CN109471697A - The method, apparatus and storage medium that system is called in a kind of monitoring virtual machine - Google Patents
- Publication number: CN109471697A
- Application number: CN201711250086.3A
- Authority: CN (China)
- Prior art keywords: virtual machine; information; called; monitored; description information
- Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Landscapes: Engineering & Computer Science; Software Systems; Theoretical Computer Science; Computer Security & Cryptography; Physics & Mathematics; General Engineering & Computer Science; General Physics & Mathematics; Computer Hardware Design; Debugging And Monitoring
Abstract
Embodiments of the invention provide a method, apparatus and storage medium for monitoring system calls in a virtual machine, to address the problem that current monitoring methods are both easy for malware to discover and evade and liable to affect the stability of the guest. The method comprises: for a virtual machine to be monitored, reading the description information corresponding to that virtual machine from a configuration file; determining, from the description information read, the memory segment of the monitored process in the virtual machine; obtaining the information of the monitored process from the data stored in that memory segment; determining, from the obtained process information, that the system call currently being executed was initiated by the running monitored process; and processing the information related to that system call.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method, apparatus and storage medium for monitoring system calls in a virtual machine.
Background technique
With the development and spread of computer technology, computers have permeated every aspect of people's work and life and have become an indispensable tool and home entertainment device. Their wide use also brings corresponding computer security problems. Tempted by money, some attackers exploit computer security vulnerabilities to steal users' information and damage computer systems with malicious programs, causing large economic losses to many computer users.
To detect such malicious programs, computer security researchers have developed anti-virus tools; for example, an unknown piece of code is run in a sandbox and its run-time behaviour is monitored to judge whether the code is malicious. A sandbox is a facility that monitors run-time behaviour in order to uncover potentially malicious code. The sandbox runs in a virtual machine, and the virtual machine is a virtual device installed on a host by means of virtual machine software.
In current sandbox and sandbox-like systems, calls to the kernel-layer application programming interfaces (APIs) of the guest operating system are usually monitored from inside the virtual machine on the hook principle. Two means are common: modifying the kernel's system call table, or dynamically replacing kernel API code located by address. In essence both customise the implementation of kernel APIs or insert custom execution logic into them.
These monitoring methods are implemented inside the virtual machine. They are relatively easy to implement, but on the one hand malware can discover and escape them by checking well-known hook points, and on the other hand, because the monitoring program runs in the kernel layer of the virtual machine, it has a significant effect on the stability of the guest operating system; the consequences are often fatal, ranging from system stutter and service exceptions to frequent crashes.
In summary, current monitoring methods are both easy for malware to discover and evade and liable to affect the stability of the virtual machine.
Summary of the invention
Embodiments of the invention provide a method, apparatus and storage medium for monitoring system calls in a virtual machine, to address the problem that current monitoring methods are both easy for malware to discover and evade and liable to affect the stability of the guest.
To this end, an embodiment of the invention provides a method for monitoring system calls in a virtual machine, comprising:
for a virtual machine to be monitored, reading the description information corresponding to that virtual machine from a configuration file;
determining, from the description information read, the memory segment of the monitored process in the virtual machine;
obtaining the information of the monitored process from the data stored in the determined memory segment;
determining, from the obtained information of the monitored process, that the system call currently being executed was initiated by the running monitored process;
processing the information related to the system call currently being executed.
An embodiment of the invention provides an apparatus for monitoring system calls in a virtual machine. The apparatus comprises a memory and a processor; the memory stores a plurality of instructions, and the processor loads the instructions stored in the memory to execute:
for a virtual machine to be monitored, reading the description information corresponding to that virtual machine from a configuration file;
determining, from the description information read, the memory segment of the monitored process in the virtual machine;
obtaining the information of the monitored process from the data stored in the determined memory segment;
determining, from the obtained information of the monitored process, that the system call currently being executed was initiated by the running monitored process;
processing the information related to the system call currently being executed.
An embodiment of the invention provides a non-volatile computer storage medium storing computer-executable instructions which, when executed, implement the method for monitoring system calls in a virtual machine provided by the embodiments of the invention.
The beneficial effects of the embodiments of the invention include the following.
With the method, apparatus and storage medium for monitoring system calls in a virtual machine provided by the embodiments of the invention, the description information corresponding to the virtual machine to be monitored is first read from the configuration file; the memory segment of the monitored process in that virtual machine is then determined from the description information read; the information of the monitored process is obtained from the data stored in the determined memory segment; the system call currently being executed is determined, from that process information, to have been initiated by the running monitored process; and the information related to that system call is processed. Monitoring and processing of the system calls of interest in the guest operating system is thereby carried out outside the virtual machine, that is, on the host running the virtual machine, which avoids the two problems of monitoring from inside the virtual machine: being easy for malware to discover and evade, and being liable to affect the stability of the virtual machine.
Detailed description of the invention
Fig. 1 is a diagram of the relationships between the modules that participate at run time in the method for monitoring system calls in a virtual machine provided by an embodiment of the invention;
Fig. 2 is a flow chart of a method for monitoring system calls in a virtual machine provided by an embodiment of the invention;
Fig. 3 is a flow chart of another method for monitoring system calls in a virtual machine provided by an embodiment of the invention;
Fig. 4 is a structural diagram of the apparatus for monitoring system calls in a virtual machine provided by an embodiment of the invention.
Specific embodiment
Embodiments of the invention provide a method, apparatus and storage medium for monitoring system calls in a virtual machine. The method monitors the target process in the virtual machine directly from outside it, that is, from the host on which the virtual machine runs. The description information corresponding to the virtual machine to be monitored is read from a configuration file and used, through the corresponding operation interface, to determine the memory segment of the virtual machine; from it the memory segment of the monitored process, and then the information of that process, are obtained. When the system call currently being executed is one initiated by the running monitored process, the information related to that system call is processed. This avoids the problems of monitoring from inside the virtual machine, namely that it is both easy for malware to discover and evade and liable to affect the stability of the virtual machine.
The relationships between the modules that participate at run time in the method for monitoring system calls in a virtual machine provided by the embodiments of the invention are shown in Fig. 1. The virtual machine software runs on the host and is responsible for managing the running of the virtual machine; it uses the operation interfaces provided by the host itself together with an introspection interface. The virtual machine is a virtual device installed on the host by means of the virtual machine software. The host is the carrier of the virtual machine and is a real physical device. The sandbox system runs inside the virtual machine and is responsible for executing the program to be monitored. The monitoring program is a program whose code implements the method for monitoring system calls in a virtual machine provided by the embodiments of the invention.
Specific embodiments of the method, apparatus and storage medium for monitoring system calls in a virtual machine provided by the embodiments of the invention are described below with reference to the accompanying drawings.
A method for monitoring system calls in a virtual machine provided by an embodiment of the invention, as shown in Fig. 2, comprises:
S201, for a virtual machine to be monitored, reading the description information corresponding to that virtual machine from a configuration file; here, once a sample program has been placed in the sandbox, the virtual machine started by the sandbox is the virtual machine to be monitored;
S202, determining, from the description information read, the memory segment of the monitored process in the virtual machine;
S203, obtaining the information of the monitored process from the data stored in the determined memory segment; the information of the monitored process includes the process name, process number, process start address, stack, parent process number, child process numbers and so on;
S204, determining, from the obtained information of the monitored process, that the system call currently being executed was initiated by the running monitored process;
S205, processing the information related to the system call currently being executed.
The configuration file holds, for each guest operating system, the relevant data-structure information collected in advance for that system. Its purpose is to describe each virtual machine unambiguously, including the type of virtual machine software, the type of guest operating system, the virtual machine name, the offsets of key data structures and the file path of the kernel symbol table.
When the guest operating system is Linux, the configuration file can be as shown in Table 1:

| Key | Example | Explanation |
|---|---|---|
| vm_type | kvm | Type of virtual machine software |
| vm_name | vm_ubuntu | Virtual machine name |
| os_type | linux | Type of guest operating system |
| linux_task | 0x448 | Offset of the tasks list head in the current task_struct |
| linux_mm | 0x480 | Offset of mm in the current task_struct |
| linux_pid | 0x4a8 | Offset of pid in the current task_struct |
| linux_pname | 0x678 | Offset of the process name (comm) in the current task_struct |
| sysmap_path | /tmp/system.map | Path of the kernel symbol table |

Table 1
When the guest operating system is Windows, the configuration file can be as shown in Table 2:

| Key | Example | Explanation |
|---|---|---|
| vm_type | kvm | Type of virtual machine software |
| vm_name | vm_winxp | Virtual machine name |
| os_type | windows | Type of guest operating system |
| win_task | 0x88 | Offset of the process list links (counterpart of task) |
| win_pdbase | 0x18 | Offset of the page-directory base (counterpart of mm) |
| win_pid | 0x84 | Offset of pid |
| win_pname | 0x174 | Offset of pname |
| sysmap_path | /tmp/system.map | Path of the kernel symbol table |

Table 2
The configuration file can take the following form:
vm_ubuntu:
    vm_type = "kvm";
    os_type = "linux";
    linux_task = "0x448";
    linux_mm = "0x480";
    linux_pname = "0x067";
    linux_pid = "0x4a8";
    sysmap_path = "/opt/sysmap/linux/sysmap-vmubuntu.txt";
vm_winxp:
    vm_type = "kvm";
    os_type = "windows";
    win_task = "0xb8";
    win_pdbase = "0x18";
    win_pname = "0x174";
    win_pid = "0x84";
    sysmap_path = "/opt/sysmap/windows/sysmap-vmwinxp.txt";
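As an added example, not code from the patent, the following Python parses a description file in the form shown above and applies the checks the description attaches to it (selecting the block of the virtual machine to be monitored in S301, resolving the guest OS type, and rejecting offsets that are not greater than 0 in S305). The sample text is constructed here, straight double quotes are assumed for the values, and the set of offset keys per OS type is taken from Tables 1 and 2.

```python
"""Parser and validity check for the virtual-machine description file (added example)."""
import re

# Constructed sample in the format shown above; the values are illustrative, not a real guest's offsets.
SAMPLE_CONFIG = '''
vm_ubuntu:
    vm_type = "kvm";
    os_type = "linux";
    linux_task = "0x448";
    linux_mm = "0x480";
    linux_pname = "0x678";
    linux_pid = "0x4a8";
    sysmap_path = "/opt/sysmap/linux/sysmap-vmubuntu.txt";
vm_winxp:
    vm_type = "kvm";
    os_type = "windows";
    win_task = "0x88";
    win_pdbase = "0x18";
    win_pname = "0x174";
    win_pid = "0x84";
    sysmap_path = "/opt/sysmap/windows/sysmap-vmwinxp.txt";
'''

BLOCK_RE = re.compile(r'^(\w+):$')
KV_RE = re.compile(r'^(\w+)\s*=\s*["“]([^"”]*)["”]\s*;?$')  # accepts straight or curly quotes

# Keys that must hold positive offsets, per guest OS type (Tables 1 and 2).
OFFSET_KEYS = {
    "linux": ("linux_task", "linux_mm", "linux_pid", "linux_pname"),
    "windows": ("win_task", "win_pdbase", "win_pid", "win_pname"),
}
REQUIRED_KEYS = ("vm_type", "os_type", "sysmap_path")


class ConfigError(ValueError):
    """Raised for anything that should send the monitor to the terminating step (S319)."""


def parse_config(text):
    """Return {vm_name: {key: raw string value}} for every block in the file."""
    vms, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        block = BLOCK_RE.match(line)
        if block:
            current = vms.setdefault(block.group(1), {})
            continue
        kv = KV_RE.match(line)
        if kv is None or current is None:
            raise ConfigError(f"line {lineno}: cannot parse {line!r}")
        current[kv.group(1)] = kv.group(2)
    return vms


def describe_vm(vms, vm_name):
    """Select the block for the VM to monitor (S301) and validate its numbers (S305).

    Offsets are converted from hex strings to int; a missing, non-numeric or
    non-positive offset is rejected, as is an unknown os_type.
    """
    if vm_name not in vms:
        raise ConfigError(f"no description information for {vm_name}")
    desc = dict(vms[vm_name], vm_name=vm_name)
    for key in REQUIRED_KEYS:
        if key not in desc:
            raise ConfigError(f"{vm_name}: missing {key}")
    os_type = desc["os_type"]
    if os_type not in OFFSET_KEYS:
        raise ConfigError(f"{vm_name}: unsupported os_type {os_type!r}")
    for key in OFFSET_KEYS[os_type]:
        try:
            value = int(desc[key], 16)
        except (KeyError, ValueError):
            raise ConfigError(f"{vm_name}: missing or non-numeric {key}") from None
        if value <= 0:
            raise ConfigError(f"{vm_name}: {key} must be greater than 0, got {value:#x}")
        desc[key] = value
    return desc


def check_vm(vms, vm_name):
    """Convenience wrapper returning (ok, message) instead of raising."""
    try:
        describe_vm(vms, vm_name)
        return True, "ok"
    except ConfigError as exc:
        return False, str(exc)


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for name in parsed:
        print(name, check_vm(parsed, name))
```

The validation is deliberately stricter than "less than or equal to 0 is illegal": a key that is absent or not a hex number is also rejected, because an offset silently defaulting to 0 would make every later read land on the wrong field.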
Optionally, a method for monitoring system calls in a virtual machine provided by an embodiment of the invention, as shown in Fig. 3, comprises:
S301, for a virtual machine to be monitored, filtering out the description information corresponding to that virtual machine from the configuration file;
S302, according to the virtual machine name and the type of virtual machine software given in the filtered description information, calling the query interface of the corresponding virtual machine software to look for the virtual machine to be monitored among the active virtual machines;
S303, judging whether a virtual machine uniquely corresponding to the filtered description information can be found among the active virtual machines; if so, executing S304; if not, executing S319;
If no virtual machine uniquely corresponding to the filtered description information is found, either that virtual machine has not been started or the filtered description information (virtual machine name, type of virtual machine software) is faulty; the process can therefore be terminated after a corresponding error prompt is shown. If a virtual machine uniquely corresponding to the information described in the configuration can be found, all the information of the found virtual machine is read from the configuration file and saved.
S304, reading all the description information of the found virtual machine from the configuration file;
Whether the filtered description information is that of the virtual machine to be monitored can be verified by calling the API provided by each virtual machine software. The concrete form is not limited: it can be a command line, a python interface or a C interface, with the same effect. Taking a kvm virtual machine as an example, the python interface provided by libvirt can be used: libvirt.open('qemu:///system') is called first to connect to the hypervisor managing the kvm virtual machines, and the virtual machine to be monitored is then matched by name with lookupByName(vm_name) on that connection.
After the description information has been read from the configuration file, the type of the guest operating system is determined, and the legality of the description data read is then checked;
S305, judging whether the numerical values of the description information read are legal; if so, executing S306; otherwise executing S319;
If a numerical value in the description information read is less than or equal to 0, the data of the description information are considered illegal and the process terminates; otherwise the data of the description information are legal;
S306, determining the memory offsets of the virtual machine to be monitored from the description information read;
S307, traversing the processes according to the determined memory offsets, to obtain the memory segments of all processes currently running in the virtual machine;
Before the traversal a starting address must be found; the memory segments of the whole virtual machine are traversed starting from this address. On Linux the head is the address of the circular tasks list of init_task, reached through the tasks offset; on Windows the head is the address of PsActiveProcessHead. Starting from the head, the list is traversed cyclically to obtain the memory segments of all processes in the virtual machine;
In addition, the memory segments of the virtual machine can be obtained by either of the following two methods:
(1) using the memory access interface provided by the virtual machine management software, for example the memory access interface provided by qemu and the operation interface provided by libvirt, choosing the suitable API according to the usage scenario;
(2) using the introspection technique of the virtual machine: existing common virtual machine software has a corresponding introspection mechanism, and its public interface can be called to fetch the data at a specified address. Open-source implementations can also be used; the libvmi open-source project known at the time supports xen and kvm virtual machines, with windows (98/2000/2003/xp) and linux among the supported guests;
Neither method requires the virtual-to-physical address translation to be implemented by hand, since the corresponding API returns the data for the translated address directly. These are therefore the least laborious and most efficient ways of obtaining the data, and the data obtained in this way are also the most accurate;
S308, determining, according to the process name of the monitored process, the memory segment of the monitored process among the memory segments of all the processes obtained;
S309, converting the data stored in the determined memory segment into high-level semantic information according to the data structures described in the description information read, to obtain the information of the monitored process; the information of the monitored process includes the process name, process number, process start address, stack, parent process number, child process numbers and so on;
The data stored in the determined memory segment, that is, binary data, can be converted into high-level semantic information in either of two ways:
1. by parsing the kernel data structures of the virtual machine and translating the binary data, according to the corresponding data structures, into semantic information of the target system that can be understood;
2. by directly obtaining the loaded modules or process information with ready-made library functions and the access interfaces of the virtual machine software, although the data obtainable in this way are limited;
The method for monitoring system calls in a virtual machine provided by the embodiments of the invention performs the semantic conversion in the first way, in order to obtain more low-level semantic information; the conversion can also be adjusted at any time as required and is more convenient to modify;
S310, judging whether the monitored process is running; if so, executing S311; otherwise executing S319;
In the Linux kernel, whether a process is still running is judged by obtaining the task_struct structure of the process, whose state member holds the process state. A value of 0 (TASK_RUNNING) means the process is runnable; the description treats any task_struct.state greater than 0 as the process having stopped. Note that on Linux positive values also cover a process that is merely sleeping, for example blocked in a system call (TASK_INTERRUPTIBLE is 1), so a check aimed at process exit should also consult exit_state or verify that the task has disappeared from the list.
On Windows, whether a process is still running can be judged by reading the pid or pname of the process from the process address found at the start; if the pid or pname can be read successfully, the process is still running, and if no information can be obtained or the access fails, the monitored process has terminated.
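Steps S306 to S310 above are illustrated by the following added Python example, which is not code from the patent. It builds a constructed guest memory image holding a circular Linux task list, walks that list from init_task using only the offsets of Table 1 (plus an assumed linux_state offset for the running check of S310), selects the monitored process by name and converts the raw bytes into process information. The GuestMemory class stands in for the hypervisor's memory-read interface (libvmi's vmi_read_va or QEMU's memory API); the address layout, the task_struct size and the sample processes are all constructed here.

```python
"""Walking the guest's task list from the host with configured offsets (added example)."""
import struct

# Offsets as they would come from the description file (Table 1). linux_state is an
# assumed extra key for the "is it still running?" check of step S310.
OFFSETS = {
    "linux_task": 0x448,   # task_struct.tasks (struct list_head: next, prev)
    "linux_mm": 0x480,     # task_struct.mm
    "linux_pid": 0x4a8,    # task_struct.pid (int)
    "linux_pname": 0x678,  # task_struct.comm (char[16])
    "linux_state": 0x18,   # assumed: task_struct.state (long)
}
TASK_SIZE = 0x800                    # constructed size of one task_struct
KERNEL_BASE = 0xFFFF888000000000     # constructed guest virtual address of the image

# Constructed processes: (pid, comm, mm pointer, state). The first entry plays init_task.
SAMPLE_TASKS = [
    (0, "swapper/0", 0x0, 0),
    (1, "systemd", 0x5500, 0),
    (4242, "sample.bin", 0x7700, 0),
    (4243, "zombie", 0x0, 4),        # state > 0: treated as stopped by the description
]


class GuestMemory:
    """Stand-in for the hypervisor's memory-read interface; backed by a bytearray here."""

    def __init__(self, base, data):
        self.base, self.data = base, data

    def read(self, va, size):
        off = va - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"guest VA {va:#x} is outside the mapped image")
        return bytes(self.data[off:off + size])

    def u64(self, va):
        return struct.unpack("<Q", self.read(va, 8))[0]

    def i32(self, va):
        return struct.unpack("<i", self.read(va, 4))[0]

    def i64(self, va):
        return struct.unpack("<q", self.read(va, 8))[0]


def build_sample_guest(tasks, offsets=OFFSETS):
    """Lay the sample processes out as a circular tasks list; returns (memory, init_task address)."""
    data = bytearray(TASK_SIZE * len(tasks))
    addrs = [KERNEL_BASE + i * TASK_SIZE for i in range(len(tasks))]
    for i, (addr, (pid, comm, mm, state)) in enumerate(zip(addrs, tasks)):
        o = addr - KERNEL_BASE
        nxt = addrs[(i + 1) % len(addrs)] + offsets["linux_task"]
        prv = addrs[(i - 1) % len(addrs)] + offsets["linux_task"]
        struct.pack_into("<QQ", data, o + offsets["linux_task"], nxt, prv)
        struct.pack_into("<Q", data, o + offsets["linux_mm"], mm)
        struct.pack_into("<i", data, o + offsets["linux_pid"], pid)
        struct.pack_into("<q", data, o + offsets["linux_state"], state)
        name = comm.encode()[:15].ljust(16, b"\0")
        data[o + offsets["linux_pname"]:o + offsets["linux_pname"] + 16] = name
    return GuestMemory(KERNEL_BASE, data), addrs[0]


def walk_tasks(mem, init_task, offsets=OFFSETS, limit=65536):
    """Step S307: follow init_task.tasks.next around the list, yielding each task_struct address.

    tasks.next points at the list_head embedded in the next task, so the offset is
    subtracted to recover the task_struct. init_task itself (the head) is not yielded.
    The limit stops a corrupted list or wrong offsets from looping forever.
    """
    head = init_task + offsets["linux_task"]
    node = mem.u64(head)
    for _ in range(limit):
        if node == head:
            return
        yield node - offsets["linux_task"]
        node = mem.u64(node)
    raise RuntimeError("task list did not return to init_task; corrupted list or wrong offsets")


def task_info(mem, task, offsets=OFFSETS):
    """Step S309: turn the bytes at the configured offsets into process information."""
    raw_name = mem.read(task + offsets["linux_pname"], 16)
    return {
        "addr": task,
        "pid": mem.i32(task + offsets["linux_pid"]),
        "name": raw_name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "mm": mem.u64(task + offsets["linux_mm"]),
        "state": mem.i64(task + offsets["linux_state"]),
    }


def find_process(mem, init_task, name, offsets=OFFSETS):
    """Step S308: select the monitored process by name; None if it is not in the list."""
    for task in walk_tasks(mem, init_task, offsets):
        info = task_info(mem, task, offsets)
        if info["name"] == name:
            return info
    return None


def is_running(info):
    """Step S310 as the description states it: state greater than 0 means stopped."""
    return info["state"] <= 0


if __name__ == "__main__":
    mem, init_task = build_sample_guest(SAMPLE_TASKS)
    for task in walk_tasks(mem, init_task):
        print(task_info(mem, task))
```

On a real guest the init_task address comes from the System.map named by sysmap_path and every read goes through the hypervisor interface; the walk itself is unchanged. The iteration limit matters in practice: a wrong linux_task offset yields pointers that look valid but never return to the head.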
S311, obtaining the system call currently being executed;
S312, finding the original initiator of the system call from the stack information of the system call currently being executed;
On both Windows and Linux the number of the system call being executed is in the eax register (rax on 64-bit guests), so reading eax alone yields the system call id; the id identifies which system call is being executed and which other registers carry its arguments and other information. The eax register can be read directly through the virtual register operation interface of the virtual machine software.
For example, under 32-bit Linux the ptrace system call (0x1a) takes request from ebx, pid from ecx, addr from edx and data from esi, each 32 bits long.
For user-space pointers passed as system call parameters, the memory page containing the pointed-to address is usually resident in physical memory when the system call is entered and can be translated directly to a physical address for access. This is not guaranteed, since the page may not have been faulted in yet or may be swapped out, so the translation must be checked and a failure handled rather than assumed away.
The register conventions for passing parameters to Windows system calls can be obtained by disassembling the relevant functions, or collected from the network. The result of a call can be handled at instructions such as iret and sysexit, by adding code there that obtains the result of the monitored system call. On Linux the result of a system call is in EAX. On Windows the mechanism by which the call result is passed can be obtained by reverse engineering; the result of a common system call is in EAX (low word) and EDX (high word).
S313, judging whether the function address of the original initiator lies within the address range of the running monitored process; if so, executing S314; otherwise executing S310;
S314, determining that the system call currently being executed is a system call initiated by the running monitored process;
S315, obtaining the information related to the system call currently being executed;
S316, judging whether the obtained information of the system call is obtained for the first time; if so, executing S317; otherwise executing S318;
S317, recording the obtained information of the system call;
S318, judging whether the obtained information of the system call differs from the most recently recorded system call information; if so, executing S317; otherwise executing S310;
In this way duplicate records are removed and the same system call information is not recorded twice as the system call log. This saves storage space and avoids repeatedly recording a system call that runs for a long time: if the comparison shows the two identical, there is no need to record the log again, and a log entry is recorded only when the information obtained in two successive acquisitions differs or when it is obtained for the first time, that is, when no system call log has been recorded before. The format in which the system call log is saved is not limited; it can be a file, a database, or even binary, as long as the reader and the writer agree on the same format.
S319, terminating the process of the method for monitoring system calls in a virtual machine provided by the embodiments of the invention.
In the method for monitoring system calls in a virtual machine provided by the embodiments of the invention, the steps from the step of judging whether the monitored process is running onward are executed in a loop: the judgement of whether the monitored process is running and the steps after it are repeated until the monitored process is found to have terminated, whereupon the collection of the system call log is complete.
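Steps S311 to S318, together with the register conventions described above, are illustrated by the following added Python example, which is not code from the patent. A constructed register snapshot and return-address list stand in for what the virtual register interface and the guest stack would yield at system call entry on a 32-bit Linux guest: the system call id is taken from eax and its arguments from ebx, ecx, edx and esi; the first user-space return address on the stack is taken as the original initiator and checked against the monitored process's address ranges (S313); and the log keeps a record only when it is the first one or differs from the most recently recorded one (S316 to S318). The partial i386 system call name table, the 3 GiB user/kernel split, the sample process and its mappings are assumptions made here.

```python
"""Attributing a system call to the monitored process and logging it without duplicates (added example)."""
from dataclasses import dataclass

# Partial i386 system call table (assumed here; the authoritative one is the guest kernel's unistd.h).
SYSCALL_NAMES_I386 = {0x03: "read", 0x04: "write", 0x05: "open", 0x06: "close", 0x0b: "execve", 0x1a: "ptrace"}
# i386 passes system call arguments in these registers, in order.
ARG_REGS_I386 = ("ebx", "ecx", "edx", "esi", "edi", "ebp")
USER_LIMIT_I386 = 0xC0000000  # assumed 3 GiB/1 GiB split: addresses below this are user space


@dataclass(frozen=True)
class SyscallRecord:
    """One log entry; frozen so that records compare by value for the duplicate check."""
    pid: int
    nr: int
    name: str
    args: tuple
    caller: int


def decode_syscall(regs, nargs=4):
    """S311: read the system call id from eax and its arguments from the i386 argument registers."""
    nr = regs["eax"]
    args = tuple(regs[r] for r in ARG_REGS_I386[:nargs])
    return nr, SYSCALL_NAMES_I386.get(nr, f"sys_{nr}"), args


def original_initiator(stack):
    """S312: the first user-space return address on the stack (innermost frame first) is the initiator."""
    for addr in stack:
        if addr < USER_LIMIT_I386:
            return addr
    return None


def initiated_by(caller, mappings):
    """S313: True when the initiator's address lies in one of the monitored process's address ranges."""
    return caller is not None and any(lo <= caller < hi for lo, hi in mappings)


class SyscallLog:
    """S316 to S318: keep a record only if it is the first or differs from the most recently recorded one."""

    def __init__(self):
        self.records = []

    def record(self, rec):
        if not self.records or self.records[-1] != rec:
            self.records.append(rec)
            return True
        return False


def handle_syscall_event(regs, stack, process, log):
    """Run one event through S311 to S318; returns the record if it was logged, else None."""
    nr, name, args = decode_syscall(regs)
    caller = original_initiator(stack)
    if not initiated_by(caller, process["mappings"]):
        return None  # S313 failed: back to S310, nothing to log
    rec = SyscallRecord(process["pid"], nr, name, args, caller)
    return rec if log.record(rec) else None


# Constructed monitored process: pid and its text and libc mappings (not a real guest).
SAMPLE_PROCESS = {"pid": 4242, "mappings": [(0x08048000, 0x0804C000), (0xB7E00000, 0xB7F80000)]}

# Constructed events: (registers at entry, return addresses from the kernel frame down to user space).
SAMPLE_EVENTS = [
    ({"eax": 0x1a, "ebx": 0, "ecx": 0, "edx": 0, "esi": 0}, [0xC10A1234, 0x0804A0F3]),  # ptrace(PTRACE_TRACEME)
    ({"eax": 0x1a, "ebx": 0, "ecx": 0, "edx": 0, "esi": 0}, [0xC10A1234, 0x0804A0F3]),  # same again: duplicate
    ({"eax": 0x04, "ebx": 1, "ecx": 0x0804B000, "edx": 5, "esi": 0}, [0xC10A1234, 0xB7FFE412]),  # caller not in the ranges
    ({"eax": 0x0b, "ebx": 0x0804B100, "ecx": 0x0804B200, "edx": 0, "esi": 0}, [0xC10A1234, 0xB7E1F0C0]),  # execve via libc
]


def run_sample():
    """Feed the constructed events through the pipeline and return the resulting log."""
    log = SyscallLog()
    for regs, stack in SAMPLE_EVENTS:
        handle_syscall_event(regs, stack, SAMPLE_PROCESS, log)
    return log.records


if __name__ == "__main__":
    for rec in run_sample():
        print(rec)
```

The duplicate check compares whole records, arguments and caller included, so two ptrace calls with different request values are both kept while a long-running call observed repeatedly at the same entry is written once. On a 64-bit guest the same flow applies with rax for the id and rdi, rsi, rdx, r10, r8, r9 for the arguments.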
Based on the same inventive concept, the embodiments of the invention also provide an apparatus and a storage medium for monitoring system calls in a virtual machine. Since the principle by which the apparatus solves the problem is similar to that of the method for monitoring system calls in a virtual machine described above, the implementation of the apparatus and storage medium can refer to the implementation of the method and is not repeated here.
An apparatus for monitoring system calls in a virtual machine provided by an embodiment of the invention, as shown in Fig. 4, comprises a memory 41 and a processor 42. The memory 41 stores a plurality of instructions, and the processor 42 loads the instructions stored in the memory 41 to execute:
for a virtual machine to be monitored, reading the description information corresponding to that virtual machine from a configuration file;
determining, from the description information read, the memory segment of the monitored process in the virtual machine;
obtaining the information of the monitored process from the data stored in the determined memory segment;
determining, from the obtained information of the monitored process, that the system call currently being executed was initiated by the running monitored process;
processing the information related to the system call currently being executed.
Optionally, the processor 42 loads the instructions stored in the memory 41 to execute:
for a virtual machine to be monitored, filtering out the description information corresponding to that virtual machine from the configuration file;
calling, according to the virtual machine name and the type of virtual machine software given in the filtered description information, the query interface of the corresponding virtual machine software to look for the virtual machine to be monitored among the active virtual machines;
when a virtual machine uniquely corresponding to the filtered description information can be found among the active virtual machines, reading all the description information of the found virtual machine from the configuration file.
Further, the processor 42 also loads the instructions stored in the memory 41 to execute:
after the description information corresponding to the virtual machine has been read from the configuration file, and before the memory segment of the monitored process in the virtual machine is determined, determining that the numerical values of the description information read are legal.
Optionally, the processor 42 loads the instructions stored in the memory 41 to execute:
determining the memory offsets of the virtual machine to be monitored from the description information read;
traversing the processes according to the determined memory offsets, to obtain the memory segments of all processes currently running in the virtual machine;
determining, according to the process name of the monitored process, the memory segment of the monitored process among the memory segments of all the processes obtained.
Optionally, the processor 42 loads the instructions stored in the memory 41 to execute:
converting the data stored in the determined memory segment into high-level semantic information according to the data structures described in the description information read, to obtain the information of the monitored process.
Further, the processor 42 also loads the instructions stored in the memory 41 to execute:
after the information of the monitored process has been obtained from the data stored in the determined memory segment, and before it is determined from that information that the system call currently being executed was initiated by the running monitored process, determining that the monitored process is running.
Optionally, the processor 42 loads the instructions stored in the memory 41 to execute:
finding the original initiator of the system call from the stack information of the system call currently being executed;
when the function address of the original initiator lies within the address range of the running monitored process, determining that the system call currently being executed is a system call initiated by the running monitored process.
Optionally, the processor 42 loads the instructions stored in the memory 41 to execute:
obtaining the information related to the system call currently being executed;
recording the obtained information of the system call when it differs from the most recently recorded system call information, or when it is obtained for the first time.
An embodiment of the present invention further provides a non-volatile computer storage medium storing computer-executable instructions which, when executed, implement the method for monitoring system calls in a virtual machine provided in the embodiments of the present invention.
From the above description of the embodiments, those skilled in the art will clearly understand that the embodiments of the present invention may be implemented by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or removable hard disk) and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the drawings are merely schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the apparatus in the embodiment may be distributed in the apparatus of the embodiment as described, or may be modified accordingly and located in one or more apparatuses different from the present embodiment. The modules of the above embodiment may be combined into one module or further divided into multiple sub-modules.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.
Claims (17)
1. A method for monitoring system calls in a virtual machine, characterized by comprising:
for a virtual machine to be monitored, reading description information corresponding to the virtual machine from a configuration file;
determining, according to the description information read, a memory section of a monitored process in the virtual machine;
obtaining information of the monitored process according to data stored in the determined memory section;
determining, according to the obtained information of the monitored process, that a system call currently being executed was initiated by the running monitored process;
processing relevant information of the system call currently being executed.
2. The method of claim 1, characterized in that reading, for the virtual machine to be monitored, the description information corresponding to the virtual machine from the configuration file comprises:
for the virtual machine to be monitored, filtering out the description information corresponding to the virtual machine from the configuration file;
calling the query interface of the corresponding virtual machine software according to the name of the virtual machine and the type of virtual machine software in the filtered description information, to search for the virtual machine to be monitored among the running virtual machines;
when a virtual machine uniquely corresponding to the filtered description information is found among the running virtual machines, reading all description information of the found virtual machine from the configuration file.
3. The method of claim 1, characterized in that after reading the description information corresponding to the virtual machine from the configuration file and before determining the memory section of the monitored process in the virtual machine, the method further comprises:
verifying that the values in the description information read are valid.
4. The method of claim 1, characterized in that determining, according to the description information read, the memory section of the monitored process in the virtual machine comprises:
determining, from the description information read, the memory offsets of the virtual machine to be monitored;
traversing the processes according to the determined memory offsets, to obtain the memory sections of all processes currently running in the virtual machine;
determining, according to the process name of the monitored process, the memory section of the monitored process from the obtained memory sections of all processes.
5. The method of claim 1, characterized in that obtaining the information of the monitored process according to the data stored in the determined memory section comprises:
converting the data stored in the determined memory section into high-level semantic information according to the data structure described in the description information read, to obtain the information of the monitored process.
6. The method of claim 1, characterized in that after obtaining the information of the monitored process from the data stored in the determined memory section, and before determining from the obtained information of the monitored process that the system call currently being executed was initiated by the running monitored process, the method further comprises:
verifying that the monitored process is currently running.
7. The method of claim 1, characterized in that determining, according to the obtained information of the monitored process, that the system call currently being executed was initiated by the running monitored process comprises:
finding the initial caller of the system call according to the stack information of the system call currently being executed;
when the function address of the initial caller lies within the address range of the running monitored process, determining that the system call currently being executed was initiated by the running monitored process.
8. The method of claim 1, characterized in that processing the relevant information of the system call currently being executed comprises:
obtaining the relevant information of the system call currently being executed;
when the obtained relevant information of the system call differs from the most recently recorded relevant information of a system call, or the relevant information of the system call is being obtained for the first time, recording the obtained relevant information of the system call.
9. An apparatus for monitoring system calls in a virtual machine, characterized in that the apparatus comprises a memory and a processor, the memory being configured to store a plurality of instructions and the processor being configured to load the instructions stored in the memory in order to execute:
for a virtual machine to be monitored, reading description information corresponding to the virtual machine from a configuration file;
determining, according to the description information read, a memory section of a monitored process in the virtual machine;
obtaining information of the monitored process according to data stored in the determined memory section;
determining, according to the obtained information of the monitored process, that a system call currently being executed was initiated by the running monitored process;
processing relevant information of the system call currently being executed.
10. The apparatus of claim 9, characterized in that the processor is configured to load the instructions stored in the memory in order to execute:
for the virtual machine to be monitored, filtering out the description information corresponding to the virtual machine from the configuration file;
calling the query interface of the corresponding virtual machine software according to the name of the virtual machine and the type of virtual machine software in the filtered description information, to search for the virtual machine to be monitored among the running virtual machines;
when a virtual machine uniquely corresponding to the filtered description information is found among the running virtual machines, reading all description information of the found virtual machine from the configuration file.
11. The apparatus of claim 9, characterized in that the processor is further configured to load the instructions stored in the memory in order to execute:
after the description information corresponding to the virtual machine has been read from the configuration file, and before the memory section of the monitored process in the virtual machine is determined, verifying that the values in the description information read are valid.
12. The apparatus of claim 9, characterized in that the processor is configured to load the instructions stored in the memory in order to execute:
determining, from the description information read, the memory offsets of the virtual machine to be monitored;
traversing the processes according to the determined memory offsets, to obtain the memory sections of all processes currently running in the virtual machine;
determining, according to the process name of the monitored process, the memory section of the monitored process from the obtained memory sections of all processes.
13. The apparatus of claim 9, characterized in that the processor is configured to load the instructions stored in the memory in order to execute:
converting the data stored in the determined memory section into high-level semantic information according to the data structure described in the description information read, to obtain the information of the monitored process.
14. The apparatus of claim 9, characterized in that the processor is further configured to load the instructions stored in the memory in order to execute:
after the information of the monitored process has been obtained from the data stored in the determined memory section, and before it is determined from the obtained information of the monitored process that the system call currently being executed was initiated by the running monitored process, verifying that the monitored process is currently running.
15. The apparatus of claim 9, characterized in that the processor is configured to load the instructions stored in the memory in order to execute:
finding the initial caller of the system call according to the stack information of the system call currently being executed;
when the function address of the initial caller lies within the address range of the running monitored process, determining that the system call currently being executed was initiated by the running monitored process.
16. The apparatus of claim 9, characterized in that the processor is configured to load the instructions stored in the memory in order to execute:
obtaining the relevant information of the system call currently being executed;
when the obtained relevant information of the system call differs from the most recently recorded relevant information of a system call, or the relevant information of the system call is being obtained for the first time, recording the obtained relevant information of the system call.
17. A non-volatile computer storage medium, characterized in that computer-executable instructions are stored thereon which, when executed, implement the method of any one of claims 1 to 8.
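The procedure that the apparatus embodiment above (processor 42 loading instructions from memory 41) and claims 1 to 8 describe, carried through end to end as an added worked example; this is editor-written code, not code from the patent or from any product implementing it. It replaces the hypervisor with stand-ins so it runs offline: guest RAM is a constructed byte buffer laid out as a linked list of process structs, the virtual-machine-software query interface is a dictionary of running VM names, and every configuration field, offset, process name and address (guest-01, init_task, off_next, sshd, 0x500000 and so on) is a hypothetical assumption. The list walk adds the two checks a practitioner wants when the structures being read belong to a guest that may already be compromised: a visited set against a cycled list and a bounds check against pointers that leave guest memory.

```python
"""Simulation of the claimed VMI pipeline (constructed example, not the patent's code):
guest RAM is a byte buffer, the VMM query interface a dict, every name/offset assumed."""
import struct
from collections import namedtuple

# Assumed configuration-file "description information": VM name, VMM type and
# the layout of one guest process struct (field offsets inside task_size bytes).
CONFIG_FILE = [
    {"vm_name": "guest-01", "vmm_type": "kvm", "init_task": 0x1000, "task_size": 0x40,
     "off_pid": 0x00, "off_next": 0x04, "off_comm": 0x08, "comm_size": 16,
     "off_state": 0x18, "off_mm_start": 0x1C, "off_mm_end": 0x20},
]
RUNNING_VMS = {"kvm": ["guest-01", "build-box"], "xen": []}  # VMM query interface stand-in
FIELDS = (("off_pid", 4), ("off_next", 4), ("off_state", 4), ("off_mm_start", 4), ("off_mm_end", 4))
ProcessInfo = namedtuple("ProcessInfo", "pid name running addr_range")  # addr_range = [start, end)

def read_description(vm_name: str) -> dict:
    """Claim 2: filter the config, confirm through the VMM query interface that the
    VM is running, and require exactly one match before returning its entry."""
    found = [d for d in CONFIG_FILE
             if d["vm_name"] == vm_name and vm_name in RUNNING_VMS.get(d["vmm_type"], [])]
    if len(found) != 1:
        raise LookupError(f"{vm_name}: expected one running VM, found {len(found)}")
    return dict(found[0])

def validate_description(desc: dict) -> None:
    """Claim 3: every field must lie inside the declared struct, or reads go astray."""
    for field, width in FIELDS + (("off_comm", desc["comm_size"]),):
        if not 0 <= desc[field] <= desc["task_size"] - width:
            raise ValueError(f"{field}=0x{desc[field]:x} exceeds task_size")

def build_guest_memory(desc: dict, tasks: list) -> bytearray:
    """Constructed guest RAM: a linked list of process structs laid out per `desc`;
    tasks = [(pid, name, state, mm_start, mm_end), ...], state 0 meaning running."""
    mem, base, size = bytearray(0x4000), desc["init_task"], desc["task_size"]
    for i, (pid, name, state, start, end) in enumerate(tasks):
        addr = base + i * size
        nxt = addr + size if i + 1 < len(tasks) else 0          # 0 terminates the list
        for (field, _), val in zip(FIELDS, (pid, nxt, state, start, end)):
            struct.pack_into("<I", mem, addr + desc[field], val)
        comm = name.encode()[:desc["comm_size"] - 1].ljust(desc["comm_size"], b"\0")
        mem[addr + desc["off_comm"]:addr + desc["off_comm"] + desc["comm_size"]] = comm
    return mem

def walk_processes(mem: bytes, desc: dict) -> list:
    """Claim 4: follow next pointers from init_task and return each process's memory
    section as (start, end); the visited set stops a cycled or corrupted list."""
    sections, seen, addr = [], set(), desc["init_task"]
    while addr and addr not in seen:
        if addr + desc["task_size"] > len(mem):
            raise ValueError(f"process struct at 0x{addr:x} lies outside guest RAM")
        seen.add(addr)
        sections.append((addr, addr + desc["task_size"]))
        addr, = struct.unpack_from("<I", mem, addr + desc["off_next"])
    return sections

def to_semantic(mem: bytes, desc: dict, section: tuple) -> ProcessInfo:
    """Claim 5: lift the raw struct bytes to high-level fields using the layout."""
    base = section[0]
    u32 = lambda off: struct.unpack_from("<I", mem, base + desc[off])[0]
    raw = mem[base + desc["off_comm"]:base + desc["off_comm"] + desc["comm_size"]]
    name = bytes(raw).split(b"\0", 1)[0].decode(errors="replace")
    return ProcessInfo(u32("off_pid"), name, u32("off_state") == 0,
                       (u32("off_mm_start"), u32("off_mm_end")))

def initiated_by(frames: list, proc: ProcessInfo) -> bool:
    """Claims 6 and 7: the initial caller is the outermost frame (frames are listed
    innermost first); attribute the call only if the process is running and that
    address lies inside its own address range."""
    if not frames or not proc.running:
        return False
    start, end = proc.addr_range
    return start <= frames[-1] < end

def record(records: list, info: tuple) -> bool:
    """Claim 8: append only on first sight or when it differs from the latest record."""
    if not records or records[-1] != info:
        records.append(info)
        return True
    return False

# Constructed guest state and syscall events: (syscall nr, stack frames innermost first).
TASKS = [(1, "init", 0, 0x400000, 0x410000), (42, "sshd", 0, 0x500000, 0x580000),
         (77, "cron", 1, 0x600000, 0x610000)]
EVENTS = [(59, [0xFFFF8000, 0x7F001000, 0x501234]),   # execve from sshd's own code
          (59, [0xFFFF8000, 0x7F001000, 0x501234]),   # same again: not re-recorded
          (2,  [0xFFFF8000, 0x7F002000, 0x502000]),   # open: differs, so recorded
          (1,  [0xFFFF8000, 0x7F003000, 0x601000])]   # write originating in cron, not sshd

def run_pipeline(vm_name: str = "guest-01", proc_name: str = "sshd"):
    """Claim 1 end to end: returns the monitored process and the recorded calls."""
    desc = read_description(vm_name)
    validate_description(desc)
    mem = build_guest_memory(desc, TASKS)
    procs = [to_semantic(mem, desc, sec) for sec in walk_processes(mem, desc)]
    proc = next((p for p in procs if p.name == proc_name), None)
    if proc is None:
        raise LookupError(f"{proc_name} is not running in {vm_name}")
    records = []
    for nr, frames in EVENTS:
        if initiated_by(frames, proc):
            record(records, (proc.pid, nr, frames[-1]))
    return proc, records
```

Running `run_pipeline()` yields the sshd process (pid 42, address range 0x500000 to 0x580000) and two records, since the repeated execve is suppressed by the "differs from the latest record" rule and the write whose outermost frame lies in cron's range is not attributed to sshd. In a real deployment the `mem` reads would go through a hypervisor introspection interface rather than a local buffer, the struct offsets would come from a profile for the exact guest kernel build, and the claim 7 attribution is only as trustworthy as the stack walk: a guest process that forges return addresses on its own stack can make the outermost frame point wherever it likes, so the address-range test identifies the apparent originator, not a proven one.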
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711250086.3A CN109471697B (en) | 2017-12-01 | 2017-12-01 | Method, device and storage medium for monitoring system call in virtual machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109471697A true CN109471697A (en) | 2019-03-15 |
CN109471697B CN109471697B (en) | 2021-08-17 |
Family
ID=65658210
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711250086.3A Active CN109471697B (en) | 2017-12-01 | 2017-12-01 | Method, device and storage medium for monitoring system call in virtual machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109471697B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103793288A (en) * | 2014-02-14 | 2014-05-14 | Beijing University of Posts and Telecommunications | Software watchdog system and method |
CN105740046A (en) * | 2016-01-26 | 2016-07-06 | Huazhong University of Science and Technology | Virtual machine process behavior monitoring method and system based on dynamic library |
CN106055385A (en) * | 2016-06-06 | 2016-10-26 | Sichuan University | System and method for monitoring virtual machine process, and method for filtering page fault anomaly |
Non-Patent Citations (3)
Title |
---|
Bo Li: "A VMM-Based System Call Interposition Framework for Program Monitoring", 2010 IEEE 16th International Conference on Parallel and Distributed Systems * |
Zhou Tianyu: "System-call-based security monitoring and enhancement of virtual machines on cloud computing platforms", Wanfang dissertation database * |
Wang Pei: "HMM-based Linux host intrusion detection system", China Master's Theses Full-text Database, Information Science and Technology series * |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111026599A (en) * | 2019-07-24 | 2020-04-17 | Harbin Antiy Technology Group Co., Ltd. | Data collection method and device based on API call and storage device |
CN112464221A (en) * | 2019-09-09 | 2021-03-09 | Beijing Qihoo Technology Co., Ltd. | Method and system for monitoring memory access behavior |
CN111027072A (en) * | 2019-12-20 | 2020-04-17 | Beijing Antiy Network Security Technology Co., Ltd. | Kernel rootkit detection method and device based on ELF binary standard analysis under Linux |
CN111027072B (en) * | 2019-12-20 | 2024-02-27 | Beijing Antiy Network Security Technology Co., Ltd. | Kernel rootkit detection method and device based on ELF binary standard analysis under Linux |
CN111611580A (en) * | 2020-05-27 | 2020-09-01 | Fujian Tianqing Online Interactive Technology Co., Ltd. | Method and system for detecting whether a program runs in the environment of the Jinshan safe sandbox system |
CN111611580B (en) * | 2020-05-27 | 2022-09-23 | Fujian Tianqing Online Interactive Technology Co., Ltd. | Method and system for detecting whether a program runs in the environment of the Jinshan safe sandbox system |
CN114924810B (en) * | 2021-05-14 | 2024-02-23 | Wuhan Deepin Technology Co., Ltd. | Heterogeneous program execution method and device, computing device and readable storage medium |
CN114924810A (en) * | 2021-05-14 | 2022-08-19 | Wuhan Deepin Technology Co., Ltd. | Heterogeneous program execution method and device, computing device and readable storage medium |
CN113448690A (en) * | 2021-08-27 | 2021-09-28 | Alibaba Cloud Computing Co., Ltd. | Monitoring method and device |
CN113448690B (en) * | 2021-08-27 | 2022-02-01 | Alibaba Cloud Computing Co., Ltd. | Monitoring method and device |
WO2023035510A1 (en) * | 2021-09-09 | 2023-03-16 | 360 Technology Group Co., Ltd. | Virtual machine security reinforcement method and apparatus, and storage medium |
CN114266037A (en) * | 2021-12-16 | 2022-04-01 | Beijing Antiy Network Security Technology Co., Ltd. | Sample detection method and device, electronic equipment and storage medium |
CN114266037B (en) * | 2021-12-16 | 2024-05-17 | Beijing Antiy Network Security Technology Co., Ltd. | Sample detection method and device, electronic equipment and storage medium |
WO2023160398A1 (en) * | 2022-02-25 | 2023-08-31 | Alibaba (China) Co., Ltd. | Data processing method and system |
Similar Documents
Publication | Title |
---|---|
CN109471697A (en) | Method, apparatus and storage medium for monitoring system calls in a virtual machine |
US8978141B2 (en) | System and method for detecting malicious software using malware trigger scenarios |
US9230106B2 (en) | System and method for detecting malicious software using malware trigger scenarios in a modified computer environment |
US8141056B2 (en) | Just-in-time dynamic instrumentation |
Pagani et al. | Introducing the temporal dimension to memory forensics |
WO2015131804A1 (en) | Call stack relationship acquiring method and apparatus |
US10089474B2 (en) | Virtual machine introspection |
CN107358096B (en) | File virus searching and killing method and system |
CN108898012B (en) | Method and apparatus for detecting illegal program |
US20230153439A1 (en) | Early filtering of clean file using dynamic analysis |
CN111783094A (en) | Data analysis method and device, server and readable storage medium |
CN110895537A (en) | Method and device for freely inquiring authority control |
CN110245074B (en) | Log record generation method and device, storage medium and server |
CN110298173A (en) | Detecting malware hidden by delay loops of a software program |
US8972784B2 (en) | Method and device for testing a system comprising at least a plurality of software units that can be executed simultaneously |
US10114951B2 (en) | Virus signature matching method and apparatus |
CN109885489B (en) | Data race detection method and device in driver |
CN109472135A (en) | Method, apparatus and storage medium for detecting process injection |
CN102945343A (en) | Method and device for enumerating system process |
CN111428240B (en) | Method and device for detecting illegal access of memory of software |
US7448029B2 (en) | Modification of array access checking in AIX |
Wang et al. | Detecting data races in interrupt-driven programs based on static analysis and dynamic simulation |
CN114373173B (en) | Data processing method, device, terminal equipment and storage medium |
CN113918377B (en) | Method, device and equipment for positioning C++ program crash and storage medium |
KR20170093121A (en) | Synchronization in a computing device |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |