WO2016145749A1 - A method and apparatus for determining behavior information corresponding to a dangerous file - Google Patents

Info

Publication number
WO2016145749A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
behavior
dangerous
dangerous file
computer device
Application number
PCT/CN2015/082409
Other languages
English (en)
French (fr)
Inventor
钱科明
郭明强
Original Assignee
百度在线网络技术(北京)有限公司
Application filed by 百度在线网络技术(北京)有限公司
Related family applications and their publications:
EP15885132.9A, published as EP3113060B1
JP2016564985A, published as JP2017520820A
KR1020167030047A, published as KR101974989B1
US15/300,770, published as US10915624B2
Publication of WO2016145749A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow > G06F21/53 by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/55 > G06F21/56 > G06F21/568 Eliminating virus, restoring damaged files
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic

Definitions

  • this application claims priority from a Chinese patent application with application date March 18, 2015 and application number 201510119820.7, entitled "A method and apparatus for determining behavior information corresponding to a dangerous file".
  • the present invention relates to the field of computer technologies, and in particular, to a method and apparatus for determining behavior information corresponding to a dangerous file in a computer device.
  • a method for determining behavior information corresponding to a dangerous file in a computer device comprises:
  • running the dangerous file in a virtual environment of the computer device when a dangerous file is detected, wherein the virtual environment includes at least one virtual API that is identical to at least one real API in a real environment of the computer device;
  • monitoring the behavior of the dangerous file in the virtual environment to obtain behavior information corresponding to the dangerous file.
  • an apparatus for determining behavior information corresponding to a dangerous file in a computer device comprises:
  • means for running the dangerous file in a virtual environment of the computer device when a dangerous file is detected, wherein the virtual environment includes at least one virtual API that is identical to at least one real API in a real environment of the computer device;
  • the present invention has the following advantages: 1) the behavior information of a dangerous file can be obtained by running the dangerous file in a virtual environment of the computer device, which requires no manual analysis and greatly reduces the time needed to obtain the behavior information; 2) because the virtual execution through the virtual APIs records all operational behaviors of the dangerous file, the behavior information obtained by the computer device is comprehensive, which avoids the situation where the real environment of the computer device cannot be fully repaired because the behavior information is incomplete; 3) running the dangerous file in the virtual environment does not affect the real environment of the computer device, the virtual environment takes up very little space in the computer device, and the virtual environment does not need to actually execute the virtual APIs.
  • the computer device can repair its real environment based on the behavior information of the dangerous file obtained in the virtual environment, so as to quickly and comprehensively repair the damage done to the real environment by the dangerous file and by other dangerous files it released.
  • FIG. 1 is a schematic flow chart of a method for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
  • FIG. 2 is a schematic flow chart of a method for determining behavior information corresponding to a dangerous file in a computer device according to another embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of an apparatus for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of an apparatus for determining behavior information corresponding to a dangerous file in a computer device according to another embodiment of the present invention.
  • FIG. 1 is a schematic flow chart of a method for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
  • the method of this embodiment is mainly implemented by a computer device; the computer device includes a network device and a user device.
  • the network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a super virtual computer consisting of a group of loosely coupled computers; the network in which the network device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a VPN (Virtual Private Network), etc.
  • the user equipment includes, but is not limited to, a PC (Personal Computer), a tablet, a smart phone, a PDA (Personal Digital Assistant), an IPTV (Internet Protocol Television), and the like.
  • the method according to the present embodiment includes step S1 and step S2.
  • in step S1, when it is detected that a dangerous file exists, the computer device runs the dangerous file in the virtual environment of the computer device.
  • the dangerous file includes any dangerous file, such as a virus file, a Trojan file, and the like.
  • the virtual environment is used to virtualize the real environment of the computer device, and the virtual environment includes at least one virtual API that is identical to at least one real API (Application Programming Interface) in the real environment.
  • the virtual API can be called in the virtual environment and returns the same feedback result as calling the corresponding real API in the real environment.
  • the real environment represents a system environment that is actually running in the computer device; for example, the system environment corresponding to a Windows operating system actually running in the computer device.
  • the real API represents an API in the real environment; for example, a system API of the Windows operating system actually running in the computer device.
  • for example, the real API DeleteFile is used to delete a specified file in the real environment and returns a feedback result indicating that the delete operation was executed successfully; the virtual environment of the computer device has a virtual API corresponding to this real API, and calling that virtual API in the virtual environment also returns a feedback result indicating that the delete operation was executed successfully.
  • the function of the virtual API is not actually executed; only the effect of calling the real API corresponding to the virtual API is virtualized.
  • for example, when the virtual API corresponding to DeleteFile is invoked in the virtual environment, the virtual API does not actually delete the specified file in the virtual environment, but directly returns the feedback result indicating successful execution of the delete operation, thereby virtualizing the effect of calling DeleteFile.
  • the virtual environment does not need to configure a registry and an environment variable in the computer device, so it can be directly started and run without performing a corresponding installation operation.
  • the virtual environment can be started in various scenarios, such as starting automatically when the computer device is powered on, starting automatically when a scanning operation is performed in the computer device, starting automatically when a dangerous file is detected, being started according to a user action, etc.
  • the virtual environment is restored to its initial environment each time it is started; more preferably, after the virtual environment is started, the virtual environment may automatically perform an initialization operation after the run of each dangerous file is completed, or the initialization operation can be performed according to a user operation, to restore the virtual environment to the initial environment.
  • the virtual environment may have a very small footprint in the computer device (eg, occupying a space of about 10 M), and its operation does not affect the operation of the real system of the computer device.
  • the size of the occupied space may vary according to the behavior of the dangerous file in the virtual environment, such as the behavior of dangerous files releasing other files.
  • when a dangerous file is detected, the computer device provides the dangerous file to the virtual environment of the computer device and runs the dangerous file in the virtual environment.
  • for example, when a virus file is detected in the computer device, the computer device provides the virus file to the virtual environment of the computer device and runs the virus file in the virtual environment.
  • the at least one virtual API in the virtual environment comprises an application-reading virtual API capable of reading the currently active applications.
  • step S1 further comprises: when the dangerous file calls the application-reading virtual API, the computer device provides the currently active application information to the dangerous file.
  • the application-reading virtual API includes any virtual API for reading the currently active applications, such as the virtual API corresponding to CreateToolhelp32Snapshot in the real system, where CreateToolhelp32Snapshot is used in the real system to obtain information about all currently active processes.
  • the application information includes any information indicating the currently active application, such as an application name of the currently active application, a process ID of the currently active application, and the like.
  • while the dangerous file is running in the virtual environment, when the dangerous file invokes the application-reading virtual API, the computer device returns the currently active application information to the dangerous file through that virtual API.
  • for example, the virus file file1 is run in the virtual environment.
  • when file1 calls the application-reading virtual API, the computer device returns the currently active application information to file1 through that virtual API, where the application information indicates that the currently active applications include APP1 and APP2.
  • the application reading the virtual API can obtain the currently active application information in various ways.
  • the application reads the virtual API to obtain the currently active application information through the user's process configuration of the virtual environment. For example, the user configures the process list in the virtual environment, and adds the applications APP1 and APP2 in the process list, and the application read virtual API can read the currently active applications according to the process list, including APP1 and APP2.
  • the application-reading virtual API triggers obtaining the currently active application information from the real environment of the computer device.
  • for example, the application-reading virtual API triggers the real API corresponding to it in the real environment of the computer device, and obtains the currently active application information from the result returned by that real API.
  • step S2 the computer device monitors the behavior of the dangerous file in the virtual environment to obtain behavior information corresponding to the dangerous file.
  • the computer device can obtain the behavior information corresponding to the dangerous file by monitoring and recording the behavior performed by the dangerous file in the virtual environment.
  • the computer device monitors the behavior of the dangerous file based on the virtual API invoked during the running of the dangerous file, and obtains behavior information corresponding to the dangerous file.
  • the computer device records, through the virtual APIs invoked while the dangerous file runs, all behaviors of the dangerous file that cause changes in the virtual environment, and obtains the behavior information corresponding to those behaviors.
  • the behavior information includes any information related to the operational behavior of the dangerous file in the virtual environment.
  • the behavior information includes but is not limited to:
  • the file operation behavior includes any operation behavior that can be performed on the file, such as creating, updating, deleting a file, and the like.
  • the information related to the file operation behavior includes, but is not limited to: information indicating the type of operation behavior on the file (such as a creation, update, or deletion operation), the name of the file operated on, path information of the file operated on, etc.
  • the registry operation behavior includes any operation behavior that can be performed on the registry, such as creating, setting, deleting a registry key, and the like.
  • the information related to the registry operation behavior includes, but is not limited to: information indicating the type of operation behavior on the registry (such as a creation, setting, or deletion operation), the registry key operated on, the value corresponding to that registry key, etc.
  • the process operation behavior includes any operation behaviors that can be performed on the process, such as creating and closing processes, writing across processes, and the like.
  • the information related to the process operation behavior includes, but is not limited to: information indicating the type of operation behavior on the process (such as creating and closing a process, or writing across processes), the ID of the process operated on, and path information corresponding to the process operated on.
  • the thread operation behavior includes any operation behavior that can be performed on a thread, such as thread injection.
  • the information related to the thread operation behavior includes, but is not limited to: information indicating the type of operation behavior on the thread, the identifier (ID) of the thread operated on, a feature value corresponding to the thread operated on, and the like.
  • the feature value is used to indicate a feature of the thread.
  • the feature value is a check value computed over the thread's code of a given length; for example, when the code length of the thread is 0x100, the feature value is the CRC32 (Cyclic Redundancy Check) value corresponding to that code length.
  • the method of this embodiment further includes step S4, and step S2 further includes step S21.
  • step S4 the computer device obtains at least one file released by the dangerous file in the virtual environment.
  • the computer device obtains the following files released during the running of the dangerous file file2: ser2vet.exe, autorun.inf.
  • step S21 the computer device monitors the behavior of the dangerous file and the at least one file released by the dangerous file in the virtual environment, and obtains behavior information corresponding to the dangerous file.
  • for example, in step S4 the computer device obtains the following dangerous files released by the dangerous file file2: ser2vet.exe and autorun.inf; in step S21 the computer device monitors, in the virtual environment, the behavior of file2, ser2vet.exe and autorun.inf respectively, obtains the behavior information of the three dangerous files, and uses the obtained behavior information as the behavior information corresponding to the dangerous file file2.
  • the method of this embodiment further includes step S5.
  • in step S5, the computer device closes the virtual environment when a predetermined closing condition is met.
  • the predetermined closing condition includes any predetermined condition for indicating to close the virtual environment.
  • the predetermined closing condition includes but is not limited to:
  • the dangerous file performs a process exit operation in a virtual environment.
  • the process exit operation includes any operation indicating that the process of the dangerous file exits; preferably, the process exit operation includes, but is not limited to, a self-delete operation of the dangerous file, a deletion of the dangerous file performed by the user in the virtual environment, etc.
  • the predetermined closing condition is satisfied when the running time of the dangerous file in the virtual environment exceeds 5 s.
  • the above predetermined closing conditions are merely examples and are not intended to limit the present invention; any predetermined condition indicating that the virtual environment should be closed falls within the scope of the predetermined closing condition described in the present invention.
  • the behavior information of the dangerous file can be obtained by running the dangerous file in the virtual environment of the computer device, the process does not need manual analysis, and the time required for obtaining the behavior information is greatly saved;
  • the virtual execution of the virtual API can be used to record all the operational behaviors of the dangerous files, so that the behavior information obtained by the computer device is comprehensive, so as to avoid the real environment of the computer device cannot be completely repaired due to the incomplete behavior information.
  • running the dangerous file in the virtual environment does not affect the real environment of the computer device, the virtual environment takes up very little space in the computer device, and the virtual environment does not need to actually perform the function of the virtual API but only needs to return the same feedback result as calling the corresponding real API in the real environment, which lets the dangerous file run faster in the virtual environment and so yields its behavior information quickly.
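The following is an added example, not code from the patent or from the assignee: a Python model of steps S1, S2, S4 and S5 in which each virtual API (named after the real Windows API it stands in for) records the call as behavior information and returns a success result without performing the operation, the application-reading virtual API answers from a configured process list, and the closing condition is process exit or a 5 s timeout. The "dangerous file" is a constructed stand-in function that only calls these virtual APIs; all paths, keys and process names are constructed sample values.

```python
import time
import zlib
from dataclasses import dataclass, field

SUCCESS = 1          # stands in for the non-zero BOOL a real DeleteFile returns
TIMEOUT_SECONDS = 5  # the 5 s predetermined closing condition from the text
INITIAL_PROCESS_LIST = ["APP1", "APP2"]  # user-configured process list (constructed)


@dataclass
class VirtualEnvironment:
    """Virtual environment: every virtual API records the call as behavior
    information and returns the real API's success result without performing
    the real operation, so the real environment is never touched."""
    active_processes: list = field(default_factory=lambda: list(INITIAL_PROCESS_LIST))
    behavior_info: list = field(default_factory=list)
    released_files: list = field(default_factory=list)   # step S4
    exited: bool = False
    started_at: float = field(default_factory=time.monotonic)

    def reset(self):
        """Restore the initial environment (done at start and after each run)."""
        self.__init__()

    def _record(self, category, op, **details):
        self.behavior_info.append({"category": category, "op": op, **details})

    # --- virtual APIs, named after the real Windows APIs they stand in for ---
    def DeleteFile(self, path):
        self._record("file", "delete", path=path)
        return SUCCESS                        # nothing is actually deleted

    def CreateFile(self, path, content=b""):
        self._record("file", "create", path=path, size=len(content))
        self.released_files.append(path)      # a file released by the sample
        return SUCCESS

    def RegSetValue(self, key, value):
        self._record("registry", "set", key=key, value=value)
        return SUCCESS

    def RegDeleteKey(self, key):
        self._record("registry", "delete", key=key)
        return SUCCESS

    def WriteProcessMemory(self, target_path):
        self._record("process", "cross_process_write", path=target_path)
        return SUCCESS

    def CreateRemoteThread(self, target_path, code):
        # thread feature value: CRC32 over the first 0x100 bytes of its code
        feature = zlib.crc32(code[:0x100]) & 0xFFFFFFFF
        self._record("thread", "inject", path=target_path, feature=feature)
        return SUCCESS

    def CreateToolhelp32Snapshot(self):
        # application-reading virtual API: answers from the configured list,
        # never from the real process table
        return list(self.active_processes)

    def ExitProcess(self):
        self._record("process", "exit")
        self.exited = True

    def should_close(self):
        """Step S5 closing condition: process exit, or runtime over 5 s."""
        return self.exited or time.monotonic() - self.started_at > TIMEOUT_SECONDS


def constructed_sample(env):
    """Constructed stand-in for a dangerous file: it only calls virtual APIs."""
    procs = env.CreateToolhelp32Snapshot()
    env.CreateFile(r"C:\autorun.inf", b"constructed")
    env.CreateFile(r"C:\ser2vet.exe", b"MZ" + bytes(0x200))
    env.RegSetValue(r"HKCU\Software\Constructed\Run\x", r"C:\ser2vet.exe")
    env.DeleteFile(r"C:\Users\user\notes.txt")
    if "APP1" in procs:
        env.WriteProcessMemory(r"C:\Program Files\APP1\app1.exe")
        env.CreateRemoteThread(r"C:\Program Files\APP1\app1.exe", bytes(0x100))
    env.ExitProcess()


def analyze(sample):
    """Steps S1/S2: run the sample in a fresh virtual environment, monitor it,
    and return (behavior_info, released_files, closing_condition_met)."""
    env = VirtualEnvironment()
    env.reset()                               # initial environment on start
    sample(env)
    return env.behavior_info, env.released_files, env.should_close()
```

The returned behavior records carry the category, operation type and details (path, key, value, feature value) that the description lists for file, registry, process and thread behaviors.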
  • FIG. 2 is a schematic flow chart of a method for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
  • the method of the present embodiment is mainly implemented by a computer device; wherein any reference to the computer device in the embodiment shown in FIG. 1 is incorporated herein.
  • the method according to the present embodiment includes step S1, step S2, and step S3.
  • the step S1 and the step S2 are described in detail with reference to FIG. 1 and will not be further described herein.
  • in step S3, the computer device repairs the real environment of the computer device according to the behavior information corresponding to the dangerous file.
  • the computer device can repair the real environment of the computer device according to the behavior information corresponding to the dangerous file in various scenarios.
  • for example, after step S2 the computer device directly performs step S3 to repair the real environment of the computer device.
  • for another example, after step S2, when it is determined according to the user's operation that the dangerous file is to be cleared, the computer device performs step S3 to repair the real environment of the computer device while clearing the dangerous file.
  • step S3 is performed to repair the real environment of the computer device.
  • in step S3, the computer device directly performs, according to the behavior information corresponding to the dangerous file, an operation opposite to the operation behavior indicated by that behavior information, so as to restore the real environment of the computer device.
  • for example, the behavior information of the dangerous file includes information indicating the creation of a file and path information of the created file; then, in step S3, the computer device deletes the created file at the file path indicated by the path information, restoring the real environment to its state before the dangerous file was run.
  • for another example, the behavior information of the dangerous file includes information indicating that a registry key was deleted, together with the deleted registry key; then, in step S3, the computer device restores the deleted registry entry according to the behavior information, restoring the real environment to its state before the dangerous file was run.
  • step S3 further includes step S31 and step S32.
  • step S31 the computer device determines corresponding repair operation information according to the behavior information corresponding to the dangerous file.
  • the repair operation information includes any information related to the repair operation.
  • the repair operation information includes but is not limited to:
  • the file repair operation includes any operation for repairing a file, such as restoring file parameters, deleting a file, etc.
  • the information related to the file repair operation includes, but is not limited to, information indicating a type of repair operation of the file, a file name to be operated, a file parameter to be restored, a value of the file parameter, and the like.
  • the computer device scans the dangerous file and at least one file released by the dangerous file in its real system, and determines the information related to the file repair operation according to the scan result and the behavior information of the dangerous file.
  • the registry repair operation includes any operations for repairing the registry, such as restoring, deleting a registry key, and the like.
  • the information related to the registry repair operation includes, but is not limited to, information indicating a type of repair operation of the registry, a registry key to be operated, a value corresponding to the registry key, and the like.
  • the computer device can obtain a default value corresponding to the registry key by querying the local knowledge base, and use the default value as a value corresponding to the registry key.
  • the process repair operation includes any operations for repairing a process, such as closing, restarting, etc. of a process.
  • the information related to the process repair operation includes, but is not limited to, information indicating a type of repair operation of the process, path information corresponding to the operated process, and the like.
  • when the process operated on is a system file, the process repair operation can be completed directly by restarting the computer device, without obtaining repair operation information for the process.
  • the thread repair operation includes any operation for repairing a thread, such as stopping a thread.
  • the information related to the thread repair operation includes, but is not limited to, information indicating a type of repair operation of the thread, and a feature value corresponding to the thread being operated.
  • the above repair operation information is only an example and is not intended to limit the present invention; those skilled in the art should understand that any information related to a repair operation falls within the scope of the repair operation information described in the present invention.
  • step S31 the computer device determines the repair operation indicated by the repair operation information according to the operation behavior indicated by the behavior information corresponding to the dangerous file, and further determines the repair operation information according to the repair operation and the behavior information.
  • for example, the behavior information includes information indicating cross-process writing and path information of the process operated on; in step S31, the computer device determines from the information indicating the cross-process write that the repair operation is restarting the process, and determines from the repair operation and the behavior information that the repair operation information includes information indicating the restart of a process and path information of the process to be restarted.
  • for another example, the behavior information includes information indicating thread injection and a feature value corresponding to the thread operated on; in step S31, the computer device determines from the information indicating thread injection that the repair operation is stopping the thread, and determines from the repair operation and the behavior information that the repair operation information includes information indicating the stopping of a thread and the feature value corresponding to the thread to be stopped.
  • step S32 the computer device repairs the real environment of the computer device according to the repair operation information.
  • the repair operation information determined in step S31 includes information indicating a restart process and path information corresponding to the operated process.
  • the computer device searches for the corresponding process according to the path information, and restarts the found process.
  • the repair operation information determined in step S31 includes information indicating a stop thread and a feature value corresponding to the operated thread.
  • the computer device determines the matching thread based on the feature value and stops the thread.
  • step S3 when it is determined that the computer device needs to be restarted, the computer device presents the user with prompt information for prompting to restart the computer device.
  • the computer device can repair the real environment of the computer device according to the behavior information of the dangerous file obtained in the virtual environment, so as to quickly and comprehensively repair the damage done to the real environment by the dangerous file and by other dangerous files it released.
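The following is an added example, not code from the patent or from the assignee: a Python model of steps S3, S31 and S32, in which each recorded behavior is mapped to its inverse repair operation (created file to delete file, changed registry key to restore from a local knowledge base, cross-process write to restart process or, for a system file, a device restart, thread injection to stop the thread with the matching feature value) and the resulting repair operation information is applied to an in-memory model of the real environment. The behavior records, knowledge base, system-file set and environment contents are all constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed "local knowledge base" of default registry values (step S31).
KNOWLEDGE_BASE = {r"HKCU\Software\Constructed\Shell": "explorer.exe"}
# Constructed set of system files: an affected system process is handled by
# restarting the device rather than by per-process repair information.
SYSTEM_FILES = {r"C:\Windows\System32\constructed_svc.exe"}


def plan_repairs(behavior_info):
    """Step S31: map each recorded behavior to its inverse repair operation.
    Returns (repair_operation_info, needs_restart)."""
    repairs, needs_restart = [], False
    for rec in behavior_info:
        cat, op = rec["category"], rec["op"]
        if cat == "file" and op == "create":
            repairs.append({"type": "delete_file", "path": rec["path"]})
        elif cat == "registry" and op == "create":
            repairs.append({"type": "delete_key", "key": rec["key"]})
        elif cat == "registry" and op in ("set", "delete"):
            if rec["key"] in KNOWLEDGE_BASE:        # default value known
                repairs.append({"type": "restore_key", "key": rec["key"],
                                "value": KNOWLEDGE_BASE[rec["key"]]})
            elif op == "set":                       # no default: drop the key
                repairs.append({"type": "delete_key", "key": rec["key"]})
        elif cat == "process" and op == "cross_process_write":
            if rec["path"] in SYSTEM_FILES:
                needs_restart = True                # prompt a device restart
            else:
                repairs.append({"type": "restart_process", "path": rec["path"]})
        elif cat == "thread" and op == "inject":
            repairs.append({"type": "stop_thread", "feature": rec["feature"]})
        # file deletions and process exit have no inverse in this model
    return repairs, needs_restart


@dataclass
class RealEnvironmentModel:
    """In-memory stand-in for the real environment (constructed)."""
    files: set = field(default_factory=set)
    registry: dict = field(default_factory=dict)
    processes: dict = field(default_factory=dict)   # path -> restart count
    threads: dict = field(default_factory=dict)     # feature value -> running?


def apply_repairs(env, repairs):
    """Step S32: carry out the repair operation info against the model.
    Returns the operations that could not be applied."""
    failed = []
    for r in repairs:
        t = r["type"]
        if t == "delete_file" and r["path"] in env.files:
            env.files.discard(r["path"])
        elif t == "restore_key":
            env.registry[r["key"]] = r["value"]
        elif t == "delete_key":
            env.registry.pop(r["key"], None)
        elif t == "restart_process" and r["path"] in env.processes:
            env.processes[r["path"]] += 1           # found by path, restarted
        elif t == "stop_thread" and r["feature"] in env.threads:
            env.threads[r["feature"]] = False       # matched by feature value
        else:
            failed.append(r)
    return failed


# Constructed behavior information in the record shape a monitoring step
# would produce: category, operation type, and the details the text lists.
SAMPLE_BEHAVIOR = [
    {"category": "file", "op": "create", "path": r"C:\autorun.inf"},
    {"category": "file", "op": "create", "path": r"C:\ser2vet.exe"},
    {"category": "registry", "op": "set", "key": r"HKCU\Software\Constructed\Shell",
     "value": r"C:\ser2vet.exe"},
    {"category": "registry", "op": "create", "key": r"HKCU\Software\Constructed\Run\x"},
    {"category": "process", "op": "cross_process_write",
     "path": r"C:\Program Files\APP1\app1.exe"},
    {"category": "process", "op": "cross_process_write",
     "path": r"C:\Windows\System32\constructed_svc.exe"},
    {"category": "thread", "op": "inject", "feature": 0x1234ABCD},
    {"category": "process", "op": "exit"},
]


def repair_from_sample():
    """Run S31 then S32 on a constructed real environment; returns
    (environment after repair, repair info, needs_restart, failed ops)."""
    env = RealEnvironmentModel(
        files={r"C:\autorun.inf", r"C:\ser2vet.exe", r"C:\Users\user\notes.txt"},
        registry={r"HKCU\Software\Constructed\Shell": r"C:\ser2vet.exe",
                  r"HKCU\Software\Constructed\Run\x": r"C:\ser2vet.exe"},
        processes={r"C:\Program Files\APP1\app1.exe": 0},
        threads={0x1234ABCD: True},
    )
    repairs, needs_restart = plan_repairs(SAMPLE_BEHAVIOR)
    failed = apply_repairs(env, repairs)
    return env, repairs, needs_restart, failed
```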
  • FIG. 3 is a schematic structural diagram of an apparatus for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
  • the apparatus for determining behavior information corresponding to a dangerous file according to the present embodiment includes means for running the dangerous file in a virtual environment of the computer device when a dangerous file is detected (hereinafter simply referred to as "running device 1"), and means for monitoring the behavior of the dangerous file in the virtual environment to obtain behavior information corresponding to the dangerous file (hereinafter simply referred to as "monitoring device 2").
  • when a dangerous file is detected, the running device 1 runs the dangerous file in the virtual environment of the computer device.
  • the dangerous file includes any dangerous files, such as virus files, Trojan files, and the like.
  • the virtual environment is used to virtualize the real environment of the computer device, and the virtual environment includes at least one virtual API that is identical to at least one real API in the real environment.
  • the virtual API can be called in the virtual environment and returns the same feedback result as calling the corresponding real API in the real environment.
  • the real environment represents a system environment that is actually running in the computer device; for example, the system environment corresponding to a Windows operating system actually running in the computer device.
  • the real API represents an API in the real environment; for example, a system API of the Windows operating system actually running in the computer device.
  • for example, the real API DeleteFile is used to delete a specified file in the real environment and returns a feedback result indicating that the delete operation was executed successfully; the virtual environment of the computer device has a virtual API corresponding to this real API, and calling that virtual API in the virtual environment also returns a feedback result indicating that the delete operation was executed successfully.
  • the function of the virtual API is not actually executed; only the effect of calling the real API corresponding to the virtual API is virtualized.
  • for example, when the virtual API corresponding to DeleteFile is invoked in the virtual environment, the virtual API does not actually delete the specified file in the virtual environment, but directly returns the feedback result indicating successful execution of the delete operation, thereby virtualizing the effect of calling DeleteFile.
  • the virtual environment does not need to configure a registry and an environment variable in the computer device, so it can be directly started and run without performing a corresponding installation operation.
  • the virtual environment can be started in various scenarios, such as automatically starting when the computer device is powered on, automatically starting when a scanning operation is performed in the computer device, automatically starting when a dangerous file is detected, being started according to a user operation, etc.
  • the virtual environment is restored to its initial environment each time it is started; more preferably, after the virtual environment is started, it may automatically perform an initialization operation after each dangerous file finishes running, or the initialization operation may be performed according to a user operation, to restore the virtual environment to its initial environment.
  • the virtual environment may have a very small footprint in the computer device (eg, occupying a space of about 10 M), and its operation does not affect the operation of the real system of the computer device.
  • the size of the occupied space may vary according to the behavior of the dangerous file in the virtual environment, such as the behavior of dangerous files releasing other files.
  • when it is detected that a dangerous file exists, the running device 1 provides the dangerous file to the virtual environment of the computer device and runs the dangerous file in the virtual environment.
  • for example, when it is detected that a virus file exists in the computer device, the running device 1 provides the virus file to the virtual environment of the computer device and runs the virus file in the virtual environment.
  • the at least one virtual API in the virtual environment comprises an application read virtual API capable of reading the currently active applications, and the running device 1 further comprises a device for providing the currently active application information to the dangerous file when the dangerous file calls the application read virtual API (hereinafter referred to as "providing device", not shown).
  • the application read virtual API includes any virtual API for reading the currently active applications, such as a virtual API corresponding to CreateToolhelp32Snapshot in the real system; CreateToolhelp32Snapshot is used in the real system to obtain information about all currently active processes.
  • the application information includes any information indicating the currently active applications, such as the application name of a currently active application, the process ID of a currently active application, and the like.
  • when the dangerous file invokes the application read virtual API, the providing device returns the currently active application information to the dangerous file through that virtual API.
  • for example, the virus file file1 is run in the virtual environment; when file1 calls the application read virtual API, the providing device returns the currently active application information to file1 through the application read virtual API, where the application information indicates that the currently active applications include APP1 and APP2.
  • the application read virtual API can obtain the currently active application information in various ways.
  • as one example, the application read virtual API obtains the currently active application information from the user's process configuration of the virtual environment. For example, the user configures the process list in the virtual environment and adds the applications APP1 and APP2 to it; the application read virtual API can then read from the process list that the currently active applications include APP1 and APP2.
  • as another example, the application read virtual API triggers obtaining the currently active application information from the real environment of the computer device.
  • for example, the application read virtual API triggers a call, in the real environment of the computer device, to the real API corresponding to the application read virtual API, and obtains the currently active application information from the return result of that real API.
  • the monitoring device 2 monitors the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file.
  • the monitoring device 2 can obtain behavior information corresponding to the dangerous file by monitoring and recording the behavior performed by the dangerous file in the virtual environment.
  • the monitoring device 2 monitors the behavior of the dangerous file based on the virtual API invoked during the running of the dangerous file, and obtains behavior information corresponding to the dangerous file.
  • the monitoring device 2 records, through the virtual APIs invoked while the dangerous file is running, all behaviors of the dangerous file that cause the virtual environment to change, and obtains the behavior information corresponding to those behaviors.
  • the behavior information includes any information related to the operational behavior of the dangerous file in the virtual environment.
  • the behavior information includes but is not limited to:
  • the file operation behavior includes any operation behavior that can be performed on the file, such as creating, updating, deleting a file, and the like.
  • the information related to the file operation behavior includes but is not limited to: information indicating a type of operation behavior of the file (such as creation, update, deletion), the name of the operated file, the path information of the operated file, etc.
  • the registry operation behavior includes any operation behavior that can be performed on the registry, such as creating, setting, deleting a registry key, and the like.
  • the information related to the registry operation behavior includes, but is not limited to, information indicating a type of operation behavior of the registry (such as creating, setting, deleting operation behavior), an operated registry key, a registry key Corresponding values, etc.
  • the process operation behavior includes any operation behaviors that can be performed on the process, such as creating and closing processes, writing across processes, and the like.
  • the information related to the process operation behavior includes but is not limited to information indicating a type of operation behavior of the process (such as creating and closing a process, writing across processes), the ID of the operated process, and the path information corresponding to the operated process.
  • the thread operation behavior includes any operation behavior that can be performed on a thread, such as thread injection.
  • the information related to the thread operation behavior includes, but is not limited to, information for indicating a type of operation behavior of the thread, an identifier ID of the thread to be operated, a feature value corresponding to the thread to be operated, and the like;
  • the feature value is used to indicate a feature of the thread.
  • the feature value is a check value corresponding to the code length of the thread; for example, the code length of the thread is 0x100, and the feature value is the CRC32 (Cyclic Redundancy Check) value corresponding to that code length.
  • the behavior determining apparatus of the embodiment further includes means for obtaining at least one file released by the dangerous file in the virtual environment (hereinafter referred to as "obtaining device”, not shown), the monitoring device 2 further comprising means for monitoring the behavior of the at least one file released by the dangerous file and the dangerous file in the virtual environment, and obtaining the behavior information corresponding to the dangerous file (hereinafter referred to as "sub-monitoring device”, Not shown).
  • the obtaining device acquires at least one file released by the dangerous file in the virtual environment.
  • the obtaining device in the virtual environment obtains the following files released during the running of the dangerous file file2: ser2vet.exe, autorun.inf.
  • the sub-monitoring device monitors the behavior of the dangerous file and the at least one file released by the dangerous file in a virtual environment, and obtains behavior information corresponding to the dangerous file.
  • the obtaining device obtains the following dangerous files released by the dangerous file file2: ser2vet.exe, autorun.inf; the sub-monitoring device monitors the behaviors of file2, ser2vet.exe and autorun.inf in the virtual environment to obtain the behavior information of these three dangerous files, and the obtained behavior information is taken as the behavior information corresponding to the dangerous file file2.
  • the manner in which the sub-monitoring device monitors the behavior of each file released by the dangerous file is the same as or similar to the manner in which the behavior of the dangerous file in the monitoring device 2 is monitored, and details are not described herein again.
  • the behavior determining apparatus of the present embodiment further includes a device for shutting down the virtual environment when a predetermined shutdown condition is satisfied (hereinafter referred to as "shutdown device", not shown).
  • when the predetermined shutdown condition is satisfied, the shutdown device shuts down the virtual environment.
  • the predetermined shutdown condition includes any predetermined condition indicating that the virtual environment is to be shut down.
  • the predetermined shutdown condition includes but is not limited to:
  • the dangerous file performs a process exit operation in the virtual environment.
  • the process exit operation includes any operation indicating that the process of the dangerous file exits; preferably, the process exit operation includes, but is not limited to, a self-delete operation of the dangerous file, a deletion of the dangerous file performed by the user in the virtual environment, etc.
  • the running time of the dangerous file in the virtual environment exceeds a predetermined time; for example, if the predetermined time is 5 s, the predetermined shutdown condition is satisfied when the running time of the dangerous file in the virtual environment exceeds 5 s.
  • the above predetermined shutdown conditions are merely examples and are not intended to limit the present invention.
  • any predetermined condition indicating the shutdown of the virtual environment falls within the scope of the predetermined shutdown condition described in the present invention.
  • the behavior information of the dangerous file can be obtained by running the dangerous file in the virtual environment of the computer device; this process requires no manual analysis, and the time required to obtain the behavior information is greatly reduced;
  • because all operation behaviors of the dangerous file can be recorded through the virtual execution of the virtual APIs, the behavior information obtained by the computer device is comprehensive, which avoids the real environment of the computer device not being fully repaired because of incomplete behavior information;
  • running the dangerous file in the virtual environment does not affect the real environment of the computer device, the virtual environment takes up very little space in the computer device, and the virtual environment does not need to actually perform the functions of the virtual APIs but only needs to return the same feedback results as the corresponding real APIs in the real environment, so the dangerous file runs faster in the virtual environment and its behavior information is obtained more quickly.
  • FIG. 4 is a schematic structural diagram of an apparatus for determining behavior information corresponding to a dangerous file in a computer device according to an embodiment of the present invention.
  • the behavior determining apparatus according to the present embodiment includes the running device 1, the monitoring device 2, and a device for repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file (hereinafter referred to as "repair device 3").
  • the operation device 1 and the monitoring device 2 have been described in detail with reference to FIG. 3, and details are not described herein again.
  • the repairing device 3 repairs the real environment of the computer device according to the behavior information corresponding to the dangerous file.
  • the repairing device 3 can repair the real environment of the computer device according to the behavior information corresponding to the dangerous file in various scenarios.
  • for example, after the monitoring device 2 obtains the behavior information, the repairing device 3 directly performs the operation of repairing the real environment of the computer device.
  • as another example, when it is determined according to a user operation that the dangerous file is to be cleared, the repairing device 3 directly repairs the real environment of the computer device while clearing the dangerous file.
  • as a further example, after the dangerous file has been cleared, when it is determined according to a user operation that the real environment needs to be repaired, the repairing device 3 performs the operation of repairing the real environment of the computer device.
  • preferably, the repairing device 3 directly performs, according to the behavior information corresponding to the dangerous file, an operation opposite to the operation behavior indicated by the behavior information, to restore the real environment of the computer device.
  • for example, the behavior information of the dangerous file includes information indicating the creation of a file and path information of the created file. The repairing device 3 then deletes the created file under the file path indicated by the path information according to the behavior information, to restore the real environment to the state before the dangerous file was run.
  • as another example, the behavior information of the dangerous file includes information indicating that a registry key was deleted and the deleted registry key. The repairing device 3 then restores the deleted registry key according to the behavior information, to restore the real environment to the state before the dangerous file was run.
  • the repairing device 3 further includes a device for determining corresponding repair operation information according to the behavior information corresponding to the dangerous file (hereinafter referred to as "determining device", not shown), and a device for repairing the real environment of the computer device according to the repair operation information (hereinafter referred to as "sub-repair device", not shown).
  • the determining device determines the corresponding repair operation information according to the behavior information corresponding to the dangerous file.
  • the repair operation information includes any information related to the repair operation.
  • the repair operation information includes but is not limited to:
  • the file repair operation includes any operations for repairing files, such as restoring file parameters, deleting files, and the like.
  • the information related to the file repair operation includes, but is not limited to, information indicating a type of repair operation of the file, a file name to be operated, a file parameter to be restored, a value of the file parameter, and the like.
  • the determining device scans the dangerous file and the at least one file released by the dangerous file in the real system of the computer device, and determines the information related to the file repair operation according to the scan result and the behavior information of the dangerous file.
  • the registry repair operation includes any operations for repairing the registry, such as restoring, deleting a registry key, and the like.
  • the information related to the registry repair operation includes, but is not limited to, information indicating a type of repair operation of the registry, a registry key to be operated, a value corresponding to the registry key, and the like.
  • when the registry repair operation is setting a registry key, the determining device may obtain the default value corresponding to the registry key by querying a local knowledge base, and use that default value as the value corresponding to the registry key.
  • the process repair operation includes any operations for repairing a process, such as closing, restarting, etc. of a process.
  • the information related to the process repair operation includes, but is not limited to, information indicating a type of repair operation of the process, path information corresponding to the operated process, and the like.
  • when the process being operated is a system file, the process repair operation can be completed directly by restarting the computer device, without obtaining repair operation information for the process.
  • the thread repair operation includes any operation for repairing a thread, such as stopping a thread.
  • the information related to the thread repair operation includes, but is not limited to, information indicating a type of repair operation of the thread, and a feature value corresponding to the thread being operated.
  • the above repair operation information is only an example and is not intended to limit the present invention. Those skilled in the art should understand that any information related to the repair operation falls within the scope of the repair operation information described in the present invention.
  • the determining device determines the repair operation indicated by the repair operation information according to the operation behavior indicated by the behavior information corresponding to the dangerous file, and further determines the repair operation information according to that repair operation and the behavior information.
  • for example, the behavior information includes information indicating a cross-process write and the path information of the operated process; the determining device determines from the information indicating the cross-process write that the repair operation is restarting the process, and determines from that repair operation and the behavior information that the repair operation information includes: information indicating that the process is to be restarted and the path information of the process to be restarted.
  • as another example, the behavior information includes information indicating thread injection and a feature value corresponding to the operated thread; the determining device determines from the information indicating thread injection that the repair operation is stopping the thread, and determines from that repair operation and the behavior information that the repair operation information includes: information indicating that the thread is to be stopped and the feature value corresponding to the thread to be stopped.
  • the sub-repair device repairs the real environment of the computer device according to the repair operation information.
  • for example, the repair operation information determined by the determining device includes information indicating that a process is to be restarted and path information corresponding to the operated process.
  • the sub-repair device looks up the corresponding process according to the path information and restarts the process found.
  • as another example, the repair operation information determined by the determining device includes information indicating that a thread is to be stopped and a feature value corresponding to the operated thread.
  • the sub-repair device determines the matching thread according to the feature value and stops that thread.
  • after the repair, when it is determined that the computer device needs to be restarted, the computer device presents the user with prompt information prompting a restart of the computer device.
  • the computer device can repair its real environment according to the behavior information of the dangerous file obtained in the virtual environment, so as to quickly and comprehensively repair the damage done to the real environment by the dangerous file and by the other dangerous files it released.
  • the present invention may be implemented in software and/or a combination of software and hardware.
  • for example, each device of the present invention may employ an Application Specific Integrated Circuit (ASIC) or any other similar hardware device.
  • the software program of the present invention may be executed by a processor to implement the steps or functions described above.
  • the software program (including related data structures) of the present invention can be stored in a computer readable recording medium such as a RAM (random access memory) memory, a magnetic or optical drive or a floppy disk and the like.
  • some of the steps or functions of the present invention may be implemented in hardware, for example, as a circuit that cooperates with a processor to perform various steps or functions.

Abstract

A method for determining, in a computer device, behavior information corresponding to a dangerous file, wherein the method includes: when it is detected that a dangerous file exists, running the dangerous file in a virtual environment of the computer device, wherein the virtual environment includes at least one virtual API identical to at least one real API in the real environment of the computer device; and monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file. According to this method, the destructive behavior of the dangerous file need not be analyzed manually, and the behavior information of the dangerous file can be obtained quickly in the virtual environment, so that the real system of the computer device can be repaired quickly and comprehensively.

Description

Method and apparatus for determining behavior information corresponding to a dangerous file
This application claims priority from a Chinese patent application filed on March 18, 2015, with application number 201510119820.7 and entitled "Method and apparatus for determining behavior information corresponding to a dangerous file".
Technical Field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for determining, in a computer device, behavior information corresponding to a dangerous file.
Background
In the prior art, when a dangerous file is detected in a computer device, often only a simple delete operation is performed on it. However, when a dangerous file runs in a computer device, it often performs destructive behaviors on the system environment of the computer device (such as destructive behaviors performed on registry keys, scheduled tasks, executable files, etc.), so simply deleting the dangerous file cannot restore the computer device to its original normal system environment.
Furthermore, such destructive behaviors can only be obtained by manually analyzing the dangerous file and its running process, which requires the user to invest a great deal of time and effort; the processing cycle is long and the efficiency extremely low, and because the manual analysis may be incomplete or some of the logic of the dangerous file may not be triggered, not all destructive behaviors of the dangerous file can be fully obtained.
Summary
The object of the present invention is to provide a method and apparatus for determining, in a computer device, behavior information corresponding to a dangerous file.
According to one aspect of the present invention, a method for determining, in a computer device, behavior information corresponding to a dangerous file is provided, wherein the method includes:
when it is detected that a dangerous file exists, running the dangerous file in a virtual environment of the computer device, wherein the virtual environment includes at least one virtual API identical to at least one real API in the real environment of the computer device;
monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file.
According to another aspect of the present invention, an apparatus for determining, in a computer device, behavior information corresponding to a dangerous file is also provided, wherein the apparatus includes:
a device for running the dangerous file in a virtual environment of the computer device when it is detected that a dangerous file exists, wherein the virtual environment includes at least one virtual API identical to at least one real API in the real environment of the computer device;
a device for monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file.
Compared with the prior art, the present invention has the following advantages: 1) the behavior information of a dangerous file can be obtained by running the dangerous file in the virtual environment of the computer device; this process requires no manual analysis, greatly reducing the time needed to obtain the behavior information; 2) because all operation behaviors of the dangerous file can be recorded through the virtual execution of the virtual APIs, the behavior information obtained by the computer device is comprehensive, which avoids the real environment of the computer device not being fully repaired because of incomplete behavior information; 3) running the dangerous file in the virtual environment does not affect the real environment of the computer device, the virtual environment takes up very little space in the computer device, and the virtual environment need not actually perform the functions of the virtual APIs but only needs to return the same feedback results as calling the corresponding real APIs in the real environment, which lets the dangerous file run faster in the virtual environment and thus its behavior information be obtained quickly; 4) the computer device can repair its real environment according to the behavior information of the dangerous file obtained in the virtual environment, so as to quickly and comprehensively repair the damage done to the real environment by the dangerous file and by the other dangerous files it released.
Brief Description of the Drawings
Other features, objects and advantages of the present invention will become more apparent from reading the detailed description of the non-limiting embodiments made with reference to the following drawings:
FIG. 1 is a schematic flowchart of a method for determining, in a computer device, behavior information corresponding to a dangerous file according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a method for determining, in a computer device, behavior information corresponding to a dangerous file according to another embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an apparatus for determining, in a computer device, behavior information corresponding to a dangerous file according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an apparatus for determining, in a computer device, behavior information corresponding to a dangerous file according to another embodiment of the present invention.
The same or similar reference numerals in the drawings denote the same or similar components.
Detailed Description
The present invention is described in further detail below with reference to the drawings.
FIG. 1 is a schematic flowchart of a method for determining, in a computer device, behavior information corresponding to a dangerous file according to an embodiment of the present invention.
The method of this embodiment is mainly implemented by a computer device; the computer device includes network devices and user devices. The network device includes but is not limited to a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing, a super virtual computer composed of a group of loosely coupled computers; the network in which the network device is located includes but is not limited to the Internet, a wide area network, a metropolitan area network, a local area network, a VPN (Virtual Private Network), etc. The user device includes but is not limited to a PC (Personal Computer), a tablet computer, a smartphone, a PDA (Personal Digital Assistant), an IPTV (Internet Protocol Television) device, etc.
It should be noted that the above computer devices are only examples; other existing or future computer devices, if applicable to the present invention, should also be included within the scope of protection of the present invention and are incorporated herein by reference.
The method according to this embodiment includes step S1 and step S2.
In step S1, when it is detected that a dangerous file exists, the computer device runs the dangerous file in the virtual environment of the computer device.
The dangerous file includes any file that is dangerous, such as a virus file, a Trojan file, etc.
The virtual environment is used to virtualize the real environment of the computer device, and the virtual environment includes at least one virtual API identical to at least one real API (Application Program Interface) in the real environment. The virtual API can be called in the virtual environment and returns the same feedback result as calling, in the real environment, the real API corresponding to the virtual API. The real environment represents the system environment actually running in the computer device, for example, the system environment corresponding to a Windows operating system actually running in the computer device. The real API represents an API in the real environment, for example, a system API in a Windows operating system actually running in the computer device.
For example, the real environment of the computer device has the following real API: DeleteFile, which is used to delete a specified file in the real environment and returns a feedback result indicating that the delete operation was executed successfully; the virtual environment of the computer device has a virtual API corresponding to this real API, and calling the virtual API in the virtual environment likewise returns a feedback result indicating that the delete operation was executed successfully.
It should be noted that, preferably, when a virtual API is called in the virtual environment, the function of the virtual API is not actually executed; only the effect of calling the real API corresponding to the virtual API needs to be virtualized. For example, in the above example, when the virtual API corresponding to DeleteFile is called in the virtual environment, the virtual API does not delete the specified file in the virtual environment but directly returns, when called, the feedback result indicating that the delete operation was executed successfully, so as to virtualize the effect of calling DeleteFile.
Preferably, the virtual environment does not need the registry, environment variables, etc. of the computer device to be configured, so it can be started and run directly without performing a corresponding installation operation. It should be noted that the virtual environment can be started in many scenarios, such as starting automatically when the computer device is powered on, starting automatically when a scanning operation is performed in the computer device, starting automatically when a dangerous file is detected, being started according to a user operation, etc. It should be noted that, preferably, the virtual environment is restored to its initial environment each time it is started; more preferably, after the virtual environment is started, it may automatically perform an initialization operation after each dangerous file finishes running, or the initialization operation may be performed according to a user operation, to restore the virtual environment to its initial environment.
It should further be noted that the virtual environment may occupy very little space in the computer device (for example, about 10 M), and its running does not affect the running of the real system of the computer device. Preferably, the size of the occupied space may vary according to the behavior of the dangerous file in the virtual environment (such as the dangerous file releasing other files).
Specifically, when it is detected that a dangerous file exists, the computer device provides the dangerous file to the virtual environment of the computer device and runs the dangerous file in the virtual environment.
For example, when it is detected that a virus file exists in the computer device, the computer device provides the virus file to the virtual environment of the computer device and runs the virus file in the virtual environment.
Preferably, the at least one virtual API in the virtual environment includes an application read virtual API capable of reading the currently active applications, and step S1 further includes: when the dangerous file calls the application read virtual API, the computer device provides the currently active application information to the dangerous file.
The application read virtual API includes any virtual API for reading the currently active applications, such as a virtual API corresponding to CreateToolhelp32Snapshot in the real system; CreateToolhelp32Snapshot is used in the real system to obtain information about all currently active processes.
The application information includes any information indicating the currently active applications, such as the application names of the currently active applications, the process IDs of the currently active applications, etc.
Specifically, while the dangerous file is running in the virtual environment, when the dangerous file calls the application read virtual API, the computer device returns the currently active application information to the dangerous file through that virtual API.
For example, the virus file file1 is run in the virtual environment; when file1 calls the application read virtual API, the computer device returns the currently active application information to file1 through the application read virtual API, the application information indicating that the currently active applications include APP1 and APP2.
It should be noted that the application read virtual API can obtain the currently active application information in many ways.
As one example, the application read virtual API obtains the currently active application information from the user's process configuration of the virtual environment. For example, the user configures the process list in the virtual environment and adds the applications APP1 and APP2 to the process list; the application read virtual API can then read from the process list that the currently active applications include APP1 and APP2.
As another example, the application read virtual API triggers obtaining the currently active application information from the real environment of the computer device. For example, the application read virtual API triggers a call, in the real environment of the computer device, to the real API corresponding to the application read virtual API, and obtains the currently active application information from the return result of that real API.
It should be noted that the above examples are merely intended to better illustrate the technical solution of the present invention and are not a limitation of it; those skilled in the art should understand that any implementation of running the dangerous file in the virtual environment of the computer device when it is detected that a dangerous file exists falls within the scope of the present invention.
In step S2, the computer device monitors the behavior of the dangerous file in the virtual environment and obtains the behavior information corresponding to the dangerous file.
Specifically, the computer device can obtain the behavior information corresponding to the dangerous file by monitoring and recording the behaviors performed by the dangerous file in the virtual environment.
Preferably, the computer device monitors the behavior of the dangerous file in the virtual environment based on the virtual APIs called by the dangerous file while it runs, and obtains the behavior information corresponding to the dangerous file.
For example, in the virtual environment, through the virtual APIs called by the dangerous file while it runs, the computer device records all behaviors of the dangerous file that cause the virtual environment to change, and obtains the behavior information corresponding to those behaviors.
The behavior information includes any information related to the operation behavior of the dangerous file in the virtual environment. Preferably, the behavior information includes but is not limited to:
1) Information related to file operation behavior.
The file operation behavior includes any operation behavior that can be performed on a file, such as creating, updating, deleting a file, etc. Preferably, the information related to the file operation behavior includes but is not limited to: information indicating the type of the file operation behavior (such as create, update, delete), the name of the operated file, the path information of the operated file, etc.
2) Information related to registry operation behavior.
The registry operation behavior includes any operation behavior that can be performed on the registry, such as creating, setting, deleting a registry key, etc. Preferably, the information related to the registry operation behavior includes but is not limited to: information indicating the type of the registry operation behavior (such as create, set, delete), the operated registry key, the value corresponding to the registry key, etc.
3) Information related to process operation behavior.
The process operation behavior includes any operation behavior that can be performed on a process, such as creating and closing a process, cross-process writing, etc. Preferably, the information related to the process operation behavior includes but is not limited to information indicating the type of the process operation behavior (such as creating and closing a process, cross-process writing), the identifier ID of the operated process, the path information corresponding to the operated process, etc.
4) Information related to thread operation behavior.
The thread operation behavior includes any operation behavior that can be performed on a thread, such as thread injection, etc. Preferably, the information related to the thread operation behavior includes but is not limited to: information indicating the type of the thread operation behavior, the identifier ID of the operated thread, the feature value corresponding to the operated thread, etc.; the feature value indicates a feature of the thread, and preferably the feature value is a check value corresponding to the code length of the thread; for example, the code length of the thread is 0x100, and the feature value is the CRC32 (Cyclic Redundancy Check) value corresponding to that code length.
It should be noted that the above behavior information is merely an example and not a limitation of the present invention; those skilled in the art should understand that any information related to the behavior of the dangerous file in the virtual environment falls within the scope of the behavior information described in the present invention.
As a preferred solution, the method of this embodiment further includes step S4, and step S2 further includes step S21.
In step S4, the computer device obtains, in the virtual environment, at least one file released by the dangerous file.
For example, in the virtual environment, the computer device obtains the following files released by the dangerous file file2 while it was running: ser2vet.exe, autorun.inf.
In step S21, the computer device monitors, in the virtual environment, the behavior of the dangerous file and of the at least one file released by the dangerous file, and obtains the behavior information corresponding to the dangerous file.
For example, in step S4, the computer device obtains the following dangerous files released by the dangerous file file2: ser2vet.exe, autorun.inf; in step S21, the computer device monitors the behavior of file2, ser2vet.exe and autorun.inf respectively in the virtual environment to obtain the behavior information of these three dangerous files, and takes the obtained behavior information as the behavior information corresponding to the dangerous file file2.
It should be noted that the manner in which the computer device monitors the behavior of each file released by the dangerous file is the same as or similar to the manner in which the behavior of the dangerous file is monitored in step S2 above, and is not described again here.
It should be noted that the above examples are merely intended to better illustrate the technical solution of the present invention and are not a limitation of it; those skilled in the art should understand that any implementation of monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file falls within the scope of the present invention.
As a preferred solution, the method of this embodiment further includes step S5.
In step S5, when a predetermined shutdown condition is satisfied, the computer device shuts down the virtual environment.
The predetermined shutdown condition includes any predetermined condition indicating that the virtual environment is to be shut down. Preferably, the predetermined shutdown condition includes but is not limited to:
1) The dangerous file performs a process exit operation in the virtual environment.
The process exit operation includes any operation indicating that the process of the dangerous file exits; preferably, the process exit operation includes but is not limited to a self-delete operation of the dangerous file, a deletion of the dangerous file performed by the user in the virtual environment, etc.
2) The running time of the dangerous file in the virtual environment exceeds a predetermined time.
For example, if the predetermined time is 5 s, the predetermined shutdown condition is satisfied when the running time of the dangerous file in the virtual environment exceeds 5 s.
It should be noted that the above predetermined shutdown conditions are merely examples and not a limitation of the present invention; those skilled in the art should understand that any predetermined condition indicating that the virtual environment is to be shut down falls within the scope of the predetermined shutdown condition described in the present invention.
It should be noted that the above examples are merely intended to better illustrate the technical solution of the present invention and are not a limitation of it; those skilled in the art should understand that any implementation of shutting down the virtual environment when the predetermined shutdown condition is satisfied falls within the scope of the present invention.
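Steps S1, S2, S4 and S5 above can be sketched in code. What follows is an added example written for this page, not code from the patent or from Baidu: a toy virtual environment in Python in which each virtual API (DeleteFile, CreateToolhelp32Snapshot and a few others named after their Windows counterparts) returns the feedback result the real API would, performs no real operation, and appends a behavior record; it also collects the files the sample releases and runs them in turn (step S21), and applies the two shutdown conditions (process exit, or running time over 5 s). The class and function names, the stand-in behaviours for "file2" and "ser2vet.exe", the drop paths and the registry key are constructed assumptions, and computing the feature value as the CRC32 over the thread's first 0x100 code bytes is this example's reading of the text's "check value corresponding to the code length".

```python
import time
import zlib
from dataclasses import dataclass, field

@dataclass
class BehaviorRecord:
    category: str                 # "file", "registry", "process" or "thread"
    action: str                   # "create", "delete", "set", "cross_process_write", "inject"
    target: str                   # file path, registry key, process path or thread id
    extra: dict = field(default_factory=dict)

class VirtualEnvironment:
    """Toy virtual environment (illustrative names): each virtual API returns the
    real API's feedback result, touches nothing real and logs a BehaviorRecord."""
    PREDETERMINED_TIME_S = 5.0    # shutdown condition 2) from the text

    def __init__(self, active_apps, clock=time.monotonic):
        self.active_apps = list(active_apps)   # user-configured process list
        self.clock = clock
        self.reset()

    def reset(self):
        """Restore the initial environment; done on every start."""
        self.records, self.released_files = [], []
        self.exited = False
        self.started_at = self.clock()

    def CreateToolhelp32Snapshot(self):
        """Application read virtual API, fed from the configured process list."""
        return [{"name": app, "pid": 1000 + i} for i, app in enumerate(self.active_apps)]

    def DeleteFile(self, path):
        self.records.append(BehaviorRecord("file", "delete", path))
        return True                          # real DeleteFile: nonzero on success

    def CreateFile(self, path):
        self.records.append(BehaviorRecord("file", "create", path))
        self.released_files.append(path)     # dropped file, collected for step S4
        return 0x100 + len(self.records)     # fake handle value

    def RegSetValue(self, key, value):
        self.records.append(BehaviorRecord("registry", "set", key, {"value": value}))
        return 0                             # ERROR_SUCCESS

    def WriteProcessMemory(self, process_path, data):
        self.records.append(BehaviorRecord("process", "cross_process_write",
                                           process_path, {"bytes": len(data)}))
        return True

    def CreateRemoteThread(self, process_path, code, code_length=0x100):
        # Feature value: CRC32 over the thread's code for the stated length 0x100 (assumption).
        feature = zlib.crc32(code[:code_length]) & 0xFFFFFFFF
        tid = 2000 + len(self.records)
        self.records.append(BehaviorRecord("thread", "inject", str(tid),
                                           {"process": process_path, "feature": feature}))
        return tid

    def ExitProcess(self):
        self.exited = True                   # shutdown condition 1)

    def should_shutdown(self):
        return self.exited or self.clock() - self.started_at > self.PREDETERMINED_TIME_S

def run_and_monitor(env, programs, entry):
    """Run `entry`, then (step S21) each file it released that we have a program
    for, until a shutdown condition holds; return the combined behavior records."""
    pending, seen = [entry], set()
    while pending and not env.should_shutdown():
        name = pending.pop(0)
        if name in seen or name not in programs:
            continue
        seen.add(name)
        before = len(env.released_files)
        programs[name](env)
        pending.extend(p.rsplit("\\", 1)[-1] for p in env.released_files[before:])
    return list(env.records)

# Constructed sample behaviours standing in for file2 and the file it releases.
SER2VET = r"C:\Users\Public\ser2vet.exe"          # constructed drop path
APP1_EXE = r"C:\Program Files\APP1\app1.exe"      # constructed path for APP1

def sample_file2(env):
    env.CreateToolhelp32Snapshot()                # reads APP1/APP2 from the process list
    env.CreateFile(SER2VET)
    env.CreateFile(r"E:\autorun.inf")
    env.DeleteFile(r"C:\Users\Public\setup.tmp")

def sample_ser2vet(env):
    env.RegSetValue(r"HKCU\Software\Example\Run\ser2vet", SER2VET)   # constructed key
    env.WriteProcessMemory(APP1_EXE, b"\x90" * 16)
    env.CreateRemoteThread(APP1_EXE, b"\xcc" * 0x100)
    env.ExitProcess()

SAMPLE_PROGRAMS = {"file2": sample_file2, "ser2vet.exe": sample_ser2vet}
```

Running `run_and_monitor(VirtualEnvironment(["APP1", "APP2"]), SAMPLE_PROGRAMS, "file2")` yields six records (two file creations, one file deletion, one registry set, one cross-process write, one thread injection) attributed to file2 as a whole, and the environment reports that it should shut down because the released program called ExitProcess; autorun.inf is collected as a released file but, having no program here, contributes no records. The `clock` parameter exists only so the 5 s condition can be exercised without waiting.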
According to the solution of this embodiment, the behavior information of the dangerous file can be obtained by running the dangerous file in the virtual environment of the computer device; this process requires no manual analysis, greatly reducing the time needed to obtain the behavior information; moreover, because all operation behaviors of the dangerous file can be recorded through the virtual execution of the virtual APIs, the behavior information obtained by the computer device is comprehensive, which avoids the real environment of the computer device not being fully repaired because of incomplete behavior information.
In addition, running the dangerous file in the virtual environment does not affect the real environment of the computer device, the virtual environment takes up very little space in the computer device, and the virtual environment need not actually perform the functions of the virtual APIs but only needs to return the same feedback results as calling the corresponding real APIs in the real environment, which lets the dangerous file run faster in the virtual environment and thus its behavior information be obtained quickly.
FIG. 2 is a schematic flowchart of a method for determining, in a computer device, behavior information corresponding to a dangerous file according to an embodiment of the present invention. The method of this embodiment is mainly implemented by a computer device; any description of the computer device given in the embodiment shown in FIG. 1 is incorporated herein by reference.
The method according to this embodiment includes step S1, step S2 and step S3. Step S1 and step S2 have been described in detail with reference to FIG. 1 and are not described again here.
In step S3, the computer device repairs the real environment of the computer device according to the behavior information corresponding to the dangerous file.
Specifically, the computer device can repair its real environment according to the behavior information corresponding to the dangerous file in many scenarios.
For example, after step S2, the computer device directly performs step S3 to repair the real environment of the computer device.
As another example, after step S2, when it is determined according to a user operation that the dangerous file is to be cleared, the computer device directly performs step S3 to repair the real environment of the computer device while clearing the dangerous file.
As a further example, after clearing the dangerous file, when it is determined according to a user operation that the real environment needs to be repaired, the computer device performs step S3 to repair the real environment of the computer device.
Preferably, in step S3, the computer device directly performs, according to the behavior information corresponding to the dangerous file, the operation opposite to the operation behavior indicated by the behavior information, to restore the real environment of the computer device.
For example, the behavior information of the dangerous file includes information indicating the creation of a file and the path information of the created file. Then, in step S3, the computer device deletes the created file under the file path indicated by the path information according to the behavior information, to restore the real environment to the state before the dangerous file was run.
As another example, the behavior information of the dangerous file includes information indicating the deletion of a registry key and the deleted registry key. Then, in step S3, the computer device restores the deleted registry key according to the behavior information, to restore the real environment to the state before the dangerous file was run.
As a preferred solution of step S3, step S3 further includes step S31 and step S32.
In step S31, the computer device determines the corresponding repair operation information according to the behavior information corresponding to the dangerous file.
The repair operation information includes any information related to a repair operation. Preferably, the repair operation information includes but is not limited to:
a) Information related to a file repair operation.
The file repair operation includes any operation for repairing a file, such as restoring file parameters, deleting a file, etc. Preferably, the information related to the file repair operation includes but is not limited to: information indicating the type of the file repair operation, the name of the operated file, the file parameter to be restored and the value of that file parameter, etc.
Preferably, the computer device scans the dangerous file and the at least one file released by the dangerous file in its real system, and determines the information related to the file repair operation according to the scan result and the behavior information of the dangerous file.
b) Information related to a registry repair operation.
The registry repair operation includes any operation for repairing the registry, such as restoring, deleting a registry key, etc. Preferably, the information related to the registry repair operation includes but is not limited to: information indicating the type of the registry repair operation, the operated registry key, the value corresponding to the registry key, etc.
Preferably, when the registry repair operation is setting a registry key, the computer device may obtain the default value corresponding to the registry key by querying a local knowledge base, and use that default value as the value corresponding to the registry key.
c) Information related to a process repair operation.
The process repair operation includes any operation for repairing a process, such as closing, restarting a process, etc. Preferably, the information related to the process repair operation includes but is not limited to: information indicating the type of the process repair operation, the path information corresponding to the operated process, etc.
It should be noted that when the operated process is a system file, the process repair operation can be completed directly by restarting the computer device, without obtaining repair operation information for that process.
d) Information related to a thread repair operation.
The thread repair operation includes any operation for repairing a thread, such as stopping a thread, etc. Preferably, the information related to the thread repair operation includes but is not limited to: information indicating the type of the thread repair operation, the feature value corresponding to the operated thread.
It should be noted that the above repair operation information is merely an example and not a limitation of the present invention; those skilled in the art should understand that any information related to a repair operation falls within the scope of the repair operation information described in the present invention.
Specifically, in step S31, the computer device determines the repair operation indicated by the repair operation information according to the operation behavior indicated by the behavior information corresponding to the dangerous file, and further determines the repair operation information according to that repair operation and the behavior information.
For example, the behavior information includes information indicating cross-process writing and the path information of the operated process; in step S31, the computer device determines from the information indicating the cross-process write operation that the repair operation is restarting the process, and determines from that repair operation and the behavior information that the repair operation information includes: information indicating that the process is to be restarted and the path information of the process to be restarted.
As another example, the behavior information includes information indicating thread injection and the feature value corresponding to the operated thread; in step S31, the computer device determines from the information indicating thread injection that the repair operation is stopping the thread, and determines from that repair operation and the behavior information that the repair operation information includes: information indicating that the thread is to be stopped and the feature value corresponding to the thread to be stopped.
It should be noted that the above examples are merely intended to better illustrate the technical solution of the present invention and are not a limitation of it; those skilled in the art should understand that any implementation of determining the corresponding repair operation information according to the behavior information corresponding to the dangerous file falls within the scope of the present invention.
In step S32, the computer device repairs the real environment of the computer device according to the repair operation information.
For example, the repair operation information determined in step S31 includes information indicating that a process is to be restarted and the path information corresponding to the operated process. In step S32, the computer device looks up the corresponding process according to the path information and restarts the process found.
As another example, the repair operation information determined in step S31 includes information indicating that a thread is to be stopped and the feature value corresponding to the operated thread. In step S32, the computer device determines the matching thread according to the feature value and stops that thread.
It should be noted that the above examples are merely intended to better illustrate the technical solution of the present invention and are not a limitation of it; those skilled in the art should understand that any implementation of repairing the real environment of the computer device according to the repair operation information falls within the scope of the present invention.
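Steps S31 and S32 amount to mapping each behavior record to its inverse and then executing the inverses against the real environment. The following added example (written for this page, not code from the patent or from Baidu) does that in Python against a simulated real environment so the result can be checked offline: created files are deleted, a created registry key is deleted, a set or deleted key is put back to its default from a local knowledge base, a process written into across processes is restarted unless it is a system file (in which case only a device restart is flagged, as the text says), and an injected thread is matched by its feature value and stopped. The record shape, the knowledge base, the file and registry names, the "sysproc.exe" system process and the clean/infected states are constructed assumptions, and the feature value is again taken as the CRC32 over the first 0x100 bytes of thread code.

```python
import zlib

# Constructed sample inputs (not from the patent): behavior information as
# (category, action, target, extra) tuples, the local knowledge base of default
# registry values, and the set of processes treated as system files.
APP1_EXE = r"C:\Program Files\APP1\app1.exe"
SYS_EXE = r"C:\Windows\System32\sysproc.exe"       # constructed "system file" process
INJECTED_CODE = b"\xcc" * 0x100
SAMPLE_BEHAVIOR = [
    ("file", "create", r"C:\Users\Public\ser2vet.exe", {}),
    ("file", "create", r"E:\autorun.inf", {}),
    ("registry", "create", r"HKCU\Software\Example\Run\ser2vet", {}),
    ("registry", "delete", r"HKCU\Software\Example\Settings", {}),
    ("process", "cross_process_write", APP1_EXE, {}),
    ("process", "cross_process_write", SYS_EXE, {}),
    ("thread", "inject", "2007", {"feature": zlib.crc32(INJECTED_CODE) & 0xFFFFFFFF}),
]
KNOWLEDGE_BASE = {r"HKCU\Software\Example\Settings": "1"}
SYSTEM_FILES = {SYS_EXE}

def determine_repair_operations(behavior_info, knowledge_base, system_files):
    """Step S31: each behavior record becomes the opposite (repair) operation.
    Returns (repair operations, whether a device restart is needed instead)."""
    ops, restart_needed = [], False
    for category, action, target, extra in behavior_info:
        if category == "file":
            # a created file is deleted; an updated or deleted file is restored
            ops.append(("file", "delete" if action == "create" else "restore", target, {}))
        elif category == "registry":
            if action == "create":
                ops.append(("registry", "delete", target, {}))
            else:  # "set" or "delete": put back the default from the knowledge base (assumption)
                ops.append(("registry", "set", target, {"value": knowledge_base.get(target)}))
        elif category == "process":
            if target in system_files:
                restart_needed = True          # repaired by rebooting; no per-process info
            else:
                ops.append(("process", "restart", target, {}))
        elif category == "thread":
            ops.append(("thread", "stop", target, {"feature": extra["feature"]}))
    return ops, restart_needed

class SimulatedRealEnvironment:
    """Stand-in for the machine's real state so the repair can be checked offline."""
    def __init__(self, files, registry, threads):
        self.files = set(files)          # existing file paths
        self.registry = dict(registry)   # key -> value
        self.threads = list(threads)     # (tid, code bytes) of running threads
        self.restarted = []              # processes restarted by the repair

    def state(self):
        return (frozenset(self.files), tuple(sorted(self.registry.items())),
                tuple(self.threads))

def apply_repairs(ops, env):
    """Step S32: carry out the repair operation information on the real environment."""
    for category, action, target, extra in ops:
        if category == "file" and action == "delete":
            env.files.discard(target)
        elif category == "file" and action == "restore":
            env.files.add(target)         # content would come from the scan result (assumed)
        elif category == "registry" and action == "delete":
            env.registry.pop(target, None)
        elif category == "registry" and action == "set":
            env.registry[target] = extra["value"]
        elif category == "process" and action == "restart":
            env.restarted.append(target)
        elif category == "thread" and action == "stop":
            # match the thread by feature value: CRC32 of its first 0x100 code bytes
            env.threads = [(tid, code) for tid, code in env.threads
                           if zlib.crc32(code[:0x100]) & 0xFFFFFFFF != extra["feature"]]
    return env

def clean_environment():
    return SimulatedRealEnvironment({APP1_EXE}, KNOWLEDGE_BASE, [(1001, b"\x90" * 0x100)])

def infected_environment():
    return SimulatedRealEnvironment(
        {APP1_EXE, r"C:\Users\Public\ser2vet.exe", r"E:\autorun.inf"},
        {r"HKCU\Software\Example\Run\ser2vet": r"C:\Users\Public\ser2vet.exe"},
        [(1001, b"\x90" * 0x100), (2007, INJECTED_CODE)])

def repair_demo():
    """Repair the infected state; report whether it now matches the clean state."""
    ops, restart_needed = determine_repair_operations(SAMPLE_BEHAVIOR, KNOWLEDGE_BASE, SYSTEM_FILES)
    env = apply_repairs(ops, infected_environment())
    return env.state() == clean_environment().state(), restart_needed, env.restarted
```

`repair_demo()` returns `(True, True, [APP1_EXE])`: six repair operations bring the simulated state back to the clean state, the write into the system process produces no repair operation but sets the restart flag (the cue for the restart prompt mentioned below), and only APP1 is restarted. The knowledge-base lookup is what makes the "set" repair deterministic; without a known default, a set or deleted key could only be restored from a prior backup.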
优选地,在步骤S3之后,当判断需要重启该计算机设备时,计算机设备向用户呈现用于提示重启该计算机设备的提示信息。
根据本实施例的方案,计算机设备可根据在虚拟环境中所获得的、危险文件的行为信息,来对计算机设备的真实环境进行修复,以快速且全面地修复危险文件以及危险文件所释放的其他危险文件对真实环境的破坏。
图3为本发明一个实施例的用于在计算机设备中确定危险文件所对应的行为信息的装置的结构示意图。根据本实施例的用于确定危险文件所对应的行为信息的装置(以下简称为“行为确定装置”)包括用于当检测到存在危险文件时,在计算机设备的虚拟环境中运行该危险文件的装置(以下简称为“运行装置1”)、以及用于在虚拟环境中对危险文件的行为进行监测,获得危险文件所对应的行为信息的装置(以下简称为“监测装置2”)。
当检测到存在危险文件时,运行装置1在计算机设备的虚拟环境中运行该危险文件。
其中,所述危险文件包括任何具有危险性的文件,如病毒文件、木马文件等。
其中,所述虚拟环境用于虚拟计算机设备的真实环境,所述虚拟环境中包括与真实环境中的至少一个真实API相同的至少一个虚拟API。其中,所述虚拟API能够在虚拟环境中被调用,且能够返回与在真实环境中调用该虚拟API所对应的真实API相同的反馈结果。其中,所述真实环境用于表示计算机设备中真实运行的系统环境;例如,计算机设备中真实运行的Windows操作系统所对应的系统环境。其中,所述真实API用于表示真实环境中的API;例如,计算机设备中真实运行的Windows操作系统中的系统API。
例如,计算机设备的真实环境中存在以下真实API:DeleteFile,该真实API用于在该真实环境中删除指定文件,且返回用于指示成功执行删除操作的反馈结果;该计算机设备的虚拟环境中具有与该真实API对应的虚拟API,在虚拟环境中调用该虚拟API,同样返回用于 指示成功执行删除操作的反馈结果。
需要说明的是,优选地,在虚拟环境中调用虚拟API时,该虚拟API的功能并未真正的被执行,而仅需虚拟出调用与虚拟API相对应的真实API的效果。例如,在上述举例中,在虚拟环境中调用与DeleteFile相对应的虚拟API,该虚拟API并未在虚拟环境中执行删除指定文件的操作,而是在被调用时直接返回用于指示成功执行删除操作的反馈结果,以虚拟出调用DeleteFile的效果。
优选地,所述虚拟环境不需要对计算机设备中的注册表和环境变量等进行配置,故不需要执行相应的安装操作,即可直接被启动并运行。需要说明的是,所述虚拟环境可在多种场景下被启动,如,在计算机设备开机时自动启动、当计算机设备中执行扫描操作时自动启动、当检测到存在危险文件时自动启动、根据用户操作来被启动等。需要说明的是,优选地,所述虚拟环境每次被启动后均被还原为其初始环境;更优选地,虚拟环境启动之后,在每个危险文件运行完成之后,虚拟环境可自动执行初始化操作,或者可根据用户操作来执行初始化操作,以将该虚拟环境还原为初始环境。
进一步需要说明的是,所述虚拟环境在计算机设备中的占用空间可以极小(如占用空间约为10M),且其运行不会影响计算机设备的真实系统的运行。优选地,所述占用空间的大小可根据危险文件在虚拟环境中的行为(如危险文件释放其他文件的行为)而发生变化。
Specifically, when the presence of a dangerous file is detected, running apparatus 1 provides the dangerous file to the virtual environment of the computer device and runs it there.
For example, when a virus file is detected on the computer device, running apparatus 1 provides the virus file to the virtual environment of the computer device and runs it there.
Preferably, the at least one virtual API of the virtual environment includes an application-reading virtual API capable of reading the currently active applications, and running apparatus 1 further includes an apparatus for providing the dangerous file with information on the currently active applications when the dangerous file calls the application-reading virtual API (hereinafter the "providing apparatus", not shown).
The application-reading virtual API includes any virtual API used to read the currently active applications, such as the virtual API corresponding to CreateToolhelp32Snapshot of the real system, which in the real system is used to obtain information on all currently active processes.
The application information includes any information indicating the currently active applications, such as the name of each currently active application, its process ID, etc.
Specifically, while the dangerous file runs in the virtual environment, when it calls the application-reading virtual API, the providing apparatus returns the currently active application information to the dangerous file through that virtual API.
For example, virus file file1 runs in the virtual environment; when file1 calls the application-reading virtual API, the providing apparatus returns to file1, through that API, application information indicating that the currently active applications include APP1 and APP2.
It should be noted that the application-reading virtual API can obtain the currently active application information in various ways.
As one example, the application-reading virtual API obtains the currently active application information from the user's process configuration of the virtual environment. For instance, the user configures the process list of the virtual environment by adding applications APP1 and APP2 to it; the application-reading virtual API then reads from that list that the currently active applications include APP1 and APP2.
As another example, the application-reading virtual API triggers retrieval of the currently active application information from the real environment of the computer device. For instance, it triggers a call, in the real environment, to the real API corresponding to the application-reading virtual API and obtains the currently active application information from the return result of that real API.
It should be noted that the above examples are only intended to better illustrate the technical solution of the present invention and do not limit it; those skilled in the art will understand that any implementation that runs the dangerous file in the virtual environment of the computer device when the presence of a dangerous file is detected falls within the scope of the present invention.
Monitoring apparatus 2 monitors the behavior of the dangerous file in the virtual environment and obtains the behavior information corresponding to the dangerous file.
Specifically, monitoring apparatus 2 can obtain the behavior information corresponding to the dangerous file by monitoring and recording the behavior the dangerous file performs in the virtual environment.
Preferably, monitoring apparatus 2 monitors the behavior of the dangerous file in the virtual environment on the basis of the virtual APIs the dangerous file calls while running, and so obtains the behavior information corresponding to the dangerous file.
For example, in the virtual environment, monitoring apparatus 2 records, through the virtual APIs the dangerous file calls while running, every behavior of the dangerous file that changes the virtual environment, and obtains the behavior information corresponding to those behaviors.
The behavior information includes any information related to the operational behavior of the dangerous file in the virtual environment. Preferably, the behavior information includes, but is not limited to:
1) Information related to file operation behavior.
File operation behavior includes any operation that can be performed on a file, such as creating, updating or deleting a file. Preferably, the information related to file operation behavior includes, but is not limited to: information indicating the type of file operation (such as create, update or delete), the name of the operated file, the path information of the operated file, etc.
2) Information related to registry operation behavior.
Registry operation behavior includes any operation that can be performed on the registry, such as creating, setting or deleting a registry entry. Preferably, the information related to registry operation behavior includes, but is not limited to: information indicating the type of registry operation (such as create, set or delete), the operated registry entry, the value corresponding to that entry, etc.
3) Information related to process operation behavior.
Process operation behavior includes any operation that can be performed on a process, such as creating and closing a process, or cross-process writing. Preferably, the information related to process operation behavior includes, but is not limited to: information indicating the type of process operation (such as creating and closing a process, or cross-process writing), the identifier (ID) of the operated process, the path information of the operated process, etc.
4) Information related to thread operation behavior.
Thread operation behavior includes any operation that can be performed on a thread, such as thread injection. Preferably, the information related to thread operation behavior includes, but is not limited to: information indicating the type of thread operation, the identifier (ID) of the operated thread, the feature value corresponding to the operated thread, etc. The feature value characterizes the thread; preferably it is a checksum computed over a given length of the thread's code. For example, with a code length of 0x100, the feature value is the CRC32 (Cyclic Redundancy Check) value of those code bytes.
It should be noted that the above behavior information is only exemplary and does not limit the present invention; those skilled in the art will understand that any information related to the behavior of the dangerous file in the virtual environment falls within the scope of the behavior information of the present invention.
As a preferred solution, the behavior determining apparatus of this embodiment further includes an apparatus for obtaining, in the virtual environment, at least one file released by the dangerous file (hereinafter the "obtaining apparatus", not shown), and monitoring apparatus 2 further includes an apparatus for monitoring, in the virtual environment, the behavior of the dangerous file and of the at least one file it released, so as to obtain the behavior information corresponding to the dangerous file (hereinafter the "sub-monitoring apparatus", not shown).
The obtaining apparatus obtains, in the virtual environment, at least one file released by the dangerous file.
For example, the obtaining apparatus obtains, in the virtual environment, the following files released by dangerous file file2 while it runs: ser2vet.exe and autorun.inf.
The sub-monitoring apparatus monitors, in the virtual environment, the behavior of the dangerous file and of the at least one file it released, and obtains the behavior information corresponding to the dangerous file.
For example, the obtaining apparatus obtains the following dangerous files released by dangerous file file2: ser2vet.exe and autorun.inf; the sub-monitoring apparatus monitors, in the virtual environment, the behavior of file2, ser2vet.exe and autorun.inf respectively, obtains the behavior information of these three dangerous files, and takes all of the obtained behavior information as the behavior information corresponding to dangerous file file2.
It should be noted that the way the sub-monitoring apparatus monitors the behavior of each file released by the dangerous file is the same as or similar to the way monitoring apparatus 2 monitors the behavior of the dangerous file, described above, and is not repeated here.
It should be noted that the above examples are only intended to better illustrate the technical solution of the present invention and do not limit it; those skilled in the art will understand that any implementation that monitors the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file falls within the scope of the present invention.
As a preferred solution, the behavior determining apparatus of this embodiment further includes an apparatus for closing the virtual environment when a predetermined closing condition is met (hereinafter the "closing apparatus", not shown).
When the predetermined closing condition is met, the closing apparatus closes the virtual environment.
The predetermined closing condition includes any predetermined condition indicating that the virtual environment is to be closed. Preferably, the predetermined closing condition includes, but is not limited to:
1) The dangerous file performs a process exit operation in the virtual environment.
The process exit operation includes any operation indicating that the process of the dangerous file exits; preferably it includes, but is not limited to, self-deletion by the dangerous file, deletion of the dangerous file by the user in the virtual environment, etc.
2) The running time of the dangerous file in the virtual environment exceeds a predetermined time.
For example, if the predetermined time is 5 s, the predetermined closing condition is met when the dangerous file has been running in the virtual environment for more than 5 s.
It should be noted that the above predetermined closing conditions are only exemplary and do not limit the present invention; those skilled in the art will understand that any predetermined condition indicating that the virtual environment is to be closed falls within the scope of the predetermined closing condition of the present invention.
It should be noted that the above examples are only intended to better illustrate the technical solution of the present invention and do not limit it; those skilled in the art will understand that any implementation that closes the virtual environment when a predetermined closing condition is met falls within the scope of the present invention.
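The following is an added example, not code from the patent or from Baidu, of the scheme the preceding paragraphs describe: a virtual environment whose APIs return the real API's result without performing its action, behavior records in the four categories listed above, monitoring of the files a sample releases, and the two closing conditions (process exit, including self-deletion, and a 5 s time limit). It is written in Python so that it runs anywhere. DeleteFile and CreateToolhelp32Snapshot are the API names the text gives; CreateFile, RegSetValue, WriteProcessMemory, CreateRemoteThread and Sleep are assumed stand-ins; the sample file2 with its released files ser2vet.exe and autorun.inf is a constructed call sequence, not real malware.

```python
import zlib


class VirtualEnv:
    """API-emulating sandbox: each virtual API returns what the real Windows API would,
    has no real side effect, and only appends a (category, action, details) record."""

    def __init__(self, configured_processes=("APP1", "APP2"), time_limit=5.0):
        # Active applications come from a user-configured process list (the text's
        # first option; querying the real system is the second and is not done here).
        self._initial = (list(configured_processes), time_limit)
        self.reset()

    def reset(self):
        """Restore the initial environment; done before every new sample."""
        procs, limit = self._initial
        self.processes = {1000 + i: name for i, name in enumerate(procs)}
        self.time_limit, self.clock = limit, 0.0   # clock counts virtual seconds
        self.behavior, self.dropped = [], []       # records; (path, steps) released
        self.exited, self.own_path = False, None

    # Virtual APIs.  DeleteFile and CreateToolhelp32Snapshot are named in the
    # text; the others are assumed additions chosen for this illustration.
    def DeleteFile(self, path):
        self.behavior.append(("file", "delete", {"path": path}))
        if path == self.own_path:           # self-deletion counts as process exit
            self.exited = True
        return True                         # reports success, deletes nothing

    def CreateFile(self, path, steps):
        # A written file is a "released file"; keep its call sequence to run later.
        self.behavior.append(("file", "create", {"path": path}))
        self.dropped.append((path, steps))
        return True

    def CreateToolhelp32Snapshot(self):
        return [{"pid": pid, "name": name} for pid, name in self.processes.items()]

    def RegSetValue(self, key, value):
        self.behavior.append(("registry", "set", {"key": key, "value": value}))
        return True

    def WriteProcessMemory(self, pid, data):
        self.behavior.append(("process", "cross_process_write",
                              {"pid": pid, "path": self.processes.get(pid)}))
        return True

    def CreateRemoteThread(self, pid, code):
        # Thread feature value: CRC32 over a fixed length (0x100) of its code.
        feature = zlib.crc32(code[:0x100]) & 0xFFFFFFFF
        self.behavior.append(("thread", "inject", {"pid": pid, "feature": feature}))
        return True

    def Sleep(self, seconds):
        self.clock += seconds

    def run(self, path, steps):
        """Run one file until it exits (self-deletion or end of steps) or times out."""
        self.own_path, self.exited = path, False
        for api, args in steps:
            if self.exited:
                return "exit"
            if self.clock > self.time_limit:
                return "timeout"
            getattr(self, api)(*args)
        return "exit"

    def analyze(self, path, steps):
        """Monitor a dangerous file and, recursively, every file it releases;
        all of their behavior is attributed to the original file."""
        self.reset()
        outcome = {path: self.run(path, steps)}
        queue = list(self.dropped)
        while queue:
            child_path, child_steps = queue.pop(0)
            seen = len(self.dropped)
            outcome[child_path] = self.run(child_path, child_steps)
            queue.extend(self.dropped[seen:])
        return {"behavior": list(self.behavior), "outcome": outcome}


# Constructed sample, not real malware: file2 releases ser2vet.exe and autorun.inf
# (names from the text); ser2vet.exe tampers with APP1, persists, then idles past 5 s.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ser2vet"
SER2VET_STEPS = [
    ("CreateToolhelp32Snapshot", ()),
    ("WriteProcessMemory", (1000, b"\x90" * 16)),
    ("CreateRemoteThread", (1000, b"\xcc" * 0x100)),
    ("RegSetValue", (RUN_KEY, r"C:\ser2vet.exe")),
    ("Sleep", (10,)),
    ("RegSetValue", ("never reached", "timeout comes first")),
]
FILE2_STEPS = [
    ("CreateFile", (r"C:\ser2vet.exe", SER2VET_STEPS)),
    ("CreateFile", (r"C:\autorun.inf", [])),
    ("DeleteFile", (r"C:\file2.exe",)),      # self-deletion -> process exit
    ("RegSetValue", ("never reached", "exit comes first")),
]


def analyze_file2():
    return VirtualEnv().analyze(r"C:\file2.exe", FILE2_STEPS)
```

`analyze_file2()` returns the six behavior records of file2 and ser2vet.exe together, with file2 stopped by its self-deletion and ser2vet.exe by the time limit. Two practitioner caveats that the text leaves implicit: stubs that only report success are detectable by a sample that reads back what it wrote, so an emulator meant to resist such checks keeps a virtual file system and registry of its own while still touching nothing on the real system; and supplying the real process list to the sample (the text's second option for the application-reading API) hands it real information about the host, which is why the configured list is used here.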
According to the solution of this embodiment, the behavior information of a dangerous file can be obtained by running it in the virtual environment of the computer device; this requires no manual analysis and greatly reduces the time needed to obtain the behavior information. Moreover, because every operation of the dangerous file can be recorded through the virtual execution of the virtual APIs, the behavior information the computer device obtains is complete, which avoids the real environment of the computer device being repaired incompletely because of incomplete behavior information.
Furthermore, running the dangerous file in the virtual environment does not affect the real environment of the computer device; the virtual environment occupies very little space on the computer device; and the virtual environment need not actually execute the functions of the virtual APIs but need only return the same feedback result as calling the corresponding real API in the real environment. This lets the dangerous file run faster in the virtual environment, so that its behavior information is obtained more quickly.
Fig. 4 is a schematic structural diagram of an apparatus for determining, in a computer device, the behavior information corresponding to a dangerous file according to one embodiment of the present invention. The behavior determining apparatus of this embodiment includes running apparatus 1, monitoring apparatus 2, and an apparatus for repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file (hereinafter "repairing apparatus 3"). Running apparatus 1 and monitoring apparatus 2 have been described in detail with reference to Fig. 3 and are not repeated here.
Repairing apparatus 3 repairs the real environment of the computer device according to the behavior information corresponding to the dangerous file.
Specifically, repairing apparatus 3 can repair the real environment of the computer device according to the behavior information corresponding to the dangerous file in a variety of scenarios.
For example, after monitoring apparatus 2 has performed its operation, repairing apparatus 3 directly performs its operation to repair the real environment of the computer device.
As another example, after monitoring apparatus 2 has performed its operation, when it is determined from a user operation that the dangerous file is to be removed, repairing apparatus 3 directly performs its operation to repair the real environment of the computer device while the dangerous file is removed.
As a further example, after the dangerous file has been removed, when it is determined from a user operation that the real environment needs to be repaired, repairing apparatus 3 performs its operation to repair the real environment of the computer device.
Preferably, repairing apparatus 3 restores the real environment of the computer device by directly performing, according to the behavior information corresponding to the dangerous file, the operation inverse to the operational behavior indicated by that behavior information.
For example, the behavior information of the dangerous file includes information indicating file creation and the path information of the created file. Repairing apparatus 3 then deletes the created file at the path indicated by that path information, restoring the real environment to its state before the dangerous file ran.
As another example, the behavior information of the dangerous file includes information indicating deletion of a registry entry and the deleted registry entry. Repairing apparatus 3 then restores the deleted registry entry, restoring the real environment to its state before the dangerous file ran.
As a preferred solution for repairing apparatus 3, repairing apparatus 3 further includes an apparatus for determining the corresponding repair operation information according to the behavior information corresponding to the dangerous file (hereinafter the "determining apparatus", not shown), and an apparatus for repairing the real environment of the computer device according to the repair operation information (hereinafter the "sub-repairing apparatus", not shown).
The determining apparatus determines the corresponding repair operation information according to the behavior information corresponding to the dangerous file.
The repair operation information includes any information related to a repair operation. Preferably, it includes, but is not limited to:
a) Information related to a file repair operation.
A file repair operation includes any operation used to repair a file, such as restoring file parameters or deleting a file. Preferably, the information related to a file repair operation includes, but is not limited to: information indicating the type of file repair operation, the name of the operated file, the restored file parameter and the value of that parameter, etc.
Preferably, the determining apparatus scans the real system of the computer device for the dangerous file and the at least one file it released, and determines the information related to the file repair operation from the scan result together with the behavior information of the dangerous file.
b) Information related to a registry repair operation.
A registry repair operation includes any operation used to repair the registry, such as restoring or deleting a registry entry. Preferably, the information related to a registry repair operation includes, but is not limited to: information indicating the type of registry repair operation, the operated registry entry, the value corresponding to that entry, etc.
Preferably, when the registry repair operation is setting a registry entry, the determining apparatus can obtain the default value corresponding to that entry by querying a local knowledge base and use that default value as the value corresponding to the entry.
c) Information related to a process repair operation.
A process repair operation includes any operation used to repair a process, such as closing or restarting the process. Preferably, the information related to a process repair operation includes, but is not limited to: information indicating the type of process repair operation, the path information of the operated process, etc.
It should be noted that when the operated process is a system file, the process repair operation can be completed directly by restarting the computer device, without obtaining repair operation information for that process.
d) Information related to a thread repair operation.
A thread repair operation includes any operation used to repair a thread, such as stopping the thread. Preferably, the information related to a thread repair operation includes, but is not limited to: information indicating the type of thread repair operation and the feature value corresponding to the operated thread.
It should be noted that the above repair operation information is only exemplary and does not limit the present invention; those skilled in the art will understand that any information related to a repair operation falls within the scope of the repair operation information of the present invention.
Specifically, the determining apparatus determines the repair operation indicated by the repair operation information from the operational behavior indicated by the behavior information corresponding to the dangerous file, and then determines the repair operation information from that repair operation and the behavior information.
For example, the behavior information includes information indicating cross-process writing and the path information of the operated process; the determining apparatus determines from the information indicating cross-process writing that the repair operation is a process restart, and, from that repair operation and the behavior information, determines that the repair operation information includes: information indicating a process restart and the path information of the process to be restarted.
As another example, the behavior information includes information indicating thread injection and the feature value corresponding to the operated thread; the determining apparatus determines from the information indicating thread injection that the repair operation is to stop the thread, and, from that repair operation and the behavior information, determines that the repair operation information includes: information indicating that a thread is to be stopped, and the feature value corresponding to the thread to be stopped.
It should be noted that the above examples are only intended to better illustrate the technical solution of the present invention and do not limit it; those skilled in the art will understand that any implementation that determines the corresponding repair operation information from the behavior information corresponding to the dangerous file falls within the scope of the present invention.
The sub-repairing apparatus repairs the real environment of the computer device according to the repair operation information.
For example, the repair operation information determined by the determining apparatus includes information indicating a process restart and the path information of the operated process. The sub-repairing apparatus locates the corresponding process by that path information and restarts the process it finds.
As another example, the repair operation information determined by the determining apparatus includes information indicating that a thread is to be stopped and the feature value corresponding to the operated thread. The sub-repairing apparatus finds the thread matching that feature value and stops it.
It should be noted that the above examples are only intended to better illustrate the technical solution of the present invention and do not limit it; those skilled in the art will understand that any implementation that repairs the real environment of the computer device according to the repair operation information falls within the scope of the present invention.
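The following is an added example, not code from the patent or from Baidu, of the repair path described in steps S31 and S32 of the method above and in the determining apparatus and sub-repairing apparatus of this embodiment: behavior information is turned into repair operation information by choosing the inverse operation for each record, with the scan of the real system for released files, the knowledge-base default for a set registry entry, the reboot rule for system processes, and matching of an injected thread by its CRC32 feature value rather than by thread ID. The real environment, the behavior records, the registry keys and the knowledge base are all constructed for the illustration; the treatment of a set registry entry with no known default (remove it) and the C:\Windows\ prefix test for "system file" are assumptions, not rules the text states.

```python
import zlib

SYSTEM_DIR = "C:\\Windows\\"   # assumed test for "the operated process is a system file"

def thread_feature(code):
    """Feature value of a thread: CRC32 over the first 0x100 bytes of its code."""
    return zlib.crc32(code[:0x100]) & 0xFFFFFFFF


class RealEnv:
    """Constructed stand-in for the real system so the example runs anywhere; an
    implementation would call Windows file, registry, process and thread APIs here."""

    def __init__(self, files, registry, processes):
        self.files, self.registry, self.processes = files, registry, processes
        self.log = []                  # repair actions actually carried out

    def stop_thread(self, feature):
        # Match by feature value, not thread ID: IDs from the virtual run do not
        # correspond to the real system, the checksum of the injected code does.
        for pid, proc in self.processes.items():
            for tid, code in list(proc["threads"].items()):
                if thread_feature(code) == feature:
                    del proc["threads"][tid]
                    self.log.append(("stop_thread", pid, tid))
                    return True
        return False

    def apply(self, ops):
        """Carry out repair operation information against the real environment."""
        for category, action, d in ops:
            if (category, action) == ("file", "delete"):
                self.files.pop(d["path"], None)
                self.log.append(("delete_file", d["path"]))
            elif (category, action) == ("registry", "set"):
                self.registry[d["key"]] = d["value"]
                self.log.append(("set_registry", d["key"], d["value"]))
            elif (category, action) == ("registry", "delete"):
                self.registry.pop(d["key"], None)
                self.log.append(("delete_registry", d["key"]))
            elif (category, action) == ("process", "restart"):
                self.log.append(("restart_process", d["path"]))
            elif (category, action) == ("thread", "stop"):
                self.stop_thread(d["feature"])
        return self.log


def plan_repair(behavior, real, knowledge_base):
    """Behavior information -> repair operation information: for each recorded
    behavior pick the operation that reverses it.  Returns (ops, reboot_needed)."""
    ops, reboot = [], False
    for category, action, d in behavior:
        if (category, action) == ("file", "create"):
            # Scan the real system first: only a released file actually present needs deleting.
            if d["path"] in real.files:
                ops.append(("file", "delete", {"path": d["path"]}))
        elif (category, action) == ("registry", "delete"):
            ops.append(("registry", "set", {"key": d["key"], "value": d["value"]}))
        elif (category, action) == ("registry", "set"):
            if d["key"] in knowledge_base:      # default value from the local knowledge base
                ops.append(("registry", "set", {"key": d["key"], "value": knowledge_base[d["key"]]}))
            else:                               # assumption: no known default -> remove the entry
                ops.append(("registry", "delete", {"key": d["key"]}))
        elif (category, action) == ("process", "cross_process_write"):
            if d["path"].startswith(SYSTEM_DIR):
                reboot = True                   # system process: repaired by rebooting, no op
            else:
                ops.append(("process", "restart", {"path": d["path"]}))
        elif (category, action) == ("thread", "inject"):
            ops.append(("thread", "stop", {"feature": d["feature"]}))
    return ops, reboot


# Constructed data, neither real malware nor a real machine state.
INJECTED = bytes(range(256))
APP1 = r"C:\Program Files\APP1\app1.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ser2vet"
SHELL_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
SVC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start"
BEHAVIOR = [
    ("file", "create", {"path": r"C:\ser2vet.exe"}),      # no longer on disk
    ("file", "create", {"path": r"C:\autorun.inf"}),
    ("registry", "delete", {"key": SVC_KEY, "value": 2}),
    ("registry", "set", {"key": SHELL_KEY, "value": r"C:\ser2vet.exe"}),
    ("registry", "set", {"key": RUN_KEY, "value": r"C:\ser2vet.exe"}),
    ("process", "cross_process_write", {"pid": 1000, "path": APP1}),
    ("process", "cross_process_write", {"pid": 600, "path": r"C:\Windows\System32\services.exe"}),
    ("thread", "inject", {"pid": 1000, "feature": thread_feature(INJECTED)}),
]
KNOWLEDGE_BASE = {SHELL_KEY: "explorer.exe"}

def repair_demo():
    real = RealEnv(
        files={r"C:\autorun.inf": b"[autorun]\nopen=ser2vet.exe\n"},
        registry={RUN_KEY: r"C:\ser2vet.exe", SHELL_KEY: r"C:\ser2vet.exe"},
        processes={1000: {"path": APP1, "threads": {7: INJECTED, 8: b"\x90" * 0x100}}},
    )
    ops, reboot = plan_repair(BEHAVIOR, real, KNOWLEDGE_BASE)
    real.apply(ops)
    return ops, reboot, real
```

`repair_demo()` plans six operations (no delete for ser2vet.exe, which the scan does not find on disk), restores the deleted service entry to its recorded value, resets the Shell entry to the knowledge-base default, removes the Run entry, restarts APP1, stops only the thread whose code matches the feature value, and reports that a reboot is needed because a system process was written to, which is where the restart prompt of the next paragraph comes in.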
Preferably, after repairing apparatus 3 has performed its operation, when it is determined that the computer device needs to be restarted, the computer device presents to the user prompt information prompting a restart of the computer device.
According to the solution of this embodiment, the computer device can repair its real environment according to the behavior information of the dangerous file obtained in the virtual environment, so as to quickly and comprehensively repair the damage done to the real environment by the dangerous file and by the other dangerous files it releases.
It should be noted that the present invention may be implemented in software and/or in a combination of software and hardware; for example, each apparatus of the present invention may be implemented with an application-specific integrated circuit (ASIC) or any other similar hardware device. In one embodiment, the software program of the present invention may be executed by a processor to implement the steps or functions described above. Likewise, the software program of the present invention (including related data structures) may be stored in a computer-readable recording medium, such as RAM (random access memory), a magnetic or optical drive, a floppy disk or similar device. In addition, some steps or functions of the present invention may be implemented in hardware, for example as circuitry that cooperates with a processor to perform the individual steps or functions.
It will be apparent to those skilled in the art that the present invention is not limited to the details of the above exemplary embodiments and can be implemented in other specific forms without departing from its spirit or essential characteristics. The embodiments are therefore to be regarded in every respect as exemplary and non-limiting, and the scope of the present invention is defined by the appended claims rather than by the foregoing description; all changes that fall within the meaning and range of equivalents of the claims are therefore intended to be embraced by the present invention. No reference sign in a claim should be construed as limiting the claim concerned. Moreover, the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. A plurality of units or apparatuses recited in a system claim may also be implemented by a single unit or apparatus through software or hardware. The terms "first", "second", etc. denote names and do not indicate any particular order.

Claims (21)

  1. A method for determining, in a computer device, behavior information corresponding to a dangerous file, the method comprising:
    when the presence of a dangerous file is detected, running the dangerous file in a virtual environment of the computer device, wherein the virtual environment includes at least one virtual API that is the same as at least one real API in the real environment of the computer device;
    monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file.
  2. The method according to claim 1, wherein the at least one virtual API includes an application-reading virtual API capable of reading the currently active applications, and the step of running the dangerous file in the virtual environment comprises:
    when the dangerous file calls the application-reading virtual API, providing the dangerous file with information on the currently active applications.
  3. The method according to claim 1 or 2, further comprising:
    obtaining, in the virtual environment, at least one file released by the running dangerous file;
    wherein the step of monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file comprises:
    monitoring, in the virtual environment, the behavior of the dangerous file and of the at least one file to obtain the behavior information corresponding to the dangerous file.
  4. The method according to any one of claims 1 to 3, wherein the behavior information includes at least one of:
    - information related to file operation behavior;
    - information related to registry operation behavior;
    - information related to process operation behavior;
    - information related to thread operation behavior.
  5. The method according to any one of claims 1 to 4, further comprising:
    repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file.
  6. The method according to claim 5, wherein the step of repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file comprises:
    determining the corresponding repair operation information according to the behavior information corresponding to the dangerous file;
    repairing the real environment of the computer device according to the repair operation information.
  7. The method according to claim 6, wherein the repair operation information includes at least one of:
    - information related to a file repair operation;
    - information related to a registry repair operation;
    - information related to a process repair operation;
    - information related to a thread repair operation.
  8. The method according to any one of claims 1 to 7, further comprising:
    closing the virtual environment when a predetermined closing condition is met.
  9. The method according to claim 8, wherein the predetermined closing condition includes at least one of:
    - the dangerous file performs a process exit operation in the virtual environment;
    - the running time of the dangerous file in the virtual environment exceeds a predetermined time.
  10. An apparatus for determining, in a computer device, behavior information corresponding to a dangerous file, the apparatus comprising:
    an apparatus for running the dangerous file in a virtual environment of the computer device when the presence of a dangerous file is detected, wherein the virtual environment includes at least one virtual API that is the same as at least one real API in the real environment of the computer device;
    an apparatus for monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file.
  11. The apparatus according to claim 10, wherein the at least one virtual API includes an application-reading virtual API capable of reading the currently active applications, and the apparatus for running the dangerous file in the virtual environment comprises:
    an apparatus for providing the dangerous file with information on the currently active applications when the dangerous file calls the application-reading virtual API.
  12. The apparatus according to claim 10 or 11, further comprising:
    an apparatus for obtaining, in the virtual environment, at least one file released by the running dangerous file;
    wherein the apparatus for monitoring the behavior of the dangerous file in the virtual environment to obtain the behavior information corresponding to the dangerous file comprises:
    an apparatus for monitoring, in the virtual environment, the behavior of the dangerous file and of the at least one file to obtain the behavior information corresponding to the dangerous file.
  13. The apparatus according to any one of claims 10 to 12, wherein the behavior information includes at least one of:
    - information related to file operation behavior;
    - information related to registry operation behavior;
    - information related to process operation behavior;
    - information related to thread operation behavior.
  14. The apparatus according to any one of claims 10 to 13, further comprising:
    an apparatus for repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file.
  15. The apparatus according to claim 14, wherein the apparatus for repairing the real environment of the computer device according to the behavior information corresponding to the dangerous file comprises:
    an apparatus for determining the corresponding repair operation information according to the behavior information corresponding to the dangerous file;
    an apparatus for repairing the real environment of the computer device according to the repair operation information.
  16. The apparatus according to claim 15, wherein the repair operation information includes at least one of:
    - information related to a file repair operation;
    - information related to a registry repair operation;
    - information related to a process repair operation;
    - information related to a thread repair operation.
  17. The apparatus according to any one of claims 10 to 16, further comprising:
    an apparatus for closing the virtual environment when a predetermined closing condition is met.
  18. The apparatus according to claim 17, wherein the predetermined closing condition includes at least one of:
    - the dangerous file performs a process exit operation in the virtual environment;
    - the running time of the dangerous file in the virtual environment exceeds a predetermined time.
  19. A computer-readable medium comprising computer code which, when executed, performs the method according to any one of claims 1 to 9.
  20. A computer program product which, when executed by a computer device, performs the method according to any one of claims 1 to 9.
  21. A computer device comprising a memory and a processor, the memory storing computer code and the processor being configured to perform the method according to any one of claims 1 to 9 by executing the computer code.
PCT/CN2015/082409 2015-03-18 2015-06-25 Method and apparatus for determining behavior information corresponding to a dangerous file WO2016145749A1 (zh)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP15885132.9A EP3113060B1 (en) 2015-03-18 2015-06-25 Method and apparatus for determining behaviour information corresponding to dangerous file
JP2016564985A JP2017520820A (ja) 2015-03-18 2015-06-25 Method for identifying behavior information corresponding to a dangerous file and apparatus for identifying behavior information corresponding to a dangerous file
KR1020167030047A KR101974989B1 (ko) 2015-03-18 2015-06-25 Method and apparatus for determining behavior information corresponding to a dangerous file
US15/300,770 US10915624B2 (en) 2015-03-18 2015-06-25 Method and apparatus for determining behavior information corresponding to a dangerous file

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510119820.7 2015-03-18
CN201510119820.7A CN104766006B (zh) 2015-03-18 2015-03-18 Method and apparatus for determining behavior information corresponding to a dangerous file

Publications (1)

Publication Number Publication Date
WO2016145749A1 true WO2016145749A1 (zh) 2016-09-22

Family

ID=53647828

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/082409 WO2016145749A1 (zh) 2015-03-18 2015-06-25 Method and apparatus for determining behavior information corresponding to a dangerous file

Country Status (6)

Country Link
US (1) US10915624B2 (zh)
EP (1) EP3113060B1 (zh)
JP (1) JP2017520820A (zh)
KR (1) KR101974989B1 (zh)
CN (1) CN104766006B (zh)
WO (1) WO2016145749A1 (zh)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106921608B (zh) 2015-12-24 2019-11-22 Huawei Technologies Co., Ltd. Method, apparatus and system for detecting the security status of a terminal
WO2019009601A1 (ko) * 2017-07-04 2019-01-10 Soosan INT Co., Ltd. Apparatus and method for protecting web sources
CN110020933B (zh) * 2019-04-10 2020-06-23 China Southern Power Grid Digital Grid Research Institute Co., Ltd. Automatic exit method, apparatus and computer device applied to a financial business system
US11336690B1 (en) * 2019-11-15 2022-05-17 National Technology & Engineering Solutions Of Sandia, Llc Threat emulation framework
JP7489197B2 (ja) * 2020-01-31 2024-05-23 NTT DATA Corporation Cloud monitoring and repair method, cloud monitoring and repair system, and program

Citations (3)

Publication number Priority date Publication date Assignee Title
CN1314638A (zh) * 2001-04-29 2001-09-26 Beijing Rising Technology Co., Ltd. Method, system and medium for detecting and removing known and unknown computer viruses
CN1356631A (zh) * 2001-12-03 2002-07-03 Shanghai Computer Virus Prevention Service Center Distributed virus monitoring architecture
CN101350049A (zh) * 2007-07-16 2009-01-21 Zhuhai Kingsoft Software Co., Ltd. Method, apparatus and network device for identifying virus files

Family Cites Families (32)

Publication number Priority date Publication date Assignee Title
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US6192512B1 (en) * 1998-09-24 2001-02-20 International Business Machines Corporation Interpreter with virtualized interface
US7146305B2 (en) * 2000-10-24 2006-12-05 Vcis, Inc. Analytical virtual machine
US8171553B2 (en) * 2004-04-01 2012-05-01 Fireeye, Inc. Heuristic based capture with replay to virtual machine
US7779472B1 (en) * 2005-10-11 2010-08-17 Trend Micro, Inc. Application behavior based malware detection
JP2007334536A (ja) * 2006-06-14 2007-12-27 SecureBrain Corp. Malware behavior analysis system
EP1933248A1 (de) * 2006-12-12 2008-06-18 secunet Security Networks Aktiengesellschaft Method for secure data processing on a computer system
US8307443B2 (en) * 2007-09-28 2012-11-06 Microsoft Corporation Securing anti-virus software with virtualization
US7797748B2 (en) * 2007-12-12 2010-09-14 Vmware, Inc. On-access anti-virus mechanism for virtual machine architecture
KR20090067569A (ko) * 2007-12-21 2009-06-25 Saint Security Inc. Windows kernel protection system using virtualization techniques
JP4705961B2 (ja) * 2008-01-25 2011-06-22 Sky Co., Ltd. Virus damage range prediction system
JP4755658B2 (ja) * 2008-01-30 2011-08-24 Nippon Telegraph and Telephone Corporation Analysis system, analysis method and analysis program
US8312547B1 (en) * 2008-03-31 2012-11-13 Symantec Corporation Anti-malware scanning in a portable application virtualized environment
JP2009037651A (ja) * 2008-11-17 2009-02-19 Fujitsu Ltd. Security management system
US8528075B2 (en) * 2008-11-30 2013-09-03 Red Hat Israel, Ltd. Accelerating the execution of anti-virus programs in a virtual machine environment
JP5274227B2 (ja) 2008-12-10 2013-08-28 LAC Co., Ltd. Web page inspection apparatus, computer system, web page inspection method, and program
US8407787B1 (en) * 2009-01-22 2013-03-26 Trend Micro Incorporated Computer apparatus and method for non-intrusive inspection of program behavior
JP5440973B2 (ja) * 2009-02-23 2014-03-12 National Institute of Information and Communications Technology Computer inspection system and computer inspection method
JP5225942B2 (ja) * 2009-07-01 2013-07-03 Nippon Telegraph and Telephone Corporation Analysis system, analysis method, and analysis program
US8479286B2 (en) * 2009-12-15 2013-07-02 Mcafee, Inc. Systems and methods for behavioral sandboxing
KR20110087826A (ko) * 2010-01-27 2011-08-03 Hannam University Industry-Academia Cooperation Foundation Method for detecting malicious software using a virtual machine
TWI407328B (zh) 2010-09-15 2013-09-01 Chunghwa Telecom Co Ltd Network virus protection method and system
US8555385B1 (en) * 2011-03-14 2013-10-08 Symantec Corporation Techniques for behavior based malware analysis
US20120254993A1 (en) * 2011-03-28 2012-10-04 Mcafee, Inc. System and method for virtual machine monitor based anti-malware security
US9298910B2 (en) * 2011-06-08 2016-03-29 Mcafee, Inc. System and method for virtual partition monitoring
RU2514141C1 (ru) * 2012-09-28 2014-04-27 Kaspersky Lab ZAO Method of emulating system function calls to bypass emulation countermeasures
KR101429131B1 (ko) 2013-06-12 2014-08-11 SoftCamp Co., Ltd. File security management apparatus and management method for system protection
US9591003B2 (en) 2013-08-28 2017-03-07 Amazon Technologies, Inc. Dynamic application security verification
RU2580030C2 (ru) * 2014-04-18 2016-04-10 Kaspersky Lab ZAO System and method for distributing anti-virus scanning tasks among virtual machines in a virtual network
US9973531B1 (en) * 2014-06-06 2018-05-15 Fireeye, Inc. Shellcode detection
US9471283B2 (en) * 2014-06-11 2016-10-18 Ca, Inc. Generating virtualized application programming interface (API) implementation from narrative API documentation
US9917855B1 (en) * 2016-03-03 2018-03-13 Trend Micro Incorporated Mixed analysys-based virtual machine sandbox

Non-Patent Citations (1)

Title
See also references of EP3113060A4 *

Also Published As

Publication number Publication date
CN104766006A (zh) 2015-07-08
US10915624B2 (en) 2021-02-09
CN104766006B (zh) 2019-03-12
KR101974989B1 (ko) 2019-05-07
KR20160138523A (ko) 2016-12-05
US20170124321A1 (en) 2017-05-04
EP3113060A1 (en) 2017-01-04
JP2017520820A (ja) 2017-07-27
EP3113060A4 (en) 2017-11-08
EP3113060B1 (en) 2021-01-13

Similar Documents

Publication Publication Date Title
EP3555789B1 (en) Intelligent backup and versioning
WO2016145749A1 (zh) Method and apparatus for determining behavior information corresponding to a dangerous file
US7614084B2 (en) System and method for detecting multi-component malware
US20220398321A1 (en) Data management
US20130160126A1 (en) Malware remediation system and method for modern applications
US10339316B2 (en) Integrity assurance through early loading in the boot phase
US20160156645A1 (en) Method and apparatus for detecting macro viruses
US20210182392A1 (en) Method for Detecting and Defeating Ransomware
US8448243B1 (en) Systems and methods for detecting unknown malware in an executable file
JP5888386B2 (ja) Virus processing method and apparatus
RU2583711C2 (ru) Method for deferred removal of malicious code
JP6404771B2 (ja) Log determination device, log determination method, and log determination program
US20140229526A1 (en) Systems, methods and media for securely executing remote commands using cross-platform library
US11509738B2 (en) System for migration of data from legacy computer system using wireless peer-to-peer connection
KR101138746B1 (ko) Apparatus and method for blocking malicious code using executable files
EP2230616B1 (en) System and method for detecting multi-component malware
KR20120039569A (ko) Apparatus for blocking malicious code using executable files
JP2022141590A (ja) System and method for scanning archive slices for malware using empty sparse files
WO2014139295A1 (zh) Data processing method and terminal

Legal Events

Date Code Title Description
REEP Request for entry into the european phase; Ref document number: 2015885132; Country of ref document: EP
WWE Wipo information: entry into national phase; Ref document number: 2015885132; Country of ref document: EP
ENP Entry into the national phase; Ref document number: 20167030047; Country of ref document: KR; Kind code of ref document: A; Ref document number: 2016564985; Country of ref document: JP; Kind code of ref document: A
121 Ep: the epo has been informed by wipo that ep was designated in this application; Ref document number: 15885132; Country of ref document: EP; Kind code of ref document: A1
WWE Wipo information: entry into national phase; Ref document number: 15300770; Country of ref document: US
NENP Non-entry into the national phase; Ref country code: DE