CN103632093B - Trojan detecting method - Google Patents
Trojan detecting method
- Publication number
- CN103632093B (application CN201310425258.1A)
- Authority
- CN
- China
- Prior art keywords
- file
- dll
- function
- dll file
- fingerprint
- Prior art date
- Legal status (as listed by Google Patents; not a legal conclusion)
- Active
Abstract
An embodiment of the present invention provides a Trojan detection method. The method includes: scanning the dynamic link library (DLL) files under a set system directory and judging whether the file fingerprint of a DLL file has changed; if the file fingerprint of the DLL file has changed, judging whether a system update function has been called; and if the system update function has not been called, determining that the DLL file is a DLL Trojan. The method provided by the embodiment can detect DLL Trojans implanted by modifying system DLL files.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a Trojan detection method.
Background technology
With the development of Internet technology, network security problems have become increasingly prominent. In particular, the growing spread of Trojan programs directly leads to important user data, such as account names and passwords, being illegally stolen or destroyed.

Traditional Trojan detection mostly uses signature matching. Because signature matching depends on timely updates of the virus database, it performs poorly against new viruses, Trojans and variants of malicious files. To compensate for this lag, existing Trojan detection methods adopt active defence techniques: by monitoring the behaviours commonly used by viruses and Trojans, such as modifying the registry, registering unknown services and running new processes, most unknown viruses and Trojans can be identified.

To evade detection by existing antivirus software, Trojan developers have created the dynamic link library (Dynamic Link Library, DLL) Trojan. A DLL Trojan tampers with a system DLL file so that, when the system file runs, the system's own process automatically calls a remote-control payload stored in advance under some directory. Because a DLL Trojan is triggered by the system's own process calling it, it needs no registered service, no registry modification and no extra running process. Existing Trojan detection methods therefore fail to report this kind of DLL Trojan.
Summary of the invention
The present invention provides a Trojan detection method to detect DLL Trojans implanted by modifying system DLL files.

Embodiment one of the present invention provides a Trojan detection method, including:
scanning the dynamic link library (DLL) files under a set system directory and judging whether the file fingerprint of a DLL file has changed;
if the file fingerprint of the DLL file has changed, judging whether a system update function has been called;
if the system update function has not been called, determining that the DLL file is a DLL Trojan.

By scanning all DLL files under a set operating system directory, judging whether the file fingerprint of each DLL file has changed, and judging the reason for the change, the method provided by the present invention can detect DLL Trojans implanted by modifying system DLL files, making up for the shortcomings of existing antivirus software and better ensuring the normal operation of the user's operating system.
Accompanying drawing explanation
Fig. 1 is a flow chart of the Trojan detection method provided by embodiment one of the present invention;
Fig. 2 is a flow chart of the Trojan detection method provided by embodiment two of the present invention;
Fig. 3 is a flow chart of the Trojan detection method provided by embodiment three of the present invention.
Detailed description of the invention
Embodiment one
Embodiment one of the present invention provides a Trojan detection method. The technical solution of the method can be the program body of stand-alone antivirus software, a plug-in of existing antivirus software, or a plug-in of a client browser. Fig. 1 is a flow chart of the Trojan detection method provided by embodiment one. The steps of the method specifically include:

Step 101: scan the DLL files under a set system directory and judge whether the file fingerprint of each DLL file has changed. If yes, perform step 102; if not, do nothing and continue scanning the next file.
A file fingerprint includes a hash value computed from the file content with a set function, together with identification information such as the filename and timestamp. The file content is the actual data contained in the file; if any bit of binary data in the file changes, however small the change, the fingerprint corresponding to the file also changes.

All DLL files under the set directory are scanned, the file fingerprint corresponding to each DLL file is computed, and the computed fingerprint of each DLL file is compared with the fingerprint stored at the previous moment, so as to judge whether the file fingerprint of the DLL file has changed.
A DLL Trojan is implanted by modifying a system DLL file so that the modified DLL file becomes the DLL Trojan; the modified DLL file still retains the functions of the original system DLL, so that the system process corresponding to the original DLL keeps running. Detecting this kind of DLL Trojan therefore requires detecting whether a system DLL file has been modified.

During implantation, to remain hidden, a DLL Trojan usually disguises its externally visible information, such as filename and modification time, deliberately matching the name and modification time of the original system DLL file. Because of the nature of the file fingerprint, however, even if this external information is identical to that of the original system DLL file, the corresponding file fingerprint still changes. Therefore the DLL files under the set system directory need to be scanned and their file fingerprints checked for changes.
It should be noted that the scan of the DLL files under the set system directory can be triggered by the user through the operation interface of the antivirus software, for example by clicking a button such as "Start scan", or started automatically according to a preset scan time or frequency; the embodiment of the present invention is not limited in this respect.
Step 102: if the file fingerprint of the DLL file has changed, judge whether a system update function has been called. If not, perform step 103; if yes, the DLL is not a Trojan and no further processing is done.

Step 103: if the system update function has not been called, determine that the DLL file is a DLL Trojan.
Specifically, DLL files are executable files packaged by the operating system for running application programs and are normally not modified arbitrarily.

To patch vulnerabilities in the original operating system and avoid attacks by viruses, or to provide an operating system with more functions and a better, more convenient user experience, the existing operating system needs vulnerability fixes or upgrades. Whether it is patching a vulnerability or upgrading, the DLL files in the operating system will inevitably be modified. When a DLL file under a system directory is found to be modified while the system update function has not been called, that is, when the fingerprint change of the DLL file is not due to a system update, the DLL file has probably been maliciously tampered with and can be determined to be a DLL Trojan.
The embodiment of the present invention provides a Trojan detection method which, by scanning all DLL files under a set operating system directory, judging whether the file fingerprint of each DLL file has changed, and judging the reason for the change, can detect DLL Trojans implanted by modifying system DLL files, making up for the shortcomings of existing antivirus software and better ensuring the normal operation of the user's operating system.
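The scan, compare and decide rule of steps 101 to 103, as an added worked example in Python; this is not code from the patent. It fingerprints every DLL in a directory, compares against a stored baseline, keeps the superseded fingerprint as history, and applies the decision rule. Assumptions: it runs over a temporary directory of constructed files rather than a real System32; SHA-256 replaces the MD5 the patent names for the content hash (MD5 is no longer collision resistant); and a fingerprint flagged as a Trojan is not promoted into the baseline, so a later scan still sees the tamper.

```python
# Added example (not the patent's code): steps 101-103 over a directory of
# constructed fake DLLs. Assumptions: SHA-256 instead of the patent's MD5,
# a temporary directory instead of System32, placeholder file contents.
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fingerprint:
    name: str          # filename
    size: int
    mtime_ns: int      # last-write time (attacker-controllable via SetFileTime)
    digest: str        # hex SHA-256 of the full file content (the part that matters)


def fingerprint(path: str) -> Fingerprint:
    """Hash the whole file in chunks and record the identification fields."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    return Fingerprint(os.path.basename(path), st.st_size, st.st_mtime_ns, h.hexdigest())


def scan_dlls(directory: str) -> dict[str, Fingerprint]:
    """Fingerprint every file named *.dll (case-insensitive) directly under `directory`."""
    return {
        e.name.lower(): fingerprint(e.path)
        for e in os.scandir(directory)
        if e.is_file() and e.name.lower().endswith(".dll")
    }


@dataclass
class FingerprintStore:
    """Baseline fingerprints plus the superseded ones kept as history."""
    current: dict[str, Fingerprint] = field(default_factory=dict)
    history: dict[str, list[Fingerprint]] = field(default_factory=dict)

    def baseline(self, scanned: dict[str, Fingerprint]) -> None:
        """Initial fingerprints, e.g. taken right after a clean install."""
        self.current = dict(scanned)

    def check(self, scanned: dict[str, Fingerprint], system_update_called: bool) -> dict[str, str]:
        """Steps 101-103. Verdict per DLL: unchanged, updated, trojan, new or missing."""
        verdicts: dict[str, str] = {}
        for name, fp in scanned.items():
            old = self.current.get(name)
            if old is None:
                verdicts[name] = "new"           # not in baseline: outside the patent's rule, but worth reporting
                continue
            if old.digest == fp.digest:
                verdicts[name] = "unchanged"     # content hash decides; name/size/mtime can all be spoofed
                continue
            # step 102: content changed; is a system update the reason?
            verdicts[name] = "updated" if system_update_called else "trojan"
            self.history.setdefault(name, []).append(old)
            if verdicts[name] == "updated":
                self.current[name] = fp          # roll the baseline forward only for explained changes
        for name in self.current.keys() - scanned.keys():
            verdicts[name] = "missing"
        return verdicts


def run_scenario(system_update_called: bool) -> dict[str, str]:
    """Constructed scenario: three fake DLLs plus a non-DLL; comres.dll is then
    overwritten in place with its size and mtime preserved, and a new DLL appears."""
    fake_files = {
        "winsock.dll": b"MZ\x90\x00winsock v1",
        "shdoclc.dll": b"MZ\x90\x00shdoclc v1",
        "comres.dll": b"MZ\x90\x00comres v1",
        "readme.txt": b"not a dll, must be ignored",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in fake_files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        store = FingerprintStore()
        store.baseline(scan_dlls(d))

        target = os.path.join(d, "comres.dll")
        st = os.stat(target)
        with open(target, "wb") as fh:
            fh.write(b"MZ\x90\x00comres vX")    # same length, different bytes
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # what SetFileTime would do
        with open(os.path.join(d, "evil.dll"), "wb") as fh:
            fh.write(b"MZ\x90\x00dropped")

        return store.check(scan_dlls(d), system_update_called)


if __name__ == "__main__":
    print(run_scenario(system_update_called=False))
```

With no system update recorded, comres.dll is reported as a Trojan even though its name, size and modification time are identical to the baseline; with the update flag set, the same change is reported as an update and the new fingerprint replaces the old one, which is pushed into the history list.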
Embodiment two
Embodiment two of the present invention also provides a Trojan detection method. On the basis of the technical solution of the above embodiment, the set system directory in this method is at least one of the System32 directory, the Windows directory and a system environment variable directory.
Specifically, in existing Windows operating systems such as Windows XP, Windows 7 and Windows Vista, most system DLL files, including the DLL files of critical operating system processes, are stored under the System32 directory.

DLL files under the System32 directory such as Winsock.dll, Shdoclc.dll and Comres.dll belong to the DLL files most frequently used by the operating system, so the probability that they are modified into DLL Trojans is very high. Winsock.dll is an application programming interface file of the Windows operating system that supports many network-related applications; Shdoclc.dll is the file for Windows window and dialog settings; Comres.dll is a service support file of the Windows operating system.

DLL files under the System32 directory such as Sfc.dll and Sfc_os.dll are responsible for system file checking and can self-check the system's DLL files, so the probability that they become the target files tampered with by a DLL Trojan is also very high.
Based on the above, all DLL files under the System32 directory need to be scanned, which covers both the DLL files most frequently used by the operating system and the DLL files affecting critical operating system processes. A DLL Trojan injected by modifying a system DLL file must be called at the start of a system process, so it is most likely to modify a DLL file under the System32 directory. By scanning all DLL files under the System32 directory, tampered DLL files can be detected and the DLL Trojan determined.

The System32 directory lies under the Windows directory; the scan range can also be expanded to scan the Windows directory, which raises the probability of detecting the Trojan.
A system environment variable directory stores information needed by operating system processes at run time. It can be, for example, the directory of the Path environment variable, which stores application program locations or path information; before a system process starts, it looks up the needed path information via the DLL files under this directory and then calls the corresponding DLL file to start the process. A system environment variable directory can also be the OS environment variable directory, or the ComSpec environment variable directory, which stores the path of the command interpreter, and so on.

Because the System32 directory, the Windows directory and the system environment variable directories are critical directories of the operating system, they are the most likely implantation targets of a DLL Trojan; therefore, by scanning at least one of the System32 directory, the Windows directory and the system environment variable directories, DLL Trojans implanted under those directories can be detected.
In the above technical solution, the file fingerprint is a file characteristic value computed from the data in the DLL file with a message digest algorithm.

A message digest algorithm (Message-Digest Algorithm, MD for short) is also called a digest algorithm or hash algorithm. This embodiment uses MD5 as the characteristic value to check whether a DLL file has been modified.
On the basis of the above solution, the method also includes: when a DLL file is first stored under the set system directory, generating the corresponding file fingerprint for the DLL file; when the data of the DLL file is modified, generating a new file fingerprint from the modified DLL file data and keeping the original fingerprint as history.

Specifically, after the operating system is newly installed, the file fingerprints of all DLL files under the set directory can be computed and stored as the initial file characteristic values of the system.
Fig. 2 is a flow chart of the Trojan detection method provided by embodiment two of the present invention. As shown in Fig. 2, in this method, scanning the DLL files under the set system directory in step 101 of the above technical solution specifically includes:

Step 201: monitor whether a set system function is called; when the set system function is called, judge whether the operation object of the set system function is a DLL file under the system directory.

Step 202: when the operation object of the set system function is a DLL file under the system directory, determine the DLL file operated on by the set system function and scan that DLL file.

Step 101 specifically further includes:

Step 203: judge whether the file fingerprint of the DLL file has changed.
Specifically, the set system function can be monitored by installing a hook (HOOK) function on it. When the set system function undergoes an action change, that is, when an event occurs, such as the function being called or calling another function, the hook function returns a corresponding message; whether the set system function has been called can thus be monitored from the returned message.
To guarantee the stability of system operation, existing operating systems all have an operating system protection mechanism. In Windows XP this protection mechanism is System File Check (SFC); in Windows 7 and Windows Vista it is User Account Control (UAC). The operating system protection mechanism verifies the digital certificate of a modified system DLL file; if verification fails, the original system DLL file is restored from the cache and the modified DLL file is deleted. Because of this protection mechanism, system DLL files cannot be modified easily.

For a DLL Trojan injected by modifying a system DLL file to be successfully implanted, the system protection mechanism must first be cracked or bypassed.

Cracking or bypassing the operating system protection mechanism requires calling a set system function. Therefore, when the set system function is observed to be called, the operating system protection mechanism can be determined to have been cracked. When the operating system protection mechanism has been cracked and the file fingerprint of a DLL file under the set system directory has changed for a reason other than a system update, the DLL file whose fingerprint changed can be determined to be a DLL Trojan.
It should be noted that monitoring the set system function to judge whether the protection mechanism has been cracked, and scanning the DLL files under the set system directory to judge whether their file fingerprints have changed, have no strict temporal ordering: they can be performed simultaneously; the protection mechanism can first be checked for cracking and the DLL files then scanned and their fingerprints checked; or the DLL files can first be scanned and checked and the protection mechanism then checked for cracking.

Because the method of this embodiment requires both that the protection mechanism has been cracked and that the file fingerprint of a DLL file has changed, its detection of DLL Trojans is more accurate.
On the basis of the above solution, the set system function is an application programming interface (API) function, including at least one of an address acquisition function, a remote thread creation function and a file time setting function.

Specifically, the set system functions are some sensitive system functions, such as the address acquisition function GetProcAddress, the remote thread creation function CreateRemoteThread and the file time setting function SetFileTime.
The GetProcAddress function is used to retrieve the address of an exported function in a DLL. It should be noted that querying function addresses in a sensitive DLL file directly with GetProcAddress is usually found and reported by ordinary antivirus software, so GetProcAddress is often used together with the LoadLibrary function: the LoadLibrary function first obtains the handle (base address) of the DLL file, and that address is then passed as a parameter to GetProcAddress to retrieve the interface function address within the file. By calling the GetProcAddress and LoadLibrary functions, a DLL Trojan obtains function addresses in system DLL files and then modifies the DLL file directly through the interface address, which very likely bypasses the detection of existing antivirus software.
Calling the CreateRemoteThread function creates a new thread in another process; the created remote thread shares the address space of the remote process. Through a remote thread, the memory address space of the remote process is entered and the corresponding privileges of the remote process are obtained, so that the remote-control payload can be called when the system process starts. If this function is not called, the remote-control payload cannot be called when the system process starts and the Trojan function cannot be realized.

Calling the SetFileTime function modifies the file times (creation, access and last-write time) of the DLL Trojan so that it is disguised to look like the original system DLL file. If this function is not called, the modified DLL file can be detected directly by ordinary antivirus software and then removed.
In summary, the GetProcAddress, LoadLibrary, CreateRemoteThread and SetFileTime functions all need to be treated as sensitive functions, and whether a sensitive function is called is monitored in order to detect DLL Trojans that modify system DLLs.
On the basis of the above solution, further judging in step 103 whether the reason for the change of the DLL file's fingerprint belongs to a system update includes:

when the file fingerprint of the DLL file has changed, reading the file read/write record corresponding to the DLL file stored by a system process monitor;

determining, from the file read/write record corresponding to the DLL file, whether the reason for the change of the DLL file's fingerprint belongs to a system update.

Specifically, the system process monitor combines the two functions of a file monitor and a registry monitor; it can record the read/write records of all files under the current operating system and the registry activity of all processes. Therefore, by reading the read/write record corresponding to the DLL file in the system process monitor, the reason for the change of the DLL file's fingerprint can be determined.
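The read/write-record lookup just described, as an added example in Python that is not the patent's code: it parses a file-activity log in the style a process monitor produces, finds the last successful write to the changed DLL, and classifies the writer. Everything here is an assumption: the CSV layout, the set of processes treated as the system's updater, and the log lines themselves, which are constructed for the example.

```python
# Added example (not the patent's code): explain a fingerprint change from
# a process monitor's file-activity log. The CSV layout, the updater
# process names and every log line below are constructed assumptions.
import csv
import io
import ntpath
from dataclasses import dataclass
from typing import Optional

# Processes assumed to legitimately rewrite system DLLs (Windows servicing stack).
# Matching on image name alone is weak: a Trojan can name itself the same, so a
# real deployment would also check the image path and Authenticode signer.
UPDATER_PROCESSES = {"trustedinstaller.exe", "tiworker.exe", "wuauclt.exe", "poqexec.exe"}

# Operations that replace a file's content: in-place writes and rename-over.
WRITE_OPS = {"WriteFile", "SetRenameInformationFile"}

# Constructed log, in time order. Note the mixed separators and case on comres.dll.
SAMPLE_LOG = r"""Time,Process,PID,Operation,Path,Result
10:01:02.100,TrustedInstaller.exe,1204,WriteFile,C:\Windows\System32\winsock.dll,SUCCESS
10:01:02.300,TrustedInstaller.exe,1204,SetRenameInformationFile,C:\Windows\System32\shdoclc.dll,SUCCESS
10:07:44.512,setup_helper.exe,5120,WriteFile,c:/windows/system32/COMRES.DLL,SUCCESS
10:07:44.600,setup_helper.exe,5120,WriteFile,C:\Windows\System32\sfc.dll,ACCESS DENIED
10:08:01.000,explorer.exe,880,ReadFile,C:\Windows\System32\comres.dll,SUCCESS
"""


@dataclass(frozen=True)
class FileEvent:
    time: str
    process: str
    pid: int
    operation: str
    path: str
    result: str


def parse_log(text: str) -> list[FileEvent]:
    rows = csv.DictReader(io.StringIO(text))
    return [FileEvent(r["Time"], r["Process"], int(r["PID"]), r["Operation"], r["Path"], r["Result"])
            for r in rows]


def canon(path: str) -> str:
    """Case-insensitive, separator-normalised Windows path for comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def last_successful_write(events: list[FileEvent], dll_path: str) -> Optional[FileEvent]:
    target = canon(dll_path)
    writes = [e for e in events
              if e.operation in WRITE_OPS and e.result == "SUCCESS" and canon(e.path) == target]
    return writes[-1] if writes else None   # log is in time order


def explain_change(events: list[FileEvent], dll_path: str) -> str:
    """Is the fingerprint change of dll_path explained by a system update?"""
    e = last_successful_write(events, dll_path)
    if e is None:
        return "no_record"       # changed with no logged writer: log gap or bypass, treat as unexplained
    if e.process.lower() in UPDATER_PROCESSES:
        return "system_update"
    return f"unexplained_write:{e.process}:{e.pid}"


def demo() -> dict[str, str]:
    """Classify four DLLs whose fingerprints are assumed to have changed."""
    events = parse_log(SAMPLE_LOG)
    changed = [r"C:\Windows\System32\winsock.dll", r"C:\Windows\System32\shdoclc.dll",
               r"C:\Windows\System32\comres.dll", r"C:\Windows\System32\sfc.dll"]
    return {ntpath.basename(p): explain_change(events, p) for p in changed}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Two details matter in practice: the path comparison must be normalised (the comres.dll write is logged with forward slashes and upper case, and would be missed by a plain string match), and the denied write to sfc.dll must not count, so a changed sfc.dll with no successful write on record is reported as unexplained rather than silently accepted.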
Embodiment two of the present invention, on the basis of the solution of embodiment one, provides a Trojan detection method with a higher detection probability for DLL Trojans and more accurate detection.
Embodiment three
Embodiment three of the present invention provides a Trojan detection method, explained through a specific example. Fig. 3 is a flow chart of the Trojan detection method provided by embodiment three of the present invention. As shown in Fig. 3, the method includes:

Step 301: monitor API functions, specifically whether at least one of the address acquisition function, the library loading function, the remote thread creation function and the file time setting function is called. If yes, perform step 302; if not, perform step 307: the operating system is safe.

Step 302: when an API function is called, judge whether the operation object of the API function is a DLL file under the system directory.

Step 303: when the operation object of the API function is a DLL file under the system directory, determine the DLL file operated on by the API function and judge whether the MD5 value of the DLL file has changed. If yes, perform step 304; if not, perform step 307: the operating system is safe.

Step 304: when the MD5 value of the DLL file has changed, judge whether a system update function has been called. If yes, perform step 307: the operating system is safe; if not, perform step 305.

Step 305: when the system update function has not been called, determine that the DLL file is a DLL Trojan.

Step 306: prompt the user that a DLL Trojan exists in the current operating system.

The user can be prompted by sounding an alarm or by a notice on the display interface, awaiting further user operation, such as removing the Trojan immediately, ignoring it or removing it later.

Step 307: prompt the user that no DLL Trojan has been detected in the operating system.

This embodiment explains the above embodiments through a concrete example; its implementation process and beneficial effects are similar to those of the above embodiments and are not repeated here.
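The hook-driven flow of steps 201 to 203 and 301 to 307, as an added example in Python that is not the patent's code. The ApiCall records stand in for what hooks on GetProcAddress, LoadLibrary, CreateRemoteThread and SetFileTime would report on a real system; the scan roots, the call list and the placeholder digests are assumptions, and the fingerprints are passed in precomputed so the block stands alone. The part a practitioner should not skip is the "is this path under a system directory" test in step 302: it has to normalise the path first, otherwise a target such as a System32 path containing `..` segments, or the same file spelled with forward slashes and different case, is classified wrongly.

```python
# Added example (not the patent's code): the hook-driven flow of steps
# 201-203 / 301-307. ApiCall records stand in for hook reports; the roots,
# the call list and the placeholder digests are assumptions.
import ntpath
from dataclasses import dataclass
from typing import Iterable

SENSITIVE_APIS = {"GetProcAddress", "LoadLibrary", "CreateRemoteThread", "SetFileTime"}
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]   # assumed scan roots


@dataclass(frozen=True)
class ApiCall:
    api: str
    pid: int
    target: str     # path the call operates on; empty when there is none


def normalize(path: str) -> str:
    # Canonical form for comparing Windows paths: strip an extended-length
    # \\?\ prefix, collapse '.', '..' and '/', and lower-case. Comparing raw
    # strings would let C:\Windows\System32\..\..\Temp\x.dll pass as System32.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normcase(ntpath.normpath(path))


def under_system_dir(path: str, roots: Iterable[str] = SYSTEM_DIRS) -> bool:
    """Step 302: is the operation object inside one of the scan roots?"""
    p = normalize(path)
    return any(p.startswith(normalize(r).rstrip("\\") + "\\") for r in roots)


def detect(calls: Iterable[ApiCall], baseline: dict[str, str], current: dict[str, str],
           system_update_called: bool) -> dict[str, str]:
    """Steps 301-307 over a stream of hook events. Verdict per normalised DLL path."""
    verdicts: dict[str, str] = {}
    for c in calls:
        if c.api not in SENSITIVE_APIS:              # 301: not a monitored API
            continue
        if not c.target or not under_system_dir(c.target):
            continue                                   # 302: object is not under a system directory
        key = normalize(c.target)
        if not key.endswith(".dll"):
            continue
        old, new = baseline.get(key), current.get(key)
        if old is None or new is None:
            verdicts[key] = "no_baseline"              # cannot compare; outside the patent's rule
        elif old == new or system_update_called:
            verdicts[key] = "safe"                     # 303 / 304 -> 307
        else:
            verdicts[key] = "dll_trojan"               # 305 -> 306
    return verdicts


COMRES = normalize(r"C:\Windows\System32\comres.dll")
WINSOCK = normalize(r"C:\Windows\System32\winsock.dll")
SFC = normalize(r"C:\Windows\System32\sfc.dll")

# Placeholder digests standing in for the MD5/SHA-256 values a scanner would compute.
BASELINE = {COMRES: "d1", WINSOCK: "d2", SFC: "d3"}
CURRENT = {COMRES: "ff", WINSOCK: "d2", SFC: "d3"}   # only comres.dll content differs

# Constructed hook reports.
CALLS = [
    ApiCall("LoadLibrary", 880, r"C:\Windows\System32\winsock.dll"),
    ApiCall("GetProcAddress", 4312, r"C:\Windows\System32\comres.dll"),
    ApiCall("SetFileTime", 4312, r"c:/windows/system32/COMRES.DLL"),          # same file, other spelling
    ApiCall("SetFileTime", 4312, r"C:\Windows\System32\..\..\Temp\sfc.dll"),  # escapes the root
    ApiCall("CreateRemoteThread", 4312, ""),                                   # no file object
    ApiCall("ReadFile", 880, r"C:\Windows\System32\sfc.dll"),                  # not a sensitive API
]


def demo(system_update_called: bool) -> dict[str, str]:
    return detect(CALLS, BASELINE, CURRENT, system_update_called)


if __name__ == "__main__":
    print(demo(system_update_called=False))
```

Without a recorded system update the two calls touching comres.dll both resolve to the same normalised key and yield one dll_trojan verdict; the SetFileTime call whose target escapes System32 through `..` is ignored rather than attributed to sfc.dll, and winsock.dll, whose digest is unchanged, is reported safe.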
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (6)
1. A Trojan detection method, characterised by including:
scanning the dynamic link library (DLL) files under a set system directory and judging whether the file fingerprint of a DLL file has changed;
if the file fingerprint of the DLL file has changed, judging whether a system update function has been called;
if the system update function has not been called, determining that the DLL file is a DLL Trojan;
wherein scanning the DLL files under the set system directory includes:
monitoring whether a set system function is called, and when the set system function is called, judging whether the operation object of the set system function is a DLL file under the system directory;
when the operation object of the set system function is a DLL file under the system directory, determining the DLL file operated on by the set system function and scanning that DLL file.
2. The method according to claim 1, characterised in that the set system directory is at least one of the System32 directory, the Windows directory and a system environment variable directory.
3. The method according to claim 1, characterised in that the file fingerprint is a file characteristic value computed from the data in the DLL file with a message digest algorithm.
4. The method according to claim 1, characterised in that the set system function is an application programming interface (API) function, including at least one of an address acquisition function, a library loading function, a remote thread creation function and a file time setting function.
5. The method according to claim 1, characterised by further including:
when a DLL file is first stored under the set system directory, generating the corresponding file fingerprint for the DLL file;
when the data of the DLL file is modified, generating a new file fingerprint from the modified DLL file data and keeping the original fingerprint as history.
6. The method according to claim 1, characterised in that judging whether the reason for the change of the file fingerprint of the DLL file belongs to a system update includes:
when the file fingerprint of the DLL file has changed, reading the file read/write record corresponding to the DLL file stored by a system process monitor;
determining, from the file read/write record corresponding to the DLL file, whether the reason for the change of the file fingerprint of the DLL file belongs to a system update.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310425258.1A CN103632093B (en) | 2013-09-17 | Trojan detecting method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103632093A CN103632093A (en) | 2014-03-12 |
CN103632093B true CN103632093B (en) | 2016-11-30 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1155700A (en) * | 1996-09-08 | 1997-07-30 | 周跃平 | Protecting method for computer software |
CN1512355A (en) * | 2002-12-30 | 2004-07-14 | 成都三零盛安信息***有限公司 | Code signature verifying method of ELF file form |
CN101520832A (en) * | 2008-12-22 | 2009-09-02 | 康佳集团股份有限公司 | System and method for verifying file code signature |
CN102750476A (en) * | 2012-06-07 | 2012-10-24 | 腾讯科技(深圳)有限公司 | Method and system for identifying file security |
Non-Patent Citations (1)
Title |
---|
Hong Fan et al., "Integrity-based file protection" (基于完整性的文件保护), Journal of Huazhong University of Science and Technology (华中理工大学学报), 31 January 1994, Vol. 22, No. 1, full text * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9280664B2 (en) | Apparatus and method for blocking activity of malware | |
CN112929326B (en) | Malicious domain name access detection method and device and computer readable storage medium | |
US10581879B1 (en) | Enhanced malware detection for generated objects | |
EP3036623B1 (en) | Method and apparatus for modifying a computer program in a trusted manner | |
KR101647487B1 (en) | Analysis system and method for patch file | |
US8528087B2 (en) | Methods for combating malicious software | |
US7478431B1 (en) | Heuristic detection of computer viruses | |
US8443354B1 (en) | Detecting new or modified portions of code | |
AU2016299175A1 (en) | Systems and methods for tracking malicious behavior across multiple software entities | |
JP2014038596A (en) | Method for identifying malicious executable | |
CN106803040B (en) | Virus characteristic code processing method and device | |
CN107330328B (en) | Method and device for defending against virus attack and server | |
CN102882875B (en) | Active defense method and device | |
CN104517054A (en) | Method, device, client and server for detecting malicious APK | |
CN104268476A (en) | Application running method | |
CN107908958B (en) | SELinux security identifier anti-tampering detection method and system | |
JP2009238153A (en) | Malware handling system, method, and program | |
CN104268475A (en) | Application running system | |
CN105791250B (en) | Application program detection method and device | |
CN102857519B (en) | Active defensive system | |
CN106302515A (en) | A kind of method and apparatus of web portal security protection | |
CN105844161A (en) | Security defense method, device and system | |
CN111931192A (en) | rootkit detection method and device and electronic equipment | |
CN103632093B (en) | Trojan detecting method | |
CN112241529A (en) | Malicious code detection method and device, storage medium and computer equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |