Memory inspection method and system for virtual machine
By decoupling memory parsing from security detection through inter-process communication outside the virtual machine, the poor stability of existing virtual machine memory detection systems is addressed, and detection efficiency and system stability are improved.
Patent Information
- Authority / Receiving Office: WO
- Patent Type: Applications
- Current Assignee / Owner: CLOUD INTELLIGENCE ASSETS HOLDING (SINGAPORE) PTE LTD
- Filing Date: 2025-11-10
- Publication Date: 2026-06-18
AI Technical Summary
Existing virtual machine memory detection systems based on agent software are unstable and easily bypassed by malware, leading to resource consumption and unstable detection.
By employing inter-process communication, information is exchanged between the detection process and the main process outside the virtual machine to perform memory parsing and detection, avoiding the installation of agent software in the virtual machine and achieving decoupling of memory detection and security detection.
It improves the stability and efficiency of virtual machine memory detection, reduces resource consumption, avoids the risk of malware bypass, and enhances the system's flexibility and scalability.
Figure CN2025133907_18062026_PF_FP_ABST (abstract figure)
Abstract
Description
Virtual machine memory detection methods and systems
[0001] Cross-reference
[0002] This disclosure claims priority to Chinese Patent Application No. 202411805391.4, filed on December 9, 2024, entitled "Method and System for Memory Detection of Virtual Machine", the entire contents of which are incorporated herein by reference.
Technical Field
[0003] This disclosure relates to the field of memory security detection technology, and more specifically, to a method and system for detecting memory in a virtual machine.
Background
[0004] Currently, cloud host security employs the same agent-based memory detection scheme as traditional information technology (IT) systems. This involves injecting a process into the client machine to collect information from its memory and perform security checks. However, injecting a process into the client machine consumes client resources, and if the malware is sophisticated enough, this process can be bypassed, resulting in poor stability of virtual machine memory detection systems.
[0005] There is currently no effective solution to the above problems.
Summary of the Invention
[0006] This disclosure provides a method and system for detecting the memory of a virtual machine, thereby at least solving the technical problem of poor stability in memory detection systems for virtual machines based on agent software in related technologies.
[0007] According to one aspect of the present disclosure, a virtual machine memory detection method is provided, applied to a memory detection system. The memory detection system runs a main process to perform the following method: responding to inter-process communication requests from at least one detection process, determining the memory to be detected in a virtual machine, wherein the inter-process communication request is used to request information associated with detection items of the memory to be detected; parsing the memory to be detected according to the detection items to obtain a parsing result, wherein the parsing result includes memory information of the memory to be detected under the operating system of the virtual machine; transmitting the parsing result to the detection process through inter-process communication between the main process and the detection process, wherein the parsing result is used to perform detection according to the detection items in the detection process to obtain a memory detection result, the memory detection result being used to indicate the security level of the memory to be detected under the detection items; and obtaining the memory detection result corresponding to the parsing result through inter-process communication.
[0008] According to one aspect of the present disclosure, a virtual machine memory detection method is provided, applied to a memory detection system. The memory detection system runs a detection process to perform the following method: transmitting an inter-process communication request to the main process via inter-process communication between the detection process and the main process of the memory detection system, wherein the inter-process communication request is used to request information associated with detection items of the memory to be detected in the virtual machine; the inter-process communication request is used to enable the memory detection system to determine the memory to be detected in the main process; the memory to be detected is used to enable the memory detection system to perform memory parsing according to the detection items in the main process, obtaining parsing results, the parsing results including memory information of the memory to be detected under the operating system of the virtual machine; obtaining the parsing results from the main process via inter-process communication; detecting the parsing results according to the detection items to obtain memory detection results, wherein the memory detection results are used to indicate the security level of the memory to be detected under the detection items; and transmitting the memory detection results to the main process via inter-process communication.
[0009] According to another aspect of the embodiments of this disclosure, a memory detection apparatus for a virtual machine is also provided, comprising: a determining component configured to determine the memory to be detected of the virtual machine in response to an inter-process communication request from at least one detection process, wherein the inter-process communication request is used to request information associated with detection items of the memory to be detected; a parsing component configured to perform memory parsing on the memory to be detected according to the detection items to obtain a parsing result, wherein the parsing result includes memory information of the memory to be detected under the operating system of the virtual machine; and a first transmission component configured to transmit the parsing result to the detection process through inter-process communication between the main process and the detection process, wherein the parsing result is used to perform detection according to the detection items in the detection process to obtain a memory detection result, wherein the memory detection result is used to indicate the security level of the memory to be detected under the detection items.
[0010] According to one aspect of the present disclosure, a virtual machine memory detection device is provided, comprising: a second transmission component configured to transmit an inter-process communication request to the main process via inter-process communication between a detection process and the main process of a memory detection system, wherein the inter-process communication request is used to request information associated with detection items of memory to be detected in a virtual machine, the inter-process communication request is used to enable the memory detection system to determine the memory to be detected in the main process, the memory to be detected is used to enable the memory detection system to perform memory parsing according to the detection items in the main process to obtain a parsing result, the parsing result including memory information of the memory to be detected under the operating system where the virtual machine resides; a first acquisition component configured to acquire the parsing result from the main process via inter-process communication; a detection component configured to detect the parsing result according to the detection items to obtain a memory detection result, wherein the memory detection result is used to indicate the security level of the memory to be detected under the detection items; and a third transmission component configured to transmit the memory detection result to the main process via inter-process communication.
[0011] According to another aspect of the embodiments of this disclosure, a virtual machine memory detection system is also provided, including a memory detection end and a memory parsing end. The memory detection end runs at least one detection process, and the memory parsing end runs a main process. The memory detection end is configured to transmit an inter-process communication request to the main process via inter-process communication between the detection process and the main process. The inter-process communication request is used to request information associated with detection items of the virtual machine's memory to be detected. The memory parsing end is configured to, in response to the inter-process communication request, determine the memory to be detected, perform memory parsing on the memory to be detected according to the detection items, and obtain a parsing result. The parsing result includes memory information of the memory to be detected under the operating system where the virtual machine resides. The memory detection end is configured to obtain the parsing result from the main process via inter-process communication; and to detect the parsing result according to the detection items to obtain a memory detection result. The memory detection result is used to indicate the security level of the memory to be detected under the detection items.
[0012] According to another aspect of the embodiments of this disclosure, a computer terminal is also provided, including: a memory storing an executable program; and a processor for running the program, wherein the program executes the methods in the various embodiments of this disclosure when it runs.
[0013] According to another aspect of the embodiments of the present disclosure, a computer-readable storage medium is also provided, the computer-readable storage medium including a stored executable program, wherein, when the executable program is executed, it controls the device where the computer-readable storage medium is located to perform the methods of the various embodiments of the present disclosure.
[0014] According to another aspect of the embodiments of this disclosure, a computer program product is also provided, including a computer program that, when executed by a processor, implements the methods of various embodiments of this disclosure.
[0015] According to another aspect of the embodiments of this disclosure, a computer program product is also provided, including a non-volatile computer-readable storage medium storing a computer program that, when executed by a processor, implements the methods of various embodiments of this disclosure.
[0016] According to another aspect of the embodiments of this disclosure, a computer program is also provided, which, when executed by a processor, implements the methods of the various embodiments of this disclosure.
[0017] This disclosure provides a method for detecting virtual machine memory, applied to a memory detection system. After responding to an inter-process communication request from at least one detection process, the method can determine information associated with detection items in the memory to be detected within the virtual machine based on the inter-process communication request. Then, it performs memory parsing on the memory to be detected according to the detection items to obtain parsing results. The parsing results include memory information of the memory to be detected under the operating system of the virtual machine. Subsequently, the parsing results are transmitted to the detection process through inter-process communication between the main process and the detection process. After receiving the parsing results, the detection process can detect the detection items corresponding to the parsing results to obtain memory detection results. After obtaining the memory detection results, the detection process can transmit the memory detection results to the main process through inter-process communication so that the main process can obtain the memory detection results corresponding to the parsing results. In other words, in this embodiment, an inter-process communication (IPC) connection is established between the detection process and the virtual machine. The detection process can obtain memory information under the operating system of the virtual machine through IPC requests, and then detect the memory information under the operating system of the virtual machine to obtain memory detection results. The memory detection results are then transmitted to the main process through IPC between the detection process and the main process. That is, outside the virtual machine, memory parsing logic and security detection logic can be decoupled through IPC.
When the detection process detects the memory information under the operating system of the virtual machine, multiple detection processes are independent of each other and can be executed in parallel. If any detection process encounters an error or exception, it will not affect the normal operation of the main process or other detection processes, thus improving the stability (robustness) of the memory detection system. Furthermore, since there is no need to install agent software in the virtual machine, the potential performance overhead and the risk of being exploited or bypassed by malware are avoided, greatly reducing the resource consumption of the virtual machine. This achieves the goal of effectively detecting the memory security of the virtual machine, improving the memory detection efficiency of the virtual machine, and enhancing the stability and scalability of the virtual machine memory detection system. In turn, it solves the technical problem of poor stability of memory detection systems that rely on agent software to detect the memory of virtual machines in related technologies.
[0018] It is worth noting that the general description above and the detailed description that follows are merely for illustrative purposes and do not constitute a limitation on this application.
Description of the Drawings
[0019] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings:
[0020] Figure 1 is a hardware structure block diagram of a computer terminal (or mobile device) for implementing a memory detection method for a virtual machine according to an embodiment of the present disclosure.
[0021] Figure 2 is a structural block diagram of a computing environment according to an embodiment of the present disclosure;
[0022] Figure 3 is a structural block diagram of a service mesh according to an embodiment of the present disclosure;
[0023] Figure 4 is a flowchart of a virtual machine memory detection method according to an embodiment of the present disclosure;
[0024] Figure 5 is a flowchart of another virtual machine memory detection method according to an embodiment of the present disclosure;
[0025] Figure 6 is a structural diagram of a virtual machine memory detection system according to an embodiment of the present disclosure;
[0026] Figure 7 is a schematic diagram of a proxyless memory detection system according to an embodiment of the present disclosure;
[0027] Figure 8 is a schematic diagram of an interface organized hierarchically according to an embodiment of the present disclosure;
[0028] Figure 9 is a schematic diagram of a memory detection process according to an embodiment of the present disclosure;
[0029] Figure 10 is a flowchart of a detection method for checking whether a Java process has loaded a malicious dynamically loaded library according to an embodiment of the present disclosure;
[0030] Figure 11 is a schematic diagram illustrating the decoupling of detection logic and semantic reconstruction logic through a rule engine according to an embodiment of the present disclosure;
[0031] Figure 12 is a schematic diagram of a virtual machine memory detection device according to an embodiment of the present disclosure;
[0032] Figure 13 is a schematic diagram of another virtual machine memory detection device according to an embodiment of the present disclosure;
[0033] Figure 14 is a structural block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
[0034] To enable those skilled in the art to better understand the present disclosure, the technical solutions of the present disclosure will be clearly and completely described below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some embodiments of the present disclosure, and not all embodiments. Based on the embodiments of the present disclosure, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present disclosure.
[0035] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this disclosure are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this disclosure described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0036] First, some nouns or terms that appear in the description of the embodiments of this disclosure shall be interpreted as follows:
[0037] Memory detection can uncover security threats or extract other valuable information from memory.
[0038] Security detection is the process of identifying security threats in computer systems.
[0039] A detection task is a security detection targeting a particular type of threat.
[0040] A process control block (PCB) is a structure in an operating system that stores runtime information about a process.
[0041] Semantic reconstruction refers to reconstructing high-level semantic information, such as process information, page tables, and network connection information, from the original physical memory.
[0042] Agent software refers to processes injected into virtual machines that provide monitoring, security detection, and interception capabilities.
[0043] Agentless software refers to technologies that achieve monitoring, security detection, and other capabilities without relying on agent processes on the client machine.
[0044] A hypervisor (also known as a Virtual Machine Manager) is the software or firmware that runs on a host machine to create and run virtual machines. The hypervisor can be used to obtain the running status of virtual machines.
[0045] Virtual Machine Introspection (VMI) is a technology that allows virtual machine managers to monitor and manage the internal state of virtual machines. Through VMI, the operating data of virtual machines, such as memory, central processing unit (CPU), and disk, can be obtained without interfering with the operation of the virtual machine.
[0046] Agentless cloud server security technology, based on data such as the virtual machine's memory, CPU, and disk, enables multiple security detection capabilities outside the virtual machine without relying on agent software. Agentless cloud server security technology has the advantages of causing no performance loss for users and being difficult for malicious software to bypass.
[0047] According to embodiments of this disclosure, a method for detecting memory in a virtual machine is provided. The steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions. Although a logical order is shown in the flowchart, in some cases, the steps shown or described may be executed in a different order than that shown here.
[0048] The method embodiments provided in this disclosure can be executed in a computer terminal or similar computing device. Figure 1 shows a hardware structure block diagram of a computer terminal (or mobile device) for implementing a memory detection method for a virtual machine. As shown in Figure 1, the computer terminal 10 (or mobile device) may include one or more processors 102 (shown as 102a, 102b, ..., 102n in the figure) (processor 102 may include, but is not limited to, a microprocessor (MCU) or a field-programmable gate array (FPGA), etc.), a memory 104 for storing data, and a transmission device 106 for communication functions. In addition, it may also include: a display, an input / output interface (I / O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the bus), a network interface, a power supply, and / or a camera. It will be understood by those skilled in the art that the structure shown in Figure 1 is only schematic and does not limit the structure of the above-described electronic device. For example, computer terminal 10 may also include more or fewer components than shown in Figure 1, or have a different configuration than shown in Figure 1.
[0049] It should be noted that the aforementioned one or more processors 102 and / or other data processing circuitry are generally referred to herein as "data processing circuitry". This data processing circuitry may be embodied, in whole or in part, in software, hardware, firmware, or any other combination thereof. Furthermore, the data processing circuitry may be a single, independent processing component, or may be integrated, in whole or in part, into any other element within the computer terminal 10 (or mobile device). As per the embodiments of this disclosure, the data processing circuitry serves as a processor control mechanism (e.g., selection of a variable resistor termination path connected to an interface).
[0050] The memory 104 can be used to store software programs and modules of application software, such as the program instructions / data storage device corresponding to the method in the embodiments of this disclosure. The processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, thereby implementing the method in the above embodiments. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 104 may further include memory remotely located relative to the processor 102, and these remote memories can be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
[0051] The transmission device 106 is used to receive or send data via a network. Specific examples of the network described above may include a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network Interface Controller (NIC), which can connect to other network devices via a base station to communicate with the Internet. In another example, the transmission device 106 may be a Radio Frequency (RF) module, used for wireless communication with the Internet.
[0052] The display can be, for example, a touchscreen liquid crystal display (LCD), which allows the user to interact with the user interface of the computer terminal 10 (or mobile device).
[0053] The hardware structure block diagram shown in Figure 1 can serve as an exemplary block diagram not only for the aforementioned computer terminal 10 (or mobile device) but also for the aforementioned server. In an optional embodiment, Figure 2 illustrates a block diagram of using the computer terminal 10 (or mobile device) shown in Figure 1 as a computing node in the computing environment 201. Figure 2 shows a structural block diagram of a computing environment. As shown in Figure 2, the computing environment 201 includes multiple computing nodes (such as servers) running on a distributed network (shown as 210-1, 210-2, ... in the figure). Each computing node contains local processing and memory resources, and the end user 202 can remotely run applications or store data in the computing environment 201. Applications can be provided as multiple services 220-1, 220-2, 220-3, and 220-4 in the computing environment 201, representing services "A", "D", "E", and "H", respectively.
[0054] End user 202 can provide and access services through a web browser or other software application on a client. In some embodiments, the provisioning and / or requests of end user 202 can be provided to ingress gateway 230. Ingress gateway 230 may include a corresponding agent to handle the provisioning and / or requests for services (one or more services provided in computing environment 201).
[0055] Services are provided or deployed based on various virtualization technologies supported by the computing environment 201. In some embodiments, services may be provided based on virtual machine (VM)-based virtualization, container-based virtualization, and / or similar methods. VM-based virtualization can simulate a real computer by initializing a virtual machine, executing programs and applications without directly accessing any actual hardware resources. Whereas VM-based virtualization virtualizes the machine itself, container-based virtualization launches containers that virtualize the operating system (OS), allowing multiple workloads to run on a single OS instance.
[0056] In one embodiment based on container virtualization, several containers of a service can be assembled into a Pod (e.g., a Kubernetes Pod). For example, as shown in Figure 2, service 220-2 can be equipped with one or more Pods 240-1, 240-2, ..., 240-N (collectively referred to as Pods). A Pod can include a proxy 245 and one or more containers 242-1, 242-2, ..., 242-M (collectively referred to as containers). One or more containers in a Pod handle requests related to one or more corresponding functions of the service. The proxy 245 typically controls service-related network functions such as routing and load balancing. Other services can also be equipped with similar Pods.
[0057] During operation, executing a user request from end user 202 may require calling one or more services in computing environment 201, and executing one or more functions of one service may require calling one or more functions of another service. As shown in Figure 2, service "A" 220-1 receives a user request from end user 202 from ingress gateway 230. Service "A" 220-1 can call service "D" 220-2, and service "D" 220-2 can request service "E" 220-3 to execute one or more functions.
[0058] The aforementioned computing environment can be a cloud computing environment, where resource allocation is managed by cloud services, allowing functionality development without needing to consider implementation, adjustment, or server scaling. This computing environment allows developers to execute event-responsive code without building or maintaining complex infrastructure. Services can be partitioned into a set of functions that can automatically and independently scale, rather than scaling a single hardware device to handle potential loads.
[0059] In another alternative embodiment, Figure 3 illustrates a block diagram of an example using the computer terminal 10 (or mobile device) shown in Figure 1 above as a service mesh. Figure 3 shows a structural block diagram of a service mesh 300, which is mainly used to facilitate secure and reliable communication between multiple microservices. Microservices refer to decomposing an application into multiple smaller services or instances and distributing them across different clusters / machines.
[0060] As shown in Figure 3, a microservice may include application service instance A and application service instance B, which together form the functional application layer of service mesh 300. In one implementation, application service instance A runs as a container / process 308 on machine / workload container group 314 (Pod), and application service instance B runs as a container / process 310 on machine / workload container group 316 (Pod).
[0061] As shown in Figure 3, application service instance A and mesh proxy (sidecar) 303 coexist in machine / workload container group 314, and application service instance B and mesh proxy 305 coexist in machine / workload container group 316. Mesh proxies 303 and 305 form the data plane layer of service mesh 300. Mesh proxies 303 and 305 run as containers / processes 304 and 306 respectively, and can receive requests 312 for determining the memory to be detected in virtual machines. Mesh proxy 303 and application service instance A can communicate bidirectionally, as can mesh proxy 305 and application service instance B. Furthermore, mesh proxies 303 and 305 can also communicate bidirectionally.
[0062] In one implementation, traffic from application service instance A is routed to the appropriate destination via mesh proxy 303, and network traffic from application service instance B is routed to the appropriate destination via mesh proxy 305. The network traffic mentioned herein includes, but is not limited to, Hypertext Transfer Protocol (HTTP), Representational State Transfer (REST), high-performance, general-purpose open-source frameworks (Google Remote Procedure Call, gRPC), and open-source in-memory data structure storage systems (Redis).
[0063] In one implementation, the functionality of the extended data plane layer can be achieved by writing custom filters for the proxy (Envoy) in service mesh 300. The service mesh proxy configuration can enable the service mesh to correctly proxy service traffic, achieving service interoperability and service governance. Mesh proxies 303 and 305 can be configured to perform at least one of the following functions: service discovery, health checking, routing, load balancing, authentication and authorization, and observability.
[0064] As shown in Figure 3, the service mesh 300 also includes a control plane layer. This control plane layer can consist of a set of services running in a dedicated namespace, managed by a managed control plane component 301 within machine / workload container groups (machine / Pods) 302. As shown in Figure 3, the managed control plane component 301 communicates bidirectionally with mesh proxies 303 and 305. The managed control plane component 301 is configured to perform control and management functions. For example, it receives telemetry data from mesh proxies 303 and 305 and can further aggregate this telemetry data. The managed control plane component 301 can also provide a user-facing Application Programming Interface (API) for these services, facilitating easier manipulation of network behavior and providing configuration data to mesh proxies 303 and 305.
[0065] In the above operating environment, this disclosure provides a virtual machine memory detection method as shown in Figure 4, which is applied to a memory detection system. Figure 4 is a flowchart of a virtual machine memory detection method according to an embodiment of this disclosure.
[0066] Step S401: In response to inter-process communication requests from at least one detection process, determine the memory of the virtual machine to be detected.
[0067] In the technical solution provided in step S401 of this disclosure, at least one detection process is located outside the virtual machine, and at least one detection process can communicate with the main process via inter-process communication (IPC). The IPC request is used to request process information from the main process. This process information includes, but is not limited to, the following: a list of processes in the memory to be detected, detailed information about a specific process, the virtual address of the process, network connection information of the process, and a list of open files, etc., without specific limitations. The list of processes in the memory to be detected can at least include: basic information about the processes included in the list, such as process name, process identifier (ID), parent process ID, executable file path, and process startup parameters. The detailed information about a specific process can at least include: the ID of the specified process, basic information about the specified process, addresses and permissions of each memory segment of the specified process, and the mapped file path of the memory segment of the specified process. The virtual address of the process can at least include: the ID of the specified process, memory address, and read length. The list of processes in the memory to be detected allows identification of all running processes, which is the basis for detecting security threats. For example, when detecting cryptocurrency mining programs, abnormal processes with high CPU usage may be mining processes; when detecting Trojan programs, processes communicating with suspicious remote servers may be Trojan carriers. Detailed information about a process allows for deeper analysis of its behavioral characteristics and resource usage, such as CPU utilization, open files, and network connections. By examining process information, it is possible to determine whether security threats exist in virtual machine memory, such as malware (e.g., rootkits), Trojan programs, or ransomware.
[0068] For example, when detecting a Trojan program, the detection process might request the following information: the process's network connection list, the executable file path and startup parameters, and the list of open files. Since Trojan programs typically need to communicate with external servers, obtaining the process's connection information can reveal unexpected network connections, which is a key clue for Trojan detection. By detecting whether the process's executable file comes from a legitimate path and whether the startup parameters are abnormal, well-disguised Trojan programs can be identified. Trojans may need to read and write specific files, such as log files and configuration files; obtaining the list of open files can reveal the Trojan's file access behavior. This is merely an example and does not limit the information requested by the detection process when detecting a particular item.
[0069] In this embodiment, the number of detection processes is variable. One detection item can correspond to one detection process. That is, one detection process is configured to detect one detection item in the memory to be detected. Different detection items can correspond to different detection processes. Different detection processes can be executed in parallel, dynamically loaded, and independently updated to improve the scalability and robustness of the operating system.
[0070] Optionally, after the detection process starts, it can generate an inter-process communication request based on the items it wants to detect. This inter-process communication request follows the Hypertext Transfer Protocol (HTTP). After generating the inter-process communication request, the detection process can transmit it to the main process via inter-process communication (IPC) between the detection process and the main process. The inter-process communication uses Unix Domain Sockets (UDS) as the communication mechanism to achieve data transmission between the detection process and the main process. The UDS communication mechanism allows the detection process and the main process to establish a connection through pathnames in the file system, thereby enabling bidirectional data transmission.
[0071] Optionally, if the inter-process communication request requests a list of processes in the memory to be detected, the inter-process communication request needs to specify the virtual machine ID (vm-id). If the inter-process communication request requests detailed information about a specific process in the memory to be detected, the inter-process communication request needs to specify the virtual machine ID and the target process ID. If the inter-process communication request requests the virtual address of a specific process in the memory to be detected, the inter-process communication request needs to specify the virtual machine ID, the target process ID, and provide the starting address and length of the virtual memory of the process to be read in the path parameter.
[0072] Optionally, after receiving the inter-process communication request from the detection process, the main process can determine the virtual machine's memory to be detected based on the virtual machine ID carried in the inter-process communication request.
[0073] In this step, the security detection of the memory to be tested is divided into different detection items. Each detection item focuses on a specific security threat, such as rootkits, Trojans, ransomware, etc. This modular design makes the system easy to expand. New detection items can be easily added to deal with new security threats without modifying the logic of the main process or restarting the entire system, which greatly improves the system's flexibility and response speed.
[0074] Furthermore, since the detection process can be executed in parallel, this fully utilizes the capabilities of multi-core processors, enabling the simultaneous detection of multiple threat types and significantly accelerating the detection speed. Compared to single-process detection, this method can significantly reduce the total detection time and is particularly effective when dealing with large-scale virtual machine environments.
[0075] Step S402: Perform memory parsing on the memory to be tested according to the test items to obtain the parsing results.
[0076] In the technical solution provided in step S402 of this disclosure, memory parsing can also be called semantic reconstruction. The specific process of memory parsing is to extract information associated with the detection items from the memory to be tested, and then parse and reconstruct higher-level, more semantically meaningful operating system runtime state data from the memory to be tested based on the extracted information associated with the detection items. Memory parsing is a prerequisite for memory security testing of the memory to be tested. Based on the high-level semantics obtained from memory parsing, various security checks can be performed on the detection items in the virtual machine's memory to be tested. For example, checking whether there are malicious processes in the virtual machine, or whether any process has loaded a dynamic link library containing malicious code. The parsing result includes the memory information of the memory to be tested under the operating system of the virtual machine. This memory information may include: a process list, detailed information about a process, the virtual address of a process, etc., without specific limitations here.
[0077] In this embodiment, after the main process determines the memory to be tested in the virtual machine, it can use the memory parser in the main process to perform memory parsing of the memory to be tested. The memory parser can read the process information in the memory to be tested in the virtual machine through the VMI interface provided by the hypervisor, and parse the read process information in the runtime environment provided by the hypervisor to obtain the parsing result.
[0078] Optionally, the memory parser can locate the kernel image starting address in the memory to be tested. This kernel image starting address is used to represent the starting address of the operating system image loaded in the memory to be tested. This kernel image starting address contains the code and data required for the operating system to run. When the operating system starts, the kernel image is loaded into the memory to be tested.
[0079] Optionally, after determining the kernel image's starting address, the memory parser can locate various key kernel data structures based on the offsets between these structures and the kernel image's starting address. These key kernel data structures can include kernel page tables, process list starting addresses, etc., but this is merely an example and does not limit the specific key kernel data structures. Optionally, the offsets are determined based on the definitions of data structures used in different operating systems. After determining the operating system version, the offsets between each key kernel data structure and the kernel image's starting address can be determined based on the definitions of its key kernel data structures.
[0080] Optionally, since the process list links together the process control blocks (PCBs) of all active processes on the current operating system, and this PCB is a data structure of virtual machine memory, after locating the process list, it is possible to traverse the process list and read all currently existing processes, detailed process information, or information about each memory segment of the process in the memory to be tested based on the detection items. The detailed process information can be extracted from the PCB, and through this information, details such as the process name, process ID, executable file path, and startup parameters of each process can be obtained. The information about each memory segment indicates the start and end addresses and permissions of the process in the memory to be tested. For example, in mainstream operating systems, process memory segments are usually organized in the form of a binary tree. By obtaining the starting address of the binary tree from the PCB and traversing the binary tree of memory segments, the start and end addresses and permissions of each memory segment in a process's virtual memory space can be obtained. Based on this, memory parsing can be performed on the relevant content in the memory to be tested according to the information associated with the detection items in the inter-process communication request, and the parsing results can be obtained.
[0081] Optionally, after obtaining the parsing result corresponding to the detection item, the main process can send the parsing result back to the detection process.
[0082] In this step, memory parsing is performed on the memory to be tested according to the detection items. Only memory information directly related to the detection items can be parsed. For example, when setting a detection item, the type of threat to be detected and the types of memory information and data structures that need to be accessed to detect these threats can be determined. Then, after receiving an inter-process communication request for the detection item, the information associated with the memory information and data structures requested by the inter-process communication request can be parsed without performing full memory parsing. This avoids unnecessary data processing and transmission, allowing the detection process to quickly obtain detailed information about the required memory segments, thereby significantly improving detection efficiency and response speed. Moreover, it avoids injecting processes into the virtual machine to obtain the running status information in the memory to be tested, saving virtual machine memory space. Memory parsing can provide in-depth information about the running status of the virtual machine, providing data support for more efficient and comprehensive security detection.
[0083] Step S403: The parsing result is transmitted to the detection process through inter-process communication between the main process and the detection process.
[0084] In the technical solution provided in step S403 of this disclosure, the main process provides different calling interfaces to realize inter-process communication between the main process and the detection process. These interfaces may include: an interface for obtaining a process list, an interface for obtaining detailed information about a specific process, an interface for obtaining the virtual memory of a specific process, and an interface for reporting memory detection results. Each interface is configured to transmit a specific type of memory information.
[0085] In this embodiment, after determining the parsing result through step S402, the detection process calls the interface provided by the main process for transmitting the parsing result to obtain it. This parsing result corresponds to the inter-process communication request in step S401.
[0086] Optionally, the interfaces are organized according to resource hierarchy, with the resource hierarchy being "virtual machine → process on the virtual machine → virtual memory of the process". For example, when a detection process requests an interface to obtain a list of processes, it needs to specify the virtual machine ID in the request path. In this case, the main process can return a list of processes through this interface, which may include basic information such as process name, process ID, parent process ID, file path, and startup parameters.
[0087] Optionally, when the detection process requests an interface to obtain detailed information about a certain process, it needs to specify the virtual machine ID and the target process ID in the request path. Based on this, the main process can return the basic information of the process (such as process name, process ID, parent process ID, file path, startup parameters) and the process's memory segment information (such as the start and end virtual addresses of each segment, access permissions, etc.) through this interface.
[0088] Optionally, when the detection process requests to call the interface to obtain the virtual memory of a certain process, it needs to specify the virtual machine ID, the target process ID, and the starting address and length of the virtual memory to be read in the request path parameters. Based on this, the main process can return a raw binary buffer through the interface whose starting address and length match the virtual address and length specified in the parameters.
[0089] Optionally, the above method is a resource-oriented, hierarchical design, which makes the interface highly extensible. For example, to provide an interface for querying files opened by a specific process, a sub-resource type under the process of open files can be added; if an interface for querying all network connections on a virtual machine is to be provided, a resource type named network connections can be added under the virtual machine.
[0090] Optionally, after receiving the parsing result, the detection process can perform detection on the parsing result according to the detection items to obtain the memory detection result, which is used to indicate the safety level of the memory to be detected under the detection items.
[0091] For example, after the detection process calls the interface for listing processes to obtain the current process list, it can iterate through the list to find the ID of a specific process. After calling the interface describing process details to obtain the memory segment information for that process, the detection process can iterate through each memory segment, checking if each segment contains mapped files. For memory segments with mapped files, it checks the file paths and whether they contain suspected malicious dynamic libraries. For memory segments that contain suspected malicious dynamic libraries, the detection process calls the interface for reading virtual memory to obtain the virtual memory of the process in question. It can then detect whether there is malicious code in the virtual memory and generate memory detection results based on the results.
[0092] Optionally, after obtaining the memory detection results, the detection process can transmit the memory detection results to the main process through inter-process communication, so that the main process can obtain the memory detection results corresponding to the parsing results.
[0093] For example, as described above, the main process also provides an interface for reporting memory detection results. Based on this, after obtaining the memory detection results, the detection process can call the interface in the main process to report the memory detection results and send the memory detection results back to the main process.
[0094] Optionally, the calling interface provided by the main process enables the detection process to accurately obtain the virtual machine's memory information (parsing results), and then detect the obtained memory information, thereby improving the accuracy of detecting security threats such as malicious processes and malicious code injection.
[0095] In steps S401 to S403 above, memory detection and memory parsing are both implemented outside the virtual machine. Specifically, memory parsing reads the virtual machine's memory through the VMI interface provided by the virtual machine manager and parses it in the runtime environment provided by the virtual machine manager to obtain the virtual machine's memory information. The parsed memory information is then transmitted through inter-process communication to the memory detection process, also located outside the virtual machine, which performs the detection. The two parts are decoupled through inter-process communication, giving the virtual machine memory detection system its scalability and stability.
[0096] The memory detection method for the virtual machine described above will be further introduced through specific implementation methods.
[0097] As an optional implementation, step S401, in response to an inter-process communication request from at least one detection process, determines the memory to be detected in the virtual machine, including: in response to the inter-process communication request, determining the interface corresponding to the inter-process communication request; and using the interface to call the virtual machine manager to read the memory to be detected.
[0098] In this embodiment, as described above, the main process provides different calling interfaces to achieve inter-process communication between the main process and the detection process. These interfaces may include: an interface for obtaining a process list, an interface for obtaining detailed information about a specific process, an interface for obtaining the virtual memory of a specific process, and an interface for reporting memory detection results. These are merely illustrative examples and can be extended according to actual needs. The information associated with the item to be detected in the inter-process communication request may include, but is not limited to, the following: a list of processes in the memory to be detected, detailed information about a specific process, and the virtual address of the process. Based on this, after responding to the inter-process communication request from the detection process, the interface corresponding to the inter-process communication request can be determined based on the information associated with the item to be detected requested in the inter-process communication request.
[0099] For example, if the information associated with the detection item in the inter-process communication request is a list of processes in the memory to be detected, then the interface corresponding to the inter-process communication request can be determined to be the interface for obtaining the process list. Similarly, if the information associated with the detection item in the inter-process communication request is detailed information about a specific process in the memory to be detected, then the interface corresponding to the inter-process communication request can be determined to be the interface for obtaining detailed information about that specific process.
[0100] Optionally, after determining the interface corresponding to the inter-process communication request, the interface can be used to call the virtual machine manager to read the memory to be tested.
[0101] In this step, the detection process can use inter-process communication (IPC) via an interface to call the virtual machine manager to read the memory to be detected, achieving accurate acquisition of the memory information and avoiding resource waste. Furthermore, multiple detection processes can execute in parallel, improving the efficiency of reading the memory. This IPC method is also generally highly stable. Even if a detection process malfunctions, it will not directly affect the main process, thus improving the overall system robustness.
[0102] As an optional implementation, in response to an inter-process communication request, determining the interface corresponding to the inter-process communication request includes: obtaining the inter-process communication request through inter-process communication, and in response to the obtained inter-process communication request, determining the request path of the inter-process communication request, wherein the request path includes parameters for obtaining memory information, the memory information being used to represent the running state of the virtual machine; and determining the interface corresponding to the request path.
[0103] In this implementation, inter-process communication (IPC) is implemented through an interface provided by the main process. Once the main process receives an IPC request, it can determine the request path. Because the interface corresponding to the IPC request follows the HTTP protocol, the request path is an HTTP request path. The request path includes parameters for obtaining memory information, which describes the virtual machine's runtime state, such as a process list, detailed information about a specific process, and the virtual memory of that process.
[0104] Optionally, if the inter-process communication request requests a list of processes associated with the detection items in the memory to be detected, then the request path of the inter-process communication request can be determined to include the virtual machine ID. Based on the virtual machine ID, the memory to be detected can be located, thereby obtaining the list of processes in the memory to be detected.
[0105] Optionally, if the information associated with the detection item that the inter-process communication request asks for is detailed information about a certain process in the memory to be detected, then it can be determined that the request path of the inter-process communication request includes the ID of the virtual machine and the ID of the target process. The memory to be detected can then be located according to the virtual machine ID, and the target process can be located by matching the target process ID against the ID of each process in the process list of the memory to be detected.
[0106] Optionally, after determining the request path, the interface corresponding to the request path can be determined. For example, if the request path includes the ID of the virtual machine whose memory is to be inspected, then the interface corresponding to the request path can be determined to be the interface for obtaining the process list. If the request path includes both the ID of the virtual machine whose memory is to be inspected and the ID of the target process, then the interface corresponding to the request path can be determined to be the interface for obtaining detailed information about a specific process.
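As an added example that is not part of this disclosure, the Python sketch below stands in both sides of the exchange described in [0070] to [0071] and [0084] to [0092], with the request path to interface mapping of [0102] to [0106] as `resolve_interface`: a main process serving the four interfaces over HTTP on a Unix domain socket, arranged by the resource hierarchy of [0086] under the assumed path scheme `/vms/{vm-id}/processes/{pid}/memory` and `/vms/{vm-id}/results`, and a detection process that lists processes, describes one, reads a segment's virtual memory and reports its result. The VM state, the `/tmp` mapped-library heuristic and the `EVIL_MARKER` byte pattern are constructed placeholders, not the disclosure's data.

```python
import json, os, re, socket, socketserver, tempfile, threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
DEMO_SIGNATURE = b"EVIL_MARKER"  # constructed byte pattern standing in for a real code signature
RESULTS = []                     # memory detection results reported back to the main process
VM_STATE = {"vm-1": {"processes": {  # constructed stand-in for what the memory parser yields via VMI
    1: {"name": "init", "ppid": 0, "path": "/usr/bin/init", "args": "", "segments": []},
    77: {"name": "upd", "ppid": 1, "path": "/tmp/upd", "args": "--daemon", "segments": [
        {"start": 0x400000, "end": 0x401000, "perms": "r-x", "path": "/tmp/upd"},
        {"start": 0x7f000000, "end": 0x7f001000, "perms": "r-x", "path": "/tmp/libhelper.so"}]}},
    "memory": {(77, 0x7f000000): b"\x55\x48\x89\xe5" + DEMO_SIGNATURE + b"\xc3"}}}  # (pid, start) -> bytes
ROUTES = [(re.compile(p), n) for p, n in (  # resource hierarchy: vm -> process -> virtual memory
    (r"^/vms/([^/]+)/processes$", "list_processes"), (r"^/vms/([^/]+)/processes/(\d+)$", "describe_process"),
    (r"^/vms/([^/]+)/processes/(\d+)/memory$", "read_memory"), (r"^/vms/([^/]+)/results$", "report_result"))]

def resolve_interface(path):
    """Request path -> (interface name, path parameters); (None, ()) if no interface matches."""
    hits = [(n, m.groups()) for rx, n in ROUTES for m in [rx.match(path)] if m]
    return hits[0] if hits else (None, ())

class MainProcessHandler(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # client_address is '' on AF_UNIX; the stock logger would raise
    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        url = urlparse(self.path)
        name, params = resolve_interface(url.path)
        vm = VM_STATE.get(params[0]) if params else None
        if name in (None, "report_result") or vm is None:
            return self._send(404, b'{"error":"unknown resource"}')
        if name == "list_processes":  # basic info only; segments come from describe_process
            rows = [{"pid": pid, **{k: p[k] for k in ("name", "ppid", "path", "args")}} for pid, p in vm["processes"].items()]
            return self._send(200, json.dumps(rows).encode())
        pid = int(params[1])
        proc = vm["processes"].get(pid)
        if proc is None:
            return self._send(404, b'{"error":"no such process"}')
        if name == "describe_process":
            return self._send(200, json.dumps({"pid": pid, **proc}).encode())
        query = parse_qs(url.query)  # read_memory: ?addr=<hex>&len=<bytes>
        addr, length = int(query["addr"][0], 0), int(query["len"][0])
        for seg in proc["segments"]:  # serve only a range that lies inside one mapped segment
            if seg["start"] <= addr and addr + length <= seg["end"]:
                data = vm["memory"].get((pid, seg["start"]), b"")
                return self._send(200, data[addr - seg["start"]:][:length])
        self._send(416, b'{"error":"range not mapped"}')
    def do_POST(self):
        name, params = resolve_interface(urlparse(self.path).path)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if name != "report_result":
            return self._send(404, b'{"error":"unknown resource"}')
        RESULTS.append({"vm_id": params[0], **json.loads(body)})
        self._send(200, b'{"status":"ok"}')

class UnixHTTPServer(HTTPServer):
    address_family = socket.AF_UNIX
    def server_bind(self):  # HTTPServer.server_bind would call getfqdn() on the socket pathname
        socketserver.TCPServer.server_bind(self)
        self.server_name, self.server_port = "main-process", 0

class UnixHTTPConnection(HTTPConnection):
    def connect(self):  # the "host" handed to HTTPConnection is the UDS pathname
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.host)

def get(conn, path):
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.read()

def run_detection_item(sock_path, vm_id):
    """Constructed heuristic: executable mappings under /tmp whose bytes contain DEMO_SIGNATURE."""
    conn, findings = UnixHTTPConnection(sock_path), []
    for row in json.loads(get(conn, f"/vms/{vm_id}/processes")[1]):                # 1. list processes
        detail = json.loads(get(conn, f"/vms/{vm_id}/processes/{row['pid']}")[1])  # 2. describe process
        for seg in detail["segments"]:
            if seg["path"].startswith("/tmp/") and "x" in seg["perms"]:
                status, data = get(conn, f"/vms/{vm_id}/processes/{row['pid']}/memory"  # 3. read memory
                                         f"?addr={seg['start']:#x}&len={seg['end'] - seg['start']}")
                if status == 200 and DEMO_SIGNATURE in data:
                    findings.append({"pid": row["pid"], "library": seg["path"]})
    report = json.dumps({"item": "suspicious-library", "findings": findings}).encode()
    conn.request("POST", f"/vms/{vm_id}/results", body=report, headers={"Content-Type": "application/json"})
    conn.getresponse().read()                                                          # 4. report result
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # the UDS pathname lives in a private directory
        server = UnixHTTPServer(os.path.join(tmp, "main.sock"), MainProcessHandler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        findings = run_detection_item(server.server_address, "vm-1")
        server.shutdown(); server.server_close()
        return findings
```

Calling `demo()` starts the mock main process, runs the one detection item against it and returns its findings; the reported result lands in `RESULTS`.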
[0107] As an optional implementation, the parsing results are transmitted to the detection process through inter-process communication between the main process and the detection process, including: transmitting memory information to the detection process through an interface via inter-process communication.
[0108] In this embodiment, after the main process performs memory parsing on the memory to be detected through the memory parser and obtains the parsing result, it can transmit the parsing result to the detection process through inter-process communication between the main process and the detection process.
[0109] Optionally, if the memory information included in the parsing result is a process list, the detection process can call the memory parsing interface provided by the main process (e.g., the interface for obtaining the process list) to obtain the process list for detection. The process list may include basic information such as process name, process ID, parent process ID, and executable file path.
[0110] Optionally, if the memory information included in the parsing result is detailed information about a certain process, the detection process can call the interface provided by the main process to obtain detailed information about the process. The detailed information about the process can include basic information such as process name, process ID, parent process ID, file path, and startup parameters, as well as memory segment information of the process. The memory segment information of the process can include the start and end virtual addresses of each segment, access permissions, etc.
[0111] Optionally, if the memory information included in the parsing result is the virtual memory of a certain process, the detection process can call the interface provided by the main process for obtaining the virtual memory of a process, thereby obtaining the transmitted virtual memory of that process. The virtual memory of the process may be delivered as a raw binary memory data segment (buffer), whose starting address and length are equal to the address and length of the virtual memory specified in the parameters.
[0112] As an optional implementation, step S402 involves parsing the memory to be tested according to the detection items to obtain the parsing results, including: obtaining a reference address from the data structure of the memory to be tested according to the detection items, wherein the reference address is used to represent the starting address of the operating system kernel in the memory to be tested; and determining the parsing results based on the reference address.
[0113] In this embodiment, the data structure of the memory to be inspected can be regarded as a raw bit array. During memory parsing, to extract meaningful information, it is necessary to reconstruct higher-level semantic information at the virtual machine operating system level from the memory to be inspected. This includes data structures such as PCB, page tables, kernel function addresses, and network connections. This reconstruction process is called memory parsing or semantic reconstruction. Memory parsing is a prerequisite for memory security testing of the memory to be inspected. Only after obtaining the higher-level semantics through parsing can various security checks be performed on the virtual machine's memory to be inspected, such as checking whether the virtual machine contains malicious processes or whether any processes have loaded dynamic link libraries containing malicious code.
[0114] Optionally, the reference address is used to indicate the starting address of the kernel image. As described above, the starting address of the kernel image is used to characterize the starting address of the virtual machine operating system image loaded into the memory to be detected.
[0115] Optionally, after determining the reference address in the memory to be detected, other key data structures can be located based on the reference address and the offset of other key data structures relative to the kernel image's starting address. Then, the process control block on the operating system can be reconstructed using the located key data structures.
[0116] As an optional implementation, determining the parsing result based on the reference address includes: offsetting the reference address to obtain the address of at least one key data structure of the memory to be detected; using the key data structure to reconstruct the process control block on the operating system; and determining the memory information that satisfies the data structure corresponding to the process control block.
[0117] In this embodiment, the key data structure can be used to indicate the kernel page table and process list. This is merely an example and does not limit the key data structure. The offset between the key data structure address and the reference address can be determined according to the definition of the data structure of different operating systems. That is, as long as the version of the operating system is determined, the offset can be determined according to the definition of its key kernel data structure.
[0118] Optionally, after determining the offset of the key data structure address relative to the reference address, the reference address can be offset according to the offset to obtain the address of the key data structure in the memory to be detected.
[0119] Optionally, after determining the address of the key data structure in the memory to be tested, the PCB on the operating system is reconstructed using the key data structure. The PCB is a structure that stores process runtime information in the operating system. After reconstructing the PCB, the values of each field in the PCB can be determined.
[0120] Optionally, if the key data structure is a process list, then since the process list links the PCBs of all active processes on the current operating system, all processes currently existing in the virtual machine can be read by traversing the process list, and the PCB of each process can be reconstructed.
[0121] Optionally, after reconstructing the PCB of each process, the memory information that satisfies the data structure corresponding to the PCB can be further determined. For example, details such as the process name, process ID, executable file path, and startup parameters can be extracted from the process PCB. In mainstream operating systems, the memory segments of a process are usually organized in the form of a binary tree. By obtaining the starting address of the binary tree from the PCB and traversing the binary tree of the memory segments, information such as the start and end addresses and permissions of each memory segment in a process's virtual memory space can be obtained. For address segments with mapped files, information such as the file path can also be obtained.
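An added example, not the disclosure's own code, of the semantic reconstruction described in [0078] to [0080] and [0113] to [0121]: the parser locates the reference address (the kernel image start), applies a version-specific offset to reach the process list head, walks the PCB chain with a cycle guard, and does an in-order walk of each process's memory-segment tree. The raw image, the `TOYKERN1` marker, the PCB and segment record layouts and the per-version offset table are all constructed assumptions, not a real operating system's structures.

```python
"""Toy semantic reconstruction of a raw guest-memory image (constructed layout)."""
import struct
from dataclasses import dataclass, field
from typing import List

KERNEL_MAGIC = b"TOYKERN1"           # constructed signature marking the kernel image start
PCB_FMT = "<QQ16sQQ"                 # pid, ppid, name, next PCB ptr, segment-tree root ptr
SEG_FMT = "<QQQQQ32s"                # start, end, perm bits, left ptr, right ptr, mapped path
# Offsets of key kernel data structures relative to the kernel image start, per OS version.
OS_OFFSETS = {"toyos-1.0": {"process_list_head": 0x40}}
PERM_BITS = ((1, "r"), (2, "w"), (4, "x"))


@dataclass
class Segment:
    start: int
    end: int
    perms: str
    path: str


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    segments: List[Segment] = field(default_factory=list)


def find_kernel_base(mem: bytes) -> int:
    """Reference address: where the kernel image was loaded into guest memory."""
    idx = mem.find(KERNEL_MAGIC)
    if idx < 0:
        raise ValueError("kernel image not found in memory image")
    return idx


def walk_segments(mem: bytes, addr: int, out: List[Segment], depth: int = 0) -> None:
    """In-order walk of the segment tree keyed by start address, so output is sorted."""
    if addr == 0:
        return
    if depth > 64:                   # guard against a corrupted or cyclic tree
        raise ValueError("segment tree too deep")
    start, end, perm, left, right, path = struct.unpack_from(SEG_FMT, mem, addr)
    walk_segments(mem, left, out, depth + 1)
    perms = "".join(c if perm & bit else "-" for bit, c in PERM_BITS)
    out.append(Segment(start, end, perms, path.rstrip(b"\0").decode()))
    walk_segments(mem, right, out, depth + 1)


def parse_processes(mem: bytes, os_version: str) -> List[Process]:
    """Reconstruct the PCBs by following the process list from the kernel reference address."""
    base = find_kernel_base(mem)
    head_ptr = base + OS_OFFSETS[os_version]["process_list_head"]
    addr = struct.unpack_from("<Q", mem, head_ptr)[0]
    procs, seen = [], set()
    while addr:
        if addr in seen:             # a corrupted list must not loop forever
            raise ValueError("cycle in process list")
        seen.add(addr)
        pid, ppid, name, nxt, root = struct.unpack_from(PCB_FMT, mem, addr)
        proc = Process(pid, ppid, name.rstrip(b"\0").decode())
        walk_segments(mem, root, proc.segments)
        procs.append(proc)
        addr = nxt
    return procs


def build_sample_image() -> bytes:
    """Constructed 8 KiB guest-memory image: kernel at 0x1000, two processes."""
    mem = bytearray(0x2000)
    base = 0x1000
    mem[base:base + len(KERNEL_MAGIC)] = KERNEL_MAGIC
    struct.pack_into("<Q", mem, base + 0x40, 0x1200)          # process list head -> PCB of pid 1
    # pid 1 "init": text segment, a mapped library and an anonymous stack, as a 3-node tree
    struct.pack_into(PCB_FMT, mem, 0x1200, 1, 0, b"init", 0x1240, 0x1800)
    struct.pack_into(SEG_FMT, mem, 0x1800, 0x7f0000, 0x7f1000, 5, 0x1880, 0x1900, b"/lib/libc.so")
    struct.pack_into(SEG_FMT, mem, 0x1880, 0x400000, 0x401000, 5, 0, 0, b"/usr/bin/init")
    struct.pack_into(SEG_FMT, mem, 0x1900, 0x7ff00000, 0x7ff10000, 3, 0, 0, b"")
    # pid 42 "sshd": a single mapped text segment; last entry in the list
    struct.pack_into(PCB_FMT, mem, 0x1240, 42, 1, b"sshd", 0, 0x1a00)
    struct.pack_into(SEG_FMT, mem, 0x1a00, 0x500000, 0x520000, 5, 0, 0, b"/usr/sbin/sshd")
    return bytes(mem)


if __name__ == "__main__":
    for p in parse_processes(build_sample_image(), "toyos-1.0"):
        print(p.pid, p.ppid, p.name, [(hex(s.start), s.perms, s.path) for s in p.segments])
```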
[0122] As an optional implementation method, the virtual machine memory detection method also includes: obtaining detection items from the server; and loading the detection items into the detection process.
[0123] In this embodiment, after the memory detection task begins, the main process first retrieves the detection items from the server. These detection items can be scripts or binary files. Then, the retrieved detection items are loaded into the detection process.
[0124] Optionally, the number of detection items is variable, with one detection item corresponding to one dedicated detection process. Since the interface provided by the main process follows the HTTP protocol, which is widely supported by major programming languages, this makes the implementation of detection items more flexible; they can be Python scripts, binary executables, etc.
[0125] Optionally, after loading the detection item into the detection process, the detection process can generate an inter-process communication request based on the detection item, and then transmit the inter-process communication request to the main process to request information associated with the detection item from the main process.
[0126] As an optional implementation, the virtual machine memory detection method further includes: reloading the detection item to the detection process or deleting the detection item from the detection process in response to the detection item being in an abnormal state.
[0127] In this embodiment, the abnormal state of the detection item is used to indicate that the detection process has timed out during the detection of the detection item based on memory information. That is, the detection process has not completed the detection of the detection item within a predetermined time period, or the detection process has encountered an error when detecting the detection item. In both of these cases, the detection item is determined to be in an abnormal state.
[0128] Optionally, if a detection item is in an abnormal state, the detection item can be reloaded into the detection process, or the detection item can be removed from the detection process to release the detection process.
[0129] For example, by monitoring the running status of detection items, the system can release relevant resources in a timely manner when a detection item times out or encounters an error. For instance, if a detection item times out for some reason, the system can automatically terminate the detection item, releasing the CPU time, memory, and other resources it occupies, avoiding resource waste and ensuring the effective utilization of system resources.
[0130] In this step, the abnormal state monitoring mechanism of the detection items helps to enhance the robustness and stability of the system. When an error occurs in a detection item, the system can quickly identify it and take measures (such as reloading or deleting the detection item) to prevent the error from spreading, avoid the crash of the entire system or major processes, and ensure the continuous operation of the system.
[0131] As an optional implementation method, the virtual machine memory detection method further includes: obtaining the memory detection result corresponding to the parsing result through inter-process communication.
[0132] In this embodiment, after obtaining the memory detection result, the detection process can transmit the memory detection result to the main process through inter-process communication, so that the main process can obtain the memory detection result corresponding to the parsing result.
[0133] For example, as described above, the main process also provides an interface for reporting memory detection results. Based on this, after obtaining the memory detection results, the detection process can call the interface in the main process to report the memory detection results and send the memory detection results back to the main process.
[0134] In this step, once the detection process completes the memory detection, it can immediately transmit the memory detection results to the main process via IPC without waiting for the entire system detection process to complete, which makes the feedback of the detection results more real-time.
[0135] In the above operating environment, this disclosure provides a memory detection method for a virtual machine as shown in Figure 5, which is applied to a memory detection system. The memory detection system is used to run a detection process to execute the following methods.
[0136] Step S501: Transmit an inter-process communication request to the main process through inter-process communication between the detection process and the main process of the memory detection system.
[0137] In the technical solution provided in step S501 of this disclosure, inter-process communication between the detection process and the main process is achieved through a calling interface provided by the main process to the detection process. The inter-process communication request is used to request information associated with the detection items in the memory to be detected. These detection items may include, but are not limited to, the following: malware (e.g., rootkits), Trojan programs, ransomware, etc. This is merely an example and does not limit the specific content of the detection items. The information associated with the detection items in the inter-process communication request may include, but is not limited to, the following: a list of processes in the memory to be detected, detailed information about a specific process, and the virtual address of the process.
[0138] In this embodiment, the main process provides multiple calling interfaces to the detection process. These multiple calling interfaces may include: an interface for obtaining a process list, an interface for obtaining detailed information of a process, an interface for obtaining the virtual memory of a process, and an interface for reporting memory detection results, etc. This is only an example, and the calling interfaces provided by the main process can be extended.
[0139] Optionally, after generating an inter-process communication request, the memory detection system can select the interface to be called in the main process based on the information related to the detection item requested in the inter-process communication request, and then transmit the inter-process communication request to the main process.
[0140] For example, if the information requested in the inter-process communication request is the list of processes running in the virtual machine's memory to be detected, then it can be determined that the interface to be called in the main process is the interface for obtaining the process list, and then the interface for obtaining the process list in the main process is called to transmit the inter-process communication request.
[0141] Optionally, after receiving an inter-process communication request, the main process can parse the virtual machine's memory to be detected based on the information requested in the inter-process communication request that is associated with the detection item, and then obtain the parsing result, wherein the parsing result includes the memory information of the memory to be detected under the operating system where the virtual machine is located.
[0142] In this step, the security detection of the memory to be tested is divided into different detection items. Each detection item focuses on a specific security threat, such as rootkits, Trojans, ransomware, etc. This modular design makes the system easy to expand. New detection items can be easily added to deal with new security threats without modifying the logic of the main process or restarting the entire system, which greatly improves the system's flexibility and response speed.
[0143] Step S502: Obtain the parsing result from the main process through inter-process communication.
[0144] In the technical solution provided by step S502 of this disclosure, as described in step S501, after receiving the inter-process communication request from the detection process, the main process can parse the inter-process communication request and obtain the parsing result. Since the inter-process communication between the main process and the detection process can realize bidirectional data transmission, based on this, after obtaining the parsing result, the main process can feed back the parsing result to the detection process through the interface for receiving inter-process communication requests.
[0145] Optionally, the detection process can receive the parsing results fed back by the main process.
[0146] In this step, inter-process communication (IPC) is used to separate the memory parsing logic (main process) from the security detection logic (detection process), allowing the two parts to be developed, tested, and updated independently. After the main process obtains the parsing results, it can transmit them to the detection process via IPC. This modular design improves the maintainability and scalability of the system.
[0147] Step S503: Detect the parsing results according to the detection items to obtain the memory detection results.
[0148] In the technical solution provided in step S503 of this disclosure, a detection process is configured to perform a security detection on the memory to be detected according to a detection item. That is, one detection process corresponds to one memory detection result, whereby the memory detection result is used to indicate the security level of the memory to be detected under the detection item. As described above, the detection item may include, but is not limited to, the following: malicious software (e.g., rootkit), Trojan programs, ransomware, etc. In other words, the memory detection result can be used to indicate whether malicious software exists in the memory to be detected, or the memory detection result can be used to indicate whether Trojan programs exist in the memory to be detected. This is only an example.
[0149] In this embodiment, after receiving the parsing result, the detection process performs detection on the parsing result according to its detection item to obtain the memory detection result. For example, if the detection item assigned to the detection process is Trojan programs, the detection process performs Trojan detection on the process information of the memory to be detected (under the operating system of the virtual machine) contained in the parsing result, to determine whether a Trojan program exists in the memory to be detected.
[0150] In this step, after receiving the parsing results, the detection process can perform detection on the parsing results according to the detection items. One detection process corresponds to one detection item, and multiple detection processes are independent of each other and execute in parallel. Even if one detection process has a problem, it will not affect other detection processes, thus improving the stability of memory detection.
[0151] Step S504: Transmit the memory detection results to the main process through inter-process communication.
[0152] In the technical solution provided by step S504 of this disclosure, after the detection process obtains the memory detection result, it can transmit the memory detection result to the main process through inter-process communication between the main process and the detection process.
[0153] In steps S501 to S504 above, the memory parsing logic and the memory detection logic are decoupled through inter-process communication between the detection process and the main process of the memory detection system. This allows the memory detection logic to be updated independently and hot-updated, increasing the system's scalability, stability, and performance. Furthermore, since the memory parsing logic and the memory detection logic are decoupled, errors in the detection logic will not affect the main process, which increases the stability of the operating system. Moreover, the detection processes are independent of each other and can be executed in parallel, which also improves the efficiency of security detection of the memory to be detected.
[0154] As an optional implementation, the memory detection method further includes updating the detection item in response to an update instruction for the detection item.
[0155] In this embodiment, the update instruction for the detection item can be sent by the management service, which is configured to manage the detection items. Before each detection begins, the main process requests the detection items and detection configuration from the management service. The management service then sends an update instruction for the detection items to the main process based on their update and release status. This update instruction may include the latest detection item, which exists in file format. After receiving the update instruction, the main process can update the detection item.
[0156] Optionally, each detection item can be independent, executed in parallel, dynamically loaded, and updated independently. This design improves the system's scalability and robustness.
[0157] In the above operating environment, this disclosure provides a virtual machine memory detection system 600 as shown in Figure 6, including: a memory detection end 601 and a memory parsing end 602. The memory detection end runs at least one detection process, and the memory parsing end runs a main process.
[0158] The memory detection end 601 is configured to transmit an inter-process communication request to the main process through inter-process communication between the detection process and the main process. The inter-process communication request is used to request information associated with the detection items of the virtual machine's memory to be detected.
[0159] The memory parsing end 602 is configured to respond to inter-process communication requests, determine the memory to be detected, perform memory parsing on the memory to be detected according to the detection items, and obtain the parsing results. The parsing results include the memory information of the memory to be detected under the operating system of the virtual machine. The memory detection end is configured to obtain the parsing results from the main process through inter-process communication, and to perform detection on the parsing results according to the detection items to obtain the memory detection results. The memory detection results are used to indicate the security level of the memory to be detected under the detection items.
[0160] In this embodiment, inter-process communication (IPC) between the detection process and the main process is implemented through a calling interface provided by the main process to the detection process. The IPC request is used to request information associated with the detection items in the memory to be detected. These detection items may include, but are not limited to, the following: malware (e.g., rootkits), Trojans, ransomware, etc. This is merely an example and does not limit the specific content of the detection items. The information associated with the detection items in the IPC request may include, but is not limited to, the following: a list of processes in the memory to be detected, detailed information about a specific process, and the virtual address of the process.
[0161] Optionally, the main process provides multiple calling interfaces to the detection process. These interfaces may include: an interface for obtaining a process list, an interface for obtaining detailed information about a specific process, an interface for obtaining the virtual memory of a specific process, and an interface for reporting memory detection results, etc. This is merely an example; the calling interfaces provided by the main process can be extended. After generating an inter-process communication request, the memory detection end can select the interface to be called in the main process based on the information related to the detection item requested in the inter-process communication request, and then transmit the inter-process communication request to the main process.
[0162] Optionally, after receiving an inter-process communication request, the memory parsing end can perform memory parsing on the memory to be tested according to the detection items contained in the inter-process communication request, and then obtain the parsing result.
[0163] Optionally, the memory detection end runs multiple detection processes, each configured to perform a security check on the memory to be detected according to a specific detection item. After the main process obtains the parsing results, the memory detection end can obtain the parsing results from the main process through inter-process communication between the detection processes and the main process, and each detection process then performs the check on the parsing results according to its own detection item to obtain the memory detection results.
[0164] Optionally, after obtaining the memory detection results, the memory detection end can transmit the memory detection results to the main process through inter-process communication.
[0165] In the aforementioned virtual machine memory detection system, the memory detection end is configured to send an inter-process communication (IPC) request to the memory parsing end via IPC between the detection process and the main process. Upon receiving the IPC request, the memory parsing end parses the memory to be detected according to the request, obtains the parsing result, and then transmits the parsing result to the memory detection end via IPC. The memory detection end then performs memory detection according to the detection items, obtains the memory detection result, and transmits it back to the main process via IPC. In other words, by using IPC, the memory parsing process and the memory detection process are decoupled, allowing the memory detection logic to be updated independently and hot-updated, increasing the system's scalability, stability, and performance. Furthermore, because the memory parsing logic and the memory detection logic are decoupled, errors in the detection logic will not affect the main process, increasing the stability of the operating system. Moreover, the detection processes are independent and can execute in parallel, which also improves the efficiency of security detection of the memory to be detected.
[0166] As an optional implementation, the memory parsing end includes an inter-process communication component and a memory parsing component. The inter-process communication component is configured to, in response to an inter-process communication request, determine the interface corresponding to the inter-process communication request; and, using the interface, trigger the memory parsing component to call the virtual machine manager to read the memory to be detected. The memory parsing component is configured to, according to the detection items, perform memory parsing on the read memory to be detected to obtain the parsing result.
[0167] In this embodiment, the Inter-Process Communication Server (IPC Server) is a specially designed server component that acts as a communication intermediary, handling and coordinating inter-process communication between the main process and the detection process. The IPC Server is implemented based on UDS and follows the semantics of the HTTP protocol, providing a standardized interface that enables the detection process to exchange data efficiently and reliably with the main process through a method similar to HTTP requests.
[0168] Optionally, the interfaces provided by the IPC Server may include: an interface for obtaining a list of processes, an interface for obtaining detailed information about a specific process, an interface for obtaining the virtual memory of a specific process, and an interface for reporting memory detection results. Since the information associated with the detection item in the inter-process communication request may include, but is not limited to, the following: a list of processes in the memory to be detected, detailed information about a specific process, and the virtual address of the process, based on this, after responding to the inter-process communication request of the detected process, the interface corresponding to the inter-process communication request can be determined according to the information associated with the detection item requested in the inter-process communication request.
[0169] Optionally, after determining the interface corresponding to the inter-process communication request, the inter-process communication request can be transmitted to the memory parsing component in the main process through the interface. After receiving the inter-process communication request, the memory parsing component can call the virtual machine manager to read the memory to be detected, and then perform memory parsing on the read memory according to the detection items to obtain the parsing result.
[0170] As an optional implementation, the inter-process communication component is configured to obtain an inter-process communication request through inter-process communication, and in response to the obtained inter-process communication request, determine the request path of the inter-process communication request, wherein the request path includes parameters for obtaining memory information, the memory information being used to represent the running state of the virtual machine; and determine the interface corresponding to the request path.
[0171] In this embodiment, inter-process communication (IPC) is implemented through an interface provided by the IPC Server. Once the IPC component receives an IPC request, it can determine the request path, which indicates the HTTP protocol followed by the interface corresponding to the IPC request. The request path includes parameters for obtaining memory information, which may include: a process list, detailed information about a specific process, and the virtual memory of a specific process.
[0172] Optionally, after determining the request path, the interface corresponding to the request path can be determined. For example, if the request path includes the ID of the virtual machine whose memory is to be inspected, then the interface corresponding to the request path can be determined to be the interface for obtaining the process list. If the request path includes both the ID of the virtual machine whose memory is to be inspected and the ID of the target process, then the interface corresponding to the request path can be determined to be the interface for obtaining detailed information about a specific process.
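The interface selection described in [0167] to [0172], as an added example that is not the patent's own code: a main-process IPC server on a Unix domain socket that speaks HTTP, resolves the request path (VM id only selects the process-list interface, VM id plus process id selects the process-detail interface), and a detection-process client that calls it and reports a result. The path layout, JSON field names and the sample parsing result are constructed assumptions; a real main process would obtain the parsing result from VMI and semantic reconstruction.

```python
"""Added example: detection process <-> main process IPC over a Unix domain socket with
HTTP semantics. Paths, field names and sample data are constructed, not the patent's."""
import http.client
import http.server
import json
import os
import socket
import socketserver
import tempfile
import threading
from urllib.parse import urlsplit

# Constructed stand-in for the main process's parsing result (real system: VMI read + reconstruction)
PARSED_VMS = {
    "vm-1": {
        4242: {"pid": 4242, "name": "sshd", "exe": "/usr/sbin/sshd", "args": ["sshd", "-D"]},
        5150: {"pid": 5150, "name": "cron", "exe": "/usr/sbin/cron", "args": ["cron"]},
    }
}
REPORTED_RESULTS = []  # memory detection results reported back by detection processes

def resolve_interface(path):
    """Map a request path to the main-process interface it addresses (assumed path layout):
    /vms/<vm>/processes -> process list; /vms/<vm>/processes/<pid> -> process detail;
    /results -> report memory detection result. Unknown paths resolve to (None, {})."""
    parts = [p for p in urlsplit(path).path.split("/") if p]
    if len(parts) == 3 and parts[0] == "vms" and parts[2] == "processes":
        return "process_list", {"vm": parts[1]}
    if len(parts) == 4 and parts[0] == "vms" and parts[2] == "processes" and parts[3].isdigit():
        return "process_detail", {"vm": parts[1], "pid": int(parts[3])}
    if parts == ["results"]:
        return "report_result", {}
    return None, {}

class IPCHandler(http.server.BaseHTTPRequestHandler):
    """IPC Server side (main process): dispatches on the resolved interface."""
    def log_message(self, *_):  # client_address is a bare string on AF_UNIX; skip default logging
        pass

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        iface, params = resolve_interface(self.path)
        procs = PARSED_VMS.get(params.get("vm"), {})
        if iface == "process_list":
            self._reply(200, {"processes": [{"pid": p["pid"], "name": p["name"]} for p in procs.values()]})
        elif iface == "process_detail" and params["pid"] in procs:
            self._reply(200, procs[params["pid"]])
        else:
            self._reply(404, {"error": "unknown interface or object"})

    def do_POST(self):
        iface, _ = resolve_interface(self.path)
        if iface != "report_result":
            return self._reply(404, {"error": "unknown interface"})
        length = int(self.headers.get("Content-Length", "0"))
        REPORTED_RESULTS.append(json.loads(self.rfile.read(length)))
        self._reply(200, {"accepted": len(REPORTED_RESULTS)})

class UDSConnection(http.client.HTTPConnection):
    """http.client over AF_UNIX: the detection process's side of the IPC."""
    def __init__(self, sock_path):
        super().__init__("localhost")
        self._sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._sock_path)

def ipc_call(sock_path, method, path, body=None):
    """One IPC request from a detection process; returns (status, decoded JSON body)."""
    conn = UDSConnection(sock_path)
    payload = None if body is None else json.dumps(body).encode()
    conn.request(method, path, body=payload, headers={"Content-Type": "application/json"} if payload else {})
    resp = conn.getresponse()
    out = (resp.status, json.loads(resp.read()))
    conn.close()
    return out

def run_demo():
    """Start the main-process IPC server, act as one detection process, return what it observed."""
    tmp = tempfile.mkdtemp()
    sock_path = os.path.join(tmp, "ipc.sock")
    srv = socketserver.UnixStreamServer(sock_path, IPCHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        status, listing = ipc_call(sock_path, "GET", "/vms/vm-1/processes")       # process-list interface
        detail = ipc_call(sock_path, "GET", "/vms/vm-1/processes/4242")[1]        # process-detail interface
        missing = ipc_call(sock_path, "GET", "/vms/vm-1/processes/9")[0]          # unknown pid -> 404
        # constructed verdict for a "trojan" detection item; real logic would inspect the parsing result
        verdict = {"item": "trojan", "vm": "vm-1", "risk": "none",
                   "checked": [p["pid"] for p in listing["processes"]]}
        accepted = ipc_call(sock_path, "POST", "/results", verdict)[1]["accepted"]  # result-report interface
    finally:
        srv.shutdown()
        srv.server_close()
        os.unlink(sock_path)
        os.rmdir(tmp)
    return {"status": status, "listing": listing, "detail": detail, "missing": missing, "accepted": accepted}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```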
[0173] As an optional implementation, the inter-process communication component is configured to transmit memory information to the detection process via an interface through inter-process communication.
[0174] In this embodiment, after obtaining the memory information of the memory to be detected, the inter-process communication component can use the interface provided by the main process to transmit the memory information to the detection process.
[0175] As an optional implementation, the memory parsing component is configured to obtain a reference address from the data structure of the memory to be detected according to the detection item, wherein the reference address is used to represent the starting address of the operating system kernel in the memory to be detected; and the parsing result is determined based on the reference address.
[0176] In this embodiment, the reference address is used to indicate the starting address of the kernel image, which is located at the beginning of the memory to be detected.
[0177] Optionally, after determining the reference address in the memory to be detected, other key data structures can be located based on the reference address and the offset of other key data structures relative to the kernel image's starting address. Then, the process control block on the operating system can be reconstructed using the located key data structures.
[0178] As an optional implementation, the memory parsing component is configured to offset the reference address to obtain the address of at least one key data structure of the memory to be detected; reconstruct the process control block on the operating system using the key data structure; and determine the memory information that satisfies the data structure corresponding to the process control block.
[0179] In this embodiment, the key data structure can be used to indicate the kernel page table and the process list. The offset between the key data structure address and the reference address can be determined according to the definition of the data structure of different operating systems. That is, as long as the version of the operating system is determined, the offset can be determined according to the definition of its key kernel data structure.
[0180] Optionally, after determining the offset of the key data structure address relative to the reference address, the reference address can be offset according to the offset to obtain the address of the key data structure in the memory to be detected.
[0181] Optionally, after determining the address of the key data structure in the memory to be tested, the process control block (PCB) on the operating system can be reconstructed using the key data structure. The PCB is a structure in the operating system that stores runtime information about a process. The process of reconstructing the PCB using the key data structure can be found in the preceding description and will not be repeated here.
[0182] Optionally, after reconstructing the process control block on the operating system, process information can be extracted from it, such as process name, ID, executable file path, startup parameters, etc., without specific restrictions here.
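The semantic reconstruction of [0175] to [0182] (reference address, per-OS-version offset to the process list, PCB reconstruction), as an added example that is not the patent's code: a constructed raw memory image with a signature marking the kernel start, an offset table keyed by OS version, and a walker that rebuilds each PCB's name, pid and executable path. The image layout, the signature, the offsets and the PCB field layout are all constructed for this example; the walker also rejects the two failure modes a parser meets on corrupted memory, a pointer outside the image and a looped list.

```python
"""Added example: rebuilding the process list from a raw memory image via reference address
plus OS-version-specific offset. Layout, signature and offsets are constructed, not a real kernel's."""
import struct

KERNEL_MAGIC = b"KRNLIMG\0"    # constructed signature at the start of the kernel image
PCB_FMT = "<QI16sQ"            # constructed PCB: next pointer, pid, name[16], pointer to exe path
PCB_SIZE = struct.calcsize(PCB_FMT)
# Offset of the process-list head relative to the kernel start, per (constructed) OS version
LIST_HEAD_OFFSET = {"demo-os 1.0": 0x40, "demo-os 2.0": 0x80}

def build_sample_image(os_version, procs, base=0x200):
    """Constructed image: kernel at `base`, list head at base+offset, PCBs and path strings after it."""
    img = bytearray(0x1000)
    img[base:base + len(KERNEL_MAGIC)] = KERNEL_MAGIC
    pcb_addr, str_addr = base + 0x100, base + 0x300
    struct.pack_into("<Q", img, base + LIST_HEAD_OFFSET[os_version], pcb_addr if procs else 0)
    for i, (pid, name, exe) in enumerate(procs):
        nxt = pcb_addr + PCB_SIZE if i + 1 < len(procs) else 0
        struct.pack_into(PCB_FMT, img, pcb_addr, nxt, pid, name.encode()[:16].ljust(16, b"\0"), str_addr)
        img[str_addr:str_addr + len(exe) + 1] = exe.encode() + b"\0"
        str_addr += len(exe) + 1
        pcb_addr += PCB_SIZE
    return bytes(img)

def find_reference_address(img):
    """Locate the kernel image start (the reference address) by its signature."""
    idx = img.find(KERNEL_MAGIC)
    if idx < 0:
        raise ValueError("kernel signature not found")
    return idx

def read_cstring(img, addr, limit=256):
    end = img.find(b"\0", addr, addr + limit)
    return img[addr:end if end >= 0 else addr + limit].decode(errors="replace")

def reconstruct_processes(img, os_version, max_procs=1024):
    """Reference address -> offset -> list head -> walk the list and rebuild each PCB."""
    ref = find_reference_address(img)
    (pcb_addr,) = struct.unpack_from("<Q", img, ref + LIST_HEAD_OFFSET[os_version])
    seen, procs = set(), []
    while pcb_addr and len(procs) < max_procs:
        if pcb_addr in seen or pcb_addr + PCB_SIZE > len(img):
            # a looped list or a pointer outside the image means the memory is corrupt or misparsed
            raise ValueError("corrupt process list at 0x%x" % pcb_addr)
        seen.add(pcb_addr)
        nxt, pid, raw_name, exe_ptr = struct.unpack_from(PCB_FMT, img, pcb_addr)
        procs.append({"pid": pid, "name": raw_name.split(b"\0", 1)[0].decode(),
                      "exe": read_cstring(img, exe_ptr), "pcb": pcb_addr})
        pcb_addr = nxt
    return procs

def make_cycle(img, os_version):
    """Corrupt a constructed image so the last PCB points back at the first (a loop the walker must reject)."""
    procs = reconstruct_processes(img, os_version)
    buf = bytearray(img)
    struct.pack_into("<Q", buf, procs[-1]["pcb"], procs[0]["pcb"])
    return bytes(buf)

if __name__ == "__main__":
    image = build_sample_image("demo-os 1.0", [(1, "init", "/sbin/init"), (4242, "sshd", "/usr/sbin/sshd")])
    for p in reconstruct_processes(image, "demo-os 1.0"):
        print(p)
    # Using the offset table of the wrong OS version reads the wrong location and yields no processes:
    print("wrong version:", reconstruct_processes(image, "demo-os 2.0"))
```

Note that the wrong-version case fails silently (an empty list rather than an error), which is why the offset must be chosen from the identified operating system version before parsing.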
[0183] As an optional implementation, the virtual machine memory detection system further includes: a server, and the memory parsing end further includes: a main control component, wherein the memory detection end is configured to transmit the memory detection results to the inter-process communication component through inter-process communication; the main control component is configured to report the memory detection results from the inter-process communication component to the server; and the server is configured to send the memory detection results to the client.
[0184] In this embodiment, the server is configured to manage and control the detection items. For example, based on the update and release status of each detection item, it distributes the latest detection items to the main process in the form of files. The server can also be referred to as a management and control service. The main control component denotes the service management component (Master) in the main process.
[0185] Optionally, the memory detection end is configured to transmit memory detection results to the inter-process communication component in the main process via inter-process communication between the detection process and the main process. After receiving the memory detection results, the inter-process communication component in the main process can report the memory detection results to the main control component.
[0186] Optionally, after receiving the memory detection results, the main control component can report the memory detection results to the server, which will then send the memory detection results to the device used by the customer so that the customer can understand whether there are any security risks in the virtual machine.
[0187] As an optional implementation, the master control component is configured to obtain detection items from the server and load the detection items into the detection process.
[0188] In this embodiment, the main control component requests detection items and configurations from the server. The server, based on the update and release status of each detection item, sends the latest detection items to the main control component in the form of files. The main control component loads the detection items into the detection process, performs the detection on the items in the memory to be detected through the detection process, and forwards the memory detection results corresponding to each detection item back to the server after the detection is completed.
[0189] As an optional implementation, the master control component is configured to initiate an inter-process communication component in response to an inter-process communication request.
[0190] In this embodiment, the main control component is configured to start the inter-process communication component in the main process to respond to inter-process communication requests from the detection process and perform memory parsing based on the inter-process communication requests.
[0191] As an optional implementation, the master control component is configured to either reload the detection item into the detection process or delete the detection item from the detection process in response to the detection item being in an abnormal state.
[0192] In this embodiment, the abnormal state of the detection item is used to indicate that the detection process has timed out when detecting the detection item based on memory information, or that an error occurred when the detection process detected the detection item. In both cases, it can be determined that the detection item is in an abnormal state.
[0193] Optionally, when a detection item is in an abnormal state, the detection item can be reloaded into the detection process, or the detection item can be deleted from the detection process to release the detection process.
[0194] As an optional implementation method, the multiple detection processes corresponding to multiple detection items are independent of each other.
[0195] In this embodiment, the number of detection items is variable. One detection item can correspond to one detection process. That is, one detection process is configured to detect one detection item in the memory to be detected. Different detection processes can be independent of each other, can be executed in parallel, dynamically loaded, and independently updated to improve the scalability and robustness of the operating system.
[0196] The technical solutions of the present disclosure embodiments are illustrated below with reference to preferred embodiments.
[0197] Currently, cloud host security widely adopts the same agent-based approach as traditional IT systems. This involves injecting a process into the virtual machine for information gathering and security countermeasures. Agent-based solutions consume user machine resources (CPU time, memory, etc.) and can be bypassed by malware. For example, in more extreme scenarios, if an attacker gains root access to the user machine, they can hijack system calls, preventing the agent from obtaining accurate information.
[0198] Agentless memory monitoring products in related technologies are also based on VMI technology. They obtain the physical memory of the guest virtual machine (GVM) through a hypervisor, parse out information such as the process list and CPU usage of each process, and calculate information such as memory page hash values. This information is then sent to a rule analysis engine, which matches this information with specific security rules to identify various threats such as mining programs, Trojans, and rootkits. However, in this rule-based memory monitoring product, all detection logic is fixed in the rules. Due to the limited expressive power of the rules, it is difficult to implement complex detection logic like general-purpose programming languages.
[0199] In contrast, this disclosure proposes a scalable agentless memory detection method for virtual machines. One or more detection processes are set up outside the virtual machine. These detection processes communicate with the main process via IPC to request and obtain the necessary memory information, CPU usage, disk activity, and other data. Based on this reconstructed information, the detection processes dynamically execute detection logic to determine whether security threats, such as rootkits, Trojans, or ransomware, exist in the memory. In other words, in this embodiment, detection items can be implemented as independent processes, can be executed in parallel, and have high scalability and robustness. Furthermore, it eliminates the need to inject processes into the virtual machine, saving virtual machine resources and avoiding the problem of malware bypassing detection. The communication between the detection processes and the main process via IPC decouples memory parsing from memory detection. Errors in the detection logic do not affect the main process, increasing system stability. Moreover, the independent and parallel execution of detection items improves detection performance, achieving the technical effect of effectively detecting cloud host memory security.
[0200] The agentless memory detection method for virtual machines in this embodiment will be further described below.
[0201] This disclosure utilizes the Virtual Machine Introspection (VMI) interface provided by the Hypervisor to obtain the physical memory of the virtual machine and perform security checks on it. Physical memory can be viewed as a raw bit array. To extract meaningful information from it, it is necessary to reconstruct higher-level, operating-system-level semantic information from the physical memory. This includes data structures such as the Process Control Block (PCB), the page table, kernel function addresses, and network connections. This reconstruction process is called memory parsing or semantic reconstruction.
[0202] Semantic reconstruction is a prerequisite for memory security detection: only once the high-level semantics have been reconstructed can security checks be performed on the virtual machine's memory, for example checking whether malicious processes exist in the virtual machine, or whether any process has loaded a dynamic link library containing malicious code.
[0203] This disclosure decouples semantic reconstruction from security detection logic, implementing the two in different processes and interacting through inter-process communication. This allows memory security detection to be dynamically loaded and independently updated as a plugin, improving the system's scalability and robustness.
[0204] Figure 7 is a schematic diagram of the structure of an agentless memory detection system according to an embodiment of the present disclosure. As shown in Figure 7, the agentless memory detection system 700 includes a main process 701, a detection item process group 702, and a management service 703. The detection item process group 702 can contain multiple detection item processes depending on the number of specific detection items. The main process 701 is responsible for semantic reconstruction. The detection item processes call the semantic reconstruction capabilities provided by the main process on demand via IPC and perform security threat detection. The management service 703 is responsible for managing changes to detection items, distributing detection configurations, receiving detection results, and displaying the results to the client.
[0205] The following is a brief introduction to the main process 701 in the agentless memory detection system.
[0206] The main process is responsible for semantic reconstruction and the dynamic loading and management of the detection item processes. The main process exposes the reconstructed results to the detection item processes via IPC, and forwards the memory detection results reported by the detection item processes via IPC to the management service. As shown in Figure 7, the main process consists of three logical components: a memory parsing component (Parser), an inter-process communication component (IPC Server), and a service management component (Master).
[0207] The memory parser component will be introduced in more detail next.
[0208] The memory parsing component reads the physical memory of a specified virtual machine through the VMI interface provided by the virtual machine manager (hypervisor) and performs semantic reconstruction. The specified virtual machine can be any one of virtual machine 1, virtual machine 2, virtual machine 3, or virtual machine 4 in Figure 7.
[0209] Optionally, the main process can first locate the starting address of the kernel image in the virtual machine's physical memory. Then, using the offset of each key data structure relative to the kernel image's starting address, it can locate the addresses of these key data structures, for example the kernel page table and the starting address of the process list. The process list links the Process Control Blocks (PCBs) of all active processes on the current operating system and is the data structure used by mainstream operating systems (Linux / Windows) to manage process runtime information. Once the kernel page table has been determined, kernel virtual addresses can be translated, allowing the process list to be traversed and the PCBs of all processes to be reconstructed.
[0210] Optionally, after obtaining the kernel page table and process list, the main process can further parse the kernel page table and process list to obtain detailed memory information of the virtual machine. This includes, for example, a list of processes running in the virtual machine's physical memory, detailed information about each process, and information about each memory segment of the process.
[0211] For example, by traversing the process list, all processes currently existing within GVM can be read. During this traversal, the Process Control Block (PCB) of each process can be reconstructed, allowing further access to details such as process name, ID, executable file path, and startup parameters. In mainstream operating systems, process memory segments are typically organized as binary trees. By obtaining the starting address of the binary tree from the PCB and traversing the memory segment binary tree, information such as the start and end addresses and permissions of each memory segment within a process's virtual memory space can be obtained. For address segments with mapped files, information such as the file path can also be obtained.
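The reconstruction chain of paragraphs [0209] to [0211] (locate the kernel image, take the key structures at fixed offsets from it, translate kernel virtual addresses through the kernel page table, then walk the process list and rebuild each PCB), shown as an added Python example that is not part of the disclosure or of any product it describes. The kernel signature, the single-level page table, the offsets and the PCB layout are constructed assumptions standing in for the OS- and version-specific profiles a real parser needs; the GuestMemory class stands in for the hypervisor's VMI read interface.

```python
"""Toy semantic reconstruction: rebuild a guest's process list from a raw physical
memory image. Added example, not the disclosure's code: the kernel signature, the
single-level page table, the fixed offsets and the PCB layout are constructed
assumptions chosen to make the mechanism visible in a few lines."""
import struct

PAGE = 0x1000
KVBASE = 0xFFFF0000          # assumed kernel virtual base; maps to the kernel image start
KERNEL_MAGIC = b"KRNL"       # assumed signature in the kernel image's first bytes
OFF_PGTABLE = 4              # image start + 4: physical address of the kernel page table
OFF_INIT_TASK = 8            # image start + 8: kernel virtual address of the process list head
PCB_FMT = "<III16s32s"       # pid, ppid, next PCB (kernel vaddr), comm, executable path
PCB_SIZE = struct.calcsize(PCB_FMT)   # 60 bytes


class GuestMemory:
    """Stands in for the hypervisor's VMI interface: raw guest physical memory only."""
    def __init__(self, raw):
        self.raw = raw

    def read_phys(self, pa, n):
        if pa < 0 or pa + n > len(self.raw):
            raise ValueError(f"physical read out of range: {pa:#x}+{n}")
        return bytes(self.raw[pa:pa + n])


class Parser:
    """Main-process Parser: kernel base -> key structures -> page table -> process list."""
    def __init__(self, mem):
        self.mem = mem
        self.kernel_base = self._find_kernel_base()
        self.pgtable_pa, = struct.unpack("<I", mem.read_phys(self.kernel_base + OFF_PGTABLE, 4))
        self.init_task_va, = struct.unpack("<I", mem.read_phys(self.kernel_base + OFF_INIT_TASK, 4))

    def _find_kernel_base(self):
        # The kernel image is page aligned, so a page-stride signature scan suffices here.
        for pa in range(0, len(self.mem.raw), PAGE):
            if self.mem.read_phys(pa, len(KERNEL_MAGIC)) == KERNEL_MAGIC:
                return pa
        raise ValueError("kernel image signature not found")

    def virt_to_phys(self, va):
        """Translate a kernel virtual address through the (single-level, toy) kernel page table."""
        if va < KVBASE:
            raise ValueError(f"not a kernel address: {va:#x}")
        pfn, = struct.unpack("<I", self.mem.read_phys(self.pgtable_pa + 4 * ((va - KVBASE) >> 12), 4))
        if pfn == 0:
            raise ValueError(f"unmapped kernel vaddr {va:#x}")
        return (pfn << 12) | (va & (PAGE - 1))

    def read_virt(self, va, n):
        """Read n bytes of kernel virtual memory page by page (a PCB may straddle two pages)."""
        out = bytearray()
        while n:
            pa = self.virt_to_phys(va)
            chunk = min(n, PAGE - (pa & (PAGE - 1)))
            out += self.mem.read_phys(pa, chunk)
            va, n = va + chunk, n - chunk
        return bytes(out)

    def process_list(self):
        """Walk the circular PCB list; the visited set stops a corrupted or looping list."""
        procs, va, seen = [], self.init_task_va, set()
        while va not in seen:
            seen.add(va)
            pid, ppid, nxt, comm, exe = struct.unpack(PCB_FMT, self.read_virt(va, PCB_SIZE))
            procs.append({"pid": pid, "ppid": ppid, "name": comm.rstrip(b"\0").decode(),
                          "exe": exe.rstrip(b"\0").decode(), "pcb_va": va})
            va = nxt
        return procs


FRAMES = [2, 5, 3, 7]   # constructed mapping: kernel virtual page i -> physical frame FRAMES[i]


def build_sample_image():
    """Constructed 64 KiB guest image: kernel signature, page table at 0x1000, three PCBs."""
    raw = bytearray(0x10000)
    for i, pfn in enumerate(FRAMES):
        struct.pack_into("<I", raw, 0x1000 + 4 * i, pfn)
    kernel_pa = FRAMES[0] << 12                           # KVBASE maps to the image start
    raw[kernel_pa:kernel_pa + 4] = KERNEL_MAGIC
    struct.pack_into("<I", raw, kernel_pa + OFF_PGTABLE, 0x1000)
    pcb_vas = [KVBASE + 0x100, KVBASE + 0x1FD0, KVBASE + 0x3000]   # second PCB crosses a page
    struct.pack_into("<I", raw, kernel_pa + OFF_INIT_TASK, pcb_vas[0])
    pcbs = [(0, 0, b"swapper", b"/"), (1, 0, b"systemd", b"/usr/lib/systemd/systemd"),
            (312, 1, b"java", b"/usr/bin/java")]
    for (pid, ppid, comm, exe), va, nxt in zip(pcbs, pcb_vas, pcb_vas[1:] + pcb_vas[:1]):
        data = struct.pack(PCB_FMT, pid, ppid, nxt, comm, exe)
        for i, byte in enumerate(data):                   # place byte-wise through the same mapping
            off = va + i - KVBASE
            raw[(FRAMES[off >> 12] << 12) | (off & (PAGE - 1))] = byte
    return raw


if __name__ == "__main__":
    for proc in Parser(GuestMemory(build_sample_image())).process_list():
        print(proc)
```

Two details matter in practice and are exercised by the constructed image: a kernel structure can straddle a page boundary, so reads must be translated page by page rather than once per structure, and the process list is guest-controlled data, so the walk must be bounded (here by the set of visited PCB addresses) or a corrupted list can spin the parser forever.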
[0212] The inter-process communication component (IPC Server) will be introduced in more detail next.
[0213] The inter-process communication component is configured to respond to semantic inter-process communication requests from the detection item process. Based on the capabilities provided by the Parser, the IPC Server can return richer GVM runtime information for the detection item. For example, it can provide, but is not limited to, the following interfaces: an interface for retrieving a process list, an interface for retrieving detailed information about a specific process, an interface for reading the virtual address of a process, and an interface for reporting detection results. The interface for retrieving a process list returns a list of processes including the following basic information: process name, process ID, parent process ID, executable file path, and startup parameters. The interface for retrieving detailed information about a specific process returns the specified process ID, basic process information, memory segment addresses and permissions, and the mapped file path of the memory segment. The interface for reading the virtual address of a process returns a raw binary buffer of the corresponding length based on the specified process ID, memory address, and read length. The interface for reporting detection results is used to report memory detection results.
[0214] Optionally, the inter-process communication component follows the HTTP protocol, routing requests to different interfaces based on the HTTP request path. These interfaces then call a combination of functions provided by the Parser to perform semantic reconstruction in response to the request. For ease of understanding and use, the IPC Server's interface design follows the practices of REST (Representational State Transfer) APIs, employing a resource-oriented approach and organizing resources in a hierarchical structure. The resource hierarchy is "GVM - Virtual Machine Resources - Sub-resources".
[0215] Figure 8 is a schematic diagram of an interface organized hierarchically according to an embodiment of the present disclosure. As shown in Figure 8, suppose we want to construct the IPC request URL for reading 24 bytes of virtual memory at virtual address XXXXX in process number 4 on the virtual machine with ID XXXX. The resource hierarchy is "virtual machine - resources on the virtual machine - sub-resources of the process". This resource-oriented, hierarchical organization makes the interface highly scalable. For example, to provide an interface for querying the files opened by a specific process, we can add a sub-resource type named "opened-files" under the process; to provide an interface for querying all network connections on a GVM, we can add a resource type named "net-connections" under the virtual machine.
[0216] The following are examples of the interfaces provided by the inter-process communication components provided in this disclosure and the requests corresponding to those interfaces.
[0217] Optionally, assuming a request is made to call the process list interface, the virtual machine's ID (vm-id) needs to be specified when sending the request. The server will return a list containing information about multiple processes, each including the process name, ID, parent process ID, executable file path, and other basic information. Through this interface, users can view detailed information about all processes running on the virtual machine, helping to monitor and manage the virtual machine's running status. This request can be represented as: GET /vms/vm-id/processes.
[0218] Optionally, assuming a request is made to call an interface describing detailed process information, the virtual machine ID and the target process ID must be provided in the request path. The returned information includes basic process information (e.g., process name, process ID, parent process ID, file path, startup parameters) and process memory segment information (e.g., start and end virtual addresses of each segment, access permissions, etc.). This interface provides memory information to the detection process for a security check of the virtual machine's memory.
[0219] Optionally, assuming a request is made to call the interface for reading a process's virtual memory, the request path needs to specify the virtual machine ID and the target process ID, while the path parameters specify the starting address and length of the virtual memory to be read. This interface returns a raw binary buffer whose content and length correspond to the virtual address and length specified in the parameters.
[0220] Optionally, assuming a request is made to call the interface for reporting detection results, the unique ID identifying this detection task and the name of the detection item should be specified in the request path. The detection results will be reported to the management service via the Master component of the main process.
[0221] Optionally, the above shows the definitions of only some interfaces. Following the resource hierarchy, interfaces such as "get all network connections on a specified GVM" and "get files opened by a specific process" can also be implemented, simply by adding new resource types to the corresponding resource directories. Since mainstream operating systems follow similar abstractions (processes, virtual memory, etc.), the IPC Server's interfaces are operating system neutral. Furthermore, unlike conventional HTTP, the IPC Server uses Unix domain sockets (UDS) instead of TCP as the transport. The advantage of using UDS is that it eliminates the need for a complete TCP protocol stack, resulting in higher performance; because a UDS endpoint is a path on the host file system rather than a network port, it is also reachable only by local processes permitted to open that path.
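The interface family of paragraphs [0213] to [0221], as an added Python example that is not the disclosure's code: a resource-oriented router over the four interfaces (process list, process detail, virtual memory read, result reporting), served with HTTP framing on a Unix domain socket and consumed by a small client. The exact URL layout, the JSON schemas, the hex encoding of the raw buffer (the disclosure returns a raw binary buffer; hex is used here so the response stays JSON) and the FakeParser data are assumptions.

```python
"""The main process's resource-oriented IPC interface, served as HTTP over a Unix domain
socket (UDS). Added example, not the disclosure's code: the URL layout, the hex-encoded
memory buffer, the result schema and the FakeParser data are constructed assumptions."""
import http.client, http.server, json, os, re, socket, socketserver, tempfile, threading
from urllib.parse import parse_qs, urlsplit

ROUTES = [   # hierarchy: GVM -> processes -> one process -> its memory; results per task and item
    ("GET", re.compile(r"^/vms/(?P<vm>[\w-]+)/processes$"), "list_processes"),
    ("GET", re.compile(r"^/vms/(?P<vm>[\w-]+)/processes/(?P<pid>\d+)$"), "process_detail"),
    ("GET", re.compile(r"^/vms/(?P<vm>[\w-]+)/processes/(?P<pid>\d+)/memory$"), "read_memory"),
    ("POST", re.compile(r"^/tasks/(?P<task>[\w-]+)/items/(?P<item>[\w-]+)/results$"), "report_result"),
]

def dispatch(parser, method, url, body=b""):
    """Route one request to a Parser capability; returns (HTTP status, JSON payload)."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    for route_method, pattern, capability in ROUTES:
        match = pattern.match(parts.path)
        if match and route_method == method:
            try:
                return 200, getattr(parser, capability)(**match.groupdict(), **query, body=body)
            except KeyError as exc:                    # unknown VM or PID
                return 404, {"error": f"no such resource: {exc}"}
            except (TypeError, ValueError) as exc:     # missing or malformed parameters
                return 400, {"error": str(exc)}
    return 404, {"error": "unknown route"}

class FakeParser:
    """Stand-in for the Parser component, holding constructed data for one guest."""
    def __init__(self):
        self.procs = {"vm-1": {4: {"name": "java", "pid": 4, "ppid": 1, "exe": "/usr/bin/java",
                      "segments": [{"start": "0x7f00", "end": "0x8000", "perms": "r-x", "file": "/tmp/libhelper.so"}]}}}
        self.memory = {("vm-1", 4): (0x7F00, b"\x7fELF" + bytes(range(60)))}   # (base, bytes)
        self.reports = []
    def list_processes(self, vm, **_):
        return [{k: p[k] for k in ("name", "pid", "ppid", "exe")} for p in self.procs[vm].values()]
    def process_detail(self, vm, pid, **_):
        return self.procs[vm][int(pid)]
    def read_memory(self, vm, pid, address, length, **_):
        base, buf = self.memory[(vm, int(pid))]
        addr, n = int(address, 0), int(length)
        if n <= 0 or addr < base or addr + n > base + len(buf):
            raise ValueError("read outside the mapped range")
        return {"address": hex(addr), "data": buf[addr - base:addr - base + n].hex()}
    def report_result(self, task, item, body, **_):
        self.reports.append({"task": task, "item": item, "result": json.loads(body)})
        return {"accepted": True}

class IpcHandler(http.server.BaseHTTPRequestHandler):
    def _serve(self, method):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, payload = dispatch(self.server.parser, method, self.path, body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_GET(self): self._serve("GET")
    def do_POST(self): self._serve("POST")
    def log_message(self, *_): pass   # the default logger expects a (host, port) client address

class UdsIpcServer(socketserver.ThreadingUnixStreamServer):
    """No TCP stack involved; the socket file's permissions decide who may connect at all."""
    def __init__(self, sock_path, parser):
        self.parser = parser
        super().__init__(sock_path, IpcHandler)

def ipc_call(sock_path, method, url, payload=None):
    """Detection-item side: one request over the socket; returns (status, decoded JSON)."""
    conn = http.client.HTTPConnection("localhost")
    conn.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)   # pre-connected, so no TCP connect
    conn.sock.connect(sock_path)
    body = json.dumps(payload).encode() if payload is not None else None
    conn.request(method, url, body=body, headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    result = json.loads(resp.read())
    conn.close()
    return resp.status, result

def roundtrip_demo():
    """Serve on a temporary socket, exercise the interfaces once, and return the responses."""
    sock_path = os.path.join(tempfile.mkdtemp(), "ipc.sock")
    server = UdsIpcServer(sock_path, FakeParser())
    os.chmod(sock_path, 0o600)                  # only the main process's own user may connect
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        out = {
            "list": ipc_call(sock_path, "GET", "/vms/vm-1/processes"),
            "memory": ipc_call(sock_path, "GET", "/vms/vm-1/processes/4/memory?address=0x7f00&length=4"),
            "report": ipc_call(sock_path, "POST", "/tasks/t-1/items/java-dll/results",
                               {"pid": 4, "verdict": "suspicious", "file": "/tmp/libhelper.so"}),
        }
    finally:
        server.shutdown(); server.server_close()
        os.unlink(sock_path); os.rmdir(os.path.dirname(sock_path))
    out["stored_reports"] = server.parser.reports
    return out
```

The memory-read interface is the one a reviewer should look at hardest: it hands guest memory to whichever local process can open the socket, so the example bounds every read to the mapped range (a bad address or length yields 400, an unknown VM or PID yields 404) and restricts the socket file to the main process's own user; the detection items still get the full power of a general-purpose language on the client side, which is the disclosure's argument against rule-only engines.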
[0222] The service management component (Master) will be introduced in more detail next.
[0223] The Master component is a logical component of the main process, configured to dynamically load, start, and schedule detection tasks, and to report detection results.
[0224] Figure 9 is a schematic diagram of a memory detection process according to an embodiment of this disclosure. As shown in Figure 9, after the detection task begins, the main program first pulls detection items from the server. Detection items can be scripts or binary files. Subsequently, the Master starts the IPC Server to prepare to respond to IPC requests from the detection items. Next, the Master schedules and manages each detection item, such as cleaning up or retrying detection items that have timed out or encountered errors. During the operation of the detection process, semantic information is requested from the main process on demand via IPC. When the IPC Server responds to the semantic information request, it calls the Parser to complete the reconstruction of the specified semantic information. After each detection task is completed, the detection results are reported via IPC. The IPC Server forwards the results to the Master component to complete the final report to the server. Different detection items can be implemented as different detection processes and can be executed in parallel. Figure 7 shows three detection items: rootkit detection, Trojan detection, and ransomware detection.
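The Master's scheduling role in Figure 9 (start the detection items, clean up or retry items that time out or fail, keep running regardless), as an added Python example that is not the disclosure's code: each detection item runs as its own child process under a timeout and a retry budget, so a crashing or hanging item is recorded and retried while the master and the other items continue. The item commands are constructed python -c one-liners standing in for real detection item scripts or binaries; the IPC exchange with the main process is left out here.

```python
"""Master-style scheduling of detection items as separate processes, with timeout, retry
and cleanup. Added example, not the disclosure's code: the item commands are constructed
python -c one-liners standing in for real detection item scripts or binaries."""
import json
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor


def run_detection_item(name, argv, timeout, retries=1):
    """Run one item in its own process; a crash or hang is contained, recorded and retried."""
    attempts = []
    for attempt in range(1, retries + 2):
        try:
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
        except subprocess.TimeoutExpired:            # run() has already killed the child
            attempts.append({"attempt": attempt, "status": "timeout"})
            continue
        if proc.returncode != 0:
            attempts.append({"attempt": attempt, "status": "error", "stderr": proc.stderr.strip()[-200:]})
            continue
        try:
            result = json.loads(proc.stdout)          # items report a JSON result on stdout
        except json.JSONDecodeError:
            attempts.append({"attempt": attempt, "status": "bad-output"})
            continue
        return {"item": name, "status": "ok", "result": result, "attempts": attempts}
    return {"item": name, "status": attempts[-1]["status"], "attempts": attempts}


def run_all(items, timeout, retries=1):
    """Schedule items in parallel; the master keeps running whatever any single item does."""
    with ThreadPoolExecutor(max_workers=len(items)) as pool:
        return list(pool.map(lambda it: run_detection_item(it[0], it[1], timeout, retries), items))


# Constructed stand-ins: one well-behaved item, one that crashes, one that hangs.
SAMPLE_ITEMS = [
    ("rootkit", [sys.executable, "-c", "import json; print(json.dumps({'verdict': 'clean'}))"]),
    ("trojan", [sys.executable, "-c", "raise SystemExit('parser plugin crashed')"]),
    ("ransomware", [sys.executable, "-c", "import time; time.sleep(60)"]),
]

if __name__ == "__main__":
    for outcome in run_all(SAMPLE_ITEMS, timeout=3.0):
        print(outcome)
```

The point of the process boundary is visible in the outcome records: the hanging item is killed at the timeout and the crashing item's stderr is captured, but neither raises into the scheduler, so the well-behaved item's result is still collected and reported.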
[0225] The following section further introduces the detection item process group 702 in the agentless memory detection system.
[0226] The detection item process group 702 includes multiple detection item processes, the number of which is variable; one detection item can correspond to one dedicated detection process. Because the interface provided by the IPC Server follows the HTTP protocol, it is widely supported by various mainstream programming languages.
[0227] Optionally, Figure 10 is a flowchart of a detection method for checking whether a Java process has loaded a malicious dynamic link library according to an embodiment of the present disclosure. As shown in Figure 10, the detection process performs the following steps during execution:
[0228] Step S1001: Call the interface of the process list to obtain the current process list.
[0229] In this embodiment, after calling the interface of the process list to obtain the process list, the obtained process list can be traversed to find the ID of the Java process.
[0230] Step S1002: Call the interface describing process details to obtain the memory segment information of the Java process.
[0231] Step S1003: Traverse each memory segment of the Java process and check if there is a mapped file in each memory segment.
[0232] In this embodiment, mapped files are a technique used by the operating system to achieve efficient file reading and writing, memory sharing, and other goals. The principle is to map files into virtual memory, allowing processes to read and write files in user space by accessing virtual memory. Dynamic link libraries are typically loaded into memory as mapped files. For memory segments with mapped files, the file path is checked to determine if they are suspected malicious dynamic libraries.
[0233] Step S1004: For memory segments loaded with suspected malicious dynamic libraries, call the interface for reading virtual memory to detect whether there is malicious code in the memory.
[0234] Step S1005: Call the interface for reporting results and report the detection results.
[0235] In steps S1001 to S1005 above, each detection item is independent of the others and can be executed in parallel, dynamically loaded, and updated independently. This design improves the scalability and robustness of the system.
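Steps S1001 to S1005 written out as one detection item against the IPC interface, as an added Python example that is not the disclosure's code. The response schema, the policy for which mapped files count as suspect (shared objects mapped from writable scratch directories or unlinked after loading), the "known-bad" hash list (derived here from a constructed sample image rather than from real threat intelligence) and the FakeIpc data are all assumptions.

```python
"""Detection item for steps S1001 to S1005: does a Java process map a suspicious dynamic
library? Added example, not the disclosure's code. The response schema, the path policy,
the 'known-bad' hash (derived from a constructed sample) and the FakeIpc data are assumptions."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")   # writable scratch locations (policy assumption)
ELF_MAGIC = b"\x7fELF"
HEADER_BYTES = 64                                          # enough to cover an ELF64 file header

# Constructed 64-byte images standing in for the first bytes of two mapped libraries.
BAD_IMAGE = ELF_MAGIC + b"\x02\x01\x01" + bytes(57)
ODD_IMAGE = ELF_MAGIC + b"\x02\x01\x01" + bytes(range(57))
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_IMAGE).hexdigest()}  # a real list would come from threat intel


def is_suspect_library(segment):
    """Mapped-file check: a shared object loaded from a scratch directory or unlinked after loading."""
    path = segment.get("file") or ""
    return ".so" in path and (path.startswith(SUSPICIOUS_DIRS) or path.endswith(" (deleted)"))


def classify(data):
    """Verdict for the bytes read back from the segment through the memory-read interface."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return "malicious"
    return "suspicious" if data.startswith(ELF_MAGIC) else "no-elf-header"


def inspect_java_processes(ipc, vm_id, task_id, item="java-suspicious-library"):
    """ipc(method, url, payload=None) -> (status, json) is the IPC client; see FakeIpc below."""
    status, procs = ipc("GET", f"/vms/{vm_id}/processes")                          # S1001
    if status != 200:
        raise RuntimeError(f"process list request failed: {procs}")
    findings = []
    for proc in (p for p in procs if p["name"] == "java"):
        pid = proc["pid"]
        status, detail = ipc("GET", f"/vms/{vm_id}/processes/{pid}")                # S1002
        for seg in detail["segments"]:                                              # S1003
            if not is_suspect_library(seg):
                continue
            start = int(seg["start"], 0)                                            # S1004
            url = f"/vms/{vm_id}/processes/{pid}/memory?address={start:#x}&length={HEADER_BYTES}"
            status, mem = ipc("GET", url)
            verdict = classify(bytes.fromhex(mem["data"])) if status == 200 else "unreadable"
            findings.append({"pid": pid, "file": seg["file"], "start": seg["start"], "verdict": verdict})
    status, ack = ipc("POST", f"/tasks/{task_id}/items/{item}/results",            # S1005
                      {"vm": vm_id, "findings": findings})
    return findings, ack


class FakeIpc:
    """Constructed stand-in for the main process's IPC Server, callable like an IPC client."""
    def __init__(self):
        self.procs = [{"name": "java", "pid": 4, "ppid": 1, "exe": "/usr/bin/java"},
                      {"name": "sshd", "pid": 7, "ppid": 1, "exe": "/usr/sbin/sshd"}]
        self.segments = {4: [
            {"start": "0x400000", "end": "0x401000", "perms": "r-x", "file": "/usr/bin/java"},
            {"start": "0x7f000000", "end": "0x7f001000", "perms": "r-x", "file": "/usr/lib/jvm/lib/server/libjvm.so"},
            {"start": "0x7f100000", "end": "0x7f101000", "perms": "r-x", "file": "/tmp/libagent.so"},
            {"start": "0x7f200000", "end": "0x7f201000", "perms": "r-x", "file": "/dev/shm/hook.so (deleted)"},
            {"start": "0x7f300000", "end": "0x7f301000", "perms": "rw-", "file": None}]}
        self.memory = {(4, 0x7F100000): BAD_IMAGE, (4, 0x7F200000): ODD_IMAGE}
        self.reports = []

    def __call__(self, method, url, payload=None):
        parts = urlsplit(url)
        if method == "GET" and re.fullmatch(r"/vms/[\w-]+/processes", parts.path):
            return 200, self.procs
        m = re.fullmatch(r"/vms/[\w-]+/processes/(\d+)(/memory)?", parts.path)
        if method == "GET" and m and not m.group(2):
            return 200, {"segments": self.segments.get(int(m.group(1)), [])}
        if method == "GET" and m:
            q = parse_qs(parts.query)
            addr, n = int(q["address"][0], 0), int(q["length"][0])
            buf = self.memory.get((int(m.group(1)), addr))
            return (200, {"data": buf[:n].hex()}) if buf else (400, {"error": "unmapped address"})
        if method == "POST" and parts.path.startswith("/tasks/"):
            self.reports.append(payload)
            return 200, {"accepted": True}
        return 404, {"error": "unknown route"}


if __name__ == "__main__":
    print(inspect_java_processes(FakeIpc(), "vm-1", "task-1"))
```

Only the segments that pass the mapped-file check trigger a memory read, which keeps the expensive S1004 step proportional to the number of suspect mappings rather than to the process's whole address space; the anonymous segment (no mapped file) and the JVM's own library are skipped, and the item reports its findings through the same IPC interface it reads from.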
[0236] The following section will provide a further introduction to the management service 703 in the agentless memory detection system.
[0237] The management service is configured to manage the detection items. Before each detection begins, the Master component of the main process requests the detection items and configuration from the management service. The management service then distributes the latest detection items to the main process in the form of files, based on the update and release status of each detection item. The main process starts the detection items into different processes and forwards the detection results reported by each detection item via IPC back to the management service after the detection is completed.
[0238] Optionally, the management service is also configured to receive the detection results reported by the Master component of the main process, process the results, and notify the user in the form of alarms, reports, etc.
[0239] Optionally, this disclosure also provides an agentless memory detection method based on a rule engine, which mainly decouples memory security detection and memory parsing capabilities, allowing them to be updated independently and enabling dynamic updates to the memory security detection logic. Figure 11 is a schematic diagram illustrating the decoupling of detection logic and semantic reconstruction logic through a rule engine according to this disclosure. As shown in Figure 11, by defining detection items as a series of rule sets, a rule engine is added to the main process. After semantic reconstruction is completed, the Parser inputs system status information (such as process lists, network connections, etc.) into the rule engine, which then schedules and executes rule matching to detect security threats. Rules are usually declarative, such as YARA rules. The rules define the characteristics and judgment conditions of different threats. The above rule engine scheme can achieve a similar effect to the IPC scheme in decoupling detection logic and semantic reconstruction. However, its main drawback compared to the IPC scheme is the limited expressive power of the rules. Its expressive power cannot be compared with that of general programming languages, thus making it unable to implement some complex detection logic.
[0240] The key to this disclosure lies in the use of IPC to achieve complete decoupling between memory security detection logic and memory parsing logic. This allows the security detection logic to be updated independently and hot-updated, increasing the scalability, stability, and robustness of the system. Compared to agentless memory detection methods based on rule engines, the memory detection logic of this disclosure can be implemented in a general-purpose programming language, without being limited by the expressive power of declarative rules, thus enabling the implementation of more complex detection logic.
[0241] The IPC in this disclosure is compatible with the standard HTTP protocol, which makes the implementation of the memory detection logic (the detection items) more flexible and allows for the use of various technology stacks. For example, it can be implemented using scripting languages such as Python, or distributed as a binary executable compiled from C / C++. This not only makes the system more adaptable to multi-team development, but also reduces cost and makes adding new detection items more agile. In addition, since the detection logic is isolated from the main process, errors in the detection logic do not affect the main process, which increases the stability of the system; and since the detection items are independent of each other, they can be executed in parallel, which also improves detection performance.
[0242] This disclosure utilizes Virtual Machine Introspection (VMI) technology to access the physical memory of virtual machines on a cloud host in real time and perform security checks on that physical memory. Each check task is implemented as an independent process, and errors in one check task do not affect the main process, improving its stability. Furthermore, each check task interacts with a standardized, HTTP-compliant IPC interface during execution, dynamically calling the IPC-provided interfaces for memory parsing, result reporting, and other functions. This allows check items to be dynamically loaded and updated independently on demand.
[0243] For clients, on-demand detection can be implemented, running only the specified detection items, which can shorten detection time. For developers, detection items can be implemented in different programming languages than the main process. For example, the main process can be implemented in higher-performance system-level programming languages such as C++ / Rust, while detection items can be implemented in more flexible scripting languages such as Python, thereby improving development efficiency, shortening change cycles, and reducing change costs.
[0244] The user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this disclosure are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use and processing of the relevant data shall comply with the relevant laws, regulations and standards of the relevant countries and regions, and corresponding operation entry points shall be provided for users to choose to authorize or refuse.
[0245] For the foregoing method embodiments, in order to simplify the description, they are all described as a series of actions. However, those skilled in the art should understand that this disclosure is not limited to the described order of actions, because according to this disclosure, some steps can be performed in other orders or simultaneously. Furthermore, those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions and modules involved are not necessarily essential to this disclosure.
[0246] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods according to the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, they can also be implemented by hardware. Based on this understanding, the technical solutions of this disclosure, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) and includes several instructions to cause a terminal device (which may be a mobile phone, computer, server, or network device, etc.) to execute the methods described in the various embodiments of this disclosure.
[0247] According to an embodiment of this disclosure, a memory detection device for a virtual machine for implementing the above-described memory detection method for a virtual machine is also provided. As shown in Figure 12, the memory detection device 1200 for a virtual machine includes: a determination component 1201, a parsing component 1202, and a first transmission component 1203.
[0248] The determination component 1201 is configured to determine the virtual machine's memory to be detected in response to an inter-process communication request from at least one detection process, wherein the inter-process communication request is used to request information associated with the detection items of the memory to be detected.
[0249] The parsing component 1202 is configured to perform memory parsing on the memory to be detected according to the detection items and obtain the parsing results, which include the memory information of the memory to be detected under the operating system of the virtual machine.
[0250] The first transmission component 1203 is configured to transmit the parsing result to the detection process through inter-process communication between the main process and the detection process. The parsing result is used to perform detection according to the detection item in the detection process to obtain the memory detection result. The memory detection result is used to indicate the safety level of the memory to be detected under the detection item.
[0251] The aforementioned determining component 1201, parsing component 1202, and first transmission component 1203 correspond to steps S401 to S403 in the above embodiments. The three components and their corresponding steps implement the same instances and application scenarios, but are not limited to the content disclosed in the above embodiments. The aforementioned components may be hardware or software components stored in memory (e.g., memory 104) and processed by one or more processors (e.g., processors 102a, 102b, ..., 102n). The aforementioned components may also be part of a device and run in the computer terminal 10 provided in the above embodiments.
[0252] The preferred embodiments involved in the above-described embodiments of this disclosure are the same as the solutions, application scenarios, and implementation processes provided in the above-described embodiments, but are not limited to the solutions provided in the above-described embodiments.
[0253] According to an embodiment of this disclosure, a memory detection device for a virtual machine for implementing the above-described memory detection method for a virtual machine is also provided. As shown in Figure 13, the memory detection device 1300 for a virtual machine includes: a second transmission component 1301, a first acquisition component 1302, a detection component 1303, and a third transmission component 1304.
[0254] The second transmission component 1301 is configured to transmit an inter-process communication request to the main process through inter-process communication between the detection process and the main process of the memory detection system. The inter-process communication request is used to request information associated with the detection items of the memory to be detected in the virtual machine. The inter-process communication request is used to enable the memory detection system to determine the memory to be detected in the main process. The memory to be detected is used to enable the memory detection system to perform memory parsing according to the detection items in the main process and obtain the parsing result. The parsing result includes the memory information of the memory to be detected under the operating system of the virtual machine.
[0255] The first acquisition component 1302 is configured to acquire the parsing results from the main process through inter-process communication.
[0256] The detection component 1303 is configured to perform detection on the parsing results according to the detection items to obtain memory detection results, wherein the memory detection results are used to indicate the safety level of the memory to be detected under the detection items.
[0257] The third transmission component 1304 is configured to transmit the parsing results to the main process via inter-process communication.
[0258] The second transmission component 1301, the first acquisition component 1302, the detection component 1303, and the third transmission component 1304 mentioned above correspond to steps S501 to S504 in the above embodiments. The four components and the corresponding steps implement the same instances and application scenarios, but are not limited to the content disclosed in the above embodiments. The above components may be hardware or software components stored in memory (e.g., memory 104) and processed by one or more processors (e.g., processors 102a, 102b, ..., 102n). The above components may also be part of a device and run in the computer terminal 10 provided in the above embodiments.
[0259] The preferred embodiments involved in the above-described embodiments of this disclosure are the same as the solutions, application scenarios, and implementation processes provided in the above-described embodiments, but are not limited to the solutions provided in the above-described embodiments.
[0260] Embodiments of this disclosure can provide an electronic device, which can be any one of a group of electronic devices. Optionally, in this embodiment, the aforementioned electronic device can also be replaced with a terminal device such as a computer terminal.
[0261] Optionally, in this embodiment, the aforementioned electronic device may be located in at least one of a plurality of network devices in a computer network.
[0262] In this embodiment, the computer terminal described above can execute the program code in the method.
[0263] Optionally, Figure 14 is a structural block diagram of an electronic device according to an embodiment of the present disclosure. As shown in Figure 14, the electronic device A may include: one or more (only one is shown in the figure) processors 1402, memory 1404, a memory controller, and a peripheral interface, wherein the peripheral interface is connected to a radio frequency module, an audio module, and a display.
[0264] The memory can be used to store software programs and modules, such as the program instructions / modules corresponding to the methods and apparatus in the embodiments of this disclosure. The processor executes various functional applications and data processing by running the software programs and modules stored in the memory, thereby implementing the methods in the above embodiments. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory may further include memory located remotely from the processor, and such remote memory can be connected to electronic device A via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
[0265] The processor can invoke information and applications stored in memory via a transmission device to perform the following steps: responding to inter-process communication requests from at least one detection process, determining the virtual machine's memory to be detected, wherein the inter-process communication request is used to request information associated with detection items of the memory to be detected; performing memory parsing on the memory to be detected according to the detection items to obtain parsing results, wherein the parsing results include memory information of the memory to be detected under the operating system of the virtual machine; transmitting the parsing results to the detection process via inter-process communication between the main process and the detection process, wherein the parsing results are used to perform detection according to the detection items in the detection process to obtain memory detection results, wherein the memory detection results are used to indicate the security level of the memory to be detected under the detection items.
[0266] Optionally, the processor may also execute program code that performs the following steps: in response to an inter-process communication request, determines the interface corresponding to the inter-process communication request; and uses the interface to call the virtual machine manager to read the memory to be detected.
[0267] Optionally, the processor may also execute program code that performs the following steps: obtains an inter-process communication request through inter-process communication, and in response to the obtained inter-process communication request, determines the request path of the inter-process communication request, wherein the request path includes parameters for obtaining memory information, the memory information being used to represent the running state of the virtual machine; and determines the interface corresponding to the request path.
[0268] Optionally, the processor may also execute program code that performs the following steps: transmitting memory information to the detection process via an interface through inter-process communication.
[0269] Optionally, the processor may also execute program code that performs the following steps: obtaining a reference address from the data structure of the memory to be detected according to the detection item, wherein the reference address represents the starting address of the operating system kernel in the memory to be detected; and determining the parsing result based on the reference address.
[0270] Optionally, the processor may also execute program code that performs the following steps: offsetting the reference address to obtain the address of at least one key data structure of the memory to be detected; using the key data structure to reconstruct the process control block on the operating system; and determining the memory information that satisfies the data structure corresponding to the process control block.
[0271] Optionally, the processor may also execute program code that reports the memory detection results to the server.
[0272] Optionally, the processor may also execute program code that performs the following steps: obtaining detection items from the server, and loading the detection items into the detection process.
[0273] Optionally, the processor may also execute program code that performs the following steps: in response to a detection item being in an abnormal state, reloading the detection item into the detection process, or deleting the detection item from the detection process.
[0274] Optionally, the processor may also execute program code that performs the following steps: obtaining the memory detection result corresponding to the parsing result through inter-process communication.
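Paragraphs [0272] to [0274] describe the lifecycle that gives the scheme its robustness claim: detection items are loaded into detection processes, a detection process returns its memory detection result to the main process over IPC, and an item in an abnormal state is reloaded or deleted without disturbing the others. The following Python is an added illustration of that supervision loop and is not code from the patent or its assignee. It assumes a POSIX host (it uses the `fork` start method so that it runs self-contained), a constructed parsing result, three made-up detection items of which one deliberately crashes, and a reload policy of one retry before deletion; all of these are assumptions, not details from the page.

```python
# Added example (not the patent's or its assignee's code): each detection item runs
# in its own detection process and talks to the main process over a pipe, so a
# crashing item is reloaded once and then deleted while the others keep running.
# The item functions, the parsing result and the restart policy are assumptions.
import multiprocessing as mp

CTX = mp.get_context("fork")    # assumption: POSIX host; fork keeps the demo self-contained

# Constructed parsing result, as the main process would hand it to a detection process.
PARSING_RESULT = {"tasklist": [
    {"pid": 1, "ppid": 0, "uid": 0, "comm": "init"},
    {"pid": 610, "ppid": 1, "uid": 1000, "comm": "bash"},
    {"pid": 777, "ppid": 610, "uid": 0, "comm": "nc"},
]}

def item_root_shell(result):
    """Flag uid-0 processes whose parent runs as an unprivileged user."""
    by_pid = {p["pid"]: p for p in result["tasklist"]}
    hits = [p["pid"] for p in result["tasklist"]
            if p["uid"] == 0 and p["ppid"] in by_pid and by_pid[p["ppid"]]["uid"] != 0]
    return {"level": "high" if hits else "normal", "evidence": hits}

def item_process_count(result):
    return {"level": "normal", "evidence": len(result["tasklist"])}

def item_buggy(result):
    """A detection item that crashes on this input (simulated defect)."""
    raise KeyError("sockets")

ITEMS = {"root_shell": item_root_shell, "process_count": item_process_count,
         "buggy": item_buggy}

def _detection_process(name, conn, result):
    """Body of one detection process: run the item, send the result back, exit."""
    try:
        conn.send({"item": name, **ITEMS[name](result)})
    finally:
        conn.close()

def run_item(name, result, timeout=10.0):
    """Main-process side: start the detection process, collect its reply over IPC,
    and report the item as abnormal if the process crashed, hung or sent nothing."""
    rx, tx = CTX.Pipe(duplex=False)
    proc = CTX.Process(target=_detection_process, args=(name, tx, result))
    proc.start()
    tx.close()                      # only the child keeps the write end open
    msg = None
    if rx.poll(timeout):
        try:
            msg = rx.recv()
        except EOFError:            # child exited without sending a result
            msg = None
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
    rx.close()
    if msg is None or proc.exitcode != 0:
        return {"item": name, "state": "abnormal", "exitcode": proc.exitcode}
    return {"item": name, "state": "ok", **msg}

def supervise(result, names, max_reloads=1):
    """Run every loaded item; reload an abnormal item up to max_reloads times,
    then delete it. One item's failure never affects the main process or the others."""
    report = {}
    for name in names:
        reloads = 0
        outcome = run_item(name, result)
        while outcome["state"] == "abnormal" and reloads < max_reloads:
            reloads += 1
            outcome = run_item(name, result)      # reload into a fresh detection process
        if outcome["state"] == "abnormal":
            outcome = {"item": name, "state": "deleted", "reloads": reloads}
        report[name] = outcome
    return report

if __name__ == "__main__":
    for line in supervise(PARSING_RESULT, list(ITEMS)).values():
        print(line)
```

Running the block reports `root_shell` as `ok` with level `high` (pid 777 is a uid-0 process spawned from an unprivileged shell), `process_count` as `ok`, and `buggy` as `deleted` after one reload; the traceback printed by the crashing child is the only trace it leaves, and the main process is never affected. The timeout on `poll` and `join` matters as much as the crash handling: a detection item that hangs on adversarial input would otherwise block the main process just as surely as one that raises.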
[0275] This disclosure provides a memory detection scheme for virtual machines. An inter-process communication (IPC) connection is established between the detection process and the main process, both of which run outside the virtual machine. The detection process obtains memory information under the operating system of the virtual machine through IPC requests, detects that memory information to obtain memory detection results, and transmits the memory detection results back to the main process through the same IPC channel. That is, through IPC, the memory parsing logic and the security detection logic are decoupled. When detecting memory information under the operating system of the virtual machine, multiple detection processes run in parallel. If any one of the detection processes encounters an error or exception, it does not affect the normal operation of the main process or of the other detection processes, thus improving the stability (robustness) of the memory detection system. Moreover, there is no need to install agent software in the virtual machine for information collection and security countermeasures, which greatly reduces the resource consumption of the virtual machine and avoids both the potential performance overhead and the risk of the agent being exploited or bypassed by malware. This achieves the goal of effectively detecting the memory security of the virtual machine, improves the memory detection efficiency of the virtual machine, and enhances the stability and scalability of the virtual machine memory detection system. In turn, it solves the technical problem of poor scalability and stability of memory detection systems that rely on agent software to detect the memory of the virtual machine.
[0276] It will be understood by those skilled in the art that the structure shown in the figure is merely illustrative, and the electronic device may also be a smartphone (such as an Android phone, an iOS phone, etc.), a tablet computer, a PDA, a mobile internet device (MID), a PAD, or other terminal device. This figure does not limit the structure of the aforementioned electronic device. For example, electronic device A may include more or fewer components (such as a network interface, a display device, etc.) than shown in the figure, or may have a different configuration than shown in the figure.
[0277] Those skilled in the art will understand that all or part of the steps in the various methods of the above embodiments can be implemented by a program instructing the hardware related to the terminal device. The program can be stored in a computer-readable storage medium, which may include: flash drive, read-only memory (ROM), random access memory (RAM), disk or optical disk, etc.
[0278] Embodiments of this disclosure also provide a computer-readable storage medium. Optionally, in this embodiment, the computer-readable storage medium can be used to store program code executed by the method provided in the above embodiments.
[0279] Optionally, in this embodiment, the storage medium may be located in any one of the electronic devices in the group of electronic devices in the computer network, or in any one of the computer terminals in the group of computer terminals.
[0280] Optionally, in this embodiment, the computer-readable storage medium is configured to store program code for performing the following steps: determining the virtual machine's memory to be detected in response to inter-process communication requests from at least one detection process, wherein the inter-process communication request is used to request information associated with detection items of the memory to be detected; performing memory parsing on the memory to be detected according to the detection items to obtain parsing results, wherein the parsing results include memory information of the memory to be detected under the operating system of the virtual machine; transmitting the parsing results to the detection process through inter-process communication between the main process and the detection process, wherein the parsing results are used to perform detection according to the detection items in the detection process to obtain memory detection results, and the memory detection results are used to indicate the security level of the memory to be detected under the detection items.
[0281] Optionally, the computer-readable storage medium is further configured to store program code for performing the following steps: in response to an inter-process communication request, determining the interface corresponding to the inter-process communication request; and using the interface, invoking the virtual machine manager to read the memory to be detected.
[0282] Optionally, the computer-readable storage medium is further configured to store program code for performing the following steps: obtaining an inter-process communication request via inter-process communication, and in response to the obtained inter-process communication request, determining a request path for the inter-process communication request, wherein the request path includes parameters for obtaining memory information, the memory information being used to represent the running state of the virtual machine; and determining an interface corresponding to the request path.
[0283] Optionally, the computer-readable storage medium is also configured to store program code for performing the following steps: transmitting memory information to the detection process via an interface through inter-process communication.
[0284] Optionally, the computer-readable storage medium is further configured to store program code for performing the following steps: obtaining a reference address from a data structure of the memory to be detected according to the detection item, wherein the reference address is used to represent the starting address of the operating system kernel in the memory to be detected; and determining the parsing result based on the reference address.
[0285] Optionally, the computer-readable storage medium is further configured to store program code for performing the following steps: offsetting a reference address to obtain the address of at least one key data structure of the memory to be detected; using the key data structure to reconstruct the process control block on the operating system; and determining memory information that satisfies the data structure corresponding to the process control block.
[0286] Optionally, the computer-readable storage medium is also configured to store program code for performing the following steps: reporting memory detection results to the server.
[0287] Optionally, the computer-readable storage medium is also configured to store program code for performing the following steps: obtaining detection items from the server; loading the detection items into the detection process.
[0288] Optionally, the computer-readable storage medium is also configured to store program code for performing the following steps: reloading the detection item to the detection process in response to the detection item being in an abnormal state, or deleting the detection item from the detection process.
[0289] Optionally, the computer-readable storage medium is also configured to store program code for performing the following steps: obtaining memory detection results corresponding to the parsing results through inter-process communication.
[0290] Embodiments of this disclosure also provide a computer program product. Optionally, in this embodiment, the computer program product may include a computer program that, when executed by a processor, implements the methods provided in the embodiments described above.
[0291] Embodiments of this disclosure also provide a computer program product. Optionally, the computer program product may include a non-volatile computer-readable storage medium, which can be used to store a computer program that, when executed by a processor, implements the methods provided in the embodiments described above.
[0292] Embodiments of this disclosure also provide a computer program. Optionally, in this embodiment, when the computer program is executed by a processor, it implements the method provided in the above embodiments.
[0293] In the above embodiments of this disclosure, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.
[0294] In the several embodiments provided in this disclosure, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the displayed or discussed mutual couplings, direct couplings, or communication connections may be through some interfaces; indirect couplings or communication connections between units or modules may be electrical or other forms.
[0295] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0296] Furthermore, the functional units in the various embodiments of this disclosure can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0297] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this disclosure. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard drive, magnetic disk, or optical disk.
[0298] The above description is only a preferred embodiment of this disclosure. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principles of this disclosure, and these improvements and modifications should also be considered within the scope of protection of this disclosure.
Industrial applicability
[0299] This disclosure provides a method for detecting memory in a virtual machine. Outside the virtual machine, memory parsing logic and security detection logic can be decoupled through inter-process communication. When detecting memory information under the operating system of the virtual machine, multiple detection processes operate independently and can execute in parallel. An error or exception in any one of these processes will not affect the normal operation of the main process or other detection processes, thus improving the stability (robustness) of the memory detection system. Furthermore, since there is no need to install agent software in the virtual machine, potential performance overhead and the risk of exploitation or bypass by malicious software are avoided, significantly reducing virtual machine resource consumption. This achieves the goal of effectively detecting the memory security of the virtual machine, improving the efficiency of virtual machine memory detection, and enhancing the stability and scalability of the virtual machine memory detection system.
Claims
1. A memory detection method for a virtual machine, applied to a memory detection system, wherein the memory detection system runs a main process that executes the following: in response to an inter-process communication request from at least one detection process, determining the memory of the virtual machine to be detected, wherein the inter-process communication request is used to request information associated with a detection item of the memory to be detected; parsing the memory to be detected according to the detection item to obtain a parsing result, wherein the parsing result includes memory information of the memory to be detected under the operating system of the virtual machine; and transmitting the parsing result to the detection process through inter-process communication between the main process and the detection process, wherein the parsing result is used to perform detection according to the detection item in the detection process to obtain a memory detection result, and the memory detection result is used to indicate the security level of the memory to be detected under the detection item.
2. The method according to claim 1, wherein, in response to the inter-process communication request from the at least one detection process, determining the memory of the virtual machine to be detected includes: in response to the inter-process communication request, determining the interface corresponding to the inter-process communication request; and using the interface, invoking the virtual machine manager to read the memory to be detected.
3. The method according to claim 2, wherein, in response to the inter-process communication request, determining the interface corresponding to the inter-process communication request includes: obtaining the inter-process communication request through the inter-process communication, and in response to the obtained inter-process communication request, determining the request path of the inter-process communication request, wherein the request path includes parameters for obtaining the memory information, and the memory information is used to represent the running state of the virtual machine; and determining the interface corresponding to the request path.
4. The method according to claim 3, wherein transmitting the parsing result to the detection process through inter-process communication between the main process and the detection process includes: transmitting the memory information to the detection process via the interface through the inter-process communication.
5. The method according to claim 1, wherein parsing the memory to be detected according to the detection item to obtain the parsing result includes: obtaining, according to the detection item, a reference address from a data structure of the memory to be detected, wherein the reference address is used to represent the starting address of the kernel of the operating system in the memory to be detected; and determining the parsing result based on the reference address.
6. The method according to claim 5, wherein determining the parsing result based on the reference address includes: offsetting the reference address to obtain the address of at least one key data structure of the memory to be detected; reconstructing the process control block on the operating system using the key data structure; and determining the memory information that satisfies the data structure corresponding to the process control block.
7. The method according to any one of claims 1 to 6, further comprising: reporting the memory detection result to a server.
8. The method according to any one of claims 1 to 6, further comprising: obtaining the detection item from a server; and loading the detection item into the detection process.
9. The method according to any one of claims 1 to 6, further comprising: in response to the detection item being in an abnormal state, reloading the detection item into the detection process, or deleting the detection item from the detection process.
10. The method according to any one of claims 1 to 6, further comprising: obtaining the memory detection result corresponding to the parsing result through the inter-process communication.
11. A memory detection method for a virtual machine, applied to a memory detection system, wherein the memory detection system runs a detection process that executes the following: transmitting an inter-process communication request to the main process of the memory detection system through inter-process communication between the detection process and the main process, wherein the inter-process communication request is used to request information associated with a detection item of the memory of the virtual machine to be detected, the inter-process communication request is used to enable the memory detection system to determine the memory to be detected in the main process, the memory to be detected is used to enable the memory detection system to perform memory parsing according to the detection item in the main process to obtain a parsing result, and the parsing result includes memory information of the memory to be detected under the operating system of the virtual machine; obtaining the parsing result from the main process through the inter-process communication; detecting the parsing result according to the detection item to obtain a memory detection result, wherein the memory detection result is used to indicate the security level of the memory to be detected under the detection item; and transmitting the memory detection result to the main process through the inter-process communication.
12. A memory detection system for a virtual machine, comprising a memory detection end and a memory parsing end, wherein the memory detection end runs at least one detection process and the memory parsing end runs a main process; the memory detection end is configured to transmit an inter-process communication request to the main process through inter-process communication between the detection process and the main process, wherein the inter-process communication request is used to request information associated with a detection item of the memory of the virtual machine to be detected; the memory parsing end is configured to, in response to the inter-process communication request, determine the memory to be detected, and to perform memory parsing on the memory to be detected according to the detection item to obtain a parsing result, wherein the parsing result includes memory information of the memory to be detected under the operating system of the virtual machine; and the memory detection end is further configured to obtain the parsing result from the main process through the inter-process communication, and to detect the parsing result according to the detection item to obtain a memory detection result, wherein the memory detection result is used to indicate the security level of the memory to be detected under the detection item.
13. The system according to claim 12, wherein the memory parsing end includes an inter-process communication component and a memory parsing component, wherein: the inter-process communication component is configured to, in response to the inter-process communication request, determine the interface corresponding to the inter-process communication request, and, using the interface, trigger the memory parsing component to call the virtual machine manager to read the memory to be detected; and the memory parsing component is configured to perform memory parsing on the read memory to be detected according to the detection item to obtain the parsing result.
14. The system according to claim 13, wherein the inter-process communication component is configured to obtain the inter-process communication request through the inter-process communication, and in response to the obtained inter-process communication request, determine the request path of the inter-process communication request, wherein the request path includes parameters for obtaining the memory information, and the memory information is used to represent the running state of the virtual machine; and to determine the interface corresponding to the request path.
15. The system according to claim 14, wherein the inter-process communication component is configured to transmit the memory information to the detection process via the interface through the inter-process communication.
16. The system according to claim 13, wherein the memory parsing component is configured to obtain, according to the detection item, a reference address from a data structure of the memory to be detected, wherein the reference address is used to represent the starting address of the kernel of the operating system in the memory to be detected; and to determine the parsing result based on the reference address.
17. The system according to claim 16, wherein the memory parsing component is configured to offset the reference address to obtain the address of at least one key data structure of the memory to be detected; reconstruct the process control block on the operating system using the key data structure; and determine the memory information that satisfies the data structure corresponding to the process control block.
18. The system according to claim 13, wherein the system further includes a server-side component, and the memory parsing end further includes a main control component, wherein: the memory detection end is configured to transmit the memory detection result to the inter-process communication component through the inter-process communication; the main control component is configured to report the memory detection result from the inter-process communication component to the server-side component; the server-side component is configured to send the memory detection result to a client; the main control component is configured to obtain the detection item from the server-side component and to load the detection item into the detection process; and/or the main control component is configured to start the inter-process communication component in response to the inter-process communication request.
19. A computer-readable storage medium including an executable program, wherein, when the executable program is executed, it controls the device containing the storage medium to perform the method according to any one of claims 1 to 11.
20. A computer program product including a computer program that, when executed by a processor, implements the method according to any one of claims 1 to 11.