Method and apparatus for detecting Shellcode based on stack frame abnormity

A technique based on stack frame anomalies, applied in the computer field, that addresses problems such as false alarms: it reduces the false-alarm rate, improves detection performance, and lowers system performance overhead.

Inactive Publication Date: 2016-06-15
NSFOCUS INFORMATION TECHNOLOGY CO LTD +1

AI Technical Summary

Problems solved by technology

[0010] It can be seen that behavior-based shellcode detection relies on preset rules for judgi


Embodiment Construction

[0085] The following will clearly and completely describe the technical solutions in the embodiments of the present invention in conjunction with the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

[0086] In order to detect shellcode effectively while reducing performance overhead and the false-alarm rate, in the embodiment of the present invention a corresponding stack frame chain is generated for each specified API function, and the stack frames of each chain are inspected one by one in order. Whether a stack frame is abnormal is decided from its element indicators, which include the stack frame length, the address of the extended ...


Abstract

The invention relates to the field of computers, and in particular to a method and an apparatus for detecting shellcode based on stack frame abnormality. The method comprises the following steps: for each designated API function, separately generating a corresponding stack frame chain, separately inspecting each stack frame of each chain in order, and selecting all stack frames that are abnormal. The inspection of one stack frame comprises: checking whether an element indicator of that stack frame satisfies a preset condition, and, if it does not, determining that the stack frame is abnormal; the element indicator is one of, or a combination of, the stack frame length, the stack frame EBP address and the stack frame return address. Inspecting only the stack frame chain that corresponds to a designated API function avoids blind inspection of all functions and reduces system performance overhead. Selecting abnormal stack frames on the basis of their element indicators improves detection performance and reduces the false-alarm rate.
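The abstract names three element indicators (frame length, saved EBP address, return address) but does not show how a chain is walked or what a preset condition looks like. The following is an added example, not code from the patent or from NSFOCUS: it models a 32-bit EBP-linked stack as an array, walks the chain from the frame that called a hooked API, and applies one assumed condition per indicator. The stack layout, the module address ranges, the MAX_FRAME_LEN threshold and the two sample chains are constructed for the example; a real implementation would read the live stack of the hooked thread and the process's actual module list.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit address layout; these values are assumptions for the model. */
#define STACK_BASE    0x0012F000u
#define STACK_WORDS   4096u                          /* 16 KiB modelled stack */
#define STACK_LIMIT   (STACK_BASE + STACK_WORDS * 4u)
#define MAX_FRAME_LEN 0x1000u                        /* assumed bound on a plausible frame */

/* Constructed stand-ins for the code ranges of loaded modules. */
typedef struct { uint32_t lo, hi; const char *name; } module_t;
static const module_t modules[] = {
    { 0x00401000u, 0x00420000u, "app.exe"    },
    { 0x77D40000u, 0x77DD0000u, "user32.dll" },
};

enum {
    ABN_LENGTH  = 1u << 0,  /* frame length above MAX_FRAME_LEN */
    ABN_EBP     = 1u << 1,  /* saved EBP is not a higher address inside the stack */
    ABN_RETADDR = 1u << 2   /* return address outside every module's code range */
};

typedef struct { uint32_t ebp, saved_ebp, ret; unsigned flags; } frame_t;

static int in_stack(uint32_t a) { return a >= STACK_BASE && a + 8u <= STACK_LIMIT; }

static int in_module_code(uint32_t a) {
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (a >= modules[i].lo && a < modules[i].hi) return 1;
    return 0;
}

static uint32_t read32(const uint32_t *stack, uint32_t addr) {
    return stack[(addr - STACK_BASE) / 4u];
}

/* Apply the three element-indicator checks to one frame; returns an anomaly bitmask. */
static unsigned check_frame(uint32_t ebp, uint32_t saved_ebp, uint32_t ret) {
    unsigned f = 0;
    if (saved_ebp != 0) {                       /* 0 marks the end of the chain */
        if (!in_stack(saved_ebp) || saved_ebp <= ebp) f |= ABN_EBP;
        else if (saved_ebp - ebp > MAX_FRAME_LEN) f |= ABN_LENGTH;
    }
    if (!in_module_code(ret)) f |= ABN_RETADDR;
    return f;
}

/* Walk the EBP chain from the frame that called the hooked API. Stops at the chain
   terminator, at a saved EBP that cannot be followed, or after max frames.
   Returns the number of frames inspected; out[i].flags holds each frame's anomalies. */
static size_t walk_chain(const uint32_t *stack, uint32_t ebp, frame_t *out, size_t max) {
    size_t n = 0;
    while (n < max && in_stack(ebp)) {
        frame_t *fr = &out[n++];
        fr->ebp = ebp;
        fr->saved_ebp = read32(stack, ebp);        /* [ebp]   */
        fr->ret = read32(stack, ebp + 4u);         /* [ebp+4] */
        fr->flags = check_frame(ebp, fr->saved_ebp, fr->ret);
        if (fr->saved_ebp == 0 || (fr->flags & ABN_EBP)) break;
        ebp = fr->saved_ebp;
    }
    return n;
}

static size_t count_abnormal(const frame_t *fr, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) if (fr[i].flags) c++;
    return c;
}

/* Write a frame [saved EBP][return address] at address ebp of the modelled stack. */
static void put_frame(uint32_t *stack, uint32_t ebp, uint32_t saved, uint32_t ret) {
    stack[(ebp - STACK_BASE) / 4u] = saved;
    stack[(ebp - STACK_BASE) / 4u + 1] = ret;
}

/* Constructed scenarios. Benign: three frames, every return address in a module.
   Hijacked: frame 0 returns into the stack (shellcode), frame 1 spans far more than a
   plausible frame length, and frame 2's saved EBP was overwritten by overflow padding. */
static void build_scenario(uint32_t *stack, int hijacked) {
    memset(stack, 0, STACK_WORDS * 4u);
    if (!hijacked) {
        put_frame(stack, 0x0012F010u, 0x0012F040u, 0x00401234u);
        put_frame(stack, 0x0012F040u, 0x0012F080u, 0x00402000u);
        put_frame(stack, 0x0012F080u, 0u,          0x77D41000u);
    } else {
        put_frame(stack, 0x0012F010u, 0x0012F040u, 0x0012F0C0u);
        put_frame(stack, 0x0012F040u, 0x00131000u, 0x00402000u);
        put_frame(stack, 0x00131000u, 0x41414141u, 0x00402100u);
    }
}

static frame_t g_frames[16];
static size_t  g_count;

/* Build a scenario, walk it from the API caller's frame, keep the results. */
static size_t scan_scenario(int hijacked) {
    static uint32_t stack[STACK_WORDS];
    build_scenario(stack, hijacked);
    g_count = walk_chain(stack, 0x0012F010u, g_frames, 16);
    return g_count;
}
static size_t scenario_abnormal(int hijacked) { scan_scenario(hijacked); return count_abnormal(g_frames, g_count); }
static unsigned scenario_flags(int hijacked, size_t i) { scan_scenario(hijacked); return i < g_count ? g_frames[i].flags : 0u; }

int main(void) {
    for (int s = 0; s < 2; s++) {
        size_t n = scan_scenario(s);
        printf("%s chain: %zu frames, %zu abnormal\n", s ? "hijacked" : "benign", n, count_abnormal(g_frames, n));
        for (size_t i = 0; i < n; i++)
            printf("  ebp=%08x saved=%08x ret=%08x flags=%u\n",
                   g_frames[i].ebp, g_frames[i].saved_ebp, g_frames[i].ret, g_frames[i].flags);
    }
    return 0;
}
```

The walk stops once a saved EBP cannot be followed, since nothing beyond it is readable as a frame; everything up to that point is still reported, which is what lets the benign and hijacked chains be told apart by per-frame flags rather than by a single pass/fail. Frame-pointer omission (compilers that do not maintain EBP) breaks this kind of chain walk in practice, so a deployment needs a fallback for frames without a valid saved EBP.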

Description

Technical field

[0001] The invention relates to the field of computers, in particular to a method and apparatus for detecting shellcode based on stack frame abnormality.

Background art

[0002] In existing computer software, because of the openness, interactivity and defects of the software itself, computers and service systems are vulnerable to malicious code and vulnerability exploitation, especially when a system vulnerability triggers the execution of foreign code (shellcode). Shellcode is the core of overflow programs and worms: with it an attacker can download remotely or load other modules, and thereby control the computer at will.

[0003] Shellcode is attack code written by the attacker into the target process. Its main functions are to bypass Data Execution Prevention (DEP), relocate its own code, obtain the addresses of system Application Programming Interface (API) functions, and load and download programs, et...


Application Information

IPC(8): G06F21/56
CPC: G06F21/566
Inventor 孙建坡
Owner NSFOCUS INFORMATION TECHNOLOGY CO LTD