
A Puppet Process Detection Method, Device, Readable Storage Medium, and Computing Equipment

A process and puppet-process detection technology, applied in computing, error detection/correction, computer security devices, etc., that addresses problems such as the kernel-hook monitoring method being unusable, incomplete handle table information, and a handle table containing no relevant content.

Active Publication Date: 2020-12-01
BEIJING SHENGXIN NETWORK TECH CO LTD

AI Technical Summary

Problems solved by technology

[0011] The monitoring method based on kernel Hooks is no longer usable on 64-bit operating systems. The detection method based on the process handle table has a certain false-positive rate, because the following situations arise: 1) the handle table of the process cannot be obtained; 2) the obtained handle table information is incomplete; 3) the handle table contains no relevant content. Each of these cases makes it impossible to judge whether the process is a puppet process.




Embodiment Construction

[0068] Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present invention are shown in the drawings, it should be understood that the invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present invention and to fully convey the scope of the present invention to those skilled in the art.

[0069] Figure 1 is a block diagram of an example computing device 100 arranged to implement a method of detecting a puppet process according to the present invention. In a basic configuration 102, computing device 100 typically includes system memory 106 and one or more processors 104. A memory bus 108 may be used for communication between the processor 104 and the system memory 106.

[0070] Depending on the desired configuration, process...


Abstract

The embodiment of the invention provides a puppet process detection method and device, a readable storage medium and computing equipment. The invariant feature values at the OEP of the in-memory main module are compared with the invariant feature values at the OEP of the PE file, using a disassembling technology and an assembly instruction queue comparison technology, so as to determine whether the process is a puppet process. The puppet process detection method and device improve the accuracy and efficiency of puppet process detection, and are suitable for different technical platforms. The method comprises the steps of: determining a first original entry point (OEP) of the main module in memory corresponding to a target process; disassembling the memory content pointed to by the first OEP to obtain a first instruction queue; determining a second OEP of the portable executable (PE) file corresponding to the target process; disassembling the file content pointed to by the second OEP to obtain a second instruction queue; and determining whether the target process is a puppet process according to a comparison result of the first instruction queue and the second instruction queue.
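As an added, self-contained example (not code from the patent or its assignee), the following Python sketch implements the comparison the abstract describes: read the OEP from the process's in-memory main module, read the OEP from the on-disk PE file, translate the file OEP through the section table, and compare the code at the two entry points. Two simplifications are assumptions: a constructed minimal PE32+ file and a simulated loader mapping stand in for a real process image, and raw opcode bytes stand in for the disassembled instruction queues (a production detector would disassemble both sides, e.g. with Capstone, before comparing).

```python
import struct

def _nt(pe: bytes) -> int: return struct.unpack_from("<I", pe, 0x3C)[0]  # e_lfanew -> 'PE\0\0'

def entry_point_rva(pe: bytes) -> int:
    """AddressOfEntryPoint (the OEP) is 16 bytes into the optional header."""
    return struct.unpack_from("<I", pe, _nt(pe) + 24 + 16)[0]

def sections(pe: bytes):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    nt = _nt(pe)
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    for i in range(nsec):
        hdr = nt + 24 + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        yield va, vsize, rawptr, rawsize

def rva_to_offset(pe: bytes, rva: int) -> int:
    """Translate an RVA in the on-disk file to a file offset via the section table."""
    for va, vsize, rawptr, rawsize in sections(pe):
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def map_image(pe: bytes) -> bytes:
    """Simulate the loader: headers stay at offset 0, each section lands at its RVA."""
    secs = list(sections(pe))
    image = bytearray(max(va + max(vs, rs) for va, vs, _, rs in secs))
    hdr_end = min(rawptr for _, _, rawptr, _ in secs)
    image[:hdr_end] = pe[:hdr_end]
    for va, _, rawptr, rawsize in secs:
        image[va:va + rawsize] = pe[rawptr:rawptr + rawsize]
    return bytes(image)

def is_puppet(pe_file: bytes, image: bytes, n: int = 16) -> bool:
    """Steps 1-5 of the abstract: OEP of the mapped main module vs OEP of the PE file.
    Raw opcode bytes stand in for the disassembled instruction queues (assumption)."""
    on_disk = pe_file[rva_to_offset(pe_file, entry_point_rva(pe_file)):][:n]
    in_memory = image[entry_point_rva(image):][:n]   # in a mapped image RVA == offset
    return on_disk != in_memory

def build_pe(code: bytes, entry_rva: int = 0x1000, raw_ptr: int = 0x200) -> bytes:
    """Constructed minimal PE32+ with one .text section; only the fields read above are set."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(b"\x0b\x02".ljust(0xF0, b"\0"))                  # PE32+ magic, rest zero
    struct.pack_into("<I", opt, 16, entry_rva)                        # AddressOfEntryPoint
    sec = b".text\0\0\0" + struct.pack("<IIII", len(code), entry_rva, len(code), raw_ptr) + bytes(16)
    return (dos + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0") + code
```

A hollowed process shows up either as a mapped image whose headers and OEP come from a different PE, or as the original image with the entry-point code overwritten; both cases make the two entry-point byte sequences differ.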

Description

Technical field

[0001] The invention relates to the technical field of computer security, in particular to a puppet process detection method, device, readable storage medium and computing equipment.

Background technique

[0002] A puppet process is a way of hiding a process. From the outside it looks like a process started by a normal file, but the code actually running has been replaced by a malicious target file. The process name and path appear normal, but the file actually executed in memory has been replaced.

[0003] Process Hollowing is a process creation technique commonly used by malware, and is one way to realize a puppet process. Processes created using Process Hollowing look normal when viewed with tools such as Task Manager, but the code contained in such processes is actually malicious code. The process hollowing technique is implemented as follows:

[0004] 1. Create a process through ...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/56, G06F11/36, G06F8/53
CPC: G06F8/53, G06F11/3612, G06F21/566
Inventor 唐仕强
Owner BEIJING SHENGXIN NETWORK TECH CO LTD