
CN107122663B - Injection attack detection method and device - Google Patents


Info

Publication number
CN107122663B
CN107122663B
Authority
CN
China
Prior art keywords
executable file
target process
file
determining
injection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710297422.3A
Other languages
Chinese (zh)
Other versions
CN107122663A (en)
Inventor
阚志刚
陈彪
程显龙
方宁
卢佐华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Bangcle Technology Co ltd
Original Assignee
Chengdu Bangbang Information Technology Consulting Service Co ltd
Beijing Bangcle Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Bangbang Information Technology Consulting Service Co ltd, Beijing Bangcle Technology Co ltd
Priority to CN201710297422.3A
Publication of CN107122663A
Application granted
Publication of CN107122663B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The application discloses a method and a device for detecting injection attacks. The method determines the characteristic values of the executable files under a target process and, if one of those characteristic values matches a preset value, determines that the target process is attacked by an injection tool, the preset value being a predetermined characteristic value of the injection tool. Because the predetermined characteristic value of the injection tool serves as the preset value and is compared with the characteristic values of the executable files under the target process, a match indicates that an executable file of the injection tool exists under the target process, that is, that the target process is under injection attack; otherwise the target process is not under injection attack. Whether the target process is under injection attack can therefore be detected, which lays a foundation for taking defensive measures in time to prevent the target process from being attacked by the injection tool, and improves the user's experience of the application program.

Description

Injection attack detection method and device
Technical Field
The application relates to the technical field of APP security, in particular to an injection attack detection method and device.
Background
With the rapid development of the mobile internet industry, mobile application programs (APPs for short) have proliferated explosively, especially Android applications, which are very widely used. However, because of the open-source nature of the Android system, Android applications are, like those on a Personal Computer (PC), a main target of hacking, and are vulnerable to viruses, injection, trojans, rogue software and phishing software, which seriously affects client security and reduces both the user experience and the application developer's revenue.
Injection attack here mainly refers to attack by an injection tool. The specific mode of attack is as follows: the injection tool injects its own executable file into the process it wants to attack; once injected, that executable file is subsequently run, and its running manipulates the data of the process. For example, in a financial application, an injection tool modifies the data of the application's business operations, such as account numbers and amounts, by injecting an executable file into the application's process. How to discover whether a process is under attack by an injection tool is therefore very important.
Disclosure of Invention
An object of the present invention is to provide a method and an apparatus for detecting injection attack, so as to detect whether a target process is attacked by an injection tool.
In a first aspect, an embodiment of the present application provides an injection attack detection method, including:
determining a characteristic value of an executable file under a target process;
if a characteristic value matching a preset value exists among the characteristic values of the executable files under the target process, determining that the target process is attacked by an injection tool; wherein the preset value is a predetermined characteristic value of the injection tool.
Optionally, the determining the feature value of the executable file under the target process includes:
determining a maps file matched with the process number in a proc file system according to the process number of the target process;
and determining the characteristic value of the executable file under the target process according to the maps file.
Optionally, the feature value of the executable file includes at least one of:
the name of the executable file;
a hash value of the executable file.
Optionally, when the feature value of the executable file is a hash value of the executable file, the determining the feature value of the executable file in the target process according to the maps file specifically includes:
determining the unique identification of the executable file recorded in the maps file;
determining the executable file according to the unique identifier;
and taking the hash value of the executable file as the characteristic value of the executable file.
Optionally, after determining that the target process is attacked by the injection tool, the method further includes:
and determining the executable file with the characteristic value matched with the preset value under the target process as an illegal executable file injected into the target process by the injection tool.
Optionally, after determining the illegal executable file, the method further includes:
and deleting the illegal executable file.
Optionally, after determining that the target process is attacked by the injection tool, the method further includes:
ending the target process; and/or
outputting prompt information that the target process is attacked by the injection tool.
In a second aspect, an embodiment of the present application further provides an injection attack detection apparatus, including:
the characteristic value determining module is used for determining the characteristic value of the executable file under the target process;
the injection attack determining module is used for determining that the target process is attacked by the injection tool if a characteristic value matching the preset value exists among the characteristic values of the executable files under the target process; wherein the preset value is a predetermined characteristic value of the injection tool.
Optionally, the target process is a process in a linux system, and the characteristic value determining module specifically includes: a first determination submodule and a second determination submodule;
the first determining submodule is used for determining a maps file matched with the process number in the proc file system according to the process number of the target process;
and the second determining submodule is used for determining the characteristic value of the executable file under the target process according to the maps file.
Optionally, the apparatus further comprises:
an injection attack processing module, configured to end the target process after determining that the target process is attacked by the injection tool; and/or outputting prompt information of the target process attacked by the injection tool.
In at least one of the technical solutions adopted in the embodiments of the present application, since the predetermined characteristic value of the injection tool is used as the preset value and compared with the characteristic values of the executable files in the target process, a match between a characteristic value of an executable file in the target process and the preset value indicates that an executable file of the injection tool exists in the target process, that is, that the target process is under injection attack; otherwise the target process is not under injection attack. The following advantageous effects can therefore be obtained: whether the target process is under injection attack can be detected, a foundation is laid for taking defensive measures in time to prevent the target process from being attacked by an injection tool, and the user's experience of the application program is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of an injection attack detection method provided in embodiment 1 of the present application;
fig. 2 is a flowchart of an injection attack detection method provided in embodiment 2 of the present application;
fig. 3 is a flowchart of an injection attack detection method provided in embodiment 3 of the present application;
fig. 4 is a schematic structural diagram of an injection attack detection apparatus provided in embodiment 4 of the present application;
fig. 5 is a schematic structural diagram of an injection attack detection apparatus provided in embodiment 5 of the present application;
fig. 6 is a schematic structural diagram of an injection attack detection apparatus provided in embodiment 6 of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to solve the problems in the prior art, embodiments of the present invention provide a method and an apparatus for detecting injection attacks to detect an injection attack, lay a foundation for timely taking a defense measure to prevent an injection tool from operating memory data of an application program during running, and improve user experience of using the application program.
An injection attack detection method provided by an embodiment of the present invention is explained below.
First, it should be noted that the entity executing the injection attack detection method provided in the embodiments of the present application may be an electronic device running an Android system, for example a mobile phone or a tablet computer. The executing entity does not limit the present application; for convenience of description, the executing entity in the embodiments of the present application is a mobile phone with an Android system installed.
The functional software implementing the injection attack detection method provided by the embodiments of the application may be security software, a functional module within security software, and the like. The functional software likewise does not limit the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Example 1
Referring to fig. 1, fig. 1 is a flowchart of an injection attack detection method according to embodiment 1 of the present invention. The target process of the target application to be protected and the injection process of the injection tool are two mutually independent processes, and the injection process cannot directly manipulate data inside the target process. In order to manipulate that data, the injection tool therefore injects illegal executable files into the target process and manipulates the target process's data indirectly by running those illegal executable files. However, the characteristic values of the illegal executable files differ from those of the target process's own executable files. In view of this, as shown in fig. 1, the injection attack detection method provided in embodiment 1 of the present application may include:
s101, determining a characteristic value of an executable file under a target process;
s102, if the characteristic value matched with a preset value exists in the characteristic values of the executable file under the target process, determining that the target process is attacked by an injection tool; wherein the preset value is a predetermined characteristic value of the injection tool.
Step S101 will be described in detail below.
A process is a running instance of an application program operating on a data set in a computer, and is the basic unit of resource allocation and scheduling in a system. When an application program is started, the operating system creates a new process to execute it. An executable file is a file that can be loaded and executed by the operating system.
Colloquially, an application at runtime is presented as a process, and the application's executable files are mapped into the process at virtual addresses. For example, when a process is created, a virtual address space is created first, then the header of the process's executable file is read, and addresses in the virtual address space are mapped to the executable file to establish the mapping relationship.
A specific implementation manner of step S101 is described below by taking a target process in the linux system as an example, that is, the target process is a process in the linux system.
Since the maps file in the proc file system of a Linux system stores a list of the memory mapping regions of each executable file and library file mapped by the process, together with the access rights of those regions, step S101 may specifically include:
step 1, determining a maps file matched with a process number in a proc file system according to the process number of a target process;
the Android system is an operating system based on a Linux kernel, and in the Linux system, each process has a process number (PID or PID), and the process number is a positive number and is used for uniquely identifying a certain process in the system.
And 2, determining the characteristic value of the executable file under the target process according to the maps file.
Those skilled in the art will appreciate that the /proc directory in a Linux system is a file system, namely the proc file system. Unlike ordinary file systems, the proc file system is a pseudo file system (a virtual file system) holding a series of special files that reflect the current running state of the kernel; through these files a user can view information about the system hardware and the currently running processes.
Because of these particularities, files in the proc file system are also often called virtual files and have some unusual characteristics. For example, although some of them return a large amount of information when viewed with a viewing command, the size of the files themselves may show as 0 bytes.
For ease of viewing and use, these virtual files are usually stored in different directories and even subdirectories, grouped by relevance. For example, the /proc/scsi directory stores information about all Small Computer System Interface (SCSI) devices on the current system, and information about a currently running process is stored under /proc/pid, where pid is the process number of that process; as one would expect, the directory belonging to a process disappears automatically once the process ends.
The characteristic value of the executable file comprises at least one of the following: name of executable file, hash value of executable file. It is understood that other characteristic values capable of distinguishing illegal executable files from legal executable files are also applicable to the present application, and the two characteristic values should not be construed as limiting the scope of protection of the present application.
In general, an illegal executable refers to an executable file that the injection tool injects into the target process, and a legal executable refers to an executable file of the target process itself.
In a first specific implementation, the name of the executable file alone may be used as the characteristic value of the executable file under the target process to determine whether the target process is under injection attack, which avoids the system resource overhead of computing hash values for the executable files.
However, the injection tool may evade detection by modifying or hiding the name of its executable file, so the detection result obtained with the first specific implementation may be inaccurate.
Therefore, in a second specific implementation, if the name of the executable file indicates that the target process is not under injection attack (that is, the first specific implementation finds no attack), the hash value of the executable file is further used as the characteristic value of the executable file to determine whether the target process is under injection attack. This prevents the injection tool from evading detection by modifying or hiding the name of the illegal executable file, and improves detection accuracy.
Of course, in a third specific implementation, the hash value of the executable file alone may also be used as the characteristic value of the executable file under the target process to determine whether the target process is under injection attack, so as to improve detection accuracy.
Specifically, when the feature value of the executable file is a hash value of the executable file, step 2, that is, the step of determining the feature value of the executable file in the target process according to the maps file, may specifically include:
substep 1, determining the unique identification of each executable file recorded in the maps file;
substep 2, determining the executable file according to the unique identifier;
substep 3, taking the hash value of the executable file as the characteristic value of the executable file.
The unique identifier of the executable file may be a file name, a file header, and the like of the executable file.
Since the /proc/pid/maps file in the proc file system generally takes the form of a list (hereinafter the maps table) in which seven columns of data are usually recorded, and the seventh column records the unique identifier of an executable file of the process, the corresponding executable file is reached through that unique identifier.
Therefore, in a concrete implementation, the corresponding executable file (binary file) can be found according to the unique identifier of the executable file recorded in the seventh column of the maps table; the hash value of the executable file so found is then calculated with a hash algorithm and taken as the characteristic value of the executable file.
The hash algorithm can map a binary value of arbitrary length to a smaller binary value of fixed length, referred to as a hash value. The hash value is a unique and extremely compact numerical representation of a piece of data, and therefore can reflect the characteristics of an executable file. The specific calculation process belongs to the prior art, and is not described herein again.
Step S102 will be described in detail below.
First, as will be appreciated by those skilled in the art, an injection tool generally refers to a malicious program that injects illegal executables into a target process and manipulates relevant data in the target process by running those illegal executables. Such as the common SQL injection tool.
The predetermined characteristic values of the injection tools are obtained by the applicant in advance by collecting and analysing existing injection tools and extracting and storing the characteristic values of their executable files. Since more than one injection tool exists, there is also more than one predetermined injection tool characteristic value. In a particular implementation, the applicant stores the predetermined injection tool characteristic values in a database (which may be called the injection feature database).
In addition, since new injection tools keep appearing, the injection feature database mentioned in the embodiments of the present application is not fixed; it is reasonable for the injection feature database to be updated periodically or from time to time to add the characteristic values of new injection tools.
In the injection attack detection method provided in embodiment 1 of the present application, a predetermined characteristic value of an injection tool is used as a preset value, and is compared with a characteristic value of an executable file in a target process, so that when the characteristic value of the executable file in the target process matches the preset value, it is indicated that the executable file of the injection tool exists in the target process, that is, it is indicated that the target process is under injection attack; otherwise, the target process is not attacked by the injection. Therefore, the method can detect whether the target process is attacked by injection or not, lays a foundation for timely taking defense measures to prevent the target process from being attacked by the injection tool, and improves the experience of a user in using the application program.
In addition, it should be noted that when the injection attack detection method provided in embodiment 1 of the present invention is implemented, step S102 may be executed after step S101 has been executed on all executable files in the target process; or steps S101 and S102 may be executed on one executable file under the target process and, if the target process is thereby found not to be under injection attack, executed on the next executable file under the target process. Both are reasonable, and since the latter approach may need to execute steps S101 and S102 on only a few, or even one, of the target process's executable files before the target process is found to be under injection attack, it can shorten the time needed to determine whether the target process is under injection attack and improve the efficiency of detection.
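The following Python is an added worked example of steps S101 and S102 as described in embodiment 1; it is not code from the patent or its applicant. It parses /proc/pid/maps text, collects the distinct mapped file paths (the pathname field, which the description calls the seventh column), compares each file's name against the preset values first and its hash second, and optionally stops at the first match as in the per-file variant above. The feature database, the maps text and the library files are all constructed here, SHA-256 is an assumed choice of hash algorithm (the description leaves the algorithm open), and the "(deleted)" handling covers mappings whose backing file has since been removed from disk.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"   # suffix the kernel appends to mappings of removed files


@dataclass(frozen=True)
class FeatureDatabase:
    # Preset values: feature values of known injection tools. Both sets are
    # constructed placeholders; the description fills them from analysed tool
    # samples and refreshes them as new tools appear.
    names: frozenset
    sha256: frozenset


def parse_maps(text):
    """Steps 1 and 2: list the distinct file paths recorded in maps text.

    A maps line reads: address perms offset dev inode pathname. Anonymous
    regions have no pathname and pseudo-regions such as [heap] or [stack] are
    not files, so both are skipped; a file mapped in several regions is
    reported once, in first-seen order."""
    paths = []
    for line in text.splitlines():
        parts = line.split(None, 5)           # pathname may itself contain spaces
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if path.startswith("[") or path in paths:
            continue
        paths.append(path)
    return paths


def file_name(path):
    """Base name of a mapped file, ignoring a trailing '(deleted)' marker."""
    if path.endswith(DELETED_SUFFIX):
        path = path[:-len(DELETED_SUFFIX)]
    return os.path.basename(path)


def sha256_of_file(path):
    """Substep 3: hash the executable file reached through its maps pathname."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def detect_injection(maps_text, db, stop_at_first=True):
    """S101 + S102: return the mapped files whose feature value matches a preset value.

    Stage one compares the file name (cheap, no hashing). Stage two hashes only
    files whose name did not match, the fallback the description uses against a
    renamed or hidden injected library. A mapping marked '(deleted)' has no file
    left on disk, so only its name can be checked. With stop_at_first=True the
    scan ends at the first match, the faster per-file variant described above."""
    flagged = []
    for path in parse_maps(maps_text):
        deleted = path.endswith(DELETED_SUFFIX)
        matched = file_name(path) in db.names
        if not matched and not deleted and os.path.isfile(path):
            matched = sha256_of_file(path) in db.sha256
        if matched:
            flagged.append(path)
            if stop_at_first:
                break
    return flagged


def demo():
    """Run the check against a constructed process image in a temp directory.
    Returns the names flagged by a full scan and by an early-stop scan."""
    with tempfile.TemporaryDirectory() as d:
        legit = os.path.join(d, "libc.so")
        renamed = os.path.join(d, "libhelper.so")    # injected library under an innocent name
        with open(legit, "wb") as f:
            f.write(b"\x7fELF constructed legitimate library bytes")
        with open(renamed, "wb") as f:
            f.write(b"\x7fELF constructed injected library bytes")
        db = FeatureDatabase(
            names=frozenset({"libinject.so"}),            # known to the database by name
            sha256=frozenset({sha256_of_file(renamed)}),  # known to the database by hash only
        )
        maps_text = "\n".join([  # constructed maps content, not captured from a device
            f"7f0000000000-7f0000001000 r-xp 00000000 fd:01 100 {legit}",
            f"7f0000001000-7f0000002000 r--p 00001000 fd:01 100 {legit}",
            "7f0000002000-7f0000003000 rw-p 00000000 00:00 0",
            "7f0000003000-7f0000004000 r-xp 00000000 fd:01 101 /data/local/tmp/libinject.so (deleted)",
            f"7f0000004000-7f0000005000 r-xp 00000000 fd:01 102 {renamed}",
            "7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]",
        ])
        full = [file_name(p) for p in detect_injection(maps_text, db, stop_at_first=False)]
        early = [file_name(p) for p in detect_injection(maps_text, db)]
    return full, early


if __name__ == "__main__":
    print(demo())   # (['libinject.so', 'libhelper.so'], ['libinject.so'])
```

In the constructed image the renamed library is missed by the name check and caught only by the hash check, which is the case the second specific implementation exists for; the removed-file mapping shows why the name stage still matters when no bytes remain on disk to hash. On a real device the maps text would be read from /proc/pid/maps of the target process, which requires the same UID or appropriate privileges.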
Example 2
Referring to fig. 2, fig. 2 is a flowchart of an injection attack detection method according to embodiment 2 of the present invention. The embodiment shown in fig. 2 provides an injection attack detection method, which is different from the embodiment shown in fig. 1 in that the method may further include:
s103, determining the executable file with the characteristic value matched with the preset value under the target process as an illegal executable file injected into the target process by the injection tool.
Optionally, after step S103, the method may further include:
and S104, deleting the illegal executable file.
It can be seen that determining and deleting an illegal executable file injected by an injection tool into a target process is one of effective ways for defending against injection attack, and after deletion, the injection tool can be prevented from operating memory data of an Android system application program during operation, so that the safety of user data is ensured, and the experience of a user in using the application program is improved.
Example 3
Referring to fig. 3, fig. 3 is a flowchart of an injection attack detection method according to embodiment 3 of the present invention. The embodiment shown in fig. 3 provides an injection attack detection method, which is different from the embodiment shown in fig. 1 or fig. 2 in that the method may further include:
s105, ending the target process; and/or outputting prompt information of the target process attacked by the injection tool.
The prompt message may include, in addition to information that the target process is attacked by the injection tool: the recommendation information, for example, recommends the user to end the target process, recommends the user to employ security software to kill the injection tool, etc.
It is easy to understand that ending the target process and/or outputting the prompt information is also an effective way for defending against injection attacks, and can also prevent the injection tool from operating the memory data of the Android system application program during operation, so that the safety of user data is ensured, and the experience of the user in using the application program is improved.
Corresponding to the above method embodiment, the present application further provides an injection attack detection apparatus, which is described in detail below.
Example 4
Referring to fig. 4, fig. 4 is a schematic structural diagram of an injection attack detection apparatus according to embodiment 4 of the present invention. As shown in fig. 4, an injection attack detection apparatus provided in embodiment 4 of the present application may include:
a feature value determining module 401, configured to determine a feature value of an executable file in a target process;
As described in embodiment 1, the maps file in the proc file system of a Linux system stores a list of the memory mapping regions of each executable file and library file mapped by a process, together with their access rights. Therefore, in a specific implementation, the characteristic value determining module 401 specifically includes: a first determination submodule and a second determination submodule;
the first determining submodule is used for determining a maps file matched with the process number in the proc file system according to the process number of the target process;
and the second determining submodule is used for determining the characteristic value of the executable file under the target process according to the maps file.
Specifically, the feature value of the executable file includes at least one of: name of executable file, hash value of executable file. It is understood that other characteristic values capable of distinguishing illegal executable files from legal executable files are also applicable to the present application, and the two characteristic values should not be construed as limiting the scope of protection of the present application.
When the feature value of the executable file is a hash value of the executable file, the second determining sub-module may specifically include:
the first determining subunit is used for determining the unique identifier of the executable file recorded in the maps file;
the second determining subunit is used for determining the executable file according to the unique identifier;
and the third determining subunit is used for taking the hash value of the executable file as the characteristic value of the executable file.
An injection attack determination module 402, configured to determine that the target process is attacked by an injection tool if a feature value matching a preset value exists in the feature values of the executable file in the target process; wherein the preset value is a predetermined characteristic value of the injection tool.
In the injection attack detection apparatus provided in embodiment 4 of the present application, a predetermined characteristic value of an injection tool is used as a preset value, and is compared with a characteristic value of an executable file in a target process, so that when the characteristic value of the executable file in the target process matches the preset value, it is indicated that the executable file of the injection tool exists in the target process, that is, it is indicated that the target process is under injection attack; otherwise, the target process is not attacked by the injection. Therefore, the device can detect whether the target process is attacked by injection or not, lays a foundation for timely taking defense measures to prevent the target process from being attacked by the injection tool, and improves the experience of a user in using the application program.
Example 5
Referring to fig. 5, fig. 5 is a schematic structural diagram of an injection attack detection apparatus according to embodiment 5 of the present invention. The embodiment shown in fig. 5 provides an injection attack detection apparatus, which is different from the embodiment shown in fig. 1 in that the apparatus may further include:
a determining module 403, configured to determine an executable file whose feature value under the target process matches the preset value as an illegal executable file injected into the target process by the injection tool.
Optionally, the apparatus may further include:
a deleting module 404, configured to delete the illegal executable file.
Determining and deleting the illegal executable file injected by the injection tool into the target process is thus one effective way of defending against injection attacks: once the file is deleted, the injection tool can no longer operate on the memory data of the Android application program at run time, so the safety of user data is ensured and the user's experience with the application program improves.
Example 6
Referring to fig. 6, fig. 6 is a schematic structural diagram of an injection attack detection apparatus according to embodiment 6 of the present invention. The embodiment shown in fig. 6 provides an injection attack detection apparatus, which is different from the embodiment shown in fig. 4 or fig. 5 in that the apparatus may further include:
an injection attack processing module 405, configured to end the target process after determining that the target process is attacked by the injection tool; and/or outputting prompt information of the target process attacked by the injection tool.
Ending the target process and/or outputting the prompt information is likewise an effective defence against injection attacks: it also prevents the injection tool from operating on the memory data of the Android application program at run time, so the safety of user data is ensured and the user's experience with the application program improves.
It should be noted that, since the apparatus embodiments are basically similar to the method embodiments, the description of the apparatus embodiments in the present application is relatively simple, and reference may be made to the method embodiments for relevant points.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (6)

1. An injection attack detection method, comprising:
determining a characteristic value of an executable file under a target process;
if a feature value matching a preset value exists among the feature values of the executable files under the target process, determining that the target process is attacked by an injection tool; the preset value is a predetermined feature value of the injection tool, obtained in advance by collecting and analysing existing injection tools and extracting the feature values of their executable files; the preset value is stored in a database, and the database is updated periodically;
the target process is a process in a Linux system, and determining the feature value of the executable file under the target process specifically comprises: determining, according to the process number of the target process, the maps file in the proc file system that matches the process number; and determining the feature value of the executable file under the target process according to the maps file; wherein the maps file in the proc file system of the Linux system stores a list of the memory regions to which each executable file and library file of the process is mapped, together with their access rights;
wherein the characteristic value of the executable file comprises at least one of:
the name of the executable file; a hash value of the executable file;
when the feature value of the executable file is a hash value of the executable file, determining the feature value of the executable file in the target process according to the maps file specifically includes:
determining the unique identification of the executable file recorded in the maps file;
determining the executable file according to the unique identifier;
taking the hash value of the executable file as a characteristic value of the executable file;
the unique identifier of the executable file is the file name and the file header of the executable file.
2. The method of claim 1, wherein upon determining that the target process is attacked by an injection tool, the method further comprises:
and determining the executable file with the characteristic value matched with the preset value under the target process as an illegal executable file injected into the target process by the injection tool.
3. The method of claim 2, wherein after determining the illegal executable file, the method further comprises:
and deleting the illegal executable file.
4. The method of any of claims 1-3, wherein after determining that the target process is attacked by an injection tool, the method further comprises:
ending the target process; and/or
and outputting prompt information of the target process attacked by the injection tool.
5. An injection attack detection apparatus, comprising:
the characteristic value determining module is used for determining the characteristic value of the executable file under the target process;
the injection attack determining module is used for determining that the target process is attacked by an injection tool if a feature value matching a preset value exists among the feature values of the executable files under the target process; the preset value is a predetermined feature value of the injection tool, obtained in advance by collecting and analysing existing injection tools and extracting the feature values of their executable files; the preset value is stored in a database, and the database is updated periodically;
the target process is a process in a Linux system, and the feature value determining module specifically comprises a first determining submodule and a second determining submodule;
the first determining submodule is used for determining a maps file matched with the process number in the proc file system according to the process number of the target process;
the second determining submodule is used for determining a characteristic value of the executable file under the target process according to the maps file;
the maps file in the proc file system of the Linux system stores a list of the memory regions to which each executable file and library file of the process is mapped, together with their access rights;
wherein the characteristic value of the executable file comprises at least one of:
the name of the executable file; a hash value of the executable file;
when the feature value of the executable file is a hash value of the executable file, the second determining sub-module includes:
the first determining subunit is used for determining the unique identifier of the executable file recorded in the maps file;
the second determining subunit is used for determining the executable file according to the unique identifier;
a third determining subunit, configured to use the hash value of the executable file as a feature value of the executable file;
the unique identifier of the executable file is the file name and the file header of the executable file.
6. The apparatus of claim 5, further comprising:
an injection attack processing module, configured to end the target process after determining that the target process is attacked by the injection tool; and/or outputting prompt information of the target process attacked by the injection tool.
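As an added illustration of the method of claim 1 and of the apparatus of embodiments 4 to 6 above, the following Python code (written for this page; it is not part of the patent and not the patentee's code) parses the text of a maps file, collects the file-backed mappings that carry the execute bit, derives the two claimed feature values for each (the file name, and a hash of the file contents), and compares them with preset values standing in for the database of known injection tools. The maps text, the file contents and the preset name and hash are constructed samples; the choice of SHA-256 as the hash, the `/data/local/tmp/libhook.so` path and every function name are assumptions, and the claimed use of the file header as part of the unique identifier is not modelled.

```python
# Added example: detect a mapped injection tool from a process's maps file.
# Sample data is constructed; SHA-256, the paths and the function names are assumptions.
import hashlib
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Set

# Layout of one /proc/<pid>/maps line:  start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)(?:\s+(?P<path>\S.*))?$"
)

# path is the empty string for anonymous mappings
Mapping = NamedTuple("Mapping", [("start", int), ("end", int), ("perms", str), ("inode", int), ("path", str)])
# feature is "name" or "hash": which of the two claimed feature values matched a preset value
Finding = NamedTuple("Finding", [("path", str), ("feature", str), ("value", str)])


def parse_maps(maps_text: str) -> List[Mapping]:
    """Parse maps text into Mapping records; lines that do not fit the layout are skipped."""
    rows = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            rows.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"],
                                int(m["inode"]), m["path"] or ""))
    return rows


def executable_files(mappings: List[Mapping]) -> List[str]:
    """Distinct file-backed mappings carrying the execute bit, in first-seen order.
    Anonymous regions and pseudo-paths such as [stack] or [vdso] have inode 0 and are not files.
    A " (deleted)" suffix (file unlinked after being mapped) is stripped from the path."""
    files: List[str] = []
    for mp in mappings:
        if "x" not in mp.perms or mp.inode == 0 or not mp.path.startswith("/"):
            continue
        path = mp.path[:-len(" (deleted)")] if mp.path.endswith(" (deleted)") else mp.path
        if path not in files:
            files.append(path)
    return files


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def detect_injection(maps_text: str, preset_names: Set[str], preset_hashes: Set[str],
                     read_file: Callable[[str], Optional[bytes]]) -> List[Finding]:
    """One Finding per executable file whose name or content hash equals a preset value.
    An empty list means no known injection tool is mapped into the target process.
    read_file returns the file's bytes, or None when the file cannot be read."""
    findings = []
    for path in executable_files(parse_maps(maps_text)):
        name = path.rsplit("/", 1)[-1]
        if name in preset_names:            # the claimed "file name" feature value
            findings.append(Finding(path, "name", name))
            continue
        data = read_file(path)              # the claimed "hash of the executable file" feature value
        if data is not None and sha256_of(data) in preset_hashes:
            findings.append(Finding(path, "hash", sha256_of(data)))
    return findings


def scan_pid(pid: int, preset_names: Set[str], preset_hashes: Set[str]) -> List[Finding]:
    """Run the check against a live Linux process (needs read access to /proc/<pid>/maps)."""
    def read_file(path: str) -> Optional[bytes]:
        try:
            with open(path, "rb") as fh:
                return fh.read()
        except OSError:
            return None
    with open(f"/proc/{pid}/maps") as fh:
        return detect_injection(fh.read(), preset_names, preset_hashes, read_file)


# ---- constructed sample data (not taken from the patent or from any real device) ----
SAMPLE_MAPS = """\
12c00000-12e00000 rw-p 00000000 00:00 0                    [anon:dalvik-main space]
7f1a000000-7f1a020000 r-xp 00000000 fd:01 1234             /system/bin/app_process64
7f1a020000-7f1a022000 r--p 00020000 fd:01 1234             /system/bin/app_process64
7f1b000000-7f1b010000 r-xp 00000000 fd:01 5678             /system/lib64/libc.so
7f1c000000-7f1c004000 r-xp 00000000 fd:02 9012             /data/local/tmp/libhook.so
7f1c004000-7f1c005000 rw-p 00004000 fd:02 9012             /data/local/tmp/libhook.so
7ffd0000-7ffe0000 rw-p 00000000 00:00 0                    [stack]
"""
SAMPLE_FILES: Dict[str, bytes] = {          # stand-ins for the on-disk file contents
    "/system/bin/app_process64": b"\x7fELF app_process64 sample",
    "/system/lib64/libc.so": b"\x7fELF libc sample",
    "/data/local/tmp/libhook.so": b"\x7fELF libhook sample",
}
# Stand-in for the database of preset values: one known tool name and one known tool hash.
PRESET_NAMES = {"libinject.so"}
PRESET_HASHES = {sha256_of(SAMPLE_FILES["/data/local/tmp/libhook.so"])}


def scan_sample() -> List[Finding]:
    return detect_injection(SAMPLE_MAPS, PRESET_NAMES, PRESET_HASHES, SAMPLE_FILES.get)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"injection tool detected in target process: {f.path} (matched by {f.feature} {f.value})")
```

On the sample, only `/data/local/tmp/libhook.so` is reported, matched by hash rather than by name, which is the point of keeping both feature values: renaming a tool defeats the name check but not the content hash, while the name check avoids hashing every mapped file when a known name is present. The `Finding` returned is what the determining module of claim 2 would label the illegal executable file, and what the processing module of claims 3, 4 and 6 would act on (delete, end the process, or raise a prompt).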
CN201710297422.3A 2017-04-28 2017-04-28 Injection attack detection method and device Active CN107122663B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710297422.3A CN107122663B (en) 2017-04-28 2017-04-28 Injection attack detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710297422.3A CN107122663B (en) 2017-04-28 2017-04-28 Injection attack detection method and device

Publications (2)

Publication Number Publication Date
CN107122663A CN107122663A (en) 2017-09-01
CN107122663B true CN107122663B (en) 2021-04-02

Family

ID=59726066

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710297422.3A Active CN107122663B (en) 2017-04-28 2017-04-28 Injection attack detection method and device

Country Status (1)

Country Link
CN (1) CN107122663B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108197041B (en) * 2017-12-28 2021-09-28 北京奇虎科技有限公司 Method, device and storage medium for determining parent process of child process
CN111753301B (en) * 2020-07-01 2024-04-09 深信服科技股份有限公司 File attack-free detection method and device, electronic equipment and medium
CN113350799A (en) * 2021-05-26 2021-09-07 上海蛮犀科技有限公司 Safety protection method for mobile application modifier
CN116661975B (en) * 2023-07-21 2023-10-13 天津卓朗昆仑云软件技术有限公司 Process running control method and device, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1980237A (en) * 2005-12-09 2007-06-13 北京瑞星国际软件有限公司 Method for apparatus for identifying module of accessing network
CN101242279A (en) * 2008-03-07 2008-08-13 北京邮电大学 Automatic penetration testing system and method for WEB system
CN101414278A (en) * 2008-12-01 2009-04-22 浙大网新科技股份有限公司 Method for debugging binary application program based on dynamic inverse compiling technique
CN102368257A (en) * 2010-10-06 2012-03-07 微软公司 Cross-site scripts prevention in dynamic contents
CN104123489A (en) * 2014-07-02 2014-10-29 珠海市君天电子科技有限公司 Method and device for monitoring executable program
CN104462968A (en) * 2014-12-16 2015-03-25 北京奇虎科技有限公司 Malicious application program scanning method, device and system
WO2016095489A1 (en) * 2014-12-18 2016-06-23 中兴通讯股份有限公司 Method, terminal, and storage medium for providing and loading executable module

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101950339B (en) * 2010-09-14 2012-01-25 上海置水软件技术有限公司 Security protection method and system of computer
US9473485B2 (en) * 2011-03-21 2016-10-18 Blue Cedar Networks, Inc. Secure single sign-on for a group of wrapped applications on a computing device and runtime credential sharing
US8997239B2 (en) * 2011-03-31 2015-03-31 Infosys Limited Detecting code injections through cryptographic methods
CN102750490B (en) * 2012-03-23 2014-10-22 南京邮电大学 Virus detection method based on collaborative immune network evolutionary algorithm
CN102855274B (en) * 2012-07-17 2015-12-09 北京奇虎科技有限公司 The method and apparatus that a kind of suspicious process detects
US9122873B2 (en) * 2012-09-14 2015-09-01 The Research Foundation For The State University Of New York Continuous run-time validation of program execution: a practical approach
CN103929440B (en) * 2014-05-09 2017-10-17 国家电网公司 Webpage tamper resistant device and its method based on web server cache match
CN104091121B (en) * 2014-06-12 2017-07-18 上海交通大学 The detection, excision and the method recovered of the malicious code of bag Malware are beaten again Android
CN104318160B (en) * 2014-10-29 2017-12-26 北京奇虎科技有限公司 The method and apparatus of killing rogue program
CN104392176A (en) * 2014-12-12 2015-03-04 北京奇虎科技有限公司 Mobile terminal and method for intercepting device manager authority thereof

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1980237A (en) * 2005-12-09 2007-06-13 北京瑞星国际软件有限公司 Method for apparatus for identifying module of accessing network
CN101242279A (en) * 2008-03-07 2008-08-13 北京邮电大学 Automatic penetration testing system and method for WEB system
CN101414278A (en) * 2008-12-01 2009-04-22 浙大网新科技股份有限公司 Method for debugging binary application program based on dynamic inverse compiling technique
CN102368257A (en) * 2010-10-06 2012-03-07 微软公司 Cross-site scripts prevention in dynamic contents
CN104123489A (en) * 2014-07-02 2014-10-29 珠海市君天电子科技有限公司 Method and device for monitoring executable program
CN104462968A (en) * 2014-12-16 2015-03-25 北京奇虎科技有限公司 Malicious application program scanning method, device and system
WO2016095489A1 (en) * 2014-12-18 2016-06-23 中兴通讯股份有限公司 Method, terminal, and storage medium for providing and loading executable module

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research on SQL injection vulnerability detection technology based on Simhash"; Chi Shuiming et al.; Computer Era (计算机时代); 2014-03-15; pp. 3-5 *

Also Published As

Publication number Publication date
CN107122663A (en) 2017-09-01

Similar Documents

Publication Publication Date Title
CN110009334B (en) Merkle tree construction and simple payment verification method and device
CN107122663B (en) Injection attack detection method and device
CN109062582B (en) Encryption method and device for application installation package
TW201807576A (en) Updating virtual memory addresses of target application functionalities for an updated version of application binary code
US20230144818A1 (en) Malicious software detection based on api trust
TWI554907B (en) Trojan horse detection method and device
CN111008034B (en) Patch generation method and device
US11675905B2 (en) System and method for validating in-memory integrity of executable files to identify malicious activity
WO2016183951A1 (en) System upgrade method and terminal
CN115129716A (en) Data management method, equipment and storage medium for industrial big data
CN108898012B (en) Method and apparatus for detecting illegal program
CN109933986B (en) Malicious code detection method and device
US11886350B2 (en) System memory context determination for integrity monitoring and related techniques
Fu et al. Data correlation‐based analysis methods for automatic memory forensic
CN106911635B (en) Method and device for detecting whether backdoor program exists in website
CN108985096B (en) Security enhancement and security operation method and device for Android SQLite database
CN112580066A (en) Data protection method and device
CN114297630A (en) Malicious data detection method and device, storage medium and processor
CN112445805A (en) Data query method and device
CN103713945A (en) Game identifying method and device
WO2024125108A1 (en) On-demand enabling method and apparatus for security aspect of mobile terminal
CN109495432B (en) Authentication method of anonymous account and server
Srivastava et al. Detecting code injection by cross-validating stack and VAD information in windows physical memory
CN111104669A (en) Cracking detection method, device, system, server, terminal and storage medium
CN105975860B (en) A kind of trust file management method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 101 and 102, 1st floor, building 7, 219 Tianhua 2nd Road, high tech Zone, Chengdu, Sichuan 610094

Applicant after: Chengdu Bangbang Information Technology Consulting Service Co.,Ltd.

Address before: No. 501, 5th floor, building 6, No. 599, shijicheng South Road, high tech Zone, Chengdu, Sichuan 610000

Applicant before: CHENGDU BANGBANG INFORMATION TECHNOLOGY Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20210311

Address after: 100083 rooms 1-3, 20 / F, block a, Tiangong building, No.30 Xueyuan Road, Haidian District, Beijing

Applicant after: BEIJING BANGCLE TECHNOLOGY Co.,Ltd.

Applicant after: Chengdu Bangbang Information Technology Consulting Service Co.,Ltd.

Address before: Room 101 and 102, 1st floor, building 7, 219 Tianhua 2nd Road, high tech Zone, Chengdu, Sichuan 610094

Applicant before: Chengdu Bangbang Information Technology Consulting Service Co.,Ltd.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211210

Address after: 100083 rooms 1-3, 20 / F, block a, Tiangong building, No.30 Xueyuan Road, Haidian District, Beijing

Patentee after: BEIJING BANGCLE TECHNOLOGY Co.,Ltd.

Address before: 100083 rooms 1-3, 20 / F, block a, Tiangong building, No.30 Xueyuan Road, Haidian District, Beijing

Patentee before: BEIJING BANGCLE TECHNOLOGY Co.,Ltd.

Patentee before: Chengdu Bangbang Information Technology Consulting Service Co.,Ltd.