49 results about "Shellcode" patented technology

According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically to detect potential shellcode at a first storage location within a region of memory allocated for an application, conduct a first search at one or more storage locations prior to the first storage location within the region of allocated memory for at least one or more patterns, conduct a second search at one or more storage locations subsequent to the first storage location within the region of allocated memory for at least one or more patterns, detect a first pattern at one or more storage locations prior to the first storage location within the region of allocated memory, and detect a second pattern at one or more storage locations subsequent to the first storage location with the region of allocated memory, wherein at least one of the first pattern or the second pattern is absent from a predefined list of patterns.

The invention belongs to the field of computer security, and relates to a method for detecting web page Trojan horse based on program execution characteristics, which comprises the following steps: using web crawlers to capture source codes of a web page; then obtaining a recognizable script program through multilevel decoding; carrying out disassembling processing on the script program to obtainassembled source codes while reserving the script program; then, judging whether a large number of filled invalid instructions, calling system level functions and obvious URL links exist in the sourcecodes; and finally detecting whether the Trojan horse exists in the web page through the assembled source codes in a deep level. Because most of the prior web pages with the Trojan horse are embeddedwith ShellCode, to execute the ShellCode in the web pages in a local computer, system vulnerability is needed to realize buffer overflow and enable the program to skip onto the ShellCode code segment. Thus, only by analyzing the condition of executing the ShellCode, and analyzing the source codes according to the execution characteristics, whether the web page to be detected is the web page Trojan horse can be quickly detected.

Detecting buffer-overflow exploits scans generically for shellcode without using virus signatures and maintains close to a zero false-positive rate. Shellcode is detected generically without determining specifically which buffer-overflow exploit is being used. Protection is offered against unknown buffer-overflow exploits. A file is scanned to determine if a vulnerable buffer in that file includes suspect code that has characteristics of shellcode. Next, it is determined if the suspect code contains a routine to find the imagebase of Kernel32.dll using any of the techniques of PEB, TOS or SEH (process environment block, top of stack or structured exception handling). It is next determined if the suspect code contains a routine to search for APIs in the export table of kernel32.dll. Techniques for analyzing the suspect code include static analysis and executing the code in an emulator. A high sensitivity setting determines that shellcode is present when any of the techniques of PEB, TOS or SEH are found.

Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.

A malicious code tracking and recognizing method based on memory protection type monitoring includes the following steps that 1, a developed dynamic link library is injected into a target process; 2, vectorization manipulation function take-over anomaly is applied and used for conducting abnormal segment static analysis and dynamic analysis; 3, the interface function of memory protection attribute is hijacked and modified; 4, whether each call is located in stack space or not is detected; 5, whether the parameter of each call includes an attribute tag or not is judged; 6, for the interface function call of modifying the memory protection attribute into an executable attribute, the executable protection tag location is eliminated; 7, the parameter environment called by the interface function this time is recorded; 8, the original interface function is called so that the program can operate normally; 9, vulnerability attack finding is reported. By means of the steps, the effect of recognizing malicious code (shellcode) in the vulnerability attack process is achieved, and the problems that in the prior art, protection coverage area is small, and compatibility is low are solved.

A method for recognizing malicious file has steps: receiving a static file through a network or an input/out interface to be stored in the memory; defining suspicious positions where components of a malware are possibly encrypted in the static file; decrypting the suspicious positions to identify a PE header and a shellcode; extracting the PE header and the shellcode terms in segments; and determining whether the PE header and the shellcode terms can be assembled into an executable binary which indicates a recognition of the malicious file.

The invention relates to the field of computers, and in particular to a method and an apparatus for detecting Shellcode based on stack frame abnormity. The method comprises the following steps: based on each designated API function, separately generating a corresponding stack frame chain, and separately detecting each stack frame of each stack frame chain in order, selecting all stack frames with abnormities, wherein the detection of one stack frame includes the following steps: detecting whether an element indicator of the one stack frame suits a preset condition, and if the element indicator is determined not to meet the preset condition, determining the one stack frame is abnormal; and the element indicator including one or a combination of stack frame length, stack frame EBP address and stack frame returning address. The mere detection of the stack frame chain which corresponds to a designated API function can avoid blind detection on all functions, and reduces system performance spending. And the method selects abnormal stack frames based on the element indicator of the stack frame, which increases the system detection performance and reduce rate of false alarm.

The invention discloses a malicious code sample extraction method and a system based on a document type bug. The method comprises the steps that a shellcode in a document is positioned; the positioned shellcode is extracted, and then converted into a PE (Portable Executable) file; the PE file is operated; whether the PE file releases a file is judged; if so, the released file serves as a malicious code sample to be extracted; if not, whether the PE file downloads a file is judged; if so, the downloaded file serves as a malicious code sample to be extracted; and if not, malicious code sample extraction on the document is abandoned. Compared with the traditional culture method, the method extracts more accurately, quickly and conveniently.

The invention discloses a Heapspray detection method based on intermediate command dynamic instrumentation, belonging to the technical field of computer security. The method comprises the following steps of: (1) setting a virtual machine used for explaining and implementing webpage dynamic script into a single-step operating state; (2) judging whether an intermediate command to be implemented currently is an assignment type intermediate command or not; (3) if so, then judging whether a rvalue parameter type in command parameters is a alphabetic string type or not; if the rvalue parameter is the alphabetic string type and a value thereof is less than a set threshold value P, then checking whether shellcode exists or not; if the rvalue parameter is larger than the set threshold value P, then calculating an information entropy value thereof; and (4) taking a next intermediate command and repeating the step (2) and the step (3); if a rvalue parameter of an assignment type intermediate command has the shellcode and an entropy value of a rvalue parameter of the other assignment type intermediate command is less than the set threshold value, then judging the script to have a Heapspray action. The invention can reduce system overhead and improve the accuracy rate of detection.

An embodiment of the invention relates to the technical field of computer security, in particular to a detection method and a detection device for an attack in a spray pattern, which are used to solve a problem that a method judging whether the attack in the spray pattern exists simply by detecting whether a shellcode can be executed is possible to be subjected to detection failure. The method disclosed by the embodiment of the invention comprises the steps of: detecting a calling situation of a sensitive function; if calling of the sensitive function is abnormal and an accumulative number of memory blocks that are abnormal is not less than a first threshold value, performing time stamp detection upon the memory blocks that are abnormal during a calling progress of the sensitive function, generating a first fraction according to a result of the time stamp detection; if the first fraction is not less than a second threshold value, determining that an application is subjected to attach in the spray pattern. Whether the attack in the spray pattern exists can be judged simply by detecting time stamps of the abnormal memory blocks, so that occurrences of detection failure are reduced.

The invention relates to a similarity match based rapid detection method for a malicious shellcode, and advantages of traditional dynamic and static detection technologies are combined in the rapid detection method. The rapid detection method comprises that data to be detected is determined; a decoder is called to implement simulated execution detection; simulatied detection is carried out on the data to be detected and a sample library via a Shingle algorithm; and when the similarity coefficient is greater than a threshold 40%, it can be determined that attack behavior of the malicious shellcode exists in the data to be detected, and early warning is made. According to the rapid detection method, a simulator which implements deep simulated execution and system function Hook is not needed, the detection consumption of the dynamic simulated detection technology is further reduced, the throughput of detection data is improved, the detection speed for multi-state malicious codes is improved, and influence on the network speed is reduced.

The invention discloses a network threat analysis method and system. The English name of the network threat analysis system is ThreatAnalysis Center (hereinafter referred to as TAC for short). Known and unknown malicious software and files entering a network through a webpage, an e-mail or other online file sharing modes can be effectively detected, APT attack behaviors utilizing 0day vulnerabilities are discovered, and a client network is protected from various risks caused by attacks such as 0day. According to the TAC system, a multi-core virtualization platform is adopted, and higher performance and higher detection rate are achieved through a parallel virtual environment detection and stream processing mode. The system comprises four core detection assemblies: a reputation detection engine, a virus detection engine, a static detection engine (including vulnerability detection and shellcode detection) and a dynamic sandbox detection engine, through parallel detection of multiple detection technologies, a 0day attack and an unknown attack can be effectively detected while a known threat is detected, so that an advanced sustainable threat can be effectively monitored.

Disclosed is a dynamic detection method of a Shellcode. The method comprises the steps that network data flow is firstly grabbed and divided, and a plurality of execution links are obtained; then an operating system breakpoint is triggered to be abnormal, and the register value and internal storage content in the abnormality triggering process are used as an initial register value and internal storage content to be stored; finally, the execution links are executed in sequence, meanwhile, whether an endless loop or operating system abnormality occurs or not is detected in the execution process of each execution link, the current execution link has no Shellcode if the endless loop or operating system abnormality occurs, and otherwise whether the current execution link has the Shellcode or not is detected in a starting method, and detection is completed. According to the method, the Shellcode with the code obfuscation technology can be detected, the virtualization technology is not adopted, deployment is easy, the Shellcode capable of finding virtualization environment can be detected effectively, and the probability of Shellcode detection exposure is greatly reduced.

The invention discloses a Shellcode detection method based on virtual execution, which comprises the following steps of putting a network byte stream in a virtual machine to be subject to controlled execution, monitoring the execution process, and judging whether the Shellcode exists or not according to the characteristics existing in the execution process. For the Shellcode using polymorphic technology, a user can get good detection effect by using the method, and the information safety of the user can be ensured.

The invention provides a ShellCode detecting method and device. The method comprises the steps of establishing a ShellCode instruction sequence feature library containing a ShellCode feature sequence; loading a file to be detected and analyzing the file to be detected to obtain an analyzed file; conducting simulated instruction execution and analysis on the analyzed file, recording suspicious instruction sequences, comparing the suspicious instruction sequences with the ShellCode feature sequence in the ShellCode instruction sequence feature library, and judging whether the analyzed file contains the ShellCode; outputting a detection result. According to the ShellCode detecting method and device, detection can be conducted before ShellCode execution, the influence of the ShellCode on a system is prevented, and malicious tampering is prevented in time.

Various automated techniques are described herein for protecting computing devices from malicious code injection and execution by providing a malicious process with incorrect information regarding the type and/or version and/or other characteristics of the operating system and/or the targeted program and/or the targeted computing device. The falsified information tricks the malicious process into injecting shellcode that is incompatible with the targeted operating system, program and/or computing device. When the incompatible, injected shellcode attempts to execute, it fails as a result of the incompatibility, thereby protecting the computing device.

A computer worm curing system includes a string receiving module, a string generating module and a string replying module. The string receiving module receives an infected string, which is generated by a computer worm, from an infected host, which is infected by the computer worm, through a network. The infected string includes a shellcode, and the shellcode is executed utilizing a vulnerable process. The string generating module generates a curing code for curing the computer worm, and replaces the shellcode in the infected string with the curing code to generate a curing string, such that the curing string can be executed utilizing the vulnerable process. The string replying module replies the curing string to the infected host, such that the curing code of the curing string can be executed utilizing the vulnerable process of the infected host to cure the infected host of the computer worm.

A communication monitoring apparatus for monitoring communication data which are transmitted among a plurality of nodes on a network, includes a detecting section for detecting whether or not a shellcode is included in communication data transmitted and received between at least two nodes within the plurality of nodes and a storing section for storing communication data transmitted from the two nodes as being starting points during a predetermined time, when the detecting section detected the shellcode in communication data.