Memory malware (memory trojan) detection method and apparatus, device, and storage medium
By injecting a proxy plugin into the Java process, the basic and code characteristics of class objects are obtained and analyzed. Combined with a memory malware feature library for detection, the problem of insufficient accuracy in Java memory malware detection in existing technologies is solved, achieving higher detection accuracy and applicability.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: TENCENT TECHNOLOGY (SHENZHEN) CO LTD
- Filing Date: 2022-11-23
- Publication Date: 2026-06-26
AI Technical Summary
In existing technologies, Java memory malware detection relies solely on Class and Method information, which carries the risk of false negatives and results in insufficient detection accuracy.
By injecting a proxy plugin into the target process, the basic characteristics and code characteristics of the class object are obtained. Combined with the disassembled code sequence, a memory malware feature scan is performed. The memory malware feature library is then used for matching to determine whether it is a memory malware.
It improves the accuracy of memory malware detection, reduces the risk of false negatives, expands the applicability of detection, and solves the limitations of the types and scope of Java memory malware.
Figure CN115859280B_ABST
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a method, apparatus, device, and storage medium for detecting memory malware.
Background Technology
[0002] Fileless attacks are a new type of attack method in server security, where no files are written to the disk during the entire attack process. Currently, Java memory malware (i.e., Java memory trojans) is the most widely used and frequently employed fileless attack method by attackers.
[0003] In related technologies, the Constant and Method information corresponding to each Class object in a Java process is extracted and parsed to determine whether a Class object is a Java memory malware. However, Java memory malware detection based solely on Constant and Method information carries the risk of missing detections.
Summary of the Invention
[0004] This application provides a method, apparatus, device, and storage medium for detecting memory malware, which can improve the detection accuracy of memory malware and reduce the risk of missed detection of memory malware. The technical solution may include the following contents.
[0005] According to one aspect of the embodiments of this application, a method for detecting memory malware is provided, the method comprising:
[0006] The proxy plugin used to observe process behavior is injected into the target process on the host to be detected for memory malware.
[0007] The proxy plugin obtains at least one class object that has been loaded by the target process;
[0008] The proxy plugin filters at least one class object for risk-free items according to the filtering rules to obtain risky candidate class objects.
[0009] The proxy plugin extracts class features from the candidate class objects to obtain class messages of the candidate class objects. The class messages include basic features and code features of the class objects. The code features include the original bytecode and disassembled code sequence of the class objects.
[0010] The class messages are scanned for memory malware features to obtain the target class object identified as memory malware.
[0011] According to one aspect of the embodiments of this application, a memory malware detection device is provided, the device comprising:
[0012] The proxy plugin injection module is used to inject proxy plugins for observing process behavior into the target process on the host that is to be detected for memory malware.
[0013] The existing object acquisition module is used to acquire at least one class object that has been loaded by the target process through the proxy plugin;
[0014] The candidate object determination module is used to filter the at least one class object for risk-free items according to the filtering rules through the proxy plugin to obtain risky candidate class objects.
[0015] The class message acquisition module is used to extract class features from the candidate class objects through the proxy plugin to obtain the class messages of the candidate class objects. The class messages include the basic features and code features of the class objects. The code features include the original bytecode and disassembled code sequence of the class objects.
[0016] The memory malware identification module is used to perform memory malware feature scanning on the class messages to obtain the target class objects identified as memory malware.
[0017] According to one aspect of the embodiments of this application, a computer device is provided, the computer device including a processor and a memory, the memory storing a computer program, the computer program being loaded and executed by the processor to implement the above-described method for detecting memory malware.
[0018] According to one aspect of the embodiments of this application, a computer-readable storage medium is provided, wherein a computer program is stored in the storage medium, the computer program being loaded and executed by a processor to implement the above-described method for detecting memory malware.
[0019] According to one aspect of the embodiments of this application, a computer program product is provided, comprising a computer program stored in a computer-readable storage medium. A processor of a computer device reads the computer program from the computer-readable storage medium and executes the computer program, causing the computer device to perform the aforementioned method for detecting memory malware.
[0020] The technical solutions provided in this application embodiment may have the following beneficial effects:
[0021] By injecting a proxy plugin into the target process, and then using the proxy plugin to obtain the basic characteristics and code characteristics of class objects in the target process, the class object is detected based on its basic characteristics and code characteristics to determine whether it is a memory malware. This avoids the problem of missed detection of memory malware caused by relying solely on the basic characteristics of class objects, thereby reducing the risk of missed detection of memory malware and improving the accuracy of memory malware detection.
[0022] Furthermore, by combining the code characteristics of class objects for memory malware detection, rather than being limited to a certain type of class object (such as the Class of an interface), the types and scope of memory malware that can be detected by the technical solutions provided in this application are expanded, thereby improving the applicability of the technical solutions provided in this application for memory malware detection.
Attached Figure Description
[0023] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0024] Figure 1 is a schematic diagram of the implementation environment of a solution provided in one embodiment of this application;
[0025] Figure 2 is a flowchart of a memory malware detection method provided in one embodiment of this application;
[0026] Figure 3 is a flowchart of an embodiment of the proxy plugin injection method provided in this application;
[0027] Figure 4 is a schematic diagram of a Java memory malware detection method provided in one embodiment of this application;
[0028] Figure 5 is a flowchart of a Java memory malware injection method provided in one embodiment of this application;
[0029] Figure 6 is a schematic diagram of the front-end interactive interface provided in one embodiment of this application;
[0030] Figure 7 is a schematic diagram of a plugin details interface provided in one embodiment of this application;
[0031] Figure 8 is a flowchart of a method for establishing communication between a host security agent and a Java agent plugin according to an embodiment of this application;
[0032] Figure 9 is a flowchart of a Java memory malware detection method provided in one embodiment of this application;
[0033] Figure 10 is a schematic diagram of a Java memory malware alarm event interface provided in one embodiment of this application;
[0034] Figure 11 is a schematic diagram of the Java memory malware details interface provided in one embodiment of this application;
[0035] Figure 12 is a schematic diagram of a Java memory malware provided in one embodiment of this application;
[0036] Figure 13 is a block diagram of a memory malware detection device provided in one embodiment of this application;
[0037] Figure 14 is a block diagram of a memory malware detection device provided in another embodiment of this application;
[0038] Figure 15 is a block diagram of a computer device provided in one embodiment of this application.
Detailed Implementation
[0039] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.
[0040] Before describing the embodiments of this application, the relevant terms involved in this application will be explained.
[0041] 1. Java: A programming language.
[0042] 2. Java memory malware: A type of memory malware (i.e., fileless malware, memory Trojan, fileless memory malware, etc.) injected into a Java process (such as a Java Web service process). Memory malware is a method of fileless attack.
[0043] 3. Tomcat: A common type of Java Web service, such as a lightweight Java Web container.
[0044] 4. JavaAgent: A plugin specification for JVM (Java Virtual Machine), that is, a JVM-level plugin that can observe and modify the behavior of Java code without modifying and recompiling the Java business code.
[0045] 5. Unix Domain Socket: A socket type in Linux, commonly used for IPC (Inter-Process Communication).
[0046] 6. Network Namespace: This is an important feature for implementing container network virtualization, which enables network isolation between different containers.
[0047] 7. Ysoserial: An open-source Java deserialization exploit tool that includes common deserialization gadgets.
[0048] 8. JVMTI: Java Virtual Machine Tool Interface.
[0049] 9. Agent: A software or hardware entity capable of autonomous action.
[0050] Please refer to Figure 1, which illustrates an implementation environment for a solution provided in one embodiment of this application. This implementation environment can be implemented as a memory malware detection architecture. The implementation environment may include: a front-end 10, a host 20, and a service back-end 30.
[0051] Frontend 10 is used to display the interactive interface of the memory malware detection architecture. For example, this interface includes a memory malware detection switch setting, which users can use to enable or disable memory malware detection. Optionally, the interface also displays the running status of agent plugins (such as the JavaAgent plugin) after they are injected into the process, a list of memory malware alarm events, and alarm details, allowing users to understand the memory malware detection status.
[0052] Optionally, the front-end 10 can be an electronic device such as a mobile phone, tablet computer, PC (Personal Computer), wearable device, or smart robot, and the front-end 10 can install and run target applications, such as browser applications. For example, the front-end 10 is a tenant end (i.e., a terminal that has rented or purchased a memory malware detection architecture), and the front-end 10 displays the interactive interface of the memory malware detection architecture through an installed and running web browser.
[0053] Host 20 can refer to a host corresponding to frontend 10, and host 20 is used to provide background services for frontend 10. A host security agent of the memory malware detection architecture can be installed on host 20. This host security agent is used to implement the memory malware detection function. For example, the host security agent can be pre-installed on host 20. In response to the user enabling the memory malware detection function, the host security agent performs memory malware detection on the processes running on the host, obtains the memory malware detection results, and generates memory malware alarm information based on the memory malware detection results. Optionally, frontend 10 can correspond to one or more hosts 20.
[0054] The service backend 30 can refer to the server corresponding to the provider of the memory malware detection architecture, used to provide background services for the host security agent. The service backend 30 can be used to parse and store memory malware alerts from the host security agent. The service backend 30 can also be used to provide memory malware alerts to the frontend 10 for display. Optionally, the service backend 30 can be a server cluster or distributed system consisting of multiple physical servers, or it can be a cloud server providing cloud computing services.
[0055] Front-end 10 and host 20 can communicate via network, host 20 and service back-end 30 can communicate via network, and service back-end 30 and front-end 10 can communicate via network.
[0056] The technical solutions provided in this application are applicable to any scenario requiring memory malware detection, such as network security, server security, host security, and software security scenarios. The technical solutions provided in this application can improve the accuracy and applicability of memory malware detection and reduce the risk of missed detections.
[0057] The following section will provide a detailed description of the technical solutions provided in the embodiments of this application, taking into account the implementation environment of the above-mentioned scheme.
[0058] Please refer to Figure 2, which shows a flowchart of a memory malware detection method provided in an embodiment of this application. The execution entity of each step of the method can be the host security agent in the implementation environment shown in Figure 1. The method can include the following steps (201-205).
[0059] Step 201: Inject the proxy plugin used to observe process behavior into the target process on the host to be detected for memory malware.
[0060] A proxy plugin is a JVM-level plugin that can observe and modify the behavior of processes on a host machine, such as the JavaAgent plugin. In this embodiment, the proxy plugin is also used for feature extraction. For example, it can extract features from class objects (i.e., Class objects) within a process to obtain class information. Optionally, the aforementioned process can refer to a web service process. The proxy plugin cannot run independently; it needs to be injected into a process and run within that process.
[0061] The aforementioned host can refer to the host that needs to be detected for memory malware, and this host can be called a server. The target process is the process running on this host that needs to be detected for memory malware. Optionally, in response to the user enabling the memory malware detection function, the aforementioned host security agent used for memory malware detection injects a proxy plugin into the target process to perform memory malware detection on the target process.
[0062] This application does not limit the types of memory malware that can be detected, such as Java memory malware and web application memory malware. Java memory malware can be categorized into Servlet-API type memory malware (e.g., Servlet, Filter, and Listener type), Value type memory malware, Agent type memory malware, and Java memory malware of the Ice Crab and Godzilla types. This application also supports detecting gadgets generated by widely used deserialization vulnerability tools such as Ysoserial and Marshalsec.
[0063] In one example, the process of determining the target process can be as follows:
[0064] 1. Obtain the list of processes on the host.
[0065] The host security agent described above can be used to traverse the processes running on the host to obtain a list of processes corresponding to that host. Optionally, processes can be selectively obtained, for example, processes named "Java" can be obtained to generate a process list; this embodiment of the application does not limit this approach.
[0066] 2. Based on the process's startup parameters and startup method, extract the main class identifier corresponding to each process in the process list.
[0067] The main class identifier represents the main class of a process; for example, it can be the name of the process's main class. Each Java process has a main class, which is the class containing the `main()` method and is the entry point for Java program execution. The main class identifies the type of Java process. For example, the main class of the Tomcat service is `org.apache.catalina.startup.Bootstrap`, which is Tomcat's startup class (also known as the entry point).
[0068] Optionally, the process can be launched by an executable class or an executable file.
[0069] When a process is launched as an executable class, the main class identifier corresponding to the process is obtained by parsing from the kernel command line of the process.
[0070] For example, when a Java process is started using the command: `java [-options] class [args...]`, the main class of the Java process can be obtained from the Java process's command line (kernel command line). `[-options]` configures JVM parameters, and `[args...]` configures Java runtime parameters.
[0071] When the process is started by an executable file, the executable file is parsed from the kernel command line of the process, and the main class identifier of the process is determined based on the executable file.
[0072] For example, when the Java process is started using the command: `java [-options] -jar jarfile [args...]`, the executable JAR file can be parsed from the Java process's command line. The META-INF/MANIFEST.MF file within the JAR file can then be extracted. Since the JAR file is in ZIP format, it can be parsed and extracted in ZIP format. The Main-Class variable value in MANIFEST.MF is the main class identifier of the Java process.
[0073] 3. Based on the main class identifier, identify at least one of the target processes.
[0074] Optionally, the main class identifier of the process is matched with a preset list of main classes to filter out at least one target process. The processes corresponding to the main classes in this list are the processes that need to be detected for memory malware. This can exclude processes that do not need to be detected for memory malware, thereby reducing the workload of memory malware detection and improving the efficiency of memory malware detection.
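The three steps above, sketched as an added example (not code from the patent or its assignee). The class and method names, the list of value-taking launcher options, the second entry of the preset list and the sample command lines are assumptions made for illustration; JAR paths are opened through /proc/[pid]/root and /proc/[pid]/cwd so that they resolve as the target process sees them.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class MainClassResolver {
    // Preset main-class list: the Tomcat entry is from the text, the second is constructed.
    static final Set<String> TARGETS = new HashSet<>(Arrays.asList(
            "org.apache.catalina.startup.Bootstrap", "com.example.demo.Main"));

    // Launcher options whose value is the NEXT argument, so it is not the main class.
    static final Set<String> TAKES_VALUE = new HashSet<>(Arrays.asList(
            "-cp", "-classpath", "--class-path", "-p", "--module-path",
            "--upgrade-module-path", "--add-modules", "--add-exports",
            "--add-opens", "--add-reads"));

    /** /proc/[pid]/cmdline holds the argument vector as NUL-terminated strings. */
    static List<String> splitCmdline(byte[] raw) {
        List<String> argv = new ArrayList<>();
        for (String s : new String(raw, StandardCharsets.UTF_8).split("\0")) {
            if (!s.isEmpty()) argv.add(s);
        }
        return argv;
    }

    /** Main-Class attribute of META-INF/MANIFEST.MF, or null if absent. */
    static String mainClassOfJar(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest mf = jf.getManifest(); // null when the JAR carries no manifest
            return mf == null ? null
                    : mf.getMainAttributes().getValue(Attributes.Name.MAIN_CLASS);
        }
    }

    /**
     * Returns the main class identifier, or null when it cannot be determined.
     * procRoot and procCwd stand for /proc/[pid]/root and /proc/[pid]/cwd.
     */
    static String resolve(List<String> argv, Path procRoot, Path procCwd)
            throws IOException {
        for (int i = 1; i < argv.size(); i++) { // argv[0] is the launcher itself
            String a = argv.get(i);
            if (a.equals("-jar")) {
                if (i + 1 >= argv.size()) return null;
                String jar = argv.get(i + 1);
                Path p = jar.startsWith("/") ? procRoot.resolve(jar.substring(1))
                                             : procCwd.resolve(jar);
                return mainClassOfJar(p);
            }
            if (a.equals("-m") || a.equals("--module")) return null; // module launch: not handled
            if (TAKES_VALUE.contains(a)) { i++; continue; }          // skip the option's value
            if (a.startsWith("-") || a.startsWith("@")) continue;    // other option or @argfile
            return a; // first non-option token is the main class
        }
        return null;
    }

    /** Live use on a Linux host: read the kernel command line of one process. */
    static String resolveLive(int pid) throws IOException {
        Path proc = Paths.get("/proc", Integer.toString(pid));
        return resolve(splitCmdline(Files.readAllBytes(proc.resolve("cmdline"))),
                proc.resolve("root"), proc.resolve("cwd"));
    }

    public static void main(String[] args) throws IOException {
        // Build a constructed app.jar in a temp directory that stands in for the process cwd.
        Path dir = Files.createTempDirectory("mcr");
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        mf.getMainAttributes().put(Attributes.Name.MAIN_CLASS, "com.example.demo.Main");
        new JarOutputStream(Files.newOutputStream(dir.resolve("app.jar")), mf).close();

        // Constructed command lines in /proc/[pid]/cmdline layout.
        String[] samples = {
            "/usr/bin/java\0-Dcatalina.home=/opt/tomcat\0-classpath\0/opt/tomcat/bin/bootstrap.jar"
                + "\0org.apache.catalina.startup.Bootstrap\0start\0",
            "java\0-Xmx256m\0-jar\0app.jar\0--server.port=8080\0",
            "java\0-cp\0/srv/batch.jar\0com.example.batch.Job\0"
        };
        for (String s : samples) {
            String mc = resolve(splitCmdline(s.getBytes(StandardCharsets.UTF_8)),
                    Paths.get("/"), dir);
            System.out.println(mc + " -> " + (TARGETS.contains(mc) ? "target" : "skip"));
        }
    }
}
```

For Spring Boot executable JARs the manifest's Main-Class is the Boot loader's launcher class and the application class sits in Start-Class, so the preset list has to name the launcher or the lookup has to read that attribute as well.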
[0075] In one example, to avoid proxy plugin injection failure due to container isolation, this embodiment divides proxy plugin injection into two cases: inside the container and outside the container. Referring to Figure 3, step 201 may also include the following sub-steps:
[0076] Step 201a: Obtain the symbolic link of the target process, which is used to indicate the reference path.
[0077] Symbolic links are references to another file or directory that can be used to indicate a process's Network Namespace information. For example, a symbolic link for a Java process could be represented as: /proc/[pid]/ns/net, where [pid] is the process identifier of the Java process.
[0078] Step 201b: If the symbolic link of the security agent installed on the host is inconsistent with the symbolic link of the target process, copy the agent plugin file to the container where the target process resides; inject the agent plugin into the target process based on the agent plugin file through the virtual machine tool interface mechanism.
[0079] The security agent is used to detect memory malware; this security agent is the aforementioned host security agent. For example, the symbolic link for the security agent can be represented as: /proc/self/ns/net, where self is the identifier of the security agent.
[0080] If the symbolic link of the security agent does not match the symbolic link of the target process, it indicates that the target process is running in a container on the host machine. Since the process corresponding to the security agent runs on the host machine (i.e., outside the container), it cannot directly inject the agent plugin into the process inside the container. Therefore, it is necessary to check in advance whether the target process is in a container. The container on the host machine can communicate with the host machine itself.
[0081] If the target process is confirmed to be in a container, the proxy plugin file can be copied to the container where the target process resides before injection. The proxy plugin file can include the plugin's code, interfaces, identifiers, and other information. In one example, the proxy plugin file copying method includes at least the following three methods:
[0082] Method 1: Copy the proxy plugin files to the agreed directory of the container where the target process is located.
[0083] This agreed-upon directory can be set and adjusted according to actual usage needs, and the application embodiment does not limit this. Optionally, the docker cp command can be used to copy the agent plugin files to the agreed-upon directory of the container where the target process resides.
[0084] Method 2: Obtain the file system difference directory of the container where the target process is located, and copy the agent plugin files to the agreed subdirectory in the difference directory.
[0085] This agreed-upon subdirectory can be set and adjusted according to actual usage needs, and the application embodiment does not limit this. For example, the container's file system type can be parsed first, such as Overlay, Unionfs, etc., and then the diff directory of the container's file system can be obtained according to the file system type. Finally, the proxy plugin files can be copied to the agreed-upon subdirectory in the diff directory.
[0086] Method 3: Copy the proxy plugin files to the root directory of the target process.
[0087] For example, the agent plugin file can be copied to the root directory of the Java process, such as /proc/[pid]/root/.
[0088] Compared to related technologies that require starting a host process for each container, entering the container via Setns calls, and analyzing proxy plugins, resulting in high costs and overhead, this application's embodiment achieves proxy plugin injection by copying the proxy plugin file into the container, thereby reducing the cost and overhead of proxy plugin injection and improving its efficiency.
[0089] After copying the proxy plugin file to the container where the target process resides, the proxy plugin can be injected. This process can be as follows:
[0090] 1. Obtain the user ID and group ID of the target process.
[0091] Optionally, a user can be represented as Uid (User ID) and a group can be represented as Gid (Group ID).
[0092] 2. Create an empty target file with the same user ID and group ID as the target process in the target process's current working directory or temporary file directory.
[0093] This empty target file can serve as an identifier to indicate whether a socket can be created. The empty target file can be created as an empty file named .attach_pid[pid].
[0094] 3. Send a first notification signal to the target process. This first notification signal is used to trigger the target process to create the target process's socket if it detects the existence of an empty target file.
[0095] After the target process receives the first notification signal, if it detects the existence of an empty target file, it will create a socket. For example, this first notification signal is the SIGQUIT signal. After receiving the SIGQUIT signal, if the Java process detects the existence of an empty target file, it will create a Unix Domain Socket, with the path being /tmp/.java_pid[pid], where /tmp/ is the temporary file directory.
[0096] 4. Establish a transmission connection with the target process based on the target process's socket.
[0097] Optionally, the security agent establishes a TCP (Transmission Control Protocol) connection with the target process based on the target process's socket.
[0098] 5. Send a load instruction to the target process. This load instruction is used to instruct the target process to load the proxy plugin based on the proxy plugin file.
[0099] For example, the loading instruction can be a Load Instrument instruction. After receiving the LoadInstrument instruction, the Java process loads the proxy plugin based on the proxy plugin file.
[0100] Step 201c: If the symbolic link of the security agent is consistent with the symbolic link of the target process, the agent plugin is injected into the target process through the virtual machine tool interface mechanism based on the agent plugin file.
[0101] If the symbolic link of the security agent is the same as the symbolic link of the target process, it indicates that the target process is running outside the container corresponding to the host. The agent plugin can be injected into the target process directly through the virtual machine tool interface mechanism based on the agent plugin file.
[0102] In one example, after the proxy plugin is injected into the target process, its main function is executed. This main function can report successful execution to the security proxy by writing to a log file or establishing a connection via IPC. The security proxy can then obtain information such as whether the proxy plugin was executed in the target process, whether the injection was successful, and whether the execution was successful by checking the plugin's runtime logs or through IPC. The security proxy can then report this information to the service backend, which can store it and send it to the frontend for display to the user.
[0103] Compared to related technologies that use VirtualMachine.attach for injection, which suffers from JDK (Java Development Kit) version compatibility issues and container namespace isolation problems, this application embodiment establishes a transport connection between the security agent and the target process through a socket. This allows the target process to directly load the agent plugin based on the transport connection, thereby solving the JDK version compatibility and container namespace isolation problems and improving the injection applicability of the agent plugin provided in this application embodiment.
[0104] Step 202: Obtain at least one class object that has been loaded in the target process through the proxy plugin.
[0105] Before the proxy plugin is injected into the target process, the target process has already loaded a portion of class objects. These class objects may contain memory malware. Therefore, after the proxy plugin is successfully injected into the target process, it is necessary to perform memory malware detection on the existing class objects. Optionally, these class objects can be referred to as existing class objects, which are the class objects that have already been loaded.
[0106] Optionally, all class objects loaded by the target process can be obtained by calling the Instrument's getAllLoadedClasses function.
[0107] Step 203: The proxy plugin filters at least one class object for risk-free items according to the filtering rules to obtain risky candidate class objects.
[0108] Optionally, the proxy plugin can first filter out risk-free class objects in the target process, and return risky class objects to the security proxy for further judgment. In this embodiment, a risk-free item refers to a class object that can be determined not to be a memory malware. Filtering rules are used to filter out risk-free class objects (i.e., risk-free items). For example, the filtering rules may include Interface rules, Super_Class rules, Annotation rules, Class_Name rules, etc. Filtering rules can be established for risk-free class objects or for risky class objects; this embodiment does not limit this. For example, candidate class objects that do not match the filtering rules can be determined as risk-free items, i.e., risk-free candidate class objects.
[0109] In one example, the risk-free class object filtering process can be as follows:
[0110] 1. Obtain the network namespace where the target process is located, and obtain the first listening socket of the security agent installed on the host under the network namespace.
[0111] Optionally, after obtaining the network namespace of the target process, the security agent can retrieve the first listening socket created by the security agent under the target process's network namespace. The security agent then interacts with the agent plugin injected into the target process through the first listening socket.
[0112] 2. Send a scanning command to the second listening socket of the proxy plugin through the first listening socket.
[0113] The second listening socket is a socket created by the proxy plugin in the network namespace of the target process.
[0114] Optionally, the security agent can establish IPC between itself and the agent plugin through the first and second listening sockets, allowing information exchange between them. Filtering rules are set in the scanning instructions.
[0115] 3. Parse the scanning command using the proxy plugin to obtain the filtering rules.
[0116] 4. Using the proxy plugin, exclude immutable class objects from the at least one class object to obtain a preliminary set of class objects.
[0117] Optionally, you can call the Instrument's isModifiableClass function to check whether a class object is modifiable, and remove class objects that are not modifiable to obtain a set of class objects after initial screening.
[0118] 5. Select the class objects that match the filtering rules from the initial set of class objects as candidate class objects.
[0119] For each class object in the initial screening set, obtain its basic characteristics. These basic characteristics may include metadata such as Interface, Super_Class_Names, Super_Class list, Annotation, Loader_Class_Names, Loader_Class information, Class_Name, and whether the Class exists in a file. Then, compare the basic characteristics of the class object with the filtering rules and determine the class objects that match the filtering rules as candidate class objects.
[0120] By using a proxy plugin to perform preliminary screening of class objects based on their fundamental characteristics, risky class objects can be identified. This allows the security proxy to perform memory malware detection only on these risky class objects, thereby reducing the workload of the security proxy and the resources required for communication, and ultimately improving the efficiency of memory malware detection.
[0121] Step 204: Extract class features from candidate class objects using a proxy plugin to obtain class messages for the candidate class objects. These class messages include the basic features and code features of the class objects. The code features include the original bytecode and disassembled code sequence of the class objects.
[0122] Class characteristics refer to the features of a class object, which can include the basic characteristics and code characteristics of the class object. Code characteristics refer to the characteristics related to the code of the class object. Raw bytecode is the code of the class object. Disassembled code sequences can be obtained by decompiling the raw bytecode.
[0123] In one example, the process of obtaining the class message of a candidate class object can be as follows:
[0124] 1. Extract the raw bytecode of candidate class objects through a proxy plugin.
[0125] Optionally, the original bytecode of the candidate class object can be obtained through an Instrument retransform: call addTransformer to add a dump transformer, then call the retransformClasses function to retransform the candidate class object; the original bytecode of the candidate class object is then stored in the dump transformer.
[0126] 2. The original bytecode of the candidate class object is decompiled using a proxy plugin to obtain the disassembled code sequence of the candidate class object.
[0127] Optionally, decompiling the original bytecode can yield constants, strings, disassembled code sequences, etc.
[0128] 3. The basic characteristics and original bytecode of the extracted candidate class objects, as well as the disassembled code sequence, are encapsulated by the proxy plugin to obtain the class message of the candidate class objects.
[0129] The proxy plugin extracts class features from the candidate class objects to obtain their basic and code features. These features are then encapsulated into class messages and sent to the security agent for further detection of memory malware.
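To illustrate the "constants, strings" that paragraph [0127] says can be recovered from the original bytecode, the following added example (not code from the patent, which performs this step inside the Java proxy plugin) parses the constant pool of a class file in Python and resolves its method references. The sample class bytes and the helper names are constructed for the example, and instruction-level disassembly is out of its scope.

```python
import struct

# Payload size in bytes for fixed-size constant-pool tags (JVM class file format).
# Tag 1 (Utf8) is variable-length and handled separately.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(raw: bytes) -> dict:
    """Return {index: (tag, value)} for the constant pool of a class file."""
    if len(raw) < 10 or raw[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", raw, 8)[0]  # constant_pool_count
    pool, off, idx = {}, 10, 1
    try:
        while idx < count:
            tag = raw[off]
            off += 1
            if tag == 1:                          # Utf8: u2 length + bytes
                n = struct.unpack_from(">H", raw, off)[0]
                if off + 2 + n > len(raw):
                    raise ValueError("truncated Utf8 entry")
                value = raw[off + 2:off + 2 + n].decode("utf-8", "replace")
                off += 2 + n
            elif tag in (7, 8):                   # Class / String: one index
                value = struct.unpack_from(">H", raw, off)[0]
                off += 2
            elif tag in (9, 10, 11, 12):          # refs / NameAndType: two indexes
                value = struct.unpack_from(">HH", raw, off)
                off += 4
            elif tag in FIXED_SIZE:               # numeric and other entries kept opaque
                value = raw[off:off + FIXED_SIZE[tag]]
                off += FIXED_SIZE[tag]
            else:
                raise ValueError(f"unknown constant pool tag {tag}")
            pool[idx] = (tag, value)
            idx += 2 if tag in (5, 6) else 1      # Long/Double occupy two slots
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated constant pool") from exc
    if off > len(raw):
        raise ValueError("truncated constant pool")
    return pool

def method_refs(pool: dict) -> list:
    """Resolve Methodref/InterfaceMethodref entries to 'owner.name:descriptor'."""
    refs = []
    for tag, value in pool.values():
        if tag not in (10, 11):
            continue
        try:
            class_idx, nat_idx = value
            owner = pool[pool[class_idx][1]][1]   # Class entry -> Utf8 name
            name_idx, desc_idx = pool[nat_idx][1]
            refs.append(f"{owner}.{pool[name_idx][1]}:{pool[desc_idx][1]}")
        except (KeyError, TypeError, ValueError):
            continue                              # dangling index: skip the entry
    return sorted(refs)

def string_constants(pool: dict) -> list:
    """Return the string literals (CONSTANT_String entries) of the class."""
    return [pool[v][1] for tag, v in pool.values() if tag == 8 and v in pool]

def build_sample_class() -> bytes:
    """Constructed input: class file header plus a small constant pool."""
    def utf8(s):
        b = s.encode()
        return b"\x01" + struct.pack(">H", len(b)) + b
    entries = [
        utf8("java/lang/Runtime"),                        # 1
        b"\x07" + struct.pack(">H", 1),                   # 2  Class -> 1
        utf8("exec"),                                     # 3
        utf8("(Ljava/lang/String;)Ljava/lang/Process;"),  # 4
        b"\x0c" + struct.pack(">HH", 3, 4),               # 5  NameAndType
        b"\x0a" + struct.pack(">HH", 2, 5),               # 6  Methodref
        b"\x05" + struct.pack(">q", 42),                  # 7  Long (slots 7 and 8)
        utf8("hello"),                                    # 9
        b"\x08" + struct.pack(">H", 9),                   # 10 String -> 9
    ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 11)
    return header + b"".join(entries)

if __name__ == "__main__":
    cp = parse_constant_pool(build_sample_class())
    print(method_refs(cp), string_constants(cp))
```

The resolved references and string literals are the kind of text a regular-expression detection rule can be matched against when the class message reaches the security agent.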
[0130] Step 205: Perform a memory malware feature scan on the class messages to obtain the target class objects identified as memory malware.
[0131] After obtaining the class messages of the candidate class objects, the security agent uses a memory malware signature library to scan the class messages for memory malware features, thereby obtaining the target class object. The memory malware signature library contains detection rules for memory malware in regular expression format. Memory malware features refer to the characteristics possessed by memory malware, such as its execution method and code characteristics, and these features can be represented using regular expressions.
[0132] Optionally, the security agent extracts the disassembly sequence and raw bytecode of the candidate class object from the class message, matches the disassembly sequence and raw bytecode of the candidate class object with the detection rules in the memory malware signature library, and determines the candidate class object as the target class object if either the disassembly sequence or the raw bytecode matches a detection rule.
[0133] For example, the security agent can use the Hyperscan engine to scan class messages. When the agent starts, the engine compiles the regular-expression detection rules for memory malware into a Hyperscan rule base, so this compilation step does not have to be repeated each time a class message is scanned, which significantly reduces performance overhead. Furthermore, the Hyperscan engine features multi-pattern matching, meaning that regardless of the number of detection rules, only one scan of the class message is needed to complete the detection. In scenarios with a large number of detection rules, performance overhead can be further reduced.
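The two-stage decision described in steps 203 and 205, as an added example that is not code from the patent: basic features select the candidates, then a rule base compiled once at start-up is matched against both the disassembled code sequence and the raw bytecode. Python's `re` module stands in for Hyperscan here (it tests one rule at a time rather than all rules in a single pass), and the message layout, filter rule, detection rules and sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ClassMessage:
    """Class message; fields follow the basic and code features named in the
    text, the concrete layout is an assumption of this example."""
    class_name: str
    interfaces: list
    super_class_names: list
    exists_in_file: bool
    raw_bytecode: bytes
    disassembly: str

# Constructed filter rule: types through which a class receives web requests.
REQUEST_FACING = {"javax/servlet/Filter", "javax/servlet/Servlet",
                  "javax/servlet/ServletRequestListener"}

def is_candidate(msg: ClassMessage) -> bool:
    """Filter stage: request-facing class with no class file behind it."""
    facing = REQUEST_FACING & set(msg.interfaces + msg.super_class_names)
    return bool(facing) and not msg.exists_in_file

# Constructed detection rules (bytes patterns so they also run on raw bytecode).
# The second rule tolerates the length bytes that separate neighbouring
# constant-pool strings in raw bytecode as well as the '.' used in disassembly.
RULE_SOURCES = {
    "request-param-to-exec": rb"getParameter[\s\S]{0,400}?java/lang/Runtime\.exec",
    "dynamic-defineclass": rb"java/lang/ClassLoader[\s\S]{0,16}?defineClass",
}

def compile_rule_base(sources: dict) -> list:
    """Compile every rule once, as the agent does at start-up."""
    return [(name, re.compile(pattern)) for name, pattern in sources.items()]

RULE_BASE = compile_rule_base(RULE_SOURCES)

def scan(msg: ClassMessage, rule_base=RULE_BASE) -> list:
    """Return the names of rules matching the disassembly OR the raw bytecode."""
    disasm = msg.disassembly.encode("utf-8", "replace")
    return [name for name, rx in rule_base
            if rx.search(disasm) or rx.search(msg.raw_bytecode)]

def detect(messages: list) -> dict:
    """Map class name -> matched rules for every candidate with at least one hit."""
    findings = {}
    for msg in messages:
        if not is_candidate(msg):
            continue
        hits = scan(msg)
        if hits:
            findings[msg.class_name] = hits
    return findings

HDR = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"  # class file magic + version (constructed)
SAMPLE_MESSAGES = [  # constructed class messages
    ClassMessage("com/example/AuditFilter", ["javax/servlet/Filter"], [], True, HDR,
                 "aload_0\ninvokeinterface javax/servlet/FilterChain.doFilter\nreturn\n"),
    ClassMessage("com/example/a/X", ["javax/servlet/Filter"], [], False, HDR,
                 "aload_1\ninvokeinterface javax/servlet/ServletRequest.getParameter\n"
                 "invokestatic java/lang/Runtime.getRuntime\nswap\n"
                 "invokevirtual java/lang/Runtime.exec\n"),
    ClassMessage("com/example/b/Y", [], ["javax/servlet/Servlet"], False,
                 HDR + b"\x01\x00\x15java/lang/ClassLoader\x01\x00\x0bdefineClass",
                 ""),  # disassembly unavailable: only the raw bytecode can match
    ClassMessage("com/example/c/Z", ["javax/servlet/Filter"], [], False, HDR,
                 "aload_0\ninvokeinterface javax/servlet/FilterChain.doFilter\nreturn\n"),
]

if __name__ == "__main__":
    for name, hits in detect(SAMPLE_MESSAGES).items():
        print(name, hits)
```

Class `com/example/c/Z` passes the filter but matches no rule, so basic features alone would have flagged it while the code features clear it; `com/example/b/Y` is caught only through its raw bytecode.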
[0134] In one example, if there are changed or added class objects in the target process, the class messages of the changed or added class objects can be obtained through the proxy plugin; the class messages of the changed or added class objects are scanned for memory malware features to obtain the detection results corresponding to the changed or added class objects.
[0135] Here, "changed class objects" refers to existing class objects that have undergone changes, while "added class objects" refers to class objects newly added to the target process. The detection results are used to indicate whether the changed or added class objects are memory malware.
[0136] Optionally, after the proxy plugin is injected into the target process, the proxy plugin's main function is called. Within this main function, a ClassFileTransformer callback object is registered by calling the addTransformer function. The Instrument mechanism ensures that whenever a changed or newly added class object appears in the target process, the registered ClassFileTransformer callback object will be called back, from which the changed or newly added class object can be retrieved.
[0137] In one example, after identifying the target class object, the security agent can also construct a memory malware alert based on the target class object. This memory malware alert includes complete information about the target class object and the detection rules for the target class object. The memory malware alert is then reported to the server, which forwards it to the front-end page for display.
[0138] The server refers to the service backend mentioned above, and the frontend (or webpage) refers to the page displayed by the browser installed and running on the frontend. Optionally, the memory malware alarm information may also include alarm details, alarm cause, and suggested solutions.
[0139] In one example, since the security agent needs to send filtering rules, detection rules, etc. to the agent plugin, and the agent plugin also needs to send the agent plugin's running status, class messages, etc. to the security agent, communication needs to be established between the security agent and the agent plugin injected into the target process.
[0140] Taking IPC as an example, before injecting the proxy plugin into the target process, the security proxy can first create a first listening socket for communicating with the proxy plugin. This process can be as follows:
[0141] Obtain the network namespace of the security agent installed on the host, i.e., obtain the symbolic link of the security agent.
[0142] If the network namespace of the security agent installed on the host is different from that of the target process, the security agent switches to the target process's network namespace via a thread within the security agent; a first listening socket is created under the target process's network namespace; and the process returns to the security agent's network namespace.
[0143] For example, if the network namespace of the security agent is different from that of the target process, it indicates that the security agent and the target process are not in the same network namespace. The security agent can enter the target process's network namespace by calling the `Setns` call. After entering the target process's network namespace, the security agent can create an Abstract Unix Domain socket (i.e., the first listening socket) by executing a `Socket` call. This socket belongs to the target process's network namespace and is visible to all processes in the target process's network namespace. The security agent executes the `Setns` call again, returning to its own network namespace, but the first listening socket it created still belongs to the target process's network namespace.
[0144] Optionally, if the network namespace of the security agent installed on the host is the same as the network namespace of the target process, then the first listening socket can be created directly under the network namespace of the security agent.
[0145] After injecting the proxy plugin into the target process, a second listening socket corresponding to the first listening socket can be created for the proxy plugin. This process can be as follows: create the second listening socket through the proxy plugin; receive periodic heartbeat messages from the second listening socket through the first listening socket. The heartbeat information is used to reflect the running status of the proxy plugin.
[0146] Optionally, the proxy plugin can directly create a second listening socket in the network namespace of the target process. The security proxy can then communicate directly with the proxy plugin based on the first and second listening sockets. The aforementioned heartbeat information may include the version information of the proxy plugin, relevant information about the target process, and version information of the detection strategy (including filtering rules and detection rules).
[0147] The security agent can parse the proxy plugin version information, target process information, and detection policy version information (including filtering rules and detection rules) from heartbeat messages. Optionally, if the proxy plugin version is lower than the version configured by the security agent, the security agent will re-inject the latest version of the proxy plugin into the target process to replace the original proxy plugin. Optionally, if the detection policy version is not equal to the version configured by the security agent, the security agent will send the latest version of the detection policy to the proxy plugin.
[0148] In summary, the technical solution provided in this application injects a proxy plugin into the target process and then obtains the basic characteristics and code characteristics of class objects in the target process through the proxy plugin. Based on the basic characteristics of the class objects, the code characteristics of the class objects are combined to detect the class objects to determine whether the class objects are memory malware. This avoids the problem of missed detection of memory malware caused by only relying on the basic characteristics of class objects, thereby reducing the risk of missed detection of memory malware and improving the accuracy of memory malware detection.
[0149] Furthermore, by combining the code characteristics of class objects for memory malware detection, rather than being limited to a certain type of class object (such as the Class of an interface), the types and scope of memory malware that can be detected by the technical solutions provided in this application are expanded, thereby improving the applicability of the technical solutions provided in this application for memory malware detection.
[0150] In addition, this application embodiment establishes a transport connection between the security agent and the target process through a socket, so that the target process can directly load the agent plugin based on the transport connection, thereby solving the JDK version compatibility problem and the container namespace isolation problem, and thus improving the injection applicability of the agent plugin provided by this application embodiment.
[0151] In addition, by creating a listening socket in the same network namespace for the security agent and the proxy plugin, communication between them is possible. This ensures the timely delivery of detection policies and the timely uploading of the proxy plugin's running status and class messages, thereby improving the stability of memory malware detection.
[0152] In an exemplary embodiment, taking Java memory malware detection as an example, the technical solution provided by the embodiments of this application will be described, and its specific content can be as follows:
[0153] Referring to Figure 4, the process can be divided into three parts: the JavaAgent plugin (i.e., the aforementioned agent plugin) injection process, the IPC establishment process between the host security agent (i.e., the aforementioned security agent) and the JavaAgent plugin, and the Java memory malware detection process.
[0154] 1. Referring to Figure 4 and Figure 5, the JavaAgent plugin injection process can be as follows:
[0155] Step 501: Parse the startup parameters of the Java process.
[0156] Optionally, in response to the user enabling the Java memory malware detection switch for the target host displayed in the front-end 401, the host security agent 403 iterates through the processes running on the target host to obtain the processes named Java, thus obtaining a list of Java processes corresponding to the target host. The target host can refer to any host pre-installed with the host security agent 403. For example, referring to Figure 6, the interactive interface 600 of the front-end 401 contains switches 601 for the JavaAgent plugins 405 corresponding to multiple servers (i.e., hosts). In response to a user's activation of a specific switch 601, the host security agent 403 injects the JavaAgent plugin 405 into the server corresponding to that switch 601, thereby enabling the JavaAgent plugin 405. Users can enable the Java memory malware detection function with a single click, without needing to restart the Java process or modify its startup parameters, thus reducing user costs and improving the user experience.
[0157] After obtaining the list of Java processes corresponding to the target host, Host Security Agent 403 extracts the main class name of each Java process in the list by parsing the startup parameters and startup methods of the Java processes. Optionally, the aforementioned Java processes also refer to Java Web service processes, which is not limited in this embodiment of the application.
[0158] Step 502: Filter Java processes that need to be injected with the JavaAgent plugin.
[0159] The host security agent 403 selects Java processes whose main class names match the main class list set by the service backend 402, resulting in multiple target Java processes. These multiple target Java processes are the Java processes that need to be injected with the JavaAgent plugin 405 (e.g., Java process 404 in Figure 4).
[0160] Step 503: Check if the Java process is in the container.
[0161] Taking Java process 404 in Figure 4 as an example, if the host security agent 403 detects that its own symbolic link is inconsistent with the symbolic link of Java process 404, it can be determined that Java process 404 is running in a container on the host; if the host security agent 403 detects that its own symbolic link is consistent with the symbolic link of Java process 404, it can be determined that Java process 404 is not running in a container.
[0162] Step 504: If the Java process is in a container, copy the JavaAgent plugin file to the container where the Java process is located, and then execute step 505.
[0163] If Host Security Agent 403 detects that Java process 404 is running in a container, Host Security Agent 403 needs to copy the files of JavaAgent plugin 405 to the root directory of Java process 404 before it can execute the injection of JavaAgent plugin 405.
[0164] Step 505: If the Java process is not in the container, then execute the injection of the JavaAgent plugin.
[0165] If the host security agent 403 detects that the Java process 404 is not running in the container or that the files of the JavaAgent plugin 405 have been copied to the root directory of the Java process 404, the host security agent 403 can directly execute the injection of the JavaAgent plugin 405. The injection method of the JavaAgent plugin 405 is the same as that described in the above embodiments, and will not be repeated here.
[0166] Step 506: Obtain the running status of the JavaAgent plugin.
[0167] After JavaAgent plugin 405 is injected into Java process 404, host security agent 403 will establish an IPC with JavaAgent plugin 405. Through this communication channel, JavaAgent plugin 405 reports runtime status information such as whether the injection was successful, whether the execution was successful, and whether it was executed to host security agent 403.
[0168] Optionally, after obtaining the running status of the JavaAgent plugin 405, the host security agent 403 reports the running status of the JavaAgent plugin 405 to the service backend 402. The service backend 402 writes the running status of the JavaAgent plugin 405 into the database and displays it to the user in the frontend 401. For example, referring to Figure 7, the plugin details page 700 shows that the JavaAgent plugin in the Java process with PID 4775 has exited, that is, stopped running.
[0169] This application embodiment supports Java memory malware detection for Java processes running on the host machine and within containers, thereby improving the applicability of the technical solution provided in this application embodiment.
[0170] 2. Referring to Figure 4 and Figure 8, the IPC establishment process between the host security agent and the JavaAgent plugin can be as follows:
[0171] Step 801: Obtain the network namespace of the Java process.
[0172] The host security agent 403 obtains the network namespace of the Java process 404, i.e., its symbolic link.
[0173] Step 802: Check whether they belong to the same network namespace.
[0174] If the host security agent 403 detects that its own network namespace is different from the network namespace of the Java process 404, it can determine that it and the Java process 404 do not belong to the same network namespace; if the host security agent 403 detects that its own network namespace is the same as the network namespace of the Java process 404, it can determine that it and the Java process 404 belong to the same network namespace.
[0175] Step 803: If they do not belong to the same network namespace, execute the Setns call to enter the network namespace of the Java process, and then execute step 604.
[0176] If the host security agent 403 detects that it does not belong to the same network namespace as the Java process 404, it can call Setns with CLONE_NEWNET to enter the network namespace of the Java process 404.
[0177] Step 804: If they belong to the same network namespace, create the first listening socket.
[0178] If host security agent 403 detects that it belongs to the same network namespace as Java process 404 or has already entered the network namespace of Java process 404, host security agent 403 creates the first listening socket under the network namespace of Java process 404. Then host security agent 403 can execute the Setns call again to return to its own network namespace.
[0179] Step 805: Perform the operation of injecting the JavaAgent plugin.
[0180] Step 806: Create a second listening socket using the JavaAgent plugin.
[0181] After JavaAgent plugin 405 is injected into Java process 404, JavaAgent plugin 405 creates a second listening socket in the network namespace of Java process 404.
[0182] Since the Java language lacks an API (Application Programming Interface) for creating Unix Domain Sockets, it is necessary to encapsulate system calls such as Socket, Bind, Sendto, and Recvfrom into a C module via the JNI (Java Native Interface) mechanism and import it into the Java language. When the JavaAgent plugin is injected, the JavaAgent plugin calls System.load to load the C module, and then the Java code of the JavaAgent plugin can call functions such as Socket and Bind to create a second listening socket.
[0183] JavaAgent plugin 405 can periodically send heartbeat messages to the first listening socket of host security agent 403 through the second listening socket. The heartbeat message is used to reflect the running status of JavaAgent plugin 405. The heartbeat message may include the version information of JavaAgent plugin 405, relevant information of Java process 404, version information of detection strategy (including filtering rules and detection rules), etc.
[0184] Step 807: Receive heartbeat information from the JavaAgent plugin.
[0185] Host security agent 403 receives heartbeat information from JavaAgent plugin 405 through the first listening socket.
[0186] Step 808: Send the detection strategy.
[0187] When the host security agent 403 receives the heartbeat information from the JavaAgent plugin 405 for the first time, it sends a detection policy to the JavaAgent plugin 405. This detection policy is used for Java memory malware detection.
[0188] Optionally, the host security agent 403 can update and adjust the version of the JavaAgent plugin 405 and the version of the detection policy based on subsequent heartbeat information to achieve version and policy synchronization.
[0189] By establishing IPC between the host security agent and the Java agent plugin through listening sockets, this embodiment of the application breaks through the communication isolation between the container and the host machine, enabling the technical solution provided by this embodiment to support multiple service types, such as Tomcat, JBoss, Resin, Jetty, Weblogic, etc., thereby further improving the applicability of the technical solution provided by this embodiment of the application.
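The listening-socket setup of paragraphs [0140] to [0147] and steps 801 to 808, as an added example that is not code from the patent: the agent compares network-namespace links, enters the target's namespace in a worker thread only when they differ, binds an abstract Unix domain datagram socket, and derives the version-sync actions from a heartbeat. The JSON heartbeat format, socket name handling, configured versions and action names are assumptions, and the `SO_PASSCRED` sender check is an addition beyond the text, included because an abstract socket carries no file permissions.

```python
import ctypes, json, os, socket, struct, threading

CLONE_NEWNET = 0x40000000
_libc = ctypes.CDLL(None, use_errno=True)
CONFIGURED = {"plugin_version": "1.4.0", "policy_version": 7}  # constructed values

def netns_link(pid) -> str:
    """Symbolic link naming a process's network namespace, e.g. 'net:[4026531992]'."""
    return os.readlink(f"/proc/{pid}/ns/net")

def _bind_abstract(name: str) -> socket.socket:
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)  # kernel attaches sender creds
    sock.bind(b"\0" + name.encode())     # leading NUL byte = abstract namespace
    return sock

def create_first_listener(target_pid: int, name: str) -> socket.socket:
    """Create the agent's listening socket inside the target's network namespace."""
    if netns_link("self") == netns_link(target_pid):
        return _bind_abstract(name)      # same namespace: bind directly
    result = {}
    def worker():                        # setns() only affects the calling thread
        own = os.open("/proc/self/ns/net", os.O_RDONLY)
        tgt = os.open(f"/proc/{target_pid}/ns/net", os.O_RDONLY)
        try:
            if _libc.setns(tgt, CLONE_NEWNET) != 0:   # needs CAP_SYS_ADMIN
                raise OSError(ctypes.get_errno(), "setns into target namespace failed")
            try:
                result["sock"] = _bind_abstract(name)  # stays in the target namespace
            finally:
                if _libc.setns(own, CLONE_NEWNET) != 0:
                    result["err"] = OSError(ctypes.get_errno(), "setns back failed")
        except OSError as exc:
            result["err"] = exc
        finally:
            os.close(own)
            os.close(tgt)
    thread = threading.Thread(target=worker)
    thread.start()
    thread.join()
    if "err" in result:
        if "sock" in result:
            result["sock"].close()
        raise result["err"]
    return result["sock"]

def recv_heartbeat(listener: socket.socket, max_len: int = 4096):
    """Return (datagram, sender_pid); sender_pid comes from the kernel, not the payload."""
    space = socket.CMSG_SPACE(struct.calcsize("iII"))
    data, ancdata, _flags, _addr = listener.recvmsg(max_len, space)
    sender_pid = None
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            sender_pid = struct.unpack("iII", cdata[:12])[0]   # struct ucred: pid, uid, gid
    return data, sender_pid

def _version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))

def handle_heartbeat(datagram: bytes, configured=CONFIGURED) -> list:
    """Decide the sync actions described in [0147] for one heartbeat."""
    try:
        hb = json.loads(datagram)
        plugin_v, policy_v = _version(hb["plugin_version"]), hb["policy_version"]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError("malformed heartbeat") from exc
    actions = []
    if plugin_v < _version(configured["plugin_version"]):
        actions.append("reinject_plugin")     # plugin older than configured version
    if policy_v != configured["policy_version"]:
        actions.append("send_policy")         # detection policy out of sync
    return actions
```

A caller would compare the `sender_pid` returned by `recv_heartbeat` with the PID of the process it injected into before acting on the heartbeat.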
[0190] 3. Referring to Figure 4 and Figure 9, the detection process for Java memory malware can be as follows:
[0191] Step 901: Send a scan command to the JavaAgent plugin.
[0192] Optionally, after the JavaAgent plugin 405 is successfully injected into the Java process 404 and an IPC is established between the JavaAgent plugin 405 and the host security agent 403, the host security agent 403 sends a scanning command to the JavaAgent plugin 405 through a first listening socket and a second listening socket. This scanning command instructs the JavaAgent plugin 405 to obtain existing Class objects loaded on the Java process 404. The scanning command includes filtering rules for existing Class objects.
[0193] Step 902: Obtain existing Class objects in the Java process through the JavaAgent plugin.
[0194] Optionally, the host security agent 403 can use the JavaAgent plugin 405 to call the Instrument's getAllLoadedClasses function to obtain all existing Class objects loaded by the Java process 404.
[0195] Step 903: Filter the candidate existing Class objects that need to be detected for Java memory malware using the JavaAgent plugin.
[0196] Host security agent 403 can use the JavaAgent plugin 405 to call the Instrument's isModifiableClass function to check whether existing Class objects are modifiable, excluding existing Class objects that are not modifiable. Then, the JavaAgent plugin 405 obtains the basic characteristics of the remaining existing Class objects and compares them with the filtering rules to obtain candidate existing Class objects. These candidate existing Class objects refer to risky existing Class objects (i.e., existing Class objects that may be Java memory malware).
[0197] Step 904: Transform the candidate existing Class objects that need to be detected for Java memory malware.
[0198] The host security agent 403 can add a dump transformer by calling addTransformer through the JavaAgent plugin 405, and then call the retransformClasses function to retransform the candidate existing Class objects. The dump transformer contains the original bytecode of the candidate existing Class objects.
[0199] Step 905: Decompile the candidate existing Class objects that need to be detected for Java memory malware.
[0200] Host security agent 403 can use the JavaAgent plugin 405 to decompile the original bytecode of the candidate existing Class objects to obtain the constants, strings, disassembled code sequences, etc. corresponding to the candidate existing Class objects.
[0201] Step 906: Obtain the Class message of the candidate existing Class object.
[0202] Host security agent 403 can encapsulate the basic characteristics, raw bytecode, and disassembled code sequence of candidate existing Class objects through JavaAgent plugin 405 to obtain the Class message of the candidate existing Class object, and send the Class message to host security agent 403 through a second listening socket. Host security agent 403 receives the Class message through a first listening socket.
[0203] Step 907: Scan Class messages to identify Java memory malware.
[0204] The host security agent 403 uses the Hyperscan library to scan Class messages and identifies candidate existing Class objects that match the detection rules as Java memory malware.
[0205] Step 908: Report memory malware alarm information.
[0206] Host security agent 403 constructs memory malware alarm information based on the identified Java memory malware and reports it to service backend 402. Service backend 402 parses the memory malware alarm information, stores it in the database, and sends it to frontend 401 to be displayed to the user.
[0207] Optionally, after the JavaAgent plugin 405 is injected into the Java process 404, the main function of the JavaAgent plugin 405 is called. In the main function of the JavaAgent plugin 405, a ClassFileTransformer callback object is registered by calling the addTransformer function. The instrument mechanism ensures that when a changed or newly added Class object appears in the Java process, the registered ClassFileTransformer callback will be called back to obtain the changed or newly added Class object. Then, the same method as described above is used to perform Java memory malware detection on the changed or newly added Class object. In this embodiment, after the JavaAgent plugin 405 is injected, no further injection operation is required; that is, in the subsequent detection process, Java memory malware detection can be directly performed using the JavaAgent plugin 405.
[0208] For example, referring to Figure 10, the Java memory malware alert event interface 1000 displays information such as the location of the Java memory malware, its type, and the event that was detected. Referring to Figure 11, users can further view the details of a specific Java memory malware: the Java memory malware details page displays detailed information about the malware, along with a description of its harm and remediation suggestions. Referring to Figure 12, Figure 12 illustrates Java memory malware 1200 (details of the payload of Java memory malware 1200). Java memory malware 1200 contains memory malware features 1201 and 1202. When memory malware features 1201 and 1202 are detected in a class object, it can be directly identified as Java memory malware.
[0209] In summary, the technical solution provided in this application injects a JavaAgent plugin into the target Java process, and then obtains the basic characteristics and code characteristics of the Class object in the target Java process through the JavaAgent plugin. Based on the basic characteristics of the Class object, the code characteristics of the Class object are combined to detect the Class object to determine whether the Class object is a Java memory malware. This avoids the problem of missed detection of Java memory malware caused by only relying on the basic characteristics of the Class object, thereby reducing the risk of missed detection of Java memory malware and improving the detection accuracy of Java memory malware.
[0210] Furthermore, by combining the code characteristics of Class objects for Java memory malware detection, rather than being limited to a certain type of Class object, the types and scope of Java memory malware that can be detected by the technical solution provided in this application are expanded, thereby improving the applicability of the technical solution provided in this application for Java memory malware detection.
[0211] The following are embodiments of the apparatus described in this application, which can be used to execute the embodiments of the method described in this application. For details not disclosed in the apparatus embodiments of this application, please refer to the embodiments of the method described in this application.
[0212] Refer to Figure 13, which shows a block diagram of a memory malware detection device according to an embodiment of this application. The device has the functionality to implement the method example described above; this functionality can be implemented in hardware or by hardware executing corresponding software. The device can be the computer device described above, or it can be installed within a computer device. As shown in Figure 13, the device 1300 includes: a proxy plugin injection module 1301, an existing object acquisition module 1302, a candidate object determination module 1303, a class message acquisition module 1304, and a memory malware determination module 1305.
[0213] The proxy plugin injection module 1301 is used to inject a proxy plugin for observing process behavior into the target process on the host to be checked for memory malware.
[0214] The existing object acquisition module 1302 is used to acquire at least one class object that has been loaded by the target process through the proxy plugin.
[0215] The candidate object determination module 1303 is used to filter out risk-free class objects from the at least one class object according to the filtering rules through the proxy plugin to obtain risky candidate class objects.
[0216] The class message acquisition module 1304 is used to extract class features from the candidate class object through the proxy plugin to obtain the class message of the candidate class object. The class message includes the basic features and code features of the class object. The code features include the original bytecode and disassembled code sequence of the class object.
[0217] The memory malware determination module 1305 is used to perform memory malware feature scanning on the class message to obtain the target class object identified as a memory malware.
[0218] In some embodiments, as shown in Figure 14, the proxy plugin injection module 1301 includes: a symbolic link acquisition submodule 1301a, a plugin file copying submodule 1301b, and a proxy plugin injection submodule 1301c.
[0219] Symbolic link acquisition submodule 1301a is used to acquire symbolic links of the target process, wherein the symbolic links are used to indicate reference paths.
[0220] The plugin file copying submodule 1301b is used to copy the file of the proxy plugin to the container where the target process resides if the symbolic link of the security agent installed on the host is inconsistent with the symbolic link of the target process; the proxy plugin injection submodule 1301c is used to inject the proxy plugin into the target process based on the file of the proxy plugin through the virtual machine tool interface mechanism.
[0221] The proxy plugin injection submodule 1301c is further configured to inject the proxy plugin into the target process through a virtual machine tool interface mechanism based on the file of the proxy plugin, when the symbolic link of the security agent is consistent with the symbolic link of the target process; wherein, the security agent is used to detect memory malware.
[0222] In some embodiments, the proxy plugin injection submodule 1301c is further configured to:
[0223] Obtain the user identifier and group identifier of the target process;
[0224] In the current working directory or temporary file directory of the target process, create an empty target file with the same user identifier and group identifier as the target process;
[0225] Send a first notification signal to the target process, the first notification signal being used to trigger the target process to create the target process's socket when the existence of the target empty file is detected;
[0226] A transmission connection is established with the target process based on the target process's socket;
[0227] A load instruction is sent to the target process, which instructs the target process to load the proxy plugin based on the proxy plugin's file.
[0228] In some embodiments, the plugin file copying submodule 1301b is used for:
[0229] Copy the proxy plugin files to the designated directory of the container where the target process resides;
[0230] Alternatively, obtain the file system difference directory of the container where the target process is located, and copy the files of the proxy plugin to the agreed subdirectory in the difference directory;
[0231] Alternatively, copy the agent plugin files to the root directory of the target process.
[0232] In some embodiments, the candidate object determination module 1303 is configured to:
[0233] Obtain the network namespace where the target process is located, and obtain the first listening socket of the security agent installed on the host under the network namespace;
[0234] A scanning command is sent to the second listening socket of the proxy plugin through the first listening socket;
[0235] The filtering rules are obtained by parsing the scanning command through the proxy plugin.
[0236] The proxy plugin is used to exclude immutable class objects from the at least one class object to obtain a pre-screened set of class objects.
[0237] The class objects in the pre-screened set of class objects that match the filtering rules are determined as candidate class objects.
[0238] In some embodiments, the class message acquisition module 1304 is configured to:
[0239] The proxy plugin extracts the original bytecode of the candidate class object;
[0240] The proxy plugin is used to decompile the original bytecode of the candidate class object to obtain the disassembled code sequence of the candidate class object;
[0241] The proxy plugin encapsulates the basic features and original bytecode of the extracted candidate class object, as well as the disassembled code sequence, to obtain the class message of the candidate class object.
[0242] In some embodiments, the memory malware determination module 1305 is used to perform memory malware feature scanning on the class message using a memory malware feature library to obtain the target class object; wherein, the memory malware feature library contains detection rules in the regular expression format of memory malware.
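The pre-screening, filtering and feature-scan steps of [0236] to [0242], as an added example that is not taken from the patent or from any product. The field names, the flat text layout of the class message, the filtering rule, the three regex rules and the sample classes are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ClassMessage:
    """Class message: basic features plus the disassembled code sequence."""
    name: str
    modifiable: bool   # False marks an immutable class object (e.g. an array class)
    interfaces: tuple  # assumed basic feature
    source: str        # assumed basic feature: where the class was loaded from
    disasm: tuple      # one disassembled instruction per element

    def text(self, with_code=True):
        # Assumed flat layout so regex rules can anchor on line starts.
        lines = [f"name={self.name}",
                 f"interfaces={','.join(self.interfaces)}",
                 f"source={self.source}"]
        if with_code:
            lines += ["--- code ---", *self.disasm]
        return "\n".join(lines)

# Filtering rule as it might arrive in a scanning command (constructed).
FILTER_RULE = re.compile(r"^interfaces=.*javax/servlet/(Filter|Servlet)\b", re.M)

# Constructed feature library: rule id -> detection rule in regex format.
FEATURE_LIBRARY = {
    "basic.no-code-source": re.compile(r"^source=$", re.M),
    "code.runtime-exec": re.compile(r"^invoke\w+ java/lang/Runtime\.exec:", re.M),
    "code.define-class": re.compile(
        r"^invoke\w+ java/lang/ClassLoader\.defineClass:", re.M),
}

def detect(messages, filter_rule, library, with_code=True):
    """Pre-screen, pick candidates, scan. Returns {class name: [rule ids]}."""
    prescreened = [m for m in messages if m.modifiable]
    candidates = [m for m in prescreened
                  if filter_rule.search(m.text(with_code=False))]
    results = {}
    for msg in candidates:
        scan_text = msg.text(with_code)
        hits = sorted(rid for rid, rx in library.items() if rx.search(scan_text))
        if hits:
            results[msg.name] = hits
    return results

DO_FILTER = ("invokeinterface javax/servlet/FilterChain.doFilter:"
             "(Ljavax/servlet/ServletRequest;Ljavax/servlet/ServletResponse;)V")

# Constructed class messages, not captured from a real process.
SAMPLES = [
    ClassMessage("[Ljava.lang.Object;", False,
                 ("java/lang/Cloneable", "java/io/Serializable"), "", ()),
    ClassMessage("com.example.shop.PriceCache", True, ("java/io/Serializable",),
                 "file:/app/shop.jar", ("aload_0", "areturn")),
    ClassMessage("com.example.shop.AuthFilter", True, ("javax/servlet/Filter",),
                 "file:/app/shop.jar",
                 ("aload_3", "aload_1", "aload_2", DO_FILTER, "return")),
    ClassMessage("com.example.shop.$Proxy12", True, ("javax/servlet/Filter",),
                 "", ("aload_3", "aload_1", "aload_2", DO_FILTER, "return")),
    ClassMessage("com.example.shop.MetricsFilter", True, ("javax/servlet/Filter",),
                 "file:/app/shop.jar",
                 ("aload_1", 'ldc "q"',
                  "invokeinterface javax/servlet/ServletRequest.getParameter:"
                  "(Ljava/lang/String;)Ljava/lang/String;",
                  "astore 4",
                  "invokestatic java/lang/Runtime.getRuntime:()Ljava/lang/Runtime;",
                  "aload 4",
                  "invokevirtual java/lang/Runtime.exec:"
                  "(Ljava/lang/String;)Ljava/lang/Process;",
                  "pop", "return")),
]

if __name__ == "__main__":
    print("basic + code features:", detect(SAMPLES, FILTER_RULE, FEATURE_LIBRARY))
    print("basic features only: ",
          detect(SAMPLES, FILTER_RULE, FEATURE_LIBRARY, with_code=False))
```

With `with_code=False` the scan sees only the basic features, so `MetricsFilter` goes unreported while the generated proxy class is still flagged; this is the missed-detection case that the code features are meant to close.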
[0243] In some embodiments, the class message acquisition module 1304 is further configured to acquire the class message of the changed or added class object through the proxy plugin when there is a changed or added class object in the target process.
[0244] The memory malware determination module 1305 is further configured to perform memory malware feature scanning on the class messages of the changed or added class objects to obtain the detection results corresponding to the changed or added class objects.
[0245] In some embodiments, as shown in Figure 14, the device 1300 further includes: a process list acquisition module 1306, a main class identifier acquisition module 1307, and a target process determination module 1308.
[0246] The process list acquisition module 1306 is used to acquire the process list on the host.
[0247] The main class identifier acquisition module 1307 is used to extract the main class identifier corresponding to each process in the process list based on the process's startup parameters and startup method.
[0248] The target process determination module 1308 is used to determine at least one target process based on the main class identifier.
[0249] In some embodiments, the main class identifier acquisition module 1307 is used for:
[0250] When the process is launched as an executable class, the main class identifier corresponding to the process is obtained by parsing from the kernel command line of the process;
[0251] Alternatively, if the process is started by an executable file, the executable file is parsed from the kernel command line of the process, and the main class identifier corresponding to the process is determined based on the executable file.
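The two startup methods in [0250] and [0251], as an added example that is not the patent's own code. It assumes the kernel command line is the NUL-separated content of `/proc/<pid>/cmdline`, that the executable file is a JAR whose manifest names the main class, and that the jar path is the fallback identifier when no manifest entry is found; `read_file`, the option list and all sample data are hypothetical, and the `-m` module case goes beyond the two cases in the text.

```python
import io
import zipfile
from typing import Callable, List, Optional, Tuple

# Launcher options whose value is the next argv element (common subset).
OPTS_WITH_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path",
                   "--upgrade-module-path", "--add-modules"}

def split_cmdline(raw: bytes) -> List[str]:
    """argv as stored in /proc/<pid>/cmdline: NUL-separated, NUL-terminated."""
    parts = raw.split(b"\0")
    if parts and parts[-1] == b"":
        parts.pop()
    return [p.decode("utf-8", "replace") for p in parts]

def main_class_from_jar(jar_bytes: bytes) -> Optional[str]:
    """Read Main-Class from the main section of META-INF/MANIFEST.MF."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    # Long manifest lines are folded: a continuation line starts with one space.
    text = manifest.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
    for line in text.split("\n"):
        if not line.strip():
            break  # a blank line ends the main section
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "main-class":
            return value.strip()
    return None

def main_class_identifier(raw: bytes, read_file: Callable[[str], bytes]
                          ) -> Optional[Tuple[str, str]]:
    """Return (startup_method, main_class_identifier), or None if not a JVM."""
    argv = split_cmdline(raw)
    if not argv or argv[0].rsplit("/", 1)[-1] != "java":
        return None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-jar":  # started by an executable file
            if i + 1 >= len(argv):
                return None
            jar_path = argv[i + 1]
            try:
                cls = main_class_from_jar(read_file(jar_path))
            except OSError:
                cls = None
            return ("jar", cls or jar_path)  # assumed fallback: the jar path
        if arg in ("-m", "--module"):
            return ("module", argv[i + 1]) if i + 1 < len(argv) else None
        if arg in OPTS_WITH_VALUE:
            i += 2
        elif arg.startswith("-") or arg.startswith("@"):
            i += 1
        else:  # started as an executable class
            return ("class", arg)
    return None

def build_sample_jar() -> bytes:
    """Constructed JAR whose Main-Class value is folded across two lines."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n"
                     "Main-Class: com.example.shop.\r\n Application\r\n\r\n")
    return buf.getvalue()

SAMPLE_FILES = {"/app/shop.jar": build_sample_jar()}  # constructed

def read_sample(path: str) -> bytes:
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]

if __name__ == "__main__":
    raw = b"java\0-Dserver.port=8080\0-jar\0/app/shop.jar\0--debug\0"
    print(main_class_identifier(raw, read_sample))
```

On a real host, `read_file` would have to resolve the jar path against the target process's working directory and root, since the path in the command line is relative to the container's file system.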
[0252] In some embodiments, as shown in Figure 14, the device 1300 further includes an alarm information construction module 1309 and an alarm information reporting module 1310.
[0253] The alarm information construction module 1309 is used to construct memory malware alarm information based on the target class object. The memory malware alarm information includes complete information of the target class object and the detection rules for the target class object.
[0254] The alarm information reporting module 1310 is used to report the memory malware alarm information to the server, which forwards it to the front-end page for display.
[0255] In some embodiments, as shown in Figure 14, the device 1300 further includes: a namespace switching module 1311, a socket creation module 1312, and a heartbeat information receiving module 1313.
[0256] The namespace switching module 1311 is used to switch the network namespace of the security agent installed on the host to the network namespace of the target process through a thread within the security agent when the network namespace of the target process is different from that of the security agent.
[0257] The socket creation module 1312 is used to create a first listening socket in the network namespace of the target process.
[0258] The namespace switching module 1311 is also used to return to the network namespace of the security agent.
[0259] The socket creation module 1312 is also used to create a second listening socket through the proxy plugin.
[0260] The heartbeat information receiving module 1313 is used to receive periodic heartbeat messages from the second listening socket through the first listening socket, and the heartbeat information is used to reflect the running status of the proxy plugin.
[0261] In summary, the technical solution provided in this application injects a proxy plugin into the target process and then obtains the basic characteristics and code characteristics of class objects in the target process through the proxy plugin. Based on the basic characteristics of the class objects, the code characteristics of the class objects are combined to detect the class objects to determine whether the class objects are memory malware. This avoids the problem of missed detection of memory malware caused by only relying on the basic characteristics of class objects, thereby reducing the risk of missed detection of memory malware and improving the accuracy of memory malware detection.
[0262] Furthermore, by combining the code characteristics of class objects for memory malware detection, rather than being limited to a certain type of class object (such as the Class of an interface), the types and scope of memory malware that can be detected by the technical solutions provided in this application are expanded, thereby improving the applicability of the technical solutions provided in this application for memory malware detection.
[0263] It should be noted that the apparatus provided in the above embodiments is only illustrated by the division of the above functional modules when implementing its functions. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus and method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process can be found in the method embodiments, which will not be repeated here.
[0264] Please refer to Figure 15, which illustrates the structure of a computer device according to an embodiment of this application. This computer device can be used to implement the memory malware detection method provided in the above embodiments. Specifically, it may include the following:
[0265] The computer device 1500 includes a central processing unit (such as a CPU, GPU, or FPGA) 1501, a system memory 1504 including RAM (Random-Access Memory) 1502 and ROM (Read-Only Memory) 1503, and a system bus 1505 connecting the system memory 1504 and the central processing unit 1501. The computer device 1500 also includes a basic input / output system (I / O system) 1506 to facilitate information transfer between various devices within the server, and a mass storage device 1507 for storing the operating system 1513, application programs 1514, and other program modules 1515.
[0266] The basic input / output system 1506 includes a display 1508 for displaying information and an input device 1509 for user input, such as a mouse or keyboard. Both the display 1508 and the input device 1509 are connected to the central processing unit 1501 via an input / output controller 1510 connected to the system bus 1505. The basic input / output system 1506 may also include the input / output controller 1510 for receiving and processing input from multiple other devices such as a keyboard, mouse, or electronic stylus. Similarly, the input / output controller 1510 also provides output to a display screen, printer, or other types of output devices.
[0267] The mass storage device 1507 is connected to the central processing unit 1501 via a mass storage controller (not shown) connected to the system bus 1505. The mass storage device 1507 and its associated computer-readable media provide non-volatile storage for the computer device 1500. That is, the mass storage device 1507 may include computer-readable media (not shown) such as a hard disk or a CD-ROM (Compact Disc Read-Only Memory) drive.
[0268] Without loss of generality, the computer-readable medium may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented using any method or technology for storing information such as computer-readable instructions, data structures, program modules, or other data. Computer storage media include RAM, ROM, EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other solid-state storage technologies, CD-ROM, DVD (Digital Video Disc) or other optical storage, magnetic tape cassettes, magnetic tape, disk storage, or other magnetic storage devices. Of course, those skilled in the art will recognize that the computer storage medium is not limited to the above-mentioned types. The system memory 1504 and mass storage device 1507 described above can be collectively referred to as memory.
[0269] According to an embodiment of this application, the computer device 1500 can also be connected to a remote computer on a network, such as the Internet. That is, the computer device 1500 can be connected to the network 1512 through the network interface unit 1511 connected to the system bus 1505, or the network interface unit 1511 can be used to connect to other types of networks or remote computer systems (not shown).
[0270] The memory also includes a computer program stored in the memory and configured to be executed by one or more processors to implement the above-described method for detecting memory malware.
[0271] In some embodiments, a computer-readable storage medium is also provided, wherein a computer program is stored therein, which, when executed by a processor, implements the above-described method for detecting memory malware.
[0272] Optionally, the computer-readable storage medium may include: ROM (Read-Only Memory), RAM (Random-Access Memory), SSD (Solid State Drives), or optical disc, etc. The random access memory may include ReRAM (Resistance Random Access Memory) and DRAM (Dynamic Random Access Memory).
[0273] In some embodiments, a computer program product is also provided, the computer program product comprising a computer program stored in a computer-readable storage medium. A processor of a computer device reads the computer program from the computer-readable storage medium, and the processor executes the computer program, causing the computer device to perform the aforementioned method for detecting memory malware.
[0274] It should be noted that all information (including but not limited to object device information, object personal information, etc.), data (including but not limited to data used for analysis, stored data, displayed data, etc.), and signals involved in this application have been authorized by the object or fully authorized by all parties, and the collection, use, and processing of related data must comply with the relevant laws, regulations, and standards of the relevant countries and regions. For example, processes, class objects, and class messages involved in this application were all obtained with full authorization.
[0275] It should be understood that "multiple" as used herein refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. Furthermore, the step numbers described herein are merely illustrative of one possible execution order. In some other embodiments, the steps may not be executed in numerical order, such as two steps with different numbers being executed simultaneously, or two steps with different numbers being executed in the reverse order of the illustration. This application does not limit this.
[0276] The above description is merely an exemplary embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.
Claims
1. A method for detecting memory malware, characterized in that the method includes: obtaining the symbolic link of the target process on the host that is to be checked for memory malware, the symbolic link being used to indicate the reference path; if the symbolic link of the security agent installed on the host is inconsistent with the symbolic link of the target process, copying the proxy plugin file to one of the following: the agreed directory of the container where the target process is located, the agreed subdirectory corresponding to the target process, or the root directory of the target process, wherein the agreed subdirectory belongs to the difference directory of the file system of the container where the target process is located, the security agent is used to detect memory malware, and the proxy plugin is used to observe process behavior; injecting the proxy plugin into the target process via the virtual machine tool interface mechanism based on the proxy plugin's file; obtaining, through the proxy plugin, at least one class object that has been loaded by the target process; obtaining the network namespace where the target process is located, and obtaining the first listening socket of the security agent under the network namespace; sending a scanning command to the second listening socket of the proxy plugin through the first listening socket, the second listening socket being a socket created by the proxy plugin in the network namespace of the target process; parsing the scanning command through the proxy plugin to obtain filtering rules; filtering, through the proxy plugin, the at least one class object for risk-free items according to the filtering rules to obtain risky candidate class objects; extracting, through the proxy plugin, class features from the candidate class objects to obtain class messages of the candidate class objects, the class messages including basic features and code features of the class objects, and the code features including the original bytecode and disassembled code sequence of the class objects; and performing a memory malware feature scan on the class messages to obtain the target class object identified as memory malware.
2. The method according to claim 1, characterized in that the method further includes: if the symbolic link of the security agent matches the symbolic link of the target process, injecting the proxy plugin into the target process through the virtual machine tool interface mechanism based on the proxy plugin file.
3. The method according to claim 2, characterized in that the step of injecting the proxy plugin into the target process via the virtual machine tool interface mechanism based on the proxy plugin's file includes: obtaining the user identifier and group identifier of the target process; in the current working directory or temporary file directory of the target process, creating an empty target file with the same user identifier and group identifier as the target process; sending a first notification signal to the target process, the first notification signal being used to trigger the target process to create the target process's socket when it detects that the empty target file exists; establishing a transmission connection with the target process based on the target process's socket; and sending a load instruction to the target process, which instructs the target process to load the proxy plugin based on the proxy plugin's file.
4. The method according to claim 1, characterized in that the step of filtering the at least one class object for risk-free items according to the filtering rules through the proxy plugin to obtain risky candidate class objects includes: excluding, through the proxy plugin, immutable class objects from the at least one class object to obtain a pre-screened set of class objects; and determining the class objects in the pre-screened set of class objects that match the filtering rules as candidate class objects.
5. The method according to claim 1, characterized in that the step of extracting class features from the candidate class objects through the proxy plugin to obtain the class messages of the candidate class objects includes: extracting, through the proxy plugin, the original bytecode of the candidate class object; decompiling, through the proxy plugin, the original bytecode of the candidate class object to obtain the disassembled code sequence of the candidate class object; and encapsulating, through the proxy plugin, the basic features and original bytecode of the extracted candidate class object, as well as the disassembled code sequence, to obtain the class message of the candidate class object.
6. The method according to claim 1, characterized in that the step of performing a memory malware feature scan on the class messages to obtain the target class object identified as memory malware includes: scanning the class messages for memory malware features using a memory malware feature library to obtain the target class object, wherein the memory malware feature library contains detection rules for memory malware in regular expression format.
7. The method according to any one of claims 1 to 6, characterized in that the method further includes: if there are changed or added class objects in the target process, obtaining the class messages of the changed or added class objects through the proxy plugin; and performing a memory malware feature scan on the class messages of the changed or added class objects to obtain the detection results corresponding to the changed or added class objects.
8. The method according to claim 1, characterized in that, before injecting the proxy plugin into the target process via the virtual machine tool interface mechanism based on the proxy plugin file, the method further includes: obtaining the list of processes on the host; extracting, based on each process's startup parameters and startup method, the main class identifier corresponding to each process in the process list; and determining at least one target process based on the main class identifier.
9. The method according to claim 8, characterized in that the step of extracting the main class identifier corresponding to each process in the process list based on the process's startup parameters and startup method includes: when the process is launched as an executable class, obtaining the main class identifier corresponding to the process by parsing the kernel command line of the process; or, when the process is started by an executable file, parsing the executable file from the kernel command line of the process, and determining the main class identifier corresponding to the process based on the executable file.
10. The method according to claim 1, characterized in that, after performing a memory malware feature scan on the class messages to obtain the target class object identified as memory malware, the method further includes: constructing, based on the target class object, memory malware alarm information that includes complete information about the target class object and the detection rules for the target class object; and reporting the memory malware alarm information to the server, which forwards it to the front-end page for display.
11. The method according to claim 1, characterized in that the method further includes: if the network namespace of the security agent installed on the host is different from the network namespace of the target process, switching to the network namespace of the target process through a thread within the security agent; creating the first listening socket in the network namespace of the target process; and returning to the network namespace of the security agent; and, after injecting the proxy plugin into the target process via the virtual machine tool interface mechanism based on the proxy plugin file, the method further includes: creating the second listening socket through the proxy plugin; and receiving, through the first listening socket, periodic heartbeat messages from the second listening socket, the heartbeat messages being used to reflect the running status of the proxy plugin.
12. A device for detecting memory malware, characterized in that the device includes: a proxy plugin injection module, used to obtain the symbolic link of the target process on the host that is to be checked for memory malware, the symbolic link being used to indicate the reference path; if the symbolic link of the security agent installed on the host is inconsistent with the symbolic link of the target process, to copy the proxy plugin file to one of the following: the agreed directory of the container where the target process is located, the agreed subdirectory corresponding to the target process, or the root directory of the target process, wherein the agreed subdirectory belongs to the difference directory of the file system of the container where the target process is located, the security agent is used to detect memory malware, and the proxy plugin is used to observe process behavior; and, based on the proxy plugin file, to inject the proxy plugin into the target process through the virtual machine tool interface mechanism; an existing object acquisition module, used to acquire, through the proxy plugin, at least one class object that has been loaded by the target process; a candidate object determination module, used to obtain the network namespace where the target process is located, and to obtain the first listening socket of the security agent under the network namespace; to send, through the first listening socket, a scanning command to the second listening socket of the proxy plugin, the second listening socket being a socket created by the proxy plugin under the network namespace of the target process; to parse the scanning command through the proxy plugin to obtain filtering rules; and to filter, through the proxy plugin, the at least one class object for risk-free items according to the filtering rules to obtain risky candidate class objects; a class message acquisition module, used to extract class features from the candidate class objects through the proxy plugin to obtain the class messages of the candidate class objects, the class messages including the basic features and code features of the class objects, and the code features including the original bytecode and disassembled code sequence of the class objects; and a memory malware identification module, used to perform memory malware feature scanning on the class messages to obtain the target class objects identified as memory malware.
13. A computer device, characterized in that the computer device includes a processor and a memory, the memory storing a computer program, the computer program being loaded and executed by the processor to implement the memory malware detection method as described in any one of claims 1 to 11.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, which is loaded and executed by a processor to implement the memory malware detection method as described in any one of claims 1 to 11.
15. A computer program product, characterized in that the computer program product includes a computer program stored in a computer-readable storage medium, and a processor reads the computer program from the computer-readable storage medium and executes it to implement the memory malware detection method as described in any one of claims 1 to 11.