also Published As

Publication number Publication date
CN103294956A (en) 2013-09-11
CN103294956B (en) 2016-08-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14817702

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14817702

Country of ref document: EP

Kind code of ref document: A1