Memory malicious code detection method based on processor tracking

A malicious code detection method using processor tracing, applied to the detection of malicious code in memory, addresses the problems that code generated or executed dynamically at runtime cannot be analyzed, that a complete trusted control flow graph of the target code cannot be guaranteed, and that not all behaviors of a program can be fully analyzed.

Active Publication Date: 2021-10-29
COLASOFT

AI Technical Summary

Problems solved by technology

Control flow integrity (CFI) requires offline training in advance to prepare a trusted control flow graph for all code of the target process, so it cannot protect new, unadapted applications. In addition, obtaining the trusted control flow graph requires either static binary analysis of the target process or dynamic fuzzing at runtime. Static analysis cannot analyze runtime polymorphism, dynamic API calls, or other forms of code that is generated or executed dynamically at runtime, while dynamic fuzzing is limited by code coverage: 100% code path coverage cannot be achieved, so not all behaviors of the program can be analyzed. Neither method can guarantee a complete, trusted control flow graph of the target code. In terms of the protection it finally achieves, CFI defense is mainly aimed at control flow hijacking during exploitation of the target program, such as return-oriented programming, jump-oriented programming, and return-to-libc; it cannot be applied directly to the detection of malicious code that executes directly from memory, the scenario commonly used by Trojan horse viruses.



Examples


Embodiment 1

[0042] See figure 1. A memory malicious code detection method based on processor tracking comprises the following steps:

[0043] a. Install the driver module and register, in the kernel, the callback processing routines for process and thread start and exit. In the process callback routine, record all started threads, processes and file information, and record the CR3 register value of the process. The driver module initializes the Intel Processor Trace function, configures a physical memory buffer and an interrupt handling routine for each CPU core, and starts processor tracing.

[0044] b. The processor tracing function monitors the code execution path of the target process, records the execution of all indirect jump instructions, writes the instruction execution path into the buffer, and triggers the interrupt handling routine when the buffer is full. The routine switches to the backup buffer and starts malicious code analysis.

[0045] c. Decode th...

Embodiment 2

[0051] See figure 1. A memory malicious code detection method based on processor tracking comprises the following steps:

[0052] a. Install the driver module and register, in the kernel, the callback processing routines for process and thread start and exit. In the process callback routine, record all started threads, processes and file information, and record the CR3 register value of the process. The driver module initializes the Intel Processor Trace function, configures a physical memory buffer and an interrupt handling routine for each CPU core, and starts processor tracing.

[0053] b. The processor tracing function monitors the code execution path of the target process, records the execution of all indirect jump instructions, writes the instruction execution path into the buffer, and triggers the interrupt handling routine when the buffer is full. The routine switches to the backup buffer and starts malicious code analysis.

[0054] c. Decode t...

Embodiment 3

[0061] See figure 1 and figure 2. A memory malicious code detection method based on processor tracking comprises the following steps:

[0062] a. Install the driver module and register, in the kernel, the callback processing routines for process and thread start and exit. In the process callback routine, record all started threads, processes and file information, and record the CR3 register value of the process. The driver module initializes the Intel Processor Trace function, configures a physical memory buffer and an interrupt handling routine for each CPU core, and starts processor tracing.

[0063] b. The processor tracing function monitors the code execution path of the target process, records the execution of all indirect jump instructions, writes the instruction execution path into the buffer, and triggers the interrupt handling routine when the buffer is full. The routine switches to the backup buffer and starts malicious code analysis.

[006...



Abstract

The invention discloses a memory malicious code detection method based on processor tracking, which belongs to the technical field of information security and comprises the following steps: a, a driver module initializes the Intel Processor Trace function; b, the code execution path of a target process is monitored; c, the buffer is decoded to obtain the complete virtual addresses of the execution path; d, malicious code detection is carried out on the memory page; e, it is judged whether the code belongs to trusted memory code; and f, the API call records and COM interface call records of the memory code are collected and matched against an abnormal behavior knowledge base. Common scenarios such as the memory-resident code used in fileless attacks, packed malicious code, and encrypted malicious code viruses and Trojan horses can be detected; the method also detects execution of shellcode during exploitation. The detection effect is good and the method has good universality.
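Steps d to f above (classify executed addresses against trusted, image-backed memory, then match the API calls issued from non-image memory against a knowledge base) are modelled below in user-space C. This is an added example written for this page, not code from the patent or from COLASOFT. It assumes the processor-trace decoder of step c has already produced plain virtual addresses, so trace capture itself (the kernel driver, Intel PT buffers and interrupt routine) is not modelled; the image ranges, branch targets, API call records and the knowledge-base pattern are all constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A trusted, image-backed virtual address range, as recorded when the
 * process-start callback sees the module loaded. */
typedef struct {
    uint64_t base;
    uint64_t size;
    const char *name;
} image_range_t;

/* One API call attributed to the target process: caller address and API name. */
typedef struct {
    uint64_t caller;
    const char *api;
} api_call_t;

/* Constructed sample data (not taken from the patent): two image ranges, a
 * handful of decoded indirect-branch targets and an API call record. */
const image_range_t sample_images[] = {
    { 0x140000000ULL,    0x10000ULL,  "target.exe" },
    { 0x7FFA00000000ULL, 0x200000ULL, "ntdll.dll" },
};
const uint64_t sample_targets[] = {
    0x140001000ULL,    /* inside target.exe: trusted */
    0x7FFA00012345ULL, /* inside ntdll.dll: trusted */
    0x20000000ULL,     /* heap page with no image backing: memory code */
    0x20000040ULL,     /* memory code */
    0x140020000ULL,    /* past the end of target.exe: memory code */
};
const api_call_t sample_calls[] = {
    { 0x140001200ULL,    "CreateFileW" },    /* from image code: ignored */
    { 0x20000010ULL,     "VirtualAlloc" },
    { 0x20000020ULL,     "LoadLibraryA" },
    { 0x7FFA00001000ULL, "GetProcAddress" }, /* from image code: ignored */
    { 0x20000030ULL,     "GetProcAddress" },
};
/* Constructed knowledge-base entry: non-image code resolving its own imports. */
const char *const sample_pattern[] = { "VirtualAlloc", "LoadLibraryA", "GetProcAddress" };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Step e: is the address covered by any trusted image mapping? */
bool is_trusted_code(uint64_t addr, const image_range_t *imgs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= imgs[i].base && addr - imgs[i].base < imgs[i].size)
            return true;
    return false;
}

/* Steps d/e: count branch targets that execute from non-image memory. */
size_t count_memory_code_targets(const uint64_t *targets, size_t n_targets,
                                 const image_range_t *imgs, size_t n_imgs)
{
    size_t hits = 0;
    for (size_t i = 0; i < n_targets; i++)
        if (!is_trusted_code(targets[i], imgs, n_imgs))
            hits++;
    return hits;
}

/* Step f: do the API calls issued from memory code contain the pattern as an
 * ordered subsequence (unrelated calls may be interleaved)? */
bool matches_pattern(const api_call_t *calls, size_t n_calls,
                     const image_range_t *imgs, size_t n_imgs,
                     const char *const *pattern, size_t pattern_len)
{
    size_t matched = 0;
    for (size_t i = 0; i < n_calls && matched < pattern_len; i++) {
        if (is_trusted_code(calls[i].caller, imgs, n_imgs))
            continue; /* only memory code is subject to behaviour matching */
        if (strcmp(calls[i].api, pattern[matched]) == 0)
            matched++;
    }
    return matched == pattern_len;
}

/* Convenience wrappers over the sample data. */
size_t demo_memory_code_count(void)
{
    return count_memory_code_targets(sample_targets, COUNT(sample_targets),
                                     sample_images, COUNT(sample_images));
}

bool demo_pattern_match(void)
{
    return matches_pattern(sample_calls, COUNT(sample_calls),
                           sample_images, COUNT(sample_images),
                           sample_pattern, COUNT(sample_pattern));
}

int main(void)
{
    printf("branch targets in non-image memory: %zu\n", demo_memory_code_count());
    printf("abnormal-behaviour pattern matched: %s\n",
           demo_pattern_match() ? "yes" : "no");
    return 0;
}
```

The range check uses `addr - base < size` rather than `addr < base + size` so that a mapping near the top of the address space cannot overflow the comparison. Restricting behaviour matching to calls whose caller lies outside every image keeps legitimate dynamic import resolution by loaded modules from tripping the pattern, which is the purpose of step e preceding step f.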

Description

Technical Field

[0001] The invention relates to the technical field of information security, in particular to a memory malicious code detection method based on processor tracking.

Background Technique

[0002] The malicious code detection mechanism of traditional terminal security software mainly inspects the physical content of files, but the "fileless attack" and "shellcode separation and anti-kill" techniques that have emerged in recent years do not create physical files in the system at all, rendering the detection methods of traditional security software completely ineffective. For example, the "Poison Ivy" Trojan horse provides such a capability: it can generate the Trojan horse directly in the form of shellcode, which users can embed into various carriers for distribution. At the same time, it combines code encryption with runtime decryption to bypass the detection of security defense soft...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
CPC: G06F21/563
Inventors: 田红伟, 魏勇, 徐文勇
Owner: COLASOFT