Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

A potential malware analysis method apparatus based on virtualization technology and related

A virtualization technology and malware technology, applied in the fields of computer-readable storage media and potential malware analysis devices, can solve problems such as blue screen, security risks, and inability to analyze, avoid cracking operations, improve efficiency, and improve the scope of use Effect

Active Publication Date: 2019-02-26
HANGZHOU ANHENG INFORMATION TECH CO LTD
View PDF6 Cites 1 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0004] However, the system integrity check is introduced in the current system. When the system descriptor table is hooked, the hooked function will be found, causing the software to exit or not run the code that needs to be analyzed, and the software cannot be analyzed.
In the existing technology, it is also possible to crack the system integrity check, but it will lead to security risks and instability problems. The algorithms protected by KPP in different versions are inconsistent and difficult to achieve universality. May cause the corresponding blue screen problem
The final consequence is that the target function of the software cannot be analyzed, in other words, the maliciously executed software program cannot be analyzed

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • A potential malware analysis method apparatus based on virtualization technology and related
  • A potential malware analysis method apparatus based on virtualization technology and related
  • A potential malware analysis method apparatus based on virtualization technology and related

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0045] The core of this application is to provide a potential malware analysis method based on virtualization technology, a potential malware analysis device, a server, and a computer-readable storage medium, and replace the normal code page with the hook code page by hooking the type of abnormal interruption, so that Through the integrity check, the program data is obtained when the proxy function corresponding to the hooked code page is executed, and malware analysis is realized under the integrity check, which improves the analysis efficiency.

[0046] In order to make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments It is a part of the embodiments of this application, not all of them. Base...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a potential malware analysis method based on virtualization technology and a related device. The method comprises the following steps: when an abnormal interrupt occurs to a program running in a virtualization environment, judging whether the abnormal interrupt is a hook abnormal interrupt or not; if so, the abnormal behavior type of hook abnormal interruption is determined; when the exception behavior type is read / write permission exception, the EPT entry corresponding to hook exception interrupt is replaced with normal code page to check the integrity of normal code page. When the abnormal behavior type is execution exception, the program data is obtained by executing the corresponding surrogate function according to the objective function of the hook code page, so as to perform malware analysis according to the program data. The normal code page is replaced with the hook code page by the type of hook abnormal interrupt, so that program data can be obtained when executing the proxy function corresponding to the hook code page through integrity check, malware analysis is realized under the integrity check, and the analysis efficiency is improved.

Description

technical field [0001] The present application relates to the field of computer technology, and in particular to a potential malware analysis method based on virtualization technology, a potential malware analysis device, a server, and a computer-readable storage medium. Background technique [0002] With the continuous development of information technology, malicious software is a huge threat in the field of network security. Whenever malicious software spreads through the network and causes a large outbreak, countless information is leaked and data is damaged. In the process of fighting against malware, a large number of malware uses encryption, obfuscation, and virtual machine protection technologies to encrypt and anti-debugging logic codes, which brings great disadvantages to binary analysts. [0003] In the current technology, the system descriptor table in the system is hooked, and when the program runs to some sensitive functions, the information of the program is o...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): G06F21/56
CPCG06F21/563
Inventor 江皓秋范渊王俊杰
Owner HANGZHOU ANHENG INFORMATION TECH CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com