CN101739519A - Monitoring apparatus and monitoring method for hardware - Google Patents
- Publication number
- CN101739519A
- Authority
- CN
- China
- Prior art keywords
- instruction
- address value
- hardware
- supervising
- point information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a monitoring apparatus and a monitoring method for hardware. The hardware comprises a central processing unit and a storage module. The monitoring apparatus comprises an acquisition module and an analysis module, wherein the acquisition module is used for acquiring the entry point information of a process before the process is executed; and the process comprises at least one command. The analysis module acquires a corresponding address value of the process according to the entry point information, wherein the address value can correspond to a storage block which stores the at least one command. When the central processing unit executes the at least one command of the process, the storage module records the at least one command of the process according to the address value.
Description
Technical field
The invention relates to a monitoring apparatus and a monitoring method for a piece of hardware, and in particular to a monitoring apparatus and a monitoring method that can prevent the hardware from being attacked by a malicious process.
Background technology
With the development of the information industry, computers and networks occupy an indispensable place in daily life. Processing all kinds of data with a computer, or searching for information, shopping and exchanging data over the network, have all become habitual parts of human life. Further, services such as online credit-card checkout, online shopping orders and web ATMs are network services that many people use frequently.
However, precisely because users rely so heavily on computers and networks, malware has the opportunity to harm a user's computer. For example, malware may steal important data stored in the computer over the network, a USB flash drive, infrared or Bluetooth, destroy information inside the computer, or even restrict the user's right to use the computer system by taking control of it. In addition, some malware installs adware or spam software on the user's computer, troubling the user and wasting valuable network resources. Accordingly, the security of computers and networks is a significant problem.
In order to prevent malware from damaging a user's computer in the ways described in the preceding paragraph, an antivirus program has conventionally been used to stop malware from accessing or damaging the user's computer. The antivirus program detects and blocks malware according to malware characteristics established by a malware analysis tool. In more detail, CWSandbox (a malware analysis tool) establishes characteristics for different kinds of malware by analyzing different malware samples, and Kaspersky (an antivirus program) detects and stops malware using these characteristics.
However, whatever the antivirus program or malware analysis tool, it is installed in the computer's operating system and runs in the same way malware does, through the operating system. In other words, the antivirus program or malware analysis tool executes in the same environment (the same operating system) as the malware. Consequently, when malware detects that it is running in an environment in which an antivirus program or malware analysis tool is executing, the malware can go further and disrupt the normal operation of that antivirus program or analysis tool. Alternatively, the malware can execute the instructions of some other normal program, causing the antivirus program or malware analysis tool to collect incorrect data. It follows that when an antivirus program residing in the operating system tries to detect the execution of malware that likewise resides in the operating system, its detection capability is considerably restricted.
Accordingly, with malware spreading unchecked day by day, how to design a monitoring method that does not execute within the operating system and cannot be detected in turn by the malware is a problem the industry urgently needs to solve.
Summary of the invention
One object of the present invention is to provide a monitoring apparatus for a piece of hardware. The hardware comprises a central processing unit and a memory module. The monitoring apparatus comprises an acquisition module and an analysis module. Before a process is executed, the acquisition module captures entry point information of the process from the memory module; the process comprises at least one instruction. The analysis module then obtains, from the central processing unit and according to the entry point information, an address value corresponding to the process, where the address value corresponds to the memory block storing the at least one instruction. When the central processing unit executes the at least one instruction of the process, the memory module of the hardware records the at least one instruction of the process according to the address value.
Another object of the present invention is to provide a monitoring method. The monitoring method comprises the following steps: before a process is executed, capturing entry point information of the process, where the process comprises at least one instruction; obtaining, according to the entry point information, an address value corresponding to the process, where the address value corresponds to the memory block storing the at least one instruction; executing the at least one instruction of the process; and recording the at least one instruction of the process according to the address value. Here a piece of hardware captures the entry point information and records the at least one instruction of the process according to the address value.
A further object of the present invention is to provide a computer program product storing a program for a monitoring method; after the program is loaded into a microprocessor, it can execute and complete the monitoring method described in the preceding paragraph.
In summary, the monitoring apparatus and monitoring method for a piece of hardware disclosed by the present invention can monitor every process executed on the hardware. When the computer executes the instructions that these processes comprise, the instructions are recorded and analyzed according to their corresponding address values. Accordingly, the present invention detects malware directly from the address values corresponding to the instructions of a process, without requiring operating system support, thereby improving on the shortcomings of the prior art. At the same time, by detecting malware in the manner described above, the present invention can also protect the various critical sections of the computer, such as memory, so as to prevent malware from destroying them and causing a process executing in the critical section to produce an unexpected result (such as skipping a verification procedure, control hijacking, etc.).
Description of drawings
After consulting the accompanying drawings and the embodiments described below, a person of ordinary skill in the technical field to which the invention pertains will understand the other objects, advantages, technical means and implementation aspects of the present invention, wherein:
Fig. 1 is a schematic diagram of the first embodiment of the present invention; and
Fig. 2 is a flow chart of the second embodiment of the present invention.
Embodiment
The present invention relates to a monitoring apparatus and a monitoring method for a piece of hardware. The advantage of the present invention is that the existence of the monitoring apparatus can be kept from detection by a malicious process, and that information at the level of a comparatively high-level programming language can be analyzed within the hardware. Note that a program is defined as a file that can be loaded and executed, while a process is defined as a program that is being executed; for simplicity, however, the present invention also refers to a program about to be executed as a process. The following embodiments serve to illustrate the content of the present invention and are not intended to limit it. In the following embodiments and drawings, elements unrelated to the present invention are omitted and not illustrated.
As shown in Fig. 1, the first embodiment of the present invention is a monitoring apparatus 13 for a piece of hardware 11. Hardware 11 has a central processing unit 111 and a memory 113, and the user controls the elements of hardware 11 through an operating system 15. Operating system 15 can be any commercially available operating system, such as Microsoft Windows, Apple's Macintosh operating system, Linux or Unix; in the first embodiment, operating system 15 is Microsoft Windows. Hardware 11 can be a personal computer (PC) or a Macintosh (MAC) sold by Apple Computer; in the first embodiment, hardware 11 is a personal computer. Note that the present invention does not limit the kind of operating system 15 or hardware 11; a person of ordinary skill in the art can use other kinds of operating system and hardware, and combinations of them, to implement the present invention, so this is not repeated here.
After the acquisition module 131 of monitoring apparatus 13 obtains entry point information 112, analysis module 133 obtains, according to entry point information 112, the CR3 value 110 present in central processing unit 111 that corresponds to the process 150 about to be executed. Process 150 is composed of a plurality of instructions, for example instructions 150a, 150b and 150c, combined to achieve a specific purpose, such as writing a document or editing a file. Instructions 150a, 150b and 150c all carry the same CR3 value 110 as process 150. The instructions 150a, 150b and 150c comprised by process 150 are stored in memory 113 of hardware 11. Besides achieving its specific purpose through instructions 150a, 150b and 150c, process 150 can also have central processing unit 111 execute various system calls 152 stored in operating system 15 to assist instructions 150a, 150b and 150c in achieving the specific purpose of process 150.
In the present embodiment, process 150 is a portable executable file (PE file). A portable executable file is the standard executable format used by operating system 15, for example an executable file (.exe file) or a dynamic link library file (DLL file) in a Microsoft system. System call 152 can be a Win32 system call or a native system call. Likewise, system call 152 carries the same CR3 value 110 as process 150. A person of ordinary skill in the art can understand the composition of process 150 from existing technical documents and their own knowledge, so this is not repeated here.
After process 150 begins executing, central processing unit 111 fetches instructions 150a, 150b and 150c from memory 113 and processes them, and these instructions 150a, 150b and 150c all carry the same CR3 value 110 as process 150. When instructions 150a, 150b and 150c are processed, monitoring apparatus 13 records instructions 150a, 150b and 150c in memory 113 of hardware 11 according to their CR3 value 110. Likewise, when central processing unit 111 fetches and processes the system call 152 corresponding to process 150 from operating system 15, monitoring apparatus 13 also records system call 152 in memory 113 of hardware 11 according to its CR3 value 110.
While process 150 is executing, or after it has finished, the judgment module 137 of monitoring apparatus 13 obtains from memory 113 all of the instructions 150a, 150b and 150c and system calls 152 that process 150 executed, and compares these executed instructions 150a, 150b and 150c and system calls 152 with a malicious process behavior model (not illustrated) to judge whether process 150 is a malicious process.
When process 150, while executing or after finishing, is judged to be a malicious process because it matches the malicious process behavior model, the blocking module 139 of monitoring apparatus 13 can directly send a shutdown signal 130 to central processing unit 111 to terminate the process 150 judged to be malicious. In more detail, if one of the instructions of process 150 (such as instruction 150b) or its system call 152, when executed by central processing unit 111, accesses a critical block 115 of hardware 11, the blocking module 139 of monitoring apparatus 13 sends a shutdown signal 130 to central processing unit 111 to terminate the process 150 judged to be malicious, thereby preventing process 150 from accessing critical block 115 of hardware 11.
The present embodiment mainly uses monitoring apparatus 13 to record and collect the instructions and system calls that central processing unit 111 processes while process 150 executes, and thereby summarizes the behavior model of process 150. Monitoring apparatus 13 then compares the behavior model of process 150 with the behavior model of a malicious process; if the two are very similar, the chance that process 150 is a malicious process is quite high. Monitoring apparatus 13 can then intercept the process 150 judged to be malicious, protecting the data stored in each element of the hardware.
The present invention does not limit the scope of critical block 115 of hardware 11. Critical block 115 can be the program counter (PC) in the hardware, which relates to the program execution sequence; the translation lookaside buffer (TLB), which relates to virtual address translation; or any other block that would cause hardware 11 to operate abnormally if modified or destroyed. A person of ordinary skill in the art can define critical block 115 of hardware 11 on their own, so this is not repeated here.
The second embodiment of the present invention is a monitoring method as shown in Fig. 2, which can be used with a suitable monitoring apparatus such as the monitoring apparatus 13 of the first embodiment. More specifically, the monitoring method of the second embodiment can be carried out by a computer program: after a microprocessor loads the computer program and executes the plurality of instructions it comprises, the monitoring method of the second embodiment is completed. The computer program can be stored in a computer-readable storage medium, such as a read-only memory (ROM), a flash memory, a floppy disk, a hard disk, an optical disc, a magnetic tape, a database accessible over a network, or any other storage medium with the same function known to a person skilled in the art.
The monitoring method of the second embodiment comprises the following steps. First, step 301 is executed: before a process is executed, entry point information of the process is captured, where the process comprises at least one instruction. Then step 303 is executed: an address value is assigned to the process. Step 305 is then executed: according to the entry point information, the address value corresponding to the process is obtained. Step 307 executes the at least one instruction corresponding to the process. Step 309 is then executed: the at least one instruction corresponding to the process is recorded according to the address value.
Step 311 executes at least one system call corresponding to the process. Then step 313 records the at least one system call corresponding to the process according to the address value. Step 315 is then executed: according to the recorded at least one instruction and at least one system call, it is judged whether the process is a malicious process. If so, step 317 is executed to respond to the process. If the process is not a malicious process, steps 301 to 315 are repeated to judge whether another process is a malicious process.
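The recording, comparison and blocking steps of the second embodiment (steps 301 through 317), and the corresponding modules 131 through 139 of the first embodiment, as an added Python simulation that is not part of the patent: a constructed trace of executed instructions and system calls, each tagged with the CR3 value of the process that issued it, is grouped by that value; each process's system-call sequence is then compared with a hypothetical behavior model, and instructions that address a hypothetical critical block are flagged. The trace, the entry-point table, the behavior model (an ordered system-call subsequence, since the patent does not specify a model format), the address range of the critical block and the process names are all constructed for illustration.

```python
"""Added example, not code from the patent: a simulation of the CR3-keyed
recording, behavior-model comparison and blocking steps described above.
Every record, name and range below is constructed for illustration."""
import re
from collections import defaultdict

# Steps 301/305: constructed table relating a process's entry point information
# to the address value (CR3) obtained for it. Both labels are hypothetical.
ENTRY_POINTS = {
    "0x1a000": "sample_a.exe",   # hypothetical process judged malicious below
    "0x2b000": "sample_b.exe",   # hypothetical benign process
}

# Constructed trace of what the hardware-side recorder produces (steps 309/313):
# (CR3 of the running process, record kind, executed instruction or system call).
SAMPLE_TRACE = [
    ("0x1a000", "insn",    "mov eax, [ebp-4]"),
    ("0x1a000", "syscall", "NtOpenFile"),
    ("0x2b000", "insn",    "push ebp"),
    ("0x1a000", "syscall", "NtReadFile"),
    ("0x2b000", "syscall", "NtQuerySystemTime"),
    ("0x1a000", "syscall", "NtCreateFile"),
    ("0x1a000", "insn",    "mov [0xf010], eax"),   # store into the critical block below
    ("0x1a000", "syscall", "NtWriteFile"),
    ("0x2b000", "syscall", "NtClose"),
]

# Hypothetical malicious-process behavior model: an ordered system-call pattern.
# The patent does not specify a model format; a subsequence match is used here.
MALICIOUS_MODEL = ["NtOpenFile", "NtReadFile", "NtCreateFile", "NtWriteFile"]

# Hypothetical critical block 115 expressed as an inclusive address range.
CRITICAL_BLOCK = (0xF000, 0xFFFF)

# Matches a literal hex memory operand such as "[0xf010]" in a recorded instruction.
MEM_OPERAND = re.compile(r"\[(0x[0-9a-fA-F]+)\]")


def record_trace(trace):
    """Group every executed instruction and system call under the CR3 value of
    the process that issued it, as memory 113 does in the first embodiment."""
    records = defaultdict(list)
    for cr3, kind, value in trace:
        records[cr3].append((kind, value))
    return dict(records)


def is_subsequence(pattern, seq):
    """True when `pattern` occurs in `seq` in order, not necessarily contiguously."""
    it = iter(seq)
    return all(any(item == p for item in it) for p in pattern)


def matches_model(process_records, model=MALICIOUS_MODEL):
    """Step 315: compare one process's recorded system calls with the model."""
    syscalls = [value for kind, value in process_records if kind == "syscall"]
    return is_subsequence(model, syscalls)


def touches_critical_block(process_records, block=CRITICAL_BLOCK):
    """True when any recorded instruction addresses memory inside the critical block."""
    lo, hi = block
    for kind, value in process_records:
        if kind != "insn":
            continue
        if any(lo <= int(addr, 16) <= hi for addr in MEM_OPERAND.findall(value)):
            return True
    return False


def evaluate(trace, model=MALICIOUS_MODEL):
    """Steps 315/317 for every process in the trace. A process that matches the
    model is judged malicious and receives the shutdown signal; whether it also
    reached the critical block is reported alongside the verdict."""
    verdicts = {}
    for cr3, recs in record_trace(trace).items():
        malicious = matches_model(recs, model)
        verdicts[cr3] = {
            "process": ENTRY_POINTS.get(cr3, "unknown"),
            "malicious": malicious,
            "critical_access": touches_critical_block(recs),
            "action": "shutdown" if malicious else "allow",
        }
    return verdicts


if __name__ == "__main__":
    for cr3, verdict in evaluate(SAMPLE_TRACE).items():
        print(cr3, verdict)
```

Keying every record on CR3 rather than on an operating-system process identifier is what lets this check run outside the operating system: the value comes from the processor, so a process cannot relabel its own records. In this simulation the process tagged 0x1a000 matches the model and also stores into the critical block, so it gets the shutdown action, while 0x2b000 is allowed.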
In summary, the present invention directly monitors, in a piece of hardware, the instructions of the processes handled by the central processing unit; when the user executes on the hardware the instructions or system calls that these processes comprise, the instructions and system calls are recorded and analyzed according to their corresponding address values. Accordingly, the present invention detects malware directly from the address values corresponding to the instructions of a process, without requiring operating system support, thereby improving on the shortcoming of the prior art that malware can only be detected with the assistance of the operating system.
The above embodiments only exemplify implementation aspects of the present invention and explain its technical features; they are not intended to limit the scope of protection of the present invention. Any change or equivalent arrangement that a person skilled in the art could make without effort falls within the scope claimed by the present invention; the scope of the present invention is to be determined by the claims.
Claims (12)
1. A monitoring method, comprising the following steps:
before a process is executed, capturing entry point information of the process, wherein the process comprises at least one instruction;
according to the entry point information, obtaining an address value corresponding to the process, wherein the address value corresponds to a memory block storing the at least one instruction;
executing the at least one instruction of the process; and
recording the at least one instruction of the process according to the address value;
wherein a piece of hardware captures the entry point information and records the at least one instruction of the process according to the address value.
2. The monitoring method according to claim 1, characterized in that it further comprises the following step:
assigning the address value to the process.
3. The monitoring method according to claim 1, characterized in that the entry point information is a processor mark.
4. The monitoring method according to claim 1, characterized in that it further comprises the following steps:
executing at least one system call corresponding to the process; and
recording the at least one system call according to the address value.
5. The monitoring method according to claim 4, characterized in that the system call is one of a Win32 system call and a native system call.
6. The monitoring method according to claim 1, characterized in that it further comprises the following steps:
according to the recorded at least one instruction of the process, judging that the process is a malicious process; and
responding to the process.
7. A monitoring apparatus for a piece of hardware, the hardware comprising a central processing unit, a memory module and a critical block, the monitoring apparatus comprising:
an acquisition module, which, before a process is executed, captures entry point information of the process from the memory module, wherein the process comprises at least one instruction;
an analysis module, for obtaining from the central processing unit, according to the entry point information, an address value corresponding to the process, wherein the address value corresponds to a memory block storing the at least one instruction; and
wherein, when the central processing unit executes the at least one instruction of the process, the memory module of the hardware records the at least one instruction of the process according to the address value.
8. The monitoring apparatus according to claim 7, characterized in that an operating system assigns the address value to the process.
9. The monitoring apparatus according to claim 7, characterized in that the entry point information is a processor mark.
10. The monitoring apparatus according to claim 7, characterized in that, when the central processing unit executes at least one system call corresponding to the process, the memory module of the hardware records the at least one system call according to the address value.
11. The monitoring apparatus according to claim 10, characterized in that the system call is one of a Win32 system call and a native system call.
12. The monitoring apparatus according to claim 7, characterized in that it further comprises:
a judgment module, which judges, according to the at least one instruction of the process recorded by the memory module of the hardware, that the process is a malicious process; and
a blocking module, which responds to the process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008101786590A CN101739519B (en) | 2008-11-24 | 2008-11-24 | Monitoring apparatus and monitoring method for hardware |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101739519A true CN101739519A (en) | 2010-06-16 |
CN101739519B CN101739519B (en) | 2013-01-16 |
Family
ID=42462995
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2008101786590A Expired - Fee Related CN101739519B (en) | 2008-11-24 | 2008-11-24 | Monitoring apparatus and monitoring method for hardware |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101739519B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107220544A (en) * | 2016-03-22 | 2017-09-29 | 趣斯特派普有限公司 | System and method for detecting command sequence interested |
CN113239364A (en) * | 2021-06-11 | 2021-08-10 | 杭州安恒信息技术股份有限公司 | Method, device, equipment and storage medium for detecting vulnerability exploitation |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1728106A (en) * | 2004-07-26 | 2006-02-01 | 中兴通讯股份有限公司 | Method for positioning malfunction of application program |
CN1936910A (en) * | 2005-11-16 | 2007-03-28 | 白杰 | Method for identifying unknown virus programe and clearing method thereof |
WO2007071999A1 (en) * | 2005-12-20 | 2007-06-28 | Symbian Software Limited | Malicious software detection in a computing device |
CN101281571A (en) * | 2008-04-22 | 2008-10-08 | 白杰 | Method for defending unknown virus program |
2008
- 2008-11-24 CN CN2008101786590A patent/CN101739519B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN101739519B (en) | 2013-01-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130116; Termination date: 20201124 |