CN109933986B - Malicious code detection method and device - Google Patents
Publication number: CN109933986B (application CN201910174299.5A)
Authority: CN (China)
Prior art keywords: function, sensitive, path, program, operating system
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The application discloses a malicious code detection method and device, wherein a calling path of a sensitive function in the process of executing a program of a Linux operating system is obtained, whether the calling path is the sensitive path or not is determined, and when the calling path is determined to be the sensitive path, the threat of malicious codes in the program of the Linux operating system is determined. Different from the malicious code protection method in the prior art, the scheme provided by the embodiment of the application is that the malicious code is detected based on the function call relation contained in the program of the operating system, unknown malicious code can be detected, and the malicious code generated after the known malicious code is deformed can be detected, and compared with the method for protecting the malicious code based on the Linux operating system, the protection granularity is finer, so that the malicious code can be effectively detected even if the malicious code is implanted into a white list program.
Description
Technical Field
The present application relates to the technical field of network security protection, and more particularly, to a malicious code detection method and apparatus.
Background
With the rapid development of network and computer technologies, Linux operating systems are gradually used by more and more network users, and the network security problem under the Linux operating systems receives more and more attention. Currently, the network security problem under the Linux operating system is mostly caused by an attacker implanting malicious codes (such as viruses, worms, backdoor programs, and the like) into the programs of the Linux operating system, and in order to avoid the malicious codes threatening the network security under the Linux operating system, the malicious codes implanted into the programs of the Linux operating system generally need to be protected.
In the prior art, the following two protection methods for malicious code are mainly used:
First, malicious code implanted in a program of the Linux operating system is detected based on feature codes of the malicious code. A feature code is a series of bytes, extracted from known malicious code, that represents a class of malicious code, and the feature codes of the various malicious codes form a feature library. Detection based on feature codes means comparing and matching the feature library against the program of the Linux operating system, and thereby judging whether malicious code has been implanted into the program. However, for unknown malicious code, and for malicious code generated by deforming known malicious code, this detection method finds nothing, and so cannot avert the threat such code poses to network security under the Linux operating system.
Secondly, a white list program is preset, if an attacker implants malicious codes into other programs except the white list program, the malicious codes are not allowed to be executed because the programs are not in the white list program, so that the network security problem under the Linux operating system can be prevented from being threatened by the malicious codes, but if the attacker implants the malicious codes into the white list program, the malicious codes are allowed to be executed, and in this case, the network security problem under the Linux operating system can not be prevented from being threatened by the malicious codes.
Therefore, the existing protection mode for malicious codes cannot protect part of malicious codes, so that the protection reliability of the malicious codes is low, and therefore, how to improve the protection reliability of the malicious codes becomes a technical problem to be solved by technical personnel in the field.
Disclosure of Invention
In view of the above, the present application is proposed to provide a malicious code detection method and apparatus that overcomes or at least partially solves the above problems. The specific scheme is as follows:
a method of malicious code detection, the method comprising:
acquiring a calling path of a sensitive function in the process of executing a program of a Linux operating system;
when the calling path is a sensitive path, determining that the threat of malicious codes exists in the program of the Linux operating system;
the sensitive function is a function which can access the resources of the Linux operating system and/or a function which can change the state of the Linux operating system;
the sensitive path is a calling path except a normal calling path set by the Linux operating system for the sensitive function.
Preferably, the method further comprises:
before a call path of a sensitive function in the process of executing a program of the Linux operating system is obtained, the sensitive function in the program of the Linux operating system and a function used in the sensitive path are instrumented to obtain the instrumented program of the Linux operating system.
Preferably, the obtaining of the call path of the sensitive function in the process of executing the program of the Linux operating system includes:
and tracking the sensitive function and the calling of the function used in the sensitive path in the process of executing the instrumented program of the Linux operating system, and acquiring the calling path of the sensitive function in the process of executing the program of the Linux operating system.
Preferably, the method further comprises:
before the instrumentation is carried out on the sensitive function in the program of the Linux operating system and the function used in the sensitive path, the sensitive function is determined and the sensitive path is determined.
Preferably, the determining the sensitivity function includes:
determining a file operation function, a creating process function, a memory operation function, a network access function and a system related function in a program of the Linux operation system as sensitive functions;
the file operation function comprises any one or more of an open function, an open64 function, a read function, a lead function, a write function and a write function;
the creating process function comprises any one or more of an execute function, a clone function and a fexecve function;
the memory operation function comprises any one or more of a ptrace function, a process_vm_write function and a memfd_create function;
the network access function comprises any one or more of a connect function, an accept function, a sendto function and a recvfrom function;
the system correlation function comprises any one or more of an mknodat function, a chroot function, and an init_module function.
Preferably, the determining the sensitive path includes:
determining the following paths as sensitive paths:
a path in which a syscall function with a system call number directly calls the sensitive function;
a path in which the sensitive function is directly called through any one or more of a dlopen function, a dlmopen function, an __libc_dlopen function, a __libc_dlsym function, a dlvsym function, a dlsym_dot function, and a _dl_sym function;
a path in which a memfd_create function is first called to generate, under the /proc/self/fd/ directory, a file descriptor whose name carries the memfd: prefix, and that memfd: file descriptor is then executed by a fexecve function.
Preferably, the method further comprises:
and after determining that the threat of the malicious code exists in the program of the Linux operating system, outputting alarm information, wherein the alarm information is used for prompting a user that the threat of the malicious code exists in the program of the Linux operating system.
A malicious code detection apparatus comprising:
the acquiring unit is used for acquiring a calling path of a sensitive function in the process of executing a program of the Linux operating system;
the determining unit is used for determining that the threat of malicious codes exists in the program of the Linux operating system when the calling path is a sensitive path;
the sensitive function is a function which can access the resources of the Linux operating system and/or a function which can change the state of the Linux operating system;
the sensitive path is a calling path except a normal calling path set by the Linux operating system for the sensitive function.
A storage medium having stored thereon a program which, when executed by a processor, implements the malicious code detection method as described above.
An electronic device comprising a memory for storing a program and a processor for running the program, wherein the program runs to perform the malicious code detection method as described above.
By means of the above technical scheme, the malicious code detection method and apparatus obtain the calling path of a sensitive function while a program of the Linux operating system is executed, determine whether that calling path is a sensitive path, and, when it is, determine that a threat of malicious code exists in the program of the Linux operating system. Different from the prior-art protection methods for malicious code, the scheme provided by the embodiments of the application detects malicious code based on the function call relations contained in the program of the operating system; it can therefore detect unknown malicious code and malicious code generated by deforming known malicious code, and its protection granularity is finer than that of methods which protect at the level of whole programs of the Linux operating system, so that malicious code can be effectively detected even when it is implanted into a white list program.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is a schematic flowchart of a malicious code detection method according to an embodiment of the present disclosure;
Fig. 2 is a schematic flowchart of another malicious code detection method according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of a malicious code detection apparatus according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of another malicious code detection apparatus according to an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The inventor found, in the process of implementing the scheme of the application, that even when the two existing protection modes are combined, namely detecting known malicious code implanted in a program of the Linux operating system by its feature codes, and further protecting against unknown malicious code and malicious code derived by deforming known malicious code by only executing white list programs, malicious code implanted into a white list program still cannot be protected against. The reason is that these modes only consider the source of the malicious code and grant protection per program of the Linux operating system, so the protection granularity is too coarse.
The embodiment of the application provides a corresponding improvement scheme aiming at the situation. The scheme can be provided for a security protection system of a Linux operating system host to use, the security protection system detects the malicious codes in the running process, and different from the protection method of the malicious codes in the prior art, the scheme provided by the embodiment of the application detects the malicious codes based on the function call relation contained in the program of the operating system, and compared with the method for protecting the malicious codes based on the Linux operating system, the protection granularity is finer, so that the malicious codes can be effectively detected even if the malicious codes are implanted into a white list program.
The following describes in detail specific implementations provided in embodiments of the present application.
Example one
In this embodiment, a malicious code detection method is provided from the perspective of a security protection system of a Linux operating system host, and specifically, referring to fig. 1, the method may specifically include:
S101: acquiring a calling path of a sensitive function in the process of executing a program of a Linux operating system;
S102: when the calling path is a sensitive path, determining that the threat of malicious codes exists in the program of the Linux operating system.
It should be noted that the sensitive function is a function that can access resources of the Linux operating system and/or a function that can change a state of the Linux operating system, and the sensitive path is a call path other than a normal call path set by the Linux operating system for the sensitive function.
According to the malicious code detection method provided by the embodiment, the calling path of the sensitive function in the process of executing the program of the Linux operating system is obtained, whether the calling path is the sensitive path or not is determined, and when the calling path is determined to be the sensitive path, the threat of the malicious code in the program of the Linux operating system is determined. Different from the protection method for malicious codes in the prior art, the scheme provided by the embodiment of the application detects the malicious codes based on the function call relation contained in the program of the operating system, and compared with the method for protecting the malicious codes based on the Linux operating system, the protection granularity is finer, so that the malicious codes can be effectively detected even if the malicious codes are implanted into a white list program.
Example two
The second embodiment is based on the first embodiment, and provides another malicious code detection method from the perspective of a security protection system of a Linux operating system host, and specifically, referring to fig. 2, the method may specifically include:
S201: determining the sensitive function and determining the sensitive path;
as an implementable manner, in the present application, it is determined that a file operation function, a creation process function, a memory operation function, a network access function, and a system related function in a program of the Linux operating system are sensitive functions:
wherein the file operation function comprises any one or more of an open function, an open64 function, a read function, a lead function, a write function and a write function;
the creating process function comprises any one or more of an execute function, a clone function and a fexecve function;
the memory operation function comprises any one or more of a ptrace function, a process_vm_write function and a memfd_create function;
the network access function comprises any one or more of a connect function, an accept function, a sendto function and a recvfrom function;
the system correlation function comprises any one or more of an mknodat function, a chroot function, and an init_module function.
As an implementation manner, in the present application, the following paths are determined as sensitive paths:
a path in which a syscall function with a system call number directly calls the sensitive function;
a path in which the sensitive function is directly called through any one or more of a dlopen function, a dlmopen function, an __libc_dlopen function, a __libc_dlsym function, a dlvsym function, a dlsym_dot function, and a _dl_sym function;
a path in which a memfd_create function is first called to generate, under the /proc/self/fd/ directory, a file descriptor whose name carries the memfd: prefix, and that memfd: file descriptor is then executed by a fexecve function.
It should be further noted that, different programs of the Linux operating system and different determined sensitive functions are also different, and besides the cases listed in the above embodiments, other sensitive function determination methods are also within the protection scope of the embodiments of the present application. Different programs of the Linux operating system are different, and the determined sensitive path is also different, and besides the cases listed in the above embodiments, other sensitive path determining manners are also within the protection scope of the embodiment of the present application.
S202: performing instrumentation on the sensitive function in the program of the Linux operating system and the function used in the sensitive path to obtain the instrumented program of the Linux operating system;
S203: tracking the sensitive function and the calling of the function used in the sensitive path in the process of executing the instrumented program of the Linux operating system, and acquiring the calling path of the sensitive function in the process of executing the instrumented program of the Linux operating system;
based on the foregoing embodiment, the embodiment of the present application further provides two examples of tracking the sensitive function and the call of the function used in the sensitive path in the process of executing the instrumented program of the Linux operating system, and acquiring a call path of the sensitive function in the process of executing the program of the Linux operating system, which are specifically as follows:
example one:
After instrumentation, the dlsym function in the sensitive path is the first to be observed, and it is found to call the syscall function next. Since the syscall function is instrumented as well, monitoring continues, and the syscall function is found to call the openat64 function among the sensitive functions. Through this tracking, the calling path of the openat64 sensitive function is determined to run through the syscall function.
Example two:
After dynamic instrumentation, the memfd_create function in the sensitive path is the first to be observed, and the fexecve function is found to be called subsequently. Since the fexecve function is instrumented as a sensitive function, monitoring continues until a memory file descriptor whose name has the memfd: prefix is found to be executed. Through this tracking, the calling path of the fexecve sensitive function is determined to be "a memfd_create function is first called to generate a memfd: file descriptor under the /proc/self/fd/ directory, and that memfd: file descriptor is then executed by the fexecve function".
S204: when the calling path is a sensitive path, determining that the threat of malicious codes exists in the program of the Linux operating system;
In the first example, the calling path of the openat64 sensitive function is compared with the sensitive paths and is found to match the sensitive path "a syscall function with a system call number directly calls the sensitive function", so it is determined that a threat of malicious code exists in the program of the Linux operating system.
In the second example, the calling path of the fexecve sensitive function is compared with the sensitive paths and is found to match the sensitive path "a memfd_create function is first called to generate a memfd: file descriptor under the /proc/self/fd/ directory, and that memfd: file descriptor is then executed by the fexecve function", so it is determined that a threat of malicious code exists in the program of the Linux operating system.
S205: and outputting alarm information, wherein the alarm information is used for prompting a user that the threat of malicious codes exists in the program of the Linux operating system.
From the malicious code detection method provided by this embodiment it can be seen that the set of functions used in the sensitive paths and the set of sensitive functions intersect, and that the causal relations between these functions form a layered protection system, so that malicious code can be accurately detected through their different combinations.
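As an added illustration that is not code from the patent, the following Python matcher replays a constructed instrumentation trace and applies the three sensitive-path rules of step S201 to the call paths obtained in step S203, reproducing the two tracking examples above. The trace format, the Event and Alert types, and the sample values are assumptions; the function names are the page's, with spelling normalised.

```python
"""Matcher for the three sensitive-path rules of step S201, applied to the
call paths that the instrumented functions of step S203 would report.

Assumed trace format (not from the patent): each Event is what a hook on a
sensitive function, or on a function used in a sensitive path, would emit:
the callee name, the chain of instrumented frames active above it
(outermost first) and a few recorded arguments.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sensitive functions listed on the page, spelling normalised; "openat64"
# is the function reached in the page's first tracking example.
SENSITIVE_FUNCS = {
    "open", "open64", "openat64", "read", "write",      # file operations
    "clone", "fexecve",                                 # process creation
    "ptrace", "process_vm_writev", "memfd_create",      # memory operations
    "connect", "accept", "sendto", "recvfrom",          # network access
    "mknodat", "chroot", "init_module",                 # system related
}

# Run-time symbol resolvers / loaders from the page's second rule.
LOADER_FUNCS = {"dlopen", "dlmopen", "__libc_dlopen", "__libc_dlsym",
                "dlvsym", "dlsym", "_dl_sym"}


@dataclass
class Event:
    func: str                                        # instrumented function entered
    stack: List[str] = field(default_factory=list)   # instrumented callers, outermost first
    args: Dict[str, object] = field(default_factory=dict)
    ret: Optional[int] = None                        # return value, when recorded


@dataclass
class Alert:
    func: str   # sensitive function that was reached
    rule: str   # which sensitive-path rule matched
    path: str   # the call path, for the alarm message of step S205


def detect(trace: List[Event]) -> List[Alert]:
    """Replay a trace and flag every sensitive function whose call path is a
    sensitive path.  The only state kept across events is the map from file
    descriptors returned by memfd_create to their memfd: names."""
    memfds: Dict[int, str] = {}
    alerts: List[Alert] = []
    for ev in trace:
        # Remember descriptors produced by memfd_create: the kernel exposes
        # them as /proc/self/fd/<n> -> /memfd:<name> (deleted).
        if ev.func == "memfd_create" and ev.ret is not None and ev.ret >= 0:
            memfds[ev.ret] = "memfd:%s" % ev.args.get("name", "")
        if ev.func not in SENSITIVE_FUNCS:
            continue
        path = " -> ".join(ev.stack + [ev.func])
        caller = ev.stack[-1] if ev.stack else None
        # Rule 1: the sensitive function is entered through syscall(nr, ...).
        if caller == "syscall":
            alerts.append(Alert(ev.func, "syscall-number", path))
        # Rule 2: the sensitive function is called straight from a resolver.
        elif caller in LOADER_FUNCS:
            alerts.append(Alert(ev.func, "dynamic-loader", path))
        # Rule 3: fexecve of a descriptor that memfd_create handed out earlier.
        fd = ev.args.get("fd")
        if ev.func == "fexecve" and fd in memfds:
            alerts.append(Alert(ev.func, "memfd-exec",
                                "memfd_create -> /proc/self/fd/%d (%s) -> fexecve"
                                % (fd, memfds[fd])))
    return alerts


# Constructed trace: one benign open64 from the program's own code (empty
# stack, i.e. no instrumented caller), then the page's two tracking examples
# and one direct call through __libc_dlsym.
SAMPLE_TRACE = [
    Event("open64", [], {"path": "/tmp/data"}, ret=3),
    Event("dlsym", [], {"symbol": "syscall"}),
    Event("syscall", ["dlsym"], {"nr": 257}),             # 257 = openat on x86-64
    Event("openat64", ["dlsym", "syscall"], {"path": "/tmp/data"}),
    Event("connect", ["__libc_dlsym"], {"port": 8080}),
    Event("memfd_create", [], {"name": "x"}, ret=4),
    Event("fexecve", [], {"fd": 4}),
]


def summarize(trace: List[Event]) -> List[tuple]:
    """(function, rule) pairs, the form the alarm of step S205 would report."""
    return [(a.func, a.rule) for a in detect(trace)]


if __name__ == "__main__":
    for a in detect(SAMPLE_TRACE):
        print("ALERT %-10s rule=%-14s path=%s" % (a.func, a.rule, a.path))
```

A benign open64 or a memfd_create that is never executed produces no alert, which is the "normal calling path" the patent excludes from the sensitive paths.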
Example three
The third embodiment corresponds to the first embodiment, and provides a malicious code detection apparatus from the perspective of a security protection system of a Linux operating system, and specifically, referring to fig. 3, the apparatus may specifically include:
an obtaining unit 31, configured to obtain a call path to a sensitive function in a process that a program of the Linux operating system is executed;
a determining unit 32, configured to determine that a threat of a malicious code exists in a program of the Linux operating system when the call path is a sensitive path;
the sensitive function is a function which can access the resources of the Linux operating system and/or a function which can change the state of the Linux operating system;
the sensitive path is a calling path except a normal calling path set by the Linux operating system for the sensitive function.
Preferably, referring to fig. 4, the apparatus further comprises:
the instrumentation unit 41 is configured to, before obtaining a call path to a sensitive function in a process of executing a program of the Linux operating system, perform instrumentation on the sensitive function in the program of the Linux operating system and a function used in the sensitive path to obtain an instrumented program of the Linux operating system.
Preferably, the obtaining unit is specifically configured to:
and tracking the sensitive function and the calling of the function used in the sensitive path in the process of executing the instrumented program of the Linux operating system, and acquiring the calling path of the sensitive function in the process of executing the program of the Linux operating system.
Preferably, the apparatus further comprises:
a sensitive function determining unit 42, configured to determine the sensitive function before the instrumentation is performed on the sensitive function in the program of the Linux operating system and the function used in the sensitive path;
a sensitive path determining unit 43, configured to determine the sensitive path before the instrumentation is performed on the sensitive function in the program of the Linux operating system and the function used in the sensitive path.
Preferably, the sensitive function determining unit is specifically configured to:
determining a file operation function, a creating process function, a memory operation function, a network access function and a system related function in a program of the Linux operation system as sensitive functions;
the file operation function comprises any one or more of an open function, an open64 function, a read function, a lead function, a write function and a write function;
the creating process function comprises any one or more of an execute function, a clone function and a fexecve function;
the memory operation function comprises any one or more of a ptrace function, a process_vm_write function and a memfd_create function;
the network access function comprises any one or more of a connect function, an accept function, a sendto function and a recvfrom function;
the system correlation function comprises any one or more of an mknodat function, a chroot function, and an init_module function.
Preferably, the sensitive path determining unit is specifically configured to:
determining the following paths as sensitive paths:
a path in which a syscall function with a system call number directly calls the sensitive function;
a path in which the sensitive function is directly called through any one or more of a dlopen function, a dlmopen function, an __libc_dlopen function, a __libc_dlsym function, a dlvsym function, a dlsym_dot function, and a _dl_sym function;
a path in which a memfd_create function is first called to generate, under the /proc/self/fd/ directory, a file descriptor whose name carries the memfd: prefix, and that memfd: file descriptor is then executed by a fexecve function.
Preferably, the apparatus further comprises:
and an alarm unit 44, configured to output alarm information after determining that the threat of the malicious code exists in the program of the Linux operating system, where the alarm information is used to prompt a user that the threat of the malicious code exists in the program of the Linux operating system.
It should be noted that specific implementations of the above units have been described in detail in the method embodiments, and please refer to relevant contents in the method embodiments, which is not described in detail in this embodiment.
The malicious code detection device comprises a processor and a memory, wherein the units are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises one or more kernels; a kernel calls the corresponding program unit from the memory, and the detection of the malicious code is realized by adjusting the kernel parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present application provides a storage medium on which a program is stored, and the program implements the malicious code detection method when executed by a processor.
The embodiment of the application provides a processor, wherein the processor is used for running a program, and the malicious code detection method is executed when the program runs.
The embodiment of the application provides an electronic device, the electronic device comprises a processor, a memory and a program which is stored on the memory and can be run on the processor, and the following steps are realized when the processor executes the program:
acquiring a calling path of a sensitive function in the process of executing a program of a Linux operating system;
when the calling path is a sensitive path, determining that the threat of malicious codes exists in the program of the Linux operating system;
the sensitive function is a function which can access the resources of the Linux operating system and/or a function which can change the state of the Linux operating system;
the sensitive path is a calling path except a normal calling path set by the Linux operating system for the sensitive function.
Preferably, the method further comprises:
before a call path of a sensitive function in the process of executing a program of the Linux operating system is obtained, the sensitive function in the program of the Linux operating system and a function used in the sensitive path are instrumented to obtain the instrumented program of the Linux operating system.
Preferably, the obtaining of the call path of the sensitive function in the process of executing the program of the Linux operating system includes:
and tracking the sensitive function and the calling of the function used in the sensitive path in the process of executing the instrumented program of the Linux operating system, and acquiring the calling path of the sensitive function in the process of executing the program of the Linux operating system.
Preferably, the method further comprises:
before the instrumentation is carried out on the sensitive function in the program of the Linux operating system and the function used in the sensitive path, the sensitive function is determined and the sensitive path is determined.
Preferably, the determining the sensitivity function includes:
determining a file operation function, a creating process function, a memory operation function, a network access function and a system related function in a program of the Linux operation system as sensitive functions;
the file operation function comprises any one or more of an open function, an open64 function, a read function, a lead function, a write function and a write function;
the creating process function comprises any one or more of an execute function, a clone function and a fexecve function;
the memory operation function comprises any one or more of a ptrace function, a process_vm_write function and a memfd_create function;
the network access function comprises any one or more of a connect function, an accept function, a sendto function and a recvfrom function;
the system correlation function comprises any one or more of an mknodat function, a chroot function, and an init_module function.
Preferably, the determining the sensitive path includes:
determining the following paths as sensitive paths:
a path in which a syscall function with a system call number directly calls the sensitive function;
a path in which the sensitive function is directly called through any one or more of a dlopen function, a dlmopen function, an __libc_dlopen function, a __libc_dlsym function, a dlvsym function, a dlsym_dot function, and a _dl_sym function;
a path in which a memfd_create function is first called to generate, under the /proc/self/fd/ directory, a file descriptor whose name carries the memfd: prefix, and that memfd: file descriptor is then executed by a fexecve function.
Preferably, the method further comprises:
after determining that the threat of malicious code exists in the program of the Linux operating system, outputting alarm information, wherein the alarm information is used for prompting a user that the threat of malicious code exists in the program of the Linux operating system.
The electronic device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted to execute a program that initializes the following method steps when run on a data processing device:
acquiring a calling path of a sensitive function in the process of executing a program of a Linux operating system;
when the calling path is a sensitive path, determining that the threat of malicious codes exists in the program of the Linux operating system;
the sensitive function is a function which can access the resources of the Linux operating system and/or a function which can change the state of the Linux operating system;
the sensitive path is a calling path except a normal calling path set by the Linux operating system for the sensitive function.
Preferably, the method further comprises:
before a call path of a sensitive function in the process of executing a program of the Linux operating system is obtained, the sensitive function in the program of the Linux operating system and a function used in the sensitive path are instrumented to obtain the instrumented program of the Linux operating system.
Preferably, the obtaining of the call path of the sensitive function in the process of executing the program of the Linux operating system includes:
tracking calls to the sensitive function and to the functions used in the sensitive path while the instrumented program of the Linux operating system executes, and thereby acquiring the calling path of the sensitive function during execution of the program of the Linux operating system.
Preferably, the method further comprises:
before the instrumentation is carried out on the sensitive function in the program of the Linux operating system and the function used in the sensitive path, the sensitive function is determined and the sensitive path is determined.
Preferably, the determining the sensitive function includes:
determining a file operation function, a process creation function, a memory operation function, a network access function and a system related function in a program of the Linux operating system as sensitive functions;
the file operation function comprises any one or more of an open function, an open64 function, a read function, a pread function, a write function and a pwrite function;
the process creation function comprises any one or more of an execve function, a clone function and a fexecve function;
the memory operation function comprises any one or more of a ptrace function, a process_vm_writev function and a memfd_create function;
the network access function comprises any one or more of a connect function, an accept function, a sendto function and a recvfrom function;
the system related function comprises any one or more of an mknodat function, a chroot function and an init_module function.
Preferably, the determining the sensitive path includes:
determining the following paths as sensitive paths:
a path in which the sensitive function is called directly through the syscall function with a system call number;
a path in which the sensitive function is called directly through any one or more of a dlopen function, a dlmopen function, an __libc_dlopen function, an __libc_dlsym function, a dlvsym function, a dlsym_dot function and a _dl_sym function;
a path in which the memfd_create function is first called to create a memory file descriptor that appears under the /proc/self/fd/ directory with the memfd: tag, and that memfd: file descriptor is then executed through a fexecve function.
Preferably, the method further comprises:
after determining that the threat of malicious code exists in the program of the Linux operating system, outputting alarm information, wherein the alarm information is used for prompting a user that the threat of malicious code exists in the program of the Linux operating system.
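The sensitive-function list and the three sensitive-path rules stated in the description (and repeated in claim 1) can be encoded as a small event-driven detector. The following C program is an added example and is not code from the patent or its applicant: it assumes that an instrumentation layer emits one record per hooked call, carrying the hooked function name, the immediate caller the hook observed, and, for memfd_create and fexecve, the file descriptor involved. The record layout, the caller field, and the sample trace are constructed for this example; a real tracer would recover the caller from the return address or a stack walk. The only rule that needs state is the memfd_create/fexecve pairing, which the detector tracks by remembering descriptors returned by memfd_create.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Sensitive functions, grouped as the description groups them. */
static const char *const sensitive_functions[] = {
    "open", "open64", "read", "pread", "write", "pwrite",   /* file operation */
    "execve", "clone", "fexecve",                           /* process creation */
    "ptrace", "process_vm_writev", "memfd_create",          /* memory operation */
    "connect", "accept", "sendto", "recvfrom",              /* network access */
    "mknodat", "chroot", "init_module",                     /* system related */
    NULL
};

/* Symbol-resolution / library-loading routines through which a sensitive
 * function may be reached on a sensitive path (rule 2 of the description). */
static const char *const resolver_functions[] = {
    "dlopen", "dlmopen", "__libc_dlopen", "__libc_dlsym",
    "dlsym", "dlvsym", "_dl_sym", NULL
};

enum verdict { NORMAL_PATH = 0, RAW_SYSCALL_PATH, RESOLVER_PATH, MEMFD_EXEC_PATH };

/* One record from a hook on a sensitive function. Layout is assumed for this example. */
struct hook_event {
    const char *callee;  /* hooked function that was entered */
    const char *caller;  /* immediate caller seen by the hook: "main", "syscall", "dlsym", ... */
    long value;          /* memfd_create: fd returned; fexecve: fd executed; otherwise -1 */
};

#define MAX_MEMFD 32
struct detector {
    long memfd[MAX_MEMFD];  /* descriptors known to have come from memfd_create */
    size_t nmemfd;
};

static int in_list(const char *const *list, const char *name)
{
    for (; *list != NULL; ++list)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}

static int is_known_memfd(const struct detector *d, long fd)
{
    for (size_t i = 0; i < d->nmemfd; ++i)
        if (d->memfd[i] == fd)
            return 1;
    return 0;
}

void detector_init(struct detector *d) { d->nmemfd = 0; }

/* Feed one hook event and return the verdict for that call. */
enum verdict detector_feed(struct detector *d, const struct hook_event *e)
{
    if (!in_list(sensitive_functions, e->callee))
        return NORMAL_PATH;                        /* only sensitive callees are judged */

    /* Rule 3 bookkeeping: remember descriptors produced by memfd_create. */
    if (strcmp(e->callee, "memfd_create") == 0 && e->value >= 0 && d->nmemfd < MAX_MEMFD)
        d->memfd[d->nmemfd++] = e->value;

    if (strcmp(e->caller, "syscall") == 0)         /* rule 1: syscall(number, ...) */
        return RAW_SYSCALL_PATH;
    if (in_list(resolver_functions, e->caller))    /* rule 2: reached via dl* resolution */
        return RESOLVER_PATH;
    if (strcmp(e->callee, "fexecve") == 0 && is_known_memfd(d, e->value))
        return MEMFD_EXEC_PATH;                    /* rule 3: fexecve on a memfd: descriptor */
    return NORMAL_PATH;
}

/* Run an event trace through a fresh detector and count the alerts raised. */
size_t count_alerts(const struct hook_event *trace, size_t n)
{
    struct detector d;
    size_t alerts = 0;
    detector_init(&d);
    for (size_t i = 0; i < n; ++i) {
        enum verdict v = detector_feed(&d, &trace[i]);
        if (v != NORMAL_PATH) {
            ++alerts;
            printf("ALERT: %s called via %s (verdict %d)\n", trace[i].callee, trace[i].caller, (int)v);
        }
    }
    return alerts;
}

/* Constructed sample trace; not captured from a real program. */
static const struct hook_event sample_trace[] = {
    { "open",         "main",    -1 },  /* normal libc wrapper path */
    { "open",         "syscall", -1 },  /* syscall(SYS_open, ...): rule 1 */
    { "connect",      "dlsym",   -1 },  /* pointer obtained through dlsym: rule 2 */
    { "memfd_create", "main",     3 },  /* returns fd 3; recorded, itself normal */
    { "fexecve",      "main",     3 },  /* executes the memfd: descriptor: rule 3 */
    { "fexecve",      "main",     7 },  /* fd 7 is not a memfd: normal */
    { "malloc",       "main",    -1 },  /* not a sensitive function: ignored */
};
#define SAMPLE_LEN (sizeof sample_trace / sizeof sample_trace[0])

int main(void)
{
    printf("%zu alert(s)\n", count_alerts(sample_trace, SAMPLE_LEN));
    return 0;
}
```

The sample trace yields three alerts, one per rule. The memfd_create call itself is a sensitive function on a normal path and is not flagged; only the later fexecve on the descriptor it returned is, which is what distinguishes the patent's third sensitive path from an ordinary use of memfd_create.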
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (8)
1. A method for malicious code detection, the method comprising:
acquiring a calling path of a sensitive function in the process of executing a program of a Linux operating system, wherein the calling of the sensitive function and the function used in the sensitive path is tracked to acquire the calling path of the sensitive function in the process of executing the program of the Linux operating system;
when the calling path is a sensitive path, determining that the threat of malicious code exists in the program of the Linux operating system; wherein the functions in the sensitive path intersect with the sensitive functions;
the sensitive function is a function for accessing the resources of the Linux operating system and/or a function for changing the state of the Linux operating system;
the sensitive path is a calling path except a normal calling path set by a Linux operating system for the sensitive function;
the method further comprises the following steps:
determining the sensitive function and determining the sensitive path;
the determining the sensitive function includes:
determining a file operation function, a process creation function, a memory operation function, a network access function and a system related function in a program of the Linux operating system as sensitive functions;
the file operation function comprises any one or more of an open function, an open64 function, a read function, a pread function, a write function and a pwrite function;
the process creation function comprises any one or more of an execve function, a clone function and a fexecve function;
the memory operation function comprises any one or more of a ptrace function, a process_vm_writev function and a memfd_create function;
the network access function comprises any one or more of a connect function, an accept function, a sendto function and a recvfrom function;
the system related function comprises any one or more of an mknodat function, a chroot function and an init_module function;
the determining the sensitive path includes:
determining the following paths as sensitive paths:
a path in which the sensitive function is called directly through the syscall function with a system call number;
a path in which the sensitive function is called directly through any one or more of a dlopen function, a dlmopen function, an __libc_dlopen function, an __libc_dlsym function, a dlvsym function, a dlsym_dot function and a _dl_sym function;
a path in which the memfd_create function is first called to create a memory file descriptor that appears under the /proc/self/fd/ directory with the memfd: tag, and that memfd: file descriptor is then executed through a fexecve function.
2. The method of claim 1, further comprising:
before a call path of a sensitive function in the process of executing a program of the Linux operating system is obtained, the sensitive function in the program of the Linux operating system and a function used in the sensitive path are instrumented to obtain the instrumented program of the Linux operating system.
3. The method of claim 2,
the acquiring of the call path of the sensitive function in the process of executing the program of the Linux operating system comprises the following steps:
tracking calls to the sensitive function and to the functions used in the sensitive path while the instrumented program of the Linux operating system executes, and thereby acquiring the calling path of the sensitive function during execution of the program of the Linux operating system.
4. The method of claim 2, wherein:
before the instrumentation is carried out on the sensitive function in the program of the Linux operating system and the function used in the sensitive path, the sensitive function is determined and the sensitive path is determined.
5. The method of any one of claims 1 to 4, further comprising:
after determining that the threat of malicious code exists in the program of the Linux operating system, outputting alarm information, wherein the alarm information is used for prompting a user that the threat of malicious code exists in the program of the Linux operating system.
6. A malicious code detection apparatus, comprising:
the acquiring unit is used for acquiring a calling path of a sensitive function in the process of executing the program of the Linux operating system, and tracking the sensitive function and the calling of the function used in the sensitive path so as to acquire the calling path of the sensitive function in the process of executing the program of the Linux operating system;
the first determining unit is used for determining that the threat of malicious code exists in the program of the Linux operating system when the calling path is a sensitive path; wherein the functions in the sensitive path intersect with the sensitive functions;
the sensitive function is a function for accessing the resources of the Linux operating system and/or a function for changing the state of the Linux operating system;
the sensitive path is a calling path except a normal calling path set by a Linux operating system for the sensitive function;
the device further comprises:
a second determining unit, configured to determine the sensitive function and determine the sensitive path;
wherein said determining said sensitive function comprises:
determining a file operation function, a process creation function, a memory operation function, a network access function and a system related function in a program of the Linux operating system as sensitive functions;
the file operation function comprises any one or more of an open function, an open64 function, a read function, a pread function, a write function and a pwrite function;
the process creation function comprises any one or more of an execve function, a clone function and a fexecve function;
the memory operation function comprises any one or more of a ptrace function, a process_vm_writev function and a memfd_create function;
the network access function comprises any one or more of a connect function, an accept function, a sendto function and a recvfrom function;
the system related function comprises any one or more of an mknodat function, a chroot function and an init_module function;
the determining the sensitive path includes:
determining the following paths as sensitive paths:
a path in which the sensitive function is called directly through the syscall function with a system call number;
a path in which the sensitive function is called directly through any one or more of a dlopen function, a dlmopen function, an __libc_dlopen function, an __libc_dlsym function, a dlvsym function, a dlsym_dot function and a _dl_sym function;
a path in which the memfd_create function is first called to create a memory file descriptor that appears under the /proc/self/fd/ directory with the memfd: tag, and that memfd: file descriptor is then executed through a fexecve function.
7. A storage medium on which a program is stored, the program implementing the malicious code detection method according to any one of claims 1 to 5 when executed by a processor.
8. An electronic device comprising a memory for storing a program and a processor for executing the program, wherein the program when executed performs the malicious code detection method of any of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910174299.5A CN109933986B (en) | 2019-03-08 | 2019-03-08 | Malicious code detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109933986A CN109933986A (en) | 2019-06-25 |
CN109933986B true CN109933986B (en) | 2022-02-15 |
Family
ID=66986624
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910174299.5A Active CN109933986B (en) | 2019-03-08 | 2019-03-08 | Malicious code detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109933986B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110472409B (en) * | 2019-08-06 | 2021-02-09 | 长沙学院 | Process management method and system based on white list mechanism |
CN110955894B (en) * | 2019-11-22 | 2022-09-30 | 深信服科技股份有限公司 | Malicious content detection method and device, electronic equipment and readable storage medium |
CN116611068B (en) * | 2023-07-21 | 2023-09-29 | 北京安天网络安全技术有限公司 | File scanning method based on confusion path, electronic equipment and storage medium |
CN118312959B (en) * | 2024-06-07 | 2024-09-10 | 卓望数码技术(深圳)有限公司 | Quick investigation method and device for abnormal Trojan asset of existing network host equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102054149A (en) * | 2009-11-06 | 2011-05-11 | 中国科学院研究生院 | Method for extracting malicious code behavior characteristic |
CN105550581A (en) * | 2015-12-10 | 2016-05-04 | 北京奇虎科技有限公司 | Malicious code detection method and device |
CN108694320A (en) * | 2018-05-15 | 2018-10-23 | 中国科学院信息工程研究所 | The method and system of sensitive application dynamic measurement under a kind of more security contexts |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103207969B (en) * | 2013-04-12 | 2016-10-05 | 百度在线网络技术(北京)有限公司 | The device of detection Android malware and method |
CN103440459B (en) * | 2013-09-25 | 2016-04-06 | 西安交通大学 | A kind of Android malicious code detecting method based on function call |
CN106778264A (en) * | 2016-11-24 | 2017-05-31 | 北京金山安全管理系统技术有限公司 | The application program analysis method and analysis system of a kind of mobile client |
Also Published As
Publication number | Publication date |
---|---|
CN109933986A (en) | 2019-06-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109933986B (en) | Malicious code detection method and device | |
US11244044B1 (en) | Method to detect application execution hijacking using memory protection | |
US10986103B2 (en) | Signal tokens indicative of malware | |
KR101759008B1 (en) | Profiling code execution | |
CN107066311B (en) | Kernel data access control method and system | |
US8539593B2 (en) | Extraction of code level security specification | |
US9798981B2 (en) | Determining malware based on signal tokens | |
CN107273744B (en) | Electronic device and protection method | |
EP2891104B1 (en) | Detecting a malware process | |
CN112395612A (en) | Malicious file detection method and device, electronic equipment and storage medium | |
CN113569246B (en) | Vulnerability detection method, vulnerability detection device, computer equipment and storage medium | |
KR101064164B1 (en) | Kernel integrity inspection and the recovery method on linux kernel based smart platform | |
US12079337B2 (en) | Systems and methods for identifying malware injected into a memory of a computing device | |
US20080028180A1 (en) | Inappropriate access detector based on system segmentation faults | |
CN114327791B (en) | Virtualization-based trusted computing measurement method, device, equipment and storage medium | |
CN111259386A (en) | Kernel security detection method, device, equipment and storage medium | |
CN115688106A (en) | Method and device for detecting Java agent non-file-injection memory horse | |
CN106911635B (en) | Method and device for detecting whether backdoor program exists in website | |
CN114297630A (en) | Malicious data detection method and device, storage medium and processor | |
CN112395603B (en) | Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment | |
CN111752570A (en) | Compiling method, device, terminal and computer readable storage medium | |
CN110543759A (en) | Malicious file detection method and device, computer equipment and storage medium | |
CN114417341A (en) | Non-invasive system safety protection method and safety protection device | |
CN114936368A (en) | Java memory Trojan detection method, terminal device and storage medium | |
US11989572B2 (en) | Computer system enabled with runtime software module tracking |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||