
CN107103237A - A kind of detection method and device of malicious file - Google Patents


Info

Publication number
CN107103237A
Authority
CN
China
Prior art keywords
script file
target script
malicious
file
matching
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610098803.4A
Other languages
Chinese (zh)
Inventor
郑瀚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201610098803.4A
Publication of CN107103237A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application relates to computer technology and discloses a method and device for detecting malicious files, intended to improve the detection accuracy of WEBSHELL. The method is: set a taint mark on key parameters, execute the target script file with those key parameters as input parameters, and hook the key functions in the target script file to judge whether a key parameter carrying the taint mark is used while a key function executes, thereby judging whether a deformed (obfuscated) WEBSHELL is present in the target script file. In this way the key point of WEBSHELL operation is captured from the essence of the WEBSHELL, so that no matter how the WEBSHELL is deformed it can be detected accurately; detection precision and detection efficiency are effectively improved, missed detection and false alarms are avoided, and at the same time detection complexity and later-stage O&M cost are reduced.

Description

Malicious file detection method and device
Technical Field
The present application relates to computer technologies, and in particular, to a method and an apparatus for detecting malicious files.
Background
The Hypertext Preprocessor (PHP) language is a weakly typed programming language that supports a large number of flexible syntax forms, which allows a malicious attacker skilled in PHP to write a large number of web page backdoor (WEBSHELL) files that attack a target script file by fully exploiting the language characteristics of PHP.
In the prior art, a cloud server usually detects WEBSHELL with a host-level WEBSHELL detection engine. The operating principle of the engine is to examine a target script file against preset character strings and regular rules in order to determine whether the target script file contains a WEBSHELL.
However, whether character strings or regular rules are used, the way they are configured depends on the administrator's own understanding of the PHP language and of the ways a WEBSHELL can be deformed, and is therefore somewhat subjective. When the WEBSHELL detection engine examines files using the preset character strings and regular rules, it cannot cover all types of WEBSHELL, and a certain degree of missed detection results.
On the other hand, many "bypass" techniques also exist, i.e. a WEBSHELL is hidden from the WEBSHELL detection engine by a special syntax structure, which likewise causes missed detection.
Therefore, in the prior art, the detection accuracy of the WEBSHELL detection engine is not high and needs to be optimized.
Disclosure of Invention
The embodiment of the application provides a malicious file detection method and device, which are used for improving the detection accuracy of WEBSHELL.
The specific technical scheme provided by the embodiment of the application is as follows:
a method of detecting malicious files, comprising:
taking the first parameter set as an input parameter, and executing a specified target script file;
when determining that the target script file uses any parameter in the first parameter set in the process of executing any function in the first function set, judging that the target script file is a malicious file; and each parameter recorded in the first parameter set is provided with a taint mark, and each function recorded in the first function set is a command function which can be used in the running process of the script file.
Preferably, the parameters recorded in the first parameter set are super-global variables.
Preferably, before executing the specified target script file with the first parameter set as an input parameter, the method further includes:
inserting Hook detection code into the corresponding functions of the target script file to be tested, based on each function in the first function set.
Preferably, before executing the specified target script file, the method further comprises:
matching the target script file against a preset first white list and a preset first black list, and determining that the target script file can be executed when the target script file is judged not to be recorded in either the first white list or the first black list.
Preferably, before executing the specified target script file, one or any combination of the following operations is further executed:
matching the target script file against a preset first one-sentence WEBSHELL set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first one-sentence WEBSHELL set is used to describe the pattern characteristics of a malicious program; or,
matching the target script file against a first multimode regular rule set preset corresponding to the target script file, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first multimode regular rule set is used to describe the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset first big horse malicious sample set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first big horse malicious sample set is a set of malicious script files with complete functions.
Preferably, the method is applied to a client side or a cloud server side.
Preferably, if the method is applied to the client side, after determining that the target script file is not a malicious file, the method further includes:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute one or any combination of the following operations:
matching the target script file against a preset second one-sentence WEBSHELL set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second one-sentence WEBSHELL set is used to describe the pattern characteristics of a malicious program; or,
matching the target script file against a second multimode regular rule set preset corresponding to the target script file, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second multimode regular rule set is used to describe the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset second big horse malicious sample set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second big horse malicious sample set is a set of malicious script files with complete functions.
Preferably, if the method is applied to the client side, after determining that the target script file is not a malicious file, the method further includes:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute the following operations:
taking the second parameter set as an input parameter, and executing the target script file;
determining that the target script file is a malicious file when any parameter in the second parameter set is used in the process of executing any function in the second function set by the target script file;
and each parameter recorded in the second parameter set is provided with a taint mark, and each function recorded in the second function set is a command function which can be used in the running process of the script file.
An apparatus for detecting malicious files, comprising:
the execution unit is used for taking the first parameter set as an input parameter and executing the specified target script file;
a judging unit, configured to judge that an object script file is a malicious file when it is determined that the object script file uses any one parameter in the first parameter set in a process of executing any one function in the first function set; and each parameter recorded in the first parameter set is provided with a taint mark, and each function recorded in the first function set is a command function which can be used in the running process of the script file.
Preferably, the parameters recorded in the first parameter set are super-global variables.
Preferably, before executing the specified target script file with the first parameter set as an input parameter, the execution unit is further configured to:
insert Hook detection code into the corresponding functions of the target script file to be tested, based on each function in the first function set.
Preferably, before executing the specified target script file, the execution unit is further configured to:
match the target script file against a preset first white list and a preset first black list, and determine that the target script file can be executed when the target script file is judged not to be recorded in either the first white list or the first black list.
Preferably, before executing the specified target script file, the execution unit further performs one or any combination of the following operations:
matching the target script file against a preset first one-sentence WEBSHELL set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first one-sentence WEBSHELL set is used to describe the pattern characteristics of a malicious program; or,
matching the target script file against a first multimode regular rule set preset corresponding to the target script file, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first multimode regular rule set is used to describe the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset first big horse malicious sample set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first big horse malicious sample set is a set of malicious script files with complete functions.
Preferably, the testing device is a client, or a cloud server.
Preferably, if the device is a client, after the determining unit determines that the target script file is not a malicious file, the executing unit is further configured to:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute one or any combination of the following operations:
matching the target script file against a preset second one-sentence WEBSHELL set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second one-sentence WEBSHELL set is used to describe the pattern characteristics of a malicious program; or,
matching the target script file against a second multimode regular rule set preset corresponding to the target script file, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second multimode regular rule set is used to describe the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset second big horse malicious sample set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second big horse malicious sample set is a set of malicious script files with complete functions.
Preferably, if the device is a client, after the determining unit determines that the target script file is not a malicious file, the executing unit is further configured to:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute the following operations:
taking the second parameter set as an input parameter, and executing the target script file;
determining that the target script file is a malicious file when the target script file uses any parameter in the second parameter set in the process of executing any function in the second function set;
and each parameter recorded in the second parameter set is provided with a taint mark, and each function recorded in the second function set is a command function which can be used in the running process of the script file.
In the embodiment of the application, a lightweight PHP syntax compiler/interpreter is redesigned at the host level to realize dynamic detection of the target script file: a taint mark is set on a key parameter, the key parameter is used as an input parameter to execute the target script file, and a Hook is placed on a key function in the target script file to judge whether the key parameter carrying the taint mark is used during execution of the key function, and thereby whether a deformed WEBSHELL exists in the target script file. The key point of WEBSHELL operation is thus grasped from the essence of the WEBSHELL, so the WEBSHELL can be detected accurately no matter how it is deformed; detection accuracy and detection efficiency are effectively improved, and missed detection and false alarms are avoided. On the other hand, with the technical scheme provided by the embodiment of the application, WEBSHELL detection can be completed with a simple PHP tool and no complex detection algorithm is needed, so detection complexity is reduced and later operation and maintenance cost is also reduced.
Drawings
Fig. 1 is a schematic diagram illustrating a malicious file detection process when a test device is a client in an embodiment of the present application;
fig. 2 is a schematic diagram illustrating a malicious file detection process when the test device is a cloud server in the embodiment of the present application;
fig. 3 is a schematic functional structure diagram of a testing apparatus in an embodiment of the present application.
Detailed Description
In order to improve the detection accuracy of WEBSHELL, in the embodiment of the application, based on an understanding of the deformation nature of WEBSHELL, a detection method based on a PHP virtual machine sandbox is redesigned: a taint mark is set in advance on a specified input parameter, Hook detection code is then inserted into a target function in the target script file, whether the target function uses the input parameter carrying the taint mark is detected, and whether the target script file contains a WEBSHELL is judged from the detection result.
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
At present, popular WEBSHELLs have many variants, but in summary they share some common characteristics:
1) a super-global variable is received as an input parameter;
2) in the command execution part, the relevant functions use the super-global variable as an input parameter.
Based on the above characteristics, in the embodiment of the present application a new PHP testing tool is designed, in which the PHP kernel code is rewritten so as to insert Hook detection code into the target script file for the functions related to command execution. This implements taint-mark detection on input parameters, to determine whether the current input parameter was passed in through a specified super-global variable, and further whether the current target script file shows suspicious behaviour.
In the embodiment of the application, the test process can be executed on the client side or the network side, that is, the test device can be a client or a cloud server, or can be a service structure of the client and the cloud server. These two cases will be described in detail separately below.
In the first case, the testing device 1 is assumed to be a client (e.g., a PC, a notebook, a tablet, etc.).
Referring to fig. 1, a specific process of the test apparatus 1 for malicious file detection is as follows:
step 100: when the test apparatus 1 determines that the file has changed, the target script file is acquired.
In practical applications, the testing apparatus 1 may obtain, in real time, a file change condition (e.g., creation, update, etc.) of a designated monitoring directory through an API for notifying a file change operation event provided by the client operating system, and obtain a target script file when determining that a file has changed, where the target script file may be an existing but updated script file under the designated monitoring directory, or a newly created script file under the designated monitoring directory, or the like.
Step 101: the test apparatus 1 performs encoding preprocessing on the target script file.
Since the target script file may have a code portion encoded in a specific language, the testing apparatus 1 needs to perform encoding preprocessing on the target script file in advance, that is, decode the target script file, for example, decode the vbscript and utf7 encoded file, in order to smoothly perform the subsequent script execution process.
Step 102: the test apparatus 1 performs normalization processing on the target script file.
Since the target script file may have a code portion written by using an irregular syntax, in order to smoothly perform a subsequent script execution process, the testing apparatus 1 needs to perform a normalization process on the target script file in advance, for example, perform a syntax normalization process on a relevant statement in the target script file based on a standard syntax rule of an Active Server Page (ASP) or a standard syntax rule of a PHP.
Of course, before performing formal detection, the testing apparatus 1 may match the target script file by using the white list 1 and the black list 1, and then execute the subsequent step 103 when determining that the target script file is not recorded in the white list 1 and the black list 1. The so-called white list 1 and black list 1 may be a trusted list and an untrusted list summarized by the testing apparatus 1 according to previous testing experience, and if the relevant information of the target script file is recorded in any one of the two lists, it may be directly determined whether the target script file is a malicious file. By adopting the method, when a large number of target script files exist, a part of the target script files can be filtered in advance so as to improve the testing efficiency.
Of course, if it is determined in advance that the target script file is a newly created file, the white list 1 and the black list 1 may not be used for screening, and are not described herein again.
Step 103: the testing device 1 loads a rule configuration file preset corresponding to the target script file.
Preferably, after step 103 is executed and before step 104 is executed, the target script file may be matched against a preset one-sentence WEBSHELL set 1, and the subsequent operation steps are executed only when the matching is determined to be unsuccessful, wherein the one-sentence WEBSHELL set 1 is used to describe the pattern characteristics of malicious programs.
In the embodiment of the present application, a so-called one-sentence WEBSHELL, e.g. <?php eval($_POST['op']); ?>, is a WEBSHELL Trojan that is extremely compact and short; because of its small size an attacker can insert it at any position in a script file so that it goes unnoticed. Therefore, before formal testing, the target script file can be screened against a preset one-sentence WEBSHELL set 1 (containing at least one one-sentence WEBSHELL); if the target script file is hit (i.e. it is determined to conform to the Trojan characteristics described by the one-sentence WEBSHELL set 1, for example the pattern of the file conforms to the description in the set), the target script file can be directly determined to be a malicious file, and the subsequent testing steps are saved. By adopting this method, when a large number of target script files exist, part of them can be filtered in advance so as to improve testing efficiency.
Of course, if it is determined in advance that the target script file contains no one-sentence WEBSHELL, the one-sentence WEBSHELL set 1 need not be used for screening, which is not described again here.
Step 104: the testing device 1 acquires a multimode regular rule set 1 corresponding to the target script file.
In this embodiment, different types of target script files correspond to different multimode regular rule sets, and therefore, the testing device 1 needs to load a rule configuration file, and then selects a corresponding multimode regular rule set (hereinafter, both referred to as a multimode regular rule set 1) according to a suffix of the target script file, where the multimode regular rule set 1 is used to describe content characteristics of a malicious program.
For example, the multimode regular rule set 1 used by the testing apparatus 1 on the client is:
rule 1:
<RULE>[^\w](eval|assert|popen|proc_open|shell_exec|passthru|system)\(([^\(\),]*)(\$_GET|\$_COOKIE|\$_POST|\$_SESSION|\$_REQUEST)\[(.{1,20})\]\)</RULE>
The above multimode regular rule indicates that a function name among eval, assert, popen, proc_open, shell_exec, passthru and system appears in the character string, and its input parameter is any one of $_GET, $_COOKIE, $_POST, $_SESSION and $_REQUEST.
Rule 2:
<RULE>[^\w](eval|assert)\(\$_(GET|POST|REQUEST)\[.{0,34}\]\)</RULE>
The above multimode regular rule indicates that the function name eval or assert appears in the character string, and its input parameter is any one of $_GET, $_POST and $_REQUEST; these 3 parameters are super-global arrays in PHP, and the index subscript string has a length of between 1 and 34 characters.
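The two rules above applied to a script, as an added example that is not part of the patent or of any Alibaba tool: the regular expressions are copied from rule 1 and rule 2 with the <RULE> wrapper removed, the sample script is constructed for this example (its first statement is the one-sentence WEBSHELL form the patent quotes), and the suffix-to-rule-set mapping in RULE_SETS_BY_SUFFIX is an assumption standing in for the rule configuration file of step 103/104.

```python
import re

# Multimode regular rule set 1 exactly as printed in the patent, <RULE> wrapper removed.
# Each rule pairs a command-execution function with a super-global used directly as its argument.
RULE_SET_1 = {
    "rule 1": r"[^\w](eval|assert|popen|proc_open|shell_exec|passthru|system)"
              r"\(([^\(\),]*)(\$_GET|\$_COOKIE|\$_POST|\$_SESSION|\$_REQUEST)\[(.{1,20})\]\)",
    "rule 2": r"[^\w](eval|assert)\(\$_(GET|POST|REQUEST)\[.{0,34}\]\)",
}
_COMPILED = {name: re.compile(pattern) for name, pattern in RULE_SET_1.items()}

# Step 104 selects the rule set by file suffix; this mapping is an assumption of the example.
RULE_SETS_BY_SUFFIX = {".php": RULE_SET_1}


def scan(script_text):
    """Return a list of (rule name, function, super-global) for every hit of rule set 1."""
    hits = []
    for name, regex in _COMPILED.items():
        for m in regex.finditer(script_text):
            if name == "rule 2":
                # rule 2 captures only the part of the super-global name after "$_"
                hits.append((name, m.group(1), "$_" + m.group(2)))
            else:
                hits.append((name, m.group(1), m.group(3)))
    return hits


def scan_file(filename, script_text):
    """Apply the rule set that corresponds to the file suffix, if one is configured."""
    suffix = filename[filename.rfind("."):] if "." in filename else ""
    return scan(script_text) if suffix in RULE_SETS_BY_SUFFIX else []


# Constructed sample script (not from the patent). Only the first statement should hit.
SAMPLE_SCRIPT = """<?php
// one-sentence WEBSHELL form quoted in the patent: expected hit on rule 1 and rule 2
eval($_POST['op']);
// super-global used by a non-command function: no hit expected
echo htmlspecialchars($_GET['name']);
// command function with a constant argument: no hit expected
$out = shell_exec('uptime');
// super-global reaching a command function through a variable: the static rules
// cannot see this flow, which is the gap the taint-tracking step is meant to close
$cmd = $_REQUEST['cmd'];
passthru($cmd);
?>
"""
```

The last two statements of the sample are the practical reason the patent adds a dynamic step after this one: the rule requires the super-global to appear literally inside the call, so any assignment in between produces no hit.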
Step 105: the testing device 1 matches the target script file by adopting the acquired multi-mode regular rule set 1.
Compared with the single-mode regular rule adopted in the prior art, the multi-mode regular rule set can describe the malicious characteristics of WEBSHELL from multiple aspects, and therefore, the matching accuracy is higher. By adopting the method, when a large number of target script files exist, a part of the target script files can be filtered in advance so as to improve the testing efficiency.
Of course, if the number of the target script files is not large, or it is known in advance that the multi-mode regular rule is not needed for screening, the multi-mode regular rule set 1 may not be used for matching, which is not described herein again.
Step 106: the test device 1 judges whether hit occurs (i.e., whether matching is successful); if yes, go to step 110, otherwise, go to step 107.
Further, after step 106 is executed and before step 107 is executed, the testing apparatus 1 may further process the target script file with a fuzzy hash (Hash) algorithm, match the processed target script file against a preset big horse sample set 1, and determine that the target script file is a malicious file when the matching is determined to be successful, where the big horse sample set 1 is a set of malicious script files with complete functions. By adopting this method, when a large number of target script files exist, part of them can be filtered in advance so as to improve testing efficiency.
The fuzzy hash algorithm is an open-source, standardized similarity comparison algorithm: it computes a piecewise HASH of the target file and then judges similarity from the combined results of all segments, so it can measure the similarity of two texts that differ only by small local modifications, and it has good tolerance. A so-called big horse (i.e. a full-featured WEBSHELL) is a script file with fairly complete functions written in a scripting language such as PHP, implementing complete website management functions such as file management and database operation, which can be used by hackers for repeated intrusion. The biggest difference between a one-sentence WEBSHELL and a big horse is that the big horse has no obvious malicious code characteristics, and security operation and maintenance personnel can easily mistake it for a normal website back-end management file, so the big horse can be understood as a variant of WEBSHELL.
Therefore, in the embodiment of the application, the fuzzy hash algorithm can be introduced to detect big horses. Because the fuzzy hash algorithm tolerates minor changes to the target script file well, even if an attacker modifies part of the code or some code characteristics of a big horse, comparing its similarity against a sample library known to security personnel still yields a high detection success rate. By adopting this method, when a large number of target script files exist, part of them can be filtered in advance so as to improve testing efficiency.
Of course, if the number of target script files is not large, or it is determined in advance that no malicious file exists, the fuzzy hash algorithm need not be used for checking, which is not described again here.
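The piecewise (fuzzy) hashing behind this step, as an added example that is not part of the patent or of any Alibaba tool: a simplified, single-block-size variant of ssdeep-style context-triggered piecewise hashing in Python. The window size, trigger mask, FNV-1a chunk hash, Jaccard scoring and the 0.5 threshold are choices of this example; the three texts are constructed samples (SAMPLE_B is SAMPLE_A with two local edits, SAMPLE_C is unrelated prose standing in for a file that shares nothing with the sample set).

```python
WINDOW = 7            # bytes of context that decide whether a chunk boundary falls here
TRIGGER_MASK = 0x0F   # boundary when the low 4 bits of the mixed window hash are all set (~1 in 16 bytes)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _window_hash(window):
    """Hash of a WINDOW-byte context, mixed so that the low bits depend on every byte."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    h ^= h >> 16
    h = (h * 0x45D9F3B) & 0xFFFFFFFF
    h ^= h >> 16
    return h


def _fnv1a(data):
    """32-bit FNV-1a, used as the per-chunk hash."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def split_chunks(data):
    """Content-defined chunking: boundaries fall where the window hash triggers, so a local
    edit only re-chunks the bytes around it and the rest of the file resynchronises."""
    chunks, start = [], 0
    for end in range(WINDOW, len(data) + 1):
        if _window_hash(data[end - WINDOW:end]) & TRIGGER_MASK == TRIGGER_MASK:
            chunks.append(data[start:end])
            start = end
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fuzzy_hash(text):
    """Piecewise hash: one 32-bit FNV-1a value per chunk of the UTF-8 encoded text."""
    return [_fnv1a(chunk) for chunk in split_chunks(text.encode("utf-8"))]


def digest(text):
    """Printable signature, one base64 symbol per chunk (display only; scoring uses the full hashes)."""
    return "".join(ALPHABET[h & 0x3F] for h in fuzzy_hash(text))


def similarity(text_a, text_b):
    """Jaccard similarity of the two chunk-hash sets: 0.0 (nothing shared) to 1.0 (identical)."""
    set_a, set_b = set(fuzzy_hash(text_a)), set(fuzzy_hash(text_b))
    if not set_a and not set_b:
        return 1.0
    return len(set_a & set_b) / len(set_a | set_b)


def match_sample_set(text, sample_set, threshold=0.5):
    """Names of the samples in the set that the text resembles at or above the threshold."""
    return [name for name, sample in sample_set.items() if similarity(text, sample) >= threshold]


# Constructed sample A: a benign site administration page (stands in for a known sample).
SAMPLE_A = """<?php
// constructed sample: a benign site administration page
require_once 'config.php';
session_start();
if (!isset($_SESSION['admin_user'])) {
    header('Location: login.php');
    exit;
}
$log = fopen('admin.log', 'a');
fwrite($log, date('c') . ' view pages' . PHP_EOL);
fclose($log);
$db = new PDO($dsn, $dbuser, $dbpass);
$stmt = $db->prepare('SELECT id, title, author, updated_at FROM pages ORDER BY updated_at DESC');
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo '<h1>Pages</h1>';
echo '<table class="pages">';
echo '<tr><th>Title</th><th>Author</th><th>Updated</th></tr>';
foreach ($rows as $row) {
    echo '<tr><td>' . htmlspecialchars($row['title']) . '</td>';
    echo '<td>' . htmlspecialchars($row['author']) . '</td>';
    echo '<td>' . htmlspecialchars($row['updated_at']) . '</td></tr>';
}
echo '</table>';
function render_footer($version) {
    echo '<footer>Admin console ' . htmlspecialchars($version) . '</footer>';
}
render_footer('1.4.2');
"""
# Sample B: A with two local edits (a version bump and one inserted line), i.e. a "minor change".
SAMPLE_B = (SAMPLE_A.replace("render_footer('1.4.2');", "render_footer('1.5.0');")
            .replace("echo '</table>';\n", "echo '</table>';\necho '<p>' . count($rows) . ' listed</p>';\n"))
# Sample C: unrelated prose, constructed to share no content with A.
SAMPLE_C = """Release notes for the administration screens. This version adds a listing sorted by
the time of the most recent change, a short audit trail written on each visit, and a footer line
that shows the running build. Operators must sign in before the listing appears; anonymous
visitors are sent to the sign-in form. Credentials continue to be read from the configuration
file and are never embedded in the templates."""
```

Because the boundaries are chosen by content rather than by fixed offsets, the chunk hashes after an edit line up again with the original, which is exactly the tolerance to partial modification the patent relies on when matching against the big horse sample set.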
Step 107: the test apparatus 1 performs the PHP test using the target script file.
Specifically, when step 107 is executed, PHP detection may be implemented based on the PHP virtual machine sandbox technology, which is specifically as follows:
First, the testing apparatus 1 performs the necessary initialization of the PHP virtual machine and allocates the necessary memory and corresponding data structures.
Next, the testing apparatus 1 sets a taint mark on the super-global variables in parameter set 1.
Super-global variables are predefined global variables in the PHP language; they can be used in all scopes of a PHP script file, and can be used inside functions and classes without special declaration.
Optionally, in the embodiment of the present application, the super-global variables may include any one or a combination of the following parameters: $_SERVER, $_POST, $_GET, $_COOKIE and $_FILES. All elements in parameter set 1 are marked with a taint mark, i.e. each parameter is assigned a special mark string.
Thirdly, the testing apparatus 1 adds Hook detection code to the corresponding functions in the target script file based on function set 1, so that whether a passed-in parameter carries a taint mark can be detected when the target script file is executed. The functions fitted with Hook detection code are all command functions that can be used while the script file runs, for example:
vm_builtin_eval;
vm_builtin_assert;
case PH7_OP_CALL;
vm_builtin_require;
vm_builtin_require_once;
vm_builtin_include;
vm_builtin_include_once;
vm_builtin_ob_start;
vm_builtin_json_decode;
vm_builtin_extract;
vm_builtin_call_user_func.
Finally, the testing apparatus 1 executes the target script file with parameter set 1 as the input parameters. During execution, if the testing apparatus 1 finds that a passed-in parameter carries a taint mark in any function fitted with Hook detection code (i.e. finds that any such function uses a parameter from parameter set 1), this indicates that the current script file is performing a dangerous operation, because the execution directly brings an externally supplied, taint-marked parameter into a sensitive function; the testing apparatus 1 then determines that a WEBSHELL is detected.
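The taint-marked execution of step 107 modelled in Python, as an added example that is not part of the patent or of the PH7-based tool it describes. The patent attaches a special mark string to every super-global element; this example instead carries the mark as a wrapper type (Tainted) so that it survives concatenation, slicing and simple transforms, which is an assumption of the example. FUNCTION_SET_1, the sandbox sink bodies (which execute nothing), the script models and SAMPLE_REQUEST are all constructed here; the PHP each script model mirrors is given in its comment.

```python
import html


class Tainted(str):
    """String carrying the taint mark of parameter set 1 (this example's stand-in for the mark string)."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Python tries the subclass's reflected method first, so "ls " + Tainted(...) lands here.
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))


def is_tainted(value):
    """True if the value, or any element inside a list/tuple/dict, carries the taint mark."""
    if isinstance(value, Tainted):
        return True
    if isinstance(value, (list, tuple)):
        return any(is_tainted(v) for v in value)
    if isinstance(value, dict):
        return any(is_tainted(v) for v in value.values())
    return False


class WebshellDetected(Exception):
    """Raised by a Hook when a taint-marked parameter reaches a command function."""


# Function set 1: command functions fitted with Hook detection code (names follow the patent's list).
FUNCTION_SET_1 = ("eval", "assert", "system", "shell_exec", "passthru",
                  "include", "require", "call_user_func")


def hooked(name):
    """Wrap a sink so that any taint-marked argument raises WebshellDetected before the body runs."""
    def decorate(impl):
        def wrapper(*args):
            for position, arg in enumerate(args):
                if is_tainted(arg):
                    raise WebshellDetected(f"{name} received a taint-marked parameter at position {position}")
            return impl(*args)
        wrapper.__name__ = name
        return wrapper
    return decorate


def _sandbox_sink(name):
    # Sandbox body (an assumption of this example): record the call, execute nothing.
    return hooked(name)(lambda *args: f"<{name} skipped in sandbox>")


def propagating(transform):
    """Make a string transform keep the taint mark on its result."""
    def wrapper(value):
        result = transform(str(value))
        return Tainted(result) if is_tainted(value) else result
    return wrapper


# Builtins visible to a script under test: hooked sinks plus a few harmless helpers.
PHP = {name: _sandbox_sink(name) for name in FUNCTION_SET_1}
PHP["htmlspecialchars"] = propagating(html.escape)
PHP["strrev"] = propagating(lambda s: s[::-1])
PHP["echo"] = lambda value: None

# Constructed request (not from the patent) that becomes the taint-marked input.
SAMPLE_REQUEST = {"_GET": {"name": "alice"}, "_POST": {"op": "echo 1;"}, "_REQUEST": {"d": "/tmp"}}


def make_superglobals(request):
    """Parameter set 1: every element of every super-global receives the taint mark."""
    return {name: {k: Tainted(v) for k, v in values.items()} for name, values in request.items()}


def run_in_sandbox(script):
    """Execute a script model with taint-marked super-globals; return (hit, reason)."""
    try:
        script(make_superglobals(SAMPLE_REQUEST), PHP)
    except WebshellDetected as detected:
        return True, str(detected)
    return False, ""


# Script models standing in for PHP files; the PHP each mirrors is in its comment.
def script_benign(sg, php):
    # echo htmlspecialchars($_GET['name']); system('uptime');
    php["echo"](php["htmlspecialchars"](sg["_GET"]["name"]))
    return php["system"]("uptime")  # constant argument: no taint, no hit


def script_one_sentence(sg, php):
    # eval($_POST['op']);  -- the one-sentence WEBSHELL form quoted in the patent
    return php["eval"](sg["_POST"]["op"])


def script_indirect(sg, php):
    # $c = 'ls ' . strrev($_REQUEST['d']); passthru($c);
    # The super-global reaches the sink through a variable and a transform, a flow a
    # regular rule over the source text does not see but the Hook still catches.
    c = "ls " + php["strrev"](sg["_REQUEST"]["d"])
    return php["passthru"](c)
```

The hook fires on the first taint-marked argument regardless of how the value was shaped on the way to the sink, which is the property the patent relies on to make the result independent of WEBSHELL deformation; the toy propagation here does not follow formatting calls such as str.format, so a real engine must propagate the mark inside its string primitives, as the patent's rewritten PHP kernel does.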
Step 108: the testing apparatus 1 determines whether there is a hit (i.e. whether a WEBSHELL is detected); if yes, go to step 110, otherwise go to step 109.
Step 110: the testing apparatus 1 reports the relevant information of the target script file to the cloud server, i.e. reports to the cloud server whether the target script file is a malicious file.
Correspondingly, after the cloud server obtains the target script file reported by the testing apparatus 1, if it learns that the target script file has been judged to be a malicious file containing a WEBSHELL, the malicious file is recorded in the sample library; if it learns that the target script file has not been judged to be a malicious file containing a WEBSHELL, the target script file is checked further. Thus the cloud server can further assist in arbitration when the client cannot decide, as explained in the following embodiment.
In the second case, corresponding to the first case described above, the testing apparatus 2 is assumed to be a cloud server. The cloud server may perform WEBSHELL detection on the target script file on its own, in which case its process is similar to steps 100 to 110, or it may perform further arbitration on the basis of steps 100 to 110; this embodiment takes further arbitration as the example.
Referring to fig. 2, a specific process of the testing apparatus 2 performing malicious file detection is as follows:
Step 200: the testing apparatus 2 acquires a target script file.
In this embodiment, it is assumed that the testing apparatus 2 is a cloud server, and the testing apparatus 2 further arbitrates after receiving the target script file reported by the testing apparatus 1, so that the testing apparatus 2 obtains the target script file through the testing apparatus 1.
In practical applications, if the testing device 2 performs the detection task alone, changes (e.g., creation, update) to the files in a designated monitored directory can also be detected by real-time monitoring, and when a file change is determined the target script file is obtained, which is not described herein again.
Step 201: the testing apparatus 2 determines whether the target script file exists in the preset white list 2; if yes, go to step 210; otherwise, step 202 is performed.
Step 202: the testing device 2 determines whether the target script file exists in the preset black list 2; if yes, go to step 211; otherwise, step 203 is executed.
As can be seen from steps 201 and 202, the testing device 2 performs one quick HASH lookup of the sample to be detected against the massive file HASH libraries maintained in the cloud, which classify a file as either black (malicious) or white (benign).
Compared with the white list 1 and the black list 1, the white list 2 and the black list 2 maintained by the cloud have higher accuracy and give a more accurate arbitration result, so that even if the target script file has already been screened against the black and white lists on the testing device 1, it can be screened against them again at the cloud.
On the other hand, in the present embodiment, the test apparatus 2 is described as an example of further arbitrating the target script file reported by the test apparatus 1, and therefore, the black and white lists used by the test apparatus 2 are referred to as a white list 2 and a black list 2 for distinguishing. In practical applications, if the testing apparatus 2 performs the detection task independently, the black and white lists used by the testing apparatus 2 may also be referred to as a white list 1 and a black list 1, which is not described herein again.
Of course, if it is determined in advance that the target script file is a newly created file, the white list 2 and the black list 2 may not be used for screening, and are not described herein again.
Step 203: the testing apparatus 2 determines that the target script file was a miss when the reporting source (i.e., the testing apparatus 1) performed the PHP detection.
If the reporting source recorded a hit when performing the PHP detection, the testing device 2 directly records the target script file in the database.
Step 204: the testing apparatus 2 determines whether the target script file hits the preset one-sentence WEBSHELL set 2; if yes, step 205 is executed; otherwise, step 206 is performed.
The one-sentence WEBSHELL set 2 is used to describe the pattern characteristics of a malicious program, such as the file SIZE: some target script files look complete but contain only one line of code when opened, which is usually a WEBSHELL, so whether a target script file is a malicious file can be preliminarily determined from the file SIZE. By adopting this method, when a large number of target script files exist, part of them can be filtered out in advance to improve the testing efficiency.
Compared with the one-sentence WEBSHELL set 1, the one-sentence WEBSHELL set 2 maintained by the cloud has higher precision and a more accurate arbitration result, so that even if the target script file has been screened by the one-sentence WEBSHELL set 1 on the testing device 1, the cloud can screen it again with the one-sentence WEBSHELL set 2.
On the other hand, the present embodiment is described by taking the example that the testing apparatus 2 performs further arbitration on the target script file reported by the testing apparatus 1, and therefore the set used by the testing apparatus 2 is called the one-sentence WEBSHELL set 2 for distinction. In practical applications, if the testing apparatus 2 performs the detection task independently, it may also be said that the testing apparatus 2 uses the one-sentence WEBSHELL set 1, which is not described herein again.
Of course, if it is determined in advance that the target script file contains no one-sentence WEBSHELL, the one-sentence WEBSHELL set 2 may not be used for the screening, which is not described herein again.
Step 205: the testing apparatus 2 determines to delete the WEBSHELL.
In the embodiment of the present application, deleting the WEBSHELL is a special handling applied when a WEBSHELL is determined to exist, and it applies only to one-sentence WEBSHELLs, for the following reasons:
1. An attacker often inserts malicious code into the normal website files of compromised users, so although the product detects that the relevant samples have malicious behaviors, it cannot perform deletion.
2. Meanwhile, another type of sample exists: a purely malicious file, namely an independent file containing malicious code, whose deletion does not affect the normal operation of the user's website. Such samples are therefore separated out and the deletion operation is performed, removing the file directly from the user's machine to prevent further loss to the user caused by the file.
Step 206: the testing device 2 acquires the multimode regular rule set 2 corresponding to the target script file to match the target script file.
In this embodiment, different types of target script files correspond to different multimode regular rule sets, and therefore, the testing device 2 needs to obtain the corresponding multimode regular rule set 2 according to the suffix of the target script file to perform matching operation.
Compared with the testing device 1, the testing device 2 has a different detection strength in the rule configuration maintained at the cloud: the client-side multi-mode regular rule set 1 used by the testing device 1 is equivalent to a coarse-meshed net and reports a large number of suspicious target script files, while the cloud-side multi-mode regular rule set 2 used by the testing device 2 is equivalent to a fine-meshed net and screens out the malicious files that truly contain a WEBSHELL, so as to prevent missed reports. By adopting this method, when a large number of target script files exist, part of them can be filtered out in advance to improve the testing efficiency.
For example, the cloud-side multi-mode regularization rule set 2 used by the testing apparatus 2 is:
rule 1:
<RULE>function\\s{0,}(lambda_n).*?</RULE>
The above multi-mode regular rule indicates that a function declaration named lambda_n appears in the character string.
Rule 2:
<RULE>[^\w](eval|assert|popen|proc_open|shell_exec|passthru|system)\(([^\(\),]*)(\$_GET|\$_COOKIE|\$_POST|\$_SESSION|\$_REQUEST)\[(.{1,20})\]\)</RULE>
The above multi-mode regular rule indicates that a call to any one of the functions eval, assert, popen, proc_open, shell_exec, passthru and system appears in the character string, and its input parameter is an element of any one of $_GET, $_COOKIE, $_POST, $_SESSION and $_REQUEST.
Rule 3:
<RULE>\\1\\(\\\s{0,}\)</RULE>
The above multi-mode regular rule indicates that a function declaration named lambda_n appears in the string, and the code structure of a call to it, lambda_n(), appears elsewhere.
The multi-mode regular rule sets with different detection strengths used by the test device 1 and the test device 2 can be realized by writing a PHP extension script.
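As an added illustration, not the patent's own rule strings or extension code, the following Python applies a reading of Rules 1 to 3 above to constructed sample scripts: Rule 1 and Rule 3 are combined into one pattern because Rule 3's \1 back-reference needs Rule 1's capture group, "lambda_n" is assumed to mean lambda_ followed by digits, and the suffix-to-rule-set table used for step 206 is a placeholder.

```python
import os
import re
from typing import Dict, List

# Names from Rule 2 on the page: sensitive command functions and the superglobals
# in which an externally supplied value arrives.
SENSITIVE_FUNCS = r"(eval|assert|popen|proc_open|shell_exec|passthru|system)"
SUPERGLOBALS = r"(\$_GET|\$_COOKIE|\$_POST|\$_SESSION|\$_REQUEST)"

RULE_SET_2_PHP: Dict[str, re.Pattern] = {
    # Rule 1 + Rule 3 combined: a function declared as lambda_<n> (assumption: "n"
    # stands for digits) and, later in the file, an argument-less call to that same
    # name.  Rule 3's \1 only has meaning when it shares a pattern with Rule 1's group.
    "lambda_decl_and_call": re.compile(
        r"function\s{0,}(lambda_\d+).*?\1\(\s{0,}\)", re.DOTALL),
    # Rule 2: a sensitive function whose argument is one element of a superglobal,
    # e.g. eval($_POST['cmd']).
    "sensitive_on_superglobal": re.compile(
        r"[^\w]" + SENSITIVE_FUNCS + r"\(([^\(\),]*)" + SUPERGLOBALS + r"\[(.{1,20})\]\)"),
}

# Step 206: the rule set is chosen by the suffix of the target script file.  Only a
# PHP set is filled in here; the suffix table itself is a constructed placeholder.
RULE_SETS_BY_SUFFIX: Dict[str, Dict[str, re.Pattern]] = {
    ".php": RULE_SET_2_PHP,
    ".phtml": RULE_SET_2_PHP,
}


def rule_set_for(filename: str) -> Dict[str, re.Pattern]:
    """Pick the multi-mode rule set that corresponds to the file's suffix."""
    return RULE_SETS_BY_SUFFIX.get(os.path.splitext(filename)[1].lower(), {})


def match_rules(filename: str, content: str) -> List[str]:
    """Return the names of every rule in the file's rule set that matches the content."""
    return [name for name, rx in rule_set_for(filename).items() if rx.search(content)]


def is_hit(filename: str, content: str) -> bool:
    """Step 207: a hit means at least one rule of the selected set matched."""
    return bool(match_rules(filename, content))


# Constructed sample scripts (not from the page) covering the two rule shapes, a
# benign file that reads a superglobal without passing it to a command function,
# and a file whose suffix selects no rule set at all.
SAMPLES = {
    "one_liner.php": "<?php eval($_POST['cmd']); ?>",
    "lambda.php": (
        "<?php\n"
        "function lambda_7() { $f = 'assert'; $f($_REQUEST['q']); }\n"
        "lambda_7();\n"
    ),
    "benign.php": "<?php echo htmlspecialchars($_GET['name']); system('date'); ?>",
    "notes.txt": "eval($_POST['cmd'])",
}


def scan_samples() -> Dict[str, List[str]]:
    """Run every sample through the suffix-selected rule set."""
    return {name: match_rules(name, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:14s} -> {'HIT ' if hits else 'miss'} {hits}")
```

Note that lambda.php is caught only by the combined Rule 1 + Rule 3 pattern: its call through a variable function name never matches Rule 2, which is why the rule set carries both shapes.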
On the other hand, the present embodiment is described by taking an example in which the test apparatus 2 performs further arbitration on the target script file reported by the test apparatus 1, and therefore, the test apparatus 2 is referred to as using the multi-mode rule set 2 for distinction. In practical applications, if the testing apparatus 2 performs the detection task independently, it may also be called that the testing apparatus 2 uses the multi-mode regular rule set 1, which is not described herein again.
Of course, if the number of the target script files is not large, or it is known in advance that the multi-mode regular rule is not needed for screening, the multi-mode regular rule set 2 may not be used for matching, which is not described herein again.
Step 207: the testing apparatus 2 determines whether the result is hit (i.e. whether the matching is successful), if yes, step 211 is executed; otherwise, step 208 is performed.
Further, after step 207 is executed and before step 208 is executed, the testing device 2 may further process the target script file with a fuzzy hash algorithm, match the processed target script file against a preset big horse malicious sample set 2, and determine that the target script file is a malicious file when the matching succeeds, where the big horse malicious sample set 2 is a set of fully functional malicious script files. By adopting this method, when a large number of target script files exist, part of them can be filtered out in advance to improve the testing efficiency.
Compared with the big horse malicious sample set 1, the big horse malicious sample set 2 maintained by the cloud has higher precision and a more accurate arbitration result, so that even if the target script file has been screened by the big horse malicious sample set 1 on the testing device 1, it can be screened again with the big horse malicious sample set 2 at the cloud.
On the other hand, the present embodiment is described by taking an example in which the testing apparatus 2 performs further arbitration on the target script file reported by the testing apparatus 1, and therefore the testing apparatus 2 is referred to as using the big horse malicious sample set 2 for distinction. In practical applications, if the testing apparatus 2 performs the detection task independently, it may also be said that the testing apparatus 2 uses the big horse malicious sample set 1, which is not described herein again.
Of course, if the number of target script files is not large, or it is determined in advance that no malicious file exists, the fuzzy hash check may be skipped, which is not described herein again.
Step 208: the testing apparatus 2 performs the PHP detection on the target script file.
Specifically, when step 208 is executed, the PHP detection may be implemented based on the PHP virtual machine sandbox technology, which is specifically as follows:
First, the testing apparatus 2 sets a taint mark on the super-global variables in the parameter set 2, where the so-called super-global variables may include any one or a combination of the following: $_SERVER, $_POST, $_GET, $_COOKIES and $_FILES; all elements in the parameter set 2 are given the taint mark, i.e., each parameter is assigned a special mark string.
Secondly, the testing device 2 adds Hook detection code to the corresponding functions in the target script file based on the function set 2, so that whether an incoming parameter carries the taint mark can be detected when the target script file is executed, where the functions provided with the Hook detection code are all command functions that can be used while the script file runs; for example:
vm_builtin_eval;
vm_builtin_assert;
case PH7_OP_CALL;
vm_builtin_require;
vm_builtin_require_once;
vm_builtin_include;
vm_builtin_include_once;
vm_builtin_ob_start;
vm_builtin_json_decode;
vm_builtin_extract;
vm_builtin_call_user_func.
Finally, the testing device 2 executes the target script file with the parameter set 2 as the input parameters. During execution, if the testing device 2 finds that an incoming parameter carries the taint mark in any function provided with the Hook detection code (that is, any such function uses a parameter from the parameter set 2), this indicates that the current script file is performing a dangerous operation, i.e., it is determined that a WEBSHELL is detected, because the execution directly brings the externally supplied, taint-marked parameters into a sensitive function.
In practical applications, compared with the parameter set 1 and the function set 1, the parameter set 2 and the function set 2 can be configured more finely, so that after the PHP detection has been performed on the target script file on the testing device 1, it can be performed again on the testing device 2 to improve the detection accuracy.
On the other hand, the present embodiment is described by taking an example in which the test apparatus 2 performs further arbitration on the target script file reported by the test apparatus 1, and therefore, the test apparatus 2 is referred to as using the parameter set 2 and the function set 2 for distinguishing. In practical applications, if the testing apparatus 2 performs the detection task independently, the testing apparatus 2 may also be referred to as using the parameter set 1 and the function set 1, which is not described herein again.
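As an added illustration, not the patent's PH7 implementation, the following Python models the three steps of the PHP detection above (the same check the testing device 1 runs in the first case): every superglobal element is stamped with a constructed mark string, the command functions of the function set are wrapped by a hook that inspects its arguments for the mark before the real body would run, and several constructed script models, each mimicking the PHP in its comment, are executed against that marked parameter set.

```python
from typing import Any, Callable, Dict

# Constructed mark string; the page only says "a special mark string".
TAINT_MARK = "\x00TAINT\x00"

# Superglobals named on the page (PHP's real cookie array is $_COOKIE).
SUPERGLOBAL_NAMES = ("_SERVER", "_POST", "_GET", "_COOKIE", "_FILES")

# Stand-ins for the function set (the PH7 builtins listed on the page); they run nothing.
COMMAND_FUNCTIONS = ("eval", "assert", "include", "require",
                     "call_user_func", "extract", "system")


class WebshellDetected(Exception):
    """Raised by a hooked function that received a taint-marked parameter."""


def build_parameter_set(request: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """First step: stamp every element of every superglobal with the mark."""
    return {
        name: {key: TAINT_MARK + value for key, value in request.get(name, {}).items()}
        for name in SUPERGLOBAL_NAMES
    }


def is_tainted(value: Any) -> bool:
    """The mark survives copying and concatenation, so a substring test suffices;
    a transformation that rewrites bytes (e.g. base64_decode) would strip it."""
    if isinstance(value, str):
        return TAINT_MARK in value
    if isinstance(value, dict):
        return any(is_tainted(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(is_tainted(v) for v in value)
    return False


def hook(name: str, impl: Callable[..., Any]) -> Callable[..., Any]:
    """Second step: wrap a command function so the check runs before its body."""
    def hooked(*args: Any) -> Any:
        for arg in args:
            if is_tainted(arg):
                raise WebshellDetected(f"{name}() was called with a taint-marked parameter")
        return impl(*args)
    return hooked


def build_function_set() -> Dict[str, Callable[..., Any]]:
    def noop(*_args: Any) -> None:   # the real builtin is never executed in this model
        return None
    return {fn: hook(fn, noop) for fn in COMMAND_FUNCTIONS}


Script = Callable[[Dict[str, Dict[str, str]], Dict[str, Callable[..., Any]]], Any]


def run_detection(script: Script, request: Dict[str, Dict[str, str]]) -> bool:
    """Third step: execute the script with the marked parameter set; True = WEBSHELL."""
    superglobals = build_parameter_set(request)
    functions = build_function_set()
    try:
        script(superglobals, functions)
    except WebshellDetected:
        return True
    return False


# Constructed script models: each mimics the PHP shown in its comment.
def benign_script(g, f):
    # <?php echo htmlspecialchars($_GET['name']); system('date'); ?>
    _ = g["_GET"]["name"]          # reading a superglobal alone is not a hit
    f["system"]("date")            # constant argument, never marked


def one_sentence_shell(g, f):
    # <?php eval($_POST['cmd']); ?>
    f["eval"](g["_POST"]["cmd"])


def deformed_shell(g, f):
    # <?php $a = 'sys'.'tem'; $b = 'ls '.$_GET['d']; call_user_func($a, $b); ?>
    a = "sys" + "tem"              # function name hidden from a regex rule
    b = "ls " + g["_GET"]["d"]     # the mark rides along through concatenation
    f["call_user_func"](a, b)


def extract_shell(g, f):
    # <?php extract($_POST); ?>  -- whole superglobal array handed to a command function
    f["extract"](g["_POST"])


# Constructed request; the page marks every element, so any key a script reads is marked.
SAMPLE_REQUEST = {"_GET": {"name": "alice", "d": "/tmp"}, "_POST": {"cmd": "x"}}


def detect_all() -> Dict[str, bool]:
    """Run every script model through the detection and collect the verdicts."""
    scripts = {"benign": benign_script, "one_sentence": one_sentence_shell,
               "deformed": deformed_shell, "extract": extract_shell}
    return {name: run_detection(fn, SAMPLE_REQUEST) for name, fn in scripts.items()}


if __name__ == "__main__":
    for name, hit in detect_all().items():
        print(f"{name:13s} -> {'WEBSHELL' if hit else 'clean'}")
```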
Step 209: the testing device 2 determines whether there is a hit (i.e., whether a WEBSHELL is detected); if so, go to step 211; otherwise, go to step 210.
Step 210: the testing device 2 determines that WEBSHELL is not present in the target script file.
Step 211: the testing device 2 determines that WEBSHELL is present in the target script file.
Based on the above embodiments, referring to fig. 3, in the embodiment of the present application, the testing apparatus at least includes an execution unit 30 and a determination unit 31, wherein,
an execution unit 30, configured to execute the specified target script file with the first parameter set as an input parameter;
a determining unit 31, configured to determine that a target script file is a malicious file when it is determined that the target script file uses any one parameter in a first parameter set in a process of executing any one function in the first function set; and each parameter recorded in the first parameter set is provided with a taint mark, and each function recorded in the first function set is a command function which can be used in the running process of the script file.
Preferably, the parameters recorded in the first parameter set are super-global variables.
Preferably, before executing the specified target script file, using the first parameter set as an input parameter, the execution unit 30 is further configured to:
inserting the Hook detection code into the corresponding function in the target script file to be tested, based on each function in the first function set.
Preferably, before executing the specified target script file, the execution unit 30 is further configured to:
matching the target script file against a preset first white list and a preset first black list, and determining that the target script file can be executed when it is judged not to be recorded in either the first white list or the first black list.
Before executing the specified object script file, the execution unit 30 further performs one or any combination of the following operations:
matching the target script file against a preset first one-sentence WEBSHELL set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first one-sentence WEBSHELL set is used for describing the pattern characteristics of a malicious program; or,
matching the target script file against a first multimode regular rule set preset corresponding to the target script file, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first multimode regular rule set is used for describing the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset first big horse malicious sample set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first big horse malicious sample set is a set of fully functional malicious script files.
Preferably, the testing device is a client, or a cloud server.
Preferably, if the testing apparatus is a client, after the determining unit 31 determines that the target script file is not a malicious file, the executing unit 30 is further configured to:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute one or any combination of the following operations:
matching the target script file against a preset second one-sentence WEBSHELL set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second one-sentence WEBSHELL set is used for describing the pattern characteristics of a malicious program; or,
matching the target script file against a second multimode regular rule set preset corresponding to the target script file, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second multimode regular rule set is used for describing the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset second big horse malicious sample set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second big horse malicious sample set is a set of fully functional malicious script files.
Preferably, if the device is a client, after the determining unit 31 determines that the target script file is not a malicious file, the executing unit 30 is further configured to:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute the following operations:
taking the second parameter set as an input parameter, and executing the target script file;
determining that the target script file is a malicious file when the target script file uses any parameter in the second parameter set in the process of executing any function in the second function set;
and each parameter recorded in the second parameter set is provided with a taint mark, and each function recorded in the second function set is a command function which can be used in the running process of the script file.
In summary, in the embodiment of the present application, a lightweight PHP syntax compiler/interpreter is redesigned at the host level to implement dynamic detection of the target script file: a taint mark is set on the key parameters, the target script file is then executed with these key parameters as input, and the key functions in the target script file are hooked to determine whether a taint-marked key parameter is used during their execution, so as to determine whether a deformed WEBSHELL exists in the target script file. Because this is based on the essence of a WEBSHELL and grasps its key operating point, the WEBSHELL can be accurately detected no matter how it is deformed, which effectively improves detection accuracy and efficiency and avoids missed detections and false alarms. On the other hand, with the technical solution provided by the embodiment of the present application, the detection of a WEBSHELL can be completed with a simple PHP tool and no complex detection algorithm is needed, so both the detection complexity and the later operation and maintenance cost are reduced.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (16)

1. A method for detecting a malicious file, comprising:
taking the first parameter set as an input parameter, and executing a specified target script file;
when determining that the target script file uses any parameter in the first parameter set in the process of executing any function in the first function set, judging that the target script file is a malicious file; and each parameter recorded in the first parameter set is provided with a taint mark, and each function recorded in the first function set is a command function which can be used in the running process of the script file.
2. The method of claim 1, wherein the parameters recorded in the first set of parameters are super-global variables.
3. The method of claim 1, wherein, using the first set of parameters as input parameters, prior to executing the specified object script file, further comprising:
inserting the Hook detection code into the corresponding function in the target script file to be tested, based on each function in the first function set.
4. A method as recited in claim 1, 2, or 3, wherein prior to executing the specified object script file, further comprising:
matching the target script file against a preset first white list and a preset first black list, and determining that the target script file can be executed when it is judged not to be recorded in either the first white list or the first black list.
5. A method as claimed in claim 1, 2 or 3, wherein before executing the specified object script file, one or any combination of the following operations are further performed:
matching the target script file against a preset first one-sentence WEBSHELL set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first one-sentence WEBSHELL set is used for describing the pattern characteristics of a malicious program; or,
matching the target script file against a first multimode regular rule set preset corresponding to the target script file, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first multimode regular rule set is used for describing the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset first big horse malicious sample set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first big horse malicious sample set is a set of fully functional malicious script files.
6. The method of any of claims 1-5, wherein the method is applied on a client side or a cloud server side.
7. The method of claim 6, wherein if the method is applied to the client side, after determining that the target script file is not a malicious file, further comprising:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute one or any combination of the following operations:
matching the target script file against a preset second one-sentence WEBSHELL set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second one-sentence WEBSHELL set is used for describing the pattern characteristics of a malicious program; or,
matching the target script file against a second multimode regular rule set preset corresponding to the target script file, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second multimode regular rule set is used for describing the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset second big horse malicious sample set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second big horse malicious sample set is a set of fully functional malicious script files.
8. The method of claim 6, wherein if the method is applied to the client side, after determining that the target script file is not a malicious file, further comprising:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute the following operations:
taking the second parameter set as an input parameter, and executing the target script file;
determining that the target script file is a malicious file when any parameter in the second parameter set is used in the process of executing any function in the second function set by the target script file;
and each parameter recorded in the second parameter set is provided with a taint mark, and each function recorded in the second function set is a command function which can be used in the running process of the script file.
9. An apparatus for detecting malicious files, comprising:
the execution unit is used for taking the first parameter set as an input parameter and executing the specified target script file;
a judging unit, configured to judge that an object script file is a malicious file when it is determined that the object script file uses any one parameter in the first parameter set in a process of executing any one function in the first function set; and each parameter recorded in the first parameter set is provided with a taint mark, and each function recorded in the first function set is a command function which can be used in the running process of the script file.
10. The apparatus of claim 9, wherein the parameters recorded in the first set of parameters are super-global variables.
11. The apparatus of claim 9, wherein, with the first set of parameters as input parameters, prior to executing the specified object script file, the execution unit is further to:
inserting the Hook detection code into the corresponding function in the target script file to be tested, based on each function in the first function set.
12. The apparatus of claim 9, 10 or 11, wherein prior to executing the specified object script file, the execution unit is further to:
matching the target script file against a preset first white list and a preset first black list, and determining that the target script file can be executed when it is judged not to be recorded in either the first white list or the first black list.
13. The apparatus of claim 9, 10 or 11, wherein the execution unit, prior to executing the specified object script file, is further to perform one or any combination of the operations of:
matching the target script file against a preset first one-sentence WEBSHELL set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first one-sentence WEBSHELL set is used for describing the pattern characteristics of a malicious program; or,
matching the target script file against a first multimode regular rule set preset corresponding to the target script file, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first multimode regular rule set is used for describing the content characteristics of a malicious program; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file against a preset first big horse malicious sample set, and determining that the target script file can be executed when the matching is judged to be unsuccessful, wherein the first big horse malicious sample set is a set of fully functional malicious script files.
14. The apparatus according to any one of claims 9-13, wherein the apparatus is a client or a cloud server.
15. The apparatus according to claim 14, wherein if the apparatus is a client, after the determining unit determines that the target script file is not a malicious file, the executing unit is further configured to:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute one or any combination of the following operations:
matching the target script file with a preset second one-sentence WEBSHELL set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second one-sentence WEBSHELL set is used for describing the pattern characteristics of malicious programs; or,
matching the target script file with a preset second multimode regular rule set corresponding to the target script file, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second multimode regular rule set is used for describing the content characteristics of malicious programs; or,
processing the target script file with a fuzzy hash algorithm, matching the processed target script file with a preset second big horse malicious sample set, and determining that the target script file is a malicious file when the matching is judged to be successful, wherein the second big horse malicious sample set is a set of malicious script files with complete functions.
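The three static stages of claims 13 and 15 (one-sentence WEBSHELL set, multimode regular rule set, fuzzy hash against a big horse sample set), as an added illustration that is not the patent's code. The rule sets, the sample script and the token n-gram digest standing in for a real fuzzy hash are constructed for this example.

```python
import hashlib
import re

# Constructed stand-in rule sets; the patent's real sets are not on the page.
# Stage 1: one-sentence WEBSHELL set (pattern characteristics), compared after
# whitespace normalisation so reformatting alone does not evade the match.
ONE_SENTENCE_WEBSHELL_SET = {"<?php eval($_POST['cmd']);?>",
                             "<?php @eval($_REQUEST['x']);?>"}
NORMALISED_ONE_SENTENCE = {re.sub(r"\s+", "", s) for s in ONE_SENTENCE_WEBSHELL_SET}
# Stage 2: multimode regular rule set (content characteristics), compiled into
# one alternation so the file is scanned once for every rule.
MULTIMODE_RULES = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*@?\$_(?:POST|GET|REQUEST)\b"
    r"|\bpreg_replace\s*\([^)]*/e['\"]", re.IGNORECASE)
# Stage 3: a constructed "big horse" sample standing in for a full-featured
# malicious script; a real set would hold digests of many collected samples.
BIG_HORSE_SAMPLE = """<?php
function list_dir($d) { return scandir($d); }
function run_cmd($c) { return shell_exec($c); }
function read_file($f) { return file_get_contents($f); }
if (isset($_POST['a'])) { echo run_cmd($_POST['a']); }
?>"""

def fuzzy_digest(content: str, n: int = 3) -> set:
    """Simplified fuzzy hash: the set of hashed token n-grams. Unlike an exact
    hash it survives renaming or inserting a few tokens; production code would
    use a context-triggered piecewise hash such as ssdeep instead."""
    tokens = re.findall(r"\w+|[^\w\s]", content)
    return {hashlib.sha1(" ".join(tokens[i:i + n]).encode()).hexdigest()[:10]
            for i in range(len(tokens) - n + 1)}

def fuzzy_similarity(a: set, b: set) -> float:
    """Jaccard similarity of two digests: 0.0 disjoint, 1.0 identical."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

BIG_HORSE_DIGESTS = [fuzzy_digest(BIG_HORSE_SAMPLE)]

def classify(script: str, threshold: float = 0.6) -> str:
    """Apply the three stages in order. A hit returns 'malicious:<stage>' (the
    cloud-side outcome); if every match fails the file is 'executable'."""
    if re.sub(r"\s+", "", script) in NORMALISED_ONE_SENTENCE:
        return "malicious:one-sentence"
    if MULTIMODE_RULES.search(script):
        return "malicious:rule"
    digest = fuzzy_digest(script)
    if any(fuzzy_similarity(digest, d) >= threshold for d in BIG_HORSE_DIGESTS):
        return "malicious:fuzzy"
    return "executable"
```

A renamed copy of the sample passes stages 1 and 2 untouched and is only caught by stage 3, which is the reason the claims layer the fuzzy match after the exact and regular-expression ones.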
16. The apparatus according to claim 14, wherein if the apparatus is a client, after the determining unit determines that the target script file is not a malicious file, the executing unit is further configured to:
reporting relevant information of the target script file to a cloud server, and triggering the cloud server to execute the following operations:
executing the target script file with the second parameter set as its input parameters;
determining that the target script file is a malicious file when, while the target script file executes any function in the second function set, any parameter in the second parameter set is used;
wherein each parameter recorded in the second parameter set carries a taint mark, and each function recorded in the second function set is a command function that can be invoked while the script file is running.
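The dynamic check of claim 16, as an added model that is not the patent's code: every input parameter carries a taint mark, the command functions are wrapped, and the file is judged malicious as soon as a tainted parameter reaches one of them. The PHP runtime is not on the page, so the target script is modelled as a Python callable; the names Tainted, TaintMonitor and run_taint_check are assumptions of this example.

```python
# Constructed model of the claim's taint check; the script under test is a
# Python callable taking (params, function_table) in place of a PHP file.
class Tainted(str):
    """A parameter value carrying a taint mark. Concatenation propagates the
    mark so that "ls " + tainted is still recognised as attacker-influenced
    (f-strings and .format() would launder it in this simplified model)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str(other) + str(self))


class TaintMonitor:
    """Wraps every command function in the second function set: a call that
    receives a tainted argument is recorded as a hit and is never executed."""
    def __init__(self, command_functions):
        self.hits = []
        self.table = {name: self._guard(name) for name in command_functions}

    def _guard(self, name):
        def guarded(*args):
            if any(isinstance(a, Tainted) for a in args):
                self.hits.append(name)
                return ""            # the real command is never run here
            return f"<{name}: constant argument, allowed>"
        return guarded


def run_taint_check(script, parameter_set, command_functions):
    """Execute `script` with every parameter tainted and return
    (is_malicious, hits); one tainted call to a command function is enough."""
    monitor = TaintMonitor(command_functions)
    params = {k: Tainted(v) for k, v in parameter_set.items()}
    script(params, monitor.table)
    return bool(monitor.hits), list(monitor.hits)


# Constructed sample scripts (not real malware): one forwards a request
# parameter into shell_exec, the other only echoes it back in its output.
def forwards_parameter(params, fn):
    return fn["shell_exec"]("ls " + params["cmd"])


def echoes_parameter(params, fn):
    banner = fn["system"]("uname")               # constant argument: allowed
    return banner + " hello " + params["cmd"]    # never reaches a command
```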
CN201610098803.4A 2016-02-23 2016-02-23 A kind of detection method and device of malicious file Pending CN107103237A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610098803.4A CN107103237A (en) 2016-02-23 2016-02-23 A kind of detection method and device of malicious file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610098803.4A CN107103237A (en) 2016-02-23 2016-02-23 A kind of detection method and device of malicious file

Publications (1)

Publication Number Publication Date
CN107103237A true CN107103237A (en) 2017-08-29

Family

ID=59659028

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610098803.4A Pending CN107103237A (en) 2016-02-23 2016-02-23 A kind of detection method and device of malicious file

Country Status (1)

Country Link
CN (1) CN107103237A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078864A (en) * 2010-08-18 2013-05-01 北京奇虎科技有限公司 Active defense file repairing method based on cloud security
CN103839008A (en) * 2014-03-21 2014-06-04 彭岸峰 Immune safety service for one-word script backdoors and PHP variable function backdoors
CN105069355A (en) * 2015-08-26 2015-11-18 厦门市美亚柏科信息股份有限公司 Static detection method and apparatus for webshell deformation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杜海章: "PHP webshell real-time dynamic detection", 《网络安全技术与应用》 (Network Security Technology and Application) *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108959071A (en) * 2018-06-14 2018-12-07 湖南鼎源蓝剑信息科技有限公司 A kind of detection method and system of the PHP deformation webshell based on RASP
CN108959071B (en) * 2018-06-14 2021-09-24 湖南鼎源蓝剑信息科技有限公司 RASP-based PHP deformation webshell detection method and system
WO2020000743A1 (en) * 2018-06-27 2020-01-02 平安科技(深圳)有限公司 Webshell detection method and related device
CN111062034A (en) * 2018-10-16 2020-04-24 中移(杭州)信息技术有限公司 Webshell file detection method and device, electronic device and storage medium
CN109634844B (en) * 2018-11-06 2023-12-22 三六零科技集团有限公司 JS code testing method and device and electronic equipment
CN109634844A (en) * 2018-11-06 2019-04-16 北京奇虎科技有限公司 JS code test method, device and electronic equipment
CN110162973A (en) * 2019-05-24 2019-08-23 新华三信息安全技术有限公司 A kind of Webshell file test method and device
CN110162973B (en) * 2019-05-24 2021-04-09 新华三信息安全技术有限公司 Webshell file detection method and device
CN110610088A (en) * 2019-09-12 2019-12-24 北京升鑫网络科技有限公司 Webshell detection method based on php
CN111368303A (en) * 2020-03-12 2020-07-03 深信服科技股份有限公司 PowerShell malicious script detection method and device
CN111368303B (en) * 2020-03-12 2023-12-29 深信服科技股份有限公司 PowerShell malicious script detection method and device
CN113746784B (en) * 2020-05-29 2023-04-07 深信服科技股份有限公司 Data detection method, system and related equipment
CN113746784A (en) * 2020-05-29 2021-12-03 深信服科技股份有限公司 Data detection method, system and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20170829)