
Method and device for detecting and processing remote-thread injection type Trojan

A remote-thread-injection detection technique, applied in the field of detecting and processing remote-thread-injection Trojans, that addresses problems such as consumption of the user's computer resources, forced restarts and false positives, with the effect of reducing the likelihood of false positives and improving detection speed.

Inactive Publication Date: 2011-04-06
BEIJING ANTIY NETWORK SAFETY TECH CO LTD
0 Cites, 12 Cited by

AI Technical Summary

Problems solved by technology

[0008] 1. Detection is slow, because feature matching must be performed on the memory of every process, so the volume of data to match is large;
[0009] 2. There is some chance of false positives: because the set of objects being matched is so wide, poor-quality features produce a high false-positive rate.
[0011] 1. Trojans are often injected into key processes of the protected system, which anti-virus products cannot terminate with ordinary system privileges; if an anti-virus product elevates its privileges to end such a process, the result can be system instability or even a forced restart, interrupting the user's work and losing data. If a network server restarts unexpectedly, its network services are interrupted and heavy losses result;
[0012] 2. Clearing the file and restarting the computer suffers from the same problems.
[0014] 1. Trojans use a variety of techniques to achieve remote thread injection rather than calling one fixed API, so this detection method can be bypassed;
[0015] 2. This method requires the anti-virus product to run and monitor continuously, which not only occupies the user's computer resources but also cannot take effect against a Trojan that was injected before the monitor started.



Embodiment Construction

[0064] To enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above purposes, features and advantages more obvious and easier to understand, the technical solutions of the present invention are described in further detail below in conjunction with the accompanying drawings.

[0065] The invention provides a method and device for detecting and processing remote-thread-injection Trojans, which can quickly, accurately and thoroughly detect remote-thread-injection Trojans present in an operating system.

[0066] The detection method for remote-thread-injection Trojans provided by the present invention is introduced first; its concrete implementation steps are shown in Figure 1 and include:

[0067] S101, traverse all threads in the operating system to find threads that may have been created by a Trojan;

...


Abstract

The invention discloses a method for detecting and processing remote-thread-injection Trojans, comprising the following steps: traversing all threads in an operating system to find threads possibly created by the Trojan; traversing all memory modules in the memory space of the thread's parent process and reading the data of those modules; performing feature matching on the module data using Trojan features; and terminating the thread created by the remote-thread-injection Trojan, unloading the memory modules in the parent process's memory space that were successfully matched by the Trojan features, and deleting the files associated with those modules. The invention also discloses a device for detecting and processing remote-thread-injection Trojans, comprising a judging module, a reading module, a matching module and a processing module. The invention can rapidly, accurately and thoroughly detect remote-thread-injection Trojans present in an operating system and search for, kill and eliminate them, so that the computer does not need to be restarted and normal operation of the system is not affected.
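The four steps of the abstract (candidate-thread selection, module enumeration, feature matching, and remediation limited to the matched module and its threads) can be simulated offline without Windows APIs. The block below is an added example, not code from the patent or from Antiy; the process, thread and module records, the byte-pattern "feature" and the candidate-thread heuristic (a thread whose start address lies outside the process's main image) are all constructed assumptions standing in for the real snapshot, signature database and the criterion the patent itself uses in step S101.

```python
"""Offline simulation of the detect-and-process pipeline from the abstract.

Constructed model: each Process carries its loaded modules (with a copy of
their memory) and its threads (with start addresses). Nothing here talks to
a real operating system.
"""
from dataclasses import dataclass


@dataclass
class Module:
    path: str      # file backing the module (deleted in the final step)
    base: int      # load address
    size: int      # mapped size
    data: bytes    # copy of the module's memory, matched against features


@dataclass
class Thread:
    tid: int
    start_address: int


@dataclass
class Process:
    pid: int
    name: str
    image: Module        # main executable image
    modules: list        # every loaded module, image included
    threads: list


# Constructed placeholder feature; a real product would use its signature database.
TROJAN_FEATURES = {"demo.trojan.a": b"\xde\xad\xbe\xef\x90\x90INJ"}


def module_for(proc, addr):
    """Return the loaded module that contains addr, or None."""
    for m in proc.modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def suspicious_threads(proc):
    """Step 1 (assumed heuristic): a thread is a candidate when its start
    address is not inside the process's main image. Threads started by
    legitimate DLLs also qualify, so this only narrows the scan; step 3
    decides what is actually malicious."""
    return [t for t in proc.threads
            if module_for(proc, t.start_address) is not proc.image]


def match_modules(proc, features):
    """Steps 2 and 3: read every module in the parent process and match
    Trojan features against its memory. Returns (module, feature_name) hits."""
    hits = []
    for m in proc.modules:
        for name, pattern in features.items():
            if pattern in m.data:
                hits.append((m, name))
    return hits


def scan(processes, features=TROJAN_FEATURES):
    """Step 4: build the remediation plan. Only threads starting inside a
    matched module are terminated; candidate threads from unmatched modules
    are left alone, which is where the false-positive reduction comes from."""
    actions = []
    for proc in processes:
        candidates = suspicious_threads(proc)
        if not candidates:
            continue                      # no candidate thread, no memory scan
        for module, feature in match_modules(proc, features):
            for t in candidates:
                if module_for(proc, t.start_address) is module:
                    actions.append(("terminate_thread", proc.pid, t.tid))
            actions.append(("unload_module", proc.pid, module.path))
            actions.append(("delete_file", module.path, feature))
    return actions


def build_sample():
    """Constructed snapshot: an svchost.exe with a legitimate DLL thread and an
    injected DLL thread, plus a clean notepad.exe."""
    clean = b"MZ" + b"\x00" * 64
    svc_img = Module(r"C:\Windows\System32\svchost.exe", 0x400000, 0x20000, clean)
    rpcrt4 = Module(r"C:\Windows\System32\rpcrt4.dll", 0x7FF00000, 0x100000, clean)
    evil = Module(r"C:\Users\Public\upd.dll", 0x10000000, 0x8000,
                  b"MZ" + b"\x00" * 32 + TROJAN_FEATURES["demo.trojan.a"] + b"\x00" * 8)
    svchost = Process(1234, "svchost.exe", svc_img, [svc_img, rpcrt4, evil],
                      [Thread(100, 0x401000),      # main image
                       Thread(101, 0x7FF01000),    # legitimate DLL thread
                       Thread(102, 0x10001000)])   # injected thread
    np_img = Module(r"C:\Windows\notepad.exe", 0x400000, 0x30000, clean)
    notepad = Process(2222, "notepad.exe", np_img, [np_img], [Thread(200, 0x401500)])
    return [svchost, notepad]


if __name__ == "__main__":
    for action in scan(build_sample()):
        print(action)
```

Running it yields three actions, all against pid 1234: terminate thread 102, unload `upd.dll`, delete its file. Thread 101 was a candidate in step 1 but survives, because rpcrt4.dll matched no feature; notepad.exe is never memory-scanned at all, which is the speed argument of the abstract.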

Description

Technical field

[0001] The invention relates to the field of computer information security, in particular to a method and device for detecting and processing remote-thread-injection Trojans.

Background technique

[0002] Malicious code is the most serious threat in the field of information security, and how to detect and kill it effectively is the core issue in this field.

[0003] Trojan horses are one of the most numerous and harmful types of malicious code. At present most Trojans adopt the so-called "remote thread injection" technique: instead of starting a new process, the Trojan hides inside an existing process (especially a system process) in the form of a thread, thereby concealing itself from the user and, to some extent, protecting itself against detection and removal by anti-virus products.

[0004] For this type of remote-thread-injection Trojan (hereinafter referred to as "Trojan ...


Application Information

IPC(8): G06F21/00, G06F21/56
Inventors: 肖梓航, 李伟, 尹尚书, 李柏松
Owner BEIJING ANTIY NETWORK SAFETY TECH CO LTD