Malicious code analysis method and system under Linux platform

This technology concerns a malicious code analysis method and system for the Linux platform. It addresses the problems of existing methods, which cannot obtain information related to the malicious code, have poor robustness, and depend on trapping specific instructions; the effects are improved speed, avoidance of performance loss, and improved usability.

Active Publication Date: 2014-10-15
INST OF COMPUTING TECH CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

(1) The premise of this method is that the application's request must be trapped into the kernel through the INT 0x80 instruction; for the SYSENTER or SYSCALL instruction, the method fails.
[0006] (2) Methods that intercept system calls by reading the /dev/kmem device file to obtain the address of the system call table carry potential security risks.
[0007] (3) The system call interception used in traditional malicious code analysis methods is performed at the system call layer, above the VFS layer, so more specific information related to the malicious code cannot be obtained.
[0008] (4) Modifying the system call table introduces security risks, and its robustness is poor in a multi-threaded environment.

Method used


Embodiment Construction

[0064] Figure 1 is a flowchart of the malicious code analysis method under the Linux platform of the present invention. As shown in Figure 1, the method includes:

[0065] Step 1: set the key file information to be monitored and display it in an interface, where the key file information includes the file name, the UID of the user that owns the file, the group GID, and the file access rights;

[0066] Step 2: load and execute the malicious code to be analyzed, and set the process to be monitored according to the content displayed on the interface;

[0067] Step 3: pass the key file information and the monitored process information to the monitoring module in kernel space; the monitoring module synchronously generates a key file list and a monitored process list from that information;

[0068] Step 4: the monitoring module monitors the monitored process's access to the key files in real time, a...
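A user-space consumer of the kind of monitoring records Steps 1 to 4 describe, as an added example that is not part of the patent: it keeps the key file list (file name, owner UID, group GID, access rights) and the monitored process list, checks each access record against both, and also flags when the observed UID, GID or mode of a key file has drifted from the registered baseline. The record layout, PIDs, paths and attribute values are constructed assumptions, not the patent's format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyFile:
    """Step 1: the attributes registered for a key file (constructed values)."""
    name: str
    uid: int
    gid: int
    mode: int


# Step 1/3: key file list as the kernel module would hold it (constructed).
KEY_FILES = {
    "/etc/passwd": KeyFile("/etc/passwd", 0, 0, 0o644),
    "/etc/shadow": KeyFile("/etc/shadow", 0, 42, 0o640),
}
# Step 2/3: PIDs of the loaded sample to monitor (constructed).
MONITORED_PIDS = {4242, 4243}


def parse_event(line):
    """Assumed record layout 'pid op path uid gid mode' with octal mode."""
    pid, op, path, uid, gid, mode = line.split()
    return {"pid": int(pid), "op": op, "path": path,
            "uid": int(uid), "gid": int(gid), "mode": int(mode, 8)}


def check_event(ev):
    """Return None if the event is not interesting, else an alert dict."""
    if ev["pid"] not in MONITORED_PIDS or ev["path"] not in KEY_FILES:
        return None
    base = KEY_FILES[ev["path"]]
    # Step 4 extension: report attributes that no longer match the baseline.
    drift = [f for f in ("uid", "gid", "mode") if ev[f] != getattr(base, f)]
    return {"pid": ev["pid"], "op": ev["op"], "path": ev["path"], "drift": drift}


def scan(lines):
    """Run every non-empty record through the check and keep the alerts."""
    events = (parse_event(l) for l in lines if l.strip())
    return [a for a in map(check_event, events) if a is not None]


# Constructed sample records: one unmonitored PID, one non-key path.
SAMPLE = """\
4242 read /etc/passwd 0 0 644
9999 read /etc/shadow 0 42 640
4243 write /etc/shadow 0 42 640
4243 chmod /etc/shadow 0 0 666
4242 read /tmp/x 1000 1000 644
"""
```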


Abstract

The invention provides a malicious code analysis method and system under a Linux platform. In the method and system, dynamic loading is realized with LKM (Loadable Kernel Module) technology, and the point at which system calls are intercepted is placed between the VFS (Virtual File System) layer and the concrete file system, so that more information related to file operations is obtained and more accurate and useful monitoring information is provided. System calls are intercepted without modifying the system call table, so the potential security hazards of the traditional approach of modifying the system call table are avoided. A shared memory mechanism is adopted to increase the communication speed between the kernel module and the user process and the volume of data that can be transmitted. The key files and processes to be monitored are selected by the user, which improves the usability, flexibility and efficiency of the system and better meets the user's needs for malicious code analysis. Only the selected malicious code processes and a number of important key files are monitored, which avoids a large performance loss for the system and increases the running speed of the analysis system.

Description

Technical field
[0001] The invention relates to the field of malicious code analysis under the Linux platform, in particular to a malicious code analysis method and system under the Linux platform.
Background art
[0002] While the Internet brings convenience and efficiency to people's lives, security threats are increasing year by year. The large number of viruses and Trojan horses on the network has caused serious harm to people's property, to the safety of social production and to national information security. Among the various hazards, the loss and harm caused by executable malicious code is particularly prominent. The prevalence of malicious code has raised people's security awareness and prompted the study of malicious code from many aspects. With the continuous development of malicious code, new kinds appear endlessly and unpredictably. Traditional debugger-based detection methods and sample analysis techniques have long...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
CPC: G06F21/563
Inventors: 何振学, 田昕晖, 孙毓忠
Owner INST OF COMPUTING TECH CHINESE ACAD OF SCI