WO2020000741A1 - Rootkit measurement method, apparatus, and server - Google Patents

Rootkit measurement method, apparatus, and server

Info

Publication number
WO2020000741A1
Authority
WO
WIPO (PCT)
Prior art keywords
system call
call table
state
backed
module
Prior art date
Application number
PCT/CN2018/108469
Other languages
French (fr)
Chinese (zh)
Inventor
郑彪
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Definitions

  • The present invention relates to the field of computer technology, and in particular to a method, a device, and a server for detecting rootkit malware.
  • A rootkit is the most stubborn kind of malicious software on a Linux system and a special type of malware: it can hide almost any software, including file servers, keyloggers, botnets and remailers.
  • Embodiments of the present invention provide a rootkit detection method, device, and server that help improve the accuracy of rootkit detection.
  • In a first aspect, an embodiment of the present invention provides a rootkit detection method.
  • The method is applied to a Linux system.
  • The Linux system includes a secure backup area in which a system call table is backed up in advance.
  • The Linux system is divided into a user mode (ring3 state) and a kernel mode (ring0 state); the method includes the steps described in the embodiments below.
  • An embodiment of the present invention provides a rootkit detection device, which includes modules for executing the method of the first aspect.
  • An embodiment of the present invention provides a server.
  • The server includes a processor, a network interface, and a memory, which are connected to each other.
  • The network interface is controlled by the processor to receive and send messages.
  • The memory is configured to store a computer program that enables the server to execute the foregoing method; the computer program includes program instructions, and the processor is configured to call the program instructions to execute the method of the first aspect.
  • An embodiment of the present invention provides a computer-readable storage medium.
  • The computer-readable storage medium stores a computer program that includes program instructions which, when executed by a processor, cause the processor to execute the method of the first aspect.
  • In the embodiments of the present invention, the rootkit is detected against the system call table.
  • On the one hand, because only the system call table is compared, the detection effect can be achieved with very little overhead; on the other hand, because the system call table is fixed at the kernel compilation stage, it does not change during the detection process, which improves the accuracy of rootkit detection.
  • FIG. 1 is a schematic flowchart of a rootkit detection method according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of another rootkit detection method according to an embodiment of the present invention.
  • FIG. 3 is a schematic block diagram of a rootkit detection device according to an embodiment of the present invention.
  • FIG. 4 is a schematic block diagram of a server according to an embodiment of the present invention.
  • The Linux operating system is divided into the kernel state (ring0 state) and the user state (ring3 state). Most user operations take place in the ring3 state. System commands and applications essentially invoke system functions, which are serviced in ring0 through the system call table (syscall table) and ultimately act on the hardware. When the ring0 state of a Linux system is attacked by a rootkit, the memory address of a syscall in the syscall table can be tampered with, so that programs read the modified syscall address and execute malicious functions that implement special capabilities (such as hiding malicious background processes).
  • Accordingly, an embodiment of the present invention proposes a rootkit detection method for malicious software.
  • When the server detects that the Linux system is running, it loads a kernel module pre-deployed in the Linux system, and when it detects that the kernel module has finished loading, it triggers the obtaining program in the kernel module.
  • The obtaining program obtains the current system call table in the ring0 state; the server then obtains the pre-backed-up system call table from the secure backup area and calls the comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table. If they are not consistent, it determines that the ring0 state of the Linux system has been attacked by a rootkit. Rootkit detection is thus performed against the system call table.
  • On the one hand, because only the system call table is compared, the detection effect can be achieved with very little overhead; on the other hand, because the system call table is fixed at the kernel compilation stage, it does not change during the detection process, which improves the accuracy of rootkit detection.
  • FIG. 1 is a schematic flowchart of a rootkit detection method according to an embodiment of the present invention.
  • The method is applied to a Linux system.
  • A secure backup area is partitioned off in the Linux system in advance, and the system call table is backed up into it in advance.
  • The Linux system is divided into a user mode (ring3 state) and a kernel mode (ring0 state).
  • The rootkit detection method may include the following steps:
  • When the server detects that the Linux system is running, it loads a kernel module that is pre-deployed in the Linux system.
  • To create the secure backup area, a developer can set up a separate partition during system installation and mount, through a separate mount point, a backup partition file that holds the copy of the system call table (syscall_table).
  • Linux uses ring3 as the user mode and ring0 as the kernel mode.
  • The kernel state (ring0) and the user state (ring3) are the two operating levels of the operating system.
  • When a user runs a program, the process created for it starts in user mode. To perform file operations, send network data, or carry out similar operations, it must use system calls. A system call executes code in the kernel to complete the operation, so the CPU must switch to the ring0 state and enter the kernel address space to run that code; when the operation completes it switches back to the ring3 state, that is, returns to user mode. In this way a program in the ring3 state cannot manipulate the kernel address space at will, which provides a measure of security protection.
  • A kernel module is an interface the Linux kernel provides to the outside, called a Loadable Kernel Module (LKM), or module for short.
  • The Linux kernel provides the module mechanism because it is a monolithic kernel.
  • The biggest advantage of a monolithic kernel is efficiency, because everything is integrated, but its disadvantage is relatively poor scalability and maintainability.
  • The module mechanism makes up for this shortcoming.
  • Accordingly, when the server detects that the Linux system is running, it may load a kernel module pre-deployed in the Linux system.
  • The kernel module can be loaded by means of a loading driver of the Linux system, for example insmod or modprobe.
  • modprobe loads all required modules according to the dependencies recorded by depmod -a in /lib/modules/<version>/modules.dep; insmod loads a single module on demand.
  • a. modprobe resolves dependencies when loading kernel modules: for example, if loading kernel module A requires kernel module B to be loaded first, modprobe finds this through the /lib/modules/<kernel-version>/modules.dep file. insmod cannot resolve dependencies.
  • b. modprobe looks for kernel modules under /lib/modules/<kernel-version>/ by default, while insmod looks only at the module path given to it as a parameter (by default in the current directory).
  • Specifically, the server may call the driver of the Linux system to start the loading process; after the loading process has started, the module loading function is called to embed the pre-deployed kernel module into the ring0 state, which completes the loading of the kernel module.
  • The driver of the Linux system may be, for example, insmod, and the loading function may be, for example, the load_module function.
  • When the server detects that loading of the kernel module is complete, it triggers the obtaining program in the kernel module to obtain the current system call table in the ring0 state.
  • The server obtains the pre-backed-up system call table from the secure backup area and calls the comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table.
  • If the backed-up system call table is inconsistent with the obtained current system call table, the server determines that the ring0 state of the Linux system has been attacked by a rootkit.
  • A comparison program is stored in the ring3 state in advance. It compares whether the system call table backed up in the secure backup area is consistent with the current system call table obtained in step 102, that is, whether the table has been tampered with or redirected.
  • When the server detects that the kernel module has loaded, it triggers the fetch program in the kernel module to obtain the current system call table in the ring0 state in real time, obtains the previously backed-up system call table from the secure backup area, and then calls the comparison program in the ring3 state to determine whether the backed-up system call table is consistent with the obtained current system call table.
  • A timing function may also be set for the comparison program, that is, at a preset time interval the comparison program in the ring3 state is called to perform the step of determining whether the system call table backed up in the secure backup area is consistent with the obtained current system call table.
  • The server may therefore call the comparison program in the ring3 state to determine whether the backed-up system call table is consistent with the obtained current system call table; if they are not consistent, it determines that the ring0 state of the Linux system has been attacked by a rootkit. Rootkit detection is thus performed against the system call table. On the one hand, because only the system call table is compared, the detection effect can be achieved with very little overhead; on the other hand, because the system call table is fixed at the kernel compilation stage, it does not change during the detection process, which improves the accuracy of rootkit detection.
  • FIG. 2 is a schematic flowchart of another rootkit detection method according to an embodiment of the present invention.
  • The rootkit detection method may include the following steps:
  • When the server detects that the Linux system is running, it loads a kernel module that is pre-deployed in the Linux system.
  • When the server detects that loading of the kernel module is complete, it triggers the obtaining program in the kernel module to obtain the current system call table in the ring0 state.
  • For specific implementations of steps 201 to 202, reference may be made to the related descriptions of steps 101 to 102 in the foregoing embodiment; details are not repeated here.
  • The server obtains the comparison program in the ring3 state, and obtains the system call table and comparison program that were backed up in advance from the secure backup area.
  • The server compares whether the comparison program in the ring3 state and the comparison program in the secure backup area are consistent.
  • If they are consistent, the server calls the comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table.
  • In this embodiment, a comparison program is backed up in the secure backup area in advance.
  • The server can obtain the pre-backed-up system call table and comparison program from the secure backup area and compare the comparison program in the secure backup area with the comparison program in the ring3 state.
  • The two comparison programs are compared to determine whether the comparison program in the ring3 state is consistent with the comparison program in the secure backup area. If they are consistent, the comparison program in the ring3 state is called to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table.
  • If they are not consistent, the server can output a prompt message indicating that the comparison program in the ring3 state has been tampered with.
  • When operation and maintenance personnel see the prompt message, they can deal with it in time.
  • When the server compares whether the comparison program in the ring3 state is consistent with the comparison program in the secure backup area, it can compare the file content verification information of the two. If the file content verification information differs, it can determine that the comparison program in the ring3 state and the comparison program backed up in the secure backup area are inconsistent.
  • The file content verification information may include a cyclic redundancy check (CRC) value, a message digest value (such as Message Digest Algorithm 5, MD5), and the like.
  • A cyclic redundancy check (CRC) is a hash function that generates a short, fixed-length check code from data such as network packets or computer files. It is mainly used to detect or verify errors that may occur after data is transmitted or stored. The check code is calculated before the data is transmitted or stored and appended to the data; the receiver then recomputes it to determine whether the data has changed. That is, if the contents of two files are exactly the same, the CRCs of the two files must be the same. Therefore, in the embodiment of the present invention, the CRC value of the comparison program can be used to determine whether the comparison program in the ring3 state and the comparison program backed up in the secure backup area are consistent.
  • MD5 has been widely used to judge the reliability of file transmission.
  • The sending terminal provides an MD5 checksum in advance.
  • The receiving terminal uses the MD5 algorithm to calculate the MD5 checksum of the received file and then, by checking whether the two checksums are consistent, judges whether the received file contains an error. Even a small change to the original (such as replacing a "d" with a "c") changes the MD5 checksum dramatically. Therefore, in the embodiment of the present invention, the MD5 value of the comparison program can also be used to determine whether the comparison program in the ring3 state and the comparison program backed up in the secure backup area are consistent.
  • The reliability of the message digest algorithm is greater than that of the cyclic redundancy check: if the CRCs of the two comparison programs differ, the contents of the two comparison programs are definitely different;
  • but if the CRC codes of the two comparison programs are the same, their contents are not necessarily the same.
  • The CRC occupies only 2 bytes, whereas MD5 occupies 16 bytes, so verification with the CRC code is relatively more efficient. In summary, when comparing whether the contents of the two comparison programs are the same, the comparison can be made first on the CRC code.
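The two-stage check the passage describes, as an added example (this is not code from the patent): a 2-byte CRC is compared first and MD5 is consulted only when the CRCs agree. The CRC variant (CRC-16/CCITT-FALSE) is an assumption, since the page names none; the trusted copy of the comparison program and the two ring3 candidates are constructed byte strings, not real files. `find_crc16_collision` builds a file whose contents differ from the trusted copy but whose CRC is identical, which is exactly why the passage says equal CRCs do not prove equal contents and a digest must follow.

```python
import hashlib
from typing import Tuple

# Constructed sample inputs (not real files): the trusted copy of the
# comparison program kept in the secure backup area, an intact ring3 copy,
# and a copy in which one token was altered.
TRUSTED_PROGRAM = (
    b"#!/bin/sh\n"
    b"# compare the backed-up and live system call tables\n"
    b"cmp /backup/syscall_table.bin /run/syscall_table.bin\n"
)
INTACT_CANDIDATE = bytes(TRUSTED_PROGRAM)
TAMPERED_CANDIDATE = TRUSTED_PROGRAM.replace(b"cmp", b"cp ", 1)


def crc16_ccitt(data: bytes, state: int = 0xFFFF, poly: int = 0x1021) -> int:
    """2-byte CRC (CRC-16/CCITT-FALSE, assumed variant). `state` lets a CRC be
    continued over data fed in pieces: crc(a + b) == crc(b, state=crc(a))."""
    crc = state
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def md5_hex(data: bytes) -> str:
    """16-byte MD5 digest of the file contents, as hex."""
    return hashlib.md5(data).hexdigest()


def verify_comparison_program(candidate: bytes, trusted: bytes) -> Tuple[bool, str]:
    """Two-stage consistency check: the cheap CRC first, MD5 only if it matches.
    Returns (is_consistent, reason)."""
    if crc16_ccitt(candidate) != crc16_ccitt(trusted):
        # Differing CRCs prove the contents differ; no need to hash.
        return False, "crc16 mismatch"
    # Equal 2-byte CRCs do not prove equal contents, so confirm with MD5.
    if md5_hex(candidate) != md5_hex(trusted):
        return False, "md5 mismatch (crc16 collision)"
    return True, "crc16 and md5 match"


def find_crc16_collision(trusted: bytes) -> bytes:
    """Build a different file with the same CRC-16 as `trusted`: append one
    comment byte, then search the 65536 two-byte suffixes for the one that
    steers the CRC back to the target (for a fixed prefix exactly one exists)."""
    target = crc16_ccitt(trusted)
    prefix = trusted + b"#"
    prefix_state = crc16_ccitt(prefix)
    for suffix in range(0x10000):
        tail = suffix.to_bytes(2, "big")
        if crc16_ccitt(tail, state=prefix_state) == target:
            return prefix + tail
    raise AssertionError("unreachable: some two-byte suffix always matches")


if __name__ == "__main__":
    for name, cand in [("intact", INTACT_CANDIDATE),
                       ("tampered", TAMPERED_CANDIDATE),
                       ("crc-collision", find_crc16_collision(TRUSTED_PROGRAM))]:
        ok, why = verify_comparison_program(cand, TRUSTED_PROGRAM)
        print(f"{name:14s} consistent={ok} ({why})")
```

The collision search is only there to make the 2-byte limitation concrete; in a deployment the CRC stage is a filter and the digest stage is the decision. MD5 itself is no longer collision resistant, so a practitioner implementing this check today would use SHA-256 (`hashlib.sha256`) in the second stage; it is a drop-in replacement for `md5_hex` here.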
  • If the backed-up system call table is inconsistent with the obtained current system call table, the server determines that the ring0 state of the Linux system has been attacked by a rootkit.
  • The server can also obtain the function address of the current system call table and output alarm information reminding the user that the current system call table located at that function address has been tampered with. After viewing the alarm information, operation and maintenance personnel can locate the current system call table directly through the function address and deal with it.
  • After determining that the ring0 state of the Linux system has been attacked by a rootkit, the server can also determine the memory address of the current system call table in the ring0 state, find the current system call table according to that memory address, replace it with the previously backed-up system call table, and so restore and repair the system.
  • The server can determine the memory address of the current system call table in the ring0 state in various ways.
  • For example, the server may obtain a system call table address file in the Linux system, which records the mapping relationship between the memory address of the current system call table in the ring0 state and the system call table backed up in advance.
  • The server may then determine the memory address of the current system call table from the system call table address file according to that mapping relationship and the backed-up system call table.
  • The system call table address file may be the System.map file.
  • The System.map file stores the kernel symbol table.
  • The kernel symbol table maps every kernel symbol to its memory address: from an address one can find the symbol, that is, the variable or function, and from a symbol one can find its address.
  • The memory address of the current system call table can thus be obtained by means of a symbol.
  • The known symbol here is that of the backed-up system call table; through it, the memory address of the current system call table can be found in the System.map file.
  • Alternatively, the server may obtain the interrupt descriptor table (IDT) in the Linux system, determine the entry point of the interrupt int 0x80 according to the IDT, and determine the address three bytes back from that entry point as the memory address of the current system call table in the ring0 state.
  • The server may also determine the memory address of the current system call table in the ring0 state by brute-force searching the memory space, or by performing a feature search for the pre-backed-up system call table in the machine code of unexported functions. The present invention does not specifically limit this.
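The measurement and repair flow of FIG. 1 and FIG. 2, as an added example that is not the patent's code: the System.map lookup described above locates sys_call_table, the live table is read and diffed against the backup, every mismatched entry is reported with its address, and the backup is written back over the hooked entries. Everything is simulated: the System.map text, the kernel addresses, the table contents and the hooked entry are constructed for the example, and "kernel memory" is a bytearray. Only the System.map line layout (address, symbol type, symbol name) is the real format; a real implementation would read the table from ring0 through the kernel module rather than from a buffer.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a three-line System.map and a 4 KiB fake "kernel
# memory" image. Addresses, symbol names and table contents are invented for
# the example; only the System.map line layout (address, type, symbol) is real.
IMAGE_BASE = 0xFFFFFFFF81E00000      # kernel address covered by image[0]
TABLE_BASE = 0xFFFFFFFF81E00280      # where the fake sys_call_table lives
ENTRY_SIZE = 8                       # one 64-bit function pointer per syscall
SYSTEM_MAP = (
    "ffffffff81e00000 T __start_rodata\n"
    "ffffffff81e00280 R sys_call_table\n"
    "ffffffff81e00a80 R x32_sys_call_table\n"
)
# The copy kept in the secure backup area: eight constructed handler addresses.
BACKUP_TABLE = [0xFFFFFFFF812A1000 + 0x40 * i for i in range(8)]


def parse_system_map(text: str) -> Dict[str, int]:
    """Parse System.map lines of the form '<hex address> <type> <symbol>'."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        addr, _kind, name = parts
        symbols[name] = int(addr, 16)
    return symbols


def build_image(table: List[int], tampered: Optional[Dict[int, int]] = None) -> bytearray:
    """Build a fake memory image holding `table` at TABLE_BASE, optionally
    overwriting entries (index -> rogue address) to model a rootkit hook."""
    image = bytearray(0x1000)
    entries = list(table)
    for idx, rogue in (tampered or {}).items():
        entries[idx] = rogue
    off = TABLE_BASE - IMAGE_BASE
    image[off:off + ENTRY_SIZE * len(entries)] = struct.pack(f"<{len(entries)}Q", *entries)
    return image


def read_table(image: bytearray, base: int, count: int) -> List[int]:
    """Read `count` little-endian 64-bit pointers starting at kernel address `base`."""
    return list(struct.unpack_from(f"<{count}Q", image, base - IMAGE_BASE))


def compare_tables(backup: List[int], current: List[int]) -> List[Tuple[int, int, int]]:
    """Return (index, expected, actual) for every entry that differs."""
    return [(i, b, c) for i, (b, c) in enumerate(zip(backup, current)) if b != c]


def measure(image: bytearray, system_map: str, backup: List[int]) -> List[Tuple[int, int, int]]:
    """Locate sys_call_table via System.map, read the live table and diff it."""
    base = parse_system_map(system_map)["sys_call_table"]
    return compare_tables(backup, read_table(image, base, len(backup)))


def restore(image: bytearray, system_map: str, backup: List[int]) -> int:
    """Write the backup over every mismatched entry; return the number repaired."""
    base = parse_system_map(system_map)["sys_call_table"]
    diffs = measure(image, system_map, backup)
    for idx, expected, _actual in diffs:
        struct.pack_into("<Q", image, base - IMAGE_BASE + idx * ENTRY_SIZE, expected)
    return len(diffs)


if __name__ == "__main__":
    # Hook entry 2 (constructed index) so it points into a rogue module range.
    img = build_image(BACKUP_TABLE, tampered={2: 0xFFFFFFFFC0000100})
    for idx, exp, act in measure(img, SYSTEM_MAP, BACKUP_TABLE):
        print(f"ALERT: sys_call_table[{idx}] at {TABLE_BASE + idx * ENTRY_SIZE:#x} "
              f"expected {exp:#x}, found {act:#x}")
    print("repaired", restore(img, SYSTEM_MAP, BACKUP_TABLE), "entries")
```

Reporting the address of each mismatched entry is what lets operations staff act on the alarm, as the passage describes; the repair step is deliberately limited to entries that differ from the backup, so an untampered table is never written to.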
  • In the embodiment of FIG. 2, the server may obtain the pre-backed-up system call table and comparison program from the secure backup area and compare whether the comparison program in the ring3 state is consistent with the pre-backed-up comparison program.
  • If they are consistent, the comparison program determines whether the system call table backed up in the secure backup area is consistent with the obtained current system call table, and if the tables are inconsistent the server determines that the ring0 state of the Linux system has been attacked by a rootkit. Rootkit detection is thus performed against the system call table.
  • Because only the system call table is compared, the detection effect can be achieved with very little overhead, and because the system call table is fixed at the kernel compilation stage it does not change, which improves the accuracy of rootkit detection.
  • Calling the comparison program only after determining that the comparison program in the ring3 state has not been tampered with further improves the accuracy of rootkit detection.
  • An embodiment of the present invention further provides a rootkit detection device, which is applied to a Linux system.
  • The Linux system includes a secure backup area in which a system call table is backed up in advance.
  • The Linux system is divided into a user state (ring3 state) and a kernel state (ring0 state).
  • The device includes modules for performing the method described in FIG. 1 or FIG. 2.
  • FIG. 3 is a schematic block diagram of a rootkit detection device according to an embodiment of the present invention.
  • The rootkit detection device in this embodiment includes:
  • a loading module 301 configured to load a kernel module pre-deployed in the Linux system when it is detected that the Linux system is running;
  • an obtaining module 302 configured to trigger an obtaining program in the kernel module to obtain the current system call table in the ring0 state when it is detected that loading of the kernel module is complete;
  • the obtaining module 302 is further configured to obtain the system call table backed up in advance from the secure backup area;
  • a determining module 303 configured to call a comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the current system call table obtained by the obtaining module, and, if the backed-up system call table is inconsistent with the obtained current system call table, to determine that the ring0 state of the Linux system has been attacked by a rootkit.
  • A comparison program is also backed up in the secure backup area, and the device further includes a comparison module 304, where:
  • the obtaining module 302 is further configured to obtain the comparison program in the ring3 state and the comparison program backed up in the secure backup area in advance;
  • the comparison module 304 is configured to compare whether the comparison program in the ring3 state and the comparison program in the secure backup area are consistent; if they are consistent, the determining module 303 calls the comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area and the obtained current system call table are consistent.
  • The device further includes a replacement module 305, where:
  • the determining module 303 is configured to determine the memory address of the current system call table in the ring0 state;
  • the replacement module 305 is configured to find the current system call table according to the memory address and replace it with the system call table backed up in advance.
  • The determining module 303 is specifically configured to obtain a system call table address file in the Linux system, which records the mapping relationship between the memory address of the current system call table in the ring0 state and the backed-up system call table, and to determine the memory address of the current system call table from the system call table address file according to that mapping relationship and the backed-up system call table.
  • The determining module 303 is specifically configured to obtain the interrupt descriptor table (IDT) in the Linux system, determine the entry point of the interrupt int 0x80 according to the IDT, and determine the address three bytes back from that entry point as the memory address of the current system call table in the ring0 state.
  • The loading module 301 is specifically configured to call the driver of the Linux system to start the loading process and, after the loading process has started, call a module loading function to embed the pre-deployed kernel module into the ring0 state.
  • The device further includes an output module 306, where:
  • the obtaining module 302 is further configured to obtain the function address of the current system call table;
  • the output module 306 is configured to output alarm information after the obtaining module 302 obtains the function address of the current system call table, the alarm information being used to prompt the user that the current system call table at that function address has been tampered with.
  • FIG. 4 is a schematic block diagram of a server provided by an embodiment of the present invention.
  • the server is applied to a linux system.
  • the linux system includes a secure backup area in which a system call table is backed up in advance. Ring3 state for user mode and ring0 state for kernel mode.
  • the server includes a processor 401, a memory 402, and a network interface 403.
  • the processor 401, the memory 402, and the network interface 403 may be connected through a bus or in other manners. In FIG. 4 shown in the embodiment of the present invention, connection through a bus is taken as an example.
  • the network interface 403 is controlled by the processor to send and receive messages, and the memory 402 is used to store a computer program.
  • the computer program includes program instructions, and the processor 401 is used to execute the program instructions stored in the memory 402.
  • the processor 401 is configured to call the program instructions for execution: when the Linux system is detected to be running, load a kernel module pre-deployed in the Linux system; and when it is detected that the kernel module is loaded completely Next, the obtaining program in the kernel module is triggered to obtain the current system call table in the ring0 state; the system call table backed up in advance is obtained from the secure backup area, and the comparison program in the ring3 state is called to determine Whether the system call table backed up in the secure backup area is consistent with the acquired current system call table; if the system call table backed up in advance is inconsistent with the acquired current system call table, determining the The ring0 state of the linux system was attacked by rookit.
  • the processor 401 may be a central processing unit (CPU), and the processor 401 may also be another general-purpose processor or a digital signal processor (Digital Signal Processor, DSP). ), Application Specific Integrated Circuit (ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • DSP Digital Signal Processor
  • ASIC Application Specific Integrated Circuit
  • FPGA Field-Programmable Gate Array
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the memory 402 may include a read-only memory and a random access memory, and provide instructions and data to the processor 401.
  • a part of the memory 402 may further include a non-volatile random access memory.
  • the memory 402 may also store information of a device type.
  • the processor 401, the memory 402, and the network interface 403 described in the embodiment of the present invention may execute the implementation manner described in the method embodiment shown in FIG. 1 or FIG. 2 provided by the embodiment of the present invention, and may also execute The implementation manner of the rookit detection device described in the embodiment of the present invention is not repeated here.
  • a computer-readable storage medium stores a computer program, where the computer program includes program instructions, and the program instructions are implemented when executed by a processor: When the linux system is detected to be running, a kernel module pre-deployed in the linux system is loaded; when the completion of the loading of the kernel module is detected, an acquisition program in the kernel module is triggered to obtain the ring0 state.
  • the computer-readable storage medium may be an internal storage unit of the server according to any of the foregoing embodiments, such as a hard disk or a memory of the server.
  • the computer-readable storage medium may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), and a Secure Digital (SD) card provided on the server. , Flash card (Flash card) and so on.
  • the computer-readable storage medium may further include both an internal storage unit of the server and an external storage device.
  • the computer-readable storage medium is used to store the computer program and other programs and data required by the server.
  • the computer-readable storage medium may also be used to temporarily store data that has been or will be output.
  • the program can be stored in a computer-readable storage medium.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random Access Memory, RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Disclosed in the embodiments of the present invention are a rootkit measurement method, apparatus, and server. The method can be applied to a Linux system which comprises a secure backup area in which a system call table has been backed up, and which is divided into a ring3 state and a ring0 state. The method comprises: if it is detected that the Linux system is running, loading a kernel module pre-deployed in the Linux system and triggering an acquisition program in the kernel module to obtain the current system call table in the ring0 state; obtaining the system call table that was backed up beforehand from the secure backup area, and calling a comparison program in the ring3 state to determine whether the backed-up system call table is consistent with the current system call table; and if not, determining that the ring0 state of the Linux system has been attacked by a rootkit. The embodiments of the present invention help to improve the accuracy of rootkit detection.

Description

Rootkit detection method, device and server
This application claims priority to Chinese patent application No. 201810706457.2, filed with the Chinese Patent Office on June 30, 2018 and entitled "一种rookit检测方法、装置及服务器" (A rookit detection method, device and server), the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of computer technology, and in particular to a method, device and server for detecting rootkit malware.
Background
With the rapid development of computer technology and the widespread use of websites, mobile terminals and the apps that run on them, the security of server systems has received increasing attention. Linux is an important server operating system and the number of servers running it grows daily, while the Trojans and viruses targeting Linux are updated just as constantly. A rootkit is the most persistent kind of malware on a Linux system; it is a special type of malware that can conceal almost any other software, including file servers, keyloggers, botnets and remailers.
At present, although rootkit detection tools are increasing in number, malware developers are constantly looking for new ways to cover a rootkit's tracks. How to detect rootkits more accurately has therefore become an urgent problem.
Summary of the invention
Embodiments of the present invention provide a rootkit detection method, device and server, which help to improve the accuracy of rootkit detection.
In a first aspect, an embodiment of the present invention provides a rootkit detection method applied to a Linux system. The Linux system includes a secure backup area in which a system call table has been backed up in advance, and is divided into a user-mode ring3 state and a kernel-mode ring0 state. The method includes:
when the Linux system is detected to be running, loading a kernel module pre-deployed in the Linux system;
when loading of the kernel module is detected to be complete, triggering an acquisition program in the kernel module to obtain the current system call table in the ring0 state;
obtaining the pre-backed-up system call table from the secure backup area, and calling a comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table;
if the pre-backed-up system call table is inconsistent with the obtained current system call table, determining that the ring0 state of the Linux system has been attacked by a rootkit.
In a second aspect, an embodiment of the present invention provides a rootkit detection device, which includes modules for performing the method of the first aspect.
In a third aspect, an embodiment of the present invention provides a server. The server includes a processor, a network interface and a memory, which are connected to one another. The network interface is controlled by the processor to send and receive messages; the memory stores a computer program that enables the server to perform the above method, the computer program including program instructions; and the processor is configured to call the program instructions to perform the method of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium that stores a computer program. The computer program includes program instructions which, when executed by a processor, cause the processor to perform the method of the first aspect.
With this application, rootkits can be detected against the system call table. On the one hand, because what is compared is the system call table, detection can be achieved with very little overhead; on the other hand, because the system call table is fixed when the kernel is compiled and is not changed during the detection process, the accuracy of rootkit detection can be improved.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a rootkit detection method according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of another rootkit detection method according to an embodiment of the present invention;
FIG. 3 is a schematic block diagram of a rootkit detection device according to an embodiment of the present invention;
FIG. 4 is a schematic block diagram of a server according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The Linux operating system is divided into a kernel-mode ring0 state and a user-mode ring3 state. The great majority of user operations take place in the ring3 state; essentially every system command and application issues system calls, and those calls are dispatched through the system call table (syscall table) in the ring0 state before they act on the hardware. When the ring0 state of a Linux system has been attacked by a rootkit, the memory addresses of the syscalls in the syscall table are tampered with, so that a program reads the modified syscall address and a malicious function is executed instead, implementing special functions such as hiding a malicious background process.
Therefore, an embodiment of the present invention proposes a rootkit malware detection method: when the Linux system is detected to be running, a kernel module pre-deployed in the Linux system is loaded; when loading of the kernel module is detected to be complete, the acquisition program in the kernel module is triggered to obtain the current system call table in the ring0 state; the pre-backed-up system call table is then obtained from the secure backup area, and the comparison program in the ring3 state is called to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table; if not, it is determined that the ring0 state of the Linux system has been attacked by a rootkit. Detecting the rootkit against the system call table has two advantages: because what is compared is the system call table, detection is achieved with very little overhead; and because the system call table is fixed when the kernel is compiled and is not changed during the detection process, the accuracy of rootkit detection is improved.
Referring to FIG. 1, FIG. 1 is a schematic flowchart of a rootkit detection method according to an embodiment of the present invention. The method is applied to a Linux system in which a secure backup area has been partitioned in advance and a system call table has been backed up to that area in advance; the Linux system is divided into a user-mode ring3 state and a kernel-mode ring0 state. As shown in the figure, the rootkit detection method may include:
101. When the server detects that the Linux system is running, it loads a kernel module pre-deployed in the Linux system.
In an embodiment, the developer may create a separate partition during system installation and mount it at a separate mount point to serve as the backup partition holding the system call table (syscall_table) file. Linux runs user mode at ring3 and kernel mode at ring0; the kernel-mode ring0 state and the user-mode ring3 state are the operating system's two privilege levels. For example, when a user runs a program, the process it creates starts in user mode. If it needs to perform file operations, send network data and so on, it must go through system calls, which execute code in the kernel to complete the operation. At that point the processor must switch to the ring0 state and enter the kernel address space to execute that code; once the operation is complete it switches back to the ring3 state, that is, back to user mode. In this way a ring3 program cannot manipulate the kernel address space at will, which provides a measure of security protection.
The kernel module is an interface that the Linux kernel exposes to the outside. Its full name is loadable kernel module (LKM), and it may be referred to simply as a module. The Linux kernel provides the module mechanism because it is itself a monolithic kernel. The greatest advantage of a monolithic kernel is efficiency, because everything is integrated together, but its drawback is comparatively poor extensibility and maintainability; the module mechanism exists to make up for this shortcoming.
In an embodiment, when the server detects that the Linux system is running, it may load a kernel module pre-deployed in the Linux system. As to the specific manner of loading, the module may be loaded with the Linux system's module-loading utilities, for example insmod and modprobe. modprobe loads all required modules according to /lib/modules/<version>/modules.dep, the output of depmod -a; insmod loads a single specified module into the kernel when needed.
The two loading methods differ as follows. a. modprobe resolves dependencies when loading kernel modules (for example, loading kernel module A may require kernel module B to be loaded first); it finds the dependencies through the /lib/modules/<kernel-version>/modules.dep file, whereas insmod cannot resolve dependencies. b. modprobe looks for kernel modules under /lib/modules/<kernel-version>/ by default, whereas insmod only looks for the kernel module given in its arguments (by default in the current directory).
In an embodiment, the server may call the Linux system's module-loading utility to start the loading process and, once the loading process has started, call the module-loading function to embed the pre-deployed kernel module into the ring0 state, thereby completing the loading of the kernel module. The utility may be, for example, insmod; the loading function may be, for example, the kernel's load_module function.
102. When the server detects that loading of the kernel module is complete, it triggers the acquisition program in the kernel module to obtain the current system call table in the ring0 state.
103. The server obtains the pre-backed-up system call table from the secure backup area, and calls the comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table.
104. If the pre-backed-up system call table is inconsistent with the obtained current system call table, the server determines that the ring0 state of the Linux system has been attacked by a rootkit.
In an embodiment, a comparison program is stored in the ring3 state in advance. The comparison program compares the system call table backed up in the secure backup area with the current system call table obtained in step 102 to determine whether they are consistent, that is, whether the table has been tampered with or redirected. In this case, when the server detects that the kernel module has finished loading, it triggers the acquisition program in the kernel module to obtain the current system call table in the ring0 state in real time, obtains the originally backed-up system call table from the secure backup area, and then calls the comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table; if they are not consistent, it determines that the ring0 state of the Linux system has been attacked by a rootkit. Detecting the rootkit against the system call table has two advantages: because what is compared is the system call table, detection is achieved with very little overhead; and because the system call table is fixed when the kernel is compiled and does not change, the accuracy of rootkit detection is improved.
When the comparison program in the ring3 state is called to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table, a timer may also be set for the comparison program, that is, the comparison program in the ring3 state is called at a preset time interval to perform the step of determining whether the system call table backed up in the secure backup area is consistent with the obtained current system call table.
In this embodiment of the present invention, the server may call the comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table, and if they are not consistent, determine that the ring0 state of the Linux system has been attacked by a rootkit. Detecting the rootkit against the system call table has two advantages: because what is compared is the system call table, detection is achieved with very little overhead; and because the system call table is fixed when the kernel is compiled and is not changed during the detection process, the accuracy of rootkit detection is improved.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of another rootkit detection method according to an embodiment of the present invention. As shown in the figure, the rootkit detection method may include:
201. When the server detects that the Linux system is running, it loads a kernel module pre-deployed in the Linux system.
202. When the server detects that loading of the kernel module is complete, it triggers the acquisition program in the kernel module to obtain the current system call table in the ring0 state.
For the specific implementation of steps 201 and 202, reference may be made to the description of steps 101 and 102 in the foregoing embodiment; details are not repeated here.
203. The server obtains the comparison program in the ring3 state, and obtains the pre-backed-up system call table and the pre-backed-up comparison program from the secure backup area.
204. The server compares the comparison program in the ring3 state with the comparison program in the secure backup area to determine whether they are consistent.
205. If the comparison program in the ring3 state is consistent with the comparison program in the secure backup area, the server calls the comparison program in the ring3 state to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table.
In an embodiment, a comparison program is also backed up in the secure backup area in advance. In this case, after the server has obtained the current system call table in the ring0 state, it may obtain the pre-backed-up system call table and comparison program from the secure backup area and compare the comparison program in the secure backup area with the comparison program obtained from the ring3 state to determine whether they are consistent. If the comparison program in the ring3 state is consistent with the comparison program in the secure backup area, the comparison program in the ring3 state is called to determine whether the system call table backed up in the secure backup area is consistent with the obtained current system call table.
If the comparison program in the ring3 state is determined to be inconsistent with the comparison program in the secure backup area, it can be determined that the comparison program in the ring3 state has been tampered with. In this case, the server may output a prompt indicating that the comparison program in the ring3 state has been tampered with, so that operations staff can deal with it promptly when they see the prompt.
When the server compares whether the comparison program in the ring3 state is consistent with the comparison program in the secure backup area, it may compare the file content check information of the two; if the check information differs, it can determine that the comparison program in the ring3 state is inconsistent with the comparison program backed up in the secure backup area. The file content check information may include a cyclic redundancy check (CRC) code, a message digest value (such as Message-Digest Algorithm 5, MD5), and the like.
A cyclic redundancy check (CRC) is a hash function that produces a short, fixed-length check code from data such as a network packet or a computer file; it is mainly used to detect or verify errors that may occur after data transmission or storage. The generated value is computed before transmission or storage and appended to the data, and the receiver then checks it to determine whether the data has changed. That is, if the contents of two files are exactly the same, their CRCs must be the same. Therefore, in this embodiment of the present invention, the CRC value of the comparison program may also be used to judge whether the comparison program in the ring3 state is consistent with the comparison program backed up in the secure backup area.
MD5 is widely used to judge the reliability of file transfers. For example, the sending terminal provides an MD5 checksum in advance; after receiving the file, the receiving terminal computes the MD5 checksum of the received file with the MD5 algorithm and then checks whether the two checksums match to determine whether the received file is corrupt. Even a small change in the original (such as replacing d with c) changes the MD5 checksum drastically. Therefore, in this embodiment of the present invention, the MD5 value of the comparison program may also be used to judge whether the comparison program in the ring3 state is consistent with the comparison program backed up in the secure backup area.
It should be noted that, in general, a message digest algorithm is more reliable than a cyclic redundancy check: if the CRCs of the two comparison programs differ, their contents are certainly different, but if their CRC codes are the same, their contents are not necessarily the same. A CRC, however, occupies only 2 bytes whereas an MD5 value occupies 16, so checking with the CRC code is more efficient. In summary, when comparing whether the contents of the two comparison programs are the same, the comparison may first be made on the CRC codes; if they differ, the contents are directly determined to be different; if the CRC codes are the same, the MD5 values of the two comparison programs are further compared, and the contents are determined to be the same if the MD5 values match and different otherwise. This amounts to first filtering out, by CRC code, comparison programs whose contents are certainly different and then further verifying only those whose CRC codes match, thereby combining the advantages of the two check values: verification efficiency is improved while its reliability is preserved.
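As an added example (not code from the patent or its applicant), the following Python shows the two-stage check of step 204 on the comparison program's bytes: a 16-bit CRC as the cheap first filter, then a full digest only when the CRCs match. The CRC is CRC-16/CCITT-FALSE, chosen because the text above speaks of a 2-byte check value; the digest defaults to SHA-256 rather than the MD5 the text names, because MD5 is no longer collision-resistant and an attacker who can replace the comparison program can also produce an MD5 collision. The sample "programs" and their paths are constructed byte strings; the forged one is built so that its CRC collides with the genuine one, which is exactly the case the digest stage exists to catch. Note that the check still trusts the bytes it reads from ring3: a rootkit already in ring0 that hooks the read path for that file is not caught by this stage alone, which is why the patent pairs it with the table comparison.

```python
"""Two-stage integrity check of the ring3 comparison program (added example).

CRC-16 first as a fast filter, then a cryptographic digest when the CRCs
match.  Sample file contents are constructed byte strings.
"""
import hashlib
import hmac


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection, no xorout).
    Standard check value: crc16_ccitt(b"123456789") == 0x29B1."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def verify_comparison_program(current: bytes, backup: bytes,
                              digest_name: str = "sha256") -> tuple[bool, str]:
    """Step 204: return (consistent, stage_that_decided).

    Stage 1 compares the 2-byte CRCs; a mismatch proves the contents differ.
    Stage 2 runs only when the CRCs match, because equal CRCs do not prove
    equal contents.  The digest comparison is constant-time."""
    if crc16_ccitt(current) != crc16_ccitt(backup):
        return False, "crc16"
    cur = hashlib.new(digest_name, current).digest()
    bak = hashlib.new(digest_name, backup).digest()
    return hmac.compare_digest(cur, bak), "digest"


def with_crc_suffix(data: bytes) -> bytes:
    """Append the big-endian CRC-16 of data.  For this CRC variant the result
    always has CRC 0, which is how the forged sample below collides with the
    genuine one without sharing a single byte of its command line."""
    return data + crc16_ccitt(data).to_bytes(2, "big")


# Constructed sample "comparison program" files (paths are illustrative only).
GENUINE = with_crc_suffix(b"#!/bin/sh\n/usr/sbin/sct_compare --backup /secure/syscall_table.bak\n")
FORGED = with_crc_suffix(b"#!/bin/sh\n/tmp/.x/sct_compare --backup /tmp/.x/fake.bak\n")
MODIFIED = GENUINE + b"\n"   # a trivial edit: already caught by the CRC stage


if __name__ == "__main__":
    for name, candidate in (("genuine", GENUINE), ("modified", MODIFIED), ("forged", FORGED)):
        ok, stage = verify_comparison_program(candidate, GENUINE)
        print(f"{name:8s} crc16={crc16_ccitt(candidate):#06x} consistent={ok} decided_by={stage}")
```

The ordering matters only for cost: the CRC rejects most tampered files after a few hundred shift operations, and the digest is what actually decides equality. Swapping in "md5" as digest_name reproduces the page's exact scheme if a deployment must match it.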
206、若预先备份的系统调用表与获取的当前系统调用表不一致,服务器则确定linux系统的ring0态被rookit攻击。206. If the system call table backed up in advance is inconsistent with the obtained current system call table, the server determines that the ring0 state of the linux system has been rookit attacked.
在一个实施例中,服务器可以获取当前系统调用表的函数地址,并输出告警信息,该告警信息用于提示用户位于该函数地址的当前系统调用表已被篡改。采用这样的方式,运维人员查看到该告警信息后,可以直接通过该函数地址查找到该当前系统调用表,并对该系统调用表进行处理。In one embodiment, the server can obtain the function address of the current system call table and output alarm information, which is used to remind the user that the current system call table located at the function address has been tampered with. In this way, after viewing the alarm information, the operation and maintenance personnel can directly find the current system call table through the function address and process the system call table.
在一个实施例中,服务器确定出linux系统的ring0态被rookit攻击后,还可以确定ring0态中的当前系统调用表的内存地址,并根据内存地址查找到当前系统调用表,并利用预先备份的系统调用表替换当前系统调用表,进而实现对系统的还原修复。In one embodiment, after the server determines that the ring0 state of the linux system has been attacked by rookit, it can also determine the memory address of the current system call table in the ring0 state, find the current system call table according to the memory address, and use the previously backed up The system call table replaces the current system call table, and then restores and repairs the system.
其中,服务器确定ring0态中当前系统调用表的内存地址的方式有多种。在一个实施例中,服务器可以获取linux系统中的系统调用表地址文件,该文件记录了所述ring0态中的所述当前系统调用表的内存地址与预先备份的所述系统调用表的映射关系。进一步地,服务器可以根据该映射关系和预先备份的系统调用表,从系统调用表地址文件中确定出当前系统调用表的内存地址。Among them, the server determines the memory address of the current system call table in the ring0 state in various ways. In one embodiment, the server may obtain a system call table address file in the linux system, which records the mapping relationship between the memory address of the current system call table in the ring0 state and the system call table backed up in advance. . Further, the server may determine the memory address of the current system call table from the system call table address file according to the mapping relationship and the system call table backed up in advance.
示例性地,该系统调用表地址文件可以为system.map文件,该system.map文件用于存放内核符号表,该内核符号表是所有内核符号及其所在内存地址的一个映射表。通过地址,可以找到符号,也就是找到变量及函数;通过符号,也可以得知其所在地址。本发明中可以通过符号来获取当前系统调用表的内存地址,已知的符号就是预先备份的系统调用表。通过系统调用表则可以在system.map文件中查找到当前系统调用表的内存地址。Exemplarily, the system call table address file may be a system.map file. The system.map file is used to store a kernel symbol table. The kernel symbol table is a mapping table of all kernel symbols and their memory addresses. Through the address, you can find the symbol, that is, find the variable and function; through the symbol, you can also know its address. In the present invention, the memory address of the current system call table can be obtained by using a symbol. The known symbol is the system call table backed up in advance. Through the system call table, the memory address of the current system call table can be found in the system.map file.
在另一个实施例中,服务器还可以获取linux系统中的中断描述符表IDT,并根据IDT确定出中断int0×80的入口点,并将从该入口点往后移三个字节所在的地址确定为ring0态中的当前系统调用表的内存地址。除此之外,服务器确定ring0态中当前系统调用表的内存地址的方式还可以从内存空间中暴力搜取寻找ring0态中当前系统调用表的内存地址,还可以利用预先备份的系统调用表中未导出函数的机器码中进行特征搜索,进而确定出ring0态中的当前系统调用表的内存地址。本发明对此不作具体限定。In another embodiment, the server may also obtain the interrupt descriptor table IDT in the linux system, and determine the entry point of the interrupt int0 × 80 according to the IDT, and move back from the entry point to the address where the three bytes are located. Determine the memory address of the current system call table in the ring0 state. In addition, the way the server determines the memory address of the current system call table in the ring0 state can also be brute-forced from the memory space to find the memory address of the current system call table in the ring0 state. It can also use the pre-backed up system call table. Feature search is performed in the machine code of the unexported function to determine the memory address of the current system call table in the ring0 state. The invention does not specifically limit this.
In the embodiment of the present invention, the server obtains the backed-up system call table and the backed-up comparison program from the secure backup area and compares the comparison program in ring3 against the backed-up comparison program. If they match, the ring3 comparison program is invoked to determine whether the system call table backed up in the secure backup area matches the current system call table that was obtained; if the tables do not match, the server determines that the ring0 state of the Linux system has been attacked by a rootkit. Detecting rootkits through the system call table has two advantages. First, because what is compared is the system call table, detection is achieved at very low cost, and because the system call table is fixed at kernel compile time and does not change, detection accuracy is improved. Second, invoking the comparison program only after confirming that the ring3 comparison program has not been tampered with further improves the accuracy of rootkit detection.
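The detection flow of this paragraph, as an added user-space example that is not the patent's code: the comparison program is trusted only if a digest of its image matches the digest kept in the secure backup area (the patent says only that the two copies are compared; using an FNV-1a digest is this example's assumption), then the current table is diffed against the backup, every differing slot is reported together with the address now sitting in it (the alarm described for the output module), and the backed-up entries are written back (the replacement module). The tables, syscall names and comparator image are constructed; in the real design the current table is read by the kernel module, and on x86 the table lives in read-only kernel memory, so writing it back requires the module to make the page writable first. Two limitations are worth stating: a rootkit that patches the body of a handler instead of its table slot leaves the table intact and is not seen by this check, and a rootkit already running in ring0 can in principle hand the module a clean copy of the table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SYSCALLS 512

/* Constructed data: the first eight i386 syscall numbers with made-up handler
 * addresses.  BACKUP is the copy from the secure backup area; CURRENT is what
 * the kernel module read at runtime, with read (3) and open (5) hooked. */
static const char *NAMES[8] = { "restart_syscall", "exit", "fork", "read",
                                "write", "open", "close", "waitpid" };
static const uintptr_t BACKUP[8] = {
    0xc1060000, 0xc1060100, 0xc1060200, 0xc1060300,
    0xc1060400, 0xc1060500, 0xc1060600, 0xc1060700 };
static uintptr_t CURRENT[8] = {
    0xc1060000, 0xc1060100, 0xc1060200, 0xd0e0f300,
    0xc1060400, 0xd0e0f500, 0xc1060600, 0xc1060700 };

/* Constructed stand-ins for the bytes of the ring3 comparison program and of
 * a modified copy of it. */
static const uint8_t COMPARATOR_IMAGE[] = "ELF comparator v1";
static const uint8_t TAMPERED_IMAGE[]   = "ELF comparator v2";

/* FNV-1a 64-bit digest of a byte buffer. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Compare the two tables; store differing indices in out[0..cap) and return
 * the number of differing entries (0 means the table is clean). */
size_t diff_syscall_table(const uintptr_t *current, const uintptr_t *backup,
                          size_t n, size_t *out, size_t cap)
{
    size_t ndiff = 0;
    for (size_t i = 0; i < n; i++) {
        if (current[i] != backup[i]) {
            if (ndiff < cap)
                out[ndiff] = i;
            ndiff++;
        }
    }
    return ndiff;
}

/* The flow from the text.  Returns -1 if the comparator image does not match
 * the digest held in the backup area, 0 if the table is clean, otherwise the
 * number of hooked entries; each hooked entry is reported with its address. */
int run_detection(const uint8_t *cmp_image, size_t cmp_len, uint64_t expected_digest,
                  const uintptr_t *current, const uintptr_t *backup, size_t n)
{
    if (fnv1a64(cmp_image, cmp_len) != expected_digest) {
        fprintf(stderr, "ALERT: ring3 comparison program differs from backup, not trusting it\n");
        return -1;
    }
    size_t hooked[MAX_SYSCALLS];
    size_t cnt = diff_syscall_table(current, backup, n, hooked, MAX_SYSCALLS);
    for (size_t i = 0; i < cnt && i < MAX_SYSCALLS; i++) {
        size_t nr = hooked[i];
        printf("ALERT: syscall %zu (%s) hooked: slot holds %#lx, backup %#lx\n",
               nr, nr < 8 ? NAMES[nr] : "?",
               (unsigned long)current[nr], (unsigned long)backup[nr]);
    }
    return (int)cnt;
}

/* Remediation: write the backed-up entries back over the hooked slots and
 * return how many were restored. */
size_t restore_syscall_table(uintptr_t *current, const uintptr_t *backup, size_t n)
{
    size_t fixed = 0;
    for (size_t i = 0; i < n; i++) {
        if (current[i] != backup[i]) {
            current[i] = backup[i];
            fixed++;
        }
    }
    return fixed;
}

int main(void)
{
    size_t len = sizeof COMPARATOR_IMAGE - 1;            /* drop the NUL */
    uint64_t digest = fnv1a64(COMPARATOR_IMAGE, len);     /* kept in the backup area */

    /* A tampered comparator is refused before any table is looked at. */
    run_detection(TAMPERED_IMAGE, sizeof TAMPERED_IMAGE - 1, digest, CURRENT, BACKUP, 8);
    /* The intact one runs and reports the two hooked slots, which are then restored. */
    int hooked = run_detection(COMPARATOR_IMAGE, len, digest, CURRENT, BACKUP, 8);
    printf("%d hooked entries, restored %zu\n",
           hooked, restore_syscall_table(CURRENT, BACKUP, 8));
    return 0;
}
```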
An embodiment of the present invention further provides a rootkit detection apparatus applied to a Linux system, where the Linux system includes a secure backup area in which a system call table is backed up in advance and is divided into a user mode (ring3) and a kernel mode (ring0). The apparatus includes modules for performing the method described in FIG. 1 or FIG. 2. Specifically, FIG. 3 is a schematic block diagram of a rootkit detection apparatus according to an embodiment of the present invention. The rootkit detection apparatus of this embodiment includes:
a loading module 301, configured to load a kernel module pre-deployed in the Linux system when it is detected that the Linux system is running;
an obtaining module 302, configured to trigger the obtaining program in the kernel module to obtain the current system call table in ring0 when it is detected that the kernel module has finished loading;
the obtaining module 302 being further configured to obtain the backed-up system call table from the secure backup area;
a determining module 303, configured to invoke the comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the current system call table obtained by the obtaining module and, if the backed-up system call table does not match the obtained current system call table, to determine that the ring0 state of the Linux system has been attacked by a rootkit.
In one embodiment, a comparison program is also backed up in the secure backup area, and the apparatus further includes a comparison module 304, where:
the obtaining module 302 is configured to obtain the comparison program in ring3 and the comparison program backed up in the secure backup area;
the comparison module 304 is configured to compare whether the comparison program in ring3 matches the comparison program in the secure backup area and, if they match, to have the determining module 303 invoke the comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table.
In one embodiment, the apparatus further includes a replacement module 305, where:
the determining module 303 is configured to determine the memory address of the current system call table in ring0;
the replacement module 305 is configured to locate the current system call table by that memory address and replace it with the backed-up system call table.
In one embodiment, the determining module 303 is specifically configured to obtain the system call table address file of the Linux system, which records the mapping between the memory address of the current system call table in ring0 and the backed-up system call table, and to determine the memory address of the current system call table from that file according to the mapping and the backed-up system call table.
In one embodiment, the determining module 303 is specifically configured to obtain the interrupt descriptor table (IDT) of the Linux system, determine the entry point of interrupt int 0x80 from the IDT, and take the address three bytes past that entry point as the memory address of the current system call table in ring0.
In one embodiment, the loading module 301 is specifically configured to invoke the driver of the Linux system to start the loading process and, once the loading process has started, to call the module loading function to embed the pre-deployed kernel module into ring0.
In one embodiment, the apparatus further includes an output module 306, where:
the obtaining module 302 is further configured to obtain the function address of the current system call table;
the output module 306 is configured to output alarm information after the obtaining module 302 has obtained the function address of the current system call table, the alarm information prompting the user that the current system call table at that function address has been tampered with.
It should be noted that the functions of the functional modules of the rootkit detection apparatus described in this embodiment may be implemented according to the method embodiments of FIG. 1 or FIG. 2; for the specific implementation, refer to the description of those method embodiments, which is not repeated here.
FIG. 4 is a schematic block diagram of a server according to an embodiment of the present invention. The server is applied to a Linux system that includes a secure backup area in which a system call table is backed up in advance and that is divided into a user mode (ring3) and a kernel mode (ring0). As shown in FIG. 4, the server includes a processor 401, a memory 402 and a network interface 403, which may be connected by a bus or in other ways; FIG. 4 takes a bus connection as an example. The network interface 403 sends and receives messages under the control of the processor; the memory 402 stores a computer program comprising program instructions; and the processor 401 executes the program instructions stored in the memory 402. The processor 401 is configured to invoke the program instructions to: load a kernel module pre-deployed in the Linux system when it is detected that the Linux system is running; when it is detected that the kernel module has finished loading, trigger the obtaining program in the kernel module to obtain the current system call table in ring0; obtain the backed-up system call table from the secure backup area and invoke the comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table; and, if the backed-up system call table does not match the obtained current system call table, determine that the ring0 state of the Linux system has been attacked by a rootkit.
It should be understood that in this embodiment the processor 401 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 402 may include read-only memory and random access memory and provides instructions and data to the processor 401. Part of the memory 402 may also include non-volatile random access memory. For example, the memory 402 may also store device type information.
In a specific implementation, the processor 401, memory 402 and network interface 403 described in this embodiment may perform the implementations described in the method embodiments of FIG. 1 or FIG. 2, and may also perform the implementation of the rootkit detection apparatus described in this embodiment; details are not repeated here.
Another embodiment of the present invention provides a computer-readable storage medium storing a computer program comprising program instructions which, when executed by a processor, cause the processor to: load a kernel module pre-deployed in the Linux system when it is detected that the Linux system is running; when it is detected that the kernel module has finished loading, trigger the obtaining program in the kernel module to obtain the current system call table in ring0; obtain the backed-up system call table from the secure backup area and invoke the comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table; and, if the backed-up system call table does not match the obtained current system call table, determine that the ring0 state of the Linux system has been attacked by a rootkit.
The computer-readable storage medium may be an internal storage unit of the server of any of the foregoing embodiments, such as the server's hard disk or memory. It may also be an external storage device of the server, such as a plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card or flash card fitted to the server. Further, it may include both an internal storage unit and an external storage device of the server. The computer-readable storage medium stores the computer program and the other programs and data required by the server, and may also temporarily store data that has been or will be output.
Those of ordinary skill in the art will understand that all or part of the processes of the above method embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The above disclosure is merely a part of the embodiments of the present invention and of course cannot limit the scope of the rights of the present invention. Those of ordinary skill in the art will understand all or part of the processes for implementing the above embodiments, and equivalent changes made according to the claims of the present invention still fall within the scope of the invention.

Claims (20)

  1. A malware rootkit detection method, characterized in that the method is applied to a Linux system, the Linux system including a secure backup area in which a system call table is backed up in advance and being divided into a user mode (ring3) and a kernel mode (ring0), the method comprising:
    when it is detected that the Linux system is running, loading a kernel module pre-deployed in the Linux system;
    when it is detected that the kernel module has finished loading, triggering an obtaining program in the kernel module to obtain the current system call table in ring0;
    obtaining the backed-up system call table from the secure backup area, and invoking a comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table;
    if the backed-up system call table does not match the obtained current system call table, determining that the ring0 state of the Linux system has been attacked by a rootkit.
  2. The method according to claim 1, characterized in that a comparison program is also backed up in the secure backup area, and before invoking the comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table, the method further comprises:
    obtaining the comparison program in ring3 and the comparison program backed up in the secure backup area;
    comparing whether the comparison program in ring3 matches the comparison program in the secure backup area;
    if the comparison program in ring3 matches the comparison program in the secure backup area, triggering the step of invoking the comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table.
  3. The method according to claim 1 or 2, characterized in that after determining that the ring0 state of the Linux system has been attacked by a rootkit, the method further comprises:
    determining the memory address of the current system call table in ring0;
    locating the current system call table by the memory address, and replacing the current system call table with the backed-up system call table.
  4. The method according to claim 3, characterized in that determining the memory address of the current system call table in ring0 comprises:
    obtaining a system call table address file of the Linux system, the file recording the mapping between the memory address of the current system call table in ring0 and the backed-up system call table;
    determining the memory address of the current system call table from the system call table address file according to the mapping and the backed-up system call table.
  5. The method according to claim 3, characterized in that determining the memory address of the current system call table in ring0 comprises:
    obtaining the interrupt descriptor table (IDT) of the Linux system, and determining the entry point of interrupt int 0x80 from the IDT;
    taking the address three bytes past the entry point as the memory address of the current system call table in ring0.
  6. The method according to any one of claims 1 to 5, characterized in that loading the kernel module pre-deployed in the Linux system comprises:
    invoking the driver of the Linux system to start the loading process;
    after the loading process has started, calling a module loading function to embed the pre-deployed kernel module into ring0.
  7. The method according to any one of claims 1 to 6, characterized in that after determining that the system call table backed up in the secure backup area does not match the obtained current system call table, the method further comprises:
    obtaining the function address of the current system call table, and outputting alarm information prompting the user that the current system call table at the function address has been tampered with.
  8. A malware rootkit detection apparatus, characterized in that the apparatus is applied to a Linux system, the Linux system including a secure backup area in which a system call table is backed up in advance and being divided into a user mode (ring3) and a kernel mode (ring0), the apparatus comprising:
    a loading module, configured to load a kernel module pre-deployed in the Linux system when it is detected that the Linux system is running;
    an obtaining module, configured to trigger an obtaining program in the kernel module to obtain the current system call table in ring0 when it is detected that the kernel module has finished loading;
    the obtaining module being further configured to obtain the backed-up system call table from the secure backup area;
    a determining module, configured to invoke a comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the current system call table obtained by the obtaining module and, if the backed-up system call table does not match the obtained current system call table, to determine that the ring0 state of the Linux system has been attacked by a rootkit.
  9. The apparatus according to claim 8, characterized in that a comparison program is also backed up in the secure backup area, and the apparatus further comprises a comparison module, where:
    the obtaining module is configured to obtain the comparison program in ring3 and the comparison program backed up in the secure backup area;
    the comparison module is configured to compare whether the comparison program in ring3 matches the comparison program in the secure backup area and, if they match, to have the determining module invoke the comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table.
  10. The apparatus according to claim 8 or 9, characterized in that the apparatus further comprises a replacement module, where:
    the determining module is further configured to determine the memory address of the current system call table in ring0;
    the replacement module is configured to locate the current system call table by the memory address and replace the current system call table with the backed-up system call table.
  11. The apparatus according to claim 10, characterized in that the determining module is specifically configured to obtain a system call table address file of the Linux system, the file recording the mapping between the memory address of the current system call table in ring0 and the backed-up system call table, and to determine the memory address of the current system call table from the system call table address file according to the mapping and the backed-up system call table.
  12. The apparatus according to claim 10, characterized in that the determining module is further specifically configured to obtain the interrupt descriptor table (IDT) of the Linux system, determine the entry point of interrupt int 0x80 from the IDT, and take the address three bytes past the entry point as the memory address of the current system call table in ring0.
  13. The apparatus according to any one of claims 8 to 12, characterized in that the loading module is specifically configured to invoke the driver of the Linux system to start the loading process and, after the loading process has started, to call a module loading function to embed the pre-deployed kernel module into ring0.
  14. The apparatus according to any one of claims 8 to 13, characterized in that the apparatus further comprises an output module, where:
    the obtaining module is further configured to obtain the function address of the current system call table;
    the output module is configured to output alarm information after the obtaining module has obtained the function address of the current system call table, the alarm information prompting the user that the current system call table at the function address has been tampered with.
  15. A server, characterized in that the server is applied to a Linux system, the Linux system including a secure backup area in which a system call table is backed up in advance and being divided into a user mode (ring3) and a kernel mode (ring0); the server comprises a processor and a memory connected to each other, where the memory stores a computer program comprising program instructions and the processor is configured to invoke the program instructions to: when it is detected that the Linux system is running, load a kernel module pre-deployed in the Linux system; when it is detected that the kernel module has finished loading, trigger an obtaining program in the kernel module to obtain the current system call table in ring0; obtain the backed-up system call table from the secure backup area and invoke a comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table; and, if the backed-up system call table does not match the obtained current system call table, determine that the ring0 state of the Linux system has been attacked by a rootkit.
  16. The server according to claim 15, characterized in that a comparison program is also backed up in the secure backup area, and the processor is further configured to: obtain the comparison program in ring3 and the comparison program backed up in the secure backup area; compare whether the comparison program in ring3 matches the comparison program in the secure backup area; and, if the comparison program in ring3 matches the comparison program in the secure backup area, trigger the step in which the determining module invokes the comparison program in ring3 to determine whether the system call table backed up in the secure backup area matches the obtained current system call table.
  17. The server according to claim 15 or 16, characterized in that the processor is further configured to determine the memory address of the current system call table in ring0, locate the current system call table by the memory address, and replace the current system call table with the backed-up system call table.
  18. The server according to claim 17, characterized in that the processor is further configured to obtain a system call table address file of the Linux system, the file recording the mapping between the memory address of the current system call table in ring0 and the backed-up system call table, and to determine the memory address of the current system call table from the system call table address file according to the mapping and the backed-up system call table.
  19. The server according to claim 17, characterized in that the processor is further configured to obtain the interrupt descriptor table (IDT) of the Linux system, determine the entry point of interrupt int 0x80 from the IDT, and take the address three bytes past the entry point as the memory address of the current system call table in ring0.
  20. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
PCT/CN2018/108469 2018-06-30 2018-09-28 Rootkit measurement method, apparatus, and server WO2020000741A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810706457.2A CN108959915B (en) 2018-06-30 2018-06-30 Rootkit detection method, rootkit detection device and server
CN201810706457.2 2018-06-30

Publications (1)

Publication Number Publication Date
WO2020000741A1 true WO2020000741A1 (en) 2020-01-02

Family

ID=64484686

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/108469 WO2020000741A1 (en) 2018-06-30 2018-09-28 Rootkit measurement method, apparatus, and server

Country Status (2)

Country Link
CN (1) CN108959915B (en)
WO (1) WO2020000741A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111639340A (en) * 2020-05-28 2020-09-08 北京金山云网络技术有限公司 Malicious application detection method and device, electronic equipment and readable storage medium
CN111695116A (en) * 2020-05-13 2020-09-22 北京安天网络安全技术有限公司 Evidence obtaining method and device based on kernel layer Rootkit of Linux system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1920786A (en) * 2005-08-23 2007-02-28 北京软通科技有限责任公司 System and method for implementing safety control of operation system
CN101436234A (en) * 2008-04-30 2009-05-20 北京飞天诚信科技有限公司 System and method for ensuring operation environment safety
US20100121975A1 (en) * 2008-11-12 2010-05-13 Rajiv Sinha Systems and Methods For Application Fluency Policies
CN102222194A (en) * 2011-07-14 2011-10-19 哈尔滨工业大学 Module and method for LINUX host computing environment safety protection
CN102930205A (en) * 2012-10-10 2013-02-13 北京奇虎科技有限公司 Monitoring unit and method
CN103699839A (en) * 2013-12-09 2014-04-02 Tcl集团股份有限公司 Method and device of detection processing of core-level rootkit
CN103886259A (en) * 2014-03-19 2014-06-25 四川大学 Kernel-level rootkit detecting and processing method based on Xen virtualization environment
CN106020932A (en) * 2015-05-21 2016-10-12 中国科学院计算技术研究所 Security protection method and system used for KVM system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103400074B (en) * 2013-07-09 2016-08-24 青岛海信传媒网络技术有限公司 The detection method of a kind of hidden process and device
CN104035787A (en) * 2014-07-01 2014-09-10 深圳数字电视国家工程实验室股份有限公司 Mandatory access control method and device based on Andriod kernel
US9779240B2 (en) * 2015-01-30 2017-10-03 Vmware, Inc. System and method for hypervisor-based security
CN106529299A (en) * 2016-12-26 2017-03-22 郑州云海信息技术有限公司 Method for detecting and repairing malicious software Rootkit in linux system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111695116A (en) * 2020-05-13 2020-09-22 北京安天网络安全技术有限公司 Evidence obtaining method and device based on kernel layer Rootkit of Linux system
CN111695116B (en) * 2020-05-13 2024-05-24 北京安天网络安全技术有限公司 Evidence obtaining method and device based on Rootkit of kernel layer of Linux system
CN111639340A (en) * 2020-05-28 2020-09-08 北京金山云网络技术有限公司 Malicious application detection method and device, electronic equipment and readable storage medium
CN111639340B (en) * 2020-05-28 2023-11-03 北京金山云网络技术有限公司 Malicious application detection method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN108959915B (en) 2022-07-22
CN108959915A (en) 2018-12-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18924385

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16.04.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 18924385

Country of ref document: EP

Kind code of ref document: A1