CN109753791A - Malware detection methods and device - Google Patents
Malware detection methods and device
Publication number: CN109753791A (application CN201811641802.5A)
Authority: CN (China)
Legal status: Granted (the status is Google's assumption, not a legal conclusion)
Abstract
The invention discloses a malware detection method and device. The method comprises: monitoring simulated mouse-click operations and process-creation operations; when a simulated mouse-click operation is detected, judging whether it is a remote procedure call initiated through the IAccessible interface; if it is, parsing the file name of the unknown program that the simulated mouse-click operation clicked on and the thread ID of the originating end of the remote procedure call; judging whether the file name of the unknown program is a substring of the process path of a target process; and if it is, analysing whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID. The malware detection method and device provided by the invention can detect malicious programs that are started by a mouse click simulated with MSAA technology.
Description
Technical field
The present invention relates to the technical field of data security, and in particular to a malware detection method and device.
Background technique
With the widespread use of computers worldwide, the means of protection against malicious programs and software faults have also kept expanding. Because malicious programs are infectious, self-replicating and destructive, they have become a major problem for computer use. A malicious program is any software program deliberately created to perform unauthorised and usually harmful actions: it is secretly implanted into the user's system to steal the user's confidential information, and ultimately damages the user's operating system or causes other harm. Trapdoors, logic bombs, Trojan horses, worms, bacteria, viruses and so on can all be called malicious programs.
Malicious programs cause great harm to computer equipment and to the security of users, so how to detect them is particularly important. As malicious programs grow explosively, the generation and updating of signature databases usually lags behind the appearance of the malicious programs themselves, and traditional detection by signature-database matching is increasingly inadequate; active defense mechanisms have therefore appeared. An active defense mechanism is a real-time protection technique based on independent analysis of program behaviour: it does not use the signature of a malicious program as its basis for judgement but, starting from the definition of a malicious program, uses the program's behaviour directly as the basis for judgement. This solves the drawback that conventional security software cannot defend against unknown malicious programs and technically achieves active defence against malicious programs.
However, when a malicious program is started by a mouse click simulated with MSAA (Microsoft Active Accessibility) technology, the process-chain information produced after the malicious program is activated is identical to the process-chain information produced when the user deliberately runs a normal program, so an active defense mechanism mistakes the start of the malicious program for an independent action of the user.
Summary of the invention
The problem to be solved by the invention is that an active defense mechanism cannot detect a malicious program that is started by a mouse click simulated with MSAA technology.
The present invention is achieved through the following technical solutions:
A malware detection method, comprising:
monitoring simulated mouse-click operations and process-creation operations;
when a simulated mouse-click operation is detected, judging whether the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface;
if the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface, parsing the file name of the unknown program that the simulated mouse-click operation clicked on and the thread ID of the originating end of the remote procedure call;
judging whether the file name of the unknown program is a substring of the process path of a target process, the target process being the process created by the process-creation operation detected after the simulated mouse-click operation;
if the file name of the unknown program is a substring of the process path of the target process, analysing whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID.
Optionally, monitoring simulated mouse-click operations includes:
hooking the function in the Program Manager process that implements a simulated mouse click on an executable itself; and/or
hooking the function in the Program Manager process that implements a simulated mouse click on a shortcut to an executable.
Optionally, monitoring process-creation operations includes:
hooking the function in the Program Manager process that implements process creation.
Optionally, judging whether the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface includes:
performing stack backtracking on the simulated mouse-click operation to obtain the call stack of the simulated mouse-click operation;
determining from the call stack of the simulated mouse-click operation whether it is a remote procedure call initiated through the IAccessible interface.
Optionally, parsing the file name of the unknown program that the simulated mouse-click operation clicked on and the thread ID of the originating end of the remote procedure call includes:
obtaining the file name of the unknown program from the parameters of the function that implements the simulated mouse-click operation;
obtaining the thread ID from the thread environment block.
Optionally, the creation time of the target process minus the occurrence time of the simulated mouse-click operation is less than a preset time difference.
Optionally, after analysing whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID, the method further includes:
if the unknown program is a malicious program, generating warning information.
Optionally, after generating the warning information, the method further includes:
sending the warning information to the user by one of, or a combination of several of, mail, short message, dialog box and instant messaging.
Based on the same inventive concept, the invention also provides a malware detection device, comprising:
a first monitoring module, for monitoring simulated mouse-click operations;
a second monitoring module, for monitoring process-creation operations;
a first judgement module, for judging, when a simulated mouse-click operation is detected, whether the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface;
a parsing module, for parsing, when the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface, the file name of the unknown program that the simulated mouse-click operation clicked on and the thread ID of the originating end of the remote procedure call;
a second judgement module, for judging whether the file name of the unknown program is a substring of the process path of a target process, the target process being the process created by the process-creation operation detected after the simulated mouse-click operation;
an analysis module, for analysing, when the file name of the unknown program is a substring of the process path of the target process, whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID.
Optionally, the first monitoring module includes:
a first hook module, for hooking the function in the Program Manager process that implements a simulated mouse click on an executable itself; and/or
a second hook module, for hooking the function in the Program Manager process that implements a simulated mouse click on a shortcut to an executable.
Optionally, the second monitoring module includes:
a third hook module, for hooking the function in the Program Manager process that implements process creation.
Optionally, the first judgement module includes:
a call-stack acquisition module, for performing stack backtracking on the simulated mouse-click operation to obtain the call stack of the simulated mouse-click operation;
a determination module, for determining from the call stack of the simulated mouse-click operation whether it is a remote procedure call initiated through the IAccessible interface.
Optionally, the parsing module includes:
a file-name acquisition module, for obtaining the file name of the unknown program from the parameters of the function that implements the simulated mouse-click operation;
a thread-ID acquisition module, for obtaining the thread ID from the thread environment block.
Optionally, the creation time of the target process minus the occurrence time of the simulated mouse-click operation is less than a preset time difference.
Optionally, the malware detection device further includes:
a warning-information generation module, for generating warning information when the unknown program is a malicious program.
Optionally, the malware detection device further includes:
a sending module, for sending the warning information to the user by one of, or a combination of several of, mail, short message, dialog box and instant messaging.
Based on the same inventive concept, the invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the above malware detection method is realised.
Based on the same inventive concept, the invention also provides computer equipment comprising a memory, a processor and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, the above malware detection method is realised.
Compared with the prior art, the invention has the following advantages and beneficial effects:
With the malware detection method and device provided by the invention, when a simulated mouse-click operation is detected it is judged whether the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface; if it is, the file name of the unknown program that the simulated mouse-click operation clicked on and the thread ID of the originating end of the remote procedure call are parsed; it is judged whether the file name of the unknown program is a substring of the process path of the target process, the target process being the process created by the process-creation operation detected after the simulated mouse-click operation; and if the file name of the unknown program is a substring of the process path of the target process, whether the unknown program is a malicious program is analysed according to the process ID of the target process, the process path of the target process and the thread ID. Because the method and device, on detecting a simulated mouse-click operation that is a remote procedure call initiated through the IAccessible interface, analyse comprehensively whether the unknown program is a malicious program from the process ID and process path created for the simulated mouse-click operation and from the thread ID of the originating end of the remote procedure call, rather than only from the parent process at the time the unknown program runs, detection of malicious programs started by a mouse click simulated with MSAA technology is achieved.
Detailed description of the invention
The accompanying drawings described here are provided for a further understanding of the embodiments of the invention and form part of the application; they do not limit the embodiments of the invention. In the drawings:
Fig. 1 is the flow chart of the malware detection method of an embodiment of the invention;
Fig. 2 is the structural schematic diagram of the malware detection device of an embodiment of the invention.
Specific embodiment
The full name of MSAA is Microsoft Active Accessibility. Its technical model is that a program with a user interface (UI) can expose an IAccessible interface through which another program can control it. The original intention of MSAA was to let disabled people use Windows programs and to make automated testing of user interfaces possible; however, the IAccessible interface exposed by MSAA also gives malicious programs an opportunity. Take a malicious program with the file name "a.exe" in the root directory of drive C as an example. The procedure for starting it by a mouse click simulated with MSAA technology is as follows: first, open the root directory of drive C; then obtain the window handle of the drive-C root directory window; then obtain the IAccessible interface corresponding to that window handle; obtain an IEnumVARIANT interface from the IAccessible interface corresponding to the window handle; traverse all UI elements of the window through the IEnumVARIANT interface and obtain the file name of each UI element; compare the file name of each UI element obtained during traversal with the file name "a.exe" of the malicious program as strings, which yields the IAccessible interface corresponding to the malicious program; with this interface the malicious program can be started, which is exactly starting the malicious program by a simulated mouse-click operation.
An existing active defense mechanism judges whether an unknown program suspected of being malicious is a malicious program from the parent process at the time the unknown program runs: if the parent process of the unknown program is the Program Manager process, the unknown program is considered to be a program the user actively opened and no alarm is raised; if the parent process of the unknown program is not the Program Manager process, the unknown program is considered not to have been opened by the user but to have been started by some other process, and it is then considered a malicious program. But suppose, for example, that a program with the file name "f.exe" starts the malicious program with the file name "a.exe" by a mouse click simulated with MSAA technology: the parent process of the malicious program "a.exe" is then the Program Manager process, although the start was actually initiated by the program "f.exe", and so the detection of the active defense mechanism has been bypassed. On this basis, the invention provides a malware detection method and device that achieve detection of malicious programs started by a mouse click simulated with MSAA technology.
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to embodiments and the accompanying drawings. The exemplary embodiments of the invention and their explanation serve only to explain the invention and do not limit it.
Embodiment 1
This embodiment provides a malware detection method; Fig. 2 is the flow chart of the malware detection method, which comprises steps S11 to S15.
Step S11: monitor simulated mouse-click operations and process-creation operations.
Specifically, simulated mouse-click operations are monitored by hooking the function in the Program Manager process that implements a simulated mouse click. Because a simulated mouse click may be made on the executable itself or on a shortcut to the executable, the monitoring can hook the function in the Program Manager process that implements a simulated mouse click on the executable itself, namely the SendInput() function exported by user32.dll in the Program Manager process; or it can hook the function in the Program Manager process that implements a simulated mouse click on a shortcut to the executable, namely the IContextMenu::InvokeCommand() function in a COM interface of shell32.dll in the Program Manager process; or, of course, it can hook both the function that implements a simulated click on the executable itself and the function that implements a simulated click on a shortcut at the same time. Because a malicious program started by a mouse click simulated with MSAA technology is started by the Program Manager process calling the API function for process creation, process-creation operations are monitored by hooking the function in the Program Manager process that implements process creation, so that the process path created for the simulated mouse-click operation is obtained.
Step S12: when a simulated mouse-click operation is detected, judge whether the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface.
Specifically, stack backtracking is performed on the simulated mouse-click operation to obtain the call stack of the simulated mouse-click operation. If the simulated mouse-click operation clicked on the executable itself, backtracking is performed from the SendInput() function exported by user32.dll in the Program Manager process; if it clicked on a shortcut to the executable, backtracking is performed from the IContextMenu::InvokeCommand() function in a COM interface of shell32.dll in the Program Manager process. Taking function A calling function B as an example, the principle of stack backtracking is as follows. The EBP value of the called function B (that is, the stack base of function B) is the memory address at which the EBP value of the caller A is stored. Backtracking from function B, the EBP value of the caller A is read through the EBP value of B, which prepares for the next step upwards; in addition, the return address stored next to it in memory is taken out, and from that return address the caller in which it lies can be found; then, using the EBP value of function A, the backtrace continues upwards to obtain the address of A's caller. Because the correspondence between the address of each caller in the system and the module name of that caller is fixed, once the address of a caller is obtained, calling the GetModuleHandleExW() function with that address yields the module name of the caller. After the caller addresses and their module names have been obtained, that is, after the call stack of the simulated mouse-click operation has been obtained, it is determined from that call stack whether the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface: if the call stack of the simulated mouse-click operation matches the following call stack,
UIAutomationCore
UIAutomationCore
UIAutomationCore
oleacc
oleacc
rpcrt4
rpcrt4
ole32
ole32
Ole32
then the simulated mouse-click operation is determined to be a remote procedure call initiated through the IAccessible interface.
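The frame-pointer walk and the call-stack decision of step S12, as an added illustration that is not the patent's own code. The stack memory, the module base addresses, the return addresses and the helper names are constructed here so the walk runs offline; "matches the following call stack" is read as the listed modules appearing as one contiguous run, in order, anywhere in the walked stack.

```python
"""Frame-pointer stack walk and IAccessible-RPC call-stack check (step S12).

Added illustration of the stack-backtracking step the text describes, not the
patent's code. Stack memory, module bases and return addresses are constructed
below so the walk runs offline on any platform.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Call-stack shape the text gives for a simulated click initiated through
# IAccessible as a remote procedure call, innermost caller first. The text
# spells one entry "Ole32", so comparison is case-insensitive.
IACCESSIBLE_RPC_STACK = [
    "UIAutomationCore", "UIAutomationCore", "UIAutomationCore",
    "oleacc", "oleacc", "rpcrt4", "rpcrt4", "ole32", "ole32", "ole32",
]
Module = Tuple[int, int, str]  # (base address, size, module name)
START_EBP = 0x0019F000         # EBP of the hooked SendInput frame (constructed)


def walk_frames(memory: Dict[int, int], ebp: int, max_frames: int = 64) -> List[int]:
    """Return addresses reachable from the frame whose EBP is `ebp`.

    32-bit layout as the text describes it: [ebp] holds the caller's saved EBP,
    [ebp + 4] the return address into that caller. Stops at a zero or unreadable
    EBP, at a saved EBP not above the current frame (corrupt chain), or at
    `max_frames`.
    """
    addrs: List[int] = []
    while len(addrs) < max_frames and ebp != 0:
        if ebp not in memory or ebp + 4 not in memory:
            break  # unreadable frame: a real walker would fault here
        addrs.append(memory[ebp + 4])
        saved_ebp = memory[ebp]
        if saved_ebp != 0 and saved_ebp <= ebp:
            break  # the stack grows down, so a caller's frame sits higher
        ebp = saved_ebp
    return addrs


def module_of(address: int, modules: Sequence[Module]) -> Optional[str]:
    """Address -> module name, the lookup GetModuleHandleExW performs for an
    address; None when the address lies in no known module."""
    for base, size, name in modules:
        if base <= address < base + size:
            return name
    return None


def call_stack(memory: Dict[int, int], ebp: int, modules: Sequence[Module]) -> List[str]:
    """Module name of every return address on the walk ('?' if unresolved)."""
    return [module_of(a, modules) or "?" for a in walk_frames(memory, ebp)]


def is_iaccessible_rpc(stack: Sequence[str]) -> bool:
    """S12 decision: the stack contains the IACCESSIBLE_RPC_STACK run in order.

    Frames of the hooked function may precede the run and frames of the RPC
    worker thread may follow it, hence a contiguous-subsequence test.
    """
    want = [m.lower() for m in IACCESSIBLE_RPC_STACK]
    have = [m.lower() for m in stack]
    n = len(want)
    return any(have[i:i + n] == want for i in range(len(have) - n + 1))


# --- constructed sample: module map and two stacks --------------------------
MODULES: List[Module] = [  # constructed 32-bit bases, not real load addresses
    (0x74A00000, 0x00100000, "UIAutomationCore"),
    (0x73B00000, 0x00040000, "oleacc"),
    (0x76C00000, 0x000C0000, "rpcrt4"),
    (0x75E00000, 0x00180000, "ole32"),
    (0x77000000, 0x000E0000, "kernel32"),
]
# Return addresses for the chain the text lists, then a kernel32 frame.
RPC_CLICK_CHAIN = [0x74A01234, 0x74A05678, 0x74A09ABC, 0x73B01111, 0x73B02222,
                   0x76C03333, 0x76C04444, 0x75E05555, 0x75E06666, 0x75E07777,
                   0x77001000]
# A click issued from an application's own code (0x00401000 is in no listed
# module), with no RPC runtime on the stack.
DIRECT_CLICK_CHAIN = [0x00401000, 0x77001000]


def build_stack(return_addrs: Sequence[int], bottom_ebp: int = START_EBP) -> Dict[int, int]:
    """Lay frames out 0x20 bytes apart: [ebp] = caller's EBP, [ebp+4] = return
    address; the outermost frame's saved EBP is 0 to end the chain."""
    memory: Dict[int, int] = {}
    ebp = bottom_ebp
    for i, ret in enumerate(return_addrs):
        memory[ebp] = 0 if i == len(return_addrs) - 1 else ebp + 0x20
        memory[ebp + 4] = ret
        ebp += 0x20
    return memory


def classify_click(chain: Sequence[int]) -> bool:
    """Walk a constructed stack for `chain` and apply the S12 decision."""
    return is_iaccessible_rpc(call_stack(build_stack(chain), START_EBP, MODULES))
```

`classify_click(RPC_CLICK_CHAIN)` yields True and `classify_click(DIRECT_CLICK_CHAIN)` False; a real hook would replace `build_stack` with the live EBP of the hooked function and `MODULES` with the loaded-module list.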
If the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface, step S13 is executed: parse the file name of the unknown program that the simulated mouse-click operation clicked on and the thread ID of the originating end of the remote procedure call.
Specifically, the file name of the unknown program is obtained from the parameters of the function that implements the simulated mouse-click operation. If the simulated mouse-click operation clicked on the executable itself, the file name of the unknown program is obtained from the parameters of the SendInput() function exported by user32.dll in the Program Manager process; if it clicked on a shortcut to the executable, the file name of the unknown program is obtained through the IContextMenu::InvokeCommand() function in a COM interface of shell32.dll in the Program Manager process. The thread ID of the originating end of the remote procedure call can be obtained through the thread environment block: the data pointed to by ReservedForOle in the thread environment block is a structure, and the value at offset +0x0034 of that structure is the thread ID.
Step S14: judge whether the file name of the unknown program is a substring of the process path of the target process, the target process being the process created by the process-creation operation detected after the simulated mouse-click operation.
After a simulated mouse-click operation occurs, the Program Manager process creates a process for the simulated mouse-click operation. By judging whether the file name of the unknown program is a substring of the process path of the target process, the process that the Program Manager process created for the simulated mouse-click operation is found. The judgement is made by matching the file name of the unknown program against the process path of the target process: if the string of the process path of the target process contains the string of the file name of the unknown program, the file name of the unknown program is a substring of the process path of the target process. Further, because in abnormal situations, such as a problem with the hook on the function that implements process creation in the Program Manager process, no process is created for the simulated mouse-click operation, it can be required that the creation time of the target process minus the occurrence time of the simulated mouse-click operation is less than a preset time difference, that is, that the target process is created within the preset time difference after the occurrence time of the simulated mouse-click operation. The preset time difference can be configured according to the processing speed of the system: the faster the system, the smaller the preset time difference can be set; in this embodiment the preset time difference is set to 1 s.
If the file name of the unknown program is a substring of the process path of the target process, step S15 is executed: analyse whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID.
If the file name of the unknown program is a substring of the process path of the target process, the target process is the process created by the Program Manager process for the simulated mouse-click operation; chain analysis is then performed on the process ID of the target process, the process path of the target process and the thread ID, that is, the process ID of the target process, the process path of the target process and the thread ID are compared against the rules of a local virus database or of the cloud to determine whether the unknown program is a malicious program. If the process ID of the target process, the process path of the target process and the thread ID match a rule of the local virus database or of the cloud, the unknown program is determined to be a malicious program. It should be noted that those skilled in the art know how to compare the process ID of the target process, the process path of the target process and the thread ID against the rules of a local virus database or of the cloud, so this embodiment does not elaborate on it.
Further, if the unknown program is a malicious program, warning information is generated to prompt the user that a malicious program exists on the computer equipment. After the warning information is generated, it can also be sent to the user. For example, the warning information can be sent to a specified e-mail address by mail, sent to a specified mobile terminal by short message, displayed directly on the computer equipment in a dialog box, or sent to the user by instant messaging. Of course, the warning information can be sent to the user by any one of the above means or by a combination of any several of them.
With the malware detection method provided by this embodiment, when a simulated mouse-click operation that is a remote procedure call initiated through the IAccessible interface is detected, whether the unknown program is a malicious program is analysed comprehensively from the process ID and process path created for the simulated mouse-click operation and from the thread ID of the originating end of the remote procedure call, rather than only from the parent process at the time the unknown program runs; detection of malicious programs started by a mouse click simulated with MSAA technology is thereby achieved.
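The correlation of steps S13 to S15 (file name from the hook, thread ID from the TEB, the process created within the 1 s window, the substring test, and the comparison with the rule base), as an added example that is not the patent's code. The text leaves the rule format to the virus database, so the rule shape used here (a glob on the created process path plus a glob on the image of the process owning the originating thread), the thread-to-image table and all event values are constructed assumptions built around the text's f.exe / a.exe scenario.

```python
"""Click/process-creation correlation and rule matching (steps S13 to S15).

Added illustration of the decision logic the text describes, not the patent's
code. The events, the thread table and the rule base are constructed here; in a
deployment they would come from the SendInput / InvokeCommand hooks, the TEB
and the process-creation hook.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, Optional, Sequence

PRESET_TIME_DIFF_S = 1.0  # the 1 s window this embodiment sets


@dataclass(frozen=True)
class ClickEvent:
    """A simulated click already classified (S12) as an IAccessible RPC."""
    t: float         # time the click was observed, seconds
    filename: str    # from the hooked function's parameter (S13)
    origin_tid: int  # RPC originating thread, read from the TEB (S13)


@dataclass(frozen=True)
class ProcessCreated:
    """One event from the process-creation hook (S11)."""
    t: float
    pid: int
    path: str


@dataclass(frozen=True)
class Rule:
    """Constructed rule shape (an assumption; the text leaves rules to the
    virus database): a glob on the created process path and a glob on the
    image of the process that owns the originating thread."""
    path_glob: str
    originator_glob: str = "*"


@dataclass(frozen=True)
class Alert:
    pid: int
    path: str
    origin_tid: int
    originator: str
    rule: Rule


def find_target_process(click: ClickEvent,
                        created: Sequence[ProcessCreated]) -> Optional[ProcessCreated]:
    """S14: first process created at or after the click, inside the preset
    window, whose path contains the clicked file name (case-insensitive)."""
    for p in sorted(created, key=lambda e: e.t):
        if p.t < click.t:
            continue  # created before the click: cannot be its result
        if p.t - click.t >= PRESET_TIME_DIFF_S:
            break     # window closed: treated as no process created
        if click.filename.lower() in p.path.lower():
            return p
    return None


def analyse(click: ClickEvent, target: ProcessCreated,
            threads: Dict[int, str], rules: Sequence[Rule]) -> Optional[Alert]:
    """S15: compare (pid, path, originating thread) with the rule base. The
    thread ID is resolved to its owner's image through the constructed table."""
    originator = threads.get(click.origin_tid, "?")
    for rule in rules:
        if (fnmatch(target.path.lower(), rule.path_glob.lower())
                and fnmatch(originator.lower(), rule.originator_glob.lower())):
            return Alert(target.pid, target.path, click.origin_tid, originator, rule)
    return None


def detect(click: ClickEvent, created: Sequence[ProcessCreated],
           threads: Dict[int, str], rules: Sequence[Rule]) -> Optional[Alert]:
    """S13 to S15 end to end: None means no warning information is generated."""
    target = find_target_process(click, created)
    return analyse(click, target, threads, rules) if target else None


# --- constructed sample: the text's f.exe starting a.exe scenario ------------
THREADS: Dict[int, str] = {           # thread ID -> image of the owning process
    0x1A2C: r"C:\Users\alice\Downloads\f.exe",
    0x0F10: r"C:\Windows\explorer.exe",
}
RULES = [
    Rule(r"C:\a.exe", r"*\f.exe"),    # the pairing from the text's example
    Rule(r"*\*.scr"),                 # any screensaver launched this way
]
CREATED = [
    ProcessCreated(10.2, 4160, r"C:\Windows\System32\notepad.exe"),
    ProcessCreated(10.4, 4172, r"C:\a.exe"),
    ProcessCreated(12.9, 4180, r"C:\a.exe"),
]
CLICK_BY_F = ClickEvent(10.0, "a.exe", 0x1A2C)         # clicked via MSAA from f.exe
CLICK_BY_EXPLORER = ClickEvent(10.0, "a.exe", 0x0F10)  # originating thread is explorer's
CLICK_LATE = ClickEvent(11.5, "a.exe", 0x1A2C)         # nearest a.exe is 1.4 s later
```

`detect(CLICK_BY_F, CREATED, THREADS, RULES)` returns an Alert for pid 4172 attributed to f.exe, while the explorer-originated and the late clicks return None: the first fails the rule, the second falls outside the 1 s window.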
Embodiment 2
Based on the same inventive concept, this embodiment provides a malware detection device, which comprises:
a first monitoring module 21, for monitoring simulated mouse-click operations;
a second monitoring module 22, for monitoring process-creation operations;
a first judgement module 23, for judging, when a simulated mouse-click operation is detected, whether the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface;
a parsing module 24, for parsing, when the simulated mouse-click operation is a remote procedure call initiated through the IAccessible interface, the file name of the unknown program that the simulated mouse-click operation clicked on and the thread ID of the originating end of the remote procedure call;
a second judgement module 25, for judging whether the file name of the unknown program is a substring of the process path of a target process, the target process being the process created by the process-creation operation detected after the simulated mouse-click operation;
an analysis module 26, for analysing, when the file name of the unknown program is a substring of the process path of the target process, whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID.
Further, the first monitoring module 21 includes:
a first hook module, for hooking the function in the Program Manager process that implements a simulated mouse click on an executable itself; and/or
a second hook module, for hooking the function in the Program Manager process that implements a simulated mouse click on a shortcut to an executable.
Further, the second monitoring module 22 includes:
a third hook module, for hooking the function in the Program Manager process that implements process creation.
Further, the first judgement module 23 includes:
a call-stack acquisition module, for performing stack backtracking on the simulated mouse-click operation to obtain the call stack of the simulated mouse-click operation;
a determination module, for determining from the call stack of the simulated mouse-click operation whether it is a remote procedure call initiated through the IAccessible interface.
Further, the parsing module 24 includes:
a file-name acquisition module, for obtaining the file name of the unknown program from the parameters of the function that implements the simulated mouse-click operation;
a thread-ID acquisition module, for obtaining the thread ID from the thread environment block.
Further, the creation time of the target process minus the occurrence time of the simulated mouse-click operation is less than a preset time difference.
Further, the malware detection device further includes:
a warning-information generation module, for generating warning information when the unknown program is a malicious program.
Further, the malware detection device further includes:
a sending module, for sending the warning information to the user by one of, or a combination of several of, mail, short message, dialog box and instant messaging.
For the specific working principle of the malware detection device, refer to the description of steps S11 to S15 in embodiment 1; it is not repeated in this embodiment.
Embodiment 3
Based on the same inventive concept, this embodiment provides a computer-readable storage medium on which a computer program is stored. If the malicious program detection method provided in Embodiment 1 of the present invention is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the present invention may also implement all or part of the process of the malicious program detection method provided in Embodiment 1 by instructing the relevant hardware through a computer program; the computer program can be stored in a computer-readable storage medium, and when executed by a processor it can implement the steps of each of the method embodiments above. The computer program includes computer program code, which can be in source code form, object code form, an executable file, some intermediate form, or the like. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and the like. It should be noted that the content included in the computer-readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, a computer-readable medium does not include electrical carrier signals and telecommunication signals.
The specific embodiments described above further describe in detail the purpose, technical solution and beneficial effects of the present invention. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit the protection scope of the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
The invention discloses A1, a malicious program detection method, comprising:
Monitoring simulated mouse click operations and process creation operations;
When a simulated mouse click operation is detected, judging whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface;
If the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface, parsing the file name of the unknown program clicked by the simulated mouse click operation and the thread ID of the originating end of the remote procedure call;
Judging whether the file name of the unknown program is a substring of the process path of a target process, the target process being the process created by the process creation operation detected after the simulated mouse click operation;
If the file name of the unknown program is a substring of the process path of the target process, analyzing whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID.
A2, the malicious program detection method according to A1, wherein monitoring simulated mouse click operations includes:
Hooking the function in the Program Manager process that implements a simulated mouse click on an executable program file; and/or
Hooking the function in the Program Manager process that implements a simulated mouse click on a shortcut to an executable program.
A3, the malicious program detection method according to A1, wherein monitoring process creation operations includes:
Hooking the function in the Program Manager process that implements process creation.
A4, the malicious program detection method according to A1, wherein judging whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface includes:
Performing a stack backtrace on the simulated mouse click operation to obtain the call stack of the simulated mouse click operation;
Determining, according to the call stack of the simulated mouse click operation, whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface.
A5, the malicious program detection method according to A1, wherein parsing the file name of the unknown program clicked by the simulated mouse click operation and the thread ID of the originating end of the remote procedure call includes:
Obtaining the file name of the unknown program from the parameters of the function that implements the simulated mouse click operation;
Obtaining the thread ID from the thread environment block.
A6, the malicious program detection method according to A1, wherein the creation time of the target process minus the time of occurrence of the simulated mouse click operation is less than a preset time difference.
A7, the malicious program detection method according to A1, wherein, after analyzing whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID, the method further includes:
If the unknown program is a malicious program, generating warning information.
A8, the malicious program detection method according to A7, wherein, after generating the warning information, the method further includes:
Sending the warning information to the user through one or a combination of mail, short message, dialog box and instant messaging.
The invention also discloses B9, a malicious program detection device, comprising:
A first monitoring module, for monitoring simulated mouse click operations;
A second monitoring module, for monitoring process creation operations;
A first judgment module, for judging, when a simulated mouse click operation is detected, whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface;
A parsing module, for parsing, when the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface, the file name of the unknown program clicked by the simulated mouse click operation and the thread ID of the originating end of the remote procedure call;
A second judgment module, for judging whether the file name of the unknown program is a substring of the process path of a target process, the target process being the process created by the process creation operation detected after the simulated mouse click operation;
An analysis module, for analyzing, when the file name of the unknown program is a substring of the process path of the target process, whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID.
B10, the malicious program detection device according to B9, wherein the first monitoring module includes:
A first hook module, for hooking the function in the Program Manager process that implements a simulated mouse click on an executable program file; and/or
A second hook module, for hooking the function in the Program Manager process that implements a simulated mouse click on a shortcut to an executable program.
B11, the malicious program detection device according to B9, wherein the second monitoring module includes:
A third hook module, for hooking the function in the Program Manager process that implements process creation.
B12, the malicious program detection device according to B9, wherein the first judgment module includes:
A call stack acquisition module, for performing a stack backtrace on the simulated mouse click operation to obtain the call stack of the simulated mouse click operation;
A determining module, for determining, according to the call stack of the simulated mouse click operation, whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface.
B13, the malicious program detection device according to B9, wherein the parsing module includes:
A file name acquisition module, for obtaining the file name of the unknown program from the parameters of the function that implements the simulated mouse click operation;
A thread ID acquisition module, for obtaining the thread ID from the thread environment block.
B14, the malicious program detection device according to B9, wherein the creation time of the target process minus the time of occurrence of the simulated mouse click operation is less than a preset time difference.
B15, the malicious program detection device according to B9, further including:
A warning information generation module, for generating warning information when the unknown program is a malicious program.
B16, the malicious program detection device according to B15, further including:
A sending module, for sending the warning information to the user through one or a combination of mail, short message, dialog box and instant messaging.
The invention also discloses C17, a computer-readable storage medium on which a computer program is stored, wherein the malicious program detection method according to any one of A1 to A8 is implemented when the computer program is executed by a processor.
The invention also discloses D18, a computer device, including a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein the processor implements the malicious program detection method according to any one of A1 to A8 when executing the computer program.
Claims (10)
1. A malicious program detection method, characterized in that it comprises:
Monitoring simulated mouse click operations and process creation operations;
When a simulated mouse click operation is detected, judging whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface;
If the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface, parsing the file name of the unknown program clicked by the simulated mouse click operation and the thread ID of the originating end of the remote procedure call;
Judging whether the file name of the unknown program is a substring of the process path of a target process, the target process being the process created by the process creation operation detected after the simulated mouse click operation;
If the file name of the unknown program is a substring of the process path of the target process, analyzing whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID.
2. The malicious program detection method according to claim 1, characterized in that monitoring simulated mouse click operations includes:
Hooking the function in the Program Manager process that implements a simulated mouse click on an executable program file; and/or
Hooking the function in the Program Manager process that implements a simulated mouse click on a shortcut to an executable program.
3. The malicious program detection method according to claim 1, characterized in that monitoring process creation operations includes:
Hooking the function in the Program Manager process that implements process creation.
4. The malicious program detection method according to claim 1, characterized in that judging whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface includes:
Performing a stack backtrace on the simulated mouse click operation to obtain the call stack of the simulated mouse click operation;
Determining, according to the call stack of the simulated mouse click operation, whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface.
5. The malicious program detection method according to claim 1, characterized in that parsing the file name of the unknown program clicked by the simulated mouse click operation and the thread ID of the originating end of the remote procedure call includes:
Obtaining the file name of the unknown program from the parameters of the function that implements the simulated mouse click operation;
Obtaining the thread ID from the thread environment block.
6. The malicious program detection method according to claim 1, characterized in that the creation time of the target process minus the time of occurrence of the simulated mouse click operation is less than a preset time difference.
7. The malicious program detection method according to claim 1, characterized in that, after analyzing whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID, the method further includes:
If the unknown program is a malicious program, generating warning information.
8. A malicious program detection device, characterized in that it comprises:
A first monitoring module, for monitoring simulated mouse click operations;
A second monitoring module, for monitoring process creation operations;
A first judgment module, for judging, when a simulated mouse click operation is detected, whether the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface;
A parsing module, for parsing, when the simulated mouse click operation is a remote procedure call initiated through the IAccessible interface, the file name of the unknown program clicked by the simulated mouse click operation and the thread ID of the originating end of the remote procedure call;
A second judgment module, for judging whether the file name of the unknown program is a substring of the process path of a target process, the target process being the process created by the process creation operation detected after the simulated mouse click operation;
An analysis module, for analyzing, when the file name of the unknown program is a substring of the process path of the target process, whether the unknown program is a malicious program according to the process ID of the target process, the process path of the target process and the thread ID.
9. A computer-readable storage medium on which a computer program is stored, characterized in that the malicious program detection method according to any one of claims 1 to 7 is implemented when the computer program is executed by a processor.
10. A computer device, including a memory, a processor and a computer program stored on the memory and runnable on the processor, characterized in that the processor implements the malicious program detection method according to any one of claims 1 to 7 when executing the computer program.
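The decision chain of claims 1, 6 and 7 (items A1, A6 and A7 above) run over constructed events, as an added example that is not code from the patent: a hooked simulated click carries the clicked file name, the originating thread ID and a stack backtrace, and is correlated with later process creations by the substring check and the preset time difference. The call-stack module markers, the 2000 ms window and all sample events are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ClickEvent:
    """A simulated mouse click as seen by the hook in the Program Manager process."""
    time_ms: int           # time of occurrence of the simulated click
    filename: str          # clicked program's file name, from the hooked function's parameters
    origin_tid: int        # thread ID of the remote-call originating end, from the thread environment block
    call_stack: List[str]  # module names from a stack backtrace of the click, innermost first


@dataclass
class ProcessCreateEvent:
    """A process creation as seen by the process-creation hook."""
    time_ms: int
    pid: int
    path: str

# Assumption for illustration (the patent only says "determine from the call stack"):
# a click delivered as a remote procedure call through IAccessible shows both the RPC
# runtime and the accessibility library among its frames.
IACCESSIBLE_RPC_MARKERS = ("rpcrt4.dll", "oleacc.dll")


def is_iaccessible_rpc(click: ClickEvent) -> bool:
    """Judge from the call stack whether the click is an RPC initiated via IAccessible."""
    frames = {frame.lower() for frame in click.call_stack}
    return all(marker in frames for marker in IACCESSIBLE_RPC_MARKERS)


def find_target_process(click: ClickEvent, creations: List[ProcessCreateEvent],
                        max_delta_ms: int) -> Optional[ProcessCreateEvent]:
    """First process created after the click and within max_delta_ms whose path contains
    the clicked file name (compared case-insensitively, as Windows paths are)."""
    for event in sorted(creations, key=lambda e: e.time_ms):
        delta = event.time_ms - click.time_ms
        if delta < 0 or delta >= max_delta_ms:
            continue  # created before the click, or outside the preset time difference
        if click.filename.lower() in event.path.lower():
            return event
    return None


def detect(click: ClickEvent, creations: List[ProcessCreateEvent],
           max_delta_ms: int = 2000) -> Optional[dict]:
    """Run the decision chain; returns the triple handed to the final analysis step
    (process ID, process path, originating thread ID) or None if the click does not
    qualify. The 2000 ms preset time difference is a constructed value."""
    if not is_iaccessible_rpc(click):
        return None
    target = find_target_process(click, creations, max_delta_ms)
    if target is None:
        return None
    return {"pid": target.pid, "path": target.path, "origin_tid": click.origin_tid}


def warning_text(finding: dict) -> str:
    """Warning information generated once the analysis step flags the program."""
    return (f"suspicious IAccessible-driven launch: pid={finding['pid']} "
            f"path={finding['path']} originating thread={finding['origin_tid']}")

# Constructed sample events: a click on "payload.exe" arriving through an accessibility
# RPC, then an unrelated process, then the clicked program starting 900 ms after the click.
SAMPLE_CLICK = ClickEvent(time_ms=10_000, filename="payload.exe", origin_tid=4242,
                          call_stack=["user32.dll", "oleacc.dll", "rpcrt4.dll", "ntdll.dll"])
SAMPLE_CREATIONS = [
    ProcessCreateEvent(time_ms=10_400, pid=5001, path=r"C:\Windows\System32\notepad.exe"),
    ProcessCreateEvent(time_ms=10_900, pid=5002, path=r"C:\Users\demo\Downloads\payload.exe"),
]
# A click whose stack shows no RPC frames is an ordinary local click and must not be flagged.
SAMPLE_USER_CLICK = ClickEvent(time_ms=10_000, filename="payload.exe", origin_tid=4243,
                               call_stack=["user32.dll", "explorer.exe", "ntdll.dll"])
```

Shrinking the window below the 900 ms gap (or removing the RPC frames from the stack) makes `detect` return None, which is how the time-difference and call-stack conditions gate the later analysis.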
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811641802.5A CN109753791B (en) | 2018-12-29 | 2018-12-29 | Malicious program detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109753791A true CN109753791A (en) | 2019-05-14 |
CN109753791B CN109753791B (en) | 2024-07-26 |
Family
ID=66404490
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811641802.5A Active CN109753791B (en) | 2018-12-29 | 2018-12-29 | Malicious program detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109753791B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112131565A (en) * | 2020-09-27 | 2020-12-25 | 浙江华途信息安全技术股份有限公司 | Transparent encryption and decryption anti-cracking method and management equipment thereof |
CN112380540A (en) * | 2020-11-13 | 2021-02-19 | 武汉虹旭信息技术有限责任公司 | Android application security detection method and device |
CN113360913A (en) * | 2021-08-10 | 2021-09-07 | 杭州安恒信息技术股份有限公司 | Malicious program detection method and device, electronic equipment and storage medium |
CN114465752A (en) * | 2021-12-10 | 2022-05-10 | 奇安信科技集团股份有限公司 | Remote call detection method and device, electronic equipment and storage medium |
CN114465753A (en) * | 2021-12-10 | 2022-05-10 | 奇安信科技集团股份有限公司 | Remote operation behavior identification method and device, electronic equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100082733A1 (en) * | 2008-09-30 | 2010-04-01 | Microsoft Corporation | Extensible remote programmatic access to user interface |
CN106557701A (en) * | 2016-11-28 | 2017-04-05 | 北京奇虎科技有限公司 | kernel leak detection method and device based on virtual machine |
CN106682513A (en) * | 2016-11-28 | 2017-05-17 | 北京奇虎科技有限公司 | Detection method for target sample file and device |
Non-Patent Citations (2)
Title |
---|
CHAO SHEN et al.: "Performance evaluation of anomaly-detection algorithms for mouse dynamics", pages 1-16, retrieved from the Internet: https://www.sciencedirect.com/science/article/pii/S0167404814000807 * |
党华 et al.: "Linux系统中基于系统调用序列的病毒检测方法研究" (Research on a virus detection method based on system call sequences in Linux systems), 《计算机工程与应用》 (Computer Engineering and Applications), 14 April 2005, pages 129-131 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant ||