
Malicious code tracking and recognizing method based on memory protection type monitoring

A malicious code tracking and memory protection type monitoring technology, applied in the field of information security, addresses the problems that existing protection schemes cannot be used by many application programs, have low compatibility and cover only a small protection area, and achieves wide protection coverage, high compatibility and guaranteed accuracy.

Active Publication Date: 2017-07-28
XINGHUA YONGHENG BEIJING TECH CO LTD
5 Cites, 18 Cited by

AI Technical Summary

Problems solved by technology

According to the patent applicant's statistics, code reuse attacks have played a dominant role among vulnerability attack techniques in recent years. Attackers usually modify the memory protection attributes of malicious code by attacking virtual function tables or return addresses in order to execute system interface functions. Existing protections against this attack method, such as Microsoft's Control Flow Guard (CFG), have the following disadvantages: the protection coverage is small and compatibility is low, because the development environment usually needs to provide support when the application program is compiled and the program must run on a high-level system version (Windows 10 and above); both conditions are indispensable, so a large number of applications cannot use this type of protection scheme.


Embodiment Construction

[0044] The present invention hooks and modifies the system interface function that sets memory protection attributes, collects and records the call parameters (including the executable attribute), clears the executable flag bit, intercepts execution of the target code by monitoring the resulting exceptions, and identifies vulnerability attacks and malicious code efficiently and accurately through static rules and dynamic simulation.

[0045] See figure 1, a schematic flow chart of the method of the present invention; the specific process includes:

[0046] Step S101: Inject the protection module of the present invention into the target process.

[0047] Step S102: Register a vectored exception handling function in the protected target process, which takes over the exceptions raised by the process during operation and handles and analyzes the exception context. For the handling process, see figure 2, divided into 10 steps S201-S210...


Abstract

A malicious code tracking and recognizing method based on memory protection type monitoring includes the following steps: 1, a developed dynamic link library is injected into a target process; 2, a vectored exception handling function is registered to take over exceptions and is used to conduct static and dynamic analysis of the abnormal segment; 3, the interface function for memory protection attributes is hooked and modified; 4, whether each call originates from stack space is detected; 5, whether the parameters of each call include the attribute tag is judged; 6, for interface function calls that modify the memory protection attribute to an executable attribute, the executable protection flag is cleared; 7, the parameter environment of this interface function call is recorded; 8, the original interface function is called so that the program can operate normally; 9, the discovered vulnerability attack is reported. By means of these steps, malicious code (shellcode) is recognized during the vulnerability attack process, and the problems of the prior art, namely small protection coverage and low compatibility, are solved.
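The following C program is an added illustration of steps 2 and 4 to 9 of the abstract above and of steps S101/S102 in the embodiment; it is not code from the patent or from the applicant. It simulates the protection module rather than installing a real detour: `hooked_protect` stands in for the hook on a VirtualProtect-style interface, `handle_execute_fault` for the lookup the vectored exception handler performs when execution later faults in a region whose executable flag was cleared. The page-protection constants are the real winnt.h values; the stack bounds, the mapping from each executable protection to its non-executable counterpart, the fixed-size call log and the three-way verdict are assumptions made for the example (the patent's static-rule and emulation stage is represented only by the `VERDICT_NEEDS_ANALYSIS` outcome).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Page-protection constants as defined in winnt.h (real values). */
#define PAGE_NOACCESS          0x01u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Constructed stack bounds of the simulated protected thread (assumption;
 * a real module would read StackLimit/StackBase from the thread's TEB). */
#define STACK_LO 0x00100000ULL
#define STACK_HI 0x00200000ULL

/* Step 7: one recorded call of the hooked protection interface. */
struct protect_call {
    uint64_t addr, size;      /* region the caller wanted to make executable */
    uint32_t requested;       /* protection the caller asked for */
    uint32_t applied;         /* protection forwarded to the original function */
    bool     caller_on_stack; /* step 4: return address lies inside the stack */
};

#define MAX_CALLS 64
static struct protect_call g_calls[MAX_CALLS];
static int g_ncalls = 0;

/* Step 6: drop the execute bit but keep the read/write semantics and any
 * modifier bits (PAGE_GUARD etc. live above the low byte). The mapping is
 * this example's choice. */
uint32_t strip_execute(uint32_t prot)
{
    uint32_t base = prot & 0xFFu, mods = prot & ~0xFFu;
    switch (base) {
    case PAGE_EXECUTE:           base = PAGE_READONLY;  break;
    case PAGE_EXECUTE_READ:      base = PAGE_READONLY;  break;
    case PAGE_EXECUTE_READWRITE: base = PAGE_READWRITE; break;
    case PAGE_EXECUTE_WRITECOPY: base = PAGE_WRITECOPY; break;
    default: break;              /* no execute bit: leave unchanged */
    }
    return base | mods;
}

/* Steps 3-8: the detour on the VirtualProtect-style interface. `caller` is the
 * return address of the call. Returns the protection that would be forwarded
 * to the original function (step 8), so the program keeps running. */
uint32_t hooked_protect(uint64_t caller, uint64_t addr, uint64_t size, uint32_t prot)
{
    bool on_stack = caller >= STACK_LO && caller < STACK_HI;   /* step 4 */
    if (!(prot & PAGE_EXECUTE_ANY))             /* step 5: no executable tag */
        return prot;                            /* ordinary call, pass through */
    uint32_t applied = strip_execute(prot);     /* step 6 */
    if (g_ncalls < MAX_CALLS)                   /* step 7: record the call environment */
        g_calls[g_ncalls++] = (struct protect_call){addr, size, prot, applied, on_stack};
    return applied;                             /* step 8: original(addr, size, applied) */
}

/* Outcome of the vectored exception handler (step 2) for an execute fault. */
enum verdict {
    VERDICT_NOT_TRACKED,       /* fault outside every recorded region: pass to the next handler */
    VERDICT_ATTACK_FROM_STACK, /* step 9: the protect call came from the stack (return-address pattern) */
    VERDICT_NEEDS_ANALYSIS     /* recorded region, normal caller: hand to the static-rule / emulation stage */
};

/* Step 2: look the faulting instruction address up in the recorded calls. */
enum verdict handle_execute_fault(uint64_t fault_addr)
{
    for (int i = 0; i < g_ncalls; i++) {
        const struct protect_call *c = &g_calls[i];
        if (fault_addr >= c->addr && fault_addr < c->addr + c->size)
            return c->caller_on_stack ? VERDICT_ATTACK_FROM_STACK : VERDICT_NEEDS_ANALYSIS;
    }
    return VERDICT_NOT_TRACKED;
}

int recorded_calls(void) { return g_ncalls; }

int main(void)
{
    /* Constructed scenario: a protect call whose return address lies on the stack. */
    uint32_t p = hooked_protect(0x00150000ULL, 0x7f000000ULL, 0x1000, PAGE_EXECUTE_READWRITE);
    printf("applied protection 0x%02x, recorded %d call(s)\n", p, recorded_calls());
    printf("verdict on execute fault at 0x7f000010: %d\n", handle_execute_fault(0x7f000010ULL));
    return 0;
}
```

Because the executable flag is stripped before the original function runs, the first instruction fetched from the region raises a DEP fault instead of executing, which is what gives the handler the chance to inspect the bytes; a legitimate JIT would land in `VERDICT_NEEDS_ANALYSIS` and be released after analysis, while a request whose return address is on the stack is the pattern the abstract reports directly.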

Description

[0001] 1. Technical field

[0002] The invention provides a method for tracking and identifying malicious code based on memory protection type monitoring, which relates to vulnerability defense and to a method for detecting and identifying malicious code, and belongs to the field of information security.

[0003] 2. Background technology

[0004] With the popularization of electronic equipment and the continuous development of computer technology, society's dependence on the Internet and computers continues to grow. Information security has therefore become an issue that cannot be ignored, and technology for detecting, identifying and defending against software vulnerabilities is particularly important. According to the patent applicant's statistics, in recent years code reuse attacks have played a dominant role among vulnerability attack techniques. Attackers usually modify the memory protection attributes of malicious code by attacking virt...


Application Information

IPC(8): G06F21/56, G06F21/57
CPC: G06F21/563, G06F21/566, G06F21/577
Inventors: 何永强, 吕承琨, 袁伟华, 朱鲲鹏
Owner: XINGHUA YONGHENG BEIJING TECH CO LTD