WO2014206268A1 - Action processing method and apparatus on a Windows platform - Google Patents


Info

Publication number
WO2014206268A1
Authority
WO
WIPO (PCT)
Prior art keywords
behavior
operating system
unsafe
cpu
processing
Prior art date
Application number
PCT/CN2014/080579
Other languages
English (en)
Chinese (zh)
Inventor
潘剑锋
李宜檑
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date
Filing date
Publication date
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司
Publication of WO2014206268A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Definitions

  • the present invention relates to the field of the Internet, and in particular to a method and apparatus for performing behavior processing on a Windows platform.
  • Background technique
  • Active defense is a real-time protection technology based on independent analysis and judgment of program behavior. It does not use signatures as the basis for judging malicious programs. Instead, it starts from the most primitive definition and directly uses the behavior of the program as the basis for judging malicious programs. Active defense software first intercepts the behavior of a program and then processes it accordingly. Interception of program behavior is therefore the important first step of active defense, and many malicious programs resist active defense precisely by interfering with or bypassing behavioral interception.
  • the present invention has been made in order to provide an apparatus for performing behavior processing on a Windows platform and a corresponding method of performing behavior processing on a Windows platform that overcomes the above problems or at least partially solves the above problems.
  • a method for performing behavior processing on a Windows platform is provided, which is applied to a CPU supporting hardware virtualization, including:
  • the local operating system is placed in a supervised state, the behavior triggered by the at least one CPU is monitored by the VMM, and corresponding processing is performed according to the triggering result.
  • the VMM is generated by the following steps:
  • placing the native operating system in a supervised state including:
  • the current state of the native operating system is switched from the host state to the guest state, and the at least one CPU is placed in a supervised state.
  • the foregoing method further includes: setting a VMM mode for the local operating system.
  • switching the current state of the native operating system from the host state to the guest state includes:
  • setting the native operating system to run in non-root virtualization (VMX non-root) mode and, correspondingly,
  • setting the VMM to run in root virtualization (VMX root) mode.
  • corresponding processing is performed according to the triggering result, including:
  • when the triggering result shows that the behavior triggered by the CPU is unsafe, the VMM intercepts the unsafe behavior.
  • the method includes: searching, in a pre-stored processing list, for the unsafe behavior and its corresponding processing manner, where the processing list stores at least one unsafe event and the manner in which it is handled; the intercepted unsafe behavior is then processed according to the search result.
  • the intercepted unsafe behavior is processed according to the search result, including:
  • the unsafe behavior is an operation of reading or writing or modifying
  • a behavior value determined by the user is returned by the VMM, where the behavior value is different from the actual value that the read, write or modify operation would have obtained.
  • the unsafe behavior includes at least one of the following:
  • the Windows platform includes a 64-bit Windows platform.
  • an apparatus for performing behavior processing on a Windows platform which is applied to a CPU supporting hardware virtualization, includes:
  • a virtual module configured to start a local operating system, perform a hardware virtualization operation on the local operating system, and generate a virtual machine monitor (VMM);
  • a permission setting module configured to place the native operating system into guest operation, such that the authority of the operating system is lower than the authority of the VMM;
  • a processing module configured to put the local operating system into a supervised state, monitor, by using the VMM, the behavior triggered by the at least one CPU, and perform corresponding processing according to the triggering result.
  • the virtual module is further configured to:
  • processing module is further configured to:
  • the current state of the native operating system is switched from the host state to the guest state, and the at least one CPU is placed in a supervised state.
  • the processing module is further configured to: set a VMM mode for the local operating system.
  • the processing module is further configured to:
  • set the native operating system to run in non-root virtualization (VMX non-root) mode and, correspondingly,
  • set the VMM to run in root virtualization (VMX root) mode.
  • the processing module is further configured to: when the triggering result shows that the behavior triggered by the CPU is unsafe, intercept the unsafe behavior by using the VMM.
  • the foregoing apparatus further includes:
  • the locating module is configured to search for the unsafe behavior and the corresponding processing manner in the pre-stored processing list, where the processing list stores at least one unsafe event and a processing manner of the unsafe event;
  • the processing module is further configured to process the intercepted unsafe behavior based on the lookup result.
  • processing module is further configured to:
  • the unsafe behavior is an operation of reading or writing or modifying
  • a behavior value determined by the user is returned by the VMM, where the behavior value is different from the actual value that the read, write or modify operation would have obtained.
  • the unsafe behavior includes at least one of the following:
  • the Windows platform includes a 64-bit Windows platform.
  • a computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform a method of behavior processing on the Windows platform according to any of the above.
  • a computer readable medium wherein a computer program as described above is stored.
  • the local operating system is started, the hardware virtualization operation is performed on the system, the VMM is generated, at least one CPU is monitored by using a VMM having a higher authority than the local operating system, and corresponding processing is performed according to the triggering result.
  • FIG. 1 shows a process flow diagram of a method for performing behavior processing on a Windows platform in accordance with one embodiment of the present invention
  • FIG. 2 is a block diagram showing the structure of an apparatus for performing behavior processing on a Windows platform according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram showing a system architecture for performing behavior processing on a Windows platform according to an embodiment of the present invention
  • FIG. 4 is a block diagram schematically showing a computing device for performing a method of performing behavior processing on a Windows platform in accordance with the present invention
  • FIG. 5 is a schematic diagram of a storage unit holding or carrying program code for a method of behavior processing on a Windows platform in accordance with the present invention.
  • Detailed description
  • the present invention is applicable to computer systems/servers that can operate with numerous other general purpose or special purpose computing system environments or configurations.
  • Examples of well-known computing system environments and/or configurations suitable for use with computer systems/servers include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe systems, distributed cloud computing environments including any of the above, and the like.
  • the computer system/server can be described in the general context of computer system executable instructions (such as program modules) executed by the computer system.
  • program modules may include routines, programs, target programs, components, logic, data structures, and the like, which perform particular tasks or implement particular abstract data types.
  • the computer system/server can be implemented in a distributed cloud computing environment where tasks are performed by remote processing devices connected through a communication network.
  • program modules can be located on a local or remote computing system storage medium including storage devices.
  • the embodiment of the present invention adopts a unique technical solution, the main idea of which is to use the hardware virtualization extension support of the CPU (Central Processing Unit) (such as Intel or AMD) to implement full behavior processing on 64-bit or higher Windows platforms.
  • hardware virtualization refers to the realization of efficient full virtualization with the support of hardware (mainly host processor).
  • the execution environment of Guest OS and VMM is automatically and completely isolated.
  • the Guest OS has its own register set and can run directly at the highest privilege level.
  • the solution provided by the embodiment of the present invention can break through the limitations of an operating system such as Microsoft Windows, and the method can provide a complete and effective active defense software system on a 64-bit or higher system.
  • Virtualization technology allows physical machines (such as servers, PCs, tablets, etc.) to be partitioned or shared so that the underlying hardware of the machine is presented as one or more virtual machines that work independently.
  • the hypervisor can run on a computer and present an abstraction of one or more virtual machines to other software.
  • Each virtual machine can be used as a self-sustaining platform to run its own operating system (OS) and/or application software.
  • Software execution performed within a virtual machine can be referred to as client software.
  • guest software may expect to run on a dedicated computer rather than in a VM (Virtual Machine), whereas in fact the VMM and the Guest OS share the underlying processor resources. That is, guest software may expect to control various events and to access the hardware resources of a computer such as a physical machine.
  • the hardware resources of the physical machine may include one or more processors, resources residing on the processor (e.g., control registers, caches, and others), memory (and structures resident in memory such as descriptor tables), and other resources that reside in the physical machine (such as input/output (I/O) devices).
  • the embodiment of the invention provides a method for performing behavior processing on a Windows platform, which is applied to a CPU supporting hardware virtualization.
  • FIG. 1 is a process flow diagram of a method for performing behavior processing on a Windows platform according to an embodiment of the present invention, including:
  • Step S102 Start a local operating system, perform a hardware virtualization operation on the system, and generate a VMM (Virtual Machine Monitor).
  • the system includes an operating system, a CPU, and application layer software.
  • the native operating system runs on the CPUs it manages, and manages and monitors all of them. If the local operating system itself is to be supervised, its permissions therefore have to be modified; see step S104 for details.
  • Step S104 Put the local operating system into guest operation, so that the authority of the local operating system is lower than that of the generated VMM.
  • this step can be performed with the permissions of the driver.
  • the highest privilege of the driver can be used to make the CPU run in the mode that supports the virtualization extension; the native operating system is then in the managed (guest) mode, and its permissions are lower than those of the VMM.
  • the CPU switches to the guest (non-root) state and restores the Windows execution environment; that is, the change from the root state to the non-root state takes place when the execution environment is resumed.
  • Step S106 The system is placed in a supervised state, the generated VMM is used to monitor behavior triggered by at least one CPU, and corresponding processing is performed according to the triggering result.
  • since the local operating system is in the managed mode, it is equivalent to running as a guest. The VMM is still located on the local machine, so the behavior triggered by the CPU can be monitored and the subsequent operation processing can then be performed.
  • the step of performing corresponding processing according to the triggering result specifically includes: first determining the nature of the behavior triggered by the CPU, i.e. whether the triggered behavior is safe, and then handling safe behavior and unsafe behavior differently.
  • this embodiment focuses on ensuring that unsafe behavior does not harm the computer terminal and the software running on it: the VMM can be used to intercept the unsafe behavior, and the intercepted behavior is then processed according to the pre-stored behavior processing method.
  • the local operating system is started, the hardware virtualization operation is performed on the system, the VMM is generated, at least one CPU is monitored by using a VMM having a higher authority than the local operating system, and corresponding processing is performed according to the triggering result.
  • the behavior of Windows can thus be monitored by generating the VMM, and third-party software can be executed in the VMM, thereby using third-party software to patch the Windows platform (especially 64-bit or higher versions, whose kernel cannot be modified). This can provide a complete active defense product on the 64-bit Windows platform, solve existing security risks of the user's computer system, and improve security.
  • the means of implementing behavioral processing on different Windows platforms is different.
  • take the x86 processor as an example.
  • the x86 processor has 4 privilege levels, Ring 0 to Ring 3, and the processor can access privileged resources or execute privileged instructions only when running at Ring 0 to 2; when running at Ring 0, the processor can access all privileged state.
  • the operating system on the x86 platform generally uses only the two levels of Ring 0 and Ring 3, the operating system runs at Ring 0, and the user process runs at Ring 3.
  • the VMM must run at the Ring 0 level, and in order to prevent the Guest OS from controlling system resources, the Guest OS has to lower its own running level, running at Ring 1 or Ring 3 (Ring 2 is not used).
  • the driver may send an instruction for implementing the VMM to at least one CPU, and in order to implement the VMM the corresponding code is carried in the instruction.
  • after at least one CPU receives the instruction, it parses the specific code. Subsequently, each CPU executes the code and performs a hardware virtualization operation on itself to generate the VMM.
  • the embodiment of the present invention preferably switches the current state of the CPU from the host state to the guest state, and places at least one CPU in a supervised state.
  • the native operating system is further set to the VMM mode.
  • since the authority of the VMM is higher than that of the native operating system, monitoring of at least one CPU can be achieved using the VMM.
  • for example, at least one CPU can be set to run in non-root virtualization (VMX non-root) mode and, correspondingly, the VMM set to run in root virtualization (VMX root) mode; VMX is only an example.
  • the CPU and the VMM are set to different modes, and the mode level of the VMM is higher than the mode the CPU is in.
  • AMD also has a corresponding AMD-V (Virtualization) mode for the x86 platform.
  • the triggering result is either that the behavior triggered by the CPU requires some specific processing, or that the behavior is safe; each result is handled differently. For example, if the triggering result shows that the behavior triggered by the CPU is safe, the behavior can be released directly.
  • when the triggering result shows that the behavior is unsafe, the VMM can be used to intercept the unsafe behavior.
  • Embodiments of the present invention provide a pre-stored processing list in which at least one unsafe event and a manner of processing the unsafe event are stored. Any kind of unsafe event can be handled in one way or in multiple ways, and several unsafe events may be handled in the same way. That is, the correspondence between unsafe events and their processing methods may be one-to-one, one-to-many, or many-to-one. After the unsafe behavior and its corresponding processing manner are found in the pre-stored processing list, the intercepted unsafe behavior is processed according to the search result.
  • an unsafe behavior is an operation of reading or writing or modifying.
  • a malicious program attempts to read, write or modify the stored data.
  • the machine can use the VMM to return a behavior value determined by the user, where that value is different from the actual value obtained by the read, write or modify operation. Since the behavior value returned by the VMM is not the actual value, the value that the malicious program reads, or prepares to write or modify, is necessarily a false value.
  • a malicious program subsequently attacks a false value without affecting the actual value, thereby improving the security and stability of the computer system.
  • the unsafe behavior mentioned above may be any behavior that adversely affects a computer system (including a combination of an operating system, computer software, and computer hardware); embodiments of the present invention give examples such as read and write behavior on special registers, malicious read and write behavior on control registers, malicious behavior that changes the control flow, and the like.
  • behavior that changes the control flow is intercepted by controlling the guest page table, so that the page exceptions raised during execution of the guest code are intercepted.
  • the above method is applicable to the Windows platform, especially the 64-bit or higher-bit Windows platform.
  • because CPUs of the x86 and x86-64 architectures do not meet the definition of an efficient VMM in Popek and Goldberg's theorem, Intel and AMD each designed hardware virtualization extensions for their own CPUs, namely Intel VT and AMD-V, so that the processor accelerates virtualization.
  • This case is only a description of the Windows system.
  • it can also be applied to other systems such as Unix systems.
  • the application method can refer to the Windows system.
  • the above method can provide an interface for the upper driver, realizes the virtualized operation on the 64-bit windows platform, and places the operating system in the state of the client (client software), thereby completely monitoring the operating system.
  • the caller can be provided with a complete call library for the related events; the call library returns the corresponding callback result to the requester. The call library may be called an interface or a function, which here is a general term for a function interface or service provided by a system.
  • the method can be applied to the technical fields of active defense and Trojan attack and defense. It not only provides protection of files, the registry, processes and thread objects through Microsoft's standard callback interfaces, but also protects against window-message attacks, attacks using RPC (Remote Procedure Call) and other inter-process communication mechanisms, and so on, and can also provide many functions otherwise available only on the 32-bit Windows platform, such as keyboard protection.
  • the embodiment of the present invention can implement the security behavior and event interception that cannot otherwise be implemented on a 64-bit or higher Windows system, and can greatly improve the capability of security software, or other software that needs behavior event interception, on 64-bit or higher systems.
  • the embodiment of the present invention provides a new operation mode in which the VMM operates unrestricted, while the guest operating system at ring 0 and the guest application software at ring 3 operate with restrictions.
  • in this operation mode, sensitive behaviors and events of the guest operating system or guest application software can be perceived and intercepted by the VMM.
  • the method provided by the embodiment of the present invention can intercept behaviors and events that are not intercepted, or are difficult to intercept, in the traditional manner (for example, the inline hook); for example, it can intercept system service calls (which is not allowed on x64 systems), page exceptions, and so on.
  • since the guest operating system and guest applications can be detected and interfered with from outside, the method can coexist with PatchGuard, greatly improving the capability of active defense software, or other security software that requires behavioral event interception, on 64-bit Windows systems.
  • the CPU is extended by means of hardware virtualization, the entire operating system to be monitored is placed in the lower-privilege guest state, and the monitor sits in a higher-privilege environment.
  • when a CPU triggers an event of interest (such as a sensitive behavior or instruction) or an operation of interest, for example a read, write or modify operation, the triggered event is returned to the virtual machine monitor (located on the outside host), at which point the user can change the behavior. For example, after the VMM detects an operation reading a register, it monitors the behavior and returns a behavior value confirmed by the user (for example, the content read from memory, that is, the value of the register being read or written).
  • the returned behavior value is not the same as the value actually read, so the operating system can be completely monitored and taken over. At this point the user can modify the data, and a scan check by the system cannot obtain the real result.
  • a part of the code can be placed in the guest operating system and work together with the code of the VMM part.
  • the VMM can handle some interception results by itself, or switch the control flow to the collaborating part in the guest, which actually handles the interception result and finally resumes execution at the correct position in the guest code as needed.
  • an embodiment of the present invention further provides an apparatus for performing behavior processing on a Windows platform, which is applied to a CPU supporting hardware virtualization.
  • FIG. 2 is a block diagram showing the structure of an apparatus for performing behavior processing on a Windows platform according to an embodiment of the present invention.
  • the apparatus of Figure 2 is capable of implementing a method of behavioral processing on a Windows platform as provided by any of the preferred embodiments described above or a combination thereof.
  • the apparatus includes at least:
  • the virtual module 210 is configured to start a local operating system, perform a hardware virtualization operation on the local operating system, and generate a VMM;
  • the permission setting module 220 is coupled to the virtual module 210 and configured to place the native operating system into guest operation, so that the operating system has lower authority than the VMM;
  • the processing module 230 is coupled to the permission setting module 220 and configured to place the local operating system in a supervised state, monitor the behavior triggered by at least one CPU by using the VMM, and perform corresponding processing according to the triggering result.
  • the virtual module 210 can also be configured to:
  • At least one CPU executes a hardware virtualization operation according to the code, and generates a VMM.
  • the processing module 230 can also be configured to:
  • processing module 230 can also be configured to:
  • processing module 230 can also be configured to:
  • At least one CPU is set to run in non-root virtualization VMX-non-root mode, corresponding,
  • processing module 230 can also be configured to:
  • the above apparatus may further include:
  • the searching module 240 is coupled to the processing module 230 and configured to search for unsafe behaviors and the corresponding processing manners in the pre-stored processing list, where the processing list stores at least one unsafe event and the processing manner of that unsafe event;
  • the processing module 230 may be further configured to process the intercepted unsafe behavior according to the search result.
  • processing module 230 can also be configured to:
  • the unsafe behavior is an operation of reading or writing or modifying
  • a behavior value determined by the user is returned by the VMM, where the behavior value is different from the actual value that the read, write or modify operation would have obtained.
  • the unsafe behavior includes at least one of the following:
  • the Windows platform includes a 64-bit Windows platform.
  • based on the same inventive concept, an embodiment of the present invention further provides a system for performing behavior processing on a Windows platform.
  • FIG. 3 is a schematic diagram of the system architecture for behavior processing on the Windows platform according to one embodiment of the present invention.
  • multiple clients can be converted into Virtual Guests in the system through virtualization operations.
  • the various behaviors are handled accordingly.
  • the system provided by the embodiment of the present invention can support the method and corresponding device for performing behavior processing on the Windows platform provided by any one of the above embodiments or a combination thereof.
  • the local operating system is started, the hardware virtualization operation is performed on the system, the VMM is generated, and at least one CPU is monitored by using a VMM whose authority is higher than that of the local operating system, with processing performed according to the triggering result. It can be seen that the behavior of Windows can be monitored by generating the VMM, and those skilled in the art can execute third-party software in the VMM, thereby using third-party software to patch the Windows platform (especially 64-bit or higher versions, whose kernel cannot be modified) and provide a complete active defense product on the 64-bit Windows platform, solving existing security problems of the user's computer system and improving security.
  • the present invention can be applied to numerous security products (for example, the "360 Security Guard" system first aid kit, the Trojan horse killing engine, the host defense system, and other products).
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further, they may be divided into a plurality of sub-modules or sub-units or sub-assemblies.
  • any combination of the features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and of all processes or units of any method or device so disclosed, may be used.
  • Each feature disclosed in the specification (including the accompanying claims, the abstract, and the drawings) may be replaced by alternative features that provide the same, equivalent, or similar purpose, unless stated otherwise.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • Those skilled in the art will appreciate that some or all of the functions of some or all of the components of the apparatus for performing behavior processing on the Windows platform in accordance with embodiments of the present invention may be implemented in practice using a microprocessor or digital signal processor (DSP).
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 4 illustrates a computing device, such as an application server, that can implement a method of behavior processing on a Windows platform in accordance with the present invention.
  • the computing device conventionally includes a processor 410 and a computer program product or computer readable medium in the form of a memory 420.
  • the memory 420 can be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 420 has a memory space 430 for program code 431 for performing any of the method steps described above.
  • storage space 430 for program code may include various program code 431 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • Such computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such a computer program product is typically a portable or fixed storage unit as described with reference to Figure 5.
  • the storage unit can have storage segments, storage spaces, and the like that are similarly arranged to memory 420 in the computing device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 431 ', ie, code that can be read by a processor, such as 410, which, when executed by a computing device, causes the computing device to perform each of the methods described above step.
  • an embodiment or “one or more embodiments” as used herein means that the particular features, structures, or characteristics described in connection with the embodiments are included in at least one embodiment of the invention.
  • the examples of the words “in one embodiment” are not necessarily all referring to the same embodiment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a behavior processing method and device on a Windows platform. The method is applied to a CPU that supports hardware virtualization. The method comprises the steps of: launching an operating system and executing a hardware virtualization operation within the operating system so as to create a virtual machine monitor (VMM); installing and running the operating system as a guest so as to ensure that the operating system has a lower privilege level than the VMM; setting the operating system into a monitored state by using the VMM to monitor at least one behavior triggered by the CPU, and taking the relevant measures according to the result of the triggered behavior. The method improves the security of a computer system.
PCT/CN2014/080579 2013-06-25 2014-06-24 Behavior processing method and device on a Windows platform WO2014206268A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310255011.X 2013-06-25
CN201310255011.XA CN103294956B (zh) 2013-06-25 2013-06-25 Method and device for behavior processing on the Windows platform

Publications (1)

Publication Number Publication Date
WO2014206268A1 true WO2014206268A1 (fr) 2014-12-31

Family

ID=49095798

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/080579 WO2014206268A1 (fr) 2013-06-25 2014-06-24 Behavior processing method and device on a Windows platform

Country Status (2)

Country Link
CN (1) CN103294956B (fr)
WO (1) WO2014206268A1 (fr)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103294956B (zh) * 2013-06-25 2016-08-24 北京奇虎科技有限公司 Method and device for behavior processing on the Windows platform
US9753770B2 (en) * 2014-04-03 2017-09-05 Strato Scale Ltd. Register-type-aware scheduling of virtual central processing units
CN104636647A (zh) * 2015-03-17 2015-05-20 南开大学 Sensitive information protection method based on virtualization technology
CN106909840A (zh) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 Method and device for monitoring operating system behavior
CN106055982B (zh) * 2016-06-29 2019-11-12 珠海豹趣科技有限公司 Method, device and electronic equipment for intercepting blue screens triggered by malicious programs
CN111428240B (zh) * 2020-03-20 2021-10-15 安芯网盾(北京)科技有限公司 Method and device for detecting illegal memory access by software
CN111831395B (zh) * 2020-07-09 2024-01-09 西安交通大学 Behavior monitoring and analysis method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101226577A (zh) * 2008-01-28 2008-07-23 南京大学 Microkernel operating system integrity protection method based on trusted hardware and virtual machines
CN101398769A (zh) * 2008-10-28 2009-04-01 北京航空航天大学 Processor resource integration and utilization method transparent to the operating system
CN101557420A (zh) * 2009-03-31 2009-10-14 北京航空航天大学 Implementation method for efficient network communication in a virtual machine monitor
US20110072428A1 (en) * 2009-09-22 2011-03-24 International Business Machines Corporation Nested Virtualization Performance In A Computer System
CN103294956A (zh) * 2013-06-25 2013-09-11 北京奇虎科技有限公司 Method and device for behavior processing on the Windows platform

Also Published As

Publication number Publication date
CN103294956A (zh) 2013-09-11
CN103294956B (zh) 2016-08-24

Similar Documents

Publication Publication Date Title
US11200080B1 (en) Late load technique for deploying a virtualization layer underneath a running operating system
US20210294900A1 (en) Systems and Methods Involving Features of Hardware Virtualization Such as Separation Kernel Hypervisors, Hypervisors, Hypervisor Guest Context, Hypervisor Context, Rootkit Detection/Prevention, and/or Other Features
US10630643B2 (en) Dual memory introspection for securing multiple network endpoints
King et al. SubVirt: Implementing malware with virtual machines
Christodorescu et al. Cloud security is not (just) virtualization security: a short paper
KR101946982B1 (ko) Process evaluation for malware detection in a virtual machine
CN107949846B (zh) Detection of malicious thread suspension
US7996836B1 (en) Using a hypervisor to provide computer security
US7845009B2 (en) Method and apparatus to detect kernel mode rootkit events through virtualization traps
US8402441B2 (en) Monitoring execution of guest code in a virtual machine
US10095538B2 (en) Systems and methods involving features of hardware virtualization, hypervisor, pages of interest, and/or other features
WO2014206268A1 (fr) Behavior processing method and device on a Windows platform
WO2017052947A1 (fr) Hardware-assisted software verification and secure execution
US10108800B1 (en) ARM processor-based hardware enforcement of providing separate operating system environments for mobile devices with capability to employ different switching methods
Baliga et al. Automated containment of rootkits attacks
WO2018005388A1 (fr) Regulating control transfers for execute-only code execution
Price The paradox of security in virtual environments
Cheng et al. Guardian: Hypervisor as security foothold for personal computers
Mahapatra et al. An online cross view difference and behavior based kernel rootkit detector
Pouraghily et al. Hardware support for embedded operating system security
Fu et al. Subverting system authentication with context-aware, reactive virtual machine introspection
Win et al. Handling the hypervisor hijacking attacks on virtual cloud environment
Chen et al. DScope: To Reliably and Securely Acquire Live Data from Kernel-Compromised ARM Devices
Hu et al. Position Paper: Consider Hardware-enhanced Defenses for Rootkit Attacks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14817702

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14817702

Country of ref document: EP

Kind code of ref document: A1