WO2022222255A1 - Reverse shell risk determination method, apparatus and system - Google Patents


Info

Publication number
WO2022222255A1
Authority
WO
WIPO (PCT)
Prior art keywords
protection
risk
information
program
shell
Application number
PCT/CN2021/100292
Inventor
郑云超
范渊
黄进
Original Assignee
杭州安恒信息技术股份有限公司
Application filed by 杭州安恒信息技术股份有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Definitions

  • the present application relates to the field of computer technologies, and in particular, to a method, device, system, protection terminal, and computer-readable storage medium for determining a bounce shell risk.
  • Rebound shell (that is, a reverse shell; this page also renders the term as "bounce shell") means that the control terminal listens on a TCP/UDP port, the controlled terminal initiates a request to that port and transfers the input and output of its command line to the control terminal, so that the control terminal can execute shell instructions of the remote controlled terminal locally.
  • the purpose of this application is to provide a method for determining the risk of a rebound shell, which can determine the protection effect of the rebound shell, and can also determine whether the rebound shell will cause a risk to the protection system, which can improve the protection capability of the system. Its specific plan is as follows:
  • the present application discloses a method for determining a rebound shell risk, including:
  • Risk information is obtained according to the protection result information.
  • a locally pre-stored protection program to protect the running process of the rebound shell program to generate protection result information including:
  • the protection result information is obtained.
  • the protection result information is obtained according to the startup result information, including:
  • startup result information is startup success information
  • use the protection program to block the running process of the rebound shell program from establishing a connection with the protection center, and generate connection result information
  • the protection result information is obtained.
  • the protection result information is obtained according to the connection result information, including:
  • connection result information is connection success information
  • use the protection program to block the rebound shell program from executing the shell command issued by the protection center, and generate execution result information
  • the protection result information is obtained.
  • the method further includes:
  • risk alarm information is generated, and the risk alarm information is sent to the protection center, so that the protection center performs protection supplementation according to the risk alarm information.
  • risk alarm information including:
  • the protection process information and the rebound shell program are used as risk warning information.
  • a rebound shell risk determination device including:
  • the running module is used to receive the rebound shell program issued by the protection center, and run the rebound shell program
  • a generation module is used to protect the running process of the rebound shell program by using a locally pre-stored protection program, and generate protection result information;
  • a risk information module configured to obtain risk information according to the protection result information.
  • a rebound shell risk determination system including:
  • the protection center is used to send the reverse shell program to the protection terminal;
  • the protection terminal is used for performing the steps of the above method for determining the risk of a rebound shell.
  • a protection terminal comprising:
  • the processor is configured to implement the steps of the above bounce shell risk determination method when executing the computer program.
  • the present application discloses a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the above method for determining a bounce shell risk are implemented.
  • the present application provides a method for determining the risk of a rebound shell, including: receiving a rebound shell program issued by a protection center, and running the rebound shell program; using a locally pre-stored protection program to protect the running process of the rebound shell program, Generate protection result information; obtain risk information according to the protection result information.
  • the present application can use the locally pre-stored protection program to protect against the rebound shell program and generate the protection result information, and then obtain the risk information according to the protection result information; that is, the present application can determine the protection result of the defense against the rebound shell. This avoids the disadvantage in the related art that the protection effect against the rebound shell cannot be determined, and that it therefore cannot be determined whether the rebound shell will cause a risk to the protection system; determining both can improve the protection capability of the system.
  • the present application also provides a rebound shell risk determination device, system, protection terminal, and computer-readable storage medium, which have the above beneficial effects, and are not repeated here.
  • FIG. 1 is a flowchart of a method for determining a rebound shell risk provided by an embodiment of the present application
  • FIG. 2 is a flowchart of another method for determining a rebound shell risk provided by an embodiment of the present application
  • FIG. 3 is a schematic diagram of an internal module of a protection center provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of an internal module of a protection terminal provided by an embodiment of the present application.
  • FIG. 5 is a schematic diagram of information interaction between an internal module of a protection center and a protection terminal provided by an embodiment of the application;
  • FIG. 6 is a schematic diagram of information interaction between a rebound shell attack module, a risk detection module, and a protection center provided by an embodiment of the present application;
  • FIG. 7 is a schematic flowchart of a risk detection module detecting a running process of a bounce shell provided by an embodiment of the present application
  • FIG. 8 is a schematic diagram of information interaction between a risk alarm module and a protection center provided by an embodiment of the application;
  • FIG. 9 is a schematic structural diagram of an apparatus for determining a rebound shell risk according to an embodiment of the present application.
  • Rebound shell means that the control terminal listens on a TCP/UDP port, the controlled terminal initiates a request to that port and transfers the input and output of its command line to the control terminal, so that the control terminal can execute shell instructions of the remote controlled terminal locally.
  • the controlled end creates a powershell rebound shell process through the Java process, the control end executes the ipconfig command, and the control end can display the IP information of the controlled end.
  • the rebound shell process fails to start; some detect and block when the rebound shell connects to the remote control terminal, with the effect that the network connection between the rebound shell and the control terminal fails; some detect and block when the rebound shell executes shell commands, with the effect that the command executed by the rebound shell fails to execute.
  • FIG. 1 is a flowchart of a method for determining a rebound shell risk provided by an embodiment of the present application, which specifically includes:
  • This embodiment does not limit the specific object of the execution body, which may be a computer, a server, or a protection terminal. It can be understood that, the bounce shell program in this embodiment is a code program of the bounce shell, and running the bounce shell program will execute the corresponding bounce shell event. This embodiment does not limit the location where the protection center is located, and the protection center and the execution body of this embodiment may be located in the same device, or may be located in two different devices.
  • the protection program in this embodiment is a code used for protection against rebound shells.
  • a locally pre-stored protection program is used to protect the running process of the rebound shell program.
  • the running process of the rebound shell program can be entered, that is, the event of executing the shell.
  • This embodiment does not limit the specific state of the running process of the rebound shell program, which may be the startup state, the state of establishing a connection with the protection center, or the state of executing the shell command.
  • this embodiment does not limit the specific operation of protection, which may be protection when starting the running process of the rebound shell program, protection when establishing a connection with the protection center, or protection when executing shell commands.
  • This embodiment does not limit the specific content of the generated protection result information, which may be protection success messages of different protection operations, or protection unsuccessful messages of different protection operations.
  • the running process of the rebound shell program is protected by using a locally pre-stored protection program, and the protection result information is generated, which may include:
  • the protection result information is obtained.
  • a protection program is used to intercept the running process that starts the rebound shell program, and the start-up result information is generated.
  • This embodiment does not limit the specific content of the startup result information, which may include startup success information or startup failure message, and may also include the specific operation of protection performed in this embodiment, that is, information about intercepting the startup of the rebound shell running process. After the startup result information is generated, protection result information can be obtained according to the startup result information. This embodiment does not limit the specific process of obtaining the protection result information according to the startup result information.
  • the protection result information is the protection failure information
  • the information about the unsuccessful startup of the running process of the reverse shell is the information about the protection result
  • the information about the protection result is the protection success information
  • the protection result information is obtained according to the startup result information, which may include:
  • the protection program is used to block the running process of the rebound shell program from establishing a connection with the protection center, and the connection result information is generated;
  • the protection result information is obtained.
  • the protection program is used in this embodiment to block the running process of the reverse shell program from establishing a connection with the protection center. That is to say, when protection at startup was unsuccessful and the running process of the rebound shell program started, the process by which that running process establishes a connection with the protection center is protected, that is, blocked, and the connection result information is obtained.
  • This embodiment does not limit the specific content of the connection result information, which may include connection success information or connection failure information, and may also include information that this embodiment blocks the connection establishment with the protection center.
  • This embodiment does not limit the specific process of obtaining the protection result information according to the connection result information. For example, when the connection result information is connection success information, meaning that the attempt to block the connection with the protection center did not succeed, the protection result information is the protection failure information; when the connection result information is that the connection with the protection center was blocked, the protection result information is the protection success information.
  • obtaining protection result information according to the connection result information may include:
  • connection result information is the connection success information
  • the protection program is used to block the reverse shell program from executing the shell command issued by the protection center, and the execution result information is generated;
  • the protection result information is obtained.
  • the protection program is used to block the rebound shell program from executing the shell command issued by the protection center. That is to say, when the running process of the rebound shell program started without being stopped by protection, and blocking of its connection with the protection center was also unsuccessful so that the connection was established, execution by the reverse shell program of the shell command issued by the protection center is protected, that is, blocked, and the execution result information is obtained.
  • This embodiment does not limit the specific content of the execution result information, which may include execution success information or execution failure information, and may also include information about blocking the rebound shell program from executing shell commands in this embodiment.
  • This embodiment does not limit the specific process of obtaining the protection result information according to the execution result information.
  • the protection result information is the protection failure information
  • the protection result information is the protection successful information.
  • This embodiment does not limit the specific content of the risk information, which may include messages with risks and messages without risks, and may also include corresponding protection operations, and may also include other content.
  • the protection result information is the protection unsuccessful message
  • the risk information may be the message that blocking the reverse shell program from executing the shell command issued by the protection center was unsuccessful; it may also be the message that the protection result information is protection successful.
  • the risk information can be the message that the shell command issued by the protection center is successfully blocked from executing the reverse shell program, and there is no risk.
  • this embodiment uses a locally pre-stored protection program to protect against the rebound shell program, generates protection result information, and then obtains risk information according to the protection result information; that is, the protection result against the rebound shell can be determined, and it can also be determined whether the rebound shell will cause risks to the protection system, which can improve the protection capability of the system.
  • this embodiment provides a method for determining the risk of rebound shell.
  • FIG. 2 is a flowchart of another method for determining the risk of rebound shell provided by the embodiment of the present application, including:
  • when the risk information is a message including a risk, risk alarm information is generated.
  • This embodiment does not limit the specific content of the risk alarm information, and may include a corresponding rebound shell program, and may include process operation information for protection, that is, protection process information.
  • the risk alarm information is also sent to the protection center, and the protection center can perform protection supplements according to the content of the risk alarm information.
  • generating risk alarm information may include:
  • the protection process information for protection by the protection program is determined.
  • the protection process information is the operation of using the protection program to block the running process of the rebound shell program. For example, it can block the startup of the running process of the rebound shell program; when that block is not successful, block the running process of the rebound shell program from establishing a connection with the protection center; and when that is not successful either, block the execution of shell commands by the reverse shell program.
  • This embodiment does not limit the specific content of the protection process information, which is determined according to the actual protection operation.
  • the protection process information and the rebound shell program are used as the risk alarm information, and the protection center can perform protection supplements according to the specific content of the risk alarm information, which can effectively improve the protection capability of the system.
  • this embodiment uses a locally pre-stored protection program to protect against the rebound shell program, generates protection result information, and then obtains risk information according to the protection result information. It can thereby determine the protection effect against the rebound shell and whether the rebound shell will cause risks to the protection system, which can improve the protection capability of the system; further, according to the risk alarm information, protection can be supplemented for rebound shells that could not be protected against.
  • a rebound shell risk determination method and system consists of two parts. One is the protection center, which includes the rebound shell configuration module, the rebound shell control module, and the alarm display module, as shown in Figure 3; the other is the protection terminal, which includes the rebound shell attack module, the risk detection module, and the risk alarm module, as shown in Figure 4.
  • the rebound shell configuration module is used to configure the rebound shell program for attack testing and send it to the protection terminal;
  • the rebound shell control module is used to create a remote control service of the rebound shell, monitor whether the running process of the rebound shell is connected to the control service, and issue shell commands for testing through the channel established by the rebound shell;
  • the alarm display module is used to receive the risk alarm information of the rebound shell program detected by the protection terminal that cannot be protected, as shown in Figure 5.
  • the rebound shell attack module is used to accept the rebound shell program configured by the protection center for attack testing, run the rebound shell program, and notify the risk detection module to detect the rebound shell program, as shown in Figure 6;
  • the risk detection module is used to monitor the running rebound shell program. First, it monitors whether the running process of the rebound shell program is successfully started. If the startup fails, it means that the locally stored protection program is effective for the protection of this type of reverse shell, that is, the reverse shell program, and the running process of the reverse shell has been terminated by the protection program, and there is no risk. If the running process starts successfully, then request the reverse shell control module of the protection center to confirm whether the reverse shell control service of the protection center has established a connection with the running process of the reverse shell. If the connection fails to be established, it means that the protection program is effective for this type of reverse shell protection, and the creation of remote connections of the reverse shell is blocked by the protection program, and there is no risk.
  • the description of whether the execution result of the shell command is successful can be determined. For example, if a shell command to create a file is issued, then observe whether the file is created successfully. If the file is created successfully, it means that the shell command is successfully executed. Otherwise, the shell command fails to be executed.
  • the risk alarm module is used to send the rebound shell program that cannot be protected and the complete detection process, that is, the protection process information, to the protection center, as shown in Figure 8.
  • FIG. 9 is a schematic structural diagram of a rebound shell risk determination device provided by an embodiment of the application, including:
  • the operation module 901 is used to receive the rebound shell program issued by the protection center, and run the rebound shell program
  • the generating module 902 is used to protect the running process of the rebound shell program by using the locally pre-stored protection program, and generate protection result information;
  • the risk information module 903 is configured to obtain risk information according to the protection result information.
  • the generating module 902 includes:
  • the interception sub-module is used to intercept the startup of the running process of the rebound shell program by using the locally pre-stored protection program, and generate startup result information;
  • the protection result information sub-module is used to obtain the protection result information according to the startup result information.
  • the protection result information sub-module includes:
  • the blocking unit is used to use the protection program to block the running process of the rebound shell program from establishing a connection with the protection center when the startup result information is the startup success information, and generate the connection result information;
  • the protection result information unit is used to obtain the protection result information according to the connection result information.
  • the protection result information unit includes:
  • the blocking subunit is used to block the reverse shell program from executing the shell command issued by the protection center by using the protection program when the connection result information is the connection success information, and generate the execution result information;
  • the protection result information subunit is used to obtain protection result information according to the execution result information.
  • it also includes:
  • the risk alarm information module is used to generate risk alarm information when the risk information contains risk information, and send the risk alarm information to the protection center, so that the protection center can supplement the protection according to the risk alarm information.
  • the risk warning information module includes:
  • the determination unit is used to determine the protection process information for protection by the protection program when the risk information includes risk information
  • the risk alarm information unit is used to use the protection process information and the rebound shell program as the risk alarm information.
  • the embodiments of the rebound shell risk determination device part correspond to the embodiments of the rebound shell risk determination method part
  • for the embodiments of the rebound shell risk determination device part, refer to the description of the embodiments of the rebound shell risk determination method part, which is not repeated here.
  • the present application also discloses a rebound shell risk determination system, including:
  • the protection center is used to send the reverse shell program to the protection terminal;
  • the protection terminal is used to execute the steps of the above method for determining the risk of rebound shell.
  • the embodiments of the rebound shell risk determination system part correspond to the embodiments of the rebound shell risk determination method part
  • for the embodiments of the rebound shell risk determination system part, refer to the description of the embodiments of the rebound shell risk determination method part, which is not repeated here.
  • a protection terminal provided by an embodiment of the present application is introduced below, and the protection terminal described below and the method described above may refer to each other correspondingly.
  • the application also discloses a protection terminal, comprising:
  • the processor is configured to implement the steps of the above method for determining the risk of rebound shell when executing the computer program.
  • the embodiments of the protection terminal part correspond to the embodiments of the method part, the embodiments of the protection terminal part refer to the description of the embodiments of the method part, which will not be repeated here.
  • the following describes a computer-readable storage medium provided by an embodiment of the present application.
  • the computer-readable storage medium described below and the bounce shell risk determination method described above may refer to each other correspondingly.
  • the present application also discloses a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the above method for determining a bounce shell risk are implemented.
  • the embodiments of the computer-readable storage medium part correspond to the embodiments of the rebound shell risk determination method part
  • for the embodiments of the computer-readable storage medium part, refer to the description of the embodiments of the rebound shell risk determination method part, which is not repeated here.
  • the steps of a method or algorithm described in connection with the embodiments disclosed herein may be directly implemented in hardware, a software module executed by a processor, or a combination of the two.
  • the software module can be placed in random access memory (RAM), internal memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the technical field.
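
The staged check described above for the risk detection and risk alarm modules (startup, then connection, then command execution, with an alarm only when all three get through) can be written as follows. This is an added example, not code from the patent; every name in it is hypothetical, and the probes are constructed stand-ins for the real process, connection and marker-file observations.

```python
# Added example (not from the patent): staged reverse-shell protection check.
# All names are hypothetical; probes stand in for real observations.
from dataclasses import dataclass
from enum import Enum
from pathlib import Path
from typing import Callable, Dict, List, Optional
import tempfile


class Stage(Enum):
    STARTUP = "startup"          # did the test program's process start?
    CONNECTION = "connection"    # did the protection center see it connect?
    EXECUTION = "execution"      # did the issued test command take effect?


@dataclass
class StageResult:
    stage: Stage
    succeeded: bool   # True means the test program got past this stage
    detail: str


@dataclass
class RiskInfo:
    at_risk: bool
    blocked_at: Optional[Stage]   # stage where the protection program stopped it
    trail: List[StageResult]      # the "protection process information"


Probe = Callable[[], StageResult]


def determine_risk(probes: Dict[Stage, Probe]) -> RiskInfo:
    """Walk the stages in order and stop at the first one that was blocked."""
    trail: List[StageResult] = []
    for stage in Stage:                      # Enum iterates in definition order
        result = probes[stage]()
        trail.append(result)
        if not result.succeeded:             # protection worked here: no risk
            return RiskInfo(False, stage, trail)
    return RiskInfo(True, None, trail)       # every stage got through: risk


def marker_probe(marker: Path) -> Probe:
    """Execution check from the text: the test command creates a file,
    so the command ran if and only if the file exists."""
    def probe() -> StageResult:
        ok = marker.exists()
        return StageResult(Stage.EXECUTION, ok,
                           f"marker {'present' if ok else 'absent'}")
    return probe


def fixed(stage: Stage, succeeded: bool, detail: str) -> Probe:
    """Constructed observation, used in place of a real process or network check."""
    return lambda: StageResult(stage, succeeded, detail)


def build_alarm(program_id: str, risk: RiskInfo) -> Optional[dict]:
    """Risk alarm = the test program plus the full protection process trail."""
    if not risk.at_risk:
        return None
    return {
        "program": program_id,
        "protection_process": [
            {"stage": r.stage.value, "blocked": not r.succeeded, "detail": r.detail}
            for r in risk.trail
        ],
    }


def demo() -> Dict[str, RiskInfo]:
    """Three constructed runs: blocked at startup, blocked at connection, unprotected."""
    out: Dict[str, RiskInfo] = {}
    with tempfile.TemporaryDirectory() as tmp:
        marker = Path(tmp) / "marker.txt"
        started = fixed(Stage.STARTUP, True, "process running")
        connected = fixed(Stage.CONNECTION, True, "center confirmed connection")
        out["blocked_at_startup"] = determine_risk({
            Stage.STARTUP: fixed(Stage.STARTUP, False, "process terminated"),
            Stage.CONNECTION: connected,
            Stage.EXECUTION: marker_probe(marker),
        })
        out["blocked_at_connection"] = determine_risk({
            Stage.STARTUP: started,
            Stage.CONNECTION: fixed(Stage.CONNECTION, False, "no connection seen"),
            Stage.EXECUTION: marker_probe(marker),
        })
        # Constructed stand-in for the effect of the test command.
        marker.write_text("created by test command")
        out["unprotected"] = determine_risk({
            Stage.STARTUP: started,
            Stage.CONNECTION: connected,
            Stage.EXECUTION: marker_probe(marker),
        })
    return out


if __name__ == "__main__":
    for name, risk in demo().items():
        print(name, risk.at_risk, risk.blocked_at,
              build_alarm("sample-program-01", risk))
```

The trail stops at the first blocked stage, so an alarm always carries all three stage records and a no-risk result shows exactly where the protection program intervened.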

Abstract

A reverse shell risk determination method, apparatus and system. The method comprises: receiving a reverse shell program issued by a protection center, and running the reverse shell program (S101); using a locally pre-stored protection program to perform protection on a running process of the reverse shell program, and generating protection result information (S102); and obtaining risk information according to the protection result information (S103). By means of the method, the locally pre-stored protection program is used to perform protection on the reverse shell program, and the protection result information can be generated; then, the risk information can be obtained according to the protection result information, the determination of a protection effect on a reverse shell can be implemented, and whether the reverse shell would pose a risk to a protection system can also be determined, such that the protection capability of the system can be improved.

Description

一种反弹shell风险判定方法、装置和系统A rebound shell risk determination method, device and system
本申请要求于2021年4月23日提交中国专利局、申请号为202110441328.7、发明名称为“一种反弹shell风险判定方法、装置和系统”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application filed on April 23, 2021 with the application number 202110441328.7 and the invention titled "A Rebound Shell Risk Determination Method, Device and System", the entire contents of which are incorporated by reference in this application.
技术领域technical field
本申请涉及计算机技术领域,特别涉及一种反弹shell风险判定方法、装置、系统、防护终端和计算机可读存储介质。The present application relates to the field of computer technologies, and in particular, to a method, device, system, protection terminal, and computer-readable storage medium for determining a bounce shell risk.
背景技术Background technique
反弹shell指的是控制端监听在某TCP/UDP端口,被控端发起请求到该端口,并将其命令行的输入输出转到控制端,控制端由此可以在本地执行远程被控端的shell指令。Rebound shell means that the control terminal listens on a TCP/UDP port, the controlled terminal initiates a request to the port, and transfers the input and output of its command line to the control terminal, so that the control terminal can execute the shell of the remote controlled terminal locally. instruction.
相关技术中有很多针对反弹shell进行防御的技术手段,但是没有对防御反弹shell的防护效果进行判定,因此也就无法判定反弹shell是否会对防护系统造成风险。In the related art, there are many technical means for defending against the bounced shell, but the protection effect of defending against the bounced shell is not judged, so it is impossible to determine whether the bounced shell will cause a risk to the protection system.
Summary of the Invention
The purpose of the present application is to provide a reverse shell risk determination method that determines the protection effect against reverse shells and can also determine whether a reverse shell poses a risk to the protection system, thereby improving the protection capability of the system. The specific solution is as follows:
In a first aspect, the present application discloses a reverse shell risk determination method, including:
receiving a reverse shell program issued by a protection center, and running the reverse shell program;
protecting against the running process of the reverse shell program by using a locally pre-stored protection program, and generating protection result information;
obtaining risk information according to the protection result information.
Optionally, protecting against the running process of the reverse shell program by using the locally pre-stored protection program and generating the protection result information includes:
using the locally pre-stored protection program to intercept the startup of the running process of the reverse shell program, and generating startup result information;
obtaining the protection result information according to the startup result information.
Optionally, obtaining the protection result information according to the startup result information includes:
when the startup result information is startup success information, using the protection program to block the running process of the reverse shell program from establishing a connection with the protection center, and generating connection result information;
obtaining the protection result information according to the connection result information.
Optionally, obtaining the protection result information according to the connection result information includes:
when the connection result information is connection success information, using the protection program to block the reverse shell program from executing a shell command issued by the protection center, and generating execution result information;
obtaining the protection result information according to the execution result information.
Optionally, after obtaining the risk information according to the protection result information, the method further includes:
when the risk information includes information that a risk exists, generating risk alarm information and sending the risk alarm information to the protection center, so that the protection center supplements its protection according to the risk alarm information.
Optionally, generating the risk alarm information when the risk information includes information that a risk exists includes:
when the risk information includes information that a risk exists, determining the protection process information describing the protection performed by the protection program;
using the protection process information and the reverse shell program as the risk alarm information.
In a second aspect, the present application discloses a reverse shell risk determination apparatus, including:
a running module, configured to receive a reverse shell program issued by a protection center and run the reverse shell program;
a generation module, configured to protect against the running process of the reverse shell program by using a locally pre-stored protection program and to generate protection result information;
a risk information module, configured to obtain risk information according to the protection result information.
In a third aspect, the present application discloses a reverse shell risk determination system, including:
a protection center, configured to send a reverse shell program to a protection terminal;
the protection terminal, configured to perform the steps of the reverse shell risk determination method described above.
In a fourth aspect, the present application discloses a protection terminal, including:
a memory, configured to store a computer program;
a processor, configured to implement the steps of the reverse shell risk determination method described above when executing the computer program.
In a fifth aspect, the present application discloses a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the reverse shell risk determination method described above.
The present application provides a reverse shell risk determination method, including: receiving a reverse shell program issued by a protection center, and running the reverse shell program; protecting against the running process of the reverse shell program by using a locally pre-stored protection program, and generating protection result information; and obtaining risk information according to the protection result information.
It can be seen that the present application uses the locally pre-stored protection program to protect against the reverse shell program and generates protection result information, from which risk information can then be obtained. In other words, the present application determines the result of the defense against reverse shells, and so avoids the shortcoming of the related art, which can neither determine the protection effect against reverse shells nor determine whether a reverse shell poses a risk to the protection system. The present application can determine the protection effect against reverse shells, can determine whether a reverse shell poses a risk to the protection system, and can improve the protection capability of the system. The present application also provides a reverse shell risk determination apparatus, system, protection terminal and computer-readable storage medium, which have the above beneficial effects and are not described again here.
Brief Description of the Drawings
To explain the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are merely embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
FIG. 1 is a flowchart of a reverse shell risk determination method provided by an embodiment of the present application;
FIG. 2 is a flowchart of another reverse shell risk determination method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of the internal modules of a protection center provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the internal modules of a protection terminal provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of the information interaction between the internal modules of the protection center and the protection terminal provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of the information interaction among the reverse shell attack module, the risk detection module and the protection center provided by an embodiment of the present application;
FIG. 7 is a schematic flowchart of the risk detection module checking the running process of a reverse shell provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of the information interaction between the risk alarm module and the protection center provided by an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a reverse shell risk determination apparatus provided by an embodiment of the present application.
Detailed Description
To make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without creative effort fall within the protection scope of the present application.
A reverse shell is an arrangement in which the control end listens on a TCP/UDP port, and the controlled end initiates a request to that port and redirects the input and output of its command line to the control end, so that the control end can locally execute shell commands of the remote controlled end. For example, the controlled end creates a PowerShell reverse shell process through a Java process, the control end executes the ipconfig command, and the control end can then display the IP information of the controlled end. The related art contains many technical means of defending against reverse shells, but no method for determining how effective the protection is. The protection means are also varied: some detect and block at the startup stage of the reverse shell process, with the effect that the reverse shell process fails to start; some detect and block when the reverse shell connects to the remote control terminal, with the effect that the network connection between the reverse shell and the control end fails; and others detect and block when the reverse shell executes a shell command, with the effect that the command executed by the reverse shell fails.
To address the above technical problem, this embodiment provides a reverse shell risk determination method that can determine the protection effect against reverse shells, can determine whether a reverse shell poses a risk to the protection system, and can improve the protection capability of the system. Refer to FIG. 1, which is a flowchart of a reverse shell risk determination method provided by an embodiment of the present application. The method specifically includes:
S101. Receive the reverse shell program issued by the protection center, and run the reverse shell program.
This embodiment does not limit the specific execution body, which may be a computer, a server, or a protection terminal. It can be understood that the reverse shell program in this embodiment is the code of a reverse shell, and running it performs the corresponding reverse shell event. This embodiment does not limit the location of the protection center: the protection center and the execution body of this embodiment may be on the same device or on two different devices.
S102. Use the locally pre-stored protection program to protect against the running process of the reverse shell program, and generate protection result information.
It can be understood that the protection program in this embodiment is code used to protect against reverse shells. This embodiment uses the locally pre-stored protection program to protect against the running process of the reverse shell program; once the reverse shell program is run, its running process begins, that is, the shell event is carried out. This embodiment does not limit the specific state of the running process of the reverse shell program, which may be the startup state, the state of establishing a connection with the protection center, or the state of executing a shell command. Correspondingly, this embodiment does not limit the specific protection operation, which may be protection when the running process of the reverse shell program starts, protection when the connection with the protection center is established, or protection when a shell command is executed. This embodiment does not limit the specific content of the generated protection result information, which may be a protection success message or a protection failure message for any of these protection operations.
This embodiment does not limit the specific process of performing protection. In a specific embodiment, using the locally pre-stored protection program to protect against the running process of the reverse shell program and generating the protection result information may include:
using the locally pre-stored protection program to intercept the startup of the running process of the reverse shell program, and generating startup result information;
obtaining the protection result information according to the startup result information.
That is, in this embodiment the protection operation is to use the protection program to intercept the startup of the running process of the reverse shell program, which produces startup result information. This embodiment does not limit the specific content of the startup result information, which may include startup success information or a startup failure message, and may also include a record of the protection operation performed here, namely intercepting the startup of the reverse shell running process. Once the startup result information has been generated, the protection result information can be obtained from it. This embodiment does not limit the specific process of obtaining the protection result information from the startup result information. For example, when the startup result information indicates that the running process of the reverse shell started successfully, the protection result information is protection failure information; when the startup result information indicates that the running process of the reverse shell did not start successfully, the protection result information is protection success information.
This embodiment does not limit the subsequent operations after protection is unsuccessful. In a specific embodiment, obtaining the protection result information according to the startup result information may include:
when the startup result information is startup success information, using the protection program to block the running process of the reverse shell program from establishing a connection with the protection center, and generating connection result information;
obtaining the protection result information according to the connection result information.
When the startup protection against the running process of the reverse shell is unsuccessful, that is, when the startup result information is startup success information, this embodiment then uses the protection program to block the running process of the reverse shell program from establishing a connection with the protection center. In other words, when protection at the startup of the running process did not succeed, this embodiment protects against (blocks) the establishment of a connection between the running process of the reverse shell program and the protection center, and obtains connection result information. This embodiment does not limit the specific content of the connection result information, which may include connection success information or a connection failure message, and may also include a record that this embodiment attempted to block the connection with the protection center. This embodiment does not limit the specific process of obtaining the protection result information from the connection result information. For example, when the connection result information indicates that the connection with the protection center succeeded despite the blocking attempt, the protection result information is protection failure information; when the connection result information indicates that the connection did not succeed, the protection result information is protection success information.
This embodiment does not limit the subsequent operations after protection is unsuccessful. In a specific embodiment, obtaining the protection result information according to the connection result information may include:
when the connection result information is connection success information, using the protection program to block the reverse shell program from executing the shell command issued by the protection center, and generating execution result information;
obtaining the protection result information according to the execution result information.
When the protection that blocks the running process of the reverse shell from connecting to the protection center is unsuccessful, that is, when the connection result information is connection success information, this embodiment then uses the protection program to block the reverse shell program from executing the shell command issued by the protection center. In other words, when protection at the startup of the running process did not succeed, and blocking the connection between the running process and the protection center did not succeed either, this embodiment protects against (blocks) the reverse shell program's execution of the shell command issued by the protection center, and obtains execution result information. This embodiment does not limit the specific content of the execution result information, which may include execution success information or an execution failure message, and may also include a record that this embodiment attempted to block the reverse shell program from executing the shell command. This embodiment does not limit the specific process of obtaining the protection result information from the execution result information.
For example, when the execution result information indicates that the shell command was executed successfully despite the blocking attempt, the protection result information is protection failure information; when the execution result information indicates that the shell command was not executed successfully, the protection result information is protection success information.
S103. Obtain risk information according to the protection result information.
This embodiment does not limit the specific content of the risk information, which may include a message that a risk exists or a message that no risk exists, may also include the corresponding protection operation, and may include other content. For example, when the protection result information is a protection-unsuccessful message, the risk information may be a message stating that blocking the reverse shell program from executing the shell command issued by the protection center did not succeed and that a risk exists; when the protection result information is a protection success message, the risk information may be a message stating that blocking the reverse shell program from executing the shell command issued by the protection center succeeded and that no risk exists.
Based on the above technical solution, this embodiment uses the locally pre-stored protection program to protect against the reverse shell program and generates protection result information, from which risk information can then be obtained. In other words, the present application determines the result of the defense against reverse shells, can also determine whether a reverse shell poses a risk to the protection system, and can improve the protection capability of the system.
Building on the above embodiment, and in order to improve the protection capability of the system effectively, this embodiment provides a reverse shell risk determination method. Refer to FIG. 2, which is a flowchart of another reverse shell risk determination method provided by an embodiment of the present application. The method includes:
S201. Receive the reverse shell program issued by the protection center, and run the reverse shell program.
S202. Use the locally pre-stored protection program to protect against the running process of the reverse shell program, and generate protection result information.
S203. Obtain risk information according to the protection result information.
For steps S201 to S203, refer to the above embodiment; they are not described again here.
S204. When the risk information includes information that a risk exists, generate risk alarm information and send the risk alarm information to the protection center, so that the protection center supplements its protection according to the risk alarm information.
In this embodiment, risk alarm information is generated when the risk information is a message indicating a risk. This embodiment does not limit the specific content of the risk alarm information, which may include the corresponding reverse shell program and may include the operation information of the protection process, that is, the protection process information. After the risk alarm information is generated, it is sent to the protection center, which can supplement its protection according to the content of the risk alarm information.
This embodiment does not limit the specific process of generating the risk alarm information. In a specific embodiment, generating the risk alarm information when the risk information includes information that a risk exists may include:
when the risk information includes information that a risk exists, determining the protection process information describing the protection performed by the protection program;
using the protection process information and the reverse shell program as the risk alarm information.
In this embodiment, when the risk information includes information that a risk exists, the protection process information describing the protection performed by the protection program is determined. It can be understood that the protection process information is the record of the operations in which the protection program tried to block the running process of the reverse shell program. For example, the startup of the running process of the reverse shell program is blocked; when that blocking does not succeed, the establishment of a connection between the running process and the protection center is blocked; and when that blocking does not succeed, the reverse shell program's execution of the shell command is blocked. This embodiment does not limit the specific content of the protection process information, which depends on the actual protection operations. In this embodiment the protection process information and the reverse shell program are used as the risk alarm information, and the protection center can supplement its protection according to the specific content of the risk alarm information, which effectively improves the protection capability of the system.
Based on the above technical solution, this embodiment uses the locally pre-stored protection program to protect against the reverse shell program and generates protection result information, from which risk information can then be obtained. It can determine the protection effect against reverse shells, can determine whether a reverse shell poses a risk to the protection system, and can improve the protection capability of the system; further, based on the risk alarm information, protection can be supplemented for reverse shells that could not be protected against.
A specific embodiment of a reverse shell risk determination method and system is provided below. It consists of two parts: a protection center, which contains a reverse shell configuration module, a reverse shell control module and an alarm display module, as shown in FIG. 3; and a protection terminal, which contains a reverse shell attack module, a risk detection module and a risk alarm module, as shown in FIG. 4.
1. Protection center
The reverse shell configuration module is used to configure the reverse shell program used for attack testing and to issue it to the protection terminal.
The reverse shell control module is used to create the remote control service for the reverse shell, to monitor whether the running process of the reverse shell has connected to that control service, and to issue shell commands used for testing through the channel established by the reverse shell.
The alarm display module is used to receive the risk alarm information for reverse shell programs that the protection terminal has found it cannot protect against, as shown in FIG. 5.
2. Protection terminal
The reverse shell attack module is used to accept the reverse shell program that the protection center has configured for attack testing, to run that reverse shell program, and at the same time to notify the risk detection module to check the reverse shell program, as shown in FIG. 6.
风险检测模块,用于对运行的反弹shell程序进行监控,首先监控反弹shell程序的运行进程是否启动成功。如果启动失败,则表示本地存储的防护程序对该类反弹shell即反弹shell程序防护有效,反弹shell的运行进程已经被防护程序终止运行,无风险。如果运行进程启动成功,那么再请求防护中心的反弹shell控制模块,确认防护中心的反弹shell控制服务是否与该反弹shell的运行进程建立了连接。如果建立连接失败,则表示防护程序对该类反弹shell防护有效,反弹shell的远程连接创建被防护程序阻断,无风险。如果连接建立成功,那么在防护中心控制服务发起执行shell命令,观测shell命令结果是否执行成功。如果执行失败,则表示防护程序对该类反 弹shell防护有效,反弹shell的执行命令的行为被防护程序阻断,无风险;如果执行成功,则代表防护程序对该类反弹shell防护无效,存在风险,如图7所示。The risk detection module is used to monitor the running rebound shell program. First, it monitors whether the running process of the rebound shell program is successfully started. If the startup fails, it means that the locally stored protection program is effective for the protection of this type of reverse shell, that is, the reverse shell program, and the running process of the reverse shell has been terminated by the protection program, and there is no risk. If the running process starts successfully, then request the reverse shell control module of the protection center to confirm whether the reverse shell control service of the protection center has established a connection with the running process of the reverse shell. If the connection fails to be established, it means that the protection program is effective for this type of reverse shell protection, and the creation of remote connections of the reverse shell is blocked by the protection program, and there is no risk. If the connection is established successfully, initiate and execute the shell command on the control service of the protection center, and observe whether the shell command is executed successfully. If the execution fails, it means that the protection program is effective for this type of reverse shell protection, and the execution of the reverse shell command is blocked by the protection program, and there is no risk; if the execution is successful, it means that the protection program is invalid for this type of reverse shell protection, and there is a risk , as shown in Figure 7.
其中,Shell命令的执行结果是否成功判定说明可以是,比如下发一个创建文件的shell命令,那么观测文件是否创建成功,文件创建成功则代表shell命令执行成功,反之则shell命令执行失败。Among them, the description of whether the execution result of the shell command is successful can be determined. For example, if a shell command to create a file is issued, then observe whether the file is created successfully. If the file is created successfully, it means that the shell command is successfully executed. Otherwise, the shell command fails to be executed.
风险告警模块,用于将无法防护的反弹shell程序以及完整的检测流程即防护过程信息发送给防护中心,如图8所示。The risk alarm module is used to send the rebound shell program that cannot be protected and the complete detection process, that is, the protection process information, to the protection center, as shown in Figure 8.
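The three-stage determination made by the risk detection module, together with the file-creation check and the alarm payload, as an added Python illustration that is not part of the patent text. The names `Stage`, `Verdict`, `determine_risk`, `marker_probe` and `build_alert` are hypothetical, and the stage outcomes are constructed values: no test program is actually run.

```python
import os
import tempfile
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Stage(Enum):
    PROCESS_START = "process_start"   # did the test program's process start?
    CONNECTION = "connection"         # did the control service see a connection?
    COMMAND_EXEC = "command_exec"     # did an issued shell command take effect?


@dataclass
class Verdict:
    sample_id: str
    at_risk: bool
    blocked_at: Optional[Stage]       # stage at which protection held, if any
    trace: List[Tuple[str, bool]]     # the "protection process information"


def determine_risk(sample_id: str,
                   probes: List[Tuple[Stage, Callable[[], bool]]]) -> Verdict:
    """Run the stage probes in order and stop at the first blocked stage."""
    trace: List[Tuple[str, bool]] = []
    for stage, probe in probes:
        succeeded = bool(probe())
        trace.append((stage.value, succeeded))
        if not succeeded:
            # The protection program stopped the sample here: no risk.
            return Verdict(sample_id, False, stage, trace)
    # Every stage succeeded, so nothing blocked the sample: a risk exists.
    return Verdict(sample_id, True, None, trace)


def marker_probe(path: str) -> Callable[[], bool]:
    """Command check: executed only if the file it should create exists."""
    return lambda: os.path.isfile(path)


def build_alert(verdict: Verdict) -> Optional[Dict]:
    """Alarm payload for the protection center; None when protection held."""
    if not verdict.at_risk:
        return None
    return {"sample": verdict.sample_id, "protection_process": verdict.trace}


def run_constructed_cases() -> Dict[str, Verdict]:
    """Three constructed outcomes (hypothetical sample ids)."""
    with tempfile.TemporaryDirectory() as tmp:
        absent = os.path.join(tmp, "never_created.marker")
        present = os.path.join(tmp, "created.marker")
        open(present, "w").close()    # stands in for the command's side effect
        started = (Stage.PROCESS_START, lambda: True)
        connected = (Stage.CONNECTION, lambda: True)
        cases = {
            # Process killed at startup; later probes must never be consulted.
            "sample-a": [(Stage.PROCESS_START, lambda: False), connected,
                         (Stage.COMMAND_EXEC, marker_probe(present))],
            # Started and connected, but the command left no file behind.
            "sample-b": [started, connected,
                         (Stage.COMMAND_EXEC, marker_probe(absent))],
            # Nothing was blocked: this is the case that raises an alarm.
            "sample-c": [started, connected,
                         (Stage.COMMAND_EXEC, marker_probe(present))],
        }
        return {sid: determine_risk(sid, p) for sid, p in cases.items()}


if __name__ == "__main__":
    for sid, v in run_constructed_cases().items():
        state = "RISK" if v.at_risk else "blocked at " + v.blocked_at.value
        print(sid, state, build_alert(v))
```

Only a sample that passes all three stages produces an alarm, and the trace it carries records each stage's outcome so the protection center can see exactly where protection was missing.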
A reverse shell risk determination apparatus provided by an embodiment of the present application is described below. The apparatus described below and the reverse shell risk determination method described above may be read with reference to each other, and the relevant modules are all arranged in […]. Referring to Figure 9, which is a schematic structural diagram of a reverse shell risk determination apparatus provided by an embodiment of the present application, the apparatus includes:
In some specific embodiments, it specifically includes:
A running module 901, configured to receive the reverse shell program issued by the protection center and run the reverse shell program;
A generating module 902, configured to protect against the running process of the reverse shell program using a locally pre-stored protection program, and to generate protection result information;
A risk information module 903, configured to obtain risk information according to the protection result information.
In some specific embodiments, the generating module 902 includes:
An interception sub-module, configured to use the locally pre-stored protection program to intercept the startup of the reverse shell program's running process, and to generate startup result information;
A protection result information sub-module, configured to obtain the protection result information according to the startup result information.
In some specific embodiments, the protection result information sub-module includes:
A blocking unit, configured to use the protection program, when the startup result information indicates a successful startup, to block the reverse shell program's running process from establishing a connection with the protection center, and to generate connection result information;
A protection result information unit, configured to obtain the protection result information according to the connection result information.
In some specific embodiments, the protection result information unit includes:
A blocking subunit, configured to use the protection program, when the connection result information indicates a successful connection, to block the reverse shell program from executing the shell command issued by the protection center, and to generate execution result information;
A protection result information subunit, configured to obtain the protection result information according to the execution result information.
In some specific embodiments, the apparatus further includes:
A risk alarm information module, configured to generate risk alarm information when the risk information indicates that a risk exists, and to send the risk alarm information to the protection center so that the protection center can supplement its protection according to the risk alarm information.
In some specific embodiments, the risk alarm information module includes:
A determination unit, configured to determine, when the risk information indicates that a risk exists, the protection process information describing how the protection program carried out its protection;
A risk alarm information unit, configured to use the protection process information and the reverse shell program as the risk alarm information.
Since the embodiments of the reverse shell risk determination apparatus correspond to the embodiments of the reverse shell risk determination method, refer to the description of the method embodiments for the apparatus embodiments; they are not repeated here.
The present application also discloses a reverse shell risk determination system, including:
A protection center, configured to send the reverse shell program to the protection terminal;
A protection terminal, configured to execute the steps of the reverse shell risk determination method described above.
Since the embodiments of the reverse shell risk determination system correspond to the embodiments of the reverse shell risk determination method, refer to the description of the method embodiments for the system embodiments; they are not repeated here.
A protection terminal provided by an embodiment of the present application is described below. The protection terminal described below and the method described above may be read with reference to each other.
The present application also discloses a protection terminal, including:
A memory, configured to store a computer program;
A processor, configured to implement the steps of the reverse shell risk determination method described above when executing the computer program.
Since the embodiments of the protection terminal correspond to the embodiments of the method, refer to the description of the method embodiments for the protection terminal embodiments; they are not repeated here.
A computer-readable storage medium provided by an embodiment of the present application is described below. The computer-readable storage medium described below and the reverse shell risk determination method described above may be read with reference to each other.
The present application also discloses a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the reverse shell risk determination method described above are implemented.
Since the embodiments of the computer-readable storage medium correspond to the embodiments of the reverse shell risk determination method, refer to the description of the method embodiments for the storage medium embodiments; they are not repeated here.
The embodiments in this specification are described progressively: each embodiment focuses on how it differs from the others, and the parts that are the same or similar across embodiments can be read with reference to one another. Because the apparatus disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is relatively brief; for the relevant details, refer to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate clearly the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of this application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The reverse shell risk determination method, apparatus, system, protection terminal and computer-readable storage medium provided by the present application have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present application, and the description of the above embodiments is intended only to aid understanding of the method of the present application and its core idea. It should be noted that those of ordinary skill in the art may make various improvements and modifications to the present application without departing from its principles, and these improvements and modifications also fall within the scope of protection of the claims of the present application.

Claims (10)

  1. A reverse shell risk determination method, characterized in that it comprises:
    receiving a reverse shell program issued by a protection center, and running said reverse shell program;
    protecting against the running process of said reverse shell program using a locally pre-stored protection program, and generating protection result information;
    obtaining risk information according to said protection result information.
  2. The reverse shell risk determination method according to claim 1, characterized in that said protecting against the running process of said reverse shell program using a locally pre-stored protection program, and generating protection result information, comprises:
    using said locally pre-stored protection program to intercept the startup of the running process of said reverse shell program, and generating startup result information;
    obtaining said protection result information according to said startup result information.
  3. The reverse shell risk determination method according to claim 2, characterized in that obtaining said protection result information according to said startup result information comprises:
    when said startup result information indicates a successful startup, using said protection program to block the running process of said reverse shell program from establishing a connection with said protection center, and generating connection result information;
    obtaining said protection result information according to said connection result information.
  4. The reverse shell risk determination method according to claim 3, characterized in that obtaining said protection result information according to said connection result information comprises:
    when said connection result information indicates a successful connection, using said protection program to block said reverse shell program from executing the shell command issued by said protection center, and generating execution result information;
    obtaining said protection result information according to said execution result information.
  5. The reverse shell risk determination method according to any one of claims 1 to 4, characterized in that, after obtaining the risk information according to said protection result information, the method further comprises:
    when said risk information indicates that a risk exists, generating risk alarm information and sending said risk alarm information to said protection center, so that said protection center supplements its protection according to said risk alarm information.
  6. The reverse shell risk determination method according to claim 5, characterized in that generating risk alarm information when said risk information indicates that a risk exists comprises:
    when said risk information indicates that a risk exists, determining the protection process information describing how said protection program carried out its protection;
    using said protection process information and said reverse shell program as the risk alarm information.
  7. A reverse shell risk determination apparatus, characterized in that it comprises:
    a running module, configured to receive a reverse shell program issued by a protection center and run said reverse shell program;
    a generating module, configured to protect against the running process of said reverse shell program using a locally pre-stored protection program, and to generate protection result information;
    a risk information module, configured to obtain risk information according to said protection result information.
  8. A reverse shell risk determination system, characterized in that it comprises:
    a protection center, configured to send a reverse shell program to a protection terminal;
    said protection terminal, configured to execute the steps of the reverse shell risk determination method according to any one of claims 1 to 6.
  9. A protection terminal, characterized in that it comprises:
    a memory, configured to store a computer program;
    a processor, configured to implement the steps of the reverse shell risk determination method according to any one of claims 1 to 6 when executing said computer program.
  10. A computer-readable storage medium, characterized in that a computer program is stored on said computer-readable storage medium, and when said computer program is executed by a processor, the steps of the reverse shell risk determination method according to any one of claims 1 to 6 are implemented.
PCT/CN2021/100292 2021-04-23 2021-06-16 Reverse shell risk determination method, apparatus and system WO2022222255A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110441328.7A CN113139193A (en) 2021-04-23 2021-04-23 Rebound shell risk judgment method, device and system
CN202110441328.7 2021-04-23

Publications (1)

Publication Number Publication Date
WO2022222255A1 true WO2022222255A1 (en) 2022-10-27

Family

ID=76812472

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/100292 WO2022222255A1 (en) 2021-04-23 2021-06-16 Reverse shell risk determination method, apparatus and system

Country Status (2)

Country Link
CN (1) CN113139193A (en)
WO (1) WO2022222255A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8819655B1 (en) * 2007-09-17 2014-08-26 Symantec Corporation Systems and methods for computer program update protection
CN107423622A (en) * 2017-07-04 2017-12-01 上海高重信息科技有限公司 A kind of method and system for detecting and taking precautions against bounce-back shell
CN109995794A (en) * 2019-04-15 2019-07-09 深信服科技股份有限公司 A kind of security protection system, method, equipment and storage medium
CN110138727A (en) * 2019-03-28 2019-08-16 江苏通付盾信息安全技术有限公司 The information searching method and device that the shell that rebounds is connected to the network
CN111049782A (en) * 2018-10-12 2020-04-21 北京奇虎科技有限公司 Protection method, device, equipment and system for rebound network attack

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7100195B1 (en) * 1999-07-30 2006-08-29 Accenture Llp Managing user information on an e-commerce system
CN104796405B (en) * 2015-03-18 2019-04-12 深信服网络科技(深圳)有限公司 Rebound connecting detection method and apparatus
CN110381009A (en) * 2018-04-16 2019-10-25 北京升鑫网络科技有限公司 A kind of detection method of the rebound shell of Behavior-based control detection
CN110166420A (en) * 2019-03-28 2019-08-23 江苏通付盾信息安全技术有限公司 Rebound shell blocking-up method and device
CN111651754A (en) * 2020-04-13 2020-09-11 北京奇艺世纪科技有限公司 Intrusion detection method and device, storage medium and electronic device
CN111988302A (en) * 2020-08-14 2020-11-24 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for detecting rebound program
CN111931166B (en) * 2020-09-24 2021-06-22 中国人民解放军国防科技大学 Application program anti-attack method and system based on code injection and behavior analysis

Also Published As

Publication number Publication date
CN113139193A (en) 2021-07-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21937480

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE