
CN102622536B - Method for catching malicious codes - Google Patents

Info

Publication number: CN102622536B
Authority: CN (China)
Prior art keywords: stain, api, instruction, packet, data
Legal status: Active
Application number: CN201110029135.7A
Other languages: Chinese (zh)
Other versions: CN102622536A (en)
Inventors: 杨轶, 冯登国, 苏璞睿, 应凌云
Current assignee: Institute of Software of CAS
Original assignee: Institute of Software of CAS
Events: application filed by Institute of Software of CAS; priority to CN201110029135.7A; publication of CN102622536A; application granted; publication of CN102622536B; current legal status: Active

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for capturing malicious code, belonging to the technical field of network security. The method comprises the steps of (1) configuring a hardware emulator and loading and starting a target operating system; (2) having the hardware emulator read the virtual memory of the target operating system, identify all processes and the export tables of the dynamic libraries those processes load, obtain the addresses of all application programming interface (API) functions in the export tables, and intercept the network-receive API functions; (3) marking the data packets that processes receive from the network as taint packets; (4) having the hardware emulator disassemble the instructions executed by the current process and compute taint propagation; and (5) judging whether the state of the current process exhibits abnormal behaviour during taint propagation, and if it does, confirming the current process as malicious code and extracting the malicious code image from the memory of the target operating system. The method achieves fully transparent analysis of malicious code and has high efficiency and accuracy.

Description

A malicious code capturing method
Technical field
The invention belongs to the field of network security technology and specifically relates to a malicious code capturing method based on a hardware emulator and taint propagation.
Background technology
With social development and progress, computers are applied ever more widely in every field of society. Because software vulnerabilities are widespread and users' security awareness is insufficient, Trojans spread faster and faster, their infection scope keeps expanding, and the damage they cause grows more serious by the day. Traditional means of capturing and analysing malicious code are limited by analysis efficiency and by the technical level of users, so the response cycle is hard to shorten and the response speed gradually fails to keep up with this new situation. Improving the ability to capture and analyse malicious code is therefore very necessary.
Existing malicious code capture tools, such as the 360 cloud security platform and the Kingsoft cloud security platform, must modify the operating system, for example by hooking system functions or by registering callback functions through PsSetCreateProcessNotifyRoutine, before they can implement the corresponding capture function. Modifying the operating system itself causes integrity problems, so the patched data or the registered functions are easily discovered by malicious code, which then takes countermeasures. At the same time, because current malicious code capture platforms run in the same operating system as the malicious code, they compete with the malicious code for control of the system, which is unfavourable to accurate and stable capture of malicious code.
Current malicious code capture techniques usually use the following methods:
1. System integrity verification
The system integrity verification method first creates, in a clean system, a system snapshot or a record of the system's file hash data. While the system runs, at random moments or after a specific behaviour has executed, the recorded system snapshot or file hash values are compared with the current files; when the comparison reveals a difference, the system is considered to have been infected with malicious code, and a malicious code sample is extracted.
2. Heuristic detection, extracting illegal behaviour
The heuristic detection method defines normal operations and takes the behaviour they produce as a baseline against which the execution flow of code is compared, measuring the difference between the behaviour of the current malicious code and normal operations; when the behaviour deviates far from normal operations it is considered malicious, and the malicious code sample performing that behaviour is extracted.
The current virtual machine debugging and analysis method for malicious code in hidden processes is implemented with virtual machine systems such as VMware and VirtualPC. Such virtual machine systems hand virtual instructions directly to the local real CPU for execution, and they also contain backdoors. Malicious code in a hidden process can determine that it is running on a virtual system by checking the code execution time or by calling virtual machine backdoor functions, and then takes measures to hide its true function.
In summary, the main defects of current malicious code sample extraction are: hidden processes and the malicious code sit on the same level, so the malicious code easily detects them and takes countermeasures; and only the malicious code sample can be extracted, while the analysis of its behaviour and attack process is insufficient.
Summary of the invention
In view of the technical problems existing in the prior art, the object of the present invention is to provide a malicious code capturing method based on a hardware emulator. By building a malicious code running environment, the method manipulates and controls the emulated CPU instructions and the access operations of the various emulated hardware devices; a data acquisition module inside the hardware emulator collects information on all processes in the system, using CR3 as the process identifier, and analyses process execution; it monitors the running of all processes, extracts the malicious code image directly from virtual memory, analyses the relationship between the attack data and the attack process, and extracts the behavioural characteristics of the malicious code's execution and the characteristics of the attack data.
The technical scheme of the present invention is:
A malicious code capturing method, whose steps are:
1) configure the hardware emulator; the hardware emulator loads and starts the target operating system;
2) the hardware emulator reads the virtual memory of the target operating system, identifies all processes executing in the current system and the export tables of the dynamic libraries loaded by those processes, obtains the addresses of all APIs in those export tables, and intercepts the network-receive API functions;
3) according to the return values of the network-receive API functions, mark the data packets that a process receives from the network as taint packets;
4) the hardware emulator disassembles the instructions executed by the current process; if the offset address and length of an instruction's source operand fall within the range of a taint packet, taint propagation is computed for that instruction; if the instruction is an API function call instruction, the API name is obtained from the API address and the offset and length of its input parameters are checked against the taint data range, and if they fall within the taint data range, taint propagation is computed for that API call;
5) during taint propagation, judge whether the state of the current process exhibits abnormal behaviour; if it does, judge the current process to be malicious code and extract the malicious code image from the memory of the target operating system.
Further, configuring the hardware emulator comprises: configuring the emulated memory size of the hardware emulator, the type of the emulated CPU, and the virtual hard disk.
Further, the method for configuring the virtual hard disk of the hardware emulator is: create a virtual image file using linear addressing and use the created virtual image file as the virtual hard disk.
Further, the method for obtaining the addresses of all APIs in the export table is: compare the names in the export table of the dynamic library with the names in the API table, and obtain the addresses of all APIs in the export table.
Further, the taint propagation computation is: according to the instructions executed by the current process, determine the variables and registers affected by the taint data produced by the taint packet.
Further, the abnormal behaviour comprises: the function return address in the stack of the current process being overwritten by a taint packet or by taint data produced by a taint packet, or the API call sequence executed by the current process matching a predefined abnormal behaviour sequence.
Further, the method for judging whether the state of the current process exhibits abnormal behaviour is:
1) set up abnormal behaviour sequences; the hardware emulator reads them and maintains a singly linked list of abnormal behaviour sequences in memory;
2) create a taint record in the corresponding structure of the current process, and at the same time set up a taint behaviour list that records the instructions and API calls with which the current process operates on the taint packet or on taint data produced by the taint packet;
3) from the moment the current process returns from the network data receive function, analyse each instruction the process subsequently executes:
if the instruction operates on taint data, add the result it produces to the taint record as taint produced by the taint packet, and add the instruction to the taint behaviour list; if it is an API call whose parameters contain the taint packet or taint data produced by the taint packet, add the API call to the taint behaviour list;
4) judge whether the destination address of a taint data operation has overwritten a function return address, and if it has, judge that the state of the current process exhibits abnormal behaviour; judge, according to the taint behaviour list, whether the API calls executed by the process match an abnormal behaviour sequence in memory, and if they do, judge that the state of the current process exhibits abnormal behaviour.
Further, the method for extracting the malicious code image is: trace back the taint behaviour list and, according to the APIs called and the instructions executed by the process that exhibited abnormal behaviour, find the taint data on which the process's behaviour sequence depends; this is the captured malicious code. At the same time, extract the offset, length and content within the whole taint packet of the data that the attack process executed.
Further, the abnormal behaviour sequence is a series of consecutive API operations.
The malicious code capturing method is used as follows:
1. Configure the image path, the emulated memory size of the hardware emulator and the type of emulated CPU; the hardware emulator loads the operating system image to start the target system.
2. Use the hardware emulator to read the memory of the current system and parse the system's memory data, identifying all processes executing in the current system and the export tables of the dynamic libraries those processes load; compare the names in those export tables with the names in the API table to obtain the addresses of all APIs in the export tables, and intercept the predefined network API functions WSARecv, recv and RecvFrom (that is, the network-receive APIs).
3. According to the return values of the network-receive API functions intercepted in step 2, obtain the data packets a process receives from the network and mark those packets as taint data.
4. The hardware emulator disassembles and analyses the instructions executed by the current process during its execution. If the address and offset of the source operand of an instruction belong to the taint source data generated in step 2, taint propagation must be computed for that instruction. If the instruction is an API function call instruction, the API name is obtained from the API address and the address and offset of its input parameters are checked for membership in the taint data; if they belong to the taint data, taint propagation is computed for that API call. The taint propagation computation determines, from the instructions executed by the current process, which variables and registers are affected by the taint packet and by the taint data it produces. For the propagation computation we parse the opcode, source operand and destination operand of each CPU instruction; if the source operand references taint data, the destination operand is also marked as taint data. The purpose of taint propagation is to extract more accurately how the process handles network input data during its execution. During taint propagation the state of the current process is judged, for example: whether the return address in the process's stack has been overwritten by taint data, and whether a consecutive sequence of API calls that implements data forwarding has been executed.
5. Define abnormal behaviour: during program execution, judge whether the function return address in the current process's stack has been overwritten by a taint packet or by taint data produced by a taint packet, or whether the API call sequence executed by the current process matches a predefined abnormal behaviour sequence; abnormal behaviour is judged by these two methods. If abnormal behaviour is found, trace back the whole taint propagation computation, determine the different data regions within the taint data and the role each plays in the attack process, obtain their offset and length within the taint source together with the associated function information, and output this in the format of a log file.
Further, when an illegal change of process state is detected in step 4 above, the sample is extracted automatically. The procedure is: while monitoring the instructions executed by the process, the monitoring program integrated in the hardware emulator obtains the process load address from the EPROCESS structure of the process; starting from that address it reads the code in physical memory, analyses the PE structure of the process's executable file and determines the range of the file that must be read from memory; it then locates the corresponding pages in physical memory through the page tables and, according to the address offset obtained and the size of the file in memory, reads the code image in a single pass.
Compared with the prior art, the advantages and beneficial effects of the present invention are as follows:
1. Because data acquisition in the present invention is implemented by hardware emulation rather than by placing the malicious code on a real CPU for execution, the malicious code can neither perceive whether it is running in a virtual environment nor determine whether it is being traced, so fully transparent analysis of malicious code is achieved.
2. All instructions of the virtual CPU and all hardware operations of the emulated hardware devices of the present invention are executed in emulation after translation, rather than by running code fragments directly on the real machine, so the execution time of each instruction can be computed accurately during execution, which guarantees the transparency of the virtual environment.
3. The present invention analyses malicious code on the basis of taint propagation; by identifying the computation process of the taint data it judges malicious operations and attacks, with higher efficiency and accuracy.
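Steps 3 to 5 of the usage method above, worked as an added example (not code from the patent or from the Institute of Software): a small Python taint engine marks the bytes a receive API returned as a taint packet, propagates taint from source to destination operand over a constructed instruction trace, records the taint behaviour list, and flags a tainted write that covers a saved return address. The operand model, the addresses and the copy-loop trace are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Union


@dataclass(frozen=True)
class Mem:
    """Memory operand: start address and length in bytes (constructed model)."""
    addr: int
    size: int

    def span(self) -> range:
        return range(self.addr, self.addr + self.size)


Operand = Union[str, Mem]   # a register name such as "al", or a memory range


@dataclass(frozen=True)
class Insn:
    op: str        # "mov" copies taint; anything else is treated as arithmetic
    dst: Operand
    src: Operand


@dataclass
class TaintEngine:
    tainted_bytes: Set[int] = field(default_factory=set)    # taint record: memory
    tainted_regs: Set[str] = field(default_factory=set)     # taint record: registers
    behavior_list: List[str] = field(default_factory=list)  # taint behaviour list
    alerts: List[str] = field(default_factory=list)
    ret_slots: List[Mem] = field(default_factory=list)      # saved return addresses

    def mark_taint_packet(self, buf: int, nbytes: int) -> None:
        """Step 3: the receive API returned nbytes into buf; the packet is taint."""
        self.tainted_bytes.update(range(buf, buf + nbytes))
        self.behavior_list.append(f"taint-source buf=0x{buf:x} len={nbytes}")

    def is_tainted(self, opnd: Operand) -> bool:
        if isinstance(opnd, Mem):
            return any(a in self.tainted_bytes for a in opnd.span())
        return opnd in self.tainted_regs

    def _set_taint(self, opnd: Operand, tainted: bool) -> None:
        if isinstance(opnd, Mem):
            if tainted:
                self.tainted_bytes |= set(opnd.span())
            else:
                self.tainted_bytes -= set(opnd.span())
        elif tainted:
            self.tainted_regs.add(opnd)
        else:
            self.tainted_regs.discard(opnd)

    def step(self, insn: Insn) -> bool:
        """Step 4: one instruction.  A tainted source taints the destination;
        a clean mov overwrites (untaints) it; arithmetic keeps taint if either
        operand had it.  Returns True when the instruction touched taint data."""
        src_t, dst_t = self.is_tainted(insn.src), self.is_tainted(insn.dst)
        new_t = src_t if insn.op == "mov" else (src_t or dst_t)
        self._set_taint(insn.dst, new_t)
        if src_t or dst_t:
            self.behavior_list.append(f"{insn.op} {insn.dst} <- {insn.src}")
        if new_t and isinstance(insn.dst, Mem):
            self._check_return_address(insn.dst)
        return src_t or dst_t

    def _check_return_address(self, dst: Mem) -> None:
        """Step 5: a tainted write that covers a saved return address is abnormal."""
        for slot in self.ret_slots:
            if set(dst.span()) & set(slot.span()):
                self.alerts.append(
                    f"tainted write 0x{dst.addr:x} covers return address slot 0x{slot.addr:x}")

    def api_call(self, name: str, params: List[Operand]) -> bool:
        """An API call whose parameters carry taint joins the behaviour list."""
        tainted = sum(1 for p in params if self.is_tainted(p))
        if tainted:
            self.behavior_list.append(f"api {name} tainted-params={tainted}")
        return tainted > 0


def run_demo() -> TaintEngine:
    """Constructed trace: 64 received bytes are copied one byte at a time into
    a 16-byte stack buffer; the saved return address lies 20 bytes above it."""
    eng = TaintEngine()
    recv_buf, local_buf, ret_slot = 0x00403000, 0x0012FF20, 0x0012FF34
    eng.ret_slots.append(Mem(ret_slot, 4))   # read from the stack when recv was hooked
    eng.mark_taint_packet(recv_buf, 64)      # recv returned 64 bytes (EAX == 64)
    for i in range(24):                      # copy loop with no length check
        eng.step(Insn("mov", "al", Mem(recv_buf + i, 1)))
        eng.step(Insn("mov", Mem(local_buf + i, 1), "al"))
    eng.api_call("send", [Mem(0x0012FF10, 4), Mem(local_buf, 16)])  # socket, buffer
    return eng
```

The four alerts correspond to the four tainted byte writes that land on the return-address slot; the final `send` call is recorded in the behaviour list because its buffer parameter is tainted.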
Brief description of the drawings
Fig. 1 is a schematic diagram of the malicious code capturing method based on a hardware emulator and taint propagation.
Fig. 2 is a flow chart of the malicious code capturing method based on a hardware emulator and taint propagation.
Embodiments
The technical scheme of the present invention is described in detail below with reference to the drawings:
As shown in Figure 1, a malicious code capturing method and system based on a hardware emulator and taint propagation comprises the steps:
1. Create the operating system image required to run the target file
The present invention uses linear addressing to create a virtual image file, which is used as a virtual hard disk; on this basis the operating system is installed on the virtual analysis platform.
2. Configure and start the hardware emulator
Configure the image path of the operating system to obtain the location of the operating system image that will actually run; configure the emulated physical memory size, the system start-up time and the type of emulated CPU of the hardware emulator. The hardware emulator allocates memory space of the corresponding size, according to the memory size entered, as the emulated physical memory; it sets the emulator's system clock according to the start-up time entered; and it selects the corresponding instruction decoding engine according to the type of emulated CPU, which implements the translation of source instructions into target instructions and their execution. After these operations, the hardware emulator reads the boot code from the operating system image, points EIP at that boot code, and starts the operating system.
The virtual memory of the present invention is emulated by directly requesting memory of the corresponding size on the real machine. The configured emulated memory size is the basis on which the virtual operating system runs: the larger the emulated memory setting, the faster the virtual operating system runs. The present embodiment allows the emulated memory size to be configured between 216M and 1G.
The type of emulated CPU defined in the present invention is what the decoding module of the hardware emulator uses to convert the instructions of the emulated CPU into instructions of the local CPU for execution, so that the operating system running in the virtual machine executes its instructions correctly; the present invention can emulate multiple CPU types. For example, if the current image was taken from a P4 machine, the type of CPU emulated by the hardware emulator must be configured as P4 and not as another CPU type such as ARM or MIPS, otherwise that operating system cannot run correctly. If the real CPU is an Intel P4 and the CPU emulated by the hardware emulator of the present invention is ARM, the decoding module is needed to convert each ARM instruction into one or more Intel P4 instructions.
3. The hardware emulator executes the instructions of the target operating system and identifies the system calls made and the instructions executed by processes
Application-layer programs access the operating system through APIs. The present embodiment uses address comparison to obtain system calls. Before a process is scheduled for execution, its code has not yet run, but its own executable file and the dynamic libraries the process needs have all been mapped into memory. Therefore, after the process is loaded and before its code executes, the present invention reads the process memory through the memory management module of the hardware emulator and analyses the export tables of the dynamic libraries the process loaded; an export table contains API names and API addresses. By string comparison of the API names in the export table with the names in the API table, the present invention obtains the addresses of all APIs in the export table and adds them to the API table; the API table contains API names, API addresses, API parameters and return values. While the hidden process executes, the EIP value of the hidden process is matched one by one against the function address entries in the API table.
If the EIP value matches the first instruction of a function in the API table, the analysis function is called; it reads the stack and the general-purpose registers of the current CPU to obtain the function parameters and the return address, and when the function executes its return it reads the EAX register to obtain the function return value. The data acquisition module in the hardware emulator records the instruction and the data of its execution, where the data of instruction execution include the files opened by the instruction, the ports opened, the data sent through a port, the files accessed, the processes and threads created, the operating system services created or terminated, the synchronisation objects/mutexes created or used, network data send operations, the file names of file creation operations, and similar information.
4. Judge abnormal program execution and illegal behaviour
Taint propagation analysis is applied to the process execution: a network taint-source marking rule is set manually, all data packets received from the network are marked as taint sources, and this is carried out automatically by the hardware emulator according to the rule. The procedure for judging abnormal program execution and illegal behaviour is as follows:
1) To identify malicious operations of a process, we first set up abnormal behaviour sequences; an abnormal behaviour sequence represents a series of consecutive API operations. The set of these sequences is stored in a configuration file, which the hardware emulator reads, maintaining a singly linked list of abnormal behaviour sequences in memory.
2) When a process in the target system performs a network data receive, the network packet it obtains is marked as a taint packet, a corresponding taint record is created in the process's corresponding structure, and at the same time a taint behaviour list is set up to record the instructions and API calls that operate on the taint packet or on taint data produced by it.
3) From the moment the process returns from the network data receive function, each instruction it subsequently executes is analysed: if the instruction operates on taint data, the result it produces is added to the taint record as taint produced by the taint packet, and the instruction is added to the taint behaviour list; if it is an API call whose parameters contain the taint packet or taint data produced by it, the API call is likewise added to the taint behaviour list. As the process executes, the destination address of each taint data operation is checked to see whether it has overwritten a function return address; at the same time, the API calls executed by the process are matched against the abnormal behaviour sequences in memory. The matching procedure for an abnormal behaviour sequence is: if the name and parameters of the API call that has just occurred are identical to the first API in an abnormal sequence list, the same method is used to continue comparing the subsequent records of that sequence; if there is a difference, the first API of the other predefined abnormal API sequences is searched and matched by the same method. If the taint propagation path can be matched to a predefined abnormal operation sequence, the process currently executing can be judged to be malicious code.
5. Collect and analyse data
After malicious code has been judged, the malicious code sample and the attack data sample must be extracted. Extraction of the malicious code sample is implemented by reading the file in the target operating system image directly loaded by the hardware emulator; extraction of the attack data sample is implemented by dumping the taint packets received by the process. To extract the malicious code better, the present invention traces back the taint behaviour list produced during analysis and, according to the APIs called and the instructions executed by the process in which abnormal behaviour occurred, finds the taint data on which the process's behaviour sequence depends and extracts the malicious code image, where the taint data comprise their offset, length and content within the whole taint packet. The data analysis module receives and stores the data collected by the data acquisition module described above and returns them to the user.
With the malicious code capturing method based on a hardware emulator and taint propagation proposed by the present invention, a person skilled in the art can configure various environment information and design analysis and capture methods as required, and thereby comprehensively analyse the malicious code in hidden processes.
Although specific embodiments and drawings of the present invention are disclosed for the purpose of illustration, their aim is to help understand the content of the present invention and implement it accordingly; those skilled in the art will appreciate that various replacements, changes and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the present invention should not be limited to the most preferred embodiment and the content disclosed in the drawings; the scope of protection of the present invention is defined by the claims.
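The export-table walk and EIP-based API hook of step 3, as an added Python example (not the patent's or the emulator's code): it builds a constructed in-memory DLL image containing only an IMAGE_EXPORT_DIRECTORY and its three arrays, resolves the addresses of the names in the API table by string comparison, and, when EIP hits a hooked address, reads the return address and stdcall parameters from the stack and turns the recv return value into the taint region used in step 4. The image layout, load address, API table and stack contents are assumptions made for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

IMAGE_BASE = 0x71A10000            # constructed load address of the DLL image
EXPORT_DIR_FMT = "<IIHHIIIIIII"    # IMAGE_EXPORT_DIRECTORY, 40 bytes, little-endian
EXPORT_DIR_RVA = 0x100             # where the constructed image places the directory

# Constructed API table: name -> number of 4-byte stdcall stack parameters.
# The names are the network-receive APIs listed in step 2 of the usage method.
API_TABLE: Dict[str, int] = {"WSARecv": 7, "recv": 4, "RecvFrom": 6}


def build_image() -> bytes:
    """Constructed DLL image: only the export directory and its three arrays
    (AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals) are populated."""
    exports = [("closesocket", 0x1000), ("recv", 0x1800), ("RecvFrom", 0x2000),
               ("send", 0x2400), ("WSARecv", 0x3000)]          # (name, code RVA)
    img = bytearray(0x1000)
    func_rva, names_rva, ords_rva, str_rva = 0x140, 0x180, 0x1C0, 0x200
    for i, (name, code_rva) in enumerate(exports):
        struct.pack_into("<I", img, func_rva + 4 * i, code_rva)
        struct.pack_into("<I", img, names_rva + 4 * i, str_rva)
        struct.pack_into("<H", img, ords_rva + 2 * i, i)       # index into functions
        img[str_rva:str_rva + len(name) + 1] = name.encode() + b"\0"
        str_rva += len(name) + 1
    struct.pack_into(EXPORT_DIR_FMT, img, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1,                          # ..., Base = 1
                     len(exports), len(exports), func_rva, names_rva, ords_rva)
    return bytes(img)


def read_cstr(img: bytes, rva: int) -> str:
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def parse_export_table(img: bytes, dir_rva: int, base: int) -> Dict[str, int]:
    """Walk the export directory: name[i] -> base + functions[ordinals[i]]."""
    f = struct.unpack_from(EXPORT_DIR_FMT, img, dir_rva)
    n_names, func_rva, names_rva, ords_rva = f[7], f[8], f[9], f[10]
    table: Dict[str, int] = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, names_rva + 4 * i)[0]
        ordinal = struct.unpack_from("<H", img, ords_rva + 2 * i)[0]
        code_rva = struct.unpack_from("<I", img, func_rva + 4 * ordinal)[0]
        table[read_cstr(img, name_rva)] = base + code_rva
    return table


def resolve_api_addresses(exports: Dict[str, int]) -> Dict[int, str]:
    """String-compare export names with the API table; keep the matches by address."""
    return {addr: name for name, addr in exports.items() if name in API_TABLE}


def hook_at_eip(eip: int, esp: int, stack: Dict[int, int],
                hooked: Dict[int, str]) -> Optional[Tuple[str, int, List[int]]]:
    """When EIP is the first instruction of a hooked API, read the return
    address ([esp]) and the stdcall parameters ([esp+4], [esp+8], ...)."""
    name = hooked.get(eip)
    if name is None:
        return None
    params = [stack[esp + 4 * (i + 1)] for i in range(API_TABLE[name])]
    return name, stack[esp], params


def taint_region_on_return(name: str, params: List[int], eax: int) -> Optional[Tuple[int, int]]:
    """On return from recv, EAX is the byte count and parameter 2 the buffer:
    that (buffer, length) range is the taint packet of step 3."""
    if name == "recv" and eax > 0:
        return params[1], eax
    return None


def run_demo() -> Tuple[Dict[int, str], Tuple[str, int, List[int]], Tuple[int, int]]:
    """Constructed hook of recv(s, buf, len, flags) that returned 64 bytes."""
    hooked = resolve_api_addresses(parse_export_table(build_image(), EXPORT_DIR_RVA, IMAGE_BASE))
    esp = 0x0012FF00
    stack = {esp: 0x00401234,                      # return address into the caller
             esp + 4: 0x1C4, esp + 8: 0x00403000,  # socket handle, buffer
             esp + 12: 0x400, esp + 16: 0}         # buffer length, flags
    hit = hook_at_eip(IMAGE_BASE + 0x1800, esp, stack, hooked)
    region = taint_region_on_return(hit[0], hit[2], 64)
    return hooked, hit, region
```

Only the three names present in the API table end up hooked; exports such as `send` and `closesocket` are walked but not intercepted, and an EIP that is not a hooked entry point yields no hook event.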
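The abnormal behaviour sequence matching of step 4-3 and the taint-source backtrace of step 5, as an added Python example (not the patent's implementation): each API call is compared by name and parameters with the next record of every predefined sequence, a difference restarts that sequence at its first record, and a completed match is traced back to the taint-packet offsets and lengths the matched calls depended on. The sequences, the API call trace and the offsets are constructed for the example, and "*" in a parameter pattern is this example's wildcard.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Pattern = Tuple[object, ...]           # one entry per parameter: literal or "*"
Sequence = List[Tuple[str, Pattern]]   # consecutive (API name, parameter pattern)


@dataclass(frozen=True)
class BehaviorEntry:
    kind: str                  # "insn" (instruction on taint data) or "api"
    name: str                  # mnemonic or API name
    params: Tuple[int, ...]    # API parameters as recovered from the stack
    offsets: FrozenSet[int]    # taint-packet offsets this entry depends on


# Constructed abnormal behaviour sequences (the configuration file of step 4-1).
ABNORMAL_SEQUENCES: Dict[str, Sequence] = {
    "drop-and-execute": [("CreateFileA", ("*", 0x40000000)),   # GENERIC_WRITE
                         ("WriteFile", ("*", "*", "*")),
                         ("CloseHandle", ("*",)),
                         ("CreateProcessA", ("*",))],
    "forward-data": [("connect", ("*", "*")), ("send", ("*", "*", "*"))],
}

# Constructed taint behaviour list for one process after recv() returned 128 bytes:
# offsets 0-3 command word, 8-63 file name, 64-127 file body.
TRACE: List[BehaviorEntry] = [
    BehaviorEntry("insn", "mov", (), frozenset(range(0, 4))),
    BehaviorEntry("api", "GetTickCount", (), frozenset()),
    BehaviorEntry("api", "CreateFileA", (0x00403008, 0x40000000), frozenset(range(8, 64))),
    BehaviorEntry("api", "WriteFile", (0x1C4, 0x00403040, 64), frozenset(range(64, 128))),
    BehaviorEntry("api", "CloseHandle", (0x1C4,), frozenset()),
    BehaviorEntry("api", "CreateProcessA", (0x00403008,), frozenset(range(8, 64))),
]


def params_match(params: Tuple[int, ...], pattern: Pattern) -> bool:
    """Parameters are identical to the pattern, "*" standing for any value."""
    return len(params) == len(pattern) and all(
        p == "*" or p == v for v, p in zip(params, pattern))


class SequenceMatcher:
    """Per abnormal sequence, the indices of the consecutive records matched so far."""

    def __init__(self, sequences: Dict[str, Sequence]) -> None:
        self.sequences = sequences
        self.progress: Dict[str, List[int]] = {k: [] for k in sequences}

    def feed(self, index: int, entry: BehaviorEntry) -> Optional[Tuple[str, List[int]]]:
        """Compare one API call; return (sequence, matched indices) when one completes."""
        if entry.kind != "api":
            return None
        for sname, seq in self.sequences.items():
            hit = self.progress[sname]
            name, pattern = seq[len(hit)]
            if not (entry.name == name and params_match(entry.params, pattern)):
                hit.clear()                 # difference: restart at the first record
                name, pattern = seq[0]
                if not (entry.name == name and params_match(entry.params, pattern)):
                    continue
            hit.append(index)
            if len(hit) == len(seq):
                matched = list(hit)
                hit.clear()
                return sname, matched
        return None


def backtrace(behavior: List[BehaviorEntry], matched: List[int]) -> List[Tuple[str, int, int]]:
    """Step 5: for each matched call, the contiguous (function, offset, length)
    runs of the taint packet it relied on, ready for log-file output."""
    report: List[Tuple[str, int, int]] = []
    for i in matched:
        entry, start, prev = behavior[i], None, None
        for off in sorted(entry.offsets):
            if prev is not None and off != prev + 1:
                report.append((entry.name, start, prev - start + 1))
                start = None
            start = off if start is None else start
            prev = off
        if start is not None:
            report.append((entry.name, start, prev - start + 1))
    return report


def analyse(behavior: List[BehaviorEntry]) -> Optional[Tuple[str, List[Tuple[str, int, int]]]]:
    """Run the matcher over a process's call list; report on the first completed sequence."""
    matcher = SequenceMatcher(ABNORMAL_SEQUENCES)
    for i, entry in enumerate(behavior):
        result = matcher.feed(i, entry)
        if result is not None:
            sname, matched = result
            return sname, backtrace(behavior, matched)
    return None
```

Because the sequences are consecutive API operations, an unrelated call inserted between `WriteFile` and `CloseHandle` breaks the partial match and the same trace no longer reports anything.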

Claims (8)

1. A malicious code capturing method, whose steps are:
1) configure the hardware emulator; the hardware emulator loads and starts the target operating system;
2) the hardware emulator reads the virtual memory of the target operating system, identifies all processes executing in the current system and the export tables of the dynamic libraries loaded by those processes, obtains the addresses of all APIs in those export tables, and intercepts the network-receive API functions;
3) according to the return values of the network-receive API functions, mark the data packets that a process receives from the network as taint packets;
4) the hardware emulator disassembles the instructions executed by the current process; if the offset address and length of an instruction's source operand fall within the range of a taint packet, taint propagation is computed for that instruction; if the instruction is an API function call instruction, the API name is obtained from the API address and the offset and length of its input parameters are checked against the taint data range, and if they fall within the taint data range, taint propagation is computed for that API call;
5) during taint propagation, judge whether the state of the current process exhibits abnormal behaviour; if it does, judge the current process to be malicious code and extract the malicious code image from the memory of the target operating system; wherein the method for judging whether the state of the current process exhibits abnormal behaviour is:
51) set up abnormal behaviour sequences; the hardware emulator reads them and maintains a singly linked list of abnormal behaviour sequences in memory;
52) create a taint record in the corresponding structure of the current process, and at the same time set up a taint behaviour list that records the instructions and API calls with which the current process operates on the taint packet or on taint data produced by the taint packet;
53) from the moment the current process returns from the network data receive function, analyse each instruction the process subsequently executes: if the instruction operates on taint data, add the result it produces to the taint record as taint produced by the taint packet, and add the instruction to the taint behaviour list; if it is an API call whose parameters contain the taint packet or taint data produced by the taint packet, add the API call to the taint behaviour list;
54) judge whether the destination address of a taint data operation has overwritten a function return address, and if it has, judge that the state of the current process exhibits abnormal behaviour; judge, according to the taint behaviour list, whether the API calls executed by the process match an abnormal behaviour sequence in memory, and if they do, judge that the state of the current process exhibits abnormal behaviour.
2. The method of claim 1, characterised in that configuring the hardware emulator comprises: configuring the emulated memory size of the hardware emulator, the type of the emulated CPU, and the virtual hard disk.
3. The method of claim 2, characterised in that the method for configuring the virtual hard disk of the hardware emulator is: create a virtual image file using linear addressing and use the created virtual image file as the virtual hard disk.
4. The method of claim 3, characterised in that the method for obtaining the addresses of all APIs in the export table is: compare the names in the export table of the dynamic library with the names in the API table, and obtain the addresses of all APIs in the export table.
5. The method of claim 1, 2, 3 or 4, characterised in that the taint propagation computation is: according to the instructions executed by the current process, determine the variables and registers affected by the taint data produced by the taint packet.
6. The method of claim 5, characterised in that the abnormal behaviour comprises: the function return address in the stack of the current process being overwritten by a taint packet or by taint data produced by a taint packet, or the API call sequence executed by the current process matching a predefined abnormal behaviour sequence.
7. The method of claim 1, characterised in that the method for extracting the malicious code image is: trace back the taint behaviour list and, according to the APIs called and the instructions executed by the process exhibiting abnormal behaviour, find the taint data on which the process's behaviour sequence depends; this is the captured malicious code; at the same time, extract the offset, length and content within the whole taint packet of the data that the attack process executed.
8. The method of claim 1, characterised in that the abnormal behaviour sequence is a series of consecutive API operations.

Priority Applications (1)

Application number: CN201110029135.7A (CN102622536B, en)
Priority date: 2011-01-26
Filing date: 2011-01-26
Title: Method for catching malicious codes


Publications (2)

CN102622536A (en), published 2012-08-01
CN102622536B (en), published 2014-09-03

Family ID: 46562451


Country Status (1)

Country Link
CN (1) CN102622536B (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104252447A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 File behavior analysis method and device
CN103440457B (en) * 2013-08-20 2015-12-09 上海交通大学 Based on the binary program analytic system of process simulation
CN103927484B (en) * 2014-04-21 2017-03-08 西安电子科技大学宁波信息技术研究院 Rogue program behavior catching method based on Qemu simulator
CN104021084A (en) * 2014-06-19 2014-09-03 国家电网公司 Method and device for detecting defects of Java source codes
CN104376261B (en) * 2014-11-27 2017-04-05 南京大学 A kind of method of the automatic detection malicious process under evidence obtaining scene
CN104462973B (en) * 2014-12-18 2017-11-14 上海斐讯数据通信技术有限公司 The dynamic malicious act detecting system and method for application program in mobile terminal
CN105989283B (en) 2015-02-06 2019-08-09 阿里巴巴集团控股有限公司 A kind of method and device identifying virus mutation
CN106446681B (en) * 2015-08-07 2019-09-17 腾讯科技(深圳)有限公司 Checking and killing virus method and apparatus
TWI575401B (en) * 2015-11-12 2017-03-21 財團法人資訊工業策進會 Mobile device and an monitoring method suitable for mobile device
CN107526966B (en) * 2016-06-21 2020-03-13 中国科学院软件研究所 Composite stain propagation tracking method for Android platform
CN107291617B (en) * 2016-12-26 2020-08-11 中国科学院软件研究所 Vulnerability analysis method based on implicit taint propagation
CN108256323A (en) * 2016-12-29 2018-07-06 武汉安天信息技术有限责任公司 A kind of detection method and device for phishing application
CN107124425A (en) * 2017-05-26 2017-09-01 北京立思辰新技术有限公司 The method and computing device of monitoring device safety
CN109583200B (en) * 2017-09-28 2021-04-27 中国科学院软件研究所 Program abnormity analysis method based on dynamic taint propagation
CN108038378A (en) * 2017-12-28 2018-05-15 厦门服云信息科技有限公司 High in the clouds detection function is by the method for malicious modification, terminal device and storage medium
CN108875372B (en) * 2017-12-29 2022-07-26 安天科技集团股份有限公司 Code detection method and device, electronic equipment and storage medium
CN108229172A (en) * 2018-02-13 2018-06-29 国家计算机网络与信息安全管理中心 Astride hierarchy data flow method for tracing based on windows platforms
CN109766700A (en) * 2018-05-04 2019-05-17 360企业安全技术(珠海)有限公司 Access control method and device, the storage medium, electronic device of file
CN109918907B (en) * 2019-01-30 2021-05-25 国家计算机网络与信息安全管理中心 Method, controller and medium for obtaining evidence of malicious codes in process memory of Linux platform
CN112395595B (en) * 2019-08-15 2023-08-01 奇安信安全技术(珠海)有限公司 Method and device for monitoring instruction execution sequence, storage medium and computer equipment
CN112836216B (en) * 2021-02-04 2023-11-17 武汉大学 Malicious sample reverse task allocation method and system based on behaviors and code length
CN113010481B (en) * 2021-03-18 2023-06-09 成都欧珀通信科技有限公司 File capturing method, device, terminal and storage medium
CN113569244B (en) * 2021-09-18 2021-12-03 成都数默科技有限公司 Memory malicious code detection method based on processor tracking
CN114244599B (en) * 2021-12-15 2023-11-24 杭州默安科技有限公司 Method for interfering malicious program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1625121A (en) * 2003-12-05 2005-06-08 中国科学技术大学 Hierarchical cooperated network virus and malice code recognition method
CN101616151A (en) * 2009-07-31 2009-12-30 中国科学院软件研究所 A kind of automated network attack characteristic generation method
CN101645119A (en) * 2008-08-07 2010-02-10 中国科学院软件研究所 Method and system for automatically analyzing malicious codes based on virtual hardware environment
CN101770551A (en) * 2008-12-30 2010-07-07 中国科学院软件研究所 Method for processing hidden process based on hardware simulator

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1625121A (en) * 2003-12-05 2005-06-08 中国科学技术大学 Hierarchical cooperated network virus and malice code recognition method
CN101645119A (en) * 2008-08-07 2010-02-10 中国科学院软件研究所 Method and system for automatically analyzing malicious codes based on virtual hardware environment
CN101770551A (en) * 2008-12-30 2010-07-07 中国科学院软件研究所 Method for processing hidden process based on hardware simulator
CN101616151A (en) * 2009-07-31 2009-12-30 中国科学院软件研究所 A kind of automated network attack characteristic generation method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software; J. Newsom et al.; Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 05); 2005-02-28; full text *
J. Newsom et al. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS 05). 2005, pp. 1-18.
何永军 et al. Reverse analysis of network protocols based on dynamic binary analysis. Computer Engineering (计算机工程). 2010, Vol. 36, No. 9, pp. 267-270.
Reverse analysis of network protocols based on dynamic binary analysis; 何永军 et al.; Computer Engineering (计算机工程); 2010-05-31; Vol. 36, No. 9; Sections 4.1 and 4.2.3 of the main text *

Also Published As

Publication number Publication date
CN102622536A (en) 2012-08-01

Similar Documents

Publication Publication Date Title
CN102622536B (en) Method for catching malicious codes
CN105393255B (en) Process assessment for the malware detection in virtual machine
CN101770551A (en) Method for processing hidden process based on hardware simulator
CN107659543B (en) Protection method for APT (android packet) attack of cloud platform
Rathnayaka et al. An efficient approach for advanced malware analysis using memory forensic technique
Canfora et al. Acquiring and analyzing app metrics for effective mobile malware detection
CN101373502B (en) Automatic analysis system of virus behavior based on Win32 platform
CN105893848A (en) Precaution method for Android malicious application program based on code behavior similarity matching
EP2975873A1 (en) A computer implemented method for classifying mobile applications and computer programs thereof
CN102664875A (en) Malicious code type detection method based on cloud mode
CN108469984B (en) Virtual machine introspection function level-based dynamic detection system and method for inner core of virtual machine
CN103902885A (en) Virtual machine security isolation system and method oriented to multi-security-level virtual desktop system
CN107864676A (en) System and method for detecting unknown leak in calculating process
CN106201872A (en) A kind of running environment detection method of android system
CN102651062A (en) System and method for tracking malicious behavior based on virtual machine architecture
RU2748518C1 (en) Method for counteracting malicious software (malware) by imitating test environment
CN105760787A (en) System and method used for detecting malicious code of random access memory
CN109298855A (en) A kind of network target range management system and its implementation, device, storage medium
Li et al. Robbery on devops: Understanding and mitigating illicit cryptomining on continuous integration service platforms
Sihag et al. Opcode n-gram based malware classification in android
Ki et al. Reptor: Enabling api virtualization on android for platform openness
Letaw et al. Host identification via usb fingerprinting
US20160092313A1 (en) Application Copy Counting Using Snapshot Backups For Licensing
Zhang et al. Firmware fuzzing: The state of the art
CN103971055B (en) A kind of Android malware detection method based on program slicing technique

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant