
Method for vulnerability detection in Windows operating environment based on instrumentation tool

An operating-environment and vulnerability-detection technology, applied in the computer field, that addresses the problems of deeply hidden malicious code, single-vulnerability-type analysis, and limited sample-processing capacity.

Inactive Publication Date: 2015-12-23
UNIV OF ELECTRONICS SCI & TECH OF CHINA

AI Technical Summary

Problems solved by technology

[0004] The three types of vulnerabilities, buffer overflow, local privilege escalation, and ROP, are very common and dangerous vulnerabilities that exist widely in various operating systems and application software. However, current research only analyzes and deals with one type of vulnerability at a time, which is relatively narrow.
At the same time, in order to protect the information security of users on the Internet, national security departments and enterprises capture a large number of file samples at any time. Relying only on static scanning or manual analysis of file samples leads to slow analysis progress; especially in today's complex network environment, a large amount of file data requires analysis, and purely manual analysis can only deal with a limited number of samples.
On the other hand, the malicious code in most sample files is hidden so deeply that manual analysis and other methods cannot accurately determine whether the files contain malicious behavior such as exploiting software vulnerabilities.


Examples


Embodiment 1

[0014] The specific implementation of the vulnerability detection based on the instrumentation tool described in the present invention is:

[0015] a) Create the target process in suspended mode;

[0016] b) Attach to the target process in debug mode;

[0017] c) Resume the target process until the memory-management dynamic link library is loaded into the process space and has completed initialization, then suspend it again;

[0018] d) Detach the memory-management dynamic link library from the process space;

[0019] e) Copy the instrumentation startup routine into the target process space and point the program counter at the routine;

[0020] f) Resume the target process;

[0021] g) Load the instrumentation tool module (Pinvm.dll);

[0022] h) Load the vulnerability-trigger judgment module;

[0023] i) Instrument the target process, execute the process instructions, and generate a vulnerability detection report.

[0024] The above s...


Abstract

The invention discloses a method for vulnerability detection in a Windows operating environment based on an instrumentation tool. The method comprises the following steps. When it is detected that a target process executes a function call instruction, the next instruction address and the function return address are saved; if the instruction at the jump destination address of the target process is not the start instruction of a function, a ROP vulnerability is determined to exist. When it is detected that the target process executes a function return, whether the return address on the current thread stack is stored is checked, and if the return address is stored, a buffer overflow vulnerability is determined. Whether the address of the function return instruction is the same as the stored return address is judged; if it is not, the address of the function return instruction is saved, and a ROP vulnerability is judged to exist in the target process when that address is detected being executed multiple times. A preset debugging process is opened through a function call interface, and whether this debugging process can open the target process is judged; if it cannot, a local privilege escalation vulnerability exists. By means of the method, multiple samples can be automatically identified and detected concurrently.
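The call/return bookkeeping in the abstract is essentially a shadow stack plus two ROP heuristics. The following is an added example (not the patent's own Pin tool) that models those checks in Python over constructed instruction traces; it assumes the event shapes and function-entry set defined in the code, and it reads the overflow check as "the executed return address does not match the one saved at the call", the shadow-stack interpretation of the abstract.

```python
# Added example (not the patent's own Pin tool): a model of the call/return
# checks the abstract describes, run over constructed instruction traces.
# Event shapes are assumed:
#   ("call", next_addr, target)      call instruction; next_addr is the return address
#   ("ret", ret_ip, ret_target)      return instruction at ret_ip transferring to ret_target
FUNCTION_STARTS = {0x401000, 0x402000, 0x403000}   # assumed known function entry points


def detect(trace, function_starts=FUNCTION_STARTS):
    """Return a list of (event_index, kind, detail) findings for a trace."""
    shadow = []          # return addresses saved at each call (shadow stack)
    bad_ret_sites = {}   # RET instruction address -> times it returned to an unsaved address
    findings = []
    for i, ev in enumerate(trace):
        if ev[0] == "call":
            _, next_addr, target = ev
            shadow.append(next_addr)            # save the expected return address
            if target not in function_starts:   # control transfer into the middle of a function
                findings.append((i, "ROP", "call target %#x is not a function start" % target))
        elif ev[0] == "ret":
            _, ret_ip, ret_target = ev
            expected = shadow.pop() if shadow else None
            if ret_target != expected:          # return address was overwritten
                findings.append((i, "BOF", "returned to %#x (saved: %r)" % (ret_target, expected)))
                bad_ret_sites[ret_ip] = bad_ret_sites.get(ret_ip, 0) + 1
                if bad_ret_sites[ret_ip] > 1:   # the same gadget is reused across the chain
                    findings.append((i, "ROP", "return instruction %#x executed repeatedly" % ret_ip))
    return findings


def kinds(trace):
    """Sorted unique finding kinds for a trace, e.g. ['BOF', 'ROP']."""
    return sorted({k for _, k, _ in detect(trace)})


# Constructed traces (not captured from any real sample)
BENIGN = [("call", 0x401010, 0x402000), ("ret", 0x402020, 0x401010)]
OVERFLOW = [("call", 0x401010, 0x402000), ("ret", 0x402020, 0xDEADBEEF)]
ROP_CHAIN = [
    ("call", 0x401010, 0x402005),   # lands inside a function, not at its entry
    ("ret", 0x402010, 0x403005),    # gadget returns to an address never saved
    ("ret", 0x402010, 0x403009),    # the same gadget executes again
]

if __name__ == "__main__":
    for name, t in (("benign", BENIGN), ("overflow", OVERFLOW), ("rop", ROP_CHAIN)):
        print(name, detect(t))
```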

Description

Technical field

[0001] The invention belongs to the field of computers, and in particular relates to vulnerability detection based on an instrumentation tool in a Windows operating environment.

Background technique

[0002] Software vulnerabilities are an important reason for the rampant attacks of worms and Trojan horses. In recent years, major security incidents have occurred frequently. For example, in January 2010, Google was affected by Microsoft's Aurora vulnerability and was attacked by hackers, resulting in system failure; in December 2011, CSDN, the world's largest Chinese IT community, was delisted, resulting in the personal information of 6 million registered users being leaked. Vulnerability data collected by the China National Vulnerability Database from 2004 to 2014 show that the number of vulnerabilities decreased only between 2006 and 2008. Since 2008, the number of vulnerabilities has rebounded. There are more and more websites, and the degree of harm is also increasing...


Application Information

IPC (8): G06F21/57
CPC: G06F21/577, G06F2221/033
Inventors: 张小松, 向琦, 牛伟纳, 鲍凯, 唐海洋, 曹思宇, 岳豪
Owner: UNIV OF ELECTRONICS SCI & TECH OF CHINA