
CN111611580B - Method and system for detecting whether program runs in environment of Jinshan safe sandbox system - Google Patents

Method and system for detecting whether program runs in environment of Jinshan safe sandbox system

Info

Publication number
CN111611580B
CN111611580B (application CN202010458742.4A; also cited as CN202010458742A)
Authority
CN
China
Prior art keywords
application program
feature
module
pid
jinshan
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010458742.4A
Other languages
Chinese (zh)
Other versions
CN111611580A (en)
Inventor
刘德建
任佳伟
陈宏展
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Tianqing Online Interactive Technology Co Ltd
Original Assignee
Fujian Tianqing Online Interactive Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujian Tianqing Online Interactive Technology Co Ltd
Priority to CN202010458742.4A
Publication of CN111611580A
Application granted
Publication of CN111611580B
Legal status: Active
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a method for detecting whether a program runs in a Jinshan safe sandbox system environment, comprising the following steps: traversing all processes running in the operating system and detecting whether any process has the process name, or main-module name, 'ksandbox.exe'; if so, the operating system has feature one, ksandbox.exe; traversing all processes running in the operating system and detecting whether any process has loaded the dynamic link library 'kislog.dll'; if so, the operating system has feature two, kislog.dll; detecting whether a trace of loading the dynamic link library 'KisDcom.dll' is found in the memory space of the application program itself; if so, the operating system has feature three, KisDcom.dll, and if not, that feature is absent; obtaining the detection results for the three features; analysing the detection results in the manner of a configured accurate judgment mode or a configured fuzzy judgment mode and returning the analysis result, namely whether the application program is running in the Jinshan safe sandbox system environment, so that the application program can avoid being used maliciously.

Description

Method and system for detecting whether program runs in environment of Jinshan safe sandbox system
Technical Field
The invention relates to the technical field of computer system communication, to software security and to game cheat (plug-in) detection, and in particular to a method and a system for detecting whether a program runs in a Jinshan security sandbox system environment.
Background
The Jinshan safe sandbox, also called the Jinshan isolation sandbox, is a security product developed by Jinshan Software. It creates a virtualized, isolated system environment by means of virtualization techniques. For application programs running in that environment, the sandbox can record behaviours such as file reads and writes and registry changes. In addition, high-privilege operations performed by a sandboxed application (such as changing operating system files or controlling system drivers) are redirected by the sandbox into the virtualized environment through techniques such as hooking system functions and file redirection; that is, an application in the Jinshan safe sandbox environment has no effect on the real system and can be deleted and restored at any time. A program running in the sandbox is like a drawing in sand: it can be levelled at any time and leaves no trace.
Because it isolates the real operating system environment, the Jinshan safe sandbox is widely used in virus behaviour analysis, but it is also misused for reverse-engineering and cracking software, running multiple illegal game clients, bypassing an application's self-protection module and the like, which indirectly harms the intellectual property rights and economic interests of the parties concerned.
Explanation of technical wording:
DLL injection (dynamic link library injection) is a technique for loading a dynamic link library into memory and making it part of a specified process. DLL injection has a variety of implementations, such as modifying an application's import table, DLL file hijacking and so on.
PID (process identification) is the process identifier that an operating system assigns to a process. Each time a program is started in the operating system, a process is created and given a PID.
Disclosure of Invention
In order to overcome the above problems, an object of the present invention is to provide a method for detecting whether a program runs in a Jinshan security sandbox system environment, which can detect whether the operating system an application is currently running in is the Jinshan security sandbox system, so that the application can avoid being used maliciously.
The invention is realised by the following scheme: a method for detecting whether a program runs in a Jinshan safe sandbox system environment, the method comprising the following steps:
traversing all processes running in the operating system and detecting whether any process has the process name, or main-module name, 'ksandbox.exe'; if so, the operating system has feature one, ksandbox.exe; if not, that feature is absent;
traversing all processes running in the operating system and detecting whether any process has loaded the dynamic link library 'kislog.dll'; if so, the operating system has feature two, kislog.dll; if not, that feature is absent;
detecting whether a trace of loading the dynamic link library 'KisDcom.dll' is found in the memory space of the application program itself; if so, the operating system has feature three, KisDcom.dll; if not, that feature is absent; thereby obtaining detection results for the three features;
analysing the detection results in the manner of a configured accurate judgment mode or a configured fuzzy judgment mode, and returning the analysis result, namely whether the application program is running in the Jinshan safe sandbox system environment;
in the fuzzy judgment mode, as soon as the application program detects that any one of the three Jinshan safe sandbox features exists in the system environment, the operating system environment the application is currently running in is judged to be the Jinshan safe sandbox system environment;
in the accurate judgment mode, if and only if feature three of the Jinshan safe sandbox system is detected in the system environment is the operating system environment the application is currently running in judged to be the Jinshan safe sandbox system environment.
Further, in the method the three features are stored in the program file as character strings; when application program A starts running it begins feature detection, defining and initialising three DWORD variables with default value 0, named Feature_1, Feature_2 and Feature_3, which record whether feature one, feature two and feature three respectively have been detected.
Further, the method further comprises the following steps:
step 2.1, application program A allocates a first memory space, named Buffer_Pid, for storing the PID array of all processes; a second memory space, named Buffer_Module, for storing the module-handle array of a process; and a third memory space, named Buffer_Path, for storing a process's file path;
step 2.2, application program A calls the Windows API EnumProcesses to enumerate the PIDs of all processes in the current operating system; the result is stored in Buffer_Pid as a DWORD array, and the number of PIDs returned is obtained from the return value of EnumProcesses and named Proc_Account;
step 2.3, application program A loops Proc_Account times, taking one entry from Buffer_Pid each time: in the Nth round it takes the Nth PID stored in Buffer_Pid and records it as Pid_Tmp; if all Proc_Account rounds have been completed or the condition (Feature_1 + Feature_2) > 0 is met, the loop exits and step 2.9 is entered;
step 2.4, application program A calls the Windows API OpenProcess with the access flags PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, opens the process whose PID is Pid_Tmp, and obtains its process handle Handle_Proc;
step 2.5, application program A calls the Windows API EnumProcessModules, passing Handle_Proc, to enumerate the module handles of all modules of the process whose PID is Pid_Tmp; the result is stored in Buffer_Module as a DWORD array, and the number of modules returned is obtained from the return value of EnumProcessModules and named Module_Account;
step 2.6, application program A loops Module_Account times, taking one entry from Buffer_Module each time: in the Nth round it takes the Nth module handle stored in Buffer_Module and records it as ModuleHandle_Tmp;
step 2.7, application program A calls the Windows API GetModuleFileNameEx to query the module name (path) of the module whose handle is ModuleHandle_Tmp; after the call completes, the path is stored in Buffer_Path as a character string;
step 2.8, application program A checks, by string comparison, whether the string stored in Buffer_Path contains the main-module feature string 'ksandbox.exe' or the module feature string 'kislog.dll'; if neither comparison matches, it proceeds to the next round of the loop; otherwise, if 'ksandbox.exe' matches, Feature_1 is set to 1, and if 'kislog.dll' matches, Feature_2 is set to 1;
step 2.9, application program A calls the Windows API GetModuleHandle, passing 'KisDcom.dll'; if the return value is not 0, a trace of loading the dynamic link library 'KisDcom.dll' has been found in the memory space of application program A, i.e. the Jinshan safe sandbox software has injected 'KisDcom.dll' into application program A, and in that case Feature_3 is set to 1.
Further, the method analyses the detection results in the manner of the configured accurate judgment mode or fuzzy judgment mode and returns the analysis result, specifically by the following steps:
step 3.1, application program A defines a DWORD variable named Result and computes a decision weight as Result = 1 × (Feature_1 + Feature_2) + 3 × Feature_3;
step 3.2, application program A chooses the judgment mode according to the business requirement: if the application must be prevented from running in the Jinshan safe sandbox system environment, the fuzzy judgment mode is used; if the accuracy of the result must be guaranteed, the accurate judgment mode is used;
step 3.3, application program A defines a BOOL variable named Return_Value for returning the result; in the accurate judgment mode, Return_Value is set to TRUE when Result is greater than or equal to 3 and to FALSE otherwise; in the fuzzy judgment mode, Return_Value is set to TRUE when Result is greater than or equal to 1 and to FALSE otherwise;
step 3.4, if Return_Value is TRUE, the application program is judged to be running in the Jinshan safe sandbox system environment; if Return_Value is FALSE, it is judged to be running in a normal operating system environment.
The invention also provides a system for detecting whether a program runs in the Jinshan safe sandbox system environment, comprising a feature-one detection module, a feature-two detection module, a feature-three detection module and a logic judgment module;
the feature-one detection module is used for traversing all processes running in the operating system and detecting whether any process has the process name, or main-module name, 'ksandbox.exe'; if so, the operating system has feature one, ksandbox.exe; if not, that feature is absent;
the feature-two detection module is used for traversing all processes running in the operating system and detecting whether any process has loaded the dynamic link library 'kislog.dll'; if so, the operating system has feature two, kislog.dll; if not, that feature is absent;
the feature-three detection module is used for detecting whether a trace of loading the dynamic link library 'KisDcom.dll' is found in the memory space of the application program itself; if so, the operating system has feature three, KisDcom.dll; if not, that feature is absent; thereby obtaining detection results for the three features;
the logic judgment module is used for analysing the detection results in the manner of a configured accurate judgment mode or a configured fuzzy judgment mode and returning the analysis result, namely whether the application program is running in the Jinshan safe sandbox system environment;
in the fuzzy judgment mode, as soon as the application program detects that any one of the three Jinshan safe sandbox features exists in the system environment, the operating system environment the application is currently running in is judged to be the Jinshan safe sandbox system environment;
in the accurate judgment mode, if and only if feature three of the Jinshan safe sandbox system is detected in the system environment is the operating system environment the application is currently running in judged to be the Jinshan safe sandbox system environment.
Further, in the system all three features are stored in the program file as character strings; when application program A starts running it begins feature detection, defining and initialising three DWORD variables with default value 0, named Feature_1, Feature_2 and Feature_3, which record whether feature one, feature two and feature three respectively have been detected.
Further, the system is realised by the following steps:
step 4.1, application program A allocates a first memory space, named Buffer_Pid, for storing the PID array of all processes; a second memory space, named Buffer_Module, for storing the module-handle array of a process; and a third memory space, named Buffer_Path, for storing a process's file path;
step 4.2, application program A calls the Windows API EnumProcesses to enumerate the PIDs of all processes in the current operating system; the result is stored in Buffer_Pid as a DWORD array, and the number of PIDs returned is obtained from the return value of EnumProcesses and named Proc_Account;
step 4.3, application program A loops Proc_Account times, taking one entry from Buffer_Pid each time: in the Nth round it takes the Nth PID stored in Buffer_Pid and records it as Pid_Tmp; if all Proc_Account rounds have been completed or the condition (Feature_1 + Feature_2) > 0 is met, the loop exits and step 4.9 is entered;
step 4.4, application program A calls the Windows API OpenProcess with the access flags PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, opens the process whose PID is Pid_Tmp, and obtains its process handle Handle_Proc;
step 4.5, application program A calls the Windows API EnumProcessModules, passing Handle_Proc, to enumerate the module handles of all modules of the process whose PID is Pid_Tmp; the result is stored in Buffer_Module as a DWORD array, and the number of modules returned is obtained from the return value of EnumProcessModules and named Module_Account;
step 4.6, application program A loops Module_Account times, taking one entry from Buffer_Module each time: in the Nth round it takes the Nth module handle stored in Buffer_Module and records it as ModuleHandle_Tmp;
step 4.7, application program A calls the Windows API GetModuleFileNameEx to query the module name (path) of the module whose handle is ModuleHandle_Tmp; after the call completes, the path is stored in Buffer_Path as a character string;
step 4.8, application program A checks, by string comparison, whether the string stored in Buffer_Path contains the main-module feature string 'ksandbox.exe' or the module feature string 'kislog.dll'; if neither comparison matches, it proceeds to the next round of the loop; otherwise, if 'ksandbox.exe' matches, Feature_1 is set to 1, and if 'kislog.dll' matches, Feature_2 is set to 1;
step 4.9, application program A calls the Windows API GetModuleHandle, passing 'KisDcom.dll'; if the return value is not 0, a trace of loading the dynamic link library 'KisDcom.dll' has been found in the memory space of application program A, i.e. the Jinshan safe sandbox software has injected 'KisDcom.dll' into application program A, and in that case Feature_3 is set to 1.
Further, the system analyses the detection results in the manner of the configured accurate judgment mode or fuzzy judgment mode and returns the analysis result, specifically by the following steps:
step 5.1, application program A defines a DWORD variable named Result and computes a decision weight as Result = 1 × (Feature_1 + Feature_2) + 3 × Feature_3;
step 5.2, application program A chooses the judgment mode according to the business requirement: if the application must be prevented from running in the Jinshan safe sandbox system environment, the fuzzy judgment mode is used; if the accuracy of the result must be guaranteed, the accurate judgment mode is used;
step 5.3, application program A defines a BOOL variable named Return_Value for returning the result; in the accurate judgment mode, Return_Value is set to TRUE when Result is greater than or equal to 3 and to FALSE otherwise; in the fuzzy judgment mode, Return_Value is set to TRUE when Result is greater than or equal to 1 and to FALSE otherwise;
step 5.4, if Return_Value is TRUE, the application program is judged to be running in the Jinshan safe sandbox system environment; if Return_Value is FALSE, it is judged to be running in a normal operating system environment.
The invention has the following beneficial effects: 1. In response to the widespread bypassing of program protection modules and tracing of software behaviour by means of the Jinshan safe sandbox software, this patent provides a method for detecting whether a program runs in the Jinshan safe sandbox system environment; with this scheme, software can effectively detect whether its current running environment is the special system environment constructed by the Jinshan safe sandbox, and decide according to the result whether to stop running or withhold its core functions.
2. This patent proposes two detection and judgment modes, three detection features and three character strings recording the feature information; the user can select the judgment mode according to actual needs, so the scope of application is wide.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
Fig. 2 is a schematic diagram of a feature detection process according to a first embodiment of the present invention.
Fig. 3 is a schematic logic flow chart according to a first embodiment of the invention.
Fig. 4 is a schematic block diagram of the system of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The Jinshan safe sandbox software works on the following principles:
1. The core function modules of the Jinshan safe sandbox software consist of two driver files, named "kdhicker.sys" and "kiskn.sys", and a dynamic link library file named "KisDcom.dll". The two driver files provide driver-layer support for the sandbox software.
2. Using DLL injection, the Jinshan safe sandbox software injects KisDcom.dll into the memory space of the isolated application program, so that KisDcom.dll becomes part of the isolated application and influences its subsequent operation.
3. After the Jinshan safe sandbox software starts, it creates in the operating system a process with the default process name 'ksandbox.exe'. This is the sandbox software's main process and the process the user interacts with; it is also the loader of the drivers 'Kdhacker.sys' and 'kiskn.sys' and is responsible for DLL injection into the isolated application. The process has two detection features: first, it is named 'ksandbox.exe', and second, it loads a dynamic link library named 'kislog.dll' (which provides the process with support for recording the behaviour of the isolated application and printing the application's run log).
4. Regarding the process 'ksandbox.exe': its process name can be used as a detection feature for judging whether a process is 'ksandbox.exe', but there may be a scenario in which the process name is maliciously tampered with so as to bypass detection of the process; the process also has a unique characteristic in that it loads the dynamic link library 'kislog.dll', which provides the process 'ksandbox.exe' with behaviour-recording and log-printing support.
5. An application program started by the Jinshan safe sandbox software is isolated into the virtualized system environment created by the sandbox; other application programs are not affected by the sandbox.
Referring to fig. 1, a method for detecting whether a program runs in a Jinshan safe sandbox system environment according to the present invention includes:
traversing all processes running in the operating system and detecting whether any process has the process name, or main-module name, 'ksandbox.exe'; if so, the operating system has feature one, ksandbox.exe; if not, that feature is absent;
traversing all processes running in the operating system and detecting whether any process has loaded the dynamic link library 'kislog.dll'; if so, the operating system has feature two, kislog.dll; if not, that feature is absent;
detecting whether a trace of loading the dynamic link library 'KisDcom.dll' is found in the memory space of the application program itself; if so, the operating system has feature three, KisDcom.dll; if not, that feature is absent; thereby obtaining detection results for the three features;
analysing the detection results in the manner of a configured accurate judgment mode or a configured fuzzy judgment mode, and returning the analysis result, namely whether the application program is running in the Jinshan safe sandbox system environment;
in the fuzzy judgment mode, as soon as the application program detects that any one of the three Jinshan safe sandbox features exists in the system environment, the operating system environment the application is currently running in is judged to be the Jinshan safe sandbox system environment;
in the accurate judgment mode, if and only if feature three of the Jinshan safe sandbox system is detected in the system environment is the operating system environment the application is currently running in judged to be the Jinshan safe sandbox system environment.
This patent proposes two detection and judgment modes, a fuzzy judgment mode and an accurate judgment mode, which have different application scenarios.
By comparison, the accurate judgment mode is more accurate and stable, but fails in some special application scenarios, so that the required protection effect is not achieved. For example, a user can deliberately erase or tamper with the environment features of the Jinshan safe sandbox software by technical means; in that scenario, even though the application objectively runs in the Jinshan safe sandbox environment, the accurate judgment mode will conclude that the current system environment is a normal operating system. Compared with the accurate judgment mode, the fuzzy judgment mode covers more cases but may misjudge. For example, if a user merely runs the Jinshan safe sandbox software A and an application program B that uses the fuzzy judgment mode at the same time, without using A to start B, then B objectively runs in a normal operating system environment, yet the fuzzy judgment mode will conclude that the current system environment is the Jinshan safe sandbox environment.
In addition, this patent provides three character strings that serve as detection features and record the feature information: "ksandbox.exe", "kislog.dll" and "KisDcom.dll".
From analysis of the Jinshan safe sandbox software and testing of application programs running in the Jinshan safe sandbox system environment, the following conclusions are drawn:
【1】 Provided that there is no deliberate erasing or tampering of the running features of the Jinshan safe sandbox software, if the sandbox software is running in the operating system, other programs in the operating system can necessarily detect the following features:
[Feature one]: traversing all processes running in the operating system, a process with the process name / main-module name "ksandbox.exe" can be matched (since on the Windows platform the process name of an application is the module name of the process's main module, [feature one] can equally be understood as a process whose main module is named "ksandbox.exe");
[Feature two]: traversing all processes running in the operating system, a process that has loaded the dynamic link library "kislog.dll" can be matched.
【2】 Provided that there is no deliberate erasing or tampering of the running features of the Jinshan safe sandbox software, an application program running in the Jinshan safe sandbox system environment additionally has the following feature on top of feature one and feature two:
[Feature three]: a trace of loading the dynamic link library "KisDcom.dll" can be found in the memory space of the application program.
In summary, [feature one] and [feature two] are necessary but not sufficient conditions for the application to be running in the Jinshan safe sandbox system environment; [feature three] is the essential condition for the application to be running in the Jinshan safe sandbox system environment.
So in the fuzzy judgment mode, as long as any one of the three features above is detected, the application is judged to be running in the Jinshan safe sandbox system environment. In the accurate judgment mode, if and only if [feature three] is detected is the application judged to be running in the Jinshan safe sandbox system environment.
The invention is further illustrated below with reference to a specific embodiment:
Firstly, the 3 detection features provided by the invention are all stored as character strings in the program file that adopts this technical scheme. As shown in fig. 2: 1. Application A starts running, and step 2 is entered.
2. Application A begins executing the feature detection module code. Application A defines and initializes 3 DWORD variables with default value 0, named Feature_1, Feature_2 and Feature_3, which record whether the corresponding [Feature one], [Feature two] and [Feature three] are detected. For example, if [Feature one] is detected, Feature_1 is assigned 1; if [Feature three] is not detected, Feature_3 is assigned 0.
2.1 Application A allocates a first memory space of 4 × 16384 bytes, named Buffer_Pid, used to store the PID array of all processes (on the 32-bit Windows platform a PID is stored in memory as a DWORD, one DWORD occupies 4 bytes, and in theory Windows runs no more than 16384 processes at the same time, so a memory space of 4 × 16384 bytes can theoretically store the PIDs of all processes of a 32-bit Windows system). In addition, Application A allocates a second memory space of 4 × 1024 bytes, named Buffer_Module, used to store the module handle array of a given process, and a third memory space of 520 bytes, named Buffer_Path, used to store the file path of the process.
2.2 Application A calls the Windows API EnumProcesses to enumerate the PIDs of all processes in the current operating system, stores the enumerated result in the memory space Buffer_Pid as a DWORD array, and at the same time obtains the number of returned PIDs from the return result of EnumProcesses, naming this number Proc_Account.
2.3 Application A loops Proc_Account times, taking one item out of Buffer_Pid each time; in the Nth round it takes out the Nth PID stored in Buffer_Pid and records it as Pid_Tmp. If Proc_Account rounds have been completed, or the condition (Feature_1 + Feature_2) > 0 is met, the loop exits and step 2.4 is entered.
2.3.1 Application A calls the Windows API OpenProcess, passing the parameters PROCESS_QUERY_INFORMATION and PROCESS_VM_READ (which declare to the operating system that the permission to query process information and to read process memory is needed), opens the process whose PID is Pid_Tmp, and obtains its process handle Handle_Proc.
2.3.2 Application A calls the Windows API EnumProcessModules, passing the parameter Handle_Proc, enumerates the module handle information of all modules of the process whose PID is Pid_Tmp, stores the enumeration result in the memory space Buffer_Module as a DWORD array, obtains the number of returned modules from the return result of EnumProcessModules, and names this number Module_Account.
2.3.3 Application A loops Module_Account times, taking one item out of Buffer_Module each time; in the Nth round it takes out the Nth module handle stored in Buffer_Module and records it as ModuleHandle_Tmp.
2.3.3.1 Application A calls the Windows API GetModuleFileNameEx to query the module name path of the module whose handle is ModuleHandle_Tmp; after the API call completes, the path is stored in the memory space Buffer_Path as a character string.
2.3.3.2 Application A checks, by string comparison (that is, comparison against the 3 detection features in the program file), whether the string stored in Buffer_Path contains the main module name feature string "ksandbox.exe" or the module name feature string "kislog.dll". If both string comparisons fail, the next round of the loop is entered; otherwise, if "ksandbox.exe" is matched, Feature_1 is assigned 1, and if "kislog.dll" is matched, Feature_2 is assigned 1.
2.4 Application A calls the Windows API GetModuleHandle, passing the parameter "kisdcom.dll". If the return value is not 0, it can be judged that a trace of loading the dynamic link library "kisdcom.dll" is found in the memory space of Application A, that is, the dynamic link library "kisdcom.dll" has been injected into Application A by the Jinshan safe sandbox software, and in this case Feature_3 is assigned 1. Step 3 is entered next.
As shown in fig. 3: 3. Application A starts executing the logic judgment code.
3.1 Application A defines a DWORD variable named Result for calculating the judgment weight. The calculation is Result = 1 × (Feature_1 + Feature_2) + 3 × Feature_3.
3.2 Application A performs the logic judgment according to its business requirement: if Application A needs to be prevented as far as possible from running in the Jinshan safe sandbox system environment, the fuzzy judgment mode is adopted; if data accuracy is to be ensured as far as possible, the accurate judgment mode is adopted.
3.3 Application A defines a BOOL variable named Return_Value for returning the result. If Return_Value is TRUE, the detection process of this patent scheme judges that the application program is currently running in the Jinshan safe sandbox system environment; otherwise the application program is currently running in a normal operating system environment.
3.4 If Application A adopts the accurate judgment mode, Return_Value is assigned TRUE when Result ≥ 3 and FALSE otherwise. If Application A adopts the fuzzy judgment mode, Return_Value is assigned TRUE when Result ≥ 1 and FALSE otherwise.
3.5 Exit the process.
As shown in fig. 4, the present invention further provides a system for detecting whether a program runs in the Jinshan safe sandbox system environment, wherein the system comprises: a detection feature one module, a detection feature two module, a detection feature three module and a logic judgment module;
the detection feature one module is used for traversing all processes running in the operating system and detecting whether a process whose process name, or the module name of whose main module, is "ksandbox.exe" can be matched; if yes, the operating system has feature one ("ksandbox.exe"); if not, it does not;
the detection feature two module is used for traversing all processes running in the operating system and detecting whether a process that has loaded the dynamic link library "kislog.dll" can be matched; if yes, the operating system has feature two ("kislog.dll"); if not, it does not;
the detection feature three module is used for detecting whether a trace of loading the dynamic link library "KisDcom.dll" is found in the memory space of the application program; if yes, the operating system has feature three ("KisDcom.dll"); if not, it does not; the detection results of the three features are thereby obtained;
the logic judgment module is used for analyzing the detection results in the corresponding mode of a set accurate judgment mode or fuzzy judgment mode and returning the analysis result, namely judging whether the application program runs in the Jinshan safe sandbox system environment;
the corresponding mode of the fuzzy judgment mode is that as long as the application program detects that any one of the three features of the Jinshan safe sandbox system exists in the system environment, the operating system environment in which the application program currently runs is judged to be the Jinshan safe sandbox system environment;
the corresponding mode of the accurate judgment mode is that if and only if feature three of the Jinshan safe sandbox system is detected in the system environment is the operating system environment in which the application program currently runs judged to be the Jinshan safe sandbox system environment.
Wherein the three features in the system are all stored in the program file as character strings; Application A starts running, Application A starts executing feature detection, and Application A defines and initializes 3 DWORD variables with default value 0, named Feature_1, Feature_2 and Feature_3, which correspond respectively to whether feature one, feature two and feature three are detected.
The system is further realized by the following steps:
step 4.1, Application A allocates a first memory space named Buffer_Pid, used to store the PID array of all processes; Application A allocates a second memory space named Buffer_Module, used to store the module handle array of a process; Application A allocates a third memory space named Buffer_Path, used to store the file path of a process;
step 4.2, Application A calls the Windows API EnumProcesses to enumerate the PIDs of all processes in the current operating system, stores the enumerated result in the memory space Buffer_Pid as a DWORD array, and at the same time obtains the number of returned PIDs from the return result of EnumProcesses, naming this number Proc_Account;
step 4.3, Application A loops Proc_Account times, taking one item out of Buffer_Pid each time; in the Nth round it takes out the Nth PID stored in Buffer_Pid and records it as Pid_Tmp; if Proc_Account rounds have been completed or the condition (Feature_1 + Feature_2) > 0 is met, the loop exits and step 4.9 is entered;
step 4.4, Application A calls the Windows API OpenProcess, passing the parameters PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, opens the process whose PID is Pid_Tmp, and obtains its process handle Handle_Proc;
step 4.5, Application A calls the Windows API EnumProcessModules, passing the parameter Handle_Proc, enumerates the module handle information of all modules of the process whose PID is Pid_Tmp, stores the enumeration result in the memory space Buffer_Module as a DWORD array, obtains the number of returned modules from the return result of EnumProcessModules, and names this number Module_Account;
step 4.6, Application A loops Module_Account times, taking one item out of Buffer_Module each time; in the Nth round it takes out the Nth module handle stored in Buffer_Module and records it as ModuleHandle_Tmp;
step 4.7, Application A calls the Windows API GetModuleFileNameEx to query the module name path of the module whose handle is ModuleHandle_Tmp; after the API call completes, the path is stored in the memory space Buffer_Path as a character string;
step 4.8, Application A checks by string comparison whether the string stored in Buffer_Path contains the main module name feature string "ksandbox.exe" or the module name feature string "kislog.dll"; if neither string comparison matches, the next round of the loop is entered; otherwise, if "ksandbox.exe" is matched, Feature_1 is assigned 1, and if "kislog.dll" is matched, Feature_2 is assigned 1;
step 4.9, Application A calls the Windows API GetModuleHandle, passing the parameter "kisdcom.dll"; if the return value is not 0, it can be judged that a trace of loading the dynamic link library "kisdcom.dll" is found in the memory space of Application A, that is, the dynamic link library "kisdcom.dll" has been injected into Application A by the Jinshan safe sandbox software, and in this case Feature_3 is assigned 1.
The system analyzes the detection results in the corresponding mode of the set accurate judgment mode or fuzzy judgment mode and returns the analysis result, which is realized by the following steps:
step 5.1, Application A defines a DWORD variable named Result for calculating the judgment weight, computed as Result = 1 × (Feature_1 + Feature_2) + 3 × Feature_3;
step 5.2, Application A performs the logic judgment according to its business requirement, namely if the application program is required to be prevented from running in the Jinshan safe sandbox system environment, the fuzzy judgment mode is adopted; if data accuracy is required to be ensured, the accurate judgment mode is adopted;
step 5.3, Application A defines a BOOL variable named Return_Value for returning the result; if Application A adopts the accurate judgment mode, Return_Value is assigned TRUE when Result ≥ 3 and FALSE otherwise; if Application A adopts the fuzzy judgment mode, Return_Value is assigned TRUE when Result ≥ 1 and FALSE otherwise;
step 5.4, if Return_Value is TRUE, it is judged that the application program is currently running in the Jinshan safe sandbox system environment, and if Return_Value is FALSE, it is judged that the application program is currently running in a normal operating system environment.
The specific application scenarios of the invention are as follows:
(I) Suppose that a game client A performs a plug-in (cheat) scan during its start-up, and system data needs to be read and written during the scan. In order to prevent the plug-in used by a user B from being scanned by way of reading and writing system data and system files during the start-up of game client A, the Jinshan safe sandbox program is started first, then game client A is started in the virtual system environment constructed by the Jinshan safe sandbox program, and the plug-in detection function of game client A is attempted to be bypassed in this way. Game client A adopts the technical scheme provided by this patent.
1. Application A calls the Windows API EnumProcesses to enumerate the PIDs of all processes in the current operating system.
2. Application A traverses each process, calls the Windows API OpenProcess to obtain the handle of each process, and, with that handle as parameter, calls the Windows API EnumProcessModules to enumerate the module handles.
3. Application A calls the Windows API GetModuleFileNameEx to query the module name of each module and uses a string comparison algorithm to judge whether the module name contains any member of the feature string library.
4. In the Nth round of traversal, the module name to be compared is "C:\\ksandbox.exe"; the string comparison algorithm judges that this module name contains the feature string "ksandbox.exe", and the value of Feature_1 becomes 1.
5. Since (Feature_1 + Feature_2) > 0, the loop exits directly.
6. Application A calls the Windows API GetModuleHandle; the returned value is non-zero, so it is judged that the dynamic link library "kislog.dll" has been injected into Application A by the Jinshan safe sandbox software, and Feature_3 is assigned 1.
7. Application A enters the judgment module, and according to the weight calculation rule, Result = 1 × (Feature_1 + Feature_2) + 3 × Feature_3 = 1 + 3 = 4.
8. Assuming the accurate judgment mode is adopted, since Result = 4 ≥ 3, the returned value is TRUE; assuming the fuzzy judgment mode is adopted, since Result = 4 > 1, the returned value is TRUE.
(II) Expanding on the above case, the situation in which the user does not specifically erase or tamper with the running characteristics of the Jinshan safe sandbox software is discussed.
1. The program runs in the special system environment constructed by the Jinshan safe sandbox system. In this case, whether the fuzzy judgment mode or the accurate judgment mode is adopted, the detection result is TRUE, namely the system environment in which the program currently runs is the Jinshan safe sandbox system environment.
2. The program runs in a normal system environment and the Jinshan safe sandbox software is not running. In this case, since the features mentioned in this patent are all specific to the Jinshan safe sandbox software and other application programs do not have them, the program cannot detect any feature while the Jinshan safe sandbox software is not running, so the value of Result is 0, and whether the accurate judgment mode or the fuzzy judgment mode is adopted, the detection result is FALSE, namely the system environment in which the program currently runs is a normal system environment.
3. Application A runs in a normal system environment; the user has also opened the Jinshan safe sandbox software at the same time, but Application A was not opened with the Jinshan safe sandbox software, namely Application A does not run in the Jinshan safe sandbox system environment. In this case Application A can detect the presence of the Jinshan safe sandbox software but not the DLL injection behavior, so the value of Result is 1. In the accurate judgment mode the detection result is FALSE; because the fuzzy judgment mode adopts the principle that the current system environment is considered to be the Jinshan safe sandbox system environment as soon as a program feature is found, the detection result in the fuzzy judgment mode is TRUE. In this case the two modes produce different returned results.
In addition to the three cases above, there are some extreme cases. For example, Application A runs in the special system environment constructed by the Jinshan safe sandbox system, and the user then hides the DLL injection behavior characteristics of the Jinshan safe sandbox through some special technical means such as DLL hiding. In this case the result obtained by the accurate judgment mode is FALSE and the result obtained by the fuzzy judgment mode is TRUE; here the fuzzy judgment mode instead obtains the correct detection result.
In summary, the accurate judgment mode and the fuzzy judgment mode each have their own application scenarios and their own advantages and disadvantages, and an appropriate application scheme should be specified according to the specific application scenario.
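The detection flow of steps 2 to 3.5 and the scenario cases (II) 1 to 3 and the extreme case above, as an added example that is not part of the patent or of any Jinshan product: a host-independent C model in which the Windows API calls (EnumProcesses, OpenProcess, EnumProcessModules, GetModuleFileNameEx, GetModuleHandle) are replaced by a constructed process snapshot, so that the feature string matching, the early exit of the process loop, the weight Result = 1 × (Feature_1 + Feature_2) + 3 × Feature_3 and the two thresholds can be run and checked anywhere. The PIDs, module paths and process list are constructed values, and the case-insensitive substring match is an assumption (the text spells the third feature both "kisdcom.dll" and "KisDcom.dll", and Windows paths are case-insensitive).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef unsigned long DWORD;
typedef int BOOL;
#define TRUE 1
#define FALSE 0

#define MAX_MODULES 8
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* One process as EnumProcesses/EnumProcessModules/GetModuleFileNameEx would
 * report it: its PID and the full path of each loaded module (NULL-terminated). */
typedef struct {
    DWORD pid;
    const char *modules[MAX_MODULES];
} ProcessInfo;

/* The three detection feature strings named in the text. */
static const char *FEATURE_STR_1 = "ksandbox.exe";
static const char *FEATURE_STR_2 = "kislog.dll";
static const char *FEATURE_STR_3 = "kisdcom.dll";

typedef enum { MODE_FUZZY, MODE_ACCURATE } JudgmentMode;

typedef struct {
    DWORD Feature_1, Feature_2, Feature_3;
    DWORD Result;
    size_t processes_visited;  /* how many rounds of the step 2.3 loop ran */
} Detection;

/* Case-insensitive substring test (assumption: module paths on Windows are
 * case-insensitive, so "KisDcom.dll" and "kisdcom.dll" must both match). */
static int ci_contains(const char *haystack, const char *needle) {
    size_t n = strlen(needle);
    for (; *haystack != '\0'; haystack++) {
        size_t i = 0;
        while (i < n && haystack[i] != '\0' &&
               tolower((unsigned char)haystack[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Steps 2.2-2.4: scan every process's module paths for features one and two,
 * leaving the loop as soon as (Feature_1 + Feature_2) > 0, then scan the
 * caller's own module list for feature three (standing in for GetModuleHandle). */
static Detection run_detection(const ProcessInfo *procs, size_t Proc_Account,
                               const char *const *own_modules) {
    Detection d = {0, 0, 0, 0, 0};
    for (size_t n = 0; n < Proc_Account; n++) {
        if (d.Feature_1 + d.Feature_2 > 0)   /* exit condition of step 2.3 */
            break;
        d.processes_visited++;
        for (size_t m = 0; procs[n].modules[m] != NULL; m++) {
            const char *Buffer_Path = procs[n].modules[m];
            if (ci_contains(Buffer_Path, FEATURE_STR_1)) d.Feature_1 = 1;
            if (ci_contains(Buffer_Path, FEATURE_STR_2)) d.Feature_2 = 1;
        }
    }
    for (size_t m = 0; own_modules[m] != NULL; m++)
        if (ci_contains(own_modules[m], FEATURE_STR_3)) d.Feature_3 = 1;
    /* Step 3.1: Result = 1 * (Feature_1 + Feature_2) + 3 * Feature_3 */
    d.Result = 1 * (d.Feature_1 + d.Feature_2) + 3 * d.Feature_3;
    return d;
}

/* Step 3.4: accurate mode needs Result >= 3, fuzzy mode needs Result >= 1. */
static BOOL judge(const Detection *d, JudgmentMode mode) {
    DWORD threshold = (mode == MODE_ACCURATE) ? 3 : 1;
    return (d->Result >= threshold) ? TRUE : FALSE;
}

/* Constructed snapshots (not captured from a real machine). The sandbox
 * process at index 2 and the separate kislog.dll-loading process at index 3
 * show the early exit: once ksandbox.exe is seen, index 3 is never visited. */
static const ProcessInfo SNAPSHOT_SANDBOX_RUNNING[] = {
    {4,    {"C:\\Windows\\System32\\svchost.exe", NULL}},
    {1200, {"C:\\Windows\\explorer.exe", NULL}},
    {2048, {"C:\\ksandbox.exe", "C:\\Windows\\System32\\ntdll.dll", NULL}},
    {2100, {"C:\\Games\\launcher.exe", "C:\\ksandbox\\kislog.dll", NULL}},
    {3100, {"C:\\Games\\client_a.exe", NULL}},
};
static const ProcessInfo SNAPSHOT_CLEAN[] = {
    {4,    {"C:\\Windows\\System32\\svchost.exe", NULL}},
    {1200, {"C:\\Windows\\explorer.exe", NULL}},
    {3100, {"C:\\Games\\client_a.exe", NULL}},
};
/* The caller's own module list with and without the injected DLL (constructed). */
static const char *const OWN_MODULES_INJECTED[] = {
    "C:\\Games\\client_a.exe", "C:\\Windows\\System32\\ntdll.dll",
    "C:\\ksandbox\\KisDcom.dll", NULL};
static const char *const OWN_MODULES_PLAIN[] = {
    "C:\\Games\\client_a.exe", "C:\\Windows\\System32\\ntdll.dll", NULL};

int main(void) {
    /* Case (II).1: Application A started inside the sandbox. */
    Detection d = run_detection(SNAPSHOT_SANDBOX_RUNNING,
                                COUNT(SNAPSHOT_SANDBOX_RUNNING), OWN_MODULES_INJECTED);
    printf("Feature_1=%lu Feature_2=%lu Feature_3=%lu Result=%lu visited=%zu\n",
           d.Feature_1, d.Feature_2, d.Feature_3, d.Result, d.processes_visited);
    printf("accurate=%d fuzzy=%d\n", judge(&d, MODE_ACCURATE), judge(&d, MODE_FUZZY));
    return 0;
}
```

Two properties of the scheme become visible when the cases are run side by side. Because Feature_1 + Feature_2 is at most 2, the accurate threshold of 3 can only be reached through Feature_3, so the accurate mode reduces to "feature three detected", exactly as the text states. Case (II).3 (sandbox running, program started outside it) and the extreme case (program inside the sandbox with the injected DLL hidden) produce the same Detection values (Result = 1), which is why the two modes disagree there and why this scheme alone cannot tell those two situations apart.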
The above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention should be covered by the present invention.

Claims (4)

1. A method for detecting whether a program runs in a Jinshan safe sandbox system environment, characterized in that the method comprises the following steps:
traversing all processes running in the operating system and detecting whether a process whose process name, or the module name of whose main module, is "ksandbox.exe" can be matched; if yes, the operating system has feature one ("ksandbox.exe"); if not, it does not;
traversing all processes running in the operating system and detecting whether a process that has loaded the dynamic link library "kislog.dll" can be matched; if yes, the operating system has feature two ("kislog.dll"); if not, it does not;
detecting whether a trace of loading the dynamic link library "KisDcom.dll" is found in the memory space of the application program; if yes, the operating system has feature three ("KisDcom.dll"); if not, it does not; the detection results of the three features are thereby obtained;
analyzing the detection results in the corresponding mode of a set accurate judgment mode or fuzzy judgment mode and returning the analysis result, namely judging whether the application program runs in the Jinshan safe sandbox system environment;
the corresponding mode of the fuzzy judgment mode is that as long as the application program detects that any one of the three features of the Jinshan safe sandbox system exists in the system environment, the operating system environment in which the application program currently runs is judged to be the Jinshan safe sandbox system environment;
the corresponding mode of the accurate judgment mode is that if and only if feature three of the Jinshan safe sandbox system is detected in the system environment is the operating system environment in which the application program currently runs judged to be the Jinshan safe sandbox system environment;
in the method, the three features are stored in the program file as character strings; the method comprises the following steps: Application A starts running, Application A starts executing feature detection, and Application A defines and initializes 3 DWORD variables with default value 0, named Feature_1, Feature_2 and Feature_3, which correspond respectively to whether feature one, feature two and feature three are detected;
the method further comprises the steps of:
step 2.1, Application A allocates a first memory space named Buffer_Pid, used to store the PID array of all processes; Application A allocates a second memory space named Buffer_Module, used to store the module handle array of a process; Application A allocates a third memory space named Buffer_Path, used to store the file path of a process;
step 2.2, Application A calls the Windows API EnumProcesses to enumerate the PIDs of all processes in the current operating system, stores the enumerated result in the memory space Buffer_Pid as a DWORD array, and at the same time obtains the number of returned PIDs from the return result of EnumProcesses, naming this number Proc_Account;
step 2.3, Application A loops Proc_Account times, taking one item out of Buffer_Pid each time; in the Nth round it takes out the Nth PID stored in Buffer_Pid and records it as Pid_Tmp; if Proc_Account rounds have been completed or the condition (Feature_1 + Feature_2) > 0 is met, the loop exits and step 2.9 is entered;
step 2.4, Application A calls the Windows API OpenProcess, passing the parameters PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, opens the process whose PID is Pid_Tmp, and obtains its process handle Handle_Proc;
step 2.5, Application A calls the Windows API EnumProcessModules, passing the parameter Handle_Proc, enumerates the module handle information of all modules of the process whose PID is Pid_Tmp, stores the enumeration result in the memory space Buffer_Module as a DWORD array, obtains the number of returned modules from the return result of EnumProcessModules, and names this number Module_Account;
step 2.6, Application A loops Module_Account times, taking one item out of Buffer_Module each time; in the Nth round it takes out the Nth module handle stored in Buffer_Module and records it as ModuleHandle_Tmp;
step 2.7, Application A calls the Windows API GetModuleFileNameEx to query the module name path of the module whose handle is ModuleHandle_Tmp; after the API call completes, the path is stored in the memory space Buffer_Path as a character string;
step 2.8, Application A checks by string comparison whether the string stored in Buffer_Path contains the main module name feature string "ksandbox.exe" or the module name feature string "kislog.dll"; if neither string comparison matches, the next round of the loop is entered; otherwise, if "ksandbox.exe" is matched, Feature_1 is assigned 1, and if "kislog.dll" is matched, Feature_2 is assigned 1;
step 2.9, Application A calls the Windows API GetModuleHandle, passing the parameter "KisDcom.dll"; if the return value is not 0, it can be judged that a trace of loading the dynamic link library "KisDcom.dll" is found in the memory space of Application A, that is, the dynamic link library "KisDcom.dll" has been injected into Application A by the Jinshan safe sandbox software, and in this case Feature_3 is assigned 1.
2. The method of claim 1, characterized in that the method analyzes the detection results in the corresponding mode of the set accurate judgment mode or fuzzy judgment mode and returns the analysis result, specifically comprising the following steps:
step 3.1, Application A defines a DWORD variable named Result for calculating the judgment weight, computed as Result = 1 × (Feature_1 + Feature_2) + 3 × Feature_3;
step 3.2, Application A performs the logic judgment according to its business requirement, namely if the application program is required to be prevented from running in the Jinshan safe sandbox system environment, the fuzzy judgment mode is adopted; if data accuracy is required to be ensured, the accurate judgment mode is adopted;
step 3.3, Application A defines a BOOL variable named Return_Value for returning the result; if Application A adopts the accurate judgment mode, Return_Value is assigned TRUE when Result ≥ 3 and FALSE otherwise; if Application A adopts the fuzzy judgment mode, Return_Value is assigned TRUE when Result ≥ 1 and FALSE otherwise;
step 3.4, if Return_Value is TRUE, it is judged that the application program is currently running in the Jinshan safe sandbox system environment, and if Return_Value is FALSE, it is judged that the application program is currently running in a normal operating system environment.
3. A system for detecting whether a program runs in a Jinshan safe sandbox system environment is characterized in that: the system comprises: the device comprises a first detection characteristic module, a second detection characteristic module, a third detection characteristic module and a logic judgment module;
the first detection feature module is used for traversing all processes running in the operating system and detecting whether a process name or a process with a module name of 'ksandbox.exe' of a main module of the process is matched; if yes, the operating system has a characteristic of one ksandbox.exe; if not, the data does not exist;
the detection characteristic two module is used for traversing all processes running in the operating system and detecting whether a process loaded with a dynamic link library 'kislog.dll' is matched; if so, the operating system has a characteristic of two kislog.dll; if not, the data does not exist;
the detection feature three module is used for detecting whether a trace of loading the dynamic link library 'KisDcom.dll' is found in the memory space of the application program; if yes, the operating system has a characteristic of three KisDcom.dll; if not, the data does not exist; obtaining detection results of the three characteristics;
the logic judgment module is used for analyzing the detection result in a corresponding mode of a set accurate judgment mode or a set fuzzy judgment mode and returning an analysis result, namely judging whether the application program runs in the environment of the Jinshan safe sandbox system;
the corresponding mode of the fuzzy judgment mode is that as long as the application program detects that any one of the three characteristics of the Jinshan safe sandbox system exists in the system environment, the operating system environment of the current operation of the application program is judged to be the Jinshan safe sandbox system environment;
the corresponding mode of the accurate judgment mode is that if and only if the fact that the Jinshan safe sandbox system characteristics are three in the system environment is detected, the operating system environment where the application program runs currently is judged to be the Jinshan safe sandbox system environment; three characteristics in the system are stored in a program file in a character string mode; the method comprises the following steps that an application program A is started to run, the application program A starts to execute Feature detection, the application program A defines and initializes 3 DWORD type data variables with default values of 0, and the 3 DWORD type data variables are named as Feature _1, Feature _2 and Feature _3 respectively, wherein the Feature _1, the Feature _2 and the Feature _3 respectively correspond to whether a Feature I, a Feature II and a Feature III are detected or not; the system is further realized by the following steps:
step 4.1, application program A allocates a first memory space, named Buffer_Pid, used to store the PID array of all processes; a second memory space, named Buffer_Module, used to store the module handle array of a process; and a third memory space, named Buffer_Path, used to store the file path of a process;
step 4.2, application program A calls the Windows API EnumProcesses to enumerate the PIDs of all processes in the current operating system; the enumeration result is stored in the memory space Buffer_Pid as a DWORD array, and the number of PIDs returned is obtained from the return value of EnumProcesses and named Proc_Account;
step 4.3, application program A loops Proc_Account times, taking one element out of Buffer_Pid each time; in the N-th iteration the N-th PID stored in Buffer_Pid is taken out and recorded as Pid_Tmp; if all Proc_Account iterations have been completed, or the condition (Feature_1 + Feature_2) > 0 is met, the loop is exited and step 4.9 is entered;
step 4.4, application program A calls the Windows API OpenProcess with the parameters PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, opens the process whose PID is Pid_Tmp, and obtains its process handle Handle_Proc;
step 4.5, application program A calls the Windows API EnumProcessModules with the parameter Handle_Proc, enumerating the module handle information of all modules of the process whose PID is Pid_Tmp; the enumeration result is stored in the memory space Buffer_Module as a DWORD array, and the number of modules returned is obtained from the return value of EnumProcessModules and named Module_Account;
step 4.6, application program A loops Module_Account times, taking one element out of Buffer_Module each time; in the N-th iteration the N-th module handle stored in Buffer_Module is taken out and recorded as ModuleHandle_Tmp;
step 4.7, application program A calls the Windows API GetModuleFileNameEx to query the module name Path of the module whose handle is ModuleHandle_Tmp; after the API call, Path is stored in the memory space Buffer_Path as a character string;
step 4.8, application program A checks by string comparison whether the string stored in Buffer_Path contains the main-module name feature string "ksandbox.exe" or the module name feature string "kislog.dll"; if neither comparison matches, the next iteration of the loop is entered; otherwise, if "ksandbox.exe" matches, Feature_1 is assigned 1, and if "kislog.dll" matches, Feature_2 is assigned 1;
step 4.9, application program A calls the Windows API GetModuleHandle with the parameter "kisdcom.dll"; if the return value is not 0, it can be determined that a trace of the dynamic link library "kisdcom.dll" having been loaded is present in the memory space of application program A, that is, the dynamic link library "kisdcom.dll" has been injected into application program A by the Jinshan security sandbox software, and in this case Feature_3 is assigned 1.
4. The system for detecting whether a program runs in a Jinshan safe sandbox system environment according to claim 3, wherein the system analyzes the detection result according to the configured rule of the accurate judgment mode or the fuzzy judgment mode and returns the analysis result, realized by the following steps:
step 5.1, application program A defines a DWORD variable named Result, used to compute a decision weight as Result = 1 × (Feature_1 + Feature_2) + 3 × Feature_3;
step 5.2, application program A makes a logical choice according to the business requirement: if the requirement is to prevent the application program from running in the Jinshan safe sandbox system environment, the fuzzy judgment mode is adopted; if the requirement is to guarantee data accuracy, the accurate judgment mode is adopted;
step 5.3, application program A defines a BOOL variable named Return_Value for returning the result; if application program A adopts the accurate judgment mode, Return_Value is assigned TRUE when Result ≥ 3 and FALSE otherwise; if application program A adopts the fuzzy judgment mode, Return_Value is assigned TRUE when Result ≥ 1 and FALSE otherwise;
step 5.4, if Return_Value is TRUE, it is judged that the application program is currently running in the Jinshan safe sandbox system environment; if Return_Value is FALSE, it is judged that the application program is currently running in a normal operating system environment.
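As an added example (not code from the patent), the scan and decision logic of steps 4.3 to 5.4 written in portable C so the scoring can be traced offline: a constructed process/module list replaces the EnumProcesses, EnumProcessModules and GetModuleFileNameEx calls, and a flag replaces the GetModuleHandle("kisdcom.dll") check. The type and function names (proc_t, features_t, scan_processes, weight, decide, sample_result) and the sample paths are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* One enumerated process: the module paths GetModuleFileNameEx would return. */
typedef struct { const char *const *modules; size_t count; } proc_t;
/* Feature_1..Feature_3 of the claim. */
typedef struct { int f1, f2, f3; } features_t;

/* Steps 4.3-4.9: scan each process's module paths for the two feature strings,
 * honouring the early exit of step 4.3; kisdcom_loaded stands in for the
 * GetModuleHandle("kisdcom.dll") != 0 check of step 4.9. */
features_t scan_processes(const proc_t *procs, size_t nprocs, int kisdcom_loaded) {
    features_t f = {0, 0, 0};
    for (size_t p = 0; p < nprocs; p++) {
        if (f.f1 + f.f2 > 0) break;   /* step 4.3: stop once either feature is seen */
        for (size_t m = 0; m < procs[p].count; m++) {
            /* step 4.8: plain substring match, so a case-mismatched path is missed */
            if (strstr(procs[p].modules[m], "ksandbox.exe")) f.f1 = 1;
            if (strstr(procs[p].modules[m], "kislog.dll")) f.f2 = 1;
        }
    }
    f.f3 = kisdcom_loaded ? 1 : 0;
    return f;
}

/* Step 5.1: Result = 1 * (Feature_1 + Feature_2) + 3 * Feature_3. */
int weight(features_t f) { return 1 * (f.f1 + f.f2) + 3 * f.f3; }

/* Step 5.3: accurate mode needs Result >= 3, fuzzy mode needs Result >= 1. */
int decide(int result, int accurate) { return accurate ? result >= 3 : result >= 1; }

/* Constructed sample (not real data): three processes; only the third carries kislog.dll. */
static const char *const normal_mods[] = {"C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ntdll.dll"};
static const char *const host_mods[] = {"C:\\Program Files\\Kingsoft\\ksandbox.exe"};
static const char *const other_mods[] = {"C:\\Windows\\System32\\svchost.exe", "C:\\Program Files\\Kingsoft\\kislog.dll"};
static const proc_t sample_procs[] = {{normal_mods, 2}, {host_mods, 1}, {other_mods, 2}};

/* Weight the constructed sample; Feature_2 is never set because the loop
 * exits before the third process is examined. */
int sample_result(int kisdcom_loaded) {
    return weight(scan_processes(sample_procs, 3, kisdcom_loaded));
}

int main(void) {
    for (int injected = 0; injected <= 1; injected++) {
        int r = sample_result(injected);
        printf("kisdcom.dll injected=%d Result=%d accurate=%d fuzzy=%d\n",
               injected, r, decide(r, 1), decide(r, 0));
    }
    return 0;
}
```

Since Feature_1 + Feature_2 is at most 2, the accurate-mode threshold Result ≥ 3 is reachable only when Feature_3 is set, so in practice that mode hinges on the injected "kisdcom.dll" alone.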
CN202010458742.4A 2020-05-27 2020-05-27 Method and system for detecting whether program runs in environment of Jinshan safe sandbox system Active CN111611580B (en)

Publications (2)

Publication Number Publication Date
CN111611580A CN111611580A (en) 2020-09-01
CN111611580B true CN111611580B (en) 2022-09-23

Family

ID=72205042

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010458742.4A Active CN111611580B (en) 2020-05-27 2020-05-27 Method and system for detecting whether program runs in environment of Jinshan safe sandbox system

Country Status (1)

Country Link
CN (1) CN111611580B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant