[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN108875372B - Code detection method and device, electronic equipment and storage medium - Google Patents

Code detection method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN108875372B
CN108875372B CN201711498572.7A CN201711498572A CN108875372B CN 108875372 B CN108875372 B CN 108875372B CN 201711498572 A CN201711498572 A CN 201711498572A CN 108875372 B CN108875372 B CN 108875372B
Authority
CN
China
Prior art keywords
memory
code
loading process
address
recorded
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711498572.7A
Other languages
Chinese (zh)
Other versions
CN108875372A (en
Inventor
李鹏
黄显澍
王小丰
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Antiy Technology Group Co Ltd filed Critical Antiy Technology Group Co Ltd
Priority to CN201711498572.7A priority Critical patent/CN108875372B/en
Publication of CN108875372A publication Critical patent/CN108875372A/en
Application granted granted Critical
Publication of CN108875372B publication Critical patent/CN108875372B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a code detection method, a code detection device, electronic equipment and a storage medium. The method comprises the following steps: when it is monitored that a system allocates a first memory, determining whether the first memory has an executable authority or not; if the first memory has the executable authority, analyzing a first loading process of a first code stored in the first memory; if the first loading process is different from the standard loading process corresponding to the system, recording the address of the first memory, and carrying out virus detection on the first code to obtain a first detection result; if the first detection result is that the first code is a malicious code, terminating execution of the first code, and deleting the first code stored in the first memory according to the recorded address of the first memory. The method can detect the code loaded in the mode of loading the code without the entity, and reduces the safety risk of the equipment supporting the mode of loading the code without the entity.

Description

Code detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a code detection method and apparatus, an electronic device, and a storage medium.
Background
At present, virus detection technologies mainly adopt static detection and dynamic behavior analysis. Wherein the static detection is to distinguish whether the code is malicious code according to the characteristics of the code. The dynamic behavior analysis is to analyze the behavior corresponding to the code to distinguish whether the code is malicious code, for example, execute the code in a sandbox, and in the process of executing the code, if an abnormal behavior occurs, determine that the code is malicious code. Whether statically detected or dynamically analyzed, the code is loaded on a tangible medium (e.g., a compact disk, a removable hard drive, etc.) and analyzed before execution.
At present, the high-level malicious code threat adopts a code loading mode without entity, namely, a harmless loader program is adopted, and then malicious codes are automatically executed in an internal memory according to remote configuration, so that static detection and dynamic behavior analysis aiming at the codes are avoided. Therefore, there is a high security risk for devices that support this way of loading code without entities.
Disclosure of Invention
In view of this, embodiments of the present invention provide a code detection method and apparatus, an electronic device, and a storage medium, which can detect a code loaded in a code loading manner without an entity, and reduce a security risk of a device supporting the code loading manner without the entity.
In a first aspect, an embodiment of the present invention provides a code detection method, where the method includes:
when it is monitored that a system allocates a first memory, determining whether the first memory has an executable authority or not;
if the first memory has the executable authority, analyzing a first loading process of a first code stored in the first memory;
if the first loading process is different from the standard loading process corresponding to the system, recording the address of the first memory, and performing virus detection on the first code to obtain a first detection result;
if the first detection result is that the first code is a malicious code, terminating the execution of the first code, and deleting the first code stored in the first memory according to the recorded address of the first memory.
Preferably, the analyzing a first loading process of the first code stored in the first memory includes: analyzing a stack corresponding to the first loading process; if the recorded function calling sequence in the stack is the same as the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is the same as the standard loading process corresponding to the system; and if the recorded function call sequence in the stack is different from the standard function call sequence when the code corresponding to the system is loaded, determining that the first loading process is different from the standard loading process corresponding to the system.
Preferably, the method further comprises: and if the first detection result is that the first code is a non-malicious code, adding authentication information in the first code to a white list.
Preferably, the recording the address of the first memory, and performing virus detection on the first code to obtain a first detection result includes: if the white list does not include the authentication information in the first code, recording the address of the first memory, and performing virus detection on the first code to obtain a first detection result.
Preferably, the method further comprises: when the fact that the system is ready to release a second memory is monitored, whether the second memory has an executable authority or not is determined; if the second memory does not have the executable authority, releasing the second memory; if the second memory has the executable authority, determining whether the address of the second memory is recorded; if the address of the second memory is recorded, releasing the second memory; if the address of the second memory is not recorded, before the second memory is released, the address of the second memory is recorded, and virus detection is performed on a second code stored in the second memory to obtain a detection result.
Preferably, after the recording the address of the first memory, the method further includes: outputting prompt information for prompting the suspicious code, wherein the prompt information comprises: an address of the first memory.
In a second aspect, an embodiment of the present invention provides a code detection apparatus, including:
the system comprises a determining unit and a judging unit, wherein the determining unit is used for determining whether a first memory has an executable authority or not when the fact that the first memory is distributed by a system is monitored;
the analysis unit is used for analyzing a first loading process of a first code stored in the first memory if the first memory has an executable authority;
the detection unit is used for recording the address of the first memory and carrying out virus detection on the first code to obtain a first detection result if the first loading process is different from the standard loading process corresponding to the system;
and the terminating unit is used for terminating the execution of the first code if the first detection result indicates that the first code is a malicious code, and deleting the first code stored in the first memory according to the recorded address of the first memory.
Preferably, the analysis unit is specifically configured to: analyzing a stack corresponding to the first loading process; if the recorded function calling sequence in the stack is the same as the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is the same as the standard loading process corresponding to the system; and if the recorded function calling sequence in the stack is different from the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is different from the standard loading process corresponding to the system.
Preferably, the apparatus further comprises: an adding unit, configured to add, if the first detection result is that the first code is a non-malicious code, authentication information in the first code to a white list.
Preferably, the detection unit is specifically configured to: if the first loading process is different from a standard loading process corresponding to the system and the white list does not include the authentication information in the first code, recording the address of the first memory, and performing virus detection on the first code to obtain a first detection result.
Preferably, the determining unit is further configured to determine whether the second memory has an executable right when it is monitored that the system is ready to release the second memory; the device further comprises: a release unit, configured to release the second memory if the second memory does not have the executable authority; the determining unit is further configured to determine whether an address of the second memory is recorded if the second memory has an executable authority; the release unit is further configured to release the second memory if the address of the second memory is recorded; the detection unit is further configured to, if the address of the second memory is not recorded, record the address of the second memory before releasing the second memory, and perform virus detection on a second code stored in the second memory to obtain a detection result.
Preferably, the apparatus further comprises: an output unit, configured to output, after the recording of the address of the first memory, prompt information for prompting a suspicious code, where the prompt information includes: an address of the first memory.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, for executing the code detection method described in the foregoing first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the code detection method of the first aspect.
According to the code detection method, the code detection device, the electronic equipment and the storage medium, after the system is determined to be allocated with the memory with the executable authority, the current loading mode can be judged according to the loading process, and generally if the system loads codes without entities, the loading process of the codes is different from the standard loading process corresponding to the system, so that if the current loading process is different from the standard loading process corresponding to the system, the current loading mode can be determined to be loading without entities, the codes loaded in the mode of loading the codes without entities can be detected, and when the codes are detected to be malicious codes, the codes are stopped to be executed, so that the safety risk of equipment supporting the mode of loading the codes without entities is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flowchart of a code detection method according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of another code detection method according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a code detection method according to another embodiment of the present invention;
fig. 4 is a schematic structural diagram of a code detection apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of another code detection apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of another code detecting apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of another code detection apparatus according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a code detection method according to an embodiment of the present invention. The code detection method can be applied to electronic equipment.
As shown in fig. 1, the code detection method of the present embodiment may include:
step 101, when it is monitored that the system allocates the first memory, determining whether the first memory has an executable right.
If the first memory has an executable attribute, executing step 102; if the first memory has no executable attribute from allocation to release, the process ends.
In one example, the system calls the VirtualAlloc function when allocating the memory, and thus when the system calls the VirtualAlloc function, it is determined that the system allocates the memory. And if the memory attribute comprises any one of PAGE _ EXECUTE, PAGE _ EXECUTE _ READ, PAGE _ EXECUTE _ READWRITE, PAGE _ EXECUTE _ write copy, determining that the memory has the executable authority, otherwise, determining that the memory does not have the executable authority.
In one example, when the system calls the VirtualAlloc function to allocate the memory, the allocated memory may not have the executable right, but the system may modify the executable right of the memory by calling the VirtualProtect function after calling the VirtualAlloc function, that is, the executable right of the memory is modified from having no right to having right. That is to say, after detecting that the system calls the VirtualAlloc function, if the current memory does not have the executable right, the memory needs to be detected, if the VirtualProtect function that is commonly used by the system for the memory is detected, the memory attribute is judged again to include any one of PAGE _ EXECUTE, PAGE _ EXECUTE _ READ, PAGE _ EXECUTE _ READWRITE, PAGE _ EXECUTE _ write copy, and the memory is determined to have the executable right, otherwise, the memory is determined to have no executable right.
Step 102, a first loading process of a first code stored in the first memory is analyzed.
In one example, step 102 may specifically include: analyzing a stack corresponding to the first loading process; if the recorded function calling sequence in the stack is the same as the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is the same as the standard loading process when the code corresponding to the system is loaded; and if the recorded function calling sequence in the stack is different from the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is different from the standard loading process corresponding to the system.
It should be noted that, generally, if the code is loaded without an entity, the loading process of the code is different from the standard loading process corresponding to the system, and the function call sequence recorded in the stack corresponding to the code loading process can well reflect the loading process of the code, so that the function call sequence recorded in the stack corresponding to the first loading process is different from the standard function call sequence when the code corresponding to the system is loaded, and it can be determined that the first loading process is different from the standard loading process corresponding to the system, and the first loading process is determined to be a process of loading the code without an entity.
It should be further noted that the standard loading processes corresponding to different systems may be different, but the standard loading processes corresponding to different systems can be obtained by analyzing the systems, and the analysis process may adopt the prior art, and is not described herein again.
In a specific example, taking the Windows10 system as an example, the standard loading procedure of the Windows10 system corresponds to the recorded contents in the stack as follows:
“ntd11_77cc0000!NtAllocateVirtualMemory
ntd11_77cc0000!RtlCreateHeap+0x36d
ntd11_77cc0000!RtlDebugCreateHeap+0x21f
ntd11_77cc0000!RtlCreatHeap+0x62a8e
KERNELBASE!HeapCreat+0x45
msvcrt!_heap_init+0x1b
msvcrt!_core_crt_dll_init+0xd0
msvcrt!_CRTDLL_INIT+0x13
ntd11_77cc0000!LdrxCallInitRoutine+0x16
ntd11_77cc0000!LdrpCallInitRoutine+0x7f
ntd11_77cc0000!LdrpInitializeNode+0x10e
ntd11_77cc0000!LdrpInitializeGraphRecurse+0x5d
ntd11_77cc0000!LdrpInitializeGraphRecurse+0x7c
ntd11_77cc0000!LdrpInitializeGraphRecurse+0x7c
ntd11_77cc0000!LdrpPrepareModuleForExecution+0x8f
ntd11_77cc0000!LdrpLoadDllInternal+0x128
ntd11_77cc0000!LdrpLoadDll+0xa2
ntd11_77cc0000!LdrLoadDll+0x7e
KERNELBASE!LoadLibraryExW+0x144
KERNELBASE!LoadLibraryW+0x11”
under the Windows10 system, the loading process of the entity-free loading code corresponds to the recorded contents in the stack as follows:
“ntd11_77cc0000!NtAllocateVirtualMemory
KERNELBASE!VirtualAlloc+0x41
LoaderTest!wmain+0x34
LoaderTest!__tmainCRTStartup+0x1a8
LoaderTest!wmainCRTStartup+0xf
KERNEL32!BaseThreadInitThunk+0x24
ntd11_77cc0000!__RtlUserThreadstart+0x2f
ntd11_77cc0000!_RtlUserThreadstart+0x1b”
where ntdll _77cc000, KERNELBASE, msvcrt, KERNEL32 represent the system space, LoaderTest represents the user space, exclamation Point! The latter content indicates the address of a function in the corresponding space, i.e. a function can be uniquely indicated by this address. The function call sequence of the standard loading process and the loading process of the entity-free loading code of the Windows10 system can be respectively determined from the function address sequence recorded in the two specific stacks. It can be seen that the standard loading process and the loading process of the code without entity of the Windows10 system are different. Therefore, whether the process is a process of loading code without entity can be determined by analyzing the loading process of the code, namely, if the loading process is different from the standard loading process of the Windows10 system, the loading process is determined as the process of loading code without entity.
In order to detect the code loaded in the way of loading code without entity, if the first loading process is different from the standard loading process corresponding to the system, step 103 is executed; if the first loading process is the same as the standard loading process corresponding to the system, the process is a normal loading process, and the process is ended.
Step 103, if the first loading process is different from the standard loading process corresponding to the system, recording the address of the first memory, and performing virus detection on the first code to obtain a first detection result.
In one example, after recording the address of the first memory, the method may further include: outputting prompt information for prompting the suspicious code, wherein the prompt information comprises: the address of the first memory. Therefore, the first code can be terminated or the memory can be released in advance by manpower while virus detection is carried out, so that the safety of the equipment is improved.
For the first detection result, if the first detection result is that the first code is a malicious code, step 104 is executed. If the first detection result is a non-malicious code, the process is ended.
And 104, terminating the execution of the first code, and deleting the first code stored in the first memory according to the recorded address of the first memory.
It should be noted that steps 102-104 are performed after the first code is copied to the first memory, for example, steps 102-104 are typically performed after the system calls the VirtualProtect function for the first memory. However, after the system allocates the first memory with the executable right, the first code may not be stored in the first memory in time, so that after it is determined that the first memory has the executable right, there may be a case that the first code cannot be acquired, and at this time, the first code in the first memory is defaulted to be non-malicious code, that is, the steps 102 to 104 are not performed, and the process is directly ended. For example, after the system calls the VirtualProtect function for the first memory, if no code is stored in the first memory within a preset time period, the code in the first memory is defaulted to be a non-malicious code, and the process is ended.
By using the code detection method provided by the embodiment of the invention, after the system is determined to be allocated with the memory with the executable authority, the current loading mode can be judged according to the loading process, and generally, if the system loads the code without the entity, the loading process of the code is different from the standard loading process corresponding to the system, so that if the current loading process is different from the standard loading process corresponding to the system, the current loading mode can be determined as loading without the entity, the code loaded in the mode of loading the code without the entity can be detected, and when the code is detected to be a malicious code, the code is stopped to be executed, thereby reducing the security risk of equipment supporting the mode of loading the code without the entity.
Fig. 2 is a flowchart illustrating another code detection method according to an embodiment of the present invention. The code detection method can be applied to electronic equipment.
As shown in fig. 2, the code detection method of the present embodiment may include:
step 201, when it is monitored that the system allocates the first memory, determining whether the first memory has an executable right.
If the first memory has an executable attribute, go to step 202; if the first memory has no executable attribute from allocation to release, the process ends.
In one example, the system calls the VirtualAlloc function when allocating the memory, and thus when the system calls the VirtualAlloc function, it is determined that the system allocates the memory. And if the memory attribute comprises any one of PAGE _ EXECUTE, PAGE _ EXECUTE _ READ, PAGE _ EXECUTE _ READWRITE, PAGE _ EXECUTE _ write copy, determining that the memory has the executable authority, otherwise, determining that the memory does not have the executable authority.
In one example, when the system calls the VirtualAlloc function to allocate the memory, the allocated memory may not have the executable right, but the system may modify the executable right of the memory by calling the VirtualProtect function after calling the VirtualAlloc function, that is, the executable right of the memory is modified from having no right to having right. That is to say, after detecting that the system calls the VirtualAlloc function, if the current memory does not have the executable right, the memory needs to be detected, if the VirtualProtect function that is common to the system and is specific to the memory is detected, it is determined again that the memory attribute includes any one of PAGE _ EXECUTE, PAGE _ EXECUTE _ READ, PAGE _ EXECUTE _ READWRITE, PAGE _ EXECUTE _ write copy, and if not, it is determined that the memory does not have the executable right.
Step 202, a first loading process of a first code stored in the first memory is analyzed.
In one example, step 202 may specifically include: analyzing a stack corresponding to the first loading process; if the recorded function calling sequence in the stack is the same as the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is the same as the standard loading process when the code corresponding to the system is loaded; and if the recorded function calling sequence in the stack is different from the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is different from the standard loading process corresponding to the system.
It should be noted that, generally, if the code is loaded without an entity, the loading process of the code is different from the standard loading process corresponding to the system, and the function call sequence recorded in the stack corresponding to the code loading process can well reflect the loading process of the code, so that the function call sequence recorded in the stack corresponding to the first loading process is different from the standard function call sequence when the code corresponding to the system is loaded, it can be determined that the first loading process is different from the standard loading process corresponding to the system, and it is determined that the first loading process is a process of loading the code without an entity.
It should be further noted that the standard loading processes corresponding to different systems may be different, but the standard loading processes corresponding to different systems can be obtained by analyzing the systems, and the analysis process may adopt the prior art, and is not described herein again.
In order to detect the code loaded in a manner of loading code without entity in time, if the first loading process is different from the standard loading process corresponding to the system, step 203 is executed; if the first loading process is the same as the standard loading process corresponding to the system, the first loading process is a normal loading process, and the process is ended.
Step 203, if the first loading process is different from the standard loading process corresponding to the system, determining whether the white list includes the authentication information in the first code.
If the white list includes the authentication information in the first code, which indicates that the code is detected and determined to be a non-malicious code, the process may be ended; if the white list does not include the authentication information in the first code, the code is identified as malicious or undetected, so step 204 is performed.
Step 204, recording the address of the first memory, and performing virus detection on the first code to obtain a first detection result.
In one example, after recording the address of the first memory, the method may further include: outputting prompt information for prompting the suspicious code, wherein the prompt information comprises: an address of the first memory. Therefore, the first code can be terminated or the memory can be released in advance by manpower while virus detection is carried out, so that the safety of the equipment is improved.
For the first detection result, if the first detection result is that the first code is a malicious code, step 205 is executed. If the first detection result is non-malicious code, step 206 is executed.
Step 205, terminate the execution of the first code, and delete the first code stored in the first memory according to the recorded address of the first memory.
Step 206, add the authentication information in the first code to the white list.
It should be noted that steps 202-206 are performed after the second code is copied to the second memory, for example, steps 202-206 are typically performed after the system calls the VirtualProtect function to the second memory. However, after the system allocates the second memory with the executable authority, the second code may not be stored in the second memory in time, so that after it is determined that the second memory has the executable authority, there may be a case that the second code cannot be acquired, at this time, the second code in the second memory is defaulted to be non-malicious code, that is, the steps 202 to 206 are not performed, and the process is directly ended. For example, after the system calls the VirtualProtect function for the second memory, within the preset time length, no code is stored in the second memory, and the code in the second memory is defaulted to be a non-malicious code, and the process is ended.
By using the code detection method provided by the embodiment of the invention, after the system is determined to be allocated with the memory with the executable authority, the current loading mode can be judged according to the loading process, and generally, if the system loads the code without the entity, the loading process of the code is different from the standard loading process corresponding to the system, so that if the current loading process is different from the standard loading process corresponding to the system, the current loading mode can be determined as loading without the entity, the code loaded in the mode of loading the code without the entity can be detected, and when the code is detected to be a malicious code, the code is stopped to be executed, thereby reducing the security risk of equipment supporting the mode of loading the code without the entity.
Fig. 3 is a flowchart illustrating another code detection method according to an embodiment of the present invention. The code detection method can be applied to electronic equipment.
As shown in fig. 3, the code detection method of the present embodiment may include:
step 301, when it is monitored that the system is ready to release the second memory, determining whether the second memory has an executable right.
The second memory is any memory allocated by the system.
Based on this, if the second memory does not have the executable right, go to step 302; if the second memory has the executable right, go to step 303.
In one example, the system calls the VirtualFree function when it is ready to release memory, so when it is detected that the system calls the VirtualFree function for the second memory, it is determined that the system is ready to release the second memory.
Step 302, releasing the second memory.
Step 303, determine whether the address of the second memory is recorded.
If the address of the second memory is recorded, which indicates that the second code stored in the second memory is detected, and the second memory is directly released, step 302 is executed; if the address of the second memory is not recorded, which indicates that the second code stored in the second memory is detected and needs to be detected, step 304 is executed.
Step 304, recording the address of the second memory, and performing virus detection on the second code stored in the second memory to obtain a detection result.
After step 304 is performed, step 302 is performed.
It should be noted that, after the system allocates the memory with the executable right, the code may not be stored in the memory in time, and therefore, after it is determined that the memory has the executable right, there may be a case that the code cannot be acquired, and at this time, the code in the memory is a non-malicious code by default. However, after that, there may be codes stored in the memory, and these codes are not detected, so a mechanism for performing supplementary detection on the codes is needed, that is, the method shown in fig. 3. The method shown in fig. 3 may be used in combination with the method shown in fig. 1 or fig. 2.
Fig. 4 is a schematic structural diagram of a code detection apparatus according to an embodiment of the present invention. The apparatus may be applied to an electronic device.
As shown in fig. 4, the apparatus of the present embodiment may include: determination section 401, analysis section 402, detection section 403, and termination section 404.
The determining unit 401 is configured to determine whether the first memory has an executable right when it is monitored that the system allocates the first memory.
The analysis unit 402 is configured to analyze a first loading process of a first code stored in a first memory if the first memory has an executable right.
The detecting unit 403 is configured to record an address of the first memory if the first loading process is different from a standard loading process corresponding to the system, and perform virus detection on the first code to obtain a first detection result.
The terminating unit 404 is configured to terminate executing the first code if the first detection result indicates that the first code is a malicious code, and delete the first code stored in the first memory according to the recorded address of the first memory.
Preferably, the analysis unit 402 is specifically configured to analyze a stack corresponding to the first loading process; if the recorded function calling sequence in the stack is the same as the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is the same as the standard loading process corresponding to the system; and if the recorded function calling sequence in the stack is different from the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is different from the standard loading process corresponding to the system.
Preferably, as shown in fig. 5, the apparatus further comprises: an adding unit 405. The adding unit 405 is configured to add the authentication information in the first code to the white list if the first detection result is that the first code is a non-malicious code.
Preferably, the detecting unit 403 is specifically configured to record an address of the first memory and perform virus detection on the first code to obtain a first detection result, if the first loading process is different from a standard loading process corresponding to the system and the white list does not include the authentication information in the first code.
Preferably, as shown in fig. 6, the apparatus may further include: releasing the unit 406. Correspondingly, the determining unit 401 is further configured to determine whether the second memory has the executable right when it is monitored that the system is ready to release the second memory. The releasing unit 406 is configured to release the second memory if the second memory does not have the executable right. The determining unit 401 is further configured to determine whether to record an address of the second memory if the second memory has an executable right. The releasing unit 406 is further configured to release the second memory if the address of the second memory is recorded. The detecting unit 403 is further configured to, if the address of the second memory is not recorded, record the address of the second memory before releasing the second memory, and perform virus detection on the second code stored in the second memory to obtain a detection result.
Preferably, as shown in fig. 7, the apparatus further comprises: an output unit 407. The output unit 407 is configured to output a prompt message for prompting the suspicious code after recording the address of the first memory, where the prompt message includes: an address of the first memory.
The code detection device provided by the embodiment of the invention can judge the current loading mode according to the loading process after determining that the system allocates the memory with the executable authority, and generally, if the system loads the code without an entity, the loading process of the code is different from the standard loading process corresponding to the system, so that if the current loading process is different from the standard loading process corresponding to the system, the current loading mode can be determined as loading without an entity, the code loaded in the mode of loading the code without an entity can be detected, and when the code is detected to be a malicious code, the code is stopped to be executed, thereby reducing the safety risk of equipment supporting the mode of loading the code without an entity.
The embodiment of the invention also provides the electronic equipment. Fig. 8 is a schematic structural diagram of an embodiment of an electronic device of the present invention, which may implement the processes of the embodiments shown in fig. 1, fig. 2, or fig. 3 of the present invention, and as shown in fig. 8, the electronic device may include: a housing 81, a processor 82, a memory 83, a circuit board 84, and a power supply circuit 85, wherein the circuit board 84 is disposed inside a space surrounded by the housing 81, and the processor 82 and the memory 83 are provided on the circuit board 84; a power supply circuit 85 for supplying power to each circuit or device of the electronic apparatus; the memory 83 is used for storing executable program codes; the processor 82 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 83, and is configured to perform the code detection method according to any of the foregoing embodiments.
The electronic device exists in a variety of forms, including but not limited to:
(1) a mobile communication device: such devices are characterized by mobile communications capabilities and are primarily targeted at providing voice and data communications. Such terminals include: smart phones (e.g., iphones), multimedia phones, functional phones, and low-end phones, among others.
(2) Ultra mobile personal computer device: the equipment belongs to the category of personal computers, has calculation and processing functions and generally has mobile internet access characteristics. Such terminals include: PDA, MID, and UMPC devices, etc., such as ipads.
(3) A portable entertainment device: such devices may display and play multimedia content. This kind of equipment includes: audio, video playing modules (e.g., ipods), handheld game consoles, electronic books, and smart toys and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) And other electronic equipment with a data interaction function.
Embodiments of the present invention provide a computer-readable storage medium, which stores one or more programs, where the one or more programs are executable by one or more processors to implement a code detection method as described in any of the foregoing embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A method of code detection, the method comprising:
when it is monitored that a system allocates a first memory, determining whether the first memory has an executable authority;
copying a first code to the first memory, and analyzing a first loading process of the first code stored in the first memory if the first memory has an executable authority;
if the first loading process is different from the standard loading process corresponding to the system, determining that the first code is an entity-free loading code, recording the address of the first memory, and performing virus detection on the first code to obtain a first detection result;
if the first detection result is that the first code is a malicious code, terminating execution of the first code, and deleting the first code stored in the first memory according to the recorded address of the first memory;
wherein the analyzing a first loading process of a first code stored in the first memory includes:
analyzing a stack corresponding to the first loading process;
if the recorded function calling sequence in the stack is the same as the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is the same as the standard loading process corresponding to the system;
and if the recorded function calling sequence in the stack is different from the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is different from the standard loading process corresponding to the system.
2. The method of claim 1, further comprising:
and if the first detection result is that the first code is a non-malicious code, adding authentication information in the first code to a white list.
3. The method of claim 2, wherein the recording the address of the first memory and performing virus detection on the first code to obtain a first detection result comprises:
if the white list does not include the authentication information in the first code, the address of the first memory is recorded, and virus detection is performed on the first code to obtain a first detection result.
4. The method of claim 1, further comprising:
when the fact that the system is ready to release a second memory is monitored, whether the second memory has an executable authority or not is determined;
if the second memory does not have the executable authority, releasing the second memory;
if the second memory has the executable authority, determining whether the address of the second memory is recorded;
if the address of the second memory is recorded, releasing the second memory;
if the address of the second memory is not recorded, before the second memory is released, the address of the second memory is recorded, and virus detection is performed on a second code stored in the second memory to obtain a detection result.
5. The method of any of claims 1-4, wherein after said recording the address of the first memory, the method further comprises:
outputting prompt information for prompting the suspicious code, wherein the prompt information comprises: an address of the first memory.
6. A code detection apparatus, characterized in that the apparatus comprises:
the system comprises a determining unit, a judging unit and a judging unit, wherein the determining unit is used for determining whether a first memory has an executable authority or not when the fact that the system distributes the first memory is monitored;
the analysis unit is used for analyzing a first loading process of a first code stored in the first memory if the first memory has an executable authority after the first code is copied to the first memory;
the detection unit is used for determining that the first code is an entity-free loading code if the first loading process is different from a standard loading process corresponding to the system, recording the address of the first memory, and performing virus detection on the first code to obtain a first detection result;
a termination unit, configured to terminate execution of the first code if the first detection result indicates that the first code is a malicious code, and delete the first code stored in the first memory according to the recorded address of the first memory;
wherein the analysis unit is specifically configured to:
analyzing a stack corresponding to the first loading process;
if the recorded function calling sequence in the stack is the same as the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is the same as the standard loading process corresponding to the system;
and if the recorded function calling sequence in the stack is different from the standard function calling sequence when the code corresponding to the system is loaded, determining that the first loading process is different from the standard loading process corresponding to the system.
7. The apparatus of claim 6, further comprising:
an adding unit, configured to add, if the first detection result is that the first code is a non-malicious code, authentication information in the first code to a white list.
8. The apparatus according to claim 7, wherein the detection unit is specifically configured to:
if the first loading process is different from a standard loading process corresponding to the system and the white list does not include authentication information in the first code, recording an address of the first memory, and performing virus detection on the first code to obtain a first detection result.
9. The apparatus of claim 6,
the determining unit is further configured to determine whether the second memory has an executable right when it is monitored that the system is ready to release the second memory;
the device further comprises:
the release unit is used for releasing the second memory if the second memory does not have the executable authority;
the determining unit is further configured to determine whether an address of the second memory is recorded if the second memory has an executable authority;
the release unit is further configured to release the second memory if the address of the second memory is recorded;
the detection unit is further configured to, if the address of the second memory is not recorded, record the address of the second memory before releasing the second memory, and perform virus detection on the second code stored in the second memory to obtain a detection result.
10. The apparatus of any of claims 6-9, further comprising:
an output unit, configured to output, after the recording of the address of the first memory, prompt information for prompting a suspicious code, where the prompt information includes: an address of the first memory.
11. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the code detecting method of any one of the preceding claims 1 to 5.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs, which are executable by one or more processors, to implement the code detection method of any of the preceding claims 1-5.
CN201711498572.7A 2017-12-29 2017-12-29 Code detection method and device, electronic equipment and storage medium Active CN108875372B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711498572.7A CN108875372B (en) 2017-12-29 2017-12-29 Code detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711498572.7A CN108875372B (en) 2017-12-29 2017-12-29 Code detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108875372A CN108875372A (en) 2018-11-23
CN108875372B true CN108875372B (en) 2022-07-26

Family

ID=64325886

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711498572.7A Active CN108875372B (en) 2017-12-29 2017-12-29 Code detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN108875372B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112784270A (en) * 2021-01-18 2021-05-11 仙境文化传媒(武汉)有限公司 System and method for loading code file by annotation mode

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1295600C (en) * 2002-10-25 2007-01-17 华为技术有限公司 Windows program abnormality capturing and positioning method
CN101901323B (en) * 2010-07-22 2015-04-22 湖北盛天网络技术股份有限公司 System filtration method for monitoring loading activity of program module
CN102622536B (en) * 2011-01-26 2014-09-03 中国科学院软件研究所 Method for catching malicious codes
CN103810427B (en) * 2014-02-20 2016-09-21 中国科学院信息工程研究所 A kind of malicious code hidden behaviour method for digging and system
WO2015131324A1 (en) * 2014-03-04 2015-09-11 华为技术有限公司 Software security detection method, apparatus and device
CN106055933B (en) * 2016-06-24 2019-08-23 武汉斗鱼网络科技有限公司 A kind of method and system of client software code check

Also Published As

Publication number Publication date
CN108875372A (en) 2018-11-23

Similar Documents

Publication Publication Date Title
CN105955762A (en) Method and device for injecting dynamic link library file and electronic equipment
CN104424423B (en) The permission of application program determines method and apparatus
WO2016019893A1 (en) Application installation method and apparatus
CN106326735B (en) Method and apparatus for preventing injection
US9747449B2 (en) Method and device for preventing application in an operating system from being uninstalled
CN105893847B (en) A kind of method, apparatus and electronic equipment for protecting security protection application file
CN106203092B (en) Method and device for intercepting shutdown of malicious program and electronic equipment
CN110727941A (en) Private data protection method and device, terminal equipment and storage medium
CN105868625B (en) Method and device for intercepting restart deletion of file
CN114282212A (en) Rogue software identification method and device, electronic equipment and storage medium
CN108875372B (en) Code detection method and device, electronic equipment and storage medium
CN106022117A (en) Method and device for preventing system environment variable from being modified and electronic equipment
CN106203087B (en) Injection protection method, system, terminal and storage medium
CN105787302B (en) A kind of processing method of application program, device and electronic equipment
CN111062035A (en) Lesog software detection method and device, electronic equipment and storage medium
CN107316197B (en) Payment protection method, mobile terminal and computer readable storage medium
CN107392010B (en) Root operation execution method and device, terminal equipment and storage medium
CN111026609B (en) Information auditing method, system, equipment and computer readable storage medium
CN108875371B (en) Sandbox analysis method and device, electronic equipment and storage medium
CN107567627B (en) Device with test execution environment
CN104850551A (en) Data processing method, data processing apparatus and mobile terminal
KR20190125880A (en) Static analysis method and apparatus for activity injection detecting
CN111797393B (en) Method and device for detecting malicious mining behavior based on GPU
CN110659489B (en) Threat detection method, device and storage medium for character string splicing behavior
CN115659342B (en) Harmless PE file executing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Applicant after: Harbin Antian Science and Technology Group Co.,Ltd.

Address before: 150090 506, room 162, Hongqi Street, Nangang 17 building, Harbin hi tech Industrial Development Zone, Heilongjiang.

Applicant before: HARBIN ANTIY TECHNOLOGY Co.,Ltd.

CB02 Change of applicant information
CB02 Change of applicant information

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Applicant after: Antan Technology Group Co.,Ltd.

Address before: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.

GR01 Patent grant
GR01 Patent grant