Dynamic detection method of Shellcode

A dynamic Shellcode detection technology, applied in the field of information security, addresses the problem that existing detectors are easily discovered by the Shellcode they inspect, and achieves the effects of reducing that possibility and of easy deployment.

Inactive Publication Date: 2015-06-24
北京信息控制研究所 +1

AI Technical Summary

Problems solved by technology

However, Shellcode is likely to evade detection by first checking whether it is running in a virtualization environment and deciding on that basis whether to actually execute its effective part.
Therefore, there is a need to solve the


Embodiment Construction

[0020] The invention proposes a dynamic detection method for Shellcode that uses no virtualization technology: the network data flow is executed directly on the CPU, and the Shellcode is detected effectively. Because ordinary network data consists mostly of instructions that are invalid or illegal for the CPU, executing it directly causes the running operating system to raise an exception or to fall into an endless loop, whereas executing Shellcode causes no operating system exception. Therefore, for the network data flow to be executed smoothly and continuously, the method must handle operating system exceptions and the system falling into an endless loop.

[0021] To judge whether an execution chain is in an endless-loop state, the core idea is to check the counter variables of the current operating system and check the difference be...
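The execution-chain classification described in [0020] and in the abstract, as an added example in C that is not part of the patent or of this page: each chain is copied into executable memory and run on the host CPU, and the harness reports whether it raised a processor exception, exceeded a time budget (a timer stands in for the patent's operating-system counter check, which the page only begins to describe), or ran to completion. The instruction samples (a return, an undefined instruction, a self-jump), the fixed chain length, the trap-byte padding and the Linux/x86-or-AArch64 host are constructed assumptions; chains that run to completion are the ones the patent hands to its further "starting method" check, which this page does not describe.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* The three outcomes named in the abstract, plus a harness failure. */
enum verdict { V_EXCEPTION = 0, V_ENDLESS_LOOP = 1, V_COMPLETED = 2, V_ERROR = -1 };

/* Constructed instruction samples for the host CPU (assumption: x86 or AArch64 Linux). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char SAMPLE_RET[]  = { 0xC3 };             /* ret   : returns cleanly */
static const unsigned char SAMPLE_TRAP[] = { 0x0F, 0x0B };       /* ud2   : raises SIGILL   */
static const unsigned char SAMPLE_LOOP[] = { 0xEB, 0xFE };       /* jmp $ : spins forever   */
#define TRAP_FILL 0xCC                                           /* int3 pads the page      */
#elif defined(__aarch64__)
static const unsigned char SAMPLE_RET[]  = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret    */
static const unsigned char SAMPLE_TRAP[] = { 0x00, 0x00, 0x00, 0x00 }; /* udf #0 */
static const unsigned char SAMPLE_LOOP[] = { 0x00, 0x00, 0x00, 0x14 }; /* b .    */
#define TRAP_FILL 0x00
#else
#error "instruction samples are only provided for x86 and AArch64"
#endif

static sigjmp_buf resume_point;
static volatile sig_atomic_t fired_signal;

static void on_signal(int sig) { fired_signal = sig; siglongjmp(resume_point, 1); }

static void set_timer_ms(long ms) {
    struct itimerval it = { {0, 0}, {ms / 1000, (ms % 1000) * 1000} };
    setitimer(ITIMER_REAL, &it, NULL);
}

static const int WATCHED[] = { SIGSEGV, SIGBUS, SIGILL, SIGTRAP, SIGFPE, SIGALRM };
#define NWATCHED (sizeof WATCHED / sizeof WATCHED[0])

/* Execute `len` bytes of `chain` directly on the CPU; `budget_ms` is the
 * endless-loop budget (assumption: a timer replaces the patent's OS counter check). */
enum verdict run_chain(const unsigned char *chain, size_t len, long budget_ms) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (len > page) return V_ERROR;
    unsigned char *exec = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (exec == MAP_FAILED) return V_ERROR;
    /* Trap padding: running off the end of the chain raises an exception. */
    memset(exec, TRAP_FILL, page);
    memcpy(exec, chain, len);
    __builtin___clear_cache((char *)exec, (char *)exec + page);

    struct sigaction sa, saved[NWATCHED];
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < NWATCHED; i++) sigaction(WATCHED[i], &sa, &saved[i]);

    void (*fn)(void);
    memcpy(&fn, &exec, sizeof fn);   /* object -> function pointer without a cast warning */

    volatile enum verdict v;
    fired_signal = 0;
    /* sigsetjmp records the stack pointer, callee-saved registers and signal mask;
     * siglongjmp from the handler restores them, much as the patent restores its
     * stored initial register values before the next chain. */
    if (sigsetjmp(resume_point, 1) == 0) {
        set_timer_ms(budget_ms);
        fn();
        v = V_COMPLETED;
    } else {
        v = (fired_signal == SIGALRM) ? V_ENDLESS_LOOP : V_EXCEPTION;
    }
    set_timer_ms(0);
    for (size_t i = 0; i < NWATCHED; i++) sigaction(WATCHED[i], &saved[i], NULL);
    munmap(exec, page);
    return v;
}

#define CHAIN_LEN 4

/* Constructed "captured flow": one chain of each kind, padded with the trap byte. */
size_t make_sample_stream(unsigned char *out, size_t cap) {
    const unsigned char *samples[3] = { SAMPLE_RET, SAMPLE_TRAP, SAMPLE_LOOP };
    const size_t lens[3] = { sizeof SAMPLE_RET, sizeof SAMPLE_TRAP, sizeof SAMPLE_LOOP };
    if (cap < 3 * CHAIN_LEN) return 0;
    memset(out, TRAP_FILL, 3 * CHAIN_LEN);
    for (int i = 0; i < 3; i++) memcpy(out + i * CHAIN_LEN, samples[i], lens[i]);
    return 3 * CHAIN_LEN;
}

/* Divide the flow into fixed-length chains (assumption: the page does not say how
 * the division is done), run each one, and tally verdicts by enum index. */
size_t scan_stream(const unsigned char *data, size_t len, size_t chain_len,
                   long budget_ms, size_t counts[3]) {
    size_t n = 0;
    memset(counts, 0, 3 * sizeof counts[0]);
    for (size_t off = 0; off + chain_len <= len; off += chain_len, n++) {
        enum verdict v = run_chain(data + off, chain_len, budget_ms);
        if (v != V_ERROR) counts[v]++;
    }
    return n;
}

int main(void) {
    static const char *names[] = { "exception (no Shellcode)", "endless loop (no Shellcode)",
                                   "ran to completion (candidate for the starting check)" };
    unsigned char stream[64];
    size_t len = make_sample_stream(stream, sizeof stream);
    for (size_t off = 0; off < len; off += CHAIN_LEN) {
        enum verdict v = run_chain(stream + off, CHAIN_LEN, 200);
        printf("chain @%zu: %s\n", off, v == V_ERROR ? "harness error" : names[v]);
    }
    return 0;
}
```

The design point the patent's premise raises: because no virtualization layer sits between the chain and the CPU, a chain that completes has done whatever the detector process could do (read its memory, issue system calls) before the verdict is recorded. The patent accepts that in exchange for being invisible to environment-probing Shellcode; a practitioner deploying such a harness runs it in a throwaway, unprivileged process with no secrets in its address space, and treats a completed chain as a candidate to inspect further, not as a confirmed result.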


Abstract

Disclosed is a dynamic detection method for Shellcode. The method comprises the following steps: first, the network data flow is captured and divided to obtain a plurality of execution chains; then an operating system breakpoint exception is triggered, and the register values and memory contents at the moment of the exception are stored as the initial register values and memory contents; finally, the execution chains are executed in sequence, and during the execution of each chain it is detected whether an endless loop or an operating system exception occurs. If an endless loop or an operating system exception occurs, the current execution chain contains no Shellcode; otherwise, a starting method is used to detect whether the current execution chain contains Shellcode, and detection is complete. The method can detect Shellcode that uses code obfuscation, uses no virtualization technology, is easy to deploy, effectively detects Shellcode that looks for a virtualization environment, and greatly reduces the probability that the Shellcode detection is exposed.

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to a dynamic detection method for Shellcode.

Background technique

[0002] With the development of network attack technology, the code injection attack of buffer overflow has attracted more and more attention from attackers and has become the main means of attacking computer systems. Among these, the code injection of buffer overflow includes Shellcode injection. Shellcode injection sends malicious data containing Shellcode to a vulnerable application on the target host, thereby changing the execution flow of the vulnerable application and even taking control of the entire computer system. The key to resisting this kind of attack lies in whether the presence of Shellcode in the network data stream can be discovered accurately, and the existing technical methods for detecting Shellcode can be divided into two categories: static detection methods and dynamic detection methods...


Application Information

IPC(8): G06F11/36, G06F21/56, G06F9/455
Inventors: 陈漠, 刘渊, 王潇茵, 李宁
Owner 北京信息控制研究所