
Windows system-based concealed self-starting method and device and detection method and device

A self-starting, system-file technology, applied to program control devices, computer security devices, instruments, etc. It addresses the problems that the security of the target unit cannot be guaranteed, that system processes crash or malfunction, and that the antivirus kill rate is high.

Pending Publication Date: 2022-03-22
北京中睿天下信息技术有限公司

AI Technical Summary

Problems solved by technology

[0015] At present, the vast majority of Windows platform programs (both legitimate and malicious) use the above seven methods to achieve self-starting. Red team attackers also often use these seven methods to self-start; whether for detection or for use, they are full of limitations.
[0016] 2. The kill rate of antivirus software is high. Self-starting is the first step of a Trojan program, and an ordinary Trojan usually starts using one of the above seven self-starting methods. Because the traditional startup methods are so limited, they are also the focus of antivirus scanning and removal; other startup methods are not intercepted by antivirus software.
[0017] 3. Advanced Trojans start by unconventional means, and antivirus or EDR products cannot guarantee the security of the target unit; advanced Trojans usually combine a variety of concealment techniques to evade antivirus software. The way such programs implement self-starting is currently difficult to detect with existing technology.
[0018] 4. Traditional dll hijacking used for self-starting, especially hijacking of a system dll, usually has to reimplement the original system dll's functions; otherwise, when the system resolves and calls the dll's export functions, the system process may crash or malfunction.

Embodiment Construction

[0053] In order to make the purpose, technical solutions and advantages of the present application clearer, the present application will be described in further detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present application, and are not intended to limit the present application.

[0054] In the description of the present invention, unless otherwise specified, "plurality" means two or more. The terms "first", "second", "third", "fourth", etc., if any, in the description and claims of the present invention and the above drawings are intended to distinguish the objects referred to. For schemes with a sequential flow, this terminology does not have to be understood as describing a specific order or sequence. For schemes with device structures, this terminology does not distinguish importance or positional relationships.

[0055] In additio...


Abstract

The invention discloses a concealed self-starting method and device and a detection method and device based on a Windows system. The self-starting method comprises the steps: obtaining a system file that is started along with the system, and obtaining a dll imported by that system file; replacing with the malicious dll a dll file that has been abandoned by the Windows system but is still loaded by the program. The detection method comprises the following steps: detecting the digital signature in the Attribute Certificate Table located at the tail end of the PE structure, and judging whether the digital signature is a regular signature belonging to Microsoft; if not, the file is a suspected Trojan file; further judging whether the suspected Trojan file is a Trojan by using an abnormal behavior model. According to the concealed self-starting method and device based on the Windows system and the detection method and device, self-starting is achieved by a program bypassing antivirus software, and a certain hiding effect is achieved.
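As an added illustration of the detection step the abstract describes (this is not code from the patent or its owner): the parser below locates the Attribute Certificate Table through the Security data directory of a PE image, walks its WIN_CERTIFICATE entries, and flags an image that carries no embedded Authenticode (PKCS#7 SignedData) entry as suspect. The sample images are constructed header-only PE32+ files; deciding whether a present signature actually chains to a Microsoft certificate needs PKCS#7 verification, which is assumed to be done by a separate tool and is not part of this example.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData

def attribute_certificates(pe: bytes):
    """Return [(revision, certificate_type, blob), ...] from the Attribute Certificate Table; [] if none."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + {0x10B: 96, 0x20B: 112}[magic]   # data directory offset: PE32 vs PE32+ (KeyError otherwise)
    n_dirs = struct.unpack_from("<I", pe, dd - 4)[0]   # NumberOfRvaAndSizes precedes the directories
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    # Unlike the other directories, the Security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    certs, end, pos = [], off + size, off
    if off == 0 or size == 0 or end > len(pe):
        return certs
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)   # WIN_CERTIFICATE header
        if length < 8 or pos + length > end:
            raise ValueError("truncated WIN_CERTIFICATE entry")
        certs.append((rev, ctype, pe[pos + 8:pos + length]))
        pos += (length + 7) & ~7             # entries are padded to 8-byte boundaries
    return certs

def triage(pe: bytes) -> str:
    """First-pass verdict in the spirit of the patent: no Authenticode entry at the PE tail => suspect."""
    signed = any(c[1] == WIN_CERT_TYPE_PKCS_SIGNED_DATA for c in attribute_certificates(pe))
    return "has-authenticode" if signed else "suspect-no-embedded-signature"

def build_sample_pe(cert_blob=None) -> bytes:
    """Constructed header-only PE32+ image for the demo, optionally with one certificate entry appended."""
    hdr_len = 0x40 + 24 + 112 + 16 * 8       # DOS header + signature/COFF + optional header + 16 directories
    cert = b""
    if cert_blob is not None:                # dwLength covers the 8-byte header; revision 2.0
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        cert += b"\0" * (-len(cert) % 8)     # pad to 8-byte boundary as the table requires
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)   # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if cert:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (hdr_len, len(cert))
    return dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs) + cert
```

Note that many genuine Windows system files are signed through catalog files rather than an embedded certificate table, so an empty table alone is not proof of tampering; the abstract's follow-up behavioural check exists for exactly that reason.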

Description

Technical field

[0001] The invention relates to the technical field of self-starting Trojan horses, in particular to a concealed self-starting method and device based on a Windows system, and a detection method and device.

Background technique

[0002] Existing Trojan detection technology for the self-starting mode (for example, patent No. CN103955644A) is mainly based on the startup modes disclosed by the operating system. For example, the Windows operating system provides APIs for various self-starting modes by default, such as the registry, scheduled tasks, and startup folders. Usually the detection technology checks the self-starting items based on the characteristics of the Trojan horse, and can detect which startup item or action the Trojan horse relies on. The storage location of the detected Trojan horse and its associated files can then be located.

[0003] But the prior art has the following problems: [0004]...


Application Information

IPC(8): G06F21/56, G06F9/4401
CPC: G06F21/564, G06F9/4406, G06F2221/033, G06F21/1066
Inventor: 刘庆林杨帆邢正星刘卿魏海宇刘海洋谢辉马伟利周鹏李小琼
Owner: 北京中睿天下信息技术有限公司